© 2014 West Monroe Partners | Reproduction and distribution without West Monroe Partners prior consent prohibited
Practical AD Security
How to Secure Your Active Directory Network Without Breaking It
Quick Introduction
Frank Lesniak
Today’s Agenda
I. Why Implement a Security Baseline?
II. Getting Started: Get an Inventory
III. ACT Demo
IV. Getting Started: Get the Baselines
V. SCM Demo
VI. Putting it All Together (Demo)
VII. Common Issues
Why Implement a Security Baseline?
All IT Systems Have Vulnerabilities (Manadhata & Wing, 2010)
Known/Current
Unknown/Future
Being “attack-proof” is a pipe dream and the wrong way to sell IT security
Given infinite time, most IT systems can be hacked or decrypted (brute-force, massive parallelism)
Hackers/malware often have more resources than YourCorp (state-sponsored hacks, toolkits)
Today’s threat landscape:
We need to limit the ability for the bad guys to get in. However, the reality of today’s threat landscape is that all systems will inevitably be attacked/compromised/hacked.
Therefore, we need to consider IT security as a layered approach.
Once the bad guys are “in”, we need to also limit what they can do.
Don’t forget breach detection and response!
Take a layered approach to security. Limit your “attack surface” and reduce user privileges.
Why Implement a Security Baseline?
Enforce user privilege-limiting controls (UAC, session isolation)
Disable code execution and downloads from non-whitelisted websites
Reduce or eliminate the use of protocols and services with known security vulnerabilities
Enforce the use of strong protocols/cryptographic algorithms over weak ones (or not using one at all)
Enforce the use of security auditing, and define what should be audited
Limit user privileges
Enforce strong passwords
Enable the Windows Firewall and enforce logging
Prevent ActiveX controls from running automatically
Windows 8/8.1: prevent sign-in with Microsoft accounts
You can still link a Microsoft account to a corporate account
Enforce miscellaneous “leading practices”
The Microsoft security baselines address a number of security concerns out of the box.
Why Implement a Security Baseline?
SANS Critical Security Controls “First Five Quick Wins”
Application whitelisting (IE whitelisting enforced, but not AppLocker – quarter point)
Use of standard, secure system configurations (point)
Patch application software within 48 hours (Microsoft software - quarter point)
Patch system software within 48 hours (point)
Reduced number of users with administrative privileges (point)
Fuzzy math: Implementing security baselines helps address 3.5 out of 5 of these SANS controls
Qualys “Top 4 Controls”
Application Whitelisting (IE whitelisting enforced, but not AppLocker – quarter point)
Application Patching (Microsoft software – quarter point)
OS Patching (point)
User Privileges (point)
Fuzzy math: Implementing security baselines addresses 2.5 out of 4 of the Qualys controls
Deploying security baselines also upholds modern IT security frameworks.
Getting Started: Get an Inventory
Application Compatibility Toolkit 6.1 (Windows Assessment and Deployment Kit “8.1 Update”)
Inventory of applications
Inventory of Websites (kind of…)
Application compatibility issues
Website compatibility issues (kind of…)
AppLocker in “Audit Mode”
Will log events against a single PC; you will need to set up event collection & forwarding to aggregate from multiple PCs
Cannot inventory websites or identify their compatibility issues
Very limited identification of application compatibility issues
System Center Configuration Manager (ConfigMgr)
Can inventory applications, but not websites
Cannot identify compatibility issues
Windows Intune
Can inventory applications, but not websites
Cannot identify compatibility issues
You need a solid application inventory before you start. Website inventory is a challenge.
ACT Demo
Creating Data Collection Packages
Using Compatibility Monitor
Information Gathered by ACT
Example Compatibility Problem
ACT Demo
After installing ACT, create one or more data-collection packages.
ACT Demo
Set up a testing workstation that has Compatibility Monitor already running.
ACT Demo
ACT gathers and tracks lots of useful information.
Application Vendor, Name, and Version
Assessment Tracking
Vendor, Community, and User Assessment
Detected Compatibility Issues
Also indicates the number of computers, and number of versions of each program
ACT Demo
ACT will show issues with UAC or session isolation to focus testing efforts.
Getting Started: Get the Baselines
Microsoft’s database of pre-canned security baselines
Automatic updates
Allows export in a variety of formats
Version support for:
Windows XP – Windows 8
Windows Server 2003 – Windows Server 2012
Internet Explorer 8 – Internet Explorer 10
Office 2007 – 2010
Exchange 2007 – 2010
SQL Server 2012
Beta support for (separate download):
Windows 8.1, Windows Server 2012 R2, Internet Explorer 11
No support for:
Office 2013
…bummer. Best bet is to use the next-closest version as a proxy until the baseline is released.
Security Compliance Manager (SCM) 3.0 allows us to work with MS security baselines.
SCM Demo
Navigating SCM
Exporting baselines
SCM Demo
A comprehensive list of baselines is available via a built-in check for updates.
SCM Demo
Many baselines include hundreds of settings. Focus “phase 1” on lower risk settings.
SCM Demo
With a baseline selected, many options appear on the right side.
Almost always want to use “GPO Backup (folder)”
Compare/Merge is interesting, too
Do not duplicate or modify baselines in SCM
SCM Demo
Exported baselines show up in the designated folder as GUIDs for import.
Putting It All Together (Demo)
Building an OU Structure That Makes Sense
Importing GPOs
Baselines & Baseline Overrides
WMI Filters
Putting It All Together
Organizational Units (OUs) should be created to serve three purposes:
Forming the structure by which rights can be delegated to subordinate administrators
Forming the structure by which Group Policies are most-often applied
Organization, for organization’s sake
Build an OU structure that makes sense for your organization.
Not going to cut it!
Putting It All Together
Build an OU structure that makes sense for your organization.
Unless you have separate AD forests for test/dev, create top-level OUs that represent each stage of development.
Keep everyone in “prod” unless they are directly involved in test/dev of Group Policy / security baselines.
Create additional OUs, primarily for delegated administration.
Separate workstations from servers; users from admins.
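The staged OU layout described above, as an added PowerShell example (not code from the deck or from West Monroe Partners). It assumes the ActiveDirectory module from RSAT, rights to create OUs at the domain root, and illustrative OU names; the extra "Delegated" container per stage is an assumption standing in for whatever your delegation boundaries are.

```powershell
# Added example (not from the deck): create the staged OU layout the slides describe with the
# ActiveDirectory module. Assumes RSAT is installed and the caller can create OUs at the domain
# root; OU names below are illustrative.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Top-level OUs: one per stage of development. Everyone lives in Prod unless they are
# directly involved in testing Group Policy / security baselines.
$stages = @('Prod', 'Test', 'Dev')

# Under each stage: workstations apart from servers, users apart from admins, plus an
# assumed "Delegated" container that can be handed to subordinate administrators.
$children = @('Workstations', 'Servers', 'Users', 'Admins', 'Delegated')

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDn, [string]$Description = '')
    $dn = "OU=$Name,$ParentDn"
    # -Filter returns nothing (no error) when the OU does not exist, so the script is re-runnable.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $existing) {
        $params = @{ Name = $Name; Path = $ParentDn; ProtectedFromAccidentalDeletion = $true }
        if ($Description) { $params.Description = $Description }
        New-ADOrganizationalUnit @params
        Write-Host "Created $dn"
    }
    return $dn
}

foreach ($stage in $stages) {
    $stageDn = New-OuIfMissing -Name $stage -ParentDn $domainDn -Description "Group Policy stage: $stage"
    foreach ($child in $children) {
        $null = New-OuIfMissing -Name $child -ParentDn $stageDn
    }
}

# Check: print the resulting tree so it can be compared with the intended design.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
    Sort-Object DistinguishedName |
    ForEach-Object { $_.DistinguishedName }
```

Because every OU is created with ProtectedFromAccidentalDeletion, moving or removing a stage later requires clearing that flag first; that is deliberate, since a stage OU is where the baseline GPOs will be linked.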
Putting It All Together
Import baselines as they come from Microsoft without modifications.
Start by creating an empty GPO. Name it so that you can easily tie it to the name of the baseline in SCM.
Next, right-click on the empty GPO and click Import Settings.
You might be tempted to click Restore from Backup. Don’t; it will not work.
Choose the same folder that you backed up the baselines to (the one that contained all the GUID folders…).
Select the intended baseline.
Putting It All Together
Use “Override” GPOs to track any deviations from the Microsoft default baselines.
Microsoft periodically releases new baselines; keeping them original allows easy drop-in
Also allows easy proof to auditors that they have not been modified
Document deviations from Microsoft standard in one or more override GPOs
Allows tracking of approvals and purpose of override in comment fields
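The import procedure from the previous slides and the override-GPO convention above, as one added PowerShell example (not code from the deck or from West Monroe Partners). It assumes the GroupPolicy module from RSAT, that `$BackupRoot` is the folder SCM exported to with "GPO Backup (folder)" (the one full of GUID subfolders), and that each GUID subfolder carries the standard GPMC `bkupInfo.xml` whose `GPODisplayName` element names the baseline; the "Baseline - " and "Override - " naming prefixes are illustrative.

```powershell
# Added example (not from the deck): import SCM "GPO Backup (folder)" exports into GPOs named
# after the baseline, leave them unmodified, and create a matching empty Override GPO whose
# comment records why deviations exist. Assumes the GroupPolicy module and the GPMC backup layout.
Import-Module GroupPolicy

$BackupRoot = 'C:\SCM\Baselines'   # illustrative: the folder SCM exported the GUID folders into

# Enumerate the baselines present in the backup folder: display name plus backup GUID.
function Get-BaselineBackup {
    param([string]$Path)
    Get-ChildItem -Path $Path -Directory | ForEach-Object {
        $info = Join-Path $_.FullName 'bkupInfo.xml'
        if (Test-Path $info) {
            [xml]$x = Get-Content -Path $info
            # local-name() sidesteps the manifest namespace; InnerText unwraps the CDATA section.
            $nameNode = $x.SelectSingleNode('//*[local-name()="GPODisplayName"]')
            [pscustomobject]@{ Name = $nameNode.InnerText.Trim(); BackupId = $_.Name.Trim('{}') }
        }
    }
}

# "Create an empty GPO, then Import Settings" in one step: -CreateIfNeeded makes the empty GPO
# and Import-GPO copies the settings in. This is an import, not "Restore from Backup".
function Import-Baseline {
    param([string]$BaselineName, [string]$Prefix = 'Baseline - ')
    $target = $Prefix + $BaselineName
    Import-GPO -BackupGpoName $BaselineName -Path $BackupRoot -TargetName $target -CreateIfNeeded | Out-Null
    $gpo = Get-GPO -Name $target
    # The comment field is what auditors will read: where it came from and that it is untouched.
    $gpo.Description = "Unmodified import of SCM baseline '$BaselineName' from $BackupRoot on $(Get-Date -Format s)"
    return $gpo
}

# One empty Override GPO per baseline; every deviation goes here, never into the baseline GPO.
function New-OverrideGpo {
    param([string]$BaselineName, [string]$ApprovalNote)
    $name = "Override - $BaselineName"
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $name }
    $gpo.Description = $ApprovalNote
    return $gpo
}

foreach ($b in Get-BaselineBackup -Path $BackupRoot) {
    $base = Import-Baseline -BaselineName $b.Name
    $over = New-OverrideGpo -BaselineName $b.Name `
        -ApprovalNote "Deviations from '$($b.Name)'; record approver and purpose in each setting's comment"
    Write-Host ("Imported {0} (backup {1}); override GPO: {2}" -f $base.DisplayName, $b.BackupId, $over.DisplayName)
}
```

When you link the two GPOs to an OU, give the Override GPO the higher link order (it is processed last) so its settings win over the unmodified baseline; a fresh Microsoft release is then re-imported into the baseline GPO with the same function and the overrides survive untouched.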
Putting It All Together
Computers Running IE 11:
SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version like "11.%"
Windows 7 and Windows Server 2008 R2 Systems:
Select * from Win32_OperatingSystem Where Version like "6.1%"
Windows 7 and Windows Server 2008 R2 Systems (Member Servers and Workstations, Only):
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType <> "2"
Windows 7, Only:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"
Windows Server 2008 R2 Domain Controllers, Only:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "2"
Windows Server 2008 R2 Member Servers, Only:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "3"
WMI Filters allow you to apply different OS/Internet Explorer baselines to the same OU.
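A way to check those filter queries before linking the filtered GPOs, as an added PowerShell example (not code from the deck or from West Monroe Partners): it runs each WQL query against the local computer with `Get-CimInstance`, which evaluates a GPO WMI filter the same way (the filter matches when the query returns at least one instance). The filter names are illustrative, the numeric `ProductType` comparisons are written without quotes, and the `drive="C:"` clause is an addition that keeps the `CIM_DataFile` query from walking every drive.

```powershell
# Added example (not from the deck): evaluate the WMI filter queries from the slide locally so
# you can confirm which baseline a given machine would receive. Filter names are illustrative.
$filters = [ordered]@{
    'Win7/2008R2 (all)'          = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%"'
    'Win7/2008R2 (not DC)'       = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> 2'
    'Windows 7 only'             = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 1'
    '2008 R2 domain controllers' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 2'
    '2008 R2 member servers'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 3'
    # Backslashes in a WQL string literal are doubled; the path is relative to the drive.
    # drive="C:" is an assumption added here so the query does not scan every volume.
    'Computers running IE 11'    = 'SELECT path,filename,extension,version FROM CIM_DataFile WHERE drive="C:" AND path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version LIKE "11.%"'
}

function Test-WmiFilter {
    param([string]$Query)
    # A GPO WMI filter "matches" when the query returns at least one instance.
    $result = Get-CimInstance -Query $Query -ErrorAction Stop
    return [bool]($result | Select-Object -First 1)
}

# Context for reading the results: ProductType 1 = workstation, 2 = domain controller, 3 = server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("Local OS: {0}, version {1}, ProductType {2}" -f $os.Caption, $os.Version, $os.ProductType)

foreach ($name in $filters.Keys) {
    $match = Test-WmiFilter -Query $filters[$name]
    Write-Host ("{0,-28} {1}" -f $name, $(if ($match) { 'MATCH' } else { 'no match' }))
}
```

Note that `Version LIKE "6.1%"` deliberately matches only Windows 7 and Windows Server 2008 R2; a Windows 8.1 or 2012 R2 machine reports 6.3 and will match none of the OS filters above, which is the behaviour you want when each OS version gets its own baseline GPO.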
Common Issues
Follow the GUI, or write trusted sites using a script to:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
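The scripted alternative to the GUI that the slide mentions, as an added PowerShell example (not code from the deck or from West Monroe Partners). It assumes the script runs elevated on the target (for instance as a computer startup script), that the `ZoneMap\Domains\<domain>\<host>` layout with a DWORD named after the scheme (2 = Trusted sites, 1 = Local intranet, 4 = Restricted sites) is the layout Internet Explorer reads under the policy key named above, and that the sample whitelist is constructed for illustration.

```powershell
# Added example (not from the deck): write a trusted-sites whitelist to the policy ZoneMap key
# with a script, which sidesteps the size limit that makes a long "Site to Zone Assignment List"
# unmanageable in the GPO editor. Assumes elevation and the ZoneMap\Domains layout described above.
$ZoneMap = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

# Constructed sample whitelist, one entry per line: "scheme://host" or a bare host (defaults to https).
$whitelist = @'
https://intranet.example.com
https://*.example.com
http://legacy-app.example.com
timesheets.example.com
'@ -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Turn one whitelist entry into its ZoneMap subkey and write the scheme value.
function Add-TrustedSite {
    param([string]$Entry, [int]$Zone = 2)
    if ($Entry -match '^(?<scheme>https?)://(?<host>[^/]+)$') {
        $scheme = $Matches['scheme']; $hostName = $Matches['host']
    } else {
        $scheme = 'https'; $hostName = $Entry
    }
    # "*.example.com" means the whole domain: drop the wildcard label.
    $hostName = $hostName -replace '^\*\.', ''
    # IE keys the entry as Domains\<registrable domain>[\<remaining labels>].
    $labels = $hostName.Split('.')
    $domainsRoot = Join-Path $ZoneMap 'Domains'
    if ($labels.Count -le 2) {
        $subKey = Join-Path $domainsRoot $hostName
    } else {
        $subKey = Join-Path (Join-Path $domainsRoot ($labels[-2..-1] -join '.')) ($labels[0..($labels.Count - 3)] -join '.')
    }
    if (-not (Test-Path $subKey)) { New-Item -Path $subKey -Force | Out-Null }
    # -Force overwrites an existing value, so re-running the script is harmless.
    New-ItemProperty -Path $subKey -Name $scheme -PropertyType DWord -Value $Zone -Force | Out-Null
    return $subKey
}

foreach ($entry in $whitelist) { Add-TrustedSite -Entry $entry | Out-Null }

# Check: dump every zone assignment now present under the policy key.
Get-ChildItem -Path (Join-Path $ZoneMap 'Domains') -Recurse | ForEach-Object {
    $key = $_
    $props = Get-ItemProperty -Path $key.PSPath
    foreach ($scheme in 'http', 'https') {
        if ($null -ne $props.$scheme) {
            '{0} {1} -> zone {2}' -f $key.Name.Substring($key.Name.IndexOf('Domains\') + 8), $scheme, $props.$scheme
        }
    }
}
```

Because the entries live under the policy hive rather than the user's own ZoneMap, users cannot remove them from the Trusted sites list in the IE GUI, which is the point: the whitelist stays under change control.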
Common Issues
Several websites will need to be “opted-in” by users due to ActiveX filtering.
Common Issues
I have seen and had to deal with the following issues during the rollout of a security baseline:
Applications that require admin privileges: can attempt to shim them, or use application virtualization (App-V); can deploy dual credentials (flesniak and admin.flesniak)
FIPS compliance: Intuit TurboTax; a common “override”
User downloads: a common “override”
Website whitelisting: GPO length limitation – build a script
ActiveX initiation: blue “no” symbol
Windows Firewall exceptions not created by application installation
Applications that “come out of the woodwork”: users doing non work-related stuff, or deploying “rogue applications”
Thanks! Connect with Frank Lesniak:
twitter.com/franklesniak
linkedin.com/in/flesniak
flesniak <atsign> westmonroepartners.com