Practical AD Security: How to Secure Your Active Directory Network Without Breaking It

© 2014 West Monroe Partners | Reproduction and distribution without West Monroe Partners prior consent prohibited
Practical AD Security
How to Secure Your Active Directory Network Without Breaking It

Quick Introduction
Frank Lesniak
2

Today’s Agenda
I. Why Implement a Security Baseline?
II. Getting Started: Get an Inventory
III. ACT Demo
IV. Getting Started: Get the Baselines
V. SCM Demo
VI. Putting it All Together (Demo)
VII. Common Issues
3

Why Implement a Security Baseline?
All IT Systems Have Vulnerabilities (Manadhata & Wing, 2010)
 Known/Current
 Unknown/Future
Being “attack-proof” is a pipe dream and the wrong way to sell IT security
 Given infinite time, most IT systems can be hacked or decrypted (brute-force, massive
parallelism)
 Hackers/malware often have more resources than YourCorp (state-sponsored hacks, toolkits)
Today’s threat landscape:
 We need to limit the ability for the bad guys to get in. However, the reality of today’s threat
landscape is that all systems will inevitably be attacked/compromised/hacked.
 Therefore, we need to consider IT security as a layered approach.
 Once the bad guys are “in”, we need to also limit what they can do.
 Don’t forget breach detection and response!
Take a layered approach to security. Limit your “attack surface” and reduce user privileges.
4

 Enforce user privilege-limiting controls (UAC, session isolation)
 Disable code execution and downloads from non-whitelisted websites
 Reduce or eliminate the use of protocols and services with known security vulnerabilities
 Enforce the use of strong protocols/cryptographic algorithms over weak ones (or not using
one at all)
 Enforce the use of security auditing, and define what should be audited
 Limit user privileges
 Enforce strong passwords
 Enable the Windows Firewall and enforce logging
 Prevent ActiveX controls from running automatically
 Windows 8/8.1: prevent sign-in with Microsoft accounts
 You can still link a Microsoft account to a corporate account
 Enforce miscellaneous “leading practices”
The Microsoft security baselines address a number of security concerns out of the box.
5

 SANS Critical Security Controls “First Five Quick Wins”
 Application whitelisting (IE whitelisting enforced, but not AppLocker – quarter point)
 Use of standard, secure system configurations (point)
 Patch application software within 48 hours (Microsoft software - quarter point)
 Patch system software within 48 hours (point)
 Reduced number of users with administrative privileges (point)
Fuzzy math: Implementing security baselines help address 3.5 out of 5 of these SANS controls
 Qualys “Top 4 Controls”
 Application Whitelisting (IE whitelisting enforced, but not AppLocker – quarter point)
 Application Patching (Microsoft software – quarter point)
 OS Patching (point)
 User Privileges (point)
Fuzzy math: Implementing security baselines addresses 2.5 out of 4 of the Qualys controls
Deploying security baselines also upholds modern IT security frameworks.
6

Getting Started: Get an Inventory
 Application Compatibility Toolkit 6.1 (Windows Assessment and Deployment Kit “8.1 Update”)
 Inventory of applications
 Inventory of Websites (kind of…)
 Application compatibility issues
 Website compatibility issues (kind of…)
 AppLocker in “Audit Mode”
 Will log events against a single PC; you will need to set up event collection & forwarding to aggregate
from multiple PCs
 Cannot inventory websites or identify their compatibility issues
 Very limited identification of application compatibility issues
 System Center Configuration Manager (ConfigMgr)
 Can inventory applications, but not websites
 Cannot identify compatibility issues
 Windows Intune
 Can inventory applications, but not websites
 Cannot identify compatibility issues
You need a solid application inventory before you start. Website inventory is a challenge.
7

ACT Demo
8
 Creating Data Collection Packages
 Using Compatibility Monitor
 Information Gathered by ACT
 Example Compatibility Problem

ACT Demo
After installing ACT, create one or more data-collection packages.
9

ACT Demo
Set up a testing workstation that has Compatibility Monitor already running.
10

ACT Demo
ACT gathers and tracks lots of useful information.
11
 Application Vendor, Name, and Version
 Assessment Tracking
 Vendor, Community, and User Assessment
 Detected Compatibility Issues
 Also indicates the number of computers, and number of versions of each program

ACT Demo
ACT will show issues with UAC or session isolation to focus testing efforts.
12

Getting Started: Get the Baselines
 Microsoft’s database of pre-canned security baselines
 Automatic updates
 Allows export in a variety of formats
 Version support for:
 Windows XP – Windows 8
 Windows Server 2003 – Windows Server 2012
 Internet Explorer 8 – Internet Explorer 10
 Office 2007 – 2010
 Exchange 2007 – 2010
 SQL Server 2012
 Beta support for (separate download):
 Windows 8.1, Windows Server 2012 R2, Internet Explorer 11
 No support for:
 Office 2013
 …bummer. Best bet is to use the next-closest version as a proxy until the baseline is released.
Security Compliance Manager (SCM) 3.0 allows us to work with MS security baselines.
13

SCM Demo
14
 Navigating SCM
 Exporting baselines

SCM Demo
A comprehensive list of baselines is available via a built-in check for updates.
15

SCM Demo
Many baselines include hundreds of settings. Focus “phase 1” on lower risk settings.
16

SCM Demo
 Almost always want to use “GPO Backup (folder)”
 Compare/Merge is interesting, too
 Do not duplicate or modify baselines in SCM
With a baseline selected, many options appear on the right side.
18

SCM Demo
Exported baselines show up in the designated folder as GUIDs for import.
19

Putting It All Together (Demo)
20
 Building an OU Structure That Makes Sense
 Importing GPOs
 Baselines & Baseline Overrides
 WMI Filters

Putting It All Together
Organizational Units (OUs) should be created to serve three purposes:
 Forming the structure by which rights can be delegated to subordinate administrators
 Forming the structure by which Group Policies are most-often applied
 Organization, for organization sake
Build an OU structure that makes sense for your organization.
21
Not going to cut it!

 Unless you have separate AD forests
for test/dev, create top-level OUs that
represent each stage of development.
 Keep everyone in “prod” unless they
are directly involved in test/dev of
Group Policy / security baselines.
22

23
 Create additional OUs, primarily for
delegated administration

24
 Create additional OUs, primarily for
delegated administration
 Separate workstations from servers;
users from admins

Import baselines as they come from Microsoft without modifications.
25
 Start by creating an empty GPO
 Name it so that you can easily tie it
to the name of the baseline in SCM

26
 Next, right-click on the empty GPO and click Import Settings.
 You might be tempted to click Restore from Backup. Don’t; it will not work.

27
 Choose the same folder that you backed-up the baselines to
(the one that contained all the GUID folders…)

28
 Select the intended baseline

Use “Override” GPOs to track any deviations from the Microsoft default baselines.
29
 Microsoft periodically releases new baselines; keeping them original allows easy drop-in
 Also allows easy proof to auditors that they have not been modified
 Document deviations from Microsoft standard in one or more override GPOs
 Allows tracking of approvals and purpose of override in comment fields

 Computers Running IE 11:
SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="Program
FilesInternet Explorer" AND filename="iexplore" AND extension="exe" AND version like "11.%"
 Windows 7 and Windows Server 2008 R2 Systems:
Select * from Win32_OperatingSystem Where Version like "6.1%"
 Windows 7 and Windows Server 2008 R2 Systems (Member Servers and Workstations, Only):
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType <> "2"
 Windows 7, Only:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"
 Windows Server 2008 R2 Domain Controllers, Only:
 Windows Server 2008 R2 Member Servers, Only:
WMI Filters allow you to apply different OS/Internet Explorer baselines to the same OU.
30

Common Issues
 Applications that require admin privileges
 Can attempt to shim them, or use application virtualization (App-V)
 Can deploy dual credentials (flesniak and admin.flesniak)
 FIPS-Compliance
 Intuit TurboTax
 Common “override”
 User Downloads
 Website Whitelisting
 GPO length limitation – build a script
I have seen and had to deal with the following issues during the rollout of a security baseline:
31

Common Issues
Follow the GUI, or write trusted sites using a script to:
HKLMSOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMap
32

Common Issues
 FIPS-Compliance
 Intuit TurboTax
 User Downloads
 ActiveX Initiation
 Blue “no” symbol
33

Common Issues
Several websites will need to be “opted-in” by users due to ActiveX filtering.
34

Common Issues
 FIPS-Compliance
 Intuit TurboTax
 User Downloads
 ActiveX Initiation
 Blue “no” symbol
 Windows Firewall exceptions not created by application installation
 Applications that “come out of the woodwork”
 Users doing non work-related stuff, or deploying “rogue applications”
35

twitter.com/franklesniak
linkedin.com/in/flesniak
flesniak <atsign> westmonroepartners.com
Thanks! Connect with Frank Lesniak:
36

Practical AD Security: How to Secure Your Active Directory Network Without Breaking It

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Practical AD Security: How to Secure Your Active Directory Network Without Breaking It

Similaire à Practical AD Security: How to Secure Your Active Directory Network Without Breaking It (20)

Dernier

Dernier (20)

Practical AD Security: How to Secure Your Active Directory Network Without Breaking It