Derby con 2014

Post on 29-Nov-2014


2014 Derbycon slides


How to Sys Admin and secure Windows like a Boss

Jim Kennedy

KennedyJamesD@Gmail.com

@TonikJDK

ENVIRONMENT

14 Buildings, fiber back to data center and fiber to the net.

Internal gig everywhere. 6800 users, 6000 students and 800 staff. Primarily a Microsoft/Cisco house. 37 servers physical/virtual, 3500 XP/Win7-8 desktops and 1000 iPads/Nexus BYOD.

600 Teachers do this everyday

Fire up presentation systems, computer, Smart Boards, audio and video feeds.

Rely on internet for content. YouTube, NetFlix, EDU’s, PBS, State and Federal along with a host of obscure sites from other educators.

Shared/Collaborative content from each other.

4 Educators with strong tech backgrounds developing new ways to use tech.

6000 students do this everyday

Try to surf porn. Install games and malware. Saturate our internet link with videos and music. Download iOS 8 for their phones. Try to break stuff. Try to get into servers and applications they shouldn’t. Oh, and use the system to learn.

How do we secure this and deliver the proper service level?

You need street cred in your org.
• Have a kid that is a recognized expert in InfoSec.
• Go to cons, give talks and email the talk to everyone.
• Talk up security that you do that is non-intrusive/unseen.
• Compromise.
• Keep it working.
• Get an audit.

Everything in this list is about you, and how you present the issues.

Defend Phishing attacks with user education?!?

Unknown

Pick your filter carefully

There are basically three categories on a filter, Good, Bad and Unknown.

They all do an excellent job with Good and Bad.

The percentage of the internet that is unknown is key. Watch IP and ‘Content Server’ unknowns.

Only two that I have found:

Barracuda and IBoss.

+1 Cred with Bo$$
+1 Cred with Management

Moar Cred!

4 days before school starts: Hey Jim, we need to set up two Python labs for 150 students.

What could possibly go wrong? Two seconds on Google for MS08-067 via Python: TrustedSec.com has ready-to-run code.

Make it work

• Dual Boot.
• Python air gapped via guest wireless.
• Google Apps/Docs.
• Hide other OS drive.

+1 Cred with Curriculum peeps.
+1 Cred with Teachers.
+1 Cred with my Bo$$.

But most of all students are learning and we are safe from them.

Can’t build on sand

Basic Training

• Baseline everything.
• Common images/builds.
• Senior builder.
• Common hardware.

Recon

Document and define every system and every system interaction.

• Document the software.
• Document the traffic.
• Document access. Who needs what; build a list with an eye towards segmentation.

Recon

What is vulnerable?

NESSUS yourself regularly. http://www.tenable.com/products/nessus

What is it doing?

Read the server and desktop logs. Audit access success and failure. SCOM everything.
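As an added example (not from the talk), a PowerShell snippet that does the "audit access failure" part of the log review: it summarises failed logons (Security event 4625) on a host over the last 24 hours, grouped by target account and source address. The threshold value and the NTSTATUS meaning in the comment are assumptions.

```powershell
# Added example, not from the talk. Run elevated on a Vista/2008+ host with
# "Audit logon events" set to Failure (or Success and Failure).
param([int]$Hours = 24, [int]$Threshold = 10)   # assumed defaults

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source  = $d['IpAddress']      # '-' for local/console attempts
        Status  = $d['Status']         # 0xC000006D = STATUS_LOGON_FAILURE (assumption: standard NTSTATUS)
    }
}

# Anything over the threshold from one source against one account is worth a look:
# a password guess, a stale scheduled task, or a service with an old credential.
$rows | Group-Object Account, Source |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Swap the Id for 4624 to review successes the same way (LogonType and TargetUserName are in the same EventData block).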

Defense

Intrusion detection and moar.

• Security Onion
• http://blog.securityonion.net
• IDS
• Full packet capture
• Reconstructs full transactions
• So simple even a Windows jockey can do it
• 30 minutes from download to fully running

Patch it all

• MS08-067 or SQL Injections?!? You Suck.
• 90 day patch window on average. Are you average?
• http://patchmanagement.org/
• Remember our software documentation and NESSUS. That drives your patching.

Server hardening

Kill NTLM in your domain. Get service accounts under control.

• Strong passwords
• Limit privs
• Single use service accounts

Google “Mitigating Service Account”: HD Moore (Rapid 7), Joe Bialek (MS) and Ashwath Murthy (Palo Alto).
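As an added example (not from the talk), a PowerShell audit for the two points above: it reads the registry values behind the "Restrict NTLM" and "LAN Manager authentication level" group policies on the local host, then lists domain accounts that carry an SPN (the usual shape of a service account) with their password age and privileged group membership. The list of privileged group names is an assumption.

```powershell
# Added example, not from the talk. Needs the ActiveDirectory RSAT module and
# an elevated prompt for the registry read.
Import-Module ActiveDirectory

# --- NTLM: what the host is configured to send and accept.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$level = (Get-ItemProperty $lsa -Name LmCompatibilityLevel        -ErrorAction SilentlyContinue).LmCompatibilityLevel
$send  = (Get-ItemProperty $msv -Name RestrictSendingNTLMTraffic  -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
$recv  = (Get-ItemProperty $msv -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic

[pscustomobject]@{
    LmCompatibilityLevel         = $level   # want 5: send NTLMv2 only, refuse LM and NTLM
    RestrictSendingNTLMTraffic   = $send    # 0 allow, 1 audit, 2 deny all
    RestrictReceivingNTLMTraffic = $recv    # 0 allow, 1 deny domain accounts, 2 deny all
    NtlmKilled                   = ($level -eq 5 -and $send -eq 2 -and $recv -eq 2)
} | Format-List

# --- Service accounts: an old, never-expiring password on an account that is
# also in a privileged group is the combination to hunt down first.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Account Operators', 'Server Operators'        # assumed list

Get-ADUser -Filter { ServicePrincipalName -like '*' } `
           -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, MemberOf |
    ForEach-Object {
        # MemberOf is direct membership only; nested groups are not expanded here.
        $groups = $_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }
        [pscustomobject]@{
            Account      = $_.SamAccountName
            SPNs         = $_.ServicePrincipalName.Count
            PasswordAge  = [int]((Get-Date) - $_.PasswordLastSet).TotalDays
            NeverExpires = $_.PasswordNeverExpires
            Privileged   = @($groups | Where-Object { $privileged -contains $_ }) -join ','
        }
    } | Sort-Object PasswordAge -Descending | Format-Table -AutoSize
```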

Server hardening

EMET 5.0. Ask the red team how many boxes they have popped recently that are running EMET.

Firewall between users and servers. Build your servers with segmentation of resources in mind so you can segment your users. Control that with your ASA and your VLANs.

Firewall on. Seriously, on 2008+ the firewall is on automatically.

Consider taking servers out of the domain. HVAC servers on the management VLAN.

Desktop hardening

• No local admin. Period.
• EMET 5.0
• RDS for Finance and the like.
• Local firewall via GPO.
• Event logging with auditing on success and failure.
• Hide last user login
• UAC
• Autorun off
• Software Restrictions
• AppLocker

Remove unneeded features

• Control Panel items
• Explorer search and menu search
• Task manager
• Disable run/cmd/Internet Explorer drives, which also kills \\servername in IE
• No bat files, no VBS
• Hide the system drive
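As an added example (not from the talk), a PowerShell check for several of the desktop settings listed above on the local machine, reporting pass/fail per setting. The registry paths are the standard policy locations; the expectation that the local Administrators group holds no extra user accounts and the "at least one AppLocker rule collection" test are assumptions.

```powershell
# Added example, not from the talk. Run elevated. Get-LocalGroupMember needs
# PowerShell 5.1+; Get-AppLockerPolicy needs the AppLocker module (Win7 Enterprise+).
function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

$checks = [ordered]@{}
$checks['UAC enabled']          = (Get-RegValue $sys 'EnableLUA') -eq 1
$checks['Hide last user login'] = (Get-RegValue $sys 'DontDisplayLastUserName') -eq 1
$checks['Autorun off']          = (Get-RegValue $exp 'NoDriveTypeAutoRun') -eq 255   # 0xFF = all drive types
foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $checks["Firewall on ($p)"] = (Get-RegValue "$fw\$p" 'EnableFirewall') -eq 1
}

# "No local admin": only the built-in Administrator (and domain groups) belong here.
$admins = Get-LocalGroupMember -Group 'Administrators' |
          Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notmatch '\\Administrator$' }
$checks['No extra local admins'] = ($admins.Count -eq 0)

# Logon auditing on both success and failure (auditpol prints the effective setting).
$logon = auditpol /get /subcategory:"Logon" 2>$null
$checks['Audit logon S+F'] = ($logon -match 'Success and Failure').Count -gt 0

# AppLocker: an effective policy with at least one rule collection (assumed test).
try   { $checks['AppLocker policy'] = ([xml](Get-AppLockerPolicy -Effective -Xml)).AppLockerPolicy.RuleCollection.Count -gt 0 }
catch { $checks['AppLocker policy'] = $false }

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } } |
    Format-Table -AutoSize
```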

No AV

99 percent of Fortune 1000 companies run Symantec. Most of the big hacks we are seeing are Fortune 1000. Ergo, 99 percent of the big hacks hit companies that use Symantec and it apparently didn’t stop crap. Disclaimer: According to Twitter. (Allegedly).

Java

EMET kills much of it. It looks for behavior, not signatures.

In other cases egress filtering and/or the web filter catch it: with only 80 and 443 allowed out, the filter sees the exploit phoning home.

91 percent of all attacks in 2013 were Java based. Keep it patched.

Network layer

• SSH only from management network.
• Sticky MACs.
• Kill unused ports.
• Egress filtering.

Rinse, Lather and Repeat.

Negotiated time for this, and not just a general agreement. A specific agreement with days and time reserved for all of this.

Get the above on your review as a goal.

Thanks and hugs