Practical AD Security: How to Secure Your Active Directory Network Without Breaking It

© 2014 West Monroe Partners | Reproduction and distribution without West Monroe Partners prior consent prohibited

Description

IT professionals everywhere strive to secure their network, but it can be a daunting task. Luckily, Microsoft provides some boilerplate templates to get you started. In this session, Frank will demonstrate how to get started with Microsoft's security templates, and give you some tips on settings that he frequently needs to change in customer environments to maintain compatibility with existing applications or common configurations.

Transcript of Practical AD Security: How to Secure Your Active Directory Network Without Breaking It

Page 1

Practical AD Security: How to Secure Your Active Directory Network Without Breaking It

Page 2

Quick Introduction

Frank Lesniak

Page 3

Today’s Agenda

I. Why Implement a Security Baseline?

II. Getting Started: Get an Inventory

III. ACT Demo

IV. Getting Started: Get the Baselines

V. SCM Demo

VI. Putting it All Together (Demo)

VII. Common Issues

Page 4

Why Implement a Security Baseline?

- All IT systems have vulnerabilities (Manadhata & Wing, 2010): known/current and unknown/future
- Being "attack-proof" is a pipe dream and the wrong way to sell IT security
- Given infinite time, most IT systems can be hacked or decrypted (brute force, massive parallelism)
- Hackers/malware often have more resources than YourCorp (state-sponsored hacks, toolkits)
- Today's threat landscape: we need to limit the ability of the bad guys to get in. However, the reality is that all systems will inevitably be attacked/compromised/hacked. Therefore, we need to treat IT security as a layered approach.
- Once the bad guys are "in", we also need to limit what they can do. Don't forget breach detection and response!

Take a layered approach to security. Limit your "attack surface" and reduce user privileges.

Page 5

Why Implement a Security Baseline?

- Enforce user privilege-limiting controls (UAC, session isolation)
- Disable code execution and downloads from non-whitelisted websites
- Reduce or eliminate the use of protocols and services with known security vulnerabilities
- Enforce the use of strong protocols/cryptographic algorithms over weak ones (or over not using one at all)
- Enforce the use of security auditing, and define what should be audited
- Limit user privileges
- Enforce strong passwords
- Enable the Windows Firewall and enforce logging
- Prevent ActiveX controls from running automatically
- Windows 8/8.1: prevent sign-in with Microsoft accounts (you can still link a Microsoft account to a corporate account)
- Enforce miscellaneous "leading practices"

The Microsoft security baselines address a number of security concerns out of the box.

Page 6

Why Implement a Security Baseline?

SANS Critical Security Controls "First Five Quick Wins":
- Application whitelisting (IE whitelisting enforced, but not AppLocker: quarter point)
- Use of standard, secure system configurations (point)
- Patch application software within 48 hours (Microsoft software only: quarter point)
- Patch system software within 48 hours (point)
- Reduced number of users with administrative privileges (point)

Fuzzy math: implementing security baselines helps address 3.5 out of 5 of these SANS controls.

Qualys "Top 4 Controls":
- Application whitelisting (IE whitelisting enforced, but not AppLocker: quarter point)
- Application patching (Microsoft software only: quarter point)
- OS patching (point)
- User privileges (point)

Fuzzy math: implementing security baselines addresses 2.5 out of 4 of the Qualys controls.

Deploying security baselines also upholds modern IT security frameworks.

Page 7

Getting Started: Get an Inventory

Application Compatibility Toolkit 6.1 (Windows Assessment and Deployment Kit "8.1 Update")
- Inventory of applications
- Inventory of websites (kind of…)
- Application compatibility issues
- Website compatibility issues (kind of…)

AppLocker in "Audit Mode"
- Will log events against a single PC; you will need to set up event collection & forwarding to aggregate from multiple PCs
- Cannot inventory websites or identify their compatibility issues
- Very limited identification of application compatibility issues

System Center Configuration Manager (ConfigMgr)
- Can inventory applications, but not websites
- Cannot identify compatibility issues

Windows Intune
- Can inventory applications, but not websites
- Cannot identify compatibility issues

You need a solid application inventory before you start. Website inventory is a challenge.
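The AppLocker audit-mode inventory described above, as an added PowerShell example that is not code from the original slides: it reads the audit events AppLocker writes while in audit mode (ID 8003 in the "EXE and DLL" log, 8006 in "MSI and Script"), or the ForwardedEvents log on a collector once event forwarding is configured, and aggregates them into a per-executable inventory showing how many computers and users launched each file. The log names, event IDs and event XML fields are the standard AppLocker ones; the collector log name, the 30-day window and the CSV path are assumptions.

```powershell
# Added example, not from the original slides. Summarises AppLocker audit-mode events into
# an executable inventory. Event 8003 ("would have been blocked if enforced") is written to
# the "EXE and DLL" log; 8006 is its counterpart in "MSI and Script". On a Windows Event
# Collector the same events land in ForwardedEvents, so pass -LogName 'ForwardedEvents'.
function Get-AppLockerAuditInventory {
    [CmdletBinding()]
    param(
        [string[]] $LogName = @('Microsoft-Windows-AppLocker/EXE and DLL',
                                'Microsoft-Windows-AppLocker/MSI and Script'),
        [int[]]    $EventId = @(8003, 8006),
        [datetime] $Since   = (Get-Date).AddDays(-30)   # assumed collection window
    )

    # Pull the raw events; a log with no matching events is not an error here.
    $events = foreach ($log in $LogName) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $EventId; StartTime = $Since } `
                     -ErrorAction SilentlyContinue
    }

    # AppLocker puts its payload under <UserData><RuleAndFileData>; pull the fields we need.
    $records = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d   = $xml.Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Computer  = $xml.Event.System.Computer
            User      = $d.TargetUser          # SID of the user who launched the file
            FilePath  = $d.FilePath            # e.g. %PROGRAMFILES%\VENDOR\APP.EXE
            Publisher = $d.Fqbn                # signer\product\binary\version; empty if unsigned
            Hash      = $d.FileHash
            Time      = $e.TimeCreated
        }
    }

    # One row per executable path: how widely it is used tells you what to test first.
    $records | Group-Object FilePath | ForEach-Object {
        $publishers = @($_.Group.Publisher | Where-Object { $_ } | Select-Object -Unique)
        [pscustomobject]@{
            FilePath  = $_.Name
            Publisher = ($publishers -join '; ')
            Signed    = ($publishers.Count -gt 0)
            Computers = @($_.Group.Computer | Select-Object -Unique).Count
            Users     = @($_.Group.User | Select-Object -Unique).Count
            Launches  = $_.Count
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Computers, Launches -Descending
}

# Single PC: what AppLocker audit mode gives you without forwarding.
Get-AppLockerAuditInventory | Format-Table FilePath, Signed, Computers, Users, Launches -AutoSize

# Collector, after Windows Event Forwarding is set up: one inventory across all forwarding PCs.
Get-AppLockerAuditInventory -LogName 'ForwardedEvents' |
    Export-Csv -Path .\applocker-audit-inventory.csv -NoTypeInformation
```

For the local log only, the built-in Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics gives similar counts; the function above exists to run the same aggregation over the forwarded log, which is where the multi-PC inventory the slide asks for actually lives. Unsigned executables (Signed = False) are the ones that will need path or hash rules, or a conversation with their owner.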

Page 8

ACT Demo
- Creating data collection packages
- Using Compatibility Monitor
- Information gathered by ACT
- Example compatibility problem

Page 9

ACT Demo

After installing ACT, create one or more data-collection packages.

Page 10

ACT Demo

Set up a testing workstation that has Compatibility Monitor already running.

Page 11

ACT Demo

ACT gathers and tracks lots of useful information.

- Application vendor, name, and version
- Assessment tracking: vendor, community, and user assessment
- Detected compatibility issues
- Also indicates the number of computers, and number of versions of each program

Page 12

ACT Demo

ACT will show issues with UAC or session isolation to focus testing efforts.

Page 13

Getting Started: Get the Baselines

- Microsoft's database of pre-canned security baselines
- Automatic updates
- Allows export in a variety of formats
- Version support for: Windows XP – Windows 8; Windows Server 2003 – Windows Server 2012; Internet Explorer 8 – Internet Explorer 10; Office 2007 – 2010; Exchange 2007 – 2010; SQL Server 2012
- Beta support (separate download) for: Windows 8.1, Windows Server 2012 R2, Internet Explorer 11
- No support for: Office 2013 …bummer. Best bet is to use the next-closest version as a proxy until the baseline is released.

Security Compliance Manager (SCM) 3.0 allows us to work with Microsoft security baselines.

Page 14

SCM Demo
- Navigating SCM
- Exporting baselines

Page 15

SCM Demo

A comprehensive list of baselines is available via a built-in check for updates.

Page 16

SCM Demo

Many baselines include hundreds of settings. Focus “phase 1” on lower risk settings.

Page 17

Page 18

SCM Demo

- Almost always want to use "GPO Backup (folder)"
- Compare/Merge is interesting, too
- Do not duplicate or modify baselines in SCM

With a baseline selected, many options appear on the right side.

Page 19

SCM Demo

Exported baselines show up in the designated folder as GUIDs for import.

Page 20

Putting It All Together (Demo)
- Building an OU structure that makes sense
- Importing GPOs
- Baselines & baseline overrides
- WMI filters

Page 21

Putting It All Together

Organizational Units (OUs) should be created to serve three purposes:
1. Forming the structure by which rights can be delegated to subordinate administrators
2. Forming the structure by which Group Policies are most often applied
3. Organization, for organization's sake

Build an OU structure that makes sense for your organization.

Not going to cut it!

Pages 22-24

Putting It All Together

Build an OU structure that makes sense for your organization.

- Unless you have separate AD forests for test/dev, create top-level OUs that represent each stage of development.
- Keep everyone in "prod" unless they are directly involved in test/dev of Group Policy / security baselines.
- Create additional OUs, primarily for delegated administration.
- Separate workstations from servers; users from admins.
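The OU layout from these slides, as an added PowerShell example that is not part of the original deck: it creates Prod, Test and Dev top-level OUs and the workstation/server/user/admin split beneath each, creating only what is missing so it can be re-run, and shows where delegation OUs and test machines go. The OU names, descriptions and the example site names are assumptions; adapt them to your organization.

```powershell
# Added example, not from the original slides. Builds the stage/role OU structure the
# slides describe. Names are assumptions; the script only creates what is missing, so it is
# safe to re-run. Set $WhatIfPreference = $true first to preview without changing AD.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$Stages   = 'Prod', 'Test', 'Dev'                           # top level: rollout stage
$Roles    = 'Workstations', 'Servers', 'Users', 'Admins'    # second level: what gets which baseline

function New-OUIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ParentDN,
        [string] $Description
    )
    $dn = "OU=$Name,$ParentDN"
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN `
                                         -SearchScope OneLevel -ErrorAction SilentlyContinue
    if (-not $existing -and $PSCmdlet.ShouldProcess($dn, 'Create OU')) {
        # Accidental-deletion protection stops a mis-click from removing a whole subtree
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -Description $Description `
                                 -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

foreach ($stage in $Stages) {
    $stageDN = New-OUIfMissing -Name $stage -ParentDN $DomainDN `
                   -Description "$stage stage for Group Policy / security baseline rollout"
    foreach ($role in $Roles) {
        New-OUIfMissing -Name $role -ParentDN $stageDN -Description "$role ($stage)" | Out-Null
    }
}

# Delegation OUs sit below the role OUs, e.g. per site under Prod\Workstations, so a site
# helpdesk can be delegated rights to its own machines without touching the baseline GPOs
# linked above. Assumed example site names:
foreach ($site in 'Chicago', 'Seattle') {
    New-OUIfMissing -Name $site -ParentDN "OU=Workstations,OU=Prod,$DomainDN" `
                    -Description "Workstations managed by the $site helpdesk" | Out-Null
}

# Only the people testing Group Policy changes leave Prod; an assumed test PC moved to Test:
# Move-ADObject -Identity (Get-ADComputer 'TESTPC01').DistinguishedName `
#               -TargetPath "OU=Workstations,OU=Test,$DomainDN"

# Show the resulting tree.
Get-ADOrganizationalUnit -SearchBase $DomainDN -Filter * |
    Where-Object { $_.DistinguishedName -match "OU=(Prod|Test|Dev),$([regex]::Escape($DomainDN))$" } |
    Sort-Object DistinguishedName | Select-Object DistinguishedName
```

Because each stage is a top-level OU, a baseline GPO linked at OU=Workstations,OU=Test never reaches production machines, and promoting it is a matter of linking the same GPO under Prod rather than editing it.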

Page 25

Putting It All Together

Import baselines as they come from Microsoft without modifications.

Start by creating an empty GPO

Name it so that you can easily tie it to the name of the baseline in SCM

Page 26

Putting It All Together

Import baselines as they come from Microsoft without modifications.

Next, right-click on the empty GPO and click Import Settings.

You might be tempted to click Restore from Backup. Don't; it will not work. Restore is meant to put a backed-up GPO from this domain back in place, whereas Import Settings copies the settings from the SCM backup into the empty GPO you just created.

Page 27

Putting It All Together

Import baselines as they come from Microsoft without modifications.

Choose the same folder that you backed up the baselines to (the one that contains all the GUID folders…).

Page 28

Putting It All Together

Import baselines as they come from Microsoft without modifications.

Select the intended baseline

Page 29

Putting It All Together

Use “Override” GPOs to track any deviations from the Microsoft default baselines.

- Microsoft periodically releases new baselines; keeping them original allows easy drop-in replacement
- Also allows easy proof to auditors that they have not been modified
- Document deviations from the Microsoft standard in one or more override GPOs
- Allows tracking of approvals and the purpose of each override in the GPO comment fields
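The import procedure from pages 25-28 and the override pattern above, as one added PowerShell example that is not code from the slides: it creates an empty GPO named after the SCM baseline, imports the unmodified "GPO Backup (folder)" export into it with Import-GPO (the scripted equivalent of Import Settings, not Restore from Backup), creates a separate Override GPO whose comment records the approval, links both to the OU with the override at higher precedence, and saves an HTML report of the untouched baseline for auditors. The export path, baseline name, OU, and approval text are assumptions.

```powershell
# Added example, not from the original slides. Assumed values: export folder, baseline
# name (must match the display name SCM wrote into the backup's bkupInfo.xml), target OU,
# and the change-control reference recorded on the override.
Import-Module GroupPolicy

$BackupRoot   = 'C:\SCM-Exports'                               # folder holding the GUID-named backups
$BaselineName = 'Win7SP1 Computer Security Compliance 1.0'     # assumed SCM baseline name
$TargetOU     = 'OU=Workstations,OU=Test,DC=corp,DC=example'   # start in Test, link under Prod later
$Approval     = 'CHG-1234 approved 2014-05-01 by J. Doe'       # assumed change-control reference

function Import-BaselineWithOverride {
    param([string]$BaselineName, [string]$BackupRoot, [string]$TargetOU, [string]$Approval)

    $baseGpo = "Baseline - $BaselineName"
    $ovGpo   = "Override - $BaselineName"

    # 1. Empty GPO named so it ties back to the SCM baseline; the comment says "do not edit".
    if (-not (Get-GPO -Name $baseGpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $baseGpo -Comment "Unmodified import of SCM baseline '$BaselineName'. Do not edit; put deviations in '$ovGpo'." | Out-Null
    }

    # 2. Import Settings (not Restore from Backup): copies the backup's settings into our GPO.
    #    Import-GPO finds the backup under -Path by the display name stored in it.
    Import-GPO -BackupGpoName $BaselineName -Path $BackupRoot -TargetName $baseGpo | Out-Null

    # 3. Override GPO: starts empty; every deviation goes here, with the reason in the comment.
    if (-not (Get-GPO -Name $ovGpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $ovGpo -Comment "Deviations from '$BaselineName'. $Approval" | Out-Null
    }

    # 4. Link both to the OU. Link order 1 is the highest precedence, so the override wins
    #    wherever both GPOs configure the same setting.
    $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks.DisplayName
    foreach ($name in $baseGpo, $ovGpo) {
        if ($linked -notcontains $name) {
            New-GPLink -Name $name -Target $TargetOU -LinkEnabled Yes | Out-Null
        }
    }
    Set-GPLink -Name $ovGpo -Target $TargetOU -Order 1 | Out-Null

    # 5. Evidence for auditors: a report of the baseline GPO as imported, for later comparison.
    $report = ".\" + ($baseGpo -replace '[^\w\- ]', '_') + ".html"
    Get-GPOReport -Name $baseGpo -ReportType Html -Path $report

    Get-GPInheritance -Target $TargetOU | Select-Object -ExpandProperty GpoLinks |
        Select-Object Order, DisplayName, Enabled
}

Import-BaselineWithOverride -BaselineName $BaselineName -BackupRoot $BackupRoot `
                            -TargetOU $TargetOU -Approval $Approval
```

When Microsoft ships a new version of the baseline, the same function re-run against the new export refreshes the Baseline GPO in place and leaves the Override GPO, with its approvals, untouched.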

Page 30

Putting It All Together

Computers running IE 11:
SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version like "11.%"

Windows 7 and Windows Server 2008 R2 systems:
Select * from Win32_OperatingSystem Where Version like "6.1%"

Windows 7 and Windows Server 2008 R2 systems (member servers and workstations only):
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType <> "2"

Windows 7 only:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"

Windows Server 2008 R2 domain controllers only:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "2"

Windows Server 2008 R2 member servers only:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "3"

(Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.)

WMI Filters allow you to apply different OS/Internet Explorer baselines to the same OU.
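The filters above, as an added PowerShell example that is not from the slides: it runs each WQL query on the local machine with Get-CimInstance and reports whether the filter would apply and how long it took, so you can check which baseline GPOs a given computer would pick up before linking the filters in GPMC. The filter names in the table are assumed labels. The IE 11 query here adds a Drive clause as a practitioner caveat (assuming the system drive is C:): a CIM_DataFile query without one walks every volume on each policy refresh.

```powershell
# Added example, not from the original slides. Evaluates WMI filter queries locally, the way
# Group Policy does: the filter is TRUE when the query returns at least one instance.
$WmiFilters = [ordered]@{
    'Win7 / 2008 R2 (any role)'          = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%"'
    'Win7 / 2008 R2 (not DCs)'           = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> "2"'
    'Windows 7 only'                     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'
    'Server 2008 R2 DCs only'            = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "2"'
    'Server 2008 R2 member servers only' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "3"'
    # Drive="C:" added (assumption: system drive is C:) so WMI does not enumerate every volume.
    'Computers running IE 11'            = 'SELECT path,filename,extension,version FROM CIM_DataFile WHERE Drive="C:" AND path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version LIKE "11.%"'
}

function Test-WmiFilter {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Query)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $rows    = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop)
        $applies = $rows.Count -gt 0
        $err     = $null
    } catch {
        # A query that fails to run does not apply the GPO either; surface why.
        $applies = $false
        $err     = $_.Exception.Message
    }
    $sw.Stop()
    [pscustomobject]@{ Filter = $Name; Applies = $applies; Ms = $sw.ElapsedMilliseconds; Error = $err }
}

# What this machine reports, to sanity-check the filter results against.
$os       = Get-CimInstance Win32_OperatingSystem
$roleName = @{ 1 = 'Workstation'; 2 = 'Domain Controller'; 3 = 'Server' }[[int]$os.ProductType]
"{0} version {1}, ProductType {2} ({3})" -f $os.Caption, $os.Version, $os.ProductType, $roleName

$WmiFilters.GetEnumerator() |
    ForEach-Object { Test-WmiFilter -Name $_.Key -Query $_.Value } |
    Format-Table Filter, Applies, Ms, Error -AutoSize
```

On a Windows 8.1 or Server 2012 R2 machine (version 6.3) every 6.1 filter returns False, which is the point: the same OU can carry the Windows 7 and the Windows 8.1 baselines and each computer only applies its own. The Ms column is the cost every client pays at each policy refresh; a file-system query that takes seconds is a sign to narrow it further.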

Page 31

Common Issues

I have seen and had to deal with the following issues during the rollout of a security baseline:

- Applications that require admin privileges: can attempt to shim them, or use application virtualization (App-V); can deploy dual credentials (flesniak and admin.flesniak)
- FIPS compliance (Intuit TurboTax, for example): common "override"
- User downloads: common "override"
- Website whitelisting: GPO length limitation; build a script

Page 32

Common Issues

Follow the GUI, or write trusted sites using a script to: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
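The scripted alternative the slide points at, as an added PowerShell example that is not code from the slides: it writes trusted-site entries directly under the machine policy ZoneMap key named above, which sidesteps the length limit of the "Site to Zone Assignment List" GPO setting. The key layout it assumes mirrors the per-user ZoneMap (a Domains\<domain> key, an optional \<subdomain> key beneath it, a DWORD named after the URL scheme whose data is the zone id, 2 = Trusted Sites); the treatment of the last two labels as the registrable domain, the sample whitelist, and the file name are assumptions. Run it elevated, for instance as a GPO startup script.

```powershell
# Added example, not from the original slides. Writes site-to-zone entries into the machine
# policy ZoneMap. Assumptions: Domains\<domain>[\<subdomain>] layout with a DWORD named after
# the scheme and data = zone id; registrable domain = last two labels; runs elevated.
$ZoneMapPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

# Internet Explorer zone ids
$Zone = @{ Intranet = 1; Trusted = 2; Internet = 3; Restricted = 4 }

function Add-ZoneMapSite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Site,   # https://portal.example.com, *.example.com, intranet.example.com
        [int]    $ZoneId = $Zone.Trusted,
        [switch] $EscDomains                      # also write the EscDomains copy, used by IE Enhanced Security Configuration on servers
    )
    # The scheme (https, http, file, ...) becomes the value name; no scheme means "*" (any scheme).
    if ($Site -match '^(?<scheme>[a-z]+)://(?<host>[^/:]+)') {
        $scheme = $Matches.scheme; $fqdn = $Matches.host
    } else {
        $scheme = '*'; $fqdn = $Site -replace '/.*$', ''
    }
    if ($fqdn -match '^\d+\.\d+\.\d+\.\d+$') {
        throw "IP addresses are stored under ZoneMap\Ranges, which this script does not handle: $Site"
    }

    # "*.example.com" means the whole domain. A bare domain key covers all of its hosts;
    # a subdomain key underneath it covers that host only.
    $fqdn   = $fqdn -replace '^\*\.', ''
    $labels = $fqdn.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { throw "Expected at least a second-level domain: $Site" }
    $domain = $labels[-2..-1] -join '.'        # two-label assumption; co.uk-style domains need adjusting
    $sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }

    $containers = @('Domains')
    if ($EscDomains) { $containers += 'EscDomains' }
    $written = foreach ($container in $containers) {
        $key = Join-Path $ZoneMapPolicy "$container\$domain"
        if ($sub) { $key = Join-Path $key $sub }
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name $scheme -PropertyType DWord -Value $ZoneId -Force | Out-Null
        $key
    }
    [pscustomobject]@{ Site = $Site; ValueName = $scheme; Zone = $ZoneId; Keys = ($written -join '; ') }
}

# Constructed sample whitelist; in practice keep it in a file under version control
# (one site per line, # comments allowed) and read it with Get-Content .\trusted-sites.txt.
$whitelist = @'
# portals that need the Trusted Sites zone
https://portal.example.com
*.intranet.example.com
https://sso.example.com
'@ -split "`r?`n"

$whitelist | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' } |
    ForEach-Object { Add-ZoneMapSite -Site $_.Trim() } |
    Format-Table -AutoSize
```

Keeping the whitelist in a file rather than in the GPO also gives you a diff history of every site that was ever trusted, which is what you will be asked for when one of them is compromised. Entries written under the Policies hive show up greyed out in the Internet Options dialog, so users can see a site is trusted but cannot remove it.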


Page 34

Common Issues

Several websites will need to be “opted-in” by users due to ActiveX filtering.

Page 35

Common Issues

Applications that require admin privileges Can attempt to shim them, or use application virtualization (App-V) Can deploy dual credentials (flesniak and admin.flesniak)

FIPS-Compliance Intuit TurboTax Common “override”

User Downloads Common “override”

Website Whitelisting GPO length limitation – build a script

ActiveX Initiation Blue “no” symbol

Windows Firewall exceptions not created by application installation Applications that “come out of the woodwork” Users doing non work-related stuff, or deploying “rogue applications”

I have seen and had to deal with the following issues during the rollout of a security baseline:

Page 36

Thanks! Connect with Frank Lesniak:

- twitter.com/franklesniak
- linkedin.com/in/flesniak
- flesniak <atsign> westmonroepartners.com