practical ad security: how to secure your active directory network without breaking it
DESCRIPTION
IT professionals everywhere strive to secure their network, but it can be a daunting task. Luckily, Microsoft provides some boilerplate templates to get you started. In this session, Frank will demonstrate how to get started with Microsoft's security templates, and give you some tips on settings that he frequently needs to change in customer environments to maintain compatibility with existing applications or common configurations.
TRANSCRIPT
© 2014 West Monroe Partners | Reproduction and distribution without West Monroe Partners prior consent prohibited
Practical AD Security: How to Secure Your Active Directory Network Without Breaking It
Quick Introduction
Frank Lesniak
Today’s Agenda
I. Why Implement a Security Baseline?
II. Getting Started: Get an Inventory
III. ACT Demo
IV. Getting Started: Get the Baselines
V. SCM Demo
VI. Putting it All Together (Demo)
VII. Common Issues
Why Implement a Security Baseline?
- All IT systems have vulnerabilities (Manadhata & Wing, 2010), both known/current and unknown/future.
- Being “attack-proof” is a pipe dream and the wrong way to sell IT security:
  - Given infinite time, most IT systems can be hacked or decrypted (brute force, massive parallelism).
  - Hackers/malware often have more resources than YourCorp (state-sponsored hacks, toolkits).
- Today’s threat landscape: we need to limit the ability of the bad guys to get in. However, the reality is that all systems will inevitably be attacked/compromised/hacked. Therefore, we need to treat IT security as a layered approach.
- Once the bad guys are “in”, we also need to limit what they can do. Don’t forget breach detection and response!
Take a layered approach to security. Limit your “attack surface” and reduce user privileges.
Why Implement a Security Baseline?
- Enforce user privilege-limiting controls (UAC, session isolation)
- Disable code execution and downloads from non-whitelisted websites
- Reduce or eliminate the use of protocols and services with known security vulnerabilities
- Enforce the use of strong protocols/cryptographic algorithms over weak ones (or over not using one at all)
- Enforce the use of security auditing, and define what should be audited
- Limit user privileges
- Enforce strong passwords
- Enable the Windows Firewall and enforce logging
- Prevent ActiveX controls from running automatically
- Windows 8/8.1: prevent sign-in with Microsoft accounts (you can still link a Microsoft account to a corporate account)
- Enforce miscellaneous “leading practices”
The Microsoft security baselines address a number of security concerns out of the box.
Why Implement a Security Baseline?
SANS Critical Security Controls “First Five Quick Wins”:
- Application whitelisting (IE whitelisting enforced, but not AppLocker: quarter point)
- Use of standard, secure system configurations (point)
- Patch application software within 48 hours (Microsoft software only: quarter point)
- Patch system software within 48 hours (point)
- Reduced number of users with administrative privileges (point)
Fuzzy math: implementing security baselines helps address 3.5 out of 5 of these SANS controls.
Qualys “Top 4 Controls”:
- Application whitelisting (IE whitelisting enforced, but not AppLocker: quarter point)
- Application patching (Microsoft software only: quarter point)
- OS patching (point)
- User privileges (point)
Fuzzy math: implementing security baselines addresses 2.5 out of 4 of the Qualys controls.
Deploying security baselines also aligns with modern IT security frameworks.
Getting Started: Get an Inventory
Application Compatibility Toolkit 6.1 (Windows Assessment and Deployment Kit “8.1 Update”):
- Inventory of applications
- Inventory of websites (kind of…)
- Application compatibility issues
- Website compatibility issues (kind of…)
AppLocker in “Audit Mode”:
- Will log events against a single PC; you will need to set up event collection and forwarding to aggregate from multiple PCs
- Cannot inventory websites or identify their compatibility issues
- Very limited identification of application compatibility issues
System Center Configuration Manager (ConfigMgr):
- Can inventory applications, but not websites
- Cannot identify compatibility issues
Windows Intune:
- Can inventory applications, but not websites
- Cannot identify compatibility issues
You need a solid application inventory before you start. Website inventory is a challenge.
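The AppLocker audit-mode option above produces raw events, not an inventory. The following PowerShell is an added example (not code from the deck or from Microsoft) that rolls Event ID 8003 ("allowed now, would be blocked if rules were enforced") up into one row per publisher and path, with the number of machines and users that would be affected. It assumes AppLocker is in "Audit only" mode and reads the local log by default; point -LogName at a collector log such as 'ForwardedEvents' once Windows Event Forwarding is in place, as the slide recommends. The log name and -MaxEvents cap are the only assumptions beyond the in-box cmdlets.

```powershell
# Added example, not from the original deck: turn AppLocker "Audit only" events
# into an application inventory. Assumes AppLocker runs in audit mode and that
# the events are in the local log named below, or in a collector log (for
# example 'ForwardedEvents') fed by Windows Event Forwarding.
[CmdletBinding()]
param(
    [string]$LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL',
    [int]   $MaxEvents = 5000
)

function Get-AppLockerAuditInventory {
    param([string]$LogName, [int]$MaxEvents)

    # Event ID 8003 = executable allowed, but would have been blocked if enforced.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8003 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No audit events (ID 8003) found in '$LogName'."
        return
    }

    $hits = foreach ($e in $events) {
        # AppLocker writes its fields into the UserData section of the event XML.
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Computer  = $e.MachineName
            User      = $d.TargetUser   # SID of the user who launched the file
            FilePath  = $d.FilePath     # e.g. %PROGRAMFILES%\Vendor\app.exe
            Publisher = $d.Fqbn         # signer\product\binary\version, or '-' if unsigned
        }
    }

    # One row per (publisher, path): how many machines and users lose the
    # application the day the policy flips from "Audit only" to "Enforce rules".
    $hits | Group-Object Publisher, FilePath | ForEach-Object {
        [pscustomobject]@{
            Publisher = $_.Group[0].Publisher
            FilePath  = $_.Group[0].FilePath
            Computers = @($_.Group.Computer | Sort-Object -Unique).Count
            Users     = @($_.Group.User     | Sort-Object -Unique).Count
            Launches  = $_.Count
        }
    } | Sort-Object Computers, Launches -Descending
}

Get-AppLockerAuditInventory -LogName $LogName -MaxEvents $MaxEvents | Format-Table -AutoSize
```

Run it elevated on the collector (reading the AppLocker operational log requires administrative rights). The rows with the highest Computers count are the applications that need a rule or a shim before enforcement; the "-" publisher rows are unsigned binaries that cannot get a publisher rule at all.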
ACT Demo
- Creating Data Collection Packages
- Using Compatibility Monitor
- Information Gathered by ACT
- Example Compatibility Problem
ACT Demo
After installing ACT, create one or more data-collection packages.
ACT Demo
Set up a testing workstation that has Compatibility Monitor already running.
ACT Demo
ACT gathers and tracks lots of useful information.
- Application vendor, name, and version
- Assessment tracking: vendor, community, and user assessment
- Detected compatibility issues
- Also indicates the number of computers, and the number of versions of each program
ACT Demo
ACT will show issues with UAC or session isolation to focus testing efforts.
Getting Started: Get the Baselines
Microsoft’s database of pre-canned security baselines:
- Automatic updates
- Allows export in a variety of formats
- Version support for: Windows XP – Windows 8; Windows Server 2003 – Windows Server 2012; Internet Explorer 8 – Internet Explorer 10; Office 2007 – 2010; Exchange 2007 – 2010; SQL Server 2012
- Beta support for (separate download): Windows 8.1, Windows Server 2012 R2, Internet Explorer 11
- No support for Office 2013 …bummer. Best bet is to use the next-closest version as a proxy until the baseline is released.
Security Compliance Manager (SCM) 3.0 allows us to work with MS security baselines.
SCM Demo
- Navigating SCM
- Exporting baselines
SCM Demo
A comprehensive list of baselines is available via a built-in check for updates.
SCM Demo
Many baselines include hundreds of settings. Focus “phase 1” on lower risk settings.
SCM Demo
- You almost always want to export as “GPO Backup (folder)”
- Compare/Merge is interesting, too
- Do not duplicate or modify baselines in SCM
With a baseline selected, many options appear on the right side.
SCM Demo
Exported baselines show up in the designated folder as GUIDs for import.
Putting It All Together (Demo)
- Building an OU Structure That Makes Sense
- Importing GPOs
- Baselines & Baseline Overrides
- WMI Filters
Putting It All Together
Organizational Units (OUs) should be created to serve three purposes:
- Forming the structure by which rights can be delegated to subordinate administrators
- Forming the structure by which Group Policies are most often applied
- Organization, for organization’s sake
Build an OU structure that makes sense for your organization.
Not going to cut it!
Putting It All Together
Build an OU structure that makes sense for your organization.
- Unless you have separate AD forests for test/dev, create top-level OUs that represent each stage of development.
- Keep everyone in “prod” unless they are directly involved in test/dev of Group Policy / security baselines.
- Create additional OUs, primarily for delegated administration.
- Separate workstations from servers; users from admins.
Putting It All Together
Import baselines as they come from Microsoft without modifications.
1. Start by creating an empty GPO. Name it so that you can easily tie it to the name of the baseline in SCM.
2. Next, right-click on the empty GPO and click Import Settings. You might be tempted to click Restore from Backup. Don’t; it will not work.
3. Choose the same folder that you backed up the baselines to (the one that contained all the GUID folders…).
4. Select the intended baseline.
Putting It All Together
Use “Override” GPOs to track any deviations from the Microsoft default baselines.
- Microsoft periodically releases new baselines; keeping them original allows easy drop-in replacement
- Also allows easy proof to auditors that they have not been modified
- Document deviations from the Microsoft standard in one or more override GPOs
- Allows tracking of approvals and the purpose of each override in the comment fields
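The import steps and the override-GPO pattern above can be scripted with the GroupPolicy module so the same thing happens the same way in the test and prod OUs. The following PowerShell is an added example (not the deck's or Microsoft's code). Assumed values are the SCM export folder, the baseline's display name as it appears in SCM, the OU distinguished name and the change-ticket text; the cmdlets are standard, and the GUID-to-name mapping step assumes the standard GPMC backup layout (a bkupInfo.xml inside each GUID folder), which is what SCM's "GPO Backup (folder)" export produces.

```powershell
# Added example, not from the original deck: the GPMC steps done with the
# GroupPolicy module, plus the override GPO. Assumed values: export folder,
# baseline display name in SCM, target OU, and the change-ticket reference.
Import-Module GroupPolicy

$BackupRoot   = 'C:\SCM\Export'                                  # the folder full of GUID subfolders
$BaselineName = 'WS2012 Member Server Security Compliance 1.0'   # exactly as named in SCM (assumed)
$OverrideName = "$BaselineName - Override"
$TargetOU     = 'OU=Servers,OU=Test,DC=corp,DC=example'          # test stage first (assumed)

# 1. Map the GUID folders back to display names. Each standard GPO backup folder
#    carries a bkupInfo.xml whose GPODisplayName is what -BackupGpoName matches.
Get-ChildItem -Path $BackupRoot -Directory | ForEach-Object {
    $info = [xml](Get-Content -Path (Join-Path $_.FullName 'bkupInfo.xml'))
    [pscustomobject]@{
        BackupId = $_.Name
        GPO      = $info.GetElementsByTagName('GPODisplayName').Item(0).InnerText
    }
} | Format-Table -AutoSize

# 2. Empty GPO named after the baseline, then "Import Settings" into it.
#    (Restore-GPO is the "Restore from Backup" path the slide says will not work.)
New-GPO -Name $BaselineName -Comment 'Microsoft baseline, imported from SCM unmodified' | Out-Null
Import-GPO -BackupGpoName $BaselineName -Path $BackupRoot -TargetName $BaselineName | Out-Null

# 3. Separate override GPO. Deviations go here, never into the baseline, and the
#    GPO comment (Description) records purpose and approval for the auditors.
$override = New-GPO -Name $OverrideName
$override.Description = 'Deviations from the Microsoft baseline. Approved under CHG-0001 (assumed ticket); reason recorded in each setting comment.'

# 4. Link both to the OU. Link order 1 is applied last, so the override wins
#    any setting that both GPOs define.
New-GPLink -Name $BaselineName -Target $TargetOU -LinkEnabled Yes | Out-Null
New-GPLink -Name $OverrideName -Target $TargetOU -LinkEnabled Yes -Order 1 | Out-Null

# 5. Verify precedence, and record the baseline's version counters: if DSVersion
#    moves without a new import, somebody edited the baseline GPO directly.
Get-GPInheritance -Target $TargetOU | Select-Object -ExpandProperty GpoLinks |
    Sort-Object Order | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
Get-GPO -Name $BaselineName | Select-Object DisplayName, ModificationTime,
    @{ n = 'ComputerVersion'; e = { $_.Computer.DSVersion } },
    @{ n = 'UserVersion';     e = { $_.User.DSVersion } }
```

When Microsoft ships a new baseline version, repeat steps 1 and 2 against a new GPO named for the new version and swap the link; the override GPO stays in place, which is the point of keeping the two separate.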
Putting It All Together
Computers running IE 11:
SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version like "11.%"
Windows 7 and Windows Server 2008 R2 systems:
Select * from Win32_OperatingSystem Where Version like "6.1%"
Windows 7 and Windows Server 2008 R2 systems (member servers and workstations only):
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType <> "2"
Windows 7 only:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"
Windows Server 2008 R2 domain controllers only:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "2"
Windows Server 2008 R2 member servers only:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "3"
WMI Filters allow you to apply different OS/Internet Explorer baselines to the same OU.
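A WMI filter "matches" when its query returns at least one instance, and the Group Policy client pays the cost of the query on every policy refresh. The following PowerShell is an added example (not from the deck) that runs each of the six queries above on the local machine through Get-CimInstance, reports whether the filter would apply, and times it. The filter names in the table are mine; the queries are copied verbatim from the slide. The timing column matters for the IE 11 filter: a CIM_DataFile query with no Drive restriction makes WMI walk every file on every volume, so expect it to take seconds rather than milliseconds.

```powershell
# Added example, not from the original deck: evaluate the slide's WMI filter
# queries locally the way the Group Policy client does (root\cimv2, at least one
# row = filter applies) and time each one. Queries are verbatim from the slide;
# the descriptive names are this example's own.
$filters = [ordered]@{
    'Computers running IE 11'                  = 'SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version like "11.%"'
    'Windows 7 / Server 2008 R2 (any role)'    = 'Select * from Win32_OperatingSystem Where Version like "6.1%"'
    'Win 7 / 2008 R2 member servers and wks'   = 'Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType <> "2"'
    'Windows 7 only'                           = 'Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"'
    'Server 2008 R2 domain controllers only'   = 'Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "2"'
    'Server 2008 R2 member servers only'       = 'Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "3"'
}

function Test-WmiFilterQuery {
    param([Parameter(Mandatory)][string]$Query)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Same namespace Group Policy uses for WMI filters.
        $rows  = @(Get-CimInstance -Namespace 'root/cimv2' -Query $Query -ErrorAction Stop)
        $count = $rows.Count
        $err   = $null
    } catch {
        # A syntax error in the filter means it never matches anywhere.
        $count = 0
        $err   = $_.Exception.Message
    }
    $sw.Stop()
    [pscustomobject]@{
        Applies = ($count -gt 0)
        Rows    = $count
        Millis  = $sw.ElapsedMilliseconds
        Error   = $err
    }
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
"Local OS: $($os.Caption), version $($os.Version), ProductType $($os.ProductType) (1 = workstation, 2 = domain controller, 3 = server)"

$results = foreach ($name in $filters.Keys) {
    $r = Test-WmiFilterQuery -Query $filters[$name]
    [pscustomobject]@{ Filter = $name; Applies = $r.Applies; Millis = $r.Millis; Error = $r.Error }
}
$results | Format-Table -AutoSize
```

On a Windows 7 workstation, exactly one of the three role-specific OS filters should show Applies = True, and the two broader ones should also be True; on anything other than version 6.1 all five are False, which is the check to run before linking a filtered baseline to an OU that mixes operating systems.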
Common Issues
Follow the GUI, or write trusted sites using a script to: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
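The key named above holds a Domains subtree: one subkey per registrable domain, an optional subkey per host label beneath it, and inside each a REG_DWORD named for the scheme (or "*" for any scheme) whose value is the zone number, 2 being Trusted sites. The following PowerShell is an added example (not the deck's script) that writes such entries from a list and reads them back. The three sites are constructed for illustration; the script expects the registrable domain to be given explicitly rather than guessing it from a URL, so it does not have to know which suffixes (co.uk and the like) are public.

```powershell
# Added example, not from the original deck: write trusted-site entries directly
# under the policy ZoneMap key as an alternative to the GPO list when that list
# grows too long. Key layout: Domains\<domain>[\<host>] with a REG_DWORD per
# scheme ('*' = any scheme); 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites. Needs an elevated prompt (HKLM).
$ZoneMap      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$TrustedSites = 2

# Constructed sample list. HostLabel '' means the whole domain (*.domain).
$sites = @(
    @{ Domain = 'contoso.com';  HostLabel = 'portal'; Scheme = 'https' }   # https://portal.contoso.com
    @{ Domain = 'contoso.com';  HostLabel = 'hr';     Scheme = '*'     }   # hr.contoso.com, any scheme
    @{ Domain = 'fabrikam.net'; HostLabel = '';       Scheme = 'https' }   # https://*.fabrikam.net
)

function Set-ZoneMapSite {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$HostLabel = '',
        [string]$Scheme    = 'https',
        [int]   $Zone      = $TrustedSites
    )
    $key = Join-Path (Join-Path $ZoneMap 'Domains') $Domain
    if ($HostLabel) { $key = Join-Path $key $HostLabel }
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Force overwrites an existing value, so re-running the script is safe.
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
    $key
}

function Get-ZoneMapSites {
    # Read back every entry so the result can be verified or exported.
    Get-ChildItem -Path (Join-Path $ZoneMap 'Domains') -Recurse | ForEach-Object {
        $k = $_
        foreach ($scheme in $k.GetValueNames()) {
            [pscustomobject]@{
                Key    = $k.Name -replace '^HKEY_LOCAL_MACHINE', 'HKLM:'
                Scheme = $scheme
                Zone   = $k.GetValue($scheme)
            }
        }
    }
}

foreach ($s in $sites) { Set-ZoneMapSite @s | Out-Null }
Get-ZoneMapSites | Format-Table -AutoSize
```

Deploy it as a computer startup script or a scheduled task so the list is re-applied after policy refreshes; because it writes under the Policies hive, users cannot remove the entries from the Trusted sites dialog.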
Common Issues
Several websites will need to be “opted-in” by users due to ActiveX filtering.
Common Issues
I have seen and had to deal with the following issues during the rollout of a security baseline:
- Applications that require admin privileges: can attempt to shim them, or use application virtualization (App-V); can deploy dual credentials (flesniak and admin.flesniak)
- FIPS compliance: breaks Intuit TurboTax; a common “override”
- User downloads: a common “override”
- Website whitelisting: GPO length limitation; build a script
- ActiveX initiation: ActiveX Filtering shows a blue “no” symbol and users must opt in per site
- Windows Firewall exceptions not created by application installation
- Applications that “come out of the woodwork”: users doing non-work-related stuff, or deploying “rogue applications”
Thanks! Connect with Frank Lesniak:
twitter.com/franklesniak
linkedin.com/in/flesniak
flesniak <atsign> westmonroepartners.com