
Active Directory in ICS: Lessons Learned From The Field

Donovan Tindill of Honeywell at the S4x15 Operations Technology Day (OTDay). A meaty but practical technical session on how to use Active Directory to help manage and secure your ICS.



  1. Lessons Learned from the Field: Active Directory in ICS
     HPS Industrial Cyber Security Services. DigitalBond S4x15, January 2015.
  2. Abstract
     • Many control systems don't have domains, or leverage them only for user authentication. Domains are intended to help centralize the maintenance and management of a large group of member computers, and bring huge productivity gains for administration, implementing change, and consistency. This session will cover lessons learned about Active Directory domains and their use with control systems, from someone who deals only with control system environments: what works, what to avoid, guidance on how to plan and implement certain features, and useful things you may not have known about. This is not an introduction to Active Directory; it is intended for those who are familiar with Active Directory, its purpose, basic administration and group policy management.
     • 45 minutes
     Honeywell Proprietary, 2015
  3. Speaker
     • Donovan Tindill, Senior Security Consultant – Honeywell Industrial Cyber Security (formerly Matrikon)
       – For almost 15 years, specialized in defending cyber security for industrial automation & control systems (IACS) in most every industry and countless ICS.
       – Responsible for large scale project planning, enterprise risk management, security program development, training, vulnerability assessments, industry compliance, NERC CIP, etc.
       – ISA99/IEC62443 contributor, and co-chair of Working Group 6 on IACS patch management.
       – Assessed and designed LOTS of ICS networks and domains, cyber security assessments (people-process-technology), developed ICS cyber security programs, etc.
       – Email: http://tinyurl.com/DonovanAtHon; please connect on LinkedIn and mention this conference.
     The views and opinions expressed here are my own and don't necessarily represent the views or opinions of Honeywell.
  4. Honeywell Industrial Cyber Security
     Honeywell Industrial Cyber Security is the leading provider of cyber security solutions that help protect the availability, safety, and reliability of industrial control systems (ICS) and plant operations. Leveraging our industry leading process control and cyber security experience, our expertise, and technology, we deliver proven solutions designed for the specific needs of process control environments.
     Cyber Security = Process Availability, Safety and Reliability
  5. Honeywell Protects – From the Inside Out and Outside In
     • Build security into our products
       – Employ the same risk-management mechanisms for cyber security that we design for safe industrial operations
     • Strengthen security with proven end-to-end solutions
       – Security architecture, security controls and best industrial practices
       – Services delivered by a global team of experts
     • Assure continued protection and resilience
       – Situational awareness
       – Monitoring, management and training services
  6. Industrial Cyber Security Solutions Framework – Embedded Security Is Just the Start
     [Diagram] Three layers: Security Awareness (Cyber Security Assessments, Monitoring and Situational Awareness); Security Design (Architectural Design and Best Practices); Security Controls (Operational Security Controls). Technology is used to drive secure architectural design, leveraging network and host controls.
     We Address Industrial Cyber Security End-to-End
  7. Complete Industrial Cyber Security Solutions
     [Diagram: six service areas arranged around TECHNOLOGY]
     • Assessments & Audits: Security Assessments; Network & Wireless Assessments; Security Audits; Current State Analysis
     • Architecture & Design: Design & Optimization; Zones & Conduits; Policy Development
     • Response & Recovery: Backup and Restore; Incident Response
     • Network Security: Firewall; Intrusion Prevention; Access Control
     • Situational Awareness: Continuous Monitoring; Compliance & Reporting; Security Analytics; Security Information & Event Management (SIEM)
     • Endpoint Protection: Patching & Anti-Virus; Application Whitelisting; End Node Hardening; Security Awareness Training; Portable Media & Device Security
  8. Managed Industrial Cyber Security Services
     • Secure Connection: Secure tunnel for services
     • Protection Management: Qualified anti-malware files & operating system patches
     • Continuous Monitoring and Alerting: Monitoring of system, network & cyber security performance; 24/7 alerting against thresholds
     • Intelligence Reporting: Weekly compliance and quarterly trend reports
     • Perimeter and Intrusion Management: Firewall: configuration rules + log file review and reporting; IPS: signature update validation + log file review and reporting
  9. Why Honeywell Industrial Cyber Security
     • Industry Leading People and Experience: Global team of certified experts with deep experience across all industries; 100's of successful PCN / industrial cyber security projects; Leaders in security standards ISA99 / IEC62443
     • Industry Leading Processes and Expertise: Proprietary methodologies specific for process control environment & operations; Best practices developed through years of delivering solutions; Comprehensive understanding of unique process control security requirements
     • Industry Leading Technology: First to obtain ICS product security certification with ISASecure; Largest R&D investment in cyber security solutions and technology; Strategic partnerships with best in class security product vendors
     Trusted, Proven Solution Provider
  10. Topics
      Technical Level 100: Time Synchronization; DNS; AD Replication; DC Maintenance; Backup and Restore
      Technical Level 200: User and Group Guidelines; ICS Group Policy; Groups.xml Vulnerability
      Technical Level 300: DC Through Firewall; Fine Grained Password Policies
      Technical Level 400: AppLocker
      If common sense were common, we wouldn't have to fix these over and over…
  11. Terminology
      • NTDS – NT Directory Services
      • AD – Active Directory (aka NTDS)
      • DC – Domain Controller
      • FSMO – Flexible Single Master Operation
      • DNS – Domain Naming Service
      • GPO – Group Policy Object
      • SCW – Security Configuration Wizard
  12. Time Synchronization – Drifting from Reality
      Ft McMurray Oilsands Conference 2015
  13. Time Synchronization
      • Accurate time sync is a fundamental component of AD authentication. Time drift can result in domain decay and mysterious authentication issues if it exceeds 4 minutes between domain members.
      • Actual Event:
        – One group of computers cannot authenticate with other PCs in the same domain. Some logons work, some don't, not consistent across the environment.
        – Root Cause: Time drift greater than 5 minutes between DCs results in replication failure; domain members polarize with a DC and 'islands' of authentication result.
        – Solution: It's ugly! Force demotion of the bad DC, fix time sync, promote it to DC again.
  14. Time Synchronization
      • Identify the 'PDC Emulator' role. It is the time master for the entire domain.
      • Get a GPS or other accurate (i.e., Stratum) time source; otherwise, the cheap clock on the motherboard is used.
      • w32tm /config /manualpeerlist:"X.X.X.X Y.Y.Y.Y" /syncfromflags:manual /reliable:yes /update
      • w32tm /query /status
      • w32tm /query /peers
      Sources: How to configure an authoritative time server in Windows Server, http://support.microsoft.com/kb/816042.
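The slides state the threshold (4 to 5 minutes) and the remedy, but not how to find drift before authentication islands form. The following is an added example, not from the deck: it reports the PDC Emulator and measures every DC's clock against it with `w32tm /stripchart`, flagging anything beyond a threshold. It assumes the ActiveDirectory RSAT module, that `w32tm.exe` can reach each DC on UDP 123, and a 240-second default threshold taken from the slide's 4-minute figure.

```powershell
# Added example (not part of the presentation). Assumes ActiveDirectory module + w32tm.exe.
Import-Module ActiveDirectory

function Get-DcTimeSkewReport {
    param([int]$Samples = 3, [double]$ThresholdSeconds = 240)

    $pdc = (Get-ADDomain).PDCEmulator      # time master for the whole domain
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # Measure this host's offset to every DC. Subtracting two offsets cancels the
    # local clock and leaves the DC-to-DC skew, which is what breaks replication.
    $offsets = @{}
    foreach ($dc in $dcs) {
        $raw  = & w32tm.exe /stripchart /computer:$dc /samples:$Samples /dataonly 2>&1
        $vals = foreach ($line in $raw) {
            # /dataonly lines look like "14:02:11, +00.0123456s"
            if ("$line" -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] }
        }
        $offsets[$dc] = if ($vals) { ($vals | Measure-Object -Average).Average } else { $null }
    }

    foreach ($dc in $dcs) {
        $skew = $null
        if ($null -ne $offsets[$dc] -and $null -ne $offsets[$pdc]) {
            $skew = $offsets[$dc] - $offsets[$pdc]
        }
        $status = if ($null -eq $skew) { 'NO DATA (unreachable or NTP blocked at firewall)' }
                  elseif ([math]::Abs($skew) -gt $ThresholdSeconds) { 'DRIFT' }
                  else { 'OK' }
        [pscustomobject]@{
            DomainController = $dc
            IsPdcEmulator    = ($dc -eq $pdc)
            SkewFromPdcSec   = $skew
            Status           = $status
        }
    }
}

Get-DcTimeSkewReport | Format-Table -AutoSize
```

Run it from any domain member with RSAT; a `DRIFT` row on a DC is the condition the "Actual Event" describes, and a `NO DATA` row usually means NTP is not allowed through the firewall between zones.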
  15. Domain Naming Service (DNS) – What's your address again?
  16. Domain Naming Service (DNS)
      • DNS allows humans to use hostnames to communicate with network devices. AD uses DNS to store DC roles, help DCs find each other, and help domain members find DCs.
      • Every DC has a copy of the same DNS database and is continuously synchronized.
      • If a domain controller cannot communicate with DNS, you're in trouble!
      • If a domain member cannot communicate with DNS, only previously cached credentials will work.
  17. DNS
      • Actual Event:
        – Domain controller network driver update/change fails; after reboot it cannot find its peer DNS server and cannot log on!
        – Root Cause: Its local IP address was not included in the DNS server list.
        – Solution: DNS1 should be a neighbor DC, DNS2 should be another neighbor, DNS3 should be 127.0.0.1. Have at least 2 real DNS servers, with the loopback IP last.
        – When a DC first boots, it is a member only. It must first find other DCs through DNS and replicate the DNS & NTDS databases before it can authorize itself to authenticate users (including logons at the console). Otherwise, really slow or failed logon.
        – Always stagger DC reboots!
      Sources:
      - DNS servers on NIC should include 127.0.0.1 but not as first entry, http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx.
      - Microsoft Best Practice for DC DNS settings, http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest.
  18. DNS
      • Replicate to all DNS servers in the forest.
      • Dynamic Updates: Secure Only
        – ipconfig /registerdns (used to refresh local DNS records on demand)
      • Turn on aging/scavenging for all forward and reverse lookup zones (i.e., check the box).
      • Zone Transfers: Explicitly specify servers or turn off.
      • In ICS, you can delete the list of root hint servers. Stops DNS noise before the firewall.
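An added example (not from the deck) that covers both DNS slides above: the client side checks a DC's own NIC against the stated rule (two or more real DNS servers, loopback last and never first); the server side applies the settings listed on this slide with the DnsServer cmdlets. It assumes Windows Server 2012+ with the DnsClient and DnsServer modules, that it is run on the DC itself, and that `'Ethernet'` is the interface alias in use (a placeholder). Interval values of 7 days are assumptions, not from the slides.

```powershell
# Added example (not part of the presentation). Assumes DnsClient + DnsServer modules, run on a DC.
Import-Module DnsClient; Import-Module DnsServer

function Test-DcDnsClientOrder {
    param([string[]]$Servers)
    $loop   = '127.0.0.1', '::1'
    if (-not $Servers) { return @('no DNS servers configured') }
    $issues = @()
    $real   = @($Servers | Where-Object { $_ -notin $loop })
    if ($Servers[0] -in $loop)     { $issues += 'loopback is the first entry (DC cannot find peers at boot)' }
    if ($real.Count -lt 2)         { $issues += 'fewer than 2 real DNS servers (neighbor DCs) listed' }
    if ($Servers[-1] -notin $loop) { $issues += 'last entry is not 127.0.0.1' }
    return $issues
}

# Client side: this DC's own NIC. 'Ethernet' is a placeholder alias.
$servers = (Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4).ServerAddresses
$issues  = Test-DcDnsClientOrder -Servers $servers
if ($issues) { Write-Warning ('DNS client order: ' + ($issues -join '; ')) } else { 'DNS client order OK' }

# Server side: every primary zone we created, forward and reverse alike
$zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    if ($z.IsDsIntegrated) {
        # replicate to all DNS servers in the forest; only authenticated members may update records
        Set-DnsServerPrimaryZone -Name $z.ZoneName -ReplicationScope Forest -DynamicUpdate Secure
    }
    # zone transfers: none at all (or use -SecureSecondaries TransferToSecureServers -SecondaryServers <ip list>)
    Set-DnsServerPrimaryZone -Name $z.ZoneName -SecureSecondaries NoTransfer
    # aging/scavenging ("check the box") so records of rebuilt or retired hosts age out
    Set-DnsServerZoneAging -Name $z.ZoneName -Aging $true -NoRefreshInterval '7.00:00:00' -RefreshInterval '7.00:00:00'
}
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval '7.00:00:00'

# ICS hosts have no reason to resolve Internet names: dropping the root hints stops DNS noise at the firewall
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force
```

Scavenging is destructive by design, so enable it only after confirming every static record (PLC gateways, historians, OPC servers) is marked static; dynamic records that are never refreshed will be removed after the two intervals elapse.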
  19. Active Directory Replication – Working Together
  20. Sites and Services (NTDS Replication)
      • AD Sites and Services is used to specify the interval, protocol, and links for the AD database (which may contain DNS) to replicate between domain controllers.
      • If subnets are specified and associated with sites (e.g., an area of the plant), members will prefer DCs in their subnet/site.
      • Links are automatically created as a full mesh and replicated every 3 hours.
  21. Sites and Services (NTDS Replication)
      • Actual Event:
        – User accounts created on a specific domain controller never work in other areas of the plant.
        – Root Cause: NTDS replication links missing.
        – Solution: Re-architect links; verify all DCs participate in bi-directional replication.
        – Some scenarios require a custom NTDS replication architecture.
      • In ICS, a 15 minute replication interval is fine (default 180).
      • repadmin /syncall
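To catch the "missing links" root cause before a user account fails to work across the plant, the following added example (not from the deck) lists every DC's inbound replication partners and last result, then sets all site links to the 15-minute interval the slide recommends. It assumes the ActiveDirectory module on Windows Server 2012+ (for `Get-ADReplicationPartnerMetadata`) and `repadmin.exe` on the path.

```powershell
# Added example (not part of the presentation). Assumes ActiveDirectory module (2012+) and repadmin.exe.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        $partners = @(Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -ErrorAction SilentlyContinue)
        $failing  = @($partners | Where-Object { $_.LastReplicationResult -ne 0 })
        $oldest   = ($partners | Sort-Object LastReplicationSuccess | Select-Object -First 1).LastReplicationSuccess
        $status   = if ($partners.Count -eq 0) { 'NO PARTNERS (island?)' }
                    elseif ($failing.Count -gt 0) { 'FAILING' }
                    else { 'OK' }
        [pscustomobject]@{
            DomainController = $dc
            InboundPartners  = @($partners | Select-Object -ExpandProperty Partner -Unique).Count
            Failures         = $failing.Count
            OldestSuccess    = $oldest
            Status           = $status
        }
    }
}

function Set-IcsReplicationInterval {
    param([int]$Minutes = 15)
    # Site-link frequency governs inter-site replication; intra-site replication is change-driven anyway
    Get-ADReplicationSiteLink -Filter * | ForEach-Object {
        Set-ADReplicationSiteLink -Identity $_ -ReplicationFrequencyInMinutes $Minutes
        "$($_.Name): replication interval set to $Minutes min"
    }
}

Get-ReplicationHealth | Format-Table -AutoSize
Set-IcsReplicationInterval -Minutes 15
# Force a push across all partitions to every partner now rather than waiting for the schedule
repadmin /syncall /AdeP
```

A DC with zero inbound partners is exactly the island the "Actual Event" describes; a non-zero `LastReplicationResult` is a Win32 error code that `repadmin /showrepl` will explain in detail.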
  22. DC Maintenance
      • dcdiag
  23. DC Maintenance
      • Actual Event:
        – Patches are installed on the DC holding FSMO roles; during reboot it suffers a critical failure and will not boot.
        – If FSMO roles are forcibly seized and transferred to another DC while it is offline, its hostname is now blacklisted. Must force removal of the DC role and reinstall the OS with a new hostname.
        – Root Cause: FSMO roles were not transferred before maintenance occurred on the DC.
        – Solution: Transfer roles before/after using PowerShell:
          • Import-Module ActiveDirectory
          • Move-ADDirectoryServerOperationMasterRole -Identity "ServerName" -OperationMasterRole 0,1,2,3,4
          • netdom query fsmo
      Sources:
      - Transfer or Seize FSMO Roles, https://support.microsoft.com/kb/255504/en-us.
      - How to remove data in Active Directory after an unsuccessful domain controller demotion, https://support.microsoft.com/kb/216498.
      - Why not to reuse server names, http://www.jackcobben.nl/?page_id=403.
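The two maintenance slides give the commands but not the sequence. As an added example (not from the deck), the routine below runs `dcdiag` as a health gate, shows which DC holds each of the five roles, and if the DC about to be patched holds any, transfers them gracefully to a named peer while the source is still online, so no seizure is ever needed. It assumes the ActiveDirectory module; the host names passed in are placeholders.

```powershell
# Added example (not part of the presentation). Assumes ActiveDirectory module, dcdiag.exe, netdom.exe.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $d = Get-ADDomain; $f = Get-ADForest
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-FsmoRolesOffHost {
    param([Parameter(Mandatory)][string]$MaintenanceHost,   # DC about to be patched/rebooted
          [Parameter(Mandatory)][string]$TargetHost)        # healthy peer that keeps the roles meanwhile

    # Health gate: /q prints only failures, so empty output means dcdiag is clean
    $diag = & dcdiag.exe /s:$TargetHost /q
    if ($diag) { throw "dcdiag reports problems on $TargetHost, not moving roles:`n$($diag -join "`n")" }

    $holders = Get-FsmoHolders
    $toMove  = @($holders.Keys | Where-Object { $holders[$_] -like "$MaintenanceHost*" })
    if ($toMove.Count -eq 0) { return "$MaintenanceHost holds no FSMO roles; safe to patch." }

    # Transfer (graceful handshake with the current holder), never seize, while both DCs are online
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetHost -OperationMasterRole $toMove -Confirm:$false
    "Moved $($toMove -join ', ') from $MaintenanceHost to $TargetHost"
    & netdom.exe query fsmo          # independent confirmation of the new holders
}

# Usage (placeholder names): run before patching DC01, then move the roles back afterwards.
Move-FsmoRolesOffHost -MaintenanceHost 'DC01' -TargetHost 'DC02'
```

Because the roles are moved only while both DCs are reachable, the hostname is never blacklisted and the failed-boot scenario on the slide reduces to restoring or rebuilding a role-less DC.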
  24. Backup and Restore – Prepared for Failure
  25. Backup and Restore
      • DCs are peers that share and continuously replicate the AD database. Constantly changing!
      • Disk images (e.g., Acronis, Ghost, Clonedisk) of your DCs should not be used for restoration, as they will include a stale copy of the AD database. Age of backup is key!
      • Microsoft only supports Windows Server Backup Full System and 'System State' backups, which contain the Active Directory contents.
      • Schedule backup from 2+ DCs, store on a different server, at least once per day. Also, use ntdsutil for ad-hoc snapshots. Used by Directory Service Repair Mode.
      • Microsoft recommends ntdsutil to remove failed DCs, then a clean OS install and dcpromo for new ones.
      Sources:
      - AD Backup and Restore, http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx.
      - System State Recovery of a Domain Controller; Taking Active Directory Snapshots.
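An added example (not from the deck) of the backup routine the slide describes: a System State backup with Windows Server Backup, copied off-host with the date in the path, plus an ad-hoc `ntdsutil` snapshot, registered as a daily task under a dedicated service account in the naming style the User and Group slides use. It assumes the Windows Server Backup feature is installed, `E:` is a local non-critical volume, and `\\backup01\dcbackups`, `C:\Scripts\Backup-DC.ps1` and `ICS\dc_backup_task` are placeholders.

```powershell
# Added example (not part of the presentation). Assumes Windows Server Backup feature, ScheduledTasks module.
function Invoke-DcSystemStateBackup {
    param([string]$LocalTarget  = 'E:',                     # local volume, never the system volume
          [string]$OffHostShare = '\\backup01\dcbackups')   # placeholder second server

    # System State = registry, SYSVOL, NTDS.dit (the AD database) and boot files
    & wbadmin.exe start systemstatebackup -backupTarget:$LocalTarget -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

    # Age of the backup is key, so stamp the copy with host name and date
    $dest = Join-Path $OffHostShare ('{0}_{1:yyyyMMdd}' -f $env:COMPUTERNAME, (Get-Date))
    & robocopy.exe (Join-Path $LocalTarget 'WindowsImageBackup') $dest /E /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }   # 0-7 = success variants
    return $dest
}

function New-NtdsSnapshot {
    # Point-in-time copy of NTDS that can later be mounted and compared or used in DSRM
    & ntdsutil.exe 'activate instance ntds' 'snapshot' 'create' 'quit' 'quit'
}

# Register the routine daily at 02:00 on this DC (repeat on at least one more DC).
# The task runs as a purpose-named service account, not Administrator, so its
# password can be rotated without touching anything else.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File C:\Scripts\Backup-DC.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
Register-ScheduledTask -TaskName 'DC System State Backup' -Action $action -Trigger $trigger `
    -User 'ICS\dc_backup_task' -Password (Read-Host 'Password for ICS\dc_backup_task') -RunLevel Highest
```

The script file referenced by the task would simply call `Invoke-DcSystemStateBackup` followed by `New-NtdsSnapshot`; keep the retention on the share longer than the tombstone lifetime, since a System State older than that cannot be restored into the domain at all.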
  26. Users and Groups – "We use Administrator for everything"
  27. User and Group Guidelines
      • Don't use the domain or local Administrator account to run any applications!
        – Not due to security risk, but to decouple dependency upon it for password changes.
      • Rename local Administrator (e.g., LocalAdmin) and rename domain Administrator (e.g., Admini).
      • Avoid use of local or domain administrator accounts; rely upon individually assigned user accounts with similar privilege.
  28. User and Group Guidelines
      • Create two (2) user accounts per person.
        – User-level account (e.g., jdoe) with application privileges. Standard password.
        – Admin-level account (e.g., admin_jdoe) with administrator privileges. Strong password.
        – Log on regularly with the user-level account; use the admin-level account only when needed. Works very well with Windows 2008/Vista/7 UAC.
  29. User and Group Guidelines
      • Create 'Service' user accounts for each major application (e.g., historian interfaces, databases, scheduled tasks, OPC services, backup software) so they can be used for running DCOM and Windows Services.
        – Examples: dc_backup_task, acronis_backup_service, historian_opc_service
      • Running programs and services as Administrator is the single biggest reason why password changes don't happen!
        – Changing the Administrator password in many environments will require, or result in, process shutdown.
      • Application-specific service accounts clearly identify their purpose and localize their impact if/when their passwords are changed.
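An added example (not from the deck) for the three guideline slides: the first function inventories Windows services and scheduled tasks on a host that still run as a built-in or renamed Administrator (the dependency that blocks password changes); the second creates a purpose-named service account and places it in the group the Fine Grained Password Policy slides later tie to the 32-char/no-expire policy. It assumes the ActiveDirectory and ScheduledTasks modules, CIM access to the target hosts, and that the `ICS` domain, OU path and group name are placeholders.

```powershell
# Added example (not part of the presentation). Assumes ActiveDirectory + ScheduledTasks modules.
Import-Module ActiveDirectory

function Find-AdminRunAs {
    # Flags services and tasks whose identity is Administrator or a renamed equivalent
    param([string[]]$ComputerName = $env:COMPUTERNAME,
          [string]$AdminPattern = '(^|\\)(Administrator|Admini|LocalAdmin)$')   # names from slide 27
    foreach ($c in $ComputerName) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $c |
            Where-Object { $_.StartName -match $AdminPattern } |
            ForEach-Object { [pscustomobject]@{ Computer = $c; Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName } }
        Get-ScheduledTask -CimSession $c |
            Where-Object { $_.Principal.UserId -match $AdminPattern } |
            ForEach-Object { [pscustomobject]@{ Computer = $c; Kind = 'Task'; Name = $_.TaskName; RunAs = $_.Principal.UserId } }
    }
}

function New-IcsServiceAccount {
    param([Parameter(Mandatory)][string]$Name,      # e.g. historian_opc_service
          [Parameter(Mandatory)][string]$Purpose,   # lands in Description so its role is obvious
          [string]$Path = 'OU=Service Accounts,DC=ics,DC=example,DC=local')   # placeholder OU
    $pw = Read-Host -AsSecureString "32-character password for $Name"
    New-ADUser -Name $Name -SamAccountName $Name -Description $Purpose -Path $Path `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    # Group that slide 45 binds to the service-account password settings object
    Add-ADGroupMember -Identity 'Pass 32c NoExpire NoLock DL Group' -Members $Name
    Get-ADUser -Identity $Name -Properties Description, PasswordNeverExpires
}

# Usage: inventory two placeholder hosts, then create the account for the historian's OPC service
Find-AdminRunAs -ComputerName 'HIST01', 'ENG01' | Format-Table -AutoSize
New-IcsServiceAccount -Name 'historian_opc_service' -Purpose 'Historian OPC DA interface (DCOM)'
```

Run the inventory before any Administrator password change: every row it returns is a service or task that will stop working the moment that password rotates, which is the process-shutdown risk the slide warns about.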
  30. User and Group Guidelines
      • Restricted Resource group: grants a specific access level to a specific device/system/application. Defined owner for each.
      [Diagram, reconstructed from the slide's two columns]
      • Control System: Product Admins; Engineers; Supervisors; Operators
      • Domain Members: Domain Administrators; Remote Desktop Users; Domain Users
      • Domain Controllers: Enterprise Admins; Administrators; Group Policy Mgrs; Password Update
      • Network Infrastructure: Read-Only; Read-Write
      • Applications: Administrators; Engineers / Developers; Users
  31. Group Policy – Shouldn't they all be the same?
  32. Group Policy Settings
      • Group Policies allow single-step roll out of computer settings to select or all domain members.
      • GPO settings can be applied to users and computers, commonly based on group membership or organizational unit.
        – Windows 2008 Active Directory and Group Policy Preferences allow almost limitless selection criteria. With patches, they are supported by Windows XP+.
      • Examples:
        – Password policy, security logging policy, disable unnecessary services, disable unnecessary Windows components and features, local group membership, Windows Firewall rules, Start Menu and Desktop appearance, startup scripts, etc.
      Sources:
      - Group Policy Preferences, Windows 2008, http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx.
      - Group Policy Preferences, Windows 2012, http://technet.microsoft.com/en-us/library/dn581922.aspx.
      - Group Policy Preferences Patch, for Windows XP, 2003, and Vista: http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx.
  33. Recommended Group Policy Settings
      • Minimum password length, complexity, and age
      • Enable security auditing (account logon events, account mgmt, logon events, policy change, system events)
      • Increase default event log file size.
      • Disable LM authentication, potentially NTLM.
      • Disable unnecessary services. In ICS, you can disable:
        – WinHTTP Auto-Proxy, SSDP Discovery, Smart Card, HomeGroup Listener, HomeGroup Provider
        – Security Configuration Wizard (SCW) is excellent at hardening Windows Server 2003 SP1 and newer (e.g., disables unnecessary services; Windows Firewall rules; prepares Group Policies)
      • Disable unnecessary Windows components and features. In ICS, you can disable:
        – AutoPlay, Games, Desktop Gadgets, NetMeeting, Outlook Express, HomeGroup, Windows Messenger, Windows Media Player, Windows Media Center
      • Uninstall unnecessary software (e.g., Adobe, Java, Office).
      Sources:
      - Security Configuration Wizard, http://technet.microsoft.com/en-us/library/cc754997.aspx.
  34. Advanced Group Policy Settings
      • Modify allow/deny User Rights Assignment for:
        – Logon locally (e.g., keyboard console)
        – Remote Desktop
        – Access Computer via network (e.g., Network Share, DCOM Service)
        – Logon As Service
        – Logon As Batch (i.e., Scheduled Task)
      • Windows Firewall rules. In ICS, you might choose to control which IP address ranges (e.g., Local Subnet) can access:
        – Network Discovery, Remote Desktop, File & Print Sharing
        – Part of SCW
      • AppLocker application execution rules. In ICS, you can use AppLocker as a poor man's whitelisting application.
        – More on this in later slides…
      • Do not perform the above on a production environment without prior testing!!!
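An added example (not from the deck) that builds a single GPO carrying several settings from the two slides above: a larger Security log, LM disabled via the LAN Manager authentication level, the five listed services disabled, and a Remote Desktop firewall rule restricted to the local subnet. It assumes Windows Server 2012+ RSAT (GroupPolicy, NetSecurity and ActiveDirectory modules); the GPO name and OU are placeholders. The registry paths are the documented policy locations; the service `Start` values are written as registry policy rather than through the Security Settings UI, which is one of several ways to reach the same state.

```powershell
# Added example (not part of the presentation). Assumes GroupPolicy, NetSecurity, ActiveDirectory modules.
Import-Module GroupPolicy; Import-Module NetSecurity; Import-Module ActiveDirectory

function New-IcsBaselineGpo {
    param([string]$Name     = 'ICS Baseline',                                          # placeholder
          [string]$TargetOu = 'OU=Operator Stations,DC=ics,DC=example,DC=local')       # placeholder

    $gpo = New-GPO -Name $Name -Comment 'ICS hardening baseline; test on a non-production OU first'

    # Security event log: 256 MB (policy value is in KB) instead of the small default
    Set-GPRegistryValue -Name $Name -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' `
        -ValueName 'MaxSize' -Type DWord -Value (256 * 1024) | Out-Null

    # LAN Manager authentication level: 4 = send NTLMv2 only, refuse LM. Use 5 to refuse NTLM as well
    # (the "potentially NTLM" on the slide) once every ICS application has been tested with it.
    Set-GPRegistryValue -Name $Name -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
        -ValueName 'LmCompatibilityLevel' -Type DWord -Value 4 | Out-Null

    # Services the slide says an ICS host can do without: Start = 4 means Disabled
    $services = 'WinHttpAutoProxySvc', 'SSDPSRV', 'SCardSvr', 'HomeGroupListener', 'HomeGroupProvider'
    foreach ($svc in $services) {
        Set-GPRegistryValue -Name $Name -Key "HKLM\SYSTEM\CurrentControlSet\Services\$svc" `
            -ValueName 'Start' -Type DWord -Value 4 | Out-Null
    }

    # Windows Firewall rule stored directly in the GPO: Remote Desktop only from the local subnet
    $store = "$((Get-ADDomain).DNSRoot)\$Name"
    New-NetFirewallRule -PolicyStore $store -DisplayName 'ICS RDP (local subnet only)' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress LocalSubnet -Action Allow | Out-Null

    New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null
    return $gpo
}

New-IcsBaselineGpo
```

Link the GPO to a test OU containing one engineering station first and run `gpresult /h report.html` on it; the User Rights Assignment changes from the slide have no cmdlet equivalent and are best added to the same GPO through the Security Settings editor after this baseline has been verified.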
  35. Groups.xml Vulnerability
      • If you use Group Policy Preferences to automate resetting of local user passwords – Don't!
      • The encryption used in the groups.xml file is weak and disabled in MS14-025.
      • Implement via PowerShell script
        – See MS14-025
      Sources:
      - How To Automate Changing The Local Administrator Password, http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx.
      - MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege, http://support.microsoft.com/kb/2962486.
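The patch stops new passwords being written, but any `cpassword` already sitting in SYSVOL stays readable by every domain member until the preference item is deleted. As an added example (not from the deck), the read-only check below walks the domain's Policies share for Groups.xml and the other preference files that can carry that attribute and reports which GPO still stores one, so the item can be removed and the password rotated. It assumes the ActiveDirectory and GroupPolicy modules; it performs no decryption.

```powershell
# Added example (not part of the presentation). Read-only audit; assumes ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory; Import-Module GroupPolicy

function Find-GppPasswords {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $sysvol = "\\$Domain\SYSVOL\$Domain\Policies"
    # Preference files that may carry a cpassword attribute (Groups.xml is the one on the slide)
    $names  = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $sysvol -Recurse -Include $names -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        [xml]$x = Get-Content -Path $file.FullName -Raw
        foreach ($node in $x.SelectNodes('//*[@cpassword]')) {
            if ([string]::IsNullOrEmpty($node.cpassword)) { continue }      # attribute present but empty
            # The GPO GUID is the folder directly under \Policies\
            $guid    = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0].Trim('{}')
            $gpoName = try { (Get-GPO -Guid $guid).DisplayName } catch { 'unknown (orphaned folder?)' }
            $target  = if ($node.userName) { $node.userName } else { $node.ParentNode.name }
            [pscustomobject]@{
                GPO     = $gpoName
                File    = $file.FullName
                Account = $target
                Action  = 'Delete the preference item, rotate this password, then re-run (MS14-025)'
            }
        }
    }
}

Find-GppPasswords | Format-Table -AutoSize
```

An empty result is the goal; each row is a GPO edit plus a password rotation on every host that GPO applied to, and the check is cheap enough to schedule alongside the SIEM reporting the Fine Grained Password Policy slides mention.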
  36. DC Through Firewall – Fitting Just Right
  37. DC Through Firewall
      • DCs will often be in different zones and across firewalls. Really, they should be in enclaves due to their importance.
      • Domain Controller Default Ports: KB179442
        – DNS TCP/UDP 53
        – NTP TCP/UDP 123
        – Kerberos TCP/UDP 88
        – RPC TCP 135
        – NetBIOS UDP 137-138, TCP 139
        – File Sharing TCP 445
        – kpasswd TCP/UDP 464
        – http-rpc-epmap TCP 594
        – Global Catalog TCP 3268
        – RPC (Windows 2003/XP and older): TCP 1025-5000
        – RPC (Windows 2008/Vista and newer): TCP 49152-65535
        – Not Used in Field: UDP 500, TCP 636, TCP 3269, UDP 4500, UDP 5355, TCP 9389 (based on actual results, 2008 R2 at an ICS site)
      Sources:
      - Service overview and network port requirements for Windows, http://support.microsoft.com/kb/832017.
      - How to configure a firewall for domains and trusts, http://support.microsoft.com/kb/179442.
  38. DC Through Firewall
      • Registry changes can be applied to change dynamic ports to fixed, or specify a smaller range.
      • Set NTDS to 32901
      • Set NTFRS to 32902
      • Set NetLogon to 32903
      • Set DFSR to 32904 (if used)
      • Set WMI to 32905 (if used)
      Sources:
      - Restricting Active Directory RPC traffic to a specific port, http://support.microsoft.com/kb/224196.
      - How to restrict FRS replication traffic to a specific static port, http://support.microsoft.com/kb/319553.
      - Configuring DFSR to a Static Port, http://blogs.technet.com/b/askds/archive/2009/07/16/configuring-dfsr-to-a-static-port-the-rest-of-the-story.aspx.
      - Setting Up a Fixed Port for WMI, http://msdn.microsoft.com/en-us/library/bb219447(v=vs.85).aspx.
      - IANA ports 32897-33122 Unassigned, http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt.
  39. DC Through Firewall
      • KB154596: Configure RPC/DCOM range by Registry or dcomcnfg.exe
        – TCP 45000-45999
        – 1000 ports is sufficient for most applications.
      • Used by all listening RPC services.
      • Best effect on Win2003 and earlier OS, as it moves away from 1025-5000.
      Sources:
      - How to configure RPC dynamic port allocation to work with firewalls, http://support.microsoft.com/kb/154596.
      - IANA ports, http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt.
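An added example (not from the deck) that applies the fixed-port values from the three slides above on a DC and verifies the listeners after the reboot. The port numbers are the deck's (32901-32904 and 45000-45999); the registry value names come from the KB articles the slides cite (KB224196 for NTDS and Netlogon, KB319553 for NTFRS, KB154596 for the RPC range). The WMI fixed port is not shown, since per the cited MSDN page it is set with `winmgmt -standalonehost` rather than a registry value. It assumes Windows Server 2012+ for `Get-NetTCPConnection`.

```powershell
# Added example (not part of the presentation). Run elevated on the DC; a reboot is required afterwards.
function Set-DcFixedPorts {
    param([int]$Ntds = 32901, [int]$Ntfrs = 32902, [int]$Netlogon = 32903, [int]$Dfsr = 32904,
          [string]$RpcRange = '45000-45999')

    # KB224196: NTDS replication and Netlogon on static RPC ports
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -PropertyType DWord -Value $Ntds -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'DCTcpipPort' -PropertyType DWord -Value $Netlogon -Force | Out-Null

    # KB319553: File Replication Service (SYSVOL on older domains) static port
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' `
        -Name 'RPC TCP/IP Port Assignment' -PropertyType DWord -Value $Ntfrs -Force | Out-Null

    # DFSR is configured with dfsrdiag rather than the registry, and only where the service exists
    if (Get-Service -Name DFSR -ErrorAction SilentlyContinue) {
        & dfsrdiag.exe StaticRPC /port:$Dfsr /Member:$env:COMPUTERNAME | Out-Null
    }

    # KB154596: dynamic RPC range used by every listening RPC service (DCOM, WMI, etc.)
    $rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
    New-ItemProperty -Path $rpc -Name 'Ports'                 -PropertyType MultiString -Value @($RpcRange) -Force | Out-Null
    New-ItemProperty -Path $rpc -Name 'PortsInternetAvailable' -PropertyType String      -Value 'Y'          -Force | Out-Null
    New-ItemProperty -Path $rpc -Name 'UseInternetPorts'       -PropertyType String      -Value 'Y'          -Force | Out-Null

    'Reboot required; then run Test-DcFixedPorts to confirm the listeners.'
}

function Test-DcFixedPorts {
    param([int[]]$Expected = (32901, 32902, 32903), [int]$RangeStart = 45000, [int]$RangeEnd = 45999)
    $listening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
    foreach ($p in $Expected) {
        [pscustomobject]@{ Check = "static port $p"; Result = ($p -in $listening) }
    }
    # Anything still listening on the old 49152-65535 range escaped the new RPC range
    $stray = @($listening | Where-Object { $_ -ge 49152 -and $_ -le 65535 })
    [pscustomobject]@{ Check = 'no listeners left in 49152-65535'; Result = ($stray.Count -eq 0) }
    $inRange = @($listening | Where-Object { $_ -ge $RangeStart -and $_ -le $RangeEnd })
    [pscustomobject]@{ Check = "RPC listeners inside $RangeStart-$RangeEnd"; Result = ($inRange.Count -gt 0) }
}
```

Apply the same values on every DC before tightening the firewall between zones; the "Before" and "After" slides that follow show the resulting rule set shrinking from the full 49152-65535 range to five static ports plus the 1000-port RPC range.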
  40. DC Through Firewall
      • Before: [Diagram] RPC Range 49152-65535
  41. DC Through Firewall
      • After: [Diagram] Registry Hacks 32901-32905; RPC Range 45000-45999
  42. Fine Grained Password Policies – Something for Everyone
  43. Fine Grained Password Policies
      • By default, there is only one domain password policy.
      • Starting at the Windows 2008 domain functional level, different password policies can apply to different AD users.
        – Set your Default: 12-char, 60-day expiry, never lockout.
          • Defined by Default Domain Policy
        – Admin Level: 20-char, 180-day expiry.
          • Create and assign to Group 'Pass 20c 180d NoLock DL Group'
        – Service Accts: 32-char, never auto-expire, never lockout.
          • Create and assign to Global Group 'Pass 32c NoExpire NoLock DL Group'
      • Implemented manually with ADSIedit in Windows 2008; wizard-driven in 2012. Rely on SIEM to detect multiple logons.
      Sources:
      - Fine Grained Password Policies, Windows 2008, http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx.
  44. Fine Grained Password Policies
      Parameter | Admin Level Policy | Service Accounts
      Common-Name | Passwd-20char-MaxAge180d-NoLockout | Passwd-32char-NoMaxAge-NoLockout
      msDS-PasswordSettingsPrecedence | 8 | 5 (low number is higher precedence)
      msDS-PasswordReversibleEncryptionEnabled | False | False
      msDS-PasswordHistoryLength | 20 | 32
      msDS-PasswordComplexityEnabled | True | True
      msDS-MinimumPasswordAge | "-864000000000" (9 zeros, 1 day) | "-864000000000" (9 zeros, 1 day)
      msDS-MaximumPasswordAge | "-155520000000000" (10 zeros, 180 days) | "-9223372036854775808" (never expire)
      msDS-LockoutThreshold | 0 | 0
      msDS-LockoutObservationWindow | 0 | 0
      msDS-LockoutDuration | 0 | 0
      msDS-PSOAppliesTo | Windows Account: Pass 20c 180d NoLock DL Group | Windows Account: Pass 32c NoExpire NoLock DL Group
  45. Fine Grained Password Policies
      • 'Pass 20c 180d NoLock DL Group' members:
        – Administrators, Domain Admins, Backup Operators, Schema Admins, Enterprise Admins, Account Operators, Server Operators
        – DCS Administrators, Network Admins
        – Any other application-specific groups or user accounts with privilege to change the system.
      • 'Pass 32c NoExpire NoLock DL Group' members:
        – Service Accounts
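The wizard-driven 2012 path the slides mention also has cmdlets. As an added example (not from the deck), the two Password Settings Objects from the table are created with `New-ADFineGrainedPasswordPolicy` and bound to the slide's groups; "never expire" is written as the raw `msDS-MaximumPasswordAge` value the table lists (-9223372036854775808, i.e. `[long]::MinValue`) because that is the value the directory stores. It assumes the ActiveDirectory module and that the two groups already exist.

```powershell
# Added example (not part of the presentation). Assumes ActiveDirectory module; groups already exist.
Import-Module ActiveDirectory

function New-IcsPasswordPolicies {
    # Settings shared by both PSOs (from the table on slide 44)
    $common = @{
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        MinPasswordAge              = '1.00:00:00'    # -864000000000 in the table = 1 day
        LockoutThreshold            = 0               # never lock out
        LockoutObservationWindow    = '00:00:00'
        LockoutDuration             = '00:00:00'
    }

    # Admin level: 20 characters, 180-day maximum age, precedence 8 (lower number wins)
    New-ADFineGrainedPasswordPolicy -Name 'Passwd-20char-MaxAge180d-NoLockout' -Precedence 8 `
        -MinPasswordLength 20 -PasswordHistoryCount 20 -MaxPasswordAge '180.00:00:00' @common
    Add-ADFineGrainedPasswordPolicySubject -Identity 'Passwd-20char-MaxAge180d-NoLockout' `
        -Subjects 'Pass 20c 180d NoLock DL Group'

    # Service accounts: 32 characters, precedence 5, never expire. Create with a finite age,
    # then overwrite the attribute with the "never" sentinel the table shows.
    New-ADFineGrainedPasswordPolicy -Name 'Passwd-32char-NoMaxAge-NoLockout' -Precedence 5 `
        -MinPasswordLength 32 -PasswordHistoryCount 32 -MaxPasswordAge '180.00:00:00' @common
    $pso = Get-ADFineGrainedPasswordPolicy -Identity 'Passwd-32char-NoMaxAge-NoLockout'
    Set-ADObject -Identity $pso.DistinguishedName -Replace @{ 'msDS-MaximumPasswordAge' = [long]::MinValue }
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Pass 32c NoExpire NoLock DL Group'

    Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
}

function Get-EffectivePasswordPolicy {
    # Which PSO a user actually receives; empty output means the Default Domain Policy applies
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
}

New-IcsPasswordPolicies
Get-EffectivePasswordPolicy -SamAccountName 'admin_jdoe'            # expect the 20-char PSO
Get-EffectivePasswordPolicy -SamAccountName 'historian_opc_service' # expect the 32-char PSO
```

Because PSOs apply to users and global groups only, the "DL" groups named on the slides must be global in scope for `Add-ADFineGrainedPasswordPolicySubject` to have any effect; the resultant-policy check is the quickest way to prove the precedence worked for an account that is in both groups.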
  46. AppLocker – Use What You've Got
  47. AppLocker
      • Poor man's application whitelisting to ensure only specified executables, scripts, and installers run.
      • It's free, but:
        – No "learning mode" or management tools.
        – Weaker protections than commercial whitelisting solutions (e.g., injection, overflows)
      • Use-cases: Windows 7 Ent, 2008 R2, and higher
        – Application inventory, unwanted software, standardization, change control, etc.
        – DMZ Hosts, Engineering Stations, Operator Stations
      Sources:
      - AppLocker Step-by-Step Guide, http://technet.microsoft.com/en-us/library/dd723686(v=ws.10).aspx.
  48. AppLocker Base Policy
      • Create a group policy, link it to the specific OU where the test computer will be located.
      • Computer Policy > Windows > Security > Application Control Policies:
        – Executable Rules:
          • Allow BUILTIN\Administrators All Files
          • Allow Everyone All files in the Windows folder
            – Requires testing per-site to determine what executables are used commonly.
        – Windows Installer Rules:
          • Allow BUILTIN\Administrators All Windows Installer files
        – Script Rules:
          • Allow BUILTIN\Administrators All Scripts
      • Application Identity service Startup Mode: Auto
      • Group Policy loopback processing mode: Replace
  49. AppLocker Per-App Policy
      1) Identify the application you want to run (e.g., Remote Desktop Connection).
      2) Create a Global Group (e.g., RDP Client Run) and add users.
      3) Create a GPO (e.g., RDP Client Run GPO), link it to the same OU as the base AppLocker policy.
      4) Modify the GPO with an Executable Rule allowing the global group to access the specified executables (e.g., mstsc.exe).
         a. Some applications may require multiple executables to function (will be confirmed during testing).
      5) Log on as Test User > Execute > Check Logs > Tune GPO.
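An added example (not from the deck) that expresses the base policy from slide 48 and the per-app procedure from slide 49 as AppLocker XML and pushes it into the GPOs with `Set-AppLockerPolicy`, setting the loopback Replace mode and the Application Identity service start as registry policy in the same GPO. Well-known SIDs used: S-1-5-32-544 is BUILTIN\Administrators and S-1-1-0 is Everyone. The GPO names, OU and the `RDP Client Run` group are the slide's own examples; the domain and test user are placeholders. It assumes the AppLocker, GroupPolicy and ActiveDirectory modules; setting the service start through registry policy is one approach and is known not to stick on later Windows versions where AppIDSvc is protected.

```powershell
# Added example (not part of the presentation). Assumes AppLocker, GroupPolicy, ActiveDirectory modules.
Import-Module AppLocker; Import-Module GroupPolicy; Import-Module ActiveDirectory

function New-PathRule {
    param([string]$Name, [string]$Sid, [string]$Path)
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">" +
    "<Conditions><FilePathCondition Path=`"$Path`"/></Conditions></FilePathRule>"
}

function New-BaseAppLockerXml {
    # Slide 48: admins may run anything; everyone may run what is in the Windows folder
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    $(New-PathRule 'Admins: all files' 'S-1-5-32-544' '*')
    $(New-PathRule 'Everyone: Windows folder' 'S-1-1-0' '%WINDIR%\*')
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
    $(New-PathRule 'Admins: all Windows Installer files' 'S-1-5-32-544' '*.*')
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    $(New-PathRule 'Admins: all scripts' 'S-1-5-32-544' '*')
  </RuleCollection>
</AppLockerPolicy>
"@
}

function New-PerAppAppLockerXml {
    # Slide 49 step 4: one executable rule per binary, scoped to the application's global group
    param([string]$GroupName, [string[]]$Paths)
    $sid   = (Get-ADGroup -Identity $GroupName).SID.Value
    $rules = ($Paths | ForEach-Object { New-PathRule "${GroupName}: $_" $sid $_ }) -join "`n"
    "<AppLockerPolicy Version=`"1`"><RuleCollection Type=`"Exe`" EnforcementMode=`"Enabled`">$rules</RuleCollection></AppLockerPolicy>"
}

function Publish-AppLockerGpo {
    param([string]$GpoName, [string]$Xml, [string]$TargetOu)
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    $dom  = Get-ADDomain
    $ldap = "LDAP://$($dom.PDCEmulator)/CN={$($gpo.Id)},CN=Policies,CN=System,$($dom.DistinguishedName)"
    $file = Join-Path $env:TEMP "$GpoName.xml"
    Set-Content -Path $file -Value $Xml -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $file -Ldap $ldap
    # Application Identity service must run for AppLocker to enforce (Start 2 = Automatic);
    # loopback Replace (2) makes the per-computer GPO govern whoever logs on to these machines
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc' -ValueName 'Start' -Type DWord -Value 2 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
    New-GPLink -Name $GpoName -Target $TargetOu -ErrorAction SilentlyContinue | Out-Null
    return $file
}

$ou   = 'OU=AppLocker Test,DC=ics,DC=example,DC=local'    # placeholder test OU
$base = Publish-AppLockerGpo -GpoName 'AppLocker Base' -Xml (New-BaseAppLockerXml) -TargetOu $ou
$rdp  = Publish-AppLockerGpo -GpoName 'RDP Client Run GPO' -TargetOu $ou `
            -Xml (New-PerAppAppLockerXml -GroupName 'RDP Client Run' -Paths '%WINDIR%\System32\mstsc.exe')
# Slide 49 step 5 before the logon test: what would the policy decide for a test user?
Test-AppLockerPolicy -XmlPolicy $rdp -Path 'C:\Windows\System32\mstsc.exe' -User 'ICS\jdoe'
```

Switch `EnforcementMode` to `AuditOnly` for the first weeks on the test OU and read the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL) to build the per-site list of commonly used executables the slide says must be discovered by testing; only then flip to `Enabled`.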
  50. AppLocker
      • With loopback processing, it only affects the specified computers in the OU, and only users when they log on to that computer.
      • One GPO and group per application. Once set up, just add users to the AD group as well as link the GPO to OUs.
        – Will need AppLocker GPOs for antivirus, backup tools, etc.
      • Ensures change control procedures are followed!
      • When implemented by qualified personnel with testing discipline, it will increase system performance, reliability, and security posture.
  51. Questions
      • Time Synchronization
      • DNS
      • AD Replication
      • DC Maintenance
      • Backup and Restore
      • User and Group Guidelines
      • ICS Group Policy
      • Groups.xml Vulnerability
      • DC Through Firewall
      • Fine Grained Password Policies
      • AppLocker
      The views and opinions expressed here are my own and don't necessarily represent the views or opinions of Honeywell.
  52. Thank You
      • Donovan Tindill, Senior Security Consultant
      • Email: http://tinyurl.com/DonovanAtHon; please connect on LinkedIn and mention this conference.
      • Credits: Connor, Liam, Roger J.
