System Hardening 
Windows OS Clients and Applications
About me..
• This talk really shouldn't be about me.. It's about you..
• This community is about educating each other and making things better
What is this talk about?
• Hardening Microsoft OSes for domain-joined and standalone computers
• Large scale EMET deployments
• How to approach the Java problem if you run out-of-date versions
• Adobe Acrobat customization according to NSA standards
• Local admin accounts and passwords, and what to do about them
• Cryptography – some brief thoughts
OS Security references
• Microsoft Security Compliance Manager - http://technet.microsoft.com/en-us/library/cc677002.aspx
• Center for Internet Security Benchmarks** - https://benchmarks.cisecurity.org/downloads/multiform/index.cfm
• DISA STIGs - http://iase.disa.mil/stigs/os/windows/Pages/index.aspx
CIS Security Benchmarks
• Recommended technical control rules/values for hardening operating systems
• Distributed free of charge by CIS in PDF format
• Where to begin?
• Incident Response and SSLF.. Flip up the guide for your audience!
Microsoft SCM Current Baselines
MS Security Compliance Manager
• Export Group Policy Objects in your environment and re-import them into SCM
• Mix and merge two separate security baselines to remediate issues or consolidate security
• No Active Directory? Apply policy through the Local GPO tools
Inventory Your Current Security Posture (If Any)
• Security policies can easily be exported from the Group Policy Management Console and re-imported into Microsoft Security Compliance Manager
• Two options to mix and merge: compare with SCM's pre-populated baselines, or build your own based upon the CIS PDFs
• My preference is to build based upon CIS and take security to the maximum hardened limit. (Ex. earlier Win7 CIS gave Self Limited Functionality profiles (SSLF) for high security environments)
Warning: You will Break Stuff!
Troubleshooting Hardening Issues
• Easiest method is to have a container set up in Active Directory with all group policy inheritance blocked.
• Apply your OS hardening policies through the local GPO tool. This tool is available when you install Security Compliance Manager.
• Installer can be found in C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO << after SCM install
Why troubleshoot CIS with the LGPO tool
• Instead of having your server admins randomly shut group policies off at the server level, you can rapidly respond to testing by locally turning off policies
• It's a needle-in-a-haystack approach. Most issues you deal with will probably be around network security and authentication hardening
• Works great if you want to apply hardened OS policies in standalone high security environments
A few other things
• The concept of least privilege should always be used (UAC)
• Getting asked even by IT folks to turn it off (UAC)
• Limit admin accounts. Secondary admin accounts are better. Never use admin accounts to browse or do daily tasks on your network
• Autorun should be one of the first things you disable in any org. It's a quick hit with minimal impact on end users
• Prevent the firewall from being turned off. Use Domain firewall profiles heavily, while restricting Public and Home profiles.
• Be careful with audit policies. Too much audit information can be a bad thing in logs
A few other things continued
• Debug programs.. No one should have access to do this. Pg. 76
• Limit the number of remotely accessible registry paths. (Take note: on Windows 7 the Remote Registry service has to be manually started.) This should be disabled. Pg. 133
• LAN Manager Authentication Level: enforce NTLMv2 and refuse LM and NTLM << This should be non-negotiable, i.e. Pass the Hash. Pg. 137
• For high security environments, don't process the legacy run list and run once list << Could lead to other issues with certain applications and driver applications. Use cautiously.
• Prevent computers from joining Homegroups.. BYOD issues. Pg. 169
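The two slides above are a checklist; what a practitioner wants on top of it is a repeatable way to see whether a given host actually matches it. The script below is an added example, not part of the original deck: it reads the registry values and service/firewall state behind several of those bullets (UAC, Autorun, LAN Manager authentication level, the legacy run / run once lists, the Remote Registry service, the firewall profiles) and reports drift. The registry locations and expected values are the editor's mapping of those settings, not something the slides state, so confirm them against the CIS benchmark pages cited above before enforcing anything.

```powershell
# Added example, not from the slides: audit a Windows client for several of the
# settings discussed above and report drift. The registry locations and expected
# values are the editor's mapping of those settings (confirm them against the CIS
# benchmark pages cited above); run in an elevated PowerShell 5+ session on
# Windows 8 / Server 2012 or later (Get-NetFirewallProfile needs the NetSecurity module).

$checks = @(
    @{ Name     = 'UAC enabled (EnableLUA)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value    = 'EnableLUA'; Expected = 1 },
    @{ Name     = 'Autorun disabled on all drive types (NoDriveTypeAutoRun = 0xFF)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'; Expected = 255 },
    @{ Name     = 'LM auth level: send NTLMv2 only, refuse LM and NTLM'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Name     = 'Do not process the legacy run list'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'DisableLocalMachineRun'; Expected = 1 },
    @{ Name     = 'Do not process the run once list'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'DisableLocalMachineRunOnce'; Expected = 1 }
)

function Test-RegistrySetting {
    param([hashtable]$Check)
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Value) } else { $null }
    [pscustomobject]@{
        Setting  = $Check.Name
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $Check.Expected) { 'OK' } else { 'DRIFT' }
    }
}

$results = @(foreach ($c in $checks) { Test-RegistrySetting -Check $c })

# Remote Registry service: the slides want it disabled, not merely stopped.
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Setting  = 'Remote Registry service start type'
    Expected = 'Disabled'
    Actual   = if ($svc) { "$($svc.StartType)" } else { '<service not present>' }
    Status   = if ($svc -and "$($svc.StartType)" -eq 'Disabled') { 'OK' } else { 'DRIFT' }
}

# Windows Firewall: every profile must stay on; Domain is relied upon, Public/Private restricted.
foreach ($p in Get-NetFirewallProfile) {
    $on = ("$($p.Enabled)" -eq 'True')
    $results += [pscustomobject]@{
        Setting  = "Firewall profile '$($p.Name)' enabled"
        Expected = 'True'
        Actual   = "$($p.Enabled)"
        Status   = if ($on) { 'OK' } else { 'DRIFT' }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit so a scheduled task or config-management run can flag the host.
if ($results.Status -contains 'DRIFT') { exit 1 }
```

The script reads, it never writes: it fits the deck's advice of testing hardened policies in an isolated OU or with the LGPO tool first, because it tells you what a baseline actually set on the box before you decide whether a broken application is the policy's fault.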
But Wait….I HAZ Shells
Disable Remote Shell Access
• Remote Shell Access pg. 160
• You need to decide if it's worth it for you to really have remote shell access.
• Reduce your attack surface… This is what OS hardening is all about
Let's have a talk about Large Scale EMET deployments (5,000 Machines and More)
EMET Large Scale deployments 
• Resources 
• Customizing 
• Scaling 
• Group Policy 
• Where does everything fit and in what order?
EMET Resources
• Kurt Falde Blog (http://blogs.technet.com/b/kfalde/)
• Security Research and Defense Blog (http://blogs.technet.com/b/srd/)
• EMET Social TechNet Forum (http://social.technet.microsoft.com/Forums/security/en-US/home?forum=emet)
• EMET Pilot Proof of Concept Recommendations (http://social.technet.microsoft.com/wiki/contents/articles/23598.emet-pilot-proof-of-concept-recommendations.aspx)
• EMET Known Application Issues Table (http://social.technet.microsoft.com/wiki/contents/articles/22931.emet-known-application-issues-table.aspx)
Avoiding EMET “Resume Generating Events”
What to avoid with EMET deployments
• Do not immediately add popular or recommended XML profiles to EMET. Attaching EMET to processes without vetting them in an organization is not a good idea.
• Do not use Group Policy out of the gate. Instead, inject with local policies first to vet out problems.
• Use system-wide DEP settings cautiously. You may uncover applications, even ones not hooked into EMET, crashing because of system-wide DEP. "Application Opt In" is a safer solution
EMET Customization 
• Base MSI 
• Exporting custom XML and using EMET_Conf to push settings 
• Registry import to policy key for EMET. Acts as local group policy.
Using EMET_Conf
EMET_Conf (cont.)
• Use EMET_Conf --delete_all to remove all application mitigation settings and certificate trust configurations
• Build your own settings… then export… the export will be a .xml file
• Re-import by using EMET_Conf --import <file>.xml
• If you script emet_conf to push out settings, include HelperLib.dll, MitigationInterface.dll, PKIPinningSubsystem.dll, SdbHelper.dll
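The bullets above describe the push sequence (clear with --delete_all, then --import the vetted XML) and the helper DLLs EMET_Conf needs beside it. The function below is an added example, not from the slides and not Microsoft's own tooling, that scripts that sequence with two checks the deck implies but does not spell out: it refuses to run if any of the four listed DLLs is missing, and it refuses to import an XML whose SHA-256 does not match the one recorded when the profile was vetted, since that file decides which mitigations attach to which processes. Assumptions: EMET 5.x installed in the default folder shown (adjust $EmetDir), the --list switch as the editor recalls it from the EMET documentation, and placeholder share and hash values in the usage line.

```powershell
# Added example, not from the slides and not Microsoft's own tooling: push a vetted
# EMET configuration the way the slides describe (EMET_Conf --delete_all, then
# EMET_Conf --import of the exported XML). Assumptions: EMET 5.x is installed, its
# default folder is the one below (adjust $EmetDir), and the XML was exported from a
# reference machine and its SHA-256 recorded at the time it was vetted.
function Push-EmetConfig {
    param(
        [string]$EmetDir = 'C:\Program Files (x86)\EMET 5.0',   # assumed install path
        [Parameter(Mandatory)][string]$XmlPath,                # e.g. \\server\emet$\vetted.xml (placeholder)
        [Parameter(Mandatory)][string]$ExpectedSha256          # hash recorded when the XML was vetted
    )
    $exe = Join-Path $EmetDir 'EMET_Conf.exe'

    # EMET_Conf.exe needs its helper libraries beside it; the slides list exactly these four.
    $needed = 'EMET_Conf.exe','HelperLib.dll','MitigationInterface.dll',
              'PKIPinningSubsystem.dll','SdbHelper.dll'
    foreach ($f in $needed) {
        if (-not (Test-Path (Join-Path $EmetDir $f))) { throw "Missing $f in $EmetDir" }
    }

    # The XML decides which mitigations attach to which processes, so a tampered
    # or wrong-version file must not be imported.
    $actual = (Get-FileHash -Path $XmlPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "SHA-256 mismatch for ${XmlPath}: got $actual"
    }

    # Clear existing application mitigation and certificate trust settings, then import.
    & $exe --delete_all | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "EMET_Conf --delete_all failed with exit code $LASTEXITCODE" }
    & $exe --import $XmlPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "EMET_Conf --import failed with exit code $LASTEXITCODE" }

    # Hand back what EMET now reports so the deployment job can log it for review.
    & $exe --list
}

# Usage (values are placeholders):
# Push-EmetConfig -XmlPath '\\fileserver\emet$\EMET_vetted.xml' `
#                 -ExpectedSha256 '<hash recorded at vetting time>'
```

Keep the vetted XML on a share that only the deployment account can write to; the hash check catches an altered file, but it does not replace controlling who can alter it.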
EMET Policies
Injecting EMET policies into Registry
Starting out with EMET
• Start out with the highest risk applications first. Start with browsers (Internet Explorer, Firefox, Chrome, Opera)
• Move on to Adobe Reader/Writer, Java.
• High risk, exploited apps should always be first
The Java Problem
• Malicious actors are using trusted applications to exploit gaps in perimeter security.
• Java comprises 91 percent of web exploits; 76 percent of companies using Cisco Web Security services are running Java 6, an end-of-life, unsupported version.
• “Watering hole” attacks are targeting specific industry-related websites to deliver malware.
Source: Cisco 2014 Annual Security Report (http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html)
The Java Problem Continued
• Corporations rely on out-of-date versions
• The “Pigeon Hole” effect: I can’t upgrade Java because you will break my critical business app.
• Virtualizing can be an expensive solution
• But my AV will stop it! << Probably not…
• Oracle EOL’d Java 6, but paid support can extend this.. << too expensive
• Java is a security nightmare and an application administrator’s worst enemy
The Java problem continued
Prevent Java from running
• Hopefully by now everyone has deployed MS014-051. If not, you should.. soon.
• Don’t deploy and assume you are done. Don’t accept default policies for this.
• Starting with MS014-051, out-of-date Java blocking is on by default, but it allows users to circumvent it.
Mitigating the Java Problem with GPOs
• Before you do this… lock down Trusted Sites. Don’t allow users to circumvent security by putting stuff in Trusted Sites without a vetting process
• Don’t allow users to “run this time” if Java is out of date. Lock it down
• Allow out-of-date Java only for sites that are business critical.
Java Resources For Mitigation
• http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx
• http://blogs.msdn.com/b/askie/archive/2014/08/12/how-to-manage-the-new-quot-blocking-out-of-date-activex-controls-quot-feature-in-ie.aspx
Java ActiveX Blocking
• Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
Java Active X Blocking
Java Active X Blocking
Java Active X Blocking
Java Active X Blocking
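The deck's point in this section is that the update it calls MS014-051 turns blocking on by default but leaves users a "Run this time" escape hatch, and that Group Policy must close it. The function below is an added example, not from the slides, that checks a host for both conditions by reading the machine-level policy key behind the Add-on Management settings. The value names and their meanings are the editor's reading of the Microsoft articles linked above, not something the slides state; confirm them in gpedit.msc before relying on them.

```powershell
# Added example, not from the slides: check that out-of-date ActiveX blocking in IE is
# enforced by policy (not just the MS014-051 default that users can bypass) and that the
# "Run this time" button is removed. The value names and meanings are the editor's reading
# of the Microsoft articles linked above; confirm them in gpedit.msc before relying on them.
function Test-OutdatedActiveXPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # VersionCheckEnabled: 1 = blocking on. Absent means the out-of-box default applies,
    # and the slides' point is that the default still lets users click through.
    $blocking = [bool]($p -and $p.VersionCheckEnabled -eq 1)
    # RunThisTimeEnabled: 0 = button removed, so out-of-date Java cannot be waved through.
    $noRunThisTime = [bool]($p -and $p.RunThisTimeEnabled -eq 0)

    [pscustomobject]@{
        BlockingEnforcedByPolicy = $blocking
        RunThisTimeRemoved       = $noRunThisTime
        Hardened                 = ($blocking -and $noRunThisTime)
    }
}

$r = Test-OutdatedActiveXPolicy
$r | Format-List
if (-not $r.Hardened) {
    Write-Warning 'Out-of-date ActiveX blocking is not fully locked down by policy on this host.'
}
```

A host that reports Hardened = False is one where a user can still load out-of-date Java from an arbitrary site, which is exactly the gap the Trusted Sites lockdown on the previous slide is meant to close.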
Bonus: Block Flash too.. High Security 
Environments
End Results
Hardening Adobe Reader/Writer
• Adobe Enterprise Toolkit http://www.adobe.com/devnet-docs/acrobatetk/index.html
• Application Security Overview http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/index.html
• Adobe Customization Wizard (Use this) ftp://ftp.adobe.com/pub/adobe/acrobat/win/11.x/11.0.00/misc/
• NSA guidelines for Adobe XI in Enterprise Environments (Use This) https://www.nsa.gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.pdf
Hardening Adobe Reader/Writer
• Don’t give people a chance to disable Protected Mode, Protected View, and Enhanced Security
• For high security environments disable JavaScript. Disable URL links.. Don’t allow Flash content to be viewed in PDFs << Very bad
• Patch often and ASAP
• Hook in with EMET to enhance exploit mitigation
Adobe Demo
Admin Passwords
• Disable admin passwords
• If you can’t disable, then randomize it.. per machine..
• SANS SEC 505.. Awesome course…
• http://cyber-defense.sans.org/blog/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise
Cryptography
• TrueCrypt << my advice is to please stay away from this.
• http://istruecryptauditedyet.com/
• The 2nd part of the audit is very important as it deals with cryptanalysis and RNGs. If the RNGs are weak or in a predictable state, such as Dual Elliptic Curve, TrueCrypt users will be in trouble.
• Developers were never known..
Cryptography
• If you use BitLocker… please enforce AES 256. BitLocker defaults to AES 128
• Kill secrets from memory..
• Starting in Windows 8.1, Pro versions come packed with BitLocker
• 2008 servers and above have it too
• Encrypt all your things…… There is no reason not to.
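The slide says to enforce AES 256 because BitLocker defaults to AES 128, and the catch a practitioner needs to know is that the policy only governs new encryptions: a volume already encrypted with AES 128 stays that way until it is decrypted and re-encrypted. The script below is an added example, not from the slides, that reports the cipher on every BitLocker volume and checks whether policy forces AES 256. The FVE policy value names and meanings are the editor's mapping of the "Choose drive encryption method and cipher strength" policy, not something the deck states; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) in an elevated session.

```powershell
# Added example, not from the slides: list BitLocker volumes whose cipher is weaker than
# AES-256 and check whether Group Policy forces AES-256 for new encryptions. Requires the
# BitLocker module (Windows 8 / Server 2012 and later) in an elevated session. The FVE
# policy value names and their meanings are the editor's mapping of the "Choose drive
# encryption method and cipher strength" policy, not something the slides state.
function Get-BitLockerCipherReport {
    foreach ($v in Get-BitLockerVolume) {
        $cipher = "$($v.EncryptionMethod)"
        [pscustomobject]@{
            Mount  = $v.MountPoint
            Status = "$($v.VolumeStatus)"
            Cipher = $cipher
            Aes256 = ($cipher -in @('Aes256', 'XtsAes256'))
        }
    }
}

function Test-BitLockerAes256Policy {
    # Windows 7/2008 R2 read EncryptionMethod; Windows 8/8.1 read EncryptionMethodNoDiffuser.
    # In both, 3 = AES 128 (the default when unset) and 4 = AES 256.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [bool]($fve -and ($fve.EncryptionMethod -eq 4 -or $fve.EncryptionMethodNoDiffuser -eq 4))
}

$report = @(Get-BitLockerCipherReport)
$report | Format-Table -AutoSize

# Only volumes that actually hold ciphertext matter; a changed cipher only applies to
# new encryptions, so weak volumes must be decrypted and re-encrypted.
$weak = $report | Where-Object { $_.Status -ne 'FullyDecrypted' -and -not $_.Aes256 }
foreach ($w in $weak) { Write-Warning "$($w.Mount) is encrypted with $($w.Cipher), not AES 256" }

if (-not (Test-BitLockerAes256Policy)) {
    Write-Warning 'Group Policy does not force AES 256; BitLocker will default to AES 128 on new volumes.'
}
```

Run it after the policy lands to find the machines that were encrypted before the change; those are the ones where "enforce AES 256" has not actually taken effect yet.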
Questions???

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Domain 4 - Communications and Network Security
Domain 4  - Communications and Network SecurityDomain 4  - Communications and Network Security
Domain 4 - Communications and Network Security
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
Network Architecture Review Checklist
Network Architecture Review ChecklistNetwork Architecture Review Checklist
Network Architecture Review Checklist
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model Presentation
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internet
 
Intruders
IntrudersIntruders
Intruders
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Firewall ppt
Firewall pptFirewall ppt
Firewall ppt
 

Destacado

Security Measure
Security MeasureSecurity Measure
Security Measure
syafiqa
 
Security measures (Microsoft Powerpoint)
Security measures (Microsoft Powerpoint)Security measures (Microsoft Powerpoint)
Security measures (Microsoft Powerpoint)
ainizbahari97
 

Destacado (20)

Hardening firefox, Securizar Mozilla Firefox
Hardening firefox, Securizar Mozilla FirefoxHardening firefox, Securizar Mozilla Firefox
Hardening firefox, Securizar Mozilla Firefox
 
WordPress Security Hardening
WordPress Security HardeningWordPress Security Hardening
WordPress Security Hardening
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server Hardening
 
Ejecutables
EjecutablesEjecutables
Ejecutables
 
Securing Your Linux System
Securing Your Linux SystemSecuring Your Linux System
Securing Your Linux System
 
Getting started with GrSecurity
Getting started with GrSecurityGetting started with GrSecurity
Getting started with GrSecurity
 
PACE-IT: Network Hardening Techniques (part 1)
PACE-IT: Network Hardening Techniques (part 1)PACE-IT: Network Hardening Techniques (part 1)
PACE-IT: Network Hardening Techniques (part 1)
 
Router hardening project.slide
Router hardening project.slideRouter hardening project.slide
Router hardening project.slide
 
Hardening Linux Server Security
Hardening Linux Server SecurityHardening Linux Server Security
Hardening Linux Server Security
 
Cloud Computing Legal Issues
Cloud Computing Legal IssuesCloud Computing Legal Issues
Cloud Computing Legal Issues
 
Legal issues in cloud computing
Legal issues in cloud computingLegal issues in cloud computing
Legal issues in cloud computing
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
 
Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by Steps
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Security Measures
Security MeasuresSecurity Measures
Security Measures
 
Security Measure
Security MeasureSecurity Measure
Security Measure
 
Securing your Windows Network with the Microsoft Security Baselines
Securing your Windows Network with the Microsoft Security BaselinesSecuring your Windows Network with the Microsoft Security Baselines
Securing your Windows Network with the Microsoft Security Baselines
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
 
Implementing a Secure and Effective PKI on Windows Server 2012 R2
Implementing a Secure and Effective PKI on Windows Server 2012 R2Implementing a Secure and Effective PKI on Windows Server 2012 R2
Implementing a Secure and Effective PKI on Windows Server 2012 R2
 
Security measures (Microsoft Powerpoint)
Security measures (Microsoft Powerpoint)Security measures (Microsoft Powerpoint)
Security measures (Microsoft Powerpoint)
 

Similar a System hardening - OS and Application

ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
Jeremy Brown
 
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
Mike Spaulding
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
North Texas Chapter of the ISSA
 
Build automation best practices
Build automation best practicesBuild automation best practices
Build automation best practices
Code Mastery
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
Positive Hack Days
 

Similar a System hardening - OS and Application (20)

GrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapGrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the Cheap
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
CSF18 - Moving from Reactive to Proactive Security - Sami Laiho
CSF18 - Moving from Reactive to Proactive Security - Sami LaihoCSF18 - Moving from Reactive to Proactive Security - Sami Laiho
CSF18 - Moving from Reactive to Proactive Security - Sami Laiho
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
 
Open source: Top issues in the top enterprise packages
Open source: Top issues in the top enterprise packagesOpen source: Top issues in the top enterprise packages
Open source: Top issues in the top enterprise packages
 
2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers
2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers
2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers
 
Debugging,Troubleshooting & Monitoring Distributed Web & Cloud Applications a...
Debugging,Troubleshooting & Monitoring Distributed Web & Cloud Applications a...Debugging,Troubleshooting & Monitoring Distributed Web & Cloud Applications a...
Debugging,Troubleshooting & Monitoring Distributed Web & Cloud Applications a...
 
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
Build automation best practices
Build automation best practicesBuild automation best practices
Build automation best practices
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Citrix Troubleshooting 101: How to Resolve and Prevent Business-Impacting Cit...
Citrix Troubleshooting 101: How to Resolve and Prevent Business-Impacting Cit...Citrix Troubleshooting 101: How to Resolve and Prevent Business-Impacting Cit...
Citrix Troubleshooting 101: How to Resolve and Prevent Business-Impacting Cit...
 
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IVIncident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
 

Último

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Último (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

System hardening - OS and Application

  • 1. System Hardening Windows OS Clients and Applications
  • 2. About me.. • This talk really shouldn’t be about me.. Its about you.. • This community is about educating each other and making things better
  • 3. What is this talk about? • Hardening Microsoft OS’s for Domain and Standalone computers • Large Scale EMET deployments • How to approach Java problem if you run out of date versions • Adobe Acrobat customization according to NSA standards • Local Admin accounts and Passwords and what to do about them • Cryptography – Some brief thoughts
  • 4. OS Security references • Microsoft Security Compliance Manager - http://technet.microsoft.com/en-us/library/cc677002.aspx • Center for Internet Security Benchmarks** - https://benchmarks.cisecurity.org/downloads/multiform/index.cfm • DISA Stigs - http://iase.disa.mil/stigs/os/windows/Pages/index.aspx
  • 5. CIS Security Benchmarks • Recommended technical control rules/values for hardening operating systems • Distributed free of charge by CIS in .PDF format • Where to Begin?? • Incident Response and SSLF.. Flip up the guide for your audience!
  • 7. MS Security Compliance Manager • Exporting Group Policy Objects in your environment and re-import into SCM • Mix and Merge two separate security baselines to remediate issues or consolidate security • No Active Directory? Apply Policy through Local GPO Tools
  • 8. Inventory Your current Security Posture (If Any) • Security Policies can easily be exported from Group Policy Management Console and re-imported into Microsoft Security Compliance Manager • Two options to mix and merge: Compare with SCM pre-populated baselines or build your own based upon CIS PDF’s • My preference is to build based upon CIS and take security to the maximum hardened limit. (Ex. Earlier Win7 CIS gave Self Limited Functionality Profiles SSLF for high security environments)
  • 9. Warning: You will Break Stuff!
  • 10. Troubleshooting Hardening issues • Easiest method is to have a container set up in Active Directory with all group policy inheritance blocked. • Apply your OS Hardening Policies through the local GPO tool. This tool is available when you install Security Compliance Manager. • Installer Can be found in C:Program Files (x86)Microsoft Security Compliance ManagerLGPO << After SCM Install
  • 11. Why troubleshoot CIS with LGPO Tool • Instead of having your sever admins randomly shut group policies off at the server level you can rapidly respond to testing by locally turning off policies • It’s a needle in a haystack approach. Most issues you deal with will probably be around network security and authentication hardening • Works great if you want to applied hardened OS policies in standalone high security environments
  • 12.
  • 13.
  • 14. A few other things • The concept of least privilege should always be used (UAC) • Getting asked even by IT folks to turn it off (UAC) • Limit Admin accounts. Secondary admin accounts are better. Never use admin accounts to browse or do daily tasks on your network • Autorun should be one of the first things you disable in any org. It’s a quick hit with minimal impacts to end users • Enforce the firewall from getting turned off. Use Domain firewall profiles heavily. While restricting public and home profiles. • Be careful with Audit policies. Too much audit information can be a bad thing in logs
  • 15. A few other things continued • Debug programs.. No one should have access to do this. PG. 76 • Limit the amount of remotely accessible registry path’s. (Take note Windows 7 remote registry services has to be manually started. ) This should be disabled Pg. 133 • Lan Manager Authentication Level: Enforce NTLMv2 and Refuse LM and NTLM << This should be non negotiable IE. Pass the Hash Pg. 137 • For High security environments don’t process legacy and run once list << Could lead to other issues with certain applications and driver applications. Use cautiously. • Prevent computers from Joining Homegroups.. BYOD issues PG 169
  • 17. Disable Remote Shell Access • Remote Shell Access pg160 • You need to decide if it’s worth it for you to really have remote shell access. • Reduce your attack surface… This is what OS hardening is all about
  • 18. Lets have a talk about Large Scale EMET deployments (5,000 Machines and More)
  • 19. EMET Large Scale deployments • Resources • Customizing • Scaling • Group Policy • Where does everything fit and in what order?
  • 20. EMET Resources • Kurt Falde Blog (http://blogs.technet.com/b/kfalde/) • Security Research and Defense Blogs (http://blogs.technet.com/b/srd/) • EMET Social Technet Forum (http://social.technet.microsoft.com/Forums/security/en- US/home?forum=emet) • EMET Pilot Proof of Concept Recommendations (http://social.technet.microsoft.com/wiki/contents/articles/23598.emet-pilot- proof-of-concept-recommendations.aspx) • EMET Know Application Issues Table (http://social.technet.microsoft.com/wiki/contents/articles/22931.emet-known- application-issues-table.aspx)
  • 21. Avoiding EMET “Resume Generating Events”
  • 22. What to avoid with EMET deployments • Do not immediately add popular or recommended XML profiles to EMET. Attaching EMET to processes and not vetting them in a organization is not a good idea. • Do not use Group Policy out of the gate. Instead inject with local policies first to vet out problems. • Use System Wide DEP settings cautiously. You may uncover applications, even though not hooked into EMET, crashing because of system wide DEP. Use “Application Opt In” is a safer solution
  • 23. EMET Customization • Base MSI • Exporting custom XML and using EMET_Conf to push settings • Registry import to policy key for EMET. Acts as local group policy.
• 25. EMET_Conf (cont.) • Use EMET_Conf --delete_all to remove all application mitigation settings and certificate trust (pinning) configurations • Build your own settings, then export them. The export is a .xml file • Re-import with EMET_Conf --import <file>.xml • If you script EMET_Conf to push out settings, ship HelperLib.dll, MitigationInterface.dll, PKIPinningSubsystem.dll and SdbHelper.dll alongside it
  • 27. Injecting EMET policies into Registry
• 28. Starting out with EMET • Start with the highest risk applications first: browsers (Internet Explorer, Firefox, Chrome, Opera) • Then move on to Adobe Reader/Acrobat and Java. • The most exploited apps should always be first
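As an added example (not from the slides, and not Microsoft's tooling), this PowerShell script pushes a vetted EMET profile to a small pilot group with EMET_Conf, the way slides 22 through 28 recommend: local settings first, system-wide DEP left at opt-in, browsers before anything else, Group Policy later. It assumes EMET 5.x is already installed on the targets (base MSI pushed), PowerShell remoting is enabled to them, and the profile was produced on a reference machine with EMET_Conf --export. The EMET_Conf flag syntax is as documented in the EMET User's Guide; check EMET_Conf --help on your version. Machine names, paths and the profile file name are placeholders.

```powershell
# Added example, not from the slides: pilot a vetted EMET profile on a few machines with
# EMET_Conf before any Group Policy is built. Assumes EMET 5.x installed on the targets,
# PowerShell remoting enabled, and a profile exported with "EMET_Conf --export".
# Flag syntax is as documented in the EMET User's Guide; verify with "EMET_Conf --help".

$PilotMachines = @('PILOT-WS01', 'PILOT-WS02')        # placeholders: a few users of the high-risk apps
$ProfileXml    = 'C:\EMET\pilot-browsers.xml'          # placeholder: exported, vetted browser profile
$EmetDir       = 'C:\Program Files (x86)\EMET 5.2'     # placeholder: install folder on the targets

# Files that must sit beside EMET_Conf.exe if it is ever copied out of the install folder (slide 25)
$Required = 'EMET_Conf.exe', 'HelperLib.dll', 'MitigationInterface.dll', 'PKIPinningSubsystem.dll', 'SdbHelper.dll'

# Read the XML here and hand its text to the remote side, so no share access (double hop) is needed there
$xmlText = [System.IO.File]::ReadAllText($ProfileXml)

$results = Invoke-Command -ComputerName $PilotMachines -ArgumentList $xmlText, $EmetDir, $Required -ScriptBlock {
    param($xml, $emetDir, $required)

    $missing = @($required | Where-Object { -not (Test-Path (Join-Path $emetDir $_)) })
    if ($missing.Count -gt 0) { return "$env:COMPUTERNAME : missing $($missing -join ', ')" }

    $conf  = Join-Path $emetDir 'EMET_Conf.exe'
    $local = Join-Path $env:TEMP 'emet-pilot.xml'
    [System.IO.File]::WriteAllText($local, $xml)

    # 1. System-wide mitigations: keep DEP at opt-in so applications that are not hooked
    #    into EMET do not start crashing (slide 22).
    & $conf --system DEP=ApplicationOptIn SEHOP=ApplicationOptIn ASLR=ApplicationOptIn | Out-Null

    # 2. Start from a clean slate, then load only the vetted per-application settings.
    & $conf --delete_all | Out-Null
    & $conf --import $local | Out-Null
    $rc = $LASTEXITCODE
    Remove-Item $local -ErrorAction SilentlyContinue

    # 3. Report what is actually in effect so it can be diffed against the reference machine.
    $applied = @(& $conf --list)
    "$env:COMPUTERNAME : import exit code $rc, $($applied.Count) configuration lines now in effect"
}

$results
```

Leave the pilot running for a while and watch the Application event log on those machines for EMET-logged mitigations before widening the group; only once the profile has survived real users do you convert it into the Group Policy version.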
• 29. The Java Problem • Malicious actors are using trusted applications to exploit gaps in perimeter security. • Java accounts for 91 percent of web exploits; 76 percent of companies using Cisco Web Security services are running Java 6, an end-of-life, unsupported version. • "Watering hole" attacks are targeting specific industry-related websites to deliver malware. Source: Cisco 2014 Annual Security Report (http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html)
• 30. The Java Problem Continued • Corporations rely on out-of-date versions • The "pigeon hole" effect: I can't upgrade Java because you will break my critical business app. • Virtualizing can be an expensive solution • But my AV will stop it! Probably not. • Oracle has ended public support for Java 6; paid support can extend it, but that is too expensive for most • Java is a security nightmare and an application administrator's worst enemy
  • 31. The Java problem continued
• 32. Prevent Java from running • Hopefully by now everyone has deployed MS14-051 (the August 2014 cumulative Internet Explorer update). If not, you should, soon. • Don't deploy it and assume you are done. Don't accept the default policies for this. • MS14-051 blocks out-of-date Java ActiveX controls by default, but the default still offers a "Run this time" button that lets users bypass the block.
• 33. Mitigating the Java problem with GPOs • Before you do this, lock down Trusted Sites. Out-of-date control blocking does not apply to the Local Intranet and Trusted Sites zones, so a user who can add a site to Trusted Sites can circumvent it. Don't let users do that without a vetting process. • Don't allow users to "Run this time" if Java is out of date. Lock it down. • Allow out-of-date Java only on the sites that are business critical.
• 34. Java Resources For Mitigation • http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx • http://blogs.msdn.com/b/askie/archive/2014/08/12/how-to-manage-the-new-quot-blocking-out-of-date-activex-controls-quot-feature-in-ie.aspx
• 35. Java ActiveX Blocking • Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
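As an added example (not from the slides), here is the registry-backed equivalent of the Add-on Management policies under that path, applied with PowerShell so a pilot group can be configured from local policy before the GPO is built, and a helper that collects the logging the feature produces. The value names follow the Internet Explorer ADMX for out-of-date ActiveX control blocking as I know them and the audit log location is the one the feature writes per user; confirm both against your ADMX version and the MS blog posts above. The domain list is a constructed placeholder for the business-critical sites that still need old Java.

```powershell
# Added example, not from the slides: local-policy equivalent of the IE Add-on Management
# settings for out-of-date ActiveX blocking, plus collection of the feature's audit log.
# Value names are as I know them from the IE ADMX (inetres.admx); verify on your version.

$ExtPolicy      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
$AllowedDomains = @('erp.corp.example', 'hr.corp.example')   # constructed sample exceptions

function Set-OutdatedActiveXPolicy {
    param([string[]]$Domains)
    New-Item -Path $ExtPolicy -Force | Out-Null

    # Keep the version check on. Setting VersionCheckEnabled=0 is the
    # "Turn off blocking of outdated ActiveX controls for IE" policy, which you never want.
    Set-ItemProperty -Path $ExtPolicy -Name VersionCheckEnabled -Value 1 -Type DWord

    # Remove the "Run this time" button so users cannot click past the block (slide 33)
    Set-ItemProperty -Path $ExtPolicy -Name RunThisTimeEnabled -Value 0 -Type DWord

    # Log every out-of-date control that is encountered, so you see what the block touches
    Set-ItemProperty -Path $ExtPolicy -Name AuditModeEnabled -Value 1 -Type DWord

    # Per-domain exceptions ("...on specific domains" policy): one value per domain
    # under the Domain subkey. Keep this list short and vetted.
    $domKey = Join-Path $ExtPolicy 'Domain'
    New-Item -Path $domKey -Force | Out-Null
    Get-ItemProperty -Path $domKey | Select-Object -ExpandProperty PSObject | ForEach-Object {
        $_.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            Remove-ItemProperty -Path $domKey -Name $_.Name   # drop stale exceptions first
        }
    }
    foreach ($d in $Domains) { Set-ItemProperty -Path $domKey -Name $d -Value $d -Type String }
}

function Get-OutdatedActiveXAuditLog {
    # The audit log is written per user profile; gather it from every profile on the box.
    $pattern = 'C:\Users\*\AppData\Local\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv'
    Get-ChildItem $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $log = $_
        Get-Content $log.FullName | ForEach-Object { "$($log.FullName): $_" }
    }
}

Set-OutdatedActiveXPolicy -Domains $AllowedDomains
Get-OutdatedActiveXAuditLog
```

Run the audit collection for a couple of weeks on the pilot machines: the log tells you which internal sites actually load an old Java control, which is the vetted input for the exception list, instead of whatever users would have put into Trusted Sites.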
• 40. Bonus: block Flash too in high security environments
• 42. Hardening Adobe Reader/Acrobat • Adobe Enterprise Toolkit http://www.adobe.com/devnet-docs/acrobatetk/index.html • Application Security Overview http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/index.html • Adobe Customization Wizard (use this) ftp://ftp.adobe.com/pub/adobe/acrobat/win/11.x/11.0.00/misc/ • NSA guidelines for Adobe Reader XI in enterprise environments (use this) https://www.nsa.gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.pdf
• 43. Hardening Adobe Reader/Acrobat • Don't give people a chance to disable Protected Mode, Protected View and Enhanced Security: lock them with the FeatureLockDown policy keys rather than just setting preferences the user can flip back • For high security environments disable JavaScript and URL links, and don't allow Flash content to play inside PDFs (very bad) • Patch often and ASAP • Hook Reader into EMET to enhance exploit mitigation
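As an added example (not from the slides and not Adobe's or the NSA's script), the following PowerShell applies the Reader XI lockdown described on slides 42 and 43 through the HKLM FeatureLockDown policy keys, which Reader honours over the user's own preferences, and then reads them back so a deployment can be verified. The value names are the ones I know from the Adobe Enterprise Toolkit preference reference (bEnableFlash and the trusted-location values in particular should be checked against the reference for your build); the version key "11.0" is for Reader XI.

```powershell
# Added example, not from the slides: lock Reader XI's security features through the
# HKLM FeatureLockDown policy keys so users cannot turn them off, then verify.
# Value names from the Adobe ETK preference reference as I know them; confirm for your build.

$ReaderVersion = '11.0'   # Reader XI; adjust for other major versions
$LockDown = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVersion\FeatureLockDown"

# Desired state. Each entry is locked for all users on the machine.
$Desired = @{
    bProtectedMode              = 1   # Protected Mode (sandbox) on, user cannot disable
    iProtectedView              = 2   # Protected View for all files (1 = unsafe locations only)
    bEnhancedSecurityStandalone = 1   # Enhanced Security on for the standalone app
    bEnhancedSecurityInBrowser  = 1   # ...and when rendering inside a browser
    bDisableJavaScript          = 1   # high-security environments: no PDF JavaScript at all
    bEnableFlash                = 0   # no Flash content inside PDFs
    bDisableTrustedFolders      = 1   # users cannot add privileged folders to bypass Protected View
    bDisableTrustedSites        = 1   # users cannot add privileged hosts either
}

function Set-ReaderLockdown {
    New-Item -Path $LockDown -Force | Out-Null
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $LockDown -Name $name -Value $Desired[$name] -Type DWord
    }
}

function Test-ReaderLockdown {
    # Returns one row per setting with the value actually present, so drift is visible.
    $current = Get-ItemProperty -Path $LockDown -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys | Sort-Object) {
        $actual = if ($current) { $current.$name } else { $null }
        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $Desired[$name]
            Actual   = $actual
            Locked   = ($actual -eq $Desired[$name])
        }
    }
}

Set-ReaderLockdown
Test-ReaderLockdown | Format-Table Setting, Expected, Actual, Locked -AutoSize
```

Bake the same values into the Customization Wizard transform so new installs start locked, and keep this check in your audit so a later Reader upgrade that changes the version key does not silently unlock everything.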
• 45. Admin Passwords • Disable the built-in local Administrator account if you can • If you can't disable it, randomize its password, per machine, so one recovered hash does not unlock the whole fleet • SANS SEC505 is an awesome course • http://cyber-defense.sans.org/blog/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise
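As an added example (not the SANS script and not from the slides), this PowerShell generates a fresh password for the local Administrator account from a cryptographic RNG, sets it through ADSI, and escrows it encrypted to an RSA certificate so only whoever holds the private key can recover it. It assumes it runs elevated on the target machine (for instance as a startup script), that the certificate path points to a .cer with the public key only, and that the escrow share is a write-only drop location; all three paths are placeholders.

```powershell
# Added example, not from the slides: per-machine random local Administrator password,
# escrowed under an RSA public key. Run elevated on each machine. Paths are placeholders.

$CertPath    = 'C:\ProgramData\PwEscrow\escrow.cer'   # placeholder: public key only (.cer)
$EscrowShare = '\\fileserver\pw-escrow$'              # placeholder: write-only drop share
$AccountName = 'Administrator'                        # or the renamed account from your baseline

function New-RandomPassword {
    param([int]$Length = 20)
    # Alphabet without look-alike characters (0/O, 1/l/I). Selection is unbiased: a random
    # byte is rejected unless it falls below the largest multiple of the alphabet size.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $limit = 256 - (256 % $alphabet.Length)
    $sb    = New-Object System.Text.StringBuilder
    $buf   = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Set-LocalAccountPassword {
    param([string]$Name, [string]$Password)
    # ADSI WinNT provider works on every supported client OS, no extra modules needed
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.SetPassword($Password)
    $user.SetInfo()
}

function Protect-ForEscrow {
    param([string]$Plaintext, [string]$CerFile)
    # RSA-OAEP under the escrow certificate's public key; only the private key holder can read it.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    $rsa   = [System.Security.Cryptography.RSACryptoServiceProvider]$cert.PublicKey.Key
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("$env:COMPUTERNAME`t$AccountName`t$Plaintext")
    [Convert]::ToBase64String($rsa.Encrypt($bytes, $true))   # $true = OAEP padding
}

$pw = New-RandomPassword -Length 20
Set-LocalAccountPassword -Name $AccountName -Password $pw
$blob = Protect-ForEscrow -Plaintext $pw -CerFile $CertPath
$file = Join-Path $EscrowShare ("{0}-{1:yyyyMMddHHmmss}.txt" -f $env:COMPUTERNAME, (Get-Date))
Set-Content -Path $file -Value $blob
$pw = $null   # nothing in plaintext is left behind on the machine or in the log
```

The order matters: the password is set before the blob is written, so a failed escrow write shows up as a missing file rather than a machine with a known password, and you re-run the script for that machine. Keep the private key off the domain and off every workstation; the whole point is that a compromised client hands the attacker one random password and an RSA ciphertext, nothing more.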
• 46. Cryptography • TrueCrypt: my advice is to please stay away from this. • http://istruecryptauditedyet.com/ • The second phase of the audit is the important one, because it covers cryptanalysis and the RNGs. If the RNGs are weak or in a predictable state, as with Dual Elliptic Curve (Dual_EC_DRBG), TrueCrypt users will be in trouble. • The developers were never publicly identified.
• 47. Cryptography • If you use BitLocker, please enforce AES-256; BitLocker defaults to AES-128 • Clear secrets from memory: don't let keys linger in RAM. Shut down instead of sleeping, and leave the "Prevent memory overwrite on restart" policy disabled so BitLocker secrets are wiped on restart • The Pro editions of Windows 8 and 8.1 include BitLocker • Windows Server 2008 and later have it too, as an installable feature • Encrypt all your things. There is no reason not to.
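As an added example (not from the slides), this PowerShell sets the BitLocker cipher-strength policy to AES-256 and reports what each volume is actually using, because the policy only governs volumes encrypted after it is in place; a drive already encrypted with AES-128 keeps AES-128 until it is decrypted and re-encrypted. The EncryptionMethod values are those of the Windows 7/8/8.1 policy "Choose drive encryption method and cipher strength" as I know them; Windows 10 1511 and later use separate EncryptionMethodWithXts* values for XTS-AES, so adjust there. Get-BitLockerVolume needs the BitLocker module that ships with Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the slides: enforce AES-256 for new BitLocker volumes and
# report the cipher each existing volume really uses. Run elevated.
# Policy values (Win7/8/8.1): 1 = AES-128 + diffuser, 2 = AES-256 + diffuser,
# 3 = AES-128, 4 = AES-256. Windows 10 1511+ uses EncryptionMethodWithXts* instead.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-BitLockerAes256Policy {
    New-Item -Path $FvePolicy -Force | Out-Null
    Set-ItemProperty -Path $FvePolicy -Name EncryptionMethod -Value 4 -Type DWord
}

function Get-BitLockerCipherReport {
    # One row per volume; Meets256 is false for unencrypted volumes and AES-128 volumes alike
    Get-BitLockerVolume | ForEach-Object {
        New-Object PSObject -Property @{
            Volume     = $_.MountPoint
            Protection = $_.ProtectionStatus
            Method     = $_.EncryptionMethod          # e.g. Aes128, Aes256, XtsAes256, None
            Meets256   = ($_.EncryptionMethod -match '256')
        }
    }
}

Set-BitLockerAes256Policy
$report = Get-BitLockerCipherReport
$report | Format-Table Volume, Protection, Method, Meets256 -AutoSize

# Volumes that need a decrypt/re-encrypt cycle to pick up the new policy
$report | Where-Object { -not $_.Meets256 } | ForEach-Object {
    "Volume $($_.Volume) is $($_.Method); re-encrypt it to apply AES-256."
}
```

Schedule the re-encryption for the laptops that come back with AES-128 rather than assuming the GPO fixed them; the report, not the policy, is the evidence.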