2. Do You Think Your Citrix Environment is Secure Enough?
Ready or Not, Here I Come!
Denis Gundarev
Consultant
Entisys Solutions
BriForum | © TechTarget
3. About presenter
C:\>whoami /all
USER INFORMATION
----------------
User Name Twitter Name E-Mail
============== ============ ==================
ENTISYS\denisg @fdwl DenisG@entisys.com
GROUP INFORMATION
-----------------
Group Name Type SID
============================== ================ =================
Citrix Technology Professional Well-known group S-1-5-32-544
Citrix Certified Instructor Well-known group S-1-5-32-545
Microsoft Certified Trainer Well-known group S-1-5-32-546
4. Disclaimer
● Information in this presentation is intended for
educational purposes only. Some topics in this
presentation may contain the information related to
“Hacking Passwords” or “Elevating permissions” (Or
Similar terms). Some topics will provide information about
the legal ways of retrieving the passwords. You shall not
misuse the information to gain unauthorized access.
However, you may try out these hacks on your own
computer at your own risk.
● Some of the stuff that you will learn is dangerous, playing
with this knowledge on your production environment can
make you very unhappy
5. Agenda
● Physical server security
● Trusted Platform Module
● Hypervisor hardening
● VDI security
- Microsoft installer
- Password security
- SQL security
6. ● All links from this presentation are available here:
- http://bit.ly/SecureIT
7. Physical Security
● Why do you need to secure servers?
● A server can be stolen
● A server can be duplicated
● A disk can be seamlessly replaced in the storage array and the
data stolen
● An attacker can boot from CD/USB and reset the admin
password
● Do you need to secure your hypervisors?
● Sure, the hypervisor is the key to your infrastructure
8. Get Access to the Windows Box - Demo
9. Breaking into hypervisor
● XenServer - http://bit.ly/XenServerPassword
● VMware ESX - http://bit.ly/ResetESXPassword, same
procedure as for XenServer
● VMware ESXi – password reset not supported, but
possible http://bit.ly/ResetESXiPassword
10. Securing Server boot
● Disable boot from CD/USB/PXE
- If using UEFI – change the boot order using UEFI manager
- Be careful, some UEFI firmware adds removable devices
as a boot option by default
● Disable removable drives after installation
● Set BIOS admin password
- Does not prevent boot, but
prevents changing the boot order
● Disable Intelligent Provisioning
(available on HP G8 servers)
11. Out-of-band management (lights-out
management)
● Implement AD integration for HP iLO, Dell iDRAC or IBM
RSA (can be done with or without schema extension)
● Disable default local administrator and/or change default
password
- root/calvin for Dell
- Printed on the server label for HP
- USERID/PASSW0RD for IBM
● Configure SNMP and/or syslog to monitor who is using
LOM
● Grant permissions carefully
12. Out-of-band management (lights-out
management)
● Use a separate management network
● Use trusted certificates
● Disable telnet (HP G8 doesn’t have it; disabled by default
on Dell/IBM)
● Disable SSH if you do not use it
● Change SNMP community strings
13. Out-of-band management (lights-out
management)
● Regularly read security guides:
- Dell - http://bit.ly/DRACSecurity
- HP - http://bit.ly/ILOSecurity
- IBM doesn’t have one, just the manual
http://bit.ly/IBMRSAGuide
● Regularly update firmware
● Review audit logs and configure alerts
14. Trusted Platform Module
● Smartcard-like hardware module on the motherboard
- Protects secrets
- Performs cryptographic functions
- Can create, store and manage keys
- Performs digital signature operations
- Holds Platform Measurements (hashes)
● Can be used to check platform integrity
● Can be used to store disk encryption keys
15. Trusted Platform Module
● Disabled by default
● Is reset automatically when the BIOS is reset via the motherboard switches
● Owned by the OS
● Change of ownership is not possible without a reset
● Secure boot order in BIOS+TPM-aware OS+BIOS setup
password makes hacker’s life harder
17. Windows (Hyper-V)
● Windows Server 2008 and above is a TPM-aware OS
● BitLocker Full-Disk Encryption protecting the OS and data
● BitLocker protects from the offline password reset
(pogostik/opengate/WinRE)
● BitLocker protects OS data from offline analysis (stolen or
duplicated drives)
18. BitLocker™ Drive Encryption Architecture
[Figure: static root of trust measurement of boot components. Pre-OS stage (“All Boot Blobs unlocked”): TPM Init → BIOS → MBR → BootSector → BootBlock → BootManager. Static OS stage (“Volume Blob of Target OS unlocked”): Start → OS Loader → OS.]
Source: Microsoft
19. Windows disk encryption
● BitLocker can be managed with GPO
● Data can be recovered if needed
● BitLocker can store recovery passwords in AD (schema extension is
required)
- Domain admins and computer itself can read recovery passwords –
permissions can be changed: http://bit.ly/BitLockerAD
● Whitepaper is available on Microsoft.com http://bit.ly/HyperVBitLocker
● Hyper-V Clusters supported, Hotfix needed:
http://support.microsoft.com/kb/2446607
● In-Guest VM encryption not supported
● Windows Server 2012 supports BitLocker-encrypted CSV
http://bit.ly/BitLockerCSV2012
● HP HOWTO: http://bit.ly/HPBitLocker
20. XenServer & TPM
● No official support
● Basic vTPM is in the product, but not documented yet
and still not secured with physical TPM
● But XenServer is just Linux!
● TrustedGRUB, GRUB-IMA and Open Secure Loader
(OSLO) are available to secure the boot process
● Disk encryption with dm-crypt and a TPM is possible, but
complicated.
- Details in IBM Blueprint http://bit.ly/IBMTrustedGRUB
21. Linux Trusted Boot Stages
[Figure: trusted boot chain with each stage measured into TPM PCRs, shown in three columns. BIOS column: CRTM, POST, root of trust (ROT), measured into PCR01-07. Bootloader column: GRUB Stage1 (MBR), Stage1.5, Stage2, GRUB conf, measured into PCR04-05. Operating System column: Kernel, SELinux MAC policy, JVM, DB, measured into PCR08-14.]
Source: Trent Jaeger
22. TrustedGRUB
● IBM BluePrint with step-by-step instructions available
http://bit.ly/IBMTrustedGRUB
● GPT is not supported by TrustedGRUB, MBR is required
- Modify /opt/xensource/installer/constants.py during install
- step-by-step instructions from Major Hayden
(@rackerhacker) on his blog http://bit.ly/XS6GPTDisable
● Sirrix AG together with German Federal Office for
Information Security (BSI) tested different TPM-enabled
Open source solutions, review the document before
implementation - http://bit.ly/TSSStudy
23. XenServer boot hardening
1. Disable boot from removable devices
2. Set BIOS setup password
3. Enable TPM
4. Disable single-user mode without a password
- Add the following entry to the /etc/inittab file:
~~:S:wait:/sbin/sulogin
5. Install TrustedGRUB
6. Enable GRUB password
7. Configure additional checks on /etc/passwd,
/etc/shadow, /boot/grub.lst and PAM configuration files
8. Enable TrustedGRUB
24. VMware & Support
● VMware claims that TPM is supported
(http://kb.vmware.com/kb/1033811)
● Not configurable
● Not documented
● No partner solutions that use TPM
● Disk encryption for vKernel is not supported (FAT16!!!)
26. Platform-independent recommendations
● Don’t store VMs on the local drive, use SAN/NAS instead
● Use mutual CHAP authentication for iSCSI
● Consider using Boot from SAN with storage-based
encryption and Fibre Channel Security Protocol (FC-SP)
enabled HBAs
- short overview - http://bit.ly/FC-SPOverview
- Standard http://bit.ly/FC-SPStandard
- HBAs available from all major vendors (Emulex, Qlogic,
Cisco, Brocade, Hitachi)
● Use a fixed virtual disk size to avoid unexpected VM
pauses
27. Platform-independent recommendations
● Separate management network
● Optionally implement IPSEC on the management network
- VMware - http://bit.ly/VMwareIPsec
● Change default MAC addresses so an attacker cannot identify
the hypervisor from the MAC address (OUI) database:
- http://www.coffer.com/mac_find
- 00-15-5D – Hyper-V
- 00-50-56 – VMware
28. Platform-independent recommendations
● vCenter/SCVMM should be secured better than your DC
● Configure monitoring and auditing
● Use Active Directory for authentication
● Disable/lock local users and/or configure Password policy
● Do not use management console as a RDP replacement
29. XenServer hardening
● Review XenServer User Security guide
http://bit.ly/XSSecurity
● Review XenServer Hardening guide (released by Positive
Technologies) - http://bit.ly/XSHardening
● Configure AD authentication
● Disable SSH if you are not using it
● Install server certificates http://bit.ly/XSCertificates
● Disable unencrypted XAPI access
● Disable autologon to the console from XenCenter
● Avoid using pool-admin privilege, any pool admin can
change root password with xe user-password-change
30. XenServer hardening
● All passwords stored on XenServer are insecure
- Use a dedicated user for CIFS ISO repositories and limit the
computers where this user can log on, because the password
can be retrieved even by a read-only user (xe pbd-list)
- Use dedicated users for power management (any pool
operator can retrieve them with xe secret-list)
● Be careful with RBAC: a lot of the “security” is implemented in
XenCenter only; XAPI and xe.exe give a lot of
information even to a read-only user
● Be careful with XenServer monitoring: if a vendor asks for more
permissions than a read-only user, change your vendor
● Avoid saving passwords in XenCenter (more information
later)
31. VMware hardening
● Check VMware vSphere hardening guide
http://bit.ly/vSphereHardening
● Install trusted Certificates
● vCenter – remove local admins
● vCenter – check permissions on vCenter folders,
certificates are stored there
● Use remote management instead of console installed on
vCenter
● Change SQL account permissions after installation
http://bit.ly/VMwareSQL
● Disable SSH if nobody uses it
32. VMware hardening
● Be careful with monitoring agents’ permissions
● Use partner solutions for hardening and compliance
management:
- vGate from Security Code (http://vgate.info/en/)
- HyTrust virtual Appliance (http://www.hytrust.com)
33. Hyper-V/VMM hardening
● Use server core installation
● Remove local administrators from VMM
● Use remote management instead of console installed on
SCVMM
● Implement BitLocker
● Secure “HKLM\SOFTWARE\Microsoft\Virtual Machine”
on guests
● Change permissions on VHD store
● Read Hyper-V security guide
http://bit.ly/HyperVHardening
● Download and use Microsoft Security Compliance
Manager http://bit.ly/MS-SCM
35. VDI security best practices
● In most cases – same best practices apply to
XenDesktop/View/RDS/vWorkspace
● Use GPO to manage VDI
● Create separate OUs for different desktop groups
● Don’t disable firewall, configure rules instead
- http://bit.ly/WindowsFirewall
● Monitor Logs
● Remove Domain Users from Terminal Server
Users/Users groups, use dedicated groups, configure
them using GPO
36. VDI security best practices
● Use AppLocker/SRP/other application control tools to
audit application usage
● Don’t forget about scripting environments:
- Visual Basic for Applications
- Browsers
- HTML Applications
● Even with AppLocker/AppSense/RES there are ways to
execute any application
- XLSploit from Remko Weijnen (@RemkoWeijnen) -
http://bit.ly/XLSploit
- Application control processes can be suspended/killed from
task manager
38. Windows Installer
● Be careful with Windows Installer: ANY user can restart the
server
● Configure MSI logging with GPO, collect MSI logs and
analyze them
● “AlwaysInstallElevated” is Equivalent to Granting
Administrative Rights - http://bit.ly/AlwaysInstallElevated
● Enforce *.MSI signing
● Always check permissions on a folder with the source
MSI files
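As an added example (not code from the presentation), a PowerShell audit of the settings this slide calls out: the two AlwaysInstallElevated policy values (the policy only takes effect when both the machine and the user value are 1), the MSI logging policy, and the ACL and signatures of a folder holding source MSI files. The policy paths are the standard Windows Installer policy keys; C:\MsiSource is a hypothetical folder name.

```powershell
# Policy keys behind the "AlwaysInstallElevated" and MSI logging settings.
$hklm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$hkcu = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-InstallerPolicyStatus {
    # AlwaysInstallElevated is effective only when BOTH the machine and the user value are 1.
    $machine = (Get-ItemProperty -Path $hklm -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $user    = (Get-ItemProperty -Path $hkcu -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    # 'Logging' holds the MSI logging modes (e.g. "voicewarmupx"); empty means no MSI logs are written.
    $logging = (Get-ItemProperty -Path $hklm -Name Logging -ErrorAction SilentlyContinue).Logging
    [pscustomobject]@{
        AlwaysInstallElevatedEffective = ($machine -eq 1 -and $user -eq 1)
        MachineValue                   = $machine
        UserValue                      = $user
        MsiLogging                     = $logging
    }
}

# Check a folder holding source MSI files: broad groups must not be able to modify
# the packages, and every package should carry a valid Authenticode signature.
function Test-MsiSourceFolder {
    param([Parameter(Mandatory)][string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, Modify, FullControl'
    $weakAces = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
    }
    $unsigned = Get-ChildItem -Path $Path -Filter *.msi -Recurse -File | Where-Object {
        (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid'
    }
    [pscustomobject]@{
        Path                  = $Path
        WritableByBroadGroups = @($weakAces | ForEach-Object { $_.IdentityReference.Value })
        UnsignedMsi           = @($unsigned | ForEach-Object { $_.FullName })
    }
}

Get-InstallerPolicyStatus
Test-MsiSourceFolder -Path 'C:\MsiSource'   # hypothetical folder holding the source MSI files
```

Anything listed under WritableByBroadGroups or UnsignedMsi is a package that an ordinary user could swap out before an elevated install runs.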
40. Password security
● Almost all passwords that you enter during the
setup/configuration are stored somewhere
- HKLM\Software\<VendorName>
- HKLM\System\CurrentControlSet\Services\<ServiceName>
- %ProgramFiles%\<VendorName>
- C:\ProgramData\<VendorName>
- %AppData%\<VendorName>
- *Anywhere*
● Some passwords are encrypted, some not
41. DPAPI
● Data Protection API
● Introduced with Windows 2000, improved with every new
version of Windows
● “Secure by Design”
● Simple API, CryptProtectData and CryptUnprotectData
functions
● Recommended as a best practice
42. DPAPI
● Widely used:
- EFS, Internet Explorer, Outlook, IIS, RMS, WiFi passwords,
CredManager
- Skype, Gtalk, Chrome
- XenApp, AppSense, XenCenter, Acronis, vSphere
● Can be “salted”, but not everyone uses a “salt”
● Data can be encrypted with user or system keys
- Data encrypted with user keys can be decrypted only by that
user
- Data encrypted with system keys can be decrypted by
*ANY* user
43. DPAPI
● Tools from Remko Weijnen (@RemkoWeijnen):
- IMA Password decoder - http://bit.ly/IMAPassword
- RDP Password decoder - http://bit.ly/RDPPassword
● Universal password decoder from me:
Add-Type -AssemblyName System.Security
[System.Text.Encoding]::Unicode.GetString(
    [System.Security.Cryptography.ProtectedData]::Unprotect(
        [System.Convert]::FromBase64String("Base64EncodedString"),   # the stored DPAPI blob
        [System.Text.Encoding]::Unicode.GetBytes("MagicWord:)"),     # the application's entropy ("salt")
        'LocalMachine'))                                             # scope: LocalMachine or CurrentUser
- Tested with XenCenter, XenApp, AppSense
● 01,00,00,00,D0,8C,9D,DF,01,15,D1,11,8C,7A,00,C0 – the byte sequence at the start of every DPAPI blob (version field followed by the provider GUID)
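The points of the two DPAPI slides (user vs. machine scope, entropy as “salt”, and the header bytes above) as an added PowerShell example; this is not the presenter’s decoder and uses only the .NET ProtectedData API. The secret and entropy strings are constructed for the demo.

```powershell
Add-Type -AssemblyName System.Security

# First 20 bytes of every DPAPI blob: version 1 followed by the provider GUID
# {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}; the slide lists the first 16 of them.
$DpapiHeader = [byte[]](0x01,0x00,0x00,0x00,0xD0,0x8C,0x9D,0xDF,0x01,0x15,
                        0xD1,0x11,0x8C,0x7A,0x00,0xC0,0x4F,0xC2,0x97,0xEB)

# Returns $true when the bytes carry the DPAPI header, i.e. the value was protected
# with CryptProtectData rather than stored in clear text or with a home-grown cipher.
function Test-DpapiBlob {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt $DpapiHeader.Length) { return $false }
    for ($i = 0; $i -lt $DpapiHeader.Length; $i++) {
        if ($Bytes[$i] -ne $DpapiHeader[$i]) { return $false }
    }
    return $true
}

# Protect a secret so only the same user account (CurrentUser scope) can unprotect it,
# with application-specific entropy ("salt") as a second factor. LocalMachine scope
# without entropy is what makes a blob readable by any account on the host.
function Protect-Secret {
    param([string]$Plaintext, [string]$Entropy,
          [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser')
    $data = [System.Text.Encoding]::Unicode.GetBytes($Plaintext)
    $salt = if ($Entropy) { [System.Text.Encoding]::Unicode.GetBytes($Entropy) } else { $null }
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($data, $salt, $Scope)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([string]$Base64, [string]$Entropy,
          [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser')
    $blob = [Convert]::FromBase64String($Base64)
    $salt = if ($Entropy) { [System.Text.Encoding]::Unicode.GetBytes($Entropy) } else { $null }
    $data = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $salt, $Scope)
    return [System.Text.Encoding]::Unicode.GetString($data)
}

# Demo with a constructed secret and entropy: the blob is recognised by its header,
# round-trips with the right entropy, and fails with the wrong one.
$b64 = Protect-Secret -Plaintext 'constructed-example-secret' -Entropy 'per-app-entropy'
Test-DpapiBlob ([Convert]::FromBase64String($b64))
Unprotect-Secret -Base64 $b64 -Entropy 'per-app-entropy'
try { Unprotect-Secret -Base64 $b64 -Entropy 'wrong-entropy' } catch { Write-Warning "unprotect failed: $($_.Exception.Message)" }
```

Run the same Protect-Secret with -Scope LocalMachine and no -Entropy to see the blob that the decoder on this slide can open from any account on the host.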
44. Other ways to “decrypt” passwords
45. Password Security
● Datastore access from the user-accessible desktop
- In a perfect situation there is no direct DB access from the
desktop
- Even encrypted passwords should be protected by ACLs
- Access should be read-only
● Good examples:
- Citrix IMA password – secured by the ACL in the registry
- XenCenter passwords – stored in the user profile
46. Database security
● Most software checks permissions at the application level,
not at the database level
● Direct access to the database can help to elevate
permissions within the application
● All the tools needed to access the database are already on the
desktop:
- Microsoft Office
- .NET framework
- PowerShell
- Scripting environment
47. SlimJim for XenApp 6.5
delete INDEXTABLE FROM KEYTABLE INNER JOIN
INDEXTABLE ON KEYTABLE.nodeid = INDEXTABLE.nodeid
WHERE (KEYTABLE.parentid = 42)
go
delete KEYTABLE from KEYTABLE where parentid=42
go
● Where does this “42” come from?
- DSView from supportdebug folder on XenApp CD
- Directory->ServerNeighborhoods-><FarmName>->AdminTool->Users cid
49. Provisioning Services
INSERT INTO [AuthGroup]
([authGroupId]
,[authGroupName]
,[authGroupGuidName]
,[description])
VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA'
,N'DOMAIN.FQDN.COM/Users/Domain Users'
,N'de56c6b1-06ef-4ed6-85b8-a130f036d075'
,'')
GO
INSERT INTO [AuthGroupFarm]
([authGroupId])
VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA')
GO
● de56c6b1-06ef-4ed6-85b8-a130f036d075 – GUID from adsiedit
50. SQL
● SQL servers should be secured even if they are “not
hosting important company data”
- Access to XA datastore=XA Admin rights
- Access to Provisioning Server DB=Assigning of custom
image
- Access to VMM/vCenter DB= IDDQD
- Access to AppSense/RES/VUEM DB=Ability to bypass
SRP and execute processes under another user
● Use Microsoft Security Compliance Manager
http://bit.ly/MS-SCM
● Read SQL Security Best Practices from Microsoft -
http://bit.ly/SQLSecurity