CSF18 - The Night is Dark and Full of Hackers - Sami Laiho
1 like361 views
This document provides security tips and recommendations from Sami Laiho, a senior technical fellow specializing in Windows security. Some of the key recommendations include: implementing whitelisting like AppLocker and following the principle of least privilege; using Windows 10 Enterprise over Windows 7 for improved security features; choosing hardware with TPM and virtualization support; applying full disk encryption with BitLocker; restricting administrative access and using tools like Avecto DefendPoint for privilege elevation; and implementing password policies and end user training. Contact information is provided to learn more about security training and services.
CSF18 - The Night is Dark and Full of Hackers - Sami Laiho
- 2. The Night is Dark and full of Hackers: Security Tips & Tricks from Beyond the Wall AKA: ”Security affordable – this is how I do it!” 2
- 3. Sami Laiho Senior Technical Fellow adminize.com • IT Admin since 1996 • MVP in Windows OS since 2011 • Specializes in and trains: • Troubleshooting • Security • Windows Internals • Trophies: • Best and 3rd session at MCT Summit 2018 • Best two Sessions at IGNITE 2018! (out of 1708 session in total) • Best Session at AppManagEvent 2017 and 2018, Utrecht • Best External Speaker at Ignite 2017 • Best Sessions (#1 and #2) at TechTalks 2017, Helsinki • TechDays Sweden 2016 – Best Speaker • NIC 2016, 2017 - Best Speaker • Ignite 2015 – Best male presenter ;) (#2 out of 1000 speakers) • TechEd Europe and North America 2014 - Best session, Best speaker
- 4. I got Certs
- 6. • Established in 1983 • Just Me, Myself and I • We deliver: • Training! • Private classes anywhere in the World! • Around 1000€/1200$ per head for 4 days • Security Audit for Windows environments • Two days onsite/online • Two days of reporting/documenting offsite • 10000€/12000$ • AppLocker/Whitelisting implementation • 10000€/12000$ + t&e • Takes around 4 days • VoD Training • https://win-fu.com/dojo • Best at a very cheap price! • I deliver training through PluralSight as well but not the same content Adminize.com
- 7. Windows XP Deep Dive in 2001
- 8. • sami@adminize.com • Twitter: @samilaiho • Blog: http://blog.win-fu.com/ • Free newsletter: http://eepurl.com/F-GOj Contact
- 9. @samilaiho If you are not on Twitter – get on Twitter! 9
- 10. Security is a compromise Secure
- 11. Most Important Rules in Windows Security • You have no security in Windows unless • You have Full Disk Encryption • You follow the Principle of Least Privilege
- 12. Gartner, NIST and others • Say that the most important security feature to implement in 2018 is Whitelisting • #2 is Principle of Least Privilege • #3 is Hard Disk Encryption 12
- 13. Choosing the correct hardware 13
- 14. Choosing Harware • 64-bit • UEFI with SecureBoot • Virtualization support: Intel VT or AMD-V • SLAT: Intel EPT or AMD RVI • TPM • 1.2 ok for Windows 7 • 2.0 for Windows 10 is better • DMA-ports? • No on Windows 7 • TB3 on Windows 10 is OK • Nice to have: • IO-MMU • Intel VT-d or AMD-Vi • I would require: • PXE boot available and ON • Virtualization and TPM ON • For Windows 7 SecureBoot OFF 14
- 15. Operating System • I would go for Windows 10 Enterprise if I can choose • SecureKernel stuff like Credential Guard, Device Guard • Windows Defender Application Guard • AppLocker • Windows 7 Enteprise is fine as well • General rule: get the hell away from Windows 8 and 8.1 15
- 16. Network Infrastructure • Managed network devices that are easy to manage and monitor • Meraki (Awesome if money is no object) • Unifi (I’m in love with these because of the price) • I prefer my devices to connect to corporate network with Direct Access • BUT… 16
- 17. AD-infrastructure • Domain names • No company name • TLD to be .local or .ds • Always build two DFS-roots • One for shares used by users • One for IT’s needs and AD’s use • If you have insecure remote locations use RODC • Use Redircmp and Redirusr 17
- 18. Applying Principle of Least Privilege 18
- 19. Admin Access • No end user get admin access to their device • Not the Boss, not the girlfriend and not the devs • No IT-admin interactively logs on to their box with an administrative account • They use Runas-solutions like UAC 19
- 20. Avecto DefendPoint • You can • Auto elevate • Auto elevate with a warning • Auto elevate with a question for reason • Elevate with a managers approval • Elevate with a challenge code 20
- 21. Examples • Applications that require admin rights • Updating things you don’t have to time manage • IP-addresses and Networking • Joining the domain • Hyper-V Management • Visual Studio 21
- 22. Extra from Avecto • Whitelisting is better than AppLocker • Better pinpointing at a task • Grey list • Better messaging • Sandboxing for browsers • Neat but not without some problems • No admin + good whitelisting = very little need for this… 22
- 24. Randomizing Passwords • LAPS is fine • Randomizes passwords • AD-Domains only • Needs online access to AD • Doesn’t change password based on usage • This is a good thing for some people • I use Adminizer ;) • Randomizes passwords • Workgroups, Azure AD, BYOD etc. • Totally Offline and self-sufficient • Changes password both based on usage and based on time 24
- 25. Other stuff • I let the local Administrator be named Administrator as it will anyway have the same SID • I don’t intentionally disable them either • Guest I disable but don’t rename 25
- 26. Using AD administrative accounts (Domain, Enterprise, Schema) 26
- 27. Enterprise and Schema Admins • These group are and stay empty • Only added a domain admin user when needed • If you doubt yourself or colleagues just create a scheduled task on a DC to clear them • Schema Admins are only needed when changing the schema • Enterprise Admins are needed mainly for • DHCP authorize • Adding or removing domains • Site applied GPOs 27
- 28. Domain Admins • Only used for administering DC’s or AD • Remember to administer from an administration Work Station or Server – NOT BY LOGGING ON TO A DC!! • Are denied from logging on to anywhere else but Domain Controllers – By Policy! 28
- 29. Mitigating PtH? • Split your environment into three layers • Never allow higher layer admins to logon to lower layers Power (DCs) Data (Servers and Apps) Access (Endpoints) Domain Admins Server Admins Workstation Admins
- 31. BitLocker • BitLocker on all machines that are outside of the server rooms • Unless you can’t trust your admins → Include Servers • Aim for TPM only • Make sure your recovery keys are stored in AD • Increase encryption to 256 with a diffuser 31
- 32. BitLocker FlowChart by me • http://win-fu.com/files/TPM-FlowchartV3.pdf 32
- 33. Recommended settings for UAC 33
- 34. Normal UAC • No changes to security needed but I always disable UAC Virtualization 34
- 35. High Secure UAC • Change the prompt for UAC to ask for credentials for admins • Kills all BadUSB and Rubber Ducky –attacks • Also disable UAC virtualization 35
- 36. Recommended settings for AppLocker, SRP or other whitelisting 36
- 37. My own device • Relies on the knowledge of the user 37
- 38. My customer devices • Basic rules + AccessChk revealed exceptions • Use certificates if you can (and trust the company) • Then add required network locations with • UNC • IP • FQDN • Then add local applications outside of the default folders with Certs, Folders (if they can be blocked from writing to by limited users) • Problematic ones • Self-updating, not signed and stored in users profile 38
- 39. Recommended settings for Share permissions 39
- 40. Share settings are easy • Always change two things 1. Block Offline use by default 2. EVERYONE – FULL CONTROL • NTFS-ACL’s are always more granular and better • I won’t kill you if you want to set different for user redirected folders • EVERYONE – CHANGE • Blocks users from sharing their files with other as they will by default get Full Control to these 40
- 41. Recommended settings for builtin certificates 41
- 42. EFS • Remember to replace the default Administrator certificate from your CA 42
- 43. Recommended settings for AV and Firewalls 43
- 44. Things to note about Defender • Only things that Defender can’t do • Centralized Reporting • Centralized Management • Talk to the Firewall • We can say that the engine of Defender is just fine • 1% more found malware in tests currently means 10000 malware samples that were not detected → Basically useless! • I choose by • The size of the wallet • Burden on the OS • Honestly: • If you have System Center use SCEP • Take a look at ATP! 44
- 45. Recommended settings for IPsec 45
- 46. How I use IPsec • Require Inbound, Request Outbound • Kerberos for users and computers • Exclude DC’s and hard cases – You don’t need to get to 100%! • Buy printers (etc) that can have a certificate if possible 46
- 47. Common recommendations for Windows Security 47
- 48. Group Policies and Security Policies 48
- 49. My Policies • Document with the Group Policy Settings Reference • Many policies are not needed anymore for most, like: • Always wait for the network on startup and logon • Disable System Restore • I nowadays try to avoid GPUPDATE /FORCE by changing group policy CSE’s to process even if the policy has not changed • For troubleshooting I always change a few things as well: 49
- 51. Ability to read RSOP data 51
- 53. End User Training on Good Passwords • For everyone • Minimum length of 8 characters (but don’t advertise this) • Complexity required • Numbers • at the beginning and end OR • in the middle • For important users like admins it’s • Minimum length of 15 characters 53
- 54. End User Training on Good Passwords • Show people http://haveibeenpwned.com/ and teach to use different passwords on every site • Like • Flower10SkypeGrows! • Flower10DropbGrows! • Massively10HardIL • Massively10HardPO • Massively10HardBM 54
- 57. Contact • sami@adminize.com • Twitter: @samilaiho • Blog: http://blog.win-fu.com/ • Free newsletter: http://eepurl.com/F-GOj • Video-based training: • http://www.pluralsight.com/ • Want free codes? Email me! • NOW: http://win-fu.com/dojo •Trial2018