System Hardening: Windows OS Clients and Applications
About me..
• This talk really shouldn't be about me.. It's about you..
• This community is about educating each other and making things better
What is this talk about?
• Hardening Microsoft OSes for domain-joined and standalone computers
• Large-scale EMET deployments
• How to approach the Java problem if you have to run out-of-date versions
• Adobe Acrobat/Reader customization according to the NSA guidance
• Local admin accounts and passwords, and what to do about them
• Cryptography: some brief thoughts
OS Security references
• Microsoft Security Compliance Manager - http://technet.microsoft.com/en-us/library/cc677002.aspx
• Center for Internet Security Benchmarks - https://benchmarks.cisecurity.org/downloads/multiform/index.cfm
• DISA STIGs - http://iase.disa.mil/stigs/os/windows/Pages/index.aspx
CIS Security Benchmarks
• Recommended technical control rules/values for hardening operating systems
• Distributed free of charge by CIS in PDF format
• Where to begin? The benchmark carries more than one profile (the general Enterprise profile, and SSLF for incident-response and other high-security machines). Flip to the profile that fits your audience
Microsoft SCM Current Baselines
MS Security Compliance Manager
• Export the Group Policy Objects in your environment and re-import them into SCM
• Mix and merge two separate security baselines to remediate issues or consolidate security
• No Active Directory? Apply policy through the local GPO tools
Inventory your current security posture (if any)
• Security policies can easily be exported from the Group Policy Management Console and re-imported into Microsoft Security Compliance Manager
• Two options to mix and merge: compare with SCM's pre-populated baselines, or build your own based upon the CIS PDFs
• My preference is to build based upon CIS and take security to the maximum hardened limit (e.g. the earlier Windows 7 CIS benchmark provided Specialized Security - Limited Functionality (SSLF) profiles for high-security environments)
Warning: You will Break Stuff!
Troubleshooting hardening issues
• Easiest method is to have a container (OU) set up in Active Directory with all group policy inheritance blocked, so the test machine gets nothing from the domain and the only policy on it is what you apply locally
• Apply your OS hardening policies through the local GPO tool (LocalGPO). It ships with Security Compliance Manager
• After installing SCM, its installer can be found in C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO
Why troubleshoot CIS with the LGPO tool
• Instead of having your server admins randomly shut group policies off at the domain level, you can respond rapidly to testing by turning policies off locally
• It's a needle-in-a-haystack approach. Most issues you deal with will probably be around network security and authentication hardening
• Works great if you want to apply hardened OS policies in standalone high-security environments
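The test setup the two slides above describe, as an added example (this is not code from the talk): an isolated OU with inheritance blocked, the hardening GPO exported as a backup, and that backup applied to the test box with SCM's LocalGPO tool. The OU name, GPO name, share, hostname and the LocalGPO install path are assumptions; the LocalGPO.wsf switches are the ones documented with that tool.

```powershell
<#
  Added example, not from the talk. Assumptions (adjust for your environment):
    - OU "Hardening-Test", GPO "CIS-Win7-Hardening", share \\fileserver\gpo-backups,
      test host WKS-TEST01 are all placeholders
    - LocalGPO (from SCM's LGPO folder) is installed on the test box at $localGpo
  Needs the GroupPolicy and ActiveDirectory RSAT modules on the admin workstation.
#>
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName
$testOuName = 'Hardening-Test'                 # placeholder OU name
$testOuDn   = "OU=$testOuName,$domainDn"
$gpoName    = 'CIS-Win7-Hardening'             # placeholder GPO name
$backupRoot = '\\fileserver\gpo-backups'       # placeholder share
$testHost   = 'WKS-TEST01'                     # placeholder test workstation

# 1. Isolated container: inheritance blocked and nothing linked, so a machine
#    in it receives no domain policy at all. Whatever breaks is then caused by
#    the local policy you applied, and nothing else.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$testOuName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $testOuName -Path $domainDn
}
Set-GPInheritance -Target $testOuDn -IsBlocked Yes

# 2. Put the test machine in it (it picks the change up at next gpupdate/reboot).
Move-ADComputer -Identity $testHost -TargetPath $testOuDn

# 3. Export the hardening GPO. A GPO backup is the same artefact SCM imports,
#    and LocalGPO can apply it straight to a machine's local policy.
$backup     = Backup-GPO -Name $gpoName -Path $backupRoot
$backupPath = Join-Path $backupRoot ('{' + $backup.Id + '}')
"GPO backup written to $backupPath"

# --- The following runs on the test workstation, elevated ---
$localGpo = 'C:\Program Files (x86)\LocalGPO\LocalGPO.wsf'   # assumed install path

# Apply the backed-up GPO as local policy, then test the business apps.
& cscript.exe $localGpo "/Path:$backupPath"

# Found the setting that broke something? Flip it in the local policy editor
# (gpedit.msc) and retest, rather than editing the domain GPO. When the test
# box needs a clean slate, LocalGPO can put local policy back to defaults:
#   cscript.exe $localGpo /Restore
```

Once the policy survives on the test box, the same backup is what you import into the domain GPO; keep the OU around so the next baseline revision gets the same treatment.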
A few other things
• The concept of least privilege should always be used (UAC)
• You will get asked, even by IT folks, to turn UAC off. Don't
• Limit admin accounts. Secondary admin accounts are better. Never use admin accounts to browse or do daily tasks on your network
• Autorun should be one of the first things you disable in any org. It's a quick hit with minimal impact on end users
• Prevent the firewall from being turned off. Lean heavily on the domain firewall profile, while restricting the public and private (home) profiles
• Be careful with audit policies. Too much audit information can be a bad thing in logs: the events that matter get buried and the logs roll over faster
A few other things continued
• Debug programs: no one should hold this user right (CIS p. 76)
• Limit the remotely accessible registry paths, and disable the Remote Registry service (note that on Windows 7 it is set to Manual rather than running by default) (CIS p. 133)
• LAN Manager authentication level: send NTLMv2 responses only, refuse LM and NTLM. This should be non-negotiable, since LM and NTLMv1 responses are cheap to crack or relay. Note that pass-the-hash still works against NTLMv2 (the NT hash is the key), so this is one layer, not the whole answer (CIS p. 137)
• For high-security environments, don't process the legacy run list and the run-once list. This could cause issues with certain applications and driver installers, so use cautiously
• Prevent computers from joining HomeGroups (BYOD issues) (CIS p. 169)
But Wait….I HAZ Shells
Disable remote shell access
• "Allow Remote Shell Access" (Windows Remote Shell / WinRS) (CIS p. 160)
• You need to decide whether it's really worth it for you to have remote shell access
• Reduce your attack surface... This is what OS hardening is all about
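The settings called out on the three slides above (UAC, Autorun, the firewall, LM authentication level, Remote Registry, Debug programs, HomeGroup, remote shell access), checked read-only on one machine so you can see where a box deviates before and after the baseline. This is an added example, not from the talk; the registry locations are the ones the corresponding Group Policy settings write, and the expected values are the CIS ones the slides describe.

```powershell
<#
  Added example, not from the talk. Read-only: nothing here changes the machine.
  Run elevated. Registry paths are the policy locations written by the GPO
  settings named on the slides; user rights are read via secedit because there
  is no built-in cmdlet for them.
#>
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$checks = @(
    @{ Name = 'UAC enabled (EnableLUA)'
       Actual = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
       Expected = 1 },
    @{ Name = 'Autorun off for all drive types (NoDriveTypeAutoRun)'
       Actual = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
       Expected = 255 },
    @{ Name = 'LM auth level 5: NTLMv2 only, refuse LM and NTLM'
       Actual = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
       Expected = 5 },
    @{ Name = 'Domain firewall profile forced on by policy'
       Actual = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' 'EnableFirewall'
       Expected = 1 },
    @{ Name = 'Remote Registry service start type'
       Actual = (Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'").StartMode
       Expected = 'Disabled' },
    @{ Name = 'WinRS remote shell access (AllowRemoteShellAccess)'
       Actual = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' 'AllowRemoteShellAccess'
       Expected = 0 },
    @{ Name = 'HomeGroup joining blocked (DisableHomeGroup)'
       Actual = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\HomeGroup' 'DisableHomeGroup'
       Expected = 1 }
)

# "Debug programs" is the SeDebugPrivilege user right. CIS wants it assigned to
# no one; secedit omits the line entirely when nothing holds it.
$inf = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$debugLine = Select-String -Path $inf -Pattern '^SeDebugPrivilege' | Select-Object -First 1
$holders   = if ($debugLine) { ($debugLine.Line -split '=', 2)[1].Trim() } else { '' }
$checks   += @{ Name     = 'Debug programs (SeDebugPrivilege) holders'
                Actual   = if ($holders) { $holders } else { '<unassigned>' }
                Expected = '<unassigned>' }
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($c in $checks) {
    $actual = if ($null -eq $c.Actual) { '<not set>' } else { $c.Actual }
    $status = if ("$actual" -eq "$($c.Expected)") { 'OK  ' } else { 'FAIL' }
    '{0} {1,-52} expected={2} actual={3}' -f $status, $c.Name, $c.Expected, $actual
}
```

A "not set" result for a Policies\ key means no GPO (domain or local) is enforcing that setting, which is a different finding from a wrong value: the machine may happen to be configured correctly today and drift tomorrow.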
Let's have a talk about large-scale EMET deployments (5,000 machines and more)
EMET large-scale deployments
• Resources
• Customizing
• Scaling
• Group Policy
• Where does everything fit, and in what order?
EMET resources
• Kurt Falde's blog (http://blogs.technet.com/b/kfalde/)
• Security Research and Defense blog (http://blogs.technet.com/b/srd/)
• EMET TechNet forum (http://social.technet.microsoft.com/Forums/security/en-US/home?forum=emet)
• EMET Pilot Proof of Concept Recommendations (http://social.technet.microsoft.com/wiki/contents/articles/23598.emet-pilot-proof-of-concept-recommendations.aspx)
• EMET Known Application Issues Table (http://social.technet.microsoft.com/wiki/contents/articles/22931.emet-known-application-issues-table.aspx)
Avoiding EMET "Resume Generating Events"
What to avoid with EMET deployments
• Do not immediately add popular or recommended XML profiles to EMET. Attaching EMET to processes without vetting them in your organization is not a good idea
• Do not use Group Policy out of the gate. Inject with local policies first to vet out problems
• Use the system-wide DEP setting cautiously. With "Always On" you may uncover applications crashing that are not even hooked into EMET. "Application Opt In" is the safer setting
EMET customization
• Base MSI
• Export custom XML and use EMET_Conf to push settings
• Registry import into the EMET policy key (HKLM\SOFTWARE\Policies\Microsoft\EMET). Acts as local group policy
Using EMET_Conf
EMET_Conf (cont.)
• Use EMET_Conf --delete_all to remove all application mitigation settings and certificate trust configurations
• Build your own settings, then export. The export is an .xml file (EMET_Conf --export <file>.xml)
• Re-import with EMET_Conf --import <file>.xml
• If you script EMET_Conf to push out settings, ship HelperLib.dll, MitigationInterface.dll, PKIPinningSubsystem.dll and SdbHelper.dll alongside it
EMET Policies
Injecting EMET policies into Registry
Starting out with EMET
• Start with the highest-risk applications first: browsers (Internet Explorer, Firefox, Chrome, Opera)
• Then move on to Adobe Reader/Acrobat and Java
• The most-exploited, highest-risk apps should always be first
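The EMET_Conf workflow from the two slides above, put together in the order the deck recommends (browsers, then Reader, then Java) as a local pilot on one machine. This is an added example, not the talk's or Microsoft's code; it uses only the documented EMET_Conf switches (--system, --delete_all, --set, --list, --export). The EMET install directory, application paths and export share are assumptions for a typical image.

```powershell
<#
  Added example, not from the talk. Run elevated on a pilot box with EMET 4.x/5.x.
  Assumptions: EMET installed under $emetConf's folder; the application paths
  below are typical install locations; \\fileserver\emet is a placeholder share.
#>
$emetConf = 'C:\Program Files (x86)\EMET 5.2\EMET_Conf.exe'        # assumed install dir
$exportTo = "\\fileserver\emet\$env:COMPUTERNAME-pilot.xml"         # placeholder share

# Highest-risk apps first. Flags is a list of +Mitigation/-Mitigation toggles
# passed straight to "EMET_Conf --set"; an empty list means EMET's per-app
# defaults. Add a "-Mitigation" here only after the pilot shows which one
# breaks an app (EAF+ and Caller are the usual suspects for plug-in heavy apps).
$pilot = @(
    @{ App = 'C:\Program Files\Internet Explorer\iexplore.exe';               Flags = @() },
    @{ App = 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe';            Flags = @() },
    @{ App = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe';   Flags = @() },
    @{ App = 'C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe';  Flags = @() },
    @{ App = 'C:\Program Files (x86)\Java\jre7\bin\java.exe';                 Flags = @() },
    @{ App = 'C:\Program Files (x86)\Java\jre7\bin\javaw.exe';                Flags = @() }
)

# 1. System-wide mitigations: Application Opt In, not Always On, so processes
#    you never hooked do not start crashing because of the pilot.
foreach ($s in 'DEP=ApplicationOptIn', 'SEHOP=ApplicationOptIn', 'ASLR=ApplicationOptIn') {
    & $emetConf --system $s
}

# 2. Clean slate, then add apps one at a time so a crash is attributable to
#    exactly one change.
& $emetConf --delete_all
foreach ($p in $pilot) {
    if (-not (Test-Path $p.App)) { "skip (not installed): $($p.App)"; continue }
    & $emetConf --set $p.App @($p.Flags)
    if ($LASTEXITCODE -ne 0) { "EMET_Conf --set failed for $($p.App)"; continue }
    "hooked: $($p.App)"
}

# 3. What actually got applied: keep this output next to the crash reports.
& $emetConf --list

# 4. Export the vetted profile. This XML is what gets imported on the next
#    pilot ring (EMET_Conf --import) and, once stable, turned into the
#    Application Configuration list in Group Policy.
& $emetConf --export $exportTo
```

Two practical notes: if you copy EMET_Conf.exe to machines to run this, take the four DLLs the slide lists with it; and when you do move to Group Policy, the policy only takes effect on a client once EMET reads it, which is what EMET_Conf --refresh does on demand.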
The Java Problem
• Malicious actors are using trusted applications to exploit gaps in perimeter security.
• Java comprises 91 percent of web exploits; 76 percent of companies using Cisco Web Security services are running Java 6, an end-of-life, unsupported version.
• "Watering hole" attacks are targeting specific industry-related websites to deliver malware.
Source: Cisco 2014 Annual Security Report (http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html)
The Java Problem continued
• Corporations rely on out-of-date versions
• The "pigeon hole" effect: "I can't upgrade Java because you will break my critical business app"
• Virtualizing can be an expensive solution
• "But my AV will stop it!" Probably not...
• Oracle has EOL'd Java 6; paid support can extend this, but it is too expensive
• Java is a security nightmare and an application administrator's worst enemy
Prevent Java from running
• Hopefully by now everyone has deployed MS14-051 (the August 2014 Internet Explorer cumulative update). If not, you should.. soon
• Don't deploy it and assume you are done. Don't accept the default policies for this
• Starting with MS14-051, IE blocks out-of-date Java ActiveX controls by default, but the default still lets users click "Run this time" and circumvent the block
Mitigating the Java problem with GPOs
• Before you do this... lock down Trusted Sites. Don't allow users to circumvent security by putting sites in the Trusted Sites zone without a vetting process
• Don't allow users to "Run this time" if Java is out of date. Lock it down
• Allow out-of-date Java only on the sites that are business critical
Java resources for mitigation
• http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx
• http://blogs.msdn.com/b/askie/archive/2014/08/12/how-to-manage-the-new-quot-blocking-out-of-date-activex-controls-quot-feature-in-ie.aspx
Java ActiveX blocking
• Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
Bonus: block Flash too (high-security environments)
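The Java-blocking GPO settings from the slides above, plus the Flash bonus, written as local policy on a test machine so the behaviour can be vetted before the same values go into a domain GPO (the deck's own advice). This is an added example and not code from the talk. The registry locations are the ones the Internet Explorer ADMX settings under Add-on Management and Security Zones write; the site names are placeholders, and the CLSID is the Shockwave Flash ActiveX control's.

```powershell
<#
  Added example, not from the talk. Run elevated on the test box; the same
  values belong in a domain GPO once vetted. Placeholders: the $trusted list.
#>
function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# --- Out-of-date ActiveX blocking (introduced by MS14-051) ---
$vm = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\VersionManager'
Set-PolicyValue $vm 'VersionCheckEnabled' 1   # 0 is what "Turn off blocking of outdated ActiveX controls" writes
Set-PolicyValue $vm 'RunThisTimeEnabled' 0    # "Remove Run this time button": users cannot bypass the block
Set-PolicyValue $vm 'AuditModeEnabled'   0    # 1 = log only, no blocking; use 1 during discovery, 0 to enforce

# --- Trusted Sites: users cannot edit zone lists, policy supplies the vetted list ---
$is = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-PolicyValue $is 'Security_zones_map_edit' 1   # "Security Zones: Do not allow users to add/delete sites"
Set-PolicyValue $is 'Security_options_edit'   1   # "Security Zones: Do not allow users to change policies"
$trusted = @('erp.corp.example', 'timesheet.corp.example')   # placeholder business-critical sites
foreach ($site in $trusted) {
    # "Site to Zone Assignment List": value name = host, data = zone (2 = Trusted sites)
    Set-PolicyValue "$is\ZoneMapKey" $site '2' 'String'
}

# --- Bonus slide: block the Flash control outright via the Add-on List ---
# Data "0" = denied, "1" = allowed, "2" = allowed and user can toggle it.
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Ext\CLSID' $flashClsid '0' 'String'

# Read back what is now enforced, for the change record.
function Get-IeBlockingPolicy {
    [ordered]@{
        VersionCheckEnabled = (Get-ItemProperty $vm).VersionCheckEnabled
        RunThisTimeEnabled  = (Get-ItemProperty $vm).RunThisTimeEnabled
        AuditModeEnabled    = (Get-ItemProperty $vm).AuditModeEnabled
        ZoneMap             = (Get-ItemProperty "$is\ZoneMapKey" | Select-Object -Property $trusted)
        FlashAddon          = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Ext\CLSID').$flashClsid
    }
}
Get-IeBlockingPolicy
```

The per-site exception the third Java slide wants (out-of-date Java allowed only on named business-critical domains) is the separate "Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains" setting in the same GPO folder; configure that one in the policy editor rather than by hand, and keep its list as short as the vetting process allows.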
End Results
Hardening Adobe Reader/Acrobat
• Adobe Enterprise Toolkit: http://www.adobe.com/devnet-docs/acrobatetk/index.html
• Application Security Overview: http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/index.html
• Adobe Customization Wizard (use this): ftp://ftp.adobe.com/pub/adobe/acrobat/win/11.x/11.0.00/misc/
• NSA guidelines for Adobe Reader XI in enterprise environments (use this): https://www.nsa.gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.pdf
Hardening Adobe Reader/Acrobat
• Don't give people a chance to disable Protected Mode, Protected View or Enhanced Security: lock them with policy so the options are greyed out, rather than just setting them
• For high-security environments disable JavaScript and disable URL links. Don't allow Flash content to be rendered inside PDFs: very bad
• Patch often and ASAP
• Hook Reader into EMET to add exploit mitigations
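The lockdown the slide above describes, as an added example (not the talk's, Adobe's or the NSA's code): the Reader XI FeatureLockDown values for Protected Mode, Protected View, Enhanced Security, the privileged-location lists, and, for high-security builds, JavaScript and Flash. The value names are the ones Adobe's Enterprise Toolkit preference reference documents for the HKLM policy hive; the version key is a parameter, and for Acrobat the product key name differs.

```powershell
<#
  Added example, not from the talk. Run elevated. Values written under
  HKLM\SOFTWARE\Policies are locked: Reader greys the matching UI options out,
  which is the point of the slide. Assumptions: Reader XI ("11.0"); for
  Acrobat use "Adobe Acrobat" in place of "Acrobat Reader".
#>
function Set-ReaderLockdown {
    param(
        [string]$Version = '11.0',
        [switch]$HighSecurity   # additionally kill JavaScript and Flash rendering
    )
    $fld = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"
    if (-not (Test-Path $fld)) { New-Item -Path $fld -Force | Out-Null }

    $settings = [ordered]@{
        bProtectedMode              = 1   # sandbox on
        iProtectedView              = 2   # 0 = off, 1 = files from unsafe locations, 2 = all files
        bEnhancedSecurityStandalone = 1
        bEnhancedSecurityInBrowser  = 1
        bDisableTrustedFolders      = 1   # users cannot add privileged folders/files
        bDisableTrustedSites        = 1   # users cannot add privileged hosts
    }
    if ($HighSecurity) {
        $settings['bDisableJavaScript'] = 1   # JavaScript off and locked
        $settings['bEnableFlash']       = 0   # no Flash content inside PDFs
    }
    foreach ($kv in $settings.GetEnumerator()) {
        New-ItemProperty -Path $fld -Name $kv.Key -Value $kv.Value -PropertyType DWord -Force | Out-Null
    }
}

# Read back the lockdown for the change record / compliance check.
function Get-ReaderLockdown {
    param([string]$Version = '11.0')
    $fld = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"
    if (Test-Path $fld) {
        Get-ItemProperty -Path $fld | Select-Object bProtectedMode, iProtectedView,
            bEnhancedSecurityStandalone, bEnhancedSecurityInBrowser,
            bDisableTrustedFolders, bDisableTrustedSites, bDisableJavaScript, bEnableFlash
    }
}

Set-ReaderLockdown -Version '11.0' -HighSecurity
Get-ReaderLockdown -Version '11.0'
```

URL launching from PDFs (the "disable URL links" bullet) is governed by the cDefaultLaunchURLPerms subkey under the same FeatureLockDown key; take its value encoding from the Enterprise Toolkit reference for the Reader version you deploy rather than guessing it. Bake the same values into the MSI transform with the Customization Wizard so fresh installs are locked before first launch, and the EMET hook for AcroRd32.exe belongs in the EMET pilot list rather than here.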
Adobe Demo
Admin passwords
• Disable the built-in local Administrator account where you can
• If you can't disable it, randomize its password, per machine
• SANS SEC505.. awesome course...
• http://cyber-defense.sans.org/blog/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise
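The "randomize it per machine" approach from the slide above, as an added example in the spirit of the SANS blog post linked there (this is not that script and not the talk's code). Each machine draws its own password from the CSPRNG, sets it on the RID-500 account whatever it has been renamed to, and writes it out only encrypted to a recovery certificate's public key, so the share never holds cleartext. The certificate thumbprint, share path and scheduling are assumptions.

```powershell
<#
  Added example, not from the talk. Run as SYSTEM from a scheduled task or
  startup script. Assumptions: the recovery certificate (public key only) is
  in the machine's My store under $CertThumbprint; $DropFolder is a share to
  which computer accounts can append but not read. Both values are placeholders.
#>
param(
    [string]$CertThumbprint = '0000000000000000000000000000000000000000',  # placeholder
    [string]$DropFolder     = '\\fileserver\adminpw$',                      # placeholder
    [int]$Length            = 24,
    [switch]$DisableAccount   # the slide's first choice, when the account isn't needed
)

function New-RandomPassword {
    param([int]$Length)
    # Rejection sampling over a fixed alphabet so no character is favoured.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*()-_=+'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $out   = New-Object System.Text.StringBuilder
    $limit = 256 - (256 % $alphabet.Length)
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $out.ToString()
}

# The built-in Administrator is RID 500 regardless of its display name.
$acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-21-%-500'"
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$($acct.Name),user"

$password = New-RandomPassword -Length $Length
$user.SetPassword($password)
if ($DisableAccount) { $user.AccountDisabled = $true }
$user.SetInfo()

# Encrypt to the recovery public key (RSA-OAEP) before anything leaves memory.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $CertThumbprint }
if (-not $cert) { throw "recovery certificate $CertThumbprint not found; password changed but not escrowed" }
$cipher = $cert.PublicKey.Key.Encrypt([Text.Encoding]::UTF8.GetBytes($password), $true)
Remove-Variable password

$record = '{0},{1},{2}' -f $env:COMPUTERNAME, (Get-Date -Format o), [Convert]::ToBase64String($cipher)
Add-Content -Path (Join-Path $DropFolder "$env:COMPUTERNAME.txt") -Value $record
```

Order matters: set the password first and escrow second, so a failed escrow is loud (the throw) rather than silently leaving a known password in place; the help desk decrypts a record with the private key, which never leaves their workstation. The value of the whole exercise is that a hash lifted from one workstation no longer opens the rest of the fleet.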
Cryptography
• TrueCrypt: my advice is to please stay away from this. (Its anonymous developers abandoned it in May 2014.)
• http://istruecryptauditedyet.com/
• The second phase of the audit is very important, as it deals with cryptanalysis and the RNGs. If the RNGs are weak, or in a predictable state like Dual_EC_DRBG, TrueCrypt users will be in trouble
• The developers were never known..
Cryptography
• If you use BitLocker... please enforce AES-256. BitLocker defaults to AES-128
• Get secrets out of memory.. the volume key sits in RAM whenever the machine is up, asleep or at the lock screen; it is only protected when the machine is off
• Starting with Windows 8, the Pro editions come with BitLocker (Windows 7 needs Ultimate or Enterprise)
• Windows Server 2008 and later have it too, as an installable feature
• Encrypt all your things... There is no reason not to
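The AES-256 point from the slide above, as an added example (not from the talk): set the policy that fixes the cipher for new volumes, and then find the volumes that were already encrypted under the 128-bit default, because changing the policy re-encrypts nothing. The registry value and encodings are those written by "Choose drive encryption method and cipher strength" on Windows 7 and 8.x; the audit half needs the BitLocker PowerShell module (Windows 8 / Server 2012 and later).

```powershell
<#
  Added example, not from the talk. Run elevated. On Windows 7 the audit part
  has no module; use "manage-bde -status" and read the Encryption Method line.
  Windows 10 1511 and later add separate XTS values (EncryptionMethodWithXts*);
  those are out of scope for this Windows 7/8.x example.
#>
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# EncryptionMethod: 1 = AES-128 + diffuser, 2 = AES-256 + diffuser, 3 = AES-128, 4 = AES-256
New-ItemProperty -Path $fve -Name 'EncryptionMethod' -Value 4 -PropertyType DWord -Force | Out-Null

# Volumes encrypted before the policy existed keep whatever cipher they were
# built with. Report those, plus anything with protection suspended.
function Get-WeakBitLockerVolumes {
    Import-Module BitLocker -ErrorAction Stop
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyDecrypted' -and
        ($_.EncryptionMethod -notmatch '256' -or $_.ProtectionStatus -ne 'On')
    } | Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
}

Get-WeakBitLockerVolumes
```

Remediation for a reported volume is a full decrypt and re-encrypt (Disable-BitLocker, then Enable-BitLocker -EncryptionMethod Aes256, or the manage-bde equivalents), so schedule it; and a ProtectionStatus of Off on an encrypted drive means the key is being handed out in the clear at boot, which is worth fixing before the cipher strength.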
Questions???