Using PowerShell to Configure Secure Environments and Delegated Administration.

Presentation on theme: "Using PowerShell to Configure Secure Environments and Delegated Administration."— Presentation transcript:

1 Using PowerShell to Configure Secure Environments and Delegated Administration

2 Critical information to protect:
- Personal health information (PHI)
- Personally identifiable information (PII)
- Trade secrets
- Intellectual property

4 Objectives:
- Move critical data into an isolated environment
- Restrict the "Administrator" role
- Provide specific access to user information
- etc.

5 Scenario:
- Single corporate domain
- Multiple domain admins
- Many domain users have been granted more access than required because it was easier
- Recently discovered that the domain environment has been compromised
- Business-critical information on 3 different file servers
- Suspected source of compromise is within the corporate domain

6 [Diagram: the corporate domain (Corporate.Contoso.Com) with its Domain Controller, Domain Admin, Dept. Head, P.A. user, DHCP, and the servers containing critical information]

7 Plan:
- Create Isolated Environment
  - Separate Domain Controller
  - DSC Pull Server
  - JEA management head (jump box)
- Limit Access
  - Domain Admins
  - Firewall ports
  - Resources
- Add Servers Securely
  - Never on the corporate domain
  - Boot to the pull server for configuration
- Configure Servers
  - Configure and copy critical information

8 [Diagram: the same corporate domain (Corporate.Contoso.Com) as slide 6, with Domain Controller, Domain Admin, Dept. Head, P.A. user, DHCP, and the servers containing critical information]

9 [Diagram: the corporate domain (Domain Admin, Dept. Head, P.A. user, DHCP) beside the new isolated Safeharbor domain (safeharbor.contoso.com) with SH Admin, SH DC and DSC Pull Server; a one-way trust links the domains and requests flow from Corporate to Safeharbor. Step: Create Isolated Environment]

10 Create Isolated Environment

11 Create Isolated Environment: domain controller role

```powershell
Configuration DomainController {
    Import-DscResource -Name Demo_Computer, Demo_Domain, Demo_DNSTransferZone

    Node $AllNodes.Where{ $_.Role -eq "DomainController" }.NodeName {
        Script NoIPv6 { ... }    # Script to disable IPv6 (body elided on the slide)

        Computer MachineName {
            Ensure    = "Present"
            Name      = $Node.MachineName
            DependsOn = "[Script]NoIPv6"
        }
        WindowsFeature ADDS {
            Ensure    = "Present"
            Name      = "AD-Domain-Services"
            DependsOn = "[Computer]MachineName"
        }
        # Credentials are read from a Clixml file at compile time, not typed into the script
        Domain Forest {
            Name                    = $Node.DomainName
            AdministratorCredential = (Import-Clixml $Node.DomainCredFile)
            DependsOn               = "[WindowsFeature]ADDS"
        }
    }
}
```

12 Create Isolated Environment: one-way domain trust

```powershell
Configuration DomainTrust {
    Import-DscResource -Name Demo_DomainTrust, Demo_DNSSecondaryZone

    Node $AllNodes.Where{ $_.Role -eq "DomainController" }.NodeName {
        # Only nodes whose configuration data names a trust partner get a trust
        if ($Node.TrustDomainName) {
            DomainTrust TrustDomain {
                Ensure                      = "Present"
                SourceDomain                = $Node.SourceDomainName
                TargetDomain                = $Node.TrustDomainName
                TargetDomainAdminCredential = (Import-Clixml $Node.TrustDomainCred)
                TrustDirection              = $Node.TrustDirection
                TrustType                   = $Node.TrustType
            }
        }
    }
}
```

13 Create Isolated Environment: DSC pull server role

```powershell
Configuration DSCServer {
    Import-DscResource -Name Demo_DSCService, Demo_Computer

    Node $AllNodes.Where{ $_.Role -eq "PullServer" }.NodeName {
        Script NoIPv6 { ... }    # Script to disable IPv6 (body elided on the slide)

        Computer NameAndDomain {
            Ensure     = "Present"
            Name       = $Node.MachineName
            DomainName = $Node.DomainName
            Credential = (Import-Clixml $Node.DomainCredFile)
            DependsOn  = "[Script]NoIPv6"
        }
        WindowsFeature DSCServiceBin {
            Ensure    = "Present"
            Name      = "DSC-Service"
            DependsOn = "[Computer]NameAndDomain"
        }
        # The OData endpoint is bound to a certificate, so clients pull over HTTPS only
        DSCService ODataEP {
            Ensure                = "Present"
            Name                  = "PSDSCPullServer"
            CertificateThumbPrint = $Node.PullCert
            DependsOn             = "[WindowsFeature]DSCServiceBin"
        }
        Script SmbShare { ... }  # Script to configure SMB shares (body elided on the slide)
    }
}
```
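An added example, not from the presentation, of the client side of the pull server above: the LCM meta-configuration for a server built outside the corporate domain so that it only ever pulls its role configuration from the Safeharbor pull server over HTTPS. The pull-server name, port 8080 (the outbound rule on the FileServer slide), the registration key and the certificate thumbprint are assumed placeholders; the syntax is WMF 5.0+.

```powershell
# Added example (not the presenter's code). Assumed: pull server name, port 8080,
# registration key and node certificate thumbprint are placeholders.
[DSCLocalConfigurationManager()]
Configuration PullClientLCM {
    param(
        [Parameter(Mandatory)] [string] $NodeName,
        [Parameter(Mandatory)] [string] $RoleConfigurationName,   # e.g. 'FileServer'
        [Parameter(Mandatory)] [string] $RegistrationKey,         # issued by the pull-server admin
        [Parameter(Mandatory)] [string] $CertificateThumbprint    # node cert that decrypts MOF credentials
    )
    Node $NodeName {
        Settings {
            RefreshMode          = 'Pull'
            ConfigurationMode    = 'ApplyAndAutoCorrect'   # drift (e.g. a re-enabled firewall rule) is reverted
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $true
            CertificateID        = $CertificateThumbprint
        }
        ConfigurationRepositoryWeb SafeharborPull {
            ServerURL               = 'https://pull.safeharbor.contoso.com:8080/PSDSCPullServer.svc'
            RegistrationKey         = $RegistrationKey
            ConfigurationNames      = @($RoleConfigurationName)
            AllowUnsecureConnection = $false   # HTTPS only; the pull cert must chain to a CA the node trusts
        }
        ReportServerWeb SafeharborReport {
            ServerURL       = 'https://pull.safeharbor.contoso.com:8080/PSDSCPullServer.svc'
            RegistrationKey = $RegistrationKey
        }
    }
}

# Compile the meta-MOF and push it to the freshly built node (constructed values).
PullClientLCM -NodeName 'FS01' -RoleConfigurationName 'FileServer' `
    -RegistrationKey '<registration-key-placeholder>' `
    -CertificateThumbprint '<node-cert-thumbprint-placeholder>' -OutputPath .\LCM | Out-Null
Set-DscLocalConfigurationManager -Path .\LCM -ComputerName 'FS01' -Verbose

# Verify: Pull mode, the single HTTPS repository and nothing else.
Get-DscLocalConfigurationManager -CimSession 'FS01' |
    Select-Object RefreshMode, ConfigurationMode, ConfigurationDownloadManagers
```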

14 [Diagram: as slide 9, with a Mgmt Server added to Safeharbor (safeharbor.contoso.com) that runs as M.A.T.A; corporate users (Domain Admin, Dept. Head, P.A. user) reach Safeharbor only through it over the one-way trust. Step: Limit Access]

15 Limit Access: delegated-administration endpoint on the management head

```powershell
Configuration DelegatedAdmin {
    Import-DscResource -Name Demo_Computer, Demo_SessionConfiguration

    Node $AllNodes.Where{ $_.Role -eq "DelegatedAdmin" }.NodeName {
        Script NoIPv6 { ... }    # Script to disable IPv6 (body elided on the slide)

        Computer NameAndDomain {
            Ensure     = "Present"
            Name       = $Node.MachineName
            DomainName = $Node.DomainName
            Credential = (Import-Clixml $Node.DomainCredFile)
            DependsOn  = "[Script]NoIPv6"
        }
        # Constrained endpoint: runs as a fixed account, ACL'd by SDDL,
        # command surface defined by the session configuration file
        PSEndpoint Secure {
            Ensure            = "Present"
            Name              = $Node.EPName
            RunAsCredential   = (Import-Clixml $Node.RunAsCredFile)
            SDDL              = $Node.SDDL
            ConfigurationFile = $Node.ConfigurationFile
            DependsOn         = "[Computer]NameAndDomain"
        }
    }
}
```
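An added example, not from the presentation, of what the PSEndpoint resource above wraps: building and registering a constrained session configuration by hand, then checking what it actually exposes before users get it. The RunAs account safeharbor\MATA comes from the FileServer slide; the caller group safeharbor\SH-Operators, the file paths and the read-only SMB command set are assumptions.

```powershell
# Added example (not the presenter's code). Assumed: group safeharbor\SH-Operators,
# RunAs account safeharbor\MATA, paths under C:\JEA, read-only SMB command surface.

# 1. Session configuration file: no language elements, only the listed commands visible.
$cfgFile = 'C:\JEA\Secure.pssc'
New-PSSessionConfigurationFile -Path $cfgFile `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ExecutionPolicy Restricted `
    -ModulesToImport 'SmbShare' `
    -VisibleCmdlets 'Get-SmbShare', 'Get-SmbShareAccess'
if (-not (Test-PSSessionConfigurationFile -Path $cfgFile)) { throw "invalid session configuration file" }

# 2. SDDL: Execute (Invoke) + Read for SH-Operators only. Resolve the SID, never hand-type it.
$sid  = ([System.Security.Principal.NTAccount]'safeharbor\SH-Operators').Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GXGR;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

# 3. Register. Commands run as MATA, not as the caller, so callers need no rights of their
#    own on the file servers. The credential file is DPAPI-protected: it must have been
#    exported (Export-Clixml) on this host by the account running this script.
$runAs = Import-Clixml 'C:\JEA\mata.cred.xml'
Register-PSSessionConfiguration -Name 'Secure' -Path $cfgFile `
    -RunAsCredential $runAs -SecurityDescriptorSddl $sddl -Force

# 4. Verify RunAs identity, ACL and command surface (run this part as an SH-Operators member).
Get-PSSessionConfiguration -Name 'Secure' | Select-Object Name, RunAsUser, Permission
Invoke-Command -ComputerName localhost -ConfigurationName 'Secure' -ScriptBlock { Get-Command } |
    Select-Object Name   # expect only the two SMB cmdlets plus the RestrictedRemoteServer defaults
```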

16 Limit Access

17 [Diagram: as slide 14, with Jump Box, DSC Pull Server and File Servers in Safeharbor (safeharbor.contoso.com), the jump box running as M.A.T.A; the file servers are reached over HTTPS only and allow inbound WSMAN and SMB. Step: Add Servers Securely]

18 Add Servers Securely

19 Add Servers Securely: file server role

```powershell
Configuration FileServer {
    Import-DscResource -Name Demo_Computer, Demo_Firewall

    Node $AllNodes.Where{ $_.Role -eq "FileServer" }.NodeName {
        Script NoIPv6 { ... }    # Script to disable IPv6 (body elided on the slide)

        # Disable all built-in inbound firewall rules
        foreach ($rule in $Node.AbsentInRules) {
            Firewall $rule.Name {
                Ensure      = "Present"
                DisplayName = $rule.DisplayName
                Direction   = "Inbound"
                State       = "Disabled"
                Protocol    = $rule.Protocol
                DependsOn   = "[Script]NoIPv6"
            }
        }
        # Outbound HTTPS to the DSC pull server is the only path opened before domain join
        Firewall HttpsForPullServer {
            Ensure      = "Present"
            Access      = "Allow"
            DisplayName = "DSC HTTPS"
            RemotePort  = "8080"
            Protocol    = "TCP"
            Direction   = "Outbound"
            State       = "Enabled"
            DependsOn   = "[Script]NoIPv6"
        }
        Computer MachineName {
            Ensure     = "Present"
            Name       = $Node.MachineName
            DomainName = $Node.DomainName
            Credential = (Import-Clixml $Node.DomainCredFile)
            DependsOn  = "[Script]NoIPv6"
        }
        WindowsFeature FileServer {
            Ensure    = "Present"
            Name      = "File-Services"
            DependsOn = "[Computer]MachineName"
        }
        WindowsFeature WebServer {
            Ensure    = "Absent"
            Name      = "Web-Server"
            DependsOn = "[Computer]MachineName"
        }
        # Disable the built-in File Services inbound rules
        foreach ($rule in $Node.AbsentInFileRules) {
            Firewall $rule.Name {
                Ensure      = "Present"
                DisplayName = $rule.DisplayName
                Direction   = "Inbound"
                State       = "Disabled"
                Protocol    = $rule.Protocol
                DependsOn   = "[WindowsFeature]FileServer"
            }
        }
        # Open only the selected inbound ports and protocols
        foreach ($rule in $Node.AllowedInRules) {
            Firewall $rule.Name {
                Ensure      = "Present"
                Access      = "Allow"
                DisplayName = $rule.DisplayName
                LocalPort   = $rule.Port
                Protocol    = $rule.Protocol
                State       = "Enabled"
                Direction   = "Inbound"
                DependsOn   = "[WindowsFeature]FileServer"
            }
        }
        # The delegated admin account is the only added local administrator
        Group MATA {
            GroupName        = "Administrators"
            Ensure           = "Present"
            MembersToInclude = @("safeharbor\MATA")
            Credential       = (Import-Clixml $Node.DomainCredFile)
            DependsOn        = "[Computer]MachineName"
        }
        # The built-in Administrator account stays disabled
        User Administrator {
            Ensure   = "Present"
            UserName = "Administrator"
            Disabled = $true
        }
    }
}
```
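An added example, not from the presentation, of the configuration data that the role configurations on these slides consume (Role, MachineName, the credential-file paths and the three firewall rule lists), followed by the compile and publish steps. Node names, rule lists and file paths are constructed, and the certificate entries are placeholders.

```powershell
# Added example (not the presenter's code). Node names, rules and paths are constructed;
# certificate file and thumbprint are placeholders.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = '*'
            # Never set PSDscAllowPlainTextPassword = $true here: with CertificateFile the
            # compiler encrypts every PSCredential in the MOF to the node's key, and
            # without either setting it refuses to compile a credential at all.
            CertificateFile = 'C:\DscCerts\FS01.cer'                   # placeholder: node's public cert
            Thumbprint      = '<node-cert-thumbprint-placeholder>'     # must match the LCM's CertificateID
            DomainName      = 'safeharbor.contoso.com'
            DomainCredFile  = 'C:\Creds\sh-join.cred.xml'
        }
        @{
            NodeName    = 'FS01'
            Role        = 'FileServer'            # selects the FileServer configuration above
            MachineName = 'FS01'
            AbsentInRules = @(                    # built-in rules to disable (constructed subset)
                @{ Name = 'RdpIn';   DisplayName = 'Remote Desktop (TCP-In)';  Protocol = 'TCP' }
                @{ Name = 'NbSsnIn'; DisplayName = 'NetBIOS Session (TCP-In)'; Protocol = 'TCP' }
            )
            AbsentInFileRules = @(
                @{ Name = 'SmbPubIn'; DisplayName = 'SMB (In) - Public profile'; Protocol = 'TCP' }
            )
            AllowedInRules = @(                   # slide 17: "Allow WSMAN & SMB (In)"
                @{ Name = 'WsmanHttpsIn'; DisplayName = 'WinRM HTTPS (In)'; Port = '5986'; Protocol = 'TCP' }
                @{ Name = 'SmbIn';        DisplayName = 'SMB (In)';         Port = '445';  Protocol = 'TCP' }
            )
        }
    )
}

# Credential files are DPAPI-protected: export them on the authoring host with the same
# account that compiles, otherwise Import-Clixml inside the configuration cannot decrypt them.
$credFile = $ConfigData.AllNodes[0].DomainCredFile
if (-not (Test-Path $credFile)) {
    Get-Credential -Message 'safeharbor domain-join account' | Export-Clixml -Path $credFile
}

# Compile the FileServer configuration from the slide above into .\Mof\FS01.mof.
FileServer -ConfigurationData $ConfigData -OutputPath .\Mof | Out-Null

# Publish for pull clients that register with ConfigurationNames = 'FileServer':
# the MOF must be named after the configuration and carry a matching checksum.
$pullConfigDir = 'C:\ProgramData\PSDSCPullServer\Configuration'   # placeholder: pull server's configuration path
Copy-Item .\Mof\FS01.mof -Destination (Join-Path $pullConfigDir 'FileServer.mof')
New-DscChecksum -Path (Join-Path $pullConfigDir 'FileServer.mof') -Force
```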

20 [Diagram: as slide 17; a corporate user's Request goes to the Jump Box (running as M.A.T.A), which takes the Action on the File Servers and returns Access. Step: Configure Servers]

21 Configure Servers

22 Further enhance security of the isolated environment:
- Remove the domain trust from the isolated environment
- Remove the domain from the isolated environment
- Regularly change the Domain Admin password
- JIT/JEA
- Limit all isolated-environment access through the management head
- Provide a necessary escape hatch
- Workflows with approvals, etc.
- Use Role-Based Access Control (RBAC)
- ...

23 Summary:
- Assume the corporate environment is not secure
- An example of a way to use PowerShell to create a secure environment for critical information:
  - Move critical data into an isolated environment
  - Remove the "Administrator" role
  - Provide specific access to user information
- Further enhance security of the isolated environment
- Expand on this example
- Create custom solutions

24 [Diagram summary: Corporate (Domain Controller, Domain Admin, Dept. Head, P.A. user, DHCP) and Safeharbor (SH Admin, SH DC) joined by a one-way trust, requests flowing from Corporate; steps: Create Isolated Environment, Limited Access, Add Role Servers]

25 [Diagram summary: Corporate users (Domain Admin, Dept. Head, P.A. user, DHCP) send requests across the one-way trust to Safeharbor, where the Jump Box (running as M.A.T.A), DSC Pull Server and File Servers sit; HTTPS only, Allow AD (In), Allow WSMAN & SMB (In); Request, Action, Access flow; steps: Create Isolated Environment, Limited Access, Add Role Servers]

