Published by Jemima Hart. Modified over 8 years ago.
1
Using PowerShell to Configure Secure Environments and Delegated Administration
2
Data that needs protecting:
- Personal health information (PHI)
- Personally identifiable information (PII)
- Trade secrets
- Intellectual property
4
Goals:
- Move critical data into an isolated environment
- Restrict the "Administrator" role
- Provide specific access to user information
- Etc.
5
Scenario:
- Single corporate domain
- Multiple domain admins
- Many domain users have been granted more access than required because it was easier
- Recently discovered that the domain environment has been compromised
- Business-critical information on 3 different file servers
- Suspected source of compromise is within the corporate domain
6
[Diagram: corporate domain (Corporate.Contoso.Com) with Domain Controller, DHCP, Domain Admin, Dept. Head, P.A.P.A User, and the servers containing critical information]
7
Plan:
- Create Isolated Environment
  - Separate Domain Controller
  - DSC Pull Server
  - JEA management head (jump box)
- Limit Access
  - Domain Admins
  - Firewall ports
  - Resources
- Add Servers Securely
  - Never on the corporate domain
  - Boot to the pull server for configuration
- Configure Servers
  - Configure and copy critical information
8
[Diagram: corporate domain (Corporate.Contoso.Com) with Domain Controller, DHCP, Domain Admin, Dept. Head, P.A.P.A User, and the servers containing critical information]
9
[Diagram, step "Create Isolated Environment": corporate domain (Domain Admin, Dept. Head, P.A.P.A User, DHCP) and the Safeharbor domain (safeharbor.contoso.com: SH Admin, SH DC, DSC Pull Server) joined by a one-way trust; requests flow from Corporate to Safeharbor]
10
Create Isolated Environment
11
Configuration DomainController
{
    Import-DscResource -Name Demo_Computer, Demo_Domain, Demo_DNSTransferZone

    Node $AllNodes.Where{ $_.Role -eq "DomainController" }.NodeName
    {
        Script NoIPv6   # Script resource that disables IPv6 (body elided on the slide)
        { ... }

        Computer MachineName
        {
            Ensure    = "Present"
            Name      = $Node.MachineName
            DependsOn = "[Script]NoIPv6"
        }

        WindowsFeature ADDS
        {
            Ensure    = "Present"
            Name      = "AD-Domain-Services"
            DependsOn = "[Computer]MachineName"
        }

        # New forest for the isolated environment; the credential file is read at compile time
        Domain Forest
        {
            Name                    = $Node.DomainName
            AdministratorCredential = (Import-Clixml $Node.DomainCredFile)
            DependsOn               = "[WindowsFeature]ADDS"
        }
    }
}
12
Create Isolated Environment

Configuration DomainTrust
{
    Import-DscResource -Name Demo_DomainTrust, Demo_DNSSecondaryZone

    Node $AllNodes.Where{ $_.Role -eq "DomainController" }.NodeName
    {
        # Only nodes whose configuration data names a trust partner get a trust
        if ($Node.TrustDomainName)
        {
            DomainTrust TrustDomain
            {
                Ensure                      = "Present"
                SourceDomain                = $Node.SourceDomainName
                TargetDomain                = $Node.TrustDomainName
                TargetDomainAdminCredential = (Import-Clixml $Node.TrustDomainCred)
                TrustDirection              = $Node.TrustDirection
                TrustType                   = $Node.TrustType
            }
        }
    }
}
13
Create Isolated Environment

Configuration DSCServer
{
    Import-DscResource -Name Demo_DSCService, Demo_Computer

    Node $AllNodes.Where{ $_.Role -eq "PullServer" }.NodeName
    {
        Script NoIPv6   # Script resource that disables IPv6 (body elided on the slide)
        { ... }

        Computer NameAndDomain
        {
            Ensure     = "Present"
            Name       = $Node.MachineName
            DomainName = $Node.DomainName
            Credential = (Import-Clixml $Node.DomainCredFile)
            DependsOn  = "[Script]NoIPv6"
        }

        WindowsFeature DSCServiceBin
        {
            Ensure    = "Present"
            Name      = "DSC-Service"
            DependsOn = "[Computer]NameAndDomain"
        }

        # HTTPS pull endpoint; the certificate is selected by thumbprint from the node data
        DSCService ODataEP
        {
            Ensure                = "Present"
            Name                  = "PSDSCPullServer"
            CertificateThumbPrint = $Node.PullCert
            DependsOn             = "[WindowsFeature]DSCServiceBin"
        }

        Script SmbShare   # Script resource that configures the SMB shares (body elided on the slide)
        { ... }
    }
}
14
[Diagram, step "Limit Access": corporate domain (Domain Admin, Dept. Head, P.A.P.A User, DHCP) and the Safeharbor domain (safeharbor.contoso.com: SH Admin, SH DC, DSC Pull Server, Mgmt Server running as M.A.T.A) joined by a one-way trust]
15
Limit Access

Configuration DelegatedAdmin
{
    Import-DscResource -Name Demo_Computer, Demo_SessionConfiguration

    Node $AllNodes.Where{ $_.Role -eq "DelegatedAdmin" }.NodeName
    {
        Script NoIPv6   # Script resource that disables IPv6 (body elided on the slide)
        { ... }

        Computer NameAndDomain
        {
            Ensure     = "Present"
            Name       = $Node.MachineName
            DomainName = $Node.DomainName
            Credential = (Import-Clixml $Node.DomainCredFile)
            DependsOn  = "[Script]NoIPv6"
        }

        # Constrained (JEA) endpoint on the management head: sessions run as the
        # M.A.T.A account, expose only what the session configuration file allows,
        # and the SDDL decides who may connect at all
        PSEndpoint Secure
        {
            Ensure            = "Present"
            Name              = $Node.EPName
            RunAsCredential   = (Import-Clixml $Node.RunAsCredFile)
            SDDL              = $Node.SDDL
            ConfigurationFile = $Node.ConfigurationFile
            DependsOn         = "[Computer]NameAndDomain"
        }
    }
}
16
Limit Access
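The DelegatedAdmin configuration passes a session configuration file, an SDDL and a run-as credential to the PSEndpoint resource but does not show how those are built. The following is an added example (not from the deck or its Demo_ resources) that produces them and registers the endpoint the way the resource presumably does; the paths, the endpoint name SafeharborOps, the group safeharbor\FileOps and the host MGMT01 are assumptions.

```powershell
# Added example: build the JEA inputs for the management head. Paths, names
# and the delegated group are assumptions, not values from the deck.
$jeaDir = 'C:\JEA'
New-Item -ItemType Directory -Path "$jeaDir\Transcripts" -Force | Out-Null

# Constrained endpoint: no language, only the listed commands are visible,
# and every session is transcribed. The run-as identity is supplied at
# registration time, so nothing in the session runs as the caller.
New-PSSessionConfigurationFile -Path "$jeaDir\SafeharborOps.pssc" `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ExecutionPolicy Restricted `
    -TranscriptDirectory "$jeaDir\Transcripts" `
    -ModulesToImport SmbShare `
    -VisibleCmdlets @(
        'Get-SmbShare', 'Get-SmbShareAccess',
        # Restart-Service is allowed, but only for the file-sharing service
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'LanmanServer' } }
    )
Test-PSSessionConfigurationFile -Path "$jeaDir\SafeharborOps.pssc"   # $true when valid

# SDDL that grants only the delegated group access to the endpoint. The SID is
# resolved from the account name so the string is never hand-typed.
$group = [System.Security.Principal.NTAccount]'safeharbor\FileOps'
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "O:NSG:BAD:P(A;;GA;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

# Equivalent of what the PSEndpoint resource applies (assumption): register the
# endpoint with the M.A.T.A run-as credential and the restrictive ACL.
$runAs = Import-Clixml 'C:\Creds\mata.clixml'   # created earlier with Export-Clixml
Register-PSSessionConfiguration -Name 'SafeharborOps' `
    -Path "$jeaDir\SafeharborOps.pssc" `
    -RunAsCredential $runAs `
    -SecurityDescriptorSddl $sddl `
    -Force

# Check from the jump box: a member of the delegated group sees only the
# allowed commands plus the handful RestrictedRemoteServer always exposes.
Invoke-Command -ComputerName 'MGMT01' -ConfigurationName 'SafeharborOps' `
    -ScriptBlock { Get-Command } |
    Select-Object Name, CommandType
```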
17
[Diagram, step "Add Servers Securely": corporate domain (Domain Admin, Dept. Head, P.A.P.A User, DHCP) and the Safeharbor domain (safeharbor.contoso.com: SH Admin, SH DC, DSC Pull Server, Jump Box running as M.A.T.A, File Servers) joined by a one-way trust; file servers reach the pull server over HTTPS only and allow WSMAN and SMB inbound]
18
Add Servers Securely
19
Add Servers Securely

Configuration FileServer
{
    Import-DscResource -Name Demo_Computer, Demo_Firewall

    Node $AllNodes.Where{ $_.Role -eq "FileServer" }.NodeName
    {
        Script NoIPv6   # Script resource that disables IPv6 (body elided on the slide)
        { ... }

        # Disable all built-in inbound firewall rules listed in the node data
        foreach ($rule in $Node.AbsentInRules)
        {
            Firewall $rule.Name
            {
                Ensure      = "Present"
                DisplayName = $rule.DisplayName
                Direction   = "Inbound"
                State       = "Disabled"
                Protocol    = $rule.Protocol
                DependsOn   = "[Script]NoIPv6"
            }
        }

        # Outbound HTTPS to the pull server is the only path the node needs for its configuration
        Firewall HttpsForPullServer
        {
            Ensure      = "Present"
            Access      = "Allow"
            DisplayName = "DSC HTTPS"
            RemotePort  = "8080"
            Protocol    = "TCP"
            Direction   = "Outbound"
            State       = "Enabled"
            DependsOn   = "[Script]NoIPv6"
        }

        Computer MachineName
        {
            Ensure     = "Present"
            Name       = $Node.MachineName
            DomainName = $Node.DomainName
            Credential = (Import-Clixml $Node.DomainCredFile)
            DependsOn  = "[Script]NoIPv6"
        }

        WindowsFeature FileServer
        {
            Ensure    = "Present"
            Name      = "File-Services"
            DependsOn = "[Computer]MachineName"
        }

        # No web server on a file server
        WindowsFeature WebServer
        {
            Ensure    = "Absent"
            Name      = "Web-Server"
            DependsOn = "[Computer]MachineName"
        }

        # Disable the built-in File Services inbound rules listed in the node data
        foreach ($rule in $Node.AbsentInFileRules)
        {
            Firewall $rule.Name
            {
                Ensure      = "Present"
                DisplayName = $rule.DisplayName
                Direction   = "Inbound"
                State       = "Disabled"
                Protocol    = $rule.Protocol
                DependsOn   = "[WindowsFeature]FileServer"
            }
        }

        # Open only the selected inbound ports and protocols
        foreach ($rule in $Node.AllowedInRules)
        {
            Firewall $rule.Name
            {
                Ensure      = "Present"
                Access      = "Allow"
                DisplayName = $rule.DisplayName
                LocalPort   = $rule.Port
                Protocol    = $rule.Protocol
                State       = "Enabled"
                Direction   = "Inbound"
                DependsOn   = "[WindowsFeature]FileServer"
            }
        }

        # The management account (M.A.T.A) is the local administrator
        Group MATA
        {
            GroupName        = "Administrators"
            Ensure           = "Present"
            MembersToInclude = @("safeharbor\MATA")
            Credential       = (Import-Clixml $Node.DomainCredFile)
            DependsOn        = "[Computer]MachineName"
        }

        # The built-in Administrator account stays present but disabled
        User Administrator
        {
            Ensure   = "Present"
            UserName = "Administrator"
            Disabled = $true
        }
    }
}
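The FileServer configuration reads everything through $Node, so its behaviour is decided by the configuration data it is compiled against. The following is an added example (not from the deck) of that data for one file server, together with the credential-file, compile and publish steps the deck leaves implicit; the node name FS01, the pull server PULL01, the file paths, the rule lists and the certificate thumbprint placeholder are all assumptions.

```powershell
# Added example: configuration data for the FileServer configuration above.
# Node names, paths, rule lists and the thumbprint are assumptions/placeholders.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName          = 'FS01'
            Role              = 'FileServer'
            MachineName       = 'FS01'
            DomainName        = 'safeharbor.contoso.com'
            DomainCredFile    = 'C:\Creds\join.clixml'
            # Public key of FS01's DSC certificate: credentials in the MOF are
            # encrypted for the target node instead of written in plain text.
            CertificateFile   = 'C:\Certs\FS01-dsc.cer'
            Thumbprint        = '<FS01 DSC certificate thumbprint>'
            # Built-in inbound rules the first loop keeps present but disabled
            AbsentInRules     = @(
                @{ Name = 'RemoteDesktop-UserMode-In-TCP'; DisplayName = 'Remote Desktop (TCP-In)'; Protocol = 'TCP' }
            )
            AbsentInFileRules = @(
                @{ Name = 'FPS-NB_Session-In-TCP'; DisplayName = 'NetBIOS Session (TCP-In)'; Protocol = 'TCP' }
            )
            # Only the traffic the diagram allows in: WSMAN from the jump box and SMB
            AllowedInRules    = @(
                @{ Name = 'SH-WSMan-HTTPS'; DisplayName = 'WinRM HTTPS (In)'; Port = '5986'; Protocol = 'TCP' }
                @{ Name = 'SH-SMB';         DisplayName = 'SMB (In)';         Port = '445';  Protocol = 'TCP' }
            )
        }
    )
}

# One-time, on the authoring workstation. Export-Clixml protects the secret with
# DPAPI, so only this user on this machine can Import-Clixml it; the
# configuration's Import-Clixml calls run here, at compile time, not on FS01.
if (-not (Test-Path 'C:\Creds\join.clixml')) {
    Get-Credential -Message 'safeharbor domain-join account' |
        Export-Clixml -Path 'C:\Creds\join.clixml'
}

# Compile. Without CertificateFile/Thumbprint this fails unless
# PSDscAllowPlainTextPassword is set, which would put the password in the MOF.
FileServer -ConfigurationData $ConfigData -OutputPath 'C:\DSC\FileServer'

# Publish to the pull server's configuration share with the checksum the LCM
# compares before it applies anything.
New-DscChecksum -Path 'C:\DSC\FileServer' -Force
Copy-Item 'C:\DSC\FileServer\FS01.mof*' -Destination '\\PULL01\Configuration\'
```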
20
[Diagram, step "Configure Servers": corporate domain (Domain Admin, Dept. Head, P.A.P.A User, DHCP) and the Safeharbor domain (safeharbor.contoso.com: SH Admin, SH DC, DSC Pull Server, Jump Box running as M.A.T.A, File Servers) joined by a one-way trust; a request from Corporate becomes an action on the jump box, which is granted access to the file servers]
21
Configure Servers
22
Further hardening:
- Remove the domain trust from the isolated environment
- Remove the domain from the isolated environment
- Regularly change the Domain Admin password
- JIT/JEA
- Limit all isolated-environment access to the management head
- Provide a necessary escape hatch
- Workflows with approvals, etc.
- Use Role Based Access Control (RBAC)
- …
23
Summary:
- Assume the corporate environment is not secure
- Example of one way to use PowerShell to create a secure environment for critical information:
  - Move critical data into an isolated environment
  - Remove the "Administrator" role
  - Provide specific access to users' information
- Further enhance the security of the isolated environment
- Expand on this example
- Create custom solutions
24
[Diagram, summary: corporate domain (Domain Controller, Domain Admin, Dept. Head, P.A.P.A User, DHCP) sends requests to the Safeharbor domain (SH Admin, SH DC) across a one-way trust; steps: Create Isolated Environment, Limited Access, Add Role Servers]
25
[Diagram, summary: corporate domain (Domain Admin, Dept. Head, P.A.P.A User, DHCP) and the Safeharbor domain (SH Admin, SH DC, DSC Pull Server, Jump Box running as M.A.T.A, File Servers) joined by a one-way trust; a request from Corporate becomes an action on the jump box, which is granted access to the file servers; HTTPS only to the pull server, AD allowed in, WSMAN and SMB allowed in; steps: Create Isolated Environment, Limited Access, Add Role Servers]