Windows Domain Hardening


1 Windows Domain Hardening
Darren LaCasse

2 Disclaimer
- All material presented is my own unless otherwise specified.
- Don’t take this as the one and only way to do this
- Your organization is unique, maybe…
- YMMV

3 Agenda
- Hardening 101
- Hardening Challenges
- Configuration/Monitoring Tools
- Demo

4 Why do we care?
- Improves system security
  - Systems configured with minimum necessary services
- Improves system availability
  - All systems configured the same
  - Help desk has a single configuration to support
  - Problem on 1 system can be avoided on the rest

5 No really, why do we care?
Why did I use “old” data? 2010 was the last year the DBIR broke down the data this way…
- 31 breaches attributed to misconfiguration
- 31 breaches attributed to not following a policy/standard for things like configuration
Verizon DBIR 2010

6 Common Hardening Tasks
- Apply OS and application patches
- Disable “Administrator” account
- Password requirements
  - Length
  - Complexity
  - Expiration
  - Lockout
- Install Antivirus
- Disable services

7 Hardening standards
- Develop one for your unique organization

8 Hardening standards
Start with an industry standard
- Center for Internet Security wse/?category=benchmarks
- NSA
- Microsoft
320 pages of this “stuff”. Not even NIST touches this stuff. The NSA refers you back to CIS for the most part now as well. Server 2012 R2

9 System Hardening Methods
- Manual
  - Human error
  - Personnel must know where the current baseline is
  - Not reasonable with large # of systems
- Automatic
  - Always the same
  - Removes human error

10 Hardening Tools
- Microsoft Security Configuration and Analysis Tool (SCAT)
- Microsoft Security Compliance Manager (SCM)
- PowerShell Desired State Configuration (DSC)
Freebies from Microsoft… Everything else is out of scope for now.

11 SCAT
- Doesn’t scale well
- Requires manual configuration for modern OS
- No central management
- No easy reporting mechanism
- Can do remediation

12 Security Compliance Manager
Switch to SCM. Go through it. Show how you can export your configuration to a CPO, SCCM, SCP, Excel… wee

13 Security Compliance Manager
- Gives us baselines from MS for
  - Operating Systems
  - Applications
    - IIS
    - DNS
    - DHCP
    - Internet Explorer
    - MS Office
- Doesn’t provide a way to apply to systems

14 Desired State Configuration (DSC)
- PowerShell feature
- If you can PowerShell you can use DSC
- DSC allows you to configure and report on practically anything on the system
  - Registry
  - Files
  - Configurations
  - Services
  - Software

15 Computers are hard…
- DSC works great if you aren’t on a consumer OS
- DSC works great if you have SCCM or SCVMM
  - SCCM = System Center Configuration Manager
  - SCVMM = System Center Virtual Machine Manager

16 How to DSC
Write a DSC script (I tried and failed)

    configuration TestScript {
        param ()
        Node Localhost {
            # Create a test file
            File CreateTestFile {
                Ensure          = "Present"
                DestinationPath = "C:\Tempa\example.txt"
                Contents        = "Example."
                Type            = "File"
            }
        }
    }

    # Create MOF files by calling the configuration by name
    TestScript -OutputPath C:\Temp\TestScript

    # Start DSC configuration
    Start-DscConfiguration -Path C:\Temp\TestScript -ComputerName Localhost -Verbose -Wait

This generates an MOF (Managed Object Format) file that is used to apply (or check) the configuration against the specified hosts. The configuration is basically a function. I based my test script on the genius that is this person:

17 You can see that our LocalHost.mof file was created. Woo…
I tried using the ScriptimusExMachina examples as well and still failed. I always get this stupid error because I don’t have WinRM installed properly… Our example.txt file is created as well even though you don’t see that reflected on the screen.

18 Check Against the Configuration
- Test-DscConfiguration
- Returning the value of “True” means the single value in our MOF is met
- If we change the text in example.txt then we get this

19 You configured one value, GREAT…
Where you can go from here
- Convert your org’s baseline to DSC syntax
  - Lots of time the first go
- Output per system with values that are “False”
- Startup scripts?
- Buy SCCM?
- GPO health!
- Remove local admin rights
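
A sketch of what converting a few baseline items to DSC and listing the "False" values per system could look like. This is an added example, not part of the original deck: the configuration name, the resource names, the output path and the specific settings (RemoteRegistry, the SMB1 registry value) are illustrative assumptions, not the presenter's baseline. It assumes WMF 5.0 or later, an elevated session, and a working WinRM setup (the error mentioned on slide 17).

```powershell
# Added example, not from the original presentation.
# Settings below are illustrative; substitute your organization's baseline.
configuration HardeningBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # Slide 6: disable the built-in "Administrator" account
        User DisableBuiltinAdministrator {
            UserName = 'Administrator'
            Disabled = $true
            Ensure   = 'Present'
        }

        # Slide 6: disable services that are not needed (example service)
        Service DisableRemoteRegistry {
            Name        = 'RemoteRegistry'
            StartupType = 'Disabled'
            State       = 'Stopped'
        }

        # Slide 14: registry values are managed the same way (example value)
        Registry DisableSmb1Server {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
    }
}

# Compile the configuration to C:\Temp\HardeningBaseline\localhost.mof
HardeningBaseline -OutputPath 'C:\Temp\HardeningBaseline' | Out-Null

# Audit only: compare the system to the MOF without applying anything
$mof    = 'C:\Temp\HardeningBaseline\localhost.mof'
$result = Test-DscConfiguration -ReferenceConfiguration $mof

# Per-system output of the items that came back "False"
if ($result.InDesiredState) {
    "$($result.PSComputerName): all baseline items are True"
} else {
    $result.ResourcesNotInDesiredState | ForEach-Object {
        "$($result.PSComputerName): False  $($_.ResourceId)"
    }
}
```

Because the check uses -ReferenceConfiguration, nothing is changed on the system; running Start-DscConfiguration against the same output folder is the remediation step.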

20 Tell me there is something else!
- Chef
- Puppet
- Nessus vulnerability-scanner
