Secure Your Workstations


Speakers:
Mark Godfrey, Systems Engineer, MN.IT @ MDH (TekuITS.com, Mark.Godfrey@tekuits.com)
Gary Blok, Lead Systems Engineer, MN.IT @ MDH (GaryTown.com, garywblok@gmail.com)
Troy Martin, Technical Architect, 1E (1e.com/blogs/author/troymartin, Troy.Martin@1e.com)

Mark Godfrey (@Geodesicz) and Gary Blok (@GWBlok)
- 2nd prize in pizza eating contest, 1992
- T-Ball Participation Award
- StarCraft 2 2v2 Diamond Bracket
- Unlocked all characters in Mario Kart
- Favorite beer: TinWhiskers FlipSwitch IPA
- Favorite show: The IT Crowd

Troy Martin (@TroyMartinNet)
- 3rd highest score in DeVry (in '92)
- NY Yankees 24/7/365!!
- I'm diabetic, so Ice Cream it is!!

Why is Workstation Security Important? Why should I care?

Technical

Point of entry (attack surface):
- Size: number of servers and network devices vs. number of workstations
- More software = more vulnerabilities
Usage:
- End users click things: links in e-mails, remote requests, macro prompts in randomly downloaded documents, dancing-animal pictures with embedded malware
- End users browse the web
- Humans make mistakes
Mobility:
- How many people leave their servers or switches on the bus or at a hotel?
Operational:
- More secure = fewer issues = less time spent dealing with issues

Non-Technical

- Financial: lawsuits, loss of business due to loss of trust, other
- Ethical: responsibility to protect people's data, responsibility to protect your organization, responsibility to do your job well
- Personal: pride in your work, employability, the aftermath
- Regulatory: HIPAA, SOX, FERPA

Changing Face of Workstation Security

Get your head out of the past: "But I have antivirus" is no longer a security posture. Workstation security now means vulnerability management, least privilege, security software, application whitelisting, firmware, firewall, encryption, social-engineering awareness, and more.

Firmware

Security is like a pyramid: build it from the bottom up with a large, strong base.
- Requirements and prerequisites: UEFI, Secure Boot, BitLocker, and more
- Manage your firmware upgrades (see the "Leveraging Vendor Tools" session for BIOS update and settings management)

Secure Boot Process

Diagram: chipset with UEFI firmware -> GUID Partition Table (GPT) disk -> EFI System Partition (UEFI Boot Manager, Windows Boot Manager) -> Windows partition (Windows Boot Loader, Windows Kernel).

- The device manufacturer provisions the list of trusted signing certificates (the Secure Boot signature database, db, plus the dbx revocation list) in the firmware. These are authenticated UEFI variables: any change must be signed by a key held in the Key Exchange Key (KEK) database, which the manufacturer and Microsoft control, so the list changes only through signed firmware or Windows updates, never through an unsigned write from the running OS.
- UEFI uses a specific disk configuration, the GUID Partition Table, which provides far more flexibility during boot than the Master Boot Record layout required by legacy BIOS.
- When the Windows device is started, the UEFI boot manager loads the Windows Boot Manager from the EFI System Partition (ESP). With Secure Boot enabled, the Windows Boot Manager can only be loaded if it is signed with a trusted certificate.
- The Windows Boot Manager then loads the Windows Boot Loader from the Windows partition, which again will only be loaded if it is signed with a trusted certificate.
- Finally, the Windows Boot Loader loads the Windows kernel, which again must be signed with a trusted certificate.
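As an added check (not part of the original slides), the following PowerShell verifies the prerequisites the pyramid rests on (UEFI firmware, GPT boot disk, Secure Boot, TPM) and then decodes the firmware's signature database so you can see exactly which certificates the "trusted list" in the diagram contains. The EFI_SIGNATURE_LIST layout it parses is from the UEFI specification; the function names are my own.

```powershell
# Added example: verify Secure Boot prerequisites and list the certificates in
# the firmware signature database (db). Run from an elevated PowerShell prompt.

function Test-SecureBootPrereqs {
    $result = [ordered]@{
        FirmwareType = $env:firmware_type   # 'UEFI' or 'Legacy'
        BootDiskGpt  = $false
        SecureBoot   = $false
        TpmReady     = $false
    }
    $bootDisk = Get-Disk | Where-Object IsBoot
    $result.BootDiskGpt = ($bootDisk.PartitionStyle -eq 'GPT')
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }  # throws on legacy BIOS
    catch { $result.SecureBoot = $false }
    try   { $result.TpmReady = [bool](Get-Tpm).TpmReady }
    catch { $result.TpmReady = $false }
    [pscustomobject]$result
}

# The db variable is a sequence of EFI_SIGNATURE_LIST structures:
#   SignatureType GUID (16 bytes), SignatureListSize (4), SignatureHeaderSize (4),
#   SignatureSize (4), optional header, then EFI_SIGNATURE_DATA entries made of a
#   SignatureOwner GUID (16 bytes) followed by the signature (a DER cert for X509).
function Get-SecureBootDbCertificates {
    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes    = (Get-SecureBootUEFI -Name db).Bytes
    $offset   = 0
    while ($offset -lt $bytes.Length) {
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        $entry    = [int]($offset + 28 + $hdrSize)
        while ($entry -lt $offset + $listSize) {
            if ($type -eq $x509Type) {
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            $entry = [int]($entry + $sigSize)
        }
        $offset = [int]($offset + $listSize)
    }
}

Test-SecureBootPrereqs | Format-List
Get-SecureBootDbCertificates | Format-Table -AutoSize
```

A machine that reports FirmwareType = Legacy or BootDiskGpt = False has to be reimaged (UEFI/GPT) before Secure Boot, Credential Guard or Device Guard can be turned on; on a typical OEM device the db listing shows the Microsoft Windows Production PCA and the Microsoft UEFI CA alongside the OEM's own certificate.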

Encryption BitLocker it up!

XTS-AES

- New encryption algorithm as of Windows 10 1511*
- Provides protection against ciphertext-manipulation attacks that plain AES-CBC is exposed to
- FIPS-compliant
- Use it for fixed data drives and OS drives
- Use it on removable drives only if they will never need to be read on an OS that cannot mount XTS-AES volumes (Windows before 1511)
- Update MBAM to a release with XTS-AES support before implementing, or clients will report non-compliance
- 128 vs. 256 bit: pick one per drive type (the demo uses 256)

Set in Group Policy

Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption: "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". Select the algorithm for each drive type (operating system, fixed data, removable data).

Enable XTS-AES in OSD

You should already have steps to activate the TPM. Disable any Pre-Provision BitLocker step: a pre-provisioned volume already has its cipher chosen before the policy values below exist, and the cipher cannot be changed afterwards without decrypting.

Steps:
1. Stop the MBAM service (if using MBAM)
2. Partition the drive for BitLocker (MDT step using ZTIBDE.wsf)
3. Add 5 policy settings to the registry under HKLM:\Software\Policies\Microsoft\FVE:
     "EncryptionMethodWithXtsOs"=dword:00000007    (7 = XTS-AES 256, 6 = XTS-AES 128)
     "EncryptionMethodWithXtsFdv"=dword:00000007   (fixed data drives)
     "EncryptionMethodWithXtsRdv"=dword:00000003   (3 = AES-CBC 128 so removable drives stay readable elsewhere)
     "OSEncryptionType"=dword:00000001             (1 = full encryption)
     "EncryptionMethod"=dword:00000002             (legacy Vista/7 policy value)
4. Additional settings are required if using MBAM, under HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement
5. Start the MBAM service (if using MBAM)
6. Enable BitLocker
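The same sequence as one task-sequence PowerShell step, added here as an example rather than taken from the slides. It writes the five FVE values, enables BitLocker with a TPM protector without naming a cipher (so the policy is what decides), and then fails the step if the volume did not actually come up as XTS-AES 256, which is the symptom of a leftover pre-provision step. The MBAM service stop/start and the MDOPBitLockerManagement settings are assumed to be handled by their own steps and are not repeated here.

```powershell
# Added example: apply the XTS-AES policy values, enable BitLocker, verify cipher.
# Assumes: TPM already activated, UEFI/GPT disk, no pre-provisioning step ran.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$settings = @{
    EncryptionMethodWithXtsOs  = 7   # XTS-AES 256 for the OS drive
    EncryptionMethodWithXtsFdv = 7   # XTS-AES 256 for fixed data drives
    EncryptionMethodWithXtsRdv = 3   # AES-CBC 128 keeps removable drives readable on older Windows
    OSEncryptionType           = 1   # full encryption, not used-space-only
    EncryptionMethod           = 2   # legacy (Vista/7) policy value from the slide
}
New-Item -Path $fve -Force | Out-Null
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $settings[$name] -PropertyType DWord -Force | Out-Null
}

# Enable BitLocker on the OS drive. No -EncryptionMethod is given on purpose:
# the cmdlet then uses the policy default, which is exactly what we want to test.
$os = $env:SystemDrive
Enable-BitLocker -MountPoint $os -TpmProtector -SkipHardwareTest | Out-Null
# Add a recovery password so there is something to escrow (AD/MBAM) before reboot.
Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null

function Test-OsDriveCipher {
    param([string]$Expected = 'XtsAes256')
    $vol = Get-BitLockerVolume -MountPoint $os
    if ($vol.EncryptionMethod -ne $Expected) {
        # Failing here stops the task sequence while the image is still easy to rebuild.
        throw "Expected $Expected on $os but the volume reports $($vol.EncryptionMethod)"
    }
    $vol | Select-Object MountPoint, EncryptionMethod, VolumeStatus, EncryptionPercentage
}

Test-OsDriveCipher
```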

Credential Guard No hash for you!

What is Credential Guard?

- Part of the virtualization-based security (VBS) feature set originally grouped under Device Guard*
- Credentials live in a protected, virtualized environment (the isolated LSA process) that the rest of the OS, including kernel-mode code, cannot read
- Protects NTLM password hashes, Kerberos Ticket Granting Tickets, and application-stored domain credentials
- Contrary to prior belief, does NOT require installing the Hyper-V role; VBS starts the hypervisor itself
- Defeats credential-theft techniques that read secrets out of LSASS memory (Pass-the-Hash, Pass-the-Ticket, offline hash cracking); it does not protect credentials a user types into an already compromised host
- Requirements: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard (virtualization extensions enabled in firmware, UEFI, Secure Boot; a TPM is recommended so the VBS keys are hardware-bound)

*Feature must be explicitly enabled

Set in Group Policy

Computer Configuration -> Policies -> Administrative Templates -> System -> Device Guard: "Turn On Virtualization Based Security". Inside that setting, set "Credential Guard Configuration" to "Enabled with UEFI lock" so the feature cannot be switched off remotely by a registry change.

Remote Protection (Remote Credential Guard)

- On the remote host: Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation: "Remote host allows delegation of non-exportable credentials": Enabled
- On the client: Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation: "Restrict delegation of credentials to remote servers": Enabled, "Require Remote Credential Guard"
- Remote Credential Guard depends on Kerberos; if name resolution is broken and the RDP client falls back to NTLM (or you connect by IP address), the connection is refused
- https://technet.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard

Enable Credential Guard – OSD TS

Set 3 registry settings for virtualization-based security and Credential Guard (3 Run Command Line steps):

    REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V EnableVirtualizationBasedSecurity /T REG_DWORD /D 1 /F
        VBS on
    REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V RequirePlatformSecurityFeatures /T REG_DWORD /D 3 /F
        Platform security level: 3 = Secure Boot with DMA protection (1 = Secure Boot only)
    REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /V LsaCfgFlags /T REG_DWORD /D 1 /F
        Enable Credential Guard with UEFI lock (2 = enabled without lock)
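The three values written with PowerShell instead of REG ADD, plus the verification step the "Enable and Verify" demo implies, as an added example not taken from the slides. Verification reads the Win32_DeviceGuard WMI class, which is the same data msinfo32 shows; a device where CredentialGuardConfigured is true but CredentialGuardRunning is false has not rebooted yet or is missing a platform requirement listed in RequiredFeatures.

```powershell
# Added example: enable VBS + Credential Guard via the registry and verify after reboot.

$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-Item -Path $dg -Force | Out-Null
# 1 = turn on virtualization-based security
Set-ItemProperty -Path $dg  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
# 1 = Secure Boot only, 3 = Secure Boot plus DMA protection (needs an IOMMU)
Set-ItemProperty -Path $dg  -Name RequirePlatformSecurityFeatures  -Value 3 -Type DWord
# 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock
Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 1 -Type DWord

function Test-CredentialGuard {
    $info = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled (not running), 2 = running
    # RequiredSecurityProperties uses the AvailableSecurityProperties encoding
    # (1 = base VBS, 2 = Secure Boot, 3 = DMA protection)
    [pscustomobject]@{
        VbsStatus                 = $info.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = ($info.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($info.SecurityServicesRunning    -contains 1)
        HvciRunning               = ($info.SecurityServicesRunning    -contains 2)
        RequiredFeatures          = $info.RequiredSecurityProperties
        AvailableFeatures         = $info.AvailableSecurityProperties
    }
}

# Run this after the post-OSD reboot (for example as a compliance baseline script).
Test-CredentialGuard
```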

BitLocker XTS-AES 256 & Enable and Verify Credential Guard

AppLocker: Application Whitelisting, Part 1

What is AppLocker?

- Application whitelisting at the application level
- Relies on the Application Identity service
- Not a fool-proof security measure; use it in conjunction with Device Guard for fine tuning
- A set of rules controlled via Group Policy that determine what can or cannot run
- Can control EXEs, DLLs, MSIs, scripts, and AppX packages
- Enterprise and Education SKUs only

AppLocker – Initial Items to Configure

- Set the Application Identity service to Automatic start via Group Policy
- Set the log sizes in the registry via Group Policy Preferences: REG_DWORD MaxSize = 10485760 (10 MB; the default is too small to survive an audit period) under each of:
    HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/EXE and DLL
    HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/MSI and Script
    HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/Packaged app-Deployment
    HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/Packaged app-Execution
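For a lab or a one-off machine where Group Policy is not yet in place, the same two items can be applied and checked locally. This is an added example, not from the slides; it uses sc.exe for the service because on Windows 10 the AppIDSvc start type is protected and Set-Service is denied, and wevtutil for the channels because it writes the same MaxSize registry value and applies it without an EventLog service restart.

```powershell
# Added example: AppLocker prerequisites applied locally and verified.

# AppIDSvc's start type is protected on Windows 10; sc.exe config is the
# supported way to change it. Note the space after "start=".
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)
$maxSize = 10485760   # 10 MB, same value the GPP registry item sets
foreach ($ch in $channels) {
    # Equivalent to MaxSize under HKLM\...\WINEVT\Channels\<channel>
    wevtutil.exe sl $ch /ms:$maxSize
}

function Test-AppLockerPrereqs {
    $svc = Get-Service -Name AppIDSvc
    [pscustomobject]@{
        AppIdSvcStatus    = $svc.Status       # expect Running
        AppIdSvcStartType = $svc.StartType    # expect Automatic
        Channels          = Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' |
                                Select-Object LogName, MaximumSizeInBytes, IsEnabled, RecordCount
    }
}

$check = Test-AppLockerPrereqs
$check | Format-List
$check.Channels | Format-Table -AutoSize
```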

Create Initial AppLocker Policy

AppLocker Log Collection & Rule Creation

Use the audit logs to generate rules for the policy; there is no "one size fits all" method.

Collection script to deploy as a CM package:
- 2 parameters: a string for the log storage UNC path and a Boolean for "clear after collect"
- Set the program to run from the DP to ensure the machine has network access to the log collection path at the time the script runs

Create AppLocker rules from the logs:
- Allow vs. deny rules
- Scope to user or group
- Rule condition types: publisher, path, file hash
- Exceptions
- AppX rules
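An added example of the two halves of that workflow (not the presenters' own script): a client-side function with the two parameters described, which exports the AppLocker channels as .evtx files to the share and optionally clears them, and an admin-side function that reads every exported file with Get-AppLockerFileInformation and turns the audited events into publisher rules, falling back to hash rules for unsigned files. The share path, group name and output file are assumptions, and it is assumed here that Get-AppLockerFileInformation -LogPath accepts an .evtx file path as well as a channel name.

```powershell
# Added example: AppLocker audit-log collection (client) and rule generation (admin).

$AppLockerLogs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)

# Client side: deploy as a CM package/program that runs from the DP so the
# machine has network access to $LogShare when it runs.
function Export-AppLockerAuditLog {
    param(
        [Parameter(Mandatory)][string]$LogShare,   # e.g. \\server\AppLockerLogs$
        [bool]$ClearAfterCollect = $false
    )
    $dest = Join-Path $LogShare $env:COMPUTERNAME
    New-Item -Path $dest -ItemType Directory -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMddHHmm'
    foreach ($log in $AppLockerLogs) {
        $file = Join-Path $dest (($log -replace '[/ ]', '_') + "_$stamp.evtx")
        # epl exports the channel intact; /ow:true overwrites a same-named file.
        wevtutil.exe epl $log $file /ow:true
        if ($ClearAfterCollect) { wevtutil.exe cl $log }
    }
}

# Admin side: audited events (8003 for EXE/DLL, 8006 for MSI/script) are
# "would have been blocked"; each becomes a rule for the chosen group.
function New-AppLockerRulesFromLogs {
    param(
        [Parameter(Mandatory)][string]$LogShare,
        [string]$AllowGroup = 'Everyone',
        [string]$OutFile    = '.\AppLockerRules.xml'
    )
    $fileInfo = Get-ChildItem -Path $LogShare -Recurse -Filter *.evtx | ForEach-Object {
        Get-AppLockerFileInformation -EventLog -LogPath $_.FullName -EventType Audited
    }
    # -Optimize collapses files from the same publisher into one rule; -Xml emits
    # policy XML that can be merged into the GPO with Set-AppLockerPolicy -Merge.
    $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User $AllowGroup -Optimize -Xml |
        Set-Content -Path $OutFile
    # Unsigned files end up as hash rules, which break on every update: list them
    # so they can be handled (path rule, vendor request, or catalog) before enforce.
    $fileInfo | Where-Object { -not $_.Publisher } | Select-Object -ExpandProperty Path -Unique
}

# Usage on a client (from the CM program command line):
#   powershell.exe -File Export-AppLockerAuditLog.ps1 -LogShare \\server\AppLockerLogs$ -ClearAfterCollect $true
# Usage on the admin workstation:
#   New-AppLockerRulesFromLogs -LogShare \\server\AppLockerLogs$ -AllowGroup 'DOMAIN\Domain Users'
```

Review the generated XML before importing it: a publisher rule produced with -Optimize trusts everything from that signer, which is usually what you want for Microsoft or your LOB vendors and usually not what you want for a signer such as a self-updating consumer application.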

Creating Rules and Refining AppLocker Policy

Move From Audit to Enforce

- Refine the ruleset until you feel it is complete: the logs being collected dwindle
- Deal with anything on the organizational side in regards to users running unapproved apps which will soon be blocked (let the business or a PM handle this)
- Use a 2nd GPO with a duplicate policy (keep changes consistent) set to Enforce instead of Audit
- Scope the GPO with security filtering to a deployment AD group and add machines to the group as you roll out (could also do this by OU if you prefer that method)
- Roll-out will vary based on the size and structure of the organization: one business unit at a time

Device Guard: Application Whitelisting, Part 2

Before WannaCry… "Sophos didn't publish a definition update until 1825 BST, hours after an outbreak..." https://www.theregister.co.uk/2017/05/15/sophos_nhs/

…and after https://www.theregister.co.uk/2017/05/15/sophos_nhs/

Proactive Security is essential: the bouncer and the bartender

Device Guard (Code Integrity) expresses a high level of "trust", whereas AppLocker allows for granular rules (https://channel9.msdn.com/Events/Ignite/2015/BRK2336).

To understand how Windows 10 can help achieve these goals, let's draw from a real-world example of "proactive security". This example is not my own idea; I got it from a session at Ignite 2015, and when I first heard it I thought the analogy was genius. So shout out to Jeffery Sutherland!

A bar or nightclub is expected to have protocols and procedures in place to ensure the safety of its patrons, and at the same time expects its patrons to follow the rules of the establishment. The bouncers and bartenders are on the front line when it comes to enforcing those protocols and procedures.

Bouncer:
- Checks ID (21 or older)
- Verifies the name is on the guest list
- Ensures proper attire is being worn
Bartender:
- Refuses service when a patron is inebriated, hassling for free drinks, cutting the line, etc.

Device Guard is the bouncer: it only allows trusted apps to run, validating that the app is signed by a trusted vendor or matches a hash that uniquely identifies it.
AppLocker is the bartender: it provides the granular control that governs the exceptions, granting or denying users permission to run applications and controlling which folders an application is allowed to run from.

How Device Guard Works

Diagram: the administrator defines trusted signing certificates (Microsoft, an HP printer driver signer, Adobe) in a Code Integrity policy; the policy is distributed through Active Directory, Configuration Manager, or Microsoft Intune and applied to clients; Code Integrity then allows only trusted applications to execute (Microsoft Word, HP, FileZilla FTP are the apps shown) and blocks the unsigned app.

What is Device Guard?

- More than just application whitelisting (Code Integrity)
- UMCI (user-mode code integrity) vs. KMCI (kernel-mode code integrity)
- Uses a defined "code integrity policy" to determine what code can and cannot run
- Uses virtualization-based security to isolate the Code Integrity service from the kernel, so a kernel compromise cannot turn it off
- Requirements:
  https://technet.microsoft.com/en-us/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard
  https://blogs.technet.microsoft.com/ukplatforms/2017/04/04/getting-started-with-windows-10-device-guard-part-1-of-2/
  https://drive.google.com/file/d/0B-K55rLoulAfOGVteEllR0xnRnc/view

Device Guard and Configuration Manager

Keep in mind: still a pre-release feature.
Requirements:
- Configuration Manager 1702 minimum (or one of the technical previews)
- Consent to use pre-release features and turn on the Device Guard feature
- Windows 10 Enterprise 1703 minimum
"Automatically trust apps installed by a trusted installer (Configuration Manager)" is not the same as using a signed binary Code Integrity policy: it actually uses AppLocker to identify Managed Installers, so anything the CM client deploys is trusted by virtue of who installed it, not how it is signed.
https://docs.microsoft.com/en-us/sccm/protect/deploy-use/use-device-guard-with-configuration-manager

Enable Device Guard

Remember the Credential Guard policy setting? It is the same one ("Turn On Virtualization Based Security"). Set "Virtualization Based Protection of Code Integrity" to "Enabled with UEFI lock" and check "Require UEFI Memory Attributes Table" (new in 1703; it restricts HVCI to firmware that publishes the table and so prevents crashes on incompatible hardware).

Set Code Integrity Policy

- Throw the .bin file on a share; ensure the permissions give read access to Domain Computers
- Enter the path to the .bin file in the Group Policy setting; the client copies it to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and <EFI System Partition>\Microsoft\Boot

Create and Manage Code Integrity Policy

Use PowerShell (the ConfigCI module) to create and manage Code Integrity policies:
- Create a policy XML file by scanning a reference machine
- Review the XML policy file that is generated
- Merge policy files from multiple machines, scans using different rule types, manually created policies, etc.
- Convert the XML file to a .bin for deployment
- Sign the Code Integrity .bin file
- Audit Mode parameter (a rule option in the policy)
- Different "levels" (rule types); not all files work well with the specified level, so use the fallback parameter to specify a secondary level
- After completion, an error log file lists the files for which rules could not be created at the specified levels
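The whole lifecycle in one script, added as an example and not taken from the slides: scan, audit mode, merge in what the audit period found, convert, sign, publish, and check enforcement on a client. The working directory, the "CIPolicySigner" certificate, the \\server\CIPolicy$ share and signtool.exe being on the PATH are assumptions; the rule option numbers and the /p7co OID are the ones the ConfigCI and signtool documentation use.

```powershell
# Added example: build, audit, merge, sign and verify a Code Integrity policy.
Import-Module ConfigCI

$work = 'C:\CIPolicy'
New-Item -Path $work -ItemType Directory -Force | Out-Null

# 1. Scan a clean reference machine. -Level Publisher trusts the signer chain;
#    -Fallback Hash produces hash rules for files that cannot be matched at that
#    level (unsigned binaries). -UserPEs includes user-mode code; without it only
#    kernel-mode (KMCI) rules are produced.
New-CIPolicy -FilePath "$work\Reference.xml" -ScanPath 'C:\' -Level Publisher -Fallback Hash -UserPEs

# 2. Rule option 3 = Enabled:Audit Mode. Violations are logged (event 3076 in
#    Microsoft-Windows-CodeIntegrity/Operational) instead of being blocked.
Set-RuleOption -FilePath "$work\Reference.xml" -Option 3

# 3. After the audit period, -Audit builds a policy from what the CodeIntegrity
#    log saw instead of scanning the disk; merge it with the reference policy.
New-CIPolicy -FilePath "$work\FromAudit.xml" -Audit -Level Publisher -Fallback Hash -UserPEs
Merge-CIPolicy -PolicyPaths "$work\Reference.xml", "$work\FromAudit.xml" -OutputFilePath "$work\Merged.xml"

# 4. Before signing: allow the policy-signing certificate as an -Update signer
#    (otherwise the signed policy can never be replaced) and delete rule option 6
#    (Enabled:Unsigned System Integrity Policy).
Add-SignerRule -FilePath "$work\Merged.xml" -CertificatePath "$work\CIPolicySigner.cer" -Update -User -Kernel
Set-RuleOption -FilePath "$work\Merged.xml" -Option 6 -Delete

# 5. Convert to binary and sign. /p7co marks the PKCS#7 as a code-integrity
#    policy; signtool writes SIPolicy.bin.p7 next to the input file.
ConvertFrom-CIPolicy -XmlFilePath "$work\Merged.xml" -BinaryFilePath "$work\SIPolicy.bin"
& signtool.exe sign -v /n 'CIPolicySigner' /p7 $work /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 "$work\SIPolicy.bin"
Copy-Item -Path "$work\SIPolicy.bin.p7" -Destination '\\server\CIPolicy$\SIPolicy.p7b' -Force

# 6. On a client after reboot: 0 = off, 1 = audit, 2 = enforced.
function Get-CIPolicyEnforcement {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        KernelMode = $dg.CodeIntegrityPolicyEnforcementStatus
        UserMode   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}
Get-CIPolicyEnforcement
```

Keep the signing certificate offline once the policy is signed: with a signed policy and a UEFI lock, whoever holds that key is the only party who can change what the fleet is allowed to run, which is exactly the property you want against an attacker with local administrator rights.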

Create and Manage Code Integrity Policy

Policy rule options: https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules

Managing Unsigned Apps

Why manage unsigned apps or "sign" them?
- Rule #1: it is always better to "manage" known-good (and "block" unknown-bad); most malware is not digitally signed
- Prevents your apps from accidentally becoming known-bad/untrusted, i.e. avoids business impact
Package Inspector: catalogs the hash values of the files an installation drops; if a Code Integrity policy is being enforced, switch it to audit mode before running it
SignTool: signs the catalog file (.cat) so that it is trusted within the Code Integrity policy (the catalog-signing certificate must itself be allowed as a signer in the policy)
https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies
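The Package Inspector and SignTool steps end to end, added as an example rather than taken from the slides. The installer path, catalog name, "CatalogSigner" certificate and the policy file path are assumptions; the catroot GUID folder is the fixed location Windows uses for installed catalogs. Run it on a machine whose CI policy is in audit mode, because an enforced policy would block the very binaries you are trying to catalog.

```powershell
# Added example: catalog an unsigned application and make the policy trust it.

$catDir  = 'C:\Catalogs'
$catName = 'UnsignedApp.cat'
$catRoot = 'C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
New-Item -Path $catDir -ItemType Directory -Force | Out-Null

# 1. Start watching the drive the application will be installed to.
PackageInspector.exe Start C:

# 2. Install and launch the application once so that every binary it drops,
#    including anything extracted at first run, is seen by the inspector.
Start-Process -FilePath '\\server\apps$\UnsignedApp\setup.exe' -ArgumentList '/S' -Wait

# 3. Stop watching; this writes the catalog (file hashes) and its .cdf definition.
PackageInspector.exe Stop C: -Name "$catDir\$catName" -CDFPath "$catDir\UnsignedApp.cdf"

# 4. Sign the catalog (signtool.exe from the Windows SDK).
& signtool.exe sign /n 'CatalogSigner' /fd sha256 /v "$catDir\$catName"

# 5. The catalog only counts if its signer is allowed for user-mode code in the
#    policy; then rebuild/resign the policy as in the previous example.
Add-SignerRule -FilePath 'C:\CIPolicy\Merged.xml' -CertificatePath "$catDir\CatalogSigner.cer" -User

# 6. Install the catalog locally to test. For the fleet, deploy the .cat with
#    CM or Group Policy to the same folder on every machine.
Copy-Item -Path "$catDir\$catName" -Destination $catRoot -Force

# Check that the hashes in the catalog match the installed files; any file that
# was updated after the catalog was built shows up here and needs a new catalog.
function Test-CatalogCoverage {
    param([string]$InstallDir = 'C:\Program Files\UnsignedApp')
    Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{ File = $_.FullName; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    } | Where-Object Status -ne 'Valid'
}
Test-CatalogCoverage
```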

Sign Code Integrity Policy

If you do not run your own PKI, the Windows Store for Business or Education portal offers a Device Guard signing service for policy and catalog files:
http://businessstore.microsoft.com/
https://educationstore.microsoft.com/

Audit Logging

- Microsoft-Windows-DeviceGuard/Operational: policy application and status
- Microsoft-Windows-CodeIntegrity/Operational: the block actions themselves (event 3077 when enforced, event 3076 "would have blocked" in audit mode)
- Monitor in audit mode to create rules

Whitelisting – Ongoing Maintenance Requirements

- Certificates: a new cert because the old one expired, or because the manufacturer simply decided to change their cert for other reasons
- New applications: any new app not satisfying an existing rule will require an update to the ruleset
- Other environment changes

Can’t figure it out? If($AllElse.ExitCode -ne '0'){ $Consultant = New-Object Microsoft.Systems.Consultant $Consultant.Hire() }

Other Items of Note

- Security Compliance Manager (demo if time): crafting secure Group Policy Objects
- Application Guard: built into Edge; uses VBS to isolate untrusted sites at the hardware layer, protecting the Windows kernel
- Protected Event Logging: uses PKI to encrypt sensitive information in event logs
- LAPS: provides unique local administrator passwords for your clients using a centrally managed solution
