Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Your Workstations

Published byCassandra Patterson Modified over 7 years ago

Similar presentations

Presentation on theme: "Secure Your Workstations"— Presentation transcript:

1 Secure Your Workstations
Mark Godfrey TekuITS.com Systems Engineer MDH Gary Blok GaryTown.com Lead Systems Engineer MDH Troy Martin 1e.com/blogs/author/troymartin Technical Architect 1E

2 Mark Godfrey Gary Blok @Geodesicz @GWBlok
2nd prize in pizza eating contest 1992 T-Ball Participation Award StarCraft 2 2v2 Diamond Bracket Unlocked all chars in Mario Kart Favorite beer: TinWhiskers FlipSwitch IPA Favorite Show: The IT Crowd

3 Troy Martin @TroyMartinNet (in '92) 3rd highest score in DeVry
NY Yankees 24/7/365!! I'm diabetic, so Ice Cream it is!!

4 Why is Workstation Security Important?
Why should I care?

5 Technical Point of Entry – Attack Surface Size Usage Mobility
# of Servers/Network Hardware vs # of Workstations More software = More vulnerabilities Usage End users click things Links in s Remote requests Macro requests in randomly downloaded documents Dancing animal pictures with embedded malware End users browse the web Humans make mistakes Mobility How many people leave their servers or switches on the bus or at a hotel? Operational More Secure = Less Issues = Less Time Spent Dealing with Issues

6 Non-Technical Financial Ethical Personal Regulatory Lawsuits
Loss of Business due to Loss of Trust Other Ethical Responsibility to Protect People’s Data Responsibility to Protect Your Organization Responsibility to Do Your Job Well Personal Pride in Your Work Employability Aftermath Regulatory HIPPA SOX FERPA

7 Changing Face of Workstation Security
Get Your Head Out of Your Past But, I Have Antivirus Now Vulnerability Management Least Privilege Security Software Application Whitelisting Firmware Firewall Encryption Social Engineering More

8 Firmware Security is like a pyramid, build it from the bottom up with a large, strong base. Requirements and Prerequisites UEFI Secure Boot BitLocker More Manage Your Firmware Upgrades See Leveraging Vendor Tools Session For BIOS Update and Settings Management

9 Secure Boot Process CHIPSET GUID PARTITION TABLE (GPT) DISK
Firmware stores list of trusted signatures Firmware checks Windows Boot Manager and Windows Boot Loader are signed with trusted certificate before executing Windows Boot Loader only loads kernel signed with trusted certificate CHIPSET GUID PARTITION TABLE (GPT) DISK UEFI FIRMWARE EFI SYSTEM PARTITION WINDOWS PARTITION UEFI Boot Manager Windows Boot Manager Windows Boot Loader Windows Kernel The device manufacturer hard-codes a list of trusted signing certificates in the firmware. [Click] This list is signed by the manufacturer and can only be updated by the manufacturer through firmware updates. UEFI uses a specific disk configuration – GUID Partition Table – that provides a lot more flexibility during boot up over the Master Boot Record disk configuration required by legacy BIOS. [Click] When the Windows device is started, the UEFI boot manager loads the Windows Boot Manager from the EFI System Partition (ESP). [Click] With Secure Boot enabled, the Windows Boot Manager can only be loaded if it is signed with a trusted signing certificate. [Click] The Windows Boot Manager will then go on to load the Windows Boot Loader from the Windows Partition, which again will only be loaded if it is signed with a trusted certificate. [Click] Finally, the Windows Boot Loader will load the Windows Kernel, which again must be signed with a trusted certificate.

10 Encryption BitLocker it up!

11 XTS-AES New Encryption Algorithm as of Win10 1511*
Provides protection against additional types of attacks FIPS-compliant Only use for fixed and OS drives Only use on removable drive if you don’t want to use it on other OSes Update MBAM before implementing to ensure you have support for this 128 vs 256 bit

12 Set in Group Policy Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption: Choose Drive Encryption Method and Cipher Strength (Windows 10 [Version 1511] and later) Select algorithm for each set

13 Enable XTS-AES in OSD Should already have steps to Activate TPM
Disable Pre-Provision BitLocker Steps Stop MBAM Service (if using MBAM) Partition Drive for BitLocker MDT Step using ZTIBDE.wsf Add 5 policy settings to the registry – HKLM:\Software\Policies\Microsoft\FVE "EncryptionMethodWithXtsOs"=dword: "EncryptionMethodWithXtsFdv"=dword: "EncryptionMethodWithXtsRdv"=dword: "OSEncryptionType"=dword: "EncryptionMethod"=dword: Additional Settings Required if Using MBAM – HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Start MBAM Service (if using MBAM) Enable BitLocker

14 Credential Guard No hash for you!

15 What is Credential Guard?
Partial Implementation of Device Guard* Credentials Run in Protected, Virtual Environment Environment Isolated from the OS Protects NTLM password hashes, Kerberos Ticket Granting Tickets, and Application-stored creds Contrary to prior belief, does NOT require Hyper-V *Feature to be enabled Protects Credential Hashes Prevents Reverse Password Hash Lookups and Pass-the-Hash Attacks, Others Requirements: secure/requirements-and-deployment-planning-guidelines-for-device-guard Virtualization extensions in BIOS, TPM, UEFI, SecureBoot

16 Set in Group Policy Computer Configuration -> Policies -> Administrative Templates -> System -> Device Guard: Turn On Virtualization Based Security

17 Remote Protection Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation: Remote host allows delegation of non-exportable credentials: Enabled Might have issues if your DNS sucks us/itpro/windows/keep- secure/remote-credential-guard Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation: Restrict delegation of credentials to remote servers: Enabled – Require Remote Credential Guard

18 Enable Credential Guard – OSD TS
Set 3 Registry Settings for Virtualization-Based Security and Credential Guard 3 Run Command Line Steps REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V EnableVirtualizationBasedSecurity /T REG_DWORD /D 1 /F VBS on REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V RequirePlatformSecurityFeatures /T REG_DWORD /D 3 /F Level – Secure Boot with DMA REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /V LsaCfgFlags /T REG_DWORD /D 1 /F Enable Credential Guard with UEFI Lock

19 BitLocker XTS-AES 256 & Enable and Verify Credential Guard

20 AppLocker Application Whitelisting Part 1

21 What is AppLocker? Application Whitelisting at the Application Level
Relies on Application Identity Service Not a fool-proof security measure Use in conjunction with Device Guard for fine tuning Set of rules controlled via group policy to determine what can or can not run Can control EXEs, DLLs, MSIs, Scripts, and AppX Packages Enterprise and Education SKUs only

22 AppLocker – Initial Items to Configure
Set Application Identity Service to Automatic Start via Group Policy Set Log Sizes in Registry via Group Policy Preferences HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows- AppLocker/EXE and DLL HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows- AppLocker/MSI and Script HKLM:\​SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows- AppLocker/Packaged app-Deployment HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows- AppLocker/Packaged app-Execution Reg_DWORD MaxSize =

23 Create Initial AppLocker Policy

24 AppLocker Log Collection & Rule Creation
Use Audit Logs to Generate Rules for Policy No “One Size Fits All” Method Collection Script to Deploy as CM Package 2 parameters – string for log storage UNC path & Boolean for Clear After Collect Set Program to Run from DP to Ensure Machine Has Network Access to Log Collection Path at Time Script Runs Create AppLocker Rules from Logs Allow vs Deny Rules Scope to User or Group Rule Condition Types – Publisher, Path, File Hash Exceptions AppX Rules

25 Creating Rules and Refining AppLocker Policy

26 Move From Audit to Enforce
Refine Ruleset Until You Feel it is Complete Dwindling Logs Being Collected Deal with anything on the organizational side in regards to users running unapproved apps which will soon be blocked (let the business or a PM handle this) Use 2nd GPO With Duplicate Policy – Keep Changes Consistent – Enforce Instead of Audit Scope GPO with Security Filtering to Deployment AD Group Add Machines to AD Group as You Roll Out Could also do this by OU if you prefer that method Roll out will vary based on size and structure of organization One Business Unit at a Time

27 Device Guard Application Whitelisting Part 2

28 Before wannacry… “Sophos didn't publish a definition update until 1825 BST, hours after an outbreak..."

29 …and after

30 Proactive Security is essential…
Bouncer Bartender Device Guard (Code Integrity) expresses a high level of “trust”, whereas AppLocker allows for granular rules - To understand how Windows 10 can help in achieving the goals, let’s draw from some real-world examples of “Proactive Security”. This example is not my own idea, as I got it from a session at Ignite When I first heard it, I thought the analogy was genius!! So shout out to Jeffery Sutherland!! When you look at security at a bar or even a nightclub, they are expected to have protocols and procedures in-place to ensure the safety of their patrons. At the same time, they expect their patrons to follow the rules of the establishment. The Bouncers and Bartenders are on the front-lines when it comes to enforcing those protocols and procedures. Bouncer Checks I.D. i.e. 21 or older Verifies name is on the guest list Ensures proper attire is being worn Bartender Service will be refused when Patron is inebriated, hassling for free drinks, cutting the line, etc. [CLICK] Device Guard is like the Bouncer i.e. only allows trusted apps to run Validates that the app is signed by a trusted vendor Uses application Hash(es) are used to uniquely identify an app and further determine trust AppLocker is like the bartender i.e. provides granular control to govern the application exceptions Grants or Denies users permission to run applications Controls what folders an application is allowed to run Device Guard AppLocker

31 How Device Guard Works ACTIVE DIRECTORY POLICY CONFIGURATION MANAGER
MICROSOFT INTUNE POLICY POLICY CODE INTEGRITY Microsoft HP Printer Driver Adobe Policy applied to clients Microsoft Word HP FileZilla FTP Administrator defines trusted signing certificates in policy Only trusted applications can execute Unsigned App

32 What is Device Guard? More than just application whitelisting (Code Integrity) UMCI (user-mode) vs KMCI (kernel-mode) Uses a defined "code integrity policy" to determine what code can and cannot run Uses virtualization-based security to isolate the Code Integrity service from the kernel Requirements: secure/requirements-and-deployment-planning-guidelines-for-device-guard 10-device-guard-part-1-of-2/

33 Device Guard and Configuration Manager
Keep in Mind: Still a pre-release features Requirements: Configuration Manager 1702 minimum (or one of the tech previews) Consent to use pre-release features and turn on Device Guard feature Win 10 Enterprise 1703 minimum Automatically trust apps installed by a trusted installer (Configuration Manager) Not the same as using a signed binary code integrity policy! Actually uses AppLocker to identify Managed Installers. configuration-manager

34 Enable Device Guard Require UEFI Memory Attributes Table
Remember that Credential Guard policy setting? Same one! Set Virtualization Based Protection of Code Integrity to "Enabled with UEFI lock" Require UEFI Memory Attributes Table New in 1703, prevents crashes due to incompatibility

35 Set Code Integrity Policy
Throw that bin file on a share Ensure permissions allow for it to be read access by Domain Computers Enter the path for the bin file Will be copied to C:\Windows\System32\CodeIntegrity\SIP olicy.p7b and <EFI System Partition>\Microsoft\Boot

36 Create And Manage Code Integrity Policy
Use PowerShell to create and manage Cody Integrity Policies ConfigCI Module Create a policy xml file from scanning a reference machine Review xml policy file that is generated * Merge policy files from multiple machines, scans using different rule types, manually created, etc Convert xml file to bin for deploying Sign the Code Integrity bin file Audit Mode parameter Different "Levels" or rule types Not all files work well with specified level Use fallback parameter to specify secondary level After completion, error log file will indicate files for which rules could not be created    based on specified levels

37 Create And Manage Code Integrity Policy
Policy Rule Options - guard/deploy-code-integrity-policies-policy-rules-and-file-rules

38 Create And Manage Code Integrity Policy
Policy Rule Options - guard/deploy-code-integrity-policies-policy-rules-and-file-rules

39 Managing Unsigned apps
Why manage unsigned apps or “sign” them? Rule #1 – It’s always better to “manage” known-good (and “block” unknown-bad) Most malware is not digitally signed Prevents your apps from accidentally becoming known-bad/untrusted e.g. Avoid business impact Package Inspector Catalogs hash-values of the files If Code Integrity policy is being enforced, ensure changed to Audit Mode before running SignTool Makes the catalog file (.cat) trusted within the Code Integrity policy files-to-support-code-integrity-policies

40 Sign Code Integrity Policy
Windows Store for Business or Education

41 Audit LogGing Microsoft-Windows-DeviceGuard/Operational
Policy application, block actions, etc Monitor in audit mode to create rules

42 Whitelisting – Ongoing maintenance reqs
Certificates New Cert Old expired or mfg just decided to change their cert for other reasons New applications Any new app not satisfying an existing rule will require an update to the ruleset Other environment changes

43 Can’t figure it out? If($AllElse.ExitCode -ne '0'){ $Consultant = New-Object Microsoft.Systems.Consultant $Consultant.Hire() }

44 Other Items of Note Security Compliance Manager (demo if time)
Crafting Secure Group Policy Objects Application Guard Built into Edge Uses VBS to isolate untrusted sites at the hardware layer, protecting the Windows kernel Protected Event Logging Use PKI to encrypt sensitive information in event logs LAPS Provide unique local administrative passwords for your clients using a centrally managed solution

45

46

47 Citations Line1 Bullet Level 1 Bullet Level 2 Bullet Level 3

48 Section Header This is the next section

49 Title Line1 Bullet Level 1 Bullet Level 2 Bullet Level 3

50 Title Code

51 Text Only with Border Level 1 Level 2 Level 3

52 Text Only (Red) Level 1 Level 2 Level 3

53 Title Text 1 Level 1 Level 2 Level 3 Text 2 Level 1 Level 2 Level 3

54 Title Section 1 Section 2 Text Text Level 1 Level 1 Level 2 Level 2

55 Demo Title

56

57

58

59

60

61

62

63

64

Download ppt "Secure Your Workstations"

Similar presentations

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Module 5: Creating and Configuring Group Policy

Module 5: Creating and Configuring Group Policy
Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,

Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Lesson 18: Configuring Application Restriction Policies

Lesson 18: Configuring Application Restriction Policies
Working with Drivers and Printers Lesson 6. Skills Matrix Technology SkillObjective DomainObjective # Understanding Drivers and Devices Install and configure.

Working with Drivers and Printers Lesson 6. Skills Matrix Technology SkillObjective DomainObjective # Understanding Drivers and Devices Install and configure.
Chapter 7 Installing and Using Windows XP Professional.

Chapter 7 Installing and Using Windows XP Professional.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 6 Today’s Windows Windows Vista and Windows 7 McGraw-Hill.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 6 Today’s Windows Windows Vista and Windows 7 McGraw-Hill.
Microsoft ® Official Course Module 8 Securing Windows 8 Desktops.

Microsoft ® Official Course Module 8 Securing Windows 8 Desktops.
Hands-On Microsoft Windows Server 2003 Administration Chapter 2 Managing Windows Server 2003 Hardware and Software.

Hands-On Microsoft Windows Server 2003 Administration Chapter 2 Managing Windows Server 2003 Hardware and Software.
Hands-On Microsoft Windows Server 20081 Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Week #7 Objectives: Secure Windows 7 Desktop

Week #7 Objectives: Secure Windows 7 Desktop
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Troubleshooting Windows Vista Security Chapter 4.

Troubleshooting Windows Vista Security Chapter 4.
Section 1: Introducing Group Policy What Is Group Policy? Group Policy Scenarios New Group Policy Features Introduced with Windows Server 2008 and Windows.

Section 1: Introducing Group Policy What Is Group Policy? Group Policy Scenarios New Group Policy Features Introduced with Windows Server 2008 and Windows.
11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.

11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.

Similar presentations

Ads by Google