In this presentation from her webinar, Enterprise Security MVP and Microsoft Security Trusted Advisor, Paula Januszkiewicz,explores common ‘infrastructure sins’.
Security audits are the best opportunity to become familiar with the common (and uncommon) Windows security mistakes made by sys admins. Unfortunately, too often the common mistakes are extremely serious and can present an easy inroad to catastrophic security event. But where do you start? Learn from Paula in this presentation, or check out the full webinar here:
https://www.beyondtrust.com/resources/webinar/avoiding-10-deadliest-common-sins-securing-windows/?access_code=bc633e62b0095c6ed17684297ee49db4
2. Consulting services
High quality penetration tests with useful reports
Applications
Websites
External services (edge)
Internal services
+ configuration reviews
Incident response emergency services
– immediate reaction!
Security architecture and design advisory
Forensics investigation
Security awareness
For management and employees
info@cqure.us
Trainings
Security Awareness trainings for executives
CQURE Academy: over 40 advanced security
trainings for IT Teams
Certificates and exams
Delivered all around the world only by a CQURE
Team: training authors
3.
4. Discounts for Beyond Trust webinar attendees!
Interested? Drop us quick email at: info@cqure.us
More info: https://cqureacademy.com/trainings
May 7-11th 2018NEW! System Forensics Training
and Security Operations +
Troubleshooting
January 22-26th 2018
5.
6.
7.
8. Will you share your passwords with others?
We do this every day!
How do services store passwords?
Passwords are often similar to your other passwords
At least one of them can be easily accessed by the administrator of the service
Be prepared for password loss and service recovery
11. Key learning points:
✓ Worldwide spending on information security is expected to reach
$90 billion in 2017, an increase of 7.6 percent over 2016, and to top
$113 billion by 2020, according to advisory firm Gartner
✓ With increasing budget the risk of possessing hipster tools increases
too – do we know where these tools come from and what are their
security practices?
✓ Lots of solutions where not created according to the good security
practices (backup software running as Domain Admin etc.)
✓ Each app running in the user’s context has access to secrets of other
apps – Data Protection API
✓ Case of CCleaner
12.
13. Key learning points:
✓ Set SPNs for services to avoid NTLM:
SetSPN –L <your service account for AGPM/SQL/Exch/Custom>
SetSPN –A Servicename/FQDN of hostname/FQDN of domain
domainserviceaccount
✓ Reconsider using Kerberos authentication all over
https://technet.microsoft.com/en-us/library/jj865668.aspx
✓ Require SPN target name validation
Microsoft network server: Server SPN target name validation level
✓ Reconsider turning on SMB Signing
✓ Reconsider port filtering
✓ Reconsider code execution prevention but do not forget that
this attack leverages administrative accounts
15. Key learning points:
Common file formats containing malware are:
✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc)
✓ .dll (Dynamic Link Libraries)
✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT,
COM, CMD etc)
✓ .docm, .xlsm etc. (Office Macro files)
✓ .other (LNK, PDF, PIF, etc.)
If SafeDllSearchMode is enabled, the search order is as follows:
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current directory
6. The directories that are listed in the PATH environment
variable
17. Key learning points:
✓ The best operators won't use a component until they
know how it breaks.
✓ Almost each solution has some ‘backdoor weakness’
✓ Some antivirus solutions can be stopped by SDDL
modification for their services
✓ Configuration can be monitored by Desired State
Configuration (DSC)
✓ DSC if not configured properly will not be able to spot
internal service configuration changes
Example: how to I get to the password management
portal?
18.
19.
20. Is this really the admin’s sin?
The negative side of this sin is that you need to trust people
Most companies are not prepared for the IT Staff going on a…
vacation
Set up the rules before creating the solutions
21. Infrastructure can be a silent
killer
Vulnerability Management
Put on the Hacker’s Shoes
External + Internal + Web Penetration tests
Configuration reviews
Prevention
22. Discounts for Beyond Trust webinar attendees!
Interested? Drop us quick email at: info@cqure.us
More info: https://cqureacademy.com/trainings
May 7-11th 2018NEW! System Forensics Training
and Security Operations +
Troubleshooting
January 22-26th 2018
24. Summary: Why PowerBroker for Windows?
• Asset discovery, application control, risk compliance, Windows event log monitoring included
• Optional: Session monitoring, file integrity monitoring
Deep capability
• U.S. Patent (No. 8,850,549) for the methods and systems employed for controlling access to
resources and privileges per process
Mature, patented leader
• Tightly integrated with vulnerability management
• Deep reporting and analytics insights for compliance and operations
Centralized reporting,
analytics and
management
• Privilege and session management on Unix, Linux and Windows
• Privileged password and session management
• Integrate Linux, Unix, and Mac OS X with Microsoft AD
• Real-time auditing of AD, File System, Exchange & SQL
Part of a broad solution
family
Validatedbycustomersandanalystsalike
25. Your solution should:
• Elevate privileges to applications, not users, on an as-needed basis without
exposing passwords
• Enforce least-privilege access based on an application’s known vulnerabilities
• Track and control applications with known vulnerabilities or malware to further
protect endpoints
• Monitor event logs and file integrity for unauthorized changes to key files and
directories
• Capture keystrokes and screens when rules are triggered with searchable
playback