
Windows Service Hardening


Bryan Owen of OSIsoft at S4x15 OTDay.

Bryan shows how to harden a Windows service generically, then applies the same steps to a specific service used with OSIsoft's PI Server: the PI SNMP interface.



  1. Windows Service Hardening Applied to Securing PI Interfaces. S4x15 OT Day. Bryan S Owen PE
  2. Objectives
     • What is Service Hardening?
     • How to harden a PI Interface?
  3. Service Hardening is a Defensive Practice
     • Part of the 'Assume Breach' mindset
     • Strive to limit damage potential
  4. Reality: Services are Attractive Targets
     • Readily discoverable
     • Open network ports
     • No user interaction
     • Elevated privileges
  5. Countermeasures
     Whitelisting approach for:
     1. Specific privileges
     2. Allowed communication
     Service hardening covers the ACLs on the file system and registry, and the network.
  6. Windows Service Hardening: kernel changes in Windows 6.0 (Vista/2008 and later)
     • Reduce the size of high-risk layers
     • Segment the services
     • Increase the number of layers
     (Figure: layered diagram of kernel drivers, user-mode drivers, and many segmented services instead of a few large ones.)
  7. Built-in Users/Groups (from most to least privilege)
     • System
     • Administrators
     • Network Service
     • Users, Local Service
     • Virtual Service Account (NT SERVICE\ServiceName)
  8. Default Service Account is 'System'!
     Abused by the Stuxnet worm and in numerous other attacks.
  9. Access Control List (ACL) Example
     Local System, default: Full control … access to everything.
  10. Opportunities
     • Network access restrictions
     • Service isolation: file system and registry permissions
     • Specify required privileges
     • Service accounts
  11. PISNMP Interface Case Study: Securing PI Interfaces
  12. PI SNMP Interface Data Flow
     SNMP-capable ICS device → (SNMP protocol) → PI SNMP Interface Node (collect and buffer services) → (PINET protocol) → PI Server
     Harden every hop: the device side, the interface node, and the PI Server side.
  13. Service Hardening Scope
     1. Service recovery policy
     2. Reduce privilege
     3. Protect file system
     4. Firewall service rules
  14. Service Control Manager (SCM) configuration tools: basic and advanced
  15. Service Recovery
  16. Service Process Privileges (as shown on the slide)
     System (abridged): SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeCreateSymbolicLinkPrivilege, SeDebugPrivilege, SeImpersonatePrivilege, SeIncreaseWorkingSetPrivilege, SeLockMemoryPrivilege, SeProfileSingleProcessPrivilege, SeSystemProfilePrivilege, SeTcbPrivilege, SeTimeZonePrivilege
     Network Service (abridged): SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege, SeAuditPrivilege
     Minimum required (PI SNMP interface): SeChangeNotifyPrivilege
  17. Network Service: no longer full access
     • Reduced privileges
     • Member of Authenticated Users
  18. Quiz
     By default, is "Network Service" allowed to write and then execute from disk?
     Hint:
     • ICACLS %SystemRoot%\system32
     • ICACLS %SystemDrive%
  19. Service 'Hopping' with Built-In Accounts
     • Shared logon: Network Service
     (Figure: Service1 and Service2 both log on as Network Service, so any ACL granting Network Service is reachable from either service.)
  20. Virtual Service Account
     • Creates a security identifier based on the service name
     • Alternative to sharing built-in service accounts
     • NT SERVICE\service name
     • Local account
     • Windows networking identity
       • Domain: machine name$
       • Workgroup: anonymous
     • Passwords
       • Automatically generated, non-expiring, cannot be locked out
       • 240 bytes, cryptographically random
  21. Enable Virtual Service Account (example)
      C:\> sc qsidtype pisnmp1
      [SC] QueryServiceConfig2 SUCCESS
      SERVICE_NAME: pisnmp1
      SERVICE_SID_TYPE: NONE

      C:\> sc sidtype pisnmp1 unrestricted
      [SC] ChangeServiceConfig2 SUCCESS
  22. SID Types
     • None: no virtual service account SID available.
     • Unrestricted: access token contains "NT SERVICE\ServiceName".
     • Restricted: access token with RESTRICTED, MANDATORY flags on:
       • NT SERVICE\ServiceName
       • NT AUTHORITY\WRITE RESTRICTED
       • Everyone
       • Logon SID (S-1-5-5-0-…; a unique SID is created for each logon session)
  23. Service Isolation: grant permission to the Virtual Service Account
     Default: full-access ACL on any file, logon as Local System.
     More secure: ACL granting NT SERVICE\pisnmp1 read/write on Program Files\PIPC\Interfaces\SNMP only, logon as NT SERVICE\PISNMP1.
  24. Specify Required Privileges
      C:\> sc sidtype pisnmp1 unrestricted
      [SC] ChangeServiceConfig2 SUCCESS

      C:\> sc privs pisnmp1 SeChangeNotifyPrivilege
      [SC] ChangeServiceConfig2 SUCCESS

      C:\> sc qprivs pisnmp1
      [SC] QueryServiceConfig2 SUCCESS
      SERVICE_NAME: pisnmp1
      PRIVILEGES  : SeChangeNotifyPrivilege

      ** Restart the service ** (sidtype and privs only apply to a newly started process)
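The steps of slides 20 to 24 (virtual service account, privilege whitelist, folder ACL, restart, verify) as one elevated PowerShell script. This is an added example, not code from the slides or from OSIsoft; the service name pisnmp1, the folder under Program Files\PIPC\Interfaces\SNMP and the single-privilege list are assumptions taken from the case study, so adjust them for your own service.

```powershell
# Added example (not from the slides): harden one Windows service with sc.exe
# and icacls, then verify.  Run from an elevated PowerShell 5.1+ prompt.
# $ServiceName, $InterfaceDir and $Privileges are assumptions from the PI SNMP
# case study.
param(
    [string]$ServiceName  = 'pisnmp1',
    [string]$InterfaceDir = "$env:ProgramFiles\PIPC\Interfaces\SNMP",
    [string[]]$Privileges = @('SeChangeNotifyPrivilege')
)

function Invoke-Sc {
    # sc.exe reports failures as text with a non-zero exit code; surface them.
    param([string[]]$Arguments)
    $out = & sc.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe $($Arguments -join ' ') failed: $out" }
    $out
}

# 1. Give the service its own SID (NT SERVICE\<name>) in the process token.
Invoke-Sc @('sidtype', $ServiceName, 'unrestricted') | Out-Null

# 2. Log the service on as its virtual account instead of LocalSystem.  No
#    password is needed; "NT SERVICE\ALL SERVICES" holds the logon-as-a-service
#    right by default.
Invoke-Sc @('config', $ServiceName, 'obj=', "NT SERVICE\$ServiceName") | Out-Null

# 3. Whitelist privileges.  sc privs takes a '/'-separated list; every other
#    privilege the logon account would hold is dropped from the process token.
Invoke-Sc @('privs', $ServiceName, ($Privileges -join '/')) | Out-Null

# 4. Grant the virtual account access to its own folder only.  (OI)(CI) inherits
#    to files and subfolders; M = modify, the slide's "r/w".  Tighter still:
#    RX on the binaries folder and M only on the buffer/log folder.
& icacls.exe $InterfaceDir /grant ("NT SERVICE\$ServiceName" + ':(OI)(CI)M') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $InterfaceDir" }

# 5. SID type, logon account and privilege list apply to a fresh process only.
Restart-Service -Name $ServiceName -Force

# 6. Verify what the SCM now stores.  qprivs prints extra privileges on
#    continuation lines, so capture every line after PRIVILEGES.
$sidLine  = (Invoke-Sc @('qsidtype', $ServiceName) | Select-String 'SERVICE_SID_TYPE').Line.Trim()
$privOut  = Invoke-Sc @('qprivs', $ServiceName)
$privList = ($privOut | Select-String ':\s*(Se\w+Privilege)' | ForEach-Object { $_.Matches[0].Groups[1].Value }) -join ', '
$account  = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName

[pscustomobject]@{
    Service    = $ServiceName
    LogonAs    = $account
    SidType    = $sidLine
    Privileges = $privList
}
```

Run it once per service. A service that still needs SeImpersonatePrivilege or a network privilege will fail at start after step 3; the Application and System event logs show which privilege it asked for, and that name goes into `$Privileges` rather than reverting to the full set.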
  25. Quiz
     • Find a Windows service that has an 'unrestricted' SID with minimal privileges.
     Hint:
     • Use "sc query | findstr SERVICE_NAME"
     • Then "sc qsidtype servicename"
     • And "sc qprivs servicename" (scheduler, spooler, etc.)
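To answer the quiz above for every installed service at once, the added PowerShell below (not code from the slides) reads the two registry values that `sc sidtype` and `sc privs` write, `ServiceSidType` (DWORD: 0 none, 1 unrestricted, 3 restricted) and `RequiredPrivileges` (MULTI_SZ), under HKLM\SYSTEM\CurrentControlSet\Services. The "minimal" threshold of three privileges is an assumption.

```powershell
# Added example (not from the slides): inventory SID type and privilege
# whitelist for all Win32 services from the registry.  No admin rights needed.
$SidTypeNames = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }

function Get-ServiceHardeningState {
    param([int]$MaxPrivileges = 3)   # "minimal" threshold; an assumption

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 0x10 = own process, 0x20 = shared process; anything else
        # (kernel/file-system drivers) is not a Win32 service.
        if ($null -eq $p.Type -or (($p.Type -band 0x30) -eq 0)) { continue }

        $sidType = if ($null -ne $p.ServiceSidType) { [int]$p.ServiceSidType } else { 0 }
        $sidName = if ($SidTypeNames.ContainsKey($sidType)) { $SidTypeNames[$sidType] } else { "Unknown($sidType)" }
        # Absent RequiredPrivileges means "no whitelist": the process keeps
        # every privilege of its logon account, not zero privileges.
        $privs = @($p.RequiredPrivileges | Where-Object { $_ })

        [pscustomobject]@{
            Name         = $key.PSChildName
            Account      = $p.ObjectName
            ShareProcess = [bool]($p.Type -band 0x20)
            SidType      = $sidName
            PrivCount    = $privs.Count
            Privileges   = ($privs -join ', ')
            Minimal      = ($sidType -eq 1) -and ($privs.Count -gt 0) -and ($privs.Count -le $MaxPrivileges)
        }
    }
}

# Quiz answer: services that already follow the pattern the deck recommends.
Get-ServiceHardeningState | Where-Object Minimal |
    Sort-Object PrivCount, Name |
    Format-Table Name, Account, SidType, Privileges -AutoSize

# The opposite list is the hardening backlog: LocalSystem, no privilege whitelist.
Get-ServiceHardeningState |
    Where-Object { $_.Account -eq 'LocalSystem' -and $_.PrivCount -eq 0 } |
    Sort-Object Name |
    Format-Table Name, SidType, ShareProcess -AutoSize
```

For services hosted in a shared svchost process (`ShareProcess` true), the SCM applies the union of the required privileges of every service in that process, so a short list on one service only buys isolation if the host process is not shared with a privileged neighbour.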
  26. Network Service Restrictions
     Define the required communication endpoints and ports for each Windows service:
     • PI SNMP Interface (port *) → SNMP ICS Device (port 161)
     • PI SNMP Interface (port *) → DNS Server (port 53)
     • PI Network Manager (port *, proxy for the PIBufSS service) → PI Server (port 5450)
  27. Bind Windows Firewall Rule to a Service
  28. Quiz
     • Why did the PISNMP service need a separate firewall rule for DNS?
     Hint:
     • Browse firewall rules for "Core Networking - DNS (UDP-Out)"
     • (Alt) redirect the output to a file and search it:
       netsh advfirewall firewall show rule name=all verbose
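Slides 26 to 28 as service-bound firewall rules, written with the NetSecurity cmdlets (Windows 8 / Server 2012 and later) rather than netsh. This is an added example, not configuration from the slides or from OSIsoft; the addresses, the rule group name and the service names pisnmp1 and pibufss are assumptions taken from the slide's diagram. Because Windows Firewall allows all outbound traffic by default, service-bound allow rules restrict nothing until the profile's default outbound action is set to Block, which the script also does.

```powershell
# Added example (not from the slides): outbound allow-list bound to services.
# -Service takes the short service name, not the display name.  Addresses,
# ports and service names are assumptions from the slide-26 diagram.
param(
    [string]$SnmpDeviceNet = '192.168.10.0/24',   # SNMP-capable ICS devices
    [string]$DnsServer     = '192.168.1.10',
    [string]$PiServer      = '192.168.1.20',
    [string]$RuleGroup     = 'PI Interface Hardening'
)

$rules = @(
    @{ DisplayName = 'PI SNMP - SNMP poll (UDP 161 out)'; Service = 'pisnmp1'
       Protocol = 'UDP'; RemotePort = 161; RemoteAddress = $SnmpDeviceNet },
    # Needed because the built-in "Core Networking - DNS (UDP-Out)" rule is
    # bound to the dnscache service (svchost.exe), so it does not cover lookups
    # sent from the interface process itself.  This is the slide-28 quiz answer.
    @{ DisplayName = 'PI SNMP - DNS (UDP 53 out)';        Service = 'pisnmp1'
       Protocol = 'UDP'; RemotePort = 53;  RemoteAddress = $DnsServer },
    # The buffering service carries the data to PI Network Manager on 5450.
    @{ DisplayName = 'PI Buffer - PINET (TCP 5450 out)';  Service = 'pibufss'
       Protocol = 'TCP'; RemotePort = 5450; RemoteAddress = $PiServer }
)

# Idempotent: drop the group and recreate it so re-runs do not stack duplicates.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $rules) {
    New-NetFirewallRule @r -Group $RuleGroup -Direction Outbound -Action Allow `
        -Profile Any -Enabled True | Out-Null
}

# Flip the default so anything not explicitly allowed (for any program) is
# dropped.  Block rules always win over allow rules in Windows Firewall, so a
# "block everything for pisnmp1" rule would also kill the allows above; the
# profile default is the right place for the deny.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Review the resulting rules with their service, port and address filters.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    $sf = $_ | Get-NetFirewallServiceFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Service       = $sf.Service
        Protocol      = $pf.Protocol
        RemotePort    = $pf.RemotePort
        RemoteAddress = $af.RemoteAddress
    }
} | Format-Table -AutoSize
```

Test the default-outbound block on a lab node first: on a domain-joined interface node the machine itself still needs outbound Kerberos, LDAP and time to its domain controllers, plus whatever the remote management tooling uses, and those flows need their own allow rules before the Block default goes to production.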
  29. Ideal Case: More Secure by Default
     Secure configuration, maintenance
  30. References
     • Overview of Windows Services (Microsoft)
     • Securing PI Interfaces (OSIsoft UC2014 Learning Day Workbooks)
     Enjoy the rest of OT Day and S4x15!