System Hardening 
Windows OS Clients and Applications
About me.. 
• This talk really shouldn’t be about me.. It’s about you..
• This community is about educating each other and making things better
What is this talk about? 
• Hardening Microsoft OS’s for Domain and Standalone computers 
• Large Scale EMET deployments 
• How to approach the Java problem if you run out-of-date versions
• Adobe Acrobat customization according to NSA standards 
• Local Admin accounts and Passwords and what to do about them 
• Cryptography – Some brief thoughts
OS Security references 
• Microsoft Security Compliance Manager - http://technet.microsoft.com/en-us/library/cc677002.aspx
• Center for Internet Security Benchmarks** - https://benchmarks.cisecurity.org/downloads/multiform/index.cfm
• DISA STIGs - http://iase.disa.mil/stigs/os/windows/Pages/index.aspx
CIS Security Benchmarks 
• Recommended technical control rules/values for hardening operating systems
• Distributed free of charge by CIS in .PDF format
• Where to begin??
• Incident Response and SSLF.. Flip up the guide for your audience!
Microsoft SCM Current Baselines
MS Security Compliance Manager 
• Export Group Policy Objects from your environment and re-import them into SCM
• Mix and merge two separate security baselines to remediate issues or consolidate security
• No Active Directory? Apply policy through the Local GPO tool
Inventory Your Current Security Posture (If Any)
• Security policies can easily be exported from Group Policy Management Console and re-imported into Microsoft Security Compliance Manager
• Two options to mix and merge: compare with SCM pre-populated baselines, or build your own based upon the CIS PDFs
• My preference is to build based upon CIS and take security to the maximum hardened limit. (Ex. earlier Win7 CIS benchmarks gave Specialized Security - Limited Functionality (SSLF) profiles for high security environments)
Warning: You will Break Stuff!
Troubleshooting Hardening issues 
• Easiest method is to have a container set up in Active Directory with all group policy inheritance blocked.
• Apply your OS hardening policies through the Local GPO tool. This tool is available when you install Security Compliance Manager.
• Installer can be found in C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO << after SCM install
Why troubleshoot CIS with LGPO Tool 
• Instead of having your server admins randomly shut group policies off at the server level, you can respond rapidly to testing by locally turning off policies
• It’s a needle-in-a-haystack approach. Most issues you deal with will probably be around network security and authentication hardening
• Works great if you want to apply hardened OS policies in standalone high security environments
A few other things 
• The concept of least privilege should always be used (UAC)
• Getting asked, even by IT folks, to turn it off (UAC)
• Limit admin accounts. Secondary admin accounts are better. Never use admin accounts to browse or do daily tasks on your network
• Autorun should be one of the first things you disable in any org. It’s a quick hit with minimal impact on end users
• Prevent the firewall from being turned off. Use Domain firewall profiles heavily, while restricting Public and Home profiles.
• Be careful with audit policies. Too much audit information can be a bad thing in logs
A few other things continued 
• Debug programs.. No one should have access to do this. Pg. 76
• Limit the number of remotely accessible registry paths. (Take note: on Windows 7 the Remote Registry service has to be manually started.) This should be disabled. Pg. 133
• LAN Manager Authentication Level: Enforce NTLMv2 and refuse LM and NTLM << This should be non-negotiable, i.e. Pass the Hash. Pg. 137
• For high security environments, don’t process the legacy and run-once lists << Could lead to other issues with certain applications and driver applications. Use cautiously.
• Prevent computers from joining HomeGroups.. BYOD issues. Pg. 169
But Wait….I HAZ Shells
Disable Remote Shell Access 
• Remote Shell Access pg. 160
• You need to decide if it’s worth it for you to really have remote shell access.
• Reduce your attack surface… This is what OS hardening is all about
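A read-only audit of the settings the last three slides call out (UAC, Autorun, firewall profiles, the Debug programs right, Remote Registry, LAN Manager authentication level, HomeGroup, remote shell access), as an added example that is not from the slides. It reads the standard policy registry locations and the secedit export; run it elevated on the client you want to check.

```powershell
# Added example: audit hardening settings from the deck and report PASS/FAIL.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent => treated as "not configured"
}

$pol = 'HKLM:\SOFTWARE\Policies\Microsoft'
$checks = @(
    @{ Name = 'UAC enabled (EnableLUA)'; Expected = 1
       Actual = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA' }
    @{ Name = 'Autorun disabled on all drive types (NoDriveTypeAutoRun = 0xFF)'; Expected = 255
       Actual = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' }
    @{ Name = 'Firewall enforced on Domain profile'; Expected = 1
       Actual = Get-RegValue "$pol\WindowsFirewall\DomainProfile" 'EnableFirewall' }
    @{ Name = 'Firewall enforced on Private (Standard) profile'; Expected = 1
       Actual = Get-RegValue "$pol\WindowsFirewall\StandardProfile" 'EnableFirewall' }
    @{ Name = 'Firewall enforced on Public profile'; Expected = 1
       Actual = Get-RegValue "$pol\WindowsFirewall\PublicProfile" 'EnableFirewall' }
    @{ Name = 'LAN Manager auth level: NTLMv2 only, refuse LM & NTLM'; Expected = 5
       Actual = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel' }
    @{ Name = 'Remote Registry service disabled'; Expected = 'Disabled'
       Actual = (Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'").StartMode }
    @{ Name = 'HomeGroup joining prevented'; Expected = 1
       Actual = Get-RegValue "$pol\Windows\HomeGroup" 'DisableHomeGroup' }
    @{ Name = 'WinRM remote shell access disallowed'; Expected = 0
       Actual = Get-RegValue "$pol\Windows\WinRM\Service" 'AllowRemoteShellAccess' }
)

# "Debug programs" is a user right, not a registry value: export the local
# security policy and read the SeDebugPrivilege line (absent/empty = nobody).
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$dbgLine = (Select-String -Path $inf -Pattern '^SeDebugPrivilege' | Select-Object -First 1).Line
$checks += @{ Name = 'Debug programs right assigned to no one'; Expected = ''
              Actual = if ($dbgLine) { ($dbgLine -split '=', 2)[1].Trim() } else { '' } }
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($c in $checks) {
    $shown  = if ($null -eq $c.Actual) { '<not set>' } else { $c.Actual }
    $status = if ("$($c.Actual)" -eq "$($c.Expected)") { 'PASS' } else { 'FAIL' }
    '{0} {1} (expected: {2}; actual: {3})' -f $status, $c.Name, $c.Expected, $shown
}
```

A FAIL on a value that is "<not set>" means the setting is left at the OS default rather than enforced by policy, which for most of these is the weak state.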
Let’s have a talk about Large Scale EMET deployments (5,000 Machines and More)
EMET Large Scale deployments 
• Resources 
• Customizing 
• Scaling 
• Group Policy 
• Where does everything fit and in what order?
EMET Resources 
• Kurt Falde Blog (http://blogs.technet.com/b/kfalde/)
• Security Research and Defense Blog (http://blogs.technet.com/b/srd/)
• EMET Social TechNet Forum (http://social.technet.microsoft.com/Forums/security/en-US/home?forum=emet)
• EMET Pilot Proof of Concept Recommendations (http://social.technet.microsoft.com/wiki/contents/articles/23598.emet-pilot-proof-of-concept-recommendations.aspx)
• EMET Known Application Issues Table (http://social.technet.microsoft.com/wiki/contents/articles/22931.emet-known-application-issues-table.aspx)
Avoiding EMET “Resume Generating Events”
What to avoid with EMET deployments 
• Do not immediately add popular or recommended XML profiles to EMET. Attaching EMET to processes without vetting them in an organization is not a good idea.
• Do not use Group Policy out of the gate. Instead inject with local policies first to vet out problems.
• Use system-wide DEP settings cautiously. You may uncover applications, even though not hooked into EMET, crashing because of system-wide DEP. “Application Opt In” is a safer solution
EMET Customization 
• Base MSI 
• Exporting custom XML and using EMET_Conf to push settings 
• Registry import to policy key for EMET. Acts as local group policy.
Using EMET_Conf
EMET_Conf (cont.) 
• Use EMET_Conf --delete_all to remove all application mitigation settings and certificate trust configurations
• Build your own settings… then export… The export will be a .xml file
• Re-import by using EMET_Conf --import <settings>.xml
• If you script emet_conf to push out settings, include HelperLib.dll, MitigationInterface.dll, PKIPinningSubsystem.dll, SdbHelper.dll
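A wrapper for pushing a vetted, exported EMET profile with EMET_Conf, as an added example that is not from the slides or the EMET package. It checks that the DLLs listed above travel with EMET_Conf.exe before running anything; the $EmetDir default and the assumption that EMET_Conf returns a non-zero exit code on failure are mine.

```powershell
# Added example: push an exported EMET XML profile with EMET_Conf.exe.
function Push-EmetProfile {
    param(
        [string]$EmetDir = "${env:ProgramFiles(x86)}\EMET 5.0",   # assumed install location
        [Parameter(Mandatory)][string]$ProfilePath,                # your vetted, exported .xml
        [switch]$ResetFirst   # run --delete_all first so removed entries do not linger
    )
    # EMET_Conf.exe needs these helper DLLs beside it; fail early if the package is incomplete
    $required = 'EMET_Conf.exe', 'HelperLib.dll', 'MitigationInterface.dll',
                'PKIPinningSubsystem.dll', 'SdbHelper.dll'
    $missing = $required | Where-Object { -not (Test-Path (Join-Path $EmetDir $_)) }
    if ($missing) { throw "Missing from ${EmetDir}: $($missing -join ', ')" }
    if (-not (Test-Path $ProfilePath)) { throw "Profile not found: $ProfilePath" }

    # Refuse to import a profile that does not even parse as XML
    try { [xml](Get-Content -Path $ProfilePath -Raw) | Out-Null }
    catch { throw "Profile is not well-formed XML: $ProfilePath" }

    $exe = Join-Path $EmetDir 'EMET_Conf.exe'
    if ($ResetFirst) {
        & $exe --delete_all
        if ($LASTEXITCODE -ne 0) { throw "EMET_Conf --delete_all failed (exit $LASTEXITCODE)" }
    }
    & $exe --import $ProfilePath
    # Assumption: EMET_Conf exits non-zero when the import is rejected
    if ($LASTEXITCODE -ne 0) { throw "EMET_Conf --import failed (exit $LASTEXITCODE)" }

    # Echo the resulting per-application mitigations for the deployment log
    & $exe --list
}
```

Run it as Push-EmetProfile -ProfilePath .\vetted-emet.xml -ResetFirst from your deployment tooling; the --list output is what you keep as evidence of what each machine ended up with.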
EMET Policies
Injecting EMET policies into Registry
Starting out with EMET 
• Start out with the highest risk applications first. Start with browsers (Internet Explorer, Firefox, Chrome, Opera)
• Move on to Adobe Reader/Writer, Java.
• High risk, commonly exploited apps should always be first
The Java Problem 
• Malicious actors are using trusted applications to exploit gaps in perimeter security.
• Java comprises 91 percent of web exploits; 76 percent of companies using Cisco Web Security services are running Java 6, an end-of-life, unsupported version.
• “Watering hole” attacks are targeting specific industry-related websites to deliver malware.
Source: Cisco 2014 Annual Security Report (http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html)
The Java Problem Continued 
• Corporations rely on out-of-date versions
• The “pigeon hole” effect: I can’t upgrade Java because you will break my critical business app.
• Virtualizing can be an expensive solution
• But my AV will stop it! << Probably not…
• Oracle EOL’d Java 6, but paid support can extend this.. << too expensive
• Java is a security nightmare and an application administrator’s worst enemy
The Java problem continued
Prevent Java from running 
• Hopefully by now everyone has deployed MS14-051. If not, you should.. soon.
• Don’t deploy and assume you are done. Don’t accept default policies for this.
• Starting with MS14-051, IE blocks out-of-date Java by default but allows users to circumvent it.
Mitigating the Java Problem with GPO’s 
• Before you do this… lock down Trusted Sites. Don’t allow users to circumvent security by putting stuff in Trusted Sites without a vetting process
• Don’t allow users to “run this time” if Java is out of date. Lock it down
• Allow out-of-date Java only for sites that are business critical.
Java Resources For Mitigation 
• http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx
• http://blogs.msdn.com/b/askie/archive/2014/08/12/how-to-manage-the-new-quot-blocking-out-of-date-activex-controls-quot-feature-in-ie.aspx
Java Active X Blocking 
• Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
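The local-policy equivalents of the Java mitigations described in the last two slides (lock the Trusted Sites list, keep out-of-date ActiveX blocking on and enforcing, remove “Run this time”), as an added example that is not from the slides. The VersionManagement value names are the ones I recall from the IE ADMX templates and are an assumption to verify against your templates; the trusted host list is constructed. In a domain, set the same values through GPO rather than by script.

```powershell
# Added example: write IE policy values that lock Trusted Sites and enforce
# out-of-date ActiveX (Java) blocking on a standalone or lab machine.
function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$ieSettings  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$versionMgmt = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\VersionManagement'  # assumed key

# 1. Users cannot add or delete sites in any zone
#    ("Security Zones: Do not allow users to add/delete sites")
Set-PolicyDword $ieSettings 'Security_zones_map_edit' 1

# 2. Only vetted business-critical hosts land in Trusted Sites (zone 2), via the
#    "Site to Zone Assignment List" policy. Constructed sample hosts.
$trusted = @('https://erp.example.internal', 'https://hr.example.internal')
$zoneMapKey = Join-Path $ieSettings 'ZoneMapKey'
if (-not (Test-Path $zoneMapKey)) { New-Item -Path $zoneMapKey -Force | Out-Null }
foreach ($site in $trusted) {
    New-ItemProperty -Path $zoneMapKey -Name $site -Value '2' -PropertyType String -Force | Out-Null
}

# 3. Out-of-date ActiveX blocking stays on, in enforcing rather than audit mode
Set-PolicyDword $versionMgmt 'VersionCheckEnabled' 1   # assumed value name
Set-PolicyDword $versionMgmt 'AuditModeEnabled'    0   # assumed value name

# 4. No "Run this time" button, so users cannot load out-of-date Java anyway
Set-PolicyDword $versionMgmt 'RunThisTimeEnabled'  0   # assumed value name

# The per-domain exception list ("turn off blocking ... on specific domains") is a
# separate policy; keep it to the business-critical sites and nothing else.
```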
Bonus: Block Flash too.. High Security Environments
End Results
Hardening Adobe Reader/Writer 
• Adobe Enterprise Toolkit http://www.adobe.com/devnet-docs/acrobatetk/index.html
• Application Security Overview http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/index.html
• Adobe Customization Wizard (Use this) ftp://ftp.adobe.com/pub/adobe/acrobat/win/11.x/11.0.00/misc/
• NSA guidelines for Adobe XI in Enterprise Environments (Use This) https://www.nsa.gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.pdf
Hardening Adobe Reader/Writer 
• Don’t give people a chance to disable Protected Mode, Protected View, and Enhanced Security
• For high security environments disable JavaScript. Disable URL links.. Don’t allow Flash content to be viewed in PDFs << Very bad
• Patch often and ASAP
• Hook in with EMET to enhance exploit mitigation
Adobe Demo
Admin Passwords 
• Disable admin accounts
• If you can’t disable them, then randomize the password.. per machine..
• SANS SEC 505.. Awesome course…
• http://cyber-defense.sans.org/blog/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise
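Per-machine randomization of the built-in local Administrator password, as an added example that is not from the slides or the SANS post. It finds the account by its RID-500 SID (so a renamed account still works), draws the password from a CSPRNG with rejection sampling, optionally disables the account, and returns the new secret so the caller can escrow it (the SANS post stores it in AD; where you put it is your decision). Assumes elevation on a single machine.

```powershell
# Added example: randomize (and optionally disable) the built-in local Administrator.
function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguity-free alphabet so a password read back from an escrow record types cleanly
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 4
    # Largest multiple of the alphabet size below 2^32: values at or above it are
    # redrawn so every character is equally likely (no modulo bias)
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$alphabet.Length)
    $out   = New-Object char[] $Length
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
        if ($n -ge $limit) { continue }
        $out[$i] = $alphabet[$n % $alphabet.Length]
        $i++
    }
    -join $out
}

function Reset-BuiltinAdmin {
    param([switch]$Disable)
    # RID 500 is the built-in Administrator regardless of what it has been renamed to
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True' AND SID LIKE '%-500'"
    if (-not $acct) { throw 'Built-in Administrator (RID 500) not found' }

    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$($acct.Name),user"
    $password = New-RandomPassword
    $user.SetPassword($password)
    if ($Disable) {
        $ADS_UF_ACCOUNTDISABLE = 0x2
        $user.UserFlags = [int]$user.UserFlags.Value -bor $ADS_UF_ACCOUNTDISABLE
    }
    $user.SetInfo()

    # Returned, not logged: the caller must escrow this somewhere access-controlled
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $acct.Name; Password = $password }
}
```

Call Reset-BuiltinAdmin -Disable on machines where you can live without the account, and plain Reset-BuiltinAdmin where you cannot; either way each machine ends up with a password that is useless on any other machine.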
Cryptography 
• TrueCrypt << my advice is to please stay away from this.
• http://istruecryptauditedyet.com/
• The 2nd part of the audit is very important, as it deals with cryptanalysis and RNGs. If the RNGs are weak or in a predictable state, such as Dual Elliptic Curve, TrueCrypt users will be in trouble.
• Developers were never known..
Cryptography 
• If you use BitLocker… please enforce AES 256. BitLocker defaults to AES 128
• Kill secrets from memory..
• Starting in Windows 8.1, Pro versions come packed with BitLocker
• 2008 Servers and above have it too
• Encrypt all your things……There is no reason not to.
Questions???
