This session covered a number of free Microsoft tools that can be used to secure the Windows operating system and, to a lesser extent, applications. For the most part they presented tools I was already familiar with and have even blogged about (such as EMET). However, I did learn about a new tool that I think is pretty slick and that your IA/security guys might really like.
The session started off with a brief background on security, then went into the specific tools and a few demos. Highlights of this session included:
- Active Directory compromise is BAD. You can almost never get 100% assurance that the attacker has been cleaned out, and a rebuild is expensive and embarrassing.
- Malware is a profit-driven industry; assume attackers are well funded and highly motivated, not script kiddies compromising a PC for fun.
- Attack techniques are getting more efficient, obfuscation is constantly evolving, and the number of malware variants exceeded 286 million in 2010.
- Attackers want to gain a beachhead, install malware, escalate their privileges, introduce redundant access into your environment, and then exfiltrate data or take other nefarious actions.
- They then presented a graph of the cost of defending a network against the security benefit gained. For most organizations the optimal point is "commercial reasonability"; past that point cost rises dramatically for diminishing returns.
- If you aren't even doing due diligence you are really up the creek. Due diligence means limiting Domain Admins membership, limiting local Administrator rights, no internet browsing from administrative workstations, 64-bit clients, patching, anti-virus software, and a firewall. On top of that, require two-factor authentication for administrators.
- A concept they introduced is the "trusted virtual machine client": a highly hardened client that admins use to administer the domain. Its goals are lowering risk, preventing malware infection, limiting the damage if the VM itself is compromised, and staying easy to use.
- This trusted admin VM should run Windows 7 x64, be joined to the domain, sit in a hardened workstation OU, use the SSLF (Specialized Security Limited Functionality) baseline, and NOT have browser access to the internet. Normal users should never log on to these admin workstations, only regular users should log on to regular workstations, and no server or domain admin account is ever used on a regular workstation.
- You should also have the concept of a server admin, which is NOT a domain admin and does NOT log on to any clients. The account can only log on to authorized SERVERS.
- Next up is the first security tool, Security Compliance Manager (SCM). SCM lets you build a security GPO baseline, keep it under version control, then export it as a GPO for use in your domain. Microsoft provides many baselines you can copy and modify to fit your security requirements, and the tool has a lot of built-in knowledge to help you understand what each setting does. It also integrates with SCCM's DCM (Desired Configuration Management).
- Second up is EMET, the Enhanced Mitigation Experience Toolkit. A new version of EMET (v2.1) was released just a few days ago, which you can download here. EMET protects against unknown vulnerabilities by blocking entire classes of exploits, and it is easy to install. In just the last year EMET mitigated several Adobe and IE zero-day vulnerabilities, all before Adobe and Microsoft released patches. Unfortunately for enterprises there is no centralized control or native reporting. Enterprise enhancements are in the works, but with no ETA.
- AppLocker is a new feature in Windows 7 and Server 2008 R2 that lets you easily create whitelists and blacklists of applications. Unlike SRP (Software Restriction Policies) in earlier versions of Windows, AppLocker is easy to configure, can generate rules automatically, and is far more flexible.
- The last tool, which was new to me, is Attack Surface Analyzer (ASA). ASA identifies changes in system state, runtime parameters, and securable objects on Windows. It comes out of Microsoft's internal SDL (Security Development Lifecycle) process. Basically you run the tool on a computer and it reports insecure findings such as weak ACLs on objects. You can also take scheduled snapshots of systems and compare them historically. You can download a beta here.
ASA is a great tool for analyzing golden images before you deploy them, or hosts in high-risk environments like DMZs. It analyzes far more than just filesystem or registry ACLs: COM+ objects, named pipes, GAC assemblies, network shares, threads, handles, ports, and other deeply buried Windows features that you could not possibly review by hand. Microsoft runs it on 100% of its shipping products, and any severity 1 finding stops a product from shipping unless a senior VP within Microsoft grants a waiver.
Typical use: run the tool on a clean OS image (without any apps), install all of your apps, then re-run the tool and look for any insecure settings your applications created. You will probably see some false positives for weak ACLs involving the TrustedInstaller account; you can ignore those. Microsoft wanted to be transparent rather than hide these findings, although I do think a checkbox to suppress them would be useful.
Fully supported platforms include Windows 7 and Server 2008 R2. You can do command line analysis and collection of Windows Vista and Server 2008 systems. Windows 8 and Server 2012 will require a new version of the tool.
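The logon restriction behind the tiering rules above (no Domain Admin or server admin accounts on regular workstations) can be enforced rather than just written down. The PowerShell below is an added example, not code from the session or from Microsoft: it writes a security template that denies the privileged groups interactive and Remote Desktop logon and applies it with secedit. In a domain the same two user rights would be set in a GPO linked to the regular-workstation OU; the local template is the stand-alone equivalent for a single box or an image. The CONTOSO domain and the "Server Admins" group are assumptions.

```powershell
# Added illustration (not from the session or from Microsoft): deny the
# Domain Admins and Server Admins groups interactive and Remote Desktop
# logon on a regular workstation, via a security template applied with
# secedit. Domain name and the "Server Admins" group are assumptions.
param(
    [string]$Domain = 'CONTOSO',                                 # assumption
    [string[]]$DenyGroups = @('Domain Admins', 'Server Admins')  # assumption
)

# Resolve each group to a SID so the template does not depend on name
# lookups at apply time. Templates reference SIDs as *S-1-5-...
function Resolve-GroupSid {
    param([string]$Domain, [string]$Group)
    $account = New-Object System.Security.Principal.NTAccount($Domain, $Group)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$groupSids = $DenyGroups | ForEach-Object { Resolve-GroupSid -Domain $Domain -Group $_ }

# Guard against locking yourself out: deny rights win over allow rights,
# so refuse to apply the template if the current session is a member of a
# group about to be denied (which also means this is not a regular
# workstation, or it is being administered the wrong way).
$mySids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }
foreach ($sid in $groupSids) {
    if ($mySids -contains $sid) { throw "Current user is in a denied group ($sid); refusing to apply." }
}

# Minimal template: only the [Privilege Rights] area is touched, so other
# local security settings are left alone.
$sidList  = ($groupSids | ForEach-Object { '*' + $_ }) -join ','
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = SIDLIST
SeDenyRemoteInteractiveLogonRight = SIDLIST
'@
$template = $template.Replace('SIDLIST', $sidList)

$inf = Join-Path $env:TEMP 'deny-admin-logon.inf'
$sdb = Join-Path $env:TEMP 'deny-admin-logon.sdb'
$template | Out-File -FilePath $inf -Encoding Unicode

# Apply only the user-rights area (run from an elevated prompt).
secedit /configure /db $sdb /cfg $inf /areas USER_RIGHTS /quiet

# Verify by exporting the effective user rights and showing the two entries.
$effective = Join-Path $env:TEMP 'effective-user-rights.inf'
secedit /export /cfg $effective /areas USER_RIGHTS /quiet
Get-Content $effective | Where-Object { $_ -match '^SeDeny(Remote)?InteractiveLogonRight' }
```

Deny rights override allow rights, which is why the script refuses to run when the session that launched it belongs to a group it would deny; run it on the regular-workstation image, never on the admin VM or a domain controller. The final export is the check a practitioner wants: the two SeDeny lines should list exactly the SIDs you passed in.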
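AppLocker's automatic rule generation, mentioned above, is easiest to see from PowerShell. The block below is an added example, not code from the session: it inventories the executables, scripts and installers on a golden image, derives Publisher rules where files are signed and Hash rules otherwise, switches the policy to audit mode, dry-runs it against sample paths, and then applies it locally. The directory list and the two candidate paths are assumptions; the cmdlets are from the AppLocker module that ships with Windows 7 and Server 2008 R2.

```powershell
# Added illustration (not code from the session): generate an AppLocker
# allow-list from a golden image, dry-run it, and apply it in audit mode.
# The directory set and the candidate paths are assumptions.
Import-Module AppLocker

$goldenDirs = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$policyXml  = Join-Path $env:TEMP 'applocker-golden.xml'

# Inventory executables, scripts and MSIs under the image directories, then
# derive rules automatically: a Publisher rule when the file is signed, a
# Hash rule otherwise. -Optimize collapses per-file publisher rules into one
# rule per product, which is what keeps the policy maintainable.
$files = foreach ($dir in $goldenDirs) {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
    }
}
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# Start in audit mode: once a rule collection contains any rule, AppLocker
# denies everything in that collection that does not match, so audit first
# and read the AppLocker event log before flipping to Enabled.
$xml = [xml](Get-Content $policyXml)
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyXml)

# Dry run against sample paths: one from the image (should match a rule) and
# a download (constructed path; should not match unless it happens to be
# signed by a publisher already in the list).
$candidates = @(
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\Users\Public\Downloads\installer.exe'
) | Where-Object { Test-Path $_ }
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally (replaces the existing local AppLocker policy). Enforcement,
# even in audit mode, needs the Application Identity service running.
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyXml
```

Publisher rules survive patching (the version comparison is "this version or higher" by default), which is why they are preferred over hash rules wherever the vendor signs its binaries; hash rules for unsigned files will need regenerating every time those files are updated, and the audit log is where you find out which ones.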
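To make the clean-image, install, re-run workflow above concrete, here is an added example that is not Attack Surface Analyzer itself (ASA checks far more object types) and is not from the session: a PowerShell script that implements the same before/after comparison for one class of finding ASA reports, weak ACLs, on service binaries and their directories. The TrustedInstaller false positives the text mentions are handled by putting that account in the trusted set. The C:\asa baseline path is an assumption.

```powershell
# Added illustration, not Attack Surface Analyzer code: snapshot the ACLs of
# every service binary and its directory, install the applications, snapshot
# again, and report objects that a non-trusted principal can now write,
# delete or re-permission. The baseline path is an assumption.
param(
    [ValidateSet('Baseline', 'Compare')][string]$Mode = 'Baseline',
    [string]$BaselinePath = 'C:\asa\baseline.xml'   # assumption
)

# Principals allowed to hold write access on an executable object. Putting
# TrustedInstaller here is the "ignore those" advice made explicit.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
)
# Rights that let a non-trusted principal replace or hijack the object
# (Modify and FullControl both include these bits).
$WeakRights = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

# Service binary paths, handling quoted and unquoted ImagePath forms. An
# unquoted path containing spaces is mis-split and dropped by Test-Path;
# that is itself a finding worth a separate check.
function Get-ServiceBinaryPaths {
    Get-WmiObject Win32_Service | ForEach-Object {
        if ($_.PathName -match '^\s*"([^"]+)"')  { $Matches[1] }
        elseif ($_.PathName -match '^\s*(\S+)') { $Matches[1] }
    } | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique
}

# Allow ACEs on $Path granting weak rights to a non-trusted principal,
# rendered as "principal:rights" strings so snapshots compare as sets.
function Get-WeakAces {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $TrustedPrincipals -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $WeakRights) -ne 0)
    } | ForEach-Object { '{0}:{1}' -f $_.IdentityReference.Value, $_.FileSystemRights }
}

# Snapshot: object path -> array of weak ACE strings (empty when clean).
function Get-AttackSurfaceSnapshot {
    $snap = @{}
    foreach ($bin in Get-ServiceBinaryPaths) {
        foreach ($obj in @($bin, (Split-Path -Parent $bin))) {
            if (-not $snap.ContainsKey($obj)) { $snap[$obj] = @(Get-WeakAces -Path $obj) }
        }
    }
    $snap
}

# Weak ACEs present after installation that were not in the baseline.
function Compare-AttackSurface {
    param([hashtable]$Baseline, [hashtable]$Product)
    foreach ($obj in ($Product.Keys | Sort-Object)) {
        $before = @($Baseline[$obj])
        foreach ($ace in @($Product[$obj])) {
            if ($ace -and ($before -notcontains $ace)) {
                New-Object PSObject -Property @{
                    Object     = $obj
                    NewWeakAce = $ace
                    NewObject  = -not $Baseline.ContainsKey($obj)
                }
            }
        }
    }
}

if ($Mode -eq 'Baseline') {
    New-Item -ItemType Directory -Force (Split-Path -Parent $BaselinePath) | Out-Null
    Export-Clixml -Path $BaselinePath -InputObject (Get-AttackSurfaceSnapshot)
} else {
    Compare-AttackSurface -Baseline (Import-Clixml $BaselinePath) -Product (Get-AttackSurfaceSnapshot) |
        Format-Table Object, NewWeakAce, NewObject -AutoSize
}
```

Run it with -Mode Baseline on the clean image, install the applications, then run -Mode Compare. Each reported row is a service binary or directory (NewObject marks ones the installers created) that a principal outside the trusted set can now overwrite, delete or re-permission, which is exactly the weak-ACL class of finding the session said ASA surfaces.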
Security is not just a matter of applying the right GPOs, installing anti-virus software, running a few tools, and calling it a day. Threats are constantly evolving, and policies and procedures are extremely important. User education is also critical, and often overlooked. However, the tools covered in this session are a great start for hardening your base operating system.
The trusted virtual machine idea for admins is interesting. I've read others who say that all Internet access for an organization should be run that way, but admins for admin services internally is a good idea. That way those admin services only respond to requests from approved VMs.
Yes, and you can really turn the screws on the admin PC, like using AppLocker and maximizing EMET settings. Another option, if you are using VDI, is to have special admin virtual desktops. If you use a pooled model, where the VM is reset to a virgin state at every logoff, any malware or other tracking software gets permanently removed every time you log off. They didn't explain how one would typically manage desktops if you aren't supposed to ever log in to desktops with your server/domain credentials. Maybe you have three sets of credentials if you are a super user? Domain…