Using PowerShell to Configure Secure Environments and Delegated Administration


Upload: jemima-hart

Post on 24-Dec-2015


Safe Harbor

Using PowerShell to Configure Secure Environments and Delegated Administration


Typical Corporate Environment

[Diagram labels: Domain containing Domain Controller, Mail Server, File Server, Database Server, SharePoint Server and Web Server; Users and Administrators; Hacker]

Personal health information (PHI)

Personally identifiable information (PII)

Trade secrets

Intellectual property

“New” Threat

[Diagram labels: the same Domain with Domain Controller, Mail Server, File Server, Database Server, SharePoint Server and Web Server; Hacker labels now appear alongside the Users and Administrators]

Personal health information (PHI)

Personally identifiable information (PII)

Trade secrets

Intellectual property

Mitigations

Move critical data into isolated environment

Restrict “Administrator” role

Provide specific access to user information

Etc

Demo Scenario

Single corporate domain

Multiple domain admins

Many domain users have been granted more access than required because it was easier

Recently discovered that domain environment has been compromised

Business critical information on 3 different file servers

Suspected source of compromise is within corporate domain

Environment

[Diagram labels: Domain (Corporate.Contoso.Com) with Domain Controller, DHCP and servers containing critical information; accounts shown: Domain Admin, Dept. Head, P.A.P.A, User]

Plan of Attack

Create Isolated Environment

• Separate Domain Controller

• DSC Pull Server

• JEA Management head (Jump box)

Limit Access

• Domain Admins

• Firewall Ports

• Resources

Add Servers Securely

• Never on Corp domain

• Boot to pull server for configuration

Configure Servers

• Configure and copy critical information
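The "boot to pull server for configuration" step, sketched as a Local Configuration Manager meta-configuration. This is an added example, not code from the slides; it assumes WMF 5 or later, the host name is hypothetical, the GUID and thumbprint are placeholders, and port 8080 and the endpoint name PSDSCPullServer are taken from the deck's own configurations.

```powershell
# Added example (WMF 5+ syntax). Host name is hypothetical; GUID and thumbprint are placeholders.
[DSCLocalConfigurationManager()]
Configuration SafeHarborPullClient
{
    param(
        [Parameter(Mandatory)] [string] $ConfigurationId,   # GUID naming this node's MOF on the pull server
        [Parameter(Mandatory)] [string] $CertThumbprint     # node certificate used to decrypt credentials
    )

    Node 'localhost'
    {
        Settings
        {
            RefreshMode          = 'Pull'
            ConfigurationID      = $ConfigurationId
            ConfigurationMode    = 'ApplyAndAutoCorrect'   # re-apply the configuration when drift is detected
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $true
            CertificateID        = $CertThumbprint
        }

        ConfigurationRepositoryWeb SafeHarborPull
        {
            # HTTPS only: matches the single outbound rule opened on the file servers
            ServerURL               = 'https://shpull.safeharbor.contoso.com:8080/PSDSCPullServer.svc'
            AllowUnsecureConnection = $false
        }
    }
}

# Compile to localhost.meta.mof and apply on the new server before it holds any data:
# SafeHarborPullClient -ConfigurationId '<GUID-PLACEHOLDER>' -CertThumbprint '<THUMBPRINT-PLACEHOLDER>' -OutputPath C:\Deploy\Lcm
# Set-DscLocalConfigurationManager -Path C:\Deploy\Lcm -Verbose
```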

Create Isolated Environment

[Diagram labels: Corporate domain (Corporate.Contoso.Com) with Domain Controller, DHCP, servers containing critical information, Domain Admin, Dept. Head, P.A.P.A and User; new Safeharbor domain (safeharbor.contoso.com) with SH DC, SH Admin and DSC Pull Server; One Way Trust between the two domains; Requests]

Demo

DomainControllerConfiguration

Configuration DomainController
{
    Import-DscResource -Name Demo_Computer, Demo_Domain, Demo_DNSTransferZone

    Node $AllNodes.Where{$_.Role -eq "DomainController"}.NodeName
    {
        Script NoIPv6   # Script to disable IPv6
        {...}

        # Rename the machine before promoting it
        Computer MachineName
        {
            Ensure = "Present"
            Name = $Node.MachineName
            DependsOn = "[Script]NoIPv6"
        }

        WindowsFeature ADDS
        {
            Ensure = "Present"
            Name = "AD-Domain-Services"
            DependsOn = "[Computer]MachineName"
        }

        # Create the forest for the isolated domain
        Domain Forest
        {
            Name = $Node.DomainName
            AdministratorCredential = (Import-Clixml $Node.DomainCredFile)
            DependsOn = "[WindowsFeature]ADDS"
        }
    }
}

DomainTrustConfiguration

Configuration DomainTrust
{
    Import-DscResource -Name Demo_DomainTrust, Demo_DNSSecondaryZone

    Node $AllNodes.Where{$_.Role -eq "DomainController"}.NodeName
    {
        # Only nodes whose data names a trust domain get the trust
        if ($Node.TrustDomainName)
        {
            DomainTrust TrustDomain
            {
                Ensure = "Present"
                SourceDomain = $Node.SourceDomainName
                TargetDomain = $Node.TrustDomainName
                TargetDomainAdminCredential = (Import-Clixml $Node.TrustDomainCred)
                TrustDirection = $Node.TrustDirection
                TrustType = $Node.TrustType
            }
        }
    }
}

DSCServiceConfiguration

Configuration DSCServer
{
    Import-DscResource -Name Demo_DSCService, Demo_Computer

    Node $AllNodes.Where{$_.Role -eq "PullServer"}.NodeName
    {
        Script NoIPv6   # Script to disable IPv6
        {...}

        # Rename the machine and join it to the isolated domain
        Computer NameAndDomain
        {
            Ensure = "Present"
            Name = $Node.MachineName
            DomainName = $Node.DomainName
            Credential = (Import-Clixml $Node.DomainCredFile)
            DependsOn = "[Script]NoIPv6"
        }

        WindowsFeature DSCServiceBin
        {
            Ensure = "Present"
            Name = "DSC-Service"
            DependsOn = "[Computer]NameAndDomain"
        }

        # Pull server endpoint, bound to the certificate named in the node data
        DSCService ODataEP
        {
            Ensure = "Present"
            Name = "PSDSCPullServer"
            CertificateThumbPrint = $Node.PullCert
            DependsOn = "[WindowsFeature]DSCServiceBin"
        }

        Script SmbShare   # Script to configure SMB Shares
        {...}
    }
}

Limit Access

[Diagram labels: Corporate domain with Domain Admin, Dept. Head, P.A.P.A, User and DHCP; Safeharbor domain (safeharbor.contoso.com) with SH Admin, SH DC, DSC Pull Server and Mgmt Server; Run As account M.A.T.A; One Way Trust between the two domains]

ManagementServerConfiguration

Configuration DelegatedAdmin
{
    Import-DscResource -Name Demo_Computer, Demo_SessionConfiguration

    Node $AllNodes.Where{$_.Role -eq "DelegatedAdmin"}.NodeName
    {
        Script NoIPv6   # Script to disable IPv6
        {...}

        Computer NameAndDomain
        {
            Ensure = "Present"
            Name = $Node.MachineName
            DomainName = $Node.DomainName
            Credential = (Import-Clixml $Node.DomainCredFile)
            DependsOn = "[Script]NoIPv6"
        }

        # Constrained remoting endpoint: runs as the Run As account,
        # restricted by the SDDL and the session configuration file
        PSEndpoint Secure
        {
            Ensure = "Present"
            Name = $Node.EPName
            RunAsCredential = (Import-Clixml $Node.RunAsCredFile)
            SDDL = $Node.SDDL
            ConfigurationFile = $Node.ConfigurationFile
            DependsOn = "[Computer]NameAndDomain"
        }
    }
}
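The PSEndpoint resource above takes a session configuration file and an SDDL string from the node data, but the slides show neither. The following added example (not code from the deck) builds one possible pair, assuming WMF 5 or later; the file path, the SH-FS server-name pattern, the cmdlet list and the SID are constructed for illustration.

```powershell
# Added example (WMF 5+). Path, share pattern, cmdlet list and SID are assumptions.
$pssc = Join-Path $env:TEMP 'SafeHarborMgmt.pssc'   # the file $Node.ConfigurationFile would point to

# No-language session exposing two read-only cmdlets, each pinned to one share pattern.
$pathRule = @{ Name = 'Path'; ValidatePattern = '^\\\\SH-FS\d\d\\Critical(\\|$)' }
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleProviders 'FileSystem' `
    -VisibleCmdlets @{ Name = 'Get-ChildItem'; Parameters = $pathRule },
                    @{ Name = 'Get-Acl';       Parameters = $pathRule }

function New-EndpointSddl {
    # Build an SDDL whose DACL grants access to exactly one SID.
    param([Parameter(Mandatory)][string]$Sid)
    $null = New-Object System.Security.Principal.SecurityIdentifier $Sid   # throws if malformed
    "O:NSG:BAD:P(A;;GA;;;$Sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
}

function Test-EndpointSddl {
    # True only when every ACE in the DACL names the expected SID.
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$ExpectedSid)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    $others = $sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -ne $ExpectedSid }
    -not $others
}

$sid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID for the delegated group
$sddl = New-EndpointSddl -Sid $sid                          # the value $Node.SDDL would carry

# Checks to run before the values go into the node data:
Test-PSSessionConfigurationFile -Path $pssc                 # the file parses and its keys are valid
Test-EndpointSddl -Sddl $sddl -ExpectedSid $sid             # DACL holds only the delegated group
Test-EndpointSddl -Sddl 'O:NSG:BAD:P(A;;GA;;;BA)' -ExpectedSid $sid   # a DACL that still admits BUILTIN\Administrators
```

Because the endpoint runs as the Run As account, the parameter restrictions in the session file are what bound a connected user; an unrestricted cmdlet in that list is exercised with the Run As account's rights.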

Demo

Limit Access

Add Servers Securely

[Diagram labels: Corporate domain with Domain Admin, Dept. Head, P.A.P.A, User and DHCP; Safeharbor domain (safeharbor.contoso.com) with SH Admin, SH DC, DSC Pull Server, Jump Box and File Servers; Run As account M.A.T.A; One Way Trust; HTTPS only; Allow WSMAN & SMB (In)]

Demo

Add Servers Securely

FileServerConfiguration

Configuration FileServer
{
    Import-DscResource -Name Demo_Computer, Demo_Firewall

    Node $AllNodes.Where{$_.Role -eq "FileServer"}.NodeName
    {
        Script NoIPv6   # Script to disable IPv6
        {...}

        # Disable all built-in inbound firewall rules
        foreach ($rule in $Node.AbsentInRules)
        {
            Firewall $rule.Name
            {
                Ensure = "Present"
                DisplayName = $rule.DisplayName
                Direction = "Inbound"
                State = "Disabled"
                Protocol = $rule.Protocol
                DependsOn = "[Script]NoIPv6"
            }
        }

        # Outbound path to the DSC pull server
        Firewall HttpsForPullServer
        {
            Ensure = "Present"
            Access = "Allow"
            DisplayName = "DSC HTTPS"
            RemotePort = "8080"
            Protocol = "TCP"
            Direction = "Outbound"
            State = "Enabled"
            DependsOn = "[Script]NoIPv6"
        }

        Computer MachineName
        {
            Ensure = "Present"
            Name = $Node.MachineName
            DomainName = $Node.DomainName
            Credential = (Import-Clixml $Node.DomainCredFile)
            DependsOn = "[Script]NoIPv6"
        }

        WindowsFeature FileServer
        {
            Ensure = "Present"
            Name = "File-Services"
            DependsOn = "[Computer]MachineName"
        }

        WindowsFeature WebServer
        {
            Ensure = "Absent"
            Name = "Web-Server"
            DependsOn = "[Computer]MachineName"
        }

        # Disable all built-in File firewall rules
        foreach ($rule in $Node.AbsentInFileRules)
        {
            Firewall $rule.Name
            {
                Ensure = "Present"
                DisplayName = $rule.DisplayName
                Direction = "Inbound"
                State = "Disabled"
                Protocol = $rule.Protocol
                DependsOn = "[WindowsFeature]FileServer"
            }
        }

        # Open selective ports & protocols
        foreach ($rule in $Node.AllowedInRules)
        {
            Firewall $rule.Name
            {
                Ensure = "Present"
                Access = "Allow"
                DisplayName = $rule.DisplayName
                LocalPort = $rule.Port
                Protocol = $rule.Protocol
                State = "Enabled"
                Direction = "Inbound"
                DependsOn = "[WindowsFeature]FileServer"
            }
        }

        # The delegated Run As account becomes a local administrator
        Group MATA
        {
            GroupName = "Administrators"
            Ensure = "Present"
            MembersToInclude = @("safeharbor\MATA")
            Credential = (Import-Clixml $Node.DomainCredFile)
            DependsOn = "[Computer]MachineName"
        }

        # The built-in Administrator account is disabled
        User Administrator
        {
            Ensure = "Present"
            UserName = "Administrator"
            Disabled = $true
        }
    }
}
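The FileServer configuration reads everything security-relevant (credential file, firewall rule lists) from node data that the slides do not show. This added example, not code from the deck, gives one possible data set plus a pre-compile check on it; node names, paths and rule names are constructed, the thumbprint is a placeholder, and the permitted ports assume the diagram's "Allow WSMAN & SMB (In)" means TCP 5985/5986 and 445.

```powershell
# Added example. Node names, paths and rule names are constructed; the thumbprint is a placeholder.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName          = 'SH-FS01'
            Role              = 'FileServer'
            MachineName       = 'SH-FS01'
            DomainName        = 'safeharbor.contoso.com'
            DomainCredFile    = 'C:\Deploy\SHAdmin.clixml'   # Export-Clixml output, DPAPI-bound to user and machine
            CertificateFile   = 'C:\Deploy\SH-FS01.cer'      # public key that encrypts credentials in the MOF
            Thumbprint        = '<THUMBPRINT-PLACEHOLDER>'
            AbsentInRules     = @()
            AbsentInFileRules = @(
                @{ Name = 'FileNB'; DisplayName = 'File and Printer Sharing (NB-Session-In)'; Protocol = 'TCP' }
            )
            AllowedInRules    = @(
                @{ Name = 'WSManIn'; DisplayName = 'Safe Harbor WSMAN (In)'; Port = '5985'; Protocol = 'TCP' }
                @{ Name = 'SmbIn';   DisplayName = 'Safe Harbor SMB (In)';   Port = '445';  Protocol = 'TCP' }
            )
        }
    )
}

function Test-FileServerNodeData {
    # Emits one string per problem; no output means the data matches the intended policy.
    param(
        [Parameter(Mandatory)][hashtable]$ConfigurationData,
        [string[]]$PermittedPorts = @('445', '5985', '5986')   # SMB and WSMAN (HTTP/HTTPS)
    )
    foreach ($node in ($ConfigurationData.AllNodes | Where-Object { $_.Role -eq 'FileServer' })) {
        foreach ($key in 'MachineName', 'DomainName', 'DomainCredFile', 'AllowedInRules') {
            if (-not $node.ContainsKey($key)) { "$($node.NodeName): missing '$key'" }
        }
        if ($node.PSDscAllowPlainTextPassword) { "$($node.NodeName): credentials would be stored in clear text in the MOF" }
        if (-not $node.CertificateFile)        { "$($node.NodeName): no CertificateFile, credentials cannot be encrypted" }
        foreach ($rule in $node.AllowedInRules) {
            if ($rule.Port -notin $PermittedPorts) { "$($node.NodeName): unexpected inbound port $($rule.Port) ($($rule.Name))" }
        }
    }
}

$problems = @(Test-FileServerNodeData -ConfigurationData $ConfigData)
if ($problems) { $problems; throw 'Fix the configuration data before compiling.' }
# FileServer -ConfigurationData $ConfigData -OutputPath C:\Deploy\Mof
```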

Configure Servers

[Diagram labels: Corporate domain with Domain Admin, Dept. Head, P.A.P.A, User and DHCP; Safeharbor domain (safeharbor.contoso.com) with SH Admin, SH DC, DSC Pull Server, Jump Box and File Servers; Run As account M.A.T.A; One Way Trust; Request, ACTION, ACCESS]

Demo

Configure Servers

Opportunities

Remove domain trust from isolated environment

Remove domain from isolated environment

Regularly change Domain Admin password

JIT/JEA

• Limit all isolated environment access through the management head

• Provide necessary escape hatch

• Workflows with approvals, etc.

Use Role Based Access Control (RBAC)

Summary

Assume corporate environment is not secure

Example of a way to use PowerShell to create a secure environment for critical information

• Move critical data into isolated environment

• Remove “Administrator” role

• Provide specific access to users' information

Further enhance security of isolated environment

• Expand on this example

• Create custom solutions