Windows Domain Hardening
Darren LaCasse
Disclaimer
• All material presented is my own unless otherwise specified.
• Don’t take this as the one and only way to do this
– Your organization is unique, maybe…
– YMMV
Agenda
• Hardening 101
• Hardening Challenges
• Configuration/Monitoring Tools
• Demo
Why do we care?
• Improves system security
– Systems configured with minimum necessary services
• Improves system availability
– All systems configured the same
– Help desk has a single configuration to support
– Problem on 1 system can be avoided on the rest
No really, why do we care?
Verizon DBIR 2010
Common Hardening Tasks
• Apply OS and application patches
• Disable “Administrator” account
• Password requirements
– Length
– Complexity
– Expiration
– Lockout
• Install Antivirus
• Disable services
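The password and built-in Administrator items above are the ones most easily audited from the domain itself. The following is an added example, not material from the slides: it reads the default domain password policy and the state of the built-in Administrator account (RID 500) and reports each setting against a threshold. The thresholds are constructed placeholders to be replaced with the values from your own standard; the script assumes the ActiveDirectory RSAT module and a domain-joined session.

```powershell
# Added example (not from the slides): audit the domain against the password
# and account items listed under "Common Hardening Tasks".
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
# Threshold defaults are constructed placeholders; use your own standard.
Import-Module ActiveDirectory

function Test-DomainAccountBaseline {
    param (
        [int]$MinLength        = 14,
        [int]$MaxAgeDays       = 90,
        [int]$LockoutThreshold = 10
    )

    $policy = Get-ADDefaultDomainPasswordPolicy

    # The built-in Administrator always carries RID 500 under the domain SID,
    # so it is found by SID even when the account has been renamed.
    $domainSid    = (Get-ADDomain).DomainSID.Value
    $builtinAdmin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled

    # MaxPasswordAge of 0 days means "never expires" and LockoutThreshold of 0
    # means "never lock out"; both read as small numbers, so they are checked
    # explicitly rather than with a plain "less than or equal" comparison.
    $maxAge = $policy.MaxPasswordAge.Days

    [pscustomobject]@{
        Setting   = 'Minimum password length'
        Expected  = ">= $MinLength"
        Actual    = $policy.MinPasswordLength
        Compliant = $policy.MinPasswordLength -ge $MinLength
    }
    [pscustomobject]@{
        Setting   = 'Password complexity'
        Expected  = 'Enabled'
        Actual    = $policy.ComplexityEnabled
        Compliant = [bool]$policy.ComplexityEnabled
    }
    [pscustomobject]@{
        Setting   = 'Maximum password age (days)'
        Expected  = "1..$MaxAgeDays"
        Actual    = $maxAge
        Compliant = ($maxAge -gt 0) -and ($maxAge -le $MaxAgeDays)
    }
    [pscustomobject]@{
        Setting   = 'Lockout threshold (attempts)'
        Expected  = "1..$LockoutThreshold"
        Actual    = $policy.LockoutThreshold
        Compliant = ($policy.LockoutThreshold -gt 0) -and
                    ($policy.LockoutThreshold -le $LockoutThreshold)
    }
    [pscustomobject]@{
        Setting   = 'Built-in Administrator (RID 500) disabled'
        Expected  = 'Disabled'
        Actual    = if ($builtinAdmin.Enabled) { 'Enabled' } else { 'Disabled' }
        Compliant = -not $builtinAdmin.Enabled
    }
}

# One row per setting; filter on Compliant -eq $false to get the work list
Test-DomainAccountBaseline | Format-Table -AutoSize
```

Fine-grained password policies (PSOs) override the default domain policy for the groups they target, so on a domain that uses them the same checks should also be run against `Get-ADFineGrainedPasswordPolicy -Filter *`.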
Hardening standards
• Develop one for your unique organization
Hardening standards
• Start with an industry standard
– Center for Internet Security
http://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks
– NSA
– Microsoft
System Hardening Methods
• Manual
– Human error
– Personnel must know where the current baseline is
– Not reasonable with large # of systems
• Automatic
– Always the same
– Removes human error
Hardening Tools
• Microsoft Security Configuration and Analysis Tool (SCAT)
• Microsoft Security Compliance Manager (SCM)
• PowerShell Desired State Configuration (DSC)
SCAT
• Doesn’t scale well
• Requires manual configuration for modern OS
• No central management
• No easy reporting mechanism
• Can do remediation
Security Compliance Manager
• Gives us baselines from MS for
– Operating Systems
– Applications
• IIS
• DNS
• DHCP
• Internet Explorer
• MS Office
• Doesn’t provide a way to apply to systems
Desired State Configuration (DSC)
• PowerShell feature
– If you can PowerShell, you can use DSC
• DSC lets you configure and report on practically anything on the system
– Registry
– Files
– Configurations
– Services
– Software
https://technet.microsoft.com/en-gb/library/dn249912.aspx
Computers are hard…
• DSC works great if you aren’t on a consumer OS
• DSC works great if you have SCCM or SCVMM
How to DSC
• Write a DSC script (I tried and failed)

```powershell
configuration TestScript {
    param ()
    Node Localhost {
        # Create a test file with fixed contents
        File CreateTestFile {
            Ensure          = "Present"
            DestinationPath = "C:\Temp\example.txt"
            Contents        = "Example."
            Type            = "File"
        }
    }
}

# Compile the configuration into MOF files. The call must use the
# configuration's own name (TestScript); the slide invoked "HelloWorld",
# which does not match the configuration declared above.
TestScript -OutputPath C:\Temp\TestScript

# Apply the compiled configuration to the local machine
Start-DscConfiguration -Path C:\Temp\TestScript -ComputerName Localhost -Verbose -Wait
```
https://scriptimus.wordpress.com/2015/04/14/powershell-desired-state-configuration-getting-started/
Check Against the Configuration
• Test-DscConfiguration
– Returning the value of “True” means the single value in our MOF is met
– If we change the text in example.txt then we get this
You configured one value, GREAT…
• Where you can go from here
– Convert your org's baseline to DSC syntax
• Lots of time the first go
– Output per system with values that are “False”
– Startup scripts?
– Buy SCCM?
– GPO health!
– Remove local admin rights
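The "How to DSC", "Check Against the Configuration" and "Where you can go from here" slides together describe one workflow: express baseline items as DSC resources, compile and push them, then run Test-DscConfiguration and collect the "False" results per system. The following is an added example of that workflow, not code from the slides or from Microsoft's DSC documentation. It assumes WMF 5.0 or later (for the -Detailed switch on Test-DscConfiguration) and PowerShell Remoting on the target machines; the two baseline items (a disabled service and an AutoRun registry policy) are illustrative choices, since the slides do not name specific settings.

```powershell
# Added example (not from the slides): a small baseline in DSC, compiled and
# applied, then tested per system with the non-compliant resources reported.
# Assumes WMF 5.0+ and PowerShell Remoting on the targets. The two settings
# below are illustrative; your standard supplies the real list.
Configuration OrgBaseline {
    param ([string[]]$ComputerName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # One MOF is produced per name in $ComputerName
    Node $ComputerName {
        # "Disable services": stop and disable a service the baseline does not need
        Service RemoteRegistryOff {
            Name        = 'RemoteRegistry'
            StartupType = 'Disabled'
            State       = 'Stopped'
        }
        # A registry-backed policy value: disable AutoRun on all drive types
        Registry NoAutoRun {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
            ValueName = 'NoDriveTypeAutoRun'
            ValueType = 'Dword'
            ValueData = '255'
        }
    }
}

# Constructed target list; replace with your own computer names
$targets = @('localhost')

# Compile the MOFs, then push the configuration and wait for it to finish
OrgBaseline -ComputerName $targets -OutputPath C:\Temp\OrgBaseline
Start-DscConfiguration -Path C:\Temp\OrgBaseline -ComputerName $targets -Wait -Verbose

function Get-BaselineDrift {
    param ([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        # -Detailed returns the per-resource breakdown, not just a single True/False
        $result = Test-DscConfiguration -ComputerName $computer -Detailed
        foreach ($resource in $result.ResourcesNotInDesiredState) {
            [pscustomobject]@{
                Computer       = $computer
                Resource       = $resource.ResourceId
                InDesiredState = $false
            }
        }
    }
}

# One row per system and resource that currently reads "False"
Get-BaselineDrift -ComputerName $targets |
    Export-Csv -Path C:\Temp\OrgBaseline\drift.csv -NoTypeInformation
```

Test-DscConfiguration only reports; nothing is changed by running it, so the drift report can be produced on a schedule without re-pushing the configuration. A system that is missing from the report entirely (no remoting, node never received a MOF) is a separate finding and should be tracked on its own.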
Tell me there is something else!
• Chef
– https://www.chef.io/
• Puppet
– https://puppetlabs.com/
• Nessus
– http://www.tenable.com/products/nessus-vulnerability-scanner