Securing Windows With Group Policy

Jan 15, 2017

Josh Rickard
Page 1: Securing Windows with Group Policy

Securing Windows With Group Policy

Page 2: Securing Windows with Group Policy

Josh Rickard

• BS in Computer Information Systems

• Central Methodist University – 1 year

• University of Missouri – 4 years

• Currently a Security Analyst-Specialist

– QualysGuard, Kaspersky, incident response

Page 3: Securing Windows with Group Policy

Josh Rickard

• Microsoft Deployment Toolkit & SCCM

• Group Policy

• Digital forensics

• Incident response

• PowerShell tool making!

Page 4: Securing Windows with Group Policy

Josh Rickard

• GIAC Certified Windows Security Administrator – GCWN

• GIAC Certified Forensic Analyst – GCFA

• QualysGuard Certified Specialist – QGCS-VM

• Apple Certified Associate – Mac Integration

Page 5: Securing Windows with Group Policy

FIRST STEP TOWARDS SECURING WINDOWS

Page 6: Securing Windows with Group Policy

START WITH MALWARE-RESISTANT OPERATING SYSTEMS AND SOFTWARE

Page 7: Securing Windows with Group Policy

NEXT STEPS

Page 8: Securing Windows with Group Policy

PATCH MANAGEMENT

Page 9: Securing Windows with Group Policy

Questions

• Who uses Active Directory in their environment?

• Who uses Group Policy in their environment?

– Daily?

– Weekly?

– Monthly?

– Year or more?

Page 10: Securing Windows with Group Policy

Questions

• Who has/uses two separate accounts?

– Mundane ([email protected])

– Admin (unique account)

Page 11: Securing Windows with Group Policy

USE TWO SEPARATE ACCOUNTS

Page 12: Securing Windows with Group Policy

Two Group Policy Questions

• Where are you? (Domain, OU, Site)

• What are you? (User or Computer)

Page 13: Securing Windows with Group Policy

LSD OU!

Group Policy is processed in this order and the last writer wins, so a setting in an OU-linked GPO overrides the same setting coming from the domain, the site or the local policy:

Local: Local Group Policy (the machine's own, lowest priority)

Site: Site Group Policy (linked to an AD site; sites span the forest, so a site link can reach computers from several domains)

Domain: Domain Group Policy

OU: Organizational Unit Group Policy (parent OU first, then each child OU; the OU closest to the object wins)

Page 14: Securing Windows with Group Policy

Exceptions to the rule

• Account Policies

– These only affect domain accounts when they come from a GPO linked at the domain level (normally the Default Domain Policy). Linked to an OU they change only the local accounts of the computers in that OU; they do not follow the LSDOU rule.

– Password Policy

• Enforce password history

• Maximum & Minimum password age

• Minimum password length

• Passwords must meet complexity requirements

• Store password using reversible encryption for all users in the domain (NOOOOOOOOOO!!!!!! The password is stored in a form any domain controller can turn back into cleartext.)

– Account Lockout Policy settings

• Account lockout duration

• Account lockout threshold

• Reset account lockout counter after

– Kerberos Policy settings

• Enforce user logon restrictions

• Maximum lifetime for service ticket

• Maximum lifetime for user ticket

• Maximum lifetime for user ticket renewal

• Maximum tolerance for computer clock synchronization

• Two Security Options that are likewise effective only when set at the domain level

– Network Access: Allow anonymous SID/Name translation

– Network Security: Force logoff when logon hours expire

• Local Policies (User Rights Assignment, Audit Policy and the other Security Options) follow the normal LSDOU rules

Page 15: Securing Windows with Group Policy

Computer Configuration

• Applies to the computer object at boot and on every refresh, regardless of who logs on

• When the same setting exists on both sides, the computer configuration almost always wins

• Used to apply configuration changes specific to machines

• Think, HKLM

• Exception: Loopback Processing Mode, which lets the computer's GPOs supply user settings

Page 16: Securing Windows with Group Policy

User Configuration

• Follows the user object: the GPOs that apply are those linked along the site, domain and OU chain of the user account, whichever computer the user logs on to

• If you need user settings tied to a particular set of computers (kiosks, lab machines, terminal servers), that is what Loopback Processing Mode is for

• Used to apply configuration changes specific to users

• Think, HKCU or HKU

Page 17: Securing Windows with Group Policy

Policies

• No tattoo

– If the GPO goes out of scope, the setting is removed and the previous value comes back

• Overwrite current application settings for as long as the policy applies

• Policies are recognized by applications

– e.g. the setting is grayed out in the UI because it is being enforced

Page 18: Securing Windows with Group Policy

Preferences

• Tattoos

– If the GPO goes out of scope, the settings remain on the machine unless the item was configured to remove itself when it no longer applies

• Item Level Targeting

– We will talk about this later

Page 19: Securing Windows with Group Policy

Block Inheritance

• Blocks GPOs linked higher in the LSDOU order from applying to this OU and everything beneath it

• Keep in mind that Kerberos, password, & lockout policies will still be enforced for everyone in that domain, and Enforced links punch through the block.

Page 20: Securing Windows with Group Policy

Enforced (a.k.a., “No Override”)

• Forces a parent container's GPO link onto all sub-containers

• This will “override” any “Block Inheritance” set below it; if two Enforced GPOs conflict, the one linked higher up wins

• Except: Loopback Mode GPOs

Page 21: Securing Windows with Group Policy

Loopback Processing Mode

• Applies user settings taken from the GPOs in the computer's scope (site/domain/OU of the computer object); meant for kiosks, labs and terminal servers

• Replace

– Ignores the user's own GPOs entirely; only the user settings from the computer's GPOs apply

• Merge

– Applies the user's own GPOs first, then the user settings from the computer's GPOs

• *NOTE: in Merge mode the computer's GPOs are processed last, so their user settings win any conflict.

Page 22: Securing Windows with Group Policy

WMI Filtering

• Filter/configure GPO “scope” with a WMI query that the client evaluates at processing time; the GPO applies only if the query returns a result

• Filters on facts about the machine (OS version, free disk, laptop vs. desktop, installed software), not on users or groups. To scope a GPO to specific users, computers or groups, use security filtering (the Apply Group Policy permission) instead.
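The two questions (where is the object, and which GPOs reach it?) can be answered from PowerShell before touching a client. This is an added example, not code from the slides: it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the computer name, OU and report path are placeholders.

```powershell
# Added example: trace the LSDOU chain, security filtering and WMI filter for one computer.
Import-Module GroupPolicy, ActiveDirectory

$computer = Get-ADComputer -Identity 'WS-FINANCE-01'                # placeholder name
# Strip the leading "CN=<name>," to get the container the object lives in
$ou = ($computer.DistinguishedName -split ',', 2)[1]

# Get-GPInheritance lists links in processing order; a higher Order is applied later and wins on conflict.
$inh = Get-GPInheritance -Target $ou
"Block inheritance on ${ou}: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced, Target | Format-Table -AutoSize

# For each GPO that reaches the OU, show what else narrows its scope
foreach ($link in $inh.InheritedGpoLinks) {
    $gpo = Get-GPO -Guid $link.GpoId
    # Security filtering = who holds the "Apply Group Policy" (GpoApply) permission
    $applyTo = Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    [pscustomobject]@{
        GPO       = $gpo.DisplayName
        Status    = $gpo.GpoStatus        # AllSettingsEnabled, UserSettingsDisabled, ...
        AppliesTo = ($applyTo -join ', ')
        WmiFilter = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
    }
}

# The authoritative answer is Resultant Set of Policy from the client's point of view.
# On the machine itself:  gpresult /R /SCOPE COMPUTER   or   gpresult /H C:\Temp\rsop.html /F
# Remotely, with the GroupPolicy module (needs WMI/RPC access to the target):
Get-GPResultantSetOfPolicy -Computer 'WS-FINANCE-01' -ReportType Html -Path "$env:TEMP\rsop.html"
```

Reading the report bottom-up is the habit to build: the last GPO in the list is the one whose value stuck, and a GPO that appears with an empty AppliesTo or a WMI filter the machine fails is the usual reason a setting "didn't apply".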

Page 23: Securing Windows with Group Policy

Item Level Targeting

• GPO Preferences only

• Target a specific machine or user attribute (other than WMI Filtering), per preference item rather than per GPO: security group, OU, IP address range, operating system, environment variable, etc.

Page 24: Securing Windows with Group Policy

Active Directory Permissions

• Enable “Advanced Features” in Active Directory Users and Computers to see the Security tab

• Delegate control

– Always take a “least privilege” approach

• Delegate full control over an OU only, never at the domain root

Page 25: Securing Windows with Group Policy

Moral of the Story

• We need to ask ourselves, where is the computer/user account located in AD?

Page 26: Securing Windows with Group Policy

Now the fun stuff!


Page 27: Securing Windows with Group Policy

Auto-Play & Auto-Run

• Disable the action taken when a thumb drive or portable hard drive is plugged into a computer (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies)
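The AutoPlay policies are a good first illustration of the "enterprise registry editor" idea from the end of the deck: each Administrative Template setting is a registry value under a Policies key. The block below is an added example, not from the slides; it writes those values into a GPO with the GroupPolicy module and assumes a GPO named Workstation-Baseline already exists.

```powershell
# Added example: the three AutoPlay/AutoRun policy settings as the registry values they really are.
Import-Module GroupPolicy
$gpo = 'Workstation-Baseline'   # assumed GPO name; New-GPO -Name $gpo creates it if needed
$explorerPolicies = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# "Turn off AutoPlay" = Enabled, "All drives": 0xFF sets the bit for every drive type
Set-GPRegistryValue -Name $gpo -Key $explorerPolicies -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF

# "Set the default behavior for AutoRun" = Enabled, "Do not execute any autorun commands"
# (autorun.inf on removable media is ignored instead of being offered or executed)
Set-GPRegistryValue -Name $gpo -Key $explorerPolicies -ValueName 'NoAutorun' -Type DWord -Value 1

# "Disallow Autoplay for non-volume devices": cameras, phones and other MTP/PTP devices
Set-GPRegistryValue -Name $gpo -Key 'HKLM\Software\Policies\Microsoft\Windows\Explorer' `
    -ValueName 'NoAutoplayfornonVolume' -Type DWord -Value 1

# Read back what the GPO now carries under Computer Configuration
Get-GPRegistryValue -Name $gpo -Key $explorerPolicies

# On a client, after gpupdate /force, the same value is visible at the same path;
# because it is a policy (not a preference) it disappears again if the GPO goes out of scope
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun
```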

Page 28: Securing Windows with Group Policy

Windows Firewall with Advanced Security

• Manage Network Profiles

– Domain (the machine can reach a domain controller)

– Private (labelled Home/Work in older versions: networks the user has marked as trusted)

– Public (everything else; the default for an unknown network)

• Manage applications/services that should be allowed/denied, per profile
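The NetSecurity cmdlets can edit the firewall settings of a GPO directly, which avoids clicking through the MMC for every rule. The block below is an added example, not from the slides; the domain name, GPO name, admin subnet and port choices are assumptions for illustration.

```powershell
# Added example: profile defaults and rules written straight into a GPO (Windows 8/Server 2012+).
$gpoStore = 'contoso.com\Workstation-Firewall'      # "<domain>\<GPO display name>", placeholder
$s = Open-NetGPO -PolicyStore $gpoStore             # edit in a session, commit once at the end

# All three profiles on, inbound blocked by default, and log the drops so the SOC can see probing.
Set-NetFirewallProfile -GPOSession $s -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Off the corporate network nothing comes in at all, and locally created rules are ignored
# so a local admin cannot punch a hole that survives Group Policy.
Set-NetFirewallProfile -GPOSession $s -Profile Public -AllowInboundRules False -AllowLocalFirewallRules False

# Remote management only from the admin subnet, and only while on the Domain profile
New-NetFirewallRule -GPOSession $s -DisplayName 'Allow WinRM from admin subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress '10.10.50.0/24' `
    -Profile Domain -Action Allow

# Workstations never need to serve SMB off the domain network (classic lateral-movement path)
New-NetFirewallRule -GPOSession $s -DisplayName 'Block SMB inbound (Private/Public)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Private, Public -Action Block

Save-NetGPO -GPOSession $s

# On a client: which profile is active right now, and what did the policy leave as the defaults?
Get-NetConnectionProfile | Select-Object Name, NetworkCategory
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules
```

The Public-profile line is the one to think about: with AllowLocalFirewallRules off, even an installer that registers its own inbound rule gets nothing on untrusted networks, which is the behaviour you want on a laptop in an airport.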

Page 29: Securing Windows with Group Policy

Manage Group Memberships

• GPO Restricted Groups

– Manage global groups in AD

– Centrally manage all high-target groups

– “Members of this group” rebuilds the group completely every time GP is refreshed, so anyone added by hand is removed again; “This group is a member of” only adds and never removes

• GPO Preferences (Local Users and Groups)

– Best for managing local groups on domain machines

– Create custom local groups

– Add or remove individual members without wiping the rest of the group

– Assign customized rights and privileges

– Assign customized permissions as well

Page 30: Securing Windows with Group Policy

Manage User Rights

• Allow/Deny Log On Locally

– Why does someone need to log on locally to a server/computer?

• Allow/Deny Access to Computer From the Network

– Limit this to either specific users or just admins/IT Pros; a Deny right always beats an Allow right

• Allow/Deny Log On through Remote Desktop Services

– Normal users do not need RDP

Page 31: Securing Windows with Group Policy

Manage High Target Accounts

• Restrict Logon Hours and Workstations

– Enterprise, Schema, and Domain Admins should be restricted as tightly as possible.

• Remote Desktop logon

• Remote Control logon

• Etc.

• Why would Domain/Enterprise/Schema Admins be RDPing?

– Answer: They wouldn’t! Give those groups the Deny log on through Remote Desktop Services right (and Deny log on locally) on every machine that is not a domain controller.

Page 32: Securing Windows with Group Policy

AppLocker

• Requirements:

– Application Identity Service (AppIDSvc) must be running (set to Automatic); with it stopped no rule is evaluated

– An edition that enforces rules: Enterprise/Education client editions (Windows 7 Ultimate or Enterprise onward) or Windows Server; Pro can edit the rules but does not enforce them

• Three different conditions can be used

– Hash Condition Rules

– Path Condition Rules

– Publisher Condition Rules

Page 33: Securing Windows with Group Policy

AppLocker – Hash Condition

• Every file has a unique hash value (AppLocker stores a SHA-256 of the file)

• Positive

– Unique hash for every executable, so renaming, moving or tampering with the file breaks the match

– Secure!

• Negative

– Every update produces a new hash, so the rule set has to be rebuilt after each patch

Page 34: Securing Windows with Group Policy

AppLocker – Path Condition

• Positive

– Select an entire suite of products by its install folder

– You can use wildcards (*) and path variables such as %PROGRAMFILES% and %WINDIR%

• Negative

– You must know all paths the application uses

• C:\ProgramData

• C:\Users\username\AppData\Local\*\*.zip\*

– A path rule trusts whatever happens to be in that path. Allowing a folder users can write to (their profile, C:\Windows\Temp, C:\Windows\Tasks) lets them drop their own executable there and run it, so path rules belong only on locations where users have no write access.

Page 35: Securing Windows with Group Policy

AppLocker – Publisher Condition

• Positive

– One rule covers a publisher, a product, or a file at or above a given version, so it survives updates and can allow a whole suite of applications from one vendor

– You can widen or narrow the rule from publisher down to file version (the slider in the rule wizard); a wildcard (*) in a field means “any”

• Negative

– Only works for applications that are digitally signed, and the signature must chain to a root the machine trusts
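Putting the three condition types together: the block below is an added example, not from the slides. It builds publisher rules where files are signed and hash rules for the rest, starts in audit mode, tests the result against a couple of paths, and then publishes into a GPO. The directory, file paths and GPO name are assumptions; the AppLocker and GroupPolicy modules (RSAT) are required.

```powershell
# Added example: inventory a product, generate Publisher+Hash rules, audit, test, publish.
Import-Module AppLocker, GroupPolicy

# 1. Nothing is evaluated unless the Application Identity service runs.
#    On Windows 10 1903+/Server 2019+ it is a protected service and Set-Service is refused,
#    so use sc.exe (or the GPO "System Services" setting) to make it Automatic.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Publisher rules for signed files, hash rules as the fallback for unsigned ones.
#    -Optimize collapses per-file publisher rules into one rule per product.
$inventory = Get-AppLockerFileInformation -Directory 'C:\Program Files\7-Zip' -Recurse -FileType Exe, Dll
$xmlText   = $inventory | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Switch every rule collection to AuditOnly before it goes anywhere near a client.
#    Remember the default rules (Create Default Rules in the GPO editor) must exist for
#    %WINDIR% and %PROGRAMFILES% before you ever set EnforcementMode to Enabled, or Windows
#    itself gets blocked; they deliberately exclude user-writable paths for the reason on the Path slide.
[xml]$policy = $xmlText
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
$policyFile = "$env:TEMP\AppLocker-Audit.xml"
$policy.Save($policyFile)

# 4. Dry run: each path reports Allowed / Denied / DeniedByDefaultRule and the rule that matched.
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path `
    'C:\Program Files\7-Zip\7z.exe', 'C:\Users\Public\Downloads\setup.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Publish into the GPO (Computer Configuration > Windows Settings > Security Settings > Application Control Policies)
$gpo = Get-GPO -Name 'AppLocker-Workstations'
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap "LDAP://$($gpo.Path)"

# Audit results: 8003 = would have been blocked (AuditOnly), 8004 = blocked (Enabled)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Run in AuditOnly for a few weeks, mine the 8003 events for legitimate software you missed, add rules for it, and only then flip the collections to Enabled.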

Page 36: Securing Windows with Group Policy
Page 37: Securing Windows with Group Policy

Additional Security Measures

• Require screensavers with passwords

• Use LAPS – do not keep the same local admin password on all machines

– If possible, disable the ability to log on with a local account over the network (give the Deny access to this computer from the network right to the built-in Local account identity, S-1-5-113)

– If you set local passwords with Group Policy Preferences, they are written to Groups.xml under \\domain.com\SYSVOL, which every domain user can read. The cpassword value is AES-encrypted, but with a key Microsoft published, so it is as good as plaintext; MS14-025 removed the option but left existing items in place.

• Hashed does not mean encrypted.
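Finding leftover Preference passwords is a five-minute check worth running in any domain older than 2014. The block below is an added example, not from the slides: it scans SYSVOL for the preference XML types that can carry a cpassword and reports each item. The domain path is derived from the current user's domain, and the Groups.xml sample at the bottom is constructed (fake GUIDs, placeholder cpassword) so the parser can be exercised offline.

```powershell
# Added example: report Group Policy Preference items that still carry a cpassword attribute.
function Get-CpasswordItems {
    # Parses one preference XML document; cpassword sits on the <Properties> element of an item
    param([xml]$Xml, [string]$Source = '(inline)')
    foreach ($node in $Xml.SelectNodes('//Properties[@cpassword]')) {
        # Different preference types name the account attribute differently
        $acct = foreach ($a in 'userName', 'username', 'accountName', 'runAs') {
            if ($node.HasAttribute($a)) { $node.GetAttribute($a) }
        }
        [pscustomobject]@{
            Source          = $Source
            Item            = $node.ParentNode.GetAttribute('name')
            Account         = @($acct)[0]
            LastChanged     = $node.ParentNode.GetAttribute('changed')
            CpasswordLength = $node.GetAttribute('cpassword').Length   # non-zero = credential present
        }
    }
}

function Find-GppPassword {
    # Walks every GPO folder in SYSVOL; every domain user has read access here, so can an attacker
    param(
        [string]$SysvolPolicies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies",
        [string[]]$Files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    )
    Get-ChildItem -Path $SysvolPolicies -Recurse -Include $Files -ErrorAction SilentlyContinue |
        ForEach-Object {
            $gpoGuid = if ($_.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '?' }
            Get-CpasswordItems -Xml ([xml](Get-Content $_.FullName -Raw)) -Source "$gpoGuid $($_.Name)"
        }
}

# Constructed sample of a Groups.xml that sets a local admin password (placeholder cpassword value)
$sampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2"
        changed="2016-11-04 13:22:10" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="" cpassword="CONSTRUCTED_BASE64_VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@
Get-CpasswordItems -Xml ([xml]$sampleGroupsXml) -Source 'sample Groups.xml' | Format-Table -AutoSize

# Against the real domain (run as any domain user to prove the point):
# Find-GppPassword | Format-Table -AutoSize
```

Anything the scan returns has to be treated as a known password: delete the preference item, and change that account's password on every machine the GPO ever applied to, ideally by moving those machines to LAPS in the same change.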

Page 38: Securing Windows with Group Policy

Additional Security Measures

• Disable Guest Account

– Option: Network Access: Sharing and Security Model for Local Accounts, set to “Guest only”

• Every network logon that presents a local account is mapped to Guest, whichever local account was used

– If you disable the Guest account and this setting is enabled, then no one will be able to log on over the network with a local account (good thing!). Domain accounts are unaffected, and on domain-joined machines the default is “Classic”, so you have to set it yourself.

Page 39: Securing Windows with Group Policy

Additional Security Measures

• Display a Logon Banner with Legal Notice

This system is for use of authorized users only and is not public. Individuals using this computer system without authority or in excess of their authority are subject to having all of their activities on this system monitored and recorded, including their keystrokes and mouseclicks. Anyone using this system expressly consents to such monitoring and is advised that if this monitoring reveals possible evidence of criminal activity, this evidence may be provided to law enforcement officials with the intent to prosecute.

Page 40: Securing Windows with Group Policy

Block Unsigned Scripts

• PowerShell (execution policy AllSigned)

• WSH

• VBScript

• JScript

• Perl

• Python

• This does NOT protect you from advanced users & malware: an interpreter that is installed will run whatever is fed to it on the command line or through a pipe, signed or not

• PowerShell's execution policy is not a security boundary; it stops the accidental execution of .ps1 files and nothing more. Application control (AppLocker/WDAC script rules) is what actually restricts what runs.
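To make the "not a security boundary" point concrete, the block below (an added example, not from the slides) sets the execution policy the way Group Policy does and then lists the one-liners that run an unsigned script anyway. The GPO name is a placeholder; the registry paths are the ones the "Turn on Script Execution" template writes.

```powershell
# Added example: execution policy via GPO, the bypasses it does not stop, and the logging to add instead.
Import-Module GroupPolicy
$gpo = 'Workstation-Baseline'                      # placeholder GPO name
$psPolicy = 'HKLM\Software\Policies\Microsoft\Windows\PowerShell'

# "Turn on Script Execution" = Enabled, "Allow only signed scripts" (AllSigned)
Set-GPRegistryValue -Name $gpo -Key $psPolicy -ValueName 'EnableScripts'   -Type DWord  -Value 1
Set-GPRegistryValue -Name $gpo -Key $psPolicy -ValueName 'ExecutionPolicy' -Type String -Value 'AllSigned'

# On a client the MachinePolicy scope now sits above every local scope:
Get-ExecutionPolicy -List

# ...but the policy only decides whether a .ps1 FILE is loaded, not whether code runs.
# Each of these executes the contents of an unsigned script under AllSigned:
#   powershell.exe -NoProfile -Command "Invoke-Expression (Get-Content .\unsigned.ps1 -Raw)"
#   Get-Content .\unsigned.ps1 -Raw | powershell.exe -NoProfile -Command -
#   powershell.exe -NoProfile -EncodedCommand <base64 UTF-16LE of the script>
# What does constrain script execution is application control: an AppLocker or WDAC script
# rule set in enforcement also drops PowerShell into Constrained Language Mode.

# Whatever policy you pick, make the attempts visible: script block logging records the
# de-obfuscated code of every script block that runs (event 4104, Microsoft-Windows-PowerShell/Operational).
Set-GPRegistryValue -Name $gpo -Key "$psPolicy\ScriptBlockLogging" -ValueName 'EnableScriptBlockLogging' -Type DWord -Value 1
```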

Page 41: Securing Windows with Group Policy

Advanced Protection

• DEP – Data Execution Prevention

– Prevents execution of code from memory pages that are not marked executable (stack, heap)

• ASLR – Address Space Layout Randomization

– Random load addresses make exploits more difficult: there is no way to hard code the memory locations of libraries or the stack

• EMET – Enhanced Mitigation Experience Toolkit

– Enforces DEP, ASLR and further mitigations per application on older Windows. EMET reached end of life in July 2018; Windows 10 1709 and later build the same controls in as Exploit Protection (Windows Defender Exploit Guard), which is configured through Group Policy.
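Because EMET is gone, the practical version of this slide is the ProcessMitigations module. The block below is an added example, not from the slides; it assumes Windows 10 1709+/Server 2019+, an elevated session, and the process names are illustrative. The XML it exports is the file the Group Policy setting "Use a common set of exploit protection settings" (Computer Configuration > Administrative Templates > Windows Components > Windows Defender Exploit Guard > Exploit Protection) points clients at.

```powershell
# Added example: DEP/ASLR system-wide plus per-application hardening with Exploit Protection.

# System defaults: DEP for every process, bottom-up ASLR with high entropy, SEHOP
Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy, SEHOP

# Per-application settings for the document handlers malware usually arrives through.
# ForceRelocateImages = mandatory ASLR even for DLLs built without /DYNAMICBASE,
# CFG = Control Flow Guard checks on indirect calls.
foreach ($exe in 'winword.exe', 'excel.exe', 'AcroRd32.exe') {
    Set-ProcessMitigation -Name $exe -Enable DEP, ForceRelocateImages, BottomUp, HighEntropy, CFG
}

# Confirm what a process actually gets; each group shows its Enable/Audit state
$m = Get-ProcessMitigation -Name winword.exe
$m.Dep
$m.Aslr
$m.Cfg

# Export the full configuration for the GPO setting above (put the file on a share clients can read)
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\ExploitProtection.xml"
# Re-import by hand on another machine (or let the GPO do it):
#   Set-ProcessMitigation -PolicyFilePath \\contoso.com\NETLOGON\ExploitProtection.xml
```

Per-process settings override the system defaults, so an application that breaks under one mitigation gets an exception entry rather than a weaker system-wide policy.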

Page 42: Securing Windows with Group Policy

Scheduled Tasks for GPO Scripts

• Schedule tasks to run under the identity with the least privilege

– Local Service

– Network Service

– Local System (if needed)

• Do NOT use passwords in scripts, and do not type one into a scheduled task either: the built-in service identities need none, and a group managed service account (gMSA) fetches its own
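The usual reason a password ends up in a task is that the job needs domain rights and a service identity will not do. A gMSA covers that case without storing a credential anywhere. The block below is an added example, not from the slides; the account, group, script path and schedule are placeholders, and the one-time AD setup is shown in comments.

```powershell
# Added example: a scheduled task that needs domain rights, registered with no password at all.
# One-time setup on a domain controller (the KDS root key must already exist):
#   New-ADServiceAccount -Name 'svc-backupjob' -DNSHostName 'svc-backupjob.contoso.com' `
#       -PrincipalsAllowedToRetrieveManagedPassword 'FileServers'    # computer group allowed to use it
# On the host (a member of FileServers), once:
#   Install-ADServiceAccount -Identity 'svc-backupjob'
#   Test-ADServiceAccount -Identity 'svc-backupjob'                   # must return True

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument '-NoProfile -ExecutionPolicy AllSigned -File C:\Scripts\Backup.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 2am

# LogonType Password with NO -Password is how a gMSA is registered: the Task Scheduler
# retrieves the managed password from Active Directory each time the task starts.
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc-backupjob$' -LogonType Password -RunLevel Limited

$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) -RunOnlyIfNetworkAvailable

Register-ScheduledTask -TaskName 'Nightly Backup' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings

# For jobs that only touch the local machine, the built-in identities from the slide:
#   New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\LOCAL SERVICE'   -LogonType ServiceAccount
#   New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\NETWORK SERVICE' -LogonType ServiceAccount
# and SYSTEM only when the job genuinely needs it.

# Verify the identity the task will really run as
(Get-ScheduledTask -TaskName 'Nightly Backup').Principal | Select-Object UserId, LogonType, RunLevel
```

The same principle applies to tasks deployed through Group Policy Preferences: a gMSA or service identity in the task's Run As field means there is no cpassword to leak into SYSVOL.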

Page 43: Securing Windows with Group Policy

7 Deadly Sins (for Malware)

• Act As Part of the Operating System (SeTcbPrivilege)

• Create a Token Object (SeCreateTokenPrivilege)

• Debug Programs (SeDebugPrivilege)

• Load and Unload Device Drivers (SeLoadDriverPrivilege)

• Restore Files and Directories (SeRestorePrivilege)

• Take Ownership (SeTakeOwnershipPrivilege)

• Impersonate a Client After Authentication (SeImpersonatePrivilege)
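Who actually holds these seven, and the logon rights from the "Manage User Rights" slide, is something to check rather than assume, because a vendor installer or a helpful colleague can hand out Debug Programs with one click. The block below is an added example, not from the slides, covering both slides at once: it parses the [Privilege Rights] section of a secedit export and flags holders that are not the built-in defaults. The sample export at the bottom is constructed (the S-1-5-21 SIDs are fake) so the script runs without a live export.

```powershell
# Added example: audit User Rights Assignment for the seven deadly privileges and the logon rights.
$deadly = @{
    SeTcbPrivilege           = 'Act as part of the operating system'
    SeCreateTokenPrivilege   = 'Create a token object'
    SeDebugPrivilege         = 'Debug programs'
    SeLoadDriverPrivilege    = 'Load and unload device drivers'
    SeRestorePrivilege       = 'Restore files and directories'
    SeTakeOwnershipPrivilege = 'Take ownership of files or other objects'
    SeImpersonatePrivilege   = 'Impersonate a client after authentication'
}
$logon = @{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeNetworkLogonRight               = 'Access this computer from the network'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}
# Identities that hold most of the deadly privileges out of the box
$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SERVICE', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'

function ConvertFrom-SeceditSid {
    # secedit writes principals as *S-1-...; resolve to DOMAIN\name where this machine can
    param([string]$Token)
    if ($Token -notlike '*S-1-*') { return $Token }
    try { (New-Object System.Security.Principal.SecurityIdentifier($Token.TrimStart('*'))).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Token }   # deleted account, foreign domain or fake SID: keep the raw value
}

function Get-PrivilegeRights {
    # Returns @{ SeXxx = @('holder', ...) }; with no -InfText it exports the live local policy
    param([string[]]$InfText)
    if (-not $InfText) {
        $cfg = Join-Path $env:TEMP 'user-rights.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $InfText = Get-Content $cfg
        Remove-Item $cfg
    }
    $rights = @{}; $inSection = $false
    foreach ($line in $InfText) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | Where-Object { $_.Trim() } |
                                     ForEach-Object { ConvertFrom-SeceditSid $_.Trim() })
        }
    }
    $rights
}

function Get-RightsReport {
    param([hashtable]$Rights)
    foreach ($p in (@($deadly.Keys) + @($logon.Keys) | Sort-Object)) {
        $holders = @($Rights[$p] | Where-Object { $_ })
        $extra   = @($holders | Where-Object { $_ -notin $expected })
        $review  = ''
        if ($deadly[$p] -and $extra) { $review = "unexpected holder: $($extra -join ', ')" }
        # An empty Deny right means nobody (not even Domain Admins) is kept off this box
        if ($p -like 'SeDeny*' -and -not $holders) { $review = 'nobody denied; add the Tier-0 admin groups' }
        [pscustomobject]@{
            Right   = $p
            Meaning = if ($deadly[$p]) { $deadly[$p] } else { $logon[$p] }
            Holders = $holders -join ', '
            Review  = $review
        }
    }
}

# Constructed sample: a helpdesk group (RID 1105) has been given Debug Programs, and no Deny rights are set
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege =
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Get-RightsReport -Rights (Get-PrivilegeRights -InfText $sample) | Format-Table -AutoSize
# Live machine, only the findings:  Get-RightsReport -Rights (Get-PrivilegeRights) | Where-Object Review
```

Run it across a sample of servers and workstations and compare against the GPO that is supposed to set these rights; a machine that disagrees either sits outside the GPO's scope (the LSDOU question again) or has had the privilege granted locally.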

Page 44: Securing Windows with Group Policy

Impersonate A Client Privilege

• Lets a process take on the access token of a user who has authenticated to it

– Basically, impersonate another user’s token from a running process

• Used legitimately by network services (IIS, SQL Server, RPC servers) to act on behalf of their clients

• Token stealing

– A compromised service account holding this privilege can capture the tokens of users who connect and reuse them for network authentication, which is why the service accounts on shared hosts matter

Page 45: Securing Windows with Group Policy

Debug Programs Privilege

• Grants read/write access to the memory of any process, regardless of its ACL, including LSASS

• Malware uses it for:

– A new thread injected into any process

– Passwords, hashes, encryption keys and other data read straight out of LSASS memory, without needing a DLL injection

• Pass-The-Hash Attacks

– With Debug Programs, malware can:

• Extract password hashes of local accounts

• Extract password hashes of interactive users with AD accounts

• Plus others, and then present the hash in place of the password to authenticate to other machines

Page 46: Securing Windows with Group Policy

Disable IPv6 – Until You Need It

• Why Disable IPv6?

– We want to shrink our attack surface

• Why Not Disable IPv6?

– Microsoft DirectAccess requires it (kind of)

– Microsoft treats IPv6 as a mandatory part of Windows, doesn’t test their patches on systems with IPv6 disabled, and recommends preferring IPv4 over IPv6 (DisabledComponents = 0x20) rather than turning it off

Page 47: Securing Windows with Group Policy

JUST REMEMBER

Group Policy is basically a large enterprise scale registry editor!

Page 48: Securing Windows with Group Policy

Contact Info

• Name: Josh Rickard

• E-Mail: [email protected]

• Blog: http://MSAdministrator.com

• Twitter: @MS_dministrator