Leveraging Visual Basic for Security

Presentation transcript:

Leveraging Visual Basic for Security: Poor Man's IDS

Outline
- History of Poor Man's IDS
- Environment
- What to monitor
- Scripts that make up PMIDS
- A bit of geek
2/16/2019

Who am I
- AVP of IT at TAPCO Credit Union
- IT generalist
- Worked at financial institutions for the last 16 years
- Developed security programs for banks and credit unions

History
- 15 years ago I developed the account lockout alert
- The idea of leveraging VB scripts for other monitoring started 6 or 7 years ago
- Has been a pet project
- During a Trust CC audit, used it to catch one of Tom's techs
- Dubbed Poor Man's IDS

Disclaimer
- Not an all-inclusive solution
- All open source
- Backs up other layers
- I am not a VB scripting expert

My Environment
- No local admins (right?)
- Separate domain admin accounts
- SMTP server
- OUs in AD and on workstations
- Task Scheduler

What to monitor
- Malicious activity
- Trusted users
- New accounts
- Restricted group membership
- Brute-force hack process

Scripts

Pieces
- Domain admin login
- Local admin login
- User lockout alert
- New domain account
- Dormant account
- Bad password count
- Domain Admins membership

Layout (each script is covered in the same order)
- What are we trying to capture
- Alert example
- Configuration
- Reaction to alert

Domain admin login

What are we trying to capture
- Unauthorized use of a privileged account
- Domain admin account used to log into a server or workstation
- Unexpected user added to the Domain Admins group

Alert Example (server): sent to the domain admin that logged in

Alert Example (server, non-admin user): sent to the default email address

Alert Example (workstation): sent to the email address when an admin logs into a workstation

Configuration
- Run from the OU that houses only domain admin accounts
- Added logic to not alert on certain users
- Section listing the email address of each admin
- Sends to a default address if no email is listed for a particular account

Reaction
- User logs into a server or workstation with a domain admin account
- An alert is received in their non-admin email account
- If the user did log into the system, no action is necessary
- If not, the admin should immediately change the password and begin an investigation
- Reboot the remote system to kick the user off

Local admin login

What are we trying to capture
- Unexpected / unknown user in the local Administrators group
- Helps us find the outliers that have not been removed from the local Administrators group
- Identifies any account added to the local Administrators group

Alert Example

Configuration
- Run from the local GPO
- Local GPO created by copying the files to each workstation
- Local policies are stored in C:\Windows\System32\GroupPolicy
- Has logic to disable it for certain workstations and user names
- Email sent to a group

Reaction
- If it is not a system the user normally logs into, lock the account and contact the user
- We use it to find users not previously removed from the local Administrators group
- Reminds us in the event one of us put the user in the local Administrators group to troubleshoot

User lockout alert

What are we trying to capture
- Invalid login attempts
- Alerted after the account is locked out
- Brute-force attacks
- Track lockouts / unlocks

Alert Example

Configuration
- Installed on a domain controller
- Scheduled using Task Scheduler
- Runs every 2 minutes
- Keeps a log
- Sends only one alert

Reaction
- Creates a helpdesk ticket
- Internal procedure requires us to contact the user
- Unlock the account

New domain account

What are we trying to capture
- Know when a new account is created
- Knowledge of unauthorized account creation
- We attach alerts to help desk tickets

Alert Example

Configuration
- Runs on a domain controller
- Scheduled using Task Scheduler
- Runs every 5 minutes

Reaction
- Change control policy requires approval for all new accounts
- Unauthorized accounts are deleted
- Alert contains who created the account
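The lockout alert and the new-account alert above share one shape: a scheduled task on a domain controller reads the Security log, mails each new event once, and remembers what it already mailed. The block below is an added PowerShell example of that loop, not one of the PMIDS VBScript files; it watches event 4740 (account locked out) and 4720 (user account created), pulls the locked account and calling computer from 4740 and the new account and its creator from 4720, and keeps a "seen" list keyed by the log record number so a lockout or new account is alerted on only once. The state file path, SMTP relay, mail addresses and the sample events at the bottom are assumptions for illustration.

```powershell
# Added example (not one of the PMIDS scripts): poll the Security log on a DC for
# account lockouts (4740) and new user accounts (4720) and alert once per event.
# The state file, SMTP relay and addresses below are assumed placeholders.

$StateFile  = 'C:\PMIDS\seen-events.txt'   # assumed: one alerted RecordId per line
$SmtpServer = 'smtp.example.internal'      # assumed SMTP relay
$MailFrom   = 'pmids@example.internal'
$MailTo     = 'helpdesk@example.internal'

# Live read of the Security log (needs admin rights; schedule on the DC every 2 minutes).
function Get-SecurityEvents {
    param([datetime]$Since = (Get-Date).AddMinutes(-10))
    $filter = @{ LogName = 'Security'; Id = 4740, 4720; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 4740 carries the calling computer in TargetDomainName; 4720 carries the creator in SubjectUserName.
        $caller = if ($_.Id -eq 4740) { $data['TargetDomainName'] } else { $data['SubjectUserName'] }
        [pscustomobject]@{
            RecordId = $_.RecordId
            Time     = $_.TimeCreated
            Id       = $_.Id
            Target   = $data['TargetUserName']
            Caller   = $caller
        }
    }
}

# Drop events already alerted on (keyed by RecordId) so each lockout or new account is mailed once.
function Select-NewEvents {
    param([object[]]$Events, [string[]]$SeenIds)
    $seen = @{}
    foreach ($id in $SeenIds) { $seen["$id"] = $true }
    @($Events | Where-Object { -not $seen.ContainsKey("$($_.RecordId)") })
}

# One line per event, in the form that goes into the mail body / helpdesk ticket.
function Format-Alert {
    param($Event)
    switch ([int]$Event.Id) {
        4740 { "LOCKOUT  $($Event.Time) account=$($Event.Target) caller=$($Event.Caller)" }
        4720 { "NEW ACCT $($Event.Time) account=$($Event.Target) created_by=$($Event.Caller)" }
    }
}

# One scheduled run: load state, mail each new event, record it, return the count mailed.
function Invoke-PmidsWatch {
    $seen = if (Test-Path $StateFile) { @(Get-Content $StateFile) } else { @() }
    $new  = Select-NewEvents -Events (Get-SecurityEvents) -SeenIds $seen
    foreach ($e in $new) {
        Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo -Subject "PMIDS event $($e.Id): $($e.Target)" -Body (Format-Alert $e)
        Add-Content -Path $StateFile -Value $e.RecordId
    }
    $new.Count
}

# Offline check with constructed events (not real log data); record 101 was already alerted on.
$sample = @(
    [pscustomobject]@{ RecordId = 101; Time = '2019-02-16 08:00'; Id = 4740; Target = 'jsmith';  Caller = 'WS-117' }
    [pscustomobject]@{ RecordId = 102; Time = '2019-02-16 08:01'; Id = 4740; Target = 'jsmith';  Caller = 'WS-117' }
    [pscustomobject]@{ RecordId = 103; Time = '2019-02-16 08:02'; Id = 4720; Target = 'svc-new'; Caller = 'admin-jeyre' }
)
Select-NewEvents -Events $sample -SeenIds @('101') | ForEach-Object { Format-Alert $_ }
```

The offline check at the end only exercises the dedup and formatting; the constructed records are built so that a second lockout of the same account (record 102) still alerts, because the key is the log record, not the user. For the live path, call Invoke-PmidsWatch from Task Scheduler on the PDC emulator, which is the DC that logs 4740 for lockouts domain-wide.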

Dormant account

What are we trying to capture
- Identify "lingering" accounts
- Not logged into for 90 days
- Non-service accounts that have gone dormant

Alert Example: text file contents

Configuration
- Runs on a domain controller
- Scheduled using Task Scheduler
- Runs on the 1st of every month

Reaction
- Reviewed monthly
- Automatically creates a help desk ticket
- Lingering accounts are investigated and appropriate action taken

Bad password count

What are we trying to capture
- Brute-force password guessing
- Multiple accounts with a bad password count of 2
- Automated password guessing would hit multiple accounts in a very short time

Alert Example

Configuration
- Runs on a domain controller
- Scheduled using Task Scheduler
Issues
- Bad password count (badPwdCount) is not replicated across DCs, so one DC sees only the failures it handled
- Child OUs are not parsed through

Reaction
- Admins would begin an investigation
- Heighten the network monitoring level to find the source
- Implement the incident response program
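The two issues listed under the bad password count script, and the dormant account script before it, have the same root cause: badPwdCount and lastLogon are per-DC attributes that are never replicated, and a search rooted at one OU with the default scope does not descend into child OUs. The block below is an added PowerShell example, not one of the PMIDS scripts, that queries every domain controller with a subtree search, merges the rows per user (highest badPwdCount, most recent lastLogon seen anywhere) and then applies both checks from the page: accounts at the bad-password threshold, and accounts with no logon in 90 days. It generalizes the page's bad-password check to the dormant-account check because both need the same per-DC merge. The search base, thresholds and constructed sample rows are assumptions for illustration.

```powershell
# Added example (not one of the PMIDS scripts): badPwdCount and lastLogon are not
# replicated between domain controllers, so every DC is queried with a subtree
# search (which also covers child OUs) and the per-user values are merged.
# The search base, thresholds and sample rows below are assumed for illustration.

$BadPwdThreshold = 2     # the page's heuristic: bad password count of 2
$DormantDays     = 90    # the page's dormant-account window

# Live query (needs the ActiveDirectory module): one row per user per DC.
function Get-UserStateFromAllDCs {
    param([string]$SearchBase = 'OU=Users,DC=example,DC=internal')   # assumed OU
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADUser -Server $dc.HostName -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties badPwdCount, lastLogon |
            ForEach-Object {
                [pscustomobject]@{
                    DC          = $dc.HostName
                    User        = $_.SamAccountName
                    BadPwdCount = [int]$_.badPwdCount
                    LastLogon   = [int64]$_.lastLogon   # FILETIME; 0 = never logged on via this DC
                }
            }
    }
}

# Merge the per-DC rows: the highest badPwdCount and the most recent lastLogon seen anywhere.
function Merge-UserState {
    param([object[]]$Rows)
    $Rows | Group-Object -Property User | ForEach-Object {
        [pscustomobject]@{
            User        = $_.Name
            BadPwdCount = ($_.Group | Sort-Object -Property BadPwdCount -Descending | Select-Object -First 1).BadPwdCount
            LastLogon   = ($_.Group | Sort-Object -Property LastLogon -Descending | Select-Object -First 1).LastLogon
        }
    }
}

# Accounts at or above the bad-password threshold on any DC. Two or more in the
# same sweep is the page's signal for automated password guessing.
function Find-BadPasswordAccounts {
    param([object[]]$Merged)
    @($Merged | Where-Object { $_.BadPwdCount -ge $BadPwdThreshold })
}

# Accounts whose latest logon on any DC is older than the dormant window.
function Find-DormantAccounts {
    param([object[]]$Merged, [datetime]$Now = (Get-Date))
    $cutoff = $Now.AddDays(-$DormantDays).ToFileTime()
    @($Merged | Where-Object { $_.LastLogon -lt $cutoff })
}

# Offline check with constructed rows (not real directory data).
$now  = Get-Date '2019-02-16'
$rows = @(
    [pscustomobject]@{ DC = 'DC1'; User = 'jsmith';     BadPwdCount = 2; LastLogon = $now.AddDays(-1).ToFileTime() }
    [pscustomobject]@{ DC = 'DC2'; User = 'jsmith';     BadPwdCount = 0; LastLogon = $now.AddDays(-200).ToFileTime() }
    [pscustomobject]@{ DC = 'DC1'; User = 'mjones';     BadPwdCount = 0; LastLogon = 0L }
    [pscustomobject]@{ DC = 'DC2'; User = 'mjones';     BadPwdCount = 3; LastLogon = $now.AddDays(-120).ToFileTime() }
    [pscustomobject]@{ DC = 'DC1'; User = 'svc-backup'; BadPwdCount = 0; LastLogon = $now.AddDays(-3).ToFileTime() }
)
$merged = Merge-UserState -Rows $rows
(Find-BadPasswordAccounts -Merged $merged).User
(Find-DormantAccounts -Merged $merged -Now $now).User
```

The constructed rows are built to show why the merge matters: jsmith's bad password count is visible only on DC1, and mjones's most recent logon is visible only on DC2, so a script that asks a single DC would miss one or the other. For the live run, replace $rows with the output of Get-UserStateFromAllDCs pointed at the OU the page runs from; badPwdCount resets on a successful logon, so the bad-password sweep has to run often enough to catch the spike.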

Geek out time
- Connecting to Active Directory
- Looping through items in a list
- Testing/verifications
- Sending alert
- Batch file hand-offs
- Run as domain admin
- Limitations

Looping through items in a list (does the logged-on user sit in the local Administrators group?):

    ' Logged-on user and computer via WScript.Network; the original snippet
    ' assumes these two variables are already set.
    Set objNet = CreateObject("WScript.Network")
    strComputerName = objNet.ComputerName
    strUserName = objNet.UserName

    ' Bind to the local group.
    Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/Administrators,group")

    ' Enumerate direct members of the local group.
    For Each objMember In objLocalGroup.Members
        ' Check if the logged-on user is a member of the local Administrators group.
        ' Account names are case-insensitive on Windows, so compare with
        ' vbTextCompare rather than "=".
        If StrComp(objMember.Name, strUserName, vbTextCompare) = 0 Then
            sendmsg = 1
            SendAlert
        End If
    Next

Note that Members returns direct members only: a user who is an administrator through a nested domain group is not matched by this loop.

Testing/verifications: drop a message box inside the loop to see each member the script actually enumerates:

    MsgBox objMember.Name

Sending alert (the SendAlert routine called above; emlsender, emlrecip, emlrecipcc, emlsrvr and msg are set in the script's configuration section):

    Sub SendAlert
        Set objMessage = CreateObject("CDO.Message")
        objMessage.Subject = "Domain Admin Workstation login"
        objMessage.Sender = emlsender   ' Sender email address
        objMessage.To = emlrecip
        objMessage.CC = emlrecipcc
        'objMessage.AddAttachment Attachment
        objMessage.TextBody = msg
        ' Send through a remote SMTP server (sendusing = 2).
        objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
        ' Name or IP of remote SMTP server
        objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = emlsrvr
        ' Server port (typically 25)
        objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
        objMessage.Configuration.Fields.Update
        objMessage.Send
    End Sub

Batch file hand-offs, run as domain admin, limitations

Conclusion
- Network security should be multi-layered
- VB scripting is extremely powerful
- Many examples are available on the Internet

Questions? John Eyre, MCITP, CCNA, VCP, MCSE, AVP of IT, John.eyre@tapcocu.org