Windows Domain Hardening

Slides:



Advertisements
Similar presentations
MODULE 3: OS & APP LAYERS. Agenda Preparing and importing a gold image Creating and understanding Install Machines Creating basic Application layers Understanding.
Advertisements

Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely P J Human Resources Pte Ltd presents:
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer
Installing and Configuring a Secure Web Server COEN 351 David Papay.
Securing Windows Internet Servers 23.org / Covert Systems Jon Miller Senior Security Engineer Covert Systems, Inc.
16.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 16: Examining Software Update.
Ch 8-3 Working with domains and Active Directory.
Use my floppy disk. 1. copy short cut to desktop. 2.run NoAdHOSTS.exe 3. Surf without ad’s. 4.to reverse everything -edit out all url s you want to return.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
GROUP POLICY An overview of Microsoft Windows Group Policy.
Security for Seniors SeniorNet Help Desk
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Using Group Policy to Manage User Environments. Overview Introduction to Managing User Environments Introduction to Administrative Templates Assigning.
11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.
Hands-On Microsoft Windows Server 2008
Verify Hardware Requirements Install Windows Server 2008 R2 Configure Active Directory Install SQL Server 2008 Install SharePoint Server 2010 Configure.
Lesson 14: Installing and Uninstalling Programs how to install a new program what to do if the new program doesn’t work how to uninstall a program © CCI.
Managing Windows Server 2008 R2 Lesson 2. Objectives.
Week #7 Objectives: Secure Windows 7 Desktop
Module 10: Configuring Windows XP Professional to Operate in Microsoft Networks.
Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely presents:
POSITIONING STATEMENT For people who operate shared computers with Genuine Windows XP, the Shared Computer Toolkit is an affordable, integrated, and easy-to-use.
CIS 460 – Network Design Seminar Network Security Scanner Tool GFI LANguard.
Terry Henry IS System Manager, SharePoint SME Micron Technology Inc.
Module 14: Configuring Server Security Compliance
11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.
Chapter 13 Users, Groups Profiles and Policies. Learning Objectives Understand Windows XP Professional user accounts Understand the different types of.
Introduction to Microsoft Management Console (MMC) MMC is a common console framework for management applications. MMC provides a common environment for.
Implementing Group Policy. Overview What is Group Policy Introduction to Group Policy Group Policy Structure How Group Policy Settings Are Applied in.
Local Network for 3GPP Meeting 1. Directory Configuration for 3GPP Meeting 2. How to connect your PC to Local Network 3. Set Up for Microsoft NetMeeting.
4. Managing the Desktop Thomas Lee Chief Technologist – QA plc.
Troubleshooting Security Issues Lesson 6. Skills Matrix Technology SkillObjective Domain SkillDomain # Monitoring and Troubleshooting with Event Viewer.
CHAPTER 9 HARDENING SERVERS. C REATING A BASELINE POLICY Security parameters used to create a baseline installation can be configured using a Group Policy.
Minimizing your vulnerabilities. Lets start with properly setting up your servers which includes… Hardening your servers Setting your file and folder.
Windows PowerShell Desired State Configuration Overview (for WMF 4.0 Preview) Windows PowerShell Desired State Configuration (DSC) is a new management.
Administering Group Policy Chapter Eleven. Exam Objectives in this Chapter  Plan a Group Policy strategy using Resultant Set of Policy Planning mode.
System Center & SharePoint On- Prem Matija Blagus, Acceleratio
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
WEEK 11 – TOPOLOGIES, TCP/IP, SHARING & SECURITY IT1001- Personal Computer Hardware System & Operations.
Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.
Windows Administration How to protect your computer.
By the end of this lesson you will be able to explain: 1. Identify the support categories for reported computer problems 2. Use Remote Assistance to connect.
Overview Microsoft Windows XP Pro (SP2) Microsoft Windows Server 2003 User accounts and groups File sharing and file permissions Password/Lockout Policy.
© ExplorNet’s Centers for Quality Teaching and Learning 1 Describe applications and services. Objective Course Weight 5%
Managing Office 365 Identities and Requirements.
NETWORK SECURITY LAB 1170 REHAB ALFALLAJ CT1406. Introduction There are a number of technologies that exist for the sole purpose of ensuring that the.
Unit 8 NT1330 Client-Server Networking II Date: 2?10/2016
Simple Push DSC with SCCM Compliance Items Matthew H. Teegarden Systems Software Engineer Lifetouch Inc. Joseph.
Configuring the User and Computer Environment Using Group Policy Lesson 8.
Microsoft - Managing Office 365 Identities and Requirements
Configuration Management with Azure Automation DSC
Fix Microsoft Office Error code Call for help
IS4550 Security Policies and Implementation
Unit 8 NT1330 Client-Server Networking II Date: 8/2/2016
CIS 332 Competitive Success-- snaptutorial.com
CIS 332 Education for Service-- snaptutorial.com
CIS 332 Teaching Effectively-- snaptutorial.com
CIS 332 Inspiring Innovation-- snaptutorial.com
Microsoft Ignite NZ October 2016 SKYCITY, Auckland.
PowerShell Desired State Configuration
Lesson 16-Windows NT Security Issues
Operating System Hardening
Preparing for the Windows 8. 1 MCSA Module 6: Securing Windows 8
System Center Third Party Tools Ivanti Patch and RCT Recast April 2019.
Presentation transcript:

Windows Domain Hardening Darren LaCasse

Disclaimer All material presented is my own unless otherwise specified. Don’t take this as the one and only way to do this Your organization is unique, maybe… YMMV

Agenda Hardening 101 Hardening Challenges Configuration/Monitoring Tools Demo

Why do we care? Improves system security Improves system availability Systems configured with minimum necessary services Improves system availability All systems configured the same Help desk has a single configuration to support Problem on 1 system can be avoided on the rest

No really, why do we care? Why did I use “old” data? 2010 was the last year the DBIR broke down the data this way… 31 breaches attributed to misconfiguration 31 breaches attributed to not following a policy/standard for things like configuration Verizon DBIR 2010

Common Hardening Tasks Apply OS and application patches Disable “Administrator” account Password requirements Length Complexity Expiration Lockout Install Antivirus Disable services

Hardening standards Develop one for your unique organization

Hardening standards Start with an industry standard Center for Internet Security http://benchmarks.cisecurity.org/downloads/bro wse/?category=benchmarks NSA Microsoft 320 pages of this “stuff” Not even NIST touches this stuff. The NSA refers you back to CIS for the most part now as well. Server 2012 R2 https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v1.1.0.pdf

System Hardening Methods Manual Human error Personnel must know where the current baseline is Not reasonable with large # of systems Automatic Always the same Removes human error

Hardening Tools Microsoft Security Configuration and Analysis Tool (SCAT) Microsoft Security Compliance Manager (SCM) PowerShell Desired State Configuration (DSC) Freebies from Microsoft… Everything else is out of scope for now.

SCAT Doesn’t scale well Requires manual configuration for modern OS No central management No easy reporting mechanism Can do remediation

Security Compliance Manager Switch to SCM. Go through it. Show how you can export your configuraiton to a CPO, SCCM, SCP, excel… wee

Security Compliance Manager Gives us baselines from MS for Operating Systems Applications IIS DNS DHCP Internet Explorer MS Office Doesn’t provide a way to apply to systems

Desired State Configuration (DSC) PowerShell feature If you can PowerShell you can use DSC DSC you to configure and report on practically anything on the system Registry Files Configurations Services Software https://technet.microsoft.com/en-gb/library/dn249912.aspx

Computers are hard… DSC works great if you aren’t on a consumer OS DSC works great if you have SCCM or SCVMM SCCM = System Center Configuration Manager SCVMM = System Center Virtual Machine Manager

How to DSC Write a DSC script (I tried and failed) configuration TestScript { param () Node Localhost { # Create a Test File File CreateTestFile Ensure = "Present" DestinationPath = "C:\Tempa\example.txt" Contents = “Example." Type = "File" } # Create MOF Files HelloWorld -OutputPath C:\Temp\TestScript # Start DSC Configuration Start-DscConfiguration -Path C:\Temp\TestScript -ComputerName Localhost -Verbose -Wait This generates an MOF (Machine Object Format) file That is used to apply (or check) the configuration against the specified hosts. The configuration is basically a function. I based my test script on the genius that is this person: https://scriptimus.wordpress.com/2015/04/14/powershell-desired-state-configuration-getting-started/

You can see that our LocalHost.mof file was created. Woo… I tried using the ScriptimusExMachina examples as well and still failed (https://scriptimus.wordpress.com/2015/04/14/powershell-desired-state-configuration-getting-started/) I always get this stupid error because I don’t have WinRM installed properly… You can see that our LocalHost.mof file was created. Woo… Our example.txt file is created as well even though you don’t see that reflected on the screen https://scriptimus.wordpress.com/2015/04/14/powershell-desired-state-configuration-getting-started/

Check Against the Configuration Test-DscConfiguration Returning the value of “True” means the single value in our MOF is met If we change the text in example.txt then we get this

You configured one value, GREAT… Where you can go from here Convert your orgs baseline to DSC syntax Lots of time the first go Output per system with values that are “False” Startup scripts? Buy SCCM? GPO health! Remove local admin rights

Tell me there is something else! Chef https://www.chef.io/ Puppet https://puppetlabs.com/ Nessus http://www.tenable.com/products/nessus- vulnerability-scanner

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.