1
Secure Your Workstations
Mark Godfrey, TekuITS.com, Systems Engineer, MDH
Gary Blok, GaryTown.com, Lead Systems Engineer, MDH
Troy Martin, 1e.com/blogs/author/troymartin, Technical Architect, 1E
2
Mark Godfrey (@Geodesicz) and Gary Blok (@GWBlok)
- 2nd prize in pizza eating contest 1992
- T-Ball Participation Award
- StarCraft 2 2v2 Diamond Bracket
- Unlocked all chars in Mario Kart
- Favorite beer: TinWhiskers FlipSwitch IPA
- Favorite Show: The IT Crowd
3
Troy Martin (@TroyMartinNet)
- 3rd highest score in DeVry (in '92)
- NY Yankees 24/7/365!!
- I'm diabetic, so Ice Cream it is!!
4
Why is Workstation Security Important?
Why should I care?
5
Technical: Point of Entry, Attack Surface Size, Usage, Mobility
- Point of Entry / Attack Surface Size
  - # of Servers/Network Hardware vs # of Workstations
  - More software = More vulnerabilities
- Usage
  - End users click things: links in e-mails, remote requests, macro requests in randomly downloaded documents, dancing animal pictures with embedded malware
  - End users browse the web
  - Humans make mistakes
- Mobility
  - How many people leave their servers or switches on the bus or at a hotel?
- Operational
  - More Secure = Less Issues = Less Time Spent Dealing with Issues
6
Non-Technical: Financial, Ethical, Personal, Regulatory
- Financial: Lawsuits; Loss of Business due to Loss of Trust; Other
- Ethical: Responsibility to Protect People's Data; Responsibility to Protect Your Organization; Responsibility to Do Your Job Well
- Personal: Pride in Your Work; Employability Aftermath
- Regulatory: HIPAA, SOX, FERPA
7
Changing Face of Workstation Security
Get Your Head Out of Your Past: "But, I Have Antivirus"
Now:
- Vulnerability Management
- Least Privilege
- Security Software
- Application Whitelisting
- Firmware
- Firewall
- Encryption
- Social Engineering
- More
8
Firmware
Security is like a pyramid: build it from the bottom up with a large, strong base.
- Requirements and Prerequisites: UEFI, Secure Boot, BitLocker, More
- Manage Your Firmware Upgrades
- See the "Leveraging Vendor Tools" session for BIOS update and settings management
9
Secure Boot Process
[Diagram: chipset running the UEFI firmware; GUID Partition Table (GPT) disk with an EFI System Partition and a Windows Partition; boot chain UEFI Boot Manager -> Windows Boot Manager -> Windows Boot Loader -> Windows Kernel]
- Firmware stores list of trusted signatures
- Firmware checks Windows Boot Manager and Windows Boot Loader are signed with trusted certificate before executing
- Windows Boot Loader only loads kernel signed with trusted certificate
Speaker notes: The device manufacturer hard-codes a list of trusted signing certificates in the firmware. This list is signed by the manufacturer and can only be updated by the manufacturer through firmware updates. UEFI uses a specific disk configuration, the GUID Partition Table, that provides a lot more flexibility during boot-up than the Master Boot Record disk configuration required by legacy BIOS. When the Windows device is started, the UEFI boot manager loads the Windows Boot Manager from the EFI System Partition (ESP). With Secure Boot enabled, the Windows Boot Manager can only be loaded if it is signed with a trusted signing certificate. The Windows Boot Manager then loads the Windows Boot Loader from the Windows Partition, which again is only loaded if it is signed with a trusted certificate. Finally, the Windows Boot Loader loads the Windows Kernel, which again must be signed with a trusted certificate.
10
Encryption BitLocker it up!
11
XTS-AES: New Encryption Algorithm as of Win10 1511*
- Provides protection against additional types of attacks
- FIPS-compliant
- Only use for fixed and OS drives
- Only use on removable drives if you don't need to use them on other OSes
- Update MBAM before implementing to ensure you have support for this
- 128 vs 256 bit
12
Set in Group Policy
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption: Choose Drive Encryption Method and Cipher Strength (Windows 10 [Version 1511] and later)
Select the algorithm for each drive type
13
Enable XTS-AES in OSD
Should already have steps to Activate TPM
- Disable Pre-Provision BitLocker Steps
- Stop MBAM Service (if using MBAM)
- Partition Drive for BitLocker (MDT Step using ZTIBDE.wsf)
- Add 5 policy settings to the registry under HKLM:\Software\Policies\Microsoft\FVE:
  "EncryptionMethodWithXtsOs"=dword:
  "EncryptionMethodWithXtsFdv"=dword:
  "EncryptionMethodWithXtsRdv"=dword:
  "OSEncryptionType"=dword:
  "EncryptionMethod"=dword:
- Additional Settings Required if Using MBAM: HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement
- Start MBAM Service (if using MBAM)
- Enable BitLocker
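One way to script the five FVE policy values for a task sequence and read the cipher back once encryption has started, as an added example that is not the presenters' code. It assumes the documented BitLocker policy values (6 = XTS-AES 128, 7 = XTS-AES 256, 3 = AES-CBC 128, 4 = AES-CBC 256; OSEncryptionType 1 = full disk, 2 = used space only) and that the MBAM client service is named MBAMAgent.

```powershell
# Added example, not from the presentation. Assumed value meanings (from the
# BitLocker policy ADMX): 6 = XTS-AES 128, 7 = XTS-AES 256, 3 = AES-CBC 128,
# 4 = AES-CBC 256; OSEncryptionType 1 = full disk, 2 = used space only.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-XtsAesPolicy {
    param(
        [ValidateSet(6, 7)] [int] $XtsMethod        = 7,   # OS and fixed drives: XTS-AES 256
        [ValidateSet(3, 4)] [int] $LegacyMethod     = 4,   # removable drives / older readers stay AES-CBC
        [ValidateSet(1, 2)] [int] $OsEncryptionType = 1
    )
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }

    $values = [ordered]@{
        EncryptionMethodWithXtsOs  = $XtsMethod
        EncryptionMethodWithXtsFdv = $XtsMethod
        EncryptionMethodWithXtsRdv = $LegacyMethod  # keep removable drives readable on other OSes
        OSEncryptionType           = $OsEncryptionType
        EncryptionMethod           = $LegacyMethod  # legacy value read by pre-1511 clients / MBAM
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $FvePolicy -Name $name -PropertyType DWord `
            -Value $values[$name] -Force | Out-Null
    }
    return $values
}

function Test-XtsAes256 {
    # Read the cipher back after Enable-BitLocker / ZTIBDE.wsf has run; the
    # EncryptionMethod property is an enum, so compare its name.
    param([string] $MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        EncryptionMethod = $vol.EncryptionMethod.ToString()
        ProtectionStatus = $vol.ProtectionStatus.ToString()
        IsXtsAes256      = ($vol.EncryptionMethod.ToString() -eq 'XtsAes256')
    }
}

# Task-sequence order from the slide (MBAM service name assumed to be MBAMAgent):
# Stop-Service MBAMAgent    (if using MBAM)
# Set-XtsAesPolicy
# Start-Service MBAMAgent   (if using MBAM)
# Enable BitLocker (ZTIBDE.wsf or Enable-BitLocker), then Test-XtsAes256
```

If `Test-XtsAes256` reports `Aes256` or `Aes128` rather than `XtsAes256`, the values were written after the pre-provision step already encrypted the volume, which is why the slide disables pre-provisioning before setting the policy.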
14
Credential Guard No hash for you!
15
What is Credential Guard?
- Partial Implementation of Device Guard*
- Credentials Run in Protected, Virtual Environment
- Environment Isolated from the OS
- Protects NTLM password hashes, Kerberos Ticket Granting Tickets, and Application-stored creds
- Contrary to prior belief, does NOT require Hyper-V* feature to be enabled
- Protects Credential Hashes: Prevents Reverse Password Hash Lookups and Pass-the-Hash Attacks, Others
- Requirements: secure/requirements-and-deployment-planning-guidelines-for-device-guard
  Virtualization extensions in BIOS, TPM, UEFI, Secure Boot
16
Set in Group Policy Computer Configuration -> Policies -> Administrative Templates -> System -> Device Guard: Turn On Virtualization Based Security
17
Remote Protection
Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation: Remote host allows delegation of non-exportable credentials: Enabled
Might have issues if your DNS sucks
us/itpro/windows/keep-secure/remote-credential-guard
Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation: Restrict delegation of credentials to remote servers: Enabled – Require Remote Credential Guard
18
Enable Credential Guard – OSD TS
Set 3 Registry Settings for Virtualization-Based Security and Credential Guard (3 Run Command Line steps):
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V EnableVirtualizationBasedSecurity /T REG_DWORD /D 1 /F
  (VBS on)
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V RequirePlatformSecurityFeatures /T REG_DWORD /D 3 /F
  (Level – Secure Boot with DMA)
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /V LsaCfgFlags /T REG_DWORD /D 1 /F
  (Enable Credential Guard with UEFI Lock)
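The same three values applied from PowerShell, followed by the prerequisite checks from the earlier Secure Boot and requirements slides and the state check behind the "Enable and Verify Credential Guard" demo. This is an added example, not the presenters' task sequence; the Win32_DeviceGuard code meanings it relies on (SecurityServicesRunning 1 = Credential Guard, 2 = HVCI; VirtualizationBasedSecurityStatus 0 = off, 1 = enabled but not running, 2 = running; RequiredSecurityProperties 2 = Secure Boot, 3 = DMA protection) are taken from the class documentation as this example understands it.

```powershell
# Added example, not from the presentation. Code meanings below are assumptions
# from the Win32_DeviceGuard class documentation.
function Set-CredentialGuardRegistry {
    $dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $dg  -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null  # VBS on
    New-ItemProperty -Path $dg  -Name RequirePlatformSecurityFeatures   -PropertyType DWord -Value 3 -Force | Out-Null  # Secure Boot + DMA
    New-ItemProperty -Path $lsa -Name LsaCfgFlags                       -PropertyType DWord -Value 1 -Force | Out-Null  # CG with UEFI lock
}

function Test-CredentialGuardPrerequisites {
    # UEFI + Secure Boot + TPM are the platform prerequisites listed on the slides
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS
    $tpm = Get-Tpm
    [pscustomobject]@{
        Uefi       = ($env:firmware_type -eq 'UEFI')
        SecureBoot = $secureBoot
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
    }
}

function Get-CredentialGuardState {
    # Configured != running: the registry values only take effect after a reboot,
    # so verify against what VBS reports, not against the registry.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled not running, 2 running
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        SecureBootRequired        = ($dg.RequiredSecurityProperties -contains 2)
        DmaProtectionRequired     = ($dg.RequiredSecurityProperties -contains 3)
    }
}

# Typical use: check prerequisites, set the values, reboot, then confirm CredentialGuardRunning is $true
Test-CredentialGuardPrerequisites
Set-CredentialGuardRegistry
# Restart-Computer ; Get-CredentialGuardState
```

A machine that shows `CredentialGuardConfigured = True` but `CredentialGuardRunning = False` after the reboot is the case to chase down: usually virtualization extensions are off in firmware or one of the RequiredSecurityProperties (Secure Boot, DMA protection) is not satisfied by the hardware.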
19
BitLocker XTS-AES 256 & Enable and Verify Credential Guard
20
AppLocker Application Whitelisting Part 1
21
What is AppLocker? Application Whitelisting at the Application Level
- Relies on Application Identity Service
- Not a fool-proof security measure
- Use in conjunction with Device Guard for fine tuning
- Set of rules controlled via group policy to determine what can or cannot run
- Can control EXEs, DLLs, MSIs, Scripts, and AppX Packages
- Enterprise and Education SKUs only
22
AppLocker – Initial Items to Configure
- Set Application Identity Service to Automatic Start via Group Policy
- Set Log Sizes in Registry via Group Policy Preferences (Reg_DWORD MaxSize =) under:
  HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/EXE and DLL
  HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/MSI and Script
  HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/Packaged app-Deployment
  HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/Packaged app-Execution
23
Create Initial AppLocker Policy
24
AppLocker Log Collection & Rule Creation
- Use Audit Logs to Generate Rules for Policy; No "One Size Fits All" Method
- Collection Script to Deploy as CM Package
  - 2 parameters: string for log storage UNC path & Boolean for Clear After Collect
  - Set Program to Run from DP to Ensure Machine Has Network Access to Log Collection Path at Time Script Runs
- Create AppLocker Rules from Logs
  - Allow vs Deny Rules
  - Scope to User or Group
  - Rule Condition Types – Publisher, Path, File Hash
  - Exceptions
  - AppX Rules
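An added example covering the two pieces described on the previous two slides: the log-size setting from the "initial items" slide and a collection script with the UNC-path and clear-after-collect parameters. It is not the presenters' script. The channel names are the ones on the slide; the 64 MB size, the share path and the audit event IDs (8003, 8006, 8021, 8024, which this example takes to be the "audited, would have been blocked" events for EXE/DLL, MSI/script, packaged-app execution and packaged-app deployment) are this example's assumptions.

```powershell
# Added example, not from the presentation. Event IDs and the log size are assumptions.
$AppLockerChannels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)

function Set-AppLockerLogSize {
    # The channel key names contain "/", which the HKLM: provider treats as a path
    # separator, so write them through the .NET registry API instead.
    param([int] $MaxSizeBytes = 64MB)   # size is this example's choice
    foreach ($channel in $AppLockerChannels) {
        $sub = "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\$channel"
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($sub)
        $key.SetValue('MaxSize', $MaxSizeBytes, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

function Export-AppLockerAuditLogs {
    param(
        [Parameter(Mandatory)] [string] $LogStoragePath,   # UNC share, e.g. \\fileserver\AppLockerLogs (placeholder)
        [bool] $ClearAfterCollect = $false
    )
    $auditIds = 8003, 8006, 8021, 8024          # "would have been blocked" events: the input for new rules
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target   = Join-Path $LogStoragePath $env:COMPUTERNAME
    if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target -Force | Out-Null }

    $rows = foreach ($channel in $AppLockerChannels) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = $auditIds } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Time     = $e.TimeCreated
                Channel  = $channel
                Id       = $e.Id
                UserSid  = $e.UserId
                Summary  = ($e.Message -split "`r?`n")[0]   # first line names the file and the decision
            }
        }
        # Keep the raw .evtx as well: the AppLocker snap-in can build publisher/hash rules from it
        $evtx = Join-Path $target ("{0}-{1}.evtx" -f ($channel.Split('/')[-1] -replace ' ', '_'), $stamp)
        & wevtutil.exe epl "$channel" "$evtx"
        if ($ClearAfterCollect) { & wevtutil.exe cl "$channel" }
    }
    $rows | Export-Csv -Path (Join-Path $target "AppLocker-audit-$stamp.csv") -NoTypeInformation
    return @($rows).Count
}

# CM package program line (share path is a placeholder):
# powershell.exe -ExecutionPolicy Bypass -File .\Collect-AppLocker.ps1 -LogStoragePath \\fileserver\AppLockerLogs -ClearAfterCollect $true
```

The CSV gives a quick per-machine view of what audit mode would have blocked; the .evtx copies are what you import into the AppLocker snap-in to generate publisher or hash rules, which is the "Create AppLocker Rules from Logs" step on the slide.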
25
Creating Rules and Refining AppLocker Policy
26
Move From Audit to Enforce
- Refine Ruleset Until You Feel it is Complete (Dwindling Logs Being Collected)
- Deal with anything on the organizational side in regards to users running unapproved apps which will soon be blocked (let the business or a PM handle this)
- Use 2nd GPO With Duplicate Policy – Keep Changes Consistent – Enforce Instead of Audit
- Scope GPO with Security Filtering to Deployment AD Group; Add Machines to AD Group as You Roll Out
  - Could also do this by OU if you prefer that method
- Roll out will vary based on size and structure of organization; One Business Unit at a Time
27
Device Guard Application Whitelisting Part 2
28
Before WannaCry… "Sophos didn't publish a definition update until 1825 BST, hours after an outbreak..."
29
…and after
30
Proactive Security is essential…
Bouncer vs Bartender: Device Guard (Code Integrity) expresses a high level of "trust", whereas AppLocker allows for granular rules.
Speaker notes: To understand how Windows 10 can help in achieving the goals, let's draw from some real-world examples of "Proactive Security". This example is not my own idea, as I got it from a session at Ignite. When I first heard it, I thought the analogy was genius!! So shout out to Jeffery Sutherland!! When you look at security at a bar or even a nightclub, they are expected to have protocols and procedures in place to ensure the safety of their patrons. At the same time, they expect their patrons to follow the rules of the establishment. The Bouncers and Bartenders are on the front lines when it comes to enforcing those protocols and procedures.
- Bouncer: Checks I.D. (i.e. 21 or older); Verifies name is on the guest list; Ensures proper attire is being worn
- Bartender: Service will be refused when Patron is inebriated, hassling for free drinks, cutting the line, etc.
- Device Guard is like the Bouncer, i.e. only allows trusted apps to run: Validates that the app is signed by a trusted vendor; Application hashes are used to uniquely identify an app and further determine trust
- AppLocker is like the Bartender, i.e. provides granular control to govern the application exceptions: Grants or Denies users permission to run applications; Controls what folders an application is allowed to run from
31
How Device Guard Works
[Diagram: policy authored in Active Directory, Configuration Manager or Microsoft Intune; Code Integrity policy applied to clients; applications labelled Microsoft, HP Printer Driver, Adobe, Microsoft Word, HP, FileZilla FTP, and an Unsigned App]
- Administrator defines trusted signing certificates in policy
- Policy applied to clients
- Only trusted applications can execute
32
What is Device Guard?
- More than just application whitelisting (Code Integrity)
- UMCI (user-mode) vs KMCI (kernel-mode)
- Uses a defined "code integrity policy" to determine what code can and cannot run
- Uses virtualization-based security to isolate the Code Integrity service from the kernel
- Requirements: secure/requirements-and-deployment-planning-guidelines-for-device-guard
- 10-device-guard-part-1-of-2/
33
Device Guard and Configuration Manager
Keep in Mind: Still a pre-release feature
Requirements:
- Configuration Manager 1702 minimum (or one of the tech previews)
- Consent to use pre-release features and turn on Device Guard feature
- Win 10 Enterprise 1703 minimum
Automatically trust apps installed by a trusted installer (Configuration Manager)
- Not the same as using a signed binary code integrity policy!
- Actually uses AppLocker to identify Managed Installers.
configuration-manager
34
Enable Device Guard
Remember that Credential Guard policy setting? Same one!
- Set Virtualization Based Protection of Code Integrity to "Enabled with UEFI lock"
- Require UEFI Memory Attributes Table: New in 1703, prevents crashes due to incompatibility
35
Set Code Integrity Policy
- Throw that bin file on a share; ensure permissions grant read access to Domain Computers
- Enter the path for the bin file
- Will be copied to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and <EFI System Partition>\Microsoft\Boot
36
Create And Manage Code Integrity Policy
Use PowerShell to create and manage Code Integrity Policies (ConfigCI Module)
- Create a policy xml file from scanning a reference machine
- Review the xml policy file that is generated*
- Merge policy files from multiple machines, scans using different rule types, manually created, etc
- Convert xml file to bin for deploying
- Sign the Code Integrity bin file
- Audit Mode parameter
- Different "Levels" or rule types
  - Not all files work well with the specified level
  - Use the fallback parameter to specify a secondary level
  - After completion, an error log file will indicate files for which rules could not be created based on the specified levels
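The ConfigCI workflow the slide lists, written out as an added example that is not the presenters' code. The scratch folder, file names, the Publisher/Hash level choice, the signing certificate subject and the rule-option numbers (3 = Enabled:Audit Mode, 6 = Enabled:Unsigned System Integrity Policy, as this example understands the Set-RuleOption table) are assumptions.

```powershell
# Added example, not from the presentation. Paths, levels and option numbers are assumptions.
Import-Module ConfigCI
$Work = 'C:\CIPolicy'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Scan the reference machine. Publisher rules keep the rule count small;
#    -Fallback Hash covers files with no usable signature at that level;
#    -UserPEs makes the policy cover user-mode code (UMCI), not just drivers.
New-CIPolicy -FilePath "$Work\Reference.xml" -Level Publisher -Fallback Hash `
    -ScanPath 'C:\' -UserPEs

# 2. Review what the scan produced before trusting it
function Get-CIPolicySummary {
    param([Parameter(Mandatory)] [string] $XmlPath)
    [xml]$p = Get-Content -Path $XmlPath
    [pscustomobject]@{
        Signers   = @($p.SiPolicy.Signers.Signer).Count
        FileRules = @($p.SiPolicy.FileRules.ChildNodes).Count     # Allow/Deny hash and file-name rules
        Options   = @($p.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
    }
}
Get-CIPolicySummary -XmlPath "$Work\Reference.xml"

# 3. Merge scans from other machines / other rule levels into one policy
Merge-CIPolicy -OutputFilePath "$Work\Merged.xml" `
    -PolicyPaths "$Work\Reference.xml", "$Work\Machine2.xml"

# 4. Keep audit mode on until the CodeIntegrity log goes quiet
Set-RuleOption -FilePath "$Work\Merged.xml" -Option 3
# To enforce later:  Set-RuleOption -FilePath "$Work\Merged.xml" -Option 3 -Delete

# 5. Convert to the binary that CM / GPO copies to System32\CodeIntegrity\SIPolicy.p7b
ConvertFrom-CIPolicy -XmlFilePath "$Work\Merged.xml" -BinaryFilePath "$Work\SIPolicy.p7b"

# 6. Signing (certificate subject is a placeholder): add the signer to the policy,
#    remove the "unsigned policy" option, rebuild the binary, then sign it.
# Add-SignerRule -FilePath "$Work\Merged.xml" -CertificatePath "$Work\CISigner.cer" -Kernel -User -Update
# Set-RuleOption -FilePath "$Work\Merged.xml" -Option 6 -Delete
# ConvertFrom-CIPolicy -XmlFilePath "$Work\Merged.xml" -BinaryFilePath "$Work\SIPolicy.p7b"
# signtool.exe sign /v /n "ContosoCISigningCert" /p7 "$Work" /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 "$Work\SIPolicy.p7b"
```

Do the signing step last and only once the policy has been enforced without complaint for a while: a signed policy can only be replaced by another policy signed by the same signer, so a mistake in a signed policy is much harder to back out than one in an unsigned one.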
37
Create And Manage Code Integrity Policy
Policy Rule Options - guard/deploy-code-integrity-policies-policy-rules-and-file-rules
39
Managing Unsigned apps
Why manage unsigned apps or "sign" them?
- Rule #1 – It's always better to "manage" known-good (and "block" unknown-bad)
- Most malware is not digitally signed
- Prevents your apps from accidentally becoming known-bad/untrusted, e.g. avoid business impact
Package Inspector
- Catalogs hash-values of the files
- If Code Integrity policy is being enforced, ensure it is changed to Audit Mode before running
SignTool
- Makes the catalog file (.cat) trusted within the Code Integrity policy
files-to-support-code-integrity-policies
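The Package Inspector and SignTool steps from the slide as an added example, not the presenters' procedure: it records an unsigned line-of-business installer into a catalog, signs the catalog and installs it. The catalog and installer paths and the certificate subject are placeholders; the PackageInspector and signtool switches and the UMCI enforcement-status codes (0 = off, 1 = audit, 2 = enforced) follow the documentation as this example understands it.

```powershell
# Added example, not from the presentation. Paths and the certificate subject are placeholders.
$CatFile   = 'C:\CIPolicy\LOBApp.cat'
$CdfFile   = 'C:\CIPolicy\LOBApp.cdf'
$CatRoot   = 'C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
$Installer = 'C:\Installers\LOBApp-Setup.exe'

function Assert-UmciNotEnforced {
    # Package Inspector cannot record under an enforced policy (slide: switch to Audit Mode first)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2) {   # 0 off, 1 audit, 2 enforced
        throw 'UMCI policy is enforced; switch the policy to Audit Mode before running Package Inspector.'
    }
}

Assert-UmciNotEnforced
& PackageInspector.exe Start C:                                   # 1. record every file written to C:
Start-Process -FilePath $Installer -ArgumentList '/quiet' -Wait   # 2. install (and launch once, if it unpacks more files on first run)
& PackageInspector.exe Stop C: -Name $CatFile -cdfpath $CdfFile   # 3. hash the recorded files into the catalog
& signtool.exe sign /n 'ContosoCISigningCert' /fd sha256 /v $CatFile   # 4. sign with a certificate the CI policy trusts
Copy-Item -Path $CatFile -Destination $CatRoot                    # 5. install into the catalog store
```

The signing certificate has to be one the Code Integrity policy already trusts as a signer (added with Add-SignerRule and deployed), otherwise the signed catalog changes nothing; and the catalog covers exactly the files recorded, so an application update means a new recording and a new catalog, which is the "ongoing maintenance" point made later in the deck.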
40
Sign Code Integrity Policy
Windows Store for Business or Education
41
Audit Logging: Microsoft-Windows-DeviceGuard/Operational
- Policy application, block actions, etc
- Monitor in audit mode to create rules
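A query for the audit-mode events that drive rule creation, as an added example that is not the presenters' code. The per-file block/audit decisions are written to the Microsoft-Windows-CodeIntegrity/Operational channel (the DeviceGuard/Operational channel named on the slide carries the policy-application events); the event IDs used here (3076 = audit mode, would have been blocked; 3077 = blocked under enforcement) and the message wording the regexes rely on are this example's understanding of those events.

```powershell
# Added example, not from the presentation. Event IDs and message patterns are assumptions.
function Get-CodeIntegrityAuditSummary {
    param([int] $Days = 7, [int[]] $Ids = @(3076, 3077))
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = $Ids
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The message names the loading process and the image that failed policy;
        # pull both out of the text rather than depending on EventData field names.
        $proc = if ($e.Message -match 'process \((.+?)\) attempted') { $Matches[1] } else { '' }
        $file = if ($e.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] } else { $e.Message }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Process = $proc; File = $file }
    }

    # One line per image, most frequent first: the top of this list is what needs a rule
    $rows | Group-Object File | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            File     = $_.Name
            Mode     = if ($_.Group[0].Id -eq 3077) { 'Blocked' } else { 'Audit' }
            LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
            Callers  = ($_.Group.Process | Sort-Object -Unique) -join '; '
        }
    }
}

Get-CodeIntegrityAuditSummary -Days 14 | Format-Table -AutoSize
```

Run it on the pilot machines while the merged policy is still in audit mode; when the summary stays empty across a collection window, that is the "dwindling logs" signal the AppLocker slide uses to decide it is time to flip from audit to enforce.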
42
Whitelisting – Ongoing maintenance reqs
- Certificates: New cert; old one expired or mfg just decided to change their cert for other reasons
- New applications: Any new app not satisfying an existing rule will require an update to the ruleset
- Other environment changes
43
Can't figure it out?
If ($AllElse.ExitCode -ne '0') {
    $Consultant = New-Object Microsoft.Systems.Consultant
    $Consultant.Hire()
}
44
Other Items of Note
- Security Compliance Manager (demo if time): Crafting Secure Group Policy Objects
- Application Guard: Built into Edge; Uses VBS to isolate untrusted sites at the hardware layer, protecting the Windows kernel
- Protected Event Logging: Use PKI to encrypt sensitive information in event logs
- LAPS: Provide unique local administrative passwords for your clients using a centrally managed solution