Moving from Reactive to Proactive Security. Sami Laiho Adminize / Intility Senior Technical Fellow, MVP April 28 th New-York City

Size: px

Start display at page:

Download "Moving from Reactive to Proactive Security. Sami Laiho Adminize / Intility Senior Technical Fellow, MVP April 28 th New-York City"

Aubrey Carroll
6 years ago
Views:

1 Moving from Reactive to Proactive Security Sami Laiho Adminize / Intility Senior Technical Fellow, MVP April 28 th New-York City

2 Thanks to our Organizers! Tome Tanasovski PowerShell MVP Blog: Ken Reid Website: Eric Fellen Website: Ben Serebin Exchange Junkie Blog: David Sebban Windows IT Pro MVP Blog: 4/28/2017 New-York City Page 2

3 User Group Communities NYC PowerShell User Group Meetings: Second Monday of the month, 6:00PM, Microsoft NYC Office Web: New York Exchange User Group (NYExUG) Meetings: Second Tuesday of the month, 5:45PM to 9PM, Microsoft NYC Office Web: Devices and Datacenter User Group New York (DDUGNY) Meetings: First Thursday of the month, 6:00PM, Microsoft NYC Office Web: 4/28/2017 New-York City Page 3

4 Event Sponsors 4/28/2017 New-York City Page 4

5 Event User Groups 4/28/2017 New-York City Page 5

Introduction Sami Laiho Senior Technical Fellow adminize.com @samilaiho sami@adminize.

Trophies: TechDays Sweden 2016 Best Speaker NIC 2016, 2017 - Best Speaker Ignite 2015 Best male presenter ;)

6 Introduction Sami Laiho Senior Technical Fellow IT Admin since 1996 MVP in Windows OS since 2011 Specializes in and trains: Troubleshooting Security Trophies: TechDays Sweden 2016 Best Speaker NIC 2016, Best Speaker Ignite 2015 Best male presenter ;) TechEd Europe and North America Best session, Best speaker TechEd Australia Best session, Best speaker 4/28/2017 New-York City Page 6

7 I got Certs

8 2,6 pounds of them

9 4/28/2017 New-York City Page 9

10 4/28/2017 New-York City Page 10

11 4/28/2017 New-York City Page 11

12 4/28/2017 New-York City Page 12

13 4/28/2017 New-York City Page 13

14 SWAG SWAG! 4/28/2017 New-York City Page 14

15 Security in 2017 It is estimated that more than 300,000 new malware variants are discovered daily Microsoft As reactive security measures aims to identify the 200,000 new samples gathered every single day in 2014 Pandalabs All major Anti-Malware companies have said that their products can t protect your devices in Proactive security is the only way to go! One of the biggest missing parts of security in enterprises is the lack of SIMPLE enough instructions 4/28/2017 New-York City Page 15

16 Human factor and physical security 4/28/2017 New-York City Page 16

17 Physical Security? 4/28/2017 New-York City Page 17

18 If you can t do it all here s the order #0 Biometrics #1 Hard Disk Encryption #2 Prevent Pass-the-Hash #3 Least Privilege #4 Whitelisting 4/28/2017 New-York City Page 18

19 #0 Biometrics April 28 th New-York City

20 4/28/2017 New-York City Page 20

21 Your Fingers can only be Pwned 10 times 4/28/2017 New-York City Page 21

22 #1 Hard Disk Encryption April 28 th New-York City

23 Why we need encryption? Data wise because over devices get lost or stolen on the biggest airports in US and Europe yearly Security wise because all Windows versions can be cracked with a single command Start teaching people that BitLocker is part of the INTEGRITY of Windows not just data protection! Secure decommissioning The format utility (since Windows Vista) deletes the volume metadata and overwrites those sectors to securely delete any BitLocker keys and by doing so makes the volume instantly unreadable 4/28/2017 New-York City Page 23

24 BitLocker deployment Project starts by choosing correct hardware UEFI, x64, SecureBoot, TPM, no DMA-enabled busses (or IO-MMU to protect them) INTEL IOMMU is VT-d AMD IOMMU is AMD-Vi Secure recovery keys (AD, Cloud, MBAM) Keep it simple, use only TPM if allowed Be secure enough but realistic 4/28/2017 New-York City Page 24

25 DEMO Computer without BitLocker 4/28/2017 New-York City Page 25

26 #2 Preventing Pass-The- Hash April 28 th New-York City

27 Simple at the end! Local Users Windows 7 Make sure no two computers have local administrators with the same password Microsoft LAPS Adminizer Lazy: Install and Deny access to Local Administrators from the network Windows 8.1/10 Lazy: Deny access to Local Administrators from the network Recommended: Same as Windows 7 4/28/2017 New-York City Page 27

28 Simple at the end! Domain Users Windows 7 and 8.1 Make sure Domain Admins can t log on to workstations Make sure admins can only access computers they are supposed to Use admin workstations (see my blog on RSAT) blog.win-fu.com Windows 10 Lazy: Deploy Credential Guard Recommended: Credential Guard + the same as Windows 7 4/28/2017 New-York City Page 28

29 Containing Split your environment into three layers Never allow higher layer admins to logon to lower layers Domain Admins Power (DCs) Data (Servers and Apps) Server Admins Workstation Admins Access (Endpoints) 4/28/2017 New-York City Page 29

30 DEMO PtH Prevention 4/28/2017 New-York City Page 30

31 #3 Least Privilege April 28 th New-York City

32 NT 3.1 Security Guide States that local admins have full access to computer. 4/28/2017 New-York City Page 32

33 2016 Microsoft Vulnerabilities Study Of the 189 vulnerabilities in 2016 with a Critical rating, 94% were concluded to be mitigated by removing administrator rights 66% of all Microsoft vulnerabilities reported in 2016 could be mitigated by removing admin rights 100% of vulnerabilities impacting Microsoft s latest browser Edge could be mitigated 100% of vulnerabilities in Internet Explorer could be mitigated by removing admin rights 99% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights 93% Critical vulnerabilities affecting Windows 10 could be mitigated by removing admin rights 4/28/2017 New-York City Page 33

34 Security policy states the given privileges 4/28/2017 New-York City Page 34

35 DEMO Privileges Beat Permissions 4/28/2017 New-York City Page 35

36 GPO s don t help Security policy can take away a privilege from an admin An admin can give it back It can be enforced with a GPO Admins can block GPOs! Fighting against windmills You lose! 4/28/2017 New-York City Page 36

37 DEMO Bypassing policies 4/28/2017 New-York City Page 37

38 And NO, UAC is not enough! 4/28/2017 New-York City Page 38

39 How to get rid of Admin rights Secure 4/28/2017 New-York City Page 39

40 Real solution If you ask me the real solution is to change from giving permissions to users or computers to giving permissions to processes Many solutions out there 4/28/2017 New-York City Page 40

41 DEMO Elevating Processes 4/28/2017 New-York City Page 41

42 #4 Whitelisting April 28 th New-York City

43 AppLocker Blacklisting and Whitelisting All software needs to be preapproved in some way Location, hash or signature based Is really SRPv2 Is based on a native function of the Windows OS since Windows 7 Requires Enterprise version of Windows Pro? Use Software Restriction Policies they still work well! 4/28/2017 New-York City Page 43

44 How to implement it? Keep to containers not items Folders vs Files, Signatures vs Hashes Remember to audit your installation with AccessChk! What about Device Guard? 4/28/2017 New-York City Page 44

45 Signing 95% of Malware is not signed just something to think about 4/28/2017 New-York City Page 45

46 DEMO Deploying AppLocker 4/28/2017 New-York City Page 46

47 An ounce of prevention is worth a pound of cure Benjamin Franklin 4/28/2017 New-York City Page 47

48 Other information All slide decks will be posted on Grand Prize Raffle at 5:15pm Join us for Cash Bar & Free Guys 5:45pm 4/28/2017 New-York City Page 48

What s really new in Windows 10?

Sami Laiho Senior Technical Fellow, MVP Adminize.com / Win-fu.com sami@adminize.com BLOG.WIN-FU.COM @samilaiho What s really new in Windows 10? Configuration Manager Forgive my English When most get Administrator