This document provides lessons learned from implementing Active Directory domains in control system environments. It covers time synchronization, DNS, Active Directory replication, domain controller maintenance, backup and restore, user and group guidelines, and ICS group policy. The key lessons are: accurate time sync is critical; the DNS server list on domain controllers must include the loopback address, but never first; Active Directory replication links need to be properly configured; Flexible Single Master Operation (FSMO) roles should be transferred before domain controller maintenance; individual user accounts should be used instead of shared administrator accounts; and group policy can be used to apply security settings to control systems. The presentation provides guidance on best practices, common problems encountered, and their solutions.
Active Directory in ICS: Lessons Learned From The Field
1. Lessons Learned from the Field
Active Directory in ICS
HPS Industrial Cyber Security Services
DigitalBond S4x15 January 2015
2. Abstract
• Many control systems don’t have domains, or leverage them only for user authentication. Domains are intended to centralize the maintenance and management of a large group of member computers, and they bring large productivity gains for administration, implementing change, and consistency. This session covers lessons learned about Active Directory domains and their use with control systems, from someone who deals only with control system environments: what works, what to avoid, guidance on how to plan and implement certain features, and useful things you may not have known about. This is not an introduction to Active Directory; it is intended for those who are familiar with Active Directory, its purpose, basic administration and group policy management.
• 45 minutes
Honeywell
Proprietary
2
2015
3. Speaker
• Donovan Tindill, Senior Security Consultant – Honeywell Industrial Cyber Security (formerly Matrikon)
– For almost 15 years, specialized in defending cyber security for industrial automation & control systems (IACS) in most every industry and countless ICS.
– Responsible for large-scale project planning, enterprise risk management, security program development, training, vulnerability assessments, industry compliance, NERC CIP, etc.
– ISA99/IEC 62443 contributor, and co-chair of Working Group 6 on IACS patch management.
– Assessed and designed lots of ICS networks and domains, cyber security assessments (people-process-technology), developed ICS cyber security programs, etc.
– Email: http://tinyurl.com/DonovanAtHon; please connect on LinkedIn and mention this conference.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
4. Honeywell Industrial Cyber Security
Honeywell Industrial Cyber Security is the leading provider of cyber security solutions that help protect the availability, safety, and reliability of industrial control systems (ICS) and plant operations.
Leveraging our industry-leading process control and cyber security experience, our expertise, and technology, we deliver proven solutions designed for the specific needs of process control environments.
Cyber Security = Process Availability, Safety and Reliability
5. Honeywell Protects
From the Inside Out and Outside In
• Build security into our products
– Employ the same risk-management mechanisms for cyber security that we design for safe industrial operations
• Strengthen security with proven end-to-end solutions
– Security architecture, security controls and best industrial practices
– Services delivered by a global team of experts
• Assure continued protection and resilience
– Situational awareness
– Monitoring, management and training services
6. Industrial Cyber Security Solutions Framework
Embedded Security Is Just the Start
[Framework diagram: Security Awareness (cyber security assessments, monitoring and situational awareness); Security Technology (network, host and security controls); Secure Architectural Design (architectural design and best practices); Operational Security Controls]
We Address Industrial Cyber Security End-to-End
7. Complete Industrial Cyber Security Solutions
Assessments & Audits
• Security Assessments
• Network & Wireless Assessments
• Security Audits
Architecture & Design
• Current State Analysis
• Design & Optimization
• Zones & Conduits
Response & Recovery
• Backup and Restore
• Incident Response
Network Security
• Firewall
• Intrusion Prevention
• Access Control
Situational Awareness
• Continuous Monitoring
• Compliance & Reporting
• Security Analytics
• Security Information & Event Management (SIEM)
Endpoint Protection
• Policy Development
• Patching & Anti-Virus
• Application Whitelisting
• End Node Hardening
• Security Awareness Training
• Portable Media & Device Security
8. Managed Industrial Cyber Security Services
Secure Connection
Secure tunnel for services
Protection Management
Qualified anti-malware files & operating system patches
Continuous Monitoring and Alerting
Monitoring of system, network & cyber security performance
24/7 alerting against thresholds
Intelligence Reporting
Weekly compliance and quarterly trend reports
Perimeter and Intrusion Management
Firewall: Configuration rules + log file review and reporting
IPS: Signature update validation + log file review and reporting
9. Why Honeywell Industrial Cyber Security
Industry Leading People and Experience
Global team of certified experts with deep experience across all industries
100’s of successful PCN / Industrial cyber security projects
Leaders in security standards ISA99 / IEC62443
Industry Leading Processes and Expertise
Proprietary methodologies specific for process control environment & operations
Best practices developed through years of delivering solutions
Comprehensive understanding of unique process control security requirements
Industry Leading Technology
First to obtain ICS product security certification with ISASecure
Largest R&D investment in cyber security solutions and technology
Strategic partnerships with best-in-class security product vendors
Trusted, Proven Solution Provider
10. Topics
Technical Level 100
• Time Synchronization
• DNS
• AD Replication
• DC Maintenance
• Backup and Restore
Technical Level 200
• User and Group Guidelines
• ICS Group Policy
• Groups.xml Vulnerability
Technical Level 300
• DC Through Firewall
• Fine Grained Password Policies
Technical Level 400
• AppLocker
If common sense were common, we wouldn’t have to fix these over and over…
11. Terminology
• NTDS – NT Directory Services
• AD – Active Directory (aka NTDS)
• DC – Domain Controller
• FSMO – Flexible Single Master Operation
• DNS – Domain Name System
• GPO – Group Policy Object
• SCW – Security Configuration Wizard
13. Time Synchronization
• Accurate time sync is a fundamental component of AD authentication. Kerberos rejects tickets when clocks differ by more than 5 minutes (the default maximum tolerance), so drift beyond that between domain members results in replication failures and mysterious authentication issues.
• Actual Event:
– One group of computers cannot authenticate with other PCs in the same domain. Some logons work, some don’t; not consistent across the environment.
– Root Cause: Time drift greater than 5 minutes between DCs results in replication failure; domain members polarize around a DC and ‘islands’ of authentication result.
– Solution: It’s ugly! Force demotion of the bad DC, fix time sync, promote it to DC again.
14. Time Synchronization
• Identify the ‘PDC Emulator’ role holder. It is the time master for the entire domain; every other DC and member syncs from the domain hierarchy.
• Give it a GPS or other accurate (i.e., low-stratum) time source; otherwise, the cheap clock on the motherboard is used.
• w32tm /config /manualpeerlist:"X.X.X.X Y.Y.Y.Y" /syncfromflags:manual /reliable:yes /update
• w32tm /query /status
• w32tm /query /peers
Sources:
- How to configure an authoritative time server in Windows Server, http://support.microsoft.com/kb/816042.
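The configuration above, as an added example (not from the original deck): make the PDC Emulator the domain's authoritative clock, confirm it really took the external source, and measure every other DC's offset against it so drift is caught before it reaches the 5-minute Kerberos tolerance. It assumes the ActiveDirectory module and that 192.0.2.10 / 192.0.2.11 are the site's GPS (stratum 1) NTP appliances; both addresses are placeholders.

```powershell
# Added example, not from the original deck. Placeholders: 192.0.2.10 / 192.0.2.11.
Import-Module ActiveDirectory

$ntpPeers = '192.0.2.10,0x8 192.0.2.11,0x8'    # ,0x8 = client-mode request to each peer

# 1) Only the PDC Emulator syncs from outside; every other DC keeps /syncfromflags:domhier.
$pdc = (Get-ADDomain).PDCEmulator
if ($env:COMPUTERNAME -ne ($pdc -split '\.')[0]) {
    throw "Run this on the PDC Emulator ($pdc); other DCs must stay on the domain hierarchy."
}

# 2) Point w32time at the appliances, mark this DC reliable, and resync.
w32tm /config /manualpeerlist:"$ntpPeers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /nowait

# 3) Verify the source: must be a peer, never "Local CMOS Clock" or "Free-running System Clock".
w32tm /query /source
w32tm /query /peers

# 4) Offset of every DC relative to this one; Kerberos tolerates 5 minutes (MaxClockSkew default).
function Get-DcClockSkew {
    param([int]$ToleranceSeconds = 300)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # /dataonly prints sample lines like "13:03:26, +00.0058419s" (or ", error: 0x...").
        $line = w32tm /stripchart /computer:$dc /samples:1 /dataonly | Select-Object -Last 1
        $m    = [regex]::Match([string]$line, '([-+]\d+\.\d+)s')
        $offset = if ($m.Success) { [double]$m.Groups[1].Value } else { [double]::NaN }
        [pscustomobject]@{
            DomainController = $dc
            OffsetSeconds    = $offset
            OutOfTolerance   = (-not $m.Success) -or ([math]::Abs($offset) -gt $ToleranceSeconds)
        }
    }
}
Get-DcClockSkew | Format-Table -AutoSize
```

Run it on the PDC Emulator; a DC that fails to answer the stripchart probe is reported as out of tolerance on purpose, since an unreachable clock is exactly the island described in the Actual Event.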
15. Domain Name System (DNS)
What’s your address again?
16. Domain Name System (DNS)
• DNS allows humans to use hostnames to communicate with network devices. AD uses DNS (SRV records) to store DC roles, help DCs find each other, and help domain members find DCs.
• With AD-integrated zones, every DC running DNS has a copy of the same DNS database, and it is continuously synchronized through AD replication.
• If a domain controller cannot communicate with DNS, you’re in trouble!
• If a domain member cannot communicate with DNS, only previously cached credentials will work.
17. DNS
• Actual Event:
– Domain controller network driver update/change fails; after reboot it cannot find its peer DNS server and cannot log on!
– Root Cause: Its local IP address was not included in the DNS server list.
– Solution: DNS1 should be a neighbor DC, DNS2 should be another neighbor, DNS3 should be 127.0.0.1. Have at least 2 real DNS servers, with the loopback IP last (never first: a DC that lists itself first can wait on its own DNS service at boot).
– When a DC first boots, it behaves as a member only. It must first find other DCs through DNS and replicate the DNS & NTDS databases before it will advertise itself as a DC and authenticate users (including logons at the console). Otherwise, expect a really slow or failed logon.
– Always stagger DC reboots!
Sources:
- DNS servers on NIC should include 127.0.0.1 but not as first entry, http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx.
- Microsoft Best Practice for DC DNS settings, http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest.
18. DNS
• Replicate to all DNS servers in the forest.
• Dynamic Updates: Secure Only
– ipconfig /registerdns (used to refresh local DNS records on demand)
• Turn on aging/scavenging for all forward and reverse lookup zones (i.e., check the box on each zone), and enable scavenging on the DNS server itself; the zone setting alone never deletes anything.
• Zone Transfers: Explicitly specify servers or turn off.
• In ICS, you can delete the list of root hint servers. Stops DNS noise before the firewall.
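The DNS lessons from slides 17 and 18 applied on one DC, as an added example that is not part of the original deck. It assumes Windows Server 2012 or newer (DnsClient, DnsServer and ActiveDirectory modules), that the DC's interface is named "PCN", and that 10.10.1.11 / 10.10.1.12 are peer DCs; the interface name and addresses are placeholders.

```powershell
# Added example, not from the original deck. Placeholders: interface "PCN", peer DC addresses.
Import-Module DnsClient, DnsServer, ActiveDirectory

$nic      = 'PCN'
$peerDcs  = '10.10.1.11', '10.10.1.12'
$zoneName = (Get-ADDomain).DNSRoot

# --- Slide 17: the DC's own DNS client list -----------------------------------
# Two real servers first, loopback last. A DC that lists itself first can sit at
# boot waiting on its own DNS service, which is the logon failure described above.
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses ($peerDcs + '127.0.0.1')

function Test-DcDnsClientOrder {
    param([string]$InterfaceAlias = $nic)
    $servers = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)
    [pscustomobject]@{
        Servers         = $servers -join ', '
        LoopbackIsLast  = ($servers.Count -gt 0 -and $servers[-1] -eq '127.0.0.1')
        LoopbackIsFirst = ($servers.Count -gt 0 -and $servers[0]  -eq '127.0.0.1')   # the failure mode
        RealServerCount = @($servers | Where-Object { $_ -ne '127.0.0.1' }).Count     # want 2 or more
    }
}

# --- Slide 18: the DNS server role ----------------------------------------------
# AD-integrated, replicated to every DNS server in the forest, secure dynamic updates only.
Set-DnsServerPrimaryZone -Name $zoneName -ReplicationScope Forest
Set-DnsServerPrimaryZone -Name $zoneName -DynamicUpdate Secure
# Zone transfers off; to allow specific secondaries use TransferToSecureServers with -SecondaryServers.
Set-DnsServerPrimaryZone -Name $zoneName -SecureSecondaries NoTransfer

# Aging on every forward and reverse zone, plus scavenging on the server itself;
# the per-zone checkbox alone never deletes a stale record.
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } | ForEach-Object {
    Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
}
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00

# No Internet recursion in an isolated ICS network: drop the root hints so the DC
# stops trying to reach the root servers through the firewall.
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

Test-DcDnsClientOrder
```

Run Test-DcDnsClientOrder on every DC after a NIC or driver change; LoopbackIsFirst true or RealServerCount below 2 is the configuration that produced the Actual Event.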
20. Sites and Services (NTDS Replication)
• AD Sites and Services is used to specify the interval, protocol, and links for the AD database (which may contain DNS) to replicate between domain controllers.
• If subnets are specified and associated with sites (e.g., an area of the plant), members will prefer DCs in their subnet/site.
• Within a site, the KCC builds the replication connections automatically (effectively a full mesh for small sites) and changes replicate within seconds. Between sites, the default site link replicates every 3 hours (180 minutes).
21. Sites and Services (NTDS Replication)
• Actual Event:
– User accounts created on a specific domain controller never work in other areas of the plant.
– Root Cause: NTDS replication links missing.
– Solution: Re-architect links; verify all DCs participate in bi-directional replication.
– Some scenarios require a custom NTDS replication architecture.
• In ICS, a 15-minute site link replication interval is fine (default 180; 15 is the minimum).
• repadmin /syncall
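The bi-directional replication check from the Solution above, as an added example that is not part of the original deck: every site link is set to the 15-minute interval the slide recommends, then each DC's inbound partner metadata is read so that a DC nobody pulls from (the island in the Actual Event) is reported. It assumes the ActiveDirectory module with the Windows Server 2012 replication cmdlets and repadmin on the path.

```powershell
# Added example, not from the original deck.
Import-Module ActiveDirectory

# Inter-site replication: default 180 minutes, minimum 15. Options bit 1 (USE_NOTIFY)
# additionally lets urgent changes cross the link immediately instead of on schedule.
Get-ADReplicationSiteLink -Filter * -Properties options | ForEach-Object {
    Set-ADReplicationSiteLink -Identity $_ -ReplicationFrequencyInMinutes 15 `
        -Replace @{ options = ([int]$_.options -bor 1) }
}

function Get-ReplicationHealth {
    param([int]$MaxAgeMinutes = 30)
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Inbound metadata: who this DC pulls each partition from, and when that last worked.
        foreach ($p in Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound) {
            [pscustomobject]@{
                DC          = $dc.HostName
                Partner     = $p.Partner                          # partner's NTDS Settings DN
                Partition   = $p.Partition
                LastSuccess = $p.LastReplicationSuccess
                Failures    = $p.ConsecutiveReplicationFailures
                Stale       = ((Get-Date) - $p.LastReplicationSuccess).TotalMinutes -gt $MaxAgeMinutes
            }
        }
    }
}

$health = Get-ReplicationHealth
$health | Sort-Object DC, Partition | Format-Table -AutoSize

# A DC that never appears as anyone's partner is not replicating outbound: an island.
$allDcs  = (Get-ADDomainController -Filter *).NTDSSettingsObjectDN
$islands = $allDcs | Where-Object { $_ -notin $health.Partner }
if ($islands) { Write-Warning "No DC pulls from: $($islands -join '; ')" }
if ($health | Where-Object { $_.Stale -or $_.Failures -gt 0 }) { Write-Warning 'Stale or failing links listed above.' }

# Then push a full sync of all partitions across the enterprise and summarise the result.
repadmin /syncall /AdeP
repadmin /replsummary
```

Accounts created on an island DC are exactly the symptom on this slide, so run Get-ReplicationHealth after any site, subnet or link change rather than waiting for the next failed logon.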
23. DC Maintenance
• Actual Event:
– Patches are installed on the DC holding the FSMO roles; during reboot it suffers a critical failure and will not boot.
– If FSMO roles are forcibly seized and transferred to another DC while it is offline, the old DC must never return to the network: its metadata must be removed, and the OS reinstalled with a new hostname.
– Root Cause: FSMO roles were not transferred before maintenance occurred on the DC.
– Solution: Transfer roles before/after using PowerShell:
• Import-Module ActiveDirectory
• Move-ADDirectoryServerOperationMasterRole -Identity "ServerName" -OperationMasterRole 0,1,2,3,4 (PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster)
• netdom query fsmo
Sources:
- Transfer or Seize FSMO Roles, https://support.microsoft.com/kb/255504/en-us.
- How to remove data in Active Directory after an unsuccessful domain controller demotion, https://support.microsoft.com/kb/216498.
- Why not to reuse server names, http://www.jackcobben.nl/?page_id=403.
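The transfer procedure from the Solution above, as an added example that is not part of the original deck: move all five roles to a peer, refuse to continue unless every role actually reports the new holder, and keep the seize path behind an explicit switch for the case where the old holder is dead. It assumes the ActiveDirectory module; DC01 and DC02 are placeholder names.

```powershell
# Added example, not from the original deck. Placeholders: DC01 (being patched), DC02 (peer).
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Domain-wide roles live on the domain object, forest-wide roles on the forest object.
    $d = Get-ADDomain; $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)][string]$To,
        [switch]$Force    # seize: ONLY when the old holder is dead and will never come back online
    )
    # Schema and Domain Naming moves need Schema Admins / Enterprise Admins membership.
    $roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'
    Move-ADDirectoryServerOperationMasterRole -Identity $To -OperationMasterRole $roles -Force:$Force -Confirm:$false

    # Verify before touching anything: every role must now report the target DC.
    $after = Get-FsmoHolders
    $wrong = $after.PSObject.Properties | Where-Object { ($_.Value -split '\.')[0] -ne $To }
    if ($wrong) { throw "Roles not on ${To}: $($wrong.Name -join ', '). Do not reboot the old holder." }
    $after
}

# Before patching DC01:
Get-FsmoHolders
Move-AllFsmoRoles -To 'DC02'
netdom query fsmo            # second opinion from the classic tool

# ...patch and reboot DC01; once it replicates cleanly, optionally move the roles back:
# Move-AllFsmoRoles -To 'DC01'
```

If the move is ever done with -Force, the old holder is treated as gone: run ntdsutil metadata cleanup for it and rebuild it with a new hostname, as the slide and KB216498 describe.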
24. Backup and Restore
Prepared for Failure
25. Backup and Restore
• DCs are peers that share and continuously replicate the AD database. Constantly changing!
• Disk images (e.g., Acronis, Ghost, Clonedisk) of your DCs should not be used for restoration: they contain a stale copy of the AD database, and restoring one causes USN rollback. Age of backup is key!
• Microsoft supports restoring AD only from a VSS-aware backup such as Windows Server Backup Full Server or ‘System State’ backups, which contain the Active Directory contents.
• Schedule backups from 2+ DCs, store them on a different server, at least once per day. Also, use ntdsutil for ad-hoc snapshots (mounted read-only with dsamain to compare or recover objects). Authoritative restores are performed in Directory Services Restore Mode.
• Microsoft recommends ntdsutil (metadata cleanup) to remove failed DCs, then a clean OS install and dcpromo for new ones.
Sources:
- AD Backup and Restore, http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx; System State Recovery of a Domain Controller; Taking Active Directory Snapshots.
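The schedule and snapshot advice above, as an added example that is not part of the original deck: a daily System State backup from a DC to another server with Windows Server Backup, an ad-hoc ntdsutil snapshot before maintenance, and a check that the newest backup is still younger than the tombstone lifetime and so still restorable. It assumes the Windows Server Backup feature (WindowsServerBackup module) and the ActiveDirectory module, and that \\BACKUP01\DCState is a share this DC's computer account can write to (placeholder); the same policy goes on a second DC as the slide recommends.

```powershell
# Added example, not from the original deck. Placeholder: \\BACKUP01\DCState.
Import-Module WindowsServerBackup, ActiveDirectory

$target = '\\BACKUP01\DCState'

# Scheduled 02:00 System State backup (NTDS.dit, SYSVOL, registry, boot files).
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -NetworkPath $target)
Set-WBSchedule -Policy $policy -Schedule 02:00
Set-WBVssBackupOptions -Policy $policy -VssFullBackup
Set-WBPolicy -Policy $policy -Force          # -Force: replace any existing schedule without prompting

# One-off backup right now, e.g. before patching this DC.
wbadmin start systemstatebackup -backupTarget:$target -quiet

# Ad-hoc AD snapshot. Mount later with "ntdsutil snapshot" and expose it read-only with
# dsamain to compare or recover objects; an authoritative restore still needs DSRM.
ntdsutil "activate instance ntds" snapshot create quit quit

function Test-DcBackupAge {
    # A System State backup older than the forest tombstone lifetime cannot be restored.
    param([int]$MaxAgeDays = 1)
    $dsCfg = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    $tombstone = (Get-ADObject -Identity $dsCfg -Properties tombstoneLifetime).tombstoneLifetime
    if (-not $tombstone) { $tombstone = 60 }   # attribute absent on forests created pre-2003 SP1: 60 days
    $last = (Get-WBSummary).LastSuccessfulBackupTime
    $age  = (Get-Date) - $last
    [pscustomobject]@{
        LastSuccessfulBackup  = $last
        AgeDays               = [math]::Round($age.TotalDays, 2)
        TombstoneLifetimeDays = $tombstone
        OlderThanPolicy       = $age.TotalDays -gt $MaxAgeDays
        Unrestorable          = $age.TotalDays -gt $tombstone
    }
}
Test-DcBackupAge
```

A network share keeps only the most recent Windows Server Backup image, so copy or version the share elsewh﻿ere if more than one day of history is wanted; the disk-image backups the slide warns about are not a substitute.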
26. Users and Groups
“We use Administrator for everything”
27. User and Group Guidelines
• Don’t use the domain or local Administrator account to run any applications!
– Less for the security risk than to decouple the dependency upon it for password changes.
• Rename the local Administrator account (e.g., LocalAdmin) and rename the domain Administrator account (e.g., Admini).
• Avoid use of local or domain administrator accounts; rely upon individually assigned user accounts with similar privilege.
28. User and Group Guidelines
• Create two (2) user accounts per person.
– User-level account (e.g., jdoe) with application privileges. Standard password.
– Admin-level account (e.g., admin_jdoe) with administrator privileges. Strong password.
– Log on regularly with the user-level account; use the admin-level account only when needed. Works very well with Windows 2008/Vista/7 UAC.
29. User and Group Guidelines
• Create ‘service’ user accounts for each major application (e.g., historian interfaces, databases, scheduled tasks, OPC services, backup software) so they can be used for running DCOM and Windows services.
– Examples: dc_backup_task, acronis_backup_service, historian_opc_service
• Running programs and services as Administrator is the single biggest reason why password changes don’t happen!
– Changing the Administrator password in many environments will require, or result in, a process shutdown.
• Application-specific service accounts clearly identify their purpose and localize their impact if/when their passwords are changed.
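Two pieces of the guidance on this slide as an added example that is not part of the original deck: an inventory of every Windows service and scheduled task on the PCN hosts that runs as Administrator (the dependency that blocks password changes), and a helper that creates a per-application service account in the style of the examples above. It assumes the ActiveDirectory module, WinRM to the target hosts, an "OU=Service Accounts" container, and the host names HIST01 / OPC01 / ENG01; all of these are placeholders.

```powershell
# Added example, not from the original deck. Placeholders: host names, OU path.
Import-Module ActiveDirectory

$pcnHosts = 'HIST01', 'OPC01', 'ENG01'
$domain   = (Get-ADDomain).NetBIOSName

function Get-AdminRunAs {
    # Services and scheduled tasks whose identity is any account named Administrator
    # (local ".\Administrator" or domain "DOMAIN\Administrator"). LocalSystem is ignored.
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $c |
            Where-Object { $_.StartName -match '(^|\\)Administrator$' } |
            ForEach-Object { [pscustomobject]@{ Computer = $c; Type = 'Service'; Name = $_.Name; RunAs = $_.StartName } }

        # schtasks /V /FO CSV carries a "Run As User" column and works back to XP/2003.
        schtasks /Query /S $c /V /FO CSV | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match '(^|\\)Administrator$' } |
            ForEach-Object { [pscustomobject]@{ Computer = $c; Type = 'Task'; Name = $_.TaskName; RunAs = $_.'Run As User' } }
    }
}

function New-PcnServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Name,        # e.g. historian_opc_service
        [Parameter(Mandatory)][string]$Purpose,     # goes in the description so the owner is obvious
        [string]$OU = "OU=Service Accounts,$((Get-ADDomain).DistinguishedName)"
    )
    # 32 random characters; the FGPP slide later puts these accounts on a 32-char,
    # never-expire policy, so the password is set once and kept in the site vault.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@_'
    $pw = -join (1..32 | ForEach-Object { Get-Random -InputObject $alphabet })
    New-ADUser -Name $Name -SamAccountName $Name -Description $Purpose -Path $OU `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
        -Enabled $true -CannotChangePassword $true
    Write-Host "Created $domain\$Name; record the password in the site vault now."
    $pw    # returned once for the vault; deny interactive logon for the account via GPO
}

Get-AdminRunAs -ComputerName $pcnHosts | Format-Table -AutoSize
# New-PcnServiceAccount -Name 'historian_opc_service' -Purpose 'Historian OPC interface on HIST01'
```

Every row the inventory returns is one place the Administrator password cannot be rotated without an outage; each one is a candidate for its own account. On XP/2003 hosts without WinRM, replace Get-CimInstance with Get-WmiObject; DCOM application identities set in dcomcnfg are not covered by either and need a manual review.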
30. User and Group Guidelines
• Restricted Resource group: grants a specific access level to a specific device/system/application. Defined owner for each.
• Control System
– Product Admins
– Engineers
– Supervisors
– Operators
• Domain Members
– Domain Administrators
– Remote Desktop Users
– Domain Users
• Domain Controllers
– Enterprise Admins
– Administrators
– Group Policy Mgrs
– Password Update
• Network Infrastructure
– Read-Only
– Read-Write
• Applications
– Administrators
– Engineers / Developers
– Users
32. Group Policy Settings
• Group Policies allow single-step roll-out of computer settings to select or all domain members.
• GPO settings can be applied to users and computers, commonly based on group membership or organizational unit.
– Windows 2008 Active Directory and Group Policy Preferences allow almost limitless selection criteria (item-level targeting). With patches, they are supported by Windows XP+.
• Examples:
– Password policy, security logging policy, disable unnecessary services, disable unnecessary Windows components and features, local group membership, Windows Firewall rules, Start Menu and Desktop appearance, startup scripts, etc.
Sources:
- Group Policy Preferences, Windows 2008, http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx.
- Group Policy Preferences, Windows 2012, http://technet.microsoft.com/en-us/library/dn581922.aspx.
- Group Policy Preferences Patch, for Windows XP, 2003, and Vista: http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx.
33. Recommended Group Policy Settings
• Minimum password length, complexity, and age
• Enable security auditing (account logon events, account management, logon events, policy change, system events)
• Increase the default event log file size.
• Disable LM authentication, and potentially NTLM.
• Disable unnecessary services. In ICS, you can disable:
– WinHTTP Auto-Proxy, SSDP Discovery, Smart Card, HomeGroup Listener, HomeGroup Provider
– Security Configuration Wizard (SCW) is excellent at hardening Windows Server 2003 SP1 through 2012 R2 (e.g., disables unnecessary services; Windows Firewall rules; prepares Group Policies). It was removed from Windows Server 2016 onward.
• Disable unnecessary Windows components and features. In ICS, you can disable:
– AutoPlay, Games, Desktop Gadgets, NetMeeting, Outlook Express, HomeGroup, Windows Messenger, Windows Media Player, Windows Media Center
• Uninstall unnecessary software (e.g., Adobe, Java, Office).
Sources:
- Security Configuration Wizard, http://technet.microsoft.com/en-us/library/cc754997.aspx.
34. Advanced Group Policy Settings
• Modify allow/deny User Rights Assignment for:
– Allow log on locally (e.g., keyboard console)
– Allow log on through Remote Desktop Services
– Access this computer from the network (e.g., network share, DCOM service)
– Log on as a service
– Log on as a batch job (i.e., scheduled task)
• Windows Firewall rules. In ICS, you might choose to control which IP address ranges (e.g., Local Subnet) can access:
– Network Discovery, Remote Desktop, File & Print Sharing
– Part of SCW
• AppLocker application execution rules. In ICS, you can use AppLocker as a poor man’s application whitelisting.
– More on this in later slides…
• Do not perform the above on a production environment without prior testing!!!
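Several of the settings recommended on slides 33 and 34 put into one GPO with the GroupPolicy module, as an added example that is not part of the original deck. The registry values are the ones the corresponding policy settings write (LmCompatibilityLevel, NoLMHash, service Start values, NoDriveTypeAutoRun); the GPO name, the OU path and the idea of reviewing the HTML report before linking in production are assumptions for the example. User Rights Assignment and audit policy live in the security template, not the registry, and are left to the GUI or secedit.

```powershell
# Added example, not from the original deck. Placeholders: GPO name, OU distinguished name.
Import-Module GroupPolicy

$gpoName  = 'ICS Baseline'
$targetOu = 'OU=Operator Stations,OU=PCN,DC=plant,DC=example'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Control system hardening baseline' }

# Disable LM and NTLMv1: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null
# Stop storing the LM hash at the next password change.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null

# Unnecessary services from the slide: Start = 4 (Disabled). Service short names are the real ones.
$disable = 'WinHttpAutoProxySvc', 'SSDPSRV', 'SCardSvr', 'HomeGroupListener', 'HomeGroupProvider'
foreach ($svc in $disable) {
    Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Services\$svc" `
        -ValueName 'Start' -Type DWord -Value 4 | Out-Null
}

# AutoPlay off on all drive types (0xFF), the "Turn off AutoPlay" policy value.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 255 | Out-Null

# Review what the GPO really contains, then link it to the test OU only (slide 34: test first).
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
```

A service disabled this way stays disabled even if the GPO is later unlinked (the registry CSE does not undo it), so keep the list of changed Start values with the change record for the site.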
35. Groups.xml Vulnerability
• If you use Group Policy Preferences to automate resetting of local user passwords – Don’t!
• The cpassword value in groups.xml is AES-encrypted with a key that Microsoft published in the MS-GPPREF specification, so anyone who can read SYSVOL (every domain user) can recover the password. MS14-025 removes the ability to create such entries but does not delete existing ones.
• Implement via PowerShell script instead
– See MS14-025
Sources:
- How To Automate Changing The Local Administrator Password, http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx.
- MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege, http://support.microsoft.com/kb/2962486.
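The check that goes with this slide, as an added example that is not part of the original deck: walk SYSVOL for every Group Policy Preference XML file that still carries a cpassword attribute, and map each hit back to its GPO so the item can be removed and the account's password rotated. It scans all preference types that can store a password, not only Groups.xml. It assumes the ActiveDirectory and GroupPolicy modules and read access to SYSVOL, which every domain user has.

```powershell
# Added example, not from the original deck. No placeholders beyond the current domain.
Import-Module ActiveDirectory, GroupPolicy

function Find-GppPassword {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $sysvol = "\\$Domain\SYSVOL\$Domain\Policies"
    # Preference files that can carry cpassword (local users/groups, services, tasks, data sources, drives).
    $files  = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml'
    Get-ChildItem -Path $sysvol -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$x = Get-Content -Path $_.FullName -Raw
        # Every <Properties> element with a cpassword attribute; an empty value means "password cleared".
        foreach ($node in $x.SelectNodes('//*[@cpassword]')) {
            if (-not $node.cpassword) { continue }
            # Path is ...\Policies\{GUID}\Machine\Preferences\...: recover the GPO GUID.
            $gpoGuid = (($_.FullName -split '\\Policies\\')[1] -split '\\')[0]
            $gpo = try { Get-GPO -Guid $gpoGuid.Trim('{}') -Domain $Domain } catch { $null }
            # The account attribute name differs per preference type.
            $account = @($node.userName, $node.accountName, $node.runAs) | Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]@{
                GPO     = if ($gpo) { $gpo.DisplayName } else { $gpoGuid }
                File    = $_.FullName
                Account = $account
                Action  = $node.action          # C/R/U/D: create, replace, update, delete
            }
        }
    }
}

$hits = @(Find-GppPassword)
if ($hits.Count) {
    $hits | Format-Table -AutoSize
    Write-Warning "$($hits.Count) stored password(s) in SYSVOL: remove the items and rotate those accounts."
} else {
    'No cpassword entries found in SYSVOL.'
}
```

Deleting the preference item is not enough on its own: the password it set has been readable by every domain user since the item was created, so each account listed needs a new password as well.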
37. DC Through Firewall
• DCs will often be in different zones and across firewalls. Really, they should be in enclaves due to their importance.
• Domain Controller Default Ports: KB179442
– DNS TCP/UDP 53
– NTP UDP 123
– Kerberos TCP/UDP 88
– RPC Endpoint Mapper TCP 135
– NetBIOS UDP 137-138, TCP 139
– LDAP TCP/UDP 389
– File Sharing (SMB) TCP 445
– kpasswd TCP/UDP 464
– http-rpc-epmap TCP 593
– Global Catalog TCP 3268
– RPC (Windows 2003/XP and older): TCP 1025-5000
– RPC (Windows 2008/Vista and newer): TCP 49152-65535
– Not Used in Field: UDP 500, TCP 636, TCP 3269, UDP 4500, UDP 5355, TCP 9389 (based on actual results on 2008 R2 at an ICS site)
Sources:
- Service overview and network port requirements for Windows, http://support.microsoft.com/kb/832017.
- How to configure a firewall for domains and trusts, http://support.microsoft.com/kb/179442.
38. DC Through Firewall
• Registry changes can be applied to change dynamic ports to fixed, or to specify a smaller range.
• Set NTDS to 32901
• Set NTFRS to 32902
• Set NetLogon to 32903
• Set DFSR to 32904 (if used)
• Set WMI to 32905 (if used)
Sources:
- Restricting Active Directory RPC traffic to a specific port, http://support.microsoft.com/kb/224196.
- How to restrict FRS replication traffic to a specific static port, http://support.microsoft.com/kb/319553.
- Configuring DFSR to a Static Port, http://blogs.technet.com/b/askds/archive/2009/07/16/configuring-dfsr-to-a-static-port-the-rest-of-the-story.aspx.
- Setting Up a Fixed Port for WMI, http://msdn.microsoft.com/en-us/library/bb219447(v=vs.85).aspx.
- IANA ports 32897-33122 Unassigned, http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt.
39. DC Through Firewall
• KB154596: Configure the RPC/DCOM dynamic range by Registry or dcomcnfg.exe
– TCP 45000-45999
– 1000 ports is sufficient for most applications.
• Used by all listening RPC services.
• Best effect on Windows 2003 and earlier, as it moves away from 1025-5000.
Sources:
- How to configure RPC dynamic port allocation to work with firewalls, http://support.microsoft.com/kb/154596.
- IANA ports, http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt.
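Slides 38 and 39 as one script, added here as an example that is not part of the original deck: pin NTDS, NTFRS and Netlogon to the fixed ports the slides chose, move DFSR with its own tool, restrict the RPC dynamic range to 45000-45999 per KB154596, and after the reboot list every listener on the DC so anything outside the agreed ranges stands out as a firewall rule not yet written. Registry paths and value names come from the KBs cited above; the port numbers are the slides' own; DC01 is a placeholder.

```powershell
# Added example, not from the original deck. Placeholder: DC01. All changes need a reboot.
$fixed = @{
    # KB224196: directory replication (NTDS) and Netlogon listeners
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'     = @{ 'TCP/IP Port' = 32901 }
    # KB319553: File Replication Service (SYSVOL on domains not yet migrated to DFSR)
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'    = @{ 'RPC TCP/IP Port Assignment' = 32902 }
    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' = @{ 'DCTcpipPort' = 32903 }
}
foreach ($key in $fixed.Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $fixed[$key].Keys) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $fixed[$key][$name] -Force | Out-Null
    }
}

# DFSR has no registry value; set it per replication member with dfsrdiag.
dfsrdiag StaticRPC /port:32904 /Member:DC01

# WMI: a standalone host listens on a fixed port (24158 by default); changing it to 32905
# is done afterwards in Component Services (dcomcnfg), per the MSDN link above.
winmgmt -standalonehost

# KB154596: dynamic RPC range for every listening RPC service.
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
New-ItemProperty -Path $rpc -Name 'Ports'                  -PropertyType MultiString -Value @('45000-45999') -Force | Out-Null
New-ItemProperty -Path $rpc -Name 'PortsInternetAvailable' -PropertyType String      -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpc -Name 'UseInternetPorts'       -PropertyType String      -Value 'Y' -Force | Out-Null

function Test-DcListeners {
    # After the reboot: classify every non-loopback TCP listener against the agreed port plan.
    param([int[]]$Fixed = 32901..32905, [int]$RangeStart = 45000, [int]$RangeEnd = 45999)
    $wellKnown = 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269   # from slide 37 / KB179442
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        Group-Object LocalPort | ForEach-Object {
            $port  = [int]$_.Name
            $owner = $_.Group[0].OwningProcess
            [pscustomobject]@{
                Port    = $port
                Process = (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName
                Class   = if ($port -in $wellKnown) { 'Well-known' }
                          elseif ($port -in $Fixed) { 'Pinned RPC' }
                          elseif ($port -ge $RangeStart -and $port -le $RangeEnd) { 'Dynamic RPC' }
                          else { 'UNEXPECTED' }
            }
        } | Sort-Object Port
}
Test-DcListeners | Format-Table -AutoSize
```

The firewall rule set for the DC enclave then becomes the well-known list plus 32901-32905 plus 45000-45999; any UNEXPECTED row is either a service to disable or a port to add to the plan before the rule set is enforced.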
40. DC Through Firewall
• Before: RPC range 49152-65535
41. DC Through Firewall
• After: registry hacks 32901-32905; RPC range 45000-45999
42. Fine Grained Password Policies
Something for Everyone
43. Fine Grained Password Policies
• By default, there is only one domain password policy.
• Starting at the Windows 2008 domain functional level, different password policies can apply to different AD users.
– Set your Default: 12-char, 60-day expiry, never lockout.
• Defined by Default Domain Policy
– Admin Level: 20-char, 180-day expiry.
• Create and assign to group ‘Pass 20c 180d NoLock DL Group’
– Service Accts: 32-char, never auto-expire, never lockout.
• Create and assign to global group ‘Pass 32c NoExpire NoLock DL Group’
• Implemented manually with ADSIedit in Windows 2008; wizard-driven in 2012. Since lockout is disabled, rely on SIEM to detect multiple logons.
Sources:
- Fine Grained Password Policies, Windows 2008, http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx.
44. Fine Grained Password Policies
Parameter                                | Admin Level Policy                              | Service Accounts
Common-Name                              | Passwd-20char-MaxAge180d-NoLockout              | Passwd-32char-NoMaxAge-NoLockout
msDS-PasswordSettingsPrecedence          | 8                                               | 5
  (low number is higher precedence)      |                                                 |
msDS-PasswordReversibleEncryptionEnabled | False                                           | False
msDS-PasswordHistoryLength               | 20                                              | 32
msDS-PasswordComplexityEnabled           | True                                            | True
msDS-MinimumPasswordAge                  | “-864000000000” (9 zeros, 1 day)                | “-864000000000” (1 day)
msDS-MaximumPasswordAge                  | “-155520000000000” (10 zeros, 180 days)         | “-9223372036854775808” (never expire)
msDS-LockoutThreshold                    | 0                                               | 0
msDS-LockoutObservationWindow            | 0                                               | 0
msDS-LockoutDuration                     | 0                                               | 0
msDS-PSOAppliesTo                        | Windows Account: Pass 20c 180d NoLock DL Group  | Windows Account: Pass 32c NoExpire NoLock DL Group
(Ages are negative 100-nanosecond intervals; -9223372036854775808 is the Int64 minimum and means "never".)
45. Fine Grained Password Policies
• ‘Pass 20c 180d NoLock DL Group’ members:
– Administrators, Domain Admins, Backup Operators, Schema Admins, Enterprise Admins, Account Operators, Server Operators
– DCS Administrators, Network Admins
– Any other application-specific groups or user accounts with privilege to change the system.
• ‘Pass 32c NoExpire NoLock DL Group’ members:
– Service Accounts
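The two PSOs from the table on slide 44 created with the ActiveDirectory module instead of ADSIedit, as an added example that is not part of the original deck, plus a function that shows which policy actually wins for a given user. One caveat the slides do not state: a PSO is only honoured for user objects and global security groups, and a global group cannot contain domain local or universal groups, so the built-in groups listed on slide 45 (Administrators, Backup Operators, Enterprise Admins, ...) cannot simply be nested; the example therefore adds their human members directly. The group names are kept as on the slides; the OU path is a placeholder.

```powershell
# Added example, not from the original deck. Placeholder: the "Password Policy Groups" OU.
Import-Module ActiveDirectory

$groupOu = "OU=Password Policy Groups,$((Get-ADDomain).DistinguishedName)"
$adminGroup   = 'Pass 20c 180d NoLock DL Group'
$serviceGroup = 'Pass 32c NoExpire NoLock DL Group'
foreach ($g in $adminGroup, $serviceGroup) {
    # Must be a GLOBAL security group for the PSO to apply, whatever the name says.
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupOu
    }
}

# Admin-level accounts: 20 chars, 180-day expiry, no lockout, precedence 8.
New-ADFineGrainedPasswordPolicy -Name 'Passwd-20char-MaxAge180d-NoLockout' -Precedence 8 `
    -MinPasswordLength 20 -PasswordHistoryCount 20 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false -MinPasswordAge 1.00:00:00 -MaxPasswordAge 180.00:00:00 `
    -LockoutThreshold 0 -LockoutObservationWindow 0 -LockoutDuration 0
Add-ADFineGrainedPasswordPolicySubject -Identity 'Passwd-20char-MaxAge180d-NoLockout' -Subjects $adminGroup

# Service accounts: 32 chars, never expire, no lockout, precedence 5 (lower number wins).
New-ADFineGrainedPasswordPolicy -Name 'Passwd-32char-NoMaxAge-NoLockout' -Precedence 5 `
    -MinPasswordLength 32 -PasswordHistoryCount 32 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false -MinPasswordAge 1.00:00:00 `
    -LockoutThreshold 0 -LockoutObservationWindow 0 -LockoutDuration 0
# "Never expire" is the Int64.MinValue sentinel in the table, written straight to the attribute.
$pso = Get-ADFineGrainedPasswordPolicy -Identity 'Passwd-32char-NoMaxAge-NoLockout'
Set-ADObject -Identity $pso.DistinguishedName -Replace @{ 'msDS-MaximumPasswordAge' = [long]::MinValue }
Add-ADFineGrainedPasswordPolicySubject -Identity 'Passwd-32char-NoMaxAge-NoLockout' -Subjects $serviceGroup

# Populate the admin group with the people behind the privileged groups on slide 45.
$privGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Backup Operators', 'Account Operators', 'Server Operators'
$privUsers = $privGroups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object { $_.objectClass -eq 'user' } | Sort-Object -Property distinguishedName -Unique
if ($privUsers) { Add-ADGroupMember -Identity $adminGroup -Members $privUsers }

function Get-EffectivePasswordPolicy {
    # msDS-ResultantPSO is a constructed attribute: the PSO that wins for this user, if any.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties msDS-ResultantPSO
    if ($u.'msDS-ResultantPSO') {
        Get-ADFineGrainedPasswordPolicy -Identity $u.'msDS-ResultantPSO' |
            Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
    } else {
        Get-ADDefaultDomainPasswordPolicy |
            Select-Object @{ n = 'Name'; e = { 'Default Domain Policy' } }, MinPasswordLength, MaxPasswordAge
    }
}
Get-EffectivePasswordPolicy -SamAccountName 'admin_jdoe'
```

Because membership is by user rather than by nested group, the population step has to be repeated (scheduled) whenever someone is added to a privileged group; checking Get-EffectivePasswordPolicy for a new admin account is the quick way to confirm the 20-character policy really applies.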
47. AppLocker
• Poor man’s application whitelisting to ensure only specified executables, scripts, and installers run.
• It’s free, but:
– No “learning mode” or management tools.
– Weaker protections than commercial whitelisting solutions (e.g., no protection against injection or overflows in allowed processes).
• Use cases: Windows 7 Enterprise, 2008 R2, and higher
– Application inventory, unwanted software, standardization, change control, etc.
– DMZ Hosts, Engineering Stations, Operator Stations
Sources:
- AppLocker Step-by-Step Guide, http://technet.microsoft.com/en-us/library/dd723686(v=ws.10).aspx.
48. AppLocker Base Policy
• Create a group policy, link it to the specific OU where the test computer will be located.
• Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker:
– Executable Rules:
• Allow BUILTIN\Administrators: All files
• Allow Everyone: All files in the Windows folder
– Requires testing per site to determine which executables are commonly used.
– Windows Installer Rules:
• Allow BUILTIN\Administrators: All Windows Installer files
– Script Rules:
• Allow BUILTIN\Administrators: All scripts
• Application Identity service startup mode: Automatic
• Group Policy loopback processing mode: Replace
49. AppLocker Per-App Policy
1) Identify the application you want to run (e.g., Remote Desktop Connection)
2) Create a Global Group (e.g., RDP Client Run) and add users.
3) Create a GPO (e.g., RDP Client Run GPO), linked to the same OU as the base AppLocker policy.
4) Modify the GPO with an Executable Rule allowing the global group to run the specified executables (e.g., mstsc.exe).
a. Some applications may require multiple executables to function (will be confirmed during testing).
5) Log on as Test User > Execute > Check Logs > Tune GPO.
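Steps 1 to 5 above carried out for Remote Desktop Connection with the AppLocker, GroupPolicy and ActiveDirectory modules, as an added example that is not part of the original deck. The rule is generated from the file itself (publisher rule if the binary is signed, hash rule otherwise), merged into the per-app GPO, and then checked two ways: a dry run of the effective policy for the test user, and the AppLocker event log on the test station (8004 = blocked, 8003 = would have been blocked in audit mode). The OU path, the station name OPS01 and the test user jdoe are placeholders; the function that reads the effective policy must run on the station itself.

```powershell
# Added example, not from the original deck. Placeholders: OU path, OPS01, jdoe.
Import-Module ActiveDirectory, GroupPolicy, AppLocker

$app     = 'C:\Windows\System32\mstsc.exe'   # add every binary the app needs (step 4a) before building rules
$group   = 'RDP Client Run'
$gpoName = 'RDP Client Run GPO'
$ou      = 'OU=Operator Stations,OU=PCN,DC=plant,DC=example'   # same OU as the base AppLocker policy
$domain  = (Get-ADDomain).NetBIOSName

# 2) Global group that is allowed to run the application.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $group -Members 'jdoe'

# 3) GPO on the same OU, loopback Replace so it follows the computer, not the user's OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null     # 2 = Replace, 1 = Merge

# 4) Executable rule scoped to the group: publisher rule when signed, hash rule otherwise.
$info   = Get-AppLockerFileInformation -Path $app
$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
              -User "$domain\$group" -RuleNamePrefix 'RDP Client' -Optimize -Xml
$xml = Join-Path $env:TEMP "$group.xml"
$policy | Out-File -FilePath $xml -Encoding utf8
Set-AppLockerPolicy -XmlPolicy $xml -Ldap "LDAP://$($gpo.DomainName)/$($gpo.Path)" -Merge

# 5) Test on the station: what the merged policy decides, and what the log says happened.
function Test-AppLockerOutcome {
    param([string]$Path = $app, [string]$User = "$domain\jdoe", [string]$Computer = 'OPS01')
    $effectiveXml = Join-Path $env:TEMP 'effective.xml'
    Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $effectiveXml -Encoding utf8
    $verdict = Test-AppLockerPolicy -XmlPolicy $effectiveXml -Path $Path -User $User
    $events  = Get-WinEvent -ComputerName $Computer -MaxEvents 50 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 }
    [pscustomobject]@{
        Path           = $Path
        User           = $User
        PolicyDecision = $verdict.PolicyDecision      # Allowed / Denied / DeniedByDefault
        MatchingRule   = $verdict.MatchingRule
        RecentBlocks   = @($events | Where-Object { $_.Message -like "*$(Split-Path $Path -Leaf)*" }).Count
    }
}
Test-AppLockerOutcome
```

A DeniedByDefault verdict with the rule missing from MatchingRule means the merge did not reach this station yet (gpupdate /force, then re-run); a Denied verdict for a user who is in the group points at a second executable the application needs, which is the tuning loop in step 5.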
50. AppLocker
• With loopback processing, it only affects the specified computers in the OU, and only users when they log on to those computers.
• One GPO and group per application. Once set up, just add users to the AD group and link the GPO to OUs.
– Will need AppLocker GPOs for antivirus, backup tools, etc.
• Ensures change control procedures are followed!
• When implemented by qualified personnel with testing discipline, it will increase system performance, reliability, and security posture.
51. Questions
• Time Synchronization
• DNS
• AD Replication
• DC Maintenance
• Backup and Restore
• User and Group Guidelines
• ICS Group Policy
• Groups.xml Vulnerability
• DC Through Firewall
• Fine Grained Password Policies
• AppLocker
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
52. Thank You
• Donovan Tindill, Senior Security Consultant
• Email: http://tinyurl.com/DonovanAtHon; please connect on LinkedIn and mention this conference.
• Credits: Connor, Liam, Roger J.