Windows Service Hardening
Applied to Securing PI Interfaces

S4x15 OT Day

Bryan S Owen PE
bryan@osisoft.com
Objectives
•  What is Service Hardening?
•  How to harden a PI Interface?
Service Hardening is a Defensive Practice
•  Part of an ‘Assume Breach’ mindset
•  Strive to limit damage potential
Reality: Services are Attractive Targets
•  Readily discoverable
•  Open network ports
•  No user interaction
•  Elevated privileges
Countermeasures
Whitelisting approach for:
1.  Specific Privileges
2.  Allowed Communication

[Diagram: Service Hardening at the centre, surrounded by its four control surfaces: ACL, File system, Registry, Network]
Windows Service Hardening
Kernel changes in Windows 6.0 (Vista/2008 and later)
•  Reduce size of high risk layers
•  Segment the services
•  Increase number of layers

[Diagram: layered model with Kernel Drivers at the bottom, User-mode Drivers above, then Service 1, Service 2, Service 3, … and Service A, Service B, each service in its own segment]
Built-in Users/Groups (ordered from most privilege to least privilege)
•  System
•  Administrators
•  Network Service
•  Users, Local Service
•  Virtual Service Account (NT Service\ServiceName)
Default Service Account is ‘System’!
•  Used in Stuxnet worm
•  Numerous attacks
Access Control List (ACL) Example
•  Logon: Local System
•  Default ACL: Full control … access to everything
Opportunities
•  Network access restrictions
•  Service isolation: file system and registry permissions
•  Specify required privileges
•  Service accounts
PISNMP Interface CASE Study
Securing PI Interfaces

[Diagram: a “Harden” callout on each component of the PI interface path]
PI SNMP Interface Data flow
SNMP capable ICS device  --(SNMP protocol)-->  PI SNMP Interface Node (collect and buffer services)  --(PINET protocol)-->  PI Server

[Diagram: a “Harden” callout on each component and on each protocol hop]
Service Hardening Scope
1.  Service Recovery Policy
2.  Reduce Privilege
3.  Protect File System
4.  Firewall Service Rules

Service Control Manager “SCM” Configuration Tools
•  Basic
•  Advanced
Service  Recovery
Service Process Privileges

  System                             Network Service             Minimum Required
  ------------------------------     -----------------------     -----------------------
  SeAuditPrivilege                   SeChangeNotifyPrivilege     SeChangeNotifyPrivilege
  SeChangeNotifyPrivilege            SeCreateGlobalPrivilege
  SeCreateGlobalPrivilege            SeImpersonatePrivilege
  SeCreatePagefilePrivilege
  SeCreatePermanentPrivilege
  SeCreateSymbolicLinkPrivilege
  SeDebugPrivilege
  SeImpersonatePrivilege
  SeIncreaseWorkingSetPrivilege
  SeLockMemoryPrivilege
  SeProfileSingleProcessPrivilege
  SeSystemProfilePrivilege
  SeTcbPrivilege
  SeTimeZonePrivilege
Network Service
No longer full access
•  Reduced privileges
•  Authenticated Users (its token carries that group, so ACLs granting Authenticated Users apply to the service as well)
Quiz
By default, is “Network Service” allowed to write then execute from disk?
Hint:
•  “ICACLS %SystemRoot%\system32”
•  “ICACLS %SystemDrive%\”
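The quiz hint can be worked through with the file-system ACL API instead of reading raw icacls output. The following is an added example, not part of the presentation: it lists, for a path, every Allow ACE whose identity is one of the well-known groups a Network Service token carries by default and reports whether that ACE grants write-type or execute rights. The identity list and the GENERIC_* bit handling are this example's assumptions about the default token and ACE encoding.

```powershell
# Added example, not from the presentation: list the ACEs on a path that let
# the Network Service token write to disk or execute from it. The identity list
# is the set of well-known SIDs a Network Service token carries by default;
# ACEs for Everyone, Users or Authenticated Users apply to the service too.
$NetworkServiceIdentities = @(
    'NT AUTHORITY\NETWORK SERVICE',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\SERVICE',
    'BUILTIN\Users',
    'Everyone'
)

# Specific rights that create or modify content (WriteData == CreateFiles,
# AppendData == CreateDirectories) and the execute right. GENERIC_WRITE /
# GENERIC_EXECUTE / GENERIC_ALL bits are included because some ACEs are stored
# in generic form and Get-Acl then shows the rights as a raw integer.
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData') -bor 0x40000000 -bor 0x10000000
$ExecMask  = ([int][System.Security.AccessControl.FileSystemRights]::ExecuteFile)           -bor 0x20000000 -bor 0x10000000

function Get-WriteExecuteExposure {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Identity = $NetworkServiceIdentities
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Identity -notcontains $ace.IdentityReference.Value) { continue }

        $rights   = [int]$ace.FileSystemRights
        $canWrite = ($rights -band $WriteMask) -ne 0
        $canExec  = ($rights -band $ExecMask)  -ne 0
        if (-not ($canWrite -or $canExec)) { continue }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Write     = $canWrite
            Execute   = $canExec
            # ContainerInherit/ObjectInherit say what the ACE propagates to;
            # InheritOnly means it does not apply to this folder itself.
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            Rights    = $ace.FileSystemRights
        }
    }
}

# The two locations named in the quiz hint
"$env:SystemRoot\System32", "$env:SystemDrive\" |
    ForEach-Object { Get-WriteExecuteExposure -Path $_ } |
    Format-Table -AutoSize
```

Read the AppliesTo column together with Write and Execute: an ACE marked InheritOnly does nothing for the folder shown but governs what the group may do in sub-folders created beneath it, which is exactly the write-then-execute path the quiz asks about. The same function can be pointed at an interface's own install folder to check what a shared built-in account is allowed to do there.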
  	
  
Service ‘Hopping’ with Built-In Accounts
•  Shared Logon: Network Service

[Diagram: Service1 and Service2 both log on as Network Service, so an ACL that grants Network Service applies to both services]
Virtual Service Account
•  Creates a security identifier based on service name
•  Alternative to sharing built-in service accounts
•  NT Service\ServiceName
•  Local account
•  Windows networking identity
   •  Domain: machine name$
   •  Workgroup: anonymous
•  Passwords
   •  Automatically generated, non-expiring, cannot be locked out
   •  240 bytes, cryptographically random
Enable Virtual Service Account (example)
C:\>sc qsidtype pisnmp1
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: pisnmp1
SERVICE_SID_TYPE:  NONE

C:\>sc sidtype pisnmp1 unrestricted
[SC] ChangeServiceConfig2 SUCCESS

Setting the SID type makes the NT Service\pisnmp1 SID available to the service; the service's Log On account is changed to NT Service\pisnmp1 separately (services.msc or sc config), as shown under Service Isolation.
SID Types
•  None: no virtual service account SID available.
•  Unrestricted: access token contains “NT SERVICE\ServiceName”.
•  Restricted: access token carries the RESTRICTED and MANDATORY flags and these restricting SIDs:
   •  NT SERVICE\ServiceName
   •  NT AUTHORITY\WRITE RESTRICTED
   •  Everyone
   •  NT AUTHORITY\S-1-5-5-0-….. (Logon SID; a unique SID is created for each logon session)
Service Isolation
Grant permission to Virtual Service Account

  Default                                     More secure
  Logon: Local System                         Logon: NT Service\PISNMP1
  Default ACL: Full Access to any file        ACL: NT Service\pisnmp1 – r/w on Program Files\PIPC\Interfaces\SNMP only

[Diagram: PISNMP1 service under each configuration, with the files it can reach]
Specify Required Privileges
C:\>sc sidtype pisnmp1 unrestricted
[SC] ChangeServiceConfig2 SUCCESS

C:\>sc privs pisnmp1 SeChangeNotifyPrivilege
[SC] ChangeServiceConfig2 SUCCESS

C:\>sc qprivs pisnmp1
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: pisnmp1
PRIVILEGES       : SeChangeNotifyPrivilege

** Restart the service **
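The scope items above (recovery policy, reduced privilege, protected file system, then restart and verify) as a single PowerShell script. This is an added example, not OSIsoft's or the presenter's script: the service name pisnmp1 and the interface folder come from the slides; the restart delays, the choice of Modify rights, the removal of inherited ACEs, and the extra `sc config obj=` step are this example's choices. That `obj=` step is what actually switches the logon to the virtual account; the slides show only the `sidtype` change and the resulting “Logon: NT Service\PISNMP1”. Run it from an elevated PowerShell on the interface node.

```powershell
# Added example, not OSIsoft's or the presentation's own script: apply the
# hardening steps from the case study to one service. Service name and folder
# are taken from the slides; timings and rights are this example's choices.
$ServiceName  = 'pisnmp1'
$InterfaceDir = Join-Path $env:ProgramFiles 'PIPC\Interfaces\SNMP'

function Invoke-Sc {
    # In PowerShell a bare 'sc' is the Set-Content alias, so always call sc.exe,
    # and fail loudly: sc.exe reports problems only via exit code and text.
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$ScArgs)
    $out = & sc.exe @ScArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe $($ScArgs -join ' ') failed ($LASTEXITCODE): $($out -join ' ')"
    }
    $out
}

# 1. Service recovery policy: restart after each of the first two failures
#    (60 s delay), take no action after that, reset the failure count daily.
Invoke-Sc failure $ServiceName reset= 86400 actions= restart/60000/restart/60000

# 2. Reduce privilege: give the service its own SID, log it on as that virtual
#    account (no password to manage), and whitelist a single privilege.
#    Several privileges would be separated with '/'.
Invoke-Sc sidtype $ServiceName unrestricted
Invoke-Sc config  $ServiceName obj= "NT SERVICE\$ServiceName"
Invoke-Sc privs   $ServiceName SeChangeNotifyPrivilege

# 3. Protect the file system: drop inherited ACEs (e.g. BUILTIN\Users) on the
#    interface folder, keep Full Control for SYSTEM and Administrators, and give
#    the virtual account Modify (read/write) there and nowhere else.
& icacls.exe $InterfaceDir /inheritance:r /grant `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' `
    "NT SERVICE\${ServiceName}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls on $InterfaceDir failed ($LASTEXITCODE)" }

# 4. The new token only applies to a fresh process: restart, then verify the
#    SID type, the privilege list, the recovery actions and the logon account.
Restart-Service -Name $ServiceName
Invoke-Sc qsidtype $ServiceName
Invoke-Sc qprivs   $ServiceName
Invoke-Sc qfailure $ServiceName
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName
```

Any other folder the interface writes to (buffer queues, log directories) needs the same grant for NT SERVICE\pisnmp1, or the service will fail after the restart; check the interface documentation for those paths before cutting inheritance. Firewall rules, the remaining scope item, are configured outside the SCM.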
  
Quiz
•  Find a Windows service that has an ‘unrestricted’ SID with minimal privileges.
Hint:
•  Use “sc query | findstr SERVICE_NAME”
•  Then “sc qsidtype servicename”
•  And “sc qprivs servicename” (scheduler, spooler, etc…)
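The quiz procedure (sc query, then sc qsidtype and sc qprivs per service) automated over every installed service, as an added PowerShell example not found in the presentation. It parses the text sc.exe prints, which is an assumption about the output format; run it elevated, since services that deny access to the caller show up as n/a.

```powershell
# Added example, not from the presentation: the quiz procedure for every service,
# so 'unrestricted SID + trimmed privilege list' candidates stand out.
function Get-ServiceHardeningState {
    # One CIM query for the logon accounts instead of one per service
    $logon = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object { $logon[$_.Name] = $_.StartName }

    foreach ($svc in (Get-Service | Sort-Object Name)) {
        $name = $svc.Name

        # "SERVICE_SID_TYPE:  UNRESTRICTED" (or NONE / RESTRICTED); missing on access denied
        $sidLine = & sc.exe qsidtype $name 2>$null | Where-Object { $_ -match '^SERVICE_SID_TYPE:' }
        $sidType = if ($sidLine) { ($sidLine -split ':\s*', 2)[1].Trim() } else { 'n/a' }

        # qprivs prints "PRIVILEGES : SeX" and then one "  : SeY" line per extra privilege
        $privs = @(& sc.exe qprivs $name 2>$null | ForEach-Object {
            if ($_ -match ':\s*(Se\w+Privilege)\s*$') { $Matches[1] }
        })

        [pscustomobject]@{
            Service    = $name
            LogOnAs    = $logon[$name]
            SidType    = $sidType
            # 0 means no privilege list is configured: the process keeps every
            # privilege of its logon account, not zero privileges.
            PrivCount  = $privs.Count
            Privileges = ($privs -join '/')
        }
    }
}

# Quiz: services that already have their own SID and an explicit, short privilege list
Get-ServiceHardeningState |
    Where-Object { $_.SidType -eq 'UNRESTRICTED' -and $_.PrivCount -gt 0 } |
    Sort-Object PrivCount |
    Format-Table Service, LogOnAs, SidType, PrivCount, Privileges -AutoSize
```

Drop the Where-Object filter to get the full inventory; rows with SidType NONE and PrivCount 0 running as LocalSystem are the ones the earlier slides describe as the default, and the most attractive to harden next.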
  
Network Service Restrictions
Define Required Communication Endpoints and Ports for each Windows Service

  Source (Windows service, port *)    Destination                                                  Port
  PI SNMP Interface                   SNMP ICS Device                                              161
  PI SNMP Interface                   DNS Server                                                   53
  PI SNMP Interface                   PI Server – PI Network Manager (Proxy for PIBufSS Service)   5450
Bind  Windows  Firewall  Rule  to  a  Service
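Binding rules to services, as an added example that is not the presentation's own or OSIsoft's: the three outbound flows from the data-flow slide become allow rules bound to the service that opens the socket, using the NetSecurity cmdlets (Windows 8 / Server 2012 and later). The IP addresses are constructed test values (RFC 5737 ranges), the buffer service name pibufss is an assumption, and SNMP over UDP 161 and PINET over TCP 5450 are the standard transports for those ports.

```powershell
# Added example, not from the presentation or OSIsoft: whitelist the outbound
# flows from the data-flow slide, each rule bound to the service that actually
# opens the socket. Addresses are constructed; 'pibufss' is an assumed name.
$InterfaceService = 'pisnmp1'
$BufferService    = 'pibufss'
$SnmpDevices      = @('192.0.2.10', '192.0.2.11')
$DnsServer        = '192.0.2.53'
$PiServer         = '198.51.100.20'
$Group            = 'PI Interface Hardening'

$common = @{ Group = $Group; Direction = 'Outbound'; Action = 'Allow' }

# Interface: SNMP polls to the listed devices only, plus its own DNS lookups.
# Built-in rules such as "Core Networking - DNS (UDP-Out)" are bound to a
# different service, so they do not cover this service's traffic.
New-NetFirewallRule @common -DisplayName 'PI SNMP Interface - SNMP poll (UDP 161)' `
    -Service $InterfaceService -Protocol UDP -RemotePort 161 -RemoteAddress $SnmpDevices
New-NetFirewallRule @common -DisplayName 'PI SNMP Interface - DNS (UDP 53)' `
    -Service $InterfaceService -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServer

# Buffer subsystem: PINET to PI Network Manager on the PI Server.
New-NetFirewallRule @common -DisplayName 'PI Buffer Subsystem - PINET (TCP 5450)' `
    -Service $BufferService -Protocol TCP -RemotePort 5450 -RemoteAddress $PiServer

# Whitelisting only bites once the profile's default outbound action is Block.
# Do not add a per-service "block everything else" rule instead: in Windows
# Firewall a Block rule overrides Allow rules for the same traffic. Enable the
# line below only after every other required outbound flow on the node
# (directory, time, patching, management) has its own allow rule.
# Set-NetFirewallProfile -All -DefaultOutboundAction Block

# Verify what each rule is bound to (service, protocol, port, remote hosts).
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Service       = ($_ | Get-NetFirewallServiceFilter).Service
        Protocol      = $port.Protocol
        RemotePort    = $port.RemotePort
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize

# Which service owns the built-in DNS rule named in the quiz hint?
(Get-NetFirewallRule -DisplayName 'Core Networking - DNS (UDP-Out)' | Get-NetFirewallServiceFilter).Service
```

The same Get-NetFirewallServiceFilter check is the programmatic form of the quiz hint: a rule that names a service applies only to processes running under that service's SID, which is why a rule for one service cannot be relied on to carry another service's packets.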
Quiz
•  Why did the PISNMP service need a separate firewall rule for DNS?
Hint:
•  Browse firewall rules for "Core Networking - DNS (UDP-Out)"
•  (Alt) redirect output to a file and search the file: “netsh advfirewall firewall show rule name=all verbose”
Ideal Case: More Secure by Default
[Diagram: Secure, Configuration, Maintenance]
References
•  Overview of Windows Services (Microsoft)
•  Securing PI Interfaces (OSIsoft UC2014 Learning Day Workbooks)

Enjoy the rest of OT Day and S4x15!

 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

Windows Service Hardening

  • 1. Windows Service Hardening: Applied to Securing PI Interfaces
    S4x15 OT Day
    Bryan S Owen PE, bryan@osiso8.com
  • 2. Objectives
    • What is Service Hardening?
    • How to harden a PI Interface?
  • 3. Service Hardening is a Defensive Practice
    • Part of the 'Assume Breach' mindset
    • Strive to limit damage potential
  • 4. Reality: Services are Attractive Targets
    • Readily discoverable
    • Open network ports
    • No user interaction
    • Elevated privileges
  • 5. Countermeasures
    Whitelisting approach for:
    1. Specific Privileges
    2. Allowed Communication
    [Diagram: Service Hardening covers ACLs (file system, registry) and the network]
  • 6. Windows Service Hardening
    Kernel changes in Windows 6.0 (Vista/2008 and later)
    • Reduce size of high risk layers
    • Segment the services
    • Increase number of layers
    [Diagram: kernel drivers, user-mode drivers, and services segmented into groups (Service 1, 2, 3, ... and Service A, B)]
  • 7. Built-in Users/Groups (most privilege to least privilege)
    • System
    • Administrators
    • Network Service
    • Users, Local Service
    • Virtual Service Account (NT Service\ServiceName)
  • 8. Default Service Account is 'System'!
    Used in the Stuxnet worm and numerous other attacks.
  • 9. Access Control List (ACL) Example
    Local System, default: Full control ...access to everything.
  • 10. Opportunities
    • Network access restrictions
    • Service isolation: file system and registry permissions
    • Specify required privileges
    • Service accounts
  • 11. PI SNMP Interface Case Study: Securing PI Interfaces
  • 12. PI SNMP Interface Data Flow
    SNMP-capable ICS device --(SNMP protocol)--> PI SNMP Interface Node (collect and buffer services) --(PINET protocol)--> PI Server
    [Diagram: each component and each protocol hop is labelled "Harden"]
  • 13. Service Hardening Scope
    1. Service Recovery Policy
    2. Reduce Privilege
    3. Protect File System
    4. Firewall Service Rules
  • 14. Service Control Manager "SCM" Configuration Tools
    • Basic
    • Advanced
  • 16. Service Process Privileges
    • System: SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeCreateSymbolicLinkPrivilege, SeDebugPrivilege, SeImpersonatePrivilege, SeIncreaseWorkingSetPrivilege, SeLockMemoryPrivilege, SeProfileSingleProcessPrivilege, SeSystemProfilePrivilege, SeTcbPrivilege, SeTimeZonePrivilege
    • Network Service: SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege
    • Minimum Required: SeChangeNotifyPrivilege
  • 17. Network Service
    No longer full access
    • Reduced privileges
    • Authenticated Users
  • 18. Quiz
    By default, is "Network Service" allowed to write then execute from disk?
    Hint:
    • "ICACLS %SystemRoot%\system32"
    • "ICACLS %SystemDrive%\"
  • 19. Service 'Hopping' with Built-In Accounts
    • Shared Logon: Network Service
    [Diagram: Network Service logon shared by Service1 and Service2 through a common ACL]
  • 20. Virtual Service Account
    • Creates a security identifier based on service name
    • Alternative to sharing built-in service accounts
    • NT Service\service name
    • Local account
    • Windows networking identity
      • Domain: machine name$
      • Workgroup: anonymous
    • Passwords
      • Automatically generated, non-expiring, cannot be locked out
      • 240 bytes, cryptographically random
  • 21. Enable Virtual Service Account (example)
    C:\>sc qsidtype pisnmp1
    [SC] QueryServiceConfig2 SUCCESS
    SERVICE_NAME: pisnmp1
    SERVICE_SID_TYPE: NONE

    C:\>sc sidtype pisnmp1 unrestricted
    [SC] ChangeServiceConfig2 SUCCESS
  • 22. SID Types
    • None: no virtual service account SID available.
    • Unrestricted: access token "NT SERVICE\ServiceName"
    • Restricted: access token with RESTRICTED, MANDATORY flags:
      • NT SERVICE\ServiceName
      • NT AUTHORITY\WRITE RESTRICTED
      • Everyone
      • NT AUTHORITY\S-1-5-5-0-….. (Logon SID; a unique SID is created for each logon session)
  • 23. Service Isolation: Grant permission to Virtual Service Account
    • Default: ACL grants Full Access on any file; Logon: Local System
    • More secure: ACL on Program Files\PIPC\Interfaces\SNMP grants NT Service\pisnmp1 – r/w; Logon: NT Service\PISNMP1
  • 24. Specify Required Privileges
    C:\>sc sidtype pisnmp1 unrestricted
    [SC] ChangeServiceConfig2 SUCCESS

    C:\>sc privs pisnmp1 seChangeNotifyPrivilege
    [SC] ChangeServiceConfig2 SUCCESS

    C:\>sc qprivs pisnmp1
    [SC] QueryServiceConfig2 SUCCESS
    SERVICE_NAME: pisnmp1
    PRIVILEGES : seChangeNotifyPrivilege

    ** Restart the service **
  • 25. Quiz
    • Find a Windows service that has an 'unrestricted' SID with minimal privileges.
    Hint:
    • Use "sc query | findstr SERVICE_NAME"
    • Then "sc qsidtype servicename"
    • And "sc qprivs servicename" (scheduler, spooler, etc.)
  • 26. Network Service Restrictions
    Define required communication endpoints and ports for each Windows service.
    • PI SNMP Interface (port *) -> SNMP ICS Device (port 161)
    • PI SNMP Interface (port *) -> DNS Server (port 53)
    • PI Network Manager (port *, proxy for PIBufSS service) -> PI Server (port 5450)
  • 27. Bind Windows Firewall Rule to a Service
  • 28. Quiz
    • Why did the PISNMP service need a separate firewall rule for DNS?
    Hint:
    • Browse firewall rules for "Core Networking - DNS (UDP-Out)"
    • (Alt) redirect output to a file and search the file: "netsh advfirewall firewall show rule name = all verbose"
  • 29. Ideal Case: More Secure by Default
    Secure -> Configuration -> Maintenance
  • 30. References
    • Overview of Windows Services (Microsoft)
    • Securing PI Interfaces (OSIsoft UC2014 Learning Day Workbooks)
    Enjoy the rest of OT Day and S4x15!
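The four-step hardening scope from slide 13 (recovery policy, reduce privilege, protect file system, firewall service rules) applied to the pisnmp1 service, as an added PowerShell example that is not part of the slide deck or OSIsoft's own tooling; the install drive, the ICS device address and the DNS server address are assumed placeholders.

```powershell
# Added example (not from the slides): harden the PI SNMP interface service "pisnmp1"
# following the four-step scope on slide 13. Run from an elevated PowerShell on the
# interface node. Addresses and the install drive are placeholders.
$svc       = 'pisnmp1'
$svcDir    = 'C:\Program Files\PIPC\Interfaces\SNMP'   # folder from slide 23, drive assumed
$icsDevice = '192.0.2.10'    # placeholder: SNMP-capable ICS device (TEST-NET range)
$dnsServer = '192.0.2.53'    # placeholder: DNS server used by the interface node

# 1. Service recovery policy: restart on failure instead of staying down.
sc.exe failure $svc reset= 86400 actions= restart/60000/restart/60000/restart/60000

# 2. Reduce privilege: log on as the virtual service account (NT SERVICE\pisnmp1),
#    expose its SID in the token, and declare the single privilege the process needs
#    (slides 16, 20, 21 and 24).
sc.exe config $svc obj= "NT SERVICE\$svc"
sc.exe sidtype $svc unrestricted
sc.exe privs $svc SeChangeNotifyPrivilege

# 3. Protect the file system: grant the virtual account modify (r/w) on the interface
#    folder only, rather than relying on Local System's full control everywhere (slide 23).
icacls $svcDir /grant "NT SERVICE\${svc}:(OI)(CI)M"

# 4. Firewall rules bound to the service identity (not only to an executable path),
#    one per required endpoint from slide 26: SNMP to the device and DNS resolution.
#    The PI Server connection on 5450 belongs to the buffering service, not to pisnmp1.
New-NetFirewallRule -DisplayName "$svc - SNMP to ICS device" -Direction Outbound `
    -Service $svc -Protocol UDP -RemotePort 161 -RemoteAddress $icsDevice -Action Allow
New-NetFirewallRule -DisplayName "$svc - DNS" -Direction Outbound `
    -Service $svc -Protocol UDP -RemotePort 53 -RemoteAddress $dnsServer -Action Allow

# Verify each setting, then restart so the new token takes effect (slide 24).
sc.exe qsidtype $svc
sc.exe qprivs $svc
icacls $svcDir
Get-NetFirewallRule -DisplayName "$svc*" | Get-NetFirewallServiceFilter
Restart-Service -Name $svc
```

The allow rules only take effect as a whitelist when the firewall profile's default outbound action is Block; with the default of Allow they document the required endpoints without restricting anything else.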