Bryan Owen of OSIsoft at S4x15 OTDay.
Bryan shows how to harden Windows services generically, and then specifically for a service used by OSIsoft's PI Server.
6. Windows Service Hardening
Kernel changes in Windows 6.0 (Vista/2008 and later)
• Reduce size of high risk layers
• Segment the services
• Increase number of layers
[Diagram: layered stack of Kernel Drivers, User-mode Drivers, and segmented services (Service 1, Service 2, Service 3, …, Service A, Service B)]
7. Built-in Users/Groups
Ordered from most privilege to least privilege:
• System
• Administrators
• Network Service
• Users, Local Service
• Virtual Service Account (NT SERVICE\ServiceName)
18. Quiz
By default, is "Network Service" allowed to write then execute from disk?
Hint:
• "ICACLS %SystemRoot%\system32"
• "ICACLS %SystemDrive%\"
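Added example, not part of Bryan's slides or of OSIsoft's material: a PowerShell check that answers the quiz mechanically for the two locations the icacls hint names. It reads the ACL and reports every Allow ACE that grants write or execute rights to Network Service itself or to a group its logon token carries. The group list is an assumption about the default token (Everyone, Users, Authenticated Users, SERVICE, NETWORK); adjust it for your build.

```powershell
# Added example (not from the original slides). Lists ACEs on a path that grant
# write or execute rights to NETWORK SERVICE directly or through the groups its
# token carries by default (assumed list below; adjust for your build).
function Get-NetworkServiceAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Identities = @(
            'NT AUTHORITY\NETWORK SERVICE',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\SERVICE',
            'NT AUTHORITY\NETWORK',
            'BUILTIN\Users',
            'Everyone'
        )
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Specific rights that let the caller add or change content on disk.
    $writeMask = [int]($fsr::CreateFiles -bor $fsr::CreateDirectories -bor
                       $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl)
    # On a directory ACE ExecuteFile means Traverse; it is still reported because
    # (OI) entries inherit onto files dropped into the directory.
    $execMask  = [int]($fsr::ExecuteFile -bor $fsr::ReadAndExecute -bor
                       $fsr::Modify -bor $fsr::FullControl)
    # Inherit-only ACEs often carry generic rights that do not map onto the
    # enum (they show up as negative numbers); test those bits on the raw mask.
    $GENERIC_ALL = 0x10000000; $GENERIC_EXECUTE = 0x20000000; $GENERIC_WRITE = 0x40000000

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        $canWrite = (($raw -band $writeMask) -ne 0) -or
                    (($raw -band ($GENERIC_ALL -bor $GENERIC_WRITE)) -ne 0)
        $canExec  = (($raw -band $execMask) -ne 0) -or
                    (($raw -band ($GENERIC_ALL -bor $GENERIC_EXECUTE)) -ne 0)
        if ($canWrite -or $canExec) {
            [pscustomobject]@{
                Path        = $Path
                Identity    = $ace.IdentityReference.Value
                Write       = $canWrite
                Execute     = $canExec
                Rights      = $ace.FileSystemRights
                Inheritance = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

# The same two locations the slide's icacls hint points at.
Get-NetworkServiceAccess -Path "$env:SystemRoot\system32" | Format-Table -AutoSize
Get-NetworkServiceAccess -Path "$env:SystemDrive\"        | Format-Table -AutoSize
```

Read the output per location: a row with Write and Execute both true for one of the token's groups, with inheritance onto files, is the condition the quiz asks about. Deny ACEs are skipped here for brevity; a full answer also has to honour any Deny entries that precede the Allow.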
19. Service 'Hopping' with Built-In Accounts
• Shared logon: Network Service
[Diagram: Service1 and Service2 both log on as Network Service, so a single ACL entry for Network Service grants the same access to both services; a compromise of one service reaches everything the other can touch]
20. Virtual Service Account
• Creates a security identifier based on the service name
• Alternative to sharing built-in service accounts
• NT SERVICE\<service name>
• Local account
• Windows networking identity
  • Domain: machine name$
  • Workgroup: anonymous
• Passwords
  • Automatically generated, non-expiring, cannot be locked out
  • 240 bytes, cryptographically random
22. SID Types
• None: no virtual service account SID available.
• Unrestricted: access token includes "NT SERVICE\ServiceName"
• Restricted: access token with RESTRICTED, MANDATORY flags:
  • NT SERVICE\ServiceName
  • NT AUTHORITY\WRITE RESTRICTED
  • Everyone
  • NT AUTHORITY\S-1-5-5-0-… (Logon SID; a unique SID is created for each logon session)
23. Service Isolation
Grant permission to Virtual Service Account
[Diagram: before and after for the PISNMP1 service]
• Before: PISNMP1 logs on as Local System; the default ACL gives full access to any file.
• After (more secure): PISNMP1 logs on as NT SERVICE\PISNMP1; the ACL on Program Files\PIPC\Interfaces\SNMP grants NT SERVICE\pisnmp1 r/w only.
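Added example, not part of Bryan's slides or of OSIsoft's tooling: the steps from slides 20, 22 and 23 carried through in PowerShell with sc.exe and icacls for a service with the short name PISNMP1. The service name and directory follow slide 23; that this path is where your interface lives, and that the service tolerates a restart, are assumptions. The SID type chosen is "unrestricted" (slide 22), which is what makes NT SERVICE\PISNMP1 usable in an ACL. Run elevated.

```powershell
# Added example (not from the original slides). Moves a service from Local
# System to its own virtual account, gives it an unrestricted service SID and
# grants that SID read/write on the single directory it needs.
# Assumptions: service short name and path follow slide 23; run as administrator.
$ServiceName = 'PISNMP1'
$DataDir     = "$env:ProgramFiles\PIPC\Interfaces\SNMP"   # adjust to the real install path

Stop-Service -Name $ServiceName -ErrorAction Stop

# 1. Per-service SID. 'unrestricted' puts NT SERVICE\<name> into the token so it
#    can be named in ACLs. Must be set before the service starts again.
sc.exe sidtype $ServiceName unrestricted | Out-Null

# 2. Virtual account logon. No password argument: Windows generates and manages
#    it (slide 20). sc.exe's parser needs the space after 'obj='.
sc.exe config $ServiceName obj= "NT SERVICE\$ServiceName" | Out-Null

# 3. Replace "full access for the service's account" with Modify for exactly
#    this identity. (OI)(CI) inherit the grant to files and subfolders.
icacls.exe $DataDir /grant "NT SERVICE\${ServiceName}:(OI)(CI)M" | Out-Null

Start-Service -Name $ServiceName

# Verify: SID type, configured logon, the account the process actually runs as,
# and the ACE that now exists on the directory.
sc.exe qsidtype $ServiceName
sc.exe qc $ServiceName | Select-String 'SERVICE_START_NAME'
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
Write-Host "Running as: $($svc.StartName) (PID $($svc.ProcessId))"
icacls.exe $DataDir | Select-String "NT SERVICE\\$ServiceName"
```

If the interface must also read files it does not own (DLLs under its install root, a shared config), those paths need the same kind of explicit grant; nothing else on the host gives the virtual account access, which is the point. Choosing "restricted" instead of "unrestricted" adds the WRITE RESTRICTED SID to the token (slide 22), so writes then succeed only on objects that explicitly grant the service SID or WRITE RESTRICTED, and the icacls step above becomes mandatory rather than optional.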
25. Quiz
• Find a Windows service that has an 'unrestricted' SID with minimal privileges.
Hint:
• use "sc query | findstr SERVICE_NAME"
• Then "sc qsidtype servicename"
• And "sc qprivs servicename" (scheduler, spooler, etc…)
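Added example, not part of Bryan's slides: the quiz's three sc.exe steps run over every installed service at once, so a service with an unrestricted SID and a short explicit privilege list can be picked out of a table instead of by hand. It parses the fixed labels sc.exe prints (SERVICE_SID_TYPE, PRIVILEGES); the assumption that those labels and the Se…Privilege names are unlocalised holds on the Windows builds I know of.

```powershell
# Added example (not from the original slides). Walks every service the way the
# slide's hint does (sc query / sc qsidtype / sc qprivs) and tabulates SID type,
# logon account and the explicit privilege list.
function Get-ServiceSidProfile {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $name = $svc.Name
        # sc.exe prints a line such as "SERVICE_SID_TYPE:  UNRESTRICTED"
        $sidLine = (sc.exe qsidtype $name) -match 'SERVICE_SID_TYPE'
        $sidType = if ($sidLine) { ($sidLine[0] -split ':\s*')[1].Trim() } else { 'UNKNOWN' }
        # sc.exe qprivs prints "PRIVILEGES : SeXxxPrivilege" and then one
        # privilege per following line; collect every Se...Privilege token.
        $privs = @((sc.exe qprivs $name) |
                   Select-String -Pattern 'Se\w+Privilege' -AllMatches |
                   ForEach-Object { $_.Matches.Value })
        [pscustomobject]@{
            Service    = $name
            SidType    = $sidType
            Account    = $svc.StartName
            PrivCount  = $privs.Count   # 0 = no explicit list, inherits the account's full set
            Privileges = $privs -join ','
        }
    }
}

# Candidates for the quiz: unrestricted SID, shortest explicit privilege list first.
Get-ServiceSidProfile |
    Where-Object { $_.SidType -eq 'UNRESTRICTED' } |
    Sort-Object PrivCount, Service |
    Format-Table Service, Account, PrivCount, Privileges -AutoSize
```

Read PrivCount carefully: zero does not mean "no privileges", it means no RequiredPrivileges list is configured, so the service gets everything its logon account holds. The services the slide names (scheduler, spooler) are the ones to compare against your own interface services.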
26. Network Service Restrictions
Define required communication endpoints and ports for each Windows service.
[Diagram: outbound connections from the PI SNMP Interface host]
• PI SNMP (port *) → SNMP ICS Device, port 161
• PI SNMP (port *) → DNS Server, port 53
• PI SNMP (port *) → PI Server, PI Network Manager port 5450 (Proxy for PIBufSS Service)
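Added example, not part of Bryan's slides or of OSIsoft's deployment guidance: the three flows in the slide 26 diagram expressed as Windows Firewall rules bound to the PISNMP1 service, using the NetSecurity cmdlets (netsh advfirewall, which the slide 28 hint uses for inspection, can create the same rules). The addresses are placeholders from the TEST-NET-1 documentation range, and the protocols (UDP for SNMP and DNS, TCP for PI Network Manager on 5450) are the usual defaults rather than something the slide states.

```powershell
# Added example (not from the original slides). Per-service outbound allow
# rules for the endpoints on slide 26. Assumptions: service short name PISNMP1,
# placeholder addresses (192.0.2.0/24 is a documentation range), standard
# protocols for each port. Run elevated.
$Service   = 'PISNMP1'
$IcsDevice = '192.0.2.10'
$PiServer  = '192.0.2.20'
$DnsServer = '192.0.2.53'

# Remove earlier copies so the script is re-runnable.
Get-NetFirewallRule -DisplayName "$Service - *" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Every rule is scoped to the service process, not to the whole host.
$common = @{ Direction = 'Outbound'; Service = $Service; Profile = 'Any'; Enabled = 'True'; Action = 'Allow' }

New-NetFirewallRule @common -DisplayName "$Service - SNMP to ICS device" `
    -Protocol UDP -RemoteAddress $IcsDevice -RemotePort 161 | Out-Null
New-NetFirewallRule @common -DisplayName "$Service - PI Network Manager" `
    -Protocol TCP -RemoteAddress $PiServer -RemotePort 5450 | Out-Null
# The service gets its own DNS rule; compare the 'Service' field of the
# built-in "Core Networking - DNS (UDP-Out)" rule to see why (slide 28 quiz).
New-NetFirewallRule @common -DisplayName "$Service - DNS" `
    -Protocol UDP -RemoteAddress $DnsServer -RemotePort 53 | Out-Null

# Review: each rule with the port, address and service filters it is bound to.
Get-NetFirewallRule -DisplayName "$Service - *" | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Action  = $_.Action
        Proto   = $port.Protocol
        Port    = $port.RemotePort
        Remote  = $addr.RemoteAddress
        Service = ($_ | Get-NetFirewallServiceFilter).Service
    }
} | Format-Table -AutoSize
```

Two caveats a practitioner needs. First, do not add a per-service "block everything else" rule: Windows Firewall evaluates Block rules ahead of Allow rules, so such a rule would also defeat the three allows above. The "deny by default" half of the slide comes from the profile setting (Set-NetFirewallProfile -All -DefaultOutboundAction Block), which is a host-wide decision that needs allow rules for every other service first. Second, a rule bound with -Service matches the process hosting that service; for a service that runs inside a shared svchost.exe the rule covers every service in that process, which is one more reason slide 6 argues for segmenting services.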
28. Quiz
• Why did the PISNMP service need a separate firewall rule for DNS?
Hint:
• Browse firewall rules for "Core Networking - DNS (UDP-Out)"
• (Alt) redirect output to a file and search the file: "netsh advfirewall firewall show rule name=all verbose"
29. Ideal Case: More Secure by Default
[Diagram: secure configuration, maintenance]
30. References
• Overview of Windows Services (Microsoft)
• Securing PI Interfaces (OSIsoft UC2014 Learning Day Workbooks)
Enjoy the rest of OT Day and S4x15!