LOCAL SECURITY AND PERMISSIONS - Sevecek · Default Volume Permissions SYSTEM, full control to be...


LOCAL SECURITY AND PERMISSIONS

Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |

Outline

Generic Terminology

NTFS Permissions

Registry Permissions

LDAP Permissions

File Sharing

Disk Quotas

Windows Management Instrumentation

Other Permission Settings

Windows Firewall

Service Accounts and Impersonation

Physical Security

BitLocker

Dynamic Access Control


GENERIC TERMINOLOGY

Advanced Windows Security

Security Descriptor

Objects are protected with permissions: files, folders, registry keys, LDAP objects, printers, windows, desktops, ...

ACE – Access Control Entry: one item in the permissions list (Deny or Allow)

ACL – Access Control List: the permission list

SACL – System Access Control List: the auditing ACL

Owner


Object Owner

Members of Administrators group: the owner is the Administrators group instead of the user

The owner can always change permissions, even if explicitly denied

Take Ownership: user right that allows taking ownership

CREATOR OWNER identity: used as a placeholder to express the current owner of the file

ACL Processing vs. ACE Order

ACEs are ordered

Note: this is contrary to the common statement that Deny ACEs are always stronger

the correct order must be maintained by applications when they modify the ACL

ACEs are evaluated in the order present, like with firewall rules


Lab: Investigate Incorrect ACE Order

Log on to GPS-WKS as Kamil

Start REGEDIT

Right-click on SYSTEM\CurrentControlSet\Services\{anyGUID}\Parameters\Tcpip and select Permissions

Note the text: The permissions on the object are incorrectly ordered, which may cause some entries to be ineffective

Click Cancel to see the incorrect order, click Advanced and note that the Full Control permissions are lower than expected

Auditing

Object Access auditing category: general switch to turn auditing on/off

ACEs in SACL of objects: be careful to audit only the precisely required ACEs, because applications generate an extreme number of access attempts


NTFS PERMISSIONS

Advanced Windows Security

NTFS Permissions


Common Permissions

Common permission   Real permissions
Read                Read data, Read attributes, Read extended attributes, Read permissions (Read control), List folder
Modify              Read + Write, Delete (not Delete subfolders)
Full Control        Modify, Change permissions (Write DAC), Take ownership

NTFS Permissions


Dynamic Access Control (DAC)

NTFS Inheritance

Newly created folders and files inherit from parent by default

Explicit permissions can be granted in addition

Inheritance can be blocked


NTFS Copying vs. Moving

note: moving a file/folder keeps its inherited permissions although they may not be inherited from the new parent (they are still displayed in gray)

        Single Volume              Between Volumes
Move    keeps, keeps inherited!    inherits new
Copy    inherits new               inherits new

Lab: Common Documents

Log on to server GPS-DATA

Create F:\FS, folder permissions:

  inheritance: disable (remove all)

  Allow, Administrators, Full Control, All objects

Create F:\FS\Doc, permissions:

  inheritance: inheriting from parent

  Allow, Employees, Read&Ex+CreateFolders, This folder only

  Allow, Employees, Modify, Subfolders and files only

  Allow, BIKES\Bikers, Read&Execute, All objects


Lab: User Home Folders

Log on to server GPS-DATA

Create F:\FS\Homes, permissions:

  inheritance: inheriting from parent

  Allow, Employees, Read&Execute, This folder only

  Allow, Employees, Create folders, This folder only

  Allow, Domain Computers, Read&Execute, This folder only
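The two labs above done in PowerShell, as an added example that is not part of the original slides: the "Applies to" scopes from the Explorer dialog are mapped to the .NET inheritance flags so that the explicit ACEs land exactly as listed. The F: volume and the principals GPS\Employees, BIKES\Bikers and GPS\Domain Computers are assumed to exist.

```powershell
# Added example, not code from the original slides. Assumed names: the F: volume,
# GPS\Employees, BIKES\Bikers and GPS\Domain Computers.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Explorer "Applies to" wording mapped to the .NET inheritance/propagation flag pairs.
$Scope = @{
    'This folder only'          = @([System.Security.AccessControl.InheritanceFlags]::None,
                                    [System.Security.AccessControl.PropagationFlags]::None)
    'All objects'               = @([System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
                                    [System.Security.AccessControl.PropagationFlags]::None)
    'Subfolders and files only' = @([System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
                                    [System.Security.AccessControl.PropagationFlags]::InheritOnly)
}

function New-FolderAce {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [Parameter(Mandatory)][string]$AppliesTo,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $inherit, $propagate = $Scope[$AppliesTo]
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $inherit, $propagate, $Type
}

function Add-FolderAce {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($Rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# F:\FS: block inheritance, drop the inherited ACEs, Administrators Full Control on everything.
# Done in one Set-Acl so the folder is never left with an empty DACL.
$null = New-Item -ItemType Directory -Path 'F:\FS' -Force
$acl = Get-Acl -LiteralPath 'F:\FS'
$acl.SetAccessRuleProtection($true, $false)   # $true = block inheritance, $false = do not keep inherited ACEs
$acl.AddAccessRule((New-FolderAce -Identity 'BUILTIN\Administrators' -Rights FullControl -AppliesTo 'All objects'))
Set-Acl -LiteralPath 'F:\FS' -AclObject $acl

# F:\FS\Doc keeps inheriting from F:\FS and gets the explicit ACEs from the lab.
$null = New-Item -ItemType Directory -Path 'F:\FS\Doc' -Force
Add-FolderAce -Path 'F:\FS\Doc' -Rule (New-FolderAce -Identity 'GPS\Employees' -Rights 'ReadAndExecute, CreateDirectories' -AppliesTo 'This folder only')
Add-FolderAce -Path 'F:\FS\Doc' -Rule (New-FolderAce -Identity 'GPS\Employees' -Rights Modify -AppliesTo 'Subfolders and files only')
Add-FolderAce -Path 'F:\FS\Doc' -Rule (New-FolderAce -Identity 'BIKES\Bikers'  -Rights ReadAndExecute -AppliesTo 'All objects')

# F:\FS\Homes: users may list it and create their own home folder, nothing more at this level;
# inside the folder they create, CREATOR OWNER (inherited from the volume defaults) takes over.
$null = New-Item -ItemType Directory -Path 'F:\FS\Homes' -Force
Add-FolderAce -Path 'F:\FS\Homes' -Rule (New-FolderAce -Identity 'GPS\Employees'        -Rights ReadAndExecute    -AppliesTo 'This folder only')
Add-FolderAce -Path 'F:\FS\Homes' -Rule (New-FolderAce -Identity 'GPS\Employees'        -Rights CreateDirectories -AppliesTo 'This folder only')
Add-FolderAce -Path 'F:\FS\Homes' -Rule (New-FolderAce -Identity 'GPS\Domain Computers' -Rights ReadAndExecute    -AppliesTo 'This folder only')

# Show the result the way the Advanced dialog does: explicit ACEs first, then inherited ones.
Get-Acl -LiteralPath 'F:\FS\Doc' | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags, PropagationFlags -AutoSize
```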

Roaming Profiles GPOs


Default Volume Permissions

SYSTEM, full control: to be able to create the page file

Administrators, full control

Users, read and execute

Users, create subfolders

CREATOR OWNER, full control: users can create subfolders and, in them, they can do anything

Lab: Default Volume Root and Profile Permissions

Log on to server GPS-DATA

Verify C:\ root folder permissions

Log on to GPS-WKS as GPS\Kamil

Verify C:\Users\Jitka folder permissions


Lab: Inherited Deny Can be Overridden

Log on to server GPS-DATA

Create a new file F:\FS\Doc\people.txt

Add the following ACE onto the F:\FS\Doc folder: Deny, Kamil, Delete

Open properties of the file F:\FS\Doc\people.txt and add the following ACE onto the file: Allow, Kamil, Full control

Navigate into the Advanced Security properties and verify that the Allow ACE is higher in the list than the inherited Deny ACE
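A script that shows what both order labs (the incorrectly ordered registry key and the explicit Allow above the inherited Deny) are about, as an added example that is not part of the original slides: it lists the ACEs of a file, folder or registry key in their stored order and reports whether that order is canonical (explicit before inherited, Deny before Allow within each group). The registry key name contains a placeholder for the adapter GUID, which is not on the slides.

```powershell
# Added example, not code from the original slides.
function Get-AceOrderReport {
    param([Parameter(Mandatory)][string]$Path)   # file, folder or HKLM:\... registry key

    $acl   = Get-Acl -LiteralPath $Path
    $rules = @($acl.Access)                      # returned in the stored (evaluation) order
    $report = for ($i = 0; $i -lt $rules.Count; $i++) {
        $r = $rules[$i]
        # Registry rules carry RegistryRights, file system rules FileSystemRights.
        $rights = if ($r -is [System.Security.AccessControl.FileSystemAccessRule]) { $r.FileSystemRights } else { $r.RegistryRights }
        [pscustomobject]@{
            Position  = $i
            Type      = $r.AccessControlType
            Identity  = $r.IdentityReference.Value
            Rights    = $rights
            Inherited = $r.IsInherited
        }
    }
    [pscustomobject]@{
        Path      = $Path
        # Same check the permission dialog performs before it warns about incorrect ordering.
        Canonical = $acl.AreAccessRulesCanonical
        Rules     = $report
    }
}

# "Inherited Deny Can be Overridden" lab: the explicit Allow for Kamil sits above the inherited
# Deny, the ACL is canonical, and because ACEs are evaluated in order the Allow wins.
$r = Get-AceOrderReport -Path 'F:\FS\Doc\people.txt'
"$($r.Path): canonical = $($r.Canonical)"
$r.Rules | Format-Table -AutoSize

# "Incorrect ACE Order" lab: on the adapter key Canonical should come back False, matching the
# GUI warning, and the Position column shows where the Full Control ACEs actually sit.
# Replace <adapter GUID> with the real key name from REGEDIT (not given on the slides).
# Get-AceOrderReport -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\<adapter GUID>\Parameters\Tcpip'
```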

Tools for NTFS Permissions

CACLS – limited, built into Windows XP

XCACLS – limited, part of the Windows Resource Kit

ICACLS – full functionality, Windows Vista/2008+

PowerShell – Get-Acl, Set-Acl

ROBOCOPY /COPYALL

AccessEnum


NTFS auditing subcategories

Auditing DELETE (open only)


Auditing DELETE (another open)

Auditing DELETE (final delete)


Note: Permissions and size metering

Incorrect folder sizes as a result of inaccessible sub-items

Note: Alternative NTFS streams

ECHO ahoj > test.txt:SevecekHiddenData

MORE < test.txt:SevecekHiddenData

Summary Information on Windows XP/2003 only

.URL link favicon

.EXE files downloaded from internet/network

DIR /R (since 8/2012)
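The ECHO/MORE pair from the slide redone with PowerShell's -Stream parameters, plus a function that lists every alternate data stream below a folder, as an added example that is not part of the original slides. The demo file is constructed under %TEMP%; the SevecekHiddenData stream name is the one from the slide.

```powershell
# Added example, not code from the original slides.
function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force | ForEach-Object {
        $file = $_.FullName
        # -Stream * enumerates all streams of the file; ':$DATA' is the ordinary file content.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $preview = if ($_.Length -le 200) {
                    "$(Get-Content -LiteralPath $file -Stream $_.Stream -Raw)".Trim()
                } else { "<$($_.Length) bytes>" }
                [pscustomobject]@{ File = $file; Stream = $_.Stream; Length = $_.Length; Preview = $preview }
            }
    }
}

# Constructed test data: the same hidden stream the slide creates with ECHO.
$dir  = Join-Path $env:TEMP 'ads-demo'
$null = New-Item -ItemType Directory -Path $dir -Force
$file = Join-Path $dir 'test.txt'
Set-Content -LiteralPath $file -Value 'visible content'
Set-Content -LiteralPath $file -Stream 'SevecekHiddenData' -Value 'ahoj'   # ECHO ahoj > test.txt:SevecekHiddenData
Get-Content -LiteralPath $file -Stream 'SevecekHiddenData'                # MORE < test.txt:SevecekHiddenData

# Review every non-default stream under the folder; DIR /R in CMD lists the same streams.
Get-AlternateStreams -Root $dir | Format-Table -AutoSize
# A file downloaded from the Internet additionally shows a Zone.Identifier stream containing
# ZoneId=3; Unblock-File removes that stream.
```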


REGISTRY PERMISSIONS

Advanced Windows Security

Registry Permissions

Mainly like NTFS permissions

Applies permissions to keys only: values cannot be secured


Registry Permissions

User Profile Permissions


User Profiles and Registry

User profiles

C:\Documents and Settings\%username%

C:\Users\%username%

User registry hive

%USERPROFILE%\NTUSER.DAT

Copying profiles

use System – Advanced – User Profiles tool for Default User

USMT!!!

Lab: Copying User Profiles

Log on to GPS-DC and start ADUC

Create a new user account: name: Klara; options: Password never expires

Log on to GPS-WKS as Kamil, start Control Panel – System – Advanced – User Profiles

Copy Judit's profile to C:\Users\Klara and prepare it for Klara

Start REGEDIT – File – Load Hive and load the C:\Users\Klara\NTUSER.DAT hive into HKLM\Klara

Verify registry permissions on the user's registry hive


LDAP PERMISSIONS

Advanced Windows Security

Active Directory Permissions

Enable the Security tab in ADUC – View – Advanced Features

Inheritance same as with NTFS

Some other differences against NTFS: moving objects, newly created objects, SELF identity


Default Security Descriptor

Newly created objects

inherit from parent (the same as with NTFS)

receive explicit ACEs from Default Security Descriptor

Default Security Descriptor

defined in AD Schema

modified occasionally by schema extensions

Lab: Default Security Descriptor

Log on to GPS-DC and start ADUC

Open Properties of Kamil user account

Open Security – Advanced and verify that it contains a number of non-inherited ACEs

Run REGSVR32 SCHMMGMT.DLL

Run MMC and import the Active Directory Schema snap-in

Find the user class and open its properties

Verify that the Default Security is consistent with the ACEs seen previously on Kamil's account


Lab: Join computer permissions

$ou = 'OU=Workstations,OU=Computers,OU=Company,DC=gopas,DC=virtual'

$who = 'GPS\WKS Admins'

dsacls $ou /T /S

dsacls $ou /Grant "$($who):CC;computer"

dsacls $ou /I:S /Grant "$($who):CA;Reset Password;computer"

dsacls $ou /I:S /Grant "$($who):RPWP;pwdLastSet;computer"

dsacls $ou /I:S /Grant "$($who):RPWP;servicePrincipalName;computer"

dsacls $ou /I:S /Grant "$($who):RPWP;dNSHostName;computer"

dsacls $ou /I:S /Grant "$($who):RPWP;msDS-AdditionalDnsHostName;computer"

dsacls $ou /I:S /Grant "$($who):RPWP;Account Restrictions;computer"

# really needed on top of userAccountControl in order to disable the account when dis-joining the domain

dsacls $ou /I:S /Grant "$($who):RPWP;member;group"

NETDOM JOIN script must use the Kerberos UPN @gopas.virtual because of the Protected Users group


Lab: Move computer permissions

$ouSrc = 'OU=Computers,OU=Company,DC=gopas,DC=virtual'

$ouTgt = 'OU=Workstations,OU=Company,DC=gopas,DC=virtual'

$who = 'GPS\WKS Admins'

# on the target OU

dsacls $ouTgt /Grant "$($who):CC;computer"

# on the objects in the source OU

dsacls $ouSrc /I:S /Grant "$($who):SD;;computer"

dsacls $ouSrc /I:S /Grant "$($who):WP;distinguishedName;computer"

dsacls $ouSrc /I:S /Grant "$($who):WP;name;computer"

dsacls $ouSrc /I:S /Grant "$($who):WP;cn;computer"

Inheritance and Moving Objects

Contrary to NTFS, inherited permissions are lost after move

Moved objects inherit new permissions from their target parent


Tools for LDAP Permissions

DSACLS – highly recommended instead of the GUI

Delegation of Control Wizard – can be modified in order to add new permission templates

LDAP Auditing

Directory Services Access

Directory Service Changes

Directory Service Replication

Detailed Directory Service Replication

Directory Service Access

DS Changes auditing records individual attribute values before and after the change


AD Console Custom Views

Lab: LDAP Permissions

Start CMD on GPS-DC as a domain admin

Grant Kamil permission to modify users' mail addresses in the People OU

dsacls ou=people,ou=company,dc=gopas,dc=virtual /I:S /G "gps\kamil:RPWP;mail;user"

Start MMC on GPS-WKS and add and customize the Active Directory Users and Computers console

Verify that Kamil can modify only the user's email address


FILE SHARING

Advanced Windows Security

File Sharing

SMB – Server Message Block protocol, sometimes referred to as CIFS (Common Internet File System); TCP 445, or NetBIOS for backward compatibility with NT4.0/98-

SMB versions: v1 – uninstall since 2012 (required only by XP/2003-); v2 – since Vista/2008; v3 – since 2012/8

Its own level of permissions: by default Read only; not usually used – Everyone = Full Control; used in the past with FAT or on Terminal Servers


Sharing Permissions

Read

Change: write, delete, create folders, ...

Full Control: change permissions

This is the only way to prevent the OWNER from gaining full control over his own files


Figure: Flow of Access Control (file sharing). Network path: TCP 445 -> Authentication (Kerberos, NTLM) -> Access this Computer from Network -> Access Token -> Sharing Permissions -> NTFS Permissions -> Disk. Local path: Allow Logon Locally -> Authentication (Kerberos, NTLM) -> UAC Restricted Access Token -> NTFS Permissions -> Disk.

Flow of Access Control

User establishes a TCP 445 connection

Server requires authentication: Kerberos, or fallback to NTLM; the user identity is established

Server builds an Access Token for the user

Server checks the Access this computer from network right

Permissions on the share get checked

Permissions on NTFS get checked


Lab: Sharing Doc and Homes

Log on to server GPS-DATA

Share the C:\FS\Doc folder as Documents

permissions: Everyone = Change

permissions: Administrators = Full Control

Share the C:\FS\Homes folder as Homes$

permissions: Everyone = Full Control

permissions: Administrators = Full Control
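The two shares from the lab created with the SMB cmdlets (Windows 8/2012+) instead of the GUI, with Access Based Enumeration switched on, as an added example that is not part of the original slides. It assumes the C:\FS\Doc and C:\FS\Homes folders from the lab exist on the server.

```powershell
# Added example, not code from the original slides.
$ErrorActionPreference = 'Stop'

$shares = @(
    # Share permissions are checked before NTFS, so Change here caps everybody at modify and the
    # finer Allow/Deny detail stays on the NTFS ACL of C:\FS\Doc.
    @{ Name = 'Documents'; Path = 'C:\FS\Doc';   ChangeAccess = 'Everyone'; FullAccess = 'Administrators' },
    # The trailing $ only hides the share from browse lists; it is not an access control.
    @{ Name = 'Homes$';    Path = 'C:\FS\Homes'; FullAccess = 'Everyone', 'Administrators' }
)

foreach ($s in $shares) {
    if (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue) { Remove-SmbShare -Name $s.Name -Force }
    # AccessBased = Access Based Enumeration: users see only the entries they can read.
    New-SmbShare @s -FolderEnumerationMode AccessBased | Out-Null
}

# Share-level ACLs as the server will evaluate them, before the NTFS check.
Get-SmbShareAccess -Name 'Documents', 'Homes$' |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize
```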

NET USE

NET USE \\gps-data /user:gps\kamil P$$wd

just provide credentials, no mapping

NET USE \\10.10.0.21 /user:gps\jitka P$$wd

the same server, but different credentials for different "name"

\\gps-data, \\gps-data.gopas.virtual, \\10.10.0.21 are all different "names"

NET USE \\gps-data /delete


Cleartext Passwords to NAS

Administrative Shares


Disable Admin Shares?

Should? Why should admins connect to admin shares at all? Malware can easily propagate to system folders; malware can replace system and application files

Should not? Antivirus client installation; System Center agents

How: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters, AutoShareServer = DWORD = 0

HKLM\System\CurrentControlSet\Services\LanManWorkstation\Parameters, AutoShareWks = DWORD = 0

Admin/hidden shares are public


File Share Auditing

Either Object Access on NTFS

Or the File Share subcategory of Object Access

AUDITPOL /set /subcategory:"File Share" /success:enable /failure:enable

File Share Auditing


Lab: File Share Auditing

Log on to GPS-DC and start GPMC

Create a new GPO to enable File Share auditing: name: Security: File Share Auditing; linked to: gopas.virtual; enforced: yes

Use Computer – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Object Access – File Share: success enable, failure enable

Log on to server GPS-DATA

Update group policy with GPUPDATE

Test share access from GPS-WKS as Kamil

On server GPS-DATA start Event Viewer and look up the File Share audit entries in the Security log
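The last lab step done from PowerShell, as an added example that is not part of the original slides: it reads the File Share audit events (ID 5140, a network share object was accessed) that the GPO causes GPS-DATA to write and summarises who reached which share from which address. The computer name and the one-hour window are parameters chosen for the lab.

```powershell
# Added example, not code from the original slides.
function Get-ShareAccessSummary {
    param([string]$Computer = 'GPS-DATA', [int]$Hours = 1)

    $filter = @{ LogName = 'Security'; Id = 5140; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the XML instead of relying on field positions.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Share  = $d.ShareName                 # e.g. \\*\Documents
                Source = $d.IpAddress                 # client address, useful against the GPS-WKS test
                Result = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
            }
        } |
        Group-Object User, Share, Source, Result |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{ Count = $_.Count; User = $first.User; Share = $first.Share; Source = $first.Source; Result = $first.Result }
        } |
        Sort-Object Count -Descending
}

Get-ShareAccessSummary -Computer 'GPS-DATA' -Hours 1 | Format-Table -AutoSize
# Per-file detail (ID 5145) needs the "Detailed File Share" subcategory and is far noisier,
# which is the same trade-off the Auditing slide makes for object SACLs.
```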

Access Based Enumeration


Selective authentication over trusts

Must assign Allowed to authenticate permission on target accounts


Lab: Selective Trusts

On GPS-DC switch the forest trust with BIKES domain to use Selective Authentication

Log on to BIKES-DC and try accessing \\GPS-DATA\Doc folder under BIKES\Tana credentials

On GPS-DC open properties of the GPS-DATA computer object and switch to Security tab

Grant BIKES\bikes-admin permission to Allowed to Authenticate on the GPS-DATA computer object

Verify the \\GPS-DATA\Doc access

Figure: Flow of Access Control with selective authentication. Network path: TCP 445 -> Authentication (Kerberos, NTLM) -> Allowed to Authenticate? -> Access this Computer from Network -> Access Token -> Sharing Permissions -> NTFS Permissions -> Disk. Local path: Allow Logon Locally -> Authentication (Kerberos, NTLM) -> UAC Restricted Access Token -> NTFS Permissions -> Disk.


Anonymous list of shares


+ Do not allow anonymous enumeration of shares: Disabled

+ Let everyone permissions apply to anonymous users: Enabled

+ Remotely accessible named pipes: SRVSVC


Anonymous list of shares

Disable SMBv1

2000/XP/2003 – SMBv1

Vista/2008/7/2008R2 – SMBv2

8/8.1/2012/2012R2/10/2016 – SMBv3+ (+encryption)

SMBv1 disabled by default on Windows 10 1803+, Windows 2019+
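A read-only check of the three settings named on the "Anonymous list of shares" slide together with the SMBv1 state, as an added example that is not part of the original slides. It reads the registry values behind the three security options and Get-SmbServerConfiguration (Windows 8/2012+) and prints the value a hardened host should have next to the current one.

```powershell
# Added example, not code from the original slides.
function Test-SmbHardening {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    $smb = Get-SmbServerConfiguration

    $checks = @(
        # Security option "Do not allow anonymous enumeration of SAM accounts and shares": RestrictAnonymous = 1
        @{ Setting = 'Do not allow anonymous enumeration of shares';
           Current = $lsa.RestrictAnonymous; Wanted = 1 },
        # Security option "Let Everyone permissions apply to anonymous users": EveryoneIncludesAnonymous = 0
        @{ Setting = 'Let everyone permissions apply to anonymous users';
           Current = $lsa.EveryoneIncludesAnonymous; Wanted = 0 },
        # SRVSVC in the null-session pipe list is what lets an unauthenticated caller list shares
        @{ Setting = 'Remotely accessible named pipes contain SRVSVC';
           Current = [int](@($srv.NullSessionPipes) -contains 'SRVSVC'); Wanted = 0 },
        @{ Setting = 'SMBv1 enabled';
           Current = [int]$smb.EnableSMB1Protocol; Wanted = 0 }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting = $c.Setting
            Current = $c.Current          # $null means the value is not set (OS default applies)
            Wanted  = $c.Wanted
            Ok      = ($null -ne $c.Current) -and ([int]$c.Current -eq $c.Wanted)
        }
    }
}

Test-SmbHardening | Format-Table -AutoSize
# Remediation for the last row is Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force;
# the version table on the slide shows which client generations still depend on SMBv1.
```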


DISK QUOTAS

Advanced Windows Security

Volume Based Disk Quotas

Available since NT4.0 SP5+

Properties of individual volumes

Quota usage determined by object owner: SYSTEM, Network Service, ...; Administrators; individual users

Limited per volume per owner


File Server Resource Manager

Per folder quotas

Available with Windows Server 2003 R2

Installable file system filter driver and Windows service

email and event notification to administrators

File Server Resource Manager


Tools for quotas

DIRQUOTA

Figure: Flow of Access Control with quotas. Network path: TCP 445 -> Authentication (Kerberos, NTLM) -> Allowed to Authenticate? -> Access this Computer from Network -> Access Token -> Sharing Permissions -> NTFS Permissions -> Disk. Local path: Allow Logon Locally -> Authentication (Kerberos, NTLM) -> UAC Restricted Access Token -> NTFS Permissions -> Disk. At the Disk stage Folder Quotas apply by Path and Volume Quotas by Owner.


WINDOWS FIREWALL

Advanced Windows Security

Versions            Windows XP          Windows 2003        Windows Vista/2008       Windows 7/2008 R2 and newer
Default state       enabled             disabled            enabled                  enabled
Direction           inbound             inbound             inbound, outbound        inbound, outbound
Profiles            Domain, Standalone  Domain, Standalone  Domain, Private, Public  Domain, Private, Public
Per NIC Profiles    no                  no                  no                       yes
Integrated IPSec    no                  no                  yes                      yes
Can disable MPSSVC  yes                 yes                 no                       no
Rule elements       .EXE                .EXE                .EXE, service            .EXE, service
Blocking rules      no                  no                  yes                      yes
Auditing            TXT file            TXT file            TXT file, Security log   TXT file, Security log


Windows Firewall General Functionality

IP, ICMP, TCP, UDP, GRE, AH, ESP inspection

Allow/block Rules

IP ranges

TCP/UDP/ICMP ports and IDs

per .EXE

per Service (since Vista/2008)

IPSec protection (since Vista/2008)

Network Profiles

Domain Profile

DNS + ping DC on Windows XP/2003

download Group Policy since Windows Vista/2008

Private Profile

can be selected if default gateway is accessible (MAC address)

Public Profile

transition profile

all other networks


Private vs. Public Profiles

Minimizing incident spreading

Figure: Minimizing incident spreading (three builds of one diagram): WKS, SRV and DC tiers; Wks Admins and the users Kamil and Jitka at the WKS tier; an AdminGUI host; the last build adds a MGMT server running under the svc-mgmt account with limited users.

Example Policy (Several GPOs)


Example Policy (No Merging)

Example Policy (Combine GPOs)


Inbound Blocking

Stealth only

Inactive open ports are stealth as well

Allow local loop-back access

Outbound Block Rules

Do not let applications time out

Immediately raise "general failure"


Firewall tools

NETSTAT -ano | FINDSTR :445 – locally opened and LISTENING ports

PORTQRY – port scan

PING

PSPING – ping + port scan

NETSH – enable/disable, define rules

Figure: Flow of Access Control with the firewall. Network path: Windows Firewall -> TCP 445 -> Authentication (Kerberos, NTLM) -> Allowed to Authenticate? -> Access this Computer from Network -> Access Token -> Sharing Permissions -> NTFS Permissions -> Disk. Local path: Allow Logon Locally -> Authentication (Kerberos, NTLM) -> UAC Restricted Access Token -> NTFS Permissions -> Disk. At the Disk stage Folder Quotas apply by Path and Volume Quotas by Owner.


Lab: Firewall

Define Windows Firewall GPOs for workstations:

FW: Block incoming with exceptions (all)

FW: Do not merge local rules (Workstations)

FW: Inbound Ping (all)

FW: Inbound RDP (domain profile, all)

FW: Block outbound with exceptions (Workstations)

FW: Outbound DNS (Workstations)

FW: Outbound DHCP (Workstations)

FW: Outbound all to 10.10.0.0/16 (Workstations)

FW: Outbound TCP 80, 443 (Workstations)

WMI Filter: Workstations

Lab: FW for Servers

Define Windows Firewall GPOs for servers:

FW: Allow/Allow

FW: Block Inbound WMI (note: do not block TCP 135)

WMI Filter: Servers
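The workstation and server policies from the two labs written as local NetSecurity cmdlets (Windows 8/2012+), as an added example that is not part of the original slides. The labs deploy the same settings through GPOs; adding -PolicyStore 'gopas.virtual\<GPO name>' to each cmdlet would write into a GPO instead of the local store. The rule names are the lab's, the port numbers are the standard ones for the listed services.

```powershell
# Added example, not code from the original slides.
$ErrorActionPreference = 'Stop'

# "Block incoming with exceptions" and "Block outbound with exceptions" are the profile defaults.
# "Do not merge local rules" would be -AllowLocalFirewallRules False on this cmdlet; it only has
# meaning when the settings come from a GPO store, so it is left out of the local version.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

$workstationRules = @(
    @{ DisplayName = 'FW: Inbound Ping';  Direction = 'Inbound';  Protocol = 'ICMPv4'; IcmpType = '8' },
    @{ DisplayName = 'FW: Inbound RDP';   Direction = 'Inbound';  Protocol = 'TCP'; LocalPort = '3389'; Profile = 'Domain' },
    @{ DisplayName = 'FW: Outbound DNS';  Direction = 'Outbound'; Protocol = 'UDP'; RemotePort = '53' },
    @{ DisplayName = 'FW: Outbound DHCP'; Direction = 'Outbound'; Protocol = 'UDP'; LocalPort = '68'; RemotePort = '67' },
    @{ DisplayName = 'FW: Outbound all to 10.10.0.0/16'; Direction = 'Outbound'; RemoteAddress = '10.10.0.0/16' },
    @{ DisplayName = 'FW: Outbound TCP 80, 443'; Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = '80', '443' }
)

foreach ($r in $workstationRules) {
    # Re-runnable: replace an existing rule of the same name instead of duplicating it.
    Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule @r -Action Allow | Out-Null
}

# Server lab: block inbound WMI but not the endpoint mapper on TCP 135. WMI listens on a dynamic
# RPC port inside svchost.exe (service winmgmt); the special value RPC matches those ports only,
# so other RPC services behind TCP 135 keep working. Block rules win over allow rules.
Get-NetFirewallRule -DisplayName 'FW: Block Inbound WMI' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'FW: Block Inbound WMI' -Direction Inbound -Action Block `
    -Program '%SystemRoot%\system32\svchost.exe' -Service winmgmt -Protocol TCP -LocalPort RPC | Out-Null

Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize
Get-NetFirewallRule -DisplayName 'FW: *' | Format-Table DisplayName, Direction, Action, Profile, Enabled -AutoSize
```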


Firewall Auditing

Text file since Windows XP

Security event log since Windows Vista/2008

Object Access category

Filtering Platform Connection subcategory

Filtering Platform Packet Drop subcategory

Firewall Auditing


Lab: Firewall Auditing

On GPS-WKS enable firewall auditing into Security log

On GPS-DC start CMD

Try PING GPS-WKS this should succeed

Try PORTQRY -n GPS-WKS -e 445 this should succeed

Try PORTQRY -n GPS-WKS -e 135 this should succeed

Try PORTQRY -n GPS-WKS -e 80 this should show state of FILTERED

Investigate the security event log entries on GPS-WKS
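The first and last lab steps done from PowerShell, as an added example that is not part of the original slides: it enables the two Filtering Platform subcategories from the Firewall Auditing slide and summarises the resulting blocked-connection and dropped-packet events (IDs 5157 and 5152) so the FILTERED result of the PORTQRY to port 80 can be matched to a Security log entry on GPS-WKS. The 30-minute window is a parameter chosen for the lab.

```powershell
# Added example, not code from the original slides.
function Enable-FirewallAuditing {
    foreach ($sub in 'Filtering Platform Connection', 'Filtering Platform Packet Drop') {
        # Packet Drop is very noisy; enable it only while investigating and switch it off afterwards.
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
}

function Get-BlockedConnectionSummary {
    param([int]$Minutes = 30)

    $filter = @{ LogName = 'Security'; Id = 5157, 5152; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Named EventData fields from the XML; positions differ between the two event IDs.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id        = $_.Id                                   # 5157 = connection blocked, 5152 = packet dropped
            Direction = if ($d.Direction -eq '%%14592') { 'Inbound' } else { 'Outbound' }
            Protocol  = switch ($d.Protocol) { '6' { 'TCP' } '17' { 'UDP' } '1' { 'ICMP' } default { $d.Protocol } }
            Source    = "$($d.SourceAddress):$($d.SourcePort)"  # GPS-DC for the lab's PORTQRY tests
            DestPort  = $d.DestPort                             # 80 shows up here, 445 and 135 do not
            Program   = $d.Application
        }
    } |
    Group-Object Id, Direction, Protocol, DestPort |
    Select-Object Count, Name |
    Sort-Object Count -Descending
}

Enable-FirewallAuditing
# ... run the PING / PORTQRY tests from GPS-DC, then on GPS-WKS:
Get-BlockedConnectionSummary -Minutes 30 | Format-Table -AutoSize
```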

DCOM AND WINDOWS MANAGEMENT INSTRUMENTATION

Advanced Windows Security


RPC and DCOM

Figure: RPC and DCOM. The client asks the RPC Endpoint Mapper on the server (SVCHOST.EXE, TCP 135) to activate an application by its UUID; the mapper launches the DCOM Application Server (APP.EXE / .DLL) on a dynamic TCP port and answers "The App is now running on port XXXX", which the client then connects to.

DCOM Applications

Windows Management Instrumentation (WMI)

Active Directory Certificate Services (AD CS)

Active Directory Replication

Event Log Remote Management

Task Scheduler Remote Management

Exchange Server


WMI

Remote management

DCOM based protocol, using random TCP ports

Uses normal authentication (Kerberos) and the Access this computer from network access check

By default allowed remotely only for Administrators

Lab: Testing Remote WMI

Log on to server GPS-DATA

Start MSINFO32

Use View – Remote Computer to connect to GPS-WFE and view the results

If the connection is not successful, enable Windows Management Instrumentation exceptions in Windows Firewall on GPS-WFE

PowerShell

gwmi Win32_Process -Computer GPS-WFE


WMI and DCOM Permissions

DCOM permissions are another layer of security before WMI permissions: DCOM computer-wide restrictions, then DCOM permissions on the DCOM server

WMI has its own namespace permissions

Any later access depends on the actual object permissions on the managed objects

Enabling remote WMI access to non-admins: http://www.sevecek.com/Lists/Posts/Post.aspx?ID=17

DCOM Machine Permissions


DCOM Server Permissions

WMI Permissions


Figure: Flow of Access Control for DCOM/WMI. Network path: Windows Firewall -> TCP 135, TCP random -> Authentication (Kerberos, NTLM) -> Allowed to Authenticate? -> Access this Computer from Network -> Access Token -> Machine DCOM Permissions -> DCOM Server Permissions -> Application Permissions (NTFS, processes, services). Local path: Allow Logon Locally -> Authentication (Kerberos, NTLM) -> UAC Restricted Access Token -> DCOM Server Permissions -> Application Permissions.

OTHER PERMISSION SETTINGS

Advanced Windows Security


Printer Permissions

Remote Desktop Permissions


Certification Authority Permissions

Process Permissions


Services and SDDL

SERVICE ACCOUNTS AND IMPERSONATION

Advanced Windows Security


Service Accounts

Services and IIS Application Pools run under some service identity

NT AUTHORITY\System

NT AUTHORITY\Network Service

NT AUTHORITY\Local Service

NT SERVICE\*

IIS APPPOOL\*

<domain>\*

Network Service vs. Local Service

DNS Client must register its DNS name, so it runs as NT AUTHORITY\Network Service: a dynamic DNS update requires Kerberos authentication

DHCP Client, although it is a networking service, does not require any authentication, so it runs as NT AUTHORITY\Local Service

Page 59

Lab: Network Service vs. Local Service

Log on to GPS-WKS as wks-admin

Using PSEXEC start a command line under each of the following identities:

PSEXEC -S -I -D cmd

PSEXEC -U "NT Authority\Network Service" -I -D cmd

PSEXEC -U "NT Authority\Local Service" -I -D cmd

Try the following access from each:

dir \\gps-dc\SYSVOL

Local administrator can obtain service passwords

Page 60

NT SERVICE

NT SERVICE "domain"

sc qsidtype
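An added example (my code, not from the slides) showing how the NT SERVICE\&lt;name&gt; SID that sc showsid prints is derived, and how to read the ServiceSidType a service was registered with (what sc qsidtype queries). TrustedInstaller is a real service with a well-known SID; W3SVC and MSSQLSERVER are assumed service names.

```powershell
# Added example, not from the slides: derive the NT SERVICE\<name> SID the way
# "sc showsid" does, and read the ServiceSidType a service was registered with
# (what "sc qsidtype" queries). Requires Windows and read access to
# HKLM\SYSTEM\CurrentControlSet\Services.

function Get-ServiceSidString {
    param([Parameter(Mandatory)][string]$ServiceName)
    # A virtual service account SID is S-1-5-80-<five sub-authorities>. The
    # sub-authorities are the SHA-1 hash of the upper-cased service name in
    # UTF-16LE, read as five little-endian 32-bit unsigned integers.
    $nameBytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $hash = $sha1.ComputeHash($nameBytes)
    $sha1.Dispose()
    $subAuthorities = foreach ($i in 0..4) {
        [System.BitConverter]::ToUInt32($hash, $i * 4)
    }
    return 'S-1-5-80-' + ($subAuthorities -join '-')
}

function Get-ServiceSidType {
    param([Parameter(Mandatory)][string]$ServiceName)
    # ServiceSidType is stored per service in the registry:
    # 0 = none (no NT SERVICE\ SID in the token), 1 = unrestricted, 3 = restricted.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $value = (Get-ItemProperty -Path $key -Name ServiceSidType -ErrorAction SilentlyContinue).ServiceSidType
    if ($value -eq 1) { 'Unrestricted' }
    elseif ($value -eq 3) { 'Restricted' }
    else { 'None' }
}

# Self-check against the well-known SID of NT SERVICE\TrustedInstaller.
$knownTrustedInstaller = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
if ((Get-ServiceSidString -ServiceName 'TrustedInstaller') -ne $knownTrustedInstaller) {
    throw 'Service SID derivation does not reproduce the TrustedInstaller SID'
}

# Report SID and SID type for a few services (W3SVC and MSSQLSERVER are
# assumed names; a service need not be installed for its SID to be computed).
foreach ($svc in 'TrustedInstaller', 'W3SVC', 'MSSQLSERVER') {
    [pscustomobject]@{
        Service = $svc
        Sid     = Get-ServiceSidString -ServiceName $svc
        SidType = Get-ServiceSidType -ServiceName $svc
    }
}
```

Because the SID is a hash of the name, it can be granted permissions (NTFS, registry, DCOM) before the service is even installed; SidType None means the service token does not contain it at all.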

Page 61

IIS_IUSRS


Page 62

IIS APPPOOL

Impersonation

Services usually access local resources under the remote user's identity instead of their own

Only to the network do they go under their own identity

Page 63

Impersonation

Impersonation (diagram): a Service or IIS App Pool running as GPS\svc-user accesses Local Resources (NTFS, DCOM, Registry) as GPS\kamil, but Network Resources (SQL, SMB, LDAP) as GPS\svc-user

Delegation (double-hop) (diagram): the Service or IIS App Pool accesses Local Resources (NTFS, DCOM, Registry) as GPS\kamil and Network Resources (SQL, SMB, LDAP) as GPS\kamil as well

Page 64

Lab: Preparations for Impersonation

Log on to GPS-WFE as srv-admin

Create folder C:\WEB\IS

Copy contents from D:\Sevecek\IISTesty\ASP into the C:\WEB\IS

Install IIS Web Server

include all role services except for FTP and Hostable Server Core

Open IIS console and delete Default Web Site and all Application Pools

Lab: Impersonation

Open IIS console

Create new Application Pool: name ISAppPool, identity Network Service

Create new Web Site: name IS, app pool ISAppPool, path C:\WEB\IS

Change IS authentication method to Basic (you must also disable Anonymous authentication)

Test http://gps-wfe/username.asp from GPS-WKS, logged on as GPS\Kamil

On GPS-WFE verify that W3WP.EXE is running under Network Service

Page 65

Lab: Permissions and Impersonation

On GPS-WFE change permissions of the C:\WEB\IS folder: Network Service – Read, Administrators – Full Control

From GPS-WKS verify that Kamil cannot access http://gps-wfe/username.asp

From GPS-WKS verify that srv-admin can access the web page

On GPS-WFE start Process Monitor and monitor the access attempt; verify that W3SVC, while impersonating Kamil, receives ACCESS DENIED on the username.asp file

Solve the problem

Domain | Account | Password | Groups | Local Isolation | Network Isolation | Kerberos PAC Validation
NT AUTHORITY | SYSTEM | automatic, 30 days | Administrators | no | MACHINE$ | no
NT AUTHORITY | Network Service | automatic, 30 days | Users | no | MACHINE$ | no
NT AUTHORITY | Local Service | no | Users | no | anonymous | no
NT SERVICE | <serviceName> | automatic, 30 days | Users | yes | MACHINE$ | no
IIS APPPOOL | <appPoolName> | automatic, 30 days | Users | yes | MACHINE$ | no
<domain> | <userName> | manual | Users | yes | yes | yes
<domain> | <managedSvcAccount> | automatic, 30 days | Users | yes | yes | no
<domain> | <groupSvcAccount> | automatic, 30 days | Users | yes | yes | no

Page 66

Group managed AD account

Computer password change

Page 67

Lab: Domain Account for IIS

On GPS-DC create new service account for IIS

OU: Service

name: svc-iis-isapppool

membership: Domain Users, Service Accounts

On GPS-WFE switch the identity of ISAppPool to GPS\svc-iis-isapppool

Verify HTTP connection and resolve all relevant issues

Obtain password with

AppPool passwords

C:\Windows\System32\InetSrv

APPCMD.exe LIST APPPOOL MyPool /text:*

Page 68

Task scheduler passwords

Lab: Investigating SQL Server

Install SQL Server 2012 on GPS-DATA

install: Database Engine, Management Tools

use default values

sysadmins: GPS\SRV Admins

Page 69

SQL Server Examples


Page 70

Lab: SQL Server

On GPS-DC create a new service account for the SQL Server instance: OU Service, name svc-sql-isdata, membership Domain Users, Service Accounts

On GPS-DATA open the SQL Server Configuration Utility console

Change the SQL Server service account to GPS\svc-sql-isdata

Verify the changes in the Services console and on the file system

On GPS-DC verify that GPS\svc-sql-isdata does not have a servicePrincipalName attribute

Enable GPS\svc-sql-isdata to update its own servicePrincipalName attribute:

DSACLS CN=svc-sql-isdata,OU=Service,OU=Company,DC=gopas,DC=virtual /G "SELF:RPWP;servicePrincipalName"

Restart the SQL Server instance and verify that the servicePrincipalName attribute has been populated with two Kerberos SPNs
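As an added example (my code, not part of the lab), the same SELF:RPWP grant on servicePrincipalName done from PowerShell, followed by a check that the two expected MSSQLSvc SPNs exist after the service restarts. The account DN and the ISDATA instance name come from the lab; the host FQDN gps-data.gopas.virtual and TCP port 1433 are assumptions.

```powershell
# Added example, not part of the lab: the SELF:RPWP grant on servicePrincipalName
# done from PowerShell, then a check that the two MSSQLSvc SPNs exist after the
# SQL Server service restarts. Needs the ActiveDirectory module (RSAT) and the
# right to modify the account's ACL on GPS-DC.

Import-Module ActiveDirectory

function Grant-SelfSpnWrite {
    param([Parameter(Mandatory)][string]$AccountDn)
    # Resolve the schemaIDGUID of servicePrincipalName from the schema rather
    # than hard-coding it; the ACE is then limited to that one attribute.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
    $spnGuid = [guid]$attr.schemaIDGUID

    $self   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')   # SELF
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($self, $rights, $allow, $spnGuid)

    $acl = Get-Acl -Path "AD:\$AccountDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$AccountDn" -AclObject $acl
}

function Test-SqlSpns {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$HostFqdn,
        [Parameter(Mandatory)][string]$Instance,
        [Parameter(Mandatory)][int]$Port
    )
    # A named instance registers one SPN by instance name and one by TCP port.
    $expected = @("MSSQLSvc/${HostFqdn}:$Instance", "MSSQLSvc/${HostFqdn}:$Port")
    $actual   = @((Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName).servicePrincipalName | Where-Object { $_ })
    $missing  = @($expected | Where-Object { $actual -notcontains $_ })
    [pscustomobject]@{
        Registered = $actual
        Missing    = $missing
        Ok         = ($missing.Count -eq 0)
    }
}

# Account DN and instance name are the lab's; the FQDN and port 1433 are assumptions.
Grant-SelfSpnWrite -AccountDn 'CN=svc-sql-isdata,OU=Service,OU=Company,DC=gopas,DC=virtual'
# Run after restarting the SQL Server instance on GPS-DATA:
Test-SqlSpns -SamAccountName 'svc-sql-isdata' -HostFqdn 'gps-data.gopas.virtual' -Instance 'ISDATA' -Port 1433
```

If Missing is not empty after the restart, clients fall back to NTLM for that instance; the ACE above is what lets the service register the SPNs itself without giving the account any broader write right.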

SQL Server Network Communications (diagram): the SQL Browser Service listens on UDP 1434 and answers the Query Instance List anonymously; the SQL Server Instance Service (SQLSERV.EXE) listens on a dynamic TCP port (Instance listening on TCP XXX) and authenticates with Kerberos/NTLM

Page 71

Lab: Firewall Exceptions for SQL Server

On GPS-DC tighten the firewall configuration for servers: remove GPO FW: Allow/Allow; apply WMI filter – Workstations and Servers – FW: Block incoming with exceptions (all)

Update Group Policy on GPS-DATA: GPUPDATE

On GPS-DATA define two firewall exceptions, for SQL Browser and for the ISDATA SQL Server instance

Verify connectivity from GPS-WKS: PORTQRY -n gps-data -e 1434 -p UDP and PORTQRY -n gps-data -e ???

PHYSICAL SECURITY

Advanced Windows Security

Page 72

Physical Security

If you have physical access to a machine or data storage, you have full access

Nothing can prevent you from obtaining Administrators access

How to make something physically secure? physical security and encryption

Attacks on Physical Security

Boot malware: UEFI Secure Boot (requires GPT disks + EFI system partition)

Hardware keyloggers

Hidden cameras

Offline OS modifications: reset accounts, replace system code, change configuration, install software keyloggers

Data theft

Page 73

UEFI Secure Boot (msinfo32)

Lab: Hacking into Windows

Log on to server GPS-DATA

Insert Windows 2008 R2 installation .ISO into DVD drive

Restart into the Setup

Press Shift-F10

CD windows\system32

COPY cmd.exe utilman.exe

Restart to the normal operating system and play with the Ease of Access dsa.msc, compmgmt.msc, iexplore, regedit, notepad

Page 74

BITLOCKER

Advanced Windows Security

Full Volume Encryption (FVE) aka Bitlocker

BitLocker can encrypt whole partitions (the whole partition together with the boot sector)

AES 128, AES 192, AES 256

Requires a “password” before boot

Protects against theft and against offline modification of operating system settings and/or data

Does not protect among different users: use permissions

Page 75

Requirements

Requires an unencrypted volume to boot from: 100 MB on Windows 2008/Vista

150 MB on Windows 2008 R2/7 – created automatically during installation

350 MB on Windows 8/2012

500 MB on Windows 10/2016

May encrypt system volume (2008/Vista)

May encrypt data and removable volumes (2008 R2/7+)

“Password” Options

48-digit “recovery password”

Free-typed “Password” (since 2008 R2/7)

USB “startup key” (.BEK), optional PIN

smart card with a certificate (data volumes only), mandatory PIN

TPM v1.2 Trusted Platform (Policy) Module built-in on the motherboard, optional PIN

Page 76

Trusted Platform Module

Does not require any user interaction during boot

Supplies the password automatically if:

no changes to BIOS/CMOS

no changes to boot order

no changes to master boot and boot records

no changes to boot loader

Allow BitLocker without TPM

Page 77

PIN length

Enabling BitLocker

Page 78

Recovery Options

Backup recovery password to AD

if the disk is ok but we have lost the password

Backup recovery blobs to AD

if the disk is corrupted and the password does not work

BitLocker AD Backup

Page 79

BitLocker AD Backup

BitLocker Recovery Password Viewer on Windows 2012+

Page 80

BitLocker AD Backup

Recovery password

valid decryption metadata must be available on the volume (3 identical backup locations)

Key package

self-sufficient for recovery of raw data

Lab: BitLocker

On GPS-DC create new GPO BitLocker: enable backup of BitLocker key into AD, enable BitLocker without TPM

On GPS-Data attach a virtual floppy .VFD disk

On GPS-Data enable BitLocker: manage-bde -on c: -recoverypassword -startupkey a:\

On GPS-DC verify that the recovery key has been backed up into AD

Restart GPS-Data and verify that BitLocker is encrypting the volume

Eject the .VFD virtual floppy

Restart GPS-Data to observe the manual key prompt

Turn off BitLocker on GPS-Data: manage-bde -off c:
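An added example (my code, not the lab's) for the "verify that the recovery key has been backed up into AD" step: run on GPS-DATA, it compares the recovery password protector of C: with the msFVE-RecoveryInformation objects under the computer account and re-runs the escrow if the protector is missing in AD. It assumes the BitLocker and ActiveDirectory PowerShell modules (Windows 2012+ with RSAT); the computer name comes from the lab.

```powershell
# Added example, not part of the lab: verify on GPS-DATA that the recovery
# password protector of C: has a matching msFVE-RecoveryInformation object under
# the computer account in AD, and re-run the escrow if it does not. Assumes the
# BitLocker and ActiveDirectory PowerShell modules (Windows 2012+ / RSAT).

Import-Module BitLocker
Import-Module ActiveDirectory

function Get-AdBitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Recovery information lives in child objects of the computer object.
    # msFVE-RecoveryGuid is the protector ID; msFVE-KeyPackage is the blob that
    # can recover raw data when the volume metadata itself is damaged.
    $computer = Get-ADComputer -Identity $ComputerName
    $query = @{
        SearchBase  = $computer.DistinguishedName
        SearchScope = 'Subtree'
        LDAPFilter  = '(objectClass=msFVE-RecoveryInformation)'
        Properties  = 'msFVE-RecoveryGuid', 'msFVE-KeyPackage'
    }
    foreach ($obj in Get-ADObject @query) {
        [pscustomobject]@{
            ProtectorId   = ([guid]$obj.'msFVE-RecoveryGuid').ToString('B')
            HasKeyPackage = ($null -ne $obj.'msFVE-KeyPackage')
        }
    }
}

function Test-BitLockerAdBackup {
    param(
        [string]$MountPoint = 'C:',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $inAd     = @(Get-AdBitLockerRecoveryInfo -ComputerName $ComputerName)
    foreach ($kp in $recovery) {
        # KeyProtectorId and ToString('B') both use the {guid} form; -eq ignores case.
        $match = $inAd | Where-Object { $_.ProtectorId -eq $kp.KeyProtectorId }
        if (-not $match) {
            # Same escrow the "backup to AD" GPO triggers when BitLocker is enabled.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        [pscustomobject]@{
            Volume        = $MountPoint
            ProtectorId   = $kp.KeyProtectorId
            WasInAd       = [bool]$match
            HasKeyPackage = [bool]($match.HasKeyPackage)
        }
    }
}

Test-BitLockerAdBackup -MountPoint 'C:' -ComputerName 'GPS-DATA'
```

HasKeyPackage being false means only the recovery password was escrowed, which is enough when the disk is intact but not when the volume metadata is corrupted.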

Page 81

ANTIMALWARE

Advanced Windows Security

Windows Defender

Windows 7+, Windows 2016+

Updates by using the Windows Update service, always directly from the internet + WSUS + SMB + MMPC

ignores Windows Update settings – must disable WUAUSERV

Page 82

WINDOWS UPDATE FOR SERVERS

Advanced Windows Security

Updating servers

Do not try to postpone restart

Control install times and restart immediately

GPO or registry HKLM\Software\Policies\Microsoft\WindowsUpdate\AU

AUOptions = DWORD

AutoInstallMinorUpdates = DWORD

NoAutoRebootWithLoggedOnUsers = DWORD

...

Page 83

Manual install + restart

Automatic Updates detection frequency: 7 hours

Turn on recommended updates via Automatic Updates: ENABLED

Configure Automatic Updates: 3 - Auto download and notify for install

Install updates for other Microsoft products: ENABLED

Allow Automatic Updates immediate installation: DISABLED

Reschedule Automatic Updates scheduled installations: DISABLED

Allow non-administrators to receive update notifications: DISABLED

No auto-restart with logged on users for scheduled automatic updates installations: DISABLED

Delay Restart for scheduled installations: 5 min

Always automatically restart at the scheduled time: 15 min

Automatic install + restart

Automatic Updates detection frequency: 7 hours

Turn on recommended updates via Automatic Updates: ENABLED

Configure Automatic Updates: 4 - Auto download and schedule the install, Saturday 03:00

Install updates for other Microsoft products: ENABLED

Allow Automatic Updates immediate installation: DISABLED

Reschedule Automatic Updates scheduled installations: DISABLED

Allow non-administrators to receive update notifications: DISABLED

No auto-restart with logged on users for scheduled automatic updates installations: DISABLED

Delay Restart for scheduled installations: 5 min

Always automatically restart at the scheduled time: 15 min
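An added example (my code, not from the slides) that audits a server against the two profiles above by reading the policy registry values under HKLM\Software\Policies\Microsoft\WindowsUpdate\AU (and ElevateNonAdmins one level up). The mapping from each slide setting to a registry value name is my own reading of the Windows Update policy values; "Install updates for other Microsoft products" is a Microsoft Update opt-in rather than a policy registry value, so it is not checked.

```powershell
# Added example, not from the slides: audit a server against the
# "Automatic install + restart" (or "Manual install + restart") profile by
# reading the policy registry values the GPO writes. The setting-to-value
# mapping is my own; "Install updates for other Microsoft products" is a
# Microsoft Update opt-in, not a policy registry value, so it is skipped.

function Test-AutoUpdatePolicy {
    param(
        [ValidateSet('AutomaticInstallRestart', 'ManualInstallRestart')]
        [string]$Mode = 'AutomaticInstallRestart'
    )
    $au = 'HKLM:\Software\Policies\Microsoft\WindowsUpdate\AU'
    $wu = 'HKLM:\Software\Policies\Microsoft\WindowsUpdate'
    $expected = @{
        "$au\AUOptions"                              = 4   # 4 = auto download and schedule the install
        "$au\ScheduledInstallDay"                    = 7   # Saturday (0 = every day, 1 = Sunday ... 7 = Saturday)
        "$au\ScheduledInstallTime"                   = 3   # 03:00
        "$au\DetectionFrequencyEnabled"              = 1
        "$au\DetectionFrequency"                     = 7   # hours
        "$au\IncludeRecommendedUpdates"              = 1   # recommended updates: ENABLED
        "$au\AutoInstallMinorUpdates"                = 0   # immediate installation: DISABLED
        "$au\RescheduleWaitTimeEnabled"              = 0   # reschedule scheduled installations: DISABLED
        "$au\NoAutoRebootWithLoggedOnUsers"          = 0   # DISABLED, so logged-on users do not block the restart
        "$au\RebootWarningTimeoutEnabled"            = 1
        "$au\RebootWarningTimeout"                   = 5   # delay restart: 5 min
        "$au\AlwaysAutoRebootAtScheduledTime"        = 1
        "$au\AlwaysAutoRebootAtScheduledTimeMinutes" = 15  # 15 min
        "$wu\ElevateNonAdmins"                       = 0   # non-admin notifications: DISABLED
    }
    if ($Mode -eq 'ManualInstallRestart') {
        # "Manual install + restart" only notifies (AUOptions 3) and has no schedule.
        $expected["$au\AUOptions"] = 3
        $expected.Remove("$au\ScheduledInstallDay")
        $expected.Remove("$au\ScheduledInstallTime")
    }
    foreach ($entry in $expected.GetEnumerator()) {
        $key    = Split-Path -Path $entry.Key -Parent
        $name   = Split-Path -Path $entry.Key -Leaf
        # A missing value reads as $null and therefore never equals the expected number.
        $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value    = $entry.Key
            Expected = $entry.Value
            Actual   = $actual
            Ok       = ($actual -eq $entry.Value)
        }
    }
}

# List only the values that deviate from the profile.
Test-AutoUpdatePolicy -Mode 'AutomaticInstallRestart' | Where-Object { -not $_.Ok }
```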

Page 84

Lab: Windows Update for Servers

Apply GPO for SERVERs only using an appropriate WMI filter

Mgmt: Windows Update - ??? + Restart

DYNAMIC ACCESS CONTROL

Advanced Windows Security

Page 85

Evolution

Access Control Lists (ACEs) and NTFS

File Server Resource Manager (FSRM) and simple file classification

Active Directory (AD) integrated classification and NTFS rules with term conditions

Automatic file classification with FSRM

Kerberos Claims and user attributes

Kerberos CompoundId and computer attributes

Central AD defined NTFS access rules and their enforcement with FSRM

Evolution

Feature | Server | Client | Schema 2012 / DFL / FFL
AND logic ACL | Windows 2012 | - | -
FSRM automatic classification | Windows 2012 FSRM | - | -
AD integrated classification terms | Windows 2012 FSRM | - | schema 2012, FFL 2003
AD integrated NTFS access rules | Windows 2012 FSRM | - | schema 2012, FFL 2003
User claims | Windows 2012 | - | one Windows 2012 DC
Computer claims | Windows 2012 | Windows 8, Windows 2012 | local Windows 2012 DC

Page 86

Claims, Terms, Classifications, Metadata

They are just the same thing

ACCESS CONTROL LISTS

What is New in Security in Windows 2012

Page 87

Until Windows 2012

Sorted in order

DENY is not always stronger

Has OR logic

shadow groups

combined "AND" groups

Group Limits

Access Token: 1024 SIDs

Kerberos ticket: 12 kB by default

global group = 8 B

domain local group / foreign universal groups = 40 B

260 max

Page 88

Disk

Classic flow of access control (diagram; elements recovered from the figure)

NTFS Permissions (Path, Owner); Folder Quotas; Volume Quotas; Sharing Permissions; Access this Computer from Network; Authentication (Kerberos, NTLM); Windows Firewall (TCP 445); Allow Logon Locally; Access Token, UAC Restricted Access Token; Allowed to Authenticate? (Kerberos, NTLM)

New in Windows 2012

AND logic possible

Extendable with claims

FSRM file claims

user claims

device (computer) claims

Requires domain membership

Windows 8, Windows 2012

Page 89

Disk

New flow of access control (diagram; elements recovered from the figure)

NTFS Permissions (Path, Owner); Folder Quotas; Volume Quotas; Sharing Permissions; Access this Computer from Network; Authentication (Kerberos, NTLM); Windows Firewall (TCP 445); Allow Logon Locally; Access Token, UAC Restricted Access Token; Allowed to Authenticate? (Kerberos, NTLM); Condition ACEs

FILE CLASSIFICATION

What is New in Security in Windows 2012

Page 90

File Server Resource Manager (FSRM)

Manual File Classification

Automatic File Classification

file name wildcard

folder path

words and/or regular expressions

PowerShell code

Locally vs. AD defined terms

Adds file metadata

alternate NTFS data streams

File claims and ACL

File claims can be used in the new ACE conditions

only AD based file terms

Page 91

AD defined file claims

Requires Windows 2012 schema extension

Requires Windows 2003 forest functional level

does not require any Windows 2012 DC

some editor like ADSI Edit or Windows 2012 ADAC

Must be uploaded to FSRM servers manually

KERBEROS CLAIMS

What is New in Security in Windows 2012

Page 92

Kerberos ticket until Windows 2012 KDC

User identity

login

SID

Additional SIDs

groups

SID history

Good old Kerberos (diagram): Client XP obtains a TGT from DC 2003, then a TGS; the TGS carries the SIDs and is presented to the Server

Page 93

What is new in Kerberos tickets with Windows 2012 KDC

User identity

login

SID

Additional SIDs

groups

SID history

User claims

AD attributes in Kerberos TGT tickets

Page 94

Requirements

At least single Windows 2012 DC (KDC)

Tickets are extendable

If a client does not understand the extension, it simply ignores its contents

If server requires user claims and they are not present in the TGS ticket, it can just ask a Windows 2012 DC directly (secure channel)

Good old Kerberos supports claims as well (diagram): Client XP obtains the TGT and TGS (SIDs) from DC 2003 as before; Server 2012 asks DC 2012 directly for the Claims

Page 95

Brand new Kerberos with Windows 2012 KDC (diagram): Client XP obtains a TGT from DC 2012 carrying SIDs and User Claims; the TGS presented to Server 2012 carries the SIDs and User Claims

Page 96

What is new in Kerberos with DFL 2012

User identity: login, SID

Additional SIDs: groups, SID history

User claims: AD attributes in Kerberos TGT tickets

Device claims: AD attributes of computers, Compound ID in Kerberos TGT tickets

Kerberos Compound ID with device claims (diagram): Client 8 sends a TGT Request to DC 2012 and receives a TGT with User Claims; the Computer TGT carries the Device Claims; both are used against Server 2012

Page 97

Brand new Kerberos with Windows 2012 KDC (diagram): Client 8 obtains a TGT from DC 2012 carrying SIDs, User Claims and Device Claims; the TGS presented to Server 2012 carries SIDs, User Claims and Device Claims

Requirements

At least local Windows 2012 DC (KDC)

better to have 2012 DFL for consistent behavior

Clients Windows 8 or Windows 2012

must ask for TGTs with Compound ID extension

Server cannot just obtain device claims because it does not know from what device the user came

Page 98

CENTRAL ACCESS RULES

What is New in Security in Windows 2012

Requirements

Windows 2012 schema extension

Windows 2003 forest functional level

does not require any Windows 2012 DC

some editor like ADSI Edit or Windows 2012 ADAC

Uploaded to FS by using Group Policy