Securing the Mac Sysadmin · docs.macsysadmin.se/2017/pdf/Day3Session2.pdf · 2017-10-05
Securing the Sysadmin
SAMUEL KEELEY / 2017-10-05 / MACSYSADMIN 2017
Securing the MacSysAdmin
Security for the Mac Admin #1
Practical Security for the Mac Admin #1
WHAT AM I REALLY TALKING ABOUT?
THINGS I WISH SOMEONE HAD MADE ME THINK ABOUT LONG AGO
MAY BE A TALE OF BEST PRACTICES, BUT FOR THIS SPECIAL AUDIENCE
YOU!
Ponder this!
• What access does a "standard user" have in your organization?
• What access do you have as a sysadmin?
You are the target. Defend yourself.
🕵🛡#🍌
🍌
🍌
Ponder this!
• What access does a "standard user" have in your organization?
• What access do you have as a sysadmin?
Access is key
• How could an attacker use the access of a Mac sysadmin to achieve success?
• Attackers target those with privileged access - that’s you!
Access is key
• Sysadmins have especially useful access, which an attacker can use to amplify or zone in attacks.
• Nobody is going to be perfectly safe, but thinking about security for the long term is key.
Access is key
• An attacker with unlimited resources can certainly achieve goals, but reality imposes limits.
• Make it so expensive in time or effort that attackers don’t win.
A LITTLE GAME
Never have I ever…
Connected to an RDP/VNC session from another user’s computer.
Never have I ever…
Connected to an RDP/VNC session from another user’s computer… and left the credentials saved.
Never have I ever…
Used my own credentials for an application such as a JSS or printer’s LDAP lookups.
Never have I ever…
Used the same password for multiple applications.
Never have I ever…
Submitted my password directly to an application.
All of these actions lead to the loss of control of one’s credentials.
PASSWORDS VS. KEYS
Passwords
• Usually memorable
• Commonly short (64-128 bits)
• Password itself is the secret
• Submit the secret to the requestor
• Easily phishable
• Crackable
• No ability to verify single possession
• Can be intercepted by services
Keys
• Not memorable
• Long (at least 1024 bits)
• Private key is the secret
• Submit proof of private key control to requestor
• Hard or impossible to phish
• Effectively not crackable if strong (2048 bit+)
• Can be secured easily to keep non-stealable
• Can’t be intercepted by services*
* avoid SSH agent forwarding
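
The contrast in the two lists between submitting the secret and submitting proof of private key control, as an added example that is not from the original slides: a toy challenge-response login beside a password login. The class and function names, the service-name binding and the toy RSA key built from public Mersenne primes (textbook RSA, no padding) are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy RSA key from two publicly known Mersenne primes (assumption for the demo:
# anyone can rebuild it, so it protects nothing). Textbook RSA, no padding.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                            # public modulus, 1128 bits
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, stays on the client

def _digest(service: str, nonce: bytes) -> int:
    """Hash service name and challenge together, binding a proof to both."""
    data = service.encode() + b"\x00" + nonce
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def client_prove(service: str, nonce: bytes) -> int:
    """Client: sign the challenge for the service it believes it is talking to."""
    return pow(_digest(service, nonce), D, N)

class KeyService:
    """Holds only the public key (N, E) and issues one-time challenges."""

    def __init__(self, name: str):
        self.name = name
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, proof: int) -> bool:
        if nonce not in self.pending:
            return False             # unknown or already used challenge
        self.pending.discard(nonce)
        return pow(proof, E, N) == _digest(self.name, nonce)

class PasswordService:
    """Receives the secret itself, so whatever it retains can be reused."""

    def __init__(self, stored: str):
        self.stored = stored
        self.seen = []               # what a logging or hostile service keeps

    def login(self, password: str) -> bool:
        self.seen.append(password)
        return secrets.compare_digest(password.encode(), self.stored.encode())

if __name__ == "__main__":
    svc = KeyService("jss.example")  # constructed service name
    n = svc.challenge()
    proof = client_prove(svc.name, n)
    print(svc.verify(n, proof), svc.verify(svc.challenge(), proof))
```

A proof captured by one service fails against a fresh challenge or a different service name, while a password retained by one service logs in at any other service that shares it.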
PASSWORDS
KEYS
KEY SECURITY
Security Keys (SMARTCARDS/PKCS#11 PROVIDERS/SMART TOKENS)
NO MO’ YOLO
How many types of actions can you take alone, without review or checks?
It takes two keys to launch a missile. What would a missile look like to your organization?
TOØLS
JAMF
Jamf Pro
• Restrict the web-facing API - you’ve probably opened it up for iOS MDM.
• Configure SAML-based SSO using a secure provider with MFA.
  • OneLogin
  • Duo
  • Okta
  • Google Cloud Identity
• Consider making changes programmatically over the API instead of the GUI, driven by code-level changes and a testing server, with no direct changes made on the real JSS.
MUNKI/PUPPET/IMAGR/DEPLOYSTUDIO/CHEF/ANSIBLE/SALTSTACK/AUTOPKG/ETC
Munki & Friends MUNKI/PUPPET/IMAGR/DEPLOYSTUDIO/CHEF/ANSIBLE/SALTSTACK/AUTOPKG/ETC
• These tools can be controlled solely through text files, making version control through git easy.
• This allows code review and, further, can be used to enforce code review.
• When used in conjunction with a product like GitHub or Phabricator, be sure that changes require at least two people to act.
• Ensure that pushes to master are blocked - merges must happen online.
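
One way to check that a repository actually blocks pushes to master and requires two people to act, as an added example that is not from the original slides: it audits records shaped like GitHub's branch protection REST response. The key names are GitHub's; the two sample records and the function names are constructed for illustration.

```python
# Constructed samples shaped like GitHub's "get branch protection" response.
DIRECT_PUSH_OK = {
    "required_pull_request_reviews": None,      # absent or null: no review gate
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
}
TWO_PERSON = {
    "required_pull_request_reviews": {
        # GitHub does not let authors approve their own pull request,
        # so one required approval means author + reviewer = two people.
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
}


def _enabled(protection: dict, key: str) -> bool:
    """Read the nested {"enabled": bool} flag, treating a missing key as off."""
    return bool((protection.get(key) or {}).get("enabled"))


def audit_branch_protection(protection: dict) -> list:
    """Return findings; an empty list means no single person can change master."""
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("direct pushes allowed: no pull-request review required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("pull request can merge with zero approvals")
        if not reviews.get("dismiss_stale_reviews"):
            findings.append("approval survives later commits to the pull request")
    if not _enabled(protection, "enforce_admins"):
        findings.append("administrators are exempt from the rules")
    if _enabled(protection, "allow_force_pushes"):
        findings.append("force pushes can rewrite reviewed history")
    return findings


if __name__ == "__main__":
    for name, record in (("weak", DIRECT_PUSH_OK), ("strong", TWO_PERSON)):
        print(name, audit_branch_protection(record))
```

The administrator exemption matters most for this audience: the sysadmins who own the repository are usually its administrators, so leaving them exempt removes the second key for exactly the accounts an attacker would target.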
PLEASE MIND THE SECURITY
???