System Hardening, Auditing, & Logs Day 8
Firewall Definition (16 Identify basic Windows Firewall concepts)
A firewall blocks network traffic based on rules.
The Windows Firewall (16.1 Enable Windows Firewall settings with the graphical user interface and command line tools)
Control Panel GUI: wf.msc
Command line: netsh advfirewall show allprofiles
PowerShell: Get-NetFirewallRule | Select Name, Enabled, Direction, Description | Format-List
Windows Firewall Components (16.2 Describe the different components of Windows Firewall)
The service itself: HKLM\SYSTEM\CurrentControlSet\services\MpsSvc
The executable hosting the service is svchost.exe; the hosted DLL is mpssvc.dll
Profiles: Private, Public, Work/Domain
Multiple profiles can be active on one interface at the same time
Log settings are per profile
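An added example (not from the course slides) that shows the per-profile state and log settings described above, then lists enabled inbound Allow rules open to any remote address; it assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated prompt, and changes nothing unless -Fix is given.

```powershell
# Added example, not part of the course material. Inspect firewall profiles and
# their per-profile logging, then list enabled inbound Allow rules that accept
# traffic from any remote address. Run elevated; -Fix is an assumed switch that
# turns on the hardened defaults at the end.
param([switch]$Fix)

# Log settings are per profile: Domain, Private and Public each have their own
# log file, size limit and allowed/blocked flags.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  LogFileName, LogAllowed, LogBlocked, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# Enabled inbound rules whose action is Allow and whose address filter is 'Any'.
$wideOpen = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($addr.RemoteAddress -eq 'Any') {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
    }
"Enabled inbound Allow rules reachable from any remote address: $($wideOpen.Count)"
$wideOpen | Sort-Object Profile, Name | Format-Table -AutoSize

if ($Fix) {
    # Enable every profile, block inbound by default, and log dropped packets so
    # the per-profile log actually records blocked connection attempts.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -LogBlocked True -LogMaxSizeKilobytes 16384
}
```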
New Technology File System (NTFS) (17.1 Describe basic file and folder permissions)
Each file in NTFS has a security descriptor. This security descriptor can include:
Security identifiers (SIDs) for the owner
A DACL that specifies the access rights allowed or denied to particular users or groups
A SACL that specifies the types of access attempts that generate audit records for the object
Modifying Permissions (17.2 Modify permissions in Windows; 17.3 Apply permissions based on users and groups)
GUI: right click, select Properties, select the Security tab
Command line: cacls.exe (Windows NT 3.5+), icacls.exe (Windows Server 2003 SP2+)
WMI: wmic PATH Win32_LogicalFileSecuritySetting WHERE path="C:\\Windows\\system32\\notepad.exe" CALL GetSecurityDescriptor
PowerShell: Get-Acl C:\Windows\System32\notepad.exe | Format-List
Sysinternals: accesschk C:\Windows\System32\notepad.exe
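An added example (not from the slides) that reads the security descriptor of a file with Get-Acl, prints the owner, DACL and SACL from the NTFS slide above, flags explicit ACEs that grant broad write rights, and can add an object-access audit ACE to the SACL; $Path defaults to a constructed temp file, and reading or writing the SACL needs SeSecurityPrivilege, so run it elevated.

```powershell
# Added example, not part of the course material. Show a file's owner, DACL and
# SACL, flag broad write ACEs, and optionally add an audit ACE (-AddAudit).
# $Path and -AddAudit are assumed parameters; the default file is constructed here.
param(
    [string]$Path = "$env:TEMP\acl-demo.txt",
    [switch]$AddAudit
)
if (-not (Test-Path $Path)) { Set-Content -Path $Path -Value 'constructed sample file' }

# -Audit also returns the SACL (needs SeSecurityPrivilege, i.e. an elevated prompt).
$acl = Get-Acl -Path $Path -Audit
"Owner: $($acl.Owner)"

"DACL (who may do what):"
$acl.Access | Select-Object IdentityReference, AccessControlType, FileSystemRights,
                            IsInherited, InheritanceFlags | Format-Table -AutoSize

"SACL (which access attempts generate audit records):"
$acl.Audit | Select-Object IdentityReference, AuditFlags, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Explicit (non-inherited) Allow ACEs granting any write bit to wide groups are
# the entries worth a second look on system files.
$wide = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    $wide -contains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
} | ForEach-Object { "Broad write ACE: $($_.IdentityReference) $($_.FileSystemRights)" }

if ($AddAudit) {
    # Object-access ACE in the SACL: record successful and failed write attempts.
    # Records only appear once 'Audit object access' / 'Audit File System' is
    # enabled in the audit policy (check with: auditpol /get /subcategory:"File System").
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList 'Everyone', 'Write', 'Success, Failure'
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path -Audit).Audit | Format-Table -AutoSize
}
```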
Windows Resource Protection (18.1 Describe Windows Resource Protection)
Previously Windows File Protection (WFP) in XP: watched for system file overwrite attempts, checked the file signature against a known good copy, and if the signature was bad, replaced the file with the copy from the system32\dllcache folder
Windows Resource Protection does the same thing
Additionally, it now keeps protected files from being installed to begin with, rather than just overwriting them afterwards
Protected files can only be installed by TrustedInstaller
Also protects system registry keys
Windows Resource Protection: What is protected? (18.2 Identify files that are protected by Windows Resource Protection)
Full list of protected files available at: https://msdn.microsoft.com/en-us/library/windows/desktop/aa382530(v=vs.85).aspx
Security Implications (18.3 Discuss the security implications of Windows Resource Protection on a compromised system)
Unable to overwrite protected files while Windows is running
Still able to load the drive into another OS and overwrite them
Drivers installed by third parties are not covered and can still be targeted for compromise
User Account Control (19.1 Identify the purpose of User Account Control (UAC))
UAC limits the privileges of applications run by the user, even when run as Administrator, to prevent the modification of system files, resources, or settings.
Requesting elevated privileges requires explicit acknowledgement from the user. [6]
Some Windows executables can "auto elevate" without a prompt.
User Interface Privilege Isolation (19.1 Identify the purpose of User Account Control (UAC))
UIPI is part of UAC. Each process is given a privilege (integrity) level.
A higher integrity level can send messages to a lower integrity level; a lower level can only read from a higher one.
UIPI can be bypassed by signed and trusted applications with the UIAccess manifest setting.
Information Assurance (IA) (20.1 Discuss information assurance and information security policies)
The practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.
Includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data.
Concerned with the business as a whole
Designed to cover more than just electronic information (paper, verbal)
Multi-discipline approach to protecting the business as a whole
Uses all available security mechanisms (technology, organisational, human-oriented, legal)
Decision making takes place at the management level
Information Security (20.1 Discuss information assurance and information security policies)
"Preservation of confidentiality, integrity and availability of information. Note: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved." ~ ISO 27000
The CIA Triad is the basis for InfoSec, but it has been greatly expanded upon since the 1970s, when it was first introduced, to include a wide range of 'security goals'
Primary focus is on technical security mechanisms
Crafted by technical employees rather than management
Day 9
Network Security Products (21.2 Identify network security products)
Monitors traffic across the wire. Can be inline or passive. Inline often modifies traffic between destination and source.
Firewalls
IDS/IPS
Web/Application Proxy
VPN Concentrator
Host-based Security Products (21.2 Identify network security products)
Runs locally on the machine, only concerned with that machine. OS dependent, version dependent. Some install as a service. Many new versions are cloud based.
System firewalls
Process monitoring, kernel calls
Directory monitoring
System setting/registry monitoring
Log monitoring
AAA
Application whitelisting
Signature Based Detection (21.3 Discuss signature based detection)
The device/software maintains a database of previously identified attack signatures and compares activities and binaries to this database to determine if they match.
Only capable of catching previously identified attacks
Signatures require constant updating
Small changes to a binary could bypass the signature
Heuristic Based Detection (21.4 Discuss heuristic based detection)
The device/software develops a baseline of the system, then looks for anomalous activity.
Has the potential to catch 0-day attacks (good luck)
Larger number of false positives vs. signature based detection (job security)
Windows Auditing (22.1 Explain why audit policies are important; 22.2 Explain the functionality of the main logs; 22.3 Discuss audit policy settings; 22.4 Identify the kinds of events that get audited and what they mean)
At startup (or on config changes), LSASS sends the system audit policy to the Security Reference Monitor (SRM).
When an object is accessed, SRM generates audit messages and sends them to LSASS.
LSASS sends the event log messages on to the Event Logger.
Auditing settings are contained in the System Access Control List (SACL).
Object-access ACE: audit settings defined on a per-object basis
Global Audit Policy (global SACL): a global policy to set up auditing on all objects of one type, i.e. file system objects or registry keys
The corresponding audit setting in Local Security Policy must also be enabled for auditing to be logged
Analyze Event Logs (24.1 Identify events that would be audited and why; 24.2 Identify the location of logs on the Windows system)
eventvwr
C:\Windows\System32\Winevt folder. Locations are configurable.
Command Line Tools to View Event Logs (24.3 Employ command line tools to view event logs)
Command Prompt:
wevtutil el                          # list all logs
wevtutil gli security                # get security log info
wevtutil qe security /c:3 /rd:true   # get the 3 most recent events from the security log (/rd:true reads newest first; without it the 3 oldest are returned)
PowerShell:
Get-EventLog -LogName System -Newest 10
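An added example (not from the slides) that ties the auditing slide to the log tools: it pulls object-access events (4656, handle requested; 4663, access attempted) from the Security log with Get-WinEvent, extracts the object, user and process from each event's XML, and summarises who touched which audited object. It assumes an elevated prompt, and that a SACL plus the File System audit subcategory are already in place; the $MaxEvents and $PathFilter parameters are assumed.

```powershell
# Added example, not part of the course material. Summarise Security-log
# object-access events generated by SACL entries. Run elevated; $MaxEvents and
# $PathFilter are assumed parameters (wildcard match on the ObjectName field).
param([int]$MaxEvents = 500, [string]$PathFilter = '*')

# 4656 = a handle to an object was requested, 4663 = an attempt was made to
# access an object. Both carry ObjectName, SubjectUserName, ProcessName, AccessMask.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

function Get-EventField {
    # Pull a named <Data Name="..."> field out of the event's XML body.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    $obj = Get-EventField $e 'ObjectName'
    if ($obj -like $PathFilter) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = $e.Id
            User       = Get-EventField $e 'SubjectUserName'
            Process    = Get-EventField $e 'ProcessName'
            Object     = $obj
            AccessMask = Get-EventField $e 'AccessMask'   # hex bitmask of rights requested
        }
    }
}

"Object-access events matched: $(@($rows).Count)"
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Counts per object and user: a quick view of who touches audited objects most.
$rows | Group-Object Object, User | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize
```

If no rows come back, confirm the policy first with `auditpol /get /subcategory:"File System"` and check that the object actually carries an audit ACE (Get-Acl -Audit).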
Discussion: Covering Tracks
Discuss the purpose of covering your tracks