Tuesday, 11 September 2012

Securing your environment

So a recent risky.biz podcast (ep 252 here; http://risky.biz/RB252) prompted me to write this.
The host, Patrick Grey, Adam Boileau and later HD Moore were talking about the recent mass ownage of 30,000 workstations at Aramco, ouchies. Some of the things that were mentioned I have done before so I thought I would get them out there;

First up Administrative monitoring in a Windows Domain, trivially easy, should only take 15minutes at most to setup.

On one of your DC's create a group-audit.vbs file as below

'  Rem this script will query a group
sLDAPPath = WScript.Arguments.Item(0)
'wscript.echo sLDAPPath
strTargetGroupDN = "LDAP://" & sLDAPPath &""
EnumNestedgroup strTargetGroupDN
Function EnumNestedgroup(strGroupDN)
    Set objGroup = GetObject(strGroupDN)
    For Each objMember in objGroup.Members
        If (LCase(objMember.Class) = "group") Then
            wscript.echo objMember.AdsPath
            EnumNestedgroup objMember.AdsPath
            Wscript.Echo objMember.DisplayName & " ; " & objMember.Mail
        End If
    Set objGroup = Nothing
End Function

Then in a batch file run the below for each group (in the CN, I suggest domain adminis, administrators, enterprise admins, schema admins and any other privleged group) you want to monitor (different log files at the end) Then just diff them at the end of the script and email (blat is your friend) if there are any differences.
cscript //nologo C:\scripts\group-audit.vbs "CN=Domain Administrators,CN=Builtin,DC=DOMAIN,DC=TLD" > C:\scripts\administrators.log

Sudoers/Root group monitoring for Linux;
similar to our windows script run the below depending on the groups you need to monitor then diff the results from a previous time then pipe out to email, if you don't have getent use (grep ^GROUPNAME /etc/group). Then just sendemail (the Linux equivalent of blat) at the end if there is an error;
mv \root\logs\sudoers.log \root\logs\old\
mv \root\logs\root.log \root\logs\old\
getent group sudoers > \root\logs\sudoers.log
getent group root > \root\logs\root.log
diff  \root\logs\sudoers.log \root\logs\old\sudoers.log
diff  \root\logs\root.log \root\logs\old\root.log 

Inactive accounts check and if your really harsh disable in windows;
The 12 below is the number of weeks to look for, this is not foolproof sometimes accounts will show up that have been active more recently;
dsquery user -inactive 12 -limit 0 |find /v "OU=Disabled Accounts(Good idea to have this OU)" |find /v "OU=ANY OU YOU WANT TO IGNORE" > c:\scripts\inactive.txt
rem this is the disable part remove the double % if not used in a batch script. Hope you don't have # in your usernames too :)
for /f "delims=#" %%a in ('type c:\scripts\inactive.txt"') do (
    dsmod user %%a -disabled yes
  dsmove %%a -newparent "ou=Disabled Accounts,,

SSH monitoring for Linux, Fail2Ban or Denyhosts, use one or the other, love it.

Different local admins per computer, this idea came from a colleague that worked at a big multinational who said they had this as a standard, very cool idea. This will stop viruses and worms that simply learn the local admin then propagate via admin$ shares using this wherever they can. It won't stop a committed attacker who will probably work out the system (you can increase the password length by increasing the 15 on the set final pass, heck even do a second different md5 of something). This should be put in a batch file that is then set via scheduled task to run at midnight, you can go even further and set it to run hourly extending the thedate variables;

set thedate=%date:~4,10%
set passphrase="PASSWORD HERE"
for /f %%a in ('c:\stat\md5.exe -d%computername%%passphrase%%thedate:/=-%') do Set pass=%%a
set finalpass=%pass:~0,15%

net user LOCALADMIN %finalpass%

Then to retrieve the computers password simply run the below batch file, obviously protect the passphrase and retrieval batchfile somehow, and if just anyone can access the script on the local pc then they can see what the password is, so lock it down with permissions;

set /p computer="Enter computer hostname: " %=%
for /f %%a in ('c:\stat\md5.exe -d%computer%%passphrase%%thedate:/=-%') do Set pass=%%a
echo %pass:~0,15%

Workstation and server hardening.
This is a massive topic that people have written hundreds of volumes on, but really keep all your stuff up to date and look at what lockdown stuff is in your OS, obviously easier said than done, otherwise something like 80% of breaches wouldn't occur.
For network lockdown in windows there is the windows firewall, IP filtering(Windows 2003 only), and IPsec policy that can all easily lock down ports and applications. 
On Linux there is iptables, which is easy enough to use, see here for a quick guide http://richmorrison.net/?p=36

Generally speaking you limit the number of local admins/super users on any OS', so monitor this too. Monitor your important groups, heck on a windows workstation the below will do the trick;
net localgroup administrators > c:\scripts\local-admin.log
then diff it from last time and alert on difference.

Av is dead, so is blacklisting. Sure keep av running to protect any systems that don't have your kick ass whitelisting enabled. Use something simple, Clam is my favorite for simple effective av, cross platform too, windows you probably need more depending on what the machine is used for and your budget. I am generally pretty loathe to put more and more agents on servers, as one will always eventually cause a crash, so they really have to add value on an immense scale for me to say ok.
For filesystem and application lockdown; in windows there is Software restriction policy (SRP) and app locker, which from my playing around looks like a gussied up version of SRP. I would suggest if you have applocker use it to whitelist a clean system then block everything else and you are pretty safe for the time being, I can't find any info on the hash applocker uses but even if it is md5 the chance that some random attacking your server/pc is going to be able to generate an exe with their payload that has a hash collision with an existing file is pretty small. Of course if you chose signed exe's then some of the more recent possible state sponsored malware that comes signed will still get you, but then you could just hash your whole clean system and be pretty damn safe.
If you are stuck on an older system with just SRP you can still hash your files, heck you can use something md5deep or sha1deep to get all the hashes you need and script creation of your rules, or just compare the hashes later as a form of poor mans tripwire.
On Linux you have apparmor and SElinux, I prefer SElinux's approach but Apparmor is much easier to configure without breaking things. It is horses for courses, but I would recommend whichever way you go, don't go with the distros rather relaxed default. 
There are guides out there, so I am not going to reproduce them for SRP, app armour, SElinux and Apparmour, so go google. Another one I didn't mention as I have yet to have a decent play with it, is El Jefe (http://www.immunityinc.com/products-eljefe.shtml), which although being another agent does live processor monitoring and trending which is pretty cool.

Network segregation; really that is it, segregate your servers based on what they do, limit communication between them with a firewall. Easy to do get ipcop or smoothwall if you have no cash, think does this device really need to talk to that device, if no then why can it. 

This is all simpler said than done. But there you have it just a quick dump of protections that I have used and would recommend. Some of these you can get in with no pain, this was just meant to be a quick few scripts I have written over the years but ended up a diatribe against add-ons and a spruik of built in features... Ah well I hope it is of use to someone.

No comments: