230 likes | 412 Views
Safe Harbor. Using PowerShell to Configure Secure Environments and Delegated Administration. Using PowerShell to C onfigure S ecure E nvironments and Delegated A dministration. Typical Corporate Environment. Personal health information (PHI). Personally identifiable information (PII).
E N D
Safe Harbor Using PowerShell to Configure Secure Environments and Delegated Administration Using PowerShell to Configure Secure Environments and Delegated Administration
Typical Corporate Environment Personal health information (PHI) Personally identifiable information (PII) Trade secrets Intellectual property
“New” Threat Personal health information (PHI) Personally identifiable information (PII) Trade secrets Intellectual property
Demo Scenario • Single corporate domain • Multiple domain admins • Many domain users have been granted more access than required because it was easier • Recently discovered that domain environment has been compromised • Business critical information on 3 different file servers • Suspected source of compromise is within corporate domain
Environment Servers containing critical information DHCP Dept. Head P.A.P.A Domain (Corporate.Contoso.Com) User Domain Admin Domain Controller
Plan of Attack • Create Isolated Environment • Limit Access • Add Servers Securely • Configure Servers • Separate Domain Controller • DSC Pull Server • JEA Management head (Jump box) • Domain Admins • Firewall Ports • Resources • Never on Corp domain • Boot to pull server for configuration • Configure and copy critical information
Environment Servers containing critical information DHCP Dept. Head P.A.P.A Domain (Corporate.Contoso.Com) User Domain Admin Domain Controller
Create Isolated Environment DHCP Dept. Head P.A.P.A Corporate Safeharbor (safeharbor.contoso.com) User SH Admin Domain Admin DSC Pull Server SH DC Requests One Way Trust
Domain ControllerConfiguration • Create Isolated Environment ConfigurationDomainController { Import-DscResource-NameDemo_Computer,Demo_Domain,Demo_DNSTransferZone Node $AllNodes.Where{$_.Role -eq"DomainController"}.NodeName { Script NoIPv6 # Script to disable IPv6 {...} Computer MachineName { Ensure ="Present" Name =$Node.MachineName DependsOn="[Script]NoIPv6" } WindowsFeatureADDS { Ensure ="Present" Name ="AD-Domain-Services" DependsOn="[Computer]MachineName" } Domain Forest { Name =$Node.DomainName AdministratorCredential= (Import-Clixml$Node.DomainCredFile) DependsOn="[WindowsFeature]ADDS" } } }
DomainTrustConfiguration • Create Isolated Environment ConfigurationDomainTrust { Import-DscResource-NameDemo_DomainTrust,Demo_DNSSecondaryZone Node $AllNodes.Where{$_.Role -eq"DomainController"}.NodeName { if($Node.TrustDomainName) { DomainTrustTrustDomain { Ensure ="Present" SourceDomain=$Node.SourceDomainName TargetDomain=$NOde.TrustDomainName TargetDomainAdminCredential=Import-CliXMl ($Node.TrustDomainCred) TrustDirection=$Node.TrustDirection TrustType=$Node.TrustType } } } }
configurationDSCServer { Import-DscResource-NameDemo_DSCService,Demo_Computer Node $AllNodes.Where{$_.Role -eq"PullServer"}.NodeName { Script NoIPv6 # Script to disable IPv6 {...} Computer NameAndDomain { Ensure ="Present" Name =$Node.MachineName DomainName=$Node.DomainName Credential = (Import-CliXML$Node.DomainCredFile) DependsOn="[Script]NoIPv6" } WindowsFeatureDSCServiceBin { Ensure ="Present" Name ="DSC-Service" DependsOn="[Computer]NameAndDomain" } DSCServiceODataEP { Ensure ="Present" Name ="PSDSCPullServer" CertificateThumbPrint=$Node.PullCert DependsOn="[WindowsFeature]DSCServiceBin" } Script SmbShare# Script to configure SMB Shares {...} } } DSCServiceConfiguration • Create Isolated Environment
Limit Access Run As DHCP M.A.T.A Dept. Head P.A.P.A Corporate Mgmt Server Safeharbor (safeharbor.contoso.com) User SH Admin Domain Admin DSC Pull Server SH DC One Way Trust
ManagementServerConfiguration • Limit Access configurationDelegatedAdmin { Import-DscResource-NameDemo_Computer,Demo_SessionConfiguration Node $AllNodes.Where{$_.Role -eq"DelegatedAdmin"}.NodeName { Script NoIPv6 # Script to disable IPv6 {...} Computer NameAndDomain { Ensure ="Present" Name =$Node.MachineName DomainName=$Node.DomainName Credential = (Import-CliXML$Node.DomainCredFile) DependsOn="[Script]NoIPV6" } PSEndpointSecure { Ensure ="Present" Name =$Node.EPName RunAsCredential= (Import-CliXml$Node.RunAsCredFile) SDDL =$Node.SDDL ConfigurationFile=$Node.ConfigurationFile DependsOn="[Computer]NameAndDomain" } } }
Limit Access Demo
File Servers • Add Servers Securely Run As DHCP M.A.T.A Dept. Head Allow WSMAN & SMB (In) HTTPS only P.A.P.A Corporate Jump Box Safeharbor (safeharbor.contoso.com) User SH Admin Domain Admin DSC Pull Server SH DC One Way Trust
Add Servers Securely Demo
ConfigurationFileServer { Import-DscResource-NameDemo_Computer,Demo_Firewall Node $AllNodes.Where{$_.Role -eq"FileServer"}.NodeName { Script NoIPv6 # Script to disable IPv6 {...} # Remove all built-in firewall rules foreach ($rulein$Node.AbsentInRules) { Firewall $rule.Name { Ensure ="Present"; DisplayName=$rule.DisplayName; Direction ="Inbound"; State ="Disabled"; Protocol =$rule.Protocol; DependsOn="[Script]NoIPv6" } } Firewall HttpsForPullServer { Ensure ="Present" Access ="Allow" DisplayName="DSC HTTPS" RemotePort="8080"; Protocol ="TCP"; Direction ="Outbound"; State ="Enabled"; DependsOn="[Script]NoIPv6" } Computer MachineName { Ensure ="Present" Name =$Node.MachineName DomainName=$Node.DomainName Credential = (Import-Clixml$Node.DomainCredFile) DependsOn="[Script]NoIPV6" } WindowsFeatureFileServer { Ensure ="Present" Name ="File-Services" DependsOn="[Computer]MachineName" } WindowsFeatureWebServer { Ensure ="Absent" Name ="Web-Server" DependsOn="[Computer]MachineName" } # Remove all built-in File firewall rules foreach ($rulein$Node.AbsentInFileRules) { Firewall $rule.Name { Ensure ="Present"; DisplayName=$rule.DisplayName; Direction ="Inbound"; State ="Disabled"; Protocol =$rule.Protocol; DependsOn="[WindowsFeature]FileServer" } } # Open selective ports & protocols foreach ($rulein$Node.AllowedInRules) { Firewall $rule.Name { Ensure ="Present"; Access ="Allow"; DisplayName=$rule.DisplayName; LocalPort=$rule.Port; Protocol =$rule.Protocol; State ="Enabled"; Direction ="Inbound"; DependsOn="[WindowsFeature]FileServer" } } Group MATA { GroupName="Administrators" Ensure ="Present" MembersToInclude= @("safeharbor\MATA") Credential = (Import-Clixml$Node.DomainCredFile) DependsOn="[Computer]MachineName" } User Administrator { Ensure ="Present" UserName="Administrator" Disabled =$true } } } ConfigurationFileServer { Import-DscResource-NameDemo_Computer,Demo_Firewall Node $AllNodes.Where{$_.Role -eq"FileServer"}.NodeName { Script NoIPv6 # Script to disable IPv6 {...} # Remove all built-in firewall rules foreach ($rulein$Node.AbsentInRules) { Firewall $rule.Name { Ensure ="Present"; DisplayName=$rule.DisplayName; Direction ="Inbound"; State ="Disabled"; Protocol =$rule.Protocol; DependsOn="[Script]NoIPv6" } } Firewall HttpsForPullServer { Ensure ="Present" Access ="Allow" DisplayName="DSC HTTPS" RemotePort="8080"; Protocol ="TCP"; Direction ="Outbound"; State ="Enabled"; DependsOn="[Script]NoIPv6" } Computer MachineName { Ensure ="Present" Name =$Node.MachineName DomainName=$Node.DomainName Credential = (Import-Clixml$Node.DomainCredFile) DependsOn="[Script]NoIPV6" } WindowsFeatureFileServer { Ensure ="Present" Name ="File-Services" DependsOn="[Computer]MachineName" } WindowsFeatureWebServer { Ensure ="Absent" Name ="Web-Server" DependsOn="[Computer]MachineName" } # Remove all built-in File firewall rules foreach ($rulein$Node.AbsentInFileRules) { Firewall $rule.Name { Ensure ="Present"; DisplayName=$rule.DisplayName; Direction ="Inbound"; State ="Disabled"; Protocol =$rule.Protocol; DependsOn="[WindowsFeature]FileServer" } } # Open selective ports & protocols foreach ($rulein$Node.AllowedInRules) { Firewall $rule.Name { Ensure ="Present"; Access ="Allow"; DisplayName=$rule.DisplayName; LocalPort=$rule.Port; Protocol =$rule.Protocol; State ="Enabled"; Direction ="Inbound"; DependsOn="[WindowsFeature]FileServer" } } Group MATA { GroupName="Administrators" Ensure ="Present" MembersToInclude= @("safeharbor\MATA") Credential = (Import-Clixml$Node.DomainCredFile) DependsOn="[Computer]MachineName" } User Administrator { Ensure ="Present" UserName="Administrator" Disabled =$true } } } FileServerConfiguration • Add Servers Securely
File Servers • Configure Servers Run As DHCP A C T I O N M.A.T.A Request Dept. Head A C C E S S P.A.P.A Corporate Jump Box Safeharbor (safeharbor.contoso.com) User SH Admin Domain Admin DSC Pull Server SH DC One Way Trust
Configure Servers Demo
Opportunities • Remove domain trust from isolated environment • Remove domain from isolated environment • Regularly change Domain Admin password • JIT/JEA • Limit all isolated environment access through the management head • Provide necessary escape hatch • Workflows with approvals, etc. • Use Role Base Access Control (RBAC) • …
Summary • Assume corporate environment is not secure • Example of way to use PowerShell to create a secure environment for critical information. • Move critical data into isolated environment • Remove “Administrator” role • Provide specific access to users information • Further enhance security of isolated environment • Expand on this example • Create custom solutions