Implementing Least Privilege on Microsoft Windows XP computers at DOE-RL Hanford

Similar documents
We ve been hacked! We did it! Rick Grandy Lockheed Martin Hanford Site

System Center Configuration Manager 2007

SmartDraw Installation Guide

AdminToys Suite. Installation & Setup Guide

IT-Pruefungen.de. Hochwertige Qualität, neueste Prüfungsunterlagen.

LEARNING SOLUTIONS website milner.com/learning phone

Applying the Principle of Least Privilege to Windows 7

FREQUENTLY ASKED QUESTIONS

Windows Operating Systems. Basic Security

Audit Tools That Won t Break the Bank

Windows 7, Enterprise Desktop Support Technician

Microsoft. Pro: Upgrading to Windows 7 MCITP Enterprise Desktop Support Technician.

Desktop Authority and Group Policy Preferences

NAS 253 Introduction to Backup Plan

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

C13 - Establishing a Windows Baseline Mike Villegas

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12

Installing T-HUB on multiple computers

DriveLock and Windows 7

Net Protector Admin Console

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

Implementing HIPAA Compliance with ScriptLogic

Compliance series Guide to meeting requirements of USGCB

User Guide Microsoft Exchange Remote Test Instructions

Chapter 1 Scenario 1: Acme Corporation

Agency Pre Migration Tasks

Windows 7. Qing Liu Michael Stevens

Escalation Server Documentation For Tele-Support HelpDesk Rev 5/29/2001

How To Write A Gpmc Script For A Gpc (Windows 2003) On A Windows 2000 (Windows 2000) On Your Computer Or Your Computer (Windows 3) On An Ipad Or Ipad (Windows 2) On The Macbook

What s New in Juniper Networks Secure Access (SA) SSL VPN Version 6.4

Richmond Systems. SupportDesk Quick Start Guide

Virto Create & Clone AD User Web Part for Microsoft SharePoint. Release Installation and User Guide

Remote Terminal Service (RTS) User Guide (Version 2.1)

Connecting to Remote Desktop Windows Users

Updating Your Network Infrastructure and Active Directory Technology Skills to Windows Server 2008

Remote Desktop Administration

Virto Password Reset Web Part for SharePoint. Release Installation and User Guide

50331D Windows 7, Enterprise Desktop Support Technician (Windows 10 Curriculum)

SANS Institute First Five Quick Wins

Updating your Network Infrastructure Technology Skills to Windows Server 2008

Module 3: Resolve Software Failure This module explains how to fix problems with applications that have problems after being installed.

c360 Advanced Quote and Order Processing for Microsoft Dynamics CRM 4.0 Installing Guide

Upgrading Client Security and Policy Manager in 4 easy steps

Module 7 Management. Section 7.1: WSUS. CIST2414 Microsoft Server Administrator. Summary. Windows Server 2008 Server Administrator

Course Agenda: Managing Active Directory with NetIQ Directory and Resource Administrator and NetIQ Exchange Administrator

How To Use Exchange Reporter Plus On A Microsoft Mailbox On A Windows (Windows) On A Server Or Ipa (Windows 7) On An Ubuntu 7.6 (Windows 8) On Your Pc Or

Understand Troubleshooting Methodology

Outline SSS Microsoft Windows Server 2008 Hyper-V Virtualization

MCSE TestPrep: Windows NT Server 4, Second Edition Managing Resources

THE COMPLETE VIEWER FOR MS PROJECT. Deployment White Paper

MS-50255: Managing, Maintaining, and Securing Your Networks Through Group Policy. Course Objectives. Required Exam(s) Price.

ILTA HANDS ON Securing Windows 7

Test Note Phone Manager Deployment Windows Group Policy Sever 2003 and XP SPII Clients

Integrating LANGuardian with Active Directory

STATE OF ARIZONA Department of Revenue

Course MS20696A Managing Enterprise Devices and Apps using System Center Configuration Manager

Backup Exec 12.5 Icons Glossary

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10

Diebold Security Analysis of ATM Operating and Application Systems Using the Center for Internet Security Scoring Tool

Table of Contents. Introduction. Audience. At Course Completion

Configuring Windows 7 to Use Encrypted (WPA-E) Wireless Services a...

MS MCITP: Windows 7 Enterprise Desktop Support Technician Boot Camp

DOT.Comm Oversight Committee Policy

Microsoft Corporation. Status: Preliminary documentation

Use Remote Desktop capabilities to Access your Work PC from home over VPN

Installation Notes for Outpost Network Security (ONS) version 3.2

Zubair Alexander's Training History (History of classes taught from June 28, 1996 through today)

Q&A. DEMO Version

Managing Enterprise Devices and Apps using System Center Configuration Manager

Building a Secure and Compliant Windows Desktop

Fundamentals, Security, and the Managed Desktop

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Introduction to Windows 7 Feature Practice Examination (brought to you by RMRoberts.com)

DriveLock and Windows 8

This document details the procedure for installing Layer8 software agents and reporting dashboards.

Websense Support Webinar: Questions and Answers

Introduction and Overview

ICT Professional Optional Programmes

Managing Windows Environments with Group Policy 50255D; 5 Days, Instructor-led

MS 50255B: Managing Windows Environments with Group Policy (4 Days)

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

Network Access Protection (NAP)

For Splunk Universal Forwarder and Splunk Cloud

Exam : TS: Upgrading Your MCSE on Windows Server 2003 to Windows Server 2008, Technology Specialist. Title : Version : DEMO

Quick Start Guide. User Manual. 1 March 2012

NE-2273B Managing and Maintaining a Microsoft Windows Server 2003 Environment

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

Downloading and Mass Deploying Applications

Desktop Authority vs. Group Policy Preferences

Server Edition Administrator s Guide

Centralized Auditing in Windows Derek Melber

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

BYOD. and Mobile Device Security. Shirley Erp, CISSP CISA November 28, 2012

Out n About! for Outlook Electronic In/Out Status Board. Administrators Guide. Version 3.x

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Updating your Network Infrastructure and Active Directory Technology Skills to Windows Server 2008

SQL Server Hardening

DameWare Server. Administrator Guide

Printing Options. Netgear FR114P Print Server Installation for Windows XP

Transcription:

Implementing Least Privilege on Microsoft Windows XP computers at DOE-RL Hanford Presented By Eric Anderson, PMP, CISM, CISSP, MCSE Cyber Projects and Technical Lead MSA / Lockheed Martin IS&GS

DOE Hanford Site To make our customers extraordinarily successful in our unified mission of cleaning up the Hanford Site 2 Hanford Site Scope 586 square miles 9,000+ PCs 500+ servers 400+ applications 1,000+ miles fiber to 300 bldgs 12,500+ phones

What s the problem? Compliance problem OIG finding in 2007 too many users operate as a privileged, Local Administrator (LA) on their computers. Cyber Security problem Users engage in risky activities while operating as LA. 68% of the 6,800 computers at DOE-RL (June 2008) ran with LA. IT Administration problem Difficult to upgrade from Windows XP to Windows 7 without getting client privilege usage under control. 3

Least Privilege Microsoft recommends use of least-privileged user accounts (LUA) The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. Applying the Principle of Least Privilege to User Accounts on Windows XP Published: January 18, 2006. http://technet.microsoft.com/en-us/library/bb456992.aspx 4

User Account Control (UAC) Microsoft defaults to User Account Control (UAC) in Windows 7 User Account Control is a security feature in Windows 7 that was introduced with Windows Vista. The primary goal of User Account Control is to reduce the exposure and attack surface of the Windows 7 operating system by requiring that all users run in standard user mode, and by limiting administrator-level access to authorized processes. By default, Windows 7 runs every application as a standard user even if the current user is logged on as a member of the Administrators group. Least Privilege, User Account Control, and Setuid http://technet.microsoft.com/en-us/library/cc770863.aspx 5

why not remove all LA s? Some applications are not developed or configured to use least privilege. Therefore, removing LA impacts the use of some applications that users need to do their jobs and to satisfy mission goals. 6

4 Categories of Users Run as LA Experience from the field 1. Most users do not need to run as LA 2. Administrators need LA to troubleshoot 3. Small number of users (~100) need persistent LA 4. Sometimes users (average ~60/day) need temporary LA 7

What s the approach or PLAN for reducing the number of LA s? Scenario 1 Remove users as LA on all computers, fix all breakage. Scenario 2 Fix all critical & essential applications needing LA to install and run, then remove all LA s and fix breakage. Scenario 3 Implement a white list product to discover applications with LA dependencies, remove all LA s and fix remaining breakage. Scenario 4 Identify and fix all applications needing LA to install and run, then remove all LA s and fix breakage. 8

What s needed to implement the PLAN? Need a Local Administrator Reduction Project (LARP) to quickly & effectively reduce LA on Windows XP computers Identify applications that are dependent on LA to install or run. Fix or remediate the LA-dependent applications. Remove LA privileges from all site computers, and Implement controls to keep LA privileges removed unless the need is justified and authorized. LARP is Phase 1 of the 2-phased approach. 9

Next Steps Identify key stakeholders potentially impacted by LARP project Senior management Application owners Product managers Application and system administrators Software developers & testers Service Desk (or Customer Technical Support) General users 10

LARP Project Activities Application Management Take inventory Test for install without LA Test for execution without LA Fix or remediate LA-dependent applications Privilege Management Develop or procure a privilege elevation tool Register legitimate LA usage Control legitimate LA usage Report on LA usage frequency for computers & users Document risk acceptance for legitimate LA usage 11

What were important TOOLS? Experience from the field 1. Application Inventory * - to identify all applications to test. 2. LARP SharePoint site - for project, tester, help desk and user communication. 3. LARP mailbox - for the project to respond to specific troubleshooting requests. 4. Software distribution system * - for the site to fix/remediate LA install issues. 5. Microsoft Systems Management Server - (SMS) for application inventory assistance. 6. Privilege elevation tool * - (set Local Administrator, or setla) for testers and general users. 7. Account Management System * - (AMS) to register legitimate LA usage. 8. Network system logon process * - (Syslogon) to control legitimate LA usage. 9. Local Group Machine Enumeration * - (LGME) reports potential for administrative access. 10. Metric reporting * - from backend information system databases (Syslogon, setla & LGME). * Denotes Hanford Local Area Network (HLAN) custom tools or systems. 12

Schedule of Activities Experience from the field 13

Application Management Why take inventory? Application inventory provides a: Good baseline for estimating project costs; Assessment of impacts to users; and Tracking outcomes of test\mitigation activities. It s a critical security control to know which software or applications are authorized to run on network computers, and which are not. SANS Consensus Audit Guidelines, 20 Critical Controls for Effective Cyber Security, http://www.sans.org/critical-security-controls/ 14

Application Management Test for install and execute without LA Test whether application installation requires LA privileges easily handled by one person. Test whether application execution requires LA privileges usually many people (system owner, application support or users). 15

Application Management Fix / Remediate application dependence on LA Move all software installs to a site software distribution method to enforce configuration management, develop install tools or wizards, or both (below). Change permissions on directories, registry keys or files for applications needing LA to execute. 16

Privilege Management Privilege elevation setla tool The set Local Administrator (setla) tool was developed for controlled privilege elevation. It requires the user account to be a member of the Remote Desktop Users (RDU) group, AND only runs when connected to the network.. 1 SetLA 1. Checks whether user is an administrator 2. Prompts for entry of a reason which it logs to a site information system 3. Warns user of privilege removal and session log off after 24 hours 4. Reminds of elevated privilege every hour 5. Five minute count down before log off 2 3 17 5 4

Privilege Management Register persistent LA usage Site Account Management System (AMS) modified to register and authorize each user needing persistent LA rights to a specific computer. AMS registrations are reauthorized on an annual basis. 18

Privilege Management Control legitimate LA usage Syslogon process controls LA privileged use at network logon. Enforces removal of all user accounts in Local Administrators group of Windows XP computers not registered in the Account Management System (AMS). 19

Privilege Management Reporting on LA usage for computers & users Syslogon process audits to an information system database. SetLA tool audits privilege elevation events to a system database. Auditing is enabled on Windows XP computer security event logs for privilege escalation occurrences. All Windows XP computer event logs are collected to a site SIEM. Local Group Machine Enumeration (LGME) runs periodically to assess potential of nested domain group membership in the Local Administrator group of the Windows XP computer, and audits to a system database. 20

Privilege Management Document legitimate LA usage Annual justification of persistent LA usage is required for user accounts and groups. Cyber risks of persistent LA usage is reassessed periodically for acceptance by the site DAA. 21

Completion of Controls Phase 2 All membership in the LA group of the client computer by local or domain accounts, or domain groups must be registered to AMS, and controlled by members of the domain Support group, their delegates or domain group policy. Control the membership of domain groups added to the LA group. Local user accounts as LA reduced to the least number possible and actively monitored. Monitor setla privilege elevation usage and limit to a set number per-user per-period, or else an AMS justification required. Goal is upgrade to Windows 7 with User Account Control (UAC). 22

Gotchas & Other Lessons Learned SetLA initially allowed any domain User to elevate their privilege to LA, whether it was their own computer or not. Since many users connect remotely to their computers, the Remote Desktop Users (RDU) group was adapted to manage privilege elevation. SetLA time bomb messages added warning of automatic log off. Laptops have special needs for LA use as compared to Desktops. 23

Big wins! Reduced attack surface of site computers. Protection from malware installs, unintentional file downloads and configuration changes. LARP project identified unregistered applications (additional 50%) and got them registered in the Software Inventory application. LARP helped tighten up computer configuration management. Users really have to go out of their way now to download and install unapproved software or make configuration changes on their Windows XP computers. 24

Mission Accomplished Before LARP Project: ~68% of all Windows XP computers ran as LA. After LARP Project (on any given day): <6% of Windows XP computers ran as LA, and <4.5% of Hanford users ran as LA. And our stakeholders didn t kill us!! 25

Questions? Eric Anderson Ernest_A_Eric_Anderson@RL.GOV Lockheed Martin 26

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information