Typical Corporate Environment

PowerShell Desired State Configuration for Securing Systems. Jeffrey Snover, Distinguished Engineer (MSFT), and Hemant Mahawar, Senior Program Manager (MSFT). Typical Corporate Environment: personal health information (PHI), personally identifiable information (PII), trade secrets.

Presentation Transcript


  1. PowerShell Desired State Configuration for Securing Systems
     Jeffrey Snover, Distinguished Engineer (MSFT)
     Hemant Mahawar, Senior Program Manager (MSFT)
     #devconnections

  2. Typical Corporate Environment
     • Personal health information (PHI)
     • Personally identifiable information (PII)
     • Trade secrets
     • Intellectual property

  3. “New” Threat
     • Personal health information (PHI)
     • Personally identifiable information (PII)
     • Trade secrets
     • Intellectual property

  4. Scenario (diagram labels): Environment; Servers containing critical information; Phish; Dept. Head; Domain (Corporate.Contoso.Com); User; Domain Admin; Domain Controller

  5. Side Note on Exploits
     • Post-exploit toolkits (like mimikatz) allow bad guys to spider their way through the network, compromising systems and users
     • Makes it very hard to have confidence that you’ve remediated an attack
     • Consider what happens with a restore

  6. Scenario Recap
     • Corporate domain
     • Admin rights sprawl
     • Bad guys are in the environment and have compromised:
       • One or more users
       • One or more machines
       • One or more machine admin accounts
       • One or more domain admin accounts
     • Business critical information on file servers

  7. One Solution
     • Build a new datacenter with an air gap
     • Create a new AD
     • Provision new machines
     • Set up application/service
     • Users go into the datacenter to use the applications

  8. Safe Harbor Approach
     • Experimental PowerShell DSC module
     • Uses PowerShell DSC, JEA and virtualization to script a “Safe Harbor” where servers are highly isolated, locked down and tightly managed
     • Benefits
       • Implementable
       • Simple (once the base components are available)
       • Safe and Secure

  9. Starting Environment (diagram labels): Servers containing critical information; Dept. Head; Domain (Corporate.Contoso.Com); User; P.A.P.A; Domain Admin; Domain Controller

  10. Safe Harbor Configuration (diagram labels): File Servers; ACTION (WSMAN ONLY); Request; ACCESS (SMB ONLY); Dept. Head; Corporate; Safe Harbor (Safe Harbor.contoso.com); P.A.P.A; Jump Box; Hyper-V; User; Domain Admin; DSC Pull Server; SH DC; One Way Trust

  11. Safe Harbor Scenario

  12. Demo: Safe Harbor
      - Users can access File Servers
      - Specified users enabled for specific admin actions
      - No other admin actions allowed

  13. Mitigations Used

  14. How we did it

  15. Safe Harbor Steps
      Steps: Create Projected Environment; Limit Access; Add Servers Securely; Configure Servers
      • Separate Domain Controller
      • DSC Pull Server
      • JEA Management head (Jump box)
      • Domain Admins
      • Firewall Ports
      • Resources
      • Never on Corp domain
      • Boot to pull server for configuration
      • Configure and copy critical information

  16. Implementation Options
      • GUI tools
      • PowerShell Scripts
      • PowerShell Desired State Configuration
      PowerShell DSC dramatically simplifies complex composition

  17. DSC Supports Composition
      • Declarative approach
      • Allows you to safely refactor and abstract to your heart’s content
      • Supports distributed definition of resources and nodes
      • DSC does the aggregation
      • Couldn’t I just do this with scripts?
        • Yes but No

  18. Demo: Evolution of SMBShare

  19. DSC Simplification (diagram labels): Traditional Scripts; Configuration; Intent; DSC Engine; Dependency Resolution; Logging & Error Handling; Reboot Resiliency; Repeatable Automation; Environmental Side effects; Resources; Technology Specific

  20. DSC Decouples …
      • Intent
        • WHAT: Structural Configuration
          • Stays same irrespective of the environment
        • WHERE: Environmental Configuration
          • Changes as system goes through different env.
          • Dev → Test → Production
      • Make It So
        • HOW: DSC Resources
          • Do the heavy lifting in an idempotent way
      (Diagram labels: Configuration; Intent; DSC Engine; Dependency Resolution; Logging & Error Handling; Reboot Resiliency; Repeatable Automation; Resources; Technology Specific)

  21. Make It So Yes Sir!

  22. DSC and Security
      • The things that thwart security:
        • Complexity
        • Scale
        • Drift
      • DSC is designed to address these

  23. Demo
      DSC addresses:
      - Complexity
      - Scale
      - Drift

  24. Remember Safe Harbor? (diagram labels): File Servers; Run As; ACTION; Request; M.A.T.A; ACCESS; Dept. Head; Corporate; Safe Harbor (Safe Harbor.contoso.com); P.A.P.A; Jump Box; User; SH Admin; Domain Admin; DSC Pull Server; SH DC; One Way Trust

  25. Configuring Safe Harbor for File Server

  26. Components (diagram labels): Assert-SafeFileServer; FileServer in a Safe Harbor; Environment Configuration Data (several) + Safe FileServer Structural Configuration => SafeHarborResource (several); DSC Resource (several)

  27. Summary
      • Safe Harbor is an experimental PowerShell DSC module
      • Addresses the problem of creating a very secure environment to run services/applications
        • Users can access the applications
        • Specified users can use a JumpBox to perform a limited set of admin functions
        • Domain Admins can’t get at these machines/resources
      • Security requires large-scale configuration of complex configurations which don’t drift
      • PowerShell DSC dramatically simplifies configuration of complex environments
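
The WHAT/WHERE split from slides 20 and 26, as an added example that is not from the presentation and not the Safe Harbor module's code: one structural configuration for a file server, compiled against two sets of environment data. It assumes the community xSmbShare module is installed; the configuration name, node names, paths and group names are constructed for illustration.

```powershell
# Added example. Assumes: Install-Module xSmbShare. All names are constructed.
# WHAT: structural configuration, identical in every environment.
Configuration SafeFileServer
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xSmbShare

    Node $AllNodes.Where({ $_.Role -eq 'FileServer' }).NodeName
    {
        WindowsFeature FileServices
        {
            Name   = 'FS-FileServer'
            Ensure = 'Present'
        }
        File ShareRoot
        {
            DestinationPath = $Node.SharePath
            Type            = 'Directory'
            Ensure          = 'Present'
        }
        xSmbShare CriticalData
        {
            Name       = $Node.ShareName
            Path       = $Node.SharePath
            ReadAccess = $Node.Readers   # only the groups named in the data
            Ensure     = 'Present'
            DependsOn  = '[WindowsFeature]FileServices', '[File]ShareRoot'
        }
    }
}

# WHERE: environmental configuration, one data set per environment.
$Test = @{ AllNodes = @(
    @{ NodeName  = 'fs01.test.example'; Role = 'FileServer'
       ShareName = 'Critical'; SharePath = 'D:\Shares\Critical'
       Readers   = 'TEST\DeptHeads' }
) }
$Production = @{ AllNodes = @(
    @{ NodeName  = 'fs01.safeharbor.example'; Role = 'FileServer'
       ShareName = 'Critical'; SharePath = 'E:\Shares\Critical'
       Readers   = 'SAFEHARBOR\DeptHeads' }
) }

# Same intent, different data: each call writes one MOF per matching node.
SafeFileServer -ConfigurationData $Test       -OutputPath .\Mof\Test
SafeFileServer -ConfigurationData $Production -OutputPath .\Mof\Production
```

Once a MOF has been applied with `Start-DscConfiguration`, running `Test-DscConfiguration` on the node reports whether it still matches the compiled document, which is the drift check slide 22 refers to.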
