
Safe Harbor



Presentation Transcript


  1. Safe Harbor: Using PowerShell to Configure Secure Environments and Delegated Administration

  2. Typical Corporate Environment
     • Personal health information (PHI)
     • Personally identifiable information (PII)
     • Trade secrets
     • Intellectual property

  3. “New” Threat
     • Personal health information (PHI)
     • Personally identifiable information (PII)
     • Trade secrets
     • Intellectual property

  4. Mitigations

  5. Demo Scenario
     • Single corporate domain
     • Multiple domain admins
     • Many domain users have been granted more access than required because it was easier
     • Recently discovered that the domain environment has been compromised
     • Business critical information on 3 different file servers
     • Suspected source of compromise is within the corporate domain

  6. Environment (diagram): the Domain (Corporate.Contoso.Com) with its Domain Controller, Domain Admin, User, Dept. Head, P.A.P.A, DHCP, and the servers containing critical information

  7. Plan of Attack
     • Create Isolated Environment
     • Limit Access
     • Add Servers Securely
     • Configure Servers
     • Separate Domain Controller
     • DSC Pull Server
     • JEA Management head (Jump box)
     • Domain Admins
     • Firewall Ports
     • Resources
     • Never on Corp domain
     • Boot to pull server for configuration
     • Configure and copy critical information

  8. Environment (diagram, repeated from slide 6): the Domain (Corporate.Contoso.Com) with its Domain Controller, Domain Admin, User, Dept. Head, P.A.P.A, DHCP, and the servers containing critical information

  9. Create Isolated Environment (diagram): Corporate (User, Dept. Head, P.A.P.A, DHCP, Domain Admin) beside Safeharbor (safeharbor.contoso.com) with the SH DC, DSC Pull Server and SH Admin; requests cross a One Way Trust

  10. Create Isolated Environment Demo

  11. Domain Controller Configuration (Create Isolated Environment)
      Configuration DomainController
      {
          Import-DscResource -Name Demo_Computer, Demo_Domain, Demo_DNSTransferZone

          Node $AllNodes.Where{ $_.Role -eq "DomainController" }.NodeName
          {
              Script NoIPv6   # Script to disable IPv6
              { ... }

              Computer MachineName
              {
                  Ensure    = "Present"
                  Name      = $Node.MachineName
                  DependsOn = "[Script]NoIPv6"
              }

              WindowsFeature ADDS
              {
                  Ensure    = "Present"
                  Name      = "AD-Domain-Services"
                  DependsOn = "[Computer]MachineName"
              }

              Domain Forest
              {
                  Name                    = $Node.DomainName
                  AdministratorCredential = (Import-Clixml $Node.DomainCredFile)
                  DependsOn               = "[WindowsFeature]ADDS"
              }
          }
      }

  12. Domain Trust Configuration (Create Isolated Environment)
      Configuration DomainTrust
      {
          Import-DscResource -Name Demo_DomainTrust, Demo_DNSSecondaryZone

          Node $AllNodes.Where{ $_.Role -eq "DomainController" }.NodeName
          {
              # Only the SH DC that has a trust partner configured gets the trust
              if ($Node.TrustDomainName)
              {
                  DomainTrust TrustDomain
                  {
                      Ensure                      = "Present"
                      SourceDomain                = $Node.SourceDomainName
                      TargetDomain                = $Node.TrustDomainName
                      TargetDomainAdminCredential = (Import-Clixml $Node.TrustDomainCred)
                      TrustDirection              = $Node.TrustDirection
                      TrustType                   = $Node.TrustType
                  }
              }
          }
      }

  13. DSC Service Configuration (Create Isolated Environment)
      Configuration DSCServer
      {
          Import-DscResource -Name Demo_DSCService, Demo_Computer

          Node $AllNodes.Where{ $_.Role -eq "PullServer" }.NodeName
          {
              Script NoIPv6   # Script to disable IPv6
              { ... }

              Computer NameAndDomain
              {
                  Ensure     = "Present"
                  Name       = $Node.MachineName
                  DomainName = $Node.DomainName
                  Credential = (Import-Clixml $Node.DomainCredFile)
                  DependsOn  = "[Script]NoIPv6"
              }

              WindowsFeature DSCServiceBin
              {
                  Ensure    = "Present"
                  Name      = "DSC-Service"
                  DependsOn = "[Computer]NameAndDomain"
              }

              DSCService ODataEP
              {
                  Ensure                = "Present"
                  Name                  = "PSDSCPullServer"
                  CertificateThumbPrint = $Node.PullCert
                  DependsOn             = "[WindowsFeature]DSCServiceBin"
              }

              Script SmbShare   # Script to configure SMB shares
              { ... }
          }
      }
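The deck shows the pull server side (the HTTPS OData endpoint with its certificate) but not the client side that slide 7 calls "boot to pull server for configuration". As an added example, not code from the presentation, here is the Local Configuration Manager meta-configuration for the isolated nodes, written in WMF 5 syntax. The hostname pull.safeharbor.contoso.com, the node names and the ConfigurationID GUIDs are assumptions; the port 8080 matches the "DSC HTTPS" outbound rule in the file server configuration later in the deck.

```powershell
# Added example (not from the deck): point a node's Local Configuration Manager at the
# pull server built on slide 13. Hostname, node names and GUIDs are assumptions.
[DSCLocalConfigurationManager()]
configuration SafeHarborPullClient
{
    Node $AllNodes.NodeName
    {
        Settings
        {
            RefreshMode          = 'Pull'
            ConfigurationID      = $Node.ConfigurationID   # name of <guid>.mof on the pull server
            RefreshFrequencyMins = 30
            ConfigurationMode    = 'ApplyAndAutoCorrect'   # revert drift, do not just report it
            RebootNodeIfNeeded   = $true
        }

        ConfigurationRepositoryWeb SafeHarborPull
        {
            ServerURL               = 'https://pull.safeharbor.contoso.com:8080/PSDSCPullServer.svc'
            AllowUnsecureConnection = $false   # never fall back to plain HTTP
        }
    }
}

# Constructed configuration data: one entry per isolated file server.
$pullClients = @{
    AllNodes = @(
        @{ NodeName = 'fs01.safeharbor.contoso.com'; ConfigurationID = '11111111-2222-3333-4444-555555555555' }
        @{ NodeName = 'fs02.safeharbor.contoso.com'; ConfigurationID = '66666666-7777-8888-9999-aaaaaaaaaaaa' }
    )
}

# Compile the .meta.mof files and push them to the nodes named in the data.
SafeHarborPullClient -ConfigurationData $pullClients -OutputPath C:\SafeHarbor\LCM
Set-DscLocalConfigurationManager -Path C:\SafeHarbor\LCM -Verbose

# Check: every node should report Pull mode and auto-correct, with the expected ID.
Get-DscLocalConfigurationManager -CimSession $pullClients.AllNodes.NodeName |
    Select-Object PSComputerName, RefreshMode, ConfigurationMode, ConfigurationID
```

With AllowUnsecureConnection set to $false the node validates the pull server's certificate ($Node.PullCert on slide 13), so it must trust the issuing CA; a mismatch makes the pull fail rather than silently downgrade. On WMF 4, which the deck's DSC-Service feature name suggests, the same settings are expressed with the older LocalConfigurationManager block (DownloadManagerName = 'WebDownloadManager' and a DownloadManagerCustomData hashtable carrying ServerUrl and AllowUnsecureConnection).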

  14. Limit Access (diagram): as slide 9, with a Mgmt Server in Safeharbor (safeharbor.contoso.com) whose endpoint runs as M.A.T.A; Corporate users (User, Dept. Head, P.A.P.A, DHCP, Domain Admin) reach it across the One Way Trust

  15. Management Server Configuration (Limit Access)
      Configuration DelegatedAdmin
      {
          Import-DscResource -Name Demo_Computer, Demo_SessionConfiguration

          Node $AllNodes.Where{ $_.Role -eq "DelegatedAdmin" }.NodeName
          {
              Script NoIPv6   # Script to disable IPv6
              { ... }

              Computer NameAndDomain
              {
                  Ensure     = "Present"
                  Name       = $Node.MachineName
                  DomainName = $Node.DomainName
                  Credential = (Import-Clixml $Node.DomainCredFile)
                  DependsOn  = "[Script]NoIPv6"
              }

              PSEndpoint Secure
              {
                  Ensure            = "Present"
                  Name              = $Node.EPName
                  RunAsCredential   = (Import-Clixml $Node.RunAsCredFile)
                  SDDL              = $Node.SDDL
                  ConfigurationFile = $Node.ConfigurationFile
                  DependsOn         = "[Computer]NameAndDomain"
              }
          }
      }
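The PSEndpoint resource above takes a session configuration file, an SDDL and a run-as credential but the deck does not show how those three are produced. As an added example, not code from the presentation, here is the same delegated endpoint built with the stock remoting cmdlets: a RestrictedRemoteServer session in NoLanguage mode that exposes only share-management cmdlets, an SDDL derived from the delegated group's SID rather than pasted in, and registration under the M.A.T.A run-as account. The endpoint name, file paths, the safeharbor\Dept-Heads group, the MATA credential file and the cmdlet list are assumptions.

```powershell
# Added example (not from the deck): what the Demo_SessionConfiguration resource on
# slide 15 has to produce on the management server. Names and paths are assumptions.
$endpointName = 'SafeHarbor.FileAdmin'                       # $Node.EPName on the slide
$pssc         = 'C:\SafeHarbor\FileAdmin.pssc'               # $Node.ConfigurationFile
$runAs        = Import-Clixml 'C:\SafeHarbor\MATA.cred.xml'  # $Node.RunAsCredFile

# 1. A restricted session: no language elements, only the cmdlets the role needs.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ModulesToImport SmbShare `
    -VisibleCmdlets 'Get-SmbShare', 'Get-SmbShareAccess', 'Grant-SmbShareAccess', 'Revoke-SmbShareAccess'

# 2. Build the SDDL from the delegated group's SID; nobody else gets an ACE.
$account = New-Object System.Security.Principal.NTAccount('safeharbor\Dept-Heads')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "O:NSG:BAD:P(A;;GA;;;$sid)"

# 3. Register it. Callers act as MATA inside the session without ever holding
#    MATA's password, and only through the cmdlets listed above.
Register-PSSessionConfiguration -Name $endpointName -Path $pssc `
    -RunAsCredential $runAs -SecurityDescriptorSddl $sddl -Force

# 4. Verify from a member of the delegated group: only the visible cmdlets exist.
$s = New-PSSession -ComputerName mgmt.safeharbor.contoso.com -ConfigurationName $endpointName
Invoke-Command -Session $s -ScriptBlock { Get-Command }   # the four cmdlets plus session defaults
Invoke-Command -Session $s -ScriptBlock { Get-Process }   # rejected: not visible in this session
Remove-PSSession $s
```

The verification step is the part to keep in a runbook: a connecting user sees nothing but the visible cmdlets, so anything outside that list fails before it reaches the run-as account. The credential file is readable only by the account that exported it on that machine, because Export-Clixml protects the password with DPAPI; the same constraint applies to every $Node.*CredFile value the deck's configurations import.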

  16. Limit Access Demo

  17. File Servers (Add Servers Securely, diagram): as slide 14, with a Jump Box (run as M.A.T.A) and File Servers in Safeharbor (safeharbor.contoso.com) that allow only WSMAN and SMB inbound, HTTPS only; Corporate users reach them across the One Way Trust

  18. Add Servers Securely Demo

  19. File Server Configuration (Add Servers Securely)
      Configuration FileServer
      {
          Import-DscResource -Name Demo_Computer, Demo_Firewall

          Node $AllNodes.Where{ $_.Role -eq "FileServer" }.NodeName
          {
              Script NoIPv6   # Script to disable IPv6
              { ... }

              # Remove all built-in firewall rules
              foreach ($rule in $Node.AbsentInRules)
              {
                  Firewall $rule.Name
                  {
                      Ensure      = "Present"
                      DisplayName = $rule.DisplayName
                      Direction   = "Inbound"
                      State       = "Disabled"
                      Protocol    = $rule.Protocol
                      DependsOn   = "[Script]NoIPv6"
                  }
              }

              Firewall HttpsForPullServer
              {
                  Ensure      = "Present"
                  Access      = "Allow"
                  DisplayName = "DSC HTTPS"
                  RemotePort  = "8080"
                  Protocol    = "TCP"
                  Direction   = "Outbound"
                  State       = "Enabled"
                  DependsOn   = "[Script]NoIPv6"
              }

              Computer MachineName
              {
                  Ensure     = "Present"
                  Name       = $Node.MachineName
                  DomainName = $Node.DomainName
                  Credential = (Import-Clixml $Node.DomainCredFile)
                  DependsOn  = "[Script]NoIPv6"
              }

              WindowsFeature FileServer
              {
                  Ensure    = "Present"
                  Name      = "File-Services"
                  DependsOn = "[Computer]MachineName"
              }

              WindowsFeature WebServer
              {
                  Ensure    = "Absent"
                  Name      = "Web-Server"
                  DependsOn = "[Computer]MachineName"
              }

              # Remove all built-in File firewall rules
              foreach ($rule in $Node.AbsentInFileRules)
              {
                  Firewall $rule.Name
                  {
                      Ensure      = "Present"
                      DisplayName = $rule.DisplayName
                      Direction   = "Inbound"
                      State       = "Disabled"
                      Protocol    = $rule.Protocol
                      DependsOn   = "[WindowsFeature]FileServer"
                  }
              }

              # Open selective ports & protocols
              foreach ($rule in $Node.AllowedInRules)
              {
                  Firewall $rule.Name
                  {
                      Ensure      = "Present"
                      Access      = "Allow"
                      DisplayName = $rule.DisplayName
                      LocalPort   = $rule.Port
                      Protocol    = $rule.Protocol
                      State       = "Enabled"
                      Direction   = "Inbound"
                      DependsOn   = "[WindowsFeature]FileServer"
                  }
              }

              Group MATA
              {
                  GroupName        = "Administrators"
                  Ensure           = "Present"
                  MembersToInclude = @("safeharbor\MATA")
                  Credential       = (Import-Clixml $Node.DomainCredFile)
                  DependsOn        = "[Computer]MachineName"
              }

              User Administrator
              {
                  Ensure   = "Present"
                  UserName = "Administrator"
                  Disabled = $true
              }
          }
      }
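The file server configuration above reads everything that matters (role, domain, credential file, the three firewall rule lists) from $Node, but the deck never shows the configuration data that feeds it, nor how the compiled MOF reaches the pull server. As an added example, not code from the presentation, here is a configuration data block that fits the keys used by the configuration, the credential export it expects, and the compile-and-publish step. The rule entries, paths, node names, GUIDs and the pull server share name are assumptions; the certificate thumbprint is a placeholder.

```powershell
# Added example (not from the deck): configuration data for the FileServer
# configuration on slide 19, plus compile and publish. Values are assumptions.
$fileServerData = @{
    AllNodes = @(
        @{
            NodeName        = '*'                          # properties below apply to every node
            Role            = 'FileServer'
            DomainName      = 'safeharbor.contoso.com'
            DomainCredFile  = 'C:\SafeHarbor\Creds\join.cred.xml'
            # Encrypt credentials in the MOF with the node's certificate; do not set
            # PSDscAllowPlainTextPassword for servers you are trying to isolate.
            CertificateFile = 'C:\SafeHarbor\Certs\fileserver.cer'   # placeholder path
            Thumbprint      = '<node certificate thumbprint>'         # placeholder

            # Built-in inbound rules disabled before the role is installed (constructed list)
            AbsentInRules = @(
                @{ Name = 'RemoteDesktop-In'; DisplayName = 'Remote Desktop (TCP-In)'; Protocol = 'TCP' }
                @{ Name = 'WMI-In';           DisplayName = 'WMI (DCOM-In)';           Protocol = 'TCP' }
            )
            # Built-in sharing rules disabled once File-Services exists (constructed list)
            AbsentInFileRules = @(
                @{ Name = 'NetBIOS-In'; DisplayName = 'File and Printer Sharing (NB-Session-In)'; Protocol = 'TCP' }
            )
            # Only what slide 17 allows inbound: WS-Man over HTTPS and SMB
            AllowedInRules = @(
                @{ Name = 'WSMan-HTTPS-In'; DisplayName = 'WinRM over HTTPS (In)'; Port = '5986'; Protocol = 'TCP' }
                @{ Name = 'SMB-In';         DisplayName = 'SMB (In)';              Port = '445';  Protocol = 'TCP' }
            )
        }
        @{ NodeName = 'fs01'; MachineName = 'fs01' }
        @{ NodeName = 'fs02'; MachineName = 'fs02' }
    )
}

# Store the join credential the way the configurations consume it (Import-Clixml).
# Export-Clixml protects the password with DPAPI for the current user on this
# machine, so author and compile the MOFs from that same account.
Get-Credential -Message 'Account allowed to join computers to safeharbor' |
    Export-Clixml -Path $fileServerData.AllNodes[0].DomainCredFile

# Compile; with CertificateFile set, credentials inside the MOF are encrypted.
FileServer -ConfigurationData $fileServerData -OutputPath C:\SafeHarbor\Mof

# Publish: name each MOF after the node's ConfigurationID, checksum it, and copy it
# to the pull server share from slide 13 so the node fetches it over HTTPS.
$pullShare = '\\pull.safeharbor.contoso.com\Configuration'   # assumed share name
$ids = @{ fs01 = '11111111-2222-3333-4444-555555555555'; fs02 = '66666666-7777-8888-9999-aaaaaaaaaaaa' }
foreach ($n in $ids.Keys) {
    Copy-Item -Path "C:\SafeHarbor\Mof\$n.mof" -Destination "$pullShare\$($ids[$n]).mof"
}
New-DscChecksum -Path $pullShare -Force
```

The '*' entry is how DSC applies shared properties to every node, so the Role filter in the configuration still matches fs01 and fs02 while each node keeps its own MachineName. The outbound "DSC HTTPS" rule in the configuration uses port 8080 and the inbound list contains only 5986 and 445, which is the whole of what slide 17 promises; anything the file role adds beyond that is disabled by the AbsentInFileRules loop.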

  20. File Servers (Configure Servers, diagram): as slide 17, with Request, Action and Access flows from the Corporate users (Dept. Head, P.A.P.A) through the Jump Box running as M.A.T.A to the File Servers in Safeharbor (safeharbor.contoso.com)

  21. Configure Servers Demo

  22. Opportunities
     • Remove domain trust from isolated environment
     • Remove domain from isolated environment
     • Regularly change Domain Admin password
     • JIT/JEA
     • Limit all isolated environment access through the management head
     • Provide necessary escape hatch
     • Workflows with approvals, etc.
     • Use Role Based Access Control (RBAC)
     • …

  23. Summary
     • Assume corporate environment is not secure
     • Example of a way to use PowerShell to create a secure environment for critical information
     • Move critical data into isolated environment
     • Remove “Administrator” role
     • Provide specific access to users information
     • Further enhance security of isolated environment
     • Expand on this example
     • Create custom solutions
