Friday, July 31, 2015

Windows 10 and Citrix Netscaler VPN does not work

A quick post:
We have found that our users that have updated themselves to Windows 10 have effectively locked themselves out of the network, from remote locations.  It seems Windows 10 is not supported by our Citrix Netscaler VPNs.  Of course we put a note out to our worldwide users, but some "had" to update.  Hopefully there will be a patch or fix soon.

At the moment, we don't support Windows 10 in the infrastructure.  That doesn't stop some of our users from updating anyway.

Found a Windows 2003 Server - now to Remediate

I've always known that we have a handful of Windows 2003 servers.  And with the retiring of Windows 2003 on July 14th I started beating the drum towards migrating to newer (supported) servers.  When I last looked, I think that there was two or three servers left in existence.  Flash forward to today, and our weekly external vulnerability scan.  One of the scans picked up a Windows 2003 server in the publicly facing DMZ, and flagged the finding as critical.  I can support that, it's a pretty serious finding.  The scan also noted IIS 6.0, another finding.

After consulting with the Sysadmins, we found that there are only two applications being utilized on the server.  Off I went to query the application owners as to migrating the applications off the server to something supported.  Here's one of the responses:



I will speak with my management regarding making the migration of what's on there a priority to move. The wrinkle is that some of the code is old and needs to be rewritten/ported into the current project and that is an effort that I have yet to get permission to put the hours in on.

So for now, we need to leave it where it is and I'll try to get everything off of there as soon as possible.


Sigh.

Security education only goes so far.  The fact that there are exploits out there does nothing for the application owners...they're willing to take the risk.  I have their acceptance of risk in writing; but a lot of good that will do if/when something happens to the server.

Wednesday, July 15, 2015

Failed a Pentest...Stake in the Ground

I've been with the company a little over a month and a half.  I've run numerous gap analysis, and I know where we are deficient.  And some of it is  not good.  I've compared ourselves to the SANS Top 20, and again, it's not good.  Management wanted an internal pentest, to get a feel for the security posture.  We in IT wanted a good boutique pentesting company, but we were told to use the company that already audits the finance department.  Fortunately, these guys were good.

We failed the pentest, miserable.  Most of my guesses as to how it would happen came to pass.  And I'm ok with that.  Heck, they had domain admin in about a day.  There were some good surprises, and there were some good wins.  I'm good with it; as it confirmed most of what I have been raising to management for the past year.  The hope is that management will open their eyes and start making changes.

So mentally, I've put a stake in the ground.  I want to see how long it takes for any real change to take place.  I'm waiting to see when management starts mandating change in the form of implementation of controls in order to raise the security posture of the company.  Or, is management just checking a box that an audit was performed.

I'll update as controls start being implemented.

P.S.: I have to say, as a former auditor, it was interesting to experience the audit from the other side of the fence.  I was able to understand what the auditors were looking for and better able to answer their questions since I had been in their shoes.

Wednesday, December 31, 2014

2015 To Do: The Low-Hanging Fruit

I'm not going to try and recap this last year it's been great.  I know I've done good things and improved the security posture at the company as best I could.  Sure, there's more I could do, there's more I want to do, there's been battles won, and battles lost.

So, as a mental note, and to set a baseline, I'm outlining these mini-projects I want to get done as fast as possible.  I'll try to revisit this so I can see how long it took to complete these endeavors (and hoping that they get done.)  And this is not in any particular order.

1.  I'd like to get Two-Factor Authentication (2FA) on all the servers.  We use 2FA for VPN connections and it works well.  However, I would like to get it added to all of our production servers so we can (a) better track logins to these servers, and (b) add the extra authentication step to critical and production servers.  One challenge here will be leveraging our existing 2FA infrastructure and add it to servers.

2.  We have many proxy services employed in the network infrastructure.  Headquarters has a slew of them, depending on where network connections start and finish.  (Layers :-) )  When the headquarters (and data center) moved in October and November, our Zscaler connection was knocked off line.  This did not hamper headquarters much due to the other proxy services, but some of our branch offices rely on Zscaler as the primary proxy service.

3.  Our firewall solution is pretty robust - we have a lot of rules defined (that's a whole separate project.  Cleanup.)  The firewall has an IPS blade that receives signature updates from the vendor.  However, the network team has not implemented the signatures "because it's too hard / will block too much (!) / might cause a load on the firewall."  I want to come up with an automated solution where we can "auto-approve" most signatures.  For example, it would be great to come up with a policy where all Critical and High signatures get applied automatically.  Further, anything else that has a high confidence and low to medium impact we would apply as well.  The rest we can look at.  It would be a start at keeping the IPS in tune with current threats.

4.  Our GPO is used more for creating accounts and putting those accounts into business groups.  It is not really used to enforce security controls.  As such, there are a bunch of low-hanging fruit type controls we could implement without causing much pain.  Controls like locking screen savers, account lockout polices, and some password policies would be easy wins.

5.  We have an AV solution, it updates, and it appears to do it's job.  However, we don't have scheduled scans automatically turned on.  The users complain.  However, I suspect the AV will miss things without a scheduled scan to look.  Already, I've piloted turning on scheduled scans with a group to see what the real issues are.

6.  Our firewall and managed SIEM do a great job of alerting on known threats.  Our process to block some of those known threats is manual, though.  When we get an alert, we have to research the activity, then add the source address to a blocklist.  Manually.  There has to be a method to automagically block those sources on the first "malicious" event.  We need to turn this on.

7.  One of our FireEye appliances was taken offline due to the move.  We need to get this appliance back up and running.

I feel this list is simple enough; where completion of the items on the list will raise the security posture of the organization without many costs.  We'll see.

Thursday, December 4, 2014

EMET 5.1 - Windows 7 64bit - IE 11

Our user machines are deployed with Windows 7 64bit and IE 11 installed.  I notice that when I go to sites that check the browser, the sites respond that "browsers less than version 8 are not supported" or words to that effect.  Usually, the browser works fine and there are no issues.  I have been trying to get Microsoft's EMET to work with this configuration since version 4.0; and I have not been successful.  Internet Explorer crashes with EMET running.

I read that a new version, 5.1, might fix this.  After setting up EMET, and tweaking it to my environment, I checked Internet Explorer, and it still crashes.  Are there fixes or workarounds for this issue?

Wednesday, August 20, 2014

Finding Users Who Use the Conference Room Computers as a Proxy to Surf

I received an interesting alert today, indicating that a host in a conference room was attempting to reach out to a site hosting an exploit kit.  This is not the first alert I have received on this machine, so I was a little puzzled.  So, I went to the machine in order to remediate; and noticed that the AV software on the machine had blocked the connection attempt.  I ran both AV and Malwarebytes to ensure nothing is found.

The machine was clean.

Just before I logged out, I noticed that Windows Update had run and needed to restart the computer.  As I clicked to restart, the warning notice that other people connected to the machine would lose their connection.  Hmmm....what's really going on here?

A little digging showed that you can find out who is/has logged into a machine via RDP by examining the Event Logs.  Open Event Viewer, and navigate to:

Applications and Services Log -> Microsoft -> Windows -> Terminal Services - LocalSessionManager.

There you will find events for who logged in, with what account, and from what source.

Now to go find some users......

(And yes, we need to fix our policy on conference room computers...but that's a battle for another day.)

Friday, May 16, 2014

Finding a Specific Microsoft Patch on a Host

After the Word (.rtf) 0-day was announced at the end of March, we turned on an alert to let us know when an .rtf file was delivered to the company.  Until the patch was applied, we actually blocked the incoming mail, inspected it, and if it was clean, we allowed it to reach its destination.  After the patch, we just alerted on the incoming mail. 

It's been a couple of months, and we are still getting the alerts.  Before I turned off the alerts, I wanted to ensure that the patch was on my host.  A quick script I ran to look for the specific patch was:

wmic qfe | find "KB2953095"

It seemed to work ok.

If there are better/easier ways to do this, leave a comment.

Somewhat off-topic....I can't believe the number of people that still send documents as .rtf.  Why not just use Word?  Or a text document?  The number of incoming .rtf documents was way higher than I would have guessed.  Most were resumes or travel booking documents.

Monday, May 12, 2014

SANS SIFT 3 and the Desktop Share

I had the new SIFT 3.0 downloaded for a while, but I haven't been using it as much as I would like.  I've been using the older 2.x version. One of the main reasons is that on the 2.x version of SIFT, there was a desktop shortcut that took me directly to a directory of the host OS.  This is missing in the 3.0 version of SIFT.  I fully admit, I don't know linux as well as I know Windows.

Quickly reading up on the issue, and I found that this mount to the guest OS should be found in mount_points/hgfs.  I had that directory, but nothing was populated there.  And, in the Virtual Machine Settings, I had the Shared Folders set to Always Enabled.  Still nothing.

On a reboot, I noticed that there was an update to VMWare Player.  I updated, and checked the mountpoints directory, but still nothing.  One last google suggested running vmware-config-tools.pl.

Sure enough, after answering the questions, that did the trick.  Now, in the mout_points/hgfs folder, I see a subfolder for "C".  Bingo.

Now I have to get used to Unity and finding what I used to be able to find in SANS SIFT 2.x.

If anyone else has tips on making that transition, feel free to leave advice in the comments.

Friday, May 9, 2014

Finding Inactive Accounts

The SANS Top 20 Controls has a control named Account Monitoring and Control.  Within that control is a Quick Win:  Ensure that systems automatically create a report on a daily basis that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion.

We don't have an automated report of those types of accounts, and quite frankly, we have very poor visibility into account control.  Coming from a DoD environment, I'm not used to having such lax controls.  Slowly, I'm starting to push the company forward, but it is taking time.

My first thought was to look at the inactive accounts.  I figured that these accounts would be low enough of the low-hanging fruit to start with, and here's how I have gone about finding them.

(Note: that I have created a master script that will do more than what this post details...I'm only describing inactive accounts at this time.)

1.  This command is in a batch file:  dsquery user -inactive 4 -limit 3000 > accountout.txt

Call the output file what you like.  The -inactive 4 parameter tells dsquery to look for accounts that have been inactive for at least four weeks.  I picked four to start with, as I realize that we have users that travel extensively.  My hope is that once we manage the output, I'll be able to lower that number.

2.  I took the output of the file, and copied it to Excel.  From there, I went to Data>Text-to-Columns in order to break up the data nicely.

3.  Column 2 seemed to be where I could differentiate between user and non-user accounts.  I filtered on just user accounts and copied that to a new sheet.

My results were staggering.  There are way too many accounts.  My next step is to find or create a process to validate that these accounts are a) legitimate, and b) truly inactive.  Spot checking a bunch of these users revealed users that are contractors.  And, if I have to guess, they are no longer with the company.  Prime targets to attack - which is why they should be disabled or deleted.

Once that's done, I'll need to automate the process and schedule it to run weekly or so.  As for locked-out, disabled, and password length checking...those will be added in time.

Thursday, April 17, 2014

Letter to Management

This letter was posted today....and it could have been sent to our management.  (It's not.)  Many of the points echo exactly what is happening here.  I would say, the biggest excuse I hear is that management does not want to disrupt the corporate culture in implementing security controls.

I fear that a breach or severe incident will be the catalyst for change and implementing controls.  Yes, I've had many small wins, but there is lots to do.