Lock Down A Domain Controller L03.pdf

Date post: 20-May-2020

IC L04 How To Secure Your Data Center Using CSP

Course Description: Securing your Data Center using CSP

At the end of this lab, you should be able to:

Understand the different components of CSP to protect

Understand how CSP

Understand the CSP vSphere detection policies

Understand how to deploy the policies

Understand how CSP can be used to help meet the VMware Hardening Guidelines

Notes (lab credentials):

CSP Manager Windows box: username admin, password Symc4now!

CSP console login: username symadmin, password Symc4now!

Windows 2003 Enterprise box: username Administrator, password Symc4now!

BackTrack: username root, password toor

LAB AGENDA

Lab Exercise 1: Lock Down A Domain Controller (10 min)
Topic 1: CSP provides prevention policies that lock down the vSphere components, preventing unauthorized changes to configurations and binaries and unauthorized access to the SSL certificates.

Lab Exercise 2: Protecting SSL Certificates (15 min)
Topic 2: The out-of-the-box prevention policy protects the SSL certificates from being tampered with or accessed by anyone who is not authorized, or by any application other than vSphere.

Lab Exercise 3: Protecting vCenter Configurations (15 min)
Topic 3: The out-of-the-box prevention policy protects the vCenter configuration files and logs from being tampered with by anyone who is not authorized.

Lab Exercise 4: Monitoring configurations, host and log files on ESXi host (15 min)
Topic 3: CSP RFS monitors for changes and parses for critical events occurring at the host level. It monitors ESX.conf and VMXD files for changes, and monitors log files for errors.

Lab Exercise 5: Monitoring vCenter Server (15 min)
Topic 3: CSP provides a policy called vSphere Application Detection Policy; this policy is used to monitor binaries, SSL certificates, configuration files and logs on the vCenter server.

Lab Exercise 6: Monitoring vCenter Server System (30 min)
Topic 3: CSP provides a policy called vSphere Windows Baseline Policy; this policy is used to monitor activity on the vCenter system. It monitors user and system activity and watches critical OS files and registry keys for changes.

Lab Exercise 5: vSphere Reporting (15 min)
Topic 3: CSP provides out-of-the-box queries to report on events generated by the vSphere policies.


Lab 1: Locking Down a Domain Controller (30 min)

Lock down a domain controller from being compromised.

Protect Your Domain Controller

Understanding your Network Infrastructure and Policies

Before deploying SCSP, it is important that you understand and put your enterprise policies in place using the Group Policy editor on your DC. These policies usually set minimum standards such as Kerberos authentication, user account types, password policies and so on.

Understanding your network infrastructure, allowing only specific client subnets to authenticate, and separating clients into groups/organizational units is the next step.

Once these are in place, deploying SCSP adds a further layer of security. This gives you a defence-in-depth (layered) security strategy for your network.

SCSP ships with policies that are almost ready to use out of the box to protect your domain controller. They address and protect key components of your enterprise network: blocking or allowing known good/bad network ports and IP addresses, de-escalating administrator privileges, denying execution of unknown programs, and protecting logs and other assets that matter to an administrator.

With some fine tuning of the out-of-the-box policies (steps given below), SCSP will give your environment a security posture that is every administrator's dream.


Setting Network Controls/Firewall rules

Log in to the CSPMGR Windows box (username: admin, password: Symc4now!).

Log in to the CSP console (username: symadmin, password: Symc4now!). In the SCSP Management Console, under the Policies > Prevention screen, you will find sym_win_protection_strict_sbp (Windows Strict Prevention Policy). Right-click and edit this policy. It does not matter which prevention policy you use for this exercise.

Under policy settings, click Global Policy Options > Network Controls and specify the inbound hosts that you want to give access to the domain controller. For example, edit the inbound network rules: click Add and enter the Remote IP as the IP address of a machine, e.g. 192.168.0.1/24, or use the Import button to import a list of IP addresses. Note that an entry with a prefix length such as 192.168.0.1/24 admits the whole 192.168.0.0/24 subnet, not just the one host; enter a bare address (or a /32) if you mean a single host.

The ports required for Active Directory communication are predefined in the policy and are allowed to communicate with any hosts defined in the inbound, global or process sets.

By default, all inbound connections are denied.

Press OK.

Right-click the policy and apply it to the Test-win2003 server, taking the new option settings.

Click Finish.
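The following is an added example, not part of the lab and not SCSP code: it models the effect of the inbound network control configured above (default-deny inbound, an allowlist of remote hosts or subnets, and a fixed set of Active Directory ports) so that you can check what a rule set will admit before applying it to a domain controller. The AD port list is an assumption drawn from the well-known defaults, not the policy's own predefined list, and the sample connections are constructed.

```python
"""Model of the inbound network control set in this exercise (added example).

Default-deny inbound; a connection is admitted only if its source matches an
allowlisted host/subnet AND its destination is one of the AD service ports.
"""
import ipaddress
from dataclasses import dataclass

# Assumed: services a DC must expose to domain members (well-known defaults).
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "Kerberos password change", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog over SSL",
}


@dataclass(frozen=True)
class InboundRule:
    remote: ipaddress.IPv4Network  # remote host or subnet permitted inbound


def parse_remote(entry: str) -> ipaddress.IPv4Network:
    """Parse a Remote IP entry as typed into the console.

    strict=False matters: the lab's 192.168.0.1/24 has host bits set and is
    really the whole 192.168.0.0/24 network. A bare address becomes a /32.
    """
    return ipaddress.ip_network(entry, strict=False)


def build_rules(entries) -> list:
    return [InboundRule(parse_remote(e)) for e in entries]


def inbound_allowed(rules, src_ip: str, dst_port: int) -> bool:
    """Default-deny: pass only on an allowlisted source AND a predefined AD port."""
    if dst_port not in AD_PORTS:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in r.remote for r in rules)


def audit(rules, events) -> list:
    """Evaluate (src_ip, dst_port) tuples; returns (event, 'allow'|'deny') pairs."""
    return [(ev, "allow" if inbound_allowed(rules, *ev) else "deny") for ev in events]


if __name__ == "__main__":
    rules = build_rules(["192.168.0.1/24"])
    # Constructed sample connections, not captured from the lab network.
    sample = [
        ("192.168.0.50", 389),   # LDAP from inside the subnet -> allow
        ("192.168.0.200", 445),  # SMB from any other host on that /24 -> allow
        ("10.0.0.7", 389),       # LDAP from an unlisted network -> deny
        ("192.168.0.50", 3389),  # RDP is not an AD port -> deny
    ]
    for (src, port), verdict in audit(rules, sample):
        print(f"{src:>15} -> port {port:<5} {verdict}")
```

Running it shows the point of the caveat above: a single /24 entry admits every host on that segment, including any attacker who has already landed there, so the network control is a coarse filter and the file, program and exploit-prevention rules in the later exercises do the real work.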


Securing Domain Controller Assets

Protecting Active Directory database files such as ntds.dit, edb.log and temp.edb can be done easily using SCSP. These are critical AD files which hold information such as user objects, groups and membership information. To learn more,

The paths below are the defaults; if the database or its logs were relocated when the DC was promoted, use the paths recorded under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (the "DSA Database file" and "Database log files path" values).

In the SCSP Management Console, under the Policies > Prevention screen, you will find sym_win_protection_strict_sbp (Windows Strict Prevention Policy). Right-click and edit this policy. You can use the same policy that you used in the above example.

Under policy settings, click Global Policy Options > File Rules > Writeable Resource list > Allow modification to these files. Click Add and create three entries:

Resource Path %systemroot%\ntds\ntds.dit with Program Path %systemroot%\System32\lsass.exe

Resource Path %systemroot%\ntds\edb.log with Program Path %systemroot%\System32\lsass.exe

Resource Path %systemroot%\ntds\temp.edb with Program Path %systemroot%\System32\lsass.exe

Under policy settings, click Global Policy Options > File Rules > No Access Resource list > Block all access to these files. Click Add and create three entries:

Resource Path %systemroot%\ntds\ntds.dit

Resource Path %systemroot%\ntds\edb.log

Resource Path %systemroot%\ntds\temp.edb

If you intend to do maintenance on the Active Directory database files, also add ntdsutil.exe under Policy Settings > Interactive Program Options > Specify interactive program with full privileges, with Program Path %systemroot%\System32\ntdsutil.exe.

Press OK. Right-click the policy and apply it to the Test-win2003 server, taking the new option settings.

Click Finish. This protects the database files from getting into the wrong hands.


Lab Exercise 2: Denying Execution of Unknown Programs (15 min)
Topic 1: The out-of-the-box prevention policy protects the system against unknown applications being run.

If a system account somehow gets compromised, you want to at least make sure that the attacker is blocked from stealing critical information. An attacker usually does this by deploying executable tools such as pwdump.exe, malware.exe and the like.

SCSP's biggest strength is denying these tools from being copied onto the system, and further denying their execution. This is done simply by deploying sym_win_protection_strict_sbp (Windows Strict Prevention Policy).

This policy also de-escalates administrator privileges and treats every administrator as a regular/local user.

With the previous policy deployed, log in to the Windows 2003 Enterprise Server (username: admin, password: Symc4now!).

Try to launch Malware.exe. The policy should deny the launch.


Lab Exercise 3: Monitoring Data Center Servers (15 min)
Topic 1: Monitor activity on your data center servers.

Symantec provides an out-of-the-box Windows Baseline Detection Policy, found under Detection View > Policies. This policy acts as a baseline (a Symantec recommendation and standard) for:

User/Group Monitoring
Active Directory Monitoring
Login Activities
Hardening Monitor
File and Directory Monitor
Registry Monitor
Symantec Software Monitoring
External Device Activity Monitoring

Right-click the policy and apply it to the Test-win2003 server, taking the new option settings. Click Finish.

Log in to the Windows 2003 Enterprise Server (username: Administrator, password: Symc4now!). Open Active Directory Users and Computers under Administrative Tools. Enable and then disable the Guest user account and the Support account. Modify the Domain Admins group and add the Guest account to it.

Go back to the CSP console and open the Monitor tab.

Look at the detection events for the ones that indicate the above changes to the system.
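The following is an added example, not from the lab and not CSP's detection policy: it shows how the same changes you just made (enabling the Guest and Support accounts, adding Guest to Domain Admins) surface in the Windows Security log and how a detector can score them. The event IDs are the Windows Server 2003 values with their Vista/2008-and-later equivalents; the key=value export format, the privileged-group list and the sample records are constructed for the example. Account-management auditing must be enabled on the DC for these events to exist at all.

```python
"""Detection logic for the account and group changes made in this exercise.

Added example: Windows Security event IDs are real (Server 2003 value, then the
Vista/2008+ equivalent); the log export format and sample lines are constructed.
"""
from dataclasses import dataclass

ACCOUNT_ENABLED = {626, 4722}
ACCOUNT_DISABLED = {629, 4725}
GROUP_MEMBER_ADDED = {632, 636, 660, 4728, 4732, 4756}   # global, local, universal

# Assumed: groups whose membership changes are always high severity.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# Assumed: built-in accounts that should stay disabled on a DC.
WATCHED_ACCOUNTS = {"guest", "support_388945a0"}


@dataclass
class Alert:
    severity: int
    event_id: int
    subject: str
    summary: str


def parse(line: str) -> dict:
    """Parse 'Key=Value|Key=Value' records (constructed export format)."""
    rec = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        rec[key.strip().lower()] = value.strip()
    rec["eventid"] = int(rec["eventid"])
    return rec


def detect(lines) -> list:
    """Turn raw records into alerts; anything not matching a rule is ignored."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        r = parse(line)
        eid, subject = r["eventid"], r.get("subject", "?")
        target = r.get("target", "").lower()
        if eid in ACCOUNT_ENABLED and target in WATCHED_ACCOUNTS:
            alerts.append(Alert(80, eid, subject, f"watched account {r['target']} enabled"))
        elif eid in ACCOUNT_DISABLED and target in WATCHED_ACCOUNTS:
            alerts.append(Alert(20, eid, subject, f"watched account {r['target']} disabled"))
        elif eid in GROUP_MEMBER_ADDED:
            severity = 95 if target in PRIVILEGED_GROUPS else 40
            alerts.append(Alert(severity, eid, subject,
                                f"{r.get('member')} added to {r['target']}"))
    return alerts


# Constructed sample export mirroring the steps of this exercise.
SAMPLE_LOG = """\
EventID=626|Subject=Administrator|Target=Guest
EventID=629|Subject=Administrator|Target=Guest
EventID=626|Subject=Administrator|Target=SUPPORT_388945a0
EventID=632|Subject=Administrator|Target=Domain Admins|Member=Guest
EventID=632|Subject=Administrator|Target=Sales|Member=jdoe
EventID=528|Subject=Administrator|Target=-
"""

if __name__ == "__main__":
    for a in sorted(detect(SAMPLE_LOG.splitlines()), key=lambda a: -a.severity):
        print(f"sev={a.severity:3} id={a.event_id} by {a.subject}: {a.summary}")
```

The severities are deliberately asymmetric: re-disabling Guest is low priority, while any addition to Domain Admins is scored at the top regardless of who did it, because on a DC that single event is the one worth paging on.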


Lab Exercise 4: Monitoring PCI Assets in the Data Center (15 min)
Topic 1: CSP can be used to help meet several of the "digital dozen" requirements enforced by PCI.

PCI Requirement 10 - Track and monitor all access to network resources and cardholder data

Requirement 10.2.1: To monitor any modification or access attempts made specifically to the creditcard.txt file, open the SCSP management console; under the Policies > Detection screen you will find Windows_template_policy. The template policy is used here to write custom rules for meeting this requirement. Right-click and edit this policy. Click My Custom Rules.

Click the (+) sign to create a new custom rule. Enter the display name and identifier as PCI_Requirement_10_2_1 (you can also choose your own identifier and display name). Select the category File Watch Rule. Click Finish. You will see a new rule created in the template policy. Edit this rule and:

Enable the rule by checking the File Watch Rule options
Fill in the Rule Name with PCI
Fill in the Severity with 90
Change the Search Depth to 3
Enable the file create option (optional)
Enable the file delete option (optional)
Enable "Monitor file modification" (mandatory for this requirement)
Enable "Report file differences"
Enable the file access option (mandatory)
Enable "Files to watch", click Edit (+) and add the value c:\cardholderdata\*
Enable "Additional patterns to match on" and add the value *
Enable "Record event to SCSP console"

Apply the policy to the test-windows2003 system.

If someone modifies or accesses the creditcard.txt file, a file monitoring event is generated in real time which provides the audit trail information required by:

Requirement 10.3.1: User identification
Requirement 10.3.2: Type of event
Requirement 10.3.3: Date and time
Requirement 10.3.4: Success or failure indication
Requirement 10.3.5: Origination of event
Requirement 10.3.6: Identity or name of affected data, system component or resource


Log in to the Windows 2003 Enterprise Server (username: Administrator, password: Symc4now!).

Go to the c:\cardholderdata folder, open the creditcard.txt file and make a modification to it. Go to the CSP console.

Open the Monitor tab and look for the events that were generated showing a change to the creditcard.txt file.


Symantec also provides an out-of-the-box Windows Baseline Detection Policy, found under Detection View > Policies. This policy acts as a baseline (a Symantec recommendation and standard) for:

User/Group Monitoring, Active Directory Monitoring, Login Activities, Hardening Monitor, File and Directory Monitor, Registry Monitor, Symantec Software Monitoring, External Device Activity Monitoring, System Attack Detection.

Symantec recommends that you apply this policy on all systems for PCI:

Requirement 10.2.2: All actions taken by any individual with root or administrative privileges are logged
Requirement 10.2.3: Access to all audit trails is logged
Requirement 10.2.4: All invalid logical access attempts are logged
Requirement 10.2.5: Use of identification and authentication mechanisms is logged
Requirement 10.2.6: Initialization of audit logs is logged
Requirement 10.2.7: Creation and deletion of system-level objects are logged

PCI Requirement 11.5 - Deploy file integrity monitoring tools for monitoring unauthorized modification of critical system and configuration files.

The Windows Baseline Detection policy can also be used to monitor system executables, application executables, configuration files and so on. The options to monitor these files are enabled by default.

A sub-option that is not enabled by default is under System File and Directory Monitor > System Filewatch Monitor > Monitor System Critical Files > Monitor File Modification.

When a critical file is modified, this option records the old checksum (hash) and the new checksum (hash). The file integrity component can use significant resources to generate these hashes, so this option should be enabled conservatively (e.g. disabled during Windows system updates). System activity and other factors such as available memory should also be taken into consideration before enabling this sub-option.
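The following is an added example, not from the lab and not CSP's file watch engine, serving both the cardholder-data file watch rule in this exercise and the Requirement 11.5 checksum option above. It reproduces what those options do: walk a watched directory to a limited search depth, report create/delete/modify events, keep the old and new SHA-256 of every modified file, and (like "Report file differences") produce a unified diff for text files. The depth semantics, the temporary directory standing in for C:\cardholderdata and the sample contents are constructed.

```python
"""File-integrity monitor for the watch rule and PCI 11.5 (added example)."""
import difflib
import hashlib
import os
import tempfile

SEARCH_DEPTH = 3  # the Search Depth set in the lab rule; level semantics assumed


def snapshot(root: str, depth: int = SEARCH_DEPTH) -> dict:
    """Map relative path -> SHA-256 for files at most `depth` levels below root."""
    result = {}
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        level = 0 if rel == "." else rel.count(os.sep) + 1
        if level >= depth:
            dirnames[:] = []  # stop descending past the search depth
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def compare(old: dict, new: dict) -> list:
    """Return sorted (event, path, old_hash, new_hash) tuples: the FIM event stream."""
    events = []
    for p in old.keys() - new.keys():
        events.append(("delete", p, old[p], None))
    for p in new.keys() - old.keys():
        events.append(("create", p, None, new[p]))
    for p in old.keys() & new.keys():
        if old[p] != new[p]:
            events.append(("modify", p, old[p], new[p]))
    return sorted(events)


def diff_text(old: bytes, new: bytes, name: str) -> str:
    """Unified diff of two versions of a text file; empty string for binary content."""
    try:
        a = old.decode("utf-8").splitlines(keepends=True)
        b = new.decode("utf-8").splitlines(keepends=True)
    except UnicodeDecodeError:
        return ""
    return "".join(difflib.unified_diff(a, b, f"a/{name}", f"b/{name}"))


def demo() -> list:
    """Replay the exercise: baseline the folder, edit creditcard.txt, rescan."""
    with tempfile.TemporaryDirectory() as root:  # stands in for C:\cardholderdata
        card = os.path.join(root, "creditcard.txt")
        with open(card, "w") as fh:
            fh.write("4111111111111111 exp 12/29\n")  # constructed test-card data
        deep_dir = os.path.join(root, "a", "b", "c", "d")  # level 4: beyond the depth
        os.makedirs(deep_dir)
        open(os.path.join(deep_dir, "toodeep.txt"), "w").close()
        baseline = snapshot(root)
        with open(card, "a") as fh:
            fh.write("5555555555554444 exp 01/30\n")  # the "make a modification" step
        os.remove(os.path.join(deep_dir, "toodeep.txt"))  # unreported: outside depth
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for event, path, old_hash, new_hash in demo():
        print(f"{event:7} {path}  old={old_hash and old_hash[:12]}  new={new_hash and new_hash[:12]}")
    print(diff_text(b"4111111111111111 exp 12/29\n",
                    b"4111111111111111 exp 12/29\n5555555555554444 exp 01/30\n",
                    "creditcard.txt"))
```

Two things the example makes concrete. First, the resource cost the text warns about is the hashing: every rescan reads every watched file in full, which is why the system-wide checksum option is off by default and why this example only hashes the watched tree. Second, a scan-and-compare monitor like this can only ever see modifications; the "file access" (read) events that Requirement 10.2.1 also asks for need a real-time hook such as CSP's agent or OS object-access auditing, because a read leaves no trace in the file's hash.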


Lab Exercise 5: Protecting Critical Data in your Data Center (15 min)
Topic 1: CSP provides the ability to lock down data or configuration files from being accessed by someone who is not authorized.

Restricting access to critical data stored on servers is an important part of preventing data leakage.

In the SCSP Management Console, under the Policies > Prevention screen, you will find sym_win_protection_strict_sbp (Windows Strict Prevention Policy). You can use the same policy that you used in the previous exercises. Right-click and edit this policy.

Under policy settings, click Global Policy Options > File Rules > No Access list. Click Add and create the following entry:

Resource Path C:\cardholderdata\*

Press OK. Apply the policy to the Test-Windows2003 box and wait a few seconds. Log in to the Windows 2003 box (username: Administrator, password: Symc4now!) and try to access the cardholderdata folder. Access should be denied.

In the CSP Monitor tab you should also see an event saying that the access was denied.


Lab Exercise 6: Protecting a Data Center Server from Targeted Attacks (30 min)
Topic 1: CSP prevention policies protect critical servers from targeted attacks and enhanced memory attacks.

In the CSP management console, click Assets.

Then right-click test-win2003.

Click Edit Policy.

Disable prevention by clicking the Prevention Enabled button in the top left corner until it turns red.


Click OK.

Log in to the BT5R3 VM (username: root, password: toor).

Type startx.

Launch Armitage (the original lab shows a screenshot of the launcher here).


Answer Yes to the following dialog.

You will get another dialog; answer Connect to it.

Your opening screen should look like the screenshot in the original lab.


Right-click the host 192.168.0.13.

Perform a Scan. (This is the typical scenario of what attackers do once they find systems in your network: they scan them to figure out what type of system it is and what types of attacks to use against it.)

Once the scan is finished, click Services.


Go to Attacks and click Find Attacks.


Launch Hail Mary.

Your host should come back with a session open (the original lab shows a screenshot here).


Right-click the host and launch a command shell.

Go to the cardholderdata folder and view the creditcard.txt file.


Without proper prevention on your critical server, an attacker can gain access through exploits and reach critical data.

Go to the CSP Monitor tab, where you can see the attacks against the system.


Go back to the CSP console.

Go to the Assets tab.

Right-click the Test-win2003 system.

Edit the policy.

Re-enable prevention.

Press OK.


Go back to the BT5R3 VM.

Armitage should still be open.

Right-click the Test-win2003 system.

Kill the session.


Relaunch the attack.

The attack should not be successful.


Go back to the CSP Console

Go to the Monitor Tab

You should see an event showing the attack was stopped by CSP.

