8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
1/32
1
SRS Secure Desktop Project
Running Without AdministratorPrivileges
Barry Hudson
Desktop Systems Team LeadSRNS Aiken, SC [email protected]
803/725-8463
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
2/32
2SRS Secure Desktop Project Running Without Administrator Privileges
Abstract
SRS has approximately 10,000 PCs, the majority of which arecentrally managed. The major project for 2008 was to secure thesedesktops by removing routine user of Administrator accounts. Thiswas completed in parallel with a project to employ all applicableFDCC Group Policies.
In less than 8 months, all managed desktops were converted to theSecure Desktop model. Over 9000 XP systems were converted toNTFS, administrator privileges removed, and software calledBeyondTrust Privilege Manager was used to elevate privileges whenneeded for routine operation and software updates.
This presentation will outline the challenges and solutions used tomake the transition to Secure Desktop without making it DesktopLockdown. It was achieved ahead of schedule, with existing staffinglevels, and with fewer than 100 visits to the desktops.
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
3/32
3SRS Secure Desktop Project Running Without Administrator Privileges
Drivers and Background
PC configuration management has been aconsistent OIO audit finding since 2001
Various policies, procedures, andprocesses have been implemented overtime but the administrative privileges havenot been removed from the user
Another Audit was scheduled forSeptember 2008
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
4/32
4SRS Secure Desktop Project Running Without Administrator Privileges
This Is Just 1 Piece of The Puzzle
Overview of Comprehensive DesktopManagement at SRS WSUS patching, WinInstall updates, Symantec
AntiVirus Cisco Clean Access Posture Check and
Remediation
IVIS scanning
Vulnerability and Patch Management Team(VPMT)
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
5/32
5SRS Secure Desktop Project Running Without Administrator Privileges
Routine Scans Follow Up Scans UnseenHost Scans
SRSNet
SecondaryNetwork
SecondaryNetwork
SecondaryNetwork
SecondaryNetwork
Secondary Network(Stand Alone)
Nessus Scans
Data
QuarterlyScan Results
IVIS VPM Reports
IVIS Low Hanging Fruit / EasilyExploitable Vulnerabilities Report
Every hourdevices on thenetwork are
checked for recordof scan in last 7days; if not fullscan commences.
If IVIS scansshow vulnerabilities,follow up scans
occur daily.
Scan lists arecreated from ARPTable such that
the entire site iscovered within 1week.
IVISIVIS(Nessus(Nessus
BasedBased
Engine)Engine)
Ad HocScans
AutomatedDaily Sans
Top 20Scans viaHercules
and IVIS
Data
Manual Internal Netstat (NetworkStatistics tool) Supplemented withSelective External NMAP (Network
Mapper open source network securityAudit Tool including identifying
services offered) scans on a weekly basis
Nikto / Web Application scans toCapture vulnerabilities on a
monthly basis(Nikto is open source web server
scanner performing multiple checks
Alter routine scans toincorporate
port info found
Oracle OscannerScans on a
quarterly basis
Delayed scanrequest run
within 30days?
Yes
No
VPMT WeeklyMeeting to review,status & track High riskvuln. to closurewithin 45 days or exilefrom network
Daily review by VPMRep and remedy ofLHF within 24 hrs orexile from network
HP Jet AdminScanning Function runDaily for discovery.
Cisco Ops Ware/NAS Policy ComplianceCheck run by Networks
And reported monthly.
*Ad hoc scans are requested with a VPMT rep
List of devices
Requiring manual vuln.& web application scans*
V&PM
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
6/32
6SRS Secure Desktop Project Running Without Administrator Privileges
Project Scope
Remove routine use of users with Administratorprivileges Limits Malware propagation Users would be limited to install approved, standard applications
(i.e. WinInstall Applications).
Restricts implementation of local peripherals. Security configuration management is strictly enforced
Users less able to install vulnerable software Group Policy enforcements where possible
Implement FDCC policies
Work in parallel with other scanning, patching, andsecurity initiatives
Finish quickly, in time for the Going 4 Green audit
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
7/32
7SRS Secure Desktop Project Running Without Administrator Privileges
What PCs Are Out There?
Operating Systems 7000 Windows XP
2000 Windows 2000 (Reload with XP)
1500 Controllers and specialty systems Owner is Admin, others have non-Admin access
Software Inventory Results Almost 200 Centrally-managed Applications (WinInstall)
Over 40,000 identified self-installed applications Will they continue to run? What happens if they need to be reinstalled or updated?
About 2500 systems had no additional software
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
8/32
8SRS Secure Desktop Project Running Without Administrator Privileges
But Wait! Removing AdministratorRights Doesnt Buy You Much
Programs can be installed in the user space
Current User registry is not protected from Run,RunOnce, etc.
Why not whitelist all approved applications
And scan more often
And it will cost $500,000 or more to implement
Our time would be better spent doing more ofwhat works
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
9/32
9SRS Secure Desktop Project Running Without Administrator Privileges
But Wait! Removing AdministratorRights Doesnt Buy You Much
Programs can be installed in the user space
Current User registry is not protected from Run,RunOnce, etc.
Why not whitelist all approved applications
And scan more often
And it will cost $500,000 or more to implement
Our time would be better spent doing more ofwhat works
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
10/32
10SRS Secure Desktop Project Running Without Administrator Privileges
Orders From Headquarters
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
11/32
11SRS Secure Desktop Project Running Without Administrator Privileges
Impacts to the Business & Status Quo
Users will not be able to perform activities that requireadministrative access. Installing software from CDs
Creating file shares
Adding software drivers such as scanners and printers Certain other system modifications
Activities requiring administrative privileges must beperformed by IT support personnel or special accountsfor the users
Existing supported applications will be assessed andmodified to install and run in this environment
User supplied applications will be accommodated orconverted to managed applications
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
12/32
12SRS Secure Desktop Project Running Without Administrator Privileges
Planning Assumptions
Barry, youre no longer in the customer service business,you are in the security business
Things will break Processes will fail, but not always immediately We will learn as we go Some systems will be easier to migrate than others Focus on Managed Desktops first (8500) - XP Only
Review of WinInstall applications Review of local applications Pick the least likely to fail systems first
Pilot migration of some tough systems Then tackle controllers and shared systems (1000) And finally specialty systems (500) And hope everything runs at FY year-end closure
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
13/32
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
14/32
14SRS Secure Desktop Project Running Without Administrator Privileges
Staffing requirements
What we asked for: Desktop Team: 2 people fulltime for 1 year
Field Support: 2 visits per year x 1 hour x
10,000 systems = 20,000 hours = 10 FTEs What we got:
2 Help Desk Agents
Desktop Team delayed priorities for 6 months An accelerated schedule (Get the pain overquicker)
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
15/32
15SRS Secure Desktop Project Running Without Administrator Privileges
Selling It
Tell them why, when, and how Pick a non-threatening name
Secure Desktop vs. Desktop Lockdown
Publicity campaign, Sitewide Emails, Roadshows to Customers
Involve customers, Computer Security, IT, and management Weekly meetings of 20+ stakeholders 100+ issues and concerns
IT and DOE Security goes first (walk the talk) Provide a safety-valve (add the user back as Administrator)
Things will break, Processes will fail, We will learn as we go I made a Promise
If you cant still do your job with Secure Desktop, that means I have notdone my job right.
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
16/32
16SRS Secure Desktop Project Running Without Administrator Privileges
Publicity Campaign
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
17/32
17SRS Secure Desktop Project Running Without Administrator Privileges
Early Discoveries
Life as Non-Admin (life changes) Restricts access to registry, printer installs, software
installs Cant setup scheduled tasks
Life as Non-Admin with NTFS (life gets reallyinteresting) NTFS Restricts access to files and folders (eg
c:\Windows, c:\Program Files, Local Apps, defaultprofiles, and more)
Cant read other users or All Users profiles Some apps might need to be modified or
sections of PC opened up for them to run
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
18/32
18SRS Secure Desktop Project Running Without Administrator Privileges
Technical Tools to Make It Work
BeyondTrust Privilege Manager to elevate privileges when needed Approx 160 rules in place To install software To run some software Elevate System processes (eg TCP/IP Configure, Add Local Printer, VPN
Firewall, Plug and Play) Provides Inheritance so that auto-installers can retain rights
Use CACLs to tighten or loosen file and folder permissions Approx 100 exceptions needed Some apps write INI files to c:\program files
Refine Registry permissions (CACL or BeyondTrust)
Some apps change HKLocalMachine or HKClassesRoot Add and manage Non-person domain account with privs
For hands-on support For system updates and automated processes
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
19/32
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
20/32
20SRS Secure Desktop Project Running Without Administrator Privileges
Examples of Rules
Rules can permit or elevate based on1. GUID or URL-specific ActiveX controls2. Residence in a particular Folder3. Hash of the file
4. MSI that is being installed5. Specific Path of the file6. Other attributes
Recommendations:
1. Use a Hash when possibleMultiple versions (eg Flash4 and Flash5) are allowed2. Avoid Path and Folder rules if you do not control the fileshare
Dont open a path or share where anyone can drop an installer or EXE3. Look for inadvertent inheritance to downward processes
An elevated DOS box can be a big hole
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
21/32
21SRS Secure Desktop Project Running Without Administrator Privileges
BeyondTrust Configuration Screen
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
22/32
22SRS Secure Desktop Project Running Without Administrator Privileges
Process Tools to Make It Work
How to permit users and field support to regain Administrator rightswhen needed Locally written tool to add Admin back to PC and log the reason
Temporary Restoration of Administrator Rights (TRAP) 20-30 per day added by Help Desk
TRAP process should be followed by a scan after user does install 200+ Admin Restores exist at any point in time
The PA process and PC-SPPT-xx groups PA Personal Admin account allows selected users to support their PC PC-SPPT-xx groups added to specific Workgroup PCs (shadow support)
The CS/DA process
Computer Support accounts for installers and Field Support Desktop Admin accounts for my staff
RunAs and Remote Administration Non-secured machines that are offline are identified and secured
within 2 days of connection Daily inventory to check settings, TRAP abuse, lost sheep returning
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
23/32
23SRS Secure Desktop Project Running Without Administrator Privileges
Who Gets to Go First?
Management champions IT and DOE Security goes first (walk the talk) SRNL gets a gold star (150 of the 1st volunteers)
Ask for volunteers (motivate them with get better help
before the storm) Verify laptop, VPN, and off-line operations Email campaign with magic button to migrate now
Sent to users with no known extra applications (Dear User:)
Convincing users to participate. Not everyone is special
Look, SRNL did it and is still running! Allow Deferrals only for Good Reason (preferably classes of
systems, eg Doc Mgt, Maintenance, Controllers) Publicize your success, acknowledge your weaknesses
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
24/32
24SRS Secure Desktop Project Running Without Administrator Privileges
The Schedule
The Planned Schedule
10-12/07 proof of concept 1/08-3/08 100 user pilot
30 days to regroup
4/08-5/08 1000 easysystems
6/08-12/08 6000 totalmigrated
The Forced Schedule
10-12/07 proof of concept 1/08-2/20/08 50 user pilot
2/25/08 500 users added
2/26-3/5/08 1500 easysystems
3/08-5/08 6000 totalmigrated 6/08-12/08 deferrals 1/09-2/09 who is hiding?
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
25/32
25SRS Secure Desktop Project Running Without Administrator Privileges
Migration Rate
Secure Desktop Rate
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
10000
0 1 2 3 4 5 6 7 8 9 1 0 11 12 13
Month
TotalNumberSe
cured
Planned
Actual
10,134 Desktop Secured in 2008
Number Secured Per Day
0
50
100
150
200
250
300
350
400
450
500
2/11/2
008
2/25/2
008
3/10/2
008
3/24/2
008
4/7/2
008
4/21/2
008
5/5/2
008
5/19/2
008
6/2/2
008
6/16/2
008
6/30/2
008
7/14/2
008
7/28/2
008
8/11/2
008
8/25/2
008
9/8/2
008
9/22/2
008
10/6/2
008
10/20/2
008
11/3/2
008
11/17/2
008
12/1/2
008
12/15/2
008
12/29/2
008
The 2000 jump-start provides confidence.Sure, they are still running but what about atthe end of the month?
Push it till it breaks
Deferrals releasedPush it till it breaks
Dont run out of licenses!
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
26/32
26SRS Secure Desktop Project Running Without Administrator Privileges
Automating the Migration Process
Make all of WinInstall BeyondTrust Aware NTFS Conversion via email Magic Button invitations and forced WinInstall
Pre-req before getting added to the Scheduler list The Secure Desktop Scheduler
Triggers at login if you are on the list, NTFS, and an Administrator
Launches the upgrade process in WinInstall One giant WinInstall Install BeyondTrust Privilege Manager Install Basic CACLS to secure additional selected folders (approx 10) Add Local Printer shortcut Temporary folder for 16 bit applications in location not under c:\windows Remove Administrators from Computer and randomize local password Move Computer to BeyondTrust Container Apply Common CACLS to open additional selected subfolders (approx 100)
Write all done logfile About 100 systems did not migrate and required reload
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
27/32
27SRS Secure Desktop Project Running Without Administrator Privileges
What Broke It and How to Remedy It
Secure Desktop gets blamed for everything! Diagnosis
App wont install or wont run? Is everything broken or something specific? Is BeyondTrust running? Do you have the current rules?
Add user back as Admin and see if it fixes it This is your safety net Keeps the business running while you figure it out
Look for activity in the NTFS-protected folders (Program Files, Windows,System32, etc)
Look for activity in the Registry Triage to identify commonalities
Repair Elevate the program (hash vs. path) Liberalize rights on sub-folders or files (CACLS) Change program configuration (set INI file or prefs files to write elsewhere)
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
28/32
28SRS Secure Desktop Project Running Without Administrator Privileges
Phase-in of New Secure Desktops
Unfair to put installers on the front lines Deliver and add user as Admin
Permit users or installer to add software
Scan the system for vulnerabilities Add to the SD migration list after 3 days
All Windows 2000 were re-built on-site as Secured
Deliver As-Secure at the end of the project
Local Admin used only to add to domain Then remove all Admins
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
29/32
29SRS Secure Desktop Project Running Without Administrator Privileges
Unexpected Issues
Chicken and Egg situations Have to be an Admin to become secured But our goal is to eliminate Admin users
How to pre-build a secured machine Dealing with the absence of a universal Administrator account
There is no local administrator to break in with 90 day lost of trust issues Cached login with last good user
Set Owner Issues Some files are owned by the installer and cannot be accessed by others or
have provided unwanted access to install folders
Essential things did not work and need elevation Defrag, Clock, Ipconfig, RunOnce after installs Issues with multi-user systems
No unrestricted place to put turnover files Screensaver locked at shift change
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
30/32
30SRS Secure Desktop Project Running Without Administrator Privileges
Ongoing Maintenance
Daily Un-TRAP of Admin Restores Look for abuse
Propagate PA and PC-SPPT-xx accounts
Verify new installs are secured All scanning and remdiation activities must be
Secure-Desktop aware
Add rules as issues arise (about 4 per month)
New products Stuff breaks
Updates to existing rules
BeyondTrust product enhancements
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
31/32
31SRS Secure Desktop Project Running Without Administrator Privileges
Summary
Project success despite objections from usersand reluctance of IT staff Early 500/day was a crazy idea but provided valuable
insight and confidence
Almost finished before we had planned to get started
Critical success factors Publicity campaign
Top level management support
Acknowledgement that things would break
Availability of a relief valve (Restore Admin user)
Ability to select and throttle the update list
8/3/2019 SRS Secure Desktop Project-Running Without Admin-Barry Hudson
32/32
32SRS Secure Desktop Project Running Without Administrator Privileges
Questions
Barry Hudson
Desktop Systems Team LeadSRNS Bldg 773-51AAiken, SC 29808
803/725-8463