Active Directory in ICS: Lessons Learned from the Field

Lessons Learned from the Field: Active Directory in ICS
HPS Industrial Cyber Security Services, DigitalBond S4x15, January 2015

Uploaded by digital-bond, posted 14-Jul-2015

TRANSCRIPT


Abstract

• Many control systems don't have domains or leverage them only for user authentication. They are intended to help centralize the maintenance and management of a large group of member computers, as well as huge productivity gains for administration, implementing change, and consistency. This session will cover lessons learned of Active Directory domains and their use with control systems, from someone who deals only with control system environments. What works, what to avoid, guidance on how to plan & implement certain features, and useful things you may not have known about. This is not an introduction to Active Directory; it is intended for those that have familiarity with Active Directory, its purpose, basic administration and group policy management.
• 45 minutes

Honeywell Proprietary


Speaker

• Donovan Tindill, Senior Security Consultant – Honeywell Industrial Cyber Security (formerly Matrikon)
– For almost 15 years, specialized in defending cyber security for industrial automation & control systems (IACS) to most every industry and countless ICS.
– Responsible for large scale project planning, enterprise risk management, security program development, training, vulnerability assessments, industry compliance, NERC CIP, etc.
– ISA99/IEC62443 contributor, and co-chair of Working Group 6 on IACS patch management.
– Assessed and designed LOTS of ICS networks and domains, cyber security assessments (people-process-technology), developed ICS cyber security programs, etc.
– Email: http://tinyurl.com/DonovanAtHon; Please connect on LinkedIn and mention this conference.

The views and opinions expressed here are my own and don't necessarily represent the views or opinions of Honeywell.

Honeywell Industrial Cyber Security

Honeywell Industrial Cyber Security is the leading provider of cyber security solutions that help protect the availability, safety, and reliability of industrial control systems (ICS) and plant operations.

Leveraging our industry leading process control and cyber security experience, our expertise, and technology, we deliver proven solutions designed for the specific needs of process control environments.

Cyber Security = Process Availability, Safety and Reliability

Honeywell Protects From the Inside Out and Outside In

• Build security into our products
– Employ same risk-management mechanisms for cyber security we design for safe industrial operations
• Strengthen security with proven end-to-end solutions
– Security architecture, security controls and best industrial practices
– Services delivered by global team of experts
• Assure continued protection and resilience
– Situational awareness
– Monitoring, management and training services

Industrial Cyber Security Solutions Framework: Embedded Security Is Just the Start

[Diagram] Security Awareness: Cyber Security Assessments, Monitoring and Situational Awareness. Security Technology: used to drive secure architectural design, leveraging network, host & security controls. Architectural Design and Best Practices; Operational Security Controls.

We Address Industrial Cyber Security End-to-End

Complete Industrial Cyber Security Solutions
• Assessments & Audits: Security Assessments; Network & Wireless Assessments; Security Audits
• Architecture & Design: Current State Analysis; Design & Optimization; Zones & Conduits
• Response & Recovery: Backup and Restore; Incident Response
• Network Security (Technology): Firewall; Intrusion Prevention; Access Control
• Situational Awareness: Continuous Monitoring; Compliance & Reporting; Security Analytics; Security Information & Event Management (SIEM)
• Endpoint Protection: Patching & Anti-Virus; Application Whitelisting; End Node Hardening; Portable Media & Device Security
• Policy Development; Security Awareness Training

Managed Industrial Cyber Security Services

• Secure Connection: Secure tunnel for services
• Protection Management: Qualified anti-malware files & operating system patches
• Continuous Monitoring and Alerting: Monitoring of system, network & cyber security performance; 24/7 alerting against thresholds
• Intelligence Reporting: Weekly compliance and quarterly trend reports
• Perimeter and Intrusion Management: Firewall: Configuration rules + log file review and reporting; IPS: Signature update validation + log file review and reporting

Why Honeywell Industrial Cyber Security

• Industry Leading People and Experience: Global team of certified experts with deep experience across all industries; 100's of successful PCN / Industrial cyber security projects; Leaders in security standards ISA99 / IEC62443
• Industry Leading Processes and Expertise: Proprietary methodologies specific for process control environment & operations; Best practices developed through years of delivering solutions; Comprehensive understanding of unique process control security requirements
• Industry Leading Technology: First to obtain ICS product security certification with ISASecure; Largest R&D investment in cyber security solutions and technology; Strategic partnerships with best in class security product vendors

Trusted, Proven Solution Provider

Topics

Technical Level 100: Time Synchronization; DNS; AD Replication; DC Maintenance; Backup and Restore
Technical Level 200: User and Group Guidelines; ICS Group Policy; Groups.xml Vulnerability
Technical Level 300: DC Through Firewall; Fine Grained Password Policies
Technical Level 400: AppLocker

If common sense were common, we wouldn't have to fix these over and over…

Terminology

• NTDS – NT Directory Services
• AD – Active Directory (aka. NTDS)
• DC – Domain Controller
• FSMO – Flexible Single Master Operation
• DNS – Domain Naming Service
• GPO – Group Policy Object
• SCW – Security Configuration Wizard

Time Synchronization
Ft McMurray Oilsands Conference 2015
Drifting from Reality

Time Synchronization

• Accurate time sync is a fundamental component of AD authentication. Time drift can result in domain decay and mysterious authentication issues if it exceeds 4 minutes between domain members.
• Actual Event:
– One group of computers cannot authenticate with other PCs in the same domain. Some logons work, some don't, not consistent across the environment.
– Root Cause: Time drift greater than 5 minutes between DCs results in replication failure, domain members polarize with a DC and 'islands' of authentication result.
– Solution: It's ugly! Force demotion of bad DC, fix time sync, promote to DC again.

Time Synchronization

• Identify the 'PDC Emulator' role. It is the time master for the entire domain.
• Get a GPS or other accurate (i.e., Stratum) time source; otherwise, the cheap clock on motherboard is used.
• w32tm /config /manualpeerlist:"X.X.X.X Y.Y.Y.Y" /syncfromflags:manual /reliable:yes /update
• w32tm /query /status
• w32tm /query /peers

Sources:
- How to configure an authoritative time server in Windows Server, http://support.microsoft.com/kb/816042.
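The following is an added example, not code from the original deck: it locates the PDC Emulator with the ActiveDirectory module, applies the w32tm configuration from the slide on that host only, and then measures every DC's clock offset so that drift is found before it reaches the 5-minute range that broke replication in the event above. It assumes the RSAT ActiveDirectory module, domain admin rights, and that it is run on the PDC Emulator so offsets are relative to the time master; the peer addresses are placeholders from the TEST-NET range.

```powershell
# Added example (not from the original deck).
# Assumptions: RSAT ActiveDirectory module, run as a domain admin on the PDC Emulator.
Import-Module ActiveDirectory

$TimeSources    = '192.0.2.10 192.0.2.11'   # placeholder addresses; use your GPS/NTP appliance
$MaxSkewSeconds = 300                       # deck: >5 min between DCs caused replication failure

function Get-PdcEmulator {
    # The PDC Emulator FSMO role holder is the time master for the whole domain.
    (Get-ADDomain).PDCEmulator
}

function Set-PdcTimeSources {
    param([Parameter(Mandatory)][string]$Peers)
    $pdcShort = (Get-PdcEmulator) -split '\.' | Select-Object -First 1
    if ($env:COMPUTERNAME -ine $pdcShort) {
        throw "Run this on the PDC Emulator ($pdcShort); other DCs follow the domain hierarchy."
    }
    # Same command as on the slide, with the peer list parameterised.
    w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
    Restart-Service -Name w32time
    w32tm /resync
    w32tm /query /status
}

function Get-DcClockOffsets {
    param([int]$MaxSeconds = $MaxSkewSeconds)
    foreach ($dc in Get-ADDomainController -Filter *) {
        # /stripchart reports the offset between this host and the target DC, e.g. "+00.0012345s".
        $lines   = w32tm /stripchart "/computer:$($dc.HostName)" /samples:3 /dataonly 2>&1
        $samples = $lines | Select-String -Pattern '([+-]\d+\.\d+)s' |
                   ForEach-Object { [double]$_.Matches[0].Groups[1].Value }
        $offset  = if ($samples) { ($samples | Measure-Object -Average).Average } else { $null }
        [pscustomobject]@{
            DC            = $dc.HostName
            OffsetSeconds = $offset
            Status        = if ($null -eq $offset) { 'UNREACHABLE' }
                            elseif ([math]::Abs($offset) -gt $MaxSeconds) { 'DRIFT - authentication at risk' }
                            else { 'OK' }
        }
    }
}

# Usage:
# Set-PdcTimeSources -Peers $TimeSources
# Get-DcClockOffsets | Format-Table -AutoSize
```

Only the PDC Emulator is pointed at the external source; every other DC keeps the default domain-hierarchy sync, which is why the script refuses to run the configuration elsewhere. Run the offset report after any DC reboot or virtualization host change, since those are the usual origins of the drift the slide describes.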

Domain Naming Service (DNS)
What's your address again?

Domain Naming Service (DNS)

• DNS allows humans to use hostnames to communicate with network devices. AD uses DNS to store DC roles, help DCs find each other, and domain members find DCs.
• Every DC has a copy of the same DNS database and is continuously synchronized.
• If a domain controller cannot communicate with DNS, you're in trouble!
• If a domain member cannot communicate with DNS, only previously cached credentials will work.

DNS

• Actual Event:
– Domain controller network driver update/change fails, after reboot it cannot find peer DNS server, cannot logon!
– Root Cause: Its local IP address was not included in DNS server list.
– Solution: DNS1 should be neighbor DC, DNS2 should be another neighbor, DNS3 should be 127.0.0.1. Have at least 2 real DNS servers, last one loopback IP.
– When a DC first boots, it is member only. It must first find other DCs thru DNS and replicate DNS & NTDS databases, before it can authorize itself to authenticate users (including logons at console). Otherwise really slow or failed logon.
– Always stagger DC reboots!

Sources:
- DNS servers on NIC should include 127.0.0.1 but not as first entry, http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx.
- Microsoft Best Practice for DC DNS settings, http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest.

DNS

• Replicate to all DNS servers in forest.
• Dynamic Updates: Secure Only
– ipconfig /registerdns (used to refresh local DNS records on-demand)
• Turn on aging/scavenging for all forward and reverse lookup zones (i.e., check the box).
• Zone Transfers: Explicitly specify servers or turn off.
• In ICS, you can delete list of root hint servers. Stops DNS noise before firewall.
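Two DNS tasks from the slides above, written as an added example rather than code from the original deck: an audit of the DC's own NIC DNS list against the rule from the driver-update event (neighbor DCs first, 127.0.0.1 last, at least two real servers), and a function applying the zone settings recommended on this slide. It assumes Windows Server 2012 or newer (DnsClient and DnsServer modules), run elevated on a DC that also runs DNS.

```powershell
# Added example (not from the original deck).
# Assumptions: Windows Server 2012+ DnsClient/DnsServer modules, elevated on a DC/DNS server.
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-DcDnsClientList {
    $dcIps = (Get-ADDomainController -Filter *).IPv4Address
    $myIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }) {
        $list     = @($nic.ServerAddresses)
        $peers    = @($list | Where-Object { $_ -ne '127.0.0.1' -and $myIps -notcontains $_ })
        $problems = @()
        # A DC that asks itself first cannot find peers after reboot: slow or failed logon.
        if ($list[0] -eq '127.0.0.1' -or $myIps -contains $list[0]) {
            $problems += 'first entry points at this DC itself'
        }
        if ($list[-1] -ne '127.0.0.1') { $problems += 'last entry should be 127.0.0.1' }
        if ($peers.Count -lt 2)       { $problems += 'fewer than two real (peer DC) DNS servers' }
        foreach ($p in $peers) {
            if ($dcIps -notcontains $p) { $problems += "$p is not a domain controller" }
        }
        [pscustomobject]@{
            Interface = $nic.InterfaceAlias
            Servers   = $list -join ', '
            Result    = if ($problems) { $problems -join '; ' } else { 'OK' }
        }
    }
}

function Set-IcsDnsZoneDefaults {
    # Forest-wide AD-integrated replication, secure-only dynamic updates, no zone transfers,
    # aging on every forward and reverse zone that Windows did not create automatically.
    $zones = Get-DnsServerZone | Where-Object {
        $_.ZoneType -eq 'Primary' -and $_.IsDsIntegrated -and -not $_.IsAutoCreated
    }
    foreach ($z in $zones) {
        Set-DnsServerPrimaryZone -Name $z.ZoneName -ReplicationScope Forest
        Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure -SecureSecondaries NoTransfer
        Set-DnsServerZoneAging   -Name $z.ZoneName -Aging $true
    }
    # Aging only stamps records; scavenging is the server-side sweep that removes stale ones.
    Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7) -ApplyOnAllZones
    # ICS hosts need no Internet resolution: dropping root hints stops DNS noise at the firewall.
    Get-DnsServerRootHint | Remove-DnsServerRootHint -Confirm:$false
    $zones.ZoneName
}

# Usage:
# Test-DcDnsClientList | Format-Table -AutoSize
# Set-IcsDnsZoneDefaults
```

Run the audit on every DC, not just the one being rebuilt; the slide's event was a single host whose list was wrong, and the same mistake is easy to repeat when a NIC is replaced.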

Active Directory Replication
Working Together

Sites and Services (NTDS Replication)

• AD Sites and Services is used to specify the interval, protocol, and links for AD database (which may contain DNS) to replicate between domain controllers.
• If subnets are specified and associated with sites (e.g., an area of the plant), members will prefer DCs in their subnet/site.
• Links are automatically created as full mesh and replicated every 3 hours.

Sites and Services (NTDS Replication)

• Actual Event:
– User accounts created on specific domain controller never work in other areas of the plant.
– Root Cause: NTDS replication links missing.
– Solution: Re-architect links, verify all DCs participate in bi-directional replication.
– Some scenarios require custom NTDS replication architecture.
• In ICS, 15 minute replication interval is fine (default 180).
• repadmin /syncall
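As an added example (not the deck's own code), the two actions this slide calls for: set the 15-minute interval on every site link, and verify that each DC has inbound partners that replicated recently, which is the condition whose absence produced the "accounts only work on one DC" event. It assumes the RSAT ActiveDirectory module, Windows Server 2008 R2 or newer DCs, and domain admin rights; the freshness threshold is a value chosen here.

```powershell
# Added example (not from the original deck).
# Assumptions: RSAT ActiveDirectory module, 2008 R2+ DCs, run as a domain admin.
Import-Module ActiveDirectory

function Set-IcsReplicationInterval {
    param([int]$Minutes = 15)   # deck: 15 minutes is fine in ICS (default 180)
    Get-ADReplicationSiteLink -Filter * | ForEach-Object {
        Set-ADReplicationSiteLink -Identity $_ -ReplicationFrequencyInMinutes $Minutes
        $_.Name
    }
}

function Test-DcReplicationHealth {
    param([int]$MaxAgeMinutes = 60)   # threshold chosen for this example
    $dcs  = Get-ADDomainController -Filter *
    $meta = Get-ADReplicationPartnerMetadata -Target $dcs.HostName -PartnerType Inbound -ErrorAction SilentlyContinue
    foreach ($dc in $dcs) {
        $mine     = @($meta | Where-Object { $_.Server -ieq $dc.HostName })
        $problems = @()
        if ($mine.Count -eq 0) {
            $problems += 'no inbound replication partners (link missing or DC unreachable)'
        }
        foreach ($m in $mine) {
            # Partner is the DN of the partner's NTDS Settings object; the second RDN is the server name.
            $partner = ($m.Partner -split ',')[1] -replace '^CN=', ''
            if ($m.ConsecutiveReplicationFailures -gt 0) {
                $problems += "$partner : $($m.ConsecutiveReplicationFailures) consecutive failures ($($m.LastReplicationResult))"
            } elseif ($m.LastReplicationSuccess -lt (Get-Date).AddMinutes(-$MaxAgeMinutes)) {
                $problems += "$partner : last success $($m.LastReplicationSuccess)"
            }
        }
        [pscustomobject]@{
            DC       = $dc.HostName
            Partners = $mine.Count
            Result   = if ($problems) { $problems -join '; ' } else { 'OK' }
        }
    }
}

# Usage:
# Set-IcsReplicationInterval
# Test-DcReplicationHealth | Format-Table -AutoSize
# Then force a full push as on the slide: repadmin /syncall /AdeP
```

A DC with zero inbound partners is exactly the island the event describes; a DC whose only partners show consecutive failures is on its way to becoming one. Both belong in routine monitoring, not just post-incident checks.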

DC Maintenance

• dcdiag

DC Maintenance

• Actual Event:
– Patches are installed on DC holding FSMO roles, during reboot it suffers critical failure and will not boot.
– If FSMO roles are forcibly seized and transferred to another DC while it is offline, its hostname is now blacklisted. Must force removal of DC role and reinstall OS with new hostname.
– Root Cause: FSMO roles were not transferred before maintenance occurred on DC.
– Solution: Transfer roles before/after using PowerShell:
• Import-Module ActiveDirectory
• Move-ADDirectoryServerOperationMasterRole -Identity "ServerName" -OperationMasterRole 0,1,2,3,4 (0 = PDCEmulator, 1 = RIDMaster, 2 = InfrastructureMaster, 3 = SchemaMaster, 4 = DomainNamingMaster)
• netdom query fsmo

Sources:
- Transfer or Seize FSMO Roles, https://support.microsoft.com/kb/255504/en-us.
- How to remove data in Active Directory after an unsuccessful domain controller demotion, https://support.microsoft.com/kb/216498.
- Why not to reuse server names, http://www.jackcobben.nl/?page_id=403.
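The pre-maintenance routine the slide recommends, as an added example that is not the deck's own code: discover which of the five FSMO roles the DC about to be patched actually holds, transfer only those to a named healthy peer (a graceful move, not a seizure), and verify the result. It assumes the RSAT ActiveDirectory module and Enterprise Admin rights (Schema and Domain Naming are forest-level roles); DC01 and DC02 are placeholder names.

```powershell
# Added example (not from the original deck).
# Assumptions: RSAT ActiveDirectory module, Enterprise Admin rights; DC01/DC02 are placeholders.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-FsmoRolesOffHost {
    param(
        [Parameter(Mandatory)][string]$FromDc,   # DC about to be patched/rebooted
        [Parameter(Mandatory)][string]$ToDc      # healthy peer that stays online
    )
    $holders = Get-FsmoRoleHolders
    # Keys match the cmdlet's role names (the slide's 0..4 are the same roles in this order).
    $roles = @($holders.Keys | Where-Object { $holders[$_] -like "$FromDc*" })
    if ($roles.Count -eq 0) { return @() }
    # No -Force: a graceful transfer needs the source online, which is why it must happen
    # before maintenance. Seizing afterwards is what blacklists the old hostname.
    Move-ADDirectoryServerOperationMasterRole -Identity $ToDc -OperationMasterRole $roles -Confirm:$false
    $after = Get-FsmoRoleHolders
    foreach ($r in $roles) {
        if ($after[$r] -notlike "$ToDc*") { throw "Role $r is still on $($after[$r])" }
    }
    $roles
}

# Usage (placeholder names), then confirm with the slide's command:
# Move-FsmoRolesOffHost -FromDc 'DC01' -ToDc 'DC02'
# netdom query fsmo
```

Keep the returned list; after the patched DC is back and dcdiag is clean, the same function with the names swapped moves the roles home.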

Backup and Restore
Prepared for Failure

Backup and Restore

• DCs are peers that share and continuously replicate the AD database. Constantly changing!
• Disk images (e.g., Acronis, Ghost, Clonedisk) of your DCs should not be used for restoration as it will include stale copy of AD database. Age of backup is key!
• Microsoft only supports Windows Server Backup Full System and 'System State' backups, which contains Active Directory contents.
• Schedule backup from 2+ DCs, store on different server, at least once per day. Also, use ntdsutil for ad-hoc snapshots. Used by Directory Service Repair Mode.
• Microsoft recommends ntdsutil to remove failed DCs, then clean OS install and dcpromo for new ones.

Sources:
- AD Backup and Restore, http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx. System State Recovery of a Domain Controller; Taking Active Directory Snapshots.
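An added example (not the deck's code) for the "age of backup is key" point: it schedules a daily Windows Server Backup system-state job on a DC and then compares the newest backup's age with the forest's tombstone lifetime, because a system-state backup older than that lifetime cannot be restored into the domain. It assumes the Windows Server Backup feature is installed, that E: is a placeholder local backup volume, and that it runs elevated on the DC; the parsing of wbadmin's "Backup time:" line follows the local date format.

```powershell
# Added example (not from the original deck).
# Assumptions: Windows Server Backup installed, E: is a placeholder backup volume, elevated on the DC.
Import-Module ActiveDirectory

function Register-DcSystemStateBackup {
    param([string]$Target = 'E:', [string]$At = '02:00')
    # System state covers NTDS.dit, SYSVOL, the registry and boot files; a disk image does not replace it.
    $action  = New-ScheduledTaskAction -Execute 'wbadmin.exe' -Argument "start systemstatebackup -backupTarget:$Target -quiet"
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    Register-ScheduledTask -TaskName 'DC System State Backup' -Action $action -Trigger $trigger `
        -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force
}

function Get-TombstoneLifetimeDays {
    $cfg = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    $tsl = (Get-ADObject -Identity $cfg -Properties tombstoneLifetime).tombstoneLifetime
    if ($tsl) { [int]$tsl } else { 60 }   # attribute unset = the old 60-day default
}

function Test-DcBackupAge {
    param([string]$Target = 'E:')
    $tsl   = Get-TombstoneLifetimeDays
    # wbadmin lists one "Backup time: <date>" line per stored version.
    $times = wbadmin get versions -backupTarget:$Target 2>&1 |
             Select-String -Pattern 'Backup time:\s*(.+)$' |
             ForEach-Object { [datetime]::Parse($_.Matches[0].Groups[1].Value) }
    $newest = $times | Sort-Object -Descending | Select-Object -First 1
    $age    = if ($newest) { ((Get-Date) - $newest).TotalDays } else { $null }
    [pscustomobject]@{
        NewestBackup          = $newest
        AgeDays               = if ($null -ne $age) { [int]$age } else { $null }
        TombstoneLifetimeDays = $tsl
        Restorable            = ($null -ne $age) -and ($age -lt $tsl)
    }
}

# Usage:
# Register-DcSystemStateBackup
# Test-DcBackupAge
# Ad-hoc snapshot for Directory Service Repair Mode work, as on the slide:
# ntdsutil "activate instance ntds" snapshot create quit quit
```

Copy the WindowsImageBackup folder to a second server as the slide says, and run Test-DcBackupAge from monitoring: an "unrestorable" result days before a failure is far cheaper than discovering it during one.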

Users and Groups
"We use Administrator for everything"

User and Group Guidelines

• Don't use domain or local Administrator account to run any applications!
– Not due to security risk, but to decouple dependency upon it for password changes.
• Rename local Administrator (e.g., LocalAdmin) and rename domain Administrator (e.g., Admini).
• Avoid use of local or domain administrator accounts, rely upon individually assigned user accounts with similar privilege.

User and Group Guidelines

• Create two (2) user accounts per person.
– User-level account (e.g., jdoe) with application privileges. Standard password.
– Admin-level accounts (e.g., admin_jdoe) with administrator privileges. Strong password.
– Logon regularly with user-level account, use admin-level only when needed. Works very well with Windows 2008/Vista/7 UAC.

User and Group Guidelines

• Create 'Service' user accounts for each major application (e.g., historian interfaces, databases, scheduled tasks, OPC services, backup software) so they can be used for running DCOM and Windows Services.
– Examples: dc_backup_task, acronis_backup_service, historian_opc_service
• Running programs and services as Administrator is the single biggest reason why password changes don't happen!
– Changing Administrator password in many environments will require, or result in, process shutdown.
• Application specific service accounts clearly identify their purpose and localizes their impact if/when their passwords are changed.
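Before an Administrator password can be changed safely, every dependency on that account has to be known. The following added example (not from the original deck) inventories the three places the slides mention, Windows services, scheduled tasks and DCOM applications, and flags anything that runs as an account outside an approved service-account naming pattern. It assumes it runs elevated on the host being audited, Windows Server 2012 or newer for Get-ScheduledTask, and that the naming pattern (the slide's *_service and *_task style) is a placeholder convention to adapt.

```powershell
# Added example (not from the original deck).
# Assumptions: elevated on the audited host, Windows Server 2012+; the pattern is a placeholder convention.
$ApprovedRunAsPattern = '^(LocalSystem|SYSTEM|NT AUTHORITY\\.*|NT SERVICE\\.*|.*_(service|task))$'

function Get-RunAsFindings {
    param([string]$Pattern = $ApprovedRunAsPattern)

    # Windows services: StartName is the logon account.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $Pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName } }

    # Scheduled tasks outside Microsoft's own folders, running as a named user.
    $tasks = Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.Principal.UserId -and $_.Principal.UserId -notmatch $Pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'ScheduledTask'; Name = "$($_.TaskPath)$($_.TaskName)"; RunAs = $_.Principal.UserId } }

    # DCOM applications (e.g., OPC servers): AppID keys with an explicit RunAs identity.
    $dcom = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.RunAs -and $p.RunAs -ne 'Interactive User' -and $p.RunAs -notmatch $Pattern) {
                $name = if ($p.'(default)') { $p.'(default)' } else { $_.PSChildName }
                [pscustomobject]@{ Kind = 'DCOM'; Name = $name; RunAs = $p.RunAs }
            }
        }
    @($services) + @($tasks) + @($dcom)
}

function Get-AdministratorDependencyCount {
    # Items bound to an account literally named Administrator (local or domain).
    @(Get-RunAsFindings | Where-Object { $_.RunAs -match '(^|\\)Administrator$' }).Count
}

# Usage:
# Get-RunAsFindings | Sort-Object Kind, Name | Format-Table -AutoSize
# Get-AdministratorDependencyCount   # 0 is the goal before the password is rotated
```

Each finding is a candidate for one of the slide's dedicated service accounts (dc_backup_task, historian_opc_service, and so on); once the count reaches zero, changing the Administrator password no longer carries a process-shutdown risk.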

User and Group Guidelines

• Restricted Resource group: grants a specific access level to a specific device/ system/ application. Defined owner for each.
• Control System: Product Admins; Engineers; Supervisors; Operators
• Domain Members: Domain Administrators; Remote Desktop Users; Domain Users
• Domain Controllers: Enterprise Admins; Administrators; Group Policy Mgrs; Password Update
• Network Infrastructure: Read-Only; Read-Write
• Applications: Administrators; Engineers / Developers; Users

Group Policy
Shouldn't they all be the same?

Group Policy Settings

• Group Policies allow single step roll out of computer settings to select or all domain members.
• GPO settings can be applied to users and computers, commonly based on group membership or organizational unit.
– Windows 2008 Active Directory and Group Policy Preferences allows almost limitless selection criteria. With patches, they are supported by Windows XP+.
• Examples:
– Password policy, security logging policy, disable unnecessary services, disable unnecessary Windows components and features, local group membership, Windows Firewall rules, Start Menu and Desktop appearance, startup scripts, etc.

Sources:
- Group Policy Preferences, Windows 2008, http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx.
- Group Policy Preferences, Windows 2012, http://technet.microsoft.com/en-us/library/dn581922.aspx.
- Group Policy Preferences Patch, for Windows XP, 2003, and Vista: http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx.

Recommended Group Policy Settings

• Minimum password length, complexity, and age
• Enable security auditing (account logon events, account mgmt, logon events, policy change, system events)
• Increase default event log file size.
• Disable LM authentication, potentially NTLM.
• Disable unnecessary services. In ICS, you can disable:
– WinHTTP Auto-Proxy, SSDP Discovery, Smart Card, HomeGroup Listener, HomeGroup Provider
– Security Configuration Wizard (SCW) is excellent at hardening Windows Server 2003 SP1 and newer (e.g., Disables unnecessary services; Windows Firewall rules; prepare Group Policies)
• Disable unnecessary Windows components and features. In ICS, you can disable:
– AutoPlay, Games, Desktop Gadgets, NetMeeting, Outlook Express, HomeGroup, Windows Messenger, Windows Media Player, Windows Media Center
• Uninstall unnecessary software (e.g., Adobe, Java, Office).

Sources:
- Security Configuration Wizard, http://technet.microsoft.com/en-us/library/cc754997.aspx.
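The host-level equivalent of the settings above, as an added example that is not the deck's own code: it reports what would change and applies only with -Apply, so it can be proven on a test machine before the same settings are promoted into a GPO. It assumes an elevated session; the service and optional-feature names are the Windows internal names for the slide's items (HomeGroup, gadgets, games and Media Center exist only on the client editions that shipped them, so missing ones are skipped), and the -Apply switch is this example's own.

```powershell
# Added example (not from the original deck). Assumptions: elevated session; -Apply is added here.
function Invoke-IcsBaselineHardening {
    param([switch]$Apply)
    $changes = New-Object System.Collections.Generic.List[string]

    # 1. Security auditing: the five categories on the slide, success and failure.
    foreach ($cat in 'Account Logon', 'Account Management', 'Logon/Logoff', 'Policy Change', 'System') {
        $changes.Add("auditpol: $cat success+failure")
        if ($Apply) { auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null }
    }

    # 2. Larger event logs so audit records survive until someone reads them (256 MB chosen here).
    foreach ($log in 'Security', 'System', 'Application') {
        $changes.Add("event log $log max size 256 MB")
        if ($Apply) { wevtutil sl $log /ms:268435456 }
    }

    # 3. LM/NTLM: level 5 = send NTLMv2 only, refuse LM and NTLM; NoLMHash stops storing LM hashes.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $changes.Add('LmCompatibilityLevel=5, NoLMHash=1')
    if ($Apply) {
        Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Type DWord -Value 5
        Set-ItemProperty -Path $lsa -Name NoLMHash -Type DWord -Value 1
    }

    # 4. Unnecessary services from the slide, only those present on this host.
    $svcNames = @{ WinHttpAutoProxySvc = 'WinHTTP Auto-Proxy'; SSDPSRV = 'SSDP Discovery'; SCardSvr = 'Smart Card';
                   HomeGroupListener = 'HomeGroup Listener'; HomeGroupProvider = 'HomeGroup Provider' }
    foreach ($svc in Get-Service -Name ([string[]]$svcNames.Keys) -ErrorAction SilentlyContinue) {
        $changes.Add("disable service $($svc.Name) ($($svcNames[$svc.Name]))")
        if ($Apply) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc.Name -StartupType Disabled
        }
    }

    # 5. Unnecessary Windows features (DISM names for Media Player, Media Center, gadgets, games).
    foreach ($feat in 'WindowsMediaPlayer', 'MediaCenter', 'WindowsGadgetPlatform', 'InboxGames') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $feat -ErrorAction SilentlyContinue
        if ($f -and $f.State -eq 'Enabled') {
            $changes.Add("disable feature $feat")
            if ($Apply) { Disable-WindowsOptionalFeature -Online -FeatureName $feat -NoRestart | Out-Null }
        }
    }

    # 6. AutoPlay off for every drive type (0xFF), the policy value Explorer honours.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $changes.Add('NoDriveTypeAutoRun=0xFF')
    if ($Apply) {
        if (-not (Test-Path $explorer)) { New-Item -Path $explorer -Force | Out-Null }
        Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    }
    $changes
}

# Usage: review first, apply second, and only on a test host before it becomes policy.
# Invoke-IcsBaselineHardening
# Invoke-IcsBaselineHardening -Apply
```

Disabling NTLM entirely (the slide's "potentially NTLM") is a separate, riskier step: older OPC and historian components still depend on it, so test level 5 first and watch the Security log for NTLM failures before tightening further.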

Advanced Group Policy Settings

• Modify allow/deny User Rights Assignment for:
– Logon locally (e.g., keyboard console)
– Remote Desktop
– Access Computer via network (e.g., Network Share, DCOM Service)
– Logon As Service
– Logon As Batch (i.e., Scheduled Task)
• Windows Firewall rules. In ICS, you might choose to control which IP address ranges (e.g., Local Subnet) can access:
– Network Discovery, Remote Desktop, File & Print Sharing
– Part of SCW
• AppLocker application execution rules. In ICS, you can use AppLocker as poor man's whitelisting application.
– More on this in later slides…
• Do not perform above on production environment without prior testing!!!

Groups.xml Vulnerability

• If you use Group Policy Preferences to automate resetting of local user passwords – Don't!
• The encryption used in the groups.xml file is weak and disabled in MS14-025.
• Implement via PowerShell script
– See MS14-025

Sources:
- How To Automate Changing The Local Administrator Password, http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx.
- MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege, http://support.microsoft.com/kb/2962486.
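MS14-025 stops new preferences from storing passwords, but it does not remove the ones already sitting in SYSVOL, which every domain member can read. The following added example (not the deck's code) scans the domain's Policies share for the preference files that can carry a cpassword attribute, reports the GPO and account each one belongs to, and decrypts nothing. It assumes the RSAT GroupPolicy and ActiveDirectory modules and read access to SYSVOL.

```powershell
# Added example (not from the original deck).
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules, read access to SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Preference file types that can hold credentials (the set covered by MS14-025).
$GppCredentialFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

function Find-GppStoredPassword {
    param([string]$PoliciesPath = "\\$((Get-ADDomain).DNSRoot)\SYSVOL\$((Get-ADDomain).DNSRoot)\Policies")
    Get-ChildItem -Path $PoliciesPath -Recurse -Include $GppCredentialFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Each hit is one XML element line; capture the attribute without touching its value.
            foreach ($hit in Select-String -Path $file.FullName -Pattern 'cpassword="([^"]*)"') {
                $gpoGuid = [regex]::Match($file.FullName, '\{[0-9A-Fa-f-]{36}\}').Value
                $gpo     = if ($gpoGuid) { Get-GPO -Guid $gpoGuid.Trim('{}') -ErrorAction SilentlyContinue }
                $user    = [regex]::Match($hit.Line, 'userName="([^"]*)"').Groups[1].Value
                [pscustomobject]@{
                    GPO      = if ($gpo) { $gpo.DisplayName } else { $gpoGuid }
                    File     = $file.Name
                    Account  = $user
                    HasValue = -not [string]::IsNullOrEmpty($hit.Matches[0].Groups[1].Value)  # empty = nothing stored
                    Path     = $file.FullName
                }
            }
        }
}

function Get-GppStoredPasswordCount {
    @(Find-GppStoredPassword | Where-Object { $_.HasValue }).Count
}

# Usage:
# Find-GppStoredPassword | Where-Object HasValue | Format-Table GPO, File, Account -AutoSize
# Get-GppStoredPasswordCount   # 0 is the only acceptable result
```

Every entry with HasValue should be removed from the preference item, the affected account's password rotated (the stored value has to be treated as exposed), and the reset re-implemented the way the MS14-025 guidance describes.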

DC Through Firewall
Fitting Just Right

DC Through Firewall

• DCs will often be in different zones and across firewalls. Really they should be in enclaves due to their importance.
• Domain Controller Default Ports: KB179442
– DNS TCP/UDP 53
– NTP TCP/UDP 123
– Kerberos TCP/UDP 88
– RPC TCP 135
– NetBIOS UDP 137-138, TCP 139
– File Sharing TCP 445
– kpasswd TCP/UDP 464
– http-rpc-epmap TCP 594
– Global Catalog TCP 3268
– RPC (Windows 2003/XP and older): TCP 1025-5000
– RPC (Windows 2008/Vista and newer): TCP 49152-65535
– Not Used in Field: UDP 500, TCP 636, TCP 3269, UDP 4500, UDP 5355, TCP 9389 (based on actual results 2008R2 at ICS site)

Sources:
- Service overview and network port requirements for Windows, http://support.microsoft.com/kb/832017.
- How to configure a firewall for domains and trusts, http://support.microsoft.com/kb/179442.

DC Through Firewall

• Registry changes can be applied to change dynamic ports to fixed, or specify smaller range.
• Set NTDS to 32901
• Set NTFRS to 32902
• Set NetLogon to 32903
• Set DFSR to 32904 (if used)
• Set WMI to 32905 (if used)

Sources:
- Restricting Active Directory RPC traffic to a specific port, http://support.microsoft.com/kb/224196.
- How to restrict FRS replication traffic to a specific static port, http://support.microsoft.com/kb/319553.
- Configuring DFSR to a Static Port, http://blogs.technet.com/b/askds/archive/2009/07/16/configuring-dfsr-to-a-static-port-the-rest-of-the-story.aspx.
- Setting Up a Fixed Port for WMI, http://msdn.microsoft.com/en-us/library/bb219447(v=vs.85).aspx.
- IANA ports 32897-33122 Unassigned, http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt.

DC Through Firewall

• KB154596: Configure RPC/DCOM range by Registry or dcomcnfg.exe
– TCP 45000-45999
– 1000 ports is sufficient for most applications.
• Used by all listening RPC services.
• Best effect on Win2003 and earlier OS as it moves away from 1025-5000.

Sources:
- How to configure RPC dynamic port allocation to work with firewalls, http://support.microsoft.com/kb/154596.
- IANA ports, http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt.
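The registry changes from the two slides above (NTDS 32901, NTFRS 32902, NetLogon 32903, RPC/DCOM range 45000-45999), as an added example that is not the deck's own code: a report/apply function that writes the values the referenced KB articles document, and a post-reboot check that the services actually listen where the firewall rules expect them. It assumes an elevated session on the DC; the DFSR and WMI ports are left out because the slide's sources set them with their own tools (dfsrdiag and DCOM configuration) rather than these registry keys, and the -Apply switch is this example's own.

```powershell
# Added example (not from the original deck). Assumptions: elevated on the DC; -Apply is added here.
function Set-DcStaticRpcPorts {
    param([switch]$Apply)
    $settings = @(
        # KB224196 (NTDS, NetLogon) and KB319553 (FRS): one fixed port per service.
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Type = 'DWord'; Value = 32901 }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Type = 'DWord'; Value = 32902 }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Type = 'DWord'; Value = 32903 }
        # KB154596: the dynamic range used by every other RPC/DCOM listener.
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'; Name = 'Ports';                  Type = 'MultiString'; Value = @('45000-45999') }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'; Name = 'PortsInternetAvailable'; Type = 'String';      Value = 'Y' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'; Name = 'UseInternetPorts';       Type = 'String';      Value = 'Y' }
    )
    foreach ($s in $settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $state   = if ("$current" -eq "$($s.Value)") { 'already set' } elseif ($Apply) { 'changed' } else { 'would change' }
        if ($state -eq 'changed') {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Type $s.Type -Value $s.Value
        }
        [pscustomobject]@{ Key = "$($s.Path)\$($s.Name)"; Current = "$current"; Target = "$($s.Value)"; State = $state }
    }
    # Values take effect at the next reboot. Stagger DC reboots, as the DNS slide warns.
}

function Test-DcStaticRpcPorts {
    # After reboot: fixed ports present, dynamic listeners inside 45000-45999, nothing left in 49152+.
    $ports = (Get-NetTCPConnection -State Listen | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' }).LocalPort
    [pscustomobject]@{
        FixedPortsListening = @(32901, 32902, 32903 | Where-Object { $ports -contains $_ })
        DynamicInRange      = @($ports | Where-Object { $_ -ge 45000 -and $_ -le 45999 }).Count
        StillInDefaultRange = @($ports | Where-Object { $_ -ge 49152 } | Sort-Object -Unique)
    }
}

# Usage:
# Set-DcStaticRpcPorts            # review
# Set-DcStaticRpcPorts -Apply     # then reboot this DC, one at a time
# Test-DcStaticRpcPorts
```

StillInDefaultRange is a heuristic: a listener in 49152+ after the reboot is either a service that ignores the RPC range (DFSR and WMI on the slide are the usual ones) or a sign the Rpc\Internet values were not picked up, and either way it is a hole in the firewall rule set that the "After" diagram assumes is closed.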

DC Through Firewall

• Before: RPC Range 49152-65535
• After: Registry Hacks 32901-32905; RPC Range 45000-45999

Fine Grained Password Policies
Something for Everyone

Fine Grained Password Policies

• By default, there is only one domain password policy.
• Starting Windows 2008 domain functional level, different password policies can apply to different AD users.
– Set your Default: 12-char, 60-day expiry, never lockout.
• Defined by Default Domain Policy
– Admin Level: 20-char, 180-day expiry.
• Create and Assign to Group 'Pass 20c 180d NoLock DL Group'
– Service Accts: 32-char, never auto-expire, never lockout.
• Create and Assign to Global Group 'Pass 32c NoExpire NoLock DL Group'
• Implemented manually with ADSIedit in Windows 2008; Wizard-driven in 2012. Rely on SIEM to detect multiple logons.

Sources:
- Fine Grained Password Policies, Windows 2008, http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx.

Fine Grained Password Policies

Parameter | Admin Level Policy | Service Accounts
Common-Name | Passwd-20char-MaxAge180d-NoLockout | Passwd-32char-NoMaxAge-NoLockout
msDS-PasswordSettingsPrecedence (low number is higher precedence) | 8 | 5
msDS-PasswordReversibleEncryptionEnabled | False (both) |
msDS-PasswordHistoryLength | 20 | 32
msDS-PasswordComplexityEnabled | True (both) |
msDS-MinimumPasswordAge | "-864000000000" (9 zeros, 1 day) (both) |
msDS-MaximumPasswordAge | "-155520000000000" (10 zeros, 180 days) | "-9223372036854775808" (never expire)
msDS-LockoutThreshold | 0 (both) |
msDS-LockoutObservationWindow | 0 (both) |
msDS-LockoutDuration | 0 (both) |
msDS-PSOAppliesTo | Windows Account: Pass 20c 180d NoLock DL Group | Windows Account: Pass 32c NoExpire NoLock DL Group

Fine Grained Password Policies

• 'Pass 20c 180d NoLock DL Group' members:
– Administrators, Domain Admins, Backup Operators, Schema Admins, Enterprise Admins, Account Operators, Server Operators,
– DCS Administrators, Network Admins,
– Any other application-specific groups or user accounts with privilege to change the system.
• 'Pass 32c NoExpire NoLock DL Group' members:
– Service Accounts
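The two Password Settings Objects from the table and the group assignments from this slide, created with the ActiveDirectory module instead of ADSIedit, as an added example that is not the deck's own code. The service-account policy's "never expire" is written as the raw msDS-MaximumPasswordAge value the table gives (-9223372036854775808), and a second function shows which PSO actually wins for a given user, since a member of both groups gets the lower precedence number. It assumes the RSAT ActiveDirectory module, a Windows 2008 or higher domain functional level, Domain Admin rights, and that the two groups already exist under the slide's names.

```powershell
# Added example (not from the original deck).
# Assumptions: RSAT ActiveDirectory module, 2008+ domain functional level, the two groups exist.
Import-Module ActiveDirectory

function New-IcsPasswordPolicies {
    $admin = @{
        Name                        = 'Passwd-20char-MaxAge180d-NoLockout'
        Precedence                  = 8
        MinPasswordLength           = 20
        PasswordHistoryCount        = 20
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        MinPasswordAge              = (New-TimeSpan -Days 1)
        MaxPasswordAge              = (New-TimeSpan -Days 180)
        LockoutThreshold            = 0
        LockoutDuration             = [TimeSpan]::Zero
        LockoutObservationWindow    = [TimeSpan]::Zero
    }
    $svc = $admin.Clone()
    $svc.Name = 'Passwd-32char-NoMaxAge-NoLockout'
    $svc.Precedence = 5                      # lower number = higher precedence
    $svc.MinPasswordLength = 32
    $svc.PasswordHistoryCount = 32
    $svc.Remove('MaxPasswordAge')            # "never expire" is written as the raw attribute below

    foreach ($p in $admin, $svc) {
        if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
            New-ADFineGrainedPasswordPolicy @p
        }
    }
    # Table value for never expire: msDS-MaximumPasswordAge = -9223372036854775808 (Int64.MinValue).
    $svcPso = Get-ADFineGrainedPasswordPolicy -Identity $svc.Name
    Set-ADObject -Identity $svcPso.DistinguishedName -Replace @{ 'msDS-MaximumPasswordAge' = [Int64]::MinValue }

    Add-ADFineGrainedPasswordPolicySubject -Identity $admin.Name -Subjects 'Pass 20c 180d NoLock DL Group'
    Add-ADFineGrainedPasswordPolicySubject -Identity $svc.Name   -Subjects 'Pass 32c NoExpire NoLock DL Group'
    Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
}

function Get-EffectivePasswordPolicy {
    # Resultant PSO for one account; $null means the Default Domain Policy applies.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso.Name } else { 'Default Domain Policy' }
}

# Usage:
# New-IcsPasswordPolicies
# Get-EffectivePasswordPolicy -SamAccountName 'admin_jdoe'        # expected: Passwd-20char-MaxAge180d-NoLockout
# Get-EffectivePasswordPolicy -SamAccountName 'historian_opc_service'
```

Check the resultant policy for a few accounts after every group change: an admin account that also lands in the service-account group silently inherits the never-expire policy because precedence 5 beats 8, which is the kind of drift the slide's "rely on SIEM" remark is about.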

AppLocker
Use What You've Got

AppLocker

• Poor man's application white listing to ensure only specified executables, scripts, and installers run.
• It's free – but:
– No "learning mode" or management tools.
– Weaker protections than commercial white listing solutions (e.g., injection, overflows)
• Use-cases: Windows 7 Ent, 2008 R2, and higher
– Application inventory, unwanted software, standardization, change control, etc.
– DMZ Hosts, Engineering Stations, Operator Stations

Sources:
- AppLocker Step-by-Step Guide, http://technet.microsoft.com/en-us/library/dd723686(v=ws.10).aspx.

AppLocker Base Policy

• Create group policy, link it to specific OU where the test Computer will be located.
• Computer Policy > Windows > Security > Application Control Policies:
– Executable Rules:
• Allow BUILTIN\Administrators All Files
• Allow Everyone All files in the Windows folder
– Requires testing per-site to determine what executables are used commonly.
– Windows Installer Rules:
• Allow BUILTIN\Administrators All Windows Installer files
– Script Rules:
• Allow BUILTIN\Administrators All Scripts
• Application Identity service Startup Mode: Auto
• Group Policy loopback processing mode: Replace

AppLocker Per-App Policy

1) Identify the application you want to run (e.g., Remote Desktop Connection)
2) Create Global Group (e.g., RDP Client Run) and add users.
3) Create GPO (e.g., RDP Client Run GPO), link to same OU as base AppLocker policy.
4) Modify GPO with Executable Rule allowing global group to access specified executables (e.g., mstsc.exe).
a. Some applications may require multiple executables to function (will be confirmed during testing).
5) Logon as Test User > Execute > Check Logs > Tune GPO.
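The base policy and the per-app procedure from the last two slides, as one added example that is not the deck's own code: the base policy XML (Administrators everything, Everyone the Windows folder, Administrators all installers and scripts) starts in AuditOnly mode so the per-site testing the slide calls for happens before anything is blocked; the per-app function builds publisher and hash rules for a group from the executable's own signature; a third function imports a policy into a GPO and sets loopback Replace; and a test step checks a user against the result before logon testing. It assumes the RSAT AppLocker, GroupPolicy and ActiveDirectory modules, Domain Admin rights, and that the OU, group and GPO names are placeholders matching the slide's examples.

```powershell
# Added example (not from the original deck).
# Assumptions: RSAT AppLocker/GroupPolicy/ActiveDirectory modules; names are placeholders from the slides.
Import-Module AppLocker
Import-Module GroupPolicy
Import-Module ActiveDirectory

function New-AppLockerBasePolicyXml {
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')
    # S-1-5-32-544 = BUILTIN\Administrators, S-1-1-0 = Everyone. Audit first, enforce after testing.
    $adminsAll = { param($type, $name)
        "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$name`" Description=`"`" UserOrGroupSid=`"S-1-5-32-544`" Action=`"Allow`"><Conditions><FilePathCondition Path=`"*`" /></Conditions></FilePathRule>"
    }
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    $(& $adminsAll 'Exe' 'Administrators: all files')
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions></FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="$Mode">
    $(& $adminsAll 'Msi' 'Administrators: all Windows Installer files')
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="$Mode">
    $(& $adminsAll 'Script' 'Administrators: all scripts')
  </RuleCollection>
</AppLockerPolicy>
"@
}

function New-AppLockerPerAppPolicyXml {
    # Step 4: executable rule(s) for one global group; publisher rules survive patching, hash is the fallback.
    param([Parameter(Mandatory)][string]$GroupName, [Parameter(Mandatory)][string[]]$ExePath)
    $sid  = (Get-ADGroup -Identity $GroupName).SID.Value
    $info = Get-AppLockerFileInformation -Path $ExePath
    New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User $sid -RuleNamePrefix $GroupName -Xml
}

function Publish-AppLockerPolicyToGpo {
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$PolicyXml, [string]$TargetOu)
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    if ($TargetOu) { New-GPLink -Name $GpoName -Target $TargetOu -ErrorAction SilentlyContinue | Out-Null }
    # Loopback processing mode Replace (UserPolicyMode 2): user rules apply only on computers in the OU.
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
    $file = Join-Path $env:TEMP "$GpoName.applocker.xml"
    Set-Content -Path $file -Value $PolicyXml -Encoding UTF8
    $ldap = "LDAP://$((Get-ADDomain).PDCEmulator)/$($gpo.Path)"
    Set-AppLockerPolicy -XmlPolicy $file -Ldap $ldap
    $file
}

function Test-AppLockerDecision {
    # Step 5 before logging on as the test user: what would this policy decide for this user and file?
    param([Parameter(Mandatory)][string]$PolicyFile, [Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$User)
    (Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Path -User $User).PolicyDecision
}

# Usage (placeholders; the Application Identity service must be Automatic on the target hosts:
# Set-Service -Name AppIDSvc -StartupType Automatic on a test machine, or via the GPO's System Services):
# $ou   = 'OU=Operator Stations,DC=plant,DC=example'
# $base = Publish-AppLockerPolicyToGpo -GpoName 'AppLocker Base' -PolicyXml (New-AppLockerBasePolicyXml) -TargetOu $ou
# $rdp  = Publish-AppLockerPolicyToGpo -GpoName 'RDP Client Run GPO' -TargetOu $ou `
#           -PolicyXml (New-AppLockerPerAppPolicyXml -GroupName 'RDP Client Run' -ExePath 'C:\Windows\System32\mstsc.exe')
# Test-AppLockerDecision -PolicyFile $rdp -Path 'C:\Windows\System32\mstsc.exe' -User 'PLANT\jdoe'
```

Leave the base policy in AuditOnly until the AppLocker event log (Applications and Services Logs > Microsoft > Windows > AppLocker) on the test station has been quiet through a full shift change and a backup cycle; the slide's "will need AppLocker GPOs for antivirus, backup tools, etc." is discovered exactly there, as 8003 audit events, and each one becomes another per-app GPO and group. Switching EnforcementMode to Enabled is then a one-word change.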

AppLocker

• With Loopback processing, only affects specified computers in the OU, and only users when they logon to that computer.
• One GPO and group per application. Once setup, just add users to the AD group as well as link GPO to OUs.
– Will need AppLocker GPOs for antivirus, backup tools, etc.
• Ensures change control procedures are followed!
• When implemented by qualified personnel with testing discipline will increase system performance, reliability, and security posture.

Questions

• Time Synchronization
• DNS
• AD Replication
• DC Maintenance
• Backup and Restore
• User and Group Guidelines
• ICS Group Policy
• Groups.xml Vulnerability
• DC Through Firewall
• Fine Grained Password Policies
• AppLocker

The views and opinions expressed here are my own and don't necessarily represent the views or opinions of Honeywell.

Thank You
• Donovan Tindill, Senior Security Consultant
• Email: http://tinyurl.com/DonovanAtHon; Please connect on LinkedIn and mention this conference.
• Credits: Connor, Liam, Roger J.