Barry Hudson Desktop Systems Team Lead SRNS Aiken, SC 29808 barry.hudson@srs.gov 803/725-8463
Abstract
SRS has approximately 10,000 PCs, the majority of which are centrally managed. The major project for 2008 was to secure these desktops by removing routine use of Administrator accounts. This was completed in parallel with a project to employ all applicable FDCC Group Policies. In less than 8 months, all managed desktops were converted to the Secure Desktop model. Over 9000 XP systems were converted to NTFS, administrator privileges were removed, and software called BeyondTrust Privilege Manager was used to elevate privileges when needed for routine operation and software updates. This presentation will outline the challenges and solutions used to make the transition to Secure Desktop without making it Desktop Lockdown. It was achieved ahead of schedule, with existing staffing levels, and with fewer than 100 visits to the desktops.
Vulnerability scanning process (flow diagram)
Manual internal Netstat (Network Statistics tool), supplemented with selective external NMAP (Network Mapper, open source network security audit tool, including identifying services offered) scans on a weekly basis
Nikto / web application scans to capture vulnerabilities on a monthly basis (Nikto is an open source web server scanner performing multiple checks)
V&PM / IVIS (Nessus-based engine) data
Alter routine scans to incorporate port info found in IVIS VPM reports and the IVIS Low Hanging Fruit / Easily Exploitable Vulnerabilities report
VPMT weekly meeting to review, status and track high-risk vulnerabilities to closure within 45 days or exile from network
Daily review by VPM rep and remedy of LHF within 24 hours or exile from network
Nessus scans (data / no data decision): quarterly scan results, routine scans, follow-up scans, ad hoc scans
Scan lists are created from the ARP table such that the entire site is covered within 1 week
Every hour, devices on the network are checked for a record of a scan in the last 7 days; if none, a full scan commences
Cisco Ops Ware / NAS policy compliance check run by Networks and reported monthly
Networks covered: SRSNet and the secondary networks (stand-alone)
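The hourly coverage check described above (scan any device with no scan record in the last 7 days), as an added PowerShell example; it is not from the presentation or from the site's scanning tools. The device list and the last-scan records are constructed stand-ins for the ARP table and the scanner database, and the function name Get-HostsDueForScan and its -MaxPerRun cap are assumptions.

```powershell
# Added example (not from the presentation): the hourly "scan if no record in the
# last 7 days" check, with constructed data standing in for the ARP-derived device
# list and the scanner's results database. Assumed names: Get-HostsDueForScan,
# $ScanWindowDays, -MaxPerRun.

$ScanWindowDays = 7

# Constructed: devices seen in the ARP tables this hour.
$ArpHosts = @('10.0.1.10', '10.0.1.11', '10.0.1.12', '10.0.1.13')

# Constructed: last completed full scan per host (the scanner's own records).
$LastScan = @{
    '10.0.1.10' = (Get-Date).AddDays(-2)                # fresh
    '10.0.1.11' = (Get-Date).AddDays(-9)                # stale
    '10.0.1.12' = (Get-Date).AddDays(-7).AddHours(-1)   # just outside the window
    # '10.0.1.13' has never been scanned
}

function Get-HostsDueForScan {
    param(
        [Parameter(Mandatory)][string[]]$Hosts,
        [Parameter(Mandatory)][hashtable]$LastScanByHost,
        [int]$WindowDays = $ScanWindowDays,
        [int]$MaxPerRun = 0,            # 0 = no cap on scans queued per hour
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$WindowDays)
    $due = foreach ($h in $Hosts) {
        $last = $LastScanByHost[$h]     # $null when the host has no record at all
        if ($null -eq $last) {
            [pscustomobject]@{ Host = $h; LastScan = $null; AgeDays = [int]::MaxValue; Reason = 'never scanned' }
        } elseif ($last -lt $cutoff) {
            $age = [math]::Floor(($Now - $last).TotalDays)
            [pscustomobject]@{ Host = $h; LastScan = $last; AgeDays = $age; Reason = "stale ($age days)" }
        }
    }
    # Oldest first, so limited scanner capacity goes to the hosts that have waited longest.
    $due = @($due | Sort-Object -Property AgeDays -Descending)
    if ($MaxPerRun -gt 0 -and $due.Count -gt $MaxPerRun) { $due = $due[0..($MaxPerRun - 1)] }
    return $due
}

# The hourly job: queue a full scan for every device outside the window.
foreach ($d in (Get-HostsDueForScan -Hosts $ArpHosts -LastScanByHost $LastScan)) {
    # Replace Write-Host with the call that launches the scanner job; this example only reports.
    Write-Host ("queue full scan: {0} ({1})" -f $d.Host, $d.Reason)
}
```

Sorting by age and capping the hourly batch is what keeps the one-week site-wide promise honest: a host that was never scanned or that fell out of the window first is queued before a host that only just expired, and a burst of new ARP entries cannot starve the older ones.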
Project Scope
Remove routine use of users with Administrator privileges
  Limits malware propagation
  Users would be limited to installing approved, standard applications (i.e. WinInstall applications)
  Restricts implementation of local peripherals
Implement FDCC policies
Work in parallel with other scanning, patching, and security initiatives
Finish quickly, in time for the Going 4 Green audit
Activities requiring administrative privileges must be performed by IT support personnel or special accounts for the users
Existing supported applications will be assessed and modified to install and run in this environment
User-supplied applications will be accommodated or converted to managed applications
SRS Secure Desktop Project Running Without Administrator Privileges
Planning Assumptions
"Barry, you're no longer in the customer service business, you are in the security business"
Things will break
Processes will fail, but not always immediately
We will learn as we go
Some systems will be easier to migrate than others
Focus on Managed Desktops first (8500) - XP only
  Review of WinInstall applications
  Review of local applications
  Pick the least likely to fail systems first
  Pilot migration of some tough systems
Then tackle controllers and shared systems (1000)
And finally specialty systems (500)
And hope everything runs at FY year-end closure
Design Assumptions
The site needs to do business in the manner they are accustomed to
Proactive planning will establish a working footprint but will likely anticipate only <80% of the issues
Costs: Software, Staffing, Lost Productivity
  $500,000 + 10 FTE + TBD > $1.5 million
  Increased support staff, apps review, new processes
Not enough time to test that all standard apps will load and run
Things will break, Processes will fail, We will learn as we go
  40,000 apps that we have no idea how to test
We will allow deferrals (the thorn in my side)
Doing FDCC and Secure Desktop at the same time
  Makes it hard to determine what broke it
Staffing requirements
What we asked for:
  Desktop Team: 2 people full-time for 1 year
  Field Support: 2 visits per year x 1 hour x 10,000 systems = 20,000 hours = 10 FTEs
What we got:
  2 Help Desk Agents
  Desktop Team delayed priorities for 6 months
  An accelerated schedule (get the pain over quicker)
Selling It
Tell them why, when, and how
Pick a non-threatening name: Secure Desktop vs. Desktop Lockdown
Publicity campaign, sitewide emails, roadshows to customers
Involve customers, Computer Security, IT, and management
  Weekly meetings of 20+ stakeholders
  100+ issues and concerns
IT and DOE Security go first (walk the talk)
Provide a safety valve (add the user back as Administrator)
Things will break, Processes will fail, We will learn as we go
I made a promise:
"If you can't still do your job with Secure Desktop, that means I have not done my job right."
Publicity Campaign
Early Discoveries
Life as Non-Admin (life changes)
  Restricts access to registry, printer installs, software installs
  Can't set up scheduled tasks
Some apps might need to be modified or sections of the PC opened up for them to run
Examples of Rules
Rules can permit or elevate based on:
1. GUID or URL-specific ActiveX controls
2. Residence in a particular folder
3. Hash of the file
4. MSI that is being installed
5. Specific path of the file
6. Other attributes
Recommendations:
1. Use a hash when possible; multiple versions (e.g. Flash4 and Flash5) are allowed
2. Avoid Path and Folder rules if you do not control the fileshare; don't open a path or share where anyone can drop an installer or EXE
3. Look for inadvertent inheritance to downward processes; an elevated DOS box can be a big hole
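The hash and folder recommendations above, as an added PowerShell example. This is not code from the presentation and not BeyondTrust Privilege Manager's own tooling; the product's rule format is not shown on this page, so the rule object layout, the function names New-HashRule and Test-FolderRuleSafe, and the sample paths are assumptions. The first function computes the SHA-256 a hash rule would key on (one entry per approved version); the second audits a proposed folder rule by checking whether broad groups can create files or sub-folders there, which is exactly the "anyone can drop an EXE" condition the slide warns about.

```powershell
# Added example (not from the presentation; not BeyondTrust's rule format).
# Assumed names: New-HashRule, Test-FolderRuleSafe, the rule object layout.
# Needs PowerShell 4.0+ for Get-FileHash.

function New-HashRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Description
    )
    # SHA-256 of the exact binary. A patched build needs a new entry, which is the
    # point: the rule follows the file content, not wherever the file happens to sit.
    # Never hash-approve a shell (cmd.exe, powershell.exe): every child process would
    # inherit the elevation (recommendation 3 on the slide).
    $hash = Get-FileHash -Path $Path -Algorithm SHA256
    [pscustomobject]@{
        Type        = 'Hash'
        Algorithm   = 'SHA256'
        Hash        = $hash.Hash
        FileName    = Split-Path -Leaf $Path
        Description = $Description
        Created     = Get-Date
    }
}

# Principals that should never be able to drop files into an elevation folder.
$BroadPrincipals = @(
    'BUILTIN\Users', 'Everyone',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a principal create a new file or sub-folder in the folder.
$DropRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

function Test-FolderRuleSafe {
    param([Parameter(Mandatory)][string]$Folder)
    $acl = Get-Acl -Path $Folder
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic-rights ACEs (negative values) compare cleanly.
        if (([int]$ace.FileSystemRights -band [int]$DropRights) -ne 0) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    [pscustomobject]@{
        Folder   = $Folder
        Safe     = (@($findings).Count -eq 0)   # $true only when no broad group can drop files
        Findings = @($findings)
    }
}

# Usage (hypothetical paths):
# New-HashRule -Path 'C:\Installers\flash10.msi' -Description 'Flash 10 installer'
# Test-FolderRuleSafe -Folder 'C:\Program Files\VendorApp'
# Test-FolderRuleSafe -Folder '\\fileserver\public\tools'   # expect Safe = $false on an open share
```

The audit only looks at the folder's own ACL; a folder rule that covers sub-folders should be checked on each sub-folder too, because an inherited deny on the parent does not stop a writable sub-folder created by someone else.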
RunAs and Remote Administration
Non-secured machines that are offline are identified and secured within 2 days of connection
Daily inventory to check settings, TRAP abuse, lost sheep returning
Ask for volunteers (motivate them with "get better help before the storm")
Verify laptop, VPN, and off-line operations
Email campaign with a magic button to migrate now
  Sent to users with no known extra applications ("Dear User:")
Allow deferrals only for good reason (preferably classes of systems, e.g. Doc Mgt, Maintenance, Controllers)
Publicize your success, acknowledge your weaknesses
The Schedule
The Planned Schedule
  10-12/07 proof of concept
  1/08-3/08 100 user pilot
  30 days to regroup
  4/08-5/08 1000 easy systems
  6/08-12/08 6000 total migrated
The Forced Schedule
  10-12/07 proof of concept
  1/08-2/20/08 50 user pilot
  2/25/08 500 users added
  2/26-3/5/08 1500 easy systems
  3/08-5/08 6000 total migrated
  6/08-12/08 deferrals
  1/09-2/09 who is hiding?
Migration Rate
[Chart: Secure Desktop Rate. 10,134 Desktops Secured in 2008. Left axis: Total Number Secured (0 to 10,000); right axis: Number Secured Per Day (0 to 500); x-axis: Month, in two-week steps from 2/11/2008 to 12/29/2008.]
The 2000 jump-start provides confidence. Sure, they are still running, but what about at the end of the month?
Repair
Elevate the program (hash vs. path)
Liberalize rights on sub-folders or files (CACLS)
Change program configuration (set INI file or prefs files to write elsewhere)
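The second and third repair options above, as an added PowerShell example that is not from the presentation. It uses icacls (the successor of the CACLS tool the slide names) to open only an application's data sub-folder to users, and rewrites an INI key so the program writes elsewhere. The function names Grant-UsersModifyOnSubfolder and Set-IniValue, the VendorApp folder, the app.ini file and the DataDir key are hypothetical.

```powershell
# Added example (not from the presentation): the two repair options that avoid
# elevating the program at all. Run once, as an administrator, by IT support;
# afterwards the program works for a non-admin user.
# Assumed names: Grant-UsersModifyOnSubfolder, Set-IniValue, and the hypothetical
# VendorApp folder, app.ini file and DataDir key in the usage lines.

# Rights that let a principal create a new file or sub-folder.
$DropRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

function Grant-UsersModifyOnSubfolder {
    param(
        [Parameter(Mandatory)][string]$Subfolder,      # e.g. C:\Program Files\VendorApp\Data
        [string]$Principal = 'BUILTIN\Users'
    )
    # Modify (M) on this folder only, inherited by files (OI) and sub-folders (CI).
    # The application root is deliberately left alone: users may write their data
    # but must not be able to replace the EXE sitting next to it.
    & icacls.exe $Subfolder /grant "${Principal}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Subfolder (exit $LASTEXITCODE)" }

    # Sanity check: the parent (where the binaries live) must not let users drop files.
    $appRoot = Split-Path -Parent $Subfolder
    $leaky = (Get-Acl -Path $appRoot).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        (([int]$_.FileSystemRights -band [int]$DropRights) -ne 0)
    }
    if ($leaky) { Write-Warning "$appRoot lets $Principal create files; the program folder itself is writable" }
}

function Set-IniValue {
    param(
        [Parameter(Mandatory)][string]$IniFile,   # e.g. C:\Program Files\VendorApp\app.ini
        [Parameter(Mandatory)][string]$Key,       # e.g. DataDir (hypothetical key)
        [Parameter(Mandatory)][string]$Value
    )
    # Rewrite "Key=..." in place, or append it; every other line is left untouched.
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $found = $false
    $out = @(foreach ($line in (Get-Content -Path $IniFile)) {
        if ($line -match $pattern) { $found = $true; "$Key=$Value" } else { $line }
    })
    if (-not $found) { $out += "$Key=$Value" }
    Set-Content -Path $IniFile -Value $out
}

# Usage (hypothetical application):
# 1. Let users write the app's data folder, not its program folder.
# Grant-UsersModifyOnSubfolder -Subfolder 'C:\Program Files\VendorApp\Data'
# 2. Or point the app's writable files at the user's profile instead. This assumes the
#    application expands environment variables in its INI values; if it does not, set a
#    per-user literal path at logon instead.
# Set-IniValue -IniFile 'C:\Program Files\VendorApp\app.ini' -Key 'DataDir' -Value '%LOCALAPPDATA%\VendorApp'
```

Both repairs are preferable to an elevation rule because the user's process never gains administrator rights: the first widens only one folder, and the warning fires if the program folder itself turns out to be writable, which would turn the "data" fix into a place where anyone can drop an executable.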
All Windows 2000 systems were re-built on-site as Secured
Deliver as-Secure at the end of the project
Local Admin used only to add to domain, then remove all Admins
Unexpected Issues
Chicken and egg situations
  Have to be an Admin to become secured, but our goal is to eliminate Admin users
  How to pre-build a secured machine
Dealing with the absence of a universal Administrator account
  There is no local administrator to break in with
  90-day loss of trust issues
  Cached login with last good user
Ongoing Maintenance
Daily un-TRAP of Admin restores
  Look for abuse
Propagate PA and PC-SPPT-xx accounts
Verify new installs are secured
All scanning and remediation activities must be Secure-Desktop aware
Add rules as issues arise (about 4 per month)
  New products
  Stuff breaks
  Updates to existing rules
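The daily check for Admin restores above (and the "daily inventory ... TRAP abuse" item on the RunAs slide), as an added PowerShell example that is not from the presentation. It compares the local Administrators group against an allow-list of the support accounts the deck names (PA and PC-SPPT-xx), reports anything else, and removes it only when run with -Enforce. It assumes PowerShell 5.1+ with the LocalAccounts module (Get-LocalGroupMember, Remove-LocalGroupMember); the CONTOSO domain, the allow-list and the constructed membership in the usage line are placeholders.

```powershell
# Added example (not from the presentation): daily inventory of the local
# Administrators group. Assumes the LocalAccounts module (Windows 10 / Server 2016+).
# CONTOSO, the allow-list and the sample membership are constructed placeholders;
# the PA and PC-SPPT-xx names follow the presentation.

# Members that are supposed to be there: the domain admins and the site's
# support accounts. The built-in local Administrator is handled separately.
$AllowedExact   = @('CONTOSO\Domain Admins', 'CONTOSO\PA')
$AllowedPattern = '^CONTOSO\\PC-SPPT-\d{2}$'

function Get-AdminGroupDrift {
    param(
        # Defaults to the live group; pass a list to test the logic offline.
        [string[]]$Members = (Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    )
    foreach ($m in $Members) {
        if ($m -eq "$env:COMPUTERNAME\Administrator") { continue }   # built-in local account
        if ($AllowedExact -contains $m) { continue }
        if ($m -match $AllowedPattern) { continue }
        $m   # anything else is an Admin restore to investigate
    }
}

function Remove-AdminGroupDrift {
    param(
        [Parameter(Mandatory)][string[]]$Drift,
        [switch]$Enforce
    )
    foreach ($m in $Drift) {
        if ($Enforce) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
            "removed $m"
        } else {
            "would remove $m (re-run with -Enforce)"
        }
    }
}

# Offline check of the logic with a constructed membership list:
$sample = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins', 'CONTOSO\PC-SPPT-07', 'CONTOSO\jsmith')
$drift  = @(Get-AdminGroupDrift -Members $sample)      # -> CONTOSO\jsmith
Remove-AdminGroupDrift -Drift $drift                    # report only

# Daily run on the live group (report first; add -Enforce once the allow-list has settled):
# $drift = @(Get-AdminGroupDrift)
# if ($drift.Count -gt 0) { Remove-AdminGroupDrift -Drift $drift }
```

Keeping the report and the removal as separate steps matches the deck's safety valve: a user who was deliberately added back as Administrator shows up in the daily report and can be moved to a deferral list rather than silently removed, while accounts nobody can explain are the abuse the slide is looking for.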
Summary
Project success despite objections from users and reluctance of IT staff
Early 500/day was a crazy idea but provided valuable insight and confidence
Almost finished before we had planned to get started
Questions
Barry Hudson
Desktop Systems Team Lead SRNS Bldg 773-51A Aiken, SC 29808 barry.hudson@srs.gov 803/725-8463