Windows Service Hardening
Windows Service Hardening Applied to Securing PI Interfaces
S4x15 OT Day
Bryan S Owen PE
Service Hardening is a Defensive Practice
• Part of ‘Assume Breach’ mindset
• Strive to limit damage potential
Reality: Services are Attractive Targets
• Readily discoverable
• Open network ports
• No user interaction
• Elevated privileges
Countermeasures
Whitelisting approach for:
1. Specific Privileges
2. Allowed Communication
Service Hardening
(Diagram: ACLs applied to the file system, the registry and the network)
Windows Service Hardening
Kernel changes in Windows 6.0 (Vista/2008 and later)
• Reduce size of high risk layers
• Segment the services
• Increase number of layers
(Diagram: kernel drivers, user-mode drivers, and Service 1, 2, 3, …, A, B as separately segmented layers)
Built-in Users/Groups (ordered from most privilege to least privilege)
• System
• Administrators
• Network Service
• Users, Local Service
• Virtual Service Account (NT Service\ServiceName)
Opportunities
• Network access restrictions
• Service isolation
• File system and registry permissions
• Specify required privileges
• Service accounts
(Diagram: each item marked "Harden")
PI SNMP Interface Data flow
(Diagram: SNMP capable ICS device --SNMP protocol--> PI SNMP Interface Node (collect and buffer services) --PINET protocol--> PI Server; every component and every link is marked "Harden")
Service Hardening Scope
1. Service Recovery Policy
2. Reduce Privilege
3. Protect File System
4. Firewall Service Rules
Service Process Privileges (default token per account vs. minimum required)
System: SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeCreateSymbolicLinkPrivilege, SeDebugPrivilege, SeImpersonatePrivilege, SeIncreaseWorkingSetPrivilege, SeLockMemoryPrivilege, SeProfileSingleProcessPrivilege, SeSystemProfilePrivilege, SeTcbPrivilege, SeTimeZonePrivilege
Network Service: SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege
Minimum Required: SeChangeNotifyPrivilege
Quiz
By default, is “Network Service” allowed to write then execute from disk?
Hint:
• “ICACLS %SystemRoot%\system32”
• “ICACLS %SystemDrive%”
Service ‘Hopping’ with Built-In Accounts
• Shared Logon: Network Service
(Diagram: one ACL entry for Network Service is shared by Service1 and Service2)
Virtual Service Account
• Creates a security identifier based on service name
• Alternative to sharing built in service accounts
• NT Service\service name
  • Local account
  • Windows networking identity
    • Domain: machine name$
    • Workgroup: anonymous
• Passwords
  • Automatically generated, non-expiring, cannot be locked-out
  • 240 bytes, cryptographically random.
Enable Virtual Service Account (example)
  C:\>sc qsidtype pisnmp1
  [SC] QueryServiceConfig2 SUCCESS
  SERVICE_NAME: pisnmp1
  SERVICE_SID_TYPE: NONE
  C:\>sc sidtype pisnmp1 unrestricted
  [SC] ChangeServiceConfig2 SUCCESS
SID Types
• None: No virtual service account SID available.
• Unrestricted: Access token “NT SERVICE\ServiceName”
• Restricted: Access token with RESTRICTED, MANDATORY flags:
  • NT SERVICE\ServiceName
  • NT AUTHORITY\WRITE RESTRICTED
  • Everyone
  • NT AUTHORITY\S-1-5-5-0-… (Logon SID; a unique SID is created for each logon session)
Service Isolation: Grant permission to Virtual Service Account
(Diagram, default: PISNMP1 logs on as Local System; ACL grants Full Access, so the service can reach any file)
(Diagram, more secure: PISNMP1 logs on as NT Service\PISNMP1; ACL grants NT Service\pisnmp1 r/w on Program Files\PIPC\Interfaces\SNMP only)
Specify Required Privileges
  C:\>sc sidtype pisnmp1 unrestricted
  [SC] ChangeServiceConfig2 SUCCESS
  C:\>sc privs pisnmp1 seChangeNotifyPrivilege
  [SC] ChangeServiceConfig2 SUCCESS
  C:\>sc qprivs pisnmp1
  [SC] QueryServiceConfig2 SUCCESS
  SERVICE_NAME: pisnmp1
  PRIVILEGES : seChangeNotifyPrivilege
  ** Restart the service **
Quiz
• Find a Windows service that has an ‘unrestricted’ SID with minimal privileges.
Hint:
• use “sc query | findstr SERVICE_NAME”
• Then “sc qsidtype servicename”
• And “sc qprivs servicename” (scheduler, spooler, etc…)
Network Service Restrictions
Define Required Communication Endpoints and Ports for each Windows Service
(Diagram: PI SNMP Interface, port * -> PI Server, port 5450 (PI Network Manager, proxy for PIBufSS service))
(Diagram: PI SNMP Interface, port * -> DNS Server, port 53)
(Diagram: PI SNMP Interface, port * -> SNMP ICS Device, port 161)
Quiz
• Why did the PISNMP service need a separate firewall rule for DNS?
Hint:
• Browse firewall rules for "Core Networking - DNS (UDP-Out)"
• (Alt) redirect output to file and search file: “netsh advfirewall firewall show rule name = all verbose”
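The four scope items and the SID audit from the quiz, pulled together as an added PowerShell example (not code from the deck or from OSIsoft). The service name pisnmp1 and the Program Files\PIPC\Interfaces\SNMP directory come from the slides; the PI Server, device and DNS addresses are constructed placeholders.

```powershell
# Added example, not code from the deck or from OSIsoft: audit for the quiz,
# then apply the four scope items to one interface service. Call sc.exe by
# full name because 'sc' inside PowerShell is an alias of Set-Content.
# Run from an elevated prompt. Addresses below are constructed placeholders.

function Get-UnrestrictedServiceSid {
    # Services whose SID type is UNRESTRICTED, with the privileges each keeps
    # (what 'sc qsidtype' and 'sc qprivs' show for every installed service).
    foreach ($svc in Get-Service) {
        $sid = sc.exe qsidtype $svc.Name | Select-String 'SERVICE_SID_TYPE:\s*(\w+)'
        if (-not $sid -or $sid.Matches[0].Groups[1].Value -ne 'UNRESTRICTED') { continue }
        $privs = sc.exe qprivs $svc.Name | Select-String 'Se\w+Privilege' -AllMatches |
                 ForEach-Object { $_.Matches.Value }
        [pscustomobject]@{ Service = $svc.Name; Privileges = ($privs -join ', ') }
    }
}

function Invoke-PIInterfaceHardening {
    param(
        [string]$Name     = 'pisnmp1',                                # service from the deck
        [string]$Path     = 'C:\Program Files\PIPC\Interfaces\SNMP',  # directory from the deck
        [string]$PIServer = '192.0.2.10',   # assumed PI Server address
        [string]$Device   = '192.0.2.20',   # assumed SNMP ICS device
        [string]$Dns      = '192.0.2.53'    # assumed DNS server
    )
    # 1. Service recovery policy: two restarts a minute apart, counter resets daily.
    sc.exe failure $Name reset= 86400 actions= restart/60000/restart/60000
    # 2. Reduce privilege: per-service SID, log on as that virtual account, and
    #    keep only SeChangeNotifyPrivilege (the deck's minimum required).
    sc.exe sidtype $Name unrestricted
    sc.exe config $Name obj= "NT SERVICE\$Name"
    sc.exe privs $Name SeChangeNotifyPrivilege
    # 3. Protect file system: modify rights for the virtual account on its own
    #    tree only, instead of Local System's full access to any file.
    icacls $Path /grant "NT SERVICE\${Name}:(OI)(CI)M"
    # 4. Firewall service rules: one outbound rule per required endpoint and port,
    #    each bound to this service so no other process inherits the allowance.
    $common = @{ Direction = 'Outbound'; Service = $Name; Action = 'Allow' }
    New-NetFirewallRule @common -DisplayName "$Name to PI Server" -Protocol TCP -RemotePort 5450 -RemoteAddress $PIServer | Out-Null
    New-NetFirewallRule @common -DisplayName "$Name to SNMP device" -Protocol UDP -RemotePort 161 -RemoteAddress $Device | Out-Null
    New-NetFirewallRule @common -DisplayName "$Name to DNS" -Protocol UDP -RemotePort 53 -RemoteAddress $Dns | Out-Null
    Restart-Service -Name $Name   # SID type and privilege changes apply at next start
}
```

The per-service outbound rules only constrain the interface once the firewall profile's default outbound action is Block; under the default Allow they document the required endpoints but block nothing.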