How to frustrate hackers by addressing the elephant in the room

Track: Technical
Technical level
Time: 14:20
Amazon
As a security industry, we have known for years that configuring the host-based firewall correctly greatly reduces the attack surface. Still, configuring the host-based firewall on an enterprise scale is hard, prone to errors and downtime, and full of uncertainty: is a specific service used within the network, does a share need to be accessed from multiple hosts within the network, or should only a specific group of users be allowed access while all others are restricted? By enumerating services, connections, shares and lots of other information, it is possible to answer questions such as "Is it a workstation or a server?" or "Is the server really a file server, or is the file server role just installed by default?". This data-driven approach also gives the opportunity to make decisions, such as:

- Do not allow access on port 445 between workstations
- Do not allow access on port 445 for servers that do not have the file server role installed
- Do not allow access on port 445 for servers that do not have additional shares exposed, even though the file server role is installed

Group policies can be created programmatically, and this is an ideal situation where these decisions can be used to transform all the data we enumerated, apply some logic, generate the GPOs that configure the correct firewall settings, and apply them to AD groups that are populated with all the relevant assets. To allow inbound connections from bastion hosts and/or sysadmin users and block all others, it is possible to only allow connections from specific users and/or hosts by forcing the user and computer account to authenticate first. This results in a solution that is flexible and queryable:

- Do you want to restrict WMI for every server, unless the server has SCCM installed? Query away.
- Do you want to restrict access to the WMI and SQL ports on a SQL server, unless users are DBAs or users that need to execute queries on the SQL server? Query away and add them as an exclusion.

This functionality is part of the Windows host-based firewall and needs no additional tooling. To enumerate data, query the database and generate the group policies, additional tooling will be made open source. That way, the fiery elephant in the room gets addressed and we can all make the lives of hackers a little bit more frustrating.
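A worked illustration of the decision-to-GPO step for port 445, added here as an example and not the speaker's tooling or the open-source tool the talk announces. It assumes a domain corp.example, the GPO names FW-SMB-Block and FW-SMB-AllowAuthenticated, the groups CORP\Server-Admins and CORP\Bastion-Hosts, and a constructed inventory standing in for the enumerated data:

```powershell
# Added example: apply the three port-445 decisions to enumerated host data and
# write the resulting rules into GPOs. Domain, GPO and group names are assumptions.
$Domain     = 'corp.example'          # assumed AD domain
$AdminGroup = 'CORP\Server-Admins'    # assumed group of sysadmin users allowed to reach 445
$BastionGrp = 'CORP\Bastion-Hosts'    # assumed group of bastion computer accounts

# Constructed stand-in for the enumeration step: role, file server role, non-default shares.
$Inventory = @(
    [pscustomobject]@{ Host='WS01';  IsServer=$false; FileServerRole=$false; ExtraShares=@() }
    [pscustomobject]@{ Host='APP01'; IsServer=$true;  FileServerRole=$true;  ExtraShares=@() }
    [pscustomobject]@{ Host='FS01';  IsServer=$true;  FileServerRole=$true;  ExtraShares=@('Finance$','HR') }
)

# The three decisions from the abstract, evaluated per host.
function Get-Smb445Policy {
    param([pscustomobject]$Entry)
    if (-not $Entry.IsServer)           { return 'Block' }  # workstation: no SMB between workstations
    if (-not $Entry.FileServerRole)     { return 'Block' }  # server without the file server role
    if ($Entry.ExtraShares.Count -eq 0) { return 'Block' }  # role installed by default, nothing shared
    return 'AllowAuthenticated'                             # a real file server
}

# Convert an account name into the SDDL form that -RemoteUser / -RemoteMachine expect.
function ConvertTo-AllowSddl {
    param([string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    return "O:LSD:(A;;CC;;;$sid)"
}

# Decision table: this is what feeds the AD group membership per GPO.
$Policy = $Inventory | ForEach-Object {
    [pscustomobject]@{ Host = $_.Host; Smb445 = (Get-Smb445Policy $_) }
}
$Policy | Format-Table -AutoSize

# One GPO per decision; each GPO is assumed to exist and to be security-filtered
# to the AD group holding the hosts that received that decision.
foreach ($Decision in 'Block', 'AllowAuthenticated') {
    $Gpo = Open-NetGPO -PolicyStore "$Domain\FW-SMB-$Decision"
    if ($Decision -eq 'Block') {
        New-NetFirewallRule -GPOSession $Gpo -DisplayName 'Block inbound SMB' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
    } else {
        # Only authenticated sysadmin users coming from bastion hosts may connect.
        New-NetFirewallRule -GPOSession $Gpo -DisplayName 'Allow SMB from admins via bastion' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
            -Authentication Required `
            -RemoteUser (ConvertTo-AllowSddl $AdminGroup) `
            -RemoteMachine (ConvertTo-AllowSddl $BastionGrp)
    }
    Save-NetGPO -GPOSession $Gpo
}
```

The Allow rule with -Authentication Required only takes effect alongside an IPsec connection security rule (New-NetIPsecRule) that authenticates the computer and user, and the predefined "File and Printer Sharing (SMB-In)" allow rule must not also be in effect on those hosts.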
Speakers in this session
Senior Security Expert, Hunt & Hackett