Securing the Desktop

Transcript

1. SECURING THE DESKTOP Guy Leech (@guyrleech) Citrix Technology Advocate (CTA)

   Citrix User Group Community, June 2019

2. WHY PROTECT THE DESKTOP & FROM WHOM? • Data loss

   • Sensitive documents, code, etc. stolen for sale, competitors, bribery, etc. • Encrypting ransomware • Malware • Destruction • Denial of Service • Reputation • Credential stealing • Productivity • Time is money • Who • Disgruntled/bribed/threatened employee(s) • External hacker/criminal

3. IS AV & PERIMETER FILTERING ALONE ENOUGH? • NO! •

   Not everything bad is classified as a virus/malware • NO! • Can you really block all file sharing sites? (anyone use Office 365?) • Whitelisting web sites – that’s a fun full time job! • NO! • I’ll show you things you may not have seen before which can be immune

4. HOPEFULLY YOU’VE DONE THE BASICS • Disable SMB 1.0 •

   Deprecated Cipher Suites • Patching • Upgrading • Security Baselines • National Cyber Security Centre (NCSC) guidance (part of GCHQ) • Microsoft Security Compliance Toolkit • Firewall at machine level • Education

5. DEMONSTRATION NOTES • Standard User • Standard privileges • Standard

   file system & other permissions • Windows Defender enabled • But sethc/utilman hijack via IFEO allowed (not all AV covers this attack vector) • GPO/registry set to disallow cmd & regedit • Only freely available free tools used • No exploit code/details released into the wild by me • All kept encrypted • Think “curiosity, naivety, boredom, targeted attack, etc” not “clever user” • Not trying to show PowerShell is a hacking tool, could be done in VBA • Nothing up my sleeves

6. THREAT EXAMPLES #1 • Renamed Executables • Trick users into

   revealing data • Introduce difficult to detect tools, games, etc. • Timestamps easily changed (PowerShell 1 liner) • Microsoft Office Macros • Can run any VBS script including calling Windows APIs & displaying Windows Forms • Policy proof tools • Edit binaries with freely available GUI tools • Rename policy registry keys if have admin/system access • Base64 encoding (MIME) • Steal via plain text including binary files • Paste into documents/emails • One line of PowerShell to encode (& decode isn’t much more)

7. THREAT EXAMPLES #2 • CreateProcess API treats executable as PE

   binary • Copy .exe to any innocuous file type and run • Explorer, thankfully, uses ShellExecute which uses FTAs based on extension • Sethc/utilman hijacking • System account access on lock screen/console or can disable security software • Via boot media (nothing fancy, even installation media) or hard drive caddy • File replacement or IFEO registry keys • Can be used for good – password resets, debugging a single user OS • NTFS/ReFS Alternate Data Streams • Hide data in files/folders • Embed executables • Kind of like steganography but NTFS only • File concatenation/stuffing

8. THREAT EXAMPLES #3 • ? • ? • ? •

   …

9. WHAT ELSE SHOULD BE USED? • Non-admin users! • LUA

   • Group Policy • Restrict what can be seen/accessed/run • Auditing/recording • Assume that it will happen but who has time to routinely review? • Drive Encryption • AppLocker/WDAC • MFA • BIOS passwords & TPM • Don’t allow non-hard drive booting • Privileged account password solutions (e.g. LAPS)/changing (but not std users) • Third party security products

10. FOOD FOR THOUGHT • Don’t think “my users aren’t that

    clever/stupid” • Risk assess, prioritise & protect • To thwart the hacker/thief you have to become the thief/hacker • Citrix/RDS for highly sensitive apps data (but secure that too) • Don’t neglect physical security/access • Educate • Not all threats are high tech – shoulder surfing, social engineering, cameras, etc. • Printouts • Have Emergency Response Teams & Procedures in place

11. GUY LEECH • Independent consultant, developer, trainer, adviser, troubleshooter, comedian

    • @guyrleech • [email protected] • guyrleech.wordpress.com • linkedin.com/in/guyrleech/ • github.com/guyrleech • Available for hire