
Securing the Desktop

Think your desktop is secure because you've got some Anti-Virus, group policies and network filtering at your perimeter? Think again!

This is the deck I've used at a number of events combined with demonstrations to show some less common attack vectors with a view to making people re-evaluate their security approaches and risk assessments.

Guy Leech

June 06, 2019

Transcript

  1. WHY PROTECT THE DESKTOP & FROM WHOM?
    • Data loss
      • Sensitive documents, code, etc. stolen for sale, competitors, bribery, etc.
      • Encrypting ransomware
    • Malware
    • Destruction
    • Denial of Service
    • Reputation
    • Credential stealing
    • Productivity
      • Time is money
    • Who
      • Disgruntled/bribed/threatened employee(s)
      • External hacker/criminal
  2. IS AV & PERIMETER FILTERING ALONE ENOUGH?
    • NO!
      • Not everything bad is classified as a virus/malware
    • NO!
      • Can you really block all file sharing sites? (anyone use Office 365?)
      • Whitelisting web sites – that’s a fun full-time job!
    • NO!
      • I’ll show you things you may not have seen before which can be immune to both
  3. HOPEFULLY YOU’VE DONE THE BASICS
    • Disable SMB 1.0
    • Deprecated cipher suites
    • Patching
    • Upgrading
    • Security baselines
      • National Cyber Security Centre (NCSC) guidance (part of GCHQ)
      • Microsoft Security Compliance Toolkit
    • Firewall at machine level
    • Education
  4. DEMONSTRATION NOTES
    • Standard user
      • Standard privileges
      • Standard file system & other permissions
    • Windows Defender enabled
      • But sethc/utilman hijack via IFEO allowed (not all AV covers this attack vector)
    • GPO/registry set to disallow cmd & regedit
    • Only freely available tools used
    • No exploit code/details released into the wild by me
      • All kept encrypted
    • Think “curiosity, naivety, boredom, targeted attack, etc.” not “clever user”
    • Not trying to show PowerShell is a hacking tool, could be done in VBA
    • Nothing up my sleeves
  5. THREAT EXAMPLES #1
    • Renamed executables
      • Trick users into revealing data
      • Introduce difficult-to-detect tools, games, etc.
      • Timestamps easily changed (PowerShell one-liner)
    • Microsoft Office macros
      • Can run any VBS script, including calling Windows APIs & displaying Windows Forms
    • Policy-proof tools
      • Edit binaries with freely available GUI tools
      • Rename policy registry keys if you have admin/system access
    • Base64 encoding (MIME)
      • Steal via plain text, including binary files
      • Paste into documents/emails
      • One line of PowerShell to encode (& decode isn’t much more)
  6. THREAT EXAMPLES #2
    • CreateProcess API treats the executable as a PE binary regardless of extension
      • Copy .exe to any innocuous file type and run
      • Explorer, thankfully, uses ShellExecute, which uses FTAs (file type associations) based on extension
    • Sethc/utilman hijacking
      • System account access on lock screen/console, or can disable security software
      • Via boot media (nothing fancy, even installation media) or hard drive caddy
      • File replacement or IFEO registry keys
      • Can be used for good – password resets, debugging a single-user OS
    • NTFS/ReFS Alternate Data Streams
      • Hide data in files/folders
      • Embed executables
      • Kind of like steganography, but NTFS only
    • File concatenation/stuffing
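A defender-side audit for the vectors in slides 5 and 6 (sethc/utilman hijack via IFEO or file replacement, renamed executables, Alternate Data Streams), added here as an example and not taken from the deck. It assumes Windows PowerShell 5.1 (for `Get-Content -Encoding Byte`), read access to HKLM, and uses the user's Downloads folder as an example scan location.

```powershell
# Added audit script, not part of Guy Leech's deck. Assumes Windows PowerShell 5.1
# and read access to HKLM; $scanRoot is an example location, adjust to taste.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$accessibility = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe'

# 1. IFEO hijack: a Debugger value under IFEO for an accessibility binary means
#    something else is launched in its place when it is invoked from the lock screen.
foreach ($exe in $accessibility) {
    $key = "$ifeo\$exe"
    if (Test-Path -Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Write-Warning "IFEO Debugger set for ${exe}: $dbg" }
    }
}

# 2. File replacement: the genuine binaries in System32 are Microsoft-signed
#    (via catalog), so an invalid or non-Microsoft signature is suspicious.
foreach ($exe in $accessibility) {
    $path = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $exe
    if (Test-Path -Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            Write-Warning "$path signature status: $($sig.Status)"
        }
    }
}

# 3. Renamed executables: content starts with the 'MZ' PE magic, but the extension
#    is not an executable type (CreateProcess ignores the extension, Explorer does not).
$scanRoot = Join-Path -Path $env:USERPROFILE -ChildPath 'Downloads'   # example location
$exeExtensions = '.exe','.dll','.scr','.sys','.com','.ocx','.cpl','.efi','.drv','.mui'
Get-ChildItem -Path $scanRoot -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Length -ge 2 -and $_.Extension.ToLower() -notin $exeExtensions) {
        $magic = Get-Content -Path $_.FullName -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
        if ($magic.Count -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A) {
            Write-Warning "PE header inside non-executable file: $($_.FullName)"
        }
    }
}

# 4. Alternate Data Streams: anything beyond the default :$DATA stream, ignoring the
#    Zone.Identifier (mark-of-the-web) stream that browsers legitimately add.
Get-ChildItem -Path $scanRoot -Recurse -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -notin ':$DATA','Zone.Identifier' } |
    ForEach-Object { Write-Warning "ADS '$($_.Stream)' ($($_.Length) bytes) on $($_.FileName)" }
```

Findings go to the warning stream so the script can be scheduled and its output collected centrally; a clean machine produces no warnings.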
  7. WHAT ELSE SHOULD BE USED?
    • Non-admin users!
      • LUA
    • Group Policy
      • Restrict what can be seen/accessed/run
    • Auditing/recording
      • Assume that it will happen, but who has time to routinely review?
    • Drive encryption
    • AppLocker/WDAC
    • MFA
    • BIOS passwords & TPM
      • Don’t allow non-hard drive booting
    • Privileged account password solutions (e.g. LAPS)/changing (but not standard users)
    • Third-party security products
  8. FOOD FOR THOUGHT
    • Don’t think “my users aren’t that clever/stupid”
    • Risk assess, prioritise & protect
    • To thwart the hacker/thief you have to become the thief/hacker
    • Citrix/RDS for highly sensitive apps/data (but secure that too)
    • Don’t neglect physical security/access
    • Educate
    • Not all threats are high tech – shoulder surfing, social engineering, cameras, etc.
      • Printouts
    • Have Emergency Response Teams & Procedures in place
  9. GUY LEECH
    • Independent consultant, developer, trainer, adviser, troubleshooter, comedian
    • @guyrleech
    • [email protected]
    • guyrleech.wordpress.com
    • linkedin.com/in/guyrleech/
    • github.com/guyrleech
    • Available for hire