Securing the Desktop

Think your desktop is secure because you've got some Anti-Virus, group policies and network filtering at your perimeter? Think again!

This is the deck I've used at a number of events combined with demonstrations to show some less common attack vectors with a view to making people re-evaluate their security approaches and risk assessments.

Guy Leech

June 06, 2019
Transcript

  1. WHY PROTECT THE DESKTOP & FROM WHOM?
     • Data loss
       • Sensitive documents, code, etc. stolen for sale, competitors, bribery, etc.
     • Encrypting ransomware
     • Malware
     • Destruction
     • Denial of Service
     • Reputation
     • Credential stealing
     • Productivity
       • Time is money
     • Who
       • Disgruntled/bribed/threatened employee(s)
       • External hacker/criminal
  2. IS AV & PERIMETER FILTERING ALONE ENOUGH?
     • NO!
       • Not everything bad is classified as a virus/malware
     • NO!
       • Can you really block all file sharing sites? (anyone use Office 365?)
       • Whitelisting web sites – that’s a fun full time job!
     • NO!
       • I’ll show you things you may not have seen before which can be immune
  3. HOPEFULLY YOU’VE DONE THE BASICS
     • Disable SMB 1.0
     • Deprecated Cipher Suites
     • Patching
     • Upgrading
     • Security Baselines
       • National Cyber Security Centre (NCSC) guidance (part of GCHQ)
       • Microsoft Security Compliance Toolkit
     • Firewall at machine level
     • Education
  4. DEMONSTRATION NOTES
     • Standard User
       • Standard privileges
       • Standard file system & other permissions
     • Windows Defender enabled
       • But sethc/utilman hijack via IFEO allowed (not all AV covers this attack vector)
     • GPO/registry set to disallow cmd & regedit
     • Only freely available free tools used
     • No exploit code/details released into the wild by me
       • All kept encrypted
     • Think “curiosity, naivety, boredom, targeted attack, etc” not “clever user”
     • Not trying to show PowerShell is a hacking tool, could be done in VBA
     • Nothing up my sleeves
  5. THREAT EXAMPLES #1
     • Renamed Executables
       • Trick users into revealing data
       • Introduce difficult to detect tools, games, etc.
       • Timestamps easily changed (PowerShell 1 liner)
     • Microsoft Office Macros
       • Can run any VBS script including calling Windows APIs & displaying Windows Forms
     • Policy proof tools
       • Edit binaries with freely available GUI tools
       • Rename policy registry keys if have admin/system access
     • Base64 encoding (MIME)
       • Steal via plain text including binary files
       • Paste into documents/emails
       • One line of PowerShell to encode (& decode isn’t much more)
  6. THREAT EXAMPLES #2
     • CreateProcess API treats executable as PE binary
       • Copy .exe to any innocuous file type and run
       • Explorer, thankfully, uses ShellExecute which uses FTAs based on extension
     • Sethc/utilman hijacking
       • System account access on lock screen/console or can disable security software
       • Via boot media (nothing fancy, even installation media) or hard drive caddy
       • File replacement or IFEO registry keys
       • Can be used for good – password resets, debugging a single user OS
     • NTFS/ReFS Alternate Data Streams
       • Hide data in files/folders
       • Embed executables
       • Kind of like steganography but NTFS only
     • File concatenation/stuffing
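A defender-side audit for the sethc/utilman vectors and Alternate Data Streams this slide lists. It is an added example, not code from the deck or its author; it assumes Windows with PowerShell 5.1 or later, administrator rights, and a folder to scan for ADS passed via the hypothetical `-Path` parameter.

```powershell
# Added example (not from the deck): audit a machine for the IFEO debugger
# hijack, replacement of the accessibility binaries, and non-default NTFS
# Alternate Data Streams. Assumes Windows, PowerShell 5.1+, run as admin.
function Find-DesktopHijackIndicators {
    param([string]$Path = $env:USERPROFILE)   # hypothetical parameter: folder scanned for ADS

    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    # Accessibility binaries reachable from the lock screen; extend the list as required.
    $accessibility = @('sethc.exe', 'utilman.exe')

    foreach ($exe in $accessibility) {
        # 1. IFEO hijack: a Debugger value under the binary's IFEO key makes Windows
        #    run that "debugger" in its place, so report any key that carries one.
        $key = Join-Path $ifeo $exe
        if (Test-Path -Path $key) {
            $debugger = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
            if ($debugger) {
                [pscustomobject]@{ Check = 'IFEO Debugger'; Item = $exe; Detail = $debugger }
            }
        }
        # 2. File replacement: the genuine binary carries a valid Microsoft (catalog)
        #    signature, so anything else warrants a closer look.
        $file = Join-Path $env:SystemRoot "System32\$exe"
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Check = 'Signature'; Item = $file; Detail = $sig.Status }
        }
    }

    # 3. Alternate Data Streams: report every stream other than the default :$DATA
    #    stream. Zone.Identifier (mark-of-the-web) is expected noise and is skipped;
    #    anything else may be hidden data or an embedded executable.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{ Check = 'ADS'; Item = $_.FileName; Detail = "$($_.Stream) ($($_.Length) bytes)" }
                }
        }
}

# Usage: run the audit and show anything found as a table.
$findings = Find-DesktopHijackIndicators
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No IFEO debugger entries, unsigned accessibility binaries or non-default ADS found.' }
```

Scheduling this as a periodic check (or feeding its output to a SIEM) addresses the "who has time to routinely review?" point on the next slide.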
  7. WHAT ELSE SHOULD BE USED?
     • Non-admin users!
       • LUA
     • Group Policy
       • Restrict what can be seen/accessed/run
     • Auditing/recording
       • Assume that it will happen but who has time to routinely review?
     • Drive Encryption
     • AppLocker/WDAC
     • MFA
     • BIOS passwords & TPM
       • Don’t allow non-hard drive booting
     • Privileged account password solutions (e.g. LAPS)/changing (but not std users)
     • Third party security products
  8. FOOD FOR THOUGHT
     • Don’t think “my users aren’t that clever/stupid”
     • Risk assess, prioritise & protect
     • To thwart the hacker/thief you have to become the thief/hacker
     • Citrix/RDS for highly sensitive apps data (but secure that too)
     • Don’t neglect physical security/access
     • Educate
     • Not all threats are high tech – shoulder surfing, social engineering, cameras, etc.
       • Printouts
     • Have Emergency Response Teams & Procedures in place
  9. GUY LEECH
     • Independent consultant, developer, trainer, adviser, troubleshooter, comedian
     • @guyrleech
     • [email protected]
     • guyrleech.wordpress.com
     • linkedin.com/in/guyrleech/
     • github.com/guyrleech
     • Available for hire