Category: Security Hardening

Posted on

SMB Signing : Windows Client Server Hardening Part 2

Server Message Block SMB Signing is a security mechanism used in windows for digitally signing data at the packet level. Digitally signing the traffic enables the client and server to verify the origination and authenticity of the data received.

SMB signing can either be set through Group Policy Objects (GPO) or in the registry. Whilst this does increase security for clients and servers it does have a performance hit requiring extra computational power to deal with the hashing involved. This should be taken into consideration when looking into enabling this option, further more this should be tested out thoroughly before changing in a production environment. Domain Controllers (DC) digital sign there communications by default, this is set in the ‘Domain Controllers’ GPO however member servers and clients do not have this set (other than communication to the DC).

This Post will go through the different options to enable SMB signing for both Windows server and workstation.

SMB Signing through the Registry

To enable this in the registry we need to create the following client registry key and amend the value data to 1 (ie to switch on):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters\RequireSecuritySignature

SMB Signing
SMB Signing

Server registry key is:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature

SMB Signing
SMB Signing

SMB Signing through Group Policy

In order to set via a group policy object you will need to create a new policy and change the below settings for the client:

SMB Signing GPO Setting
SMB Signing GPO Setting

And for the server:

SMB Signing GPO Setting
SMB Signing GPO Setting

It clearly goes without saying you should first test these methods for yourself in a safe test environment first before diving into your main production domain environment.

Posted on

Windows Client/Server Hardening Part 1: Remote Desktop

We can harden the Windows Client/Server Remote Desktop Protocol (RDP) in several ways using either local settings or preferable through Group Policy. As a minimum we should harden RDP in the following ways:

  • Using Network Level Authentication (NLA).
  • Setting Terminal Services Encryption Level to High.
  • Force the use of TLS 1.0 protocol as a transport layer for the service.
  • Setting the local security policy of the either the server or client to use only FIPS-140 compliant cryptography.

This post will we go through how we can accomplish these tasks.

Network Level Authentication (NLA)

Network level authentication allows the client to authenticate earlier in the remote connection process rather than the normal process.  This option is most commonly seen in the Remote Desktop settings in the system properties as below:

RDP - NLA
Remote Desktop Settings – Network Level Authentication

However it is far easier to set this via Group Policy and distribute to all your Servers as below:

RDP- NLA GPO
Remote Desktop Services – Network Level Authentication GPO

This can be applied to both Servers and workstations from Windows Vista and above.

Setting Terminal Services Encryption Level to High

Setting the Encryption level to High encrypts data sent from client to server and server to clients using 128 bit encryption. Like with the above example we can set the Terminal Services Encryption level to High either locally on the server or via Group Policy. In a domain environment the GPO is the way to go. With windows server 2008 this could be set locally through the GUI by navigating from the start menu–>Administrative Tools–>Remote Desktop Services–>Remote Desktop Session Host Configuration, then double clicking on the ‘RDP-TCP’ connection in the middle of the screen. The Encryption level can be found on the General tab as below:

Remote Desktop Services - Encryption Level 'High'
Remote Desktop Services – Encryption Level ‘High’

Unfortunately Microsoft removed the  ‘RD Session Host Configuration’ options as standard with Server 2012 R2. Rather than adding in the whole RDS role to apply this option in the GUI you can apply it via GPO which will in turn apply to both 2008 and 2012 as below:

RDP - Encryption Level High GPO
Remote Desktop Services – Encryption Level High GPO

Force the use of TLS 1.0 protocol as a transport layer for the service

Forcing the use of TLS 1.0 mitigates the risks associated with SSL 3.0 protocol. Like with the previous option this can only be set in the GUI locally on Windows Server 2008. With this being said, and from a management perspective GPO is our preferred option, in order to apply this setting to both Windows Server 2008 and 2012.

This option is set in Windows Server 2008 locally by navigating from the start menu–>Administrative Tools–>Remote Desktop Services–>Remote Desktop Session Host Configuration, then double clicking on the ‘RDP-TCP’ connection in the middle of the screen as below:

RDP - TLS 1.0
Remote Desktop Services – Security Layer TLS 1.0

The GPO is located here:

RDP - TLS 1.0 GPO
Remote Desktop Services – Security Layer TLS 1.0 GPO

Setting the local security policy of the either the server or client to use only FIPS-140 compliant cryptography

This hardening technique can be accomplished by enabling the ‘System Cryptography’ through the Local computer policy editor or through GPO via the domain. It will force the use of FIPS-140 compliant cryptography for either the client or server across the system. This is windows system setting rather than an RDP setting, however by setting this you will be forcing the use of FIPS-140 compliant cryptography for Remote Desktop settings. If this setting is enabled only the FIPS-140 approved cryptographic algorithms are used: 3DES and AES for encryption, RSA or ECC public key for TLS key exchange and SHA256, SHA284 and SHA512 for TLS hashing. In the case of Remote Desktop it will only use 3DES.

Adding through the local computer policy can be achieved by opening a Microsoft Managment Console (MMC) adding a snap in; Group Policy Object Editor. As below:

RDP - FIPS-140
Remote Desktop Services – FIPS-140 ‘Enabled’

Setting via GPO can be achieved as below:

RDP - FIPS-140 GPO
Remote Desktop Services – FIPS-140 GPO

Hardening RDP – GPO Settings

Putting all these settings together in one GPO would look something like this:

Hardening RDP - GPO settings
Hardening RDP – GPO settings

It clearly goes without saying you should first test these methods out for yourself in a safe test environment first before diving into your main production domain or web servers. Adding higher grade encryption to your communications across the domain may have extra computation costs in terms of performance on your network.

Posted on

Patch Management

Having good Patch managment is essential, and being able to keep on top of your microsoft patching is paramount to good security. It is all too easy to get caught behind in keeping systems upto date, since almost all software needs patching these days. Clawing your way back from out of date patches on servers can be a nightmare however automating patch managment if setup correctly with correctly configured maintenance windows makes life easier. Using products like WSUS, or better still SCCM 2012 R2 and having well built resiliant system architecture, can remove the pain from this task. Having a robust patching policy, and management buy in from the business is also essential. This enables the IT team to bring servers down at an appropriate time for that inevitable reboot is just  as important and can make the process run far more effectively. Does this bring into question whether this is an IT issue, a resourcing issue or a business strategy issue? Getting down time approval from a section of the business can be tricky without managment buy in, however, not letting the IT team take down that all important business critical system for patching is in itself a risk. A risk assement needs to be carried out by the business as to whether they delay remediating that zero day vulnerabilty vs letting the IT team patch the server and losing potential revenue whilst the server is down vs patching the system which subsequntly causes a system failure. All businesses should be asking themselves ‘what are my vulnerabilities?’. Subsequently what is the impact vs likelihood of this resulting in my overall risk? Of course this will be a case by case decision, with multiple factors, ie what is the patch fixing, the system archetecture etc. This needs to be weighed up against the consenquenses of not applying a patch ie can you afford to be hacked…

What are your thoughts?

Posted on

SSL/TLS cipher suite selection and breakdown.

How do I know which cipher suites to select for my web server?

This is a common issue, sysadmins have their web servers up or vpn servers configured. However they are often using older SSL protocols and older cipher suites that are now vulnerable to attack in certain scenarios. We need to understand what a cipher suite is actually doing in order to select the correct ones.

For SSL/TLS connections a cipher suite is selected based on a number of tasks that it has to perform, the client uses a preferred cipher suite list and the server will normally honor this unless it also has a preferred list, set by the sysadmin.

Initial Key Exchange, the Asymmetric Encryption: This will most commonly be RSA, however the following are options; RSA ( Ron Rivest, Adi Shamir, and Leonard Adleman), DH (Diffie-Hellman) or  ECDH (Elliptic Curve Diffie-Hellman).
RSA key length should be 2048 bit minimum. ECDH and others should be an equal strength, note the ECDH key length will be significantly lower due to the way the algorithm works! The Asymmetric Encryption is only being used in the initial key exchange and for the session symmetric encryption key. The Asymmetric encryption method could be used for the data transfer however the computational power needed is far higher than the symmetric Encryption due to the key size.

Session data, the Symmetric Encryption: The most commonly used three ciphers we see in use being RC4, 3DES and AES, careful selection of ciphers is required here:

  • RC4 (Rivest Cipher 4) although used almost everywhere is now considered weak, and being phased out by Microsoft. This should be avoided.
  • 3Des (Triple Data Encryption Standard) uses DES and encrypts three times hence the ‘triple’. The original DES uses a weak key length and is considered weak.
  • AES (Advanced Encryption Standard) 128 bit block size using 128, 192 and 256 bit keys to encrypt data, is all good.

Many other options are available that are not so common include Blowfish, Twofish, Serpent etc. I won’t be going into the different ciphers here or the difference between Block (3DES+ AES) and Stream (RC4) on this page, I’ll save this for another blog.

Digital Signature – The digital signature is used to verify the server.

Integrity check – Here SHA-2 or SHA 256 (Secure Hash Algorithm) should be used. MD5 and SHA1 are being phased out due to weaknesses. SHA1 will still be seen on certificates however Google Chrome will now show a warning for this since October 2014. Microsoft has a deprecation policy indicating SHA1 issued certificates should not be used after 1/1/2017.

With all that being said, lets look at a typical cipher suite. Below is what you might commonly see in the likes of Firefox if you click on the padlock in the address bar and then click on more information.

Cipher suite in use in Firefox
Cipher suite in use in Firefox

Lets look at the cipher suite below for an example. We’ll break down the individual blocks to see what it actually all means.

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS – The protocol in use
ECDHE – Elliptic Curve Diffie-Hellman key-exchange using ephemeral keys. More on ephemeral keys later, however this is what is going to give you that all important ‘Perfect Forward Secrecy’. Marked with the E at the front or behind for Ephemeral.
ECDSA – Elliptic Curve Digital Signature Algorithm, used to create the digital signature for authentication.
AES_128 – Advanced Encryption Standard 128 bit key size, used for the session encryption method for data.
GCM – Galois/Counter Mode an operation for block ciphers designed to provide both data authenticity (integrity) and confidentiality. GCMAC – provides authentication only.
SHA256 – Secure hashing Algorithm 256bit used for message integrity.

With the above knowledge and knowing the current vulnerabilities in SSL and TLS we can now make an informed decision and build the cipher suites we would like to use in Windows and Linux.

Posted on

Changing SSL TLS Cipher Suites in Windows and Linux

Changing SSL TLS cipher suites on Windows Server 2012 R2I have added a basic guide for changing SSL TLS cipher suites that Windows Server IIS and Linux Ubuntu Apache2 use. Allowing only secure ciphers to be negotiated between your web server and client is essential. This guide will go through how to change and select the different ciphers for both Windows server 2012 R2 and Ubuntu 14.04 in order to help mitigate some of the vulnerabilities in the SSL/TLS protocols.

Read further on the Resource page for changing SSL TLS Cipher Suites here.

Posted on

Linux Firewall

Linux FirewallCheck out the Linux Firewall mini setup guide which demonstrates the use of iptables in Linux. Here I demonstrate a few basic commands and rules and explained how we can allow and deny specific traffic on your Linux server. The scenario is for typical web server allowing only HTTP, HTTPS and SSH. Host based firewalls are often overlooked relying solely on perimeter defenses however are an important aspect of protecting your endpoint whether that is on a server or workstation. Iptables in built into Linux is a pretty capable command line based stateful firewall. Once you have the hang on the syntax it is fairly straightforward to implement and customize to your own requirements.

Linux Firewall iptables
Linux Firewall iptables

Click to check out the full Linux Firewall iptables mini guide here.

 

Posted on

Installing VirtualBox Guest Additions in Kali Linux v1.x

A brief summary of the commands needed to install VirtualBox Guest Additions in Kali Linux v1.x. Having the Guest Additions installed is very useful, being able to copy and paste text like bash lines like the below is extremely useful. There is also the extra screen options such as the transparency mode. Being able to copy files in and out of the system into the host is also very useful.

Linux headers need to be updated.

#apt-get update && apt-get install -y linux-headers-$(uname -r)

Copy the VBoxLinuxAdditions.run file to the Desktop.

Restart.

#cp /media/cdrom/VBoxLinuxAdditions.run /root/Desktop/
#cd /root/Desktop/

Make it executable:

#chmod 755 VBoxLinuxAdditions.run

Install it:

#./VBoxLinuxAdditions.run
kali Virtualbox
Installing VirtualBox Guest Additions on Kali Linux version 1.x

Reboot for a final time.

After it has successfully installed you will now be able to go full screen, add in file sharing options, copy and paste and clipboard functionality. Enjoy.

 

Posted on

Cisco ASA in GNS3

Having spent many hours over several days trying to get to a point were I could run a Cisco ASA in GNS3 in stable condition has proven to to be harder than first thought. However I now have a set of configuration options specific to the Cisco ASA to keep it running in a stable manner in GNS3. Check it out under my  Labs and Projects menu here, let me know your thoughts or any other better ways to achieve this.

Follow the link here to creating a Cisco ASA in GNS3 here : https://www.adamcouch.co.uk/labs-projects/cisco-asa-firewall-in-gns3/

Cisco ASA in GNS3