
Subject: Using a Group Policy Object (GPO) to Harden Service and Registry Key Entries

  
  1. #1

    Using a Group Policy Object (GPO) to Harden Service and Registry Key Entries

    Code:
    http://itprosecure.com/blogs/fcs_administration/archive/2009/04/26/forefront-client-security-using-a-group-policy-object-to-harden-service-and-registry-key-entries-for-the-forefront-client-security-sp1-agent-on-a-windows-vista-enterprise-sp1-workstation.aspx
    Using a Group Policy Object (GPO) to Harden Service and Registry Key Entries for the Forefront Client Security SP1 Agent on a Windows Vista Enterprise SP1 Workstation


    In order to improve availability of the Forefront Client Security SP1 Agent on Target Workstations and Servers it is important to reduce the number of Users and Groups who can manage these Services. This concept termed 'least privilege' is part of the broader goal of improving Service Availability while permitting appropriate access to the Forefront Client Security SP1 Graphical User Interface (GUI) for Administration or Response to an identified threat by the Agent. In the following Lab Exercise Lesson I spend time configuring a Group Policy Object to reduce the ability of even Local Administrators to Stop, Start, Restart, Modify or Delete Specific Services used by the Forefront Client Security SP1 Agent. Additionally, I will modify the Access Control Lists (ACLs) for specific Registry Keys used by Forefront Client Security.
    If you have ever considered the following questions, this Blog entry will be of value:

    • How do I harden the Forefront Client Security Agent?
    • Which Services does the Forefront Client Security Agent use?
    • Which Registry entries does the Forefront Client Security Agent use?
    • How do I configure Group Policy Object (GPO) settings to harden the Forefront Client Security Agent?
    • How do I keep Local Administrators from modifying the Forefront Client Security Agent settings?

    The setup for this Blog entry incorporates a number of Server and Workstations. The summary for devices is as follows:

    1. Windows 2008 Active Directory Domain Controller - includes the Group Policy Management Console function with a Host Name of 'a01-dc01'.
    2. Forefront Client Security SP1 Server - includes all Forefront Client Security Roles, Group Policy Management Console, Windows Server Update Services 3.0 SP1 running SQL 2005 SP2 on Windows 2008 with a Host Name of 'a01-fcs01'.
    3. Vista Enterprise Edition SP1 - Client Workstation with a Host Name of 'a01-cli06'.

    The User IDs for this Blog entry are as follows:

    1. fcs_admin - Forefront Client Security Server Administrator.
    2. administrator - Domain Administrator and Local Administrator on the Client Workstation
    3. tg6_admin_1 - Domain User and NOT a Local Administrator on the Client Workstation - but Administrator of the defined Forefront Client Security Services (Services and Registry Entries).

    I begin initially by reviewing the Group Policy Object (GPO) created both by the Forefront Client Security Policy and specific GPO Settings I configured separately for Services like the Windows Firewall and Automatic Update Settings.


    1. I begin by opening the Group Policy Management Console (GPMC) SP1 on a Windows 2008 Domain Controller. A quick review of the 'Numbered Items' above is as follows:

    • Item 1 - The Domain Global Security Group (DGSG) titled 'FCS Target Group 6'. The purpose of this DGSG is to add specific Client Workstations (or Servers) as Group Members to focus the Forefront Client Security Client Policy (the Settings for FCS).
    • Item 2 - The Domain Global Security Group titled 'FCS Target Group 6 Service Admins'. The purpose of this DGSG is to add specific User IDs or other DGSGs whose Membership permits Starting, Stopping and Restarting the Forefront Client Security Services, in addition to editing Forefront Client Security related Registry Entries.
    • Item 3 - The User ID titled 'tg6_admin_1'. The purpose of this User ID is to be added as a Member of the 'FCS Target Group 6 Service Admins' to Permit Administration of Forefront Client Security Services and Registry Entries.




    2. I then move and Login as a Local Administrator to the Client Workstation with a Host Name of 'a01-cli06'. This Workstation runs Windows Vista Enterprise SP1. This will be our Target Client Workstation for modifying both the Services and Registry Entries for the Forefront Client Security SP1 Agent. Before beginning to work with Forefront Client Security (FCS) I will validate both the Operating System Updates are current as well as the Forefront Client Security Definition Updates.



    3. Only a few Applications are installed Locally on this Client Workstation. Upon examining those Applications I then begin to validate what Group Policy Objects (GPOs) are processed for the Computer Object.



    4. Issuing 'gpresult /v /scope computer' provides 'verbose output' (/v Switch) of the Group Policy Result Command Utility scoped only to view the 'Computer' Group Policy Objects.



    5. The output from this Group Policy Object Query offers the detail of the 'Applied Group Policy Objects'. Note there are several GPOs specifically focused around Forefront Client Security. Here's the detail on those GPOs:

    • FCS - FCS Policy - Target Group 6 - {YYYYYYYYY-YYYYYYY-YYYYYY}-3 - the Enforced Group Policy Object dynamically generated by the Forefront Client Security Console with the detailed FCS SP1 Agent Settings.
    • FCS WSUS Server Automatic Update Group Policy - Target Group 6 - the Automatic Update Settings for Target Group 6. This GPO ensures placement of the Registry Values to configure Automatic Updates to use the WSUS Server. In this configuration the FCS Client Agent Definition Updates are 'automatically' pulled from the WSUS Server.
    • FW Settings Managed Workstations - this GPO provides the Windows Vista Firewall Settings to permit proper Network and Service Access.




    6. Before beginning to create any new GPOs I will ensure this Client Workstation is current with the Operating System Patches necessary. I observe 10 Important Updates and initiate the Installation Process of these Updates.



    7. Here is the detail on the 10 Important Updates. I initiate Installation of those Updates and a Reboot of this Client Workstation.



    8. I move to Login to the Forefront Client Security Server running Windows 2008. This is identified as a 'Single Server Topology running Windows 2008' for reference. I will begin to review the existing Group Policy Objects in advance of creating the new GPO to harden FCS Services and Registry entries.



    9. With a focus on the 'Target Group 6' Organizational Unit I observe a number of GPOs 'Inherited' by this OU. On the left side of the Screen we see the FCS Client Policy (GPO titled 'FCS-FCS Policy - Target Group 6-{YYYYY-YYYYY-YYYY}-3') while on the right side of the Screen we view the 'Inherited Policies' from the Domain and various OU Levels.



    10. In a separate exercise I have previously configured other 'Service Access Restriction' GPOs for both 'Target Group 2' and 'Target Group 4'. I have noted this only to communicate I could 'copy' one of these GPOs and Edit the GPO Settings. Instead I will create a new GPO from scratch for 'Target Group 6'. Again, the purpose of this new GPO will be to restrict access to specific Forefront Client Security Services and Registry entries.



    11. Creation of the GPO begins with selection in the GPMC of 'New' Group Policy Object followed by providing the GPO a title.




    12. I title this GPO 'FCS Target Group 6 Service Access Restriction' and move to modify Settings.



    13. Editing the GPO begins. We will focus on the specific System Services required by Forefront Client Security initially.



    14. The Forefront Client Security Services to be modified are as follows:

    • Microsoft Forefront Client Security Antimalware Service
    • Microsoft Forefront Client Security Management Service
    • Microsoft Forefront Client Security State Assessment Service
    • Microsoft Operations Manager 2005 Service (MOM)

    I will edit each of these Services with 2 Objectives: 1) remove the current Local Administrators Access Control Entry (ACE) and 2) place a new ACE of the defined 'Service Administrators Group' with Full Control.



    15. I follow the same repetitive process on all 4 System Services listed in Step 14 above. The steps summarized (and shown in subsequent Screen Captures) are as follows:

    1. Select 'Define this Policy Setting'.
    2. Select 'Automatic' for the 'Select Service Startup Mode'.
    3. Select 'Edit Security' Button to modify Access Control Entries.




    16. I have selected the 'Edit Security' Button on a specific Forefront Client Security Service (the Microsoft Forefront Client Security Antimalware Service, in this example) and observe the default Access Control List (ACL) with individual Access Control Entries (ACEs). It is important to note the 'System' Group must retain 'Full Control' over all Services associated with the Forefront Client Security environment.



    17. Here I select the 'Add' Button and Add the Domain Global Security Group (DGSG) titled 'FCS Target Group 6 Service Admins'. This is our DGSG that is permitted to Administer Services and Registry Entries associated with the Forefront Client Security SP1 Agent. I provide the 'Permissions' for this DGSG of 'Full Control'.




    18. I then select the 'Local Administrators' Group and select the 'Remove' Button. I have removed the Local Administrators Group and replaced it with the DGSG of 'FCS Target Group 6 Service Admins'. This replacement of the individual ACE for the 'Local Administrators' Group allows the Services supporting Forefront Client Security not to be 'tampered with' even by Local Administrators. This functions because the individual Computer Account (the Client Workstation) consistently receives Group Policy Objects (GPOs) from Active Directory.




    19. Notice that upon completion of the individual Edit of each of the associated Forefront Client Security Services the value for 'Startup' is denoted as 'Automatic'. I follow this process for each of the Forefront Client Security Services in repetition.




    20. Here all 4 of the Services that directly support (not Dependent Services) the Forefront Client Security SP1 Agent have been modified. Once this GPO is modified I am ready to either 1) Link it to an Organizational Unit, or 2) configure Security Filtering of a Group Policy Object against a defined Domain Global Security Group (or Groups). Before this GPO is 'Linked' or 'Security Filtered' I begin modifying the Registry Entries in a similar fashion. I will edit the Registry Entries by modifying the Access Control List (ACL) to 1) remove the 'Local Administrators' ACE and 2) add the 'Service Administrators' ACE (our Service Administrators DGSG is titled 'FCS Target Group 6 Service Administrators').




    21. Here I begin editing a specified Registry Key by selecting the 'Registry Node' of this GPO and 'Right-Mouse Clicking' then selecting 'Add Key'. This allows the option to select a Registry Key from the current Computer's Hive. Again, my Target Registry Keys are those associated with configuring the Forefront Client Security SP1 Agent.



    22. I follow the path of 'HKLM\Software\Microsoft\Microsoft Forefront'.




    23. The Registry Path of 'HKLM\Software\Microsoft\Microsoft Forefront' is our Target. I then select 'OK' to make this the Registry Key of focus for modifying the ACLs.




    24. The Properties of the Registry Key Path of 'HKLM\Software\Microsoft\Microsoft Forefront' appear with Default Values. Again, be certain to 'observe and preserve' the values for the 'System' Group.




    25. In a similar fashion to modifying the ACLs for the System Services supporting Forefront Client Security I 1) Add the 'FCS Target Group 6 Service Admins' ACE and 2) Remove the 'Local Administrators' ACE.




    26. The 'FCS Target Group 6 Service Admins' ACE receives 'Full Control' Permissions.




    27. The ACE for 'Users' typically should include at least the 'Read' Permission. Testing indicates without at least 'Read' some/many functions generate Error Messages. I remove the 'Read' ACE for the 'Users' Group for testing purposes only.



    28. With the 'Read' Permission for the 'Users' Group removed I proceed.




    29. The Final Editing Step for this Registry Entry includes selecting how to 'Configure This Key'. In this example I select 'Replace Existing Permissions on all Subkeys with Inheritable Permissions'. This writes the configured ACEs into the ACL.



    30. Back in the Group Policy Management Console SP1 I review the GPO Settings in advance of either 1) Linking the GPO to an OU or 2) Security Filtering the GPO by DGSG.



    31. The GPO looks good. I will continue a further review of Settings including double-checking the ACLs.



    32. Here are the ACEs for the System Services. All looks fine.



    33. And, here are the ACEs for the Registry Keys (did you notice the second Key I added without placing Screen Captures? - just seeing if you are watching closely!).



    34. Here is the final product - the GPO intended to improve System Service and Registry Key availability by removing 'Local Administrators' ability to modify Settings while providing a designated Domain Global Security Group with those Administrative functions.



    35. I am ready to 'Link the GPO to an Organizational Unit (OU)'. I select the Target OU then 'Right-Mouse Click' and select 'Link an Existing GPO'.



    36. I select the newly created Group Policy Object (GPO) titled 'FCS Target Group Access Restriction' and link it to the OU titled 'Target Group 6' where the Client Workstation Computer Account (Machine Account) is located.



    37. The GPO is placed and now I am ready to update the Group Policy Object on the Target Client Workstations to 'force' Settings to apply.



    38. I Login to the Client Workstation titled 'a01-cli06' as a Local Administrator. I then issue the Command 'gpupdate /force' to Update the Group Policy Settings.



    39. After issuing an 'Update' Command I then issue the 'GP Result' Command as 'gpresult /v /scope computer' (outlined previously in this Blog entry). My intent is to examine which Group Policies were applied and validate the newly created GPO to 'Harden Services' is included.



    40. The GPO titled 'FCS Target Group 6 Services Access Restriction' is included. I can begin 'Testing' if the GPO functions to truly Harden Services supporting Forefront Client Security.



    41. I issue the 'whoami' Command to validate my User Context.



    42. Then, I issue the 'net start' Command to list the Services 'started' focusing on the Forefront Client Security Services.



    43. I then open the 'Services' MMC and move to the Forefront Client Security Services. Note that although I am a Local Administrator on this Client Workstation I am unable to 'Edit' the function of these Services.



    44. The same holds true (the inability to 'Edit Services') for the second and subsequent Services that support Forefront Client Security.



    45. I included the 'MOM Service' as it provides the 'Reporting Function' for Forefront Client Security. Again, a valuable Service to improve Service Availability for the Forefront Client Security SP1 Agent.








  2. #2

    46. The detail of the Permission for each ACE removes the ability to change 'Properties' on a Service. I begin 'walking the Tabs' for this Service to detail what is 'Disabled' as a result of this GPO.



    47. Note all of the 'Buttons' (Stop, Start, Pause, Resume) are 'Greyed Out' as a result of this GPO. Again, even for Local Administrators.



    48. The 'Log On' Tab completely 'Greyed Out'.



    49. The 'Recovery' Tab completely 'Greyed Out'.




    50. The 'Dependencies' Tab completely 'Greyed Out'.



    52. Next I move to the Registry Editor (Insert Normal Warning Here!) to the 'HKLM\Software\Microsoft\Microsoft Forefront' Subkey. I can 'observe' values.



    53. When I select the 'HKLM\Software\Microsoft\Microsoft Forefront' Subkey I can observe the new Permissions. Note the Permissions of 'Full Control' for the 'FCS Target Group 6 Service Admins' Group.



    54. I then select the 'Delete' Key function from the Registry Editor. Don't try this unless you believe all Configuration Settings are correct. If your GPO Settings are incorrect you are Re-installing the Application at the very least!



    55. The Modal Dialogue Window provides the final 'Yes/No' Option. I select 'Yes' and then observe the outcome!



    56. Yes. I did not run my feet over with my own car! (in this one example by the way). I cannot 'Delete' the Registry Key because the ACE Permission does not Permit my User Context to do so!



    57. Finally, to show the effect of a Login as a Member of the 'FCS Target Group 6 Service Admins' I Login as 'tg6_admin_1' to identify if I am able to 'Stop/Start' Services or 'Modify' Registry Entries. The User ID 'tg6_admin_1' is a Member of the DGSG added to the Registry Keys and Services that support Forefront Client Security.



    58. Notice right away that the Menu Options when selecting the Registry Key referenced above are all available (Expand, New, Find, Delete, etc.).



    59. Upon further examination and selection of 'Permissions' for the Registry Key I observe the 'Full Control' Permission for this Registry Key. A sure sign I can 'Edit/Modify/Delete' this Registry Key Value while in the User Context of 'tg6_admin_1'.


    If you'd like to 'Learn Advanced IT' - check out our new website exchangesummit.net! Use coupon code 'ITPS-777' for $100 off (through 9/1/2009) the Forefront Client Security SP1 Single Server Topology on Windows 2008. Detailed Course Description -15 hours of video training. Free video content as well!

    Summary: In this Blog Entry I use a Group Policy Object to modify Security Settings for both Services and Registry Keys critical to Forefront Client Security. This GPO removes Local Administrator ability to modify the Forefront Client Security Services and Registry Entries while providing the Administrative Capabilities to a separate Domain Global Security Group (DGSG) designated as Forefront Client Security SP1 Agent Administrators.
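The manual checks in Steps 38-59 (Services MMC buttons greyed out, registry key permissions) can be done in one pass from the client after 'gpupdate /force'. The script below is an added example, not code from the blog post or the forum: it reads the DACL of each Forefront Client Security service (via 'sc.exe sdshow') and of the 'HKLM\Software\Microsoft\Microsoft Forefront' key, and reports whether the GPO from Steps 14-29 arrived as intended. It assumes Windows PowerShell 3.0 or later and a domain NetBIOS name of CONTOSO (both assumptions, not from the post); service short names are not given in the post, so services are matched on the display names listed in Step 14.

```powershell
# Added example (not from the blog post or forum): audit the ACLs that the
# 'FCS Target Group 6 Service Access Restriction' GPO is meant to deliver.
$ServiceAdmins = 'CONTOSO\FCS Target Group 6 Service Admins'   # group from the post; domain assumed
$AdminsSid     = 'S-1-5-32-544'   # BUILTIN\Administrators: the ACE the GPO removes
$SystemSid     = 'S-1-5-18'       # NT AUTHORITY\SYSTEM: must keep Full Control
$UsersSid      = 'S-1-5-32-545'   # BUILTIN\Users: Step 27 says it needs at least Read
$ServiceAll    = 0xF01FF          # SERVICE_ALL_ACCESS, 'Full Control' for a service
$KeyAll        = 0xF003F          # KEY_ALL_ACCESS, 'Full Control' for a registry key
$KeyRead       = 0x20019          # KEY_READ
$RegistryKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront'

$nt = New-Object System.Security.Principal.NTAccount($ServiceAdmins)
$ServiceAdminsSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Collect the allow ACEs of a DACL as SID -> access mask, then check the GPO's intent.
# Generic rights (GA/GR/...) are not mapped to specific rights here; the GPO editor
# writes specific rights, which is what this compares against.
function Test-Dacl {
    param([string]$Label, [System.Security.AccessControl.RawAcl]$Dacl,
          [int]$FullMask, [int]$UsersMask = 0)
    $allow = @{}
    foreach ($ace in $Dacl) {
        if ($ace.AceType -eq 'AccessAllowed') { $allow[$ace.SecurityIdentifier.Value] = $ace.AccessMask }
    }
    $problems = @()
    if ($allow.ContainsKey($AdminsSid)) {
        $problems += 'BUILTIN\Administrators still has an allow ACE (GPO not applied?)' }
    if (-not $allow.ContainsKey($SystemSid)) {
        $problems += 'SYSTEM has no allow ACE; the GPO must preserve it (Step 16)' }
    if (([int]$allow[$ServiceAdminsSid] -band $FullMask) -ne $FullMask) {
        $problems += "$ServiceAdmins does not have Full Control" }
    if ($UsersMask -and (([int]$allow[$UsersSid] -band $UsersMask) -ne $UsersMask)) {
        $problems += 'BUILTIN\Users lacks Read; expect errors in the FCS GUI (Step 27)' }
    if ($problems.Count -eq 0) { Write-Host "$Label : OK" }
    else { $problems | ForEach-Object { Write-Warning "$Label : $_" } }
    return ($problems.Count -eq 0)
}

$results = @()

# Services from Step 14, matched on display name; 'sc.exe sdshow' prints the DACL as SDDL.
$services = Get-Service | Where-Object {
    $_.DisplayName -like 'Microsoft Forefront Client Security*' -or
    $_.DisplayName -like 'Microsoft Operations Manager*' }
foreach ($svc in $services) {
    $sddl = sc.exe sdshow $svc.Name | Where-Object { $_ -match 'D:\(' }
    if (-not $sddl) { Write-Warning "$($svc.DisplayName) : could not read descriptor"; $results += $false; continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
    $results += Test-Dacl -Label $svc.DisplayName -Dacl $sd.DiscretionaryAcl -FullMask $ServiceAll
}

# Registry key from Steps 22-29; Get-Acl exposes the same descriptor as SDDL.
$keySd = New-Object System.Security.AccessControl.RawSecurityDescriptor((Get-Acl $RegistryKey).Sddl)
$results += Test-Dacl -Label $RegistryKey -Dacl $keySd.DiscretionaryAcl -FullMask $KeyAll -UsersMask $KeyRead

if ($results -contains $false) { exit 1 }   # non-zero exit lets a scheduled task or SCOM rule flag drift
```

Run it as any local user; reading a service's descriptor and a key's ACL needs only READ_CONTROL, which the 'Users' Read ACE from Step 27 supplies, so the same script works under 'tg6_admin_1' and under a Local Administrator.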



