Friday, March 17, 2017

Breach resistance security in Windows Server 2016 (Device Guard, Credential Guard)

Objective

Scenario

Virtual Machines

  1. DC
  2. SVR1
  3. SVR2

Credential Guard

In this exercise, you will be using Svr1 to accomplish the following:
  • Enable Credential Guard using Group Policy
  • Verify Credential Guard status on the server

Credential Guard uses Virtualization Based Security (VBS) to move the secrets that LSASS would otherwise hold in its process memory (domain passwords, NTLM hashes and Kerberos tickets) into an isolated LSA process, LsaIso.exe, that even SYSTEM-level code on the host cannot read. That closes off the usual source for pass-the-hash and pass-the-ticket attacks, namely dumping LSASS memory on a compromised host. It does not protect local accounts, credentials captured by a keylogger or on the wire, or credentials that were already stolen elsewhere, and it requires UEFI Secure Boot and a hypervisor-capable platform.
  1. Enable Credential Guard using Local Group Policy
    1. Log on to Svr1 (IgniteLab\Administrator with a password of Ignite2016)

    2. Open a PowerShell window and type gpedit.msc

    3. Navigate to Computer Configuration -> Administrative Templates -> System -> Device Guard

    4. Open Turn On Virtualization Based Security by double-clicking it in the right pane

    5. Select the Enabled radio button

    6. Under Credential Guard Configuration, select "Enabled with UEFI lock" in the dropdown box.

    Note: With the UEFI lock, the setting is also stored in a UEFI variable, so it cannot be turned off again simply by reverting the policy from the network; clearing it requires confirmation at the console (physical or VM console) during boot. Choose "Enabled without lock" only if you need to be able to disable Credential Guard from Group Policy later.

    7. Click Apply -> OK

    8. Return to the PowerShell window and type gpupdate /force

    9. Run Restart-Computer -Force in the PowerShell window.
  2. Verify Credential Guard status
    1. Log on to Svr1 after it reboots.

    2. Open a PowerShell window and type msinfo32 to open System Information

    3. Under System Summary:
    • Check that Device Guard Security Services Configured lists Credential Guard in the Value column
    • Check that Device Guard Security Services Running lists Credential Guard in the Value column

    If Credential Guard is listed as configured but not as running, the usual causes are that Secure Boot is off or that the hypervisor could not start; in a Hyper-V lab VM this needs a Generation 2 VM with Secure Boot and nested virtualization enabled on the host.

    You can also use the PowerShell cmdlet Get-ComputerInfo -Property DeviceGuard* to get the same information; Get-Process LsaIso shows the isolated LSA process that Credential Guard runs in.
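The Group Policy steps above can be scripted. The following is an added example, my own code rather than anything from the lab, that writes the registry values Microsoft documents for enabling VBS and Credential Guard outside Group Policy (the HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard and ...\Control\Lsa keys, not the Policies hive that gpedit.msc writes) and first checks the prerequisites that most often leave Credential Guard "configured but not running". The function names are mine; run it elevated on Svr1.

```powershell
# Added example (not from the lab): enable VBS + Credential Guard through the registry.
# Run in an elevated PowerShell window on the target; a reboot is still required.

function Test-CredentialGuardPrerequisite {
    # Confirm-SecureBootUEFI throws on a BIOS/CSM system, which counts as "no".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    [pscustomobject]@{
        SecureBootOn             = $secureBoot
        # A hypervisor already present (e.g. the Hyper-V role) is fine; VBS runs on top of it.
        HypervisorPresent        = [bool]$cs.HypervisorPresent
        # Reads False once a hypervisor is already running, so HypervisorPresent = True
        # is sufficient on its own.
        VirtualizationInFirmware = [bool]$cpu.VirtualizationFirmwareEnabled
        SlatSupported            = [bool]$cpu.SecondLevelAddressTranslationExtensions
    }
}

function Enable-CredentialGuardRegistry {
    param(
        [switch]$NoUefiLock,                                 # default is the UEFI-locked setting, as in the lab
        [ValidateSet(1, 3)][int]$PlatformSecurityLevel = 1   # 1 = Secure Boot, 3 = Secure Boot + DMA protection
    )
    $dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    if (-not (Test-Path $dg)) { New-Item -Path $dg -Force | Out-Null }

    # Turn VBS on and state the platform features it requires.
    Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Value $PlatformSecurityLevel -Type DWord

    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without lock, 0 = off.
    $flags = if ($NoUefiLock) { 2 } else { 1 }
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value $flags -Type DWord

    [pscustomobject]@{
        EnableVirtualizationBasedSecurity = (Get-ItemProperty $dg).EnableVirtualizationBasedSecurity
        RequirePlatformSecurityFeatures   = (Get-ItemProperty $dg).RequirePlatformSecurityFeatures
        LsaCfgFlags                       = (Get-ItemProperty $lsa).LsaCfgFlags
        RebootRequired                    = $true
    }
}

# Usage on Svr1 (elevated):
#   Test-CredentialGuardPrerequisite
#   Enable-CredentialGuardRegistry          # UEFI-locked, matching the lab's GPO choice
#   Restart-Computer -Force
```

Run the prerequisite check before choosing the UEFI lock: once locked, a box that cannot actually run VBS still carries the setting until someone clears it at the console.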

Remote Credential Guard

In this exercise, you will be using Svr2 as the RDP client and Svr1 as the RDP server to accomplish the following:
  • Configure the RDP server to allow clients to connect using Remote Credential Guard
  • Establish an RDP connection using Remote Credential Guard
  • Connect to a file share from the RDP server


  1. Configure the RDP server
    1. Log on to Svr1 as IgniteLab\Administrator

    2. Open a PowerShell window

    3. Type cd C:\users\administrator.IgniteLab\Desktop\

    4. Run .\RemoteGuardConfig.ps1
    The RemoteGuardConfig.ps1 script sets the registry value on the RDP server that allows clients to use Remote Credential Guard for the connection. The script itself is not reproduced here; the documented host-side setting is the DWORD DisableRestrictedAdmin = 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which enables both Remote Credential Guard and Restricted Admin mode on the host. No reboot is needed.
  2. RDP using Remote Credential Guard
    1. Log on to Svr2 as IgniteLab\Jake

    2. Open a PowerShell window

    3. Type mstsc /v:svr1 /remoteGuard

    Note: No user credential is prompted for. The client signs in with the Kerberos TGT it already holds for IgniteLab\Jake, and Svr1 obtains service tickets by redirecting Kerberos requests back to the client instead of receiving the user's password or NTLM hash. This only works for a domain account that logged on with Kerberos (not a local account or an NTLM-only logon) and with a domain-joined target.
  3. Connecting to a file share in the RDP session
    Once the RDP session has been established, open a PowerShell window inside the RDP session to Svr1

    1. Type net use Z: \\labdc\Jake

    2. Type Z:

    3. Type dir

    You can see all the data under the share, and no user credential was entered at any step: Svr1 requested the service ticket for the cifs/labdc SPN through the client's Kerberos session.
  4. Connect to a file share after the RDP session is over
    1. Continue the exercise in the Svr2 RDP session to Svr1

    2. Type cd C:\Users\Jake\Desktop

    3. Type .\DelayCon.ps1

    4. Observe that the RDP session has been closed, and wait for 20 seconds

    5. Run mstsc /v:svr1 /remoteGuard in the PowerShell window on Svr2 again

    6. After the RDP session reconnects, notice that the file share connection was not established

    Note: The connection fails because, with Remote Credential Guard, the RDP server never receives reusable credentials for the user. It can only obtain new Kerberos service tickets while the client session is connected; once the session is disconnected there is nothing on Svr1 with which to authenticate to labdc.

    7. Disconnect the RDP session.
    You can open the DelayCon.ps1 script to examine its content. At a high level, the script disconnects the RDP session first and then reconnects to the same file share. This demonstrates that Remote Credential Guard prevents the RDP server from reaching other servers as the user once the RDP connection is no longer active. The caveat is the inverse case: while the session is active, code running as SYSTEM on a compromised Svr1 can still request tickets in the user's name, so Remote Credential Guard narrows the window of exposure rather than removing it. Restricted Admin mode (mstsc /restrictedAdmin) avoids that by having the session act as Svr1's machine account instead, at the cost of losing the user's identity for outbound connections.
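As an added example (my own code, not the lab's RemoteGuardConfig.ps1 or DelayCon.ps1, whose contents this page does not show), here is the host-side switch, a check for it, and the client-side policy that makes Remote Credential Guard mandatory rather than something the user opts into with /remoteGuard. The registry paths are the documented ones for these settings; the function names are mine, and the RestrictedRemoteAdministrationType enum value is taken from the Credentials Delegation ADMX and should be confirmed against the ADMX on your build.

```powershell
# Added example (not the lab's scripts): Remote Credential Guard host and client settings.

$LsaKey               = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$CredDelegationPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# RDP host side (Svr1): DisableRestrictedAdmin = 0 lets the host accept both
# /remoteGuard and /restrictedAdmin connections. Takes effect without a reboot.
function Enable-RemoteCredentialGuardHost {
    Set-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -Value 0 -Type DWord
    Test-RemoteCredentialGuardHost
}

function Test-RemoteCredentialGuardHost {
    $v = (Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    [pscustomobject]@{
        Host                   = $env:COMPUTERNAME
        DisableRestrictedAdmin = $v
        # $null (value absent) or 1 means the host will refuse a /remoteGuard session.
        RemoteGuardAllowed     = ($v -eq 0)
    }
}

# RDP client side (Svr2): instead of relying on users to type /remoteGuard, require it
# through "Restrict delegation of credentials to remote servers" (Computer Configuration ->
# Administrative Templates -> System -> Credentials Delegation). The registry equivalent:
#   RestrictedRemoteAdministration     = 1  (policy enabled)
#   RestrictedRemoteAdministrationType = 2  (Require Remote Credential Guard; assumption: value per ADMX,
#                                           1 = Require Restricted Admin, 3 = Restrict credential delegation)
function Set-RemoteCredentialGuardClientPolicy {
    if (-not (Test-Path $CredDelegationPolicy)) { New-Item -Path $CredDelegationPolicy -Force | Out-Null }
    Set-ItemProperty -Path $CredDelegationPolicy -Name RestrictedRemoteAdministration     -Value 1 -Type DWord
    Set-ItemProperty -Path $CredDelegationPolicy -Name RestrictedRemoteAdministrationType -Value 2 -Type DWord
    Get-ItemProperty -Path $CredDelegationPolicy |
        Select-Object RestrictedRemoteAdministration, RestrictedRemoteAdministrationType
}

# Then from Svr2, as IgniteLab\Jake:
#   mstsc.exe /v:svr1 /remoteGuard
# Inside the session, klist lists the Kerberos tickets in use; the host obtained them
# through the client and holds no password or NTLM hash for Jake.
```

With the client policy set to require Remote Credential Guard, a connection to a host that has not been configured (DisableRestrictedAdmin absent or 1) fails outright rather than silently falling back to sending the password, which is the behaviour you want on administrative workstations.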

Device Guard

Device Guard in Windows Server 2016 combines a configurable Code Integrity (CI) policy, which decides what code may run, with Hypervisor-Enforced Code Integrity (HVCI), which has the hypervisor, rather than the kernel, enforce code integrity for kernel-mode code. In this exercise, you will be using Svr1 to accomplish the following:
  • Enable HVCI and verify it
  • Create a new Code Integrity (CI) policy in audit mode
  • Run an app which is not covered by the CI policy, and check the event log
  • Change the audit CI policy to enforcement mode
  • Run the same app again and observe that it is blocked by the CI policy

  1. Enable Hypervisor-Enforced Code Integrity (HVCI)
    1. Log on to Svr1 as IgniteLab\Administrator

    2. Open a PowerShell window and type gpedit.msc

    3. Navigate to Computer Configuration -> Administrative Templates -> System -> Device Guard

    4. Open Turn On Virtualization Based Security by double-clicking it in the right pane

    5. Select the Enabled radio button

    6. Under Virtualization Based Protection of Code Integrity, select "Enabled with UEFI lock" in the dropdown box.

    7. Click Apply -> OK

    8. Return to the PowerShell window and type gpupdate /force

    9. Run Restart-Computer -Force in the PowerShell window.
  2. Verify HVCI is running
    1. Log on to Svr1 after it reboots.

    2. Open a PowerShell window and type msinfo32 to open System Information

    3. Under System Summary:
    • Check that Device Guard Security Services Configured lists Hypervisor enforced Code Integrity in the Value column
    • Check that Device Guard Security Services Running lists Hypervisor enforced Code Integrity in the Value column
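The msinfo32 checks in this step and in the Credential Guard section earlier read the same data. As an added example (my own code, not from the lab), here is the equivalent query of the Win32_DeviceGuard WMI class with the numeric codes decoded, plus the LsaIso.exe process as a second signal that Credential Guard is actually running. The function name is mine; the class, namespace and code values are the documented ones.

```powershell
# Added example (not from the lab): decode VBS / Device Guard status from WMI.
# Equivalent to the msinfo32 "Device Guard ..." rows; serves both the Credential Guard
# and the HVCI verification steps. Run elevated.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Codes used by SecurityServicesConfigured and SecurityServicesRunning.
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor enforced Code Integrity' }
    $vbsStates    = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

    $decode = {
        param($codes)
        @($codes | ForEach-Object {
            if ($serviceNames.ContainsKey([int]$_)) { $serviceNames[[int]$_] } else { "Unknown($_)" }
        })
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        VbsStatus             = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured    = & $decode $dg.SecurityServicesConfigured
        ServicesRunning       = & $decode $dg.SecurityServicesRunning
        CredentialGuardActive = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciActive            = [bool]($dg.SecurityServicesRunning -contains 2)
        # Credential Guard keeps LSA secrets in LsaIso.exe; CredentialGuardActive = True
        # without this process would be worth investigating.
        LsaIsoProcess         = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        # CI policy enforcement: 0 = no policy, 1 = audit, 2 = enforced.
        KernelCIPolicy        = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCIPolicy      = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

# Usage: Get-VbsStatus | Format-List
```

A service that appears in ServicesConfigured but not in ServicesRunning is the scripted equivalent of the msinfo32 mismatch discussed under the Credential Guard verification step: the policy is in place but VBS could not start. The two CI policy fields are also a quick way to confirm, after the steps below, whether the policy in SIPolicy.p7b is being applied in audit or enforced mode.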
  3. Create a Code Integrity policy
    1. Open a PowerShell window by clicking the PowerShell icon on the taskbar

    2. Type New-CIPolicy -FilePath C:\CI\audit.xml -Level Publisher -UserPEs -Fallback Hash

    This scans the system and writes a policy that allows what is currently installed, with rules keyed on the signing publisher and per-file hashes for anything that is unsigned. -UserPEs includes user-mode binaries; without it the policy only covers kernel-mode code. A newly created policy carries the Enabled:Audit Mode rule option, so nothing is blocked yet.

    3. This cmdlet will run for about 30 minutes; to save time, you can press Ctrl+C to cancel it and use the file "Svr-audit.xml" created for this exercise.

    4. Type ConvertFrom-CIPolicy -XmlFilePath "C:\CI\Svr-audit.xml" -BinaryFilePath "C:\CI\Svr-audit.bin"

    5. Type Copy-Item "C:\CI\Svr-audit.bin" "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"

    6. Type Restart-Computer -Force
  4. Run the blocked app in audit mode
    1. Log on to Svr1 as IgniteLab\Administrator

    2. Open a PowerShell window

    3. Type C:\CI\Tools\npp.exe

    4. Follow the wizard to install it

    5. Open Event Viewer by clicking the eventvwr icon on the taskbar

    6. Navigate to Applications and Services Logs -> Microsoft -> Windows -> CodeIntegrity -> Operational

    7. Check that the files not covered by the CI policy are logged in the event log as informational events (Event ID 3076)
    npp.exe was copied to the server after the CI policy was created, so the policy has no rule for it. This demonstrates that under audit mode the file can still run on the server, but an event is logged for it; those events are what you review, and fold into the policy where the files are legitimate, before switching to enforcement.
  5. Change CI from audit to enforcement mode
    1. Open a PowerShell window by right-clicking the PowerShell icon on the taskbar

    2. Type Copy-Item "C:\CI\Svr-audit.xml" "C:\CI\Svr-enforced.xml"

    3. Type Set-RuleOption -FilePath C:\CI\Svr-enforced.xml -Option 3 -Delete

    Option 3 is the Enabled:Audit Mode rule option; deleting it from the policy turns it into an enforced policy.

    4. Type ConvertFrom-CIPolicy "C:\CI\Svr-enforced.xml" "C:\CI\Svr-enforced.bin"

    5. Type Copy-Item "C:\CI\Svr-enforced.bin" "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"

    6. Type Restart-Computer -Force

    Keep the audit policy around: an enforced policy that omits a boot-critical driver or the binaries of a pending update will block them at the next boot, and recovery means replacing SIPolicy.p7b offline (for example from WinRE), or deleting it so that no policy is applied.
  6. Run the blocked app in enforcement mode
    1. Log on to Svr1 as IgniteLab\Administrator

    2. Open a PowerShell window

    3. Type C:\CI\Tools\npp.exe

    4. Observe that it is blocked by CI

    5. Open Event Viewer by clicking the eventvwr icon on the taskbar

    6. Navigate to Applications and Services Logs -> Microsoft -> Windows -> CodeIntegrity -> Operational

    7. Check that the files not covered by the CI policy are now logged in the event log as errors (Event ID 3077)
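Reviewing the CodeIntegrity log by hand is fine for one file; in practice you want the list of everything the policy would block, and a way to fold the legitimate entries back into the policy before enforcing it. The following is an added example (my own code, not from the lab): it reads the 3076 (audit) and 3077 (enforced) events, parses the file path out of the message text (an assumption about the message wording, since the EventData field layout varies by build), and shows the New-CIPolicy -Audit / Merge-CIPolicy path for turning audit events into rules. The function names and the C:\CI\*.xml output paths are mine.

```powershell
# Added example (not from the lab): triage CodeIntegrity events and fold audit hits into the policy.

function Get-CIPolicyViolation {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077        # 3076 = would be blocked (audit), 3077 = blocked (enforced)
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Assumption: the message reads "... attempted to load <path> that did not meet ...";
        # the path is in NT device form (\Device\HarddiskVolumeN\...), not a drive letter.
        $file = if ($e.Message -match 'attempted to load (\S+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Time = $e.TimeCreated
            Id   = $e.Id
            Mode = if ($e.Id -eq 3076) { 'Audit (allowed)' } else { 'Enforced (blocked)' }
            File = $file
        }
    }
}

# Distinct files with hit counts: what would break if the current policy were enforced.
function Get-CIPolicyViolationSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-CIPolicyViolation -Since $Since |
        Group-Object Mode, File |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Mode'; e = { $_.Group[0].Mode } },
            @{ n = 'File'; e = { $_.Group[0].File } }
}

# Generate rules from the audit events and merge them into the base policy. The result is
# still an audit-mode policy until Set-RuleOption -Option 3 -Delete is applied, as in step 5.
function Merge-CIAuditIntoPolicy {
    param(
        [string]$BasePolicy = 'C:\CI\Svr-audit.xml',
        [string]$AuditDelta = 'C:\CI\audit-delta.xml',
        [string]$MergedXml  = 'C:\CI\Svr-merged.xml',
        [string]$MergedBin  = 'C:\CI\Svr-merged.bin'
    )
    # -Audit builds rules from the 3076 events in the CodeIntegrity log instead of scanning disk.
    New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath $AuditDelta
    Merge-CIPolicy -PolicyPaths $BasePolicy, $AuditDelta -OutputFilePath $MergedXml
    ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $MergedBin
    Get-Item $MergedBin
}

# Usage after the audit-mode run in step 4:
#   Get-CIPolicyViolationSummary | Format-Table -AutoSize
#   Merge-CIAuditIntoPolicy      # only once every listed file is one you intend to allow
```

Review the summary before merging: New-CIPolicy -Audit allows everything the log saw, so an unwanted binary that ran during the audit window (npp.exe in this lab, or something an attacker dropped) would be whitelisted along with the legitimate software.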
