Active Directory in ICS: Lessons Learned From The Field

Description
Donovan Tindill of Honeywell at the S4x15 Operations Technology Day (OTDay). A meaty but practical technical session on how to use Active Directory to help manage and secure your ICS.
Transcript
  • 1. Lessons Learned from the Field: Active Directory in ICS. HPS Industrial Cyber Security Services. DigitalBond S4x15, January 2015
  • 2. Abstract • Many control systems don’t have domains or leverage them only for user authentication. They are intended to help centralize the maintenance and management of a large group of member computers, as well as huge productivity gains for administration, implementing change, and consistency. This session will cover lessons learned of Active Directory domains and their use with control systems, from someone who deals only with control system environments. What works, what to avoid, guidance on how to plan & implement certain features, and useful things you may not have known about. This is not an introduction to Active Directory; it is intended for those that have familiarity with Active Directory, its purpose, basic administration and group policy management. • 45 minutes. Honeywell Proprietary 2015
  • 3. Speaker • Donovan Tindill, Senior Security Consultant – Honeywell Industrial Cyber Security (formerly Matrikon) – For almost 15 years, specialized in defending cyber security for industrial automation & control systems (IACS) across most every industry and countless ICS. – Responsible for large scale project planning, enterprise risk management, security program development, training, vulnerability assessments, industry compliance, NERC CIP, etc. – ISA99/IEC62443 contributor, and co-chair of Working Group 6 on IACS patch management. – Assessed and designed LOTS of ICS networks and domains, cyber security assessments (people-process-technology), developed ICS cyber security programs, etc. – Email: http://tinyurl.com/DonovanAtHon; please connect on LinkedIn and mention this conference. The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
  • 4. Honeywell Industrial Cyber Security • Honeywell Industrial Cyber Security is the leading provider of cyber security solutions that help protect the availability, safety, and reliability of industrial control systems (ICS) and plant operations. Leveraging our industry leading process control and cyber security experience, our expertise, and technology, we deliver proven solutions designed for the specific needs of process control environments. Cyber Security = Process Availability, Safety and Reliability
  • 5. Honeywell Protects: From the Inside Out and Outside In • Build security into our products – Employ same risk-management mechanisms for cyber security we design for safe industrial operations • Strengthen security with proven end-to-end solutions – Security architecture, security controls and best industrial practices – Services delivered by global team of experts • Assure continued protection and resilience – Situational awareness – Monitoring, management and training services
  • 6. Industrial Cyber Security Solutions Framework: Embedded Security Is Just the Start. (Diagram) Security Awareness – Cyber Security Assessments, Monitoring and Situational Awareness, used to drive secure architectural design. Security Design – Architectural Design and Best Practices. Security Controls – Operational Security Controls, leveraging network, host & technology controls. We Address Industrial Cyber Security End-to-End
  • 7. Complete Industrial Cyber Security Solutions (Diagram) • Assessments & Audits – Security Assessments – Network & Wireless Assessments – Security Audits – Current State Analysis • Architecture & Design – Design & Optimization – Zones & Conduits – Policy Development • Response & Recovery – Backup and Restore – Incident Response • Network Security – Firewall – Intrusion Prevention – Access Control • Situational Awareness – Continuous Monitoring – Compliance & Reporting – Security Analytics – Security Information & Event Management (SIEM) • Endpoint Protection – Patching & Anti-Virus – Application Whitelisting – End Node Hardening – Security Awareness Training – Portable Media & Device Security • TECHNOLOGY
  • 8. Managed Industrial Cyber Security Services • Secure Connection – Secure tunnel for services • Protection Management – Qualified anti-malware files & operating system patches • Continuous Monitoring and Alerting – Monitoring of system, network & cyber security performance; 24/7 alerting against thresholds • Intelligence Reporting – Weekly compliance and quarterly trend reports • Perimeter and Intrusion Management – Firewall: configuration rules + log file review and reporting – IPS: signature update validation + log file review and reporting
  • 9. Why Honeywell Industrial Cyber Security • Industry Leading People and Experience – Global team of certified experts with deep experience across all industries – 100’s of successful PCN / industrial cyber security projects – Leaders in security standards ISA99 / IEC62443 • Industry Leading Processes and Expertise – Proprietary methodologies specific for process control environment & operations – Best practices developed through years of delivering solutions – Comprehensive understanding of unique process control security requirements • Industry Leading Technology – First to obtain ICS product security certification with ISASecure – Largest R&D investment in cyber security solutions and technology – Strategic partnerships with best in class security product vendors • Trusted, Proven Solution Provider
  • 10. Topics (by technical level) • 100 – Time Synchronization, DNS, AD Replication, DC Maintenance, Backup and Restore • 200 – User and Group Guidelines, ICS Group Policy, Groups.xml Vulnerability • 300 – DC Through Firewall, Fine Grained Password Policies • 400 – AppLocker. If common sense were common, we wouldn’t have to fix these over and over…
  • 11. Terminology • NTDS – NT Directory Services • AD – Active Directory (aka. NTDS) • DC – Domain Controller • FSMO – Flexible Single Master Operation • DNS – Domain Naming Service • GPO – Group Policy Object • SCW – Security Configuration Wizard
  • 12. Time Synchronization: Drifting from Reality (footer: Ft McMurray Oilsands Conference 2015 / 2009)
  • 13. Time Synchronization • Accurate time sync is a fundamental component of AD authentication. Time drift can result in domain decay and mysterious authentication issues if it exceeds 4 minutes between domain members. • Actual Event: – One group of computers cannot authenticate with other PCs in the same domain. Some logons work, some don’t, not consistent across the environment. – Root Cause: Time drift greater than 5 minutes between DCs results in replication failure; domain members polarize with a DC and ‘islands’ of authentication result. – Solution: It’s ugly! Force demotion of bad DC, fix time sync, promote to DC again.
  • 14. Time Synchronization • Identify the ‘PDC Emulator’ role. It is the time master for the entire domain. • Get a GPS or other accurate (i.e., Stratum) time source; otherwise, the cheap clock on the motherboard is used. • w32tm /config /manualpeerlist:"X.X.X.X Y.Y.Y.Y" /syncfromflags:manual /reliable:yes /update • w32tm /query /status • w32tm /query /peers. Sources: How to configure an authoritative time server in Windows Server, http://support.microsoft.com/kb/816042.
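The ‘islands of authentication’ event above is easier to catch before it happens than to clean up afterwards. The following is an added example, not from the talk: it samples every DC’s clock from one admin workstation with w32tm /stripchart and warns when the spread between DCs approaches the 5 minute skew the slides describe. It assumes the ActiveDirectory RSAT module, PowerShell 3.0+, and UDP/123 reachability to each DC.

```powershell
# Added example (not from the talk): measure each DC's clock offset from this
# workstation with w32tm /stripchart and flag a spread beyond the Kerberos
# tolerance the slides describe. Assumes the ActiveDirectory module (RSAT),
# PowerShell 3.0+, and network reach to UDP/123 on every DC.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300                  # 5 minutes: where the slide's 'islands' appear
$pdc = (Get-ADDomain).PDCEmulator      # the domain's time master (FQDN)

function Get-DcOffsetSeconds {
    # Runs w32tm /stripchart against one host and returns the mean offset (s)
    # of the local clock relative to it, or $null when no sample came back.
    param([string]$ComputerName, [int]$Samples = 3)
    $raw = & w32tm /stripchart /computer:$ComputerName /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $raw) {
        # /dataonly lines look like "10:00:00, +00.0012345s"; error lines do not match
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }
    return ($offsets | Measure-Object -Average).Average
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $off = Get-DcOffsetSeconds -ComputerName $dc.HostName
    [pscustomobject]@{
        DC            = $dc.HostName
        IsPdcEmulator = ($dc.HostName -ieq $pdc)
        OffsetSeconds = $off
        Reachable     = ($null -ne $off)
    }
}
$results | Format-Table -AutoSize

# The spread between DCs does not depend on this workstation's own clock error:
# every offset shares the same local reference, so max - min cancels it out.
$reach = @($results | Where-Object Reachable)
if ($reach.Count -ge 2) {
    $stats  = $reach | Measure-Object -Property OffsetSeconds -Minimum -Maximum
    $spread = $stats.Maximum - $stats.Minimum
    if ($spread -gt $MaxSkewSeconds) {
        Write-Warning ("DC clock spread {0:N1}s exceeds {1}s; expect replication and logon failures" -f $spread, $MaxSkewSeconds)
    } else {
        Write-Host ("DC clock spread {0:N3}s is within tolerance" -f $spread)
    }
}
$results | Where-Object { -not $_.Reachable } | ForEach-Object { Write-Warning "No time samples from $($_.DC)" }
```

Run it from a scheduled task and alert on the warning; a DC that stops returning samples is as much a finding as one that drifts.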
  • 15. Domain Naming Service (DNS): What’s your address again?
  • 16. Domain Naming Service (DNS) • DNS allows humans to use hostnames to communicate with network devices. AD uses DNS to store DC roles, help DCs find each other, and help domain members find DCs. • Every DC has a copy of the same DNS database and is continuously synchronized. • If a domain controller cannot communicate with DNS, you’re in trouble! • If a domain member cannot communicate with DNS, only previously cached credentials will work.
  • 17. DNS • Actual Event: – Domain controller network driver update/change fails; after reboot it cannot find peer DNS server, cannot logon! – Root Cause: Its local IP address was not included in DNS server list. – Solution: DNS1 should be neighbor DC, DNS2 should be another neighbor, DNS3 should be 127.0.0.1. Have at least 2 real DNS servers, last one loopback IP. – When a DC first boots, it is member only. It must first find other DCs thru DNS and replicate DNS & NTDS databases before it can authorize itself to authenticate users (including logons at console). Otherwise really slow or failed logon. – Always stagger DC reboots! Sources: DNS servers on NIC should include 127.0.0.1 but not as first entry, http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx; Microsoft Best Practice for DC DNS settings, http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest.
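A quick way to verify the DNS1/DNS2/DNS3 rule from this slide on every DC, as an added example that is not part of the talk: Test-DcDnsOrder checks any list of server addresses for the rule (two or more real DNS servers, 127.0.0.1 present but last and never first), and the tail feeds it the live adapter configuration. Get-DnsClientServerAddress assumes Windows Server 2012 or newer; on older DCs, pass the list from ipconfig /all to the function by hand.

```powershell
# Added example (not from the talk): check a DC's IPv4 DNS client list against the
# slide's rule: at least two real DNS servers first, 127.0.0.1 last, never first.
# Get-DnsClientServerAddress needs Windows Server 2012+; the Test-DcDnsOrder
# logic itself takes any string list, so older DCs can be checked by hand.
function Test-DcDnsOrder {
    param([string[]]$Servers = @())
    $findings = New-Object System.Collections.Generic.List[string]
    $loopback = '127.0.0.1'
    $real     = @($Servers | Where-Object { $_ -ne $loopback })

    if ($Servers.Count -eq 0) {
        $findings.Add('No DNS servers configured')
    }
    if ($Servers.Count -gt 0 -and $Servers[0] -eq $loopback) {
        # The local zone is not replicated yet at boot, so querying itself first stalls logon.
        $findings.Add('127.0.0.1 is first: the DC will query its own, not-yet-replicated zone at boot')
    }
    if ($real.Count -lt 2) {
        $findings.Add("Only $($real.Count) real DNS server(s); need at least 2 neighbour DCs")
    }
    if ($Servers -notcontains $loopback) {
        $findings.Add('127.0.0.1 missing: add it as the LAST entry')
    } elseif ($Servers[-1] -ne $loopback) {
        $findings.Add("127.0.0.1 present but not last (last is $($Servers[-1]))")
    }

    [pscustomobject]@{
        Servers   = ($Servers -join ', ')
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Every adapter that actually has DNS servers configured (skips tunnel/loopback pseudo-interfaces):
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        Write-Host "Adapter: $($_.InterfaceAlias)"
        Test-DcDnsOrder -Servers $_.ServerAddresses | Format-List
    }
```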
  • 18. DNS • Replicate to all DNS servers in forest. • Dynamic Updates: Secure Only – ipconfig /registerdns (used to refresh local DNS records on-demand) • Turn on aging/scavenging for all forward and reverse lookup zones (i.e., check the box). • Zone Transfers: explicitly specify servers or turn off. • In ICS, you can delete the list of root hint servers. Stops DNS noise before the firewall.
  • 19. Active Directory Replication: Working Together
  • 20. Sites and Services (NTDS Replication) • AD Sites and Services is used to specify the interval, protocol, and links for the AD database (which may contain DNS) to replicate between domain controllers. • If subnets are specified and associated with sites (e.g., an area of the plant), members will prefer DCs in their subnet/site. • Links are automatically created as full mesh and replicated every 3 hours.
  • 21. Sites and Services (NTDS Replication) • Actual Event: – User accounts created on a specific domain controller never work in other areas of the plant. – Root Cause: NTDS replication links missing. – Solution: Re-architect links, verify all DCs participate in bi-directional replication. – Some scenarios require custom NTDS replication architecture. • In ICS, 15 minute replication interval is fine (default 180). • repadmin /syncall
  • 22. DC Maintenance • dcdiag
  • 23. DC Maintenance • Actual Event: – Patches are installed on DC holding FSMO roles; during reboot it suffers critical failure and will not boot. – If FSMO roles are forcibly seized and transferred to another DC while it is offline, its hostname is now blacklisted. Must force removal of DC role and reinstall OS with new hostname. – Root Cause: FSMO roles were not transferred before maintenance occurred on DC. – Solution: Transfer roles before/after using PowerShell: • Import-Module ActiveDirectory • Move-ADDirectoryServerOperationMasterRole -Identity "ServerName" -OperationMasterRole 0,1,2,3,4 • netdom query fsmo. Sources: Transfer or Seize FSMO Roles, https://support.microsoft.com/kb/255504/en-us; How to remove data in Active Directory after an unsuccessful domain controller demotion, https://support.microsoft.com/kb/216498; Why not to reuse server names, http://www.jackcobben.nl/?page_id=403.
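The slide gives the transfer cmdlet; the part that prevents the event is checking which roles the DC actually holds before touching it. As an added example that is not from the talk, this pre-maintenance script reads all five role holders, moves only the roles held by the outgoing DC to a peer with a graceful transfer (never a seizure while the holder is online), and re-reads to confirm. It assumes the ActiveDirectory module and rights to transfer roles; DC01 and DC02 are placeholder names.

```powershell
# Added example (not from the talk): before patching a DC, move any FSMO roles it
# holds to a healthy peer with a graceful transfer (not a seizure). Assumes the
# ActiveDirectory module and rights to transfer roles; $Target and $Peer are
# placeholders for your own DC names.
Import-Module ActiveDirectory
$Target = 'DC01'   # DC about to be patched/rebooted
$Peer   = 'DC02'   # healthy DC that stays online

function Get-FsmoHolders {
    # Role name -> holder FQDN for all five roles (3 domain-wide, 2 forest-wide).
    $d = Get-ADDomain
    $f = Get-ADForest
    @{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Get-RolesHeldBy {
    # Compares on the short host name because holders are reported as FQDNs.
    param([string]$Dc)
    @((Get-FsmoHolders).GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ieq $Dc } |
        ForEach-Object { $_.Key })
}

function Move-FsmoRolesOffDc {
    param([string]$From, [string]$To)
    $held = Get-RolesHeldBy -Dc $From
    if ($held.Count -eq 0) {
        Write-Host "$From holds no FSMO roles; safe to take offline."
        return
    }
    Write-Host "$From holds: $($held -join ', '); transferring to $To"
    # Throws if $To is not a known DC, so roles are never 'transferred' into the void.
    $null = Get-ADDomainController -Identity $To -ErrorAction Stop
    # Graceful transfer: both DCs online, the old holder learns it no longer owns the role.
    Move-ADDirectoryServerOperationMasterRole -Identity $To -OperationMasterRole $held -Confirm:$false -ErrorAction Stop
    $left = Get-RolesHeldBy -Dc $From
    if ($left.Count -gt 0) { throw "Transfer incomplete: $From still holds $($left -join ', ')" }
    netdom query fsmo   # independent confirmation, as on the slide
}

Move-FsmoRolesOffDc -From $Target -To $Peer
```

After maintenance, call it again with -From and -To swapped to put the roles back where your design wants them.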
  • 24. Backup and Restore: Prepared for Failure
  • 25. Backup and Restore • DCs are peers that share and continuously replicate the AD database. Constantly changing! • Disk images (e.g., Acronis, Ghost, Clonedisk) of your DCs should not be used for restoration as they will include a stale copy of the AD database. Age of backup is key! • Microsoft only supports Windows Server Backup Full System and ‘System State’ backups, which contain Active Directory contents. • Schedule backup from 2+ DCs, store on a different server, at least once per day. Also, use ntdsutil for ad-hoc snapshots. Used by Directory Service Repair Mode. • Microsoft recommends ntdsutil to remove failed DCs, then clean OS install and dcpromo for new ones. Sources: AD Backup and Restore, http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx; System State Recovery of a Domain Controller; Taking Active Directory Snapshots.
  • 26. Users and Groups: “We use Administrator for everything”
  • 27. User and Group Guidelines • Don’t use domain or local Administrator account to run any applications! – Not due to security risk, but to decouple dependency upon it for password changes. • Rename local Administrator (e.g., LocalAdmin) and rename domain Administrator (e.g., Admini). • Avoid use of local or domain administrator accounts; rely upon individually assigned user accounts with similar privilege.
  • 28. User and Group Guidelines • Create two (2) user accounts per person. – User-level account (e.g., jdoe) with application privileges. Standard password. – Admin-level account (e.g., admin_jdoe) with administrator privileges. Strong password. – Logon regularly with user-level account, use admin-level only when needed. (Works very well with Windows 2008/Vista/7 UAC.)
  • 29. User and Group Guidelines • Create ‘Service’ user accounts for each major application (e.g., historian interfaces, databases, scheduled tasks, OPC services, backup software) so they can be used for running DCOM and Windows Services. – Examples: dc_backup_task, acronis_backup_service, historian_opc_service • Running programs and services as Administrator is the single biggest reason why password changes don’t happen! – Changing Administrator password in many environments will require, or result in, process shutdown. • Application specific service accounts clearly identify their purpose and localize their impact if/when their passwords are changed.
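Before an Administrator password can be changed safely, every process that depends on it has to be found; the three places slides 27 to 29 mention are Windows Services, scheduled tasks and DCOM (OPC) identities. The following is an added example, not from the talk, that inventories all three on one host and lists what would break. It assumes PowerShell 3.0+ run elevated; $AdminNames holds the built-in name plus the renamed examples from slide 27 and should be extended with your own.

```powershell
# Added example (not from the talk): inventory what on this host runs under an
# Administrator account, i.e. what breaks when that password changes. Covers
# Windows Services (WMI), scheduled tasks (schtasks verbose CSV) and DCOM AppID
# RunAs identities (registry). Assumes PowerShell 3.0+ run elevated.
$AdminNames = @('Administrator', 'LocalAdmin', 'Admini')   # built-in plus the slide's renamed examples

function Test-IsAdminIdentity {
    # Strips a DOMAIN\ or .\ prefix and compares the bare account name.
    param([string]$Identity)
    if (-not $Identity) { return $false }
    $bare = ($Identity -split '\\')[-1]
    return ($AdminNames -contains $bare)
}

function Get-AdminRunAsDependencies {
    $hits = @()
    # 1. Windows Services: StartName is the logon account (LocalSystem, NT AUTHORITY\..., or a user).
    foreach ($svc in Get-WmiObject Win32_Service) {
        if (Test-IsAdminIdentity $svc.StartName) {
            $hits += [pscustomobject]@{ Type = 'Service'; Name = $svc.Name; RunAs = $svc.StartName; State = $svc.State }
        }
    }
    # 2. Scheduled tasks: the verbose CSV from schtasks carries a 'Run As User' column.
    #    Repeated header rows (one per task folder) parse as harmless non-matching rows.
    $tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if (Test-IsAdminIdentity $t.'Run As User') {
            $hits += [pscustomobject]@{ Type = 'ScheduledTask'; Name = $t.TaskName; RunAs = $t.'Run As User'; State = $t.'Scheduled Task State' }
        }
    }
    # 3. DCOM: an AppID with an explicit RunAs value runs as that account (classic OPC servers live here).
    foreach ($app in Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue) {
        $runAs = (Get-ItemProperty -Path $app.PSPath -Name RunAs -ErrorAction SilentlyContinue).RunAs
        if (Test-IsAdminIdentity $runAs) {
            $desc = (Get-ItemProperty -Path $app.PSPath -ErrorAction SilentlyContinue).'(default)'
            $hits += [pscustomobject]@{ Type = 'DCOM'; Name = $app.PSChildName; RunAs = $runAs; State = $desc }
        }
    }
    return $hits
}

$deps = Get-AdminRunAsDependencies
if ($deps.Count -eq 0) {
    Write-Host 'Nothing on this host runs as an Administrator account.'
} else {
    $deps | Sort-Object Type, Name | Format-Table -AutoSize
}
```

Each row is a candidate for one of the slide's per-application service accounts (dc_backup_task, historian_opc_service, and so on); once the list is empty, the Administrator password can be rotated without a process shutdown.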
  • 30. User and Group Guidelines • Restricted Resource group: grants a specific access level to a specific device/system/application. Defined owner for each. • Control System – Product Admins – Engineers – Supervisors – Operators • Domain Members – Domain Administrators – Remote Desktop Users – Domain Users – Password Update • Domain Controllers – Enterprise Admins – Administrators – Group Policy Mgrs • Network Infrastructure – Read-Only – Read-Write • Applications – Administrators – Engineers / Developers – Users
  • 31. Group Policy: Shouldn’t they all be the same?
  • 32. Group Policy Settings • Group Policies allow single step roll out of computer settings to select or all domain members. • GPO settings can be applied to users and computers, commonly based on group membership or organizational unit. – Windows 2008 Active Directory and Group Policy Preferences allow almost limitless selection criteria. With patches, they are supported by Windows XP+. • Examples: – Password policy, security logging policy, disable unnecessary services, disable unnecessary Windows components and features, local group membership, Windows Firewall rules, Start Menu and Desktop appearance, startup scripts, etc. Sources: Group Policy Preferences, Windows 2008, http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx; Group Policy Preferences, Windows 2012, http://technet.microsoft.com/en-us/library/dn581922.aspx; Group Policy Preferences Patch, for Windows XP, 2003, and Vista: http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx.
  • 33. Recommended Group Policy Settings • Minimum password length, complexity, and age • Enable security auditing (account logon events, account mgmt, logon events, policy change, system events) • Increase default event log file size. • Disable LM authentication, potentially NTLM. • Disable unnecessary services. In ICS, you can disable: – WinHTTP Auto-Proxy, SSDP Discovery, Smart Card, HomeGroup Listener, HomeGroup Provider – Security Configuration Wizard (SCW) is excellent at hardening Windows Server 2003 SP1 and newer (e.g., disables unnecessary services; Windows Firewall rules; prepares Group Policies) • Disable unnecessary Windows components and features. In ICS, you can disable:
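Once the settings above are in a GPO, the useful check is whether a given ICS host actually ended up with them. The following is an added example, not from the talk: a read-only audit of one host against the slide’s list (LM/NTLM level, Security log size, the five services named as unnecessary in ICS, and the audit categories mapped to their auditpol subcategories). It assumes Windows Server 2008+/PowerShell 3.0+ run elevated; the 512 MB log threshold is an assumed target, not a value from the slide.

```powershell
# Added example (not from the talk): audit a host's effective state against the
# recommendations on this slide. Read-only; the fixes themselves belong in a GPO.
# Assumes Windows Server 2008+/PowerShell 3.0+, run elevated. The log-size target
# is an assumed value, chosen well above the 20 MB default.
$Expected = @{
    # LmCompatibilityLevel: 3 = clients send NTLMv2 only (LM never sent);
    # 5 = DCs also refuse LM and NTLM (the slide's 'potentially NTLM').
    MinLmCompatibilityLevel = 3
    MinSecurityLogBytes     = 512MB
    ServicesToDisable       = @{ WinHttpAutoProxySvc = 'WinHTTP Auto-Proxy'; SSDPSRV = 'SSDP Discovery';
                                 SCardSvr = 'Smart Card'; HomeGroupListener = 'HomeGroup Listener';
                                 HomeGroupProvider = 'HomeGroup Provider' }
    # Slide categories -> auditpol subcategories: account logon, account mgmt, logon, policy change, system.
    AuditSubcategories      = @('Credential Validation', 'User Account Management', 'Logon', 'Logoff',
                                'Audit Policy Change', 'Security State Change')
}

function Get-GpoHardeningFindings {
    $f = New-Object System.Collections.Generic.List[string]

    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lvl = if ($null -eq $lsa.LmCompatibilityLevel) { 0 } else { [int]$lsa.LmCompatibilityLevel }
    if ($lvl -lt $Expected.MinLmCompatibilityLevel) { $f.Add("LmCompatibilityLevel=$lvl: LM/NTLMv1 still sent (want >= 3; 5 to refuse NTLM)") }
    if ($lsa.NoLMHash -ne 1) { $f.Add('NoLMHash not set: LM hashes are still stored at the next password change') }

    $sec = Get-WinEvent -ListLog Security
    if ($sec.MaximumSizeInBytes -lt $Expected.MinSecurityLogBytes) {
        $f.Add("Security log maximum is $([int]($sec.MaximumSizeInBytes / 1MB)) MB: increase it")
    }

    foreach ($name in $Expected.ServicesToDisable.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -and $svc.StartMode -ne 'Disabled') {
            $f.Add("$($Expected.ServicesToDisable[$name]) ($name) is $($svc.StartMode)/$($svc.State): disable it")
        }
    }

    foreach ($sub in $Expected.AuditSubcategories) {
        # auditpol prints "  <Subcategory>   <Setting>"; 'No Auditing' means the slide's auditing is off.
        $line = auditpol /get /subcategory:"$sub" 2>$null | Where-Object { $_ -match "^\s+$([regex]::Escape($sub))\s+(.+)$" }
        if (-not $line -or $line -match 'No Auditing') { $f.Add("Audit subcategory '$sub' is not enabled") }
    }
    return $f.ToArray()
}

$findings = Get-GpoHardeningFindings
if ($findings.Count -eq 0) { Write-Host 'Host matches the recommended settings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```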