The great cyber security expert Sami Laiho returned as a keynote speaker with the theme of Zero Trust, but this time from the point of view of securing endpoint applications.
Sami Laiho is an internationally renowned and recognized specialist in access rights and endpoint security. In this webinar, Laiho and Centero's Juha Haapsaari discussed the Zero Trust model and securing endpoint applications – even in environments of over 100,000 workstations.
These are some of the themes we covered:
• How to ease your workload with allow-listing.
• Is allow-listing difficult? (A hint: it is not.)
• Implementing AppLocker to trim down your application portfolio.
• Restricting admin rights to control your IT environment.
• Managing and updating applications after allow-listing operations.
Zero Trust is a new paradigm for cyber security in organizations. Modern IT environments are complex by nature, and both users and devices are constantly on the move. Traditional methods are not sufficient to properly secure this kind of environment, and that’s where Zero Trust comes in.
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
1. 1
Zero Trust And Best Practices for
Securing Endpoint Apps
Webinar starting soon…
Speakers:
⬅ Sami Laiho (Adminize) and Juha Haapsaari (Centero) ➡
💬 Present questions in the chat.
5. 5
Sami’s Agenda
• How to ease your workload with allow-listing.
• Is allow-listing difficult?
• Implementing AppLocker to trim down your application portfolio.
• Restricting admin rights to control your IT environment.
• Managing and updating applications after allow-listing operations.
6. 6
Sami Laiho
Senior Technical Fellow
adminize.com / Sulava
• IT Admin since 1996
• MCT since 2001
• MVP in Windows OS since 2011
• ”100 Most Influential people in IT in Finland” – TiVi 2019, 2020
• Specializes in and trains:
• Troubleshooting
• Windows Internals
• Security, Social Engineering, Auditing
• Centralized Management, Active Directory
• Trophies:
• Ignite 2018 – Session #1 and #2 (out of 1708) !
• Best Speaker at NIC, Oslo 2016, 2017, 2019 and 2020
• Best External Speaker at Ignite 2017
• TechDays Sweden 2016, 2018 – Best Speaker
• Best Session at AppManagEvent 2017, 2018, Utrecht
• Best Sessions (#1 and #2) at TechTalks 2017, Helsinki
• TechEd Europe and North America 2014 - Best session, Best speaker
• TechEd Australia 2013 - Best session, Best speaker
• TechEd Europe 2013 - Best Session by an external speaker
11. 11
”An ounce of prevention is worth a pound of cure”
Benjamin Franklin
12. 12
Why Zero Trust?
• Empower your users to work more securely anywhere and anytime, on any device
• Enable digital transformation with intelligent security for today’s complex environment
• Close security gaps and minimize risk of lateral movement
15. 15
My Take on a Secure Environment
• Up to date hardware and software inventory
• BitLocker
• Principle of Least Privilege
• Allow listing
• Tier Model for AD
• Using PAW-model
• Authenticating/Encrypting all network traffic
• MFA, strong authentication
• Monitoring (SIEM & SOC)
26. 26
Allow-Listing options
• Windows NT4
• User Policy driven whitelist for exe names
• Windows XP/2003
• Software Restriction Policy
• Windows 7 Enterprise+ / Server 2008 r2+
• AppLocker
• Windows 10 Enterprise+ / Server 2016+
• Hypervisor-based Code Integrity (HVCI)
• Third Party…
27. 27
Common things about Allow-listing
• Allow-listing is the most effective way to increase a company’s security!
• Effective allow-listing works only when combined with the Principle of Least Privilege
• Windows Defender Application Control works for admins as well… if it works…
• No built-in reporting in native options
• Allow-listing is a security barrier – Deny-listing is not!
• For servers things are a little different (RDS vs others)
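The slide notes that the native allow-listing options ship with no built-in reporting. The script below is an added example (it is not the speaker's or Centero's code) showing how to build that reporting yourself from the AppLocker event logs: it collects audit events (the "would have been blocked" decisions you get in audit mode) and real block events, then groups them by binary so you can see which applications still need a rule and which blocks are genuine. The log names and event IDs are the standard AppLocker ones; the 7-day window is an assumption.

```powershell
# Added example: summarize AppLocker audit/block decisions from the local event logs.
# Run elevated; add -ComputerName to Get-WinEvent to pull the same data from other hosts.
$Logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)
# 8003 / 8006 = audit only (allowed, but would be blocked under enforcement)
# 8004 / 8007 = blocked
$Ids = 8003, 8004, 8006, 8007

function Get-AppLockerDecision {
    param([int]$Days = 7)   # assumed reporting window
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in $Logs) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Ids; StartTime = $since } `
                               -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # The decision details live in the event's UserData/RuleAndFileData element.
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Outcome  = if ($e.Id -in 8004, 8007) { 'Blocked' } else { 'AuditOnly' }
                UserSid  = $d.TargetUser          # logged as a SID
                FilePath = $d.FilePath
                Fqbn     = $d.Fqbn                # publisher\product\binary\version; "-" when unsigned
                Hash     = $d.FileHash
            }
        }
    }
}

$decisions = Get-AppLockerDecision -Days 7

# Most frequently hit binaries first. A signed binary (Fqbn present) is a candidate
# for a Publisher rule; an unsigned one is either something to sign yourself or a real block.
$decisions |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Outcome'; e = { ($_.Group.Outcome | Sort-Object -Unique) -join ',' } },
        @{ n = 'Signed';  e = { $f = $_.Group[0].Fqbn; [bool]($f -and $f -ne '-') } } |
    Format-Table -AutoSize
```

Export `$decisions` to CSV or forward the same events to your SIEM (the monitoring item on the "secure environment" slide) to get the same view across the whole fleet rather than one workstation.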
29. 29
SRPv1 – Software Restriction Policy
• Allow-list or Deny-list
• One ruleset
• Executables
• Dlls
• Scripts
• Windows Installers
• Extensible list of filetypes
• Targeted at the computer level
• Can rule out admins
• SRP supports four types of rules:
• Hash
• Path
• Signature
• Internet zone
• No support for Universal Apps
• No Audit mode
• No rule exceptions
• No import/export
32. 32
AppLocker
• Blacklisting and Whitelisting
• Can target computers, users or groups
• All software needs to be preapproved in some way
• Location, hash or signature based
• Is based on a native function of the Windows OS since Windows 7
• Requires Enterprise version of Windows (unless you have Intune)
• Requires the AppIDSvc service and uses a kernel-mode driver for enforcement
34. 34
File/Folder Rules
• You can allow a folder like c:\folder\*
• You can allow a certain file like c:\folder\file.exe
• You can also use the wildcard * like c:\users\*\appdata\local\Software1\*
• AppLocker doesn’t support Windows environment variables
• Sysvol or NETLOGON require all DCs to be added separately
• \\dc1\SYSVOL\*
• \\dc2\SYSVOL\*
• \\dc3\SYSVOL\*
• UNC paths might need to be added in three different formats
• \\Server1\Share\*
• \\server1.domain.local\Share\*
• \\172.16.0.21\Share\*
• R:\*
35. 35
Publisher-rules
• Best option after Path-rules
• Try to stick to Company-level instead of certain filenames or versions
• *-rule says that any file signed by a trusted signer is OK to run
• Trust your own certificate or buy an externally trusted certificate
36. 36
Hash-rules
• Don’t use unless you can’t use Path-rules or Publisher-rules
• Usable exception if the binary doesn’t change often
37. 37
AppLocker HOW TO
• Keep to containers not items – Folders vs Files, Publishers vs Hashes
• Remember to audit your installation with AccessChk!
• Remember NO ADMIN RIGHTS!!
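The three rule slides above give the preference order (Publisher over Path over Hash, containers over items). The script below is an added example, not the speaker's or Centero's code, that follows that order with the AppLocker PowerShell cmdlets: it reads the binaries on a clean reference build, lets the cmdlet emit a Publisher rule wherever a file is signed and a Hash rule only for unsigned files, collapses the rules to company/product level with `-Optimize`, switches the policy to audit mode before it is applied, and reports how many rules ended up as hashes (each one is software you should sign or replace). The reference folders, output path and test binary are assumptions.

```powershell
# Added example: publisher-first AppLocker policy from a reference build, deployed in audit mode.
# Run elevated on a machine where the AppIDSvc service is running.
$ReferenceDirs = @('C:\Program Files', 'C:\Program Files (x86)')   # assumed reference folders
$PolicyXmlPath = 'C:\Temp\AppLocker-Publisher-Audit.xml'           # assumed output path

# 1. Collect publisher, hash and path information for every relevant file type.
$fileInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate rules. With "-RuleType Publisher, Hash" the cmdlet tries a Publisher rule
#    first and falls back to a Hash rule only when the file is unsigned. -Optimize merges
#    rules that share a publisher/product into one (container-level rules, as the slides say).
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User 'Everyone' -RuleNamePrefix 'Reference' -Optimize -IgnoreMissingFileInformation -Xml

# 3. New-AppLockerPolicy leaves every collection as NotConfigured; set AuditOnly so the
#    first deployment only logs (event 8003) instead of blocking.
$xml = [xml]$policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($PolicyXmlPath)

# 4. Count rule types per collection. A large FileHashRule share means unsigned software
#    that will break on every update; sign it yourself rather than living with hash rules.
function Get-RuleTypeSummary {
    param([xml]$PolicyXml)
    foreach ($rc in $PolicyXml.AppLockerPolicy.RuleCollection) {
        $rc.ChildNodes | Group-Object LocalName | ForEach-Object {
            [pscustomobject]@{ Collection = $rc.Type; RuleType = $_.Name; Count = $_.Count }
        }
    }
}
Get-RuleTypeSummary -PolicyXml $xml | Format-Table -AutoSize

# 5. Dry-run a binary against the XML before anything is deployed (path is an assumption).
Test-AppLockerPolicy -XmlPolicy $PolicyXmlPath -Path 'C:\Program Files\SomeVendor\app.exe' -User 'Everyone'

# 6. Merge into the local policy. Keep it in AuditOnly until the 8003 events dry up,
#    then change EnforcementMode to Enabled.
Set-AppLockerPolicy -XmlPolicy $PolicyXmlPath -Merge
```

In a domain you would import the same XML into a GPO instead of `Set-AppLockerPolicy -Merge`; the audit-first step is the same, and the users covered by the rules should, per the slide, not hold admin rights on the workstation.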
40. 40
Signing
• 95% of Malware is not signed – just something to think about
• You can sign apps yourself
• Use Timestamp if possible!
• If you have the cert on your computer installed:
• Signtool sign /v /s MY /n MyPrivateCert /t http://timestamp.verisign.com/scripts/timstamp.dll FileToSign.exe
• If not:
• Guide: https://blogs.msdn.microsoft.com/winsdk/2009/11/13/steps-to-sign-a-file-using-signtool-exe/
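The slide's signtool command covers the case where the certificate is already in your store. The PowerShell example below is added here (it is not the speaker's or Centero's code) and shows the same signing step end to end: create or reuse a code-signing certificate, sign with SHA-256 and a timestamp so the signature outlives the certificate, then read back the publisher string AppLocker will use for a Publisher rule. The self-signed certificate is a lab stand-in for the enterprise PKI or purchased certificate the slide recommends; the file path, subject name and timestamp server URL are assumptions.

```powershell
# Added example: sign an in-house binary with a timestamp and check what AppLocker sees.
$FileToSign   = 'C:\Temp\InHouseTool.exe'            # assumed path
$Subject      = 'CN=Contoso Internal Code Signing'   # assumed subject
$TimestampUrl = 'http://timestamp.digicert.com'      # public Authenticode timestamp server (assumed)

# Reuse an existing code-signing certificate with this subject, or create a lab one.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Subject -eq $Subject | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(3)
}

# Sign with SHA-256 and a timestamp. Without the timestamp the signature stops validating
# when the certificate expires, which is why the slide says "use Timestamp if possible".
$sig = Set-AuthenticodeSignature -FilePath $FileToSign -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampUrl

# A self-signed lab certificate reports a non-Valid status until its root is trusted on this
# machine; with a PKI-issued certificate anything other than Valid is a real failure.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
}

# Verify the signature and show the publisher tuple (publisher, product, binary, version)
# that New-AppLockerPolicy -RuleType Publisher would build a rule from.
Get-AuthenticodeSignature -FilePath $FileToSign |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
(Get-AppLockerFileInformation -Path $FileToSign).Publisher
```

For the Publisher rule to match on the endpoints, the signing certificate's chain has to be trusted there too, so an internal certificate must be distributed (for example via GPO) to the workstations' trusted root store before the rule goes from audit to enforcement.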
49. 49
Hardening Whitelisting
Make sure your containers don’t leak (this is one batch file) – CHECK THE LATEST FROM GITHUB!
https://gist.github.com/api0cradle/95cd51fa1aa735d9331186f934df4df9#file-accesschk-bat
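The linked batch file runs AccessChk to find places inside an allowed container where a standard user can write; anything dropped there runs under the container's path rule, which is what "leaking" means here. The script below is an added PowerShell counterpart (it is neither the gist's batch file nor the speaker's code) that does the same audit with `Get-Acl`: it walks the directories and files under the usual AppLocker default-rule containers and lists those where a low-privilege identity holds a right that lets it add or replace content. The container list and the identity list are assumptions; extend them with your own path rules and domain groups.

```powershell
# Added example: find user-writable locations inside AppLocker path-rule containers.
$Containers = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')   # assumed: default-rule containers

# Identities that stand for "any logged-on user". Add your own domain groups here.
$LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a principal add or replace content, or grant itself the right to.
# Modify and FullControl contain these bits, so they are covered by the -band test.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteDac, TakeOwnership'

function Test-LowPrivWritable {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # InheritOnly ACEs apply to children, not to this object itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    # Caveat: a matching Deny ACE is not evaluated here, and generic-right ACEs
    # (large numeric values instead of enum names) are not decoded; treat hits as leads.
    return $false
}

function Find-ContainerLeaks {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { Test-LowPrivWritable $_.FullName } |
            ForEach-Object {
                [pscustomobject]@{
                    Path = $_.FullName
                    Kind = if ($_.PSIsContainer) { 'Directory' } else { 'File' }
                }
            }
    }
}

$leaks = Find-ContainerLeaks -Roots $Containers
$leaks | Sort-Object Path -Unique | Format-Table -AutoSize
```

Each hit is a path to carve out of the allow rule with an exception (or to fix the ACL on), after which the scan should be repeated; re-run it after feature updates and application installs, since those are what change the ACLs under these folders.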
51. 51
Tools to help
• Oddvar Moe’s
• Ultimate AppLocker ByPass List
• https://github.com/api0cradle/UltimateAppLockerByPassList
• PowerAL
• https://github.com/api0cradle/PowerAL
• AaronLocker
• https://blogs.msdn.microsoft.com/aaron_margosis/2019/01/28/aaronlocker-moved-to-github/
• Microsoft’s list of what to block: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
55. 55
Device Guard
• Single purpose machines
• Currently for example Office is super difficult
• No user exceptions
• VERY HARDCORE!!
• Especially with Hypervisor level enforcement
• Drivers need to support it
• Some really don’t…
• IOMMU to make it bulletproof
59. 59
Allow-Listing can stabilize what you have…
But now that you have a strict list of what you allow, you still need to keep those up to date!
60. 60
Installed apps are always up to date without distracting users
Initial app deployment: forced by admins, or available for users
Available apps are allow-listed by organization policies
User friendly application deployment
61. 61
Why should endpoint applications be managed?
End-users
• New features and bug fixes to applications
• Don’t need to worry about installations, updating etc.
• Always up-to-date tools
IT department
• A standardized and managed endpoint environment is easier to maintain.
• It also produces fewer support requests to the contact center
• License management is simpler
Organization
• Saves end users’ and IT department’s time
• Improves cybersecurity a lot
63. 63
What annoys end users on app updates?
• Confusion: 40 %
• Lost time: 40 %
• Wrong time: 20 %
• Too much: 20 %
64. 64
Keeping applications up to date ”manually”
• Monitoring software versions and vulnerabilities (repeats every working day)
• Downloading an installation package
• Packaging
• Testing
• Upload to a management system
• Configuring a deployment
Repeats for every new application version.
65. 65
Installed apps are always up to date without distracting users: Centero Software Manager
Initial app deployment
• Forced by admins: silently in the background
• Available for users: self-service (Company Portal, Software Center etc.)
Available apps are allow-listed by organization policies: AppLocker
User friendly application deployment
66. 66
CSM is built to automate your application management