WEBVTT

00:00.990 --> 00:07.410
Hardening hosts is an absolutely critical part of securing your I.T. infrastructure.

00:07.410 --> 00:09.070
It's also one of the more boring ones.

00:09.090 --> 00:15.180
A lot of these are almost platitudes like good passwords and things like that but they are important.

00:15.210 --> 00:19.760
Keep in mind in this episode we're talking about hardening just the host itself.

00:19.770 --> 00:22.680
We're not talking about the applications on the host.

00:22.680 --> 00:27.320
We're not talking about its network interfaces; those are handled in other episodes.

00:27.420 --> 00:29.880
We're talking about the core host itself.

00:29.880 --> 00:36.930
Now to do this I'm going to be using a Windows 10 system but in no way is it limited to a Windows host.

00:36.930 --> 00:39.730
We can do this with any operating system.

00:39.840 --> 00:44.790
In fact we could do it with virtually any type of box as well, so let's go ahead and start hardening

00:44.790 --> 00:48.900
this host. And we're probably going to start with one of the most important things that we always should do,

00:48.900 --> 00:52.400
and that is disabling unnecessary services.

00:57.490 --> 01:03.320
Any operating system is going to have tons of services running, and the vast majority you probably need,

01:03.760 --> 01:09.590
but it is critical that we actually go through the process of disabling unnecessary services.

01:09.590 --> 01:15.600
Now if we take a look here on my Windows 10 system, and this is pretty much a default Windows 10 installation,

01:15.610 --> 01:21.580
so there's nothing in here that totally terrifies me, but what I want to do right here is make sure we

01:21.580 --> 01:22.460
understand.

01:22.630 --> 01:27.220
You notice we have a number of running services, and that's fine, but there are a lot of these that are

01:27.220 --> 01:32.490
set to Manual, so you'll think, oh, they're not running, so that's not an issue. That's not true.

01:32.680 --> 01:37.250
If a particular program needs a service to light up it can easily do that on its own.

01:37.300 --> 01:42.280
So it's important for us to be able to go through anytime we have an issue with something and we're

01:42.280 --> 01:46.220
worried about a particular service, we can go ahead and turn it off

01:47.120 --> 01:56.320
by actually going into the properties and truly disabling it, like you see right there. Now I'm not going

01:56.320 --> 02:03.520
to go through and tell you which services you can disable in which version of Windows or OS X or Linux

02:03.520 --> 02:08.020
or whatever you might be using. What is important for you to understand is that you need to disable

02:08.020 --> 02:08.540
these.

02:08.550 --> 02:15.160
There are entire websites, there are entire services you can buy, that will help you determine what needs

02:15.160 --> 02:18.130
to be turned off and what needs to be left on.

02:18.160 --> 02:24.100
Now while we're talking about services, the other thing I want to bring to mind here is that there are

02:24.190 --> 02:31.420
a lot of programs out there that don't necessarily show an interface, but they are still applications,

02:31.420 --> 02:36.970
and they're not running as a service; however, they act like a service, like on this system right

02:36.970 --> 02:39.040
here.

02:39.280 --> 02:43.450
So if I open up a command prompt, I'm going to run an old netstat real quick.

02:43.450 --> 02:46.870
So if we run a netstat, I want you to look right up at the top here.

02:46.870 --> 02:50.750
I have listening ports on 22 and 80.

02:50.920 --> 02:57.540
What's happening here is I have an SSH server running and I also have a web server running.

02:57.550 --> 02:58.870
Do I really need these?

02:58.870 --> 03:00.010
Is that an important thing?

03:00.010 --> 03:04.710
They're not truly services in the classic sense of the word, but they're hidden.

03:04.710 --> 03:10.000
To me it's not easy to see that they're up there, so while they're technically not services, they

03:10.000 --> 03:13.260
still act enough like services to me that I want to bring them up.

03:13.420 --> 03:17.720
So you probably want to go through and be shutting those things off as well if they're unnecessary.

03:17.740 --> 03:19.970
The system here needs that SSH server.

03:19.990 --> 03:21.420
I'm going to keep that running.

03:21.490 --> 03:22.080
OK.

03:22.240 --> 03:25.170
The next thing I want to talk about is default passwords.

03:30.260 --> 03:35.870
I have probably three different episodes where I hammer on the importance of good passwords, but that's

03:35.870 --> 03:37.500
not what I'm talking about right now.

03:37.640 --> 03:42.620
What I'm talking about is not using default passwords.

03:42.620 --> 03:48.830
Now look, we're all grown-up people here and we're all pretty good, for example in our Windows systems

03:48.830 --> 03:53.380
or OS X systems, at always changing the default passwords.

03:53.390 --> 03:58.400
In fact you can't even install Windows or Linux or OS X without changing the administrator password

03:58.400 --> 04:04.670
and things like that, so we're pretty much in good shape when it comes to desktop-style operating systems.

04:05.090 --> 04:10.600
Where we really get into trouble with default passwords is with all the Internet of Things devices.

04:10.700 --> 04:18.320
Some of the worst botnet attacks we have seen came not by people infecting desktop computers or smartphones.

04:18.320 --> 04:25.850
They did it by infecting cameras, home lighting systems, thermostats, all of these different little devices,

04:25.850 --> 04:33.380
the big Internet of Things devices. Hundreds of thousands of these were still using the default password.

04:33.380 --> 04:39.050
So it doesn't matter to me if you've got a home thermostat or a camera or a smartphone or whatever it

04:39.050 --> 04:44.930
is, the first thing I do with that magic box is change the default password, and go ahead and not

04:44.930 --> 04:50.000
only change the default password but use good password methodologies to make sure that bad guys can't

04:50.000 --> 04:51.280
hack into it.

04:51.290 --> 04:51.800
All right.

04:51.830 --> 05:02.160
Next I think we should talk about all of those extra user accounts on your systems.

05:02.250 --> 05:08.730
If there's one thing that can easily take place on any networked environment, it is that you can start

05:08.730 --> 05:14.820
generating lots of user accounts and lots of groups, and over time you just don't need them.

05:14.820 --> 05:21.600
So I've set up a demonstration here of probably about every bad habit you could do in a Windows domain.

05:21.600 --> 05:24.430
So this is just one example of where we can be naughty.

05:24.450 --> 05:30.030
So I've got my Server Manager running; this is an old copy of Windows 2003 Server, still runs great.

05:30.150 --> 05:36.770
And what I've done is I'm showing you all of the domain groups and then the domain accounts.

05:36.780 --> 05:40.310
So a couple of things in here I want you to notice that are particularly bad.

05:40.350 --> 05:43.490
Like for example, here's a group called Management 1.

05:43.530 --> 05:43.980
OK.

05:44.040 --> 05:46.850
A lot of people have management groups; there's nothing wrong with that.

05:46.860 --> 05:53.190
But look here, here's a Management 2. What is probably happening here is that people are not taking good

05:53.190 --> 05:55.740
care of dealing with least privilege.

05:55.920 --> 05:57.540
And something happened.

05:57.540 --> 06:02.950
They got another management person to come in, and instead of generating a proper hierarchy of groups,

06:02.970 --> 06:06.940
they just threw another one in, and that can create all kinds of problems.

06:07.050 --> 06:08.690
Now let's take another look here.

06:08.910 --> 06:14.790
So here's Accounting, for example.

06:14.850 --> 06:18.420
A lot of times accounting groups are pretty common.

06:18.510 --> 06:23.970
But look underneath there, here's Bookkeepers, so I'm going to actually take a moment to look at what

06:24.030 --> 06:29.060
actual privileges these users need that require them to have this type of group division.

06:29.070 --> 06:34.620
I'm not saying this is bad, but just the naming alone sets up a red flag for me, and again I'm going to

06:34.620 --> 06:40.290
be looking at what these people are doing and I might be deleting some of these groups. Now going down

06:40.290 --> 06:43.020
to users, we've got a number of issues here.

06:43.080 --> 06:46.560
For example, here's one.

06:46.560 --> 06:47.440
That scares me, right?

06:47.450 --> 06:49.580
I'm going to have to see what that's all about.

06:49.850 --> 06:51.110
Guest.

06:51.210 --> 06:56.370
You have a built-in Guest account, but that's usually going to be disabled, and in our case if you look

06:56.370 --> 07:00.060
really closely you can see it is disabled, so that's good.

07:00.060 --> 07:05.810
Here's a user named Dudley, and there is a Dudley Lemur who's my partner here at

07:05.850 --> 07:06.810
Total Seminars.

07:06.930 --> 07:08.790
But then there's a Dudley 2.

07:08.910 --> 07:10.260
Now what's going on here?

07:10.290 --> 07:16.850
Now we talk about in other episodes that we don't want to have a user with multiple accounts, that type

07:16.850 --> 07:19.080
of thing, and that is a huge red flag.

07:19.100 --> 07:22.400
So I'm going to really be going through here and cleaning this up.

07:22.400 --> 07:27.480
Now keep in mind, in this particular situation I'm only talking about a Windows domain.

07:27.650 --> 07:29.380
You can run into this situation anywhere.

07:29.390 --> 07:33.410
You can have an SSH server that has unnecessary user accounts.

07:33.410 --> 07:39.620
You can have a router that you're using that has a number of accounts on it, so it can happen anywhere.

07:39.650 --> 07:46.640
So good, tight controls, always concentrating on the idea of least privilege, are always very, very important.

07:46.640 --> 07:51.270
All right, so those are some good examples. So what's the next thing I want to do to harden my host?

07:51.290 --> 07:52.760
Oh, I know: patch management.

07:57.980 --> 08:02.620
Anybody who owns a modern operating system deals with patches.

08:02.690 --> 08:08.180
Windows Update, all of these tools that are built in, are fantastic tools, but when we talk about patch

08:08.180 --> 08:12.160
management, I want to talk about it more from an enterprise level.

08:12.170 --> 08:17.060
Also keep in mind that when we're talking about patching things, we're not just patching desktop systems

08:17.060 --> 08:24.350
or laptops; we could be patching our networking hardware, we could be patching cameras, we could be patching

08:24.740 --> 08:27.010
smartphones. It doesn't matter what it is.

08:27.050 --> 08:32.180
The process of patching, when you look at it at an enterprise level, is very different than you and

08:32.180 --> 08:35.970
I just clicking and allowing Windows to update itself automatically.

08:35.970 --> 08:40.230
Now Windows Update is a powerful tool and it's something we should always take advantage of.

08:40.280 --> 08:44.090
However, in an enterprise environment you have to be a bit more careful.

08:44.120 --> 08:50.540
Even here at Total Seminars we did a big Windows 10 update not that long ago and it ended up messing

08:50.540 --> 08:57.050
up one of our accounting systems, so even in a little tiny company like this a little jurisprudence is probably

08:57.050 --> 08:58.220
not a bad idea.

08:58.400 --> 09:02.300
OK, so let's go through a patch management process.

09:02.300 --> 09:05.480
Now there are hundreds of patch management processes out there.

09:05.540 --> 09:09.080
You're not really going to be tested on what are the four steps to patch management.

09:09.080 --> 09:12.920
This is just my opinion, but they're pretty good and they'll get you through the exam.

09:12.920 --> 09:16.450
So the number one thing we have to do is monitor.

09:16.610 --> 09:23.420
We have to be out there on the street listening, being updated, being aware of patches that are coming

09:23.420 --> 09:29.120
out. Now for desktop operating systems that's pretty easy, because the manufacturers do a really good

09:29.120 --> 09:33.100
job of updating us and letting us know that patches are out.

09:33.110 --> 09:39.830
The problem we run into is for little unmanaged devices or even managed devices. My Cisco router: Cisco

09:39.830 --> 09:46.610
does not automatically patch my router, so I have to be on top of it, and I'm monitoring the news, monitoring

09:46.610 --> 09:51.300
the industry, monitoring my suppliers, to be aware of what's out there patch-wise.

09:51.530 --> 09:53.330
So patches start rolling in.

09:53.330 --> 09:57.030
So the first thing I'm going to do with a patch is I'm going to test it.

09:57.130 --> 09:59.990
If I'd tested that Windows 10 update I never would have

09:59.990 --> 10:03.240
gotten caught with that silly accounting software problem.

10:03.350 --> 10:06.940
So we get a sandbox-type system and we test it.

10:06.950 --> 10:09.220
We install what we need to install, we run it.

10:09.230 --> 10:15.290
We see what the upsides and downsides are and then we go ahead and see if this patch is good. At some

10:15.290 --> 10:21.500
point here we're also evaluating: to simply take every patch that comes down the pike is not necessarily

10:21.500 --> 10:22.590
a good idea.

10:22.610 --> 10:26.360
So we do tend to take a jaundiced eye when we hear about some patch; we go,

10:26.360 --> 10:28.990
is this an important patch for us?

10:29.090 --> 10:35.060
OK, so we know things are pretty good, so then we go about actually deploying the patch. Now in a smaller

10:35.060 --> 10:35.880
environment.

10:35.990 --> 10:37.130
that's not that big of a deal.

10:37.130 --> 10:42.920
Usually you just press a button and go. However, in an enterprise environment this could be really, really

10:42.920 --> 10:46.200
important in terms of how you schedule this stuff.

10:46.220 --> 10:51.530
In large organizations where the actual patching process could end up taking many, many hours, that could

10:51.530 --> 10:52.270
be a problem.

10:52.280 --> 10:55.060
So good scheduling comes into play as well.

10:55.460 --> 11:01.640
And last, as you might imagine, you document. Keeping up to date in terms of what is being patched and

11:01.640 --> 11:02.260
what isn't.

11:02.260 --> 11:03.840
It's really really important.

11:03.860 --> 11:08.540
In fact it's so important that for most people, when it comes to patch management, they're going to rely

11:08.720 --> 11:10.280
on third party tools.

11:10.280 --> 11:15.320
There's so many of them out there it's almost hard to count them all, that do all this for you. They do

11:15.620 --> 11:17.000
all the monitoring for you.

11:17.000 --> 11:19.190
They will help you in your testing.

11:19.190 --> 11:23.840
They will help you through the deployment process, and they'll give you a single source of documentation

11:24.110 --> 11:31.100
so that you know what to do when it comes to patch management.

11:31.310 --> 11:37.760
I don't think anybody watching this video is not aware of the fact that you should be running anti-malware.

11:37.760 --> 11:43.130
And that's really not what I want to talk about here. What I want to talk about is, yes, you are running

11:43.190 --> 11:49.790
anti-malware, but from a security standpoint, particularly when you're an enterprise, things change a little

11:49.790 --> 11:50.470
bit.

11:50.720 --> 11:55.600
So we know everybody's running anti-malware now as part of patch management.

11:55.610 --> 12:02.030
We always want to make sure that our anti-malware is updated as often as possible, as often as necessary.

12:02.030 --> 12:06.950
Now one of the things that will happen is we can use centralized tools; I'll talk about those in a minute.

12:06.950 --> 12:10.810
But before we get into that, there's a lot of basic steps that people forget about.

12:10.880 --> 12:16.920
Number one: training. Your number one line of defense on malware is users.

12:16.940 --> 12:21.080
They should be comfortable with recognizing what's going to be taking place if malware is running on

12:21.080 --> 12:22.070
their system.

12:22.070 --> 12:27.200
They should recognize what happens if the anti-malware flagged something; there should be procedures

12:27.200 --> 12:30.640
in place so that if they see malware they are able to recognize it.

12:30.710 --> 12:35.100
They need to be able to deal with it at whatever level your organization wants them to.

12:35.330 --> 12:37.610
In a lot of cases they clean it themselves.

12:37.610 --> 12:42.070
But mainly what we'll see is that people make a report and somebody from I.T. comes down.

12:42.110 --> 12:44.560
It's not that your users can't do the cleaning themselves.

12:44.630 --> 12:49.250
It's just that I.T. needs to get their eyes on it so they can see how it's going to affect the enterprise

12:49.250 --> 12:49.940
as a whole.

12:51.000 --> 12:56.670
So part of that training is not just recognizing that, but also recognizing good practices, proper use

12:56.670 --> 13:01.020
of USB and things like that, that become very, very important.

13:01.050 --> 13:06.760
Now from an enterprise standpoint, the big thing we're doing when it comes to malware is that we're monitoring.

13:06.910 --> 13:15.030
So we're watching our security logs, we're monitoring the network flow diagrams to see if there's a bunch

13:15.030 --> 13:19.410
of computers that are starting to try to phone home in ways that we don't like.

13:19.440 --> 13:26.520
We check DNS to see if individual computers are trying to connect to known naughty DNS servers, so we

13:26.520 --> 13:28.770
can use monitoring, we can use IDS.

13:28.860 --> 13:32.070
So intrusion detection systems can often do this for us as well.

13:32.250 --> 13:38.540
But if you really want to get serious, we usually turn to third-party enterprise anti-malware tools.

13:38.700 --> 13:41.220
Malwarebytes is one of my favorite companies that do that.

13:41.310 --> 13:45.900
What they do is they basically take everything you've got to do here in training, but they'll do everything

13:45.900 --> 13:51.150
else for you, and they'll do all of the monitoring for you, they'll make sure all your anti-malware is

13:51.150 --> 13:52.750
updated and in good order.

13:52.830 --> 13:58.470
And for a few extra pennies it really, really makes a big difference to make sure that malware doesn't

13:58.470 --> 14:00.550
hit your individual hosts.

14:00.830 --> 14:01.270
OK.

14:01.290 --> 14:04.530
So the last thing I want to talk about are host firewalls.

14:09.430 --> 14:13.810
Every computer in your network should have a host firewall.

14:13.810 --> 14:18.760
Pretty much every operating system today comes with some type of firewall, and they generally do a good

14:18.760 --> 14:20.460
job in and of themselves.

14:20.470 --> 14:25.780
However, when we're talking about hardening hosts, one of the downsides of firewalls is that they're only

14:25.780 --> 14:31.860
as good as the operator that's actually monitoring them, and that operator tends to be the user themselves.

14:31.870 --> 14:37.030
So in an enterprise environment we tend to do some little bits of extra control to make sure our firewalls

14:37.060 --> 14:39.480
do the best job that they can do.

14:39.490 --> 14:44.540
Keep in mind that firewalls work pretty much on an application-level basis.

14:44.650 --> 14:50.200
Some program starts running on that computer and then it starts trying to do something on the network,

14:50.290 --> 14:52.020
and that flags the firewall.

14:52.030 --> 14:57.460
So one of the big things that we do in an enterprise environment is we will whitelist or blacklist

14:57.730 --> 14:58.950
applications.

14:58.960 --> 15:04.330
So what you'll see in a lot of places is that they'll have a whitelist. That means these are the only

15:04.330 --> 15:06.820
programs that you can install; if it's not on this list,

15:06.910 --> 15:13.780
you can't install it. More difficult to do is a blacklist. A blacklist will make a list of known naughty programs

15:13.780 --> 15:19.610
that you shouldn't install, but of course that does not prevent somebody from finding yet another program

15:19.610 --> 15:22.780
that they shouldn't install and putting it on their systems.

15:23.390 --> 15:28.490
If you're using a whitelist you can actually do some pretty interesting controls with firewalls when

15:28.490 --> 15:30.710
you're using centralized management.

15:30.710 --> 15:37.190
For example, one of the things I love about a Windows domain is that I can set firewall rules for the

15:37.190 --> 15:42.830
entire domain, so I can generate a security policy that's basically going to say that unless you're an

15:42.830 --> 15:50.120
I.T. god, you do not have the right to go ahead and let a firewall run a particular program through the

15:50.120 --> 15:51.000
firewall.

15:51.020 --> 15:52.990
So it's a very, very powerful tool.

15:53.000 --> 15:56.480
And again, a great motivator for centralized management tools.

