my personal blog about systemcenter

Testing ScaleFT BeyondCorp Secure Remote Access without a VPN

Categories: BeyondCorp, NoVPN, ScaleFT, Security

Testing ScaleFT access from an admin workstation to a remote server over the Remote Desktop Protocol, without a VPN or Remote Desktop Gateway.

ScaleFT provides BeyondCorp-style secure access to internal resources without publishing them over a VPN or exposing them directly to the internet.

This setup covers a basic integration between one PC and one server. ScaleFT provides a free version for personal use for up to 5 servers, so this is a large step forward in providing secure access to your resources.

Sign up at https://www.scaleft.com/ ; there is excellent documentation in place and instant trial access.

This is my first go at a BeyondCorp install and so far it looks very good.

This is a simple test without the full security integration, so no Azure AD or Okta; there is room for more improvements.

Overall process

1. Register Trial
2. Setup Client
3. Create Project
4. Add Server to Project
5. Add Permission to Project
6. Use Secure BeyondCorp access to your internal resources

Protocols available: Web Applications, Remote Desktop and SSH

And the Step by Step

Logging in to the interface, there are no clients for now.

Adding a client is as simple as downloading the client and running:

sft enroll --team "tenant name"

ScaleFT does not require local admin rights to function on the machine where access is started from.

Adding the client to the team requires authentication. From the initial testing with Edge I saw some issues that need a bit of time to reproduce, but running with Chrome works.

And we can now see my PC in the portal.

To enroll a server we need to create a project.

And then we can go to Enrollment Tokens to create a token for the server to enroll with.

Set up a token name and save the token.

On the server we can install the ScaleFT server-side tools with PowerShell:

PS C:\ScaleFT> Import-Module .\Install.psm1
PS C:\ScaleFT> Install-ScaleFTServerTools -EnrollmentToken
Downloading https://dist.scaleft.com/server-tools/windows/latest/ScaleFT-Server-Tool
C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi is signed by ScaleFT
Starting msiexec on C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi
MSI Log path: C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.log
Removing C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi
Starting Service scaleft-server-tools
True

And 2 minutes later we have it installed (on my slow connection)

And we now have a server to access

As we are dealing with zero trust, we need to create a group that grants access.

Groups can grant either local admin or local user permissions; for this test we will use Admin.

Back to my client and run sft list-servers

Getting prompted for access to ScaleFT and allowing access

I can now see my server

And we try to login

In this environment we have locked down NTLM, and ScaleFT proxies through localhost, so we need to allow that.

And adding localhost to the NTLM exceptions.

And we can now logon through our tunnel.

And when we are done working we can issue an sft logout.

And we have a full audit history

Can you tell if a PC was remoted into from an unencrypted machine in your environment?

So, what does ScaleFT do on our Windows box to create access and users?

After initial authentication we can see ScaleFT creating the admindemo user (that is my ScaleFT user) and adding it to the local admin and terminal server users groups:

time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Creating local user 'admindemo' based on user:'1d55549f-d4c9-7adc-2463-3b3414354e7c'" goal=user_create
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Administrators' based on group:'BUILTIN-A3FC-7CF8FAD6C251'" goal=group_member_add
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Remote Desktop Users' based on group:'BUILTIN–B750-50F1D33462FE'" goal=group_member_add
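As an added example (not from the post and not ScaleFT's own code), a small PowerShell parser for logfmt-style lines like the ones above that pulls out the user-creation and group-membership changes a defender would want to review; the sample lines are constructed and the ids in them are placeholders.

```powershell
# Constructed sample modelled on the osedit lines quoted in the post, plus one
# unrelated line; the id strings are placeholders, not values from the post.
$SampleLog = @'
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Creating local user 'admindemo' based on user:'PLACEHOLDER-USER-ID'" goal=user_create
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Administrators' based on group:'PLACEHOLDER-GROUP-ID'" goal=group_member_add
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Remote Desktop Users' based on group:'PLACEHOLDER-GROUP-ID'" goal=group_member_add
time="2018-07-17T14:14:02+02:00" level=info msg="heartbeat sent"
'@

# Parse one logfmt line (key=value pairs, values either bare or double-quoted) into an object.
function ConvertFrom-LogFmt {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $fields = [ordered]@{}
        foreach ($m in [regex]::Matches($Line, '(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')) {
            $value = if ($m.Groups[3].Success) { $m.Groups[3].Value -replace '\\"', '"' } else { $m.Groups[2].Value }
            $fields[$m.Groups[1].Value] = $value
        }
        [pscustomobject]$fields
    }
}

# Keep only the osedit changes that create users or add them to groups, and flag
# membership in groups that grant admin or remote-logon rights.
function Get-ScaleFTPrivilegeChanges {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$SensitiveGroups = @('Administrators', 'Remote Desktop Users')
    )
    $Lines | Where-Object { $_ -match '\S' } | ConvertFrom-LogFmt |
        Where-Object { $_.goal -in @('user_create', 'group_member_add') } |
        ForEach-Object {
            $user  = if ($_.description -match "local user '([^']+)'")  { $Matches[1] } else { $null }
            $group = if ($_.description -match "local group '([^']+)'") { $Matches[1] } else { $null }
            [pscustomobject]@{
                Time          = [datetimeoffset]$_.time
                Goal          = $_.goal
                User          = $user
                Group         = $group
                HighPrivilege = ($_.goal -eq 'group_member_add' -and $group -in $SensitiveGroups)
            }
        }
}

Get-ScaleFTPrivilegeChanges -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Pointing `-Lines` at `Get-Content` of the real scaleft-server-tools log gives the same table for a live server, which is a quick way to reconcile who was granted Administrators against the ScaleFT audit history.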

ScaleFT cycles the password at each logon, so a test from here shows:

* Username : WIN-GNM5AES6691\admindemo
* Domain : TERMSRV/127.0.0.1
* Password : C1Vi5JqadyEZjW%HuskZcWM3cI3JkXOPDx#JApF3HvgB#%ZxpMZ3D4wBKPGdcT4n

And after next logon

* Username : WIN-GNM5AES6691\admindemo
* Domain : TERMSRV/127.0.0.1
* Password : i7GYIDBh%[email protected]

So that looks good

Upgrading Local ATA 1.8 to 1.9

Categories: Advanced Threat Analytics, ATA

Finally got to do the first upgrade from ATA 1.8 to ATA 1.9, so: Windows Update.

And the first change: there is no option to retain data, only partial data is migrated; as far as I know this is new for 1.9.

And running

3-4 minutes later and we are upgraded

and the portal can see the out-of-date gateways

and in the time it took to drill down, the first agent was updated.

The first major change noticed is adding custom groups to monitor for changes, a very welcome change.

Time to play

Windows Defender ATP, Blocking unwanted applications

Categories: Defender, Device Guard, WDAPT

One of the features of Windows Defender ATP is to block all non-Microsoft binaries from running. So if a machine is under attack or suspected compromised, one of the steps is locking down the device so rogue applications stop working and the machine can be examined (the other step is network isolation; I will test that in a 2nd post).

The first test is to enable restrictions on a device without any prior policy, then try on one with an existing policy, signed and unsigned.

Result of the post, to save you reading: the device still works, thanks to MS-signed drivers, on a Lenovo X1 Yoga laptop.

In the Windows Defender Security Center there is an option to run Restrict app execution. The concern before testing was how a non-Microsoft hardware device would do, so I took a Lenovo and added Windows 10 and Lenovo System Update.

Go Go

a few seconds later the device is restricted

and since I didn't have an evil exe, I tested with Chrome and it was blocked as designed

and after a test reboot we can see that a bit more was blocked

C:\program files (x86)\google\chrome\application\chrome.exe
C:\program files (x86)\google\update\googleupdate.exe
C:\program files (x86)\lenovo\system update\tvsushim.exe
C:\program files\conexant\caudiofilteragent\sacpl.exe
C:\program files\dolby\dolby dax2\dax2_api\dolbydax2api.exe
C:\program files\dpr\dpr.exe
C:\users\fr-\appdata\local\openlivewriter\update.exe

but in reality nothing important: all drivers were MS signed, so the device is still functioning

and everything blocked is easily traced in the Defender Security Center portal

and reverse is just as easy

http://seclists.org/fulldisclosure/2018/Feb/33 , Skype Updater Escalation Prevention through GPO

Categories: Uncategorized

An issue with the Skype installer was published:

http://seclists.org/fulldisclosure/2018/Feb/33

This can elevate a normal user on a PC to SYSTEM on older OS versions that don't use Windows 10 Apps.

On Windows 10 you can install version 8 only if you set the installer to Windows 7 or 8; when testing that, the update service was not installed.

On the 7.x branch the update service was added on my test PC, but it wasn't visible on the 8 branch.

It's recommended to stay on the newest version and use Windows 10 Apps when possible.

For the workaround (this will break automatic updates but preserve security):

Create a new Group Policy

Go to Windows Settings, Security Settings, System Settings

Select the Skype Update Service and set it to Disabled

Verify it's set to Disabled

Set the GPO filter for testing

Link the GPO (for testing, linking at the root is acceptable)

Run gpupdate /force or wait a bit; after that the setting is Disabled and can't be modified.
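As an added example (not from the post), a PowerShell check that the workaround actually took effect on a machine: the System Services GPO setting shows up as StartMode 'Disabled' in WMI and Start=4 in the service's registry key. The service name 'SkypeUpdate' is an assumption; confirm it with Get-Service on a machine where the 7.x branch is installed.

```powershell
# Added example, not from the post. Verifies on the local machine that the Skype
# updater service is disabled by policy. 'SkypeUpdate' is an assumed service name.
function Test-ServiceDisabledByPolicy {
    param([string]$Name = 'SkypeUpdate')

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        # Not installed (as the post saw on the 8 branch): nothing to disable
        return [pscustomobject]@{ Name = $Name; Present = $false; StartMode = $null; State = $null; RegStart = $null; Compliant = $true }
    }

    # The System Services security setting "Disabled" writes Start=4 into the service key
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        Name      = $svc.Name
        Present   = $true
        Path      = $svc.PathName
        StartMode = $svc.StartMode
        State     = $svc.State
        RegStart  = $start
        # A service disabled while running keeps running until it stops, so State matters too
        Compliant = ($svc.StartMode -eq 'Disabled' -and $start -eq 4 -and $svc.State -ne 'Running')
    }
}

Test-ServiceDisabledByPolicy | Format-List
```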

Adding OpenLiveWriter to a DeviceGuard Protected Machine

Categories: Device Guard, Security

I wanted to add OpenLiveWriter to my PC, but since it is protected by Device Guard it required a few additional steps.

Following Matt Graeber's (@mattifestation) guide to merging policies, http://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html , I ended up with the following:

PS C:\Windows\system32> $OpenLiveWriter = Get-SystemDriver -ScanPath 'C:\Users\FR\AppData\Local\OpenLiveWriter' -UserPEs

Scanning the install directory

New-CIPolicy -FilePath OpenLiveWriter.xml -DriverFiles $OpenLiveWriter -Level PUBLISHER -UserPEs

"Unable to generate rules for all scanned files at the requested level. A list of files not covered by the current policy can be found at C:\Users\Flemming Riis\AppData\Local\Temp\tmpD089tmp. If it is safe to not include these files, no action needs to be taken, otherwise a more complete policy may be created using the -fallback switch"

The first run was with PUBLISHER, but the majority of the files aren't signed, so I changed the policy level to HASH. This leaves an issue with autoupdate, so the shortcut was changed to point at openlivewriter.exe instead of update.exe.

We now end up with a rather large list of allowed files.

And putting it all together:

$MasterRuleXml = 'BASE.xml'   # this was my T460s baseline

# Scan the OpenLiveWriter install directory, including user-mode binaries
$OpenLiveWriter = Get-SystemDriver -ScanPath 'C:\Users\FR\AppData\Local\OpenLiveWriter' -UserPEs

# Write a standalone policy for the scanned files at HASH level
New-CIPolicy -FilePath OpenLiveWriter.xml -DriverFiles $OpenLiveWriter -Level HASH -UserPEs

# Build HASH rules from the same scan and merge them into the baseline
$OpenLiveWriterRules = New-CIPolicyRule -DriverFiles $OpenLiveWriter -Level HASH
Merge-CIPolicy -OutputFilePath FinalPolicy.xml -PolicyPaths $MasterRuleXml -Rules $OpenLiveWriterRules

# Compile the merged policy to the binary format Device Guard loads
ConvertFrom-CIPolicy -XmlFilePath .\FinalPolicy.xml -BinaryFilePath SIPolicy.p7b

And after a reboot I can now run OpenLiveWriter on my Device Guard protected PC.
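As an added example (not from the post or from Matt Graeber's guide), a PowerShell summary of a merged CI policy to run before ConvertFrom-CIPolicy: it counts how many HASH rules you are about to deploy (each one breaks when that file is updated, which is the autoupdate problem above) and shows which policy options are set. The path is an assumption; the element names are the urn:schemas-microsoft-com:sipolicy schema that New-CIPolicy emits.

```powershell
# Added example, not from the post. Summarises FileRules, Signers and Rule options
# of a CI policy XML such as the FinalPolicy.xml produced above.
function Get-CIPolicySummary {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$policy = Get-Content -Path $Path -Raw
    $ns = @{ s = 'urn:schemas-microsoft-com:sipolicy' }   # namespace New-CIPolicy emits

    $allow   = @(Select-Xml -Xml $policy -Namespace $ns -XPath '/s:SiPolicy/s:FileRules/s:Allow' | ForEach-Object Node)
    $deny    = @(Select-Xml -Xml $policy -Namespace $ns -XPath '/s:SiPolicy/s:FileRules/s:Deny'  | ForEach-Object Node)
    $signers = @(Select-Xml -Xml $policy -Namespace $ns -XPath '/s:SiPolicy/s:Signers/s:Signer'  | ForEach-Object Node)
    $options = @(Select-Xml -Xml $policy -Namespace $ns -XPath '/s:SiPolicy/s:Rules/s:Rule/s:Option' | ForEach-Object { $_.Node.InnerText })

    [pscustomobject]@{
        Path             = $Path
        # Hash rules pin one exact binary; a PUBLISHER rule would survive updates
        HashAllowRules   = @($allow | Where-Object { $_.Hash }).Count
        OtherAllowRules  = @($allow | Where-Object { -not $_.Hash }).Count
        DenyRules        = $deny.Count
        Signers          = $signers.Count
        AuditMode        = $options -contains 'Enabled:Audit Mode'
        UMCI             = $options -contains 'Enabled:UMCI'
        # Hash rules on updater binaries are the ones most likely to break, as the post found
        UpdaterHashRules = @($allow | Where-Object { $_.Hash -and $_.FriendlyName -like '*update*' } | ForEach-Object FriendlyName)
    }
}

Get-CIPolicySummary -Path .\FinalPolicy.xml | Format-List
```

If AuditMode is $true the merged policy will only log blocks rather than enforce them, so check that field matches what the baseline BASE.xml was meant to do before compiling.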