With Windows Server 2016 we get Device Guard: https://www.microsoft.com/en-us/cloud-platform/windows-server-security
Enhance the protection of your applications on-premises or running in the cloud. Help ensure only trusted software runs on the server with Device Guard.
This means that we can now create policies on what is allowed to run on our servers, in a more secure way than we know from AppLocker on desktops.
In this example we have a Windows Server 2016 with Veeam installed, and we want to protect against rogue applications / ransomware (this is not a Veeam problem; it is just used as an example).
First off we block SMB in the firewall, so we don't carry a risk from a compromised workstation.
To get started with Device Guard I highly suggest the blogs from Matt Graeber (@mattifestation / http://www.exploit-monday.com).
A big thank you to Matt for posting his amazing content online.
Windows Device Guard Code Integrity Policy Reference
http://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html
Device Guard Code Integrity Policy Auditing Methodology
I have been following his guidelines on merging different policies to allow Veeam to function under the lockdown of the host.
This post will show the start and the end result of the policy, and additional posts will show everything in between. It is not a "five minutes and now everything is working" plan; there are multiple issues with applications spawning scripts and with dynamic unsigned applications. But for many workloads this is very fast to get started with and gives a very high return on the time used.
Following the procedure for whitelisting, I found that all of Veeam's own binaries were signed with a few different certificates, so they were easy to add to the policy.
That left some files that look to be from third parties and weren't signed; these have been added to the allow list at the file hash level. This means that when there is a new update for Veeam we need to add any updated files to the policy and reapply it.
On the server running Veeam we enabled Device Guard.
Select a policy file that will be generated from the XML file with rules. From a security point of view, anyone with local access to the box can change the policy file, so an ACL needs to be applied to it if logged on to the box, or move it to the default System32 location; for added security the policy can be signed.
So with our policy applied and the server rebooted, we have a functioning Veeam and Windows install.
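As an added example (not the post's own commands), this is how the steps above look with the ConfigCI cmdlets that ship with Windows Server 2016: scan the Veeam folder by publisher with a hash fallback, merge into a Windows baseline, audit first, then enforce. The paths C:\CIPolicy, C:\Program Files\Veeam, the baseline file name and the helper function name are assumptions.

```powershell
# Added example, not code from the original post.
# Assumptions: Veeam lives under C:\Program Files\Veeam, C:\CIPolicy exists, and a
# baseline policy for Windows itself (Windows-Baseline.xml) was already scanned from a clean host.
$Work     = 'C:\CIPolicy'
$Baseline = "$Work\Windows-Baseline.xml"
$VeeamXml = "$Work\Veeam.xml"
$Merged   = "$Work\Merged.xml"
$Binary   = "$Work\SIPolicy.bin"

# -Level Publisher allows anything signed by the publisher certificates found in the scan
# (Veeam's own signed binaries). -Fallback Hash pins the unsigned third-party files by hash,
# which is why every Veeam update needs a re-scan and re-merge. -UserPEs includes user-mode code.
New-CIPolicy -FilePath $VeeamXml -ScanPath 'C:\Program Files\Veeam' -Level Publisher -Fallback Hash -UserPEs

# One policy for the host: merge the application rules into the Windows baseline.
Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $Baseline, $VeeamXml

# Option 3 = Enabled:Audit Mode. Nothing is blocked yet, but everything that would be
# blocked is logged, so gaps in the policy surface before enforcement.
Set-RuleOption -FilePath $Merged -Option 3

# Compile to the binary form the kernel loads and drop it where Code Integrity reads it.
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
Copy-Item $Binary 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
# Reboot, run the workload (backup jobs, restores, console), then review the audit log.

function Get-CIAuditFindings {
    # Hypothetical helper. 3076 = executable that would have been blocked (audit mode);
    # 8028 = script or MSI that would have been blocked (audit mode).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8028 } -ErrorAction SilentlyContinue
}
Get-CIAuditFindings | Select-Object TimeCreated, Message | Format-List

# When the audit log is clean, remove the audit option and redeploy to enforce. Blocked
# executables then log 3077 and blocked scripts 8029, which is the event to alert on.
Set-RuleOption -FilePath $Merged -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
Copy-Item $Binary 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
```

The policy file is only as trustworthy as the ACL on it; signing the policy (as the post notes) is what stops a local admin from swapping it out.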
Now imagine the few steps you have to go through to lose your data:
1. Log on to the Veeam server.
2. Open Outlook, if it is installed for some odd reason, or open webmail (if the server has internet access for some odd reason).
3. Download the oddly worded email, click on the HTML link that downloads a zip file with a JavaScript inside.
4. Ignore the warning and click once more.
And a few seconds later we have encrypted all our files, including the backup data (bypassing both the local Defender client and firewall scanning).
Again, the number of crazy decisions you have to go through to get this far is crazy, and still we see it.
So what happens on our Device Guard protected server?
We do the same as before.
But with a different result.
And we can see that Device Guard prevented the script from running, saving the day.