DSS 2015 Riga

Ethical Hacker in Action @DSS2015 that took place in Riga on 22-Oct-2015:



I know that got failed a lot of times during this presentation. But I know, you gonna seal your webcam, anyway .)

Продолжить чтение этой записи

How to find out how many PCs in your domain are SRP-compliant?

During Application Whitelisting (AWL) implementation throughout an Enterprise, it is essential to easily find an answer for questions like «how far we have come?» Running a fairly complex Active Directory (AD) structure, you can never guess for sure. Instead, you may choose to implement some objective monitoring tool, let’s call it «AWL Compliance Report«. You don’t have SCCM? Not a problem, we will make it happen using built-in Group Policy (GP) mechanism.

For example, it’s quite easy to figure out the presence (or absence) of Software Restriction Policies (SRP) by querying particular values in HKLM\Software\Policy\Microsoft\Windows\Safer\CodeIdentifiers Registry key:

Продолжить чтение этой записи

Centralized SRP Event Auditing

Application Whitelisting technologies such as Software Restriction Policies or AppLocker provide a great level of protection against malware and unwanted software. When blocking launch of an unwanted program, the policy generates a record in the Application Log on a local computer. This allows an administrator to maintain security for a given system and perform policy updates, if needed. However, examining event logs on multiple computers requires too much administrative effort, thus making auditing reactive, not proactive. You can greatly improve control over Application Whitelisting policies by configuring an automatic notification mailing when a particular event is written to the log.

Продолжить чтение этой записи

Configuring Windows to run applications with Standard User privileges

1. Why should we separate privileges and configure permissions?

        The separation of privileges is a computer security and antivirus protection fundamental. Usually, all the users log on to the computer with individual accounts that belong to either of two categories: administrative, which are designed to configure and maintain the system; and standard, designed for everyday work. Administrators can do anything they want — install and remove software, update device drivers, infect computer with a virus etc. Standard Users are able to surf Internet, work with documents and e-mail, watch movies. But it is impossible for them to break anything in a system.

Продолжить чтение этой записи

Using Windows Auditing to track user activity

        Time to time something happens that requires us to answer ”who did it?” question. Those occasions are not as frequent, but important ones. A systems administrator is to be ready and prepared to address such issues.

        In most companies there are departments like Project Managers, Accountants, Developers and other employee categories that collaborate and work together with groups of documents being stored in some shared folders on a fileserver or possibly workstations. Occasionally, someone deletes a particular important document or folder with a bunch of documents, resulting in a mission-critical data loss. Considering the described incident, few questions immediatelly arise:

  • At what date and time the incident took place?
  • Which backup should be used to restore the data?
  • Was that an accident or an intentional user action?
  • Or maybe that was some system failure that could happen again?

Продолжить чтение этой записи

Why Microsoft made managing NTFS Permissions even more complex?

        Working with Windows NT 5.0/5.1/5.2 (Windows 2000/XP/2003) systems for a quite long time, I am used to configure NTFS Permissions the way it was. However, the successor NT versions (2008/Vista/7) managed to unpleasantly surprise me. Let’s assume you want to re-configure an access to some particular NTFS folder. For example, the folder containing users’ home directories. This is the way it looks (with NTFS permissions attached) on one of my Windows Server 2003 R2 computers:

Продолжить чтение этой записи

Preventing computer malware by using Software Restriction Policies.

1. What does protection from viruses and other malware begin with?

        Protection from computer viruses, ’trojan horses’ and stuff like that strictly depends on the privilege level you use when working on a computer. Usually, all the user accounts are divided into two categories – administrative, which is designed to be used to install programs and configure the system; and standard (with limited rights), which is designed for everyday work. Do you want to configure the software or install something new? Log on as an Administrator. Are you going to watch movies, write some e-mails or communicate through instant messenger? Log on as a Standard User.

        The situation is that normal users do not have enough rights to install programs and tune up the system, thus make it working in a very stable, reliable and secure manner. The users simply cannot mess something up or break something important, because their rights are not enough to do that. A computer virus is not any ‘voodoo magic‘ at all but just usual software, a computer program, that’s why a standard user is not able to infect the system with it. And even more, it does not matter for a computer if the virus is a new or old one, a very complex or primitive one – if the current permissions are not enough, it is not possible to copy virus body to the system folders or add it’s autorun to the Registry, anyway. Продолжить чтение этой записи