Friday, July 9, 2021

Windows Group Policy


Group Policy is a feature of Windows that provides a set of settings that network administrators can use to control the working environment of user and computer accounts in Active Directory. It provides a centralized place for server administrators to manage and configure operating systems, applications, and user settings. It is mainly used to raise the security posture of a network and to keep your data and core network secure.

Example:

  • By using group policy, a network administrator or server administrator can block access to certain sections of the Windows control panel or set a specific website as the home page for every computer on the network.
  • A Group Policy Object could be used to determine the home page that a user sees when they launch their web browser after logging onto the domain.

A Group Policy Object (GPO) is an object in Active Directory (AD) that contains group policy configuration. GPOs can be linked to one or more Active Directory containers, including sites, domains, or organizational units (OUs). A GPO is created using the Group Policy editor in the Microsoft Management Console (MMC). When you create a Group Policy Object, you may have the option of using a Starter GPO.

Starter Group Policy Objects are derived from a Group Policy Object and provide the ability to store a collection of Administrative Template policy settings in a single object. You can import and export Starter GPOs, which makes them easier to distribute to other environments. A set of System Starter GPOs ships with Windows Server.

In an Active Directory environment, a Group Policy Object needs to be linked to a container (a site, domain, or OU) before it takes effect. If a GPO is linked at the domain level, it affects all users and computers in the domain. You can also link one GPO to multiple domains or containers through the GPMC (Group Policy Management Console).

The containers at which a GPO can be applied (processed in the order L, S, D, OU, so later containers override earlier ones) are:

  • L: Local
  • S: Site
  • D: Domain
  • OU: Organizational Unit

In the GPMC, the steps for creating a Group Policy Object are:

  • On the domain controller, select Start, select Administrative Tools, and then select Group Policy Management. Or, select Start, select Run, type GPMC.MSC, and then press Enter.
  • Expand the forest and then the domains.
  • Under your domain, select the OU where you want to create the policy.
  • Right-click the OU, and then select Create a GPO in the domain.
  • Give the GPO a name, and then select OK. 
  • Right-click the newly created Group Policy Object, and then select Edit to open Group Policy Management Editor.

The GPMC also allows you to import, export, copy, paste, delete, back up and restore GPOs.

If no AD is available, the group policy that is available is known as Local Group Policy. With Local Group Policy, desktop management has to be performed in a decentralized way, by accessing each machine individually.

The quickest and simplest way to edit the Local Group Policy on a system is to click the Start button and run the command GPEDIT.MSC to start the Local Computer Policy Editor.

Using the 'GPO Management' feature of Active Directory Manager Plus, administrators can quickly see all the required details and the status of every GPO they need.

Important Group Policy Settings

  • Moderating Access to Control Panel
  • Prevent Windows from Storing LAN Manager Hash
  • Control Access to Command Prompt
  • Disable Forced System Restarts
  • Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives
  • Restrict Software Installations
  • Disable Guest Account
  • Password policy
  • Health checking
  • Set Minimum Password Length to Higher Limits
  • Set Maximum Password Age to Lower Limits
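The following PowerShell script is an added example, not code from the original post: it performs the GPMC procedure above (create a GPO, link it to an OU, edit it) with the GroupPolicy module that ships with RSAT and domain controllers, and applies two of the settings from the list ("Prevent Windows from Storing LAN Manager Hash" and "Moderating Access to Control Panel") as registry-based policies. The GPO name and the OU distinguished name are placeholders; the domain example.com is assumed.

```powershell
# Added example (not from the original post): scripts the GPMC steps with the
# GroupPolicy module. Run on a domain controller or a host with RSAT installed.
# $GpoName and $TargetOu are placeholders; replace them with your own values.
Import-Module GroupPolicy

$GpoName  = 'Workstation Hardening'                 # assumed GPO name
$TargetOu = 'OU=Workstations,DC=example,DC=com'     # placeholder OU distinguished name

# 1. Create the GPO (the "Create a GPO in this domain" step in GPMC), unless it already exists.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Baseline security settings' | Out-Null
}

# 2. Link it to the OU so its settings reach the computers and users in that container.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. "Prevent Windows from Storing LAN Manager Hash": computer-side registry policy.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null

# 4. "Moderating Access to Control Panel": user-side registry policy.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# 5. Read back what the GPO now contains and export an HTML report for review.
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"

# 6. On a target machine, after 'gpupdate /force', confirm the setting actually applied:
#    a value of 1 means new LM hashes are no longer stored.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
```

Password length and age are account policies rather than registry values, so they are set under Computer Configuration > Windows Settings > Security Settings > Account Policies in the editor (or by editing the GPO's GptTmpl.inf) rather than with Set-GPRegistryValue; step 6 is the check a practitioner should always run, because a linked GPO that is blocked by inheritance or filtered by security group silently does nothing.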

Feel free to provide your comments and suggestions.


-DR

Wednesday, July 7, 2021

Cyber Security | Zero-day attack

Zero Day Vulnerability

A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but not yet patched by the developer or software vendor. Because the vulnerability is exposed before security researchers and software developers become aware of it, and before they can issue a patch, zero-day vulnerabilities pose a higher risk to users. An exploit that attacks a zero-day vulnerability is called a zero-day exploit.

Zero-day vulnerabilities can arise in many ways and can be hard to detect: missing data encryption, missing authorization checks, broken algorithms, bugs, problems with password security, and so on. Because of the nature and variety of these vulnerabilities, complete information on a zero-day exploit usually becomes available only after the exploit has been identified.

One simple detection technique is to watch the behaviour of the system, whether it is a database, operating system, browser, application or other software. When you notice a difference from its normal behaviour, you can assume there is a gap or issue. Then you need to analyse all the traffic, packets, packet sources, attacks and log details.
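The paragraph above describes behaviour-based detection in general terms; the PowerShell script below is an added example, not code from the original post, showing what "difference from normal behaviour" can mean concretely for one data source. It compares a few constructed outbound-connection log lines against a constructed per-process baseline and flags three kinds of deviation: a process that has never been seen, a known process using a new destination port, and a known process exceeding its usual hourly rate. The log format, process names, addresses and thresholds are all made up for the example.

```powershell
# Added example (not from the original post): a toy behaviour-baseline check over
# constructed outbound-connection log lines. Field layout, names, addresses and
# thresholds are invented; a real baseline would be learned from weeks of telemetry.
$BaselineCsv = @'
process,dest_port,max_per_hour
winword.exe,443,20
outlook.exe,443,200
outlook.exe,993,50
chrome.exe,443,400
'@

$CurrentCsv = @'
time,host,process,dest_ip,dest_port
2021-07-07T09:01:12,PC-17,outlook.exe,203.0.113.10,443
2021-07-07T09:01:15,PC-17,chrome.exe,198.51.100.5,443
2021-07-07T09:02:40,PC-17,winword.exe,198.51.100.77,443
2021-07-07T09:02:41,PC-17,winword.exe,198.51.100.77,8081
2021-07-07T09:02:42,PC-17,winword.exe,198.51.100.77,8081
2021-07-07T09:03:00,PC-17,unknown-tool.exe,198.51.100.77,8081
'@

function Find-BehaviourAnomalies {
    param([string]$Baseline, [string]$Current)

    # Baseline: allowed process|port pairs with the highest hourly count seen as normal.
    $known = @{}
    $baselineRows = $Baseline | ConvertFrom-Csv
    foreach ($row in $baselineRows) {
        $known["$($row.process)|$($row.dest_port)"] = [int]$row.max_per_hour
    }
    $knownProcesses = $baselineRows.process | Sort-Object -Unique

    $findings = @()
    $events = $Current | ConvertFrom-Csv
    # Group by process, port and hour so counts are comparable with max_per_hour.
    $groups = $events | Group-Object { "$($_.process)|$($_.dest_port)|$($_.time.Substring(0,13))" }
    foreach ($g in $groups) {
        $proc, $port, $hour = $g.Name -split '\|'
        $key = "$proc|$port"
        if ($knownProcesses -notcontains $proc) {
            $findings += [pscustomobject]@{ Reason = 'unknown process'; Process = $proc; Port = $port; Hour = $hour; Count = $g.Count }
        } elseif (-not $known.ContainsKey($key)) {
            $findings += [pscustomobject]@{ Reason = 'new destination port for process'; Process = $proc; Port = $port; Hour = $hour; Count = $g.Count }
        } elseif ($g.Count -gt $known[$key]) {
            $findings += [pscustomobject]@{ Reason = 'rate above baseline'; Process = $proc; Port = $port; Hour = $hour; Count = $g.Count }
        }
    }
    return $findings
}

# On the constructed data this reports winword.exe on port 8081 (new port) and
# unknown-tool.exe (never seen in the baseline); the other rows stay silent.
Find-BehaviourAnomalies -Baseline $BaselineCsv -Current $CurrentCsv | Format-Table -AutoSize
```

A finding here is a starting point for the analysis the paragraph calls for (which packets, which source, which log entries around that time), not proof of exploitation; the value of a baseline is that it turns "feels different" into a specific, reviewable deviation.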

Some examples of zero-day vulnerabilities are:

  • Chrome zero-day vulnerability: 2021
  • Zoom app vulnerability: 2020
  • Microsoft Word vulnerability: 2017
  • Stuxnet: 2010
  • Apple iOS: 2020
  • CVE-2019-2215, kernel privilege escalation: 2019
  • Aurora: 2010
  • DNC hack: 2019
  • Sony zero-day attack: 2014
  • RSA zero-day attack through Adobe Flash Player: 2011
  • Adobe Reader zero-day flaw, CVE-2021-28550: 2021
  • NetGear routers
  • Firefox zero-day

Preventing a zero-day attack is very difficult; however, some best practices can help, such as:

  • Adopt advanced email security
  • Keep your software and patches up to date by using the latest releases
  • Use a web application firewall for real-time scanning of incoming packets
  • Use a host intrusion prevention system (HIPS)
  • Implement network access control to prevent unauthorized access
  • Use the IPsec protocol to encrypt all traffic
  • Use a secure and private browser
  • Block pop-ups
  • Disable third-party cookies
  • Use a reliable antivirus and internet security suite for home systems
  • Adopt good online security habits

If you have further suggestions, please post a comment.

Thanks

-DR


Zero Trust Network Access


Zero Trust Network Access (ZTNA) is a technology, product or service that provides secure remote access to applications and services based on well-defined access control policies and a logical access boundary or software-defined perimeter (SDP). ZTNA gives users seamless and secure connectivity to private applications without ever placing them on the network. It verifies the user who is accessing, and it grants least privilege.

According to the latest Fortinet report, only 15% of organizations have completed a transition to a zero-trust security model, which does not automatically assume that anyone inside the network perimeter is trusted.

Given the present pandemic situation due to COVID-19, organizations have moved from a work-from-office to a work-from-home model. This has raised many challenges around secure connectivity and network connectivity. Every organization was using traditional VPN connectivity to access the internal network or servers from remote locations as well as from the office. With VPNs, a number of issues or challenges still arise, such as:

  • It may not create or enforce policies that protect credentials
  • No third-party accountability
  • Hackers use VPNs too
  • The attack surface is large
  • Increasing endpoint attacks

Considering the above, we need a security solution that meets zero-trust requirements while enabling BYOD and access to apps deployed in the cloud. ZTNA currently offers more specific access and session control for applications located on-premises and in the cloud. It offers secure connectivity and reduces the attack surface. Users are authenticated and verified before they access resources. ZTNA leverages the concept of a dark cloud, preventing users from seeing any applications and services that they are not authorized to access.

When planning to implement ZTNA, an organization must integrate the gateway devices and implement SD-WAN (software-defined WAN). ZTNA requires a variety of components, or a combination of multiple devices, such as:

  • Next generation Firewall
  • Client Agent
  • EMS Server
  • Proxy Server
  • Identity & Access Management
  • Access Control
  • Authenticator 

Since many OEMs and vendors offer ZTNA, there are common required features that need to be implemented, such as:

  • The Zero Trust (ZT) solution architecture should be designed so that authentication and authorization happen on a separate channel before the user is allowed to connect to any service or application; that is, only the authentication and authorization controls communicate via a specific port or control channel.
  • The solution should be capable of acting as a single sign-on identity provider for private web applications.
  • ZTNA should protect against password-based attacks, eavesdropping, application-layer attacks, identity spoofing, web-based attacks such as SQL injection, broken authentication and session management, and DDoS and DoS attacks.
  • The solution must support live monitoring of all user activities, including failed logins, invalid access attempts and two-factor activity; provide alerts for specific incidents over email, SMS and/or SNMP; and provide detailed logs of all solution administrator activities, including login details, configuration changes, etc.
  • The multifactor solution must be indigenously developed on a software-defined perimeter security framework and support automated and encrypted backup of configuration on a configurable schedule.
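The first requirement above (authenticate and authorize on the control channel before any connection is brokered) and the "dark cloud" idea from earlier in the post are easiest to see in a small policy decision point. The PowerShell below is an added example, not code from the original post or from any ZTNA product: it models the decision a ZTNA controller makes for each request, with default deny, per-application MFA and device-posture requirements, and an application catalogue that only lists what the user is entitled to. The users, groups, applications and rules are all constructed; in a real deployment they would come from the identity provider, the endpoint agent (EMS) and the access-control policy store.

```powershell
# Added example (not from the original post): a toy ZTNA policy decision point.
# Applications, groups and requests are constructed for illustration.
$Apps = @{
    'hr-portal'  = @{ Groups = @('HR');         RequireMfa = $true;  RequireCompliant = $true }
    'wiki'       = @{ Groups = @('HR', 'Eng');  RequireMfa = $false; RequireCompliant = $false }
    'prod-admin' = @{ Groups = @('Eng-Admins'); RequireMfa = $true;  RequireCompliant = $true }
}

function Test-ZtnaAccess {
    param(
        [string]$User, [string[]]$Groups, [bool]$Authenticated, [bool]$MfaPassed,
        [bool]$DeviceCompliant, [string]$App
    )
    # Evaluated on the control channel before any data-plane connection is brokered.
    # Every path that is not an explicit allow ends in deny (default deny).
    $deny = { param($why) [pscustomobject]@{ User = $User; App = $App; Allow = $false; Reason = $why } }

    if (-not $Authenticated)          { return & $deny 'identity not verified' }
    # Dark cloud: an unpublished or unauthorized application is indistinguishable from a
    # non-existent one, so the user learns nothing about it.
    if (-not $Apps.ContainsKey($App)) { return & $deny 'application not published' }
    $policy   = $Apps[$App]
    $entitled = @($Groups | Where-Object { $policy.Groups -contains $_ }).Count -gt 0
    if (-not $entitled)               { return & $deny 'no entitlement for application' }
    if ($policy.RequireMfa -and -not $MfaPassed)             { return & $deny 'MFA required' }
    if ($policy.RequireCompliant -and -not $DeviceCompliant) { return & $deny 'device posture non-compliant' }

    # Only now would the gateway open a session to this one application (least privilege).
    [pscustomobject]@{ User = $User; App = $App; Allow = $true; Reason = 'policy satisfied' }
}

function Get-VisibleApps {
    # The catalogue a user sees: only applications they are entitled to, nothing else.
    param([string[]]$Groups)
    $Apps.Keys | Where-Object {
        $app = $_
        @($Groups | Where-Object { $Apps[$app].Groups -contains $_ }).Count -gt 0
    } | Sort-Object
}

# Constructed requests. Each decision, allow or deny, would also be written to the
# audit log that the monitoring requirement above asks for.
$requests = @(
    @{ User = 'alice'; Groups = @('HR');         Authenticated = $true;  MfaPassed = $true;  DeviceCompliant = $true;  App = 'hr-portal' },
    @{ User = 'bob';   Groups = @('Eng');        Authenticated = $true;  MfaPassed = $false; DeviceCompliant = $true;  App = 'prod-admin' },
    @{ User = 'carol'; Groups = @('Eng-Admins'); Authenticated = $true;  MfaPassed = $true;  DeviceCompliant = $false; App = 'prod-admin' },
    @{ User = 'dave';  Groups = @('Eng');        Authenticated = $false; MfaPassed = $false; DeviceCompliant = $true;  App = 'wiki' }
)
$requests | ForEach-Object { Test-ZtnaAccess @_ } | Format-Table -AutoSize
# Only 'wiki' is listed for an Eng user; 'hr-portal' and 'prod-admin' are invisible to them.
Get-VisibleApps -Groups @('Eng')
```

Of the four constructed requests only alice is allowed; bob has no entitlement, carol's device fails posture, and dave is not authenticated. The order of the checks matters: identity is verified first, then entitlement, then the per-application MFA and posture requirements, so a caller never reaches an application-specific check for an application they are not entitled to see.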

***

Feel free to provide your valuable suggestions. 

-DR




Network Scanning Tools

Network Scanning through Nmap and Nessus Network scanning is a process used to troubleshoot active devices on a network for vulnerabilities....