Defense

Mapping Attack Methodology to Controls


I’m the handler for today and I’ve got a post up about mapping controls. One of the key points is to make sure you do this for each attack method you respond to.


BSides Augusta Slides


Had a great time at BSides Augusta 2016. Here’s my slide deck, ir-awakens.

Kippo Honeypot Cousin Cowrie


I’m the ISC handler of the day and I’ve got a great post on setting up AppArmor, SQLite3, and DShield with Cowrie. Please drop by ISC and check it out.

Automated Phishing Analysis


I’m the Handler for the day at the Internet Storm Center. Check out my post on how to automate phishing analysis and metrics.


AppLocker and OSSEC 2.8


I’m the Handler for today at the Storm Center. I have a great post on getting OSSEC and AppLocker working together. Stop by and check it out.

https://isc.sans.edu/forums/diary/AppLocker+Event+Logs+with+OSSEC+2+8/18539

Monitoring Windows Event Logs (Part 1)


I’m the ISC Handler today and I’ve got a great post on how to use syslog to monitor important Windows event logs. This will have multiple parts, as it will go deeper into special configuration.

How to use Java in the Enterprise while Limiting Exposure with IE Trusted Sites


Update May 2014: Thankfully, Java has released a better way to do this. Please use their Java Deployment Rule Set at https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets. The article below is still valid for versions below 7.40.

Summary

Java has become difficult software to wrangle over the past 18 months due to the number of exploits released. Unfortunately, most enterprises have at least one critical application that relies on this technology. To limit its attack surface, I suggest using a whitelist approach. For the widest compatibility in corporate environments, I’m using IE as the only browser with Java enabled and managing these settings through GPO. To make sure users do not have other browsers with Java enabled on the same system, we will disable it in both Google Chrome and Mozilla Firefox.

Currently, there does not appear to be a good way to whitelist “Java Web Start” applications, so my recommendation is to disable this feature for now. You may need to create an exempt group if this is a required feature for certain individuals or groups in your organization.

Deployment Options

At minimum, these settings will need to be reapplied every time Java or your web browsers are updated. It’s best to have them applied via GPO or at every log in. The GPO.bat file can be replaced by adding the registry settings as a GPO preference. The files can be found here.

Note: Even though these settings have been tested on both XP and Win7, please test them in your environment before deploying. All settings are based on 32-bit Java. If you are running the 64-bit version, these settings can easily be modified to meet that need.

GPO

To deploy these settings using GPO you will need to:

  1. Add the sites to the Trusted Sites list
  2. Implement the GPO section of each implementation section below
  3. Deploy gpo.bat and disable_java_firefox.vbs via GPO. The gpo.bat file only makes the registry changes that are not directly manageable from GPO.
  4. Disable Java in Chrome.

Windows Batch

If you are planning to use the batch-only option, the scripts should be run with Admin privileges.

  1. Add the sites to the Trusted Sites via GPO
  2. Disable Java in Chrome
  3. Copy java.bat and disable_Java_firefox.vbs to a network share and make sure the batch file is run with Admin privileges on all systems

Implementation

Adding Trusted Sites

To manage this setting via GPO:

User Config > Admin Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment list

To add a zone assignment, the Value name is the site you want to whitelist and the Value is the zone you want to assign it to. To add a site to the Trusted zone, always set the value to 2.

*.wordpress.com 2

To add a specific site rather than an entire domain:

http://www.mywebsite.com 2

Disable Java in Firefox

The Disable_Java_firefox VB script by @integrisec modifies the pluginreg.dat file in the Mozilla profile directory and sets the Java plugin to disabled. I had to modify the version from his website to better adjust the disable logic. It is called by my batch script and needs to be in the same directory as the batch file.

Disable Java in Chrome

The easiest way to disable Java in Google Chrome is to change the shortcut to chrome.exe --disable-java. Set up a batch file to copy a new shortcut from a network share to the user’s desktop/start menu.

Via GPO

  • You can change the shortcut using GPO
  • You can fully manage Chrome from GPO if you import the template. This is cumbersome if you are only using it to manage Java, but if you are already managing Chrome this way, the settings are below.

Computer Config > Admin Templates > Classic Admin Template > Google > Google Chrome > Specify a list of disabled plugins > Enable

  • Add *Java*

Internet Explorer

We are going to lock down all the ways Java can be called and make sure it uses the IE trusted zone list. The post at greyhathacker.net does an awesome job breaking down many of the issues and prevention methods, and several of its suggestions are implemented below.

Java Applet settings

Disable the Java applet from running in any zone except the Trusted zone.

Via GPO

Admin Template > Windows Components > Internet Explorer > Internet Control Panel > Security Page

  • Intranet Zone > Java Permissions > Enable Plugin > Disable Java
  • Internet Zone > Java Permissions > Enable Plugin > Disable Java
  • Trusted Zone > Java Permissions > Enable Plugin > Enable Java
  • Restricted Zone > Java Permissions > Enable Plugin > Disable Java

Via Registry

For all zones, the 1C00 DWORD value should be set to 0, except for the Trusted and Intranet zones, which should be 0x00010000.

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 1c00 /t REG_DWORD /d 0x00 /f

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 1c00 /t REG_DWORD /d 0x00010000 /f

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1c00 /t REG_DWORD /d 0x00 /f

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 1c00 /t REG_DWORD /d 0x00 /f

Disable scripting of Java applets in other zones

Via GPO

Admin Template > Windows Components > Internet Explorer > Internet Control Panel > Security Page

  • Internet Zone > Scripting for Java applets > Enable Plugin > Disable
  • Intranet Zone > Scripting for Java applets > Enable Plugin > Disable
  • Restricted Zone > Scripting for Java applets > Enable Plugin > Disable

Via Registry

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 1402 /t REG_DWORD /d 0x03 /f

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1402 /t REG_DWORD /d 0x03 /f

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 1402 /t REG_DWORD /d 0x03 /f

Java Object Tags

Java object tags are handled differently in IE. You will need to modify the ActiveX control settings so that only trusted sites are allowed to call these objects.

Limit Java Objects tags

According to Microsoft, if you remove the ‘*’ entry, IE will not load the object tags from the Internet zone, only from the Trusted and Intranet zones.

Registry Only

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8AD9C840-044E-11D1-B3E9-00805F499D93}\iexplore\AllowedDomains" /f

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8AD9C840-044E-11D1-B3E9-00805F499D93}\iexplore\AllowedDomains\*" /f

Prevent users from adding sites to the trusted Java plug-in list.

This prevents the Security Band from popping up when visiting non-trusted sites, so users are not prompted to allow the plug-in.

Registry Only

reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" /v iexplore.exe /t REG_DWORD /d 0x00 /f

Do not allow users to add/remove sites from the Trusted sites

Via GPO

Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Do not allow users to add/delete sites

Via Registry

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v Security_options_edit /t REG_DWORD /d 0x01 /f

Break Functionality of Java Web Start

Java Web Start downloads a JNLP file and launches Java outside the browser. Currently I have not found a way to force it to honor the IE zones before it executes. Since we cannot limit its access, we must break this function.

Registry Only

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command" /t REG_SZ /d "iexplore.exe" /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JNLPFile" /t REG_BINARY /v EditFlags /d 00000000 /f

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}" /v "Compatibility Flags" /t REG_DWORD /d 0x00000400 /f

reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}" /v "Compatibility Flags" /t REG_DWORD /d 0x00000400 /f

Disable the Java Deployment Toolkit ActiveX control

Registry Only

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}" /t REG_DWORD /v "Compatibility Flags" /d 0x00000400 /f
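Once the GPO or batch file has run, it is worth reading the registry back rather than trusting that the deployment landed. The PowerShell audit script below is an added example, not part of the original post or its GPO.bat; it checks the zone values, kill bits, security band, site-list lock and JNLP handler quoted above against the data the article sets. The one path it reads that the article does not mention, the ZoneMapKey location used to list the Site to Zone Assignment entries, is an assumption and is marked as such in the code.

```powershell
# Added audit script (not from the original post). Reads back the registry state the
# article's reg add commands and GPO settings are meant to produce, so a deployment can
# be confirmed on a workstation before it is tested in a browser. Expected values are
# taken from the article. Zone numbers follow IE's convention:
# 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.

$Zones      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$AxCompat   = 'HKLM:\Software\Microsoft\Internet Explorer\ActiveX Compatibility'
$AxCompat32 = 'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
$JavaWebStartClsid  = '{5852F5ED-8BF4-11D4-A245-0080C6F74284}'
$DeployToolkitClsid = '{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}'
$JavaPluginStats = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8AD9C840-044E-11D1-B3E9-00805F499D93}\iexplore'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE loading an ActiveX control

# One entry per value the article sets: where it lives, its name, and the data expected.
$Checks = @(
    @{ Path = "$Zones\1"; Name = '1C00'; Expected = 0x0;     Desc = 'Intranet zone: Java disabled' }
    @{ Path = "$Zones\2"; Name = '1C00'; Expected = 0x10000; Desc = 'Trusted zone: Java enabled' }
    @{ Path = "$Zones\3"; Name = '1C00'; Expected = 0x0;     Desc = 'Internet zone: Java disabled' }
    @{ Path = "$Zones\4"; Name = '1C00'; Expected = 0x0;     Desc = 'Restricted zone: Java disabled' }
    @{ Path = "$Zones\1"; Name = '1402'; Expected = 0x3;     Desc = 'Intranet zone: applet scripting disabled' }
    @{ Path = "$Zones\3"; Name = '1402'; Expected = 0x3;     Desc = 'Internet zone: applet scripting disabled' }
    @{ Path = "$Zones\4"; Name = '1402'; Expected = 0x3;     Desc = 'Restricted zone: applet scripting disabled' }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND'
       Name = 'iexplore.exe'; Expected = 0x0; Desc = 'Security band suppressed for iexplore.exe' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'Security_options_edit'; Expected = 0x1; Desc = 'Users cannot add/delete zone sites' }
    @{ Path = "$AxCompat\$JavaWebStartClsid";   Name = 'Compatibility Flags'; Expected = $KillBit; Desc = 'Java Web Start control kill bit' }
    @{ Path = "$AxCompat32\$JavaWebStartClsid"; Name = 'Compatibility Flags'; Expected = $KillBit; Desc = 'Java Web Start control kill bit (Wow6432Node)' }
    @{ Path = "$AxCompat\$DeployToolkitClsid";  Name = 'Compatibility Flags'; Expected = $KillBit; Desc = 'Java Deployment Toolkit control kill bit' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\JNLPFile\Shell\Open\Command'
       Name = '(default)'; Expected = 'iexplore.exe'; Desc = '.jnlp handler redirected to iexplore.exe' }
)

function Get-RegValue {
    # Returns the value's data, or $null when the key or value is absent.
    # -LiteralPath keeps GUID braces and the "*" key name from being treated as wildcards.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    try { Get-ItemPropertyValue -LiteralPath $Path -Name $Name -ErrorAction Stop }
    catch { $null }
}

function Format-Data($Value) {
    if ($null -eq $Value) { '<missing>' } elseif ($Value -is [int]) { '0x{0:X}' -f $Value } else { "$Value" }
}

function Test-JavaLockdown {
    foreach ($c in $Checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Check     = $c.Desc
            Expected  = Format-Data $c.Expected
            Actual    = Format-Data $actual
            Compliant = ($null -ne $actual -and $actual -eq $c.Expected)
        }
    }
    # The article deletes the "*" subkey under AllowedDomains; if it survives, Java
    # object tags are still allowed from every zone, not just Trusted and Intranet.
    $present = Test-Path -LiteralPath "$JavaPluginStats\AllowedDomains\*"
    [pscustomobject]@{
        Check     = 'Object tags: AllowedDomains "*" entry removed'
        Expected  = 'absent'
        Actual    = if ($present) { 'present' } else { 'absent' }
        Compliant = -not $present
    }
}

function Get-TrustedSiteAssignments {
    # ASSUMPTION: the "Site to Zone Assignment list" user policy stores its entries here
    # as REG_SZ values (name = site, data = zone number). Not stated in the article.
    $map = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (-not (Test-Path -LiteralPath $map)) { return @() }
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    (Get-ItemProperty -LiteralPath $map).PSObject.Properties |
        Where-Object { $_.Name -notin $providerProps -and "$($_.Value)" -eq '2' } |
        ForEach-Object { $_.Name }
}

$report = @(Test-JavaLockdown)
$report | Format-Table Check, Expected, Actual, Compliant -AutoSize
$failures = @($report | Where-Object { -not $_.Compliant })
Write-Host ("{0} of {1} checks compliant" -f ($report.Count - $failures.Count), $report.Count)
Write-Host 'Sites assigned to the Trusted zone by policy:'
Get-TrustedSiteAssignments | ForEach-Object { Write-Host "  $_" }
```

Run it in a session belonging to the user whose settings you are verifying, since most of the values live under HKCU; the HKLM checks are readable without elevation. If the "Security Zones: Use only machine settings" policy (Security_HKLM_only) is in force, the effective zone values come from HKLM rather than the per-user keys this script reads, so point $Zones at the HKLM equivalent in that case. A non-compliant row for the Intranet zone 1C00 value is expected if you followed the prose above rather than the reg commands, which set zone 1 to 0; decide which you intend and make the two agree.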

Sites to Test Java Settings

Below is a list of sites to test that the Java settings are working correctly. While most of these sites simply demonstrate specific ways to call Java, they have not been analyzed for malware and should be considered dangerous. Once configured, none of them should be able to load Java in the browser unless it is listed as a trusted site. Only visit them on a virtual machine, and revert it to its previous snapshot once testing is done.

https://eyeasme.com/Shayne/XHTML/appletObject.html

http://www.w3.org/2000/07/8378/object/java/clock

http://www.brainjar.com/java/parameters/demo.html

http://www.java.com/en/download/testjava.jsp

http://www.codebrain.com/java/navajo/index_embed.html

http://www.twainconnect.com/jnlp/Default.aspx

http://source.db4o.com/db4o/trunk/objectmanager-swing/webstart/sample.html