A big part of my work lately has been describing, tracking and managing the risk involed with moving data from the traditional datacentre with it’s firewalled perimiter to public cloud. The NIST Cyber Security Framework was useful as a way of grouping and classifying risks.
https://www.slideshare.net/AlexMagnay/risk-management-for-public-cloud-projects
I gave a talk on cloud security.
Before companies will start using Public Cloud they need to know it’s safe to use. There’s plenty of stories in press about security breaches, but AWS for example makes it clear in their “Shared Responsibility Model” that you still have to use security best practices such as least rights privilege, network segmentation (eg a DMZ) to contain any breach.
https://www.slideshare.net/hentsu/cloud-security-for-regulated-firms-securing-my-cloud-and-proving-it-65384157?qid=6a90d703-73bf-4892-b99d-cb1da1b9fcbd&v=&b=&from_search=2
While hunting for some Hyper-V videos, I came across recorded sessions from the 4th Nordic Infrastructure Conference. No sales pitches, only some great talks from field hardened consultants. The sessions are focused on Enterprise Infrastructure (Microsoft Windows Server, System Centre, Azure, PowerShell DSC, Identity Management, Security/hacking).
Session Info http://2015.nicconf.com/sessions Recorded sessions: https://www.youtube.com/channel/UChu8zqu8d1mjWxNRLlGXUAw
I’ve done a couple of other posts on using AD credentials with AWS API. You setup AWS IAM to trust AD Federation Services (ADFS) for authentication. You get temporary access keys to use with the AWS API. This is safer than making lots of IAM accounts with long term passwords (Secret Access Keys) that end up embedded in code and stored who knows where. See previous posts for an overview of AD authentication to AWS.
Quick post about how to disable User Account Control for administrators on servers. Group Policy setting: Computer Configuration > Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate withouth prompting User Account Control: Detect application installations and prompt for elevation = Disabled User Account Control: Run all administrators in Admin Approval Mode = Disabled Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA=0
Query for Bitlocker recovery keys (properties of machines) and then getting the owner of key. Using the useful (and free) Quest ActiveRoles commandlets but you can do this with regular activedirectory powershell module too. add-pssnapin quest.activeroles.admanagement -ErrorAction Silentlycontinue $DesktopsOU= "OU=Win7,OU=Workstations,DC=companyname,DC=com" # or whatever your machine OU is Get-QADObject -SizeLimit 0 -IncludedProperties Name,ParentContainer -SearchRoot $DesktopsOU | Where-Object {$_.type -eq "msFVE-RecoveryInformation"} | Foreach-Object {Split-Path -Path $_.ParentContainer -Leaf} | Select-Object -Unique The following page links to a script which will give you a CSV report http://blog.
Hey there Enterprise Administrator! Avoid storing AWS API keys by using Windows authentication instead[/caption]
Are you an Enterprise investigating AWS? Don’t want to become a security news story like these guys? https://www.google.co.uk/search?q=news+aws+secret+access+key+hack Are you used to multiple levels of physical and logical security for access to your equipment? https://www.youtube.com/watch?v=_qc5TG2ulx8 Is access to your VPC config shielded by nothing but some AWS API credentials? (which are probably stored in plain text..) Can your AWS credentials be used from the public internet (instead of only from the Office)?
When you get started with Amazon Web Services (AWS) one thing to do early is secure access to the web console. Rather than manage another set of user accounts you can reuse your corporate directory (Microsoft Active Directory) to login to the AWS console. You use AD Federation Services to do this. Also, if you keep your ADFS server internal, then your AWS console is not accessible from the public Internet.
Update to previous post on older BES version ( “Test intranet access from Blackberry and other mobile platforms”). For BES12 create a krb5.conf file and upload to the “Single-sign on” profile (obv. switch mycompany.com to your own FQDN. And specify the FQDNs for one or more domain controllers. This has been case sensitive in the past.)``` [libdefaults] default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 des3-cbc-sha rc4-hmac default_realm = MYCOMPANY.COM [realms] MYCOMPANY.COM = { kdc = tcp/DC1.
Hide Select a location for the network When you deploy Windows 7 you get a prompt: “Select a location for the network”. Laptop users also see this when they connect to a new network or WIFI service. You must pick the local network type. This helps Windows firewall decide if the local network is trusted (Private) or untrusted (Public). Rather than leave this as a manual choice for PC deployment staff and laptop users, you can automate this.