THREAD: all that "free" management software your server vendor gives you means more to manage, introduces new attack vectors, and makes OS patching and upgrades harder. Remove it. You don't need it.

1/25
You should be ordering TPMs with all your new servers. They look optional when you order servers, but are not if you care at all about security. Moving forward, every OS will be crippled without one.

2/25
When you get your new server, take a look at that nifty management controller, and disable absolutely everything on it unless you really need it. It's all attack vectors.

3/25
Pay special attention to the "USB NICs" and stuff those management controllers have. There is usually zero reason to enable that as a backdoor between the hardware and the OS. If you want to manage the OS, go in through the OS management front door.

4/25
Management controllers are great, don't get me wrong. However, you can upload firmware to them and monitor the hardware through them WITHOUT all the other software installed.

5/25
For example, racadm for Dell iDRACs is great. Upload firmware updates to the iDRAC, tell it to wait until the next reboot... very slick. You don't need any other software on the OS to get that done (you might need their repo manager and a web server, though).

6/25
Same thing for hardware monitoring. That iDRAC or iLO can be polled via SNMP from something like Observium and can tell you when you lose a drive or have a memory error. Don't need anything else installed.

7/25
"But what about monitoring the OS?" you ask. What about it? The hardware monitoring tools aren't good at monitoring the OS. Use something that's built for that and can be secured well. Think about the Solarwinds attacks and how good fences make good neighbors.

8/25
Hardware management controllers should be on their own VLAN, too, secured heavily, only allowing the people that will actually fix the OS or the hardware to get in.

9/25
And speaking of that, when you use AD for both authentication AND authorization you make it so an attacker who breaks into AD can just add themselves to your "Storage Admins" or "iDRAC Admins" groups. Then they can just log in.

10/25
Same is true for a group in AD called "Firewall Admins" or "Network Admins." Think about that for a moment, and then go manage the firewall authorizations some other way.

Also, if this is you, you need to audit your firewall rules.

11/25
AD is a huge target for attackers because it has EVERYTHING in it, and organizations use it for both authentication AND authorization, which makes things easy for organizations... and attackers.

12/25
Most orgs don't patch in a timely manner so there's still Zerologon and the DNS vulns, and even if it is patched there's credentials lying around everywhere because it's easier to give someone admin rights than figure it out.

13/25
"AD is important so we only patch twice a year" makes me scream. This is the attitude that results in reports of breaches to 300 million people.

Systems that are important should be patched rapidly and in an automated way.

15/25
Think about the things you can do if you're an attacker and you control DNS, too. Especially if there are DNS-based access controls in place.

Use of AD in core enterprise infrastructure needs to be rethought in most places.

16/25
Another thing when you're installing that new server, or rebuilding an old one: before you wipe it and install from a fresh ISO from the OS vendor, go into the BIOS and make sure it's set to UEFI, Secure Boot is enabled, and TPM is enabled the way you need it for your OS.

17/25
These things are table stakes for OS security moving forward, and they're much harder to enable after the fact.
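One way to confirm, from inside the freshly installed OS, that the firmware settings from the two tweets above actually took effect. This is an added example, not the author's code: it reads the Linux sysfs and efivarfs paths the kernel exposes, and fake_sysfs() builds a constructed lookalike tree so the check can be exercised offline.

```python
import tempfile
from pathlib import Path

# GUID of the EFI global variable namespace (SecureBoot and SetupMode live here).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def _efivar_byte(efivars, name):
    """Return the single data byte of an EFI variable exposed by efivarfs,
    or None if absent. Each file is 4 bytes of attribute flags, then the data."""
    path = efivars / f"{name}-{EFI_GLOBAL_GUID}"
    if not path.is_file():
        return None
    raw = path.read_bytes()
    return raw[4] if len(raw) >= 5 else None

def boot_posture(root="/"):
    """Report whether the running OS sees UEFI, Secure Boot and a TPM 2.0.
    root is "/" on a real host; tests point it at a constructed sysfs tree."""
    root = Path(root)
    efi = root / "sys/firmware/efi"
    tpm = root / "sys/class/tpm/tpm0"
    sb = _efivar_byte(efi / "efivars", "SecureBoot")
    setup = _efivar_byte(efi / "efivars", "SetupMode")
    version = tpm / "tpm_version_major"        # "2" on TPM 2.0, "1" on TPM 1.2
    posture = {
        "uefi": efi.is_dir(),                  # legacy BIOS/CSM boots never expose this
        "secure_boot": sb == 1 and setup != 1, # enabled and firmware not in setup mode
        "tpm_present": tpm.exists(),
        "tpm_version": version.read_text().strip() if version.is_file() else None,
    }
    posture["ok"] = posture["uefi"] and posture["secure_boot"] and posture["tpm_version"] == "2"
    return posture

def fake_sysfs(uefi=True, secure_boot=True, tpm2=True):
    """Constructed sysfs lookalike in a temp dir so the check runs offline."""
    root = Path(tempfile.mkdtemp())
    if uefi:
        efivars = root / "sys/firmware/efi/efivars"
        efivars.mkdir(parents=True)
        attrs = b"\x07\x00\x00\x00"            # NV + BS + RT attribute flags
        (efivars / f"SecureBoot-{EFI_GLOBAL_GUID}").write_bytes(attrs + bytes([1 if secure_boot else 0]))
        (efivars / f"SetupMode-{EFI_GLOBAL_GUID}").write_bytes(attrs + b"\x00")
    if tpm2:
        tpm = root / "sys/class/tpm/tpm0"
        tpm.mkdir(parents=True)
        (tpm / "tpm_version_major").write_text("2\n")
    return str(root)

if __name__ == "__main__":
    for key, value in boot_posture().items():
        print(f"{key}: {value}")
```

Run it once as part of the post-install checklist; a host reporting ok: False is the one that needs another trip into the BIOS before it gets any further configuration.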

18/25
Then, once you've got things installed, don't add more to it. Infrastructure is like soup -- more stuff doesn't make the soup better, it makes the soup worse.

Good soup and good infrastructure are both stupidly simple.

19/25
This goes 100x for people looking for the mythical "single pane of glass." When you invent one of those you pointlessly tie a lot of stuff together so that they all have to be upgraded together.

Net result: you won't ever upgrade or patch because it's now REALLY HARD.

20/25
If you need to configure your storage system, go to your storage system's management interface to do it.

If you need to work on your backup system, go to the backup management interface.

21/25
Don't tie this stuff together because you also lose isolation. You integrated your backup system into your virtualization management? Neat. Now whoever gets into that (usually via AD) can delete or corrupt all your backups.

22/25
The goal is to make it harder on the enemy, so that it either stops them or makes it take longer to figure your stuff out, and that increases the chance of detection.

23/25
Speaking of detection, you need honeypots in your network. They're fake services that send you an alert when someone scans them. You deploy them and you never touch them. They're great. Look them up.
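A minimal illustration of the "deploy it and never touch it" idea, added here as an example rather than anything from the thread: a fake service that answers with a banner and emits a JSON alert for every connection, because nothing legitimate should ever talk to it. The SMTP banner hostname is constructed, and self_test_probe() exists only to exercise the listener locally.

```python
import json
import socket
import threading
from datetime import datetime, timezone

class Honeypot:
    """Fake TCP service: nothing legitimate connects, so every hit is an alert."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 mx1.corp.example ESMTP\r\n"):
        self.banner, self.alerts = banner, []   # fake SMTP greeting, constructed host
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))            # port 0: the OS picks a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def _handle(self, conn, peer):
        conn.settimeout(2.0)
        try:
            conn.sendall(self.banner)           # a banner makes scanners send a request
            try:
                probe = conn.recv(256)
            except socket.timeout:
                probe = b""
        finally:
            conn.close()
        alert = {"ts": datetime.now(timezone.utc).isoformat(), "honeypot_port": self.port,
                 "src_ip": peer[0], "probe": probe.decode("utf-8", "replace")}
        self.alerts.append(alert)
        print(json.dumps(alert))                # stdout -> syslog/SIEM in real use
        return alert

    def serve(self, max_conns=1):
        """Accept max_conns connections, then close; returns collected alerts."""
        for _ in range(max_conns):
            self._handle(*self.sock.accept())
        self.sock.close()
        return self.alerts

    def serve_in_background(self, max_conns=1):
        t = threading.Thread(target=self.serve, args=(max_conns,), daemon=True)
        t.start()
        return t

def self_test_probe(port, payload=b"EHLO scanner\r\n"):
    """Stand-in for a scanner touching the honeypot, used only to verify it alerts."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner
```

On a real host you would bind to the server's address on a port that looks plausible for the segment (for example Honeypot(host="0.0.0.0", port=2525).serve(max_conns=1000)) and route the printed JSON to whatever already wakes people up at night.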

24/25
But, in all this, don't make it miserable for yourself, either. When you make things miserable to patch, or monitor, or fix, then you won't do those things. That's a problem, too.

Security is a balance, and kind of an art.

25/25
You can follow @plankers.