Remove PowerShell

Wait, what?  Okay, hear me out.  Don’t actually remove PowerShell, just remove version 2.0, and do it at your earliest convenience.  Microsoft deprecated the 2.0 engine back in Windows 10 version 1709, which should be the first clue to get rid of it.  The second clue is what it lacks: script block logging, AMSI scanning, and constrained language mode all arrived in later versions, so anyone who can run powershell.exe -Version 2 gets an engine that the defenses and logging you built around 5.x never see.  Odds are it’s not even being used in your environment, or at the very least, you can remove it from nearly every user system on your network.

The great thing is that the removal is incredibly simple, and you do it from the newer PowerShell that stays behind, because the 2.0 engine is just another optional Windows feature handled by the DISM cmdlets.  From an elevated prompt, check to see if it’s enabled:

Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

Disabling a Windows feature is as easy as checking it:

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

Rerun the check to verify it’s been disabled; the State column should now read Disabled.

Hmm…. Now if only there was a way to deploy a Windows Script to groups via some sort of policy or something of that nature…
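The whole procedure in one script, as an added example that is not from the original post: it first looks for evidence that the 2.0 engine was ever started on the box (engine start events, ID 400 in the “Windows PowerShell” log, record the EngineVersion), then disables both the parent and child feature, then verifies the result two ways, by feature state and by actually attempting the downgrade that an attacker would.  It assumes an elevated Windows PowerShell 5.1 session on Windows 10/11 or Server 2016 and later, and the trailing Windows Server commands are noted only as the server-side equivalent.

```powershell
# Added example for this post, not the author's own script.
# Assumes: elevated Windows PowerShell 5.1 on Windows 10/11 (client SKU), where the
# 2.0 engine is an optional feature managed by the DISM cmdlets.

# 1. Was the v2 engine ever used here? Engine start events (ID 400) in the
#    "Windows PowerShell" log carry the EngineVersion, so v2 use leaves a trace.
$v2Starts = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' }
"v2 engine start events on this host: $(@($v2Starts).Count)"
$v2Starts | Select-Object -First 5 TimeCreated, MachineName | Format-Table -AutoSize

# 2. Current state of the feature, parent (Root) and child.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'MicrosoftWindowsPowerShellV2*' |
    Select-Object FeatureName, State | Format-Table -AutoSize

# 3. Remove it. Child first, then the parent; disabling an already-disabled feature
#    is harmless, and -NoRestart is fine: new powershell.exe processes can no longer
#    load the engine once this returns.
foreach ($name in 'MicrosoftWindowsPowerShellV2', 'MicrosoftWindowsPowerShellV2Root') {
    if ((Get-WindowsOptionalFeature -Online -FeatureName $name).State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
    }
}

# 4. Verify two ways. First the feature state:
(Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State

#    Then the attacker's view: ask a v2 engine for its own version. If the engine is
#    gone, powershell.exe prints a startup error on stderr (discarded here) and
#    nothing comes back on stdout.
$reported = & powershell.exe -Version 2 -NoProfile -NonInteractive -Command '$PSVersionTable.PSVersion.Major' 2>$null
if ($reported -eq 2) {
    Write-Warning 'powershell.exe -Version 2 still starts; the v2 engine is still present'
} else {
    'powershell.exe -Version 2 refused to start, as expected after removal'
}

# Windows Server: the engine is a server feature rather than an optional feature.
#   Get-WindowsFeature PowerShell-V2
#   Uninstall-WindowsFeature PowerShell-V2
```

Step 1 is worth running before step 3 across the fleet: a handful of hosts where an old product still spawns the 2.0 engine will show up in those events, and finding them up front beats finding them from a help desk ticket.  Step 4’s downgrade attempt is also the check to keep around afterwards, since it catches the engine coming back on a rebuilt or re-imaged machine.  The whole thing is what you would hand to a computer startup script or your configuration management tool.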

Data Management Is Important

I like to brag about my background in data management.  I should really work on being humbler in this respect, because I understand databases have changed a metric ton since I last did any real database administration.  Now that we have that out of the way, managing data has made me much more useful in information security, and I didn’t start realizing this until more recently, as I’m doing a lot of work around events, correlation, and looking at relationships between systems that aren’t integrated with each other (although they could and should be).

What’s a data dude to do when all these systems aren’t integrated, and we’re getting overloaded with data because we can’t establish a baseline?  I have a gigantic internal conflict happening at the moment.  In every talk I’ve done over the past couple of years, I’ve argued against doing exactly what I’m about to say, but we only live once, so screw it.  Log the hell out of everything you can possibly find on your network.  Dump it all into whatever you can dump it into and start working toward your normal baseline.  This might not work everywhere, but it’s horrendously important when walking into a new environment, because it’s the fastest way to find what normal looks like.  Weed through that normal, and then start building your behavioral detections on top of it.

Eventually, you will get that baseline, and you will need to start blocking things.  That’s going to be scary as hell, but trust me, it will not be as bad as it seems as long as you work your ass off to resolve issues immediately and do not drag your feet in the process.  Dragging your feet only loses you credibility (lose your credibility with IT ops and your life just became hell), so bite the rollout bullet and make it as smooth as possible, knowing there are going to be lumps.  Plan for them, so you can compensate for that week or month of being overworked with some kind of supplemental time off, so your employees are able to decompress.

Coming soon, we’re going to look at ways to get at the data, and start turning that into some actionable items you can work through so you can eliminate false positives and look for things in the areas you should be looking and not chasing a ghost in the house of mirrors.

Vulnerability Management Pt. 1

We’ve established that one thing I absolutely hate is inventory management, but with a few tricks up my sleeve it can become so much easier.  First, let’s look at device information, and what we’re missing.

Windows Management Instrumentation

Windows Management Instrumentation (WMI) is an amazing part of the Windows OS.  I’m amazed at the amount of information that can be pulled out of WMI, but also at the number of IT administrators out there who still don’t realize it’s there.  When I started moving into server administration, WMI became an important part of my day-to-day operations.  After moving into Infosec, I use it just as much to gather information on domain systems that isn’t readily available elsewhere, which helps me manage vulnerabilities.

In every talk I give on this topic, I seem to come back to the same classes for obtaining system information.

  • Win32_OperatingSystem
  • Win32_ComputerSystem
  • Win32_Process
  • Win32_Service
  • Win32_BIOS

Of these five Win32 classes, I pull the most information out of the OperatingSystem, BIOS, and ComputerSystem classes.

Putting it to work

The easiest way to get information out of WMI is with PowerShell’s Get-WmiObject cmdlet.  Example:

Get-WmiObject -Class Win32_ComputerSystem

This returns the basics about the computer itself: name, domain, manufacturer, model, and so on.  Take advantage of PowerShell’s pipeline to export the data to CSV with Export-Csv, export to Excel using Doug Finke’s ImportExcel module, or drive Excel directly through COM.  In my case, I have a local SQL database installed, and will export to CSV and import the data.  One caveat: Get-WmiObject has been deprecated since PowerShell 3.0 and does not exist at all in PowerShell 7, so for anything you want to keep running, use Get-CimInstance -ClassName Win32_ComputerSystem instead.  Same classes, same properties.

To get the data out of the computers on your network via WMI, add the -ComputerName parameter.  Combine it with the Get-ADComputer cmdlet (from the ActiveDirectory module) and you can read the data from every system joined to the domain.  Be aware that Get-WmiObject reaches remote hosts over DCOM (RPC port 135 plus dynamic ports), while Get-CimInstance defaults to WinRM (TCP 5985), so your firewall rules decide which one works for you.  We’ll put that to use later on in this series.

For more information head over to the Win32 Provider’s MSDN Page.
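Putting the three classes I lean on most together with Get-ADComputer and a CSV export, as an added example that is not the author’s script: a hypothetical Get-HostInventory function that pulls Win32_OperatingSystem, Win32_ComputerSystem and Win32_BIOS from each domain computer, keeps the hosts that did not answer in the report instead of silently dropping them, and writes everything to a fixed set of columns so the CSV loads cleanly into SQL or Excel.  It assumes the ActiveDirectory RSAT module, an account with WMI rights on the targets, and WinRM reachable on them (the -Protocol Dcom switch falls back to what Get-WmiObject uses); inventory.csv is just an assumed output path.

```powershell
# Added example for this post, not the author's script.
# Assumes: ActiveDirectory module (Get-ADComputer), WMI rights on the targets, WinRM
# reachable (or -Protocol Dcom where it is not). Get-CimInstance is used instead of
# Get-WmiObject: same Win32 classes, but it still exists in PowerShell 7.

function Get-HostInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $ComputerName,
        [ValidateSet('Wsman', 'Dcom')] [string] $Protocol = 'Wsman',   # Dcom = Get-WmiObject's transport
        [int] $TimeoutSec = 30
    )
    process {
        # Fixed column set so Export-Csv writes the same header whether or not a host answered.
        $row = [ordered]@{
            ComputerName = $ComputerName; Hostname = $null; Domain = $null
            Manufacturer = $null; Model = $null; SerialNumber = $null; BIOSVersion = $null
            OSName = $null; OSVersion = $null; OSBuild = $null; OSArch = $null
            InstallDate = $null; LastBoot = $null
            Collected = (Get-Date).ToUniversalTime(); Status = 'OK'
        }
        $session = $null
        try {
            # One CIM session per host: a dead host costs one timeout, not one per class.
            $opt = New-CimSessionOption -Protocol $Protocol
            $session = New-CimSession -ComputerName $ComputerName -SessionOption $opt -OperationTimeoutSec $TimeoutSec -ErrorAction Stop
            $os   = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
            $cs   = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem  -ErrorAction Stop
            $bios = Get-CimInstance -CimSession $session -ClassName Win32_BIOS            -ErrorAction Stop

            $row.Hostname     = $cs.Name
            $row.Domain       = $cs.Domain
            $row.Manufacturer = $cs.Manufacturer
            $row.Model        = $cs.Model
            $row.SerialNumber = $bios.SerialNumber
            $row.BIOSVersion  = $bios.SMBIOSBIOSVersion
            $row.OSName       = $os.Caption
            $row.OSVersion    = $os.Version
            $row.OSBuild      = $os.BuildNumber
            $row.OSArch       = $os.OSArchitecture
            $row.InstallDate  = $os.InstallDate      # CIM cmdlets already return DateTime here
            $row.LastBoot     = $os.LastBootUpTime
        }
        catch {
            # Unreachable or access-denied hosts stay in the report: a domain member that
            # will not answer WMI is itself something the inventory needs to show.
            $row.Status = "ERROR: $($_.Exception.Message)"
        }
        finally {
            if ($session) { Remove-CimSession $session }
        }
        [pscustomobject]$row
    }
}

# Every enabled, domain-joined Windows computer, straight out of AD and into a CSV.
Get-ADComputer -Filter "Enabled -eq 'True' -and OperatingSystem -like 'Windows*'" -Properties OperatingSystem |
    Select-Object -ExpandProperty DNSHostName |
    Get-HostInventory |
    Export-Csv -Path .\inventory.csv -NoTypeInformation -Encoding UTF8

# First triage pass once the CSV exists: who did not answer, and what builds are out there?
$inv = Import-Csv .\inventory.csv
$inv | Where-Object Status -ne 'OK' | Select-Object ComputerName, Status
$inv | Where-Object Status -eq 'OK' | Group-Object OSName, OSBuild |
    Sort-Object Count -Descending | Select-Object Count, Name
```

The two triage queries at the end are the point of collecting the data at all: the ERROR rows are hosts that exist in AD but could not be inventoried (decommissioned objects, firewalled segments, or something that is not a Windows machine at all), and the build breakdown is what lets you answer “how many of ours are affected?” within minutes of a new critical vulnerability dropping, with OSBuild and SerialNumber giving you the specific machines to go chase.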

Now the why

Although it sounds a bit cliché, it really is impossible to protect what you don’t know you have.  Doing this gets admins back to one of the fundamentals of information security: understanding what is on the network.  If there is one thing I’ve learned, even though I hate inventory, it is a great feeling to know the impact to the systems on my network the moment a new critical vulnerability is released.  Using PowerShell and WMI lets me understand what exists without relying on expensive tools to do it for me, and I can carry my scripts over to any Windows domain I’m working with relatively easily.

Experiment with the different WMI classes, and see what more useful information can be pulled.  In the next part in this series, we’ll start looking at how to track vulnerabilities uncovered as a part of the inventory process.

EYE H8 Inventory

For the first part of this multi-part series on vulnerability management we’re going to take a trip down memory lane.  There was a time when I worked retail, and was somewhat decent at it.  The one part I hated more than anything was managing the inventory, and the monthly checklists of going through the stock to discover there was an item that was a whopping 95 cents that I had to adjust for.  At that point in my life, I knew that retail job was going to be a stepping stone into computers, and I was able to escape.

What the hell?!?  The first thing they wanted me to do when I got onto the help desk was to take an inventory of all systems and compare the serial numbers and locations to what we had on site.  I thought I was escaping this life, but there I was again with a checklist, working a swing shift, trying to account for the inventory and making sure no one had walked off with it or swapped in a different system that wasn’t accounted for.

Now for the fun fact for the people out there like me that hate doing inventory tasks.  It’s really really super duper important when managing enterprise vulnerabilities.  If it’s not accurate, the group in charge of managing vulnerabilities is going to have a ton of difficulties, and nothing is ever going to get accomplished in a reasonable amount of time.  After having built vulnerability management programs, I have come to respect that inventory management process.

Vulnerability management is a passion of mine, and something that will be a constant topic on this site moving forward.  Without properly managing vulnerabilities on the network, Infosec and IT teams (where Infosec is not readily available) end up running in circles, and often have difficulties getting the buy in necessary to build security functions into their daily operations.  They can also end up being seen as crying wolf every time a new major vulnerability drops, and they need to stop everything to run out to get it patched with no metrics on impact and success rates.  We’ll get to the tracking part later, we gotta start small…

The upcoming part one of vulnerability management will look at ways to fingerprint the devices on your networks when you need to, using some scripts and network tools, even if you can’t get to the physical location where the equipment is stored.  Once we know what we have, we can start looking for ways to keep tabs on them.