Cyber Hygiene Basics

The following is a list of very simple cyber security things you can do to protect your digital life.

  1. Use a password manager.  I recommend LastPass as it is exceedingly useful, accessible from many devices and relatively cheap.  $2/month for premium users and includes feature called Security Challenge which allows you to evaluate the strength of your credentials.
  2. Patch and patch often, in fact just set windows update to automatic!  (Windows 7 and Vista, Windows 10)
  3. Anti-malware… Windows Defender (SCEP) comes standard on Windows 10 and you should be using it!
  4. Firewall… if it is disabled, you’ll have trouble.  Enable it and keep it running!
  5. Do not plug USB Flash/Thumb drives in that you do not own or are certain where it is coming from.
  6. Same goes for unknown software.  Be sure you are aware of what you’re installing and that it comes from a solid source.
  7. Do not click on links within emails!!!!  If you want to go to some site like your bank or something, open a web browser separately and access your bank the “normal” way you’ve been trained to do.  Even if the email looks legit… never click on the links!
  8. Never trust “open” or free wifi!!!!!   Look into tethering your cell phone’s data to your laptop or tablet rather than using that “free” internet from the local internet cafe.  If you’ve been trained in network security and protecting yourself, then you can get away with the risk… but if you are not… please do not connect to free wifi!
  9. Backup, backup, and backup!  Use a good online backup service like Crashplan to keep copies of your data.  They are cheap, roughly $10/month/device, but it is well worth the cost if your laptop is stolen, destroyed or hacked.

Lastly, I want to leave you with the simplest recommendation of all… keep track of all your computers and devices!

pfSense Firewall Rules for Tanium

This is a short article, more to capture the data than anything.

The following screenshot is the simple setup for adding a firewall rule to pfSense to allow Tanium traffic through.

12-23-2016 9-03-49 AM

The settings boil down to allowing all traffic on destination port 17472 to pass through to the specified destination ip address.

Monitoring Endpoint OS Changes

Microsoft has become rather aggressive with updating endpoints with their newest Windows 10 operating system.  As a result, I’ve had friends and family complain about waking up one morning to a whole bunch of changes to their computers.  Since these people are all attached to my lab instance of Tanium… figured I’d setup Tanium to monitor for these… so when I get these calls, I can sound more knowledgeable about their plight.

Monitoring this type of thing involves knowing what information you’d like to watch for… in this case

Get Computer Name and Operating System and Operating System Build Number from all machines

Saving this as a saved question, if monitored, would notify me whenever a major update gets delivered to computers under my management. 

To setup monitoring, you’ll need to have Tanium Connect:

  1. Setup a new Connection with Saved Question as the data source.  Use the saved question you saved above.
  2. MOST IMPORTANT, you’ll need to setup a “filter” for New Items with whatever learning period you’d like.  Larger the environment the longer you should set your learning period.
  3. My data destination is Email, but you could use any destination you use for monitoring.

That’s it.  Now whenever any of my managed endpoints have major updates delivered to them, i will receive an email with the computers name, OS, and build version.

Surveillance and Ubiquiti Video

My upcoming new office and home-lab space has inspired me to review some of my past technology choices.  The first review comes in the form of video monitoring.

The setup I’m using at my current home involves a NightOwl 16-camera DVR with cheap BNC cameras.  I was very pleased with it until I went to extend or even check for software updates… then I hit a serious brick wall!  I learned it is basically a cheap DVR that hasn’t been updated in, at least, a decade.  Well behind the curve for this tech geek.  Time to upgrade!

I began my research where I began… a DVR, but this time I’d have it professionally installed.  Well… the cost started to pile up very quickly.  At the end of the quote, each of the 7 cameras were going to cost $450 each!  That is insane!!  Back to the drawing board.

Having a fondness for networking, I started researching IP cameras again.  I’ve played with IP Camera software before (Blue Iris) and figured if I ever started over, I’d go that route.  My research quickly brought me back to them as a possible option.  I also discovered that my Synology NAS had a plugin Surveillance Station.  Ultimately I realized that IP Cameras were the direction I wanted to go and this was perfect timing for our new home construction.  I switched from the DVR/cameras to purely Cat6 network drops.  IMG_0065Tons of IP Cameras had PoE capabilities so I wasn’t concerned with powering them.  On the plus side, IP Cameras may range in price… but even the best options are below $450 per camera.

After research, I ordered a camera I thought had all the interesting features… A Ubiquiti Unifi G3 Dome camera.  Picked for the fact that it was an IP Camera, Wide angle lense and PoE.  Initial review… I am blown away by this camera, quality and features.

IMG_0066

It all starts with their software.  It requires either one of their NVR devices to connect, record and manage the camera or a Windows, Ubuntu or Debian computer running their NVR software which is free.  I installed it onto my workstation since I’m currently evaluating… and connected to the camera almost instantly.

I installed their iOS app and it was effortless to point it at my workstation where the NVR software was running and start viewing the camera.  This software blows NightOwl out of the water and well it should as NightOwl’s app is old as dirt.

I have only scratched the surface of what this camera and software can do… but I will be modifying my network diagram to include a custom built Ubuntu 1U server with DVR hard drives to run the NVR software locally.  Plus side, is the Ubuntu server I’m designing can be managed from my Tanium infrastructure and all the benefits that goes with that are included with this setup.

As a treat, here are a few of the images I captured from the iOS software after connecting to the Workstation NVR.

IMG_0074IMG_0073IMG_0071IMG_0069

Moran IT Content Signing

Tanium content published by Moran IT is signed with our organizations private key.  By placing our public key within a special directory of your server, you can safely import content Moran IT has signed and published.

We have put together a zip file with our public keys and an installer batch script.  If you download the zip file to your Tanium server and execute the batch script, as administrator, your infrastructure will be updated to accept signed content from Moran IT.

This content is published and shared on the Tanium Community website, and adding our keys keeps the security of content delivered from Moran IT safe.

If you would like to setup your own signing keys and process… feel free to ask questions here or contact your TAM and mention this blog.

If you’d like to explore the various solutions I’ve built for Tanium, you can browse them here.

Configuring Windows Update with Tanium

There really is only two ways to configure the Windows Update Agent:  Manually through UI or the Windows Update API.  Unfortunately as an enterprise admin, you need to use command line utilities to configure endpoints and Microsoft does not provide that.  Thus, I’ve put together a really quick command line utility that uses the Windows Update API to allow you to configure using our favorite platform… Tanium.

Download Solution Pack

First thing you must do is download the entire Tanium solution pack for Windows Update.   Once you’ve downloaded the Windows_Update.xml, you must import it through your Console->Authoring->Import Content.

wu1

You’ll find it contains multiple sensors, packages and saved questions for reading and changing the configuration.

Ensure Package Files Download

wu2One of the packages requires external files that are downloaded from files.danielheth.com.  These files are served up via https and thus you must configure my Certificate Authority in order for your Tanium Server to properly download from that location.  You must also configure a White Listed URL as well.  You can read more about doing this at https://danielheth.com/2015/02/02/secure-downloading-of-package-files-with-tanium/

OR you can simply download the three files manually and update the Distribute Windows Update Tools package.  We will explore this second option in this article:

Download all following files:

  1. https://files.danielheth.com/7za.exe
  2. https://files.danielheth.com/install-wu4tanium.vbs
  3. https://files.danielheth.com/wu4tanium.zip

Then edit the Distribute Windows Update Tools package by going to Console->Authoring->Packages, filtering by “Distribute Windows Update Tools” and edit the correct package.  Then “Delete” all three files linked to this package…

wu3

Now we will “Add Local Files…” for each of the three files we downloaded earlier.

wu4

Now that we have all three “local” files uploaded into the package we’re ready to start using this solution…

Windows Update Dashboard

Included in the solution pack is a new dashboard which groups all the functionality together in a single location.  Browse to that dashboard by looking under “Other Dashboards” and finding the one called Windows Update.

wu5

As you can see from the screenshot, there are two included saved questions.  One lets you know about the installation status of the special utility we’re using and the other uses that utility to return the current status of the Windows Update Agent using the API.

Deploy Windows Update Tools

I already have one system deployed with the utility, but my other 9+ systems do not have it.  I can drill down to determine what the names of these systems are and distribute to specific machines, but I want my entire infrastructure to have this utility.  Thus I will right click on the “No” answer and deploy the package we edited before, the Distribute Windows Update Tools package.  Complete the deployment of that action and within 10 or so minutes, you should start seeing the Windows Update Configuration appear in the right answer grid.

wu6

Configure Windows Update Status

The Windows Update Agent has a few modes of operation:

  • Not Configured means “not configured” by the user or by a Group Policy administrator.  Users are periodically prompted to configure Automatic Updates.
  • Disabled is self explanatory… Users are not notified of important updates for the computer.
  • Notify Before Download prompts users to approve updates before it downloads or installs the updates.
  • Notify Before Installation will download the updates but prompt users to approve the updates before installation.
  • Scheduled Installation will automatically install updates according to the schedule that is configured by the user or by the wu4tanium utility.

To make changing this mode-of-operation status easy, I’ve included a Configure Windows Update Status package with the above described options.  Select the configuration answers that are not configured as you want and launch this package to change it.

wu7

Configure Windows Update Schedule

If you chose to schedule the automatic installation of updates you can use the Configure Windows Update Schedule package to change the day and time updates will install.

I would like all my systems to download and automatically install updates every day at 1am.  To do that, select all the configurations that do not match your desires, Right click and Deploy Action.  Select the Configure Windows Update Schedule package from the dropdown and two parameters will appear.  One to specify the day of the week and the other the hour.  The hour is specified in 24-hour “military” time and is only configurable for on-the-hour.

wu8

After 10 minutes, the Windows Update Configuration answer grid will start updating with the newly configured schedule.  The Windows Update Config sensor is set with a max age of 10min, thus we must wait that long before the sensors script is executed again and the new configuration starts appearing in the answer grid.

Conclusion

I hope this helps those of you who wish to use the Windows Update Agent to update your systems rather than using a more involved patching solution. 

Note that this solution DOES NOT USE the Tanium file/shard downloading functionality… each endpoint will download updates directly from Microsoft.

Also I have only tested this on Windows 7 systems.  It is possible the Windows Update API will not function as coded on other versions of Windows.  If you wish to view the code for the wu4tanium utility, it is available on github.  Feel free to fork that project to add functionality or compatibility with other versions of Windows.