Chapter 9 - 04 - Application Security Testing Techniques and Tools - 04_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Application Security Exam 212-82

Using ManageEngine Desktop Central for Application Blacklisting

▪ Desktop Central helps in restricting the usage of blacklisted applications as well as portable executables, which can be accessed without installation

Block Executable Features
Enables security professionals to block the required applications/executables using the following:
▪ Path rules
▪ Hash values

https://www.manageengine.com

Using ManageEngine Desktop Central for Application Blacklisting (Cont’d)

Prohibited Software Feature
▪ Enables automatic detection and removal of blacklisted applications (prohibited applications)
▪ Security professionals can perform the following:
  o Identify blacklisted application in the network
  o Blacklist applications and block blacklisted applications
  o Auto-uninstall the blacklisted applications
  o Exempt computers from the auto-uninstallation routine
  o Generate a report on prohibited software
Using ManageEngine Desktop Central for Application Blacklisting

Source: https://www.manageengine.com

ManageEngine Desktop Central prevents blacklisted applications based on the organization’s policies. It helps in restricting the usage of blacklisted applications as well as portable executables, which can be accessed without installation. The Block Executable and Prohibit Software features of ManageEngine Desktop Central can be used for Application Blacklisting.

Module 09 Page 1203 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Block Executable Feature

The Block Executable feature enables security professionals to block applications/executables. It is possible to block executables in all computers or block them for specific users/computers. There are two methods to block an executable/application.

▪ A path rule can be used to block all versions of specific applications based on the name of the executable and its file extension.
▪ A hash value can be used to block executables even if they are renamed.
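The difference between the two rule types, as an added example that is not part of the course text or Desktop Central's own code: a small Python model evaluates a path rule and a hash rule against a constructed inventory and reports which rule, if any, would block each file. The file names, byte strings, rule sets and the use of SHA-256 are assumptions for illustration.

```python
import hashlib
import ntpath

# Constructed stand-ins for executable contents; not real binaries.
TOOL_V1 = b"MZ constructed sample: portable tool build 1.0"
TOOL_V2 = b"MZ constructed sample: portable tool build 2.0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical policy store (assumption, not a Desktop Central format).
# Path rule: executable name plus extension. Hash rule: digest of one build.
PATH_RULES = {"portabletool.exe"}
HASH_RULES = {sha256_hex(TOOL_V1)}


def matched_rules(path, content, use_path=True, use_hash=True):
    """Return the rule types that would block this file."""
    hits = []
    name = ntpath.basename(path).lower()  # Windows file names are case-insensitive
    if use_path and name in PATH_RULES:
        hits.append("path")
    if use_hash and sha256_hex(content) in HASH_RULES:
        hits.append("hash")
    return hits


# Constructed endpoint inventory: (label, path, content).
INVENTORY = [
    ("known build, original name", r"C:\Users\a\Downloads\PortableTool.exe", TOOL_V1),
    ("known build, renamed", r"D:\usb\notes.exe", TOOL_V1),
    ("new build, original name", r"C:\Temp\portabletool.exe", TOOL_V2),
    ("new build, renamed", r"D:\usb\report.exe", TOOL_V2),
]


def coverage(use_path=True, use_hash=True):
    """Map each inventory label to the rule types that block it."""
    return {label: matched_rules(path, content, use_path, use_hash)
            for label, path, content in INVENTORY}


if __name__ == "__main__":
    for label, hits in coverage().items():
        verdict = "blocked by " + "+".join(hits) if hits else "not blocked"
        print(f"{label:28} -> {verdict}")
```

Running it with `use_hash=False` or `use_path=False` shows what each rule type covers when deployed alone.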
Figure 9.17: Screenshot of ManageEngine Desktop Central

Steps to Block an Executable/Application Using the Block Executable Feature

▪ Create a policy
  Create a policy to block an executable for a specific target. Creating a policy involves selecting the target system, selecting and adding the executable to the list, and applying the block rule as a path or hash. It is possible to create two different policies for a single executable, where one uses a path rule and the other uses a hash rule. The system must be restarted to let the changes take effect.
▪ Block executables for all users/computers
  By default, Desktop Central features a custom group that comprises all the managed systems. Choose the All Managed Computers group and select the executable to be blocked if the blocking is to be applied to all the managed systems. Create a policy by specifying the target and the executable to be blocked.
▪ Block executable for specific users/computers
  Create a new custom group or use existing custom groups to block an executable only for specific targets (users or computers). Create a policy by specifying the target and the executable to be blocked.

Prerequisites for Blocking Executables/Applications

▪ Enable Local Group Policy on the target machine
  o Go to Run.
  o Enter gpedit.msc.
  o Click Group Policy.
  o Click Turn Off Local Group Policy Objects Processing in the right pane.
Figure 9.18: Select “Turn Off Local Group Policy Objects Processing” Policy Setting

  o Choose Not Configured and click OK.

Help text shown in the policy dialog (supported on at least Windows Vista): This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings.
These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-based GPOs are applied. If you enable this policy setting, the system does not process and apply any Local GPOs. If you disable or do not configure this policy setting, Local GPOs continue to be applied. Note: For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup.

Figure 9.19: Selecting Not Configured option

▪ Enable Local Group Policy on the target system
  o Right-click Local Computer Policy in the Local Group Policy Editor, select Properties, and check Disable Computer Configuration Settings.

Figure 9.20: Disabling Computer Configuration Settings

▪ Set the default security policy as “Unrestricted”
  o Go to Local Computer Policy → Windows Settings → Security Settings → Software Restriction Policies.
  o Click Security Levels and double-click Unrestricted in the right-side pane.
Figure 9.21: Setting Security Levels

  o Click Set as Default in Unrestricted Properties window and click OK.

Figure 9.22: Setting the Properties of “Unrestricted” Security Level

▪ Enable Local Group Policy for the administrator
  o Go to Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Software Restriction Policy.
  o Double-click Unrestricted in the right-side pane.
  o Click Set as Default in Unrestricted Properties window and click OK.

Figure 9.23: Applying Software Restriction Policies to All Users

  o Double-click Enforcement and select All Users.
  o Click OK.

Prohibit Software Features

ManageEngine Desktop Central’s Prohibited Software feature or module fully automates the detection and removal of prohibited applications.

Steps to Prohibit Applications Using Prohibit Software Feature

▪ Add prohibited software to a list
  o Navigate to Prohibit Software from the Inventory tab to view the details of all the software that have already been prohibited.
  o Click Add Prohibited Software.
    The dialog Add Prohibited Software lists all the software detected in the managed systems. Scan the OS at least once to know the details of the software here.

Figure 9.24: Add Available Software to Prohibited Software

  o Select the software and move it to the Prohibited List to be blacklisted. Adding a Software Group under the Prohibited Software List blacklists all the software in that group.
  o Click Update to confirm the addition of the software to the prohibited list.
▪ Auto-uninstall the identified prohibited application
  The steps below should be followed to configure the auto-uninstall policy to automatically uninstall prohibited software detected on the system.
  o Select the Auto-Uninstall Policy tab and check Enable Automatic Uninstallation.
  o Specify the maximum number of software that can be uninstalled from a system during the subsequent refresh cycle.
    Note: Increasing the number of software will cause high CPU usage during uninstallation. If the prohibited software count is detected to exceed the allowed maximum number of software to be uninstalled, the remaining software will be uninstalled during the subsequent startup.
  o Check Notify User before Uninstalling and specify a custom message to prompt the user before the software uninstallation.
    Note: The user is given an alert message during login and whenever the agent identifies prohibited software. This functionality is applicable only if the Notify User Settings is configured.
  o Specify a number for the wait window for software uninstallation if the software are to be removed a few days after detection.
  o Click Save.
    By default, the auto-uninstallation option is available for .msi and .exe applications and requires silent switches.
  o Steps to auto-uninstall .exe-based software
    • Select the Prohibited SW tab and click Not Configured link under Uninstall command against the .exe application.
    • The Add/Edit Uninstall Command window pops up.
    • Choose any one of the following options:
      » Pre-fill Uninstall Command—This command fetches the uninstall command of the Add/Remove Programs application and displays it. Specify only the silent switch.
      » I Will Specify Myself—Enter the uninstall command and silent switch manually. Test the uninstallation command manually to verify its correctness.
    • Click Save.
    • Verify the status in the Auto Uninstallation Status tab.
      Note: The uninstallation occurs based on the configured auto-uninstall policy.
    • Select Detailed View under Auto Uninstallation Status to view the status and remarks.
      Note: Uninstalling a software by configuring the auto-uninstall policy does not prevent users from installing a software. Once a software is installed, it will get uninstalled automatically.
▪ Exempt computers from auto-uninstallation routine
  The following are the steps to exempt computers from the auto-uninstallation routine to allow the usage of prohibited software for certain users:
  o Navigate to Prohibit Software from the Inventory tab to view the details of all the software that are already prohibited.
  o Select the checkbox corresponding to the specified software and click the link under the Exclusions column to open the Add Exclusions dialog.
  o Select whether to exclude custom groups or computers, select the groups/computers, and move them to the Excluded list.
  o Click Save.
▪ Approve requests to use prohibited software
  o Select the specific prohibited software from the list of prohibited software from the agent tray icon.
  o Handle requests from Desktop Central web console → Inventory → Prohibit Software → User Requests.
    Users are allowed to install and use the prohibited software they request once the request is approved.
▪ Notify admin and end users when prohibited software is detected
  The following are the steps to notify the admin and end users when prohibited software is detected:
  o Navigate to the Inventory tab.
  o Click Configure E-mail Alerts in the left pane under Actions/Settings.
  o Under Notifications, specify when the notifications should be sent, and configure alerts based on requirements.
  o Specify the email address or addresses to which the notifications must be sent.
  o Click Save.
▪ Generate a report on prohibited software
  The following are the steps to generate a report on prohibited software to find the computers in the network using applications at any point of time:
  o Select the Inventory tab.
  o Choose the Prohibited Software link under the Software Reports category by moving the mouse over Inventory Reports.
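A check for two of the settings listed under “Prerequisites for Blocking Executables/Applications” (default security level Unrestricted, enforcement applied to All Users), as an added example that is not part of the course text or Desktop Central: it parses `reg query` output for the Software Restriction Policies key and reports drift. The registry key and value names are the standard Windows storage for these settings and do not come from the page; the two outputs and host names are constructed.

```python
import re

# Registry key where Windows keeps machine-wide Software Restriction Policies
# settings. Standard Windows location; not taken from the course page.
SRP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

LEVELS = {0x0: "Disallowed", 0x20000: "Basic User", 0x40000: "Unrestricted"}
SCOPES = {0x0: "All users", 0x1: "All users except local administrators"}

# Constructed `reg query "<SRP_KEY>"` output from two hypothetical endpoints.
SAMPLE_READY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    DefaultLevel    REG_DWORD    0x40000
    PolicyScope    REG_DWORD    0x0
"""
SAMPLE_DRIFTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    DefaultLevel    REG_DWORD    0x0
    PolicyScope    REG_DWORD    0x1
"""

DWORD_LINE = re.compile(
    r"^[ \t]+(\w+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)[ \t]*\r?$", re.M)


def parse_dwords(reg_output):
    """Map each REG_DWORD value name in `reg query` output to its integer."""
    return {name: int(raw, 16) for name, raw in DWORD_LINE.findall(reg_output)}


def check_prerequisites(reg_output):
    """Return findings; an empty list means both settings match the steps."""
    values = parse_dwords(reg_output)
    findings = []
    for name, wanted, labels in (("DefaultLevel", 0x40000, LEVELS),
                                 ("PolicyScope", 0x0, SCOPES)):
        got = values.get(name)
        if got is None:
            findings.append(f"{name}: not set (policy not configured)")
        elif got != wanted:
            findings.append(f"{name}: {labels.get(got, hex(got))}, "
                            f"expected {labels[wanted]}")
    return findings


if __name__ == "__main__":
    for host, output in (("ready-pc", SAMPLE_READY),
                         ("drifted-pc", SAMPLE_DRIFTED)):
        print(host, check_prerequisites(output) or "prerequisites met")
```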
