Tag Archives: Trusted zones

Is Micro-Segmentation the new universal remedy?

28 May 2015

On Saturday, I blogged about globally defined service accounts and their impact on the attack surface. In my opinion, rigorous avoidance of globally defined service accounts, combined with the concept of trusted administration zones, is an effective means to boost IT security.

In the past month I was involved in discussions about a network segmentation, which is a common means to increase IT security. The relatively new and less spread micro-segmentation technology is hailed as universal remedy.

Let me quote briefly from the VMWare white paper ‘Data Center Micro-Segmentation, A Software Defined Data Center Approach for a ”Zero Trust” Security Strategy’:

“Micro-segmentation of the data center network can be a huge help to limit that unauthorized lateral movement”

That’s true, but if you use globally defined service accounts for administration of the systems in segmented networks, the ‘huge help’ will be considerably lower. This is because e.g. the Active Directory services are working on network layers where segmentation has no impact.

The old rule still applies: Isolated security measures do not necessarily increase the overall security level.

But the combination of network segmentation with strict avoidance of globally defined service accounts and trusted administration zones will make the difference.

Have a good day!

Keep the attack surface small – Avoid using globally defined service accounts!

23 May 2015

Restarting a complex application is a tough task, in particular when many interconnected services have to be restarted in the correct order. A restart becomes a great challenge in a mixed Linux/Windows server environment with dozens of databases, applications and web services.

Some application administrators developed a smart tool to simplify restart jobs. A graphical representation of the application system, with services represented as blocks and dependencies as connections between the blocks, allows the controlled restart of single services as well as the entire application system. Even a restart simulation is possible.

For every service a restart procedure is implemented. If the service receives a restart command, the restart procedure on the respective server is executed. Works perfect, even in a mixed Linux/Windows environment.

I first came across this smart tool during a security assessment of a complex application. On a Windows server I found an SSH service which ran in the context of a globally defined service account. This globally defined service account was member of the local administrator group. For security reasons the local login with this service account was disabled. Really clever!

Unfortunately, each globally defined service account increases the attack surface of your IT system. Once an attacker compromises such an account he gets privileged access to every system where the account is used for administrative tasks. In the worst case, without segmentation in trusted zones, an attacker could get access to all your Windows servers.

How to mitigate this vulnerability? The fast way is to ‘Deny login from the network‘ for this service account in addition to ‘deny login locally’. This will hamper an attacker from exploring your network with a compromised account. If an administrator must configure a service he must sign in with his personal administration account. To change the service he has to enter the service account’s password.

In addition I recommend to question the use of globally defined service accounts in general. As mentioned above such accounts increase the attack surface of your IT system.

With this I recommend: Before you use a globally defined service account for an administrative tasks, ask yourself the question: Can I imagine to do this with a locally defined service account?

If your answer is Yes, and the extra effort is low, you should implement the service with a local account. Make this approach mandatory for all IT staff to keep the attack surface of your IT system sustainably small.

Wishing all a Happy Memorial Day weekend!

Some thoughts about ‘Mitigation strategies for data-wiping malware’

21 May 2015

In article ‘Mitigation strategies for data-wiping malware’ published on Security Think Tank in January 2015, Peter Wenham talks about mitigation strategies for data-wiping malware.

Peter’s proposals for creating a prevention strategy, training and strict refusal of local administrator access for employees, can be implemented quickly and at a fair price.

To complement this, companies should add a trusted zone concept for administrative tasks. A server administrator should never sign in to a server from a system at a lower trust level, e.g. from the laptop he uses to connect from outside the company network to a server. A trusted admin zone concept will prevent the lateral drift of attackers within the company network once they got access through e.g. a phishing attack and a RAT (Remote Access Trojan).

Have a good day!

IT Security Matters

Klaus Jochem

Tag Archives: Trusted zones

Is Micro-Segmentation the new universal remedy?

Some thoughts about ‘Mitigation strategies for data-wiping malware’

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: