How To Safely Block Service Accounts with Symantec DCS

Access Denied

Why block specific users from logging on interactively to systems using Symantec’s Data Center Security Server (DCS), also known as Critical System Protection (CSP)?

Answer: Service Accounts

Windows service accounts are prized by malicious actors because, more often than not, they have elevated privileges and are exempt from the password change policy. Admins use various tools and methods to address the password change issue, but there is often uncertainty about whether holes remain that could still be exploited. I’ve seen some of the best IT shops in the world still fall victim to a breach because of a hacked service account. How do we address this without going crazy on scripting and expensive tools that solve only one aspect of the service account issue?

Unfortunately, AD treats service accounts no differently from user accounts, because they are the same thing… but you knew that already. The point is that their function is completely different. Service accounts do not need to access a desktop, browse the internet, or change files or the registry. Yet they can do all of those things and easily escape security oversight, because it is normal to see service account activity in the AD Security event logs.

Symantec’s Data Center Security Server is known for hardening systems and applications. What may not be clear is its ability to control what users can and cannot do based on AD users and groups, sometimes referred to as “privilege de-escalation”.

The good news is that it’s relatively simple to accomplish in under 15 minutes!

Here’s a quick how-to on getting it done!

In the Prevention Policy section of the Console, click on the “Add” button.

Launch the Custom Policy Builder

Block Users 2

Name the new policy whatever you want, like “Block Windows Users”.

Block Users 3

Add a new Application Rule. For the “Type” select Application.

Block Users 4

Give the Application Rule a name like “Allow Services to Start”.

Allow services to start 5.1

In the Process List click on the “Add” button
-> For the Program Path enter an asterisk * 
-> Leave the User Name field blank for now.

Block Users 6

Click OK. Then click the “Add” button in the bottom right corner to save the rule.
-> Make sure to change the Sandbox to “Full Control with Self Protect Enabled” under the Generic section of the drop-down list:

Block_Users_5-2

Add a second Application Rule. For the “Type” select Application.

Block Users 4

Give the Application Rule a name like “Block All Applications for Specific Users”.

Block Users 5

In the Process List click on the “Add” button
-> For the Program Path enter an asterisk * 
-> Leave the User Name field blank for now.

Block Users 6

Click OK. Then click the “Add” button in the bottom right corner to save the rule. You don’t need to add another process or program.
-> Make sure to change the Sandbox to “Deny Sandbox” under the Generic section of the drop-down list:

Block Users 7

You should now have 2 rules in your Application Rules list:

Block_Users_5-3

Now click on the Save button to save the policy.
______________

We’re not done yet…

_____________

Next step: Edit the custom policy you just created

Click on the Advanced button in the bottom right-hand corner so that you see all the options in the policy.
-> Click on the “My Custom Sandboxes and Lists” link.

Block Users 8

Click on the Plus sign

Block Users 9

-> For the “Display Name” you can put anything you want that makes sense.
-> For the “Category” it’s very important to choose “This is a list of items to be referenced later”
-> For the “Identifier” you cannot have any spaces so I use underscores. In my example I use lowercase blocked_users

Block Users 10

Click on the Finish button.
Now we have our new list. Notice the name it is given in brackets: [gen_blocked_users_list]. The blocked_users identifier is automatically prefixed with gen_ and suffixed with _list. This is the name we need to use in the Application Rule.

Block Users 11

Go ahead and edit the list by clicking on the blue Edit[+]
-> Tick the checkbox to enable the list.
-> Add your users in this list.

Block Users 12

Create a second list for the services that you want to protect:

Click on the Plus sign

Block Users 9

-> For the “Display Name” you can put anything you want that makes sense.
-> For the “Category” it’s very important to choose “This is a list of items to be referenced later”
-> For the “Identifier” you cannot have any spaces so I use underscores. In my example I use lowercase protected_services

Block_Users_10-1

Click on the Finish button.
Now we have our second list. Notice the name it is given in brackets: [gen_protected_services_list]. The protected_services identifier is automatically prefixed with gen_ and suffixed with _list, just as before. This is the name we need to use in the Application Rule.

Block_Users_11-1

Edit the list by clicking on the blue Edit[+]
-> Tick the checkbox to enable the list.
-> Add the process path of each service to this list. In my example I’m protecting the FileZilla FTP Server service.

Block_Users_12-1

You can manage the list of services in Excel as a CSV file, then use the Export and Import features to update the list.
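
The two lists can be seeded from the systems themselves rather than typed in by hand. The following PowerShell script is an added example, not code from the original post or from Symantec: it reads every Windows service from the Win32_Service CIM class, keeps those that run under a real user or domain account (LocalSystem, the NT AUTHORITY\ built-in identities and NT SERVICE\ virtual accounts are skipped), strips the arguments from each service command line, and writes the distinct account names and the distinct service executables to two CSV files for review before import. The CSV column layout that DCS expects on Import is an assumption; match it to what the console’s Export produces. The output file names are my own choice.

```powershell
# Added example (not part of the original post): inventory services that run under
# user or domain accounts and emit candidate blocked_users / protected_services lists.
# Read-only: it changes nothing on the host.
param(
    [string]$OutDir = $PWD.Path   # where the two CSV files are written (assumed layout)
)

# Strip arguments from a service PathName so only the executable remains.
# Handles both quoted ("C:\Program Files\x\svc.exe" -arg) and unquoted forms.
function Get-ServiceExecutable {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: cut at the first ".exe" boundary, otherwise at the first space.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

# Keep only services whose logon account is a user or domain account.
$services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.StartName -and
    $_.StartName -ne 'LocalSystem' -and
    $_.StartName -notlike 'NT AUTHORITY\*' -and
    $_.StartName -notlike 'NT SERVICE\*'
}

# List 1: distinct account names (DOMAIN\user, .\user or user@domain as SCM reports them).
$blockedUsers = @($services | Select-Object -ExpandProperty StartName -Unique | Sort-Object)

# List 2: the executables those accounts need to run, one row per distinct path.
# Note: a service hosted by svchost.exe or another shared host resolves to the host
# binary; review such rows carefully before allowing them with Full Control.
$protected = @($services | ForEach-Object {
    [pscustomobject]@{
        Service     = $_.Name
        Account     = $_.StartName
        ProcessPath = Get-ServiceExecutable $_.PathName
    }
} | Sort-Object ProcessPath -Unique)

$blockedUsers | ForEach-Object { [pscustomobject]@{ User = $_ } } |
    Export-Csv -Path (Join-Path $OutDir 'blocked_users.csv') -NoTypeInformation
$protected | Export-Csv -Path (Join-Path $OutDir 'protected_services.csv') -NoTypeInformation

Write-Host ("{0} service account(s) and {1} protected executable(s) written to {2}" -f `
    $blockedUsers.Count, $protected.Count, $OutDir)
$protected | Format-Table -AutoSize
```

Run it on each system (or a representative one per role) that will receive the policy, then merge and de-duplicate the CSVs before importing them into the two lists. An account that appears in blocked_users.csv but is also used for interactive administration should be split into separate accounts first, since the Deny sandbox will leave it with an empty desktop.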

Use the breadcrumbs at the top to go back to “Home”.

Block Users 13

Go to the Application Rules

-> Edit your “Allow Services to Start” rule
-> Edit your previous entry for the Process Rule that has the asterisk for the Program Path
-> In the Program Path field, replace the asterisk with a reference to the Protected Services list we created. When you reference a list, you use the name the system gave it surrounded by percent signs, i.e. %gen_protected_services_list%.
-> In the User Name field, reference the list of users in the same way, i.e. %gen_blocked_users_list%.

Block_Users_14-1

Click OK to save the Process List, then OK to save the Application Rule.

Next, edit your “Block All Applications for Specific Users” rule

-> Edit your previous entry for the Process Rule that has the asterisk for the Program Path. Leave the asterisk in place; this rule applies to every program.
-> In the User Name field, reference the list of users. When you reference a list, you use the name the system gave it surrounded by percent signs, i.e. %gen_blocked_users_list%.

Block Users 14


-> Ensure the Application Rules are listed with “Allow Services to Start” first and “Block All Applications for Specific Users” second, always; otherwise you risk the services not being able to start.

Block_Users_14-2

-> Click OK, then OK, then OK again to save the policy.
-> Apply the policy to a Test group in the Assets -> Prevention view.
-> Move a test system to the Test group.

Result: After logging on with a blocked user’s credentials, they will see only a blank desktop. All applications are blocked, including Explorer.exe.

Blocked_Users_15

The Windows service that the account is tied to should stop and start normally. Double- and triple-check this before testing it in production.

Blocked_Users_15-1

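Once a test system has been moved into the Test group, the stop/start check can be scripted so it is repeatable for every protected service. The following PowerShell script is an added example, not code from the original post or from Symantec: for each service it records the time, issues Restart-Service, waits for the service to report Running, and then queries the System log for Service Control Manager failure events (IDs 7000, 7009, 7031 and 7034) raised since the restart. The service name 'FileZilla Server' is a constructed placeholder based on the post’s FileZilla example; substitute your own service names.

```powershell
# Added example (not part of the original post): restart each protected service on a
# test system and confirm it returns to Running under its service account with no
# Service Control Manager failure events. Run as an administrator on the test host.
param(
    [string[]]$ProtectedServices = @('FileZilla Server'),  # constructed sample; use your own
    [int]$TimeoutSeconds = 60
)

function Test-ProtectedService {
    param([string]$Name, [int]$Timeout)
    $since = Get-Date
    # Accept either the short service name or the display name (WQL, single quotes doubled).
    $filter = "Name='{0}' OR DisplayName='{0}'" -f $Name.Replace("'", "''")
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter | Select-Object -First 1
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; Account = $null; Result = 'NotFound'; Errors = 0 }
    }

    Restart-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    $deadline = $since.AddSeconds($Timeout)
    do {
        Start-Sleep -Seconds 2
        $state = (Get-Service -Name $svc.Name).Status
    } until ($state -eq 'Running' -or (Get-Date) -gt $deadline)

    # SCM event IDs: 7000 failed to start, 7009 start timeout, 7031/7034 terminated unexpectedly.
    $errors = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Service Control Manager'
            Id = 7000, 7009, 7031, 7034; StartTime = $since
        } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$($svc.DisplayName)*" })

    $result = if ($state -eq 'Running' -and $errors.Count -eq 0) { 'OK' } else { "FAIL ($state)" }
    [pscustomobject]@{
        Service = $svc.Name
        Account = $svc.StartName   # the account the Allow rule must cover
        Result  = $result
        Errors  = $errors.Count
    }
}

$results = @(foreach ($s in $ProtectedServices) { Test-ProtectedService -Name $s -Timeout $TimeoutSeconds })
$results | Format-Table -AutoSize

# Non-zero exit so the check can gate a wider rollout from a pipeline or scheduled task.
if (@($results | Where-Object { $_.Result -ne 'OK' }).Count -gt 0) { exit 1 }
```

A FAIL row with 7000 or 7009 events after the policy is applied usually means the service executable (or a helper it launches) is missing from the protected_services list, or the two Application Rules are in the wrong order. Compare the Account column against the blocked_users list to make sure every service account is covered by the Allow rule.
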
Caveat: The user can still press CTRL-ALT-DEL to shut down or reboot the system.

Blocked_Users_16

NOTE: To address the shutdown button, use GPO. See: http://www.thewindowsclub.com/prevent-users-shutting-down-restarting-windows-computer
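
To confirm that the GPO change has actually taken effect on a test system, the current holders of the “Shut down the system” user right can be read back from the local security policy. The following PowerShell script is an added example, not code from the original post: it exports the USER_RIGHTS area with the built-in secedit.exe, parses the SeShutdownPrivilege line of the resulting .inf file (entries are SIDs prefixed with an asterisk), translates each SID to an account name, and flags any account from the blocked-users list that holds the right directly. The account name CORP\svc_filezilla is a constructed sample. The script must run elevated.

```powershell
# Added example (not part of the original post): list who holds SeShutdownPrivilege
# ("Shut down the system") on this host and flag blocked service accounts that hold it.
$inf = Join-Path $env:TEMP ('user_rights_{0}.inf' -f [guid]::NewGuid())
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null   # requires an elevated session

function Get-ShutdownRightHolders {
    param([string]$InfPath)
    # The export is a UTF-16 .inf; Get-Content honours its BOM. Match only the local right,
    # not SeRemoteShutdownPrivilege.
    $line = Get-Content -Path $InfPath | Where-Object { $_ -match '^SeShutdownPrivilege\s*=' }
    if (-not $line) { return @() }                     # right granted to nobody
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $id = $e.Trim()
        if ($id.StartsWith('*')) {
            # SID entries are written as *S-1-5-...; translate to DOMAIN\Name where possible.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $id.Substring(1)                       # unresolvable SID: keep it raw
            }
        } else {
            $id                                        # already an account name
        }
    }
}

$holders = @(Get-ShutdownRightHolders -InfPath $inf)
Remove-Item -Path $inf -ErrorAction SilentlyContinue

"'Shut down the system' is currently granted to:"
$holders | ForEach-Object { "  $_" }

# Constructed sample: the entries from gen_blocked_users_list on the test system.
$blockedUsers = @('CORP\svc_filezilla')
$direct = @($holders | Where-Object { $blockedUsers -contains $_ })
if ($direct.Count -gt 0) {
    "WARNING: blocked accounts hold the shutdown right directly: $($direct -join ', ')"
}
"Note: membership in a listed group (for example BUILTIN\Users on a workstation) also grants the right; check group nesting separately."
```

On a default workstation the list typically includes BUILTIN\Users, which is why a service account that is only a domain user can still shut the machine down; the GPO setting referenced above removes that group from the right, and re-running this script after a gpupdate shows whether the change was applied.
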
