
[Closed] Endpoint Protection and MFA (Windows)

29 Posts
8 Users
0 Reactions
82 Views
Posts: 2314
Full Member
Topic starter
 

I’ve been asked to secure a small warehouse network, things like disable USB storage, prevent unauthorised devices connecting, so on.

On the network are less than 10 Windows 10 Pro machines (no domain controller) with local accounts.

One requirement is to notify admin on suspicious login activity, say multiple failed attempts. Software does exist, like Malwarebytes Endpoint Protection, but this starts at $699.99/year (10 machines) and seems a bit excessive in a secure warehouse with a couple of staff.
I’ve got to implement some form of MFA on logins, Azure AD is on my radar only because it’s Microsoft, and it seems they might do some of the login monitoring on the cloud too, possibly for free.

Maybe it’s all simpler than I think and I should just bite the bullet and create emails and proper Microsoft accounts (rather than local) for the users.

These requirements are not optional even if they are overkill.

If anyone has experience or suggestions (products, scripts, settings) that might help me out or at least point me in the right direction?

 
Posted : 06/10/2020 7:27 pm
Posts: 77347
Free Member
 

Have a look at Duo. I played with it last year and it was a breeze to set up. I think it's free for an estate your size too.

Might not be an option if you're knobbling USB, but look at FIDO keys. They've come down in price vertically since Google bought into it.

Really though, a lot of this stuff is why domains exist. I'd be migrating to an AD domain before even contemplating any of the other stuff. Either that or move everything onto Microsoft 365 (formerly Office 365). Do it now whilst it's small and uncomplicated, you're just asking for pain otherwise.

 
Posted : 06/10/2020 7:56 pm
Posts: 0
Full Member
 

Not worth it for 9 boxes. You’re adding a massive attack surface (ad or o365) to protect a handful of machines. Talk to whoever set the policies and do something sensible instead.

 
Posted : 06/10/2020 8:02 pm
Posts: 77347
Free Member
 

Have a look at Duo. I played with it last year and it was a breeze to set up.

Actually, I should caveat that. I was evaluating Secret Server at the time, Duo was a piece of cake to set up to work with SS. How well it works without SS I don't know.

 
Posted : 06/10/2020 8:08 pm
Posts: 837
Free Member
 

Not worth it for 9 boxes. You’re adding a massive attack surface (ad or o365) to protect a handful of machines. Talk to whoever set the policies and do something sensible instead.

Er, what massive attack surface would that be? And I would have thought the OP might have been looking for something more concrete in the advice department than "do something sensible".

What Cougar said might be worth looking at although MFA might not be free. You may need some Premium licenses for the advanced things you might want to do but having the machines Azure AD Joined will give you the option of adding monitoring and threat detection. Does the warehouse use anything else cloud related or office related eg email, office apps or is it all just a standalone entity? If it is a standalone entity then doing all these things might seem more expensive than the benefits it brings.

 
Posted : 06/10/2020 8:31 pm
Posts: 0
Free Member
 

Microsoft 365 with Microsoft Endpoint Manager could be what you're looking for.
https://www.microsoft.com/en-us/microsoft-365/microsoft-endpoint-manager

 
Posted : 06/10/2020 8:43 pm
Posts: 77347
Free Member
 

Not worth it for 9 boxes.

It may have changed now, it's been a while since I last had to deal with this stuff. But MS's guidance for when to consider moving from (what was then) a workgroup to a domain was around ten users.

But that's not the point. You're wanting to implement a bunch of security restrictions. Do you want to do all your configuration ten times, and have to make any subsequent changes ten times in perpetuity, or do you want to do it centrally once? Doing all this crap manually is barking, the reason we have computers is so that we don't have to do repetitive tasks.

Talk to whoever set the policies and do something sensible instead.

This however is good advice. The proposition shouldn't be "I have to implement x, y and z" but rather "this is the problem we're trying to fix." Eg, you want to notify admin on "suspicious login activity" - why? What's that intended to achieve?

Only once you've defined the problem can you ever hope to fix it, and it doesn't sound like that's been done. If the sole reason is "because I've been told to and my protestations have fallen on deaf ears" then well, if it were me I'd be starting jobhunting first thing tomorrow morning because life's to short to work for morons who don't trust their staff. I've seen this countless times, not empowered to do your job yet held accountable when it inevitably goes to shit. Giraffe testicles to that.

 
Posted : 06/10/2020 8:55 pm
Posts: 514
Full Member
 

Shirley it depends on what the warehouse is holding and what any end customer requirement might be in the warehouse in question?

This smells a lot like Cyber Essentials, and really I would suggest taking a long hard look at what the IT budget for the company is and how that compares to other business critical services it pays for.

You pays your money and you get your service.

 
Posted : 06/10/2020 9:03 pm
Posts: 0
Full Member
 

For context, I’ve run a cyber security firm for 7 years, been in the industry for over 20 and smashed into more networks than I could possibly remember.

If you think your 10 PCs in a warehouse will be improved by adding that extra complexity then fine. I’d disagree. I’ve advised a number of clients in industrial settings with similar setups and isolation was a better strategy. I’m not rattling full solutions in because A) things are never simple and there will be all sorts of technical and business reasons restricting what you can do. And B) I normally charge a lot of money for that sort of thing.

But hey, I leave this one to the experts...

 
Posted : 06/10/2020 9:11 pm
Posts: 514
Full Member
 

Kula, you have said don’t without knowing any context. You sound like me in Dad mode.

 
Posted : 06/10/2020 9:42 pm
Posts: 77347
Free Member
 

If you think your 10 PCs in a warehouse will be improved by adding that extra complexity then fine. I’d disagree.

Like I said, it's the wrong question.

We've both pulled solutions out of our arses based on minimal information and vaguery. You could well be absolutely right, airgapping it all could be a perfect solution, or it could be wholly inappropriate. The OP as presented is something I'm happy to roll around ideas about on a mountain biking forum but it's not a scenario I'd be prepared to bank a reputation on.

 
Posted : 06/10/2020 9:59 pm
Posts: 0
Full Member
 

It’s 9 PCs. I’ve got more at home. It’s not a big deal, it needs keeping simple. OP can take or leave that advice, but I’m happy to PM him my credentials so he can gauge its worth.

 
Posted : 06/10/2020 10:11 pm
Posts: 1646
Full Member
 

What are the endpoints used for? Do they even need USB ports? For example a lockable case around the PC, or even just epoxy resin the ports on the PCs.

Without understanding how they are used, what network resources do they need? What's to stop someone plugging in a hub/switch/wireless AP into a switch port, or even having another internet connection coming directly into an endpoint that's then shared with the rest of the network? You will see all sorts of crap on production networks that have 'evolved' rather than being deployed to a set of design/security standards.

Work on a full set of requirements, understand all of the various use cases. Eg manager with laptop on WiFi that uses it at home and gives it to their kids to use for their school homework (that must be why there were dodgy sites in the browser history), grungy PCs dotted about the warehouse used for XYZ app and pirated games for the nightshift, unsecured WiFi devices used by stock pickers that don't even support any sort of WPA...

There's a view developing that you should not trust any device connecting to the network and treat it as such, before allowing it granular access to the resources specific for that device/user. But in the real world how the heck do you go about supporting all the crap that's been stuck on the network for the past 20+ years...

Even the Network Admission Control can be a nightmare.

For a quick dirty job, format everything, fresh patched install, stick something like Bitdefender on, lock down any unused switch ports, change all the passwords and don't let anyone have admin access.

Or how about dumb terminals rather than PCs?

So work on a full set of requirements/use cases, work out how to address them, get sign off then implement, test and have some process in place for moves/adds/changes, patching, who monitors and does what for security alerts etc.

There are so many options, but in the real world I'd side with Kula as most likely budget/time constraints, odd devices will be king.

 
Posted : 06/10/2020 10:30 pm
Posts: 77347
Free Member
 

@kula72 Who's your "cyber security firm" out of interest?

 
Posted : 06/10/2020 10:33 pm
Posts: 77347
Free Member
 

Russell96 is wise.

 
Posted : 06/10/2020 10:36 pm
Posts: 0
Full Member
 

@cougar I’ve pm’d the op with my work address and offered some free advice. I can’t see what’s in it for me to post it here.

 
Posted : 06/10/2020 10:53 pm
Posts: 77347
Free Member
 

I’ve pm’d the op with my work address and offered some free advice. I can’t see what’s in it for me to post it here.

By that argument, what's in it for you to offer free advice in the first place?

I was curious, was all. I wondered if our respective companies had crossed paths at some point, I deal with a lot of 'cyber security' companies and professionals. And as you were keen to stress your experience I thought you'd appreciate the opportunity to tell us more about your company.

The whole point of threads like this is to share knowledge, running off to PM kinda defeats the point of its existence. If you're willing to offer free advice then why not post it up here for the benefit of any other readers who might later have the same questions?

This has all got a bit weird if I'm honest.

 
Posted : 06/10/2020 11:18 pm
Posts: 1646
Full Member
 

There's too much knowledge in the collective to be posted up here I guess.

I come from a networks background, deploying WAN/LAN+WiFi/NAC etc. on a global basis, mainly utilities and production. Doing design and deployment from sites where you get followed round by some nice people with machine guns, right through to happy go lucky flip flop wearing IT teams responsible for prod lines, where multi million Euro robots were run off hubs on a LAN.. (sigh)

If I had my way, it would be a locked down switch network with no WiFi, all devices replaced with Raspberry Pis used to access network based apps. For a quick and cheap(ish) deployment.

 
Posted : 06/10/2020 11:37 pm
Posts: 0
Full Member
 

@cougar I don’t understand your interest in me. OP wanted advice, I gave him mine, you picked on it and now want to pick on my credentials or reasons for offering it. What’s your beef? It’s weird.

@Russell96 I started in networks too, at ISPs in the mid 90s. Spent most of the last 20 years penetration testing with departures into security architecture, intrusion detection, security officer stuff and back full circle. Mostly in banks early on but have all sorts of clients now. Keeps me busy!

 
Posted : 06/10/2020 11:53 pm
Posts: 514
Full Member
 

Kula, you gave a very abrupt piece of advice without any context of the issue and then got a bit of a flounce on and CV waving when questioned about it.

 
Posted : 07/10/2020 12:06 am
Posts: 1646
Full Member
 

37 years of telecoms and RF here, taking a break for a couple of years for an MSc, then I'll be back into it, well if anyone will have me then 🙂 job hint!

My mantra I guess: passwords, patches, policies. If people (not systems) got those right things would be in a much better place. Well okay, listen and pay notice to the battle worn techie when they do that in-drawn breath when asked a question....

 
Posted : 07/10/2020 12:07 am
Posts: 0
Full Member
 

@peterno51 It wasn’t abrupt, it was concise and I stand by it. It’s 9 boxes, I don’t need much context. I’ve done 50k boxes, that did!

@Russell96 you get it. It’s the simple stuff. The hardest networks are the ones where the basics are nailed, not the ones who blow their budget on flashing lights and “AI powered, blockchain, neural net, next gen, quantum, cyber stuff”!

 
Posted : 07/10/2020 12:22 am
Posts: 77347
Free Member
 

I don’t understand your interest in me.

I've literally just explained my interest, I'm not sure what else I can add. Given your 'credentials' I thought I might have heard of you or even know you outside of the forum, was all. SecOps isn't exactly the largest of arenas in this country.

Op wanted advice, I gave him mine, you picked on it and now want to pick on my credentials or reasons for offering it.

I wasn't picking on anything, I was having a discussion. That's how forums work. Hell, that's how advice works, peer review, I could easily be talking bollocks and if I am I'd rather know.

What’s your beef?

Why the aggression?

 
Posted : 07/10/2020 12:40 am
Posts: 0
Full Member
 

@cougar can confirm, are talking bollocks.

 
Posted : 07/10/2020 1:01 am
Posts: 77347
Free Member
 

Difficult to argue with such a comprehensive rebuttal.

 
Posted : 07/10/2020 1:03 am
Posts: 837
Free Member
 

@kula72 Not quite sure why the attitude. I thought Cougar's request was perfectly reasonable and well defined. He wasn't looking to drill you - just curious as he clearly works in the space where he may have come across you. And in your original reply I think it's fair to say that you didn't actually offer any advice beyond "do something sensible" which, given the nature of the question, hardly qualified as advice. And woohoo, you've got 10 machines at home. So? How do you manage them? Are they part of your business network? In which case that's a quite different situation to the OP.

Personally, I don't have a problem with you messaging the OP - decent thing to do. However your responses on this thread don't do you any favours and based on them your firm is not one I would be looking to do business with.

 
Posted : 07/10/2020 10:14 am
Posts: 2314
Full Member
Topic starter
 

Just to explain, we're handling 3rd party data and these are non-negotiable requirements to continue to do so. In some ways having to raise our game is a good thing, it helps us consider everything we do.

There's a whole load more going on in this project (encrypt data at rest, data retention policy, locked down network) which is all in hand but it's MFA and active reporting of login patterns that I've not set up before.

Is the bloke who opens the warehouse in a morning a security risk we need to mitigate? I don't think so but I'll be able to check the time he logs on vs the time he says he started work! But if we are audited and these things are not in place we'll get quite a slap.

@kula72 thanks for the input and PM it's appreciated. At this moment I just want a sounding board and see if someone else had already implemented similar.

@Cougar I think you are right about AD, I should start there. I've resisted so far, doing it my way for a couple of decades...

 
Posted : 07/10/2020 8:28 pm
Posts: 77347
Free Member
 

these are non negotiable requirements

Set by whom? Are you aligning to any industry standards?

 
Posted : 07/10/2020 9:20 pm
Posts: 8613
Full Member
 

@fooman - without a domain in place you're just setting yourself up for a nightmare, both to implement and also to maintain. Security config needs to be monitored and enforced for it to be effective and most tools that do that rely on a domain.

Some of the things you list can be done with built-in tools such as local security policy (or if you have a domain elsewhere create GPOs and use the localGPO tool to convert them to local policies).

For logins it's partly auditing settings (in the local security policy), but you're also going to need to centralise the logs (or at least collect a copy, preferably in real time; hacking 101 is delete the logs to cover your tracks). I've only done log collection in domain settings though. We send logs to an object store configured as a read-only archive so they can't be tampered with.

You can take it to another level with software like Spector 360, even down to keystroke logging, but again I've only used it in domain environments.

2FA without a domain (or at least something like RADIUS) in place would be a nightmare too.

I do agree with Kula72 though that by introducing a domain (and/or cloud services) you're also then adding complexity and the overall attack surface and the warehouse PCs could end up inadvertently becoming weak points of entry into your corporate domain. You can partially mitigate that with separate forests and one-way trusts etc. but then you're starting to add even more complexity.

Depending on requirements you may also need to think about who is monitoring what security solutions you implement. I work in a high-security environment myself and although we implemented the various security elements and provide the overall IT service to the client we're not the ones that monitor the security events, another independent company does that (so the client has assurance that what we do is also properly monitored).

 
Posted : 08/10/2020 7:50 am
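The failed-logon alerting the OP asked for, as an added example (not from any poster in this thread): a PowerShell script for a standalone Windows 10 machine that reads "An account failed to log on" events (Event ID 4625) from the Security log, counts them per account inside a look-back window, and records an alert when an account crosses a threshold. The alert file path, event source name and thresholds are assumptions; it expects failed-logon auditing to already be enabled in the local security policy and to be run elevated, for example from a Scheduled Task every few minutes.

```powershell
# Added example: per-account failed-logon alerting on a workgroup Windows 10 box.
# Prerequisite (once, elevated): auditpol /set /subcategory:"Logon" /failure:enable
param(
    [int]$WindowMinutes = 10,   # how far back to look (assumed default)
    [int]$Threshold     = 5,    # failures per account that raise an alert (assumed)
    [string]$AlertLog   = 'C:\ProgramData\LogonWatch\alerts.log',  # assumed path
    [string]$Source     = 'LogonWatch'                              # assumed event source
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Event ID 4625 in the Security log = "An account failed to log on".
# Get-WinEvent throws when nothing matches, so silence that and test for $null.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) { return }

# EventData positions for 4625: 5 = TargetUserName, 6 = TargetDomainName,
# 10 = LogonType (2 interactive, 3 network, 10 RDP), 19 = source IpAddress.
$rows = foreach ($e in $events) {
    $p = $e.Properties
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($p[6].Value)\$($p[5].Value)"
        LogonType = $p[10].Value
        Source    = $p[19].Value
    }
}

# Group by account and keep only those at or above the threshold.
$suspicious = $rows | Group-Object User | Where-Object Count -ge $Threshold

# Register our own Application-log source once so a collector can pick the alerts up.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
New-Item -ItemType Directory -Path (Split-Path $AlertLog) -Force | Out-Null

foreach ($g in $suspicious) {
    $sources = ($g.Group.Source | Sort-Object -Unique) -join ','
    $msg = '{0} {1}: {2} failed logons in {3} min from [{4}] on {5}' -f (Get-Date -Format s),
        $g.Name, $g.Count, $WindowMinutes, $sources, $env:COMPUTERNAME
    Add-Content -Path $AlertLog -Value $msg
    Write-EventLog -LogName Application -Source $Source -EventId 1000 `
        -EntryType Warning -Message $msg
}
```

Swap the Add-Content line for Send-MailMessage or a webhook call if the admin wants the notification pushed rather than collected; keeping the alert copy off the machine matters for the reason the post above gives.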
Posts: 77347
Free Member
 

I do agree with Kula72 though that by introducing a domain (and/or cloud services) you’re also then adding complexity and the overall attack surface

This may well be true and there are a number of risks inherent here, lateral movement or privilege escalation for instance. But on what planet is a centralised, managed and audited domain less secure than multiple standalone local logins half of which have a password of 'password'? I know which I'd rather attack. What's your patch cadence like?

and the warehouse PCs could end up inadvertently becoming weak points of entry into your corporate domain.

I assumed that there wasn't a corporate domain at all? The "small warehouse network" implied isolation, there's nothing to suggest that it needs access to anything else. But this is what I was getting at earlier, we don't know as we've not defined the problem, instead we're just throwing random solutions around.

 
Posted : 08/10/2020 9:39 am
