*Offers updated on March 26, 2020

Most enterprises are getting slammed with employees working from home. Most of us designed our remote user VPN’s for the occasional "snow day" ...right. Now we have an entire workforce, working from home full time for weeks…maybe months …oh yeah, and using a full suite of applications including voice… crazy. No really!

Many of you have contacted SynerComm to get additional VPN licenses/concentrators, endpoint security controls, and help designing and spinning up "new ways" to get employees connected securely. During these crazy times some of our vendors are stepping up and trying to make a difference.

To help you we would like to share a few solutions/offers from our vendors:

Vendor	Offer	Details
Palo Alto Networks	Free 90-day GlobalProtect VPN subscription license for mobile devices like iPads, etc. (Other GP is already free)	Customer logins into their own support portal and select trial licenses
Pulse Secure	Flexible Pulse Connect Secure licensing	Valid through May 31st
CrowdStrike	Surge relief for 60 days (existing customers) CrowdStrike Falcon Prevent home use licenses	Expiration TBD
SentinelOne	Free trials: SentinelOne Core: AI-powered prevention, detection, and automated response in a single, autonomous lightweight agent; legacy antivirus replacement across Windows, Mac, and Linux operating systems with no connectivity or network dependency. Deployment services: remote deployment assistance to ensure rapid installation and customized configuration	Offer expires May 16th
Armorblox	No charge offer to help businesses with 100+ employees during these challenging times.	Expiration TBD
Extreme Networks	Work from Home bundle discount Extreme Networks and Tech Data have created a Portable Branch Office Kit to enable your customers to connect, secure, and manage remote sites and remote workers quickly and easily. Combining SD-WAN, Wi-Fi, and cloud management into an easy to deploy, plug and play solution, this kit offer delivers the ability to provide an enterprise-class experience for all connected users, regardless of where they reside.	Discounted
Lastline	Lastline Analyst at no cost for 90 days to organizations with 500+ employees.	Offer expires June 30, 2020
Proofpoint	Free trial - Scalable secure access for increasing your mobile workforce.	Offer expires September 30, 2020
UBIQ	Free trial to Trusted File Manager	Offer expires June 20, 2020

[vc_empty_space height="20px"][ult_buttons btn_title="Contact Us" btn_link="url:/contact/|title:Contact%20Us||" btn_align="ubtn-center" btn_size="ubtn-large" btn_title_color="#ffffff" btn_bg_color="#0569b3" icon_size="32" btn_icon_pos="ubtn-sep-icon-at-left"][vc_column_text el_class="large-blue"]

Have questions or want some guidance with taking advantage of these vendor offers?

Practicing good remote access hygiene in times of uncertainty

As the business world reacts to the current health crisis, companies are offering remote access to any role that can work from home. Taking a cue from the changing environment, cyber-criminals are already taking advantage. Already (03/15/2020) the US Health and Human Services Department suffered a cyber-attack with the intention of distributing false information.

Here are some recommendations on continuing to practice good information security hygiene as more of the access moves outside of the physical office.

Security Awareness Training

• New Remote Access Users
  Remote access privileges come with a new set of responsibilities. Ensure that the newly enabled group of remote access participants are aware of and follow company procedures with regards to remote access. This isn’t just about good Wi-Fi practices (discussed later), it should also include activities like plugging in personal flash drives or downloading movies to company owned equipment. If employees can connect with personal devices, there are even more risks to consider.

• Help Desk Personnel
  A popular attack that will gain attention in the coming weeks will be password reset requests against the helpdesk teams. Establishing and training on proper verification and secure password reset techniques will be essential for the helpdesk to identify who they should be helping and who they should be hanging up on.
  

Access and Data Storage

• Multifactor Authentication (MFA)
  Extending remote access to company networks and data should be accompanied by a requirement for MFA use. Properly implemented MFA makes it much more difficult for a bad actor to gain access to any account. This isn’t the time to wonder how many users have weak and easily guessed passwords like “Winter20”.

• Secure Data Storage
  Devices that will be used to perform remote work may or may not have encrypted storage. Make sure care is taken when employees work with company data and remind them not store that data in unsecure locations or media.

• Wireless Access Points
  While users may not be going to many coffee shops or hotels the next few weeks, the guidelines for performing safe wireless access still apply. When connecting to public Wi-Fi, ensure you are using a VPN and examine the name of the network closely to avoid evil twins. [Evil twins are Wi-Fi hotspots that look legitimate but have a small change in the lettering: HOTSpot vs. H0TSpot.] When setting up wireless access points at home, use WPA2 encryption with a long and difficult to guess passphrase.

• Endpoint Security
  Whether it is company owned equipment or employee owned equipment, endpoint controls are crucial for protecting the information assets they will be working with. Ensure endpoint software is in place, properly configured, and up-to-date before allowing these devices to connect to the enterprise network.

• Split Tunneling
  This one might be tougher to deal with, especially with employee owned equipment. Split tunneling is the process of allowing a remote VPN user to access a non-corporate network at the same time that the user is allowed to access the corporate network via the VPN. This method of network access enables the user to access corporate devices, such as a network data share, at the same time as accessing non-corporate network devices, like a home network printer. With split tunneling there is increased risk of exposing company IT assets to external threats and attacks.

Incident Response Planning

• The Right Tools
  Incident response plans often call for the assembly of the incident response team. With those team members possibly being remote, ensure that the tools they need are available where they are working.

CEO Fraud Prevention

• You Will See More
  Count on an increase in attempts by fraudsters to impersonate company executives. Their goal is to trick employees into sending information or wiring funds to less than desirable recipients. It will no longer be as easy as peeking your head through the boss’s door to ask if the email request for all of the W-2 information came from him this morning was legitimate.

• Establish Secure Verification Procedures
  Email addresses, caller ID, and even voice messages face the possibility of being spoofed. When confirming the authenticity of a request, use a different channel than how the request was initiated. If you received an email, call a known number to verify (not a number that came from the email.)

• Review Wire Transfer and Other Vulnerable Financial Controls
  Controls that require actions by multiple people may have to be modified to accommodate the increase in remote workers. Review those procedures to make sure they are remote workforce capable.

The need to immediately increase remote access capabilities is here, much sooner than a lot of companies were prepared for. But just as it is not prudent to take shortcuts to meet a deadline from your boss, now is not the time to sacrifice security for expedience or convenience. We have already seen examples of people sharing links to private company meetings via social media sites, virtually opening the meeting to anyone who happens upon the link. It is essential that these users who now have new methods of access, understand and protect that access. The bad guys are actively looking to prey upon those who are unprepared.

Risks and Considerations for IT: A Pandemic

What can IT do to prepare?

We all know the stats of the Coronavirus, although they are changing by the minute. We know what to do personally and for our families but what about for our Company?

Many customers do have Business Continuity Plans or Enterprise Risk management plans, but do they include plans for a Pandemic such as this?

A few things to consider:

1. Remote access for employees. Can employees continue their normal work from home? Phones for customer calls? Do you have enough licenses to support large numbers of SSL VPN connections?
2. Customer & vendor meetings. Many companies have started to stop all onsite meetings to protect their employees. This is where collaboration software is king. Do you have enough licenses for GoToMeetings, Zoom, or others?
3. Communications plans. (Pre and Post Pandemic) Is there effective means to communicate with employees should the business (or schools) require to close its doors? Email, mobile phones, Teams, etc?
4. Insurance. Many corporate insurances plans (Business interruption clauses) have Pandemic inclusions…. does yours? Maybe dust it off and know your coverage.
5. Travel Insurance. Even if your company has not issued a stop on travel many other companies have. Can existing travel plans be changed without forfeiture or fees?

Just a few things to think about for your best practice preparedness plans.

Palo Alto Networks firewalls have the ability to create security policies and generate logs based on users and groups, and not just IP addresses.  This functionality is called User-ID.

User-ID™ enables you to map IP addresses to users on your network using a variety of techniques. The methods include using agents, monitoring domain controller event logs, monitoring terminal servers, monitoring non-AD authentication servers and syslog servers, and even through captive portals (that prompt the user for login). In addition to its use in policies, logging access and threats by user can be invaluable in incident response and forensics. To take full advantage of this feature, it is ideal to map as many IP addresses to users as possible.

With all these great methods to map users to IP addresses, we often miss many systems. They include non-domain joined systems, Linux/Unix systems that don’t centrally authenticate, and potentially many other devices (phones, cameras, etc.). Palo Alto has yet another feature for mapping users, but one that comes with great risk.

To identify mappings for IP addresses that the agent didn’t map, the firewall can probe and interrogate devices. The intention is to only probe systems connected to trusted internal zones, but a misconfigured zone could even allow sending probes out to the internet. Taking that misconfiguration aside, client probing is still a significant security risk. By default, Palo Alto agents send out a request every 20 minutes to all IP addresses that were recently logged but not mapped to a user. It does this assuming that the IP belongs to a Windows system and it uses a WMI probe to log into the unmapped system.

SynerComm believes that a large number of PAN customers have enabled WMI and/or NetBIOS Client Probing within the User-ID settings.  Our AssureIT penetration testing team is regularly detecting this on internal pentests. SynerComm recommends disabling Client Probing in the User-ID Agent setup due to the risk. 

The Vulnerability:

Many networking and network security devices use Microsoft WMI probing to interrogate Windows hosts for things like collecting user information.  For authentication purposes, a WMI probe contains the username and hashed password of the service account being used. When a domain account is used, an NTLMv1 or NTLMv2 authentication process takes place.  It has come to our attention that our penetesters are finding Palo Alto firewalls that are using insecure User-ID methods. Specifically, those that are using WMI and NetBIOS probes to attempt user identification. This allows an attacker to obtain the service account’s username, domain name, and the password hash (more likely the hashed challenge/nonce). Because the service account requires privileges, this becomes a serious security exposure that could be easily abused.

An October 30, 2019 Palo Alto Advisory “Best Practices for Securing User-ID Deployments” recommends ensuring that User-ID is only enabled on internal/trust zones, and applying the principal of least privilege for the service account.  Again though, SynerComm recommends also disabling WMI probing completely.

The Attack….

(By: Brian Judd, VP Information Assurance)

In a perfect world, we could trust that every device on our internal network is owned, managed, and monitored by our company and our staff. That includes having full trust that no systems are already compromised, and that no intruder or insider could place a rogue device on our network. Because this is rarely, if ever the case, it’s a stretch to think that it’s safe to share valid domain credentials with any device connected to an internal network.

Using well-known penetration testing tools like responder.py, it is trivial to setup a SMB server that that can listen for and respond to NTLM authentication requests. When good OPSEC isn’t a factor, responder.py also includes abilities to respond to LLMNR and NetBIOS broadcasts to poison other local systems into authenticating to its listening SMB server. It then stores the username and the hashed challenge (nonce) from the authentication messages. Depending on the strength of the password, these captured “hashes” could be cracked and the account could be used to log into other systems.

While all of that sounds scary, it isn’t the concern of this article. If configured to use “Client Probing”, Palo Alto firewalls and their User-ID agents make WMI and NetBIOS connections to map unknown IP addresses to their logged in user. Also, because WMI is IP based, it’s possible to probe any reachable (retable) network/system. To be effective, User-ID almost always uses a domain service account so that it can access any domain member system. An attacker with the ability to run responder.py on an internal network is likely to receive authentication requests from Palo Alto User-ID agents without any need for noisy poisoning attacks. By default, the agent probes every 20 minutes and anytime a new log is written to the firewall without user identification.

OK, let’s make this a bit worse… What if we didn’t need to crack the service account’s password? What if we could just relay the agent’s authentication request to another system and trick it into authenticating the attacker instead? Again, this is trivial and easy using well-known tools like ntlmrelayx.py or MultiRelay.py. Even worse, these tools are not exploits, this is how NTLM authentication was designed to work. If the relayed account’s privilege is sufficient, ntlmrelayx.py will even dump the system’s stored hashes from the SAM database, or execute shell code.

Oh, remember earlier when I mentioned that Palo Alto’s agent probes anytime a new log is written by an unmapped IP address? Using this “feature”, we can script something as simple as a DNS lookup or wget request to generate access logs on the firewall and trigger a User-ID authentication request. With a little time, these logins could be relayed to log into every other system on the network. Considering that older Palo Alto documentation was vague with regards to the necessary service account privileges, it is common to find them as members of highly privileged groups including Domain Administrators. To an attacker, this could be game, set, match in just a few minutes.

SynerComm Recommends:

1. Disable (Do NOT Enable) Client Probing within Palo Alto’s User-ID Agent configuration
   1. Didn’t you read the title of this article, “Stop Sharing Your Password with Everyone”
2. Configure the User-ID service account with the minimum required privileges, NO domain admin!
3. Ensure that User-ID is only enabled on trusted internal zones and further restrict it to the specific source IP addresses of its agents
4. Set a very strong random password for the User-ID agent’s service account
   1. 20 characters is usually sufficient, but it’s always ok to make it longer!
5. Enable SMB Signing on Windows workstations and servers
   1. While not specific to Palo Alto, this control prevents most NTLM relaying attacks
6. Disable LLMNR and NetBIOS in the local security settings of Windows operating systems
   1. Again, nothing to do with Palo Alto, but this prevents LLMNR and NetBIOS poisoning attacks
7. Disable NTLMv1 and NTLMv2 authentication
   1. Kerberos can replace NTLM, but it’s not backwards compatible with older operating systems.  Be sure to research and test first, and always have a backout plan.
8. Perform annual internal and external penetration tests to uncover hidden weaknesses that leave your networks and systems vulnerable to attack

Palo Alto User-ID Security Best Practices

Specify included and excluded networks when configuring User-ID

The include and exclude lists available on the User-ID Agent, as well as agentless User-ID, can be used to limit the scope of User-ID.  Typically, administrators are only concerned with the portion of IP address space used in their organization.  By explicitly specifying networks or preferably a host address /32,  to be included with or excluded from User-ID, we can help to ensure that only trusted and company-owned assets are probed, and that no unwanted mappings will be created unexpectedly. See above image.
 

Disable WMI and NetBIOS Client Probing

WMI, or Windows Management Instrumentation, is a mechanism that can be used to actively probe managed Windows systems to learn IP-user mappings.  Because WMI probing trusts data reported back from the endpoint, it is not a recommended method of obtaining User-ID information in a high security network.  In environments containing relatively static IP-user mappings, such as those found in common office environments with fixed workstations, active WMI probing is not needed.  Roaming and other mobile clients can be easily identified even when moving between addresses by integrating User-ID using Syslog or the XML API and can capture IP-user mappings from platforms other than Windows as well.  

On sensitive and high security networks, WMI probing increases the overall attack surface, and administrators are recommended to disable WMI probing and instead rely upon User-ID mappings obtained from more isolated and trusted sources, such as domain controllers.

If you are using the User-ID Agent to parse AD security event logs, syslog messages, or the XML API to obtain User-ID mappings, then WMI probing should be disabled.  Captive portal can be used as a fallback mechanism to re-authenticate users where security event log data may be stale.

Use a dedicated service account for User-ID services with the minimal permissions necessary

User-ID deployments can be hardened by only including the minimum set of permissions necessary for the service to function properly.  This includes DCOM Users, Event Log Readers, and Server Operators.  If the User-ID service account were to be compromised by an attacker, having administrative and other unnecessary privileges creates significant risk.  Domain Admin and Enterprise Admin privileges are not required to read security event logs and consequently should not be granted.

Detailed process to create dedicated secure Windows service account

When you use a NON-DOMAIN ADMIN account for User-ID Agent, then additional steps are needed on the server

Deny interactive logon for the User-ID service account

While the User-ID service account does require certain permissions in order to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively.  This privilege can be restricted using Group Policies, or by using a Managed Service Account with User-ID (See Microsoft TechNet for more information on configuring Group Policies and Managed Service Accounts.)  If the User-ID service account were to be compromised by a malicious user, the impact could be reduced by denying interactive logons.
 

Deny remote access for the User-ID service account

Typically, service accounts should not be members of any security groups that are used to grant remote access. If the User-ID service account credentials were to be compromised, this would prevent the attacker from using the account to gain access to your network from the outside using a VPN. 

Configure egress filtering

Prevent any unwanted traffic (including potentially unwanted User-ID Agent traffic) from leaving your protected networks out to the Internet by implementing egress filtering on perimeter firewalls

Additional Information

For more information on setting up and configuring User-ID see the following or contact SynerComm today:

User-ID, PAN-OS Administrator's Guide
https://docs.Palo Altonetworks.com/pan-os/9-0/pan-os-admin/user-id/user-id-concepts/user-mapping/client-probing.html
Getting Started: User-ID
Create User Groups for Access to Whitelist Applications, Internet Gateway Best Practice Security Policy
User-ID Resource List on Configuring and Troubleshooting
https://www.helpnetsecurity.com/2019/06/11/microsoft-ntlm-vulnerabilities/