05 May 2013

Internet Filtering Series -- Part V (DNS Filtering + Windows Domain)


As I ran through this lab, I noticed the eerie similarities between Parts IV and V. Essentially, the lab turned out the same, but the only difference is that the Windows PC was hooked up to a Windows domain, which is very common in medium and larger networks such as businesses, larger schools, and government offices.

This key difference though does have an impact on planning. A network that has Windows domains and has its end-user workstations with Windows means that an IT department can set central policies in terms of security and policy at the forest and domain levels that in turn can be harder for the average user to circumvent.

Further, the entire lab is done within VMware, although on two different physical machines. This setup enables the emulation of suitable "generic" PCs and servers with typical hardware while not draining either machine of its memory.

Typical Real-World Scenarios Addressed: 

  • Smaller governmental entities, such as a specific agency/bureau or a municipal or county/parish government
  • A medium-size business
  • A suburban or urban high-school
  • A smaller private college or university

Specific Scenario Details: 

Jane Naive is a sales rep for a major regional media firm. Godfathers Communications is a growing firm with about 220 employes currently at its headquarters--which runs both daily newspapers in Anyville, prints most of the local advertisements, runs a couple of radio stations, and has the area's largest newsroom staff. She has a small office, upon which sits a Windows PC. She logs in every morning at about 7:30am and logs out when she leaves at 4:30pm.

The company has decided on DNS filtering primarily to keep their employes focused on the job and save network bandwidth, but currently does not have money in the IT budget to get any sort of dedicated security devices until the start of the next fiscal year.

Technical Details:

Network

  • Forest and domain functional levels: Both at Windows Server 2008 R2
  • Domain has two Read-Write Domain Controllers (Barzini and Stracci)
  • Other servers: Corleone (Read-Only DC), Tattaglia (small SAN with Windows Server 2003 R2), Cuneo (email server running CentOS 6), Sopranos (help desk server running on CentOS 6).  
  • Network is subdivided using VLSM at the router and starts at 172.21.0.0
  • Base Netmask: 255.255.248.0 (CIDR notation: /21)
  • Forest Root Domain: godfathers.local 
  • Network has file shares and "network drives" that are mapped accordingly
  • DNS is configured with OpenDNS's nameservers in the forwarders within the domain's DNS.
  • Filtering Method: OpenDNS 
  • ISP: Acme Internet Services (Anytown, USA) with a premium business-class broadband connection 

Server

  • Hardware Simulated: Generic 64-bit Server with 4GB RAM; 4 disks at 18GB each in a software RAID-5 array [NOTE: VMware does not currently allow for emulation of hardware-based RAID arrays]
  • Operating System: Windows Server 2008 R2
  • Hostname: Barzini
  • Gateway: 172.21.2.129
  • IP address: 172.21.2.134
  • Netmask: 255.255.255.224 (CIDR notation: /27)
  • Domain: hq.godfathers.local
  • FSMO Roles: Primary Domain Controller, Domain Naming Master, RID Pool Master

Workstation

  • Hardware Simulated: Generic 64-bit business-class workstation with 3GB RAM, and using a hard drive with a 80 GB partition
  • OS: Windows 7 Professional SP1
  • PC is fully-updated
  • Anti-Malware: Microsoft Forefront, definitions and components up to date.
  • Several "typical" programs are installed including Microsoft Office 2010, iTunes, FileZilla, some general business/accounting software, TeamViewer, and Spybot
  • IP address of PC: 172.21.1.168
  • Netmask: 255.255.254.0 (/23 in CIDR notation)
  • Gateway: 172.21.1.1

Filtering Policy: Restrictive (e.g. to simulate a company's acceptable-use policy with additional filters in place to help prevent harassment claims and increase worker productivity)

Notes/Assumptions:


  • Physical access to the box is assumed, including the probability of unsupervised access as the machine sits in a small office--though one would only have 40 minutes or so while most of the rest of that part of the office is out at lunch. 
  • OpenDNS's nameservers are configured by the IT department into the domain controllers and Group Policy is set to "Prohibit access to properties of a LAN connection" for everyone outside of the IT department.
  • Jane is a 24 year old fresh out of college, somewhat easily-distracted, not really technically-savvy, and known to fool around while at work (such as by sneaking her boyfriend Charles into her office during lunch). 
  • Jane's boyfriend Charles is a 30 year old who's got a rather long rap-sheet for various crimes, including computer crimes. Relevant though is his connection to an identity-theft ring operating in the next state.
  • Jane loves Charles very much, and asks him to help her access Facebook, Victoria's Secret, and Craigslist, which all appear to be blocked by the filter.
  • BIOS is locked, and therefore cannot be changed to boot an alternative operating system.  
  • USB and CD/DVD drive are accessible within Windows and are therefore fully-enabled
  • There are active firewalls in place that also attempt to filter out most connections but loopback connections aren't filtered, as are connections that stay within the local network and those using common ports such as 20-22, 80, and 443. 

Goals of This Lab: 

Playing the role of Charles, attempt to bypass the OpenDNS filters at Godfather Communications so that Jane can access her sites while at work in 40 minutes or less.

Test Sites Used: 

  • Facebook (https://www.facebook.com) 
  • Victoria's Secret (http://www.victoriassecret.com)
  • Craigslist (http://www.craigslist.org) 

All three sites were verified to be blocked after the filter was set up.

Results: 

Methods used to circumvent: 

  • Anonymising software: I was able to smuggle the Tor browser bundle onto the test PC, successfully load it, and access all three sites by way of a 2GB USB stick. 
  • X11 Forwarding: Using a Linux machine that was under my control and unfiltered (in this case, a Hardened Gentoo install running SSH at port 22), I was able to forward Firefox and access all three sites.  

Methods attempted, but unsuccessful: 

  • Proxy sites. Like the last two labs, this one was literally a "one-trick pony"
  • Live Media. This one failed simply because the company's router had everything set to point to OpenDNS. All three sites were blocked when BackTrack 5 R3 was booted up. 
  • HTTPS edit. All three sites failed to go through by changing the address to https://[site]. OpenDNS noticed it right off the bat and automatically brought up the block page. 
  • IP address: OpenDNS figured the trick out right away and immediately redirected to its block page
    • Fun fact: pinging this will also give you OpenDNS's block pages.  

Methods Not Tried (some of which involves hacking): 

  • Microsoft Remote Desktop Protocol (RDP): It's plausible that this might work. However, it's also likely to raise suspicions in the IT security department, especially if they suddenly start to notice RDP connections originating from this particular machine
  • NoMachine NX: since this runs all over SSH, this would likely work. Even if they block the default SSH port, it wouldn't be hard to change the port to an open one and send SSH traffic over it. This might backfire though, especially if some IT staffer decides to pursue the suspicious-traffic claims. 
  • Bringing in a personal device (this is in VMware, after all). This would likely work, especially if the Internet connections are provided by the user and use a different network (e.g. that from a mobile carrier), especially if it's a phone or a tablet with built-in 3G capabilities. 
  • Anything that would involve gaining administrative access over the domain--while that would certainly work and enable the filtering to be disabled by removing the forwarders, it would certainly get Jane in enough trouble such that she would probably be fired.

Recommendations to Help Avoid Successful Circumvention of DNS solutions: 

  • Set a reasonable filtering policy, and consider allowing "relaxed" access to social networks, sports, and the like during lunch periods and after normal business hours or shift-changes (shift-change relaxation could be done, for example, by providing a relaxed PC in the break room with a note saying to make sure an employe clocks out before logging on). Do note that "relaxed" access may not necessarily be an option. 
  • Control what programs go on the computer. Some vendors offer additional products or services that can enhance the web filtering by scanning USB drives. It's also possible to get an IT consultant--or perhaps even the in-house IT staff to write policies or scripts that will prohibit non-administrators from running install programs and "portable" apps. 
  • The circumvention method involving the Tor browser bundle may be able to be prevented using a combination of employee policies, software, and Group Policy settings.
  • Group Policy settings to prohibit access to common tools such as Regedit and cmd are probably a wise idea--failure to draw a command prompt without domain admin or server-operator credentials limits options for crackers.  
  • It's also possible to use software-restriction policies to only allow known and trusted software to execute and either assign it domain-wide, or modify per organisational unit (OU)
  • Remember that no method is foolproof, and that anyone with sufficient resources and time WILL figure out ways to get in and circumvent the filtering.
End Notes: 
  • It appears that OpenDNS isn't blocking known Tor relays by default (rather, it would be incumbent on the administrator to manually add all of those sites into the network blocklist)
  • Chances are quite high that sooner or later, the IT department is going to notice the suspicious traffic, at which point it's entirely possible that Jane will face even bigger consequences for trying to skirt the policy--not to mention that technically speaking she could get busted for bringing in unauthorised personnel to her office and damaging corporate property. 
  • I would say that the method that's most likely going to work in the long-term would be for Jane to get a 3G-enabled iPad, don't connect it to the company networks, and only use it when she's "clocked out" for lunch. This way, her "for fun" browsing is 100% off the company's network and she's doing it at points when she's not working and being paid. 

Go back to Part IV

No comments:

Post a Comment