Tag Archives: Policies

iPhone

Restricting Access To Sites On iOS Devices

One of the more common requests we get for iOS devices is to restrict what sites on the web that a device can access. This can be done in a number of ways. The best, in my experience, has been using a proxy.

In Apple Configurator 1.2 there’s an option for a Global HTTP Proxy for Supervised devices. This allows you to have a proxy for HTTP traffic that is persistent across apps.

Each Wi-Fi network that you push to devices also has the ability to have a proxy associated as well. This is supported by pretty much every MDM solution, with screens similar to the following, which is how you do it in Apple Configurator.

The above has I am all about layered defense, though. Or if a proxy is not an option then having an alternative. Another way to disable access to certain sites is to outright disable Safari and use another browser. This can be done with most MDM solutions as well as using a profile. To see what this would look like using Apple Configurator, see the below profile.

Now, once Safari has been disabled, you then need to provide a different browser. There are a number of third party browsers available on the App Store. Some provide enhanced features such as Flash integration while others remove features or restrict site access.

In this example we’re using the K9 Web Protection Browser. This browser is going to just block sites based on what the K9 folks deem appropriate. Other browsers of this type include X3watch, Mobicip (which can be centrally managed and has a ton of pretty awesome features), bSecure (which ties in with their online offerings for reporting, etc) and others.

While this type of thing isn’t likely to be implemented at a lot of companies, it is common in education environments and even on kiosk types of devices. There are a number of reasons I’m a strong proponent of a layered approach to policy management for iOS. By leveraging proxies, application restrictions, reporting and when possible Mobile Device Management, it becomes very possible to control the user experience to an iOS device in such a way that you can limit access to web sites matching a certain criteria.

Mac OS X Mac OS X Server Mac Security Mass Deployment

Pentesting Mac OS X Server With Nessus 5

One of my favorite tools for penetration testing is Nessus from Tenable Network Security. Nessus 5 is the latest release in the family of vulnerability scanners that is probably amongst the most prolific. Nessus 5 does discovery, configuration auditing, profiling, looks at patch management and performs vulnerability analysis on a variety of platforms. Nessus can also run on a Linux, Windows or Mac OS X and can be used to scan and keep track of vulnerabilities for practically any platform, including Mac OS X.

To install Nessus, go to the Nessus site and click on the Download button, around the middle of the page. Agree to the download agreement and then choose the version that is right for you (Mac OS X in this case).

Download Nessus for Mac OS X

Download Nessus for Mac OS X

The software will then download and need to be installed. Once downloaded, open the Nessus dmg and extract it. Inside will be the Nessus 5 package installer.

The Nessus Installer pkg

The Nessus Installer pkg

Open the installer and click through the defaults to perform a basic installation.

Installing Nessus

Installing Nessus

Once done, you’ll have the Nessus Server Manager and Nessus Client.url in a Nessus folder in the Applications directory.

The Nessus Applications

The Nessus Applications

Open the Nessus Server Manager and authenticate as an administrator when prompted. When you downloaded the software you would have been prompted for registration. Provide that information in the registration field. Then click on Update plugins to make sure all of the Nessus plugins are running the latest version. Finally, click on Manager Users… to create your users.

Nessus Server Configuration

Nessus Server Configuration

At the list of Nessus users, click on the plus sign and create a new user, likely making the user an admin (I see few vulnerability scanning stations that have non-administrative users, which would just be for viewing reports and the such). Click Save to create the user and then close at the List of users screen.

Create Nessus Users

Create Nessus Users

If the Nessus server isn’t started, click on Start Nessus Server. Then click on the Nessus Client.url file back where the Nessus Server manager was accessed. At the Nessus login screen, provide the username and password for the Nessus server that was previously created.

Authenticate to Nessus

Authenticate to Nessus

Once authenticated, you will be placed in the Scans screen. Before we configure any scans, we’re first going to create a Policy (which defines how a scan operates for the most part). To do so, click on Policies and then click on the Add button. There are four policy tabs (aligned on the left sidebar). In the General pane, you will configure the name for the Policy, “Mac Servers” in this example. Then we’re going to check the boxes in the Scan section for Designate Hosts by their DNS Name, Log Scan Details to Server, Stop Host Scan on Disconnect and Avoid Sequential Scans. Then check the boxes in the Port Scanners section for TCP, SYN, SNMP, Netstat SSH and Ping Host. Leave the Port Scan Range set to default and the Performance options at their default values as well. These are useful when you’re done tinkerating to get better performance out of the system, but we’re not really there just yet.

Nessus' General Policy Settings

Nessus' General Policy Settings

Click on the Next button to define any credentials you’ll use during scans. Initially, I’d leave this blank, although you can provide SMB information for up to 4 accounts to see what kind of access users have. You can also define Kerberos, SSH and various cleartext credentials as well. We’re going to skip that for now and click Next to define the Plugins.

Giving Nessus Credentials To Your Boxen

Giving Nessus Credentials To Your Boxen

At the Plugins screen, we’re initially going to leave all of the plugins on. The reason for this is that many of the Lion Server services are similar to those of the various Unix and Linux variants and we can scan SMB with the Windows plugins. These can’t hurt, they might just waste a little time though. Clicking on a Family and then a plugin will show you what each does. Clicking on the green light for each will disable it.

Choosing Nessus Plugins

Choosing Nessus Plugins

Click on Preferences and define any preferences that you need. Amongst the plugin preferences I usually enable network printer scanning, CGI scanning, Enable experimental scripts, set my Report verbosity to Verbose, provide any certificates needed and then hit Submit to create the new Policy.

Defining Nessus Options

Defining Nessus Options

Next, let’s click back on Scans in the navigation bar on the screen. As you can see here, I’ve created a few template scans, but we’re going to create a new one by clicking on the Add button.

Adding A Nessus Template

Adding A Nessus Template

Provide a name for the scan and then choose the Policy you just created. Set the Type to Run Now (since we’re just testing) and put the IP address of a target into the Scan Targets field. You can also import a large set of targets using the Brows button and a csv file or use Schedule or Template rather than Run Now in the Type field to schedule scans or create a template scan. Click Launch to kick off the first scan.

Running a Manual Test Scan

Running a Manual Test Scan

Once started, click on the Reports button in the top nav bar to see the status of the scan.

Completed Nessus Scan

Completed Nessus Scan

Once the scan is finished, click on the scan to see a list of vulnerabilities and open ports, sorted by the severity of issues. Here, double-click on the host.

Nessus Scan Results Overview

Nessus Scan Results Overview

The Report screen then shows each service and the vulnerabilities found for that service. Click on one of the vulnerabilities to see what Nessus thinks is problematic with it.

Nessus' Service List

Nessus' Service List

Now for the fun part. Each of the vulnerabilities listed will have CVEs attached.

Nessus Vulnerability Listing

Nessus Vulnerability Listing

By default, Nessus is just looking at the service banners to determine vulnerabilities. If you look up the CVE at CVE Details or PacketStorm you’ll see that it was patched a few months ago by most vendors. Now Nessus can get things wrong with Mac OS X. The issue is that Apple forks the code for many open source projects, not always updating version numbers on banners. Looking up or testing whether a vulnerability is still applicable can be tedious but would likely need to be done per service according to your internal security policies.

An easy way to test these vulnerabilities is to use Metasploit, a tool I’m long overdue to write an article on. Another way is to try and run the exploit against the host. Apple does a pretty good job of addressing CVEs in their security updates, so don’t waste a lot of time trying things if Apple has already patched them. I have found a really good tool for automatically attempting to exploit via msf + nessus to be Carlos Perez’ auto exploit tool, available on github.

Finally, Nessus is a great tool for scripting. One of the big differences that throws off many an experienced Nessus operator off with the version for the Mac is the location of the Nessus binaries. They are in /Library/Nessus/run/bin. In here you’ll find nasal, nessus, nessus-fetch, nessuscmd etc. The command line control here is pretty awesome. Let’s run nessuscmd to scan a net mask of hosts (192.168.210.0/24):

sudo /Library/Nessus/run/bin/nessuscmd 192.168.210.0/24

There are tons of other options for nessuscmd, such as adding ssh keys, smb logins, scanner options, using a remote nessus server, etc. Or use the nessus binary to kick off scans using a nessus config file. The nessus.conf file is also stored in the /Library/Nessus/run/etc/nessus directory, worth looking into.

Mac OS X Mac OS X Server Mac Security Mass Deployment

LoginWindow: PolicyBanners and Backgrounds

The Login Window in OS X is the screen you see while you’re typing in a username and password. There are a number of customizations used in some environments to make the system easier for users to use, or to make it more specific to a given user environment. One such is customizing the Login Window’s background, which can be done by replacing this file with one that you would like to use:

/System/Library/PrivateFrameworks/LoginUIKit.framework/Versions/A/Frameworks/LoginUICore.framework/Versions/A/Resources/appleLinen.png

You can also configure a message to be shown to users. This message, often referred to as an Acceptable Use Policy, can be used as a policy banner that users must accept in order to log into a computer. To set a policy banner, create a file called PolicyBanner.txt, PolicyBanner.rtf, or PolicyBanner.rtfd with the information you want displayed for end users. Save this file to /Library/Security. Then, the contents of the file will be used as a login banner users will be required to click on the Accept button in order to login.

/Library/Security/PolicyBanner.txt

You can also use Profile Manager and Managed Preferences to manage the items from the System Preferences pane and set a message at the LoginWindow as well. These are available under the Login Window section of Profile Manager.

Update: Those crazy kids at AFP548 have posted a video on YouTube with additional info on Profile Manager. That video can be found here.

Update2: For

Windows XP

Windows XP: Deploying Policies for Microsoft Office

You can set various policies for Microsoft Office.  When you install the Office Resource Kit (orktools.exe) you will be able to go into the Start->Programs->Microsoft Office Tools-> Microsoft Office Resource Kit -> System Policy Editor to do so. 

Mac OS X Server

Mac OS X Server: Pushing Out Policies Using Open Directory

Now if you’re looking to push policies out from a centralized directory service that is not Active Directory then you will have slightly more work to do.  You will be using the poledit.exe utility rather than gpedit.msc.  The poledit.exe tool is stored on a Windows 2000 Server CD.  If you install the Admin Tools using the driveletteri386adminpak.msi installer then you will be able to build a policy file in adm format that can then be distributed.  When you open the Poledit.exe application you will click on File-> New New Policy.  From here you will see Default User and Default computer (much as with it’s successor gpedit.msc). 

Options in poledit.exe for Computers include a variety of settings.  One of the more important here is the Local Computer->Network->System Policies Update->Remote Update which can be used to identify where the system will be getting policy updates and how they will be updated.  To set/create the policy file (Ntconfig.pol), first remove all #if version and #endif statements from the System.adm, Inetres.adm and conf.adm files on the local workstation in order to prevent the unintended loading of these files by the Poledit.exe tool.  This isn’t absolutely necessary. 

Next, save your policy settings as Ntconfig.pol. Save the file to the Netlogon share of the Windows NT 4.0 domain controller.  But, what if you do not have a Netlogon share or a replication service to replicate between shares.  Well, create the share by adding the following lines to your SMB config:

[netlogon]

comment = Network Logon Service

path = /path/to/your/adm/files

guest ok = Yes

browseable = No

Obviously you will replace the /path/to/your/adm/files with the actual directory you will store the data on your server.  This directory needs to allow everyone read only access.  Copy the ntconfig.pol file into this directory and you will now be pushing the policy out to your users.

Options in poledit.exe for users include policies dealing with Control Panels (restrict access to display), Desktop (wallpaper and color scheme), Shell (Start Menu controls and Network Neighborhood controls), System (Run Dialog), Windows NT Network ($ hidden shares), Windows NT Printers (beeps and priorities), Windows NT Remote Access (dialup networking), etc.

Finer Grained controls in Policy Editor

If you are building your policies from a system that has been bound into Open Directory then you can use the Add Groups option and then browse to the group you would like to build policies for.  This allows you to have one overarching policy hosted in the netlogon share. 

Another way to access obtain more finely grained access to policies is to deploy settings using the login scripts.  You can build multiple policy files and deploy them or deploy actual registry edits using login scripts.  

Mac OS X Mac OS X Server

Mac OS X: Bluetooth

Ever wonder what the process is that manages Bluetooth on your machine? Well, it’s blued.  Now, I’ve had the occasion where I wanted to outright disable blued, so I’ve actually renamed it or removed it from my system image. But what if you want to set any preferences for Bluetooth? Well, those are stored in the com.apple.Bluetooth.*.plist file. The * here is due to the fact that it’s based on your machine, thus a ByHost Preference. The location is /var/root/Library/Preferences/ByHost. So if you take that preference file and copy it to another machine it won’t actually work. The other machine will create another as it has a different machine address. So, to configure it you would essentially need to implement login hooks (older revisions you could replace the machine address with an *, which is why I used that here). For more information on login hooks, check out this site (no reason for me to reinvent the wheel here):

http://www.bombich.com/mactips/loginhooks.html

Mac OS X

Mac OS X: Automatically Open Expanded Viewing

The open and save dialogs can automatically have the expanded view opened by default rather than having you need to open it manually each time you go to open or save a file. To enable this setting, use the following command:
defaults write -g NSNavPanelExpandedStateForSaveMode -bool TRUE