Hayward Lumber

Motivation

I wanted to transition from software development to cyber security, but I lacked practical work experience and a clear idea of what role I wanted within the cyber security space. So I decided to look for a position in system administration, because I wanted to gain experience managing the technological infrastructure of a business.

Automated Printing pipeline

My first major project at Hayward Lumber was building an automated printing pipeline for labeling products in each branch.
When you walk into Target or any major retailer, every item you see on the shelf is labeled with a sticker which has the name of the product, the product's price point, SKU, quantity on hand, zone, bin location, vendor name, etc.
So how do these items that exist as rows in a database on a server somewhere become stickers on shelves that organize the merchandise for customers who are shopping at a store?

Well, hopefully through a well-thought-out automation that:

  • Accounts for changes in vendors, price points, and product attributes
  • Is relatively easy for the employees in store to use without contacting IT
  • Is easy for me to maintain or for someone else to pick up

First, I created a scheduled task that runs a Python script, which runs a SQL query that scans each product in Hayward's data warehouse by Universal Product Code (UPC) for the version of the product with the newest date-time. Second, the query aggregates the set of products with the newest record per UPC into a result table that is returned to the Python script, which sorts each item in the returned table by branch. Third, the script writes a CSV file to a folder on a print server that runs an automatic label printing software called Bartender, which periodically checks that folder for changes and initiates a print job when changes are detected.
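The three steps above, as an added illustration that is not the original pipeline: the warehouse schema, column names and rows are constructed here, an in-memory SQLite database stands in for the data warehouse, and the watched Bartender folder is any directory you pass in.

```python
import csv
import sqlite3
from collections import defaultdict
from pathlib import Path

# Constructed sample rows; the real warehouse schema is not on the page.
SAMPLE_ROWS = [
    # upc, branch, name, price, qty_on_hand, bin_loc, vendor, updated_at
    ("012345678905", "Monterey", "2x4 Stud", 3.99, 120, "A1", "Sierra Pacific", "2023-01-10 08:00"),
    ("012345678905", "Monterey", "2x4 Stud", 4.29, 110, "A1", "Sierra Pacific", "2023-02-01 09:30"),
    ("023456789012", "Salinas", "Deck Screws 1lb", 9.49, 40, "C7", "GRK", "2023-01-20 12:00"),
    ("034567890123", "Monterey", "Joist Hanger", 1.25, 500, "B3", "Simpson", "2023-01-05 07:15"),
]
COLUMNS = ["upc", "branch", "name", "price", "qty_on_hand", "bin_loc", "vendor", "updated_at"]

# Step 1: keep only the newest record for each UPC (correlated subquery on the timestamp).
NEWEST_PER_UPC = """
SELECT upc, branch, name, price, qty_on_hand, bin_loc, vendor, updated_at
FROM products p
WHERE updated_at = (SELECT MAX(updated_at) FROM products WHERE upc = p.upc)
"""

def load_sample() -> sqlite3.Connection:
    """Build the stand-in warehouse from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE products ({', '.join(COLUMNS)})")
    conn.executemany("INSERT INTO products VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def newest_by_branch(conn: sqlite3.Connection) -> dict:
    """Step 2: run the query and group the newest records by branch."""
    by_branch = defaultdict(list)
    for row in conn.execute(NEWEST_PER_UPC):
        by_branch[row[1]].append(dict(zip(COLUMNS, row)))
    return dict(by_branch)

def write_label_files(by_branch: dict, out_dir: Path) -> list:
    """Step 3: one CSV per branch, dropped into the folder the label software watches."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for branch, rows in sorted(by_branch.items()):
        path = out_dir / f"labels_{branch}.csv"
        with path.open("w", newline="") as fh:
            writer = csv.DictWriter(fh, fieldnames=COLUMNS)
            writer.writeheader()
            writer.writerows(rows)
        written.append(path)
    return written
```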

CIS Version 8 Control 10 Malware Defenses

The next major project I had at Hayward Lumber was a crash course in the Center for Internet Security (CIS) framework and Active Directory Group Policy. Regularly updating software is crucial to staying ahead of CVEs. Per CIS, I placed ADMX templates in C:\Sysvol to create registry-based group policies that control browser updates for all browsers used on the Hayward network, which includes Chrome, Firefox, and Edge.

CIS Version 8 Control 14: Security Awareness Training Program

Using Barracuda PhishLine I set up a phishing campaign to promote cyber awareness at Hayward. PhishLine is pretty cool, as it comes with a bunch of predefined templates from a variety of popular banks including Bank of America, Chase, Wells Fargo, etc. These templates basically mean that I didn't have to use JavaScript or any frontend frameworks like Vue to create convincing emails. I approached this project by scraping our Active Directory for user emails with PowerShell, then mined Hayward's email spam filter (which contains legitimate emails and emails that have been flagged) for common vendors that Hayward employees would expect to get emails from. Then I wrote a script which randomly transposes letters in an email address, so for instance [email protected] could become [email protected]. I've found that transposing letters is something that people miss, because when you receive an email you typically trust the banner of the email, so you take it at face value that because the email includes the company's logo it must be from the company. As you might imagine, this was a rather amusing project.
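The defensive counterpart to the transposition trick described above, as an added example that is not part of the original campaign tooling: it scans constructed `From:` header lines and flags any sender domain that is exactly one adjacent-letter swap away from a trusted vendor domain. The trusted-domain list and the header lines are constructed for the example.

```python
import re

# Constructed allowlist of vendor domains employees expect mail from.
TRUSTED_DOMAINS = {"bankofamerica.com", "chase.com", "wellsfargo.com"}

# Constructed header lines standing in for a mailbox or spam-filter export.
SAMPLE_FROM_LINES = [
    "From: Bank of America <alerts@bankofamerica.com>",
    "From: Bank of America <alerts@bankofamreica.com>",
    "From: Chase Online <no-reply@chaes.com>",
    "From: Vendor Portal <billing@example.org>",
]

def is_adjacent_transposition(a: str, b: str) -> bool:
    """True when b equals a with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diff) != 2 or diff[1] != diff[0] + 1:
        return False
    i = diff[0]
    return a[i] == b[i + 1] and a[i + 1] == b[i]

def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Return (verdict, matched_trusted_domain) for a sender domain."""
    domain = domain.lower()
    if domain in trusted:
        return ("trusted", domain)
    for good in trusted:
        if is_adjacent_transposition(good, domain):
            return ("lookalike", good)  # one swap away from a trusted vendor
    return ("unknown", None)

def scan_from_headers(lines, trusted=TRUSTED_DOMAINS) -> list:
    """Extract the address from each From: line and classify its domain."""
    results = []
    for line in lines:
        m = re.search(r"<?([\w.+-]+@([\w.-]+))>?\s*$", line)
        if not m:
            continue
        address, domain = m.group(1), m.group(2)
        verdict, match = classify_domain(domain, trusted)
        results.append((address, verdict, match))
    return results
```

A "lookalike" verdict is the signal worth routing to a quarantine rule or a SOC alert; "unknown" domains are simply not on the allowlist and need a separate policy.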

Dell ProDeploy

The next major project I had at Hayward Lumber was managing the replacement of ~55 computers. I accomplished this using Dell's Image Assist and ProDeploy service alongside VMware. This project was pretty fun because it involved building a dynamic image of Windows which Dell preinstalled on each computer before shipping the computers out to the branches. I created an unattend.xml which configures the local administrator account, auto-sets the computer's hostname using Hayward's naming convention, and auto-joins the Hayward domain on first boot. I used VMware Workstation (because it's stable) to build the dynamic image and install the various software packages that we wanted pre-installed in the image. There were some caveats: certain software required a connection to a management server (i.e. SEPM), so I ended up creating a GPO which became the default policy for workstations at Hayward. For the GPO to work (and be tested!) I ended up prestaging all of the new computers (as I said, we have a naming convention for hostnames) in our Active Directory. This is what basically allowed software to auto-install via a group policy update after having joined the Hayward domain, because the computer objects already existed in their respective OUs linked to the workstation policy I created. Suffice it to say it was very gratifying to have the machines be domain joined and then, from the domain controller, force a gpupdate on a given OU and get notifications that a new client had been added.

This project further solidified my confidence in administering an Active Directory domain because, along with configuring GPOs for installation of anti-virus software, among other software packages, I used delegation to create a vendor account on the Hayward domain for the Dell technicians. I delegated permission to Dell's vendor account to add computers to the domain and run the Dell Migration Tool (DMT, haha), which auto-migrates user profiles and data from one computer to another. This was pretty interesting because in order to run the DMT you have to be a member of the local Administrators group, so basically by re-using the infrastructure I built when I prestaged the computers I was able to create targeted local admin privileges on specific computers instead of doing something silly like adding a local admin account for a vendor to all computers in the Hayward domain. That wouldn't be following the concept of least privilege. I learned in my PEN-200 course that from a security standpoint granting local admin privileges is a huge security risk, because NT AUTHORITY\SYSTEM or any account that is a member of the BUILTIN\Administrators group has the ability to dump LSASS and DPAPI. While completing this project I also learned about an interesting registry hack for single-label DNS resolution. Single-label domains are not fully qualified domains, and thus are not resolvable by DNS, which makes them unsuitable for an AD environment. Microsoft actually warns against single-label domain names from Windows Server 2008 and up. Basically, a single-label domain would be something like zinhart instead of zinhart.io.

Backup Migration (Current)

A couple of weeks after finishing up the Dell ProDeploy project, Hayward decided to centralize their backup strategy for remote and local users, because at this point in time we had two backup solutions: one for the machines that had already been replaced (the ~55 ProDeploy machines) and one for the computers that weren't old enough to replace yet. Hayward is a Dell shop, so we went with Dell's EMC Druva backup solution. Aside from the standard air-gapped backup techniques, the Druva team uses a technique called data sharding. Basically, they split up all the data a company wants backed up into small pieces, or shards, which are (presumably) equal in length but random in order, with some metadata that holds the original order of the shards. What's interesting to me is that from an attacker's perspective, if the metadata were to be stolen or lost, the shards by themselves would be worthless.

CIS Version 8 Control 16 Application Software Security

I used Symantec Endpoint Protection Manager (SEPM) to create an application policy which blocks tor.exe from being run.

CIS Version 8 Control 12: Network Infrastructure Management

At Hayward's Corporate Office, alongside a contractor, I configured multiple VLANs through managed switches. This technique is called network segmentation, and the primary benefit I see with it is that it makes lateral movement through the network much harder. Every endpoint (user workstation and personal printer) exists by itself on a virtual subnet, so unless an attacker was able to leak the DNS names of devices through a zone transfer, said attacker would have to know beforehand the IPs of any machine they wanted to pivot to AND have permissions to do so, while circumventing ACLs at the switch level.