
Endpoint Security Windows

Understanding Windows OS and Security Concerns

Discuss Windows Security Components

Discuss various Windows Security Features

Discuss Windows Security baseline configurations

Discuss Windows user account and password management

Discuss Windows Patch Management

Discuss User access management

Windows OS security hardening techniques

Discuss Windows active directory security best practices

Discuss Windows network services and protocol security

Understanding Windows OS and Security Concerns

Windows Architecture includes user mode and kernel mode

A Windows system works in two different modes of operation:

user mode has limited access to resources

kernel mode has unrestricted access to system memory and external devices


Windows OS provides various built-in security features, tools and technologies that allow users to secure their system from different types of threats and vulnerabilities

However, Windows security remains a concern for organizations, as attackers have exploited a number of security vulnerabilities in Windows OS in recent times and new vulnerabilities keep being exposed day by day

Unpatched OS, improper configurations, weak passwords, lack of anti-malware software, leaving unnecessary services and processes enabled, etc. can provide a path for attackers to compromise Windows system security.

Discuss Windows Security Components

Windows Security Components

The Windows security model is a collection of user-mode and kernel-mode processes for monitoring and managing the various OS security components.

List of core components of Windows Security

Security Reference Monitor (SRM)

Local Security Authority Subsystem (LSASS)

LSASS policy database

Security Accounts Manager (SAM)

SAM database

Active Directory (AD)

Authentication packages

Windows logon application (Winlogon)

Logon user interface (LogonUI)

Credential providers (CPs)

Network logon services (Netlogon)

Kernel Security Device Driver (KsecDD)


Security Reference Monitor (SRM)

SRM is responsible for controlling access of user (subject) to a resource (object).

SRM checks the privileges of the user in the access control list of the authorization database before granting or denying permissions to the subject.

SRM is a kernel component with an unrestricted level of access, which lets it log security events throughout the system for auditing.

Security Reference Monitor is a component in the Windows executive (%SystemRoot%\System32\ntoskrnl.exe)

Local Security Authority Subsystem (LSASS)

Local Security Authority Subsystem (LSASS) is a user-mode process (\Windows\System32\lsass.exe)

It is responsible for implementing local security policies for privileges granted to users and groups, system security auditing settings, user authentication, and sending security audit messages to the Event Log.

It issues security tokens to accounts and is a key component of the logon process.

LSASS policy database consists of the local system security policy settings

LSASS has the following 3 running services associated with it: Security Accounts Manager (SAM), Credential Manager, CNG Key Isolation

The LSASS policy database is stored in the registry under HKLM\SECURITY

Security Account Manager (SAM)

SAM is a service responsible for managing the database containing the user names and groups defined on the local machine.

The SAM service (%SystemRoot%\System32\samsrv.dll) is loaded into the LSASS process.

SAM Database

The SAM is a database that stores the hashed logon credentials of local user and group accounts.

The SAM database is stored in the hive file %SystemRoot%\System32\config\SAM and is exposed in the registry under HKLM\SAM\SAM

NTLM and NTLMv2 hashes are stored in the SAM

Active Directory (AD)

AD is the Windows OS directory service used to manage permissions and access to networked resources in Windows domain networks

AD is a hierarchical structure that stores information about objects on the network

AD stores data as objects such as user, group, application or device

Container Objects

These objects can contain other objects, so collections can be built from them. For example: Sites, Domains, Organizational Units

Leaf Objects

These objects cannot contain other objects. For example: users, computers, printers, etc.

Authentication Packages

Authentication packages are DLLs that run in the context of the LSASS process and are used to implement the Windows authentication policy

kerberos.dll

Interactive Logon Manager (Winlogon)

Winlogon is a user-mode running process responsible for managing user authorization sessions

Windows logon is an application that is activated when the system is switched on and runs in the background.

Location of winlogon.exe (%SystemRoot%\System32\winlogon.exe)

Credential Providers (CPs)

CPs are in-process COM objects that run in the LogonUI process

CPs are used to collect the username and password, smartcard PIN, or biometric data (such as a fingerprint)

The standard CPs are:

%SystemRoot%\System32\authui.dll

%SystemRoot%\System32\SmartcardCredentialProvider.dll

Network Logon Service (NetLogon)

NetLogon is a user-mode running process and is responsible for authenticating users and services within a domain

NetLogon is a dynamic link library that runs as a service continuously in the background

NetLogon is also used for AD logons

Location of netlogon.dll: %SystemRoot%\System32\netlogon.dll

Kernel Security Device Driver (KSecDD)

Kernel Security Device Driver (KSecDD) is a kernel-mode library of functions used by kernel-mode security components to implement advanced local procedure call (ALPC), and is used to communicate with LSASS in user mode

Location of KSecDD:

%SystemRoot%\System32\Drivers\ksecdd.sys

Discuss various Windows Security Features

Windows Object Protection

Windows objects are assigned security descriptors to control access

The Windows Kernel Object Manager is responsible for managing securable objects

Securable Objects

Files/directories on an NTFS file system

Named or anonymous pipes

Processes/threads

File-mapping objects

Access tokens

Windows-management objects

Registry keys

Windows services

Local or remote printer

Network share

Interprocess synchronization objects

Job objects

Directory service objects

WinObj – Sysinternals.com tools

Windows Access Checks

An access check is the decision to allow or deny a subject (user/process) access to a securable object, made by comparing the information present in the user's access token with the access control entries (ACEs) in the object's security descriptor

Access token is a kernel object attached to a process which describes the security context of a process or thread.

It is used to identify the user when a process attempts to access a securable object

List of Known SIDs

SID – Group – Description

S-1-0-0 – Nobody – Used when the SID is unknown

S-1-1-0 – Everyone – Group including all users except anonymous users

S-1-2-0 – Local – Users logging to the terminal locally connected to the system

S-1-3-0 – Creator Owner ID – Security identifier to be replaced by the security identifier of the user who created a new object

S-1-3-1 – Creator Group ID – Security identifier to be replaced by the primary-group SID of the user who created a new object

S-1-9-0 – Resource Manager – Used by third-party applications performing their own security on internal data, for example Microsoft Exchange

Access Token Contains:

User account SID (Security Identifier)

SIDs for the groups of which the user is a member

Logon SID to identify the current logon session

List of privileges (user or group based)

Owner SID

SID for the primary group

Default DACL for new securable obj. created without security descriptor

Source of the access token

Flag indicating if primary or impersonation token

Optional list of restricted SIDs

Current impersonation levels

Other statistics

Windows Access Checks: Security Identifier (SID)

Security Identifier (SID) is a unique value of variable length to identify a security principal or security group

View the SID of users or groups to troubleshoot user or object access issues across domain systems

View SID using the Sysinternals PsGetSid tool

psgetsid domain\user

View SID of all users using CMD

wmic useraccount get name,sid

View SID of all users using PowerShell

Get-WmiObject win32_useraccount | Select name,sid

View SID of all users in Windows registry

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

You can find SID under the ProfileList key

The ProfileImagePath value contains the profile path, and thus the username, corresponding to the SID
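The three SID lookups above (WMI, PowerShell, ProfileList) can be combined into one report that ties each local account to its profile folder and also surfaces profiles that no longer match a local account. This is an added example, not part of the original notes; it uses only Win32_UserAccount and the ProfileList key named above.

```powershell
# Added example: join local accounts (Win32_UserAccount) with the ProfileList registry key.
function Get-SidRid {
    param([string]$Sid)
    # Last sub-authority is the RID (500 = built-in Administrator, 501 = Guest);
    # ProfileList may contain ".bak" subkeys, so extract digits only.
    if ($Sid -match '-(\d+)(\.bak)?$') { return [int]$Matches[1] }
    return $null
}

function Get-LocalSidReport {
    # Local accounts only; Win32_UserAccount also lists domain accounts on domain-joined hosts.
    $accounts = @(Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' |
        Select-Object Name, SID, Disabled)

    # Each ProfileList subkey is named after a SID; ProfileImagePath is the profile folder.
    $profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $profiles = @{}
    foreach ($sub in Get-ChildItem -Path $profileKey) {
        $profiles[$sub.PSChildName] = (Get-ItemProperty -Path $sub.PSPath).ProfileImagePath
    }

    foreach ($acct in $accounts) {
        $path = if ($profiles.ContainsKey($acct.SID)) { $profiles[$acct.SID] } else { '<no profile>' }
        [pscustomobject]@{
            Name        = $acct.Name
            SID         = $acct.SID
            RID         = Get-SidRid $acct.SID
            Disabled    = $acct.Disabled
            ProfilePath = $path
        }
    }

    # Profiles with no matching local account: service accounts (S-1-5-18/19/20),
    # domain users who logged on here, or local accounts deleted without profile cleanup.
    foreach ($sid in $profiles.Keys) {
        if ($accounts.SID -notcontains $sid) {
            [pscustomobject]@{
                Name        = '<no local account>'
                SID         = $sid
                RID         = Get-SidRid $sid
                Disabled    = $null
                ProfilePath = $profiles[$sid]
            }
        }
    }
}

Get-LocalSidReport | Sort-Object SID | Format-Table -AutoSize
```

Rows marked `<no local account>` with a RID of 1000 or higher are worth checking against the deleted-account list, since an orphaned profile can still hold cached data.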

Windows Integrity Control

Windows Integrity Control (WIC)/Mandatory Integrity Control (MIC) is an access control mechanism for controlling the interactions between objects based on their integrity, or level of trustworthiness.

The integrity levels are assigned by the operating system and override the discretionary permissions to protect the computer system

The integrity level is determined based on the presence of specific groups in the TOKEN_GROUPS structure

Integrity levels of objects:

Untrusted

Low

Medium

High

System

Installer

Group – SID – Integrity Level

Local System – S-1-5-18 – System

Local Service – S-1-5-19 – System

Network Service – S-1-5-20 – System

Administrators – S-1-5-21-500 – High

Backup Operators – S-4-5-32-551 – High

Network Configuration Operators – S-1-5-32-556 – High

Cryptographic Operators – S-1-5-32-569 – High

Authenticated Users – S-1-5-11 – Medium

Everyone – S-1-1-0 – Low

Anonymous – S-1-5-7 – Untrusted

Windows Integrity Control

Viewing integrity levels:

Tools such as Process Explorer from Sysinternals can help in viewing the integrity level of the processes running on the system

The integrity level of cmd.exe is Medium when run by an authenticated normal user

The integrity level of cmd.exe is High when run with administrative privileges

Virtual Service Accounts

Virtual service accounts are a special type of account that enhances the security isolation and access control of Windows services.

With virtual service account, each service runs under its own account having its own security ID

The name of the account is "NT Service\" followed by the internal name of the service

Virtual service account passwords are set and periodically changed by Windows automatically

Use the SC (Service Control) tool to create a service that runs under a virtual service account

sc create TestService obj= "NT SERVICE\TestService" binPath= "C:\demo\test.exe"

Secure File Sharing

Files are commonly shared in an organization. If unprotected files are shared over the network, unauthorized users or attackers can access them.

Secure file sharing is implemented in the network by restricting access to users without the required privileges

Assign the right permissions – Enable password protection

Grant access permissions on a shared folder using CMD

net share SharedFolder=C:\SharedFiles /GRANT:Bob,READ

Grant access permissions on a shared folder using PowerShell

Grant-SmbShareAccess -Name ShareFolder -AccountName Bob -AccessRight Read

Revoke access permissions on a shared folder for Everyone using PowerShell

Revoke-SmbShareAccess -Name ShareFolder -AccountName Everyone
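The Grant/Revoke cmdlets above fix one share at a time; the added example below (not from the original notes) audits every non-administrative share for Allow entries granted to broad principals and then replaces an Everyone entry with a scoped group. The group name CONTOSO\FileReaders and the list of broad principals are assumptions.

```powershell
# Added example: audit SMB share permissions for broad principals, then scope them down.
function Get-BroadShareAccess {
    param(
        # Principals whose Allow entries on a share deserve review (assumed list)
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )
    # Administrative shares (ADMIN$, C$, IPC$) are flagged Special and skipped here.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -ne 'Allow') { continue }       # Deny entries only tighten access
            if ($BroadPrincipals -notcontains $ace.AccountName) { continue }
            [pscustomobject]@{
                Share    = $share.Name
                Path     = $share.Path
                Account  = $ace.AccountName
                Right    = $ace.AccessRight                             # Read, Change or Full
                Severity = if ($ace.AccessRight -eq 'Read') { 'review' } else { 'fix' }
            }
        }
    }
}

# Replace the Everyone entry on a share with a named group at the requested level.
function Set-ScopedShareAccess {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$Group,
        [ValidateSet('Read', 'Change', 'Full')][string]$Right = 'Read'
    )
    Revoke-SmbShareAccess -Name $ShareName -AccountName Everyone -Force
    Grant-SmbShareAccess  -Name $ShareName -AccountName $Group -AccessRight $Right -Force
    Get-SmbShareAccess    -Name $ShareName                              # show the resulting share ACL
}

Get-BroadShareAccess | Format-Table -AutoSize
# Set-ScopedShareAccess -ShareName 'SharedFolder' -Group 'CONTOSO\FileReaders' -Right Read
```

Share permissions are evaluated together with the NTFS permissions of the folder, and the more restrictive of the two wins, so the folder ACL (Get-Acl) should be reviewed alongside this report.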

Security Auditing

Security Auditing helps enhance security by identifying attacks (successful or not) that pose a threat to the network

Windows security auditing can be enabled using:

Group Policy Object (AD environments)

Local Security Policy (single computer)

Security Audit Events Categories

Audit account logon events

Audit account management

Audit directory services access

Audit logon events

Audit object access

Audit policy change

Audit privilege use

Audit process tracking

Audit system events

Get-WinEvent -ComputerName 'pcname1' -MaxEvents 1 -LogName 'security' -FilterXPath '*[System[EventID=4625]]' | select -expand message
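The Get-WinEvent query above returns one failed-logon event (4625) as text. The added example below (not from the original notes) takes this further: it projects the EventData fields of many 4625 events and groups them by target account and source address to flag password-guessing bursts. The sample events are constructed so the logic can be run without a Security log; the threshold and window are assumptions.

```powershell
# Added example: group Security event 4625 (failed logon) by account and source to spot bursts.
function Get-FailedLogonBursts {
    param(
        # Objects with TimeCreated, TargetUserName, IpAddress and SubStatus properties
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 5,
        [int]$WindowMinutes = 10
    )
    if ($Events.Count -eq 0) { return }
    # Only consider the most recent window of activity (Sort-Object works on DateTime in PS 5.1)
    $latest = ($Events | Sort-Object -Property TimeCreated | Select-Object -Last 1).TimeCreated
    $cutoff = $latest.AddMinutes(-$WindowMinutes)
    $Events | Where-Object { $_.TimeCreated -ge $cutoff } |
        Group-Object -Property TargetUserName, IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object -Property TimeCreated
            [pscustomobject]@{
                Account   = $sorted[0].TargetUserName
                Source    = $sorted[0].IpAddress
                Failures  = $_.Count
                First     = $sorted[0].TimeCreated
                Last      = $sorted[-1].TimeCreated
                # 0xC000006A = wrong password, 0xC0000064 = user name does not exist
                SubStatus = ($sorted.SubStatus | Sort-Object -Unique) -join ','
            }
        }
}

# Pull live 4625 events and project the EventData fields used above (run as an administrator).
function Get-FailedLogonEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 1000)
    Get-WinEvent -ComputerName $ComputerName -LogName Security -MaxEvents $MaxEvents `
        -FilterXPath '*[System[EventID=4625]]' -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            TargetUserName = $data['TargetUserName']
            IpAddress      = $data['IpAddress']
            SubStatus      = $data['SubStatus']
        }
    }
}

# Constructed sample: six failures against 'bob' from one address within three minutes,
# plus one unrelated failure, so the grouping can be exercised offline.
$now = Get-Date
$sample = @(
    1..6 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $now.AddSeconds(-30 * $_); TargetUserName = 'bob'
                           IpAddress = '10.0.0.25'; SubStatus = '0xC000006A' }
    }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-2); TargetUserName = 'alice'
                       IpAddress = '10.0.0.40'; SubStatus = '0xC000006A' }
)
Get-FailedLogonBursts -Events $sample | Format-Table -AutoSize
# Live data: Get-FailedLogonBursts -Events (Get-FailedLogonEvents) -Threshold 10
```

Event 4625 is only written when "Audit logon events" (or the corresponding advanced audit subcategory) is enabled, so an empty result should first be checked against the audit policy.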

Discuss Windows Security baseline configurations

Windows security baseline is a group of Microsoft-recommended configuration settings for securing Windows

A security baseline is used to ensure that user and device configuration settings are compliant with the recommended settings

The Security Compliance Toolkit (SCT) provides the security baselines that should be followed to secure Windows systems

Download and install Security Compliance Toolkit (SCT) to view the security baseline configurations

Checking Windows Security Baseline Configuration Using Security Compliance Toolkit (SCT)

SCT is a set of tools that helps folks analyze, test and edit Microsoft-recommended security configuration baselines for Windows.

The Security Compliance Toolkit includes:

Windows 10 security baselines

Windows Server security baselines

Microsoft Office security baselines

Tools

Policy Analyzer tool

Local Group Policy Object (LGPO) tool

Discuss Windows user account and password management

Folks should set up different user accounts if a system is accessed by multiple users

Windows allows the setup of 3 types of user accounts for user management:

Administrator Account – Has full control and access to all files and folders in the system

Standard Account – Has limited access and users can access their own account files and folders

Guest Account – Has only read and write access. Users are not allowed to install new applications or make changes to existing applications

User Account Management: Disable Guest Account

The guest account in Windows OS can access the system without a password

Even though guest accounts are temporary accounts, they need to be disabled to prevent misuse in the long run.

Can be done via GUI

CMD to check

net user guest | findstr /C:"active"

CMD to disable

net user guest /active:No

Disable inactive user accounts that have not been used over a long period of time

Remember to disable the user accounts of employees who have resigned from the organization

Attackers can gain access to the system through compromised unused/inactive user accounts

CMD to get the status of a user

net user bob

Disable unnecessary local administrator accounts

The local administrator account is often configured on different computers with a common password

If attackers know the SID of an administrator account, they can compromise the system even if the account name is changed

Enforce Password Policy

Secure all user accounts with a strong password management policy

Enabling "Password must meet complexity requirements" ensures that passwords meet a set of guidelines for creating a strong password

This will help in preventing brute-force attacks

Enabling the Password Must Meet Complexity Requirements for Domain Password Policy using PowerShell

Set-ADDefaultDomainPasswordPolicy -Identity domain.com -ComplexityEnabled $True

Get-ADDefaultDomainPasswordPolicy

If the password age is set too high, the password stays valid for a longer period of time. In that case, if an attacker succeeds in obtaining the password anyway, he/she may have enough time to gain unauthorized access with it.

Set the password age value as low as possible

Set-ADDefaultDomainPasswordPolicy -Identity domain.com -MinPasswordLength 11

Get-ADDefaultDomainPasswordPolicy

Password Protection Using Credential Guard

Credential Guard secures login credentials by restricting their interaction with the components of the system

Credential guard protects the LANMAN password hashes and Kerberos ticket-granting ticket (TGT)

When credential guard is enabled, only privileged software can access the credentials

It protects against “pass-the-hash” attacks

Turn on Virtualization Based Security

Select Platform Security Level: Secure Boot and DMA Protection

Virtualization Based Protection of Code Integrity: Not Configured

Credential Guard Configuration: Enabled with UEFI lock
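The four Group Policy settings listed above only request Credential Guard; whether it is actually running depends on the platform meeting the requirements. The added example below (not from the original notes) reads the Win32_DeviceGuard WMI class and the registry values those policies write, so configured and running state can be compared. The registry value names (EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, LsaCfgFlags) are the ones the policies set; they are not on the page.

```powershell
# Added example: report Credential Guard / VBS configuration versus runtime state.
function Get-CredentialGuardStatus {
    # Runtime state as reported by the Device Guard WMI provider
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState = 'Unknown'
    if ($dg.VirtualizationBasedSecurityStatus -eq 0) { $vbsState = 'Not enabled' }
    elseif ($dg.VirtualizationBasedSecurityStatus -eq 1) { $vbsState = 'Enabled but not running' }
    elseif ($dg.VirtualizationBasedSecurityStatus -eq 2) { $vbsState = 'Running' }

    # Configured policy, as written to the registry by the Group Policy settings listed above
    $dgPol  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsaPol = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled
    $cgPolicy = 'Not configured'
    if ($lsaPol.LsaCfgFlags -eq 1) { $cgPolicy = 'Enabled with UEFI lock' }
    elseif ($lsaPol.LsaCfgFlags -eq 2) { $cgPolicy = 'Enabled without lock' }
    elseif ($lsaPol.LsaCfgFlags -eq 0) { $cgPolicy = 'Disabled' }

    [pscustomobject]@{
        VbsStatus                 = $vbsState
        VbsPolicyEnabled          = ($dgPol.EnableVirtualizationBasedSecurity -eq 1)
        # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA protection
        PlatformSecurityLevel     = $dgPol.RequirePlatformSecurityFeatures
        CredentialGuardPolicy     = $cgPolicy
        # Service code 1 = Credential Guard, 2 = HVCI in SecurityServicesConfigured/Running
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: check Secure Boot, virtualization support and reboot.'
}
```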

Discuss Windows Patch Management

Patch Management ensures appropriate and updated patches are installed on the system

It involves applying patches, service packs and/or upgrading Windows to a newer version

Use patch management tools to identify missing patches and install them on the system.

Patches are small programs that apply a fix to a specific vulnerability

Service packs can fix vulnerabilities along with some functionality improvements

Version upgrades fix vulnerabilities and come with improved security features.

Patch Management Activities:
1. Choosing, verifying, testing, and applying patches

2. Updating previous versions of patches to current ones.

3. Recording repositories or depots of patches for easy selection

4. Assigning and deploying applied patches

To apply patches to the operating system against security vulnerabilities and bugs, keep the system up to date by enabling automatic updates

Automatic updates will check for important updates and install them automatically

Enabling Automatic Updates

Go to Start, Settings, click Windows Update and select the option "Install updates automatically"


Enable Automatic Updates

Registry value: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions REG_DWORD 3

PowerShell

sc.exe config wuauserv start= auto

CMD

sc config wuauserv start= auto

Disable forced system restarts

When a system gets an update, it suggests a forced restart to install it

The unsaved work of employees can be lost if the system is force-restarted

Third-Party Patch Management Tools

You can use a third-party Windows update tool for remote-desktop patch management

Remote patch management involves planning, deciding, and prioritizing updates to the OS, software, and devices within a network.

BatchPatch, PRTG Network Monitor, IBM BigFix, SolarWinds Patch Manager, ManageEngine Patch Manager Plus, SysAid Patch Management, Itarian Patch Management, etc., are some examples of third-party patch management tools

Restricting Access to Files and Folders

Assign appropriate permissions to individual users or groups of users on specific files or folders to restrict unauthorized access.

PowerShell

$acl = Get-Acl c:\test

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("bob", "ReadPermissions", "Allow")

$acl.SetAccessRule($AccessRule)

$acl | Set-Acl c:\test

Prevent Unauthorized Change in System

User Account Control (UAC) Setting for Administrator Account

The User Account Control setting ensures that specific changes are approved by an administrator

It prevents malware from modifying system security settings or disabling antivirus software

Users cannot access or modify the sensitive information of other users on shared computers

User Account Control (UAC) Settings for Non-Administrator Accounts

When any application is executed from a non-administrator account, UAC restricts the user and asks them to log in with an administrator account to execute the application

It prevents unauthorized execution of applications and programs from non-administrator accounts

Turn on User Account Control (UAC) using PowerShell

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -PropertyType DWord -Value 1 -Force

Disable Anonymous Security Identifiers Enumeration

If the "Do not allow anonymous enumeration of SAM accounts and shares" setting is disabled, insiders can identify the users and groups associated with a system by searching the SIDs

Ensure that this feature is enabled

Network Access: Do not allow anonymous enumeration of SAM accounts and shares

Enable

Moderating Access to Control Panel

A user with malicious intent who has access to the Control Panel can alter administrative settings with ease, which may impact system integrity

Disable unnecessary access to the Control Panel.

Prohibit access to Control Panel and PC settings

Control Access to Command Prompt

With Command Prompt commands, a user can access details about the drives, their paths, ASCII codes, the version of Windows, registry files, etc.

Any modification to this information can lead to the breakdown of the whole operating system, requiring the OS to be reinstalled.

Disable unnecessary access to the Command Prompt

Prevent access to the command prompt

Enabled

Administrative Access Management Using Just Enough Administration (JEA)

Just Enough Administration (JEA) is used to limit the cmdlets or administrative privileges available to an account

A PowerShell role capability file is created to determine the privileges of specific accounts

A PS session configuration file is created to determine who is allowed to perform the tasks described in the PowerShell role capability file

Features:

Whenever a user enters a PS session that incorporates JEA, it uses a virtual account for that session alone

Reduces the attack vectors, as the credentials are not saved on the computer
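The role capability file, session configuration file and virtual account described above fit together as follows. This is an added example, not from the original notes: it builds a JEA endpoint that lets one group restart only the Spooler service. The module name HelpdeskJEA, the group CONTOSO\Helpdesk, the user CONTOSO\jdoe and the transcript path are assumptions.

```powershell
# Added example: create a constrained JEA endpoint backed by a virtual account.

# Role capability files are discovered from <module>\RoleCapabilities under a PSModulePath folder.
$ModuleName = 'HelpdeskJEA'                                   # assumed module name
$ModuleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleRoot "$ModuleName.psd1")

# Role capability: the role sees Get-Service, and Restart-Service only with -Name Spooler.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'SpoolerOperator.psrc') -VisibleCmdlets @(
    'Get-Service'
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)

# Session configuration: who may connect, which role they get, and that the session runs as a
# virtual account (a temporary local administrator whose credentials never leave this host).
$SessionFile = Join-Path $env:TEMP 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $SessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'SpoolerOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $SessionFile)) {
    throw "Session configuration file $SessionFile is not valid"
}
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $SessionFile -Force | Out-Null

# Verify: Permission lists who may connect; Get-PSSessionCapability shows exactly which
# commands a given user would see inside the endpoint.
Get-PSSessionConfiguration -Name 'Helpdesk' | Select-Object Name, Permission
Get-PSSessionCapability -ConfigurationName 'Helpdesk' -Username 'CONTOSO\jdoe' | Select-Object Name
# A helpdesk member connects with: Enter-PSSession -ComputerName <server> -ConfigurationName Helpdesk
```

Register-PSSessionConfiguration restarts the WinRM service, so run it from an elevated console during a maintenance window.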

Windows OS security hardening techniques

Setup BIOS Password

Setting up a BIOS password is the first protection layer of the computer

It helps you maintain OS security at a low level

Steps:

  1. Enter BIOS Setup Utility interface
  2. Select Security and set Supervisor Password. It will control the access to the setup utility

Prevent Windows from storing LAN Manager Hash

Windows generates LM hashes of passwords and stores them in the Security Accounts Manager (SAM)

LM hashes are weak in nature and can be brute-forced easily

Do not allow Windows to store LM hash values

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLmHash REG_DWORD 1

Network security: Do not store LAN Manager hash value on next password change

Enable
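Several of the hardening settings in these notes come down to a single registry value (NoLmHash, EnableLUA, the anonymous SAM enumeration policy, AUOptions). The added example below (not from the original notes) checks them as one small baseline and can re-apply the expected values. The value name RestrictAnonymous for the "Do not allow anonymous enumeration of SAM accounts and shares" policy is my mapping, not from the page.

```powershell
# Added example: check registry-backed hardening settings from these notes against expected values.
$HardeningBaseline = @(
    @{ Setting = 'Do not store LAN Manager hash value on next password change'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLmHash'; Expected = 1 }
    @{ Setting = 'User Account Control enabled (EnableLUA)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1 }
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Expected = 1 }
    @{ Setting = 'Automatic Updates (AUOptions as set in these notes)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'AUOptions'; Expected = 3 }
)

function Test-HardeningBaseline {
    param([switch]$Remediate)   # -Remediate writes the expected value; requires elevation
    foreach ($rule in $HardeningBaseline) {
        $actual = $null
        if (Test-Path -Path $rule.Path) {
            $actual = (Get-ItemProperty -Path $rule.Path -Name $rule.Name -ErrorAction SilentlyContinue).($rule.Name)
        }
        $ok = ($null -ne $actual) -and ([int]$actual -eq $rule.Expected)

        if (-not $ok -and $Remediate) {
            if (-not (Test-Path -Path $rule.Path)) { New-Item -Path $rule.Path -Force | Out-Null }
            New-ItemProperty -Path $rule.Path -Name $rule.Name -PropertyType DWord -Value $rule.Expected -Force | Out-Null
            $actual = $rule.Expected
            $ok = $true
        }

        [pscustomobject]@{
            Setting   = $rule.Setting
            Value     = "$($rule.Path)\$($rule.Name)"
            Expected  = $rule.Expected
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = $ok
        }
    }
}

Test-HardeningBaseline | Format-Table -AutoSize
# Test-HardeningBaseline -Remediate
```

A value reported as `<not set>` means the OS default applies, which is not always the hardened one; in a domain, values under the Policies keys are re-written by Group Policy, so the fix belongs in the GPO rather than on the host.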

Restrict Software Installations

The security of the network may be compromised if an application from an untrusted source is installed.

Restricting users from installing applications on the system can prevent malware downloads from untrusted sources.

Prohibit User Installs

Enabled

Disable Unwanted Services

Attackers take advantage of security holes in services to break into a computer.

Disable the following services on any machine other than a server

IIS

FTP

SQL server

Proxy services

Telnet

Universal plug and play

Viewing Windows Services and their state using PowerShell

Get-WmiObject -Class WIN32_Service -ComputerName test | Select __SERVER,Name,state,startName

Set-Service svsvc -StartupType Disabled

Install Antivirus Software

Install up-to-date antivirus software to protect your system from virus infections

Either use built-in antivirus or third-party antivirus software

Built-in Antivirus for Windows 10: Windows Defender

Enable Windows Defender Firewall

Enable Windows Defender Firewall to filter the incoming and outgoing traffic on Windows System

Go to Control Panel, System and Security, and click Windows Defender Firewall

Enabling Defender Firewall using PowerShell

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled true

Adding a firewall rule and viewing rule status using PowerShell

New-NetFirewallRule -RemoteAddress 10.0.0.0/24 -DisplayName "Local Subnet" -Direction Inbound -Profile Any -Action Allow

Get-NetFirewallRule -Name *NTTP* | Select Name, Enabled, Direction, Action, PrimaryStatus

Monitor Windows Registry

The Windows registry is the central Windows configuration database

It stores all the configuration settings of the applications and components of the operating system

It maintains the registry keys for various user actions in terms of log, autorun locations, MRU lists, UserAssist, etc.

Regular monitoring and auditing of the registry can help users detect traces of malicious activity on the system

Process Monitor utility is used to monitor registry activity in real time.

The Windows registry can be accessed by executing the 'regedit' command in the command prompt.

Process Monitor – Sysinternals

Viewing registry key data using PowerShell

Get-PSDrive -PSProvider Registry | Select-Object -Property Name, Root

Set-Location HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion

Get-ChildItem

Discuss Windows active directory security best practices

Cleaning Domain Admins Group

The domain administrator account is in the Domain Admins group by default

Microsoft recommends cleaning up the Domain Admins group to protect the accounts from attackers

Local Administrator Password Solution (LAPS)

LAPS is implemented to manage local administrator passwords

LAPS creates a password for each local administrator account and stores it in Active Directory

Disable NTLM and NTLMv2 Protocols

Disable NTLM authentication so that Kerberos authentication is used in the AD domain

Network security: Restrict NTLM: NTLM authentication in this domain – Disable

Monitor Active Directory Events for Signs of Compromise

AD Events should be monitored regularly for signs of compromise

Events to Monitor

Changes to administrative groups

Wrong password attempts

Usage of locked out accounts

Account lockouts

Changes in the antivirus software settings

Activities performed by privileged accounts

PS Cmdlets for Securing Active Directory

1. View default password policy

Get-ADDefaultDomainPasswordPolicy

2. View accounts having password set to never expire

get-aduser -filter * -properties Name, PasswordNeverExpires

get-aduser -filter * -properties Name, PasswordNeverExpires | where {$_.PasswordNeverExpires -eq $true} | Select-Object DistinguishedName,Name,Enabled

3. Force user to change password at next login

Set-ADUser -Identity bob -ChangePasswordAtLogon $true

4. Disable a user account and list all disabled accounts

Disable-ADAccount -Identity bob

Search-ADAccount -AccountDisabled | Select Name

5. List locked-out accounts

Search-ADAccount -LockedOut

6. Unlock all locked-out accounts

Search-ADAccount -LockedOut | Unlock-ADAccount

7. View users login details

$DC = Get-ADDomainController -Filter *

8. Disable inactive accounts

Search-ADAccount -UsersOnly -AccountInactive -DateTime '1/1/2022' | Disable-ADAccount

$timespan = New-Timespan -Days 90

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount

AD Security Best Practices

  1. Manage local Administrator passwords (LAPS)
  2. Implement RDP Restricted Admin mode
  3. Remove unsupported OSes from the network
  4. Monitor scheduled tasks on sensitive systems like domain controllers
  5. Ensure that OOB management passwords (DSRM) are changed regularly and securely stored
  6. Use SMB v3+
  7. Default domain Administrator and KRBTGT passwords should be changed every year or when an AD administrator leaves
  8. Remove trusts that are no longer necessary and enable SID filtering as appropriate
  9. Wherever possible, set all domain authentication to "Send NTLMv2 response only\refuse LM & NTLM"
  10. Audit NTLM use and restrict it
  11. Block Internet access for domain controllers, servers, and all administration systems
  12. Disable NetBIOS over TCP/IP and turn off multicast name resolution (LLMNR)
  13. No user or computer accounts in administrator groups
  14. Mark all administrator accounts as sensitive and cannot be delegated
  15. Add all administrator accounts to the "Protected Users" group
  16. Disable all inactive administrator accounts and remove them from privileged groups
  17. Restrict AD administrator membership and use custom delegation groups
  18. "Tiered" administration mitigates the impact of credential theft
  19. Ensure administrators only log on to approved administrative workstations and servers
  20. Assign time-based, temporary group membership for all administrator accounts
  21. To protect administrators and critical systems, segment the network
  22. Deploy IDS to monitor the internal corporate network
  23. Keep network device and OOB management on a separate network
  24. Protect service account credentials
  25. Limit them to systems of the same security level
  26. Implement (Group) Managed Service Accounts
  27. Implement FGPP (Fine-Grained Password Policy, requires DFL >= 2008) to increase password requirements for service accounts and administrators
  28. Prevent interactive logon and enable logon only to specific computers
  29. Disable inactive service accounts and remove them from privileged groups
  30. Protect workstations and servers
  31. Patch quickly, especially privilege escalation vulnerabilities
  32. Deploy the security back-port patch
  33. Set the WDigest registry key to 0: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
  34. Deploy workstation whitelisting
  35. Deploy workstation application sandboxing technology (EMET – Enhanced Mitigation Experience Toolkit)
  36. Run only the software and services required to support AD
  37. Restrict groups/users having domain controller administrator or logon rights
  38. Ensure patches are applied before running DCPromo
  39. Validate scheduled tasks and scripts
  40. Implement centralized logging using a SIEM
  41. Use a user behavioral analysis system
  42. Enable enhanced auditing
  43. Enable PowerShell module logging
  44. Enable CMD process logging and enhancement, and forward logs to a central log server

Secure PowerShell (PS) Remoting Endpoints

PS Remoting gives access to almost everything, so it is more likely to be attacked by threat actors

When PS Remoting is enabled, it configures four endpoints called session configurations

Each endpoint has a set of users who can access the session. By default, system administrators and remote management users can access the endpoints

Execute Get-PSSessionConfiguration to view all the endpoints. The Permission property will give details of the users and permissions at each endpoint.

To reduce the risks from PS Remoting, custom endpoints (constrained endpoints) can be created with restricted permissions for endpoint users.

The PS enhanced logging feature (PowerShell version 5.0) enables recording of executed PS commands and scripts, de-obfuscated code, output, and transcripts

Enable PS logging to identify any suspicious scripting activity across the network.

PS Logging Components

Transcript logging: Creates a unique record of every PS session

Script block logging: Records blocks of code as they are executed

Module logging: Records pipeline execution details as PS executes
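The three logging components above, and the transcription and module-logging recommendations later in these notes, are all controlled by policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell. The added example below (not from the original notes) sets and verifies them the way Group Policy would; the central share path is an assumption.

```powershell
# Added example: enable transcription, script block logging and module logging via policy keys.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$LoggingSettings = @(
    @{ Key = "$PolicyRoot\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1; Type = 'DWord' }
    @{ Key = "$PolicyRoot\ModuleLogging";      Name = 'EnableModuleLogging';      Value = 1; Type = 'DWord' }
    @{ Key = "$PolicyRoot\Transcription";      Name = 'EnableTranscripting';      Value = 1; Type = 'DWord' }
    @{ Key = "$PolicyRoot\Transcription";      Name = 'EnableInvocationHeader';   Value = 1; Type = 'DWord' }
    # Central share (assumed path); lock down delete rights on it as recommended in these notes
    @{ Key = "$PolicyRoot\Transcription";      Name = 'OutputDirectory'; Value = '\\logsrv\pstranscripts$'; Type = 'String' }
)

function Enable-PowerShellLogging {
    foreach ($s in $LoggingSettings) {
        if (-not (Test-Path -Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
    }
    # Module logging also needs the list of modules to log; a '*' entry logs all of them.
    $mods = "$PolicyRoot\ModuleLogging\ModuleNames"
    if (-not (Test-Path -Path $mods)) { New-Item -Path $mods -Force | Out-Null }
    New-ItemProperty -Path $mods -Name '*' -PropertyType String -Value '*' -Force | Out-Null
}

function Get-PowerShellLoggingStatus {
    foreach ($s in $LoggingSettings) {
        $actual = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting  = $s.Name
            Expected = $s.Value
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Ok       = ($actual -eq $s.Value)
        }
    }
}

Get-PowerShellLoggingStatus | Format-Table -AutoSize
# Enable-PowerShellLogging      # run elevated; takes effect for new PowerShell sessions
# Script block logging writes event 4104 to the Microsoft-Windows-PowerShell/Operational log:
# Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath '*[System[EventID=4104]]' -MaxEvents 5
```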

Disable PS v2.0

PS 2.0 is considered a security risk and can be used to execute malicious code

Disable PS 2.0 if it is enabled

To disable PS 2.0 in Windows 10 use the following command:

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

To check PS 2.0 status in Windows 10 use the following command:

Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

Enforce Script Signing for PS Scripts

By default, as a security feature, Windows restricts PS script execution

PS execution policy settings determine the execution of scripts

Type Get-ExecutionPolicy command to verify the PS execution policy

Configure PS to enforce script signing for all PS scripts

PS execution policy settings can be configured using:

Command line

Group Policy

Registry Editor

PowerShell Script Execution Policy Settings

Restricted: No scripts can be executed

AllSigned: Only scripts signed by a trusted publisher can be executed

RemoteSigned: Downloaded scripts are executed only when signed by a trusted publisher

Unrestricted: Executes all PowerShell scripts

Use ConstrainedLanguageMode of PS

PS FullLanguageMode allows loading of all COM objects / libraries / classes into the PS session

Enforce RestrictedLanguageMode or ConstrainedLanguageMode to prevent attackers from loading arbitrary COM objects / libraries / classes into the PS session

Type $ExecutionContext.SessionState.LanguageMode command to determine PS LanguageMode

RestrictedLanguageMode can be implemented using:

AppLocker

Device Guard using UMCI (User Mode Code Integrity)

Command to determine PowerShell LanguageMode

$ExecutionContext.SessionState.LanguageMode

To restrict it, use the MMC snap-in Local Computer Policy:

Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker\Script Rules

Using Windows Potentially Unwanted Applications Protection Feature

Potentially unwanted programs (PUPs) or potentially unwanted applications (PUAs) are programs downloaded from an untrusted source or that are not used often.

Examples of the PUAs are adware, downloaders, and aggressive monetizing software.

The Windows PUA protection feature scans and detects all PUA files in the system.

PUA protection can be configured using the following:

GPO

PowerShell

Configure PUA Protection using PowerShell

Run PowerShell as Administrator and enter the following command:

Set-MpPreference -PUAProtection 1
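The following is an added example, not part of the original notes: it enforces PUA protection (the numeric values are Defender's own: 0 = Disabled, 1 = Enabled, 2 = AuditMode) and lists past detections whose threat name carries the PUA: prefix, so an administrator can see what the setting has already caught. The function name is an assumption made for this example.

```powershell
# Added example (not from the original notes): enforce PUA protection and report
# what Defender has already classified as PUA on this host.
function Set-PuaProtectionEnforced {
    # PUAProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (detect only)
    $before = (Get-MpPreference).PUAProtection
    if ($before -ne 1) { Set-MpPreference -PUAProtection 1 }

    # Past detections whose name carries the PUA: prefix, for triage.
    $pua = Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like 'PUA:*' } |
        Select-Object ThreatName, SeverityID

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PuaBefore      = $before
        PuaAfter       = (Get-MpPreference).PUAProtection
        PuaDetections  = @($pua).Count
        DetectionNames = (@($pua | ForEach-Object ThreatName) -join '; ')
    }
}
Set-PuaProtectionEnforced | Format-List
```

Use AuditMode (2) first on a pilot group if line-of-business tools are bundled with adware components; the detections list shows what would be blocked before enforcement is switched on.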

Windows Sandbox

Windows Sandbox creates an isolated, temporary desktop environment to run application software without affecting the host machine.

Users can safely download an executable file from a risky source, install it, and test it in Sandbox without risking the host system.

The PC should support virtualization for using Windows Sandbox

Turn on Windows Features and check Windows Sandbox
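The following is an added example, not part of the original notes: it enables the Windows Sandbox feature from PowerShell and launches the sandbox from a locked-down .wsb configuration file (no networking, no vGPU, no clipboard or printer redirection, and a single read-only folder mapped in from the host so a suspect file can be examined without a path back out). It assumes an elevated session, virtualization enabled in firmware, and placeholder folder paths.

```powershell
# Added example (not from the original notes): enable Windows Sandbox and start it
# from a hardened .wsb configuration. Assumptions: elevated session, virtualization
# enabled in firmware, placeholder paths.
Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart

$samplesDir = 'C:\Samples'              # placeholder: host folder holding the file to test
$wsbPath    = Join-Path $env:TEMP 'locked.wsb'

# Every redirection that could carry data back to the host is disabled; the mapped
# folder is read-only so the sandbox cannot write to it. ProtectedClient adds
# AppContainer-style isolation to the RDP session that drives the sandbox.
$config = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$samplesDir</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@
Set-Content -Path $wsbPath -Value $config -Encoding UTF8

# Launching the .wsb file starts a fresh sandbox; everything inside is discarded on close.
Start-Process -FilePath $wsbPath
```

Keep Networking disabled unless the test actually needs it: with networking on, the sandbox shares the host's network and a malicious sample can still reach internal systems.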

Sandboxing Tool: Sandboxie

Sandboxie is a sandboxing tool developed by Sophos

It keeps the browser isolated and blocks malicious software, viruses, ransomware, and zero-day threats.

It prevents Internet websites from modifying files and folders on the system

BufferZone – bufferzonesecurtity.com

SHADE Sandbox – shadesandbox.com

Shadow Defender – shadowdefender.com

BitBox – rohde-schwarz.com

Toolwiz Time Freeze – toolwiz.com

Sandboxie – sandboxie.com

Windows Defender Application Guard: Microsoft Edge

Windows Defender Application Guard (WDAG) isolates Microsoft Edge and blocks websites from accessing the local storage, memory, installed apps, and corporate network endpoints

PS Remoting Security Recommendations

  1. Turn on transcription logging and ensure the logs are written to a central file share
  2. Lock down the accounts that have privileges to remove the logs from the central file share
  3. Script block logging should be turned on so that damage to the system can be evaluated
  4. If module logging is enabled, it will produce an enormous amount of event log data
  5. Certificate infrastructure is to be enabled for the domain
  6. SSL certificates are to be installed on all domain systems
  7. The HTTP port used by PS should be disabled after the deployment of SSL certificates
  8. Ensure every system on the network is installed with an upgraded version of Windows PS
  9. Limit the firewall to open only the two ports used by PS Remoting. If SSL is used, only one port should be opened.
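The following is an added example, not part of the original notes: it implements recommendations 1 and 3 through the policy registry keys that Group Policy itself writes (transcription to a central share, script block logging), then audits the WinRM listeners so recommendation 7 can be verified (only an HTTPS listener should remain once certificates are deployed). It assumes an elevated session and a placeholder UNC path for the transcript share.

```powershell
# Added example (not from the original notes): enforce transcription and script block
# logging through the PowerShell policy registry keys, then audit WinRM listeners.
# Assumptions: elevated session; the transcript share path is a placeholder whose
# ACL allows write/append for endpoints and delete only for the log collector.
$transcriptShare = '\\LOGSRV\PSTranscripts$'   # placeholder UNC path

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $transcriptShare -Type String

New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Listener audit: each listener under WSMan:\localhost\Listener exposes Transport,
# Port and CertificateThumbprint as child items.
function Get-WinRmListenerReport {
    Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem -Path $_.PSPath
        [pscustomobject]@{
            Name       = $_.Name
            Transport  = ($props | Where-Object Name -eq 'Transport').Value
            Port       = ($props | Where-Object Name -eq 'Port').Value
            Thumbprint = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
        }
    }
}

$listeners = Get-WinRmListenerReport
$listeners | Format-Table -AutoSize
if ($listeners | Where-Object Transport -eq 'HTTP') {
    Write-Warning 'An HTTP (5985) listener is still present; remove it once the HTTPS (5986) listener is confirmed working.'
}
```

Script block logging writes event ID 4104 to the Microsoft-Windows-PowerShell/Operational log; forward that log to the SIEM alongside the transcripts, because an attacker with local admin can clear the local event log but not the copy already shipped.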

Securing Remote Desktop Protocol (RDP)

Remote Desktop Protocol (RDP) enables encrypted remote connections between systems over TCP on port number 3389.

When an RDP connection is established between the systems, it uses a tunneling mechanism to encrypt the data.

The encryption is done between the client and the server only, but not for the authentication of the terminal server

Attackers can exploit the vulnerability in the encryption method of RDP.

If attacker is able to guess the authentication details, they can perform Man-in-the-Middle (MITM) attack to sniff data transfer between the client and the server.

RDP Security Best Practices:

  1. Limit the users who can log in using remote desktop
  2. Restrict access by implementing firewalls (scoping)
  3. Use strong passwords
  4. Implement RDP gateways (never expose RDP to the Internet directly; require a VPN)
  5. Enable Network Level Authentication

Limit the number of RDP users

By default, all users with administrative rights can login into the remote desktop

Security Settings\Local Policy\User Rights Assignment\Allow log on through Remote Desktop Services

Scoping RDP Firewall Rule

Restrict access to RDP using firewall

Scoping should be implemented to restrict access to a particular port to a single IP address or group of IP addresses

Scoping will restrict access to IPs not within scope
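The following is an added example, not part of the original notes: it scopes the built-in Remote Desktop firewall rules to a management subnet and then reads back the address filter to confirm the scope took effect. The subnet and the function name are placeholders chosen for this example; the display group name "Remote Desktop" is the one Windows uses for its inbox RDP rules.

```powershell
# Added example (not from the original notes): scope the inbox Remote Desktop firewall
# rules to a management subnet and verify. Assumptions: elevated session; the subnet
# is a placeholder for the jump-host / admin network.
function Set-RdpFirewallScope {
    param([string[]]$AllowedRemoteAddress = @('10.10.0.0/24'))   # placeholder subnet

    # Inbox RDP rules (TCP 3389 and UDP 3389) live in the "Remote Desktop" display group.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
    $rules | Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress -Enabled True -Profile Domain, Private

    # Read the address filter back; anything still showing "Any" is unscoped.
    foreach ($r in $rules) {
        $filter = $r | Get-NetFirewallAddressFilter
        $port   = $r | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $r.DisplayName
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($filter.RemoteAddress -join ',')
            Scoped        = ($filter.RemoteAddress -notcontains 'Any')
        }
    }
}
Set-RdpFirewallScope | Format-Table -AutoSize
```

Scoping only the firewall rule leaves the listener itself unchanged, so combine it with the user-rights restriction above: the firewall decides who can reach port 3389, the "Allow log on through Remote Desktop Services" right decides who can authenticate once they do.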

Implementing RDP Gateways

RDP gateways are implemented to strictly restrict access to the RDP ports while still supporting connections through a single gateway.

When an external source tries to access a private network through Remote Desktop Connection, the RDP gateway is used to provide a secure connection.

Through the gateway, RDP is tunneled over HTTPS on port 443

Enable Network Level Authentication (NLA) on the RDP Server and Client.

NLA is performed by the RDP server and RDP client even before the session between the client and the server is established.

NLA is implemented to send the user credentials securely from the client side using a security support provider on the client, and it makes the user authenticate before the session is started.

Enable NLA using Windows PowerShell

(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "test" -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)

Getting NLA information

(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "test" -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired
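The following is an added example, not part of the original notes: it generalizes the two one-liners above into a CIM-based audit that reports, and optionally enforces, NLA across a list of hosts, and also reads the SecurityLayer value of the same class (0 = RDP security layer, 1 = Negotiate, 2 = TLS) because NLA on its own does not guarantee the session is protected by TLS. The host names and function name are placeholders.

```powershell
# Added example (not from the original notes): audit and enforce NLA on several hosts
# using CIM (Get-CimInstance / Invoke-CimMethod) rather than the WMI one-liners.
# Assumptions: WinRM reachable on the targets; host names are placeholders.
function Set-RdpNlaRequired {
    param(
        [string[]]$ComputerName,
        [switch]$Enforce
    )
    foreach ($c in $ComputerName) {
        $args = @{
            ComputerName = $c
            Namespace    = 'root\cimv2\terminalservices'
            ClassName    = 'Win32_TSGeneralSetting'
            Filter       = "TerminalName='RDP-Tcp'"
            ErrorAction  = 'Stop'
        }
        try {
            $ts     = Get-CimInstance @args
            $before = $ts.UserAuthenticationRequired
            if ($Enforce -and $before -ne 1) {
                # Same method the WMI one-liner calls; parameter name comes from the class definition.
                Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                    -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
                $ts = Get-CimInstance @args   # re-read to report the live value
            }
            [pscustomobject]@{
                ComputerName  = $c
                NlaBefore     = $before
                NlaAfter      = $ts.UserAuthenticationRequired
                SecurityLayer = $ts.SecurityLayer      # 2 = TLS is the value to aim for
                Error         = $null
            }
        } catch {
            [pscustomobject]@{ ComputerName = $c; NlaBefore = $null; NlaAfter = $null; SecurityLayer = $null; Error = $_.Exception.Message }
        }
    }
}
Set-RdpNlaRequired -ComputerName 'SRV01', 'SRV02' -Enforce | Format-Table -AutoSize
```

Run it first without -Enforce to get a baseline; hosts that report an error are usually the ones with WinRM blocked, which is itself a finding worth following up.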

Protecting Credentials over RDP

Remote Credential Guard is a feature used to protect user credentials over a remote desktop connection

This protects the credentials by redirecting Kerberos requests back to the device that is requesting the connection

Remote Credential Guard will be active only when the host supports it and when enabled; connection to the other systems is done using SSO.

Restrict delegation of credentials to remote servers – Prefer Remote Credential Guard

Managing DNSSEC for a Domain Name

DNSSEC adds a layer of security to domain names by adding digital signatures to their Domain Name System (DNS) information.

Delegation signer (DS) data contains the digital signature information for the respective domain name's DNS.

Depending upon the domain name's extension, one or more DS records are used at one time.

DNSSEC guarantees:

Authenticity

Integrity

The non-existence of a domain name or type

DNSSEC does not guarantee:

Confidentiality

Protection against Denial of Service (DoS)

Securing DNS with DNSSEC

DNS is a distributed hierarchic database that maps URLs to IP addresses

To protect against DNS threats such as cache poisoning attacks and DNS spoofing, Domain Name System Security Extensions (DNSSEC) provides a key with the response given by the DNS server

The validator checks whether the public key and private key are the same by checking them against the data sent by the corresponding top-level domain (TLD) and root servers.

If the keys match, then it confirms that the DNS data was not tampered with in transit.
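The following is an added example, not part of the original notes: a small audit that queries names with the DNSSEC OK bit set (Resolve-DnsName -DnssecOk) and reports whether RRSIG records came back with the answer, which is the observable sign that the zone is signed and the resolver is passing signatures through. The resolver address and the test names are placeholders.

```powershell
# Added example (not from the original notes): check which names resolve with
# DNSSEC signatures. Assumptions: outbound DNS is allowed; the resolver address
# and names are placeholders.
function Test-DnssecSigned {
    param(
        [string[]]$Name,
        [string]$Server = '9.9.9.9'   # placeholder: a DNSSEC-validating resolver
    )
    foreach ($n in $Name) {
        try {
            # -DnssecOk sets the DO bit so the resolver includes RRSIG records in the answer.
            $answer = Resolve-DnsName -Name $n -Type A -Server $Server -DnssecOk -ErrorAction Stop
            $rrsig  = @($answer | Where-Object { $_.Type -eq 'RRSIG' })
            $a      = @($answer | Where-Object { $_.Type -eq 'A' })
            [pscustomobject]@{
                Name      = $n
                Addresses = (($a | ForEach-Object IPAddress) -join ',')
                Signed    = ($rrsig.Count -gt 0)
                Status    = if ($rrsig.Count -gt 0) { 'RRSIG present' } else { 'unsigned zone, or signatures stripped upstream' }
            }
        } catch {
            # A validating resolver answers SERVFAIL for a zone whose signatures do not validate,
            # which surfaces here as a failed lookup rather than a wrong address.
            [pscustomobject]@{ Name = $n; Addresses = $null; Signed = $false; Status = "lookup failed: $($_.Exception.Message)" }
        }
    }
}
Test-DnssecSigned -Name 'example.com', 'example.org' | Format-Table -AutoSize
```

Compare the output against a non-validating resolver (for example the local DNS server before DNSSEC validation is enabled on it): a name that resolves on one and fails on the other is a validation failure, not an outage.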

List of how to set up DNSSEC for major hosting and DNS providers

AD

AWS

Azure

Cloudflare

GoDaddy

Google

How Does DNSSEC Protect Internet Users

DNSSEC is designed to shield Internet users from forged DNS data, such as a deceptive or malicious address returned instead of the genuine address that was requested.

Difference between Non-aware and DNSSEC-aware lookups

Non-DNSSEC-Aware lookups

The URL request goes out toward the Internet and accepts the first response it receives

A malicious Internet user can intercept the request and send back incorrect information

The response received points to an undesired Internet site where personal data can be compromised

DNSSEC-Aware lookups

These DNS lookups travel toward the domain name registry and obtain a copy of the digital signature that is being used by the URL.

The browser cannot display the site unless the address response also includes a matching digital signature

This way, users cannot be redirected to a bogus location that they did not request.

Monitor DNS logs for security threats

Almost every connection query that a machine makes will be a DNS query request

If the systems present in the domain use Windows Server, then the requests made by the users can be monitored

Suspicious connection requests can be detected by monitoring DNS logs

To enable DNS monitoring:

  1. Open DNS Management Console
  2. Right click and select properties
  3. Click Debug Logging Tab
  4. Check the checkbox Log packets for debugging
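The following is an added example, not part of the original notes: it turns on DNS Server packet logging with Set-DnsServerDiagnostics (the cmdlet equivalent of the console steps above) and then shows the kind of detection the resulting debug log makes possible: a parser that rebuilds the dotted query name from the log's (len)label(len)label(0) notation and flags unusually long labels or names, a common indicator of DNS tunnelling or DGA traffic. The log path is a placeholder and the two log lines are constructed for the example.

```powershell
# Added example (not from the original notes): enable DNS debug logging, then flag
# oversized query names in the log. The log path is a placeholder; the sample lines
# below are constructed for this example.
Set-DnsServerDiagnostics -Queries $true -Answers $true -ReceivePackets $true -SendPackets $true `
    -UdpPackets $true -TcpPackets $true -EnableLoggingToFile $true `
    -LogFilePath 'C:\DnsLogs\dns.log' -MaxMBFileSize 500

function ConvertFrom-DnsDebugLine {
    param([string]$Line)
    # The debug log writes names as (len)label(len)label(0); rebuild the dotted form.
    $pattern = '^(?<ts>\S+ \S+ \S+) .* (?<proto>UDP|TCP) (?<dir>Rcv|Snd) (?<ip>\S+)\s+\S+\s+(?<qr>Q|R) \[[^\]]*\] (?<type>\S+)\s+(?<name>(?:\(\d+\)[^(]*)+\(0\))'
    if ($Line -match $pattern) {
        $labels = @([regex]::Matches($Matches.name, '\((\d+)\)([^(]*)') |
            Where-Object { $_.Groups[1].Value -ne '0' } |
            ForEach-Object { $_.Groups[2].Value })
        [pscustomobject]@{
            Time   = $Matches.ts
            Client = $Matches.ip
            Dir    = $Matches.dir
            Type   = $Matches.type
            Name   = ($labels -join '.')
            Labels = $labels
        }
    }
}

function Find-SuspiciousDnsQueries {
    param([string[]]$Lines, [int]$MaxLabelLength = 40, [int]$MaxNameLength = 120)
    foreach ($l in $Lines) {
        $q = ConvertFrom-DnsDebugLine -Line $l
        if (-not $q -or $q.Dir -ne 'Rcv') { continue }   # only queries received from clients
        $longest = ($q.Labels | ForEach-Object Length | Measure-Object -Maximum).Maximum
        if ($longest -gt $MaxLabelLength -or $q.Name.Length -gt $MaxNameLength) {
            $q | Add-Member -NotePropertyName Reason -PassThru `
                -NotePropertyValue "longest label $longest chars, name $($q.Name.Length) chars"
        }
    }
}

# Constructed sample: one ordinary lookup and one TXT query with a 48-character first label.
$longLabel = 'c0ffee' * 8
$sample = @(
    '4/10/2024 10:15:02 AM 0C84 PACKET  000000E5A1B2C3D0 UDP Rcv 10.0.0.5        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)',
    "4/10/2024 10:15:03 AM 0C84 PACKET  000000E5A1B2C3D8 UDP Rcv 10.0.0.7        0003   Q [0001   D   NOERROR] TXT    ($($longLabel.Length))$longLabel(4)tun0(11)bad-example(3)net(0)"
)
Find-SuspiciousDnsQueries -Lines $sample | Select-Object Time, Client, Type, Name, Reason | Format-List
```

Packet logging is verbose; rotate the file (MaxMBFileSize) and ship it to the SIEM rather than reading it on the server, and tune the thresholds against a week of normal traffic before alerting on them.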

Disable SMB 1.0

It is recommended that SMB 1.0 be disabled and that the later versions of SMB, which have enhanced security features, be used.

Disabling SMB 1.0 using PS

Type the following command to disable SMB 1.0

For Windows Servers:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

For Windows 10:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Disabling SMB 1.0 Using Windows Registry

Navigate to :

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

The DWORD value SMB1 should not be present or should have a value of 0

SMB 1.0 can also be disabled from Control Panel, under Turn Windows features on or off

Enable SMB Encryption

SMB encryption provides end-to-end encryption of SMB data and protects data from man-in-the-middle attacks on untrusted networks

SMB encryption can be enabled for the entire file server or only for specific file shares

Advanced Encryption Standard (AES)-CCM algorithm is used to encrypt and decrypt the data in SMB encryption.

Enable SMB Encryption with Windows PowerShell

Execute the following commands to enable SMB encryption

Encrypt individual file share:

Set-SmbShare -Name <ShareNameHere> -EncryptData $true

Encrypt the entire file server

Set-SmbServerConfiguration -EncryptData $true

Create a new SMB file share with SMB encryption enabled

New-SmbShare -Name <ShareNameHere> -Path <PathNameHere> -EncryptData $true

Enable SMB 3.0

Set-SmbServerConfiguration -MaxChannelPerSession 32 -Force
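The following is an added example, not part of the original notes, that serves both the "Disable SMB 1.0" and "Enable SMB Encryption" sections: one report that shows whether SMB1 is still enabled (server setting and optional feature), which shares are still unencrypted, and whether any live sessions are negotiating a pre-3.0 dialect, plus an enforce function that applies the settings from the commands above in one call. Function names are assumptions for this example.

```powershell
# Added example (not from the original notes): audit and enforce the SMB settings
# from the two sections above. Assumption: run elevated on the file server.
function Get-SmbHardeningReport {
    $srv      = Get-SmbServerConfiguration
    $feat     = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $shares   = Get-SmbShare | Where-Object { $_.Name -ne 'IPC$' }
    $sessions = @(Get-SmbSession -ErrorAction SilentlyContinue)

    # Dialect is reported as a string such as "2.1" or "3.1.1"; compare as a version.
    $legacy = @($sessions | Where-Object { [version]$_.Dialect -lt [version]'3.0' })

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Smb1ServerEnabled     = $srv.EnableSMB1Protocol
        Smb1FeatureState      = if ($feat) { $feat.State } else { 'n/a' }
        EncryptAllShares      = $srv.EncryptData
        RejectUnencrypted     = $srv.RejectUnencryptedAccess
        UnencryptedShares     = (@($shares | Where-Object { -not $_.EncryptData } | ForEach-Object Name) -join ', ')
        LegacyDialectSessions = (@($legacy | ForEach-Object { "$($_.ClientComputerName) ($($_.Dialect))" }) -join ', ')
    }
}

function Set-SmbHardened {
    # Disable SMB1 and require encryption server-wide; RejectUnencryptedAccess makes
    # the requirement mandatory instead of best-effort for clients that cannot encrypt.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -EncryptData $true -RejectUnencryptedAccess $true -Force
    Get-SmbHardeningReport
}

Get-SmbHardeningReport | Format-List
```

Check LegacyDialectSessions before calling Set-SmbHardened: any client listed there (SMB 2.x cannot encrypt) will lose access once RejectUnencryptedAccess is on, so those clients need upgrading first rather than the setting being relaxed.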

Application Patch Management Solutions and Tools

SolarWinds Patch Manager – solarwinds.com

Kaseya Patch Management Software – kanseya.com

Ivanti Patch – ivanti.com

IBM BigFix – ibm.com

LANDESK Patch Manager – ivanti.com

Flexera Corporate Software Inspector – flexera.com

Verismic CMD Patch Manager – cloudmanagementsuite.com

Shavlik Protect – ivanti.com

Disk Encryption: Implementing Built-in Disk Encryption for Windows

  1. Enabling Device Encryption: go to Start > Settings > Update & Security > Device Encryption and click the Turn on device encryption option.
  2. Enabling Standard BitLocker Encryption: sign in with an Administrator account. Select the Start button, choose Control Panel, and then click System and Security. Select Turn on BitLocker.

File Level Encryption: Implementing Built-in File System-level Encryption on Windows

cipher /e "c:\test\sample.txt"
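The following is an added example, not part of the original notes, covering both built-in options above: it enables BitLocker on the OS volume with a TPM protector, adds a recovery password and escrows it to Active Directory (the step most often missed, and the one that turns a failed TPM into a data-loss event), then EFS-encrypts a folder with cipher, verifies the Encrypted attribute, and backs up the EFS certificate. It assumes an elevated session on a domain-joined machine with a TPM, and placeholder paths.

```powershell
# Added example (not from the original notes): BitLocker with recovery-key escrow,
# plus EFS on a folder with verification and certificate backup. Assumptions:
# elevated session, TPM present, domain-joined (for AD escrow), placeholder paths.
function Enable-OsVolumeBitLocker {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # XTS-AES 256 with the TPM as the unlock protector; used-space-only is fine for new machines.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }
    # Add a recovery password and escrow it to AD before relying on the TPM alone.
    $vol  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = (($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', ')
    }
}

function Protect-FolderWithEfs {
    param([string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # /e marks the folder encrypted, /s: applies it to everything beneath it;
    # files created in the folder later inherit the encryption.
    cipher /e /s:$Folder | Out-Null
    $attrs = (Get-Item -Path $Folder).Attributes
    [pscustomobject]@{
        Folder    = $Folder
        Encrypted = (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
    }
}

Enable-OsVolumeBitLocker | Format-List
Protect-FolderWithEfs -Folder 'C:\Users\alice\Documents\Sensitive' | Format-List   # placeholder path

# Back up the EFS certificate and private key (prompts for a password, writes a .pfx);
# without it the files cannot be recovered after a profile or machine loss.
cipher /x "$env:USERPROFILE\efs-backup"
```

Store the .pfx and the BitLocker recovery password somewhere other than the encrypted volume itself; if either lives only on the disk it protects, the protection and the recovery path fail together.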

Third-party File Encryption Tools

AxCrypt

idoo file encryption – idooencryption.com

cryptomator – cryptomator.org

encrypto – macpaw.com

aes crypt – aescrypt.com

flashcrypt – flashcrypt.en.softonic.com

boxcryptor – boxcryptor.com

DLP Solution: MyDLP

MyDLP is a free and open source solution that allows organizations to secure confidential data

The supported data inspection channels include web, email, instant messaging, printers, removable storage device, screenshots, etc.

Scan and rebuild system health

DISM /Online /Cleanup-Image /CheckHealth

DISM /Online /Cleanup-Image /ScanHealth

DISM /Online /Cleanup-Image /RestoreHealth

sfc /scannow

Summary

A Windows security baseline is a group of Microsoft-recommended configuration settings for securing Windows.

Unpatched OS, improper configurations, weak passwords, lack of anti-malware software, leaving unnecessary services and processes enabled, etc. can provide a path to attackers to compromise security of Windows systems.

Patch management ensures appropriate and updated patches are installed on the system.

Restricted permissions for endpoint users should be created to reduce the risks of PS Remoting

DNSSEC adds a layer of security to your domain names by adding digital signatures to their DNS information

Disable SMB 1.0 and enable SMB encryption.

Discuss Windows network services and protocol security