Understanding Windows OS and Security Concerns
Discuss Windows Security Components
Discuss various Windows Security Features
Discuss Windows Security baseline configurations
Discuss Windows user account and password management
Discuss Windows Patch Management
Discuss User access management
Windows OS security hardening techniques
Discuss Windows active directory security best practices
Discuss Windows network services and protocol security
Understanding Windows OS and Security Concerns
Windows Architecture includes user mode and kernel mode
A Windows system works in two different modes of operation:
User mode has limited access to resources
Kernel mode has unrestricted access to system memory and external devices
Windows OS provides various built-in security features, tools and technologies that allow users to secure their system from different types of threats and vulnerabilities
However, Windows security is still a concern for organizations: attackers have exploited a number of security vulnerabilities in Windows OS in recent times, and new vulnerabilities are exposed day by day
An unpatched OS, improper configurations, weak passwords, lack of anti-malware software, leaving unnecessary services and processes enabled, etc. can provide a path for attackers to compromise Windows system security.
Discuss Windows Security Components
Windows Security Components
The Windows security model is a collection of user-mode and kernel-mode processes for monitoring and managing the various OS security components.
List of core components of Windows Security
Security Reference Monitor (SRM)
Local Security Authority Subsystem (LSASS)
LSASS policy database
Security Accounts Manager (SAM)
SAM database
Active Directory (AD)
Authentication packages
Windows logon application (Winlogon)
Logon user interface (LogonUI)
Credential providers (CPs)
Network logon services (Netlogon)
Kernel Security Device Driver (KsecDD)
Security Reference Monitor (SRM)
SRM is responsible for controlling access of user (subject) to a resource (object).
SRM checks the privileges of the user in the access control list of the authorization database before granting or denying permissions to the subject.
SRM is a kernel component and has unrestricted level of access, which lets it log security events throughout the system for auditing.
Security Reference Monitor is a component in the Windows executive (%SystemRoot%\System32\ntoskrnl.exe)
Local Security Authority Subsystem (LSASS)
Local Security Authority Subsystem (LSASS) is a user-mode process (\Windows\System32\lsass.exe)
It is responsible for implementing local security policies for privileges granted to users and groups, system security auditing settings, user authentication, and sending security audit messages to the Event Log.
It issues security tokens to accounts and is a key component of the logon process.
The LSASS policy database consists of the local system security policy settings
LSASS has the following three services running inside it: Security Accounts Manager (SAM), Credential Manager, and CNG Key Isolation
The LSASS policy database is stored in the registry under HKLM\SECURITY
Security Account Manager (SAM)
SAM is a service responsible for managing the database containing the user names and groups defined on the local machine.
The SAM service (%SystemRoot%\System32\samsrv.dll) is loaded into the LSASS process.
SAM Database
The SAM is a database that stores the hashed logon credentials of local user and group accounts.
The SAM database is stored on disk as the registry hive file %SystemRoot%\System32\config\SAM and is loaded in the registry under HKLM\SAM\SAM
NTLM and NTLMv2 hashes are stored in the SAM
Active Directory (AD)
AD is the Windows directory service used to manage permissions and access to networked resources in Windows domain networks
AD is a hierarchical structure that stores information about objects on the network
AD stores data as objects such as user, group, application or device
Container Objects
These objects can contain other objects inside them, and we can make a collection from them. For example: sites, domains, organizational units
Leaf Objects
These objects cannot contain other objects inside them. For example: users, computers, printers, etc.
Authentication Packages
Authentication packages are DLLs that run in the context of the LSASS process and are used to implement the Windows authentication policy
Example: kerberos.dll
Interactive Logon Manager (Winlogon)
Winlogon is a user-mode process and is responsible for managing interactive user logon sessions
Windows logon is an application that is activated when the system is switched on and runs in the background.
Location of winlogon.exe: %SystemRoot%\System32\winlogon.exe
Credential Providers (CPs)
CPs are in-process COM objects that run in the LogonUI process
CPs are used to extract username and password, smartcard PIN, or biometric data (such as a fingerprint)
The standard CPs are:
%SystemRoot%\System32\authui.dll
%SystemRoot%\System32\SmartcardCredentialProvider.dll
Network Logon Service (NetLogon)
NetLogon is a user-mode process and is responsible for authenticating users and services within a domain
NetLogon is a dynamic link library that runs as a service continuously in the background
NetLogon is also used for AD logons
Location of netlogon.dll: %SystemRoot%\System32\netlogon.dll
Kernel Security Device Driver (KSecDD)
Kernel Security Device Driver (KSecDD) is a kernel-mode library of functions used by kernel-mode security components; it uses advanced local procedure call (ALPC) to communicate with LSASS in user mode
Location of KSecDD:
%SystemRoot%\System32\Drivers\ksecdd.sys
Discuss various Windows Security Features
Windows Object Protection
Windows objects are assigned security descriptors to control access
The Windows kernel Object Manager is responsible for managing the securable objects
Securable Objects
Files/directories on an NTFS file system
Named or anonymous pipes
Processes/threads
File-mapping objects
Access tokens
Windows-management objects
Registry keys
Windows services
Local or remote printer
Network share
Interprocess synchronization objects
Job objects
Directory service objects
WinObj (Sysinternals) can be used to browse these objects
Windows Access Checks
An access check is the decision to allow or deny a subject (user/process) access to a securable object, made by comparing the information in the user's access token with the access control entries (ACEs) in the object's security descriptor
An access token is a kernel object attached to a process which describes the security context of a process or thread.
It is used to identify the user when a process attempts to access a securable object
List of Known SIDs
SID – Group – Description
S-1-0-0 – Nobody – Used when the SID is unknown
S-1-1-0 – Everyone – Group including all users except anonymous users
S-1-2-0 – Local – Users logging on at a terminal locally connected to the system
S-1-3-0 – Creator Owner ID – Security identifier to be replaced by the security identifier of the user who created a new object
S-1-3-1 – Creator Group ID – Security identifier to be replaced by the primary-group SID of the user who created a new object
S-1-9-0 – Resource Manager – Used by third-party applications performing their own security on internal data, for example Microsoft Exchange
Access Token Contains:
User account SID (Security Identifier)
SIDs for the groups of which the user is a member
Logon SID to identify the current logon session
List of privileges (user or group based)
Owner SID
SID for the primary group
Default DACL for new securable objects created without a security descriptor
Source of the access token
Flag indicating if primary or impersonation token
Optional list of restricted SIDs
Current impersonation levels
Other statistics
Windows Access Checks: Security Identifier (SID)
Security Identifier (SID) is a unique value of variable length to identify a security principal or security group
View the SID of a user or group to troubleshoot user or object access issues across domain systems
View the SID with the Sysinternals PsGetSid tool:
PsGetSid domain\user
View the SIDs of all users using CMD (wmic is deprecated in recent Windows builds but still works where present):
wmic useraccount get name,sid
View the SIDs of all users using PowerShell:
Get-WmiObject win32_useraccount | Select name,sid
View the SIDs of users that have a profile on the machine in the Windows registry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Each subkey under the ProfileList key is named after a SID
Its ProfileImagePath value contains the profile path, and so the username, corresponding to the SID
Windows Integrity Control
Windows Integrity Control (WIC)/Mandatory Integrity Control (MIC) is an access control mechanism for controlling the interactions between objects based on their integrity, or level of trustworthiness.
The integrity levels are assigned by the operating system and override the discretionary permissions to protect the computer system
The integrity level is determined based on the presence of specific groups in the TOKEN_GROUPS structure
Integrity levels of objects:
Untrusted
Low
Medium
High
System
Installer
Group – SID – Integrity Level
Local System – S-1-5-18 – System
Local Service – S-1-5-19 – System
Network Service – S-1-5-20 – System
Administrators – S-1-5-21-500 – High
Backup Operators – S-1-5-32-551 – High
Network Configuration Operators – S-1-5-32-556 – High
Cryptographic Operators – S-1-5-32-569 – High
Authenticated Users – S-1-5-11 – Medium
Everyone – S-1-1-0 – Low
Anonymous – S-1-5-7 – Untrusted
Windows Integrity Control
Viewing integrity levels:
Tools such as Process Explorer from Sysinternals can show the integrity level of each process running on the system
The integrity level of cmd.exe is Medium when it is started by a normal authenticated user
The integrity level of cmd.exe is High when it is started with administrative privileges
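The SID and integrity-level material above, as an added PowerShell example that is not part of the original notes: it resolves account names to SIDs, walks the ProfileList key, and reads the mandatory-label SID (S-1-16-*) from the current token to derive its integrity level. It assumes Windows PowerShell 5.1 and whoami.exe on the machine.

```powershell
# Added example (not from the original notes): resolve account SIDs, list the SIDs
# that have profiles on this machine, and read the current token's integrity level.
# Assumes Windows PowerShell 5.1 on a machine where whoami.exe is available.

# Well-known SIDs from the tables above plus the mandatory-label RIDs: the last
# sub-authority of an S-1-16-* SID encodes the integrity level.
$WellKnownSids = @{
    'S-1-0-0'      = 'Nobody'
    'S-1-1-0'      = 'Everyone'
    'S-1-2-0'      = 'Local'
    'S-1-3-0'      = 'Creator Owner ID'
    'S-1-3-1'      = 'Creator Group ID'
    'S-1-5-7'      = 'Anonymous'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-18'     = 'Local System'
    'S-1-5-19'     = 'Local Service'
    'S-1-5-20'     = 'Network Service'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-9-0'      = 'Resource Manager'
}
$IntegrityLevels = @{
    0     = 'Untrusted'
    4096  = 'Low'
    8192  = 'Medium'
    12288 = 'High'
    16384 = 'System'
    20480 = 'Protected process (the level the notes above list as Installer)'
}

function Resolve-AccountSid {
    # Translate an account name ('bob' or 'DOMAIN\bob') to its SID and RID.
    param([Parameter(Mandatory)][string]$Account)
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($Account)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        [pscustomobject]@{ Account = $Account; SID = $sid; RID = [int]$sid.Split('-')[-1] }
    } catch {
        Write-Warning "Could not resolve '$Account': $($_.Exception.Message)"
    }
}

function Get-ProfileListSids {
    # Mirrors the ProfileList lookup from the notes: each subkey name is a SID and
    # ProfileImagePath points at that user's profile folder.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key | ForEach-Object {
        $sid = $_.PSChildName
        [pscustomobject]@{
            SID         = $sid
            Profile     = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            WellKnownAs = if ($WellKnownSids.ContainsKey($sid)) { $WellKnownSids[$sid] } else { '' }
        }
    }
}

function Get-CurrentIntegrityLevel {
    # whoami /groups lists the token groups including the mandatory label (S-1-16-*),
    # which is the TOKEN_GROUPS entry the kernel uses to derive the integrity level.
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $label = $rows | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $label) { return 'Unknown' }
    $rid = [int]$label.SID.Split('-')[-1]
    if ($IntegrityLevels.ContainsKey($rid)) { $IntegrityLevels[$rid] } else { "Unknown (RID $rid)" }
}

function Test-IsElevated {
    # cmd.exe and this shell run at Medium for a normal user and at High when elevated.
    (Get-CurrentIntegrityLevel) -in @('High', 'System')
}

Resolve-AccountSid -Account $env:USERNAME | Format-Table -AutoSize
Get-ProfileListSids | Format-Table -AutoSize
"Current token integrity level: $(Get-CurrentIntegrityLevel) (elevated: $(Test-IsElevated))"
```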
Virtual Service Accounts
Virtual service accounts are a special type of account that enhances the security isolation and access control of Windows services.
With a virtual service account, each service runs under its own account with its own security ID
The name of the account is "NT SERVICE\" followed by the internal name of the service
Virtual service account passwords are set and periodically changed by Windows automatically
Use the sc (Service Control) tool to create a service that runs under a virtual service account (sc requires a space after each "=", and the account name must match the service name):
sc create TestService obj= "NT SERVICE\TestService" binPath= "C:\demo\test.exe"
Secure File Sharing
Files are commonly shared in an organization. If unprotected files are shared on the network, unauthorized users or attackers can access them.
Secure file sharing is implemented in the network by restricting access for users without the required privileges
Assign the right permissions and enable password-protected sharing
Grant access permissions on a shared folder using CMD:
net share SharedFolder=C:\SharedFiles /GRANT:Bob,READ
Grant access permissions on a shared folder using PowerShell:
Grant-SmbShareAccess -Name SharedFolder -AccountName Bob -AccessRight Read
Revoke the access permissions of Everyone on a shared folder using PowerShell:
Revoke-SmbShareAccess -Name SharedFolder -AccountName Everyone
Security Auditing
Security Auditing helps enhance security by identifying attacks (successful or not) that pose a threat to the network
Windows security auditing can be enabled using:
Group Policy Objects (AD environments)
Local Security Policy (single computer)
Security Audit Events Categories
Audit account logon events
Audit account management
Audit directory services access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Example: retrieve the most recent failed logon event (ID 4625) from the Security log of a remote computer using PowerShell:
Get-WinEvent -ComputerName 'pcname1' -MaxEvents 1 -LogName 'Security' -FilterXPath '*[System[EventID=4625]]' | Select-Object -ExpandProperty Message
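Detection logic for the "Audit logon events" category, as an added PowerShell example that is not part of the original notes: it parses event 4625 records, groups failures by source address and account, and flags bursts. The sample records are constructed for this example; the last function runs the same logic over the live Security log.

```powershell
# Added example (not from the original notes): detection logic for the "Audit logon
# events" category. It parses event 4625 (failed logon) records, groups failures by
# source address and target account, and flags bursts that exceed a threshold inside
# a time window. The sample records are constructed for this example; the last
# function runs the same logic over the live Security log of one host.

function New-SampleFailedLogon {
    # Constructed 4625 record in the shape Get-WinEvent's ToXml() returns (trimmed).
    param([string]$User, [string]$Ip, [datetime]$Time)
    $stamp = $Time.ToUniversalTime().ToString('o')
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="$stamp"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="IpAddress">$Ip</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="Status">0xc000006d</Data>
  </EventData>
</Event>
"@
}

function ConvertFrom-FailedLogonXml {
    # Pull the fields that matter for detection out of one event's XML.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    if ([int]$x.Event.System.EventID -ne 4625) { return }
    $data = @{}
    foreach ($item in $x.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = [datetime]$x.Event.System.TimeCreated.SystemTime
        User      = $data['TargetUserName']
        Source    = $data['IpAddress']
        LogonType = $data['LogonType']
        Status    = $data['Status']
    }
}

function Find-FailedLogonBursts {
    # Report each (source, user) pair with at least $Threshold failures inside
    # any window of $WindowMinutes.
    param([object[]]$Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $Events | Group-Object -Property Source, User | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        for ($i = 0; ($i + $Threshold - 1) -lt $sorted.Count; $i++) {
            $span = $sorted[$i + $Threshold - 1].Time - $sorted[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Source    = $sorted[0].Source
                    User      = $sorted[0].User
                    Failures  = $sorted.Count
                    FirstSeen = $sorted[0].Time
                    LastSeen  = $sorted[-1].Time
                }
                break
            }
        }
    }
}

function Get-FailedLogonBurstsFromLog {
    # Same detection over the real Security log (needs rights to read it).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
                ForEach-Object { ConvertFrom-FailedLogonXml -EventXml $_.ToXml() })
    Find-FailedLogonBursts -Events $events
}

# Constructed sample: six failures for bob from one address within five minutes,
# and a single failure for alice from another address.
$t0 = [datetime]'2024-01-01T10:00:00Z'
$sample = @()
foreach ($minute in 0..5) { $sample += New-SampleFailedLogon -User 'bob' -Ip '10.0.0.25' -Time $t0.AddMinutes($minute) }
$sample += New-SampleFailedLogon -User 'alice' -Ip '10.0.0.40' -Time $t0.AddMinutes(3)
$parsed = $sample | ForEach-Object { ConvertFrom-FailedLogonXml -EventXml $_ }
Find-FailedLogonBursts -Events $parsed -Threshold 5 -WindowMinutes 10 | Format-Table -AutoSize
```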
Discuss Windows Security baseline configurations
A Windows security baseline is a group of Microsoft-recommended configuration settings for securing Windows
The security baseline is used to check that user and device configuration settings are compliant with the recommended values
The Security Compliance Toolkit (SCT) provides the security baselines that should be followed to secure Windows systems
Download and install the Security Compliance Toolkit (SCT) to view the security baseline configurations
Checking Windows Security Baseline Configuration Using Security Compliance Toolkit (SCT)
SCT is a set of tools that helps administrators analyze, test and edit Microsoft-recommended security configuration baselines for Windows.
The Security Compliance Toolkit includes:
Windows 10 security baselines
Windows Server security baselines
Microsoft Office security baselines
Tools
Policy Analyzer tool
Local Group Policy Object (LGPO) tool
Discuss Windows user account and password management
Set up different user accounts if a system is accessed by multiple users
Windows allows the setup of 3 types of user accounts for user management:
Administrator Account – Has full control and access to all files and folders in the system
Standard Account – Has limited access and users can access their own account files and folders
Guest Account – Has only read and write access. Users are not allowed to install new applications or make changes to existing applications
User Account Management: Disable Guest Account
The guest account in Windows can access the system without a password
Even though guest accounts are temporary, they need to be disabled to prevent misuse in the long run.
Can be done via GUI
CMD to check
net user guest | findstr /C:"active"
CMD to disable
net user guest /active:No
Disable inactive user accounts that have not been used for a long period of time
Remember to disable the user accounts of employees who have left the organization
Attackers can gain access to the system through compromised unused/inactive user accounts
CMD to get the status of a user:
net user bob
Disable unnecessary local administrator accounts
The local administrator account is often configured on different computers with a common password
If attackers know the SID of an administrator account, they can compromise the system even if the account name is changed
Enforce Password Policy
Secure all user accounts with a strong password management policy
Enabling "Password must meet complexity requirements" ensures that passwords follow a set of guidelines for creating a strong password
This helps in preventing brute-force attacks
Enabling the Password Must Meet Complexity Requirements for Domain Password Policy using PowerShell
Set-ADDefaultDomainPasswordPolicy -Identity domain.com -ComplexityEnabled $True
Get-ADDefaultDomainPasswordPolicy
If the maximum password age is set too high, a password stays valid for a long period of time. In that case, if an attacker obtains the password anyway, he/she may have enough time to gain unauthorized access with it.
Set the maximum password age value as low as possible
Set-ADDefaultDomainPasswordPolicy -Identity domain.com -MinPasswordLength 11
Get-ADDefaultDomainPasswordPolicy
Password Protection Using Credential Guard
Credential Guard secures logon credentials by restricting their interaction with the rest of the system
Credential Guard protects the LANMAN password hashes and Kerberos ticket-granting tickets (TGTs)
When Credential Guard is enabled, only privileged software can access the credentials
It protects against "pass-the-hash" attacks
Group Policy setting: Turn on Virtualization Based Security
Select Platform Security Level: Secure Boot and DMA Protection
Virtualization Based Protection of Code Integrity: Not Configured
Credential Guard Configuration: Enabled with UEFI lock
Discuss Windows Patch Management
Patch management ensures that the appropriate, up-to-date patches are installed on the system
It involves applying patches and service packs and/or upgrading Windows to a newer version
Use patch management tools to identify missing patches and install them on the system.
Patches are small programs which apply a fix to a specific vulnerability
Service packs fix vulnerabilities along with some functionality improvements
Version upgrades fix vulnerabilities and come with improved security features.
Patch Management Activities:
1. Choosing, verifying, testing, and applying patches
2. Updating previous version of patches to current ones.
3. Recording repositories or depots of patches for easy selection
4. Assigning and deploying applied patches
To apply patches to the operating system against security vulnerabilities and bugs, keep the system up to date by enabling automatic updates
Automatic updates check for important updates and install them automatically
Enabling Automatic Updates
Go to Start > Settings > Windows Update and select the option to install updates automatically
Enable Automatic Updates
Registry value: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions REG_DWORD 3
PowerShell (sc.exe is spelled out because sc on its own is a PowerShell alias for Set-Content):
sc.exe config wuauserv start= auto
CMD:
sc config wuauserv start= auto
Disable force system restarts
When a system receives an update, it may force a restart to install it
Employees' unsaved work can be lost if the system is force-restarted
Third-Party Patch Management Tools
You can use a third-party Windows update tool for remote patch management
Remote patch management involves planning, deciding on, and prioritizing updates to the OS, software, and devices within a network.
BatchPatch, PRTG Network Monitor, IBM BigFix, SolarWinds Patch Manager, ManageEngine Patch Manager Plus, SysAid Patch Management, Itarian Patch Management, etc., are some examples of third-party patch management tools
Restricting Access to Files and Folders
Assign appropriate permissions to individual users or groups of users on specific files or folders to restrict unauthorized access.
PowerShell (example: allow the local user bob read access to C:\test; note that the "ReadPermissions" right only allows reading the ACL, whereas "Read" grants read access to the folder itself):
$acl = Get-Acl C:\test
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("bob", "Read", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl C:\test
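The secure file sharing section and the folder-permission snippet above both rely on the same two layers: share permissions and the NTFS ACL. As an added PowerShell example that is not part of the original notes, the following builds a least-privilege share with a matching NTFS ACL and reports both. Folder path, share name and account names are placeholders.

```powershell
# Added example (not from the original notes): create a share with least-privilege
# share permissions and a matching NTFS ACL, using the FileSystemAccessRule approach
# shown above, then report both permission sets side by side. Folder path, share
# name and the account names passed in are placeholders for your own environment.

Import-Module SmbShare

function New-LeastPrivilegeShare {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ShareName,
        [string[]]$ReadAccounts   = @(),   # e.g. 'CONTOSO\FileReaders' (placeholder)
        [string[]]$ChangeAccounts = @()    # e.g. 'CONTOSO\bob' (placeholder)
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # 1. NTFS: stop inheriting from the parent, drop existing explicit ACEs, and add
    #    only what is needed. Rules propagate to subfolders and files.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { $null = $acl.RemoveAccessRule($old) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @{ Account = 'BUILTIN\Administrators'; Rights = 'FullControl' }
        @{ Account = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    )
    foreach ($a in $ReadAccounts)   { $rules += @{ Account = $a; Rights = 'ReadAndExecute' } }
    foreach ($a in $ChangeAccounts) { $rules += @{ Account = $a; Rights = 'Modify' } }
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Account, $r.Rights, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # 2. Share: no Everyone entry; administrators get Full, others only what was asked for.
    if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) { Remove-SmbShare -Name $ShareName -Force }
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'BUILTIN\Administrators' | Out-Null
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
    foreach ($a in $ReadAccounts)   { Grant-SmbShareAccess -Name $ShareName -AccountName $a -AccessRight Read   -Force | Out-Null }
    foreach ($a in $ChangeAccounts) { Grant-SmbShareAccess -Name $ShareName -AccountName $a -AccessRight Change -Force | Out-Null }
}

function Get-ShareAccessReport {
    # Effective access is the more restrictive of share and NTFS permissions, so
    # both are listed for review.
    param([Parameter(Mandatory)][string]$ShareName)
    $share = Get-SmbShare -Name $ShareName
    [pscustomobject]@{
        Share = $ShareName
        Path  = $share.Path
        SharePermissions = (Get-SmbShareAccess -Name $ShareName |
            ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join '; '
        NtfsPermissions  = ((Get-Acl -Path $share.Path).Access |
            ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
    }
}

# Placeholder values; run elevated.
New-LeastPrivilegeShare -Path 'C:\SharedFiles' -ShareName 'SharedFolder' `
    -ReadAccounts "$env:COMPUTERNAME\FileReaders" -ChangeAccounts "$env:COMPUTERNAME\bob"
Get-ShareAccessReport -ShareName 'SharedFolder' | Format-List
```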
Prevent Unauthorized Change in System
User Account Control (UAC) Setting for Administrator Account
The User Account Control setting ensures that specific changes are approved by an administrator
It prevents malware from modifying system security settings or disabling antivirus software
Users cannot access or modify the sensitive information of other users on shared computers
User Account Control (UAC) Settings for Non-Administrator Acc​ounts
When an application that requires elevation is executed from a non-administrator account, UAC restricts the user and asks for administrator credentials to execute the application
It prevents unauthorized execution of applications and programs from non-administrator accounts
Turn on User Account Control (UAC) using PowerShell
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -PropertyType DWord -Value 1 -Force
Disable Anonymous Security Identifiers Enumeration
If the "Do not allow anonymous enumeration of SAM accounts and shares" setting is disabled, insiders can identify the users and groups associated with a system by enumerating their SIDs
Ensure that this setting is enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Enabled
Moderating Access to Control Panel
A user with malicious intent who has access to the Control Panel can alter administrative settings with ease, which may impact system integrity
Disable unnecessary access to the Control Panel.
Prohibit access to Control Panel and PC settings
Control Access to Command Prompt
With Command Prompt commands, a user can access details about the drives and their paths, ASCII codes, the Windows version, registry files, etc.
Any modification to this information can lead to the breakdown of the whole operating system, after which the OS has to be reinstalled.
Disable unnecessary access to the Command Prompt
Prevent access to the command prompt
Enabled
Administrative Access Management Using Just Enough Administration (JEA)
Just Enough Administration (JEA) is used to limit the number of cmdlets or administrative privileges available to an account
A PowerShell role capability file is created to determine the privileges of specific accounts
A PS session configuration file is created to determine who is allowed to perform the tasks described in the PowerShell role capability file
Features:
Whenever a user enters a PS session that incorporates JEA, it uses a virtual account for that session alone
Reduces the attack vectors, as the credentials are not saved on the computer
Windows OS security hardening techniques
Setup BIOS Password
Setting up a BIOS password is the first protection layer of the computer
It helps you maintain OS security at a low level
Steps:
- Enter BIOS Setup Utility interface
- Select Security and set Supervisor Password. It will control the access to the setup utility
Prevent Windows from storing LAN Manager Hash
Windows generates LM hashes of passwords and stores them in the Security Accounts Manager (SAM)
LM hashes are weak in nature and can be brute-forced easily
Do not allow Windows to store LM hash values
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLmHash REG_DWORD 1
Network security: Do not store LAN Manager hash value on next password change
Enabled
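Several items in these hardening sections are single registry values: the NoLmHash value above, EnableLUA and the anonymous-enumeration setting from the "Prevent Unauthorized Change" section, the AUOptions value from the patch management section, and the NTLMv2-only and WDigest items in the AD best-practices list further on. As an added PowerShell example that is not part of the original notes, the following audits them in one pass and can set them. The expected values come from the notes where they give one; NoAutoRebootWithLoggedOnUsers, RestrictAnonymous, RestrictAnonymousSAM, LmCompatibilityLevel and UseLogonCredential are the standard value names behind those policies.

```powershell
# Added example (not from the original notes): audit, and optionally set, the registry
# values behind several hardening items in these notes. Expected values are taken
# from the notes where given (AUOptions 3, EnableLUA 1, NoLmHash 1); the other value
# names are the standard ones behind the corresponding policy settings.

$Baseline = @(
    @{ Name = 'Automatic updates (AUOptions=3)';            Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';         Value = 'AUOptions';                     Expected = 3 }
    @{ Name = 'No forced restart with logged-on users';     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';         Value = 'NoAutoRebootWithLoggedOnUsers'; Expected = 1 }
    @{ Name = 'User Account Control (EnableLUA)';           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';    Value = 'EnableLUA';                     Expected = 1 }
    @{ Name = 'No anonymous enumeration of SAM accounts';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Value = 'RestrictAnonymousSAM';          Expected = 1 }
    @{ Name = 'No anonymous enumeration of SAM and shares'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Value = 'RestrictAnonymous';             Expected = 1 }
    @{ Name = 'Do not store LM hash';                       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Value = 'NoLmHash';                      Expected = 1 }
    @{ Name = 'Send NTLMv2 only, refuse LM and NTLM';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Value = 'LmCompatibilityLevel';          Expected = 5 }
    @{ Name = 'WDigest plaintext credential caching off';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';   Value = 'UseLogonCredential';            Expected = 0 }
)

function Get-RegistryDword {
    # Returns the DWORD value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SecurityBaseline {
    # Audit every entry; with -Remediate (run elevated) missing or wrong values are set.
    # Caveat: on Windows 8.1 / Server 2012 R2 and later a missing UseLogonCredential
    # already means "off"; the explicit 0 simply makes the state unambiguous.
    param([switch]$Remediate)
    foreach ($entry in $Baseline) {
        $current = Get-RegistryDword -Path $entry.Path -Name $entry.Value
        $ok = ($current -eq $entry.Expected)
        if (-not $ok -and $Remediate) {
            if (-not (Test-Path $entry.Path)) { New-Item -Path $entry.Path -Force | Out-Null }
            New-ItemProperty -Path $entry.Path -Name $entry.Value -PropertyType DWord -Value $entry.Expected -Force | Out-Null
            $current = Get-RegistryDword -Path $entry.Path -Name $entry.Value
            $ok = ($current -eq $entry.Expected)
        }
        [pscustomobject]@{
            Setting  = $entry.Name
            Value    = $entry.Value
            Current  = if ($null -eq $current) { 'missing' } else { $current }
            Expected = $entry.Expected
            Status   = if ($ok) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-SecurityBaseline | Format-Table -AutoSize
# Test-SecurityBaseline -Remediate   # apply the expected values (elevated session)
```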
Restrict Software Installations
The security of the network may be compromised if an application from an untrusted source is installed.
Restricting users from installing applications on the system can prevent malware downloads from untrusted sources.
Prohibit User Installs
Enabled
Disable Unwanted Services
Attackers take advantage of security holes in services to break into a computer.
Disable the following services on any machine other than a server:
IIS
FTP
SQL server
Proxy services
Telnet
Universal plug and play
Viewing Windows services and their state using PowerShell:
Get-WmiObject -Class Win32_Service -ComputerName test | Select __SERVER,Name,State,StartName
Disabling a service (svsvc used as the example):
Set-Service svsvc -StartupType Disabled
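The service list above mapped to actual Windows service names, as an added PowerShell example that is not part of the original notes: it reports the state of each on one or more hosts and can stop and disable them. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName) and that the target is not a server that legitimately runs these roles; "proxy services" has no single service name and is left out.

```powershell
# Added example (not from the original notes): check the services named in the list
# above and stop/disable any that are present on a non-server machine.
# Service names: W3SVC (IIS web), FTPSVC (IIS FTP), MSSQLSERVER (SQL Server default
# instance), TlntSvr (Telnet), upnphost and SSDPSRV (Universal Plug and Play).
$UnwantedServices = @('W3SVC', 'FTPSVC', 'MSSQLSERVER', 'TlntSvr', 'upnphost', 'SSDPSRV')

function Get-UnwantedServiceState {
    # One row per service, whether installed or not, so the report is complete.
    param([string]$ComputerName = $env:COMPUTERNAME)
    foreach ($name in $UnwantedServices) {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -Filter "Name='$name'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer  = $ComputerName
            Service   = $name
            Installed = [bool]$svc
            State     = if ($svc) { $svc.State } else { '-' }
            StartMode = if ($svc) { $svc.StartMode } else { '-' }
            RunsAs    = if ($svc) { $svc.StartName } else { '-' }
            Finding   = if ($svc -and $svc.StartMode -ne 'Disabled') { 'ENABLED: disable unless this host needs the role' } else { 'ok' }
        }
    }
}

function Disable-UnwantedService {
    # Stops and disables each unwanted service that exists; -WhatIf only reports.
    param([string]$ComputerName = $env:COMPUTERNAME, [switch]$WhatIf)
    foreach ($name in $UnwantedServices) {
        $svc = Get-Service -ComputerName $ComputerName -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        if ($WhatIf) { "Would stop and disable $name on $ComputerName"; continue }
        if ($svc.Status -eq 'Running') { Stop-Service -InputObject $svc -Force }
        Set-Service -InputObject $svc -StartupType Disabled
        "$name on ${ComputerName}: stopped and disabled"
    }
}

Get-UnwantedServiceState | Format-Table -AutoSize
Disable-UnwantedService -WhatIf
```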
Install Antivirus Software
Install up-to-date antivirus software to protect your system from virus infections
Either use built-in antivirus or third-party antivirus software
Built-in Antivirus for Windows 10: Windows Defender
Enable Windows Defender Firewall
Enable Windows Defender Firewall to filter the incoming and outgoing traffic on a Windows system
Go to Control Panel > System and Security > Windows Defender Firewall
Enabling Defender Firewall on all profiles using PowerShell:
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Adding an inbound allow rule for the local subnet using PowerShell:
New-NetFirewallRule -RemoteAddress 10.0.0.0/24 -DisplayName "Local Subnet" -Direction Inbound -Profile Any -Action Allow
Viewing firewall rule status using PowerShell:
Get-NetFirewallRule -Name *NTTP* | Select Name, Enabled, Direction, Action, PrimaryStatus
Monitor Windows Registry
The Windows registry is the central Windows configuration database
It stores the configuration settings of applications and of the operating system itself
It maintains registry keys recording various user actions, such as autorun locations, MRU lists, UserAssist, etc.
Regular monitoring and auditing of the registry can help users detect traces of malicious activity on the system
The Process Monitor utility (Sysinternals) is used to monitor registry activity in real time.
The Windows registry can be opened by executing the 'regedit' command at the command prompt.
Viewing registry key data using PowerShell
Get-PSDrive -PSProvider Registry | Select-Object -Property Name, Root
Set-Location HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion
Get-ChildItem
Discuss Windows active directory security best practices
Cleaning Domain Admins Group
The domain Administrator account is in the Domain Admins group by default
Microsoft recommends cleaning up the Domain Admins group to protect the accounts from attackers
Local Administrator Password Solution (LAPS)
LAPS is implemented to manage local administrator passwords
LAPS creates a password for each individual local administrator account and stores it in Active Directory
Disable NTLM and NTLMv2 Protocols
Disable NTLM authentication so that Kerberos authentication is used in the AD domain
Network security: Restrict NTLM: NTLM authentication in this domain – Disable
Monitor Active Directory Events for Signs of Compromise
AD Events should be monitored regularly for signs of compromise
Events to Monitor
Changes to administrative groups
Wrong password attempts
Usage of locked out accounts
Account lockouts
Changes in the antivirus software settings
Activities performed by privileged accounts
PS Cmdlets for Securing Active Directory
1. View the default password policy
Get-ADDefaultDomainPasswordPolicy
2. View accounts whose password is set to never expire
Get-ADUser -Filter * -Properties Name, PasswordNeverExpires
Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object DistinguishedName, Name, Enabled
3. Force a user to change their password at next logon
Set-ADUser -Identity bob -ChangePasswordAtLogon $true
4. Disable a user account and list all disabled accounts
Disable-ADAccount -Identity bob
Search-ADAccount -AccountDisabled | Select Name
5. List locked-out accounts
Search-ADAccount -LockedOut
6. Unlock all locked-out accounts
Search-ADAccount -LockedOut | Unlock-ADAccount
7. View user logon details (start by collecting the domain controllers to query)
$DC = Get-ADDomainController -Filter *
8. Disable inactive accounts
Search-ADAccount -UsersOnly -AccountInactive -DateTime '1/1/2022' | Disable-ADAccount
$timespan = New-TimeSpan -Days 90
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
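The password-policy recommendations from the user account section and the cmdlets above, combined into one audit, as an added PowerShell example that is not part of the original notes. It requires the ActiveDirectory module on a domain-joined host; the threshold values other than the minimum length of 11 are assumptions to adjust to your own baseline.

```powershell
# Added example (not from the original notes): compare the default domain password
# policy with the recommendations above (complexity on, minimum length 11, a low
# maximum password age) and report never-expiring, inactive and locked-out accounts
# before anything is disabled. Requires the ActiveDirectory module on a domain-joined
# host; threshold values marked "assumed" are not from the notes.

Import-Module ActiveDirectory

$PolicyBaseline = @{
    MinPasswordLength    = 11    # from the Set-ADDefaultDomainPasswordPolicy example above
    MaxPasswordAgeDays   = 90    # assumed ceiling for "as low as possible"
    LockoutThreshold     = 10    # assumed
    PasswordHistoryCount = 24    # assumed
}

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $maxAge = $p.MaxPasswordAge.Days          # 0 means passwords never expire
    $checks = @(
        @{ Setting = 'ComplexityEnabled';     Current = $p.ComplexityEnabled;    Pass = $p.ComplexityEnabled }
        @{ Setting = 'MinPasswordLength';     Current = $p.MinPasswordLength;    Pass = ($p.MinPasswordLength -ge $PolicyBaseline.MinPasswordLength) }
        @{ Setting = 'MaxPasswordAge (days)'; Current = $maxAge;                 Pass = ($maxAge -gt 0 -and $maxAge -le $PolicyBaseline.MaxPasswordAgeDays) }
        @{ Setting = 'LockoutThreshold';      Current = $p.LockoutThreshold;     Pass = ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $PolicyBaseline.LockoutThreshold) }
        @{ Setting = 'PasswordHistoryCount';  Current = $p.PasswordHistoryCount; Pass = ($p.PasswordHistoryCount -ge $PolicyBaseline.PasswordHistoryCount) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{ Setting = $c.Setting; Current = $c.Current; Status = if ($c.Pass) { 'PASS' } else { 'FAIL' } }
    }
}

function Get-AccountHygieneReport {
    # The three account conditions the cmdlet list above looks for, in one object.
    param([int]$InactiveDays = 90)
    $span = New-TimeSpan -Days $InactiveDays
    [pscustomobject]@{
        PasswordNeverExpires = @(Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } |
                                 Select-Object -ExpandProperty SamAccountName)
        InactiveEnabled      = @(Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $span |
                                 Where-Object Enabled | Select-Object -ExpandProperty SamAccountName)
        LockedOut            = @(Search-ADAccount -LockedOut | Select-Object -ExpandProperty SamAccountName)
    }
}

function Disable-InactiveUsers {
    # Dry run by default; pass -Apply to actually disable the accounts. Returns the count.
    param([int]$InactiveDays = 90, [switch]$Apply)
    $span  = New-TimeSpan -Days $InactiveDays
    $stale = @(Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $span | Where-Object Enabled)
    if ($Apply) { $stale | Disable-ADAccount } else { $stale | Disable-ADAccount -WhatIf }
    return $stale.Count
}

Test-DomainPasswordPolicy | Format-Table -AutoSize
Get-AccountHygieneReport | Format-List
Disable-InactiveUsers -InactiveDays 90   # dry run; add -Apply to enforce
```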
AD Security Best Practices
- Manage local Administrator passwords (LAPS)
- Implement RDP Restricted Admin mode
- Remove unsupported OSes from the network
- Monitor scheduled tasks on sensitive systems like domain controllers
- Ensure that OOB management passwords (DSRM) are changed regularly and securely stored
- Use SMB v3+
- Default domain Administrator and KRBTGT password should be changed every year or when an AD administrator leaves
- Remove trusts that are no longer necessary & enable SID filtering as appropriate
- Wherever possible set all domain authentication to send NTLMv2 response only\refuse LM & NTLM
- Audit NTLM use and restrict it
- Block Internet access for domain controllers, servers, and all administration systems.
- Disable NetBIOS over TCP/IP and turn off multicast name resolution (LLMNR)
- No user or computer accounts in administrator groups
- Mark all administrator accounts as sensitive and cannot be delegated
- Add all administrator accounts to the "Protected Users" group
- Disable all inactive administrator accounts and remove them from privileged groups
- Restrict AD administrator membership and use custom delegation groups
- "Tiered" administration mitigates the impact of credential theft
- Ensure administrators only log on to approved administrative workstations and servers
- Assign time-based, temporary group membership for all administrator accounts
- To protect administrator and critical systems, segment the network
- Deploy IDS to monitor the internal corporate network
- Network device and OOB management on separate network
- Protect Service Account Credentials
- Limit service accounts to systems of the same security level
- Implement (group) managed service accounts
- Implement FGPP (Fine-Grained Password Policy; requires Domain Functional Level 2008 or later) to increase password requirements for service accounts and administrators
- Prevent interactive logon and enable logon to specific computers
- Disable inactive service accounts and remove from privileged groups
- Protect workstations and servers
- Patch quickly, especially privilege escalation vulnerabilities
- Deploy security back-port patch
- Set Reg key to 0 :
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
- Deploy workstation whitelisting
- Deploy workstation application sandboxing technology (EMET, the Enhanced Mitigation Experience Toolkit)
- Run only the software and services required to support AD
- Restrict groups/users having domain controller administrator or logon rights
- Ensure patches are applied before running DCPromo
- Validate scheduled tasks & scripts
- Implement centralized logging using SIEM
- Use a user behaviour analysis system
- Enable enhanced auditing
- Enable PowerShell module logging
- Enable process creation auditing with command-line logging and forward logs to a central log server
Secure PowerShell (PS) Remoting Endpoints
PS Remoting gives access to almost everything, so it is more likely to be attacked by threat actors
When PS Remoting is enabled, it configures four endpoints called session configurations
Each endpoint defines which users can access the session. By default, administrators and Remote Management Users can access the endpoints
Execute Get-PSSessionConfiguration to view all the endpoints. The Permission property gives details of the users and permissions for each endpoint.
To reduce the risks from PS Remoting, custom endpoints (constrained endpoints) can be created with restricted permissions for endpoint users.
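One way to build such a constrained endpoint, which is also what the JEA section earlier describes (a role capability file plus a session configuration file running as a virtual account), as an added PowerShell example that is not part of the original notes. Module name, role name, group, transcript share and endpoint name are placeholders.

```powershell
# Added example (not from the original notes): build a constrained PS Remoting
# endpoint with JEA so that members of one group can run only a few service cmdlets,
# in a virtual account, with transcripts written to a central share. This covers
# both the JEA section earlier and the constrained endpoints mentioned above.
# Module name, role name, group, transcript share and endpoint name are placeholders.

$ModuleName   = 'ServiceOpsJEA'                 # placeholder module holding the role capability
$RoleName     = 'ServiceOperator'
$AllowedGroup = 'CONTOSO\ServiceOperators'      # placeholder AD group
$Transcripts  = '\\logserver\pstranscripts$'    # placeholder central share
$EndpointName = 'ServiceOps'

# JEA finds role capability files under <module>\RoleCapabilities of an installed module.
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$ModuleName.psd1") -ModuleVersion '1.0'

# 1. Role capability file: what the role may do. Restart-Service is limited to two
#    named services so the operator cannot restart arbitrary ones.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath "$RoleName.psrc") -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
)

# 2. Session configuration file: who gets which role, and that the session runs as a
#    virtual account (no stored credentials) with every session transcribed.
$pssc = Join-Path $env:TEMP "$EndpointName.pssc"
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $Transcripts `
    -RoleDefinitions @{ $AllowedGroup = @{ RoleCapabilities = $RoleName } }
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration file: $pssc" }

# 3. Register the endpoint and show its Permission property, as described above.
Register-PSSessionConfiguration -Name $EndpointName -Path $pssc -Force | Out-Null
Get-PSSessionConfiguration -Name $EndpointName | Select-Object Name, Permission

# Operators then connect with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName ServiceOps
```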
The PS enhanced logging feature (PowerShell version 5.0) enables recording of executed PS commands and scripts, de-obfuscated code, output, and transcripts
Enable PS logging to identify any suspicious scripting activity across the network.
PS Logging Components
Transcript logging: creates a unique record of every PS session
Script block logging: records blocks of code as they are executed
Module logging: records pipeline execution details as PS executes
Disable PS v2.0
PS 2.0 is considered a security risk, as it can be used to execute malicious code
Disable PS 2.0 if it is enabled
To disable PS 2.0 in Windows 10 use the following command:
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
To check PS 2.0 status in Windows 10 use the following command:
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
Enforce Script Signing for PS Scripts
By default, as a security feature, Windows restricts PS script execution
The PS execution policy settings determine how scripts may be executed
Type the Get-ExecutionPolicy command to verify the PS execution policy
Configure PS to enforce script signing for all PS scripts
PS execution policy settings can be configured using:
Command line
Group Policy
Registry Editor
PowerShell Script Execution Policy Settings
Restricted: no scripts can be executed
AllSigned: only scripts signed by a trusted publisher are executed
RemoteSigned: downloaded scripts are executed only when signed by a trusted publisher
Unrestricted: executes all PowerShell scripts
Use ConstrainedLanguageMode of PS
PS FullLanguage mode allows loading of all COM objects / libraries / classes into the PS session
Enforce RestrictedLanguage or ConstrainedLanguage mode to prevent attackers from loading arbitrary COM objects / libraries / classes into the PS session
Type the $ExecutionContext.SessionState.LanguageMode command to determine the PS language mode
RestrictedLanguage mode can be implemented using:
AppLocker
Device Guard using UMCI (User Mode Code Integrity)
Command to determine the PowerShell language mode:
$ExecutionContext.SessionState.LanguageMode
To restrict, use the Local Computer Policy MMC snap-in:
Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker\Script Rules
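The PowerShell hardening items from the logging, PS 2.0, execution policy and language mode sections, audited in one pass, as an added PowerShell example that is not part of the original notes. The policy registry paths are the standard locations behind the corresponding Group Policy settings; the transcript share is a placeholder, and language mode is only reported because it is enforced by AppLocker/Device Guard rather than set here.

```powershell
# Added example (not from the original notes): audit the PowerShell hardening items
# from this section in one pass (v2 engine, execution policy, language mode and the
# three logging components), with a function that applies the logging and policy
# settings. The registry paths are the standard locations behind the matching Group
# Policy settings; the transcript share is a placeholder. Language mode cannot be set
# here (it is enforced by AppLocker/Device Guard as noted above), so it is only reported.

$PsPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PsPolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $PsPolicyRoot $SubKey
    if (Test-Path $key) { (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Name }
}

function Get-PowerShellHardeningState {
    $v2     = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    $lang   = $ExecutionContext.SessionState.LanguageMode
    $sbl    = Get-PsPolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    $mod    = Get-PsPolicyValue 'ModuleLogging'      'EnableModuleLogging'
    $tr     = Get-PsPolicyValue 'Transcription'      'EnableTranscripting'
    $outDir = Get-PsPolicyValue 'Transcription'      'OutputDirectory'
    $checks = @(
        @{ Check = 'PowerShell v2 engine';         Current = $(if ($v2) { $v2.State } else { 'not present' }); Expected = 'Disabled'; Pass = (-not $v2 -or $v2.State -eq 'Disabled') }
        @{ Check = 'Execution policy (machine)';   Current = $policy;  Expected = 'AllSigned';           Pass = ($policy -eq 'AllSigned') }
        @{ Check = 'Language mode (this session)'; Current = $lang;    Expected = 'ConstrainedLanguage'; Pass = ($lang -ne 'FullLanguage') }
        @{ Check = 'Script block logging';         Current = $sbl;     Expected = 1;                     Pass = ($sbl -eq 1) }
        @{ Check = 'Module logging';               Current = $mod;     Expected = 1;                     Pass = ($mod -eq 1) }
        @{ Check = 'Transcription';                Current = $tr;      Expected = 1;                     Pass = ($tr -eq 1) }
        @{ Check = 'Transcripts on a UNC share';   Current = $outDir;  Expected = '\\server\share';      Pass = ("$outDir" -like '\\*') }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{ Check = $c.Check; Current = $c.Current; Expected = $c.Expected; Status = if ($c.Pass) { 'PASS' } else { 'FAIL' } }
    }
}

function Enable-PowerShellHardening {
    # Applies the logging policies, removes the v2 engine and sets AllSigned. Run elevated.
    param([string]$TranscriptDirectory = '\\logserver\pstranscripts$')   # placeholder central share
    $settings = @(
        @{ SubKey = 'ScriptBlockLogging';        Name = 'EnableScriptBlockLogging'; Value = 1 }
        @{ SubKey = 'ModuleLogging';             Name = 'EnableModuleLogging';      Value = 1 }
        @{ SubKey = 'ModuleLogging\ModuleNames'; Name = '*';                        Value = '*' }   # log every module
        @{ SubKey = 'Transcription';             Name = 'EnableTranscripting';      Value = 1 }
        @{ SubKey = 'Transcription';             Name = 'EnableInvocationHeader';   Value = 1 }
        @{ SubKey = 'Transcription';             Name = 'OutputDirectory';          Value = $TranscriptDirectory }
    )
    foreach ($s in $settings) {
        $key = Join-Path $PsPolicyRoot $s.SubKey
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $s.Name -Value $s.Value -Force | Out-Null
    }
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

Get-PowerShellHardeningState | Format-Table -AutoSize
# Enable-PowerShellHardening -TranscriptDirectory '\\logserver\pstranscripts$'   # elevated
```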
Using Windows Potentially Unwanted Applications Protection Feature
Potentially unwanted programs (PUPs) or potentially unwanted applications (PUAs) are programs downloaded from an untrusted source or not used often.
Examples of the PUAs are adware, downloaders, and aggressive monetizing software.
The Windows PUA protection feature scans and detects all PUA files in the system.
PUA protection can be configured using the following:
GPO
PowerShell.
Configure PUA Protection using PowerShell
Run PowerShell as Administrator and enter the following command:
Set-MpPreference -PUAProtection 1
Windows Sandbox
Windows Sandbox creates an isolated, temporary desktop environment to run application software without affecting the host machine.
Users can safely download an executable file from a risky source, install it, and test it in the Sandbox without risking the host system.
The PC should support virtualization for using Windows Sandbox
In "Turn Windows features on or off", check Windows Sandbox
Sandboxing Tool: Sandboxie
Sandboxie is a sandboxing tool developed by Sophos
It keeps the browser isolated and blocks malicious software, viruses, ransomware, and zero-day threats.
It prevents Internet websites from modifying files and folders on the system
BufferZone – bufferzonesecurtity.com
SHADE Sandbox – shadesandbox.com
Shadow Defender – shadowdefender.com
BitBox – rohde-schwarz.com
Toolwiz Time Freeze – toolwiz.com
Sandboxie – sandboxie.com
Windows Defender Application Guard: Microsoft Edge
Windows Defender Application Guard (WDAG) isolates Microsoft Edge and blocks websites from accessing the local storage, memory, installed apps, and corporate network endpoints
PS Remoting Security Recommendations
- Turn on transcription logging and ensure the logs are written to a central file share
- Lock down the accounts that have privileges to remove the logs in the central file share
- Script block logging should be turned on to evaluate the damage on the system
- If module logging is enabled, it will produce an enormous amount of event log data
- Certificate infrastructure is to be enabled for the domain
- SSL certificates are to be installed on all domain systems
- The HTTP port in use should be disabled for PS after the deployment of SSL certificates
- Ensure every system on the network has an upgraded version of Windows PS installed
- Limit the firewall to open only the two ports used by PS Remoting. If SSL is used, only one port should be opened.
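As an added example (not from the course notes), the script below turns on the three audit sources listed above through the same registry values that the PowerShell Group Policy settings write, then pulls recent script block events for review. The central share name '\\logsrv\pstranscripts$' is an assumption; delete rights on that share still have to be locked down separately.

```powershell
# Added example (not from the course notes): enable transcription, script block logging and
# module logging via the policy registry keys, then review script block events (ID 4104).
# '\\logsrv\pstranscripts$' is an assumed central share.
$TranscriptShare = '\\logsrv\pstranscripts$'
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Transcription: every session writes a text transcript to the central share.
Set-PolicyValue "$PolicyRoot\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$PolicyRoot\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$PolicyRoot\Transcription" 'OutputDirectory' $TranscriptShare 'String'

# Script block logging: the de-obfuscated code lands in event ID 4104 even if the .ps1 is deleted.
Set-PolicyValue "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module logging for all modules ('*'). This is the noisy source the recommendations warn about.
Set-PolicyValue "$PolicyRoot\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'

# Review: 4104 events from the last day, largest script blocks first.
# For 4104, Properties[2] holds the ScriptBlockText fragment.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n = 'Text'; e = { $_.Properties[2].Value }} |
    Sort-Object { $_.Text.Length } -Descending |
    Select-Object -First 10
```

Long script blocks are split across several 4104 events; group on the ScriptBlockId in Properties[3] when reassembling one for analysis.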
Securing Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP) enables encrypted remote connections between systems over TCP port 3389.
When an RDP connection is established between systems, it uses a tunneling mechanism to encrypt the data.
The encryption is done between the client and the server only, but not for the authentication of the terminal server
Attackers can exploit the vulnerability in the encryption method of RDP.
If an attacker is able to guess the authentication details, they can perform a Man-in-the-Middle (MITM) attack to sniff the data transferred between the client and the server.
RDP Security Best Practices:
- Limit the users who can log in using remote desktop
- Restrict access by implementing firewall rules (scoping)
- Use strong passwords
- Implement RDP gateways (never expose RDP to the Internet directly – require VPN)
- Enable Network Level Authentication
Limit the number of RDP users
By default, all users with administrative rights can log in to the remote desktop
Security Settings\Local Policy\User Rights Assignment\Allow log on through Remote Desktop Services
Scoping RDP Firewall Rule
Restrict access to RDP using firewall
Scoping should be implemented to restrict access to IP address or group of IP addresses to a particular port
Scoping will restrict access to IPs not within scope
Implementing RDP Gateways
RDP gateways are implemented to strictly restrict the access to the RDP ports but support the connections through a single gateway.
When an external source tries to get access to a private network through Remote Desktop Connection the RDP gateway is used for a secure connection.
RDP runs over HTTPS port 443
Enable Network Level Authentication (NLA) on the RDP server and client.
NLA is performed by the RDP server or RDP client even before the session between the client and the server is established.
NLA is implemented to send the user credentials securely from the client side using the client's security support provider and makes the user authenticate before the session starts.
Enable NLA using Windows PowerShell
(Get-WmiObject -Class "Win32_TSGeneralSettings" -Namespace root\cimv2\terminalservices -ComputerName "test" -Filter "TerminalName='RDP-Tcp'").SetUserAuthenticationRequired(1)
Getting NLA Information
(Get-WmiObject -Class "Win32_TSGeneralSettings" -Namespace root\cimv2\terminalservices -ComputerName "test" -Filter "TerminalName='RDP-Tcp'").UserAuthenticationRequired
Protecting Credentials over RDP
Remote Credential Guard is a feature used to protect user credentials over a remote desktop connection
This protects the credentials by redirecting Kerberos requests back to the device that is requesting the connection
Remote Credential Guard is active only when the host supports it and it is enabled; connection to other systems is then done using SSO.
Restrict delegation of credentials to remote servers – Prefer Remote Credential Guard
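The script below is an added example (not from the course notes) that applies the RDP practices from this section on a single host: it requires NLA through the CIM equivalent of the Get-WmiObject call above, scopes the built-in Remote Desktop firewall rules to one management subnet, adds an RDP group to the local Remote Desktop Users group, and sets the "Restrict delegation of credentials to remote servers" policy values to require Remote Credential Guard. The subnet 10.10.5.0/24 and the group CORP\RDP-Admins are assumptions.

```powershell
# Added example (not from the course notes): RDP hardening on one host. Run elevated.
# Assumptions: management subnet 10.10.5.0/24, RDP group 'CORP\RDP-Admins'.
$AllowedSubnet = '10.10.5.0/24'
$RdpGroup      = 'CORP\RDP-Admins'

# 1. Require Network Level Authentication (CIM form of the Win32_TSGeneralSettings call).
$ts = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSettings `
        -Filter "TerminalName='RDP-Tcp'"
Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null

# 2. Scope the built-in Remote Desktop firewall rules so only the management subnet can reach 3389.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $AllowedSubnet -Enabled True

# 3. Limit who may connect: 'Remote Desktop Users' is what the
#    "Allow log on through Remote Desktop Services" right covers by default.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpGroup -ErrorAction SilentlyContinue

# 4. Prefer Remote Credential Guard. RestrictedRemoteAdministrationType:
#    1 = require Restricted Admin, 2 = require Remote Credential Guard, 3 = allow either.
$credKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (-not (Test-Path $credKey)) { New-Item -Path $credKey -Force | Out-Null }
New-ItemProperty -Path $credKey -Name 'RestrictedRemoteAdministration' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $credKey -Name 'RestrictedRemoteAdministrationType' -Value 2 -PropertyType DWord -Force | Out-Null

# Verify: NLA flag should read 1, and the RDP rules should list only the management subnet.
(Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSettings `
    -Filter "TerminalName='RDP-Tcp'").UserAuthenticationRequired
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The client side of Remote Credential Guard is requested with mstsc.exe /remoteGuard; the policy above makes the host refuse connections that would delegate reusable credentials.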
Managing DNSSEC for a Domain Name
DNSSEC adds a layer of security to domain names by adding digital signatures to their Domain Name System (DNS) information.
Delegation Signer (DS) data contains the digital signature information for the respective domain name's DNS.
Depending on the domain name's extension, one or more DS records are used at one time.
DNSSEC guarantees:
Authenticity
Integrity
The non-existence of a domain name or type
DNSSEC does not guarantee:
Confidentiality
Protection against Denial of Service (DoS)
Securing DNS with DNSSEC
DNS is a distributed hierarchical database that maps URLs to IP addresses
To protect against DNS threats like cache poisoning attacks and DNS spoofing, Domain Name System Security Extensions (DNSSEC) provides a key (digital signature) with the response given by the DNS server
The validator checks that the public key matches the signing private key by verifying it against the data published by the corresponding top-level domain (TLD) and root servers.
If the keys match, it confirms that the DNS data was not tampered with in transit.
List of how to set up DNSSEC for major hosting and DNS providers:
AD
AWS
Azure
Cloudflare
GoDaddy
How Does DNSSEC Protect Internet Users
DNSSEC is designed to shield Internet users from forged DNS data, such as a deceptive or malicious address in place of the genuine address that was requested.
Difference between Non-DNSSEC-aware and DNSSEC-aware lookups
Non-DNSSEC-Aware lookups
The URL request goes out to the Internet and the first response received is accepted
A malicious Internet user can intercept the request and send back incorrect information
The response received points to an undesired Internet site where personal data can be compromised
DNSSEC-Aware lookups
These DNS lookups travel to the domain name's registry and get a copy of the digital signature that is being used by the URL.
The browser cannot display the site unless the address response also includes a matching digital signature
This way, users cannot be redirected to a bogus location that they did not request.
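To see the difference between the two lookup kinds described above, here is an added example (not from the course notes) that uses Resolve-DnsName with -DnssecOk so the resolver returns the zone's DNSKEY records, the DS records the parent publishes, and the RRSIG that covers the A answer. The zone name and any resolver passed in -Server are assumptions.

```powershell
# Added example (not from the course notes): inspect what a DNSSEC-aware lookup returns for a zone.
# -DnssecOk sets the DO bit, so a validating resolver includes RRSIG records beside the answer.
# $Zone is an assumption; substitute your own signed domain.
function Test-DnssecSigned {
    param([string]$Zone = 'example.com', [string]$Server)

    $common = @{ Name = $Zone; DnssecOk = $true; ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    # DNSKEY: the zone's public keys (flags 257 = key-signing key, 256 = zone-signing key)
    $keys = Resolve-DnsName @common -Type DNSKEY
    # DS: the Delegation Signer hash of the zone's KSK, published by the parent (TLD) zone
    $ds   = Resolve-DnsName @common -Type DS
    # A record plus the RRSIG that covers it
    $a    = Resolve-DnsName @common -Type A

    [pscustomobject]@{
        Zone        = $Zone
        DnsKeyCount = @($keys | Where-Object Type -eq 'DNSKEY').Count
        DsCount     = @($ds   | Where-Object Type -eq 'DS').Count
        ARecords    = @($a | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
        HasRrsigOnA = [bool]($a | Where-Object Type -eq 'RRSIG')
    }
}

# A protected zone shows DNSKEY and DS records and an RRSIG beside its A answer;
# an unsigned zone shows zero DS records and no RRSIG.
Test-DnssecSigned -Zone 'example.com' | Format-List
```

Whether the chain actually validates depends on the resolver you ask: a non-validating resolver passes the RRSIGs through without checking them, so for an end-to-end test point -Server at a resolver you know performs DNSSEC validation.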
Monitor DNS logs for security threats
Almost every connection a machine makes starts with a DNS query
If the systems in the domain use Windows Server DNS, the requests made by users can be monitored
Suspicious connection requests can be detected by monitoring DNS logs
To enable DNS monitoring:
- Open the DNS Management Console
- Right-click the server and select Properties
- Click the Debug Logging tab
- Check the checkbox "Log packets for debugging"
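Once packet debug logging is on, the log has to be read. The following is an added example (not from the course notes) that parses packet lines in the Windows DNS debug log format and flags queries whose leftmost label is unusually long or high-entropy, the shape that DNS tunnelling and data exfiltration over DNS tend to produce. The log lines are constructed samples, not real traffic, and the thresholds are assumptions to tune for your environment.

```powershell
# Added example (not from the course notes): parse Windows DNS debug-log packet lines and flag
# lookups with very long or high-entropy first labels. Sample lines are constructed.
$SampleLog = @'
2/20/2024 10:15:02 AM 0B2C PACKET  000000B5A0F1E2D0 UDP Rcv 10.0.0.25       0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
2/20/2024 10:15:03 AM 0B2C PACKET  000000B5A0F1E3A0 UDP Rcv 10.0.0.41       0004   Q [0001   D   NOERROR] A      (5)login(9)microsoft(3)com(0)
2/20/2024 10:15:05 AM 0B2C PACKET  000000B5A0F1E4C0 UDP Rcv 10.0.0.77       0005   Q [0001   D   NOERROR] TXT    (32)4a7f1c0e9b2d5e8f3a6c1b0d7e9f2a4c(6)tunnel(7)example(3)net(0)
2/20/2024 10:15:06 AM 0B2C PACKET  000000B5A0F1E5D0 UDP Rcv 10.0.0.77       0006   Q [0001   D   NOERROR] TXT    (32)9c2e7b1d4f6a0c3e5b8d2f7a1c4e6b9d(6)tunnel(7)example(3)net(0)
2/20/2024 10:15:06 AM 0B2C PACKET  000000B5A0F1E6E0 UDP Snd 10.0.0.25       0003   R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
'@

# Field order in a packet line: date time AM/PM, thread, PACKET, packet id, proto, Rcv/Snd,
# remote IP, xid, Q/R, [flags], query type, name in (len)label form.
$Pattern = '^(?<ts>\S+ \S+ \S+)\s+\S+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+(?<dir>Rcv|Snd)\s+(?<ip>\S+)\s+\S+\s+(?<qr>Q|R)\s+(?:Q\s+)?\[[^\]]*\]\s+(?<qtype>\S+)\s+(?<name>\S+)$'

function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $Pattern) {
            [pscustomobject]@{
                Time   = $Matches.ts
                Client = $Matches.ip
                Dir    = $Matches.dir
                QType  = $Matches.qtype
                # "(3)www(7)example(3)com(0)" -> "www.example.com"
                Name   = ($Matches.name -replace '\(\d+\)', '.').Trim('.')
            }
        }
    }
}

function Get-ShannonEntropy([string]$Text) {
    if (-not $Text) { return 0.0 }
    $n = [double]$Text.Length
    $h = 0.0
    foreach ($g in ($Text.ToCharArray() | Group-Object)) {
        $p = $g.Count / $n
        $h -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($h, 2)
}

function Find-SuspiciousDnsQuery {
    param([object[]]$Queries, [int]$MaxLabelLength = 30, [double]$MaxEntropy = 3.5)
    # Only inbound queries (Rcv); responses (Snd) repeat the same names.
    $Queries | Where-Object Dir -eq 'Rcv' | ForEach-Object {
        $first = ($_.Name -split '\.')[0]
        $h = Get-ShannonEntropy $first
        if ($first.Length -gt $MaxLabelLength -or $h -gt $MaxEntropy) {
            $_ | Add-Member -NotePropertyName FirstLabelLength -NotePropertyValue $first.Length -PassThru |
                 Add-Member -NotePropertyName Entropy -NotePropertyValue $h -PassThru
        }
    }
}

$queries = ConvertFrom-DnsDebugLog -Lines ($SampleLog -split "`r?`n")
Find-SuspiciousDnsQuery -Queries $queries |
    Format-Table Time, Client, QType, FirstLabelLength, Entropy, Name -AutoSize
```

With the sample above only the two TXT queries from 10.0.0.77 are reported; www.example.com and login.microsoft.com pass both checks. Against a real log, replace $SampleLog with Get-Content on the dns.log path configured in the Debug Logging tab.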
Disable SMB 1.0
It is recommended that SMB 1.0 is disabled and that later versions of SMB, which have enhanced security features, are used.
Disabling SMB 1.0 using PS
Type the following command to disable SMB 1.0
For Windows Servers:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
For Windows 10:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Disabling SMB 1.0 Using Windows Registry
Navigate to:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
The DWORD value SMB1 should not be present or should have a value of 0
Disabling SMB 1.0 using Control Panel (Windows Features)
Enable SMB Encryption
SMB encryption provides end-to-end encryption of SMB data and protects data from man-in-the-middle attacks on untrusted networks
SMB encryption can be enabled for the entire file server or only for specific file shares
Advanced Encryption Standard (AES)-CCM algorithm is used to encrypt and decrypt the data in SMB encryption.
Enable SMB Encryption with Windows PowerShell
Execute the following commands to enable SMB encryption
Encrypt individual file share:
Set-SmbShare -Name <ShareNameHere> -EncryptData $true
Encrypt the entire file server
Set-SmbServerConfiguration -EncryptData $true
Create a new SMB file share with SMB encryption enabled
New-SmbShare -Name <ShareNameHere> -Path <PathNameHere> -EncryptData $true
Enable SMB 3.0
Set-SmbServerConfiguration -MaxChannelPerSession 32 -Force
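Before running the commands in this section on a production file server it is worth knowing which shares are still unencrypted and which clients still negotiate SMB 1. The script below is an added example (not from the course notes): it snapshots the server's SMB posture, applies the hardening settings, and snapshots again. It assumes no parameters beyond an elevated session on the server.

```powershell
# Added example (not from the course notes): audit a file server's SMB posture, harden it, re-audit.
# Run elevated on the file server.
function Get-SmbPosture {
    $cfg  = Get-SmbServerConfiguration
    # The SMB1Protocol optional feature; absent on builds where it was never installed
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = if ($smb1) { $smb1.State } else { 'NotPresent' }
        EncryptAllShares  = $cfg.EncryptData
        RejectUnencrypted = $cfg.RejectUnencryptedAccess   # $true: clients that cannot encrypt are refused
        RequireSigning    = $cfg.RequireSecuritySignature
        # Non-administrative shares that do not have per-share encryption turned on
        UnencryptedShares = @(Get-SmbShare |
            Where-Object { -not $_.Special -and -not $_.EncryptData } |
            ForEach-Object Name)
        # Clients currently connected with a dialect below 2.0 would break when SMB1 is disabled
        Smb1Clients       = @(Get-SmbSession -ErrorAction SilentlyContinue |
            Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
            ForEach-Object ClientComputerName | Sort-Object -Unique)
    }
}

Get-SmbPosture | Format-List

# Remediate: drop SMB1, encrypt every share, refuse unencrypted clients, require signing.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -EncryptData $true `
    -RejectUnencryptedAccess $true -RequireSecuritySignature $true -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

Get-SmbPosture | Format-List
```

If Smb1Clients is not empty in the first snapshot, fix those clients first; disabling SMB 1 on the server otherwise cuts them off without warning.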
Application Patch Management Solutions and Tools
SolarWinds Patch Manager – solarwinds.com
Kaseya Patch Management Software – kanseya.com
Ivanti Patch – ivanti.com
IBM BigFix – ibm.com
LANDESK Patch Manager – ivanti.com
Flexera Corporate Software Inspector – flexera.com
Verismic CMD Patch Manager – cloudmanagementsuite.com
Shavlik Protect – ivanti.com
Disk Encryption: Implementing Built-in Disk Encryption for Windows
- Enabling Device Encryption – Go to Start – Settings – Update & Security – Device Encryption and click the "Turn on device encryption" option.
- Enabling Standard BitLocker Encryption – Sign in with an Administrator account. Select the Start button, choose Control Panel, and then click System and Security. Select "Turn on BitLocker".
File Level Encryption: Implementing Built-in File System-level Encryption on Windows
cipher /e "c:\test\sample.txt"
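The GUI steps above have a scriptable equivalent in the BitLocker module. The following is an added example (not from the course notes): it reports the protection state of every BitLocker volume, enables BitLocker on the OS drive with a TPM protector after escrowing a recovery password, and confirms that the cipher command set the Encrypted attribute on the file. It assumes a TPM is present, the machine is domain-joined (needed for Backup-BitLockerKeyProtector), and the file path from the cipher example exists.

```powershell
# Added example (not from the course notes): BitLocker status, enablement with key escrow, and an EFS check.
# Assumptions: TPM present, domain-joined for AD key escrow, C:\test\sample.txt exists. Run elevated.
function Get-EncryptionStatus {
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, ProtectionStatus,
        EncryptionPercentage, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
}

Get-EncryptionStatus | Format-Table -AutoSize

$os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
if ($os.ProtectionStatus -eq 'Off') {
    # Add and escrow the recovery password first, so it is in AD before encryption starts.
    Add-BitLockerKeyProtector -MountPoint $os.MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $os.MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $rp.KeyProtectorId

    # TPM-sealed key, XTS-AES-256; -SkipHardwareTest avoids the reboot-based pre-check.
    Enable-BitLocker -MountPoint $os.MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

# File-level encryption (EFS) for one file, then confirm the Encrypted attribute is set.
$file = 'C:\test\sample.txt'   # assumed path, matching the cipher example in the notes
cipher /e $file | Out-Null
(Get-Item $file).Attributes -band [IO.FileAttributes]::Encrypted   # non-zero when encrypted
```

Keep the EFS recovery agent certificate (and the BitLocker recovery password) backed up: a file encrypted by a user whose profile is later lost is unreadable without one of them.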
3rd Party Crypters
AxCrypt
idoo file encryption – idooencryption.com
cryptomator – cryptomator.org
encrypto – macpaw.com
aes crypt – aescrypt.com
flashcrypt – flashcrypt.en.softonic.com
boxcryptor – boxcryptor.com
DLP Solution: MyDLP
MyDLP is a free and open-source solution that allows organizations to secure confidential data
The supported data inspection channels include web, email, instant messaging, printers, removable storage device, screenshots, etc.
Scan and rebuild system health
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow
Summary
Windows security baseline is a group of Microsoft-recommended configuration settings for securing Windows.
Unpatched OS, improper configurations, weak passwords, lack of anti-malware software, leaving unnecessary services and processes enabled, etc. can provide a path to attackers to compromise security of Windows systems.
Patch management ensures appropriate and updated patches are installed on the system.
Restricted permissions for endpoint users should be created to reduce the risks of PS Remoting
DNSSEC adds a layer of security to your domain names by adding digital signatures to their DNS information
Disable SMB 1.0 and enable SMB encryption.
Discuss Windows network services and protocol security