Links from our TechDays Presentation
Here is a link collection and some brief notes from our TechDays session.
We'll skip the WannaCry part in this post because it's covered everywhere anyway, except for one point: patching is extremely important.
Selecting hardware
It's no secret that Microsoft is working hard to reduce the use of passwords. The reason is simple: a password is something you know, and someone else can find it out.
Windows Hello Requirements
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements
https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise
Hardware Security Testability Specification
https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification
Managing firmware patches
Firmware also needs patching. You need to be able to deploy firmware patches to the clients that are already in your environment.
TPM Recommendations
https://docs.microsoft.com/en-us/windows/device-security/tpm/tpm-recommendations
BitLocker mitigation plan for vulnerability in TPM
https://support.microsoft.com/en-us/help/4046783/bitlocker-mitigation-plan-for-vulnerability-in-tpm
UEFI Secure Boot
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
Security features
Credential guard
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
Device Guard
https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
Windows Defender Exploit Guard
Attack Surface Reduction
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
This security feature really hardens the client, especially when it comes to Office applications.
As an example, one of the rules stops Office applications from starting another process, such as cmd or PowerShell, via DDE.
PowerShell Example
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled
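The one-liner above turns all seven rules straight to block mode. The following is an added example (not from the TechDays post) of the rollout order a practitioner would normally use: put the same seven rules into audit mode first, read back the per-rule state, look at what the rules fired on, and only then enforce. It assumes Windows 10 1709 or later with Windows Defender Antivirus active; the rule names are Microsoft's published names for these GUIDs, and the EventData field names read from the 1121/1122 events are an assumption you should check against the XML of an event on your own build.

```powershell
# Added example, not code from the original post. Assumes Windows Defender AV is the
# active AV and the Defender PowerShell module (Set-/Add-/Get-MpPreference) is present.

# The seven ASR rules from the post, with Microsoft's published names.
$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

# Get-MpPreference returns one byte per rule: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Set-AsrRulesAudit {
    # Step 1: audit mode for every rule, so nothing is blocked yet.
    # Add-MpPreference updates/appends instead of replacing the whole rule list like Set-MpPreference.
    $ids = [string[]]$AsrRules.Keys
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@('AuditMode') * $ids.Count)
}

function Get-AsrRuleState {
    # Step 2: report the configured state of each rule on this machine.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($AsrRules.Contains($id)) { $AsrRules[$id] } else { '(rule not in the list above)' }
            Action = $ActionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Get-AsrHits {
    param([int]$Days = 7)
    # Step 3: what did the rules fire on? In the Defender operational log,
    # event 1122 = rule fired in audit mode, event 1121 = rule blocked something.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        # Assumed field names: 'ID' (rule GUID), 'Process Name', 'Path'. Check $data on your build.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = ([string]$data['ID']).Trim('{}').ToUpper()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            Rule    = if ($AsrRules.Contains($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
            Process = $data['Process Name']
            Target  = $data['Path']
            Data    = $data   # full field set, for when the assumed names differ
        }
    }
}

function Set-AsrRulesEnforce {
    # Step 4: once the audit hits are attacks and not line-of-business apps, flip to block mode.
    $ids = [string[]]$AsrRules.Keys
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@('Enabled') * $ids.Count)
}

# Typical run on a pilot group:
# Set-AsrRulesAudit; Get-AsrRuleState | Format-Table
# ...a week later: Get-AsrHits -Days 7 | Format-Table Time, Mode, Rule, Process, Target
# Set-AsrRulesEnforce
```

The value of the audit week is in the `Get-AsrHits` output: a line-of-business macro that spawns a process under the "child processes" rule shows up as an audited hit before it becomes a help-desk ticket, and you can exclude or fix it before enforcing.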
Controlled Folder Access
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard
This is the new ransomware protection. It looks great, but it's too soon to call it a silver bullet, since ransomware can still do a full-disk encryption.
Against ransomware that encrypts files, though, this is something that should be configured for your protection. Sec-Labs R&D will dig deeper into this feature.
PowerShell Downgrade Attacks
All the cool new security features are being added in PowerShell version 5.0:
AMSI (Antimalware Scan Interface) – not that many 3rd-party AV vendors support this yet, which is a shame when we look at real-world attacks today
Constrained Language Mode – locks the session down: no arbitrary .NET API calls, just legacy PowerShell
System Wide Transcript
Script Block Logging
PowerShell -version 2 and you’re in… (more or less)
PowerShell version 2 has been deprecated since Windows 10 1709. Note that installing .NET Framework 3.5 enables it again, and then you'll have to disable it.
PowerShell downgrade attacks can be spotted in Event Viewer: look for event ID 400 where the host version is lower than 5.0.
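As an added example (not from the TechDays post), here is the event ID 400 check written as a small detection that you can run against the live "Windows PowerShell" log or, offline, against the constructed sample messages embedded below. Event 400 ("Engine state is changed from None to Available") carries both a HostVersion= and an EngineVersion= line in its message; the post talks about the host version, and this example checks both, since the engine version is the one that says which PowerShell actually started. The sample messages are constructed for the example.

```powershell
# Added example, not code from the original post. Assumes the classic
# "Windows PowerShell" event log is present (it is on every Windows client).

function Get-PowerShellVersionsFromMessage {
    # Parse the HostVersion= and EngineVersion= lines out of an ID 400 message.
    param([Parameter(Mandatory)][string]$Message)
    $hostVer   = if ($Message -match 'HostVersion=(\d+(\.\d+)+)')   { [version]$Matches[1] } else { $null }
    $engineVer = if ($Message -match 'EngineVersion=(\d+(\.\d+)+)') { [version]$Matches[1] } else { $null }
    $hostName  = if ($Message -match 'HostName=([^\r\n]+)')          { $Matches[1].Trim() }   else { $null }
    [pscustomobject]@{ HostName = $hostName; HostVersion = $hostVer; EngineVersion = $engineVer }
}

function Test-PowerShellDowngrade {
    # $true when either version in the message is below the minimum (5.0 per the post).
    param([Parameter(Mandatory)][string]$Message, [version]$Minimum = '5.0')
    $v = Get-PowerShellVersionsFromMessage -Message $Message
    ($null -ne $v.HostVersion   -and $v.HostVersion   -lt $Minimum) -or
    ($null -ne $v.EngineVersion -and $v.EngineVersion -lt $Minimum)
}

function Find-PowerShellDowngrade {
    # Live check: every ID 400 in the last $Days days whose engine or host is below $Minimum.
    param([int]$Days = 30, [version]$Minimum = '5.0')
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Windows PowerShell'
        Id        = 400
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { Test-PowerShellDowngrade -Message $_.Message -Minimum $Minimum } |
    ForEach-Object {
        $v = Get-PowerShellVersionsFromMessage -Message $_.Message
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Computer      = $_.MachineName
            HostName      = $v.HostName
            HostVersion   = $v.HostVersion
            EngineVersion = $v.EngineVersion
        }
    }
}

# Constructed sample messages (not real log data), shaped like the ID 400 message body.
$SampleMessages = @(
    "Engine state is changed from None to Available.`n`tHostName=ConsoleHost`n`tHostVersion=5.1.16299.98`n`tEngineVersion=5.1.16299.98",
    "Engine state is changed from None to Available.`n`tHostName=ConsoleHost`n`tHostVersion=2.0`n`tEngineVersion=2.0",
    "Engine state is changed from None to Available.`n`tHostName=Windows PowerShell ISE Host`n`tHostVersion=5.1.16299.98`n`tEngineVersion=5.1.16299.98"
)

# Offline run: only the second sample (powershell.exe -version 2) is flagged.
$SampleMessages | ForEach-Object {
    [pscustomobject]@{
        Downgrade = Test-PowerShellDowngrade -Message $_
        Versions  = Get-PowerShellVersionsFromMessage -Message $_
    }
} | Format-Table -AutoSize

# On a forwarded-events collector, point the live check at the forwarded log instead:
# replace LogName = 'Windows PowerShell' with LogName = 'ForwardedEvents' in Find-PowerShellDowngrade.
```

If the 2.0 engine is removed (Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root), the downgrade fails and no ID 400 with a 2.0 version is written at all; the check above is for the period until that is done everywhere, and for catching the .NET 3.5 install that turns it back on.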
Old-school configurations that should already be in place
Local firewall – Enabled!
Applocker
We always get questions about AppLocker. It has been built in since Windows 7.
Build, evaluate and push a baseline to take control of what is allowed to execute; no need for 3rd-party tools here.
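The "build, evaluate and push a baseline" steps above, as an added example (not from the TechDays post) using the built-in AppLocker PowerShell module: collect file information from a clean reference install, generate publisher rules with hash rules as fallback, switch the policy to audit-only so gaps are logged rather than blocked, and test it against sample paths before it goes into a GPO. The directory list, output path and the function names are this example's own choices.

```powershell
# Added example, not code from the original post. Assumes a Windows 7+/Windows 10
# Enterprise reference machine with the AppLocker module and the AppIDSvc service.
Import-Module AppLocker

function New-AppLockerBaseline {
    param(
        # Trusted install locations on the reference machine (example choice, adjust to yours).
        [string[]]$ReferenceDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot"),
        [string]$OutFile = (Join-Path $env:TEMP 'applocker-baseline.xml')
    )
    # Step 1 (build): gather publisher/hash data for EXEs and DLLs under the trusted locations.
    $files = foreach ($dir in $ReferenceDirs) {
        if (Test-Path $dir) { Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll }
    }
    # Prefer publisher rules (they survive patching); unsigned files fall back to hash rules.
    # -Optimize merges rules that share a publisher, -Xml returns the policy as XML text.
    $policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml
    # Step 2 (prepare for evaluation): audit-only in every rule collection, so a gap in the
    # baseline produces event 8003 in "Microsoft-Windows-AppLocker/EXE and DLL" instead of a block.
    $xml = [xml]$policyXml
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
    $xml.Save($OutFile)
    return $OutFile
}

function Test-AppLockerBaseline {
    # Step 3 (evaluate): run sample paths through the policy without applying it.
    # Rows with PolicyDecision = Denied are what the baseline would block once enforced.
    param(
        [Parameter(Mandatory)][string]$PolicyFile,
        [Parameter(Mandatory)][string[]]$Paths,
        [string]$User = 'Everyone'
    )
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Paths -User $User
}

function Get-AppLockerAuditHits {
    # Step 3b (evaluate in the field): what would have been blocked on a machine running audit-only.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, UserId, Message
}

# Usage on the reference machine:
# $policyFile = New-AppLockerBaseline
# Test-AppLockerBaseline -PolicyFile $policyFile -Paths "$env:SystemRoot\System32\calc.exe", "$env:TEMP\unknown.exe" |
#     Format-Table FilePath, PolicyDecision, MatchingRule
# Step 4 (push): locally for a pilot, or into a GPO with -Ldap for the domain.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
# Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap 'LDAP://DC=example,DC=com,...' -Merge   # placeholder DN
# After a week on audit-only: Get-AppLockerAuditHits -Days 7 | Format-Table
```

Collecting file information recursively under Program Files takes a while on a full install, which is why the baseline is built once on a clean reference machine rather than on every client. The EXE and DLL collection is the one that matters most; script and installer collections can be added with the same cmdlets once the EXE baseline is stable.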
Windows Event Forwarding, WEF
When we asked, only a few were actually using this.
There is lots of documentation on how to deploy it in an enterprise.
https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection
Encrypt the hard drives, no excuses here.
DMA Protection
https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security
Antimalware
Don’t spend your money here.
LAPS Local Admin Password Solution
Make sure you don’t have the same local admin password on all clients.
https://technet.microsoft.com/en-us/mt227395.aspx
https://www.microsoft.com/en-us/download/details.aspx?id=46899
Guidelines to secure and lock down your Internet browsers
https://www.us-cert.gov/publications/securing-your-web-browser
https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/
https://docs.google.com/document/d/1iu6I0MhyrvyS5h5re5ai8RSVO2sYx2gWI4Zk4Tp6fgc/edit
https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/#HE5XfCofMiy1S7QM.97
Windows Defender Advanced Threat Protection (WD ATP)
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection
Built-in Security Stack (Agent-less)
Supported on:
Windows 10 1607 (minimum)
Windows Server 2012 R2
Windows Server 2016
Cross-platform (X-Plat) support under investigation
Licensing
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
Sysinternals Sysmon is also a great tool to deploy if you can't use WD ATP for some reason, or just want to see more for yourself.
It should be used together with Windows Event Forwarding.
Securing Privileged Access
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access
Link to slides here