Microsoft security, everyone’s favorite topic to poke fun at. For both offense and defense it is our job security, the bane of our existence, and sometimes an unobtainable goal. Whether we like it or not, Windows Server and desktop environments have their roots sunk deep into the infrastructure of the corporations and homes of the world, so we must learn how to actively manage Windows environments without them getting away from us. How many of you can say that your home or work environment has completely removed deprecated operating systems? XP reached end of life on April 8th, 2014, and extended support for Windows Server 2003 ends this July (https://support.microsoft.com/en-us/lifecycle/search/default.aspx). Just please do not tell me that you have anything older than that on your network. I know there is a good chance that you do; just don’t tell me about it. It is scary enough what is already out there on the internet: old Windows 3.1 boxes, IP cameras, electrical control systems and more. HD Moore has a great talk about the scan of the internet he performed over the whole of 2012 and the data he collected on internet-facing systems (https://youtu.be/VuYi7gVy3dI), which include a large number of Windows systems.
It is extremely hard to tell companies “Just patch/upgrade everything to where it needs to be.” I realize it is not that simple. You may have business-critical applications that only run on deprecated operating systems, the newest OS may not run on hardware you do not have the budget to replace, or maybe you just don’t have the time. Honestly, to someone in information security most of these are just excuses: you are putting convenience, money, and time before protecting your critical assets. In an upcoming article I’ll cover asset and risk management; it is not something many do right, but it is one of the most important planning strategies you can have.
Moving away from the obvious upgrades to current OS and software, there are still many low-cost or free enhancements you can make in Windows to create a more secure environment. Many can be accomplished via Group Policy (if you are in fact on an Active Directory domain). Here are some links that I’ve always relied on and pointed others to for reference:
Best practices for GPOs (Group Policy Objects)
http://www.grouppolicy.biz/best-practices/
http://www.infoworld.com/article/2609578/security/the-10-windows-group-policy-settings-you-need-to-get-right.html
http://www.giac.org/paper/gsec/4138/group-policy-security-risks-practices/104227
Defend your Active Directory
https://youtu.be/uccM2xtE5SA - “Active Directory: Real Defense for Domain Admins”
Set local admin account passwords
http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
Reduce the amount of people in Domain Admins. No one should be logging into their desktop as a domain admin. Ever. Period.
Fix everything listed here. Just do it.
http://blog.spiderlabs.com/2013/09/top-five-ways-spiderlabs-got-domain-admin-on-your-internal-network.html
Implement EMET
Dave Kennedy has a great article on pushing it out domain wide. https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/
Set up UrlScan on IIS servers
http://www.iis.net/downloads/microsoft/urlscan
Set up BitLocker on laptops.
This is a must if you have any chance of that laptop containing sensitive data that could be detrimental to your organization.
A few of these changes will cause growing pains as they are made, others not so much. Stronger password policies can cause the user populace to come after you with pitchforks if it’s not something you have ever needed to change before. Disabling cached credentials, Windows Firewall settings, and changes to local system/service accounts can all create changes in process that not many people will be happy with. I’m not saying it’s easy, but these should all be a part of your overall security no matter how small or large your company happens to be.
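To see where you stand on three of the items above before you change anything (Domain Admins membership, cached domain logons, and BitLocker on the OS drive), here is a quick audit script. It is an added example, not something from the original post; it assumes an elevated PowerShell session on a domain-joined Windows 8 / Server 2012 or later machine with the ActiveDirectory RSAT module installed.

```powershell
# Added audit example (not from the original post). Assumes the ActiveDirectory
# RSAT module is present for the Domain Admins check; the other two checks are local.

# 1. Who is actually in Domain Admins? -Recursive expands nested groups so people
#    hidden behind a group-in-a-group show up too.
Import-Module ActiveDirectory
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName
"Domain Admins ({0} users): {1}" -f @($admins).Count, ($admins -join ', ')

# 2. How many domain logons does this machine cache locally? The policy
#    "Interactive logon: Number of previous logons to cache" writes this value.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is not set
$note = if ([int]$cached -gt 0) { '  <- consider 0 where offline logon is not needed' } else { '' }
"CachedLogonsCount: $cached$note"

# 3. Is the OS drive protected by BitLocker? ProtectionStatus is On or Off.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$status = if ($os) { $os.ProtectionStatus } else { 'BitLocker cmdlet unavailable on this OS' }
"BitLocker on {0}: {1}" -f $env:SystemDrive, $status
```

Run it on a few representative desktops and laptops first; the output gives you the baseline to argue from when the pitchforks come out.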