System Hardening and Technical Controls for Windows



Introduction

Are you an IT or technology professional looking for ways to reduce your attack surface and improve the security of your information assets? Below are some of the most effective ways to get your security as good as it can be without making too many productivity compromises.

Assess Risk level
Firewalls
Group Policies
Unused Services
Updates & Patches
Anti-Exploit
Data Execution Prevention (DEP)
Remote Access & RDP
Principle of Least Privilege
Passwords, Passwords, Passwords

Assess risk level

Risk is inherent in every organization. IT staff need to be cognizant of the risk to information and assets: data alone can be worth more than an organization’s physical assets once compliance fines and possible liability are counted. An IT professional must build or follow a risk model specific to their organization in order to gauge the appropriate level of security for it. Organizations with too little security and organizations with excess security both lose money. The whole point of security is to mitigate monetary loss; if security itself is costing you more time and money than the losses it prevents, it is not doing its job.

Firewalls

Firewalls keep unauthorized traffic from entering (and, with outbound rules, leaving) a network or host. A firewall that is under-configured lets attacks through; one that is over-configured breaks legitimate work and ends up being bypassed. A few good configurations are below.

  • Run ‘netstat -abn’ in an elevated cmd or PowerShell prompt to list every listening port together with the executable behind it, then stop or disable the services you do not need. A port with no listener cannot be attacked.
  • If possible, implement a stateful packet inspection (SPI) firewall and configure appropriate rules. A stateful firewall tracks connections and only admits inbound packets that belong to a connection the host itself initiated, plus whatever you explicitly permit inbound.
  • Configure default deny and add rules when needed. Always remove old, unused rules.
  • Turn on outbound blocking and logging. This helps to prevent malicious services or malware from reaching back to their command-and-control server, and the log shows you which program tried.
  • Consider a highly rated third-party firewall, such as Comodo’s. Comodo’s firewall has a built-in HIPS in addition to its firewall and AV functions.
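The steps above, as an added PowerShell example that is not part of the original article: it sets all three Windows Defender Firewall profiles to default deny in both directions with logging, adds the minimum outbound allow rules a workstation needs, lists what is still listening, and flags allow rules whose program no longer exists on disk. The log path, the resolver address 10.0.0.53 and the rule names are assumptions for your own environment.

```powershell
# Added example (not from the original article): baseline Windows Defender
# Firewall to default-deny in both directions with logging, then list what is
# still listening so you can decide which services to stop or allow.
# Run from an elevated PowerShell prompt. Test on a lab machine first: a
# default-deny outbound policy breaks anything without an explicit allow rule.
# Built-in allow rules (DHCP, Core Networking) stay in force; the default
# action only applies where no rule matches.

#Requires -RunAsAdministrator

# 1. All three profiles on, default deny in both directions, log both
#    dropped and allowed packets (log path is an assumption).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Minimum outbound allow rules so a default-deny workstation still works.
#    The DNS server address is an assumption; add rules for your own update
#    and management servers in the same way.
$dns = '10.0.0.53'
New-NetFirewallRule -DisplayName 'Hardening: DNS to corporate resolver' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $dns
New-NetFirewallRule -DisplayName 'Hardening: HTTP/HTTPS' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80,443

# 3. Every listening TCP port with its owning process: each line is either a
#    service to stop or an inbound rule to write deliberately.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort -Unique |
    Format-Table -AutoSize

# 4. Allow rules that point at programs no longer on disk are the
#    'old unused rules' to remove.
Get-NetFirewallRule -Enabled True -Action Allow |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($prog -and $prog -notin 'Any', 'System') {
            $path = [Environment]::ExpandEnvironmentVariables($prog)
            if (-not (Test-Path $path)) { "Stale rule: $($_.DisplayName) -> $prog" }
        }
    }
```

Run step 3 before step 1 on a machine you have not hardened yet; the listening-port list tells you which inbound rules, if any, you actually need before the default-deny policy takes effect.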

Group policies

Just about everything in this guide can be pushed out with Group Policy. In fact, it is encouraged if you have more than a few users. Some additional miscellaneous policies are listed here.

  • Software Restriction Policy
  • Simple Software Restriction Policy (third-party software)
  • Disable network logons for local accounts (important!): assign ‘Deny access to this computer from the network’ to the local account SIDs, so that a local administrator password shared across machines cannot be reused for lateral movement.
  • Disable Live Tiles, OneDrive (if unused), and web results in Windows 10 Search.
  • Disable AutoPlay
  • Max out UAC (User Account Control): set it to ‘Always notify’ in every situation.
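The local-policy equivalents of the settings above, as an added PowerShell example that is not part of the original article. The registry values are the ones the corresponding Group Policy settings write, so they are useful for a standalone machine, a lab, or for checking what a GPO actually did; in a domain, set the same policies centrally. The network-logon denial is a user-rights assignment and goes through secedit. Temp-file paths are assumptions; the Live Tiles setting is per-user and is not covered here.

```powershell
# Added example (not from the original article): local-policy equivalents of
# the Group Policy items above. Run elevated on the machine being hardened.

#Requires -RunAsAdministrator

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# UAC at its highest setting ('Always notify'): consent on the secure desktop
# for admins, credential prompt on the secure desktop for standard users.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-PolicyValue $uac 'EnableLUA'                  1
Set-PolicyValue $uac 'ConsentPromptBehaviorAdmin' 2
Set-PolicyValue $uac 'ConsentPromptBehaviorUser'  1
Set-PolicyValue $uac 'PromptOnSecureDesktop'      1

# AutoPlay off for every drive type, including non-volume devices (cameras, phones).
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-PolicyValue $explorer 'NoDriveTypeAutoRun'     255
Set-PolicyValue $explorer 'NoAutoplayfornonVolume' 1

# No web results from the Start menu search box.
$search = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
Set-PolicyValue $search 'DisableWebSearch'      1
Set-PolicyValue $search 'ConnectedSearchUseWeb' 0

# OneDrive sync client blocked (only if the organization does not use it).
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' 'DisableFileSyncNGSC' 1

# Deny network logon to local accounts. S-1-5-113 = 'Local account',
# S-1-5-114 = 'Local account and member of Administrators group'; both exist
# on Windows 8.1 / Server 2012 R2 and later. Existing entries (usually Guests)
# are kept. This stops a stolen local admin password or hash from being
# replayed to every machine that shares it.
$cfg = Join-Path $env:TEMP 'secpol.inf'   # path is an assumption
$db  = Join-Path $env:TEMP 'secpol.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines   = Get-Content $cfg
$sids    = @('*S-1-5-113', '*S-1-5-114')
$current = @($lines | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' })
if ($current) {
    $sids += ($current[0] -split '=', 2)[1].Trim() -split '\s*,\s*'
    $sids  = $sids | Select-Object -Unique
    $lines = $lines -replace '^SeDenyNetworkLogonRight\s*=.*', "SeDenyNetworkLogonRight = $($sids -join ',')"
} else {
    # No existing entry: add one directly under the [Privilege Rights] header.
    $lines = $lines | ForEach-Object {
        $_
        if ($_ -eq '[Privilege Rights]') { "SeDenyNetworkLogonRight = $($sids -join ',')" }
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit expects UTF-16
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# Verify the user right took effect.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | Select-String '^SeDenyNetworkLogonRight'
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Software Restriction Policy and AppLocker are large enough topics that they are not scripted here; the GUI entry point is Local Security Policy > Software Restriction Policies (or AppLocker under Application Control Policies).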

Unused services

Disable unnecessary services. This is by no means an exhaustive guide; however, it will provide some insight into which services can normally be disabled.

  • Disable IPv6 on any network where you have not deployed it. An unmanaged IPv6 stack is still a reachable one: a rogue router advertisement on the LAN can make a Windows host route and resolve names through an attacker’s machine. If you need IPv6 later, re-enable it deliberately.
  • Disable NetBIOS over TCP/IP in the adapter’s IPv4 WINS settings. NetBIOS name resolution is broadcast-based and is one of the protocols LAN name-poisoning tools abuse.
  • Ensure discovery protocols (LLMNR, Link-Layer Topology Discovery, SSDP/UPnP) are disabled.
  • Disable File and Printer Sharing unless absolutely necessary.
  • Disable Client for Microsoft Networks (only on machines that never need to reach an SMB share or domain controller).
  • Disable the QoS Packet Scheduler.
  • Disable Microsoft Network Adapter Multiplexor Protocol.
  • Disable Microsoft LLDP Protocol Driver.
  • Disable Link-Layer Topology Discovery Mapper I/O Driver.
  • Disable Link-Layer Topology Discovery Responder.
  • Disable IGMP, UPnP and SMBv1. SMBv1 is obsolete, has been the transport for wormable exploits, and nothing current needs it.
  • Remove and disable Microsoft, Dell, HP, Asus, etc. bloatware.
  • Disable unused network adapters.
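The list above, as an added PowerShell example that is not part of the original article: it unbinds the named protocols from every adapter by component ID, turns off NetBIOS over TCP/IP, LLMNR and SMBv1, stops the UPnP services, disables disconnected adapters and then prints what is still bound. IGMP and vendor bloatware are not covered here. Which bindings you can safely drop depends on the machine: a domain-joined workstation that uses file shares must keep the Client for Microsoft Networks binding, so remove ms_msclient from the table if that applies.

```powershell
# Added example (not from the original article): unbind the protocols listed
# above, disable NetBIOS over TCP/IP, LLMNR, SMBv1 and UPnP, and disable
# adapters that are not in use. Run elevated, and keep console or out-of-band
# access: unbinding the wrong component on a remote machine will cut you off.

#Requires -RunAsAdministrator

# Component IDs as reported by Get-NetAdapterBinding. Edit to suit the host.
$bindings = [ordered]@{
    ms_tcpip6   = 'Internet Protocol Version 6 (only where IPv6 is not deployed)'
    ms_msclient = 'Client for Microsoft Networks (SMB client; keep on domain workstations)'
    ms_server   = 'File and Printer Sharing for Microsoft Networks (SMB server)'
    ms_pacer    = 'QoS Packet Scheduler'
    ms_implat   = 'Microsoft Network Adapter Multiplexor Protocol'
    ms_lldp     = 'Microsoft LLDP Protocol Driver'
    ms_lltdio   = 'Link-Layer Topology Discovery Mapper I/O Driver'
    ms_rspndr   = 'Link-Layer Topology Discovery Responder'
}
foreach ($id in $bindings.Keys) {
    Disable-NetAdapterBinding -Name '*' -ComponentID $id -ErrorAction SilentlyContinue
    '{0,-12} unbound  ({1})' -f $id, $bindings[$id]
}

# NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled, on every IP-enabled
# interface. Removes the NBT-NS name resolution that LAN poisoning relies on.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

# LLMNR is the other multicast name-resolution protocol attackers poison; this
# is the value the 'Turn off multicast name resolution' policy sets.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $dnsPolicy)) { New-Item $dnsPolicy -Force | Out-Null }
New-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Value 0 -PropertyType DWord -Force | Out-Null

# SMBv1: remove the optional feature and switch the server-side protocol off.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# UPnP / SSDP discovery is a pair of services; stop and disable both.
foreach ($svc in 'SSDPSRV', 'upnphost') {
    Stop-Service $svc -Force -ErrorAction SilentlyContinue
    Set-Service  $svc -StartupType Disabled
}

# Adapters that are not connected (docking stations, spare NICs, Wi-Fi on a
# wired desktop) are attack surface with no benefit.
Get-NetAdapter | Where-Object Status -eq 'Disconnected' | Disable-NetAdapter -Confirm:$false

# Review what is still bound; anything still Enabled here should be a
# deliberate choice.
Get-NetAdapterBinding | Where-Object Enabled | Sort-Object Name, ComponentID |
    Format-Table Name, ComponentID, DisplayName -AutoSize
```

Re-enabling a binding later is the mirror image: Enable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6, for example, if IPv6 is rolled out.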

Updates & patches

  • Create an update and patch schedule on a weekly basis (multiple times per week if possible).
  • FileHippo and Comodo offer program managers that compare installed versions of third-party programs against the latest releases; they help automate the search for updates and the patching itself.
  • Follow best practices in update testing, documentation, and implementation.

Anti-exploit

Exploit Protection (the successor to EMET) arrived in Windows 10 version 1709 as part of Windows Defender Exploit Guard. It blunts some zero-day attack vectors by enforcing memory-safety mitigations such as DEP, ASLR, SEH overwrite protection and control-flow guard, both system-wide and per program. Ensure it is enabled and audit it as often as your risk model dictates. Further info can be found here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection

Data execution prevention (DEP)

Ensure DEP is enabled for all programs: Control Panel > System and Security > System > Advanced system settings > Advanced tab > Performance (Settings button) > Data Execution Prevention tab > ‘Turn on DEP for all programs and services except those I select’. On 64-bit Windows, 64-bit processes always run with DEP; this setting governs 32-bit programs, so keep the exception list empty unless a legacy application demonstrably needs it.
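Both the Exploit Protection section and the DEP section above, as one added PowerShell example that is not part of the original article: it sets the system-wide mitigations, adds a per-process policy for one application, sets the boot-time DEP policy that the Control Panel radio button writes, and exports the configuration as XML for deployment through Group Policy or Intune. The choice of winword.exe and the export path are illustrative assumptions; pick applications from your own risk model and test each one, since some legacy software breaks under the stricter mitigations.

```powershell
# Added example (not from the original article): Exploit Protection and DEP
# from PowerShell (Windows 10 1709 or later). Run elevated.

#Requires -RunAsAdministrator

# System defaults: DEP, SEH overwrite protection, bottom-up and high-entropy
# ASLR, and control-flow guard for images compiled with it. These apply to
# every process that does not override them in its own policy.
Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp,HighEntropy,CFG

# Per-process (illustrative): an Office binary never legitimately needs to
# spawn child processes or load images from remote shares, and macro-to-shell
# is the classic abuse, so turn both off for it.
Set-ProcessMitigation -Name winword.exe -Enable DisallowChildProcessCreation,BlockRemoteImageLoads

# Boot-time DEP policy. nx OptOut is what the 'Turn on DEP for all programs
# and services except those I select' option sets; nx AlwaysOn also removes
# the exception list. 64-bit processes always run with DEP; this governs
# 32-bit code. Takes effect after a reboot.
bcdedit /set '{current}' nx OptOut

# Audit: show the effective system policy and export everything to XML
# (path is an assumption). Import elsewhere with
# Set-ProcessMitigation -PolicyFilePath <file>.
Get-ProcessMitigation -System
$export = Join-Path $env:TEMP 'exploit-protection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $export
Write-Output "Exploit Protection configuration exported to $export"
```

Deploy the XML rather than re-running the cmdlets on every host: the ‘Use a common set of exploit protection settings’ Group Policy setting points at that file, which keeps the configuration auditable in one place.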

Remote access & RDP

Disable Remote Assistance and Remote Desktop, and remove any remote access applications that are not in use. If you choose to allow remote access for admin functions, require Network Level Authentication, restrict the firewall rule to your management subnet, never expose RDP directly to the internet, and make the logins complex and difficult to guess. Follow username and password best practices and do not reuse passwords or usernames.
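The two choices in the paragraph above, as an added PowerShell example that is not part of the original article: by default it disables Remote Assistance and Remote Desktop; with -KeepRdpForAdmins it leaves RDP on but requires Network Level Authentication and scopes the built-in firewall rules to the domain profile and a management subnet. The subnet 10.0.0.0/24 is an assumption.

```powershell
# Added example (not from the original article): disable remote access, or
# harden RDP for admin use. Run elevated. Running this over an RDP session
# without -KeepRdpForAdmins will, of course, end that session.

#Requires -RunAsAdministrator

param([switch]$KeepRdpForAdmins)

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

# Remote Assistance off in either case.
Set-ItemProperty -Path $ra -Name fAllowToGetHelp -Value 0
Disable-NetFirewallRule -DisplayGroup 'Remote Assistance' -ErrorAction SilentlyContinue

if (-not $KeepRdpForAdmins) {
    # Deny Terminal Services connections, close the firewall group and stop
    # the service so nothing is listening on 3389.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Stop-Service TermService -Force -ErrorAction SilentlyContinue
    Set-Service  TermService -StartupType Disabled
} else {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
    # NLA: the client must authenticate before a session is created, so an
    # unauthenticated attacker never reaches the logon screen or its bugs.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    # Built-in RDP rules: domain profile only, management subnet only
    # (the subnet is an assumption).
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress 10.0.0.0/24
}

# Report the resulting state.
[pscustomobject]@{
    RemoteAssistanceAllowed = (Get-ItemProperty $ra).fAllowToGetHelp
    RdpDenied               = (Get-ItemProperty $ts).fDenyTSConnections
    NlaRequired             = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication
    RdpRulesEnabled         = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                Where-Object Enabled -eq 'True').Count
}
```

Pair the hardened variant with an account lockout policy (see the password section) so that what does reach port 3389 cannot be brute-forced at leisure.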

Principle of least privilege

Reduce your attack surface by ensuring least privilege is followed.

  • Use standard accounts with limited privilege for non-admin work. End users should not have admin privileges, EVER. (Yes, the user will call you fifty times a day; they still should not be installing uTorrent at work.) Legitimate software can be pushed out with Group Policy.
  • Create standards for Role Based Access Control (RBAC) and audit roles frequently.
  • Never (ever) log in to an end user’s workstation with privileged domain credentials (Domain Admin or equivalent). An interactive logon leaves that credential cached in memory on the workstation, and anyone who has already compromised it can steal the credential and escalate to the whole domain.
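The audit the list above calls for, as an added PowerShell example that is not part of the original article: it collects the local Administrators group from a list of workstations over PowerShell remoting, compares each member against an approved list, and reports the rest. It needs WinRM enabled on the targets and should be run from a dedicated admin workstation, never from a user’s desktop, for the reason given in the last bullet. The host names WS01/WS02 and the group CORP\Workstation Admins are assumptions.

```powershell
# Added example (not from the original article): find unexpected members of
# the local Administrators group across workstations.

param(
    [string[]]$ComputerName = @('WS01', 'WS02'),               # assumption
    [string[]]$Approved     = @('CORP\Workstation Admins')     # assumption
)

# Runs on each target and returns one row per group member.
$report = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Type     = $_.ObjectClass
            Source   = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD ...
        }
    }
}

$findings = foreach ($row in $report) {
    # The built-in local Administrator shows up as <host>\Administrator; allow
    # that one implicitly, everything else must be on the approved list.
    $ok = ($Approved -contains $row.Member) -or ($row.Member -eq "$($row.Computer)\Administrator")
    if (-not $ok) { $row }
}

if ($findings) {
    'Unexpected local administrators:'
    $findings | Format-Table Computer, Member, Type, Source -AutoSize
} else {
    'Local Administrators groups match the approved list on all hosts.'
}

# Least-privilege reminder for the operator running this script.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "You are running elevated as $($id.Name); use a standard account for day-to-day work."
}
```

Individual user accounts that appear in the findings are the usual sign that a helpdesk fix turned into a permanent privilege; the Approved list should contain groups managed through RBAC, not people.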

Strong password requirements

You’ve heard it a million times: create complex passwords and change them frequently.

  • Audit your AD password hashes with rainbow tables and combined dictionary attacks. NT hashes are unsalted, so precomputed tables and large wordlists are effective against them, which is exactly why an attacker who obtains the hashes will crack the weak ones quickly.
  • Force users to create complex passwords with password policies.
  • Force users to change passwords on a schedule. If users’ passwords are long, high-entropy and not reused elsewhere, you can stretch out the change interval; current NIST guidance (SP 800-63B) goes further and favours length, screening against breached-password lists and changing on suspected compromise over routine rotation.
  • Your users must comply! There are only three basic rules for end users, and high password entropy is one of them. Small organizations and those with less inherent risk may be more lenient, but it is still very important to enforce password rules.
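The policy side of the bullets above, as an added PowerShell example that is not part of the original article: it sets the default domain password and lockout policy with the ActiveDirectory module, adds a stricter fine-grained policy for privileged accounts, and lists the accounts that bypass the policy altogether, which are the ones any password audit finds first. The numeric values are one illustrative baseline, not a standard; choose them from your risk model. Run as a Domain Admin on a machine with RSAT installed.

```powershell
# Added example (not from the original article): domain password policy,
# a fine-grained policy for admins, and a quick audit of exempt accounts.

Import-Module ActiveDirectory
$domain = (Get-ADDomain).DistinguishedName

# Default domain policy: long minimum, complexity on, history so old passwords
# cannot be cycled back, and a lockout that slows online guessing without
# making a denial of service trivial. Values are illustrative.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false

# Fine-grained policy: privileged accounts get longer passwords, shorter
# rotation and a tighter lockout. Lower precedence number wins.
$psoName = 'PSO-PrivilegedAccounts'   # name is an assumption
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins', 'Enterprise Admins'

# Verify what is in force and whom the fine-grained policy applies to.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold
Get-ADFineGrainedPasswordPolicy -Identity $psoName |
    Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo

# Audit hook: enabled accounts whose password never expires, or which are
# flagged PasswordNotRequired, sit outside the policy you just set.
Get-ADUser -Filter { Enabled -eq $true -and (PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true) } `
    -Properties PasswordNeverExpires, PasswordNotRequired |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired |
    Format-Table -AutoSize
```

Policy settings stop users choosing short passwords; they do not stop them choosing predictable ones. Pair this with the hash audit from the first bullet so that ‘Summer2024!’ gets caught even though it satisfies every rule above.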

About us

Spectre Intelligence is a private investigation and intelligence firm located in sunny Round Rock, TX (Austin area). If you need investigation or cybersecurity services, visit us at www.spectreintel.com and www.spectretechnology.com