03-01-2022 04:35 PM - edited 03-24-2022 01:05 PM
You don't have to attend Black Hat to know that there's a steady flow of vulnerabilities being discovered in Windows. It's the most popular desktop operating system and must support legacy setups to avoid breaking business systems. I've been working on content that builds upon our platform's point-and-click policies using custom entries and benchmarks through PowerShell. It's not ready for primetime yet, but we can learn from each other in the interim. Here's a project, Hardening Kitty, that you may find useful.
What does your organization's secure configuration look like? User impact is always a challenge and it would be helpful to hear how other IT admins have handled this challenge.
The initial plan to implement a secure configuration at my previous company was as follows:
(i) Workstations
Note that all of these require someone to be on-site to 1) implement and especially 2) troubleshoot any issues. If no knowledgeable/experienced technical support is on-site, we do not recommend enabling any of the following.
Disable LLMNR - this should be easy for IT to implement and have low impact on end users
Enable NLA for RDP - this should be easy for IT to implement and have low impact on end users
Removing debug rights for all users - this should be easy for IT to implement and have low impact on end users
Enable LAPS - this should be medium effort for IT to implement and have low impact on users
Block SMB ports outbound on network firewalls - this should be easy for IT to implement and have low impact on end users
Block Office macros from running in files from the internet - this should be medium effort for IT to implement and have a medium impact on users who receive macro-enabled Office files via email
Block OLE Excel update links - this should be medium effort for IT to implement and have a medium impact on users who receive OLE-enabled Office files via email
Disable SMBv1 - this should be high effort for IT to implement and have medium impact on end users
Enable MFA for Azure SSO-enabled applications - This should be high effort for IT to implement and have high impact on end users
Enable 16+ character passwords + minimum password age - This should be high effort for IT to implement and have high impact on end users
Enable PowerShell constrained language mode - This should be high effort for IT to implement and have high impact on end users
Enable Credential Guard on Win 10 systems - This should be high effort for IT to implement and have high impact on end users
(ii) Servers
Secure configuration settings as mentioned below. Note that all of these require someone to be on-site to 1) implement and especially 2) troubleshoot any issues. If no knowledgeable/experienced technical support is on-site, we do not recommend enabling any of the following.
Disable LLMNR - this should be easy for IT to disable and have low impact on end users
Enable NLA for RDP - this should be easy for IT to disable and have low impact on end users
Removing debug rights for all users - this should be easy for IT to disable and have low impact on end users
Enable LAPS - this should be medium effort for IT to enable and have low impact on users
Block SMB ports outbound on network firewalls - this should be easy for IT to disable and have low impact on end users
Disable SMBv1 - this should be high effort for IT and have medium impact on end users
Enable 16+ character passwords - This should be high effort for IT and have high impact on end users
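A read-only audit for several of the workstation items above, added here as an example (it is not from the original post or from the Hardening Kitty project). It reads the registry values that the corresponding Group Policy settings write and reports PASS/FAIL without changing anything; the temporary secedit export path is an assumption.

```powershell
# Added example: audit-only check of a subset of the hardening list above.
# Run in an elevated PowerShell session on Windows 10/11. Nothing is modified.

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent -> treated as "not configured"
}

$checks = @(
    @{ Name = 'LLMNR disabled (EnableMulticast = 0)'
       Test = { (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast') -eq 0 } }
    @{ Name = 'NLA required for RDP (UserAuthentication = 1)'
       Test = { (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication') -eq 1 } }
    @{ Name = 'SMBv1 server protocol disabled'
       Test = { -not (Get-SmbServerConfiguration).EnableSMB1Protocol } }
    @{ Name = 'SMBv1 client feature not enabled'
       Test = { (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Enabled' } }
    @{ Name = 'Word macros blocked in files from the internet (user policy)'
       Test = { (Get-RegValue 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Word\Security' 'BlockContentExecutionFromInternet') -eq 1 } }
    @{ Name = 'Credential Guard running'
       Test = { $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
                $dg.SecurityServicesRunning -contains 1 } }   # 1 = Credential Guard
    @{ Name = 'PowerShell running in ConstrainedLanguage mode'
       Test = { $ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage' } }
    @{ Name = 'No account holds SeDebugPrivilege'
       Test = {
           $cfg = Join-Path $env:TEMP 'rights-audit.inf'   # assumption: temp export path
           secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
           $line = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
           Remove-Item $cfg -ErrorAction SilentlyContinue
           # A missing line or an empty right-hand side means nobody holds the right
           (-not $line) -or (($line.Line -replace '^SeDebugPrivilege\s*=\s*', '').Trim() -eq '')
       } }
)

foreach ($c in $checks) {
    # A missing cmdlet or access-denied error counts as FAIL so it is not silently skipped
    $ok = try { [bool](& $c.Test) } catch { $false }
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    "$status  $($c.Name)"
}
```

The Office check covers Word only; repeat it for Excel and PowerPoint (same policy key under their own names) to match the full intent of the macro item.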
03-11-2022 02:28 PM - edited 03-11-2022 02:34 PM
I use a couple different resources here based on the client. The two I have implemented the most are CIS level 1 benchmarks, https://www.cisecurity.org/cis-benchmarks/, and occasionally the DOD Stigs. https://public.cyber.mil/stigs/downloads/. The DoD stigs are free but I do not know of any automated detection systems for Stigs. If you are a member of the MS-ISAC you can get CIS for free and there is an assessor tool offered by CIS. The CIS benchmarks get included in Nexpose and Nessus automatically. The CIS benchmarks also apply to Cloud configurations so you can use CSPM tools like Aqua which have those benchmarks built in and even Microsoft up in Security Center, now recently rebranded as defender for cloud, has the CIS cloud benchmarks already integrated. MS-ISAC membership is free for any State, Local, Tribal, and Territorial government entity. One more plug, CIS also has Benchmark compliant hardened images for deployment in Azure, AWS, GCP, and Oracle Cloud for the 4 people using that one. I love me some MS-ISAC....
EDIT: CIS benchmarks are also free but require creating a CIS account.
04-06-2022 01:52 PM
Very thoughtful and productive response. This is the great thing about community: sharing and learning from one another.