Background
Keeping your organization safe from cyber threats is complicates. New vulnerabilities are uncovered every day. Software updates allow for new vulnerabilities to be unintentionally exploited. Users forget to path, or patches don't work leaving devices exposed. All of these things and more are causes for headaches.
One thing you can exercise more control over is reducing your attack footprint on Microsoft OS systems. The harder it is for attackers to get a foothold, the safer your data, customers and employees will be. Below are our top five Windows configuration suggestions to help with reducing your attack footprint.
Local Administrator Password Solution (LAPS)
The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by Access Control List (ACL), so only eligible users can read it or request its reset.
You should implement LAPS to ensure regular randomizing of Local Admin account passwords on clients and applicable servers to avoid ‘Pass the Hash’ exploits, and horizontal escalation in the event of a compromise on a system. You can then easily access these passwords when needed from AD, Microsoft Endpoint System Center Configuration Manager (SCCM) or the LAPS UI console that can be installed on authorized Admin or Technician desktops, limiting access to them via security groups, OU, or both.
Deploying LAPS entails
Downloading the solution from https://aka.ms/laps (which includes the installation guide and installation files for the password UI console, needed GPO templates, and PowerShell modules).
Deploying the installation package on the Primary Domain Controller
Configuring the GPOs and deployment PowerShell scripting to apply to the desired client and server OUs.
There are several positive factors for implementing LAPS. A vast majority of vulnerabilities in Windows environments are related to the local admin accounts. Implementing LAPS helps address this situation. It is efficient and effective software and through Group Policy, LAPS enforces strong, unique password usage. LAPS automatically identifies password expiration and generates a new password.
There are also some challenges to implementing LAPS. The software requires careful planning, management, and maintenance. It requires AD and domain-joined accounts and excludes non-Windows environments. Finally, it only covers Local Admin accounts, not other types of administrative accounts. These are minor challenges compared to the benefits.
Exploit Guard – Attack Surface Reduction
Exploit Guard is a collection of components that can quickly harden a client against most basic attack vectors. Attack Surface Reduction (ASR) can reduce the attack surface of your applications with intelligent rules that stop the attack vectors used by Office, script, and mail-based malware from being exploitable.
ASR rules can be enabled in multiple ways, including via the Endpoint Security section of Intune by creating a new policy,
via Microsoft Endpoint SCCM
Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard section by creating a new Exploit Guard Policy |
via GPO
under Administrative Templates in the Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction Policy object path by enabling the “Configure Attack surface reduction rules” policy. |
There are several positive factors for implementing ASR. The implementation is with simple toggle options that administrators can enable/disable with GPOs or through Microsoft Endpoint Manager / Configuration Manager. These rules can also be set in Audit Mode, to generate alerts within the Windows Event Viewer. The tool can block many common attack vectors that use launched executables.
There are also some challenges to implementing ASR. If it is not correctly configured, it can block users from doing their jobs. Additionally, ASR works best with Defender, SCCM, and other Microsoft tools. While ASR does work with other tools, PowerShell scripting and registry changes are required to achieve the same 'click-done' functionality as with using the Microsoft tools.
Exploit Guard – Controlled Folder Access
Controlled Folder Access is a tunable (valid exceptions can be specified) protection feature that will stop applications, browsers, and other risk programs from attempting to write to ‘controlled folders’ such as the Windows directory, Font folder, C: root, even User Desktop.
Controlled Folder Access rules can be deployed via the same method as Attack Surface Reduction rules and, if desired, under the same Exploit Guard Policy in SCCM or Intune.
There are several positive factors for implementing Controlled Folder Access rules. The implementation is with simple toggle options that administrators can enable/disable with GPOs or through Intune or SCCM. These rules can also be set in Audit Mode, to generate alerts within the Windows Event Viewer. Controlled Folder Access rules protect sensitive data from ransomware by blocking untrusted processes from accessing your protected folders.
There are a few challenges to implementing Controlled Folder Access rules. If it is not correctly configured, it can block users from doing their jobs. The other challenge is that the default folders protected cannot be changed, only added to. They can have allowed exceptions.
Reduction of NTLM Authentication Use
New technology LAN Manager (NTLM) is a defined method for helping determine whether a user who is trying to access an IT system really is actually who they claim to be. NTLM was replaced with Kerberos as the default authentication protocol in Windows 2000. Despite being replaced, many old applications still use v1 and v2 of NTLM.
In an older, existing domain or environment with legacy applications, ensure that if NTLM is still needed that it is set to strictly use NTLMv2. If possible, block the use of LM and NTLMv1. While not perfect, it can give more security to this legacy authentication protocol.
NTLM restriction can be achieved in a few ways, including via Intune Windows Security Baseline and configuration policies to limit NTLM, or via GPO.
In Group Policy Editor,
navigate to the Computer Configuration > Security Settings > Security Options Policy object path using the Restrict NTLM policies that are appropriate. |
For Intune,
Update the NTLM restrictions in all the Windows Security Baseline and Configuration Policy settings. Policies need to match. If one is updated and the other is not, they can conflict. |
There is a positive result to be gained when reducing the use of NTLM. NTLM authentication is a huge security vulnerability that is still being exploited globally. Reducing NTLM use reduces your attack footprint.
There is also a possible challenge to reducing the use of NTLM. Older application might still use it, so blocking all NTLM could prevent users from doing their jobs. Despite the challenge, it is definitely worth considering.
BitLocker
BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes.
Use BitLocker Drive Encryption to addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. This data protection feature integrates with the operating system. Enterprise environments can securely store the recovery key in Active Directory, or Azure AD.
BitLocker can be deployed either by enabling it on the local machine either in the
Privacy and Security > Drive Encryption section of Window’s settings, or by searching for “BitLocker” in the start menu to bring up the Manage BitLocker control panel applet. For Enterprise-wide deployments, add BitLocker policies in Intune or SCCM. |
There are several positive factors for implementing BitLocker. It is simple to use and doesn’t take many systems resources. Deploying BitLocker protects computers from intrusions/data breaches. It is particularly good for protecting computers that are accessing/storing sensitive/confidential data.
There are also some challenges to implementing BitLocker. BitLocker uses the device’s TPM chip and not all devices have them. The initial encryption can take a long time. Finally, devices are still potentially vulnerable if attacker has physical access.
Enable Core Isolation and Memory Integrity
Core isolation is a security feature of Microsoft Windows that protects important core processes of Windows from malicious software by isolating them in memory. It does this by running those core processes in a virtualized environment.
Memory integrity is one feature of core isolation which regularly verifies the integrity of the code running those core processes to attempt to prevent any attacks from altering them. This feature can be turned on in Group Policy, Intune, or with PowerShell Scripting.
To deploy memory integrity via GPO, create a GPO and in the
Computer Configuration > Administrative Templates > Systems > Device Guard Policy object path edit the Turn on Virtualization Based Security policy to enable. Alternately, on a local device from the Settings app navigate to Update and Security >Windows Security > Device Security > Core isolation details > Memory Integrity section to enable. |
These changes can also be done through Intune or PowerShell scripting, but the GPO is more straightforward.
There are several positive factors for implementing Core Isolation and Memory Integrity. With these enabled, it is virtually impossible for malware to penetrate the code integrity checks. This also means that malware would not be able to access the Windows kernel. It is simple to use and doesn’t take many systems resources. There is almost no performance impact when both options are enabled.
There is one potential drawback to implementing Core Isolation and Memory Integrity. Memory Integrity protection can cause problems with other low-level Windows applications and some device drivers.
Conclusion
Reducing your attack footprint on Microsoft OS systems doesn't have to be hard. These top 5 configurations can help stop attacks. Reducing your exposure reduces your risk and helps you focus on other areas.
This work is not a one-time event. It is part of a security mindset. These settings need to be monitored. Compensating controls need to be added for items that can’t be changed or non-Microsoft systems. Will these steps in place, your systems will be safer for your data, customers and employees.