The document provides an overview of ways to secure Windows systems, beginning with general advice like enabling drive encryption with BitLocker or VeraCrypt, using strong passwords, and implementing the principle of least privilege for access control. It discusses Windows tools like Cmd, PowerShell, Windows Event Viewer, and the Windows Registry that can help secure and monitor systems. The document also provides an introduction to Active Directory, including its components, structure, and use of group policy for centralized management. It concludes with an overview of updated Microsoft security tools like Defender Security Center, Exploit Guard, Attack Surface Reduction, and Event Forwarding.
4. Goal for today
● Learn ways to protect personal Windows install
● Find out what Active Directory is and why it sucks (jk)
● Discuss Windows tools that help in securing Windows in
personal and corporate environments
6. Absolute Security
Never connect the computer to anything and store it somewhere no one can ever find it
Not at all feasible. So how do we secure Windows to the best of our abilities?
7. General Advice: Drive Encryption
Windows offers BitLocker
● But only available on the Pro, Enterprise and Education editions of
Windows 10 (Home only gets the more limited "Device encryption" on supported hardware)
VeraCrypt is a good free 3rd party alternative
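Turning BitLocker on from PowerShell, as an added example that is not part of the original slides. It assumes a Pro/Enterprise/Education edition, an elevated session and a ready TPM (check with `Get-Tpm` first); the cmdlets are the ones in the built-in BitLocker module.

```powershell
# Added example (not from the original slides): enable BitLocker on the OS drive
# with a TPM protector plus a recovery password, then report the status.
# Assumes: Windows 10 Pro/Enterprise/Education, elevated PowerShell, TPM ready.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Enable-OsDriveEncryption {
    param([string]$MountPoint = $env:SystemDrive)   # e.g. "C:"

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "$MountPoint already protected ($($vol.EncryptionMethod), $($vol.EncryptionPercentage)% encrypted)"
        return $vol
    }

    # XTS-AES-256 is the strongest method BitLocker offers. -UsedSpaceOnly makes the
    # first pass fast on a fresh install; drop it on a drive that has held data before,
    # or the old unencrypted blocks stay recoverable.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest

    # The recovery password is the way back in when TPM measurements change
    # (firmware update, board swap). Store it somewhere other than this disk.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Warning "Recovery password (save it offline, then clear this console): $($recovery.RecoveryPassword)"

    # On a domain-joined machine, escrow it in AD instead of a notebook:
    # Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

    Get-BitLockerVolume -MountPoint $MountPoint
}

Enable-OsDriveEncryption |
    Format-List MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, KeyProtector
```

Encryption continues in the background; `ProtectionStatus` only flips to `On` once it completes and a protector is in place, so re-run `Get-BitLockerVolume` later rather than trusting the first output.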
8. General Advice: Strong Passwords
If you have all of the strongest defenses available, but your
passwords are weak, your defenses are nearly useless
● Generally a minimum of 15 characters with mixed case, numbers,
and symbols
● Optimal: randomly generated characters, but those are hard to
remember, so find a happy medium (a long passphrase, or a password
manager that remembers the random ones for you)
Alternative, better solutions (though not always feasible): Key-based
login, 2-factor authentication
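What "randomly selected characters" looks like in practice, as an added example that is not from the original slides. It draws from .NET's cryptographic RNG and uses rejection sampling, because the obvious `byte % alphabetSize` would favour the first few characters of the alphabet. The alphabet is a constructed one; swap in whatever your password policy allows.

```powershell
# Added example (not from the original slides): generate a random password from a
# cryptographic RNG without modulo bias and report how many bits of entropy it has.
# Assumes Windows PowerShell 5.1 or PowerShell 7 (.NET RandomNumberGenerator).
function New-RandomPassword {
    param(
        [int]$Length = 20,
        # Constructed alphabet: upper, lower, digits, symbols, with look-alikes (0/O, 1/l/I) removed
        [string]$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*()-_=+[]{}:,.?'
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = $Alphabet.ToCharArray()
    $n     = $chars.Length
    # Largest multiple of $n that fits in one byte. Bytes at or above it are thrown
    # away; taking "byte % n" directly would over-select the first (256 mod n) chars.
    $limit = 256 - (256 % $n)
    $out   = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $out[$i] = $chars[$buf[0] % $n]; $i++ }
    }
    $rng.Dispose()
    # Entropy = length * log2(alphabet size). Around 80 bits and up is beyond
    # offline brute force against any modern password hash.
    [pscustomobject]@{
        Password    = -join $out
        EntropyBits = [math]::Round($Length * [math]::Log($n, 2), 1)
    }
}

New-RandomPassword -Length 15
New-RandomPassword -Length 24
```

A 15-character password from this 78-symbol alphabet carries about 94 bits; a 15-character human-chosen one with the same character classes is usually far below that, which is why length and randomness matter more than the symbol rule itself.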
9. General Advice: Access Control
Principle of Least Privilege: “Every program and every user of the
system should operate using the least set of privileges necessary to
complete the job”[1]
Basically, Jill from Corporate Party Planning should not have access to
production environments, or the files they contain, because she does
not need that level of access
[1] Saltzer and Schroeder, "Basic Principles of Information Protection”
10. General Advice: Regular Backups
Backups of files and systems are important
● Rolling back to a known good state can sometimes be quicker
than trying to resolve misconfiguration
○ This does not mean that vulnerabilities should be ignored
Check out Backup Settings (Windows 10) or Backup and Restore
(older Windows versions)
12. Cmd & Powershell
Cmd: original command line utility (older than dirt), more difficult to
use
PowerShell: Command line shell and scripting language, similar to
Unix-based shells
● Built on .NET, so new cmdlets and modules can be written in C# (or in PowerShell itself)
● Unified interface to interact with system, utilities, and services
Will save many hours of point-and-click if you get comfortable with
utilizing PowerShell
13. Know what is running
It is difficult to secure any computer without knowing what is running
on it
Find what programs run on startup in C:\Users\<user
name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
(per user) and C:\ProgramData\Microsoft\Windows\Start
Menu\Programs\Startup (all users)
For Windows, utilize PowerShell to view running processes
● Get-Process: Lists running processes
● https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ee176855(v=technet.10)
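Pulling the startup locations and the process list together, as an added example that is not from the original slides. Besides the two Startup folders it reads the `Run`/`RunOnce` registry keys (the other common autostart location on a personal machine) and checks each running image's Authenticode signature, since an unsigned binary or a signed one running out of the user profile is where to look first.

```powershell
# Added example (not from the original slides): list autostart entries (Startup
# folders and Run/RunOnce keys) and running processes with image path and
# signature status. Assumes Windows PowerShell 5.1+ on Windows 10.
function Get-AutoStartItem {
    $folders = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",      # this user
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"   # all users
    )
    foreach ($f in $folders) {
        Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName } }
    }
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit apps
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Get-ItemProperty adds PS* bookkeeping properties; skip those, keep the values.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value } }
    }
}

function Get-RunningImage {
    # Processes without a Path (System, Idle, protected ones) are skipped.
    Get-Process | Where-Object Path | Sort-Object Path -Unique | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Name      = $_.ProcessName
            Path      = $_.Path
            Signature = $sig.Status                   # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

Get-AutoStartItem | Format-Table -AutoSize
# Unsigned images, or anything executing from inside the user profile, deserve a look.
Get-RunningImage |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Path -like "$env:USERPROFILE\*" } |
    Format-Table Name, Signature, Path -AutoSize
```

Get-Process can only read the path of processes you have access to; run elevated to see services and other users' processes, and treat an empty result for a suspicious name as a reason to dig further rather than as a clean bill.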
15. Windows Event Viewer
Windows' built-in way to view event logs
Beware of lots of information, warnings, and errors
● Information - a program reporting a normal event in its execution
● Warning - not necessarily significant, but an issue might be
about to occur
● Error - a significant problem, such as a service or function failing
● The Security log instead uses Audit Success / Audit Failure (logons,
privilege use, object access)
Default save location: C:\Windows\System32\winevt\Logs
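Reading the log with PowerShell instead of clicking through Event Viewer, as an added example that is not from the original slides. It summarises failed logons (Security event ID 4625) either from the live log or from a saved `.evtx` copy, grouped by source address and target account; one source failing against many accounts is the password-spray pattern, one account failing from many sources is brute force. Reading the Security log needs an elevated session, and the event schema is the Windows 10 / Server 2016 one.

```powershell
# Added example (not from the original slides): summarise Security event 4625
# (logon failure) by source and account. Needs an elevated session for the live log.
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,
        [string]$Path     # optional saved copy, e.g. C:\Windows\System32\winevt\Logs\Security.evtx
    )
    $filter = @{ Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4625 carries its details as named <Data> elements in the event XML.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source    = $d.IpAddress
            LogonType = $d.LogonType     # 3 = network, 10 = RDP, 2 = interactive
            SubStatus = $d.SubStatus     # 0xC000006A bad password, 0xC0000064 no such user
        }
    } | Group-Object Source, Account | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Failures = $_.Count
            Source   = $_.Group[0].Source
            Account  = $_.Group[0].Account
            Types    = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    }
}

Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```

Failed logons are only recorded if "Audit Logon" is enabled for failures (it is by default on Windows 10 clients; check with `auditpol /get /category:Logon/Logoff`), so an empty result on a machine you expected to be noisy usually means auditing is off, not that nothing happened.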
17. Windows Registry
Registry: “a system-defined database in which applications and
system components store and retrieve configuration data” [2]
● Stored in a tree structure, up to 512 levels deep
Utilizes standard access control (must have proper privileges to
modify certain registry key values)
[2] Microsoft Registry Documentation
18. Important Windows Registry Keys
● DisallowRun (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer):
prevent the exe files listed in its DisallowRun subkey from executing
● fDenyTSConnections (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server):
1 disables Remote Desktop
● RestrictAnonymous / RestrictAnonymousSAM (HKLM\SYSTEM\CurrentControlSet\Control\Lsa):
prevent anonymous enumeration of shares and of SAM accounts
● Seed (HKLM\SOFTWARE\Microsoft\Cryptography\RNG): persisted seed for the
system random number generator, which is why the key is ACLed to SYSTEM
● HKEY_CLASSES_ROOT: mapping of known file extensions (and the `*` catch-all
key) to the programs and handlers that open them
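Checking those values from PowerShell, as an added example that is not from the original slides. The key paths are the documented ones; the "wanted" values are the hardened settings a personal or workstation build would normally use (RestrictAnonymous is compared with at-least-1 because 2 is also a valid, stricter setting). Reading needs no elevation; the one write helper does.

```powershell
# Added example (not from the original slides): audit the hardening-related registry
# values and flag the weak ones. Assumes Windows 10; writes need elevation.
$checks = @(
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name='fDenyTSConnections'; Want=1; Why='Remote Desktop disabled' },
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymous';    Want=1; Why='no anonymous share enumeration' },
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymousSAM'; Want=1; Why='no anonymous SAM account enumeration' },
    @{ Key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='DisallowRun'; Want=1; Why='executable blocklist active' }
)

function Test-RegistryHardening {
    foreach ($c in $checks) {
        # Absent value -> $null; Windows then applies the (weaker) built-in default.
        $value = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting = $c.Name
            Current = if ($null -eq $value) { '(absent)' } else { $value }
            Wanted  = $c.Want
            State   = if ($null -ne $value -and $value -ge $c.Want) { 'OK' } else { 'WEAK' }
            Meaning = $c.Why
        }
    }
    # DisallowRun only bites when the DWORD above is 1 AND this subkey lists the
    # executables, one string value per name (e.g. "1"="cmd.exe").
    $list = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction SilentlyContinue
    if ($list) {
        $list.PSObject.Properties | Where-Object Name -notlike 'PS*' |
            ForEach-Object { "DisallowRun entry: $($_.Value)" }
    }
}

# Fixing one weak setting (elevated session): block anonymous SAM enumeration.
function Set-RestrictAnonymousSam {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'RestrictAnonymousSAM' -Value 1 -Type DWord
}

Test-RegistryHardening | Format-Table -AutoSize
```

On a domain-joined machine these values are usually written by Group Policy and will be reset at the next refresh, so fix them in the GPO rather than directly in the registry.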
19. Tin Foil Hats in Windows
How to disable built-in tracking
1. Don't use your Microsoft account to log in
a. "Local account" = less tracked account
2. Disable associated services that keep track of location, what
websites you have visited, etc.
3. Limit which apps can utilize camera, location, microphone, etc.
21. What is Active Directory?
Active Directory - a directory service that keeps track of users and
systems within the network
● Utilizes domains - computer network with all user accounts,
systems, and security policies registered within a central
database
Basically a service that allows administrators of Windows networks
to manage users who need the ability to access multiple
services/systems across the network
22. Why do I need to know about Active
Directory?
Almost every major company and government agency has at least 1
Windows domain that utilizes AD
● For blue or red team roles, being comfortable with Active
Directory management can be invaluable
● Windows dominance within the corporate computing industry
will not be going away anytime soon
23. Active Directory Components
Domain Controller: server(s) running the Active Directory Domain
Services (AD DS)
● AD DS keeps data in a tree structure that can be accessed using
LDAP
● Authentication handled using Kerberos
● SMB (the Windows file-sharing protocol; Samba is its open-source
implementation on Unix) for network shares
DNS is required alongside AD DS, usually on the domain controllers; WSUS,
an Exchange email server and file shares normally live on separate member servers
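Talking to AD DS over LDAP from a domain-joined machine, as an added example that is not from the original slides. It needs no RSAT module: `[ADSISearcher]` is the built-in accelerator for .NET's `DirectorySearcher`. It lists the domain controllers, then enabled users whose password never expires, a common least-privilege finding. The matching-rule OID `1.2.840.113556.1.4.803` is LDAP's bitwise AND; the `userAccountControl` bits used are SERVER_TRUST_ACCOUNT (0x2000), DONT_EXPIRE_PASSWORD (0x10000) and ACCOUNTDISABLE (0x2).

```powershell
# Added example (not from the original slides): LDAP queries against AD DS with the
# built-in [ADSISearcher]. Assumes a domain-joined Windows 10 host and any domain user.
function Search-Directory {
    param([string]$Filter, [string[]]$Properties)
    $searcher = [ADSISearcher]$Filter    # binds to the current domain's default naming context
    $searcher.PageSize = 500             # paging sidesteps the server's 1000-result limit
    $Properties | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) { $o[$p] = ($r.Properties[$p] | Select-Object -First 1) }
        [pscustomobject]$o
    }
}

# Domain controllers: computer objects with the SERVER_TRUST_ACCOUNT bit set.
Search-Directory -Filter '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' `
                 -Properties dnshostname, operatingsystem | Format-Table -AutoSize

# Enabled user accounts whose password never expires.
$neverExpires = '(&(objectCategory=person)(objectClass=user)' +
                '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
                '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
Search-Directory -Filter $neverExpires -Properties samaccountname, pwdlastset, memberof |
    Select-Object samaccountname,
                  @{n='PasswordSet'; e={ [datetime]::FromFileTime($_.pwdlastset) }},
                  @{n='Groups'; e={ $_.memberof }} |
    Format-Table -AutoSize
```

Any authenticated domain user can run these queries by default, which is exactly why red teams enumerate AD first and why blue teams should know what the directory says about their own accounts before someone else reads it.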
26. Group Policy
Group Policy - centralized management and configuration of users,
computers and operating-system settings across the domain
Helps to enforce user/group access control across the network using
rules, applied at the site, domain or OU level
Group Policy Object - set of Group Policy rules
● Import/Export GPO in order to have standardized rules
throughout multiple domains
27. Group Policy
Group Policy Preferences - settings the admin pushes as defaults that a user
can later change, unlike policies, which are enforced
CAUTION: the AES key used to encrypt passwords stored in preference files
(the cpassword attribute in Groups.xml, Services.xml, ScheduledTasks.xml etc.
under SYSVOL) was published by Microsoft. MS14-025 removed the ability to set
new ones, but files created earlier still sit in SYSVOL, readable by every
domain user, until someone deletes them
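What that caution means in practice, as an added example that is not from the original slides: `Find-GppPassword` walks a SYSVOL-style tree, finds every `cpassword` attribute and decrypts it with the AES-256 key Microsoft published for Group Policy Preferences. So that it runs offline, the block also contains `ConvertTo-GppCpassword`, which exists only to build a constructed sample `Groups.xml` in `%TEMP%` (a real file is written by the Group Policy editor, not by you); point `Find-GppPassword` at `\\<domain>\SYSVOL` to audit your own domain.

```powershell
# Added example (not from the original slides): find and decrypt GPP cpassword
# attributes. The key is the one Microsoft published for Group Policy Preferences;
# the encryptor below only builds the constructed sample. Assumes Windows PowerShell 5.1+.
$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $GppKey
    $aes.IV  = New-Object byte[] 16     # GPP uses a fixed all-zero IV
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes
}

function ConvertFrom-GppCpassword {
    param([string]$Cpassword)
    # GPP strips the base64 '=' padding; restore it before decoding.
    $padded = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))
    $bytes  = [Convert]::FromBase64String($padded)
    $plain  = (New-GppAes).CreateDecryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)   # passwords are stored as UTF-16LE
}

function ConvertTo-GppCpassword {   # only used to build the constructed sample below
    param([string]$Password)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
    [Convert]::ToBase64String((New-GppAes).CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)).TrimEnd('=')
}

function Find-GppPassword {
    param([string]$Path)   # e.g. "\\$env:USERDNSDOMAIN\SYSVOL"
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue `
        -Include Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml |
    ForEach-Object {
        $file = $_.FullName
        $xml  = [xml](Get-Content -Path $file -Raw)
        foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
            [pscustomobject]@{
                File     = $file
                Account  = @($node.userName, $node.accountName, $node.runAs | Where-Object { $_ })[0]
                Password = ConvertFrom-GppCpassword $node.cpassword
            }
        }
    }
}

# Constructed sample: a Groups.xml shaped like a GPP "Local Users" item (hypothetical helpdesk account).
$sampleDir = Join-Path $env:TEMP 'gpp-demo\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@"
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk">
    <Properties action="U" userName="helpdesk" cpassword="$(ConvertTo-GppCpassword 'Sup3rSecret!')"/>
  </User>
</Groups>
"@ | Set-Content -Path (Join-Path $sampleDir 'Groups.xml') -Encoding UTF8

Find-GppPassword -Path (Join-Path $env:TEMP 'gpp-demo') | Format-Table -AutoSize
```

Running the audit against a real SYSVOL needs nothing beyond a domain account, which is the whole problem: if the scan returns anything, delete the preference item, change the password everywhere it was reused, and assume it has already been read.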
29. Updates to Microsoft Security Tools
● Fortunately, Microsoft has updated most of its security suite
● Unfortunately, this means most of the old tools don’t work
anymore
30. Windows 10 Enterprise
● Microsoft tiers their security features
● Provides free evaluation copy for interested Developers and
System Admins
● https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
31. Defender Security Center
● Aggregates most security features in a single application
● Firewall
● Antivirus
● Application Protection
33. Defender Exploit Guard
● New component designed to be close to a built-in host intrusion prevention system (HIPS)
● Replaces EMET (Enhanced Mitigation Experience Toolkit), which is no longer supported
● Exploit Protection
● Attack Surface reduction
● Network Protection
● Controlled Folder Access
34. Exploit Protection
● Customizable in Defender Security Center, system-wide or per program
● Data Execution Prevention (DEP)
● Control Flow Guard
● Address Space Layout Randomization
● Various App Level protections
35. Attack Surface Reduction
● Disables potentially malicious behaviors
● “Block executable content from email client and webmail”
● “Block Office applications from creating child processes”
● No custom rules: only Microsoft's predefined rules, though files and folders can be excluded
● Can be applied in audit and block mode
36. Network Protection
● Block outgoing traffic to malicious domains
● Can’t pick what domains are on that list
● Can be applied in audit and block mode
37. Controlled folder access
● Marketed as ransomware protection
● Allows folders to be marked as “protected”
● Protected folders can only be modified by whitelisted programs
● Program whitelist can be configured in Defender Security
Center
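Rolling out the Exploit Guard components above with Defender's own cmdlets, as an added example that is not from the original slides. It starts everything in audit mode, since Controlled Folder Access and the Office child-process rule will break real workflows if switched straight to block, and then reads back the events that say what would have been blocked. The two rule GUIDs are Microsoft's published identifiers for the two ASR rules quoted above; the protected folder and the allowed application are placeholder paths for your own.

```powershell
# Added example (not from the original slides): deploy ASR, Network Protection,
# Controlled Folder Access and Exploit Protection in audit mode, then review events.
# Assumes Windows 10 1709+ with Defender Antivirus active and an elevated session.
#Requires -RunAsAdministrator
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

function Set-ExploitGuardBaseline {
    param([ValidateSet('AuditMode','Enabled')][string]$Mode = 'AuditMode')

    # Attack Surface Reduction: one action per rule id, same mode for all of them.
    Set-MpPreference -AttackSurfaceReductionRules_Ids ([string[]]$asrRules.Keys) `
                     -AttackSurfaceReductionRules_Actions (@($Mode) * $asrRules.Count)

    # Network Protection: SmartScreen reputation decides the domain list, not you.
    Set-MpPreference -EnableNetworkProtection $Mode

    # Controlled Folder Access, plus a protected folder and an allowed app
    # (placeholder paths: substitute the folders and tools you actually use).
    Set-MpPreference -EnableControlledFolderAccess $Mode
    Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Projects"
    Add-MpPreference -ControlledFolderAccessAllowedApplications "$env:ProgramFiles\Git\bin\git.exe"

    # Exploit Protection (system-wide): DEP, bottom-up + high-entropy ASLR, CFG.
    Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy, CFG
}

function Get-ExploitGuardEvent {
    param([int]$Hours = 24)
    # Event IDs in the Microsoft-Windows-Windows Defender/Operational log.
    $ids = @{ 1121 = 'ASR block'; 1122 = 'ASR audit'; 1123 = 'CFA block'
              1124 = 'CFA audit'; 1125 = 'NP audit';  1126 = 'NP block' }
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$ids.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Kind = $ids[$_.Id]; Detail = ($_.Message -split "`n")[0] }
    }
}

Set-ExploitGuardBaseline -Mode AuditMode
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
                                 EnableNetworkProtection, EnableControlledFolderAccess
Get-ProcessMitigation -System | Select-Object -ExpandProperty DEP
Get-ExploitGuardEvent | Format-Table -AutoSize
```

Leave it in audit mode for a week or two of normal use, read the 1122/1124/1125 events, add exclusions or allowed applications for the legitimate hits, and only then call `Set-ExploitGuardBaseline -Mode Enabled`. The demo site on the next slide gives you something that should trigger each rule so you can confirm the events arrive before trusting the rollout.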
38. Windows Defender Playground
● Microsoft provides “malicious” applications to test Exploit Guard
and Antivirus
● https://demo.wd.microsoft.com/
39. Windows SmartScreen
● Scans websites for malicious behavior
● Scans downloaded files for malicious behavior
● Warns user if anything unusual is detected
40. Defender Application Guard
● Needs nested virtualization, so it can't easily be run inside a VM :(
● Windows 10 only (Enterprise at launch)
● Runs Microsoft Edge in an isolated Hyper-V container when the
website is not on the trusted list
● The container has its own kernel, so a browser exploit that escapes the
renderer still does not land on the host