Securing Windows
January 31st, 2018
Announcements
● SharifCTF - Friday, February 2nd, 1 - 5 pm; Saturday, February
3rd, 9 - 12 pm; ECSS 4.619
● Saturday @ 12 pm: Beginner-friendly pentesting session
● Firetalks - Sometime in March/April
● twitch.tv/utdcsg
We have secured the windows. Good job!
Goal for today
● Learn ways to protect personal Windows install
● Find out what Active Directory is and why it sucks (jk)
● Discuss Windows tools that help in securing Windows in
personal and corporate environments
Absolute Security
Never connect the computer to anything and store it in a place that no one can ever find it.
Not at all feasible. So how do we secure Windows to the best of our abilities?
General Advice: Drive Encryption
Windows offers BitLocker (full-volume encryption, keyed to the TPM)
● But only available for Pro, Enterprise and Education editions of
Windows 10. Home only gets the simplified "Device encryption" on
hardware that supports it.
VeraCrypt is a good free 3rd-party alternative and can also encrypt
the system drive
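As an added example (not part of the original slides), the check and the enable step a practitioner runs on a Pro/Enterprise box: list volumes that are not fully protected, then turn on BitLocker for the OS drive with a TPM protector plus a recovery password. The BitLocker module ships with Pro/Enterprise/Education; the recovery-key directory path is an assumption for the example.

```powershell
# Added example, not from the slides. Requires an elevated PowerShell on
# Windows 10 Pro/Enterprise/Education (the BitLocker module is absent on Home).
Import-Module BitLocker

# Report every OS or data volume whose contents are not fully encrypted and protected
function Get-UnprotectedVolume {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        Where-Object { $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
                      EncryptionMethod, EncryptionPercentage
}

# Turn on BitLocker for the OS drive: the TPM unlocks it at boot, a recovery
# password is the fallback. Keep the recovery password somewhere other than
# the disk it protects (AD, a password manager, printed and locked away).
function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [string]$RecoveryKeyDir = 'D:\bitlocker-recovery'   # assumed path for this example
    )
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No ready TPM; use a startup password or USB key protector instead'
    }
    # Recovery password first, so a reboot between the two steps cannot lock you out
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                     -RecoveryPasswordProtector -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

    # Export the numeric recovery password for safekeeping
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    New-Item -ItemType Directory -Force -Path $RecoveryKeyDir | Out-Null
    $rp | Select-Object KeyProtectorId, RecoveryPassword |
          Out-File -FilePath (Join-Path $RecoveryKeyDir "$env:COMPUTERNAME.txt")
}

Get-UnprotectedVolume | Format-Table -AutoSize
```

Encryption runs in the background after Enable-BitLocker returns; re-run Get-UnprotectedVolume until EncryptionPercentage reaches 100 and VolumeStatus reads FullyEncrypted.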
General Advice: Strong Passwords
If you have all of the strongest defenses available but your
passwords are weak, your defenses are nearly useless
● Generally a minimum of 15 characters with mixed case, numbers,
and symbols (on Windows, 15+ characters also stops the weak LM
hash from being stored)
● Truly random strings are strongest but hard to remember → find a
happy medium, e.g. a long random passphrase or a password manager
Alternative, better solutions (though not always feasible): key-based
login, 2-factor authentication
General Advice: Access Control
Principle of Least Privilege: “Every program and every user of the
system should operate using the least set of privileges necessary to
complete the job”[1]
Basically, Jill from Corporate Party Planning should not have access to
production environments, including the files they contain, because she
does not need that level of access
[1] Saltzer and Schroeder, "Basic Principles of Information Protection”
General Advice: Regular Backups
Backups of files and systems are important
● Rolling back to a known good state can sometimes be quicker
than trying to resolve misconfiguration
○ This does not mean that vulnerabilities should be ignored
Check out Backup Settings (Windows 10) or Backup and Restore
(older Windows versions)
General Windows Knowledge
Cmd & Powershell
Cmd: the original command-line utility (older than dirt), more
limited and harder to script with
PowerShell: command-line shell and scripting language, similar in
spirit to Unix shells but passing objects rather than text
● Built on .NET, so new cmdlets and modules can be written in
PowerShell itself or in C#
● Unified interface to interact with the system, utilities, and services
Will save many hours of point-and-click once you get comfortable
with PowerShell
Know what is running
It is difficult to secure any computer without knowing what is running
on it
Find which programs run at login in the per-user startup folder
C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
and the all-users folder
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
(the Run/RunOnce registry keys, scheduled tasks and auto-start
services are the other common places)
For Windows, utilize PowerShell to view running processes
● Get-Process: lists running processes
● https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ee176855(v=technet.10)
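As an added example (not from the slides), a script that inventories the usual persistence points (both startup folders, the Run/RunOnce keys, scheduled tasks, auto-start services) and then lists running processes together with the Authenticode status of their binaries, so unsigned code or code running out of a user profile stands out. It needs nothing beyond a stock Windows 10 install; some system processes hide their path from a non-elevated shell and are skipped.

```powershell
# Added example, not from the slides: inventory persistence points and
# running processes with their code-signing status.

function Get-StartupItem {
    # Both startup folders (per-user and all-users)
    $folders = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    )
    foreach ($f in $folders) {
        Get-ChildItem -Path $f -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
        }
    }
    # Run / RunOnce keys for the machine (64- and 32-bit views) and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value } }
    }
    # Enabled scheduled tasks with an executable action
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $t = $_
        $t.Actions | Where-Object { $_.Execute } | ForEach-Object {
            [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($t.TaskPath)$($t.TaskName)"
                               Command = "$($_.Execute) $($_.Arguments)".Trim() }
        }
    }
    # Services that start automatically
    Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
}

function Get-ProcessWithSignature {
    $cache = @{}   # sign-check each distinct binary once
    Get-Process | Where-Object Path | ForEach-Object {
        if (-not $cache.ContainsKey($_.Path)) {
            $cache[$_.Path] = Get-AuthenticodeSignature -FilePath $_.Path
        }
        $sig = $cache[$_.Path]
        [pscustomobject]@{
            Name = $_.ProcessName; Id = $_.Id; Path = $_.Path
            Signed = $sig.Status; Signer = $sig.SignerCertificate.Subject
        }
    }
}

Get-StartupItem | Format-Table -AutoSize
# Unsigned code, or code running from a user-writable location, deserves a second look
Get-ProcessWithSignature |
    Where-Object { $_.Signed -ne 'Valid' -or $_.Path -like "$env:USERPROFILE*" } |
    Format-Table -AutoSize
```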
[Screenshot: sample Get-Process output]
Windows Event Viewer
Windows' built-in way to view event logs
Beware of the sheer volume of information, warnings, and errors
● Information - a program reporting on its normal execution
● Warning - not necessarily significant, but an issue might be
about to occur
● Error - probably a major issue
Default save location: C:\Windows\System32\winevt\Logs (one .evtx
file per log, e.g. Security.evtx, System.evtx)
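As an added example (not from the slides), the same data pulled with Get-WinEvent rather than scrolled through in Event Viewer: a summary of failed logons (Security event 4625) by account and source address, and a short watchlist of events that almost always matter on a workstation. The Security log needs an elevated shell; the watchlist is this example's own selection. Swap -FilterHashtable's LogName for -Path and a copied .evtx file from the winevt\Logs folder to run the same queries on an offline log during forensics.

```powershell
# Added example, not from the slides: query the event logs with Get-WinEvent.

# Failed logons in the last N hours, grouped by target account and source IP
function Get-FailedLogonSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d.TargetUserName
            Source    = $d.IpAddress
            LogonType = $d.LogonType      # 3 = network, 10 = RDP, 2 = interactive
            SubStatus = $d.SubStatus      # 0xC000006A bad password, 0xC0000064 unknown user
        }
    } | Group-Object Account, Source | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Account, Source'; e = { $_.Name } }
}

# Events worth alerting on regardless of volume (this example's own watchlist)
$Watchlist = @(
    @{ LogName = 'Security'; Id = 1102 },        # audit log cleared
    @{ LogName = 'Security'; Id = 4720, 4726 },  # local account created / deleted
    @{ LogName = 'Security'; Id = 4732 },        # member added to a local group (e.g. Administrators)
    @{ LogName = 'System';   Id = 7045 }         # new service installed
)

function Get-WatchlistEvent {
    param([int]$Hours = 24)
    foreach ($entry in $Watchlist) {
        $q = $entry.Clone()
        $q.StartTime = (Get-Date).AddHours(-$Hours)
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, ProviderName,
                          @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
    }
}

Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
Get-WatchlistEvent -Hours 24 | Sort-Object TimeCreated | Format-Table -AutoSize
```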
[Screenshot: Windows Event Viewer]
Windows Registry
Registry: “a system-defined database in which applications and
system components store and retrieve configuration data” [2]
● Stored in a tree structure, up to 512 levels deep
Utilizes standard access control (must have proper privileges to
modify certain registry key values)
[2] Microsoft Registry Documentation
Important Windows Registry Keys
● DisallowRun (HKCU\...\Policies\Explorer): prevent the listed exe files
from being launched from Explorer
● fDenyTSConnections (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server):
set to 1 to disable Remote Desktop
● RestrictAnonymousSAM (HKLM\SYSTEM\CurrentControlSet\Control\Lsa):
prevent anonymous enumeration of SAM accounts; RestrictAnonymous
in the same key covers shares
● RNG\Seed (HKLM\SOFTWARE\Microsoft\Cryptography): persisted seed
state for the system random number generator
● HKEY_CLASSES_ROOT: mapping of known file extensions to the ProgID
and program that handles them; its * subkey applies to every file type
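As an added example (not from the slides), a script that reads the values behind the keys above and reports whether each is in its hardened state, lists the DisallowRun entries, resolves which program a file extension maps to through HKEY_CLASSES_ROOT, and shows the fix for one finding. The key paths and value names are Microsoft's; the "expected" values are this example's own hardening baseline.

```powershell
# Added example, not from the slides: audit the registry keys from the slide.

$Checks = @(
    @{ Name = 'Remote Desktop disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Value = 'fDenyTSConnections'; Expected = 1 },
    @{ Name = 'Anonymous SAM enumeration blocked'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'RestrictAnonymousSAM'; Expected = 1 },
    @{ Name = 'Anonymous share enumeration blocked'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'RestrictAnonymous'; Expected = 1 },
    @{ Name = 'DisallowRun policy enabled'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'DisallowRun'; Expected = 1 }
)

function Test-RegistryHardening {
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        # $null means the value is absent, i.e. the OS default applies
        $actual = if ($item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Check    = $c.Name
            Key      = "$($c.Path)\$($c.Value)"
            Expected = $c.Expected
            Actual   = $actual
            Hardened = ($actual -eq $c.Expected)
        }
    }
}

# The DisallowRun list lives in a subkey as numbered string values naming the blocked executables
function Get-DisallowRunList {
    $k = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) { $p.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value } }
}

# HKCR\.ext holds the ProgID; HKCR\<ProgID>\shell\open\command holds the handler.
# A hijacked handler here is a classic persistence trick, so it is worth eyeballing.
function Get-FileHandler {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.txt'
    $progId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    if ($progId) {
        (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
}

# Fixing one finding: setting the value alone leaves the firewall rule group open, so close that too
function Disable-RemoteDesktop {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

Test-RegistryHardening | Format-Table -AutoSize
Get-DisallowRunList
Get-FileHandler -Extension '.txt'
```

Disable-RemoteDesktop needs an elevated shell; the audit functions run as a normal user, except that RestrictAnonymous values under Lsa are readable but only an administrator can change them.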
Tin Foil Hats in Windows
How to disable built-in tracking
1. Don’t use your Microsoft account as login
a. “Local account” = less tracked account
2. Disable associated services that keep track of location, what
websites you have visited, etc.
3. Limit which apps can utilize camera, location, microphone, etc.
Active Directory
What is Active Directory?
Active Directory - a directory service that keeps track of users and
systems within the network
● Utilizes domains - computer network with all user accounts,
systems, and security policies registered within a central
database
Basically a service that allows administrators of Windows networks
to manage users who need the ability to access multiple
services/systems across the network
Why do I need to know about Active
Directory?
Almost every major company and government agency has at least one
Windows domain that utilizes AD
● For blue or red team roles, being comfortable with Active
Directory management can be invaluable
● Windows dominance within the corporate computing industry
will not be going away anytime soon
Active Directory Components
Domain Controller: server(s) running Active Directory Domain
Services (AD DS)
● AD DS keeps data in a tree structure that can be queried over
LDAP
● Authentication handled using Kerberos (the DC is the KDC); NTLM
remains as the fallback
● SMB for network shares (Samba is the Unix implementation of the
same protocol, not what Windows itself runs)
The domain environment usually also includes DNS (AD-integrated and
required for Kerberos and DC location), WSUS, an Exchange email
server, and network shares
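As an added example (not from the slides), querying that LDAP tree from any domain-joined Windows machine with the .NET DirectoryServices classes (the [adsisearcher] accelerator), which need no RSAT install: find the domain controllers, see who actually holds Domain Admins (the least-privilege question from earlier), and list accounts whose passwords never expire. It assumes you are logged on as a domain user on a domain-joined host; the three queries are this example's own.

```powershell
# Added example, not from the slides: LDAP queries against AD DS with [adsisearcher].

function Search-Directory {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('distinguishedName')
    )
    $searcher = [adsisearcher]$Filter     # binds to the current domain's default naming context
    $searcher.PageSize = 1000             # page results so large domains do not hit the server-side limit
    $Properties | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    $searcher.FindAll() | ForEach-Object {
        $o = [ordered]@{}
        foreach ($p in $Properties) {
            # SearchResult property names come back lower-cased
            $o[$p] = $_.Properties[$p.ToLower()] -join '; '
        }
        [pscustomobject]$o
    }
}

# Domain controllers: userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT
function Get-DomainController {
    Search-Directory -Filter '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' `
                     -Properties dNSHostName, operatingSystem
}

# Direct members of Domain Admins (nested group membership is not expanded here)
function Get-DomainAdmin {
    $root = ([adsi]'LDAP://RootDSE').defaultNamingContext
    Search-Directory -Filter "(&(objectCategory=user)(memberOf=CN=Domain Admins,CN=Users,$root))" `
                     -Properties sAMAccountName, lastLogonTimestamp
}

# userAccountControl bit 65536 = DONT_EXPIRE_PASSWORD, a standing audit finding
function Get-PasswordNeverExpiresUser {
    Search-Directory -Filter '(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))' `
                     -Properties sAMAccountName, distinguishedName
}

Get-DomainController | Format-Table -AutoSize
Get-DomainAdmin | Format-Table -AutoSize
Get-PasswordNeverExpiresUser | Format-Table -AutoSize
```

The 1.2.840.113556.1.4.803 matching rule is the LDAP bitwise AND, which is how flag bits in userAccountControl are tested in a filter.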
Active Directory Structure
Active Directory uses tree structures to keep track of users and the
categories they fit in
[Diagram of the Active Directory forest/domain/OU tree, taken from msdn.microsoft.com]
Group Policy
Group Policy - centralized management and configuration of operating
system, application and user settings across the domain
Helps to enforce user/group access control across the network using
rules (policies) applied to users and computers by OU, site or domain
Group Policy Object (GPO) - a named set of Group Policy settings
● Import/Export GPOs in order to have standardized rules
throughout multiple domains
Group Policy
Group Policy Preferences - settings the admin wants applied but that
are not enforced (users can still change them afterwards)
CAUTION: The AES key used to encrypt passwords (the cpassword
attribute) in Preferences XML files in SYSVOL is publicly documented
by Microsoft, so any domain user who can read SYSVOL can decrypt
them. MS14-025 removed the ability to set new ones, but existing
files stay until someone deletes them.
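As an added example (not from the slides), what that caution means in practice, from both sides: a sweep of SYSVOL that finds any preference file still carrying a cpassword attribute, and the decryption it implies. The key is the 32 bytes Microsoft published in the MS-GPPREF specification; the round-trip at the end uses constructed data so the script runs without a domain. Everything else (the domain name taken from the environment, the SYSVOL path layout) is standard.

```powershell
# Added example, not from the slides: find and decrypt GPP cpassword values.
# The key below is the public one from MS-GPPREF section 2.2.1.1.4, which is
# exactly why cpassword offers no protection.
$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppCipher {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $GppKey
    $aes.IV = New-Object byte[] 16        # all-zero IV, as the spec states
    $aes.Mode = 'CBC'
    $aes.Padding = 'PKCS7'
    $aes
}

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the base64 '=' padding; restore it before decoding
    $b64 = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($b64)
    $plain = (New-GppCipher).CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)   # stored as UTF-16LE
}

# Detection: every Preferences XML under SYSVOL that still has a cpassword attribute.
# The attribute sits on the <Properties> element of a User, Service, Task, Drive, ... node.
function Find-GppCpassword {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { [xml]$doc = Get-Content -Path $file.FullName -Raw } catch { return }
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            $account = foreach ($a in 'userName', 'accountName', 'runAs') {
                if ($node.HasAttribute($a)) { $node.GetAttribute($a); break }
            }
            [pscustomobject]@{
                File     = $file.FullName
                Setting  = $node.ParentNode.LocalName
                Account  = $account
                Password = ConvertFrom-GppCpassword $node.GetAttribute('cpassword')
            }
        }
    }
}

# Constructed self-test (no SYSVOL needed): encrypt a made-up password with the
# same key and confirm it round-trips; an attacker only needs the second half.
function ConvertTo-GppCpassword {
    param([Parameter(Mandatory)][string]$Password)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $cipher = (New-GppCipher).CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    [Convert]::ToBase64String($cipher).TrimEnd('=')
}
$sample = ConvertTo-GppCpassword 'Local*P4ssw0rd!'    # constructed value
if ((ConvertFrom-GppCpassword $sample) -ne 'Local*P4ssw0rd!') { throw 'round-trip failed' }

Find-GppCpassword | Format-Table -AutoSize
```

On the defensive side the fix is not to rotate the password in the file but to delete the preference item, change the password everywhere it was set, and audit who read SYSVOL; on an engagement a hit here usually means a local administrator password shared across every machine the GPO applied to.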
Threat Protection
Updates to Microsoft Security Tools
● Fortunately, Microsoft has updated most of its security suite
● Unfortunately, this means most of the old tools don’t work
anymore
Windows 10 Enterprise
● Microsoft tiers their security features
● Provides free evaluation copy for interested Developers and
System Admins
● https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
Defender Security Center
● Aggregates most security features in a single application
● Firewall
● Antivirus
● Application Protection
Windows Security Crash Course
Defender Exploit Guard
● New product designed to be close to a built in HIPS System
● Replaces EMET
● Exploit Protection
● Attack Surface reduction
● Network Protection
● Controlled Folder Access
Exploit Protection
● Customizable per program in Defender Security Center (App &amp;
browser control > Exploit protection settings)
● Data Execution Prevention (DEP)
● Control Flow Guard (CFG)
● Address Space Layout Randomization (ASLR)
● Various app-level mitigations (SEHOP, arbitrary code guard, etc.)
Attack Surface Reduction
● Disables potentially malicious behaviors
● “Block executable content from email client and webmail”
● “Block Office applications from creating child processes”
● No custom rules
● Can be applied in audit and block mode
Network Protection
● Block outgoing traffic to malicious domains
● Can’t pick what domains are on that list
● Can be applied in audit and block mode
Controlled folder access
● Marketed as ransomware protection
● Allows folders to be marked as “protected”
● Protected folders can only be modified by whitelisted programs
● Program whitelist can be configured in Defender Security
Center
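As an added example (not from the slides), the four Exploit Guard components set up from PowerShell with the Defender cmdlets (Windows 10 1709 or later, elevated shell), following the path a practitioner actually takes: everything in audit mode first, read the audit events, then flip to block. The two ASR rule GUIDs are the documented ones for the rules quoted above; the protected folder, the allowed application and the legacy binary name are assumptions for the example.

```powershell
# Added example, not from the slides: configure Exploit Guard with the Defender cmdlets.

# Attack Surface Reduction rules quoted on the slide, by their documented GUIDs
$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

# Step 1: audit mode everywhere, so nothing breaks while you learn what would be blocked
function Set-ExploitGuardAudit {
    Set-MpPreference -AttackSurfaceReductionRules_Ids ([string[]]$AsrRules.Keys) `
                     -AttackSurfaceReductionRules_Actions AuditMode, AuditMode
    Set-MpPreference -EnableNetworkProtection AuditMode
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    # Assumed paths for this example: a folder worth protecting and a tool that legitimately writes to it
    Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'
    Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Git\usr\bin\rsync.exe'
}

# Step 2: what would have been blocked? Defender logs it in its Operational channel.
function Get-ExploitGuardEvent {
    param([int]$Hours = 24)
    # 1121/1122 = ASR block/audit, 1123/1124 = Controlled Folder Access block/audit,
    # 1125/1126 = Network Protection audit/block
    Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 1121, 1122, 1123, 1124, 1125, 1126
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
}

# Step 3: once the audit log is quiet for real workloads, enforce
function Set-ExploitGuardBlock {
    Set-MpPreference -AttackSurfaceReductionRules_Ids ([string[]]$AsrRules.Keys) `
                     -AttackSurfaceReductionRules_Actions Enabled, Enabled
    Set-MpPreference -EnableNetworkProtection Enabled
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# Exploit Protection: the per-process mitigations that replaced EMET's settings.
# Inspect what a binary currently gets, then force DEP, CFG and mandatory ASLR on it.
function Show-ProcessMitigation {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'legacyapp.exe' (assumed name)
    Get-ProcessMitigation -Name $Name | Select-Object ProcessName, DEP, ASLR, CFG
}
function Harden-LegacyApp {
    param([string]$Name = 'legacyapp.exe')        # assumed binary name
    Set-ProcessMitigation -Name $Name -Enable DEP, CFG, ForceRelocateImages
}

Set-ExploitGuardAudit
Get-ExploitGuardEvent -Hours 24 | Format-Table -AutoSize
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
                                 EnableNetworkProtection, EnableControlledFolderAccess
```

Get-ProcessMitigation -System shows the machine-wide defaults that apply when a binary has no per-process entry; the same audit-then-block loop applies to exploit protection, with the audit variants (AuditDynamicCode, AuditSystemCall, ...) standing in for the enforcing flags.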
Windows Defender Playground
● Microsoft provides “malicious” applications to test Exploit Guard
and Antivirus
● https://demo.wd.microsoft.com/
Windows SmartScreen
● Scans websites for malicious behavior
● Scans downloaded files for malicious behavior
● Warns user if anything unusual is detected
Defender Application Guard
● Can’t be run in a VM easily :( (needs Hyper-V, so nested
virtualization must be enabled on the host)
● Windows 10 Enterprise/Pro only, 64-bit with VT-x/SLAT
● Opens Microsoft Edge in a Hyper-V container when the site is not on
the enterprise trusted-sites list
● The container runs its own kernel, so a browser exploit does not
land in the host kernel
Event Forwarding
● Finally? (Windows Event Forwarding has been built in since Vista,
it is just rarely turned on)
● Does not replace Sysmon: Sysmon generates the detailed process,
network and file events, WEF is the transport that ships them
(and the normal logs) off the box
● Sources push events over WinRM to a Windows Event Collector,
which writes them to its ForwardedEvents log