Securing the GIAC Enterprise Endpoint
ISE/M 6100 – Security Project Practicum – Lab Notebook
Authors: Balaji Balakrishnan, Matthew Hosburgh, Patrick Neise
Advisor: Stephen Northcutt
Due: January 5th 2016
Lab Notebook 2
1. Lab Setup
Base Windows 10 VM
Each test configuration was built on top of the base Windows 10 virtual machine. The Windows 10 virtual machine was downloaded from the modern.ie website, which provides virtual machines of various Windows operating systems, each with its supported browser versions. The virtual machines are provided to support browser testing, but they are also sufficient for our testing purposes. The base VM was configured as follows:
● Windows 10 VM from modern.ie
● Install Chrome and uBlock Origin (initially disabled)
● Install Adobe Reader
● Add a user account in addition to the existing IEUser (local administrator)
● All options under Settings -> Privacy are turned On
● One network adapter on an internal VMnet5
Router and Packet Capture
A VyOS VM was used to provide routing for the Windows 10 host to the Internet, as well as being the platform on which the required packet capture of outbound Internet data was conducted. The router was configured as below, and packet captures were taken with tcpdump per the testing procedure.
● 2 network interfaces
  o eth0 set to NAT to expose the router to the Internet via the host
  o eth1 set to VMnet5, IP address 10.10.10.1, as the default gateway for the Windows VMs
● tcpdump -i eth1 host 10.10.10.10 -w filename
Testing Procedure
For each of the tested configurations, the following procedure was followed to collect the data necessary to compare the effectiveness of the configuration and/or software changes.
● Begin the tcpdump packet capture on the VyOS VM
● Boot the Windows 10 VM
● Wait for 30 minutes
● Open a PDF document with Adobe PDF Reader
● Use the Edge browser for the following sites:
  o cnn.com
  o torproject.org
Balakrishnan, Hosburgh, Neise
  o google.com
● Use the Chrome browser for the sites above
● Shut down the Windows 10 VM
● Stop the packet capture on the VyOS VM
● Baseline variant: just boot the VM and collect a pcap for 30 minutes
2. PCAP Analysis
After conducting each of the tests described in the remainder of this appendix, the collected packet captures were analyzed to compare the results. In order to provide a quick and consistent comparison, a Python script was written to process each individual capture. The script ingests and processes each pcap file with pyshark, a module that uses the tshark functionality of Wireshark. The output is a comma-separated value file listing each outbound destination IP address, the amount of data transferred, the transport protocol used (i.e. TCP or UDP), and the domain name associated with the IP address. The results could then be combined and compared to determine the relative effectiveness of the changes in limiting outbound traffic from the Windows 10 host.
Python Script
The following Python script was used for analysis of each pcap file:

    #! /usr/bin/env python
    import pyshark
    import sys


    def get_ipv4_info(cap_file, display_filter):
        """Take the pcap file and a display filter and produce a list of
        outbound traffic for the specified host.

        Args:
            cap_file (str): path of the pcap to be processed
            display_filter (str): tshark display filter applied before
                processing the capture file.

        Returns:
            list: one dictionary per packet, holding source IP address,
            source port, destination IP address, destination port,
            protocol and payload size
        """
        cap = pyshark.FileCapture(cap_file, display_filter=display_filter,
                                  keep_packets=False)
        accum = []

        def ipv4_info(pkt):
            try:
                protocol = pkt.transport_layer
                # Packets with no TCP/UDP layer (ICMP, ARP, ...) have no
                # transport_layer; skip them instead of indexing pkt[None].
                if protocol not in ('TCP', 'UDP'):
                    return
                src_addr = pkt.ip.src
                src_port = pkt[protocol].srcport
                dst_addr = pkt.ip.dst
                dst_port = pkt[protocol].dstport
                if protocol == 'TCP':
                    # tcp.len is the segment payload length
                    len_payload = int(pkt[protocol].len)
                else:
                    # udp.length includes the 8-byte UDP header
                    len_payload = int(pkt[protocol].length)
                entry = dict(src_ip=src_addr, src_port=src_port,
                             dst_ip=dst_addr, dst_port=dst_port,
                             payload=len_payload, protocol=protocol)
                accum.append(entry)
            except AttributeError:
                # packet lacks an expected field (e.g. no IP layer); ignore it
                pass

        cap.apply_on_packets(ipv4_info, timeout=10000)
        cap.close()
        return accum


    def get_dns_info(cap_file):
        """Take the pcap file and produce a dictionary of IP addresses and
        the host names they were resolved from, using the DNS answers in
        the capture.

        Args:
            cap_file (str): path of the pcap to be processed

        Returns:
            dict: IP address -> domain name
        """
        # only DNS responses can carry answers, so filter to them up front
        cap = pyshark.FileCapture(cap_file,
                                  display_filter='dns.flags.response == 1',
                                  keep_packets=False)
        accum = {}

        def dns_info(pkt):
            try:
                dns_name = pkt.dns.resp_name
                ip_addr = pkt.dns.resp_addr
                accum[ip_addr] = dns_name
            except AttributeError:
                # response without an address record (e.g. CNAME only)
                pass

        cap.apply_on_packets(dns_info, timeout=10000)
        cap.close()
        return accum


    def main(pcap_file, source_ip):
        # create display filter based on the ip address passed as argument
        display_filter = 'ip.src==' + source_ip
        # csv file for output
        csv_file = pcap_file + '.csv'
        outbound_ipv4 = {}

        # get dns/ip address combinations from the pcap
        dns_list = get_dns_info(pcap_file)
        # get ipv4 information from the pcap file
        ipv4_list = get_ipv4_info(pcap_file, display_filter)

        # accumulate TCP and UDP data for each destination IP
        for item in ipv4_list:
            dest = item['dst_ip']
            if dest not in outbound_ipv4:
                outbound_ipv4[dest] = dict(tcp_data=0, udp_data=0, name='None')
            if item['protocol'] == 'TCP':
                outbound_ipv4[dest]['tcp_data'] += item['payload']
            elif item['protocol'] == 'UDP':
                outbound_ipv4[dest]['udp_data'] += item['payload']
            # keep 'None' when the capture holds no DNS answer for this IP
            outbound_ipv4[dest]['name'] = dns_list.get(dest, 'None')

        # write all results to the csv file for analysis
        with open(csv_file, 'w') as csvfile:
            csvfile.write('IP,TCP,UDP,Name\n')
            for key in outbound_ipv4:
                line = '{},{},{},{}\n'.format(key,
                                              outbound_ipv4[key]['tcp_data'],
                                              outbound_ipv4[key]['udp_data'],
                                              outbound_ipv4[key]['name'])
                csvfile.write(line)


    if __name__ == '__main__':
        if len(sys.argv) != 3:
            sys.exit('usage: {} <pcap file> <source ip>'.format(sys.argv[0]))
        main(sys.argv[1], sys.argv[2])
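The notebook combines and compares the per-capture CSV files by hand. The script below is an added example, not part of the original notebook, that diffs two such files in the IP,TCP,UDP,Name layout written by the script above (a baseline run against a hardened run of the same procedure). The two inline CSVs are constructed samples using documentation-range addresses, not data from the lab captures.

```python
import csv
import io

# Constructed sample output in the layout written by the analysis script
# (IP,TCP,UDP,Name). Addresses are from RFC 5737 documentation ranges and
# the byte counts are made up; they are not from the notebook's captures.
BASELINE_CSV = """IP,TCP,UDP,Name
203.0.113.10,184320,0,login.live.com
203.0.113.11,9216,0,tile-service.weather.microsoft.com
192.0.2.53,0,4096,None
198.51.100.67,52000,0,cnn.com
"""

HARDENED_CSV = """IP,TCP,UDP,Name
192.0.2.53,0,2048,None
198.51.100.67,52000,0,cnn.com
198.51.100.80,7000,0,torproject.org
"""


def load_csv(text):
    """Parse the script's CSV text into {ip: {'tcp': int, 'udp': int, 'name': str}}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[row['IP']] = dict(tcp=int(row['TCP']), udp=int(row['UDP']),
                               name=row['Name'])
    return rows


def compare_captures(baseline, hardened):
    """Compare two parsed captures of the same test procedure.

    Returns the destinations that disappeared after hardening, the ones
    that newly appeared, the per-destination change in bytes (TCP + UDP),
    and the total outbound bytes before and after.
    """
    removed = sorted(set(baseline) - set(hardened))
    added = sorted(set(hardened) - set(baseline))
    delta = {}
    for ip in set(baseline) | set(hardened):
        before = baseline.get(ip, dict(tcp=0, udp=0))
        after = hardened.get(ip, dict(tcp=0, udp=0))
        delta[ip] = (after['tcp'] + after['udp']) - (before['tcp'] + before['udp'])
    total_before = sum(v['tcp'] + v['udp'] for v in baseline.values())
    total_after = sum(v['tcp'] + v['udp'] for v in hardened.values())
    return dict(removed=removed, added=added, delta=delta,
                total_before=total_before, total_after=total_after)


def name_of(ip, *captures):
    """Best known DNS name for an IP across the captures ('None' if never resolved)."""
    for cap in captures:
        if ip in cap and cap[ip]['name'] != 'None':
            return cap[ip]['name']
    return 'None'


def report(baseline_text, hardened_text):
    """Print a human-readable summary and return the comparison."""
    baseline = load_csv(baseline_text)
    hardened = load_csv(hardened_text)
    result = compare_captures(baseline, hardened)
    print('Total outbound bytes: {} -> {}'.format(result['total_before'],
                                                  result['total_after']))
    print('Destinations no longer contacted after hardening:')
    for ip in result['removed']:
        print('  {:<16} {:<40} {:>8} bytes'.format(
            ip, name_of(ip, baseline), -result['delta'][ip]))
    print('New destinations after hardening (expected: the test sites only):')
    for ip in result['added']:
        print('  {:<16} {:<40} {:>8} bytes'.format(
            ip, name_of(ip, hardened), result['delta'][ip]))
    return result


if __name__ == '__main__':
    import sys
    if len(sys.argv) == 3:
        # compare two real CSV files produced by the analysis script
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            report(f1.read(), f2.read())
    else:
        report(BASELINE_CSV, HARDENED_CSV)
```

Any destination listed under "new destinations" that is not one of the test sites deserves a second look, since the hardened configuration should only remove traffic.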
3. Windows 10 Privacy and Security Mitigations
Issue
Windows 10 by default ships with many built-in applications, such as Cortana and Edge, that collect a large amount of personal information. According to Microsoft, this information is collected to enhance the Windows experience; the data also allows Microsoft to advertise more effectively and gain revenue. The extraction of this data from the systems raises many privacy concerns, and the security risk it creates is significant. One risk is that if Microsoft is compromised, attackers gain access to all the data Microsoft holds, including that of GIAC corporation. The other risk is that if attackers find a way to exploit services like Cortana and Edge, they will be able to obtain a large amount of telemetry information and also control the camera and similar devices.
Thesis
Windows 10 provides graphical user interface (GUI) options for disabling all of the privacy-related features, including Cortana and Edge. In the GIAC enterprise setting, group policy will be used to apply these settings globally to all GIAC Windows 10 systems. The group policy settings are applied in accordance with the TechNet article in the references. All of the group policy settings were exported for reference.
Windows 10 has good security controls. In order to strengthen the security of Windows 10 systems, the controls below were applied to mitigate attempts to compromise the system.
Windows Defender - Microsoft's anti-virus/anti-malware engine, which detects known threats.
Windows Firewall - Microsoft's built-in firewall, which can be configured to block all unwanted network communication and allow only legitimate traffic.
Windows AppLocker - Microsoft's built-in application whitelisting module, which allows only authorized applications to run. All unauthorized applications and executables are prevented from executing.
SCM (Security Compliance Manager) Windows 10 Group Policy templates - These group policy settings are the best practices recommended by Microsoft for enforcing password policies and audit policies. The templates include settings to prevent Pass-the-Hash attacks, along with other recommended best practices.
Finding
By enabling the group policy settings that disable Cortana, Edge and the other telemetry services, the amount of data sent to Microsoft is reduced. Packet captures were taken to confirm that the corresponding traffic is no longer sent after the services are disabled.
Evidence
3.1.1. Privacy settings before applying group policy
3.1.2. Lockdown Settings
3.1.3. PCAP Analysis for GPO
4. Windows 10 Logging and Monitoring
Issue
The goal of this project is to secure the Windows 10 systems in GIAC corporation. Under an "assume breach" mindset, in which GIAC assets are treated as already compromised, there must be a strong logging and monitoring capability to identify and remediate the compromised assets. This is also a very important component for determining impact during an incident.
Thesis
Splunk is installed to log and monitor Windows 10 and Active Directory events. Splunk is an advanced SIEM solution with excellent data mining capabilities. Group policy is enabled to log all critical events to the Windows event logs. Splunk collects these event logs and, based on defined patterns, can raise alerts; further queries can then be developed to dig deeper and understand the impact and scope of the threat or incident. A few examples of suspicious event logs were taken and explored as part of this lab.
Finding
By utilizing Splunk, suspicious events were alerted and further queries and dashboards were created to understand the scope and impact of the threat/incident.
Evidence
4.1.1. Splunk Examples
Windows - New Added Services
NOT SYSTEM ( EventCode=601 OR EventCode=4697 ) | table _time host User Service_Name Service_File_Name | rename _time AS Time | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time) | rename User AS Username Service_Name AS "Service Name" Service_File_Name AS "Service File" host AS "Server"

Windows - New Created Groups
EventCode=631 OR EventCode=4727 OR EventCode=635 OR EventCode=4731 OR EventCode=658 OR EventCode=4754 | rex field=Message "(?<msg>[^\.:]+)" | eval new_grp = if(isnotnull(Account_Name), Group_Name, New_Account_Name) | eval creator = if(isnotnull(Account_Name), Account_Name, Caller_User_Name) | table _time creator new_grp msg | rename _time AS Time creator AS "Group created by" new_grp AS "Created group" msg AS "Reason/Type" | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)

Windows - Added Domain Accounts
"EventCode=624" OR "EventCode=4720" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Created_Account"=coalesce(Win2K8_acc,New_Account_Name)

Windows - Deleted Domain Accounts
"EventCode=67" OR "EventCode=4726" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Deleted_Account"=coalesce(Win2K8_acc,Target_Account_Name)

Windows - Deleted Groups
EventCode=662 OR EventCode=4758 OR EventCode=638 OR EventCode=4734 OR EventCode=634 OR EventCode=477 | rex field=Message "(?<msg>[^\.:]+)" | eval del_grp = if(isnotnull(Account_Name), Group_Name, Target_Account_Name) | eval deletedby = if(isnotnull(Account_Name), Account_Name, Caller_User_Name) | table _time deletedby del_grp msg | rename _time AS Time deletedby AS "Group deleted by" del_grp AS "Deleted group" msg AS "Reason/Type" | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)

Windows - Disabled User Accounts
( CategoryString="Account Management" OR TaskCategory="User Account Management" ) ( "EventCode=629" OR "EventCode=4725" ) | eval caller = if(isnull(Account_Name), Caller_User_Name, mvindex(Account_Name,0)) | eval member = if(isnull(Account_Name), Target_Account_Name, mvindex(Account_Name,1)) | table _time caller member | rename _time AS Time caller AS "Account disabled by" member AS "Disabled Account" | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)

Windows - Domain Policy Changes
EventCode=643 | rex field=Message "Domain Policy Changed:\s(?<msg>.*)" | table _time host msg Caller_Domain | rename _time AS Time host AS Server msg AS "Policy change" Caller_Domain AS "Windows Domain" | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)

Windows - Firewall Allowed Binds
EventCode=5159

Windows - Firewall Allowed Connections
EventCode=5156

Windows - Firewall Blocked Binds
EventCode=5158

Windows - Firewall Blocked Connections
EventCode=5157

Windows - Firewall Configuration Changes
EventCode=4946 OR EventCode=4947 OR EventCode=4948 | rex field=Message "A rule was (?<temp>[^\.]+)" | eval Action=case(temp == "added", "Rule added", temp == "modified", "Rule modified", temp == "deleted", "Rule deleted")

Windows - Installation History
sourcetype="*wineventlog:application" SourceName=MsiInstaller EventCode=11707 | dedup _raw | rex field=Message "(?s)Product: (?<product_name>.*) --" | table _time host User product_name | rename _time AS Time host AS Server product_name AS "Product Installed" | convert timeformat="%d.%m.%Y. %H:%M:%S" ctime(Time)

Windows - Locked Domain Accounts
"EventCode=644" OR "EventCode=4740" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name)

Windows - Log Entry Deleted
("EventCode=517" OR "EventCode=1102") | eval msg="The audit log was cleared." | convert timeformat=" %H:%M:%S %d.%m.%Y." ctime(_time) | table _time host msg | rename _time as Time host as Hostname msg as Message

Windows - NTLM successful logins
("EventCode=4776" AND Keywords="Audit Success") OR ("EventCode=680" AND "Success Audit") NOT (Logon_Account="*$" OR Logon_account="*$") | eval "User_Account" = coalesce(Logon_Account,Logon_account) | transaction "User_Account",Source_Workstation maxpause=5s

Windows - NTLM unsuccessful logins
("EventCode=4776" AND Keywords="Audit Failure") OR ("EventCode=680" AND "Failure Audit") NOT (Logon_Account="*$" OR Logon_account="*$") | eval "User Account" = coalesce(Logon_Account,Logon_account)

Windows - Process Activity
EventCode="592" OR EventCode=4688 NOT User="SYSTEM" NOT User="NETWORK SERVICE" | eval FileName=if(isnotnull(Image_File_Name),Image_File_Name,New_Process_Name) | eval finaluser=if(isnotnull(User_Name),User_Name,Account_Name)

Windows - RDP unsuccessful logins
( EventCode=529 Logon_Type=10 ) OR EventCode=4625 Failure | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1))

Splunk Example Screenshots
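Most of the searches above coalesce two generations of Security-log field layouts: the legacy Windows 2003 events (6xx/5xx codes with separate Caller_User_Name and New_Account_Name fields) and the Windows 2008 and later events (4xxx codes, where Account_Name is a multivalue field holding the caller first and the target second). The following Python is an added example, not part of the notebook, that applies that same isnotnull/mvindex/coalesce logic outside Splunk to a handful of constructed events, so the normalization can be unit-tested before a dashboard relies on it.

```python
# Watched Security event IDs, in the legacy / modern pairs used by the
# notebook's searches (service install, group create, account create,
# audit log cleared).
WATCHED = {
    601: 'service installed',       4697: 'service installed',
    631: 'security group created',  4727: 'security group created',
    624: 'user account created',    4720: 'user account created',
    517: 'audit log cleared',       1102: 'audit log cleared',
}

# Constructed sample events with field names as Splunk extracts them from
# the Windows Security log. Hosts, users and times are made up (IEUser is
# the local administrator of the modern.ie image used in the lab).
SAMPLE_EVENTS = [
    {'_time': '2016-01-03 10:00:00', 'host': 'WIN10-01', 'EventCode': '4720',
     'Account_Name': ['IEUser', 'svc_backup']},            # modern, multivalue
    {'_time': '2016-01-03 10:05:00', 'host': 'DC01', 'EventCode': '624',
     'Caller_User_Name': 'Administrator',
     'New_Account_Name': 'tempadmin'},                      # legacy layout
    {'_time': '2016-01-03 10:07:00', 'host': 'WIN10-01', 'EventCode': '4727',
     'Account_Name': 'IEUser', 'Group_Name': 'LocalOps'},
    {'_time': '2016-01-03 10:08:00', 'host': 'WIN10-01', 'EventCode': '4697',
     'Account_Name': 'IEUser', 'Service_Name': 'updsvc',
     'Service_File_Name': 'C:\\Program Files\\Example\\updsvc.exe'},
    {'_time': '2016-01-03 10:09:00', 'host': 'WIN10-01', 'EventCode': '4624',
     'Account_Name': ['-', 'IEUser']},                      # logon: not watched
    {'_time': '2016-01-03 10:10:00', 'host': 'WIN10-01', 'EventCode': '1102',
     'Account_Name': 'IEUser'},
]


def normalize(event):
    """Map one extracted Security event to a uniform record, or None if the
    event is not on the watch list.

    Mirrors the searches' if(isnotnull(Account_Name), ...) branches: when
    Account_Name is present the event uses the modern layout (index 0 is
    the caller, index 1 the target, with Group_Name/Service_Name naming the
    object for group and service events); otherwise it uses the legacy
    layout with dedicated Caller_User_Name / New_Account_Name fields.
    """
    code = int(event.get('EventCode', 0))
    if code not in WATCHED:
        return None
    account = event.get('Account_Name')
    if isinstance(account, str):          # single-valued field, same as mvindex(.., 0)
        account = [account]
    if account:                           # modern (Windows 2008+) layout
        caller = account[0]
        target = (event.get('Group_Name') or event.get('Service_Name')
                  or (account[1] if len(account) > 1 else None))
    else:                                 # legacy (Windows 2003) layout
        caller = event.get('Caller_User_Name') or event.get('User')
        target = (event.get('New_Account_Name')
                  or event.get('Target_Account_Name')
                  or event.get('Service_Name'))
    return dict(time=event.get('_time'), host=event.get('host'), code=code,
                action=WATCHED[code], caller=caller, target=target,
                detail=event.get('Service_File_Name'))


def triage(events):
    """Normalized records for every watched event, in time order."""
    records = [normalize(e) for e in events]
    return sorted((r for r in records if r is not None), key=lambda r: r['time'])


if __name__ == '__main__':
    for r in triage(SAMPLE_EVENTS):
        print('{time} {host:<9} {code:<5} {action:<24} by {caller} -> {target} {detail}'
              .format(**{k: (v if v is not None else '') for k, v in r.items()}))
```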
5. Enterprise Solution: Palo Alto Traps
Issue
GIAC Enterprises is at risk from malware, according to a recent threat and risk assessment. GIAC Enterprises does use Microsoft's SCEP; however, this solution only provides protection against known (signature-based) threats. For that reason, a more robust solution is needed that can fill the gap between a signature-based technology and a more advanced form of protection against zero-day threats. Additionally, GIAC is looking for a way to restrict which web browsers are used, based on the organization's security policy.
Thesis
Based on several vendor evaluations and research, the Security Team has determined that the best enterprise endpoint protection technology would be Palo Alto Traps. Traps provides protection against exploits and unknown or zero-day malware. Not only does this technology provide what GIAC is looking for in terms of risk mitigation, it also integrates easily into the existing infrastructure. This solution will be evaluated after the hardened and proposed OS is configured.
Finding
After evaluating the Windows 10 operating system, it is evident that the operating system (OS) is lacking in terms of security and privacy. By simply configuring the system to limit its privacy exposure, the amount of outbound traffic can be drastically reduced. Furthermore, by utilizing Microsoft's Security Compliance Manager (SCM), a group policy object can be created for an organization and deployed with ease via Active Directory. This is the single most significant method to reduce exposure and secure the operating system. After this has been completed, a third-party tool can be introduced that will fill the gap between policy/configuration and advanced attacks against the system. In our case, we evaluated Palo Alto Traps. This solution provides protection against unknown and little-known malware and exploits. It also has the ability to prevent processes from running if they have not been explicitly allowed (zero-trust model). It is highly recommended that the OS first be locked down to the organization's security, privacy and operational requirements. Then, the OS should be further secured by implementing a third-party tool to lock the system down further.
Evidence
5.1.1. Manual findings
Connections to login.live.com:
Built-in Apps connect to tile-service.weather.microsoft.com over HTTP:
5.1.2. System Configuration Manager
Proposed steps:
- Apply a locked-down GPO based on a manual review of the privacy settings found here: https://technet.microsoft.com/library/mt577208(v=vs.85).aspx#BKMK_DevInst
After researching Microsoft's privacy settings in Windows 10, a good table was found showing where each of the new settings can be controlled from:
Based on this list, and for our lab, the settings will be controlled with a GPO first and then with the UI if needed. A table was created that further shows where these settings can be controlled via a GPO, what the privacy implications are and what loss of functionality will take place if the settings are enabled or disabled.
5.1.3. Enable additional GPOs / privacy settings (this is how we will control the traffic):
Each entry below gives the setting, the location where it is controlled (either a GPO path under Computer Configuration or a UI/command-line location), its description and privacy implication, and the loss of feature that results from applying it.
Cortana
  Location: Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana > Disabled
  Description & privacy implication: Microsoft collects and uses information including your device location information and location history, contacts (People), voice input, searching history, calendar details, content and communication history from messages and apps, and other information on your device. In Microsoft Edge, Cortana collects and uses your browsing history. This information is saved on your device, in your Cortana Notebook, and in the cloud on the Bing.com dashboard.
  Loss of feature: No voice activated commands or assistance.
Device metadata retrieval
  Location: Computer Configuration > Administrative Templates > System > Device Installation > Prevent device metadata retrieval from the Internet > Enabled
  Description & privacy implication: Device metadata is downloaded/pulled from the Internet.
  Loss of feature: More detailed information might be lacking for installed devices.
Insider preview builds
  Location: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Toggle user control over Insider builds > Disable
  Description & privacy implication: Prevents the downloading of bleeding-edge OS builds from Microsoft.
Internet Explorer (IE)
  Location: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Turn on Suggested Sites > Disabled
  Description & privacy implication: Limits the number of sites that may be suggested based on a user's search behavior.
IE
  Location: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar > Disabled
  Description & privacy implication: Limits targeted search suggestions.
IE
  Location: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Turn off the auto-complete feature for web addresses > Enabled
  Loss of feature: Autocompleting can help save time when searching. This feature would be disabled.
IE
  Location: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Disable Periodic Check for Internet Explorer software updates > Disabled
  Description & privacy implication: This setting should remain enabled if the system is managed with SCCM or another centralized patch management solution.
  Loss of feature: Can leave the browser exposed to attacks if not centrally managed.
IE
  Location: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Turn off browser geolocation > Enabled
  Description & privacy implication: Limits apps and settings that might use geolocation.
Mail synchronization
  Location: Settings > Accounts > Your email and accounts; remove any connected Microsoft Accounts
Microsoft Edge
  Location: Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow employees to send Do Not Track headers > Enabled; and Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Turn off address bar search suggestions > Disabled
  Description & privacy implication: Browsing data and information about malicious websites is sent back to Microsoft to assist with page prediction and SmartScreen.
  Loss of feature: Auto search help functions are disabled.
NCSI
  Location: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off Windows Network Connectivity Status Indicator active tests > Enable
  Loss of feature: Limits the client from checking to see if the Internet is accessible.
Offline maps
  Location: Computer Configuration > Administrative Templates > Windows Components > Maps > Turn off Automatic Download and Update of Map Data > Enable
  Description & privacy implication: No setting found in our Windows 10 image.
OneDrive
  Location: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage > Enable
  Loss of feature: Users cannot use OneDrive to centrally store their files in the cloud.
Preinstalled apps
  Location: remove each app by the steps below (from the Start menu, or with Windows PowerShell from an elevated command prompt). Note that provisioned package names carry a version suffix (for example Microsoft.BingNews_<version>_neutral_...), so the -Like patterns end in a wildcard; without it the comparison is exact and nothing is removed.
  Loss of feature: Limits app specific functionality such as news feeds, weather, etc.

  To remove the News app:
  ● Right-click the app in Start, and then click Uninstall.
  -or-
  ● Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingNews*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
  -and-
  ● Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage

  To remove the Weather app:
  ● Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingWeather*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
  -and-
  ● Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage

  To remove the Money app:
  ● Right-click the app in Start, and then click Uninstall.
  -or-
  ● Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingFinance*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
  -and-
  ● Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage

  To remove the Sports app:
  ● Right-click the app in Start, and then click Uninstall.
  -or-
  ● Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingSports*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
  -and-
  ● Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage

  To remove the Twitter app:
  ● Right-click the app in Start, and then click Uninstall.
  -or-
  ● Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "*.Twitter*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
  -and-
  ● Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxPackage *.Twitter | Remove-AppxPackage

  To remove the XBOX app:
  ● Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.XboxApp*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
  -and-
  ● Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage

  To remove the Sway app:
  ● Right-click the app in Start, and then click Uninstall.
  -or-
  ● Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.Sway*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
  -and-
  ● Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage

  To remove the OneNote app:
  ● Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.OneNote*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
  -and-
  ● Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage

  To remove the Get Office app:
  ● Right-click the app in Start, and then click Uninstall.
  -or-
  ● Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.MicrosoftOfficeHub*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
  -and-
  ● Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage

  To remove the Get Skype app:
  ● Right-click the app in Start, and then click Uninstall.
  -or-
  ● Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.SkypeApp*"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
  -and-
  ● Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command:
    Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage
Settings > Privacy
General
  Location: Computer Configuration > Administrative Templates > System > User Profiles > Turn off the advertising ID > Enabled
Location
  Location: Computer Configuration > Administrative Templates > Windows Components > Location and Sensors > Turn off location > Enabled
Camera
  Location: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access the camera > Disabled
  Description & privacy implication: This setting was not found in our image; however, it might be a good idea to disable it in a secure environment.
  Loss of feature: App functionality might be reduced if it relies on a camera.
Microphone
  Location: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access the microphone > Disabled
  Description & privacy implication: This setting was not found in our image; however, it might be a good idea to disable it in a secure environment.
  Loss of feature: App functionality might be reduced if it relies on a microphone.
Speech, inking, & typing
  Location: Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Handwriting personalization > Turn off automatic learning > Enabled
  Loss of feature: Limits app customization because it cannot learn behavior.
Account info
  Location: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access account information > Set the Select a setting box to Force Deny
Contacts
  Location: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access contacts > Disabled
Calendar
  Location: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access the calendar > Set the Select a setting box to Force Deny
Messaging
  Location: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access messaging > Set the Select a setting box to Force Deny
Radios
  Location: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps control radios > Set the Select a setting box to Force Deny
Other devices
  Location: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access trusted devices > Set the Select a setting box to Force Deny
Feedback & diagnostics
  Location: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Do not show feedback notifications > Enabled
Background apps
  Location: Turn off the feature in the UI for each app
Software Protection Platform
x Computer Configuration > Administrative Templates > Windows Components > Software Protection Platform > Turn off KMS Client Online AVS Activation > Enabled
This setting sends Key Management Service (KMS) client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
Limits the client's ability to activate.
Sync your settings
x Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync > Enabled
Settings are not synced with any other devices.
Teredo
netsh interface teredo set state disabled
Limits the system’s ability to communicate with IPv6 devices.
Wi-Fi Sense
x Computer Configuration > Administrative Templates > SCM: Wi-Fi Sense > Disable Wi-Fi Sense > Enabled
Removes the ability to enumerate and connect to Wi-Fi networks that the user's contacts are known to use.
Windows Defender
x Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS > Join Microsoft MAPS > Disabled
Depending on the organization’s privacy policy, it might be worth considering enabling this to share threat/virus detection info with Microsoft.
Limits the system’s ability to share virus information with Microsoft.
Windows Media Player
x From the Programs and Features control panel, click Turn Windows features on or off, under Media Features, clear the Windows Media Player check box, and then click OK
Limits the ability for users to leverage the built-in media player.
Windows spotlight
x Computer Configuration > Administrative Templates > Control Panel > Personalization > Force a specific default lock screen image > Enabled
● Add a location in the Path to local lock screen image box.
Limits the user’s ability to customize a lock screen image.
Windows Store
x Computer Configuration > Administrative Templates > Windows Components > Store > Disable all apps from Windows Store > Enabled
This setting was not found on the image we were working with. If the endpoint is in an enterprise or managed by SCCM, the store should be disabled to help keep tabs on what applications are installed. For individual deployments, this could be left enabled.
Limits the ability for the apps to contact the Windows Store for updates.
WU Delivery Optimization
x Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > None
Setting was not found in the modern.ie image. This depends on the environment, but in an enterprise it might make more sense to manage updates centrally; however, this setting could cut down on bandwidth requirements.
The ability to rapidly download and install updates is impacted.
Windows Update
Computer Configuration > Administrative Templates > Windows Components > Do not connect to any Windows Update Internet locations > Enabled
This setting depends on the environment and whether or not the systems are centrally managed.
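Every row in the table above (except Teredo, which is set with netsh) is a registry-backed policy, so the resulting state of an image can be audited without opening the Group Policy editor. The following PowerShell audit is an added example and is not part of the lab notebook; the policy-to-registry mappings are taken from the Windows 10 ADMX templates and should be checked against the ADMX set in use, and the Contacts row is left out because the table sets it to Disabled rather than to a Force Deny value.

```powershell
# Added example (not the notebook's own code). Audit the registry values behind the GPO rows above.
# Policy -> registry mapping comes from the Windows 10 ADMX templates; verify against your own ADMX set.
$expected = @(
    # Speech, inking & typing: Turn off automatic learning
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization'; Name = 'RestrictImplicitInkCollection';  Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization'; Name = 'RestrictImplicitTextCollection'; Expected = 1 }
    # App Privacy rows: 2 is "Force Deny" (Contacts is listed as Disabled above, so it is not audited here)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'; Name = 'LetAppsAccessAccountInfo';    Expected = 2 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'; Name = 'LetAppsAccessCalendar';       Expected = 2 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'; Name = 'LetAppsAccessMessaging';      Expected = 2 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'; Name = 'LetAppsAccessRadios';         Expected = 2 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'; Name = 'LetAppsAccessTrustedDevices'; Expected = 2 }
    # Feedback & diagnostics: Do not show feedback notifications
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'DoNotShowFeedbackNotifications'; Expected = 1 }
    # Software Protection Platform: Turn off KMS Client Online AVS Activation
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'; Name = 'NoGenTicket'; Expected = 1 }
    # Sync your settings: Do not sync
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'; Name = 'DisableSettingSync'; Expected = 2 }
    # Windows Defender: Join Microsoft MAPS = Disabled
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SpynetReporting'; Expected = 0 }
    # Windows Store: Disable all apps from Windows Store
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'; Name = 'DisableStoreApps'; Expected = 1 }
    # Windows Update: Do not connect to any Windows Update Internet locations
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Item)
    # A missing key or value means "Not Configured", which counts as not compliant here
    $actual = (Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue).($Item.Name)
    [pscustomobject]@{
        Policy    = "$($Item.Path)\$($Item.Name)"
        Expected  = $Item.Expected
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Compliant = ($actual -eq $Item.Expected)
    }
}

$results = $expected | ForEach-Object { Test-PolicyValue $_ }
$results | Format-Table -AutoSize
"{0} of {1} policies compliant" -f @($results | Where-Object Compliant).Count, $results.Count

# Teredo is switched off with netsh rather than a policy value, so check it separately
netsh interface teredo show state
```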
5.1.4. Further Control the Traffic by Proposed Solution (Traps)
Diagram:
Verifying that the agent is checking in for the correct test system.
Examining the enabled exploit prevention policies.
Verifying the WildFire policy. NOTE: After applying the WildFire Policy, Google Chrome would not launch.
Verifying the Restrictions Policy is set.
Verifying that the Protection Policy is set
Showing the hunting and forensics capabilities
5.1.5. PCAP Analysis
5.1.6. Overall Recommendation
Traps for the GIAC Enterprise is necessary because it will help address unknown malware and exploit attempts against the organization. This will be valuable after all of the other configuration settings (hardening) have been applied to the system. Given the risk assessment, this additional layer of protection is highly recommended.
6. 3rd Party Applications
Issue: Modifications to the GPO can be effective in mitigating information that Microsoft transmits with or without user knowledge; however, these changes would not prevent 3rd party applications from transmitting similar data.
Thesis: Installation of a 3rd party application to more effectively manage Windows Firewall settings
Finding:
Evidence:
6.1.1. Windows Firewall Notifier
Windows Firewall Notifier (WFN) is a 3rd party application that monitors all outbound and inbound traffic from the Windows 10 host. WFN will block any application’s outbound traffic that is not already specifically allowed in the firewall configuration. WFN is free for use and supports Windows 10.
Although there is not much ability to customize the features of WFN, it appears to be effective in mitigating unwanted outbound traffic from 3rd party applications on the host.
NOTE: WFN prevented Google Chrome from communicating until it was added to the ruleset.
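The block-outbound-unless-explicitly-allowed behaviour that WFN (and, in the next section, WFC) adds can also be approximated with the firewall Windows 10 already ships, which gives a useful baseline to compare the 3rd party tools against. The following PowerShell is an added example, not code from the notebook or from either tool; the Chrome install path is an assumption for this image, and the session must be elevated.

```powershell
# Added example (not from the notebook or the WFN/WFC projects): put the built-in Windows Firewall into
# the "block outbound unless explicitly allowed" posture described above, then summarise what was dropped.
# Run from an elevated PowerShell session; the Chrome path below is an assumption for this image.
$chrome  = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
$logFile = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Default-deny outbound on every profile and log dropped packets so unexpected egress becomes visible
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName $logFile

# Explicitly allow the applications that must reach the Internet. Chrome needed the same
# explicit rule under WFN (see the NOTE above); without it the browser cannot connect at all.
if (-not (Get-NetFirewallRule -DisplayName 'Allow Chrome outbound' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Allow Chrome outbound' -Direction Outbound `
        -Program $chrome -Action Allow -Profile Any | Out-Null
}

# Parse pfirewall.log and rank the destinations that the default-deny rule blocked.
# Line layout after the header: date time action protocol src-ip dst-ip src-port dst-port ... path
function Get-DroppedEgress {
    param([string]$Path = [Environment]::ExpandEnvironmentVariables($logFile))
    Get-Content -Path $Path |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |
        ForEach-Object {
            $f = $_ -split ' '
            # action is field 2, path (SEND/RECEIVE) is the last field; keep outbound drops only
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{ Protocol = $f[3]; Destination = "$($f[5]):$($f[7])" }
            }
        } |
        Group-Object -Property Destination |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Run the test procedure first, then compare this list with the pcap taken on the VyOS router
Get-DroppedEgress | Select-Object -First 20
```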
6.1.2. Windows Firewall Control
Windows Firewall Control (WFC) is very similar to WFN in that it is a free 3rd party application that provides additional functionality and security when compared to the default Windows Firewall.
However, as shown in the screen captures below, WFC has a significantly more robust feature set when compared to WFN. With WFC a user can save and export the application settings for WFC as well as the customized firewall rule set within WFC.
6.1.3. Adblocker
After completing the initial testing and analysis with WFN and WFC, it was observed that there was still an abnormally high number of unique domains and IPs in the outbound traffic. An additional test run was conducted with WFC and the desired GPO in place to determine the effectiveness of, and need for, ad blocking software within the browser. For this test, uBlock Origin was installed and enabled within the Google Chrome browser and the test procedure was repeated, with the exception of browsing to sites from the Edge browser. As shown below, the combination of WFC and uBlock is an effective choice for minimizing unwanted outbound connections.