
Securing the GIAC Enterprise Endpoint

ISE/M 6100 – Security Project Practicum – Lab Notebook

Authors: Balaji Balakrishnan, [email protected]; Matthew Hosburgh, [email protected]; Patrick Neise, [email protected]

Advisor: Stephen Northcutt

Due: January 5th 2016


1. Lab Setup

Base Windows 10 VM

Each test configuration was built on top of the base Windows 10 virtual machine. The Windows 10 virtual machine was downloaded from the modern.ie website, which provides virtual machines of various Windows operating systems, each with its supported browser versions. The virtual machines are provided to support browser testing, but they are also sufficient for our testing purposes. The base VM was configured as follows:

● Windows 10 VM from modern.ie
● Install Chrome and uBlock Origin (initially disabled)
● Install Adobe Reader
● Add a user account in addition to the existing IEUser (local administrator)
● All options under Settings -> Privacy are turned On
● One network adapter on an internal VMnet5

Router and Packet Capture

A VyOS VM was used to provide routing for the Windows 10 host to the Internet, as well as being the platform for the required packet capture of outbound Internet data. The router was configured as below, and packet captures were conducted per the testing procedure with tcpdump.

● 2 network interfaces
  o eth0 set to NAT to expose the router to the Internet via the host
  o eth1 set to VMnet5, IP address 10.10.10.1 as the default gateway for the Windows VMs
● tcpdump -i eth1 host 10.10.10.10 -w filename

 

Testing Procedure

For each of the tested configurations, the following procedure was followed to collect the data necessary to compare the effectiveness of the configuration and/or software changes.

● Begin tcpdump packet capture on the VyOS VM
● Boot the Windows 10 VM
● Wait for 30 minutes
● Open a PDF document with Adobe PDF Reader
● Use the Edge browser for the following sites:
  o cnn.com
  o torproject.org
  o google.com
● Use the Chrome browser for the sites above
● Shut down the Windows 10 VM
● Stop the packet capture on the VyOS VM

● Just boot the VM and collect a pcap for 30 minutes

2. PCAP Analysis

After conducting each of the tests described in the remainder of this appendix, the collected packet captures needed to be analyzed for comparison of results. In order to quickly provide a consistent comparison, a Python script was written to process each individual capture. The Python script ingested and processed each pcap file with pyshark, a module that wraps the tshark functionality of Wireshark. The resulting output is a comma separated value file that lists each outbound destination IP address, the amount of data transferred, the transport protocol used (i.e. TCP or UDP), and the domain name associated with the IP address. The results could then be combined and compared to determine the relative effectiveness of the changes in limiting outbound traffic from the Windows 10 host.

Python Script

The following Python script was used for analysis of each pcap file:

```python
#! /usr/bin/env python
import pyshark
import csv
import sys


def get_ipv4_info(cap_file, display_filter):
    """
    This function takes the pcap file and filter to produce a
    list of outbound traffic for the specified host.

    Args:
        cap_file (pyshark capture file): pcap to be processed
        display_filter (str): tshark filter to apply before
            processing the capture file.

    Returns:
        list: List of dictionaries for each IP address that
            contains IP address source port, destination port,
            protocol, and payload size
    """
    cap = pyshark.FileCapture(cap_file,
                              display_filter=display_filter,
                              keep_packets=False)
    accum = []

    def ipv4_info(pkt):
        try:
            protocol = pkt.transport_layer
            src_addr = pkt.ip.src
            src_port = pkt[protocol].srcport
            dst_addr = pkt.ip.dst
            dst_port = pkt[protocol].dstport
            if protocol == "TCP":
                # tcp.len is the segment payload length (headers excluded)
                len_payload = int(pkt[protocol].len)
            elif protocol == 'UDP':
                # udp.length is the UDP length field (8-byte header included)
                len_payload = int(pkt[protocol].length)
            else:
                # other transports (e.g. SCTP) have no length field we use
                return
            entry = dict(src_ip=src_addr, src_port=src_port,
                         dst_ip=dst_addr, dst_port=dst_port,
                         payload=len_payload, protocol=protocol)
            accum.append(entry)
        except AttributeError:
            # non-IP packets, or packets without a transport layer
            pass

    cap.apply_on_packets(ipv4_info, timeout=10000)

    return accum


def get_dns_info(cap_file):
    """
    This function takes the pcap file to produce a
    dictionary of host names and associated IP addresses.

    Args:
        cap_file (pyshark capture file): pcap to be processed

    Returns:
        dictionary: Dictionary of domain names keyed by IP address
    """
    cap = pyshark.FileCapture(cap_file, keep_packets=False)
    accum = {}

    def dns_info(pkt):
        try:
            dns_name = pkt.dns.resp_name
            # field name of the tshark version used in the lab;
            # newer tshark exposes the A record address as pkt.dns.a
            ip_addr = pkt.dns.resp_addr
            accum[ip_addr] = dns_name
        except AttributeError:
            # not a DNS response, or no A record in the answer
            pass

    cap.apply_on_packets(dns_info, timeout=10000)

    return accum


def main(pcap_file, source_ip):
    # create display filter based on ip address passed as argument
    display_filter = 'ip.src==' + source_ip

    # csv file for output
    csv_file = pcap_file + ".csv"
    outbound_ipv4 = {}

    # get dns/ip address combinations from pcap
    dns_list = get_dns_info(pcap_file)
    # get ipv4 information from pcap file
    ipv4_list = get_ipv4_info(pcap_file, display_filter)

    # accumulate TCP and UDP data for each destination IP
    for item in ipv4_list:
        dest = item['dst_ip']

        if dest not in outbound_ipv4:
            outbound_ipv4[dest] = dict(tcp_data=0, udp_data=0,
                                       name='None')

        if item['protocol'] == 'TCP':
            outbound_ipv4[dest]['tcp_data'] += item['payload']
        elif item['protocol'] == 'UDP':
            outbound_ipv4[dest]['udp_data'] += item['payload']

        # destinations never seen in a DNS answer keep the name 'None'
        try:
            outbound_ipv4[dest]['name'] = dns_list[dest]
        except KeyError:
            pass

    # write all results to csv file for analysis
    with open(csv_file, 'w') as csvfile:
        csvfile.write('IP,TCP,UDP,Name\n')
        for key in outbound_ipv4:
            line = ('{},{},{},{}\n').format(key,
                                            outbound_ipv4[key]['tcp_data'],
                                            outbound_ipv4[key]['udp_data'],
                                            outbound_ipv4[key]['name'])
            csvfile.write(line)


if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2])
```
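The notebook says the per-capture CSVs were combined and compared to judge how much outbound traffic a configuration removed, but does not show that step. The following is an added example, not code from the notebook, that parses two of the script's CSV outputs (a constructed baseline and a constructed hardened run), aggregates bytes by resolved name rather than by IP (CDN-backed services rotate addresses between boots, so per-IP comparison understates what was eliminated) and reports the per-destination change and the overall reduction. The CSV contents, the RFC 5737 addresses and the byte counts are constructed; only the column format comes from the script above.

```python
import csv
import io

# Constructed sample output in the notebook script's format (IP,TCP,UDP,Name).
# Addresses are RFC 5737 documentation ranges and byte counts are invented.
BASELINE_CSV = """IP,TCP,UDP,Name
192.0.2.10,48210,0,login.live.com
192.0.2.11,9120,0,tile-service.weather.microsoft.com
192.0.2.12,15000,0,cnn.com
192.0.2.13,0,2400,None
"""

HARDENED_CSV = """IP,TCP,UDP,Name
192.0.2.20,3100,0,login.live.com
192.0.2.12,15000,0,cnn.com
192.0.2.13,0,600,None
"""


def load_results(csv_text):
    """Parse the script's CSV into {ip: {'tcp': int, 'udp': int, 'name': str}}."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        results[row['IP']] = dict(tcp=int(row['TCP']), udp=int(row['UDP']),
                                  name=row['Name'])
    return results


def load_results_file(path):
    """Same parser applied to a CSV file written by the notebook script."""
    with open(path) as fh:
        return load_results(fh.read())


def bytes_by_name(results):
    """Total TCP+UDP bytes per resolved name.

    Keying by name rather than IP keeps a service comparable across runs even
    when its address changed; unresolved destinations stay under 'None'.
    """
    totals = {}
    for info in results.values():
        key = info['name']
        totals[key] = totals.get(key, 0) + info['tcp'] + info['udp']
    return totals


def compare(baseline, hardened):
    """Per-name deltas, destinations eliminated/introduced, and % reduction."""
    before = bytes_by_name(baseline)
    after = bytes_by_name(hardened)
    per_name = {}
    for name in set(before) | set(after):
        b, a = before.get(name, 0), after.get(name, 0)
        per_name[name] = dict(before=b, after=a, delta=a - b)
    total_before = sum(before.values())
    total_after = sum(after.values())
    if total_before:
        reduction_pct = round(100.0 * (total_before - total_after) / total_before, 1)
    else:
        reduction_pct = 0.0
    return dict(per_name=per_name,
                eliminated=sorted(n for n in before if n not in after),
                introduced=sorted(n for n in after if n not in before),
                total_before=total_before, total_after=total_after,
                reduction_pct=reduction_pct)


if __name__ == '__main__':
    report = compare(load_results(BASELINE_CSV), load_results(HARDENED_CSV))
    print('{:<38} {:>8} {:>8} {:>8}'.format('name', 'before', 'after', 'delta'))
    for name, v in sorted(report['per_name'].items()):
        print('{:<38} {:>8} {:>8} {:>+8}'.format(name, v['before'], v['after'], v['delta']))
    print('eliminated:', report['eliminated'])
    print('introduced:', report['introduced'])
    print('overall reduction: {}%'.format(report['reduction_pct']))
```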

 

3. Windows 10 Privacy and Security Mitigations

Issue

Windows 10 by default has many built-in applications, such as Cortana and Edge, which collect a great deal of personal information. According to Microsoft, this information is collected to enhance the Windows experience. The data also enables Microsoft to better target advertising and gain revenue. There are many privacy concerns with this data being extracted from the systems, and the security risk of personal information leaving the systems is huge. One risk is that if Microsoft is compromised, attackers would gain access to all of Microsoft's data, including GIAC corporation's. The other risk is that if attackers figure out how to exploit services like Cortana and Edge, they would be able to obtain large amounts of telemetry information and also control the camera, etc.

Thesis

Windows 10 provides graphical user interface (GUI) options for disabling all the privacy-related features, including Cortana and Edge. To enable this globally on all GIAC Windows 10 systems in the enterprise setting, group policy will be used. The group policy settings are applied in accordance with the TechNet article in the references. All the group policy settings are exported for reference.


Windows 10 has good security controls. In order to strengthen the security of Windows 10 systems, the controls below were applied to mitigate attempts to compromise the system.

Windows Defender - This is Microsoft's anti-virus/anti-malware engine, which detects known threats.

Windows Firewall - This is Microsoft's built-in firewall, which can be configured to block all unwanted network communication and allow only legitimate traffic.

Windows AppLocker - This is Microsoft's built-in application whitelisting module, which allows only authorized applications to run. All unauthorized applications and executables are prevented from executing.

SCM (Security Compliance Manager) Windows 10 group policy templates - These group policy settings are best practices recommended by Microsoft for enforcing password policies and audit policies. These group policy templates include settings to prevent pass-the-hash attacks and other recommended best practices.

Finding

By enabling the group policy settings that disable Cortana, Edge and the other telemetry services, the amount of data being sent to Microsoft is reduced. Packet captures were taken to confirm that the corresponding traffic is no longer sent after disabling the services.

Evidence

3.1.1. Privacy settings before applying group policy (screenshots omitted from the transcript)

3.1.2. Lockdown Settings (screenshots omitted from the transcript)

3.1.3. PCAP Analysis for GPO (screenshots omitted from the transcript)

4. Windows 10 Logging and Monitoring  

Issue

The goal of this project is to secure Windows 10 systems in GIAC corporation. If we adopt an "assume breach" mindset for GIAC assets, there must be a strong logging and monitoring capability to identify and remediate the compromised assets. This is also a very important component for determining impact during an incident.

Thesis

Splunk is installed to log and monitor Windows 10 and Active Directory events. Splunk is an advanced SIEM solution with excellent data mining capabilities. Group policy is enabled to log all the critical events to the Windows event logs. Splunk collects these event logs and, based on certain defined patterns, it can alert; further queries can then be developed to dig deeper and understand the impact and scope of the threat/incident. A few examples of suspicious event logs were taken and explored as part of this lab.


Finding

By utilizing Splunk, alerts were raised on suspicious events, and further queries and dashboards were created to understand the scope and impact of the threat/incident.
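The searches listed under Evidence 4.1.1 below reconcile two generations of Security event fields: pre-Vista events put the actor and the affected account in Caller_User_Name / Target_Account_Name / New_Account_Name, while Vista and later events carry a multivalue Account_Name whose index 0 is the caller and index 1 is the target, hence the mvindex()/coalesce() chains in the searches. The following is an added Python example, not from the notebook, that applies the same normalization to constructed events shaped as Splunk would extract them and implements three of the listed detections (account management, audit log cleared, new non-SYSTEM services). Host names, account names and the service paths are constructed; the event IDs are the ones in the searches.

```python
# Event IDs from the notebook's searches (pre-Vista ID, Vista+ ID).
ACCOUNT_EVENTS = {
    624: 'created', 4720: 'created',
    4726: 'deleted',
    629: 'disabled', 4725: 'disabled',
    644: 'locked', 4740: 'locked',
}

# Constructed sample events (hosts, accounts and paths are made up).
# Vista+ events: multivalue Account_Name = [caller, target].
# Pre-Vista events: separate Caller_User_Name / Target_Account_Name fields.
SAMPLE_EVENTS = [
    {'EventCode': 4720, 'host': 'DC01', 'Account_Name': ['helpdesk1', 'jdoe']},
    {'EventCode': 624, 'host': 'DC02', 'Caller_User_Name': 'admin2',
     'New_Account_Name': 'svc_backup'},
    {'EventCode': 4726, 'host': 'DC01', 'Account_Name': ['helpdesk1', 'temp_user']},
    {'EventCode': 629, 'host': 'DC02', 'Caller_User_Name': 'admin2',
     'Target_Account_Name': 'contractor7'},
    {'EventCode': 4740, 'host': 'DC01', 'Account_Name': ['DC01$', 'jdoe']},
    {'EventCode': 1102, 'host': 'WKS-17', 'Account_Name': 'jdoe'},
    {'EventCode': 4697, 'host': 'WKS-17', 'User': 'jdoe',
     'Service_Name': 'UpdaterSvc',
     'Service_File_Name': r'C:\Users\jdoe\AppData\Local\Temp\upd.exe'},
    {'EventCode': 4697, 'host': 'WKS-17', 'User': 'SYSTEM',
     'Service_Name': 'WinDefend',
     'Service_File_Name': r'C:\Program Files\Windows Defender\MsMpEng.exe'},
    {'EventCode': 4688, 'host': 'WKS-17', 'User': 'SYSTEM',
     'New_Process_Name': r'C:\Windows\System32\svchost.exe'},
]


def mvindex(value, i):
    """Splunk mvindex(): element i of a multivalue field, None if out of range.
    A single-valued field behaves like a one-element list."""
    if value is None:
        return None
    values = value if isinstance(value, list) else [value]
    return values[i] if -len(values) <= i < len(values) else None


def coalesce(*values):
    """Splunk coalesce(): the first argument that is not null."""
    for v in values:
        if v is not None:
            return v
    return None


def normalize_account_event(evt):
    """Return {action, actor, target, host} for an account-management event.

    Mirrors the searches' 'eval Win2K8_acc = mvindex(Account_Name,1)' followed
    by 'coalesce(Win2K8_acc, <pre-Vista target field>)'.
    """
    action = ACCOUNT_EVENTS.get(evt.get('EventCode'))
    if action is None:
        return None
    target = coalesce(mvindex(evt.get('Account_Name'), 1),
                      evt.get('New_Account_Name'),
                      evt.get('Target_Account_Name'))
    actor = coalesce(mvindex(evt.get('Account_Name'), 0),
                     evt.get('Caller_User_Name'))
    return dict(action=action, actor=actor, target=target, host=evt.get('host'))


def account_changes(events):
    """All account-management events, normalized to one shape."""
    return [n for n in (normalize_account_event(e) for e in events) if n]


def audit_log_cleared(events):
    """'Windows - Log Entry Deleted': event 517 (pre-Vista) or 1102."""
    return [e['host'] for e in events if e.get('EventCode') in (517, 1102)]


def new_services_not_system(events):
    """'Windows - New Added Services': 601/4697 with SYSTEM filtered out."""
    return [(e['host'], e['User'], e['Service_Name'], e['Service_File_Name'])
            for e in events
            if e.get('EventCode') in (601, 4697) and e.get('User') != 'SYSTEM']


if __name__ == '__main__':
    for change in account_changes(SAMPLE_EVENTS):
        print('{host}: {actor} {action} account {target}'.format(**change))
    print('audit log cleared on:', audit_log_cleared(SAMPLE_EVENTS))
    print('new non-SYSTEM services:', new_services_not_system(SAMPLE_EVENTS))
```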

Evidence

4.1.1. Splunk Examples

Windows - New Added Services

  | NOT SYSTEM ( EventCode=601 OR EventCode=4697 )
  | table _time host User Service_Name Service_File_Name
  | rename _time AS Time
  | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
  | rename User AS Username Service_Name AS "Service Name" Service_File_Name AS "Service File" host AS "Server"

Windows - New Created Groups

  | EventCode=631 OR EventCode=4727 OR EventCode=635 OR EventCode=4731 OR EventCode=658 OR EventCode=4754
  | rex field=Message "(?<msg>[^\.:]+)"
  | eval new_grp = if(isnotnull(Account_Name), Group_Name, New_Account_Name)
  | eval creator = if(isnotnull(Account_Name), Account_Name, Caller_User_Name)
  | table _time creator new_grp msg
  | rename _time AS Time creator AS "Group created by" new_grp AS "Created group" msg AS "Reason/Type"
  | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)

Windows - Added Domain Accounts

  | "EventCode=624" OR "EventCode=4720"
  | eval Win2K8_acc = mvindex(Account_Name,1)
  | eval "Created_Account"=coalesce(Win2K8_acc,New_Account_Name)

Windows - Deleted Domain Accounts

  | "EventCode=67" OR "EventCode=4726"
  | eval Win2K8_acc = mvindex(Account_Name,1)
  | eval "Deleted_Account"=coalesce(Win2K8_acc,Target_Account_Name)

Windows - Deleted Groups

  | EventCode=662 OR EventCode=4758 OR EventCode=638 OR EventCode=4734 OR EventCode=634 OR EventCode=477
  | rex field=Message "(?<msg>[^\.:]+)"
  | eval del_grp = if(isnotnull(Account_Name), Group_Name, Target_Account_Name)
  | eval deletedby = if(isnotnull(Account_Name), Account_Name, Caller_User_Name)
  | table _time deletedby del_grp msg
  | rename _time AS Time deletedby AS "Group deleted by" del_grp AS "Deleted group" msg AS "Reason/Type"
  | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)

Windows - Disabled User Accounts

  | ( CategoryString="Account Management" OR TaskCategory="User Account Management" ) ( "EventCode=629" OR "EventCode=4725" )
  | eval caller = if(isnull(Account_Name), Caller_User_Name, mvindex(Account_Name,0))
  | eval member = if(isnull(Account_Name), Target_Account_Name, mvindex(Account_Name,1))
  | table _time caller member
  | rename _time AS Time caller AS "Account disabled by" member AS "Disabled Account"
  | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)

Windows - Domain Policy Changes

  | EventCode=643
  | rex field=Message "Domain Policy Changed:\s(?<msg>.*)"
  | table _time host msg Caller_Domain
  | rename _time AS Time host AS Server msg AS "Policy change" Caller_Domain AS "Windows Domain"
  | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)

Windows - Firewall Allowed Binds

  | EventCode=5159

Windows - Firewall Allowed Connections

  | EventCode=5156

Windows - Firewall Blocked Binds

  | EventCode=5158

Windows - Firewall Blocked Connections

  | EventCode=5157

Windows - Firewall Configuration Changes

  | EventCode=4946 OR EventCode=4947 OR EventCode=4948
  | rex field=Message "A rule was (?<temp>[^\.]+)"
  | eval Action=case(temp == "added", "Rule added", temp == "modified", "Rule modified", temp == "deleted", "Rule deleted")

Windows - Installation History

  | sourcetype="*wineventlog:application" SourceName=MsiInstaller EventCode=11707
  | dedup _raw
  | rex field=Message "(?s)Product: (?<product_name>.*) --"
  | table _time host User product_name
  | rename _time AS Time host AS Server product_name AS "Product Installed"
  | convert timeformat="%d.%m.%Y. %H:%M:%S" ctime(Time)

Windows - Locked Domain Accounts

  | "EventCode=644" OR "EventCode=4740"
  | eval Win2K8_acc = mvindex(Account_Name,1)
  | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name)

Windows - Log Entry Deleted

  | ("EventCode=517" OR "EventCode=1102")
  | eval msg="The audit log was cleared."
  | convert timeformat=" %H:%M:%S %d.%m.%Y." ctime(_time)
  | table _time host msg
  | rename _time as Time host as Hostname msg as Message

Windows - NTLM successful logins

  | ("EventCode=4776" AND Keywords="Audit Success") OR ("EventCode=680" AND "Success Audit") NOT (Logon_Account="*$" OR Logon_account="*$")
  | eval "User_Account" = coalesce(Logon_Account,Logon_account)
  | transaction "User_Account",Source_Workstation maxpause=5s

Windows - NTLM unsuccessful logins

  | ("EventCode=4776" AND Keywords="Audit Failure") OR ("EventCode=680" AND "Failure Audit") NOT (Logon_Account="*$" OR Logon_account="*$")
  | eval "User Account" = coalesce(Logon_Account,Logon_account)

Windows - Process Activity

  EventCode="592" OR EventCode=4688 NOT User="SYSTEM" NOT User="NETWORK SERVICE"
  | eval FileName=if(isnotnull(Image_File_Name),Image_File_Name,New_Process_Name)
  | eval finaluser=if(isnotnull(User_Name),User_Name,Account_Name)

Windows - RDP unsuccessful logins

  ( EventCode=529 Logon_Type=10 ) OR EventCode=4625 Failure
  | eval User = if(isnull(Account_Name), User_Name, mvindex(Account_Name,1))

Splunk Example Screenshots (screenshots omitted from the transcript)

   


5. Enterprise Solution: Palo Alto Traps

Issue

GIAC Enterprises is at risk for malware, according to a recent threat and risk assessment. GIAC Enterprises does leverage Microsoft’s SCEP; however, this solution only provides protection against known threats (signature based). For that reason, a more robust solution is needed that can fill the gap between a signature-based technology and a more advanced form of protection, i.e. against zero-day threats. Additionally, GIAC is looking for a way to restrict which web browsers are being used, based on the organization’s security policy.

Thesis

Based on several vendor evaluations and research, the Security Team has determined that the best enterprise endpoint protection technology would be Palo Alto Traps. Traps provides protection against exploits and unknown or zero-day malware. Not only does this technology provide what GIAC is looking for in terms of risk mitigation, it integrates into existing infrastructure with ease. This solution will be evaluated after the hardened and proposed OS is configured.

Finding

After evaluating the Windows 10 operating system, it is evident that the Operating System (OS) is lacking in terms of security and privacy. By simply configuring the system to limit the privacy exposure, the amount of outbound traffic can be drastically reduced. Furthermore, by utilizing Microsoft’s Security Compliance Manager (SCM), a group policy object can be created for an organization that can be deployed via Active Directory with ease. This is the single most significant method to reduce exposure and secure the operating system. After this has been completed, a third-party tool can be introduced that will fill the gap between policy/configuration and advanced attacks against the system. In our case, we evaluated Palo Alto Traps. This solution provides protection for unknown to little-known malware and exploits. It also has the ability to restrict processes from running if they have not been explicitly allowed (zero trust model). It is highly recommended that the OS first be locked down to the organization’s security, privacy and operational requirements. Then, the OS should be further secured by implementing a third-party tool to lock the system down further.

Evidence

5.1.1. Manual findings

Connections to login.live.com: (screenshot omitted from the transcript)

Built-in Apps connect to tile-service.weather.microsoft.com over HTTP: (screenshot omitted from the transcript)

5.1.2. System Configuration Manager

Proposed steps:

● Apply a locked-down GPO based on a manual review of the privacy settings found here: https://technet.microsoft.com/library/mt577208(v=vs.85).aspx#BKMK_DevInst

After researching Microsoft’s privacy settings in Windows 10, a good table was found showing where each of the new settings can be controlled from (table omitted from the transcript).

Based on this list, and for our lab, the settings will be controlled with a GPO first and then with the UI if needed. A table was created that further shows where these settings can be controlled via a GPO, what the privacy implications are, and what loss of functionality will take place if the settings are enabled or disabled.


5.1.3. Enable additional GPOs / privacy settings (this is how we will control the traffic):

| Setting | UI | GPO | Setting Location | Description & Privacy Implication | Loss of Feature |
|---|---|---|---|---|---|
| Cortana | | x | Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana > Disabled | Microsoft collects and uses information including your device location information and location history, contacts (People), voice input, searching history, calendar details, content and communication history from messages and apps, and other information on your device. In Microsoft Edge, Cortana collects and uses your browsing history. This information is saved on your device, in your Cortana Notebook, and in the cloud on the Bing.com dashboard. | No voice activated commands or assistance. |
| Device metadata retrieval | | x | Computer Configuration > Administrative Templates > System > Device Installation > Prevent device metadata retrieval from the Internet > Enabled | Device metadata is downloaded/pulled from the Internet | More detailed information might be lacking for installed devices. |
| Insider preview builds | | x | Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Toggle user control over Insider builds > Disable | | Prevents the downloading of bleeding edge OS from Microsoft |
| Internet Explorer (IE) | | x | Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Turn on Suggested Sites > Disabled | | Limits the amount of sites that may be suggested by a user’s search behavior. |
| IE | | x | Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar > Disabled | | Limits targeted search suggestions. |
| IE | | x | Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Turn off the auto-complete feature for web addresses > Enabled | | Autocompleting can help save time when searching. This feature would be disabled. |
| IE | | x | Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Disable Periodic Check for Internet Explorer software updates > Disabled | This setting should remain enabled if the system is managed with SCCM or another centralized patch management solution. | Can leave the browser exposed to attacks if not centrally managed. |
| IE | | x | Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Turn off browser geolocation > Enabled | | Limits apps and settings that might use geolocation. |
| Mail synchronization | x | | Settings > Accounts > Your email and accounts, remove any connected Microsoft Accounts | | |
| Microsoft Edge | | x | Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow employees to send Do Not | Browsing data and information about malicious | Auto search help functions are disabled. |

Balakrishnan, Hosburgh, Neise

Page 45: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   45    

Track headers> Enabled    Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge> Turn off address bar search suggestions> Disabled  

websites is sent back to Microsoft to assist with page prediction and SmartScreen.  

NCSI     x   Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off Windows Network Connectivity Status Indicator active tests > Enable  

  Limits the client from checking to see if the Internet is accessible.  

Offline maps  

  x   Computer Configuration > Administrative Templates > Windows Components > Maps > Turn off Automatic Download and Update of Map Data > Enable  

No setting found in our Windows 10 image.  

 

OneDrive     x   Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage > Enable  

  Users cannot use OneDrive to centrally store their files in the cloud.  

Preinstalled apps  

x     To remove the News app:  ● Right-click the app in

Start, and then click Uninstall.  

● -or-  ● Remove the app for new

user accounts. From an elevated command prompt, run the following Windows

  Limits app specific functionality such as news feeds, weather, etc.  

Balakrishnan, Hosburgh, Neise

Page 46: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   46    

PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}  

● -and-  ● Remove the app for the

current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage  

To remove the Weather app:  ● Remove the app for new

user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -

Balakrishnan, Hosburgh, Neise

Page 47: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   47    

PackageName $_.PackageName}  

● -and-  ● Remove the app for the

current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage  

To remove the Money app:  ● Right-click the app in

Start, and then click Uninstall.  

● -or-  ● Remove the app for new

user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}  

● -and-  ● Remove the app for the

current user. From an elevated command prompt, run the

Balakrishnan, Hosburgh, Neise

Page 48: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   48    

following Windows PowerShell command: Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage  

To remove the Sports app:  ● Right-click the app in

Start, and then click Uninstall.  

● -or-  ● Remove the app for new

user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}  

● -and-  ● Remove the app for the

current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage  

To remove the Twitter app:  ● Right-click the app in

Balakrishnan, Hosburgh, Neise

Page 49: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   49    

Start, and then click Uninstall.  

● -or-  ● Remove the app for new

user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}  

● -and-  ● Remove the app for the

current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage *.Twitter | Remove-AppxPackage  

To remove the XBOX app:  ● Remove the app for new

user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object

Balakrishnan, Hosburgh, Neise

Page 50: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   50    

{$_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}  

● -and-  ● Remove the app for the

current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage  

To remove the Sway app:  ● Right-click the app in

Start, and then click Uninstall.  

● -or-  ● Remove the app for new

user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName

Balakrishnan, Hosburgh, Neise

Page 51: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   51    

$_.PackageName}  ● -and-  ● Remove the app for the

current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage  

To remove the OneNote app:  ● Remove the app for new

user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}  

● -and-  ● Remove the app for the

current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage  

Balakrishnan, Hosburgh, Neise

Page 52: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   52    

To remove the Get Office app:  ● Right-click the app in

Start, and then click Uninstall.  

● -or-  ● Remove the app for new

user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}  

● -and-  ● Remove the app for the

current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage  

To remove the Get Skype app:  ● Right-click the Sports

app in Start, and then click Uninstall.  

● -or-  ● Remove the app for new

user accounts. From an

Balakrishnan, Hosburgh, Neise

Page 53: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   53    

elevated command prompt, run the following Windows PowerShell command: Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName}  

● -and-  ● Remove the app for the

current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage  

 

Settings > privacy  

         

General     x   Computer Configuration > Administrative Templates > System > User Profiles > Turn off the advertising ID > Enabled  

   

Location     x   Computer Configuration > Administrative Templates > Windows Components > Location and Sensors > Turn off location > Enabled  

   

Balakrishnan, Hosburgh, Neise

Page 54: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   54    

Camera     x   Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access the camera > Disabled  

This setting was not found in our image; however, it might be a good idea to disable in a secure environment.  

App functionality might be reduced if it relies on a camera.  

Microphone  

  x   Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access the microphone > Disabled  

This setting was not found in our image; however, it might be a good idea to disable in a secure environment.  

App functionality might be reduced if it relies on a camera.  

Speech, inking, & typing  

  x   Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Handwriting personalization > Turn off automatic learning > Enabled  

  Limits app customization because it cannot learn behavior.  

Account info  

  x   Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access account information > Set the Select a setting box to Force Deny  

   

Contacts     x   Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access contacts > Disabled  

   

Calendar     x   Computer Configuration >    

Balakrishnan, Hosburgh, Neise

Page 55: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   55    

Administrative Templates > Windows Components > App Privacy > Let Windows apps access the calendar > Set the Select a setting box to Force Deny  

Messaging     x   Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access messaging > Set the Select a setting box to Force Deny  

   

Radios     x   Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps control radios > Set the Select a setting box to Force Deny  

   

Other devices  

  x   Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access trusted devices > Set the Select a setting box to Force Deny  

   

Feedback & diagnostics  

  x   Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Do not show feedback notifications > Enabled  

   

Background apps  

x     Turn off the feature in the UI for each app  

   

Software Protection Platform  

  x   Computer Configuration > Administrative Templates > Windows Components >

This setting sends Key Management

Limits the client's ability to

Balakrishnan, Hosburgh, Neise

Page 56: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   56    

Software Protection Platform > Turn off KMS Client Online AVS Activation > Enabled  

Service (KMS) client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.  

activate.  

Sync your settings  

  x   Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync > Enabled  

  Settings are not synced with any other devices.  

Teredo       netsh interface teredo set state disabled  

  Limits the system’s ability to communicate with IPv6 devices.  

Wi-Fi Sense  

  x   Computer Configuration > Administrative Templates > SCM: Wi-Fi Sense > Disable Wi-Fi Sense > Enabled  

  Removes the ability to enumerate and connect to WiFi discovered to be used by the user’s contacts.  

Balakrishnan, Hosburgh, Neise

Page 57: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   57    

Windows Defender  

  x   Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS > Join Microsoft MAPS > Disabled  

Depending on the organization’s privacy policy, it might be worth considering enabling this to share threat/virus detection info with Microsoft.  

Limits the system’s ability to share virus information with Microsoft.  

Windows Media Player  

x     From the Programs and Features control panel, click Turn Windows features on or off, under Media Features, clear the Windows Media Player check box, and then click OK  

  Limits the ability for users to leverage the built-in media player.  

Windows spotlight  

  x   Computer Configuration > Administrative Templates > Control Panel > Personalization > Force a specific default lock screen image > Enabled  

● Add a location in the Path to local lock screen image box.  

 

  Limits the user’s ability to customize a lock screen image.  

Windows Store  

  x   Computer Configuration > Administrative Templates > Windows Components > Store > Disable all apps from Windows Store > Enabled  

This setting was not found on the image we were working with. If the endpoint is in an enterprise or managed

Limits the ability for the apps to contact the Windows Store for updates.  

Balakrishnan, Hosburgh, Neise

Page 58: Securing the GIAC Enterprise Endpoint · PDF fileSecuring the GIAC Enterprise Endpoint ISE/M 6100 – Security Project Practicum ... A VyOS VM was used to provide routing for the Windows

 

Lab Notebook   58    

by SCCM, the store should be disabled to help keep tabs on what applications are installed. For individual deployments, this could be left enabled.  

WU Delivery Optimization  

  x   Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > None  

Setting was not found in the modern.ie image. This depends on the environment, but if at an enterprise, it might make more sense to centrally manage--however, this setting could cut down on bandwidth requirements.  

The ability rapidly download and install updates is impacted.  

Windows Update  

    Computer Configuration > Administrative Templates > Windows Components > Do not connect to any Windows Update Internet locations > Enabled  

This setting depends on the environment and whether or not the systems are centrally managed.  
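The script below is an added example, not part of the lab notebook. It turns the table into a check: Test-PrivacyPolicy reads the policy registry values that a sample of the GPO rows write and reports PASS/FAIL, and Remove-ListedApp wraps the per-app removal commands from the Preinstalled apps row in one function with -WhatIf support. The registry path/value mapping is my assumption from the ADMX definitions (the notebook does not state it); the package name patterns are the ones the table lists.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the lab notebook. Registry paths/values are assumed
# from the ADMX policy definitions; confirm them against the ADMX files shipped
# with your Windows 10 build before relying on the result.

# Subset of the table's GPO rows and the policy registry value each one writes.
$PolicyChecks = @(
    @{ Name = 'Allow Cortana > Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Value = 'AllowCortana'; Expected = 0 }
    @{ Name = 'Prevent device metadata retrieval from the Internet > Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'
       Value = 'PreventDeviceMetadataFromNetwork'; Expected = 1 }
    @{ Name = 'Turn off the advertising ID > Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
       Value = 'DisabledByGroupPolicy'; Expected = 1 }
    @{ Name = 'Turn off location > Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
       Value = 'DisableLocation'; Expected = 1 }
    @{ Name = 'Turn off NCSI active tests > Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
       Value = 'NoActiveProbe'; Expected = 1 }
    @{ Name = 'Prevent the usage of OneDrive for file storage > Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
       Value = 'DisableFileSyncNGSC'; Expected = 1 }
    @{ Name = 'Join Microsoft MAPS > Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
       Value = 'SpynetReporting'; Expected = 0 }
    @{ Name = 'Do not connect to any Windows Update Internet locations > Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Value = 'DoNotConnectToWindowsUpdateInternetLocations'; Expected = 1 }
)

function Test-PrivacyPolicy {
    # One result object per row; a value that is missing entirely is a FAIL,
    # because it means the GPO never applied (or the ADMX mapping differs).
    foreach ($check in $PolicyChecks) {
        $actual = $null
        if (Test-Path -Path $check.Path) {
            $item = Get-ItemProperty -Path $check.Path -Name $check.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($check.Value) }
        }
        $status = if ($null -ne $actual -and $actual -eq $check.Expected) { 'PASS' } else { 'FAIL' }
        $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{ Setting = $check.Name; Expected = $check.Expected; Actual = $shown; Status = $status }
    }
}

function Remove-ListedApp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Package names from the Preinstalled apps row. A trailing wildcard is added
        # when matching PackageName, because the provisioned name carries a version
        # suffix (e.g. Microsoft.BingNews_<version>_neutral_~_<publisherid>).
        [string[]]$Patterns = @('Microsoft.BingNews', 'Microsoft.BingWeather', 'Microsoft.BingFinance',
                               'Microsoft.BingSports', '*.Twitter', 'Microsoft.XboxApp', 'Microsoft.Office.Sway',
                               'Microsoft.Office.OneNote', 'Microsoft.MicrosoftOfficeHub', 'Microsoft.SkypeApp')
    )
    foreach ($pattern in $Patterns) {
        # Provisioned copies are what every new user account receives at first logon.
        $provisioned = Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "$pattern*" }
        foreach ($pkg in $provisioned) {
            if ($PSCmdlet.ShouldProcess($pkg.PackageName, 'Remove provisioned package')) {
                Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
            }
        }
        # Installed copies for the current user (Get-AppxPackage -Name accepts wildcards).
        foreach ($pkg in (Get-AppxPackage -Name $pattern)) {
            if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove installed package')) {
                Remove-AppxPackage -Package $pkg.PackageFullName
            }
        }
    }
}

# Report first; review the -WhatIf list before running Remove-ListedApp for real.
Test-PrivacyPolicy | Format-Table -AutoSize
Remove-ListedApp -WhatIf
```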

 

 


5.1.4. Further Control the Traffic by Proposed Solution (Traps)

Diagram:

Verifying that the agent is checking in for the correct test system. Examining the enabled exploit prevention policies.

Verifying the WildFire policy. NOTE: After applying the WildFire Policy, Google Chrome would not launch.

 

   

Verifying the Restrictions Policy is set.

Verifying that the Protection Policy is set.

Showing the hunting and forensics capabilities.


5.1.5. PCAP Analysis

 


 

5.1.6. Overall Recommendation

Traps for the GIAC Enterprise is necessary because it will help address unknown malware and exploit attempts against the organization. This will be valuable after all of the other configuration settings (hardening) have been applied to the system. Based on the risk assessment, this additional layer of protection is highly recommended.

6. 3rd Party Applications

Issue: Modifications to the GPO can be effective in mitigating information that Microsoft transmits with or without user knowledge; however, these changes would not prevent 3rd party applications from transmitting similar data.

Thesis: Installation of a 3rd party application to more effectively manage Windows Firewall settings

Finding:

Evidence:

6.1.1. Windows Firewall Notifier

Windows Firewall Notifier (WFN) is a 3rd party application that monitors all outbound and inbound traffic from the Windows 10 host. WFN will block any application's outbound traffic that is not already specifically allowed in the firewall configuration. WFN is free for use and supports Windows 10.

Although there is not much ability to customize the features of WFN, it appears to be effective in mitigating unwanted outbound traffic from 3rd party applications on the host.

NOTE: WFN prevented Google Chrome from communicating until it was added to the ruleset.

   

 

6.1.2. Windows Firewall Control

Windows Firewall Control (WFC) is very similar to WFN in that it is a free 3rd party application that provides additional functionality and security when compared to the default Windows Firewall.

However, as shown in the screen captures below, WFC has a significantly more robust feature set when compared to WFN. With WFC a user can save and export application settings for WFC as well as the customized firewall rule set within WFC.

     


   

6.1.3. Adblocker

After completing the initial testing and analysis with WFN and WFC, it was observed that there were still an abnormally high number of unique domains and IPs in the outbound traffic. An additional testing run was conducted with WFC and the desired GPO in place to determine the effectiveness and need for ad blocking software within the browser. For this test, uBlock Origin was installed and enabled within the Google Chrome browser and the test procedure was repeated, with the exception of browsing to sites from the Edge browser. As shown below, the combination of WFC and uBlock is an effective choice for minimizing unwanted outbound connections.
