Hardening the Modern Windows Client Let s NOT break it this time

Transcription

1 Hardening the Modern Windows Client Let s NOT break it this time Raymond P.L. Comvalius

2 Raymond Comvalius IT Infra Architect/Trainer MVP Windows IT Pro Zelfstandig sinds 1998

3 Agenda History of Hardening Windows Modern desktops with modern challenges Old fashioned hardening Modern hardening Conclusions

4 History of Hardening Windows

5 How it all started Windows NT C2 Classification Security Guidance by NSA and others Trustworthy Computing Microsoft Security Guidance High Security became SSLF (Specialized Security Low Functionality)

6 INTELLIGENCE

7 ATTACK VECTORS Attack the applications and infrastructure Attack the Human

8 Hardening Mishaps of the past Replace all ACLs Removing Control Panel items Disable right-click anywhere Disable Command Prompt Disable RegEdit Disable InPrivate Mode "Tightening" a security setting doesn't always lead to better security

9 Some old rules still apply The most secure environments follow the least privilege principle

10 UAC was NOT the answer Elevating standard user to admin requires an exploitable bug User Account Control will NOT save you from elevation User Account Control is NOT a security boundary

11 UAC Enable UAC for built-in Administrator Enable UAC for local accounts on network logon Don t even think of disabling UAC

12 Old measures that still apply - Disk Encryption (BitLocker) - Account Lockout - Disable LM (default)

13 New measures but not modern Disable NetBIOS over TCP/IP Disable linking Microsoft Accounts Disable new DMA devices when this computer is locked (fixed in 1803) Disable SMBv1

14 SMB v1 Client and Server parts not in Windows 10 Enterprise/Education since version 1709 Server not in default install of Windows 10 Home/Professional since version 1709 Client uninstalls on Windows 10 Home/Professional when not used for 15 days after upgrade or clean install

15 Discussion Items Storing Network Credentials AutoPlay Sleep/Hibernate Remote Desktop Remote Assistance Telemetry

16 Modern Hardening

17 Windows is Secure by Default So Don t: Change default ACLs Change User Rights Assignments Replace system components Turn off security features

18 WINDOWS 7 SECURITY FEATURES Device protection Threat resistance Identity protection Information protection Breach detection investigation & response PRE-BREACH POST-BREACH

19 WINDOWS 10 SECURITY FEATURES Device protection Threat resistance Identity protection Information protection Breach detection investigation & response PRE-BREACH POST-BREACH

20 Windows Hello The power of PIN

21 Windows Hello for Business

22 Windows N-Factor N-Factor Second Factor Windows Hello Biometric Windows Hello Biometric First Factor or PIN or PIN or or Companion Devices Companion Devices Private keys secured in TPM

23 OFF MACHINE End to End Protection PRE-BREACH ON MACHINE POST- BREACH OFF MACHINE O365 ( ) Reducing attack vector Advanced sandbox detonation Exploit mitigation Edge (Browser) Browser hardening Reduce script based attack surface App container hardening Reputation based blocking for downloads Windows Defender Exploit Guard (HIPS) Attack Surface Reduction Set of rules to customize the attack surface Controlled Folder Access Protecting data against access by untrusted process Exploit Protection Mitigations against exploits Network Protection Blocking outbound calls to low rep sources Locked down device (Hardened platform) Windows 10S Device Guard App Guard (Virtualized base security) App isolation Application Control (Whitelist Executables) Only allowed apps can run Windows Defender Antivirus (AV) Improved ML and heuristic protection Instantly protected with the cloud Enhanced Exploit Kit Detections AntiMalware Scan Interface (Script based detection) Improved detection script based attacks AMSI for VBS/JS script runtime Windows Defender Antivirus behavioral engine (Behavior Analysis) Enhanced behavioral and machine learning detection library Process tree visualizations Artifact searching capabilities Memory scanning capabilities Windows Defender ATP (Advanced Threat Protection) Enhanced behavioral and machine learning detection library Process tree visualizations Artifact searching capabilities Machine Isolation and quarantine One Drive (Cloud Storage) Reliable versioned file storage in the cloud Point in time file recovery

24 Virtualization Based Security Apps Windows Platform Services DEVICE GUARD Credential GUARD Trustlet #3 Kernel Kernel Windows Operating System SystemContainer Hyper-V Hyper-V Hypervisor Device Hardware

25 Device Guard vs AppLocker Functionally they look alike a little bit Device Guard User Mode & Kernel Mode System-wide Admin cannot circumvent Admin cannot always disable Requires specific hardware AppLocker User Mode User/Group addressable Admin can circumvent Admin can always disable Runs on all Windows hardware

26 OFF MACHINE End to End Protection PRE-BREACH ON MACHINE POST- BREACH OFF MACHINE O365 ( ) Reducing attack vector Advanced sandbox detonation Exploit mitigation Edge (Browser) Browser hardening Reduce script based attack surface App container hardening Reputation based blocking for downloads Windows Defender Exploit Guard (HIPS) Attack Surface Reduction Set of rules to customize the attack surface Controlled Folder Access Protecting data against access by untrusted process Exploit Protection Mitigations against exploits Network Protection Blocking outbound calls to low rep sources Locked down device (Hardened platform) Windows 10S Device Guard App Guard (Virtualized base security) App isolation Application Control (Whitelist Executables) Only allowed apps can run Windows Defender Antivirus (AV) Improved ML and heuristic protection Instantly protected with the cloud Enhanced Exploit Kit Detections AntiMalware Scan Interface (Script based detection) Improved detection script based attacks AMSI for VBS/JS script runtime Windows Defender Antivirus behavioral engine (Behavior Analysis) Enhanced behavioral and machine learning detection library Process tree visualizations Artifact searching capabilities Memory scanning capabilities Windows Defender ATP (Advanced Threat Protection) Enhanced behavioral and machine learning detection library Process tree visualizations Artifact searching capabilities Machine Isolation and quarantine One Drive (Cloud Storage) Reliable versioned file storage in the cloud Point in time file recovery

27 Windows Defender AV Enhanced or new functionalities à à à à Limited Periodic scanning Enhanced Notifications Improved Adware Protection Client side ML Collect at First Sight, Block at Second Sight à à Cloud ML Improved Block at First Site à à Enhanced client sample collection Improved client whitelisting

28 PowerShell Tool for Hacking and Management AMSI (Anti Malware Scan Interface) Enable PowerShell Script Block Logging Execution policy is NO security boundary PowerShell Constrained Language Mode

29 OFF MACHINE End to End Protection PRE-BREACH ON MACHINE POST- BREACH OFF MACHINE O365 ( ) Reducing attack vector Advanced sandbox detonation Exploit mitigation Edge (Browser) Browser hardening Reduce script based attack surface App container hardening Reputation based blocking for downloads Windows Defender Exploit Guard (HIPS) Attack Surface Reduction Set of rules to customize the attack surface Controlled Folder Access Protecting data against access by untrusted process Exploit Protection Mitigations against exploits Network Protection Blocking outbound calls to low rep sources Locked down device (Hardened platform) Windows 10S Device Guard App Guard (Virtualized base security) App isolation Application Control (Whitelist Executables) Only allowed apps can run Windows Defender Antivirus (AV) Improved ML and heuristic protection Instantly protected with the cloud Enhanced Exploit Kit Detections AntiMalware Scan Interface (Script based detection) Improved detection script based attacks AMSI for VBS/JS script runtime Windows Defender Antivirus behavioral engine (Behavior Analysis) Enhanced behavioral and machine learning detection library Process tree visualizations Artifact searching capabilities Memory scanning capabilities Windows Defender ATP (Advanced Threat Protection) Enhanced behavioral and machine learning detection library Process tree visualizations Artifact searching capabilities Machine Isolation and quarantine One Drive (Cloud Storage) Reliable versioned file storage in the cloud Point in time file recovery

30 Attack Surface Reduction Very useful to protect from script/macro attacks Blocks executable content from macros Blocks obfuscated scripts Runs in all Windows 10 SKUs Requires Windows Defender AV Works best with Windows Defender ATP

31 Configuring Attack Surface Reduction Configure from: MDM Group Policy Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access Configure Controlled Folder Access PowerShell Set-MpPreference - AttackSurfaceReductionRules_Ids {GUID} - AttackSurfaceReductionRules_Actions [Enabled/Disabled/AuditMode]

32 Process Mitigation in Windows 10 Force OS mitigations on existing applications Usually applied by the developer Previously done by EMET Utilizes the Application Compatibility Framework

33 Process Mitigations Windows Defender is not required! Windows Defender Security Center UI PowerShell Option to import EMET settings Export to XML for: Group Policy Mobile Device Management Configuration Manager

34 Controlled Folder Access Very useful to protect from ransomware Blocks suspicious programs from writing in protected folders Runs in all Windows 10 SKUs Requires Windows Defender AV Works best with Windows Defender ATP

35 Configuring Controlled Folder Access Configure from: Windows Defender Security Center app Group Policy Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access Configure Controlled Folder Access PowerShell Set-MpPreference -EnableControlledFolderAccess Enabled

36 Windows Defender Network Protection Like Smartscreen beyond IE and Edge Blocks applications from accessing suspicious locations over http and https Runs on all Windows 10 SKUs Requires Windows Defender AV

37 OFF MACHINE End to End Protection PRE-BREACH ON MACHINE POST- BREACH OFF MACHINE O365 ( ) Reducing attack vector Advanced sandbox detonation Exploit mitigation Edge (Browser) Browser hardening Reduce script based attack surface App container hardening Reputation based blocking for downloads Windows Defender Exploit Guard (HIPS) Attack Surface Reduction Set of rules to customize the attack surface Controlled Folder Access Protecting data against access by untrusted process Exploit Protection Mitigations against exploits Network Protection Blocking outbound calls to low rep sources Locked down device (Hardened platform) Windows 10S Device Guard App Guard (Virtualized base security) App isolation Application Control (Whitelist Executables) Only allowed apps can run Windows Defender Antivirus (AV) Improved ML and heuristic protection Instantly protected with the cloud Enhanced Exploit Kit Detections AntiMalware Scan Interface (Script based detection) Improved detection script based attacks AMSI for VBS/JS script runtime Windows Defender Antivirus behavioral engine (Behavior Analysis) Enhanced behavioral and machine learning detection library Process tree visualizations Artifact searching capabilities Memory scanning capabilities Windows Defender ATP (Advanced Threat Protection) Enhanced behavioral and machine learning detection library Process tree visualizations Artifact searching capabilities Machine Isolation and quarantine One Drive (Cloud Storage) Reliable versioned file storage in the cloud Point in time file recovery

38 Edge for Secure Browsing Microsoft Edge is the most secure browser Microsoft has ever shipped Tactics Objective Strategy Eliminate vulnerabilities before attackers can find them Keep our customers safe when browsing the web à Make it difficult and costly for attackers to find and exploit vulnerabilities in Microsoft Edge à Break exploitation techniques used by attackers Contain the damage when vulnerabilities are discovered Prevent navigation to known exploit sites

39 HARDWARE ISOLATION WITH WINDOWS DEFENDER APPLICATION GUARD Microsoft Edge Apps Windows Platform Services Windows Platform Services Critical System Processes Kernel Windows Defender Application Guard Container Kernel Windows Operating System Kernel System Container Hyper-V Hyper-V Hypervisor Device Hardware

40

41

42 There is so much more

43 Links Windows Security Baselines Unintended consequences of Security Lockdowns Microsoft Compliance Toolkit Windows 10 Hardening Australia

44 16:15 17:15 Multi-Factor Authentication, wie ben je nu helemaal? Sander Berkouwer