The forgotten fruits of securing your Windows 10 Endpoint

The forgotten fruits of securing your Windows 10 Endpoint

Step 1: Least Privilege (No local admin)  

*ONLY using Autopilot? You also denied the registering personal devices? Good, if not… You need a solution to make sure your users are not admins.  

Step 2: Applocker 

*Nice…  users are no longer admins. Why not implement an Applocker policy? 

Step 3: Bitlocker 

*Make sure you enable Bitlocker. You can do this through the Intune portal or with a custom made Intunewin app based on a PowerShell script. Your choice…  

Step 4: Windows Defender with ASR rules (Got money? Enable Windows Defender ATP) 

*Please turn on Windows Defender and configure the ASR Rules.  You can automate the deployment like I did with the Applocker policy. 

Step 5: Baseline policies 

*Take a look at the baseline policies in Intune. It is easy to implement, and if you’d like to dig a little deeper you can create your own baseline with a PowerShell script.  I find it easier to read than the baseline policy and not all security configs exist in the Intune baseline policy. 


#Harden lsass to help protect against credential dumping (mimikatz) and audit lsass access requests
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" /v AllowProtectedCreds /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f

#Disables DNS multicast
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f

#Disable anonymous access to named pipes/shared, anonymous enumeration of SAM accounts, non-admin remote access to SAM
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v TokenLeakDetectDelaySecs /t REG_DWORD /d 30 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictRemoteSAM /t REG_SZ /d "O:BAG:BAD:(A;;RC;;;BA)" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f

#Enable PowerShell Logging
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f

#Disable autorun/autoplay on all drives
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f

Step 6: Windows Firewall 

*Turning on the Windows Firewall is always a good thing. You could configure it with Intune. Just make sure you are blocking these executables who want to go outbound. Again, through a PowerShell script. 

#firewall Rules
Netsh.exe advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\system32\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\system32\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\system32\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\system32\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\system32\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\system32\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block rundll32 netconns" program="%systemroot%\system32\rundll32.exe" protocol=tcp dir=out enable=yes action=block profile=any

Step 7: Windows Hello  

*Easy to turn on… I recommend requiring users to use at least a device pin instead of their password. 

Step 8: Windows 10 Update 

*Windows has to be kept up to date, go configure Windows 10 update for business within Intune. 

Step 9: Office  365 Apps Security 

*Don’t forget about the macro’s and file type settings in Office. If like me, you didn’t know why blocking DIF and Sylk files is necessary. Take a look at this blog from Outflank https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/. They do a very good job at explaining why this is important. 

Step 10: OneDrive KFM 

*Onedrive KFM is a nice solution to make sure your documents and desktop are silently redirected to your onedrive account. Your data is also protected against ransomware.  


Step 11: Chocolatey  

*Did you think about patching third-party apps? Use Chocolatey (or Winget… but it does not have an automatic upgrade function). Very good… your third-party apps will be up to date forever. 

Invoke-Expression ((New-Object net.webclient).DownloadString('https://chocolatey.org/install.ps1')) -ErrorAction Stop
$ChocoPackages = @(“jre8”,"adobereader","7zip.install")
$chocoinstall = Get-Command -Name 'choco' -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Select-Object -ExpandProperty Source
foreach($Package in $ChocoPackages) {
     try {
         Invoke-Expression “cmd.exe /c $ChocoInstall Install $Package -y” -ErrorAction Stop
     }
     catch {
         Throw “Failed to install $Package”
     }
}
##Create A scheduled task to Update all packages each day at 12:00
choco install choco-upgrade-all-at --params "'/DAILY:yes /TIME:12:00 /ABORTTIME:14:00'"  -y

Step 12: Audit Logging 

*Did you increase the Security/System/Application event log size? And are you auditing everything you need to know? 

Step 13: Laps 

*Have you thought about implementing LAPS? I will show you a quick and dirty way to deploy is.

Conclusion: 

You have to take a few steps… but your endpoint has to be secure. It can be much work if you need to configure all these settings in your tenant. Guess what? All these steps can be done within a few seconds. I’ll show you how in my next blog! 

Leave a Reply

Your email address will not be published. Required fields are marked *

  +  87  =  91