Awesome Windows Domain Hardening

A curated list of awesome Security Hardening techniques for Windows.

Created by gepeto42 and PaulWebSec but highly inspired from PyroTek3 research!

Summary

This document summarizes the information related to Pyrotek and Harmj0y's DerbyCon talk called "111 Attacking EvilCorp Anatomy of a Corporate Hack". Video and slides are available below.

Something's missing? Create a Pull Request and add it.

Initial foothold

Deploy EMET to Workstations (End of line in July 2018)
Use AppLocker to block exec content from running in user locations (home dir, profile path, temp, etc).
Manage PowerShell execution via Applocker or constrained language mode.
Enable PowerShell logging (v3+) & command process logging.
Block Office macros (Windows & Mac) where possible.
Deploy security tooling that monitors for suspicious behavior
Limit capability by blocking/restricting attachments via email/download:
- Executables extensions:
- (ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif, etc.)
- Office files that support macros (docm, xlsm, pptm, etc.)
Change default program for anything that opens with Windows scripting to notepad (test first!)
- bat, js, jse, vbe, vbs, wsf, wsh, etc.

Reconnaissance

Deploy Windows 10 and limit local group enumeration.
Limit workstation to workstation communication.
Increase security on sensitive GPOs.
Evaluate deployment of behavior analytics (Microsoft ATA).

Lateral movement

Configure GPO to prevent local accounts from network authentication (KB2871997).
Ensure local administrator account passwords are automatically changed (Microsoft LAPS) & remove extra local admin accounts.
Limit workstation to workstation communication (Windows Firewall).

Privilege escalation

Remove files with passwords in SYSVOL (including GPP).
Ensure admins don’t log onto untrusted systems (regular workstations).
Use Managed Service Accounts for SAs or ensure SA passwords are >25 characters (FGPP)
Ensure all computers are talking NTLMv2 & Kerberos, deny LM/NTLMv1.

Protect Administration Credentials

Ensure all admins only log onto approved admin workstations & servers.
Add all admin accounts to Protected Users group (requires Windows 2012 R2 DCs).
Admin workstations & servers:
- Control & limit access to admin workstations & servers.
- Remove NetBIOS over TCP/IP
- Disable LLMNR.
- Disable WPAD.

Strengthen/Remove Legacy

Audit/Restrict NTLM.
Enforce LDAP signing.
Enable SMB signing (& encryption where poss.).
Disable WPAD & LLMNR & work to disable NetBIOS.
Windows 10, remove:
- SMB 1.0/CIFS
- Windows PowerShell 2.0

Tools

Responder - A LLMNR, NBT-NS and MDNS poisoner
BloodHound - Six Degrees of Domain Admin
PowerSploit - A PowerShell Post-Exploitation Framework
PowerView - Situational Awareness PowerShell framework
Empire - PowerShell and Python post-exploitation agent
Mimikatz - Utility to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory but also perform pass-the-hash, pass-the-ticket or build Golden tickets
Tools Cheatsheets - (Beacon, PowerView, PowerUp, Empire, ...)
UACME - Defeating Windows User Account Control
Windows System Internals - (Including Sysmon etc.)

Videos

Slides

Additional resources

ADSecurity
Harmj0y's blog
Sysmon SecuriTay's configuration file - template with default high-quality event tracing
Explaining and adapting Tay’s Sysmon configuration
Use of PSExec

README.md Unescape Escape