
Easy security hardening tips and tricks thread


jubjub


8 hours ago, MalwareTech said:

Use non standard ports for service. A lot of people consider it security through obscurity, but you cut down on background noise from internet scanners and may also be saved from mass exploitation in the event of a vulnerability. 

This right here and then bitch and moan at clients/companies that use software that might be hard coded for port 22 instead of making the port number a user variable.


1 hour ago, arcsinx said:

Oh really? Is there some trick to this or did I miss some news? Last I heard it still required the Pro upgrade.

For Home versions it requires logging in with a Microsoft account.

Pro (or Enterprise / EDU) is still required if you want to use a local account.

It's stupid and annoying... just like all the arbitrary restrictions on the "Home" SKUs (and the fact you can't actually just buy legit Enterprise or EDU SKUs without big multi-user agreements).


For Windows I consider these things worth checking out (some were already mentioned):

  • Microsoft Attack Surface Reduction rules - these are great for hardening when deployed through GPO; audit mode is a friend.
  • Canarytokens - great service, you can even host your own instance if needed; some of my favourites are the Sensitive command token and the AWS key.
  • Task Scheduler Event 4698 - if I had to choose only one event log to monitor it would be Scheduled Task creation. I can't remember the last time I saw a Windows incident that didn't include the task scheduler.
  • runZero starter tier (previously Rumble) - I haven't used this one in some time, but if you are struggling with asset discovery it's worth checking out; hard to protect assets you don't know about.

This is however very dependent on your environment. It can get you far if you are an SMB with no dedicated security staff and 0 budget, where sysadmins have to do the security work whether they like it or not. You'll have to tune the settings a bit, but it doesn't take that much time. You have a relatively small number of machines and the users probably have very similar needs.

Deploy ASR rules or Sensitive command canary token blindly in an enterprise environment and you are going to have a bad time.

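As an added example (not code from the post above), one way to act on Event 4698 monitoring: a Python parser that pulls the creator, task name and Exec actions out of the event's XML and flags tasks that run from user-writable paths. The event and task XML are constructed samples in the Security log's real shape, and the path list is an assumption to tune per environment.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Assumed starting list of locations a freshly registered task rarely has a reason to run from.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                 "%temp%", "%appdata%", "%localappdata%", "%public%")


def parse_4698(event_xml: str) -> dict:
    """Pull who registered what out of a 4698 (scheduled task created) event."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext(f"{EVT}System/{EVT}EventID")
    if event_id != "4698":
        raise ValueError(f"expected EventID 4698, got {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT}Data")}
    # TaskContent holds the whole task definition XML, escaped inside the event.
    # Real events carry a UTF-16 declaration that expat rejects on a str, so drop it first.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    actions = []
    for ex in ET.fromstring(task_xml).iter(f"{TASK}Exec"):
        cmd = (ex.findtext(f"{TASK}Command") or "").strip()
        args = (ex.findtext(f"{TASK}Arguments") or "").strip()
        actions.append((cmd, args))
    return {"computer": root.findtext(f"{EVT}System/{EVT}Computer"),
            "creator": f'{data.get("SubjectDomainName", "")}\\{data.get("SubjectUserName", "")}',
            "task": data.get("TaskName", ""), "actions": actions}


def suspicious(parsed: dict) -> list:
    """Return the actions whose command or arguments point into a user-writable path."""
    return [(cmd, args) for cmd, args in parsed["actions"]
            if any(p in f"{cmd} {args}".lower() for p in USER_WRITABLE)]


def build_sample_4698(task_name: str, user: str, command: str, arguments: str) -> str:
    """Constructed sample event (not captured from a host) in the Security log's XML shape."""
    task_def = ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
                f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4698</EventID><Computer>WS01.corp.example</Computer></System>'
            f'<EventData><Data Name="SubjectUserName">{escape(user)}</Data>'
            '<Data Name="SubjectDomainName">CORP</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_def)}</Data></EventData></Event>')
```

Feed it the XML from `Get-WinEvent` (or your SIEM's raw event field) and alert on a non-empty `suspicious()` result; the hit list is a first filter, not a verdict.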

If using Exchange Online, you can utilize mail flow rules to stop or alert on some common email threats. No E5 or MDO required. Rules to quarantine attachments with executable content or specific file extensions (e.g. lnk, iso) help quite a bit and weren't enabled by default where I work. That includes if the file is in a zip archive at least a few layers deep. We also set up a rule to BCC us on any emails with password protected attachments that aren't quarantined.

You can get really fancy with them, but just those two help quite a bit.

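As an added example (not code from the post above or from Exchange Online), the attachment check described there re-created in Python: it walks a zip a few layers deep, reports entries with executable or lnk/iso extensions, and flags password-protected entries separately since those cannot be inspected. The extension list and depth limit are assumptions, and the sample attachment is constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the quarantine rule should catch: executable content plus lnk/iso as in the post,
# extended with a few common script droppers. Assumed list, align it with your own rule.
BLOCKED = {".exe", ".dll", ".scr", ".com", ".lnk", ".iso", ".img", ".vbs", ".js",
           ".hta", ".bat", ".cmd", ".ps1"}
MAX_DEPTH = 4  # zip-in-zip layers to open before treating the nesting itself as a finding


def scan_zip(blob: bytes, depth: int = 0, prefix: str = "") -> list:
    """Walk a zip attachment and return [(path, reason)] for every entry that should trip a rule."""
    if depth > MAX_DEPTH:
        return [(prefix or "<root>", "nesting deeper than policy allows")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [(prefix or "<root>", "not a readable zip")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            ext = PurePosixPath(info.filename.lower()).suffix
            if info.flag_bits & 0x1:  # encrypted entry: contents cannot be inspected, so alert
                findings.append((path, "password-protected entry"))
            elif ext in BLOCKED:
                findings.append((path, f"blocked extension {ext}"))
            elif ext == ".zip":
                findings.extend(scan_zip(zf.read(info), depth + 1, path + "/"))
    return findings


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sample_phish() -> bytes:
    """Constructed sample: a 'report' zip hiding a .lnk three layers down."""
    inner2 = make_zip({"invoice.lnk": b"L\x00\x00\x00"})
    inner1 = make_zip({"docs/inner2.zip": inner2, "readme.txt": b"see docs"})
    return make_zip({"report.pdf": b"%PDF-1.4 (placeholder)", "inner1.zip": inner1})
```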

Disable mounting of ISO/IMG files via double-click. We've been seeing a ton of ISOs disguised as other files in attachments housing malicious LNK files, so you can defeat a lot of modern phishing attacks this way. Most people that actually need to mount an ISO/IMG should know or be able to figure out how to use the command line to do it, so it shouldn't have a huge impact on operations.

Obviously follow change management procedures just in case.


On 11/5/2022 at 2:53 PM, MalwareTech said:

Use non standard ports for service. A lot of people consider it security through obscurity, but you cut down on background noise from internet scanners and may also be saved from mass exploitation in the event of a vulnerability. 

Also applies to web apps (e.g. WordPress wp-admin to something else etc.)


On 11/5/2022 at 7:08 PM, SabreWolfy said:

Use ssh keys for login authentication instead of passwords.

+1.. use yubikey or similar alternatives as well


On 11/5/2022 at 10:27 PM, sianemo said:

This is really basic, but befits the thread: in a corporate environment you should enforce MFA on your users, and if policy allows, prohibit the use of SMS based MFA.

Also, in 365 specifically disallow Windows Hello face authentication. Windows Hello face authentication has been fooled before by security researchers ( https://www.engadget.com/cyber-ark-microsoft-windows-hello-trick-173547832.html ) and, in my experience, has a high failure rate on legitimate attempts.

I personally love to use it, but for companies it is not working that great. MFA with most people is like adding a second lock to a door but forgetting to lock it. The problem is that the casual user is not willing to spend time on security; they will use the weakest password and use it everywhere. That's why MFA fatigue works so well.


As I see, no one has mentioned this till now:

group Managed Service Accounts - use gMSA wherever possible as service accounts

Secure group managed service accounts - Microsoft Entra | Microsoft Learn

These are user accounts where Active Directory rotates the password in the background and only specified computers can retrieve the password for the user.

It automates, e.g., the shitty password-change topic on service accounts that no one is doing.


Implement the Microsoft Security Baseline (GPO, Intune or whatever way) and adapt it for your company -> later you can proceed and add STIG or any other recommendation


If you're running a WordPress instance you should disable xmlrpc.php. It's active by default since WordPress 3.5, obsolete since the REST API replaced it, and can be used for pingback attacks and brute-force attacks.


One of the more useful things I've found is the CIS benchmarks.

Used their 365 and Azure benchmarks quite a bit and they are fantastic, and free.

They have them for most OS’s and other systems too.


Don't just run software as Admin because it works.

Troubleshoot what permissions are needed and apply them. Just because your vendor was too lazy to state "needs write access to logs found in %programdata%/software/logs" doesn't mean you can't figure it out. Any software you grant an admin-auth token to is an increased vector. *side-eyes several legal software vendors*


What are some good resources for hardening mobile phone security? Got the feeling that there's a lot that I need to do to get my android more secure


Not exactly "hardening", but if there's one thing I think is even above MFA, it is:

  • do not expire passwords in enterprise settings. This inevitably leads to stuff like `password_4` and post-it notes on computer screens.

56 minutes ago, karlyeurl said:

Not exactly "hardening", but if there's one thing I think is even above MFA, it is:

  • do not expire passwords in enterprise settings. This inevitably leads to stuff like `password_4` and post-it notes on computer screens.

This is hardening -> it was based off the NIST recommendation, which was revised a few years ago.

The current recommendation for end users is something about 12-14 chars, non-complex (changed between 1-2 years) and on potential compromise (NIST Special Publication 800-63B)


On 11/6/2022 at 3:24 AM, andrew said:

Delete calc.exe

I really like that one :D

I have two suggestions for phishing scenarios:

  • Tell your users that an e-mail is a postcard and not "mail". I saw awareness drastically improving from this simple comparison.
  • Deny sending office documents by mail (filter out the attachments or block these mails completely), at least for internal communication where everyone could just simply drop the files on a network share.

Install crowdsec (or upgrade from fail2ban).

Use modsecurity if running apache2.

Implement an IP allow list for RDP/SSH, and use something like WireGuard to get access to that source IP.

For untrusted self-hosted software, put it behind an apache/nginx reverse proxy with htaccess (digest) and an IP whitelist for the local network.

Edited by GieltjE

For AWS:

  • Kill the users, federate all human access. Service accounts will likely need to persist; depending on your tech stack you may be able to leverage OIDC and assume-roles for most areas.
  • Org policies are really nice and can prevent footguns (public s3, snapshots, etc.) pretty well
  • Tag your resources with team ownership and data classification.
    • Depending on your account strategy you may be able to leverage account tags for this.

This thread got pushed towards servers really quick!

Servers: close your unused ports (probably most of them)

Mobile: keep it updated

Edited by avoidthehack

Sort of on topic here, but I know some manufacturers have been adding hardware switches for mics and webcams. Pretty sure the Framework laptop has these. If you don't trust software disables for those devices then completely disconnecting them is a good choice. They physically cannot work when disabled by a hardware switch. +1 from me


7 hours ago, ChickenKing said:

Sort of on topic here, but I know some manufacturers have been adding hardware switches for mics and webcams. Pretty sure the Framework laptop has these. If you don't trust software disables for those devices then completely disconnecting them is a good choice. They physically cannot work when disabled by a hardware switch. +1 from me

The Huawei Matebook X Pro I own has its webcam in the keyboard. It is not disconnected, but you have to press it so that it pops out, so it is somewhat like a hardware switch 😛

