Quick Security Wins for $0
By Dan Beavins
Cybersecurity has been an important topic on the mind of every business – especially over the last few years, with the rise of ransomware and attacks on companies making the news almost daily. This has driven the amount of money spent on security upwards of $140 billion in 2021 alone. Companies both small and large struggle to know how to properly protect their assets without breaking the bank. There are amazing solutions on the market to help defend against and prevent attacks on your organization; however, there are also features already built into your existing environment that cost $0 and make a big impact alongside your existing cybersecurity spending.
I have spent over a decade as a Penetration Tester, and my job consisted of breaking into companies and showing them how successful an attacker could be. The things I'm outlining today are all FREE solutions that, when coupled with proper cybersecurity products and offerings, greatly improve your company's overall security.
Now you may be asking, "why is a security company providing information about free solutions?" We at Vigilant believe in being a security advocate for the industry as a whole, and that includes providing guidance and content on solutions that complement our services. Now let's get into the recommendations everyone is here for!
Microsoft LAPS (Local Administrator Password Solution)
Microsoft LAPS is a free tool that Microsoft has supported for years. Despite the "agent" label it usually gets, it is a small Group Policy client-side extension (AdmPwd.dll, installed from the LAPS MSI) that runs on every Windows system in your environment. On each machine it sets the built-in local administrator password to a unique random value, rotates it every 30 days by default (the interval, length and complexity are set by Group Policy), and writes the password and its expiry time to two attributes on the computer object in Active Directory (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime). During setup you grant specific groups the right to read that attribute. Helpdesk staff and IT support team members can install the LAPS GUI on their systems to quickly enter a system name and retrieve the password. One caveat: the attribute holds the password in clear text and is protected only by AD permissions, so audit which principals hold "All extended rights" on the OUs that contain your computers, because every one of them can read every LAPS password (the LAPS module ships Find-AdmPwdExtendedRights for exactly this). Newer Windows builds (from the April 2023 updates onward) also ship Windows LAPS natively, with the option to store the password encrypted, so check which version applies to you before deploying the legacy MSI. LAPS greatly reduces the possibilities for lateral movement by an attacker. With a unique password on every system, an attacker cannot use one captured local administrator password (or its hash) to gain administrative access on all of a company's internal systems. Raise your hand if you know passwords are being used in multiple places in your company. It's likely we all know of some passwords that are being reused, and it becomes a larger issue when those passwords provide administrative access to multiple systems.
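Here is what the LAPS deployment and permission audit described above look like in PowerShell. This is an added example, not code from the article or from Microsoft's documentation. It assumes the legacy LAPS management tools (the AdmPwd.PS module and the GroupPolicy module) are installed on the admin host, that a GPO named "LAPS-Workstations" already exists and is linked to the OU, and that the OU "OU=Workstations,DC=corp,DC=example", the helpdesk group "LAPS-Readers" and the computer "WS-0042" are names used here only for illustration.

```powershell
# Added example (not from the article): legacy Microsoft LAPS (AdmPwd.PS) deployment
# and audit. Assumes the LAPS MSI with management tools is installed on this admin
# host; run the schema step as a Schema Admin, the rest as a Domain Admin.
Import-Module AdmPwd.PS
Import-Module GroupPolicy

$ou          = "OU=Workstations,DC=corp,DC=example"   # assumption
$readerGroup = "LAPS-Readers"                          # assumption: helpdesk group
$gpo         = "LAPS-Workstations"                     # assumption: existing, linked GPO

# 1. One-time: add ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the AD schema.
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password and expiry time.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Let the helpdesk group read passwords and force a reset on the next GPO refresh.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readerGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readerGroup

# 4. Audit: the password sits in clear text in ms-Mcs-AdmPwd, guarded only by AD
#    permissions. Any principal with "All extended rights" on the OU can read every
#    password, so review this list and remove holders that should not be on it.
Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
    "{0,-60} {1}" -f $_.ObjectDN, ($_.ExtendedRightHolders -join ", ")
}

# 5. Client policy. These are the registry values the LAPS ADMX template writes;
#    setting them directly in the GPO avoids having to import the template first.
$key = "HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd"
Set-GPRegistryValue -Name $gpo -Key $key -ValueName AdmPwdEnabled      -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PasswordAgeDays    -Type DWord -Value 30
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PasswordLength     -Type DWord -Value 20
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PasswordComplexity -Type DWord -Value 4  # upper, lower, digits, specials

# 6. Helpdesk retrieval, equivalent to the LAPS UI: the current password and its expiry.
Get-AdmPwdPassword -ComputerName "WS-0042" |
    Select-Object ComputerName, Password, ExpirationTimestamp
```

Step 4 is the one to repeat after every delegation change; a helpdesk group that was given "Full control" on the OU for some unrelated task silently becomes a LAPS reader. On builds that carry Windows LAPS natively, the same steps use the LAPS module instead (Update-LapsADSchema, Set-LapsADComputerSelfPermission, Set-LapsADReadPasswordPermission, Find-LapsADExtendedRights and Get-LapsADPassword).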
Use Standard User Accounts
Using LAPS also lets you remove users' local administrative rights on their systems and have them contact the helpdesk for administrative actions. It is well understood that a local administrator has more access than a standard user, and when an attacker gains access to a system as a local administrator they can install software, pull system configuration information, disable security tooling, and even dump the cached credentials of every recently signed-in user from LSASS memory. Not allowing users to be administrators on their workstations adds an extra layer of security and additional complexity for an attacker, as they will need to find a vulnerability on the system to elevate privileges to administrator before any of that is possible.
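Before removing admin rights you need to know who has them. The script below, an added example rather than code from the article, lists members of the local Administrators group that are not on an approved list and optionally removes them. The approved names (a domain called CORP, a "Workstation-Admins" group) are assumptions to adjust.

```powershell
# Added example (not from the article): report, and optionally remove, members of the
# local Administrators group that are not on an approved list. Runs on the machine it is
# invoked on; push it to a fleet with Invoke-Command. The approved names are assumptions
# for a domain called CORP: keep the built-in Administrator (the account LAPS manages),
# Domain Admins and one dedicated workstation-admin group, and nothing else.
param(
    [string[]]$Approved = @("Administrator", "CORP\Domain Admins", "CORP\Workstation-Admins"),
    [switch]$Remediate   # without this switch the script only reports
)

$computer = $env:COMPUTERNAME
$members  = Get-LocalGroupMember -Group "Administrators"

foreach ($m in $members) {
    # Local principals are reported as "HOST\name"; compare on the bare name so the
    # built-in Administrator matches on every host. Domain principals keep "DOMAIN\name".
    $name = if ($m.PrincipalSource -eq "Local") { $m.Name.Split("\")[-1] } else { $m.Name }
    if ($Approved -contains $name) { continue }

    $action = "ReportOnly"
    if ($Remediate) {
        # Remove by SID, which also works for orphaned entries whose name no longer resolves.
        Remove-LocalGroupMember -Group "Administrators" -Member $m.SID
        $action = "Removed"
    }

    # Typically this surfaces users who were made admin "temporarily" and kept it.
    [pscustomobject]@{
        Computer = $computer
        Member   = $m.Name
        Class    = $m.ObjectClass      # User or Group
        Source   = $m.PrincipalSource  # Local, ActiveDirectory or AzureAD
        Action   = $action
    }
}
```

Run it read-only first (Invoke-Command -ComputerName <list> -FilePath .\Find-LocalAdmins.ps1) and review the output before adding -Remediate. The durable fix is a GPO Restricted Groups entry (or a Group Policy Preferences "Local Users and Groups" item with "Delete all member users") for Administrators, so that membership is re-enforced at every policy refresh instead of once.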
Group Policy Configurations
We have compiled a list of three GPO settings that are easy to implement and make an immediate impact on the success of an attacker in your company. Number one on the list is to block macro usage within Microsoft Office products. At minimum, block macros in files that came from the internet (files carrying the Mark of the Web); better still, disable all macros except those digitally signed by publishers you trust, or disable them entirely if your business does not depend on them. This prevents an attacker from sending a malicious document to an end user and tricking that user into opening it and enabling macros. Microsoft now blocks internet-sourced macros by default in current Office builds, but setting the policy in a GPO makes the behaviour enforced rather than a default that a user or an older build can undo.
The second is to restrict Domain Admin logons to Domain Controllers only. Allowing privileged accounts such as domain or enterprise admins to log on to standard workstations or servers increases the attack surface: every logon leaves the account's credentials in memory (and often in the cached-logon store) on that machine, where anyone who is already a local administrator there can harvest them. As an attacker, compromising a standard user workstation is often far easier than compromising a domain controller. The control is the set of "Deny log on" user rights (locally, through Remote Desktop, over the network, as a batch job and as a service) applied by GPO to every workstation and member server OU, with the Domain Admins and Enterprise Admins groups as the denied principals; adding those accounts to the Protected Users group additionally removes NTLM and credential caching for them. Limiting logons this way greatly protects those accounts from compromise.
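The following is an added example (not from the article) of those deny-logon rights as a security template applied with secedit, so you can try the setting on one workstation before putting it into the GPO; the domain name CORP and the temp file names are assumptions. Never run it on a domain controller, since it would lock Domain Admins out of the DC itself.

```powershell
# Added example (not from the article): deny Domain Admins and Enterprise Admins every
# logon type on a workstation or member server, so a stolen DA credential cannot be used
# anywhere except a domain controller. The same five rights live in the GPO editor under
# Computer Configuration > Windows Settings > Security Settings > Local Policies >
# User Rights Assignment. Assumed NetBIOS domain: CORP. Do NOT run this on a DC.

# Resolve group names to SIDs without RSAT; an INF template marks SIDs with a leading '*'.
# Enterprise Admins exists only in the forest root domain, so resolve it there.
function Get-SidString([string]$account) {
    $nt = New-Object System.Security.Principal.NTAccount($account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$principals = (@("CORP\Domain Admins", "CORP\Enterprise Admins") |
    ForEach-Object { "*" + (Get-SidString $_) }) -join ","

# Security template: only the [Privilege Rights] area is touched. The backticks keep
# PowerShell from expanding $CHICAGO$ inside the here-string.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $principals
SeDenyRemoteInteractiveLogonRight = $principals
SeDenyNetworkLogonRight = $principals
SeDenyBatchLogonRight = $principals
SeDenyServiceLogonRight = $principals
"@

$infPath = Join-Path $env:TEMP "deny-tier0-logon.inf"   # assumption
$dbPath  = Join-Path $env:TEMP "deny-tier0-logon.sdb"   # assumption
Set-Content -Path $infPath -Value $inf -Encoding Unicode

# Apply only the user-rights area; everything else in local policy is left alone.
secedit.exe /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet

# Verify: export the effective policy and show the five deny rights with their SIDs.
$effective = Join-Path $env:TEMP "effective.inf"
secedit.exe /export /cfg $effective /areas USER_RIGHTS /quiet
Select-String -Path $effective -Pattern "^SeDeny.*LogonRight" | ForEach-Object { $_.Line }

# Optional, from an admin host with RSAT: put the human DA accounts into Protected Users.
# Never add the built-in RID-500 Administrator or your break-glass account, and test with
# one account first, because Protected Users also disables NTLM and long-lived tickets.
Get-ADGroupMember -Identity "Domain Admins" |
    Where-Object { $_.objectClass -eq "user" -and $_.SID.Value -notlike "*-500" } |
    ForEach-Object { Add-ADGroupMember -Identity "Protected Users" -Members $_ }
```

Once the test machine behaves (admins use their separate tier-0 accounts on DCs and ordinary accounts elsewhere), move the five rights into a GPO linked to the workstation and member-server OUs, never to the Domain Controllers OU.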
Managing browser extensions via GPO is possible for the mainstream browsers. Edge, Firefox, and Google Chrome all let you control which browser extensions can be installed. Vigilant recommends creating an Allow List via GPO and only allowing specific extensions to be installed. Two that have always been installed on every new system I build are uBlock Origin and HTTPS Everywhere. uBlock does a great job of ad and tracker blocking and, through its malware filter lists, warns if you are being redirected to a known malicious website. HTTPS Everywhere forces any webpage to attempt to load as HTTPS rather than HTTP, which is helpful when a site allows both HTTP and HTTPS logins, as it ensures your credentials are only sent over an encrypted channel. Note that the EFF has since retired HTTPS Everywhere because that behaviour is now built into the browsers themselves (Firefox's HTTPS-Only Mode and the equivalent "always use secure connections" settings in Chrome and Edge), so enable the built-in setting instead of the extension.
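The macro block from the first GPO item and the extension allow list from this third one are both plain registry-backed policies, so one added example (not code from the article) covers both. It writes them into an assumed GPO named "Workstation-Hardening" with the GroupPolicy module; the uBlock Origin ID is its Chrome Web Store ID at the time of writing and should be verified against the store listing, and the Edge ID is a placeholder.

```powershell
# Added example (not from the article): the Office macro block and the browser extension
# allow list, written into an assumed GPO "Workstation-Hardening". These are the same
# registry values the ADMX-backed settings write, so the GPO editor shows them as
# configured. Macro settings are per user (HKCU) and per Office application; extension
# policies are per machine (HKLM).
Import-Module GroupPolicy
$gpo = "Workstation-Hardening"

# --- 1. Office macros (Office 2016, 2019, 2021 and Microsoft 365 all use the 16.0 key) ---
# VBAWarnings: 1 = enable all, 2 = disable with notification, 3 = disable except digitally
# signed, 4 = disable all without notification. Use 3 instead of 4 if the business runs
# signed internal macros. blockcontentexecutionfrominternet = 1 blocks macros in files that
# carry the Mark of the Web, regardless of what the user may enable for local files.
foreach ($app in "Word", "Excel", "PowerPoint") {
    $key = "HKCU\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-GPRegistryValue -Name $gpo -Key $key -ValueName "VBAWarnings" -Type DWord -Value 4
    Set-GPRegistryValue -Name $gpo -Key $key -ValueName "blockcontentexecutionfrominternet" -Type DWord -Value 1
}

# --- 2. Browser extension allow list ---
# Blocklist "*" means nothing installs unless it is on the allow list; Forcelist installs
# the extension silently and stops users removing it. Each list is a key whose values are
# numbered "1", "2", ... with the extension ID as the data.
$ublockChromeId = "cjpalhdlnbpafiamejdnhcphjbkeiagm"   # verify against the Chrome Web Store
$chrome = "HKLM\SOFTWARE\Policies\Google\Chrome"
Set-GPRegistryValue -Name $gpo -Key "$chrome\ExtensionInstallBlocklist" -ValueName "1" -Type String -Value "*"
Set-GPRegistryValue -Name $gpo -Key "$chrome\ExtensionInstallAllowlist" -ValueName "1" -Type String -Value $ublockChromeId
Set-GPRegistryValue -Name $gpo -Key "$chrome\ExtensionInstallForcelist" -ValueName "1" -Type String `
    -Value "$ublockChromeId;https://clients2.google.com/service/update2/crx"

# Edge uses the same policy names under its own key, but its IDs come from the Edge
# Add-ons store, so this value is a placeholder to replace before running.
$ublockEdgeId = "REPLACE-WITH-EDGE-ADDONS-ID"
$edge = "HKLM\SOFTWARE\Policies\Microsoft\Edge"
Set-GPRegistryValue -Name $gpo -Key "$edge\ExtensionInstallBlocklist" -ValueName "1" -Type String -Value "*"
Set-GPRegistryValue -Name $gpo -Key "$edge\ExtensionInstallAllowlist" -ValueName "1" -Type String -Value $ublockEdgeId
# Firefox is managed the same way through its ADMX templates or a policies.json file
# (the ExtensionSettings policy); it is omitted here because its IDs and format differ.

# --- 3. Verify what the GPO now carries ---
Get-GPRegistryValue -Name $gpo -Key "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security"
Get-GPRegistryValue -Name $gpo -Key "$chrome\ExtensionInstallAllowlist"
```

After a gpupdate on a test workstation, chrome://policy (or edge://policy) shows the three extension lists as applied policies, and the Office Trust Center shows the macro setting greyed out with "managed by your organization", which is the quickest way to confirm the policy actually reached the user.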
BitLocker Drive Encryption
BitLocker is available on Windows Pro, Enterprise and Education editions (Home offers only the more limited "device encryption"). BitLocker encrypts the system drive and will not unlock it at boot without a protector: the TPM chip, a TPM plus a PIN, a USB startup key, or a recovery password. TPM plus PIN is the stronger choice for laptops, because a TPM-only machine unlocks the drive before anyone has authenticated, which leaves the running system exposed to attacks aimed at a booted-but-locked device. Active Directory-joined machines can escrow their BitLocker recovery passwords (not the encryption keys themselves) to their computer objects in Active Directory, so administrators can unlock a drive if errors or issues arise; enable the "Store BitLocker recovery information in AD DS" policy together with "Do not enable BitLocker until recovery information is stored to AD DS" so that no machine is ever encrypted with a recovery password nobody escrowed. This will help a company in the event a system is stolen or lost. The data stays encrypted and requires special tooling and skills to attempt to bypass the encryption.
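The sequence below is an added example (not from the article) of enabling BitLocker on the OS drive, escrowing the recovery password to AD and confirming it arrived. It assumes a domain-joined Pro or Enterprise machine with a TPM, a GPO that already enables "Store BitLocker recovery information in AD DS", and RSAT on the host that runs the last step.

```powershell
# Added example (not from the article): BitLocker with a TPM boot protector, a recovery
# password escrowed to Active Directory, and a check that the escrow worked. Run as a
# local administrator on a domain-joined Windows Pro/Enterprise machine with a TPM.
# Without the "Store BitLocker recovery information in AD DS" policy applied, the
# Backup-BitLockerKeyProtector step fails.
$drive = "C:"

# 1. Create the recovery password first, so the machine is never encrypted without one.
#    This 48-digit password, not the TPM-sealed key, is what AD will store.
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null

# 2. Escrow every recovery-password protector to AD (they become msFVE-RecoveryInformation
#    child objects under the computer account).
$vol = Get-BitLockerVolume -MountPoint $drive
$vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword" | ForEach-Object {
    Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $_.KeyProtectorId
}

# 3. Encrypt with the TPM as the boot-time protector. -SkipHardwareTest skips the reboot
#    test; leave it off for the first machine you pilot. XTS-AES-256 is the strongest
#    method offered for fixed drives. For TPM+PIN, use -TpmAndPinProtector -Pin <secure>.
Enable-BitLocker -MountPoint $drive -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest

# 4. Local check: status and which protectors exist (expect Tpm and RecoveryPassword).
Get-BitLockerVolume -MountPoint $drive |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage
(Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId | Format-Table

# 5. AD check (from a host with RSAT): list the recovery passwords escrowed for this
#    computer. Nothing returned means the GPO is not applied or the escrow failed, and
#    the machine is encrypted with a password only the local disk knows.
$computerDn = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $computerDn `
    -Properties msFVE-RecoveryPassword |
    Select-Object Name, msFVE-RecoveryPassword
```

Step 5 is worth running periodically across the fleet, not just at enablement: a drive that was re-encrypted during a repair, or a recovery password that was rotated after use, is a machine whose escrowed password no longer matches.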
Windows Firewall
Enabling the Windows Firewall and blocking all incoming connections is the recommended place to start from an endpoint firewall perspective. In practice you cannot block every incoming connection; you'll need to allow management tooling, security tooling, and other IT systems to reach your endpoints. However, by enabling the firewall and creating explicit "allow" rules scoped to specific ports and to the source subnets of those management systems, you limit the attack surface to exactly that. This greatly reduces an attacker's ability to move laterally: an attacker who lands on one workstation can no longer reach its peers over SMB, RPC, WinRM or RDP and has to go through the few management hosts you explicitly allowed, each of which is another system they must first compromise. We see many companies disable their Windows firewalls internally because they want all internal systems to communicate easily with each other. The important piece here is that if it is easy for anyone on the network to access other remote systems, it is always just as easy for an attacker to access those same machines. Apply the settings by GPO rather than locally, and turn off merging of local firewall rules, so that a local administrator or a malicious installer cannot simply add a rule to reopen the hole.
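As an added example (not code from the article), here is that default-deny inbound policy written to a GPO with the NetSecurity cmdlets, plus the check to run on a workstation afterwards. The GPO name "Workstation-Firewall", the domain corp.example, the management and EDR subnets and the EDR callback port are all assumptions.

```powershell
# Added example (not from the article): default-deny inbound on every profile, explicit
# allows only from management subnets, logging of dropped packets, and a lock so local
# rules cannot reopen what the policy closed. Written to an assumed GPO
# "Workstation-Firewall" in domain corp.example via -PolicyStore; drop -PolicyStore to
# try the same commands against one machine's local policy first.
$store       = "corp.example\Workstation-Firewall"
$mgmtSubnets = @("10.0.10.0/24", "10.0.11.0/24")   # assumption: SCCM/WSUS/jump hosts
$edrSubnet   = "10.0.20.0/24"                        # assumption: security tooling

# 1. Firewall on, block all inbound by default, allow outbound (outbound filtering is a
#    later step). AllowLocalFirewallRules=False means rules a local admin or an installer
#    adds are ignored while the GPO applies. Log drops so lateral-movement attempts show
#    up in pfirewall.log.
Set-NetFirewallProfile -PolicyStore $store -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False -LogBlocked True -LogMaxSizeKilobytes 16384

# 2. Explicit inbound allows: management protocols, only from management subnets, and
#    only on the Domain profile (a laptop on hotel Wi-Fi gets no inbound at all).
$allow = @(
    @{ Name = "Mgmt: WinRM";         Protocol = "TCP"; Port = 5985, 5986; From = $mgmtSubnets }
    @{ Name = "Mgmt: RDP";           Protocol = "TCP"; Port = 3389;       From = $mgmtSubnets }
    @{ Name = "Mgmt: SMB admin$";    Protocol = "TCP"; Port = 445;        From = $mgmtSubnets }
    @{ Name = "EDR: agent callback"; Protocol = "TCP"; Port = 8443;       From = $edrSubnet }  # port is an assumption
)
foreach ($r in $allow) {
    New-NetFirewallRule -PolicyStore $store -DisplayName $r.Name -Direction Inbound `
        -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.From `
        -Profile Domain -Action Allow | Out-Null
}

# 3. Check on a workstation after gpupdate: effective profile defaults, then every
#    enabled inbound allow rule whose remote address is "Any". Those are the holes to
#    review; a correctly scoped fleet returns none of them.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules, LogBlocked
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq "Any" } |
    Select-Object DisplayName, Profile, PolicyStoreSource
```

The last query is the one a penetration tester effectively runs for you: an inbound allow for 445 from "Any" on every workstation is what makes one stolen local admin password worth the whole network.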
Windows Updates
Last and certainly not least, enable Windows Updates across your organization. Implementing an internal WSUS server is the ideal method; however, some folks control which updates can be applied and when (Windows Update for Business deferral policies, or WSUS approvals with update files served from Microsoft Update rather than stored locally) and let the clients reach out to the internet to download the files directly from Microsoft. The second method is great for remote folks, as it keeps all that traffic from having to flow through your internal datacenter. Additionally, if the software offers the option, we like to recommend that any 3rd-party software on your systems be set to "auto update." This is beneficial if you are in an environment without strict application controls. If you have an allowed list of software that is controlled via an MDM solution or GPO, then those updates should be controlled in the same fashion. Whichever method you choose, check the result: a policy that is set but not applied, or a client that cannot reach its update source, looks identical to a patched fleet until you compare the date of the last installed update on each machine against a threshold.
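The block below is an added example (not from the article) of the client-side Windows Update policy for the WSUS model, followed by a fleet check that flags machines whose newest installed update is older than a threshold. The WSUS server name, GPO name and OU are assumptions.

```powershell
# Added example (not from the article): client policy for WSUS plus a patch-age check.
# Assumed names: WSUS at https://wsus.corp.example:8531, GPO "Workstation-Updates",
# OU "OU=Workstations,DC=corp,DC=example". The registry values are the ones the
# "Specify intranet Microsoft update service location" and "Configure Automatic Updates"
# GPO settings write, so the GPO editor shows them as configured.
Import-Module GroupPolicy
$gpo  = "Workstation-Updates"
$wu   = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$wsus = "https://wsus.corp.example:8531"

Set-GPRegistryValue -Name $gpo -Key $wu -ValueName WUServer       -Type String -Value $wsus
Set-GPRegistryValue -Name $gpo -Key $wu -ValueName WUStatusServer -Type String -Value $wsus
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName UseWUServer  -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName NoAutoUpdate -Type DWord -Value 0
# AUOptions 4 = auto download and schedule the install; day 0 = every day; time = 03:00.
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName AUOptions            -Type DWord -Value 4
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName ScheduledInstallDay  -Type DWord -Value 0
Set-GPRegistryValue -Name $gpo -Key "$wu\AU" -ValueName ScheduledInstallTime -Type DWord -Value 3

# Patch-age check. Get-HotFix reads the same data as "Installed Updates"; InstalledOn is
# empty for some packages, so only dated entries count. Unreachable machines are reported
# as stale rather than silently dropped, because "unknown" is not "patched".
function Get-PatchAge {
    param([string[]]$ComputerName, [int]$MaxAgeDays = 45)
    foreach ($c in $ComputerName) {
        try {
            $latest = Get-HotFix -ComputerName $c -ErrorAction Stop |
                Where-Object InstalledOn |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
            $age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
            [pscustomobject]@{
                Computer  = $c
                LastPatch = $latest.HotFixID
                AgeDays   = $age
                Stale     = ($null -eq $age) -or ($age -gt $MaxAgeDays)
            }
        } catch {
            [pscustomobject]@{ Computer = $c; LastPatch = $null; AgeDays = $null; Stale = $true }
        }
    }
}

# Usage: every enabled workstation in the OU, stale ones first.
$names = (Get-ADComputer -Filter 'Enabled -eq $true' `
    -SearchBase "OU=Workstations,DC=corp,DC=example").Name
Get-PatchAge -ComputerName $names | Sort-Object Stale -Descending | Format-Table
```

Get-HotFix needs the remote machine to accept RPC/WMI from the host running the check, so the management-subnet allow rules from the firewall section are what make this query work; if the firewall is done right, it fails from anywhere else, which is exactly the point. For third-party software on machines without application control, winget upgrade --all --silent in a scheduled task is the $0 equivalent of "auto update".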
Looking back over the list, many of these items may seem like no-brainer solutions. If you have already implemented all of them, you deserve a pat on the back, as you are in great shape compared to many companies. If these solutions are all new to you, that is also great news, as you can implement every one of them for FREE. Finally, once you have put your newfound security controls in place, let the Vigilant team know and we can talk to you about penetration testing, where our highly skilled hackers will put your security controls to the test!