If your endpoint protection software fails, or is bypassed or overridden by user error, the next layer of your prevention policy should be to do everything possible to restrict lateral movement. PCs on your network should NOT be talking to each other, yet by default Windows allows this. You can use netstat -ano to see which applications are already listening and on which ports. Here are a few steps to lock down your Windows 10/11 network PCs and prevent lateral movement of malware using Windows Firewall rules and other settings:
- Block SMB-in traffic (TCP port 445)
- Block NetBIOS/NBT-in traffic (TCP/UDP ports 137, 138, 139)
- Block RPC/DCOM/WMI-in traffic (TCP/UDP ports 135, 593)
- Block RDP-in traffic (TCP port 3389)
- Block IRC ports (TCP 194, 6660-6669, 6697, 7000)
- Block calc.exe outbound traffic (\System32 and \SysWOW64)
- Block notepad.exe outbound traffic (\System32 and \SysWOW64)
- Block conhost.exe outbound traffic (\System32 and \SysWOW64)
- Block mshta.exe outbound traffic (\System32 and \SysWOW64)
- Block certutil.exe outbound traffic (\System32 and \SysWOW64)
- Block cscript.exe outbound traffic (\System32 and \SysWOW64)
- Block wscript.exe outbound traffic (\System32 and \SysWOW64)
- Block runscripthelper.exe outbound traffic (\System32 and \SysWOW64)
- Block regsvr32.exe outbound traffic (\System32 and \SysWOW64)
- Block hh.exe outbound traffic (\System32 and \SysWOW64)
- Disable the SSH server and block inbound connections on TCP port 22
- Disable Windows Update Delivery Optimization (this allows other PCs on your network to get updates from your PC and vice versa): select Start > Settings > Windows Update > Advanced options > Delivery Optimization. Under Allow downloads from other PCs, select Devices on my local network and disable it. Also block inbound and outbound traffic on TCP port 7680 in Windows Firewall.
- Disable firewall inbound-outbound rules for superfluous Windows applications. Do you use Skype? Why is Xbox even installed on your office PC? Do your users really need the News and Weather "gadget" on the taskbar?
- Run PowerShell as administrator. Execute Disable-PSRemoting to disable remote PowerShell execution. Execute Set-ExecutionPolicy Restricted to restrict PowerShell script execution.
- Use gpedit.msc or an AD GPO to restrict the following executables from running (Administrative Templates section): cmd.exe, netstat.exe, ipconfig.exe, powershell.exe, psexec.exe, paexec.exe, regedit.exe and powershell_ise.exe
- Use gpedit.msc or an AD GPO to disable LLMNR (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution)
- Disable RDP (see additional RDP information below)
- Disable Windows Remote Management service
- Associate Commonly Abused File Extensions such as .WS, .WSF, .HTA, .PIF, .VB, .VBS, .JS, .JSE, .WSC, .WSH, .PS1, .PS1XML, .PS2, .PS2XML, .PSC1, .PSC2, .MSH, .MSH1, .MSH2, .MSHXML, .MSH1XML, .MSH2XML, .SCF, .LNK, .INF and .REG (just to name a few) with Notepad.exe. Check out this list of dangerous file extensions over on HowToGeek: https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/
- Disable Macros in MS Office applications
- Ensure that PDF sandboxing is enabled in your PDF reader. *note: It is advisable to scan ALL pdf files before opening
- User logins should not be given local administrator rights
- Users should not be allowed to install software on their PC; this should only be done by administrators, and only after testing to ensure app safety.
- UAC should be enabled and set to high security
The most common lateral movement techniques abuse the Windows PC's local ADMIN$ and C$ administrative shares. These cannot be disabled nor can their permissions be changed. However, restricting SMB-in traffic prevents the use of these shares. On a domain-joined PC you may have to allow SMB-in from Domain Controllers for group policy, but in that case only allow traffic from the DC's IP address and only via an encrypted session. The second most-abused lateral movement technique is RDP. It should be disabled. If RDP is a requirement, then restrict RDP-in to specific IP addresses and user IDs, and allow encrypted traffic only. Secure RDP by requiring successful Kerberos authentication from trusted computers and users and by installing a 2FA solution such as Duo. Coming in third is PowerShell. Disabling remote PowerShell (and PsExec), restricting PowerShell script execution, and blocking the PowerShell executables helps prevent this tactic. Dane Stucky has a great write-up over on Medium regarding endpoint isolation tactics, including how to implement secure RDP: https://medium.com/@cryps1s/endpoint-isolation-with-the-windows-firewall-462a795f4cfb
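The firewall items from the list above, together with the DC-only SMB exception just described, as an added PowerShell example (not the post's own script). It assumes 10.0.0.10 is a placeholder for your domain controller and that an IPsec connection security rule to the DC already exists; for SMB it relies on the profile's default inbound block plus a DC-scoped allow rule rather than an explicit block rule, because in Windows Firewall an explicit block rule would override the allow.

```powershell
# Added example (not the post's own script): the firewall items from the
# list above as PowerShell, run from an elevated prompt on a test box first.
# Assumptions: 10.0.0.10 is a placeholder for your domain controller, and an
# IPsec connection security rule to the DC already exists (the
# -Authentication/-Encryption flags below depend on it).

# 1. Inbound blocks for the service ports lateral movement rides on.
$inbound = @(
    @{ Name = 'Block NetBIOS-in (TCP)'; Proto = 'TCP'; Port = '137-139' },
    @{ Name = 'Block NetBIOS-in (UDP)'; Proto = 'UDP'; Port = '137-139' },
    @{ Name = 'Block RPC/DCOM/WMI-in (TCP)'; Proto = 'TCP'; Port = '135','593' },
    @{ Name = 'Block RPC/DCOM/WMI-in (UDP)'; Proto = 'UDP'; Port = '135','593' },
    @{ Name = 'Block RDP-in'; Proto = 'TCP'; Port = '3389' },
    @{ Name = 'Block SSH-in'; Proto = 'TCP'; Port = '22' },
    @{ Name = 'Block Delivery Optimization-in'; Proto = 'TCP'; Port = '7680' }
)
foreach ($r in $inbound) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
        -Protocol $r.Proto -LocalPort $r.Port -Profile Any | Out-Null
}

# 2. SMB-in (445) on a domain-joined PC. A flat block rule would also cut off
#    the DC, because block rules win over allow rules. So: disable the built-in
#    sharing allow rules, rely on the default inbound action (Block), and allow
#    445 only from the DC over an authenticated, encrypted session.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
New-NetFirewallRule -DisplayName 'Allow SMB-in from DC only' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress '10.0.0.10' `
    -Authentication Required -Encryption Required -Profile Domain | Out-Null

# 3. Outbound blocks for the commonly abused binaries, both bitnesses.
$lolbins = 'calc.exe','notepad.exe','conhost.exe','mshta.exe','certutil.exe',
           'cscript.exe','wscript.exe','runscripthelper.exe','regsvr32.exe','hh.exe'
foreach ($exe in $lolbins) {
    foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
        $path = Join-Path $dir $exe
        if (Test-Path $path) {   # not every binary exists in both directories
            New-NetFirewallRule -DisplayName "Block $exe outbound ($dir)" `
                -Direction Outbound -Action Block -Program $path -Profile Any | Out-Null
        }
    }
}

# 4. Verify what was created before rolling it out further.
Get-NetFirewallRule -DisplayName 'Block *','Allow SMB-in from DC only' |
    Select-Object DisplayName, Direction, Action, Enabled
```

Run it on the test box with GlassWire or netstat -ano open alongside, and add rules back one at a time if an application breaks, as the post advises.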
While this is by far not an exhaustive list of all of the tactics that can be implemented to prevent lateral movement, it is a great starting point. Implement rules one at a time, test your applications to make sure the rule doesn't "break" the application, and as always, back up your computer, your registry and local/domain group policies BEFORE attempting any of the above steps.
One added note. On the test system where you're implementing all of these changes, one way to get better visibility into the results is to install GlassWire ($36/yr subscription) on the test box and monitor for open ports, applications attempting outbound or inbound connections, etc.
Oh, and if I missed anything, please add to the list in the comments.
CEO at Akzium | Cybersecurity, Cloud Computing and High Availability Expert
11 months ago
The CIS benchmarks are a more comprehensive list of operating system hardening tactics. Most are implemented using Group Policy. While CIS offers a tool to "test" your OS hardening changes against the benchmarks, I've found that Wazuh's agent-based scanning engine gives more detailed insights into the security of your workstation endpoints.
CEO at Akzium | Cybersecurity, Cloud Computing and High Availability Expert
11 months ago
I've received several IMs regarding modifying file extension associations. It seems that Microsoft is now making it extremely difficult (if not impossible) to do this in Windows 10 and Windows 11, AND that even if you can manage to change them, Microsoft will eventually reset them in Windows updates. It is VERY clear that Microsoft continues to sell an operating system that favors ransomware gangs over their end-user customers.
CEO at Akzium | Cybersecurity, Cloud Computing and High Availability Expert
12 months ago
Another great prevention tactic is to install the VT4Browsers extension in Chrome or Firefox. This browser add-on integrates the VirusTotal URL and file threat scanning engine into your browser. Have VirusTotal warn you BEFORE you visit a malicious website, while also having VirusTotal scan every downloaded file before you open it. https://chromewebstore.google.com/detail/vt4browsers/efbjojhplkelaegfbieplglfidafgoka?pli=1 https://addons.mozilla.org/en-US/firefox/addon/vt4browsers/