Simple list of things-to-do to secure your Windows network against attackers by Sami Laiho

Today I came across wonderful Tweets by Sami Laiho (@samilaiho). Sami is a worldwide expert on Windows security. He wrote a simplified list of things to do to secure your Windows network in Ukraine against attackers. I believe everyone can benefit from his Tweets.

His original Tweets are in Ukrainian. I am simply reproducing them in English. Great work Sami. Please follow him on LinkedIn (https://www.dhirubhai.net/in/samilaiho) and Twitter (@samilaiho).

Translated article starts from here:

Glory to Ukraine!

Security can be simple. It is more about the right ways of working and the right concepts than about expensive products. In this thread I will talk about what I would personally do if I worked in a war zone and protection had to be improved in a few hours without disconnecting the systems from the Internet.

I could say that you should remove end-user administrator rights, configure AppLocker and so on, but that is not done in a few days. Therefore these instructions are designed to give a quick and real protective effect against cyber attacks.

These instructions are designed to prevent the loss of your greatest treasure, the directory service. Losses are possible, but the DS will not be compromised. Companies get into the news not because there is ransomware on one computer, but because someone controls the entire infrastructure.

These instructions are simple and can be applied to any company that uses a DS (AD / AAD). They could be better if they were tailored to a specific client, but I want to create instructions that will work for most, if not all.

1. Tier0 isolation. The holy grail of every attacker is the Domain Admin account. To prevent DAs from being stolen, we block their use anywhere except where they are needed. Apply this rule to all computers except your Domain Controllers.

[Image: screenshot of the policy setting]

2. Because you can now only use DA to manage DCs, you must add the following setting to the policy so that members of ComputerAdmins can manage the other computers.

[Image: screenshot of the policy setting]

3. The same for Azure. You can do the same there, even though the settings are a little different. These screenshots show how I do it and how I block restricted users from accessing the portal. https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207

[Images: three screenshots of the Intune settings]

4. Later you can configure and split AD into more tiers, deploy PAWs, and more. But for now, Tier0 isolation is something you NEED TO DO NOW!

5. Block PowerShell. PS is used by almost all malware. It can attack, take orders and send valuable information to the attacker. So let's block it by adding an outbound firewall rule to the policy, as shown:

[Image: screenshot of the outbound firewall rule]

6. UAC settings. If you have computers where administrators log in, add this UAC setting to the policy. If you do not have such computers, GREAT, you have reduced the likelihood of 80% of attacks!

[Image: screenshot of the UAC setting]

7. The principle of least privilege. If you log in to your computer with an administrator account at home or at work, STOP NOW! Your computer will work better, last longer, and need fewer reinstallations. Even your SSD will last longer!

8. Create a separate administrator account and turn your current one into a limited user. If you have a fingerprint reader, register your index finger for the limited user and your middle finger for the administrator.

9. Adopt the Privileged Access Workstation concept. Do not browse the Internet or read mail on a computer that could ruin your network, such as one with an RDP connection to your DC. You'll do it properly later, with virtual machines, but for now let's just work safely.

10. Use MFA everywhere. If you have servers that accept RDP, protect them, for example with Cisco Duo. Do the same for the computers you use to manage your services. If you don't need RDP, block it!

11. REMEMBER: "in security, perfection is the enemy of good." We can refine the settings later. So let's take the basic steps NOW!

12. I would recommend everyone to read Mikko Hyppönen's book "The Internet", but it is currently encrypted in Elvish: https://www.wsoy.fi/kirja/mikko-hypponen/internet/9789510464410

13. It was translated by @svitlanaExe and @FraktalCyber from my thread into Finnish. I will publish it in English soon. Thank you for reading, take care of yourself!

Glory to Ukraine!

End
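Sami applies the steps above through Group Policy (and Intune) so that they reach every member computer at once. As an added example that is not part of his thread or of this post, the PowerShell script below does the single-computer equivalent of steps 1, 2, 5, 6 and 10 and then audits the result; the audit half is also a way to check what the GPO actually delivered to a given machine. It assumes a domain-joined computer, run by a domain account that is a member of ComputerAdmins and not a Domain Admin (the script denies DA logons), the group name "ComputerAdmins" from step 2, and that the UAC setting in step 6 is "Prompt for credentials on the secure desktop" (ConsentPromptBehaviorAdmin = 1); that last point is my assumption, since the screenshot is not reproduced here. The function names Invoke-Tier0Hardening, Test-Tier0Isolation and Get-DomainGroupSid are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not Sami Laiho's own script. Applies, on ONE computer, the equivalent of
# steps 1, 2, 5, 6 and 10 of the thread, then audits the result. The thread does this in a
# GPO linked to every OU except Domain Controllers; this is the per-machine version for a
# lab box or for checking what the GPO delivered. Assumed: domain-joined machine, run as a
# domain user in ComputerAdmins, group name 'ComputerAdmins', UAC = credentials on secure desktop.
param(
    [string]$ComputerAdminsGroup = 'ComputerAdmins',   # assumed name, as used in step 2
    [switch]$BlockRdp                                  # step 10: only if RDP is not needed here
)
$ErrorActionPreference = 'Stop'

function Get-DomainGroupSid([string]$Name) {
    # Resolve NETBIOSDOMAIN\Group to its SID through LSA; works from any member computer.
    $acct = New-Object System.Security.Principal.NTAccount($env:USERDOMAIN, $Name)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# The five "Deny ..." user rights that make step 1 work: DA can neither log on here nor
# connect over the network, RDP, scheduled tasks or services.
$DenyRights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
              'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'
$PowerShellExes = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                  "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
                  "$env:ProgramFiles\PowerShell\7\pwsh.exe"
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Invoke-Tier0Hardening {
    # NEVER run this on a Domain Controller: it denies Domain Admins every logon type.
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) { throw 'Refusing to run on a DC' }
    $da = Get-DomainGroupSid 'Domain Admins'
    $ca = Get-DomainGroupSid $ComputerAdminsGroup

    # Steps 1-2: the same data a GPO stores in GptTmpl.inf, applied locally with secedit.
    # Each [Privilege Rights] line REPLACES the current holders of that right (fine for the
    # Deny rights, which are empty by default). Memberof adds ComputerAdmins to the local
    # Administrators group (S-1-5-32-544) without touching its other members.
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
               '[Privilege Rights]')
    $lines += ($DenyRights | ForEach-Object { "$_ = *$da" })
    $lines += '[Group Membership]', "*${ca}__Memberof = *S-1-5-32-544"
    $inf = Join-Path $env:TEMP 'tier0.inf'
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'tier0.sdb') /cfg $inf /areas USER_RIGHTS GROUP_MGMT /quiet | Out-Null

    # Step 5: block rules win over allow rules, so every PowerShell host loses outbound access.
    foreach ($exe in $PowerShellExes) {
        $name = "Block outbound - $exe"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Program $exe -Profile Any -Enabled True | Out-Null
        }
    }

    # Step 6: elevation in an admin session must ask for credentials on the secure desktop,
    # so malware running as the logged-on admin cannot silently click through the prompt.
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord

    # Step 10: if this machine does not need RDP, switch it off and close the firewall hole.
    if ($BlockRdp) {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1 -Type DWord
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}

function Test-Tier0Isolation {
    # Audit: reports the effective settings whether they came from this script or from a GPO.
    $da = Get-DomainGroupSid 'Domain Admins'
    $export = Join-Path $env:TEMP 'current.inf'
    secedit /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
    $policy = Get-Content $export
    $r = [ordered]@{}
    foreach ($right in $DenyRights) {
        $line = $policy | Where-Object { $_ -like "$right*" }
        $r[$right] = [bool]($line -and (($line -split '[=,]' | ForEach-Object Trim) -contains "*$da"))
    }
    $blocked = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
               Get-NetFirewallApplicationFilter |
               Where-Object { $_.Program -match 'powershell(_ise)?\.exe$|pwsh\.exe$' }
    $r['PowerShellOutboundBlocked'] = [bool]$blocked
    $uac = Get-ItemProperty $UacKey
    $r['UacCredentialsOnSecureDesktop'] = ($uac.EnableLUA -eq 1 -and $uac.ConsentPromptBehaviorAdmin -eq 1 -and $uac.PromptOnSecureDesktop -eq 1)
    $r['RdpDisabled'] = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 1
    [pscustomobject]$r
}

Invoke-Tier0Hardening
Test-Tier0Isolation | Format-List
```

Three caveats before using it. The DC guard is the important one: the same Deny rights linked to the Domain Controllers OU lock every Domain Admin out of AD, which is why step 1 says "except your Domain Controllers". In a multi-domain forest, deny Enterprise Admins (forest-root SID with RID 519) alongside Domain Admins. The outbound block in step 5 also stops Invoke-WebRequest, PowerShell remoting initiated from that machine, and any management agent that shells out to powershell.exe to reach the network, so pilot it on a small group before the policy goes to everyone.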
