3 ways to make your Windows network harder to attack

Start the new year right by checking these three areas for potential vulnerabilities in your Windows network. Don't make it easy for attackers.


As you start the new year, it’s a good time to think about what you can do to keep your network and organization from being low hanging fruit for attackers. Taking these steps won’t make you immune to attacks, but it might encourage attackers to go after someone else.

1. How you get in, they get in: Protect remote access and management access

The MITRE ATT&CK framework lists the ways and ports typically used for management access to servers and workstations. Attackers know these access methods as well and target the ways you enter your network. For example, if you use any of the following ports and expose them to the internet, add closing, blocking or enabling two-factor authentication (2FA) on them to your to-do list for 2020.

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

Password spraying attacks against Remote Desktop Protocol (RDP), for example, are one way that attackers attempt to gain access. Third-party platforms such as Duo.com can add 2FA to help thwart these attempts.

Review even internal-only transmissions such as LDAP to ensure you are setting them up securely. Microsoft recently announced that it will enforce LDAP signing in March 2020, so review your settings now to determine if you are ready for the upcoming changes.

Review if you need to reset Kerberos passwords — especially if you suspect credential reuse in your organization and have older operating systems that control your domain with the domain controller role. If you have recently retired older operating systems such as Server 2008 or Server 2008 R2, you might wish to reset passwords for any read/write domain controllers (RWDCs) and read-only domain controllers (RODCs).
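Added example (not the article's own code): a PowerShell inventory of the management ports listed above. It reports which of them have a listening socket on the host, which enabled inbound firewall rules allow them from any remote address, and, on a domain controller, the LDAP signing setting and the age of the krbtgt password. It assumes a Windows 8/Server 2012 or later host (NetSecurity module) and the ActiveDirectory module for the krbtgt check.

```powershell
# Added example, not from the original article. Inventory of the management
# ports the article lists: listening sockets, firewall rules open to 'Any',
# and two domain-controller checks (LDAP signing, krbtgt password age).
# Assumes the NetSecurity module (Windows 8/2012+) and, on a DC, the
# ActiveDirectory module.

$ManagementPorts = @{
    22 = 'SSH'; 23 = 'Telnet'; 21 = 'FTP'; 139 = 'NetBIOS'; 445 = 'SMB'
    389 = 'LDAP'; 88 = 'Kerberos'; 3389 = 'RDP'; 80 = 'HTTP'; 443 = 'HTTPS'
    1433 = 'MSSQL'; 1521 = 'Oracle'; 3306 = 'MySQL'; 5900 = 'VNC'
}

# 1. Management ports with a listening socket right now, and the owning process.
Get-NetTCPConnection -State Listen |
    Where-Object { $ManagementPorts.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = [int]$_.LocalPort
            Service = $ManagementPorts[[int]$_.LocalPort]
            Process = $proc.ProcessName
        }
    } | Sort-Object Port -Unique | Format-Table -AutoSize

# 2. Enabled inbound allow rules that open one of these ports to any address.
#    A rule scoped to 'Any' is the one to tighten, block, or put behind 2FA.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule  = $_
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)      # may be 'Any' or a range
        $addrs = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        foreach ($p in $ports) {
            if ("$p" -match '^\d+$' -and $ManagementPorts.ContainsKey([int]$p) -and $addrs -contains 'Any') {
                [pscustomobject]@{ Rule = $rule.DisplayName; Port = [int]$p; Service = $ManagementPorts[[int]$p] }
            }
        }
    } | Format-Table -AutoSize

# 3. Domain-controller-only checks (the NTDS key exists only on a DC).
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    # LDAPServerIntegrity: 1 = no signing required, 2 = signing required.
    $sig = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).LDAPServerIntegrity
    "LDAPServerIntegrity = $sig (2 = signing required)"
    $last = (Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet
    "krbtgt password last set {0:N0} days ago" -f ((Get-Date) - $last).TotalDays
}
```

Run it on each internet-facing host and on one domain controller; anything it lists under section 2 is a candidate for the closing, blocking or 2FA to-do list.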

2. Protecting credentials: Choose better passwords and protect them

The typical scenario that attackers use to gain access is to send a phishing email to a user and gain access to a workstation. If the local administrator password is set to the same value on every machine in the network, the attacker can obtain the password hash from that one machine and use it throughout the network. You can make this “pass the hash” technique harder to do in several ways. Start with disabling LM hash and NTLMv1 in your network.

Review your password policy rules and ensure that users are educated to pick better long passphrases. Note that if users are required to change their passwords often, they will pick more insecure passwords, not better passwords.

Be aware of how often you reuse passwords. Use a password manager program and choose complex passwords. Review the maximum length of allowed passwords. If you find a vendor offers you only a short password, ask them what technical block prevents you from using a longer password.

Use the LAPS toolkit to set unique passwords on local administrator accounts. This prevents an attacker who obtains one machine’s local administrator password from using it to move laterally across the network.

Ensure that you enable multi-factor authentication (MFA) on administrator accounts and on as many user accounts as you can. Too often it’s one password between you and the attackers. Make it much harder for them. Finally, review your network for accounts that are not set up securely by auditing whether hash values are left behind in the network, passwords have been shared, or other insecure settings exist. You’ll need to use the Scan and Check All Accounts In AD Forest - Account And Password Hygiene script and install the Lithnet and DSInternals PowerShell modules to check your Active Directory.
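Added example (not the article's own code, and separate from the hygiene script it names): a PowerShell audit of the two LSA registry values behind "disable LM hash and NTLMv1", followed by a list of domain computers that have no LAPS-managed local administrator password. It assumes the ActiveDirectory module and a LAPS schema extension (the ms-Mcs-AdmPwdExpirationTime attribute), run as a user permitted to read that attribute.

```powershell
# Added example, not from the original article. Checks the LM hash / NTLMv1
# settings on this host and reports domain computers without a LAPS password.
# Assumes the ActiveDirectory module and the LAPS schema extension.
param([switch]$Fix)   # -Fix applies the two registry values locally

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props = Get-ItemProperty -Path $lsa

# NoLMHash = 1 stops Windows storing the weak LM hash at the next password change.
# LmCompatibilityLevel = 5 sends NTLMv2 only and, on a DC, refuses LM and NTLMv1.
$checks = @(
    [pscustomobject]@{ Name = 'NoLMHash';             Expected = 1; Actual = $props.NoLMHash }
    [pscustomobject]@{ Name = 'LmCompatibilityLevel'; Expected = 5; Actual = $props.LmCompatibilityLevel }
)
$checks | ForEach-Object {
    $_ | Add-Member -NotePropertyName Compliant -NotePropertyValue ($_.Actual -eq $_.Expected) -PassThru
} | Format-Table -AutoSize

# Local remediation only; in a domain, set the same values via Group Policy
# (Security Options: "Network security: LAN Manager authentication level" and
# "Do not store LAN Manager hash value on next password change").
if ($Fix) {
    Set-ItemProperty -Path $lsa -Name NoLMHash             -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
}

# LAPS coverage: a computer whose expiration attribute is empty has never had a
# LAPS password set, so its local administrator password is likely the shared one.
Import-Module ActiveDirectory
$computers = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like '*Windows*' } `
    -Properties ms-Mcs-AdmPwdExpirationTime, OperatingSystem
$noLaps = @($computers | Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' })
"{0} of {1} enabled Windows computers have no LAPS password" -f $noLaps.Count, @($computers).Count
$noLaps | Select-Object Name, OperatingSystem | Sort-Object Name | Format-Table -AutoSize
```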

3. Browsers and email are the new entry points

Attackers know that users are the weak links in your armor. They also know that users can be tricked into clicking. Browsers and email are the main entry points into our networks. For email, look for the use of attack tools such as “ruler” that abuse client-side Outlook features to gain a remote shell. To counter such attacks, use tools such as “notruler” for on-premises deployments to investigate whether your Exchange environment has been compromised. For Office 365, use PowerShell to audit whether unexpected rules and injections have been set up.
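Added example (not the article's own code): a PowerShell audit of Exchange Online inbox rules that flags the actions a planted rule typically relies on, namely forwarding or redirecting mail to an address outside your accepted domains, deleting messages, or moving them out of sight. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) with permission to read every mailbox; the helper function name is mine.

```powershell
# Added example, not from the original article. Lists Office 365 inbox rules
# whose actions are typical of attacker-planted rules. Assumes an existing
# Exchange Online PowerShell session that can read all mailboxes.

# Any recipient domain not in this list is treated as external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Get-ExternalTargets {
    # Hypothetical helper: returns the external SMTP addresses in a rule's recipient list.
    param([object[]]$Targets)
    foreach ($t in @($Targets)) {
        # Recipients render as "Display Name [SMTP:user@domain]"; pull out the address.
        if ("$t" -match 'SMTP:([^\]]+)') {
            $addr = $Matches[1].ToLower()
            if ($internalDomains -notcontains $addr.Split('@')[-1]) { $addr }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = @(Get-ExternalTargets $targets)
        $reasons  = @()
        if ($external)                                 { $reasons += "forwards/redirects to $($external -join ', ')" }
        if ($rule.DeleteMessage)                       { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder -and $rule.MarkAsRead)  { $reasons += "moves to $($rule.MoveToFolder) and marks read" }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Why     = $reasons -join '; '
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Review each hit with the mailbox owner; legitimate forwarding to a personal account looks the same as a planted rule, so the list is a starting point for investigation, not a verdict.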

For browsers, review your policies or set up boundaries for what users can download and install in their browsers. Use Group Policy or Intune to set limitations on what users can install in their browsers. As Chromium-based Edge rolls out in January 2020, prepare in advance to control Edge policies through Group Policy settings as well.


