Doug Bassett is StormWind Studios’ Senior Technical Instructor with a focus on Microsoft and securing your network from the scumbags of the IT world. In today’s vblog post, we’ll discuss Microsoft’s new bag of ammunition with 4 new security capabilities and the top 4 ways to lock down your network that Doug teaches in his class.
Microsoft’s Windows Defender Exploit Guard
There are 4 new security capabilities from Microsoft that began rolling out to the public as of yesterday. These features are bundled into the “Windows 10 Fall Creators Update” and promise to “prevent ransomware from encrypting your files,” which would be fantastic considering SMBs paid over $300 Million to ransomware hackers this past year. As if you needed a new reason to routinely update your system.
This update and corresponding security features were released to Microsoft’s favorite children, also known as Windows Insiders, starting in July. So far, the update has rolled out to public Windows 10 for PCs, but if you have a Windows phone, no dice for you yet. Especially if you have Lumia 640 and 640 XL.
There are four components of the Windows Defender Exploit Guard that “are designed to lock down the device against a variety of attack vectors and block behaviors commonly used in malware attacks.” All without making your machine into a glorified paperweight when it comes to end-user productivity.
Component #1: Controlled Folder Access
This feature, called Controlled folder access, draws a line between whitelisted apps and everyone else. Only whitelisted apps can access files in the folders on the Controlled folder list. Users can add new folders to the protected area and adjust which apps can access the protected files. (As we all know, adding users to the mix can affect even the best-laid plans for security.)
While the everyday user can access this feature, let’s get to the nitty-gritty of how to protect users from themselves. Admins can enable Controlled folder access from the Windows Defender Security Center (or from Group Policy, PowerShell, or a mobile device management configuration service provider, if you want to be an overachiever). Microsoft has already put a “gold star on the heads” of a few apps it considers trustworthy; those apps can access protected files out of the box. As an admin, you can add or remove apps that are allowed to access protected files.
You will receive warnings when unauthorized apps or processes try to access your protected folders.
Component #2: Attack Surface Reduction (ASR)
While email and office apps give your users a lot to work with during their day jobs, they also give hackers a lot to work with. Attack Surface Reduction aims to give you fewer headaches without sacrificing the productivity of your users. ASR “provides enterprises with a set of built-in intelligence that can block the underlying behaviors used by malicious docs to execute without hindering productive scenarios.” So it’s like a sensor that lets you keep eating at sketchy taco trucks but blocks the food poisoning before it reaches your gullet. No lost taco productivity, but fewer long nights on the toilet.
The behaviors ASR covers include Office, scripts, and email. This component relies on Windows Defender Antivirus as its primary AV, so real-time protection must be turned on for it to work.
Component #3: Network Protection
The network protection capability extends the protection that already covers Microsoft Edge to the entire system and network stack. While Microsoft Edge has been chided for being Internet Explorer in disguise, Edge actually outperforms Chrome and Firefox in terms of security thanks to the Intelligent Security Graph (ISG). Using the same ISG intelligence, the network protection feature vets outbound connections before they are made and blocks the bad ones.
If the outbound call is a phishing attempt, socially engineered malware, or malware reaching out to its command-and-control server, network protection can vet and kill the connection.
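The three components above are all switches in Windows Defender Antivirus, which is why real-time protection has to stay on. The PowerShell below is an added example, not code from the post or from Microsoft’s documentation: it stages Controlled folder access, a handful of ASR rules, and Network protection in audit mode, pulls the resulting events from the Defender operational log, and only then enforces. The folder paths and the allowed application are assumptions; the ASR rule GUIDs are Microsoft’s published rule IDs and should be checked against the current ASR rule reference before use.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the StormWind post): roll out the configurable
# Exploit Guard components in audit mode first, read what they would have
# blocked, then switch to Enabled. Needs Windows 10 1709+ with Windows
# Defender Antivirus real-time protection on.

# Placeholders: replace with your own data folders and line-of-business app.
$ProtectedFolders = @('D:\Finance', 'D:\Shared\Contracts')
$AllowedApps      = @('C:\Program Files\ExampleVendor\LineOfBusiness.exe')

# Published ASR rule IDs (verify against Microsoft's ASR rule reference).
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

function Set-ExploitGuardMode {
    param([Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode)

    # Component #1: Controlled folder access. Add folders to the protected list
    # and whitelist the app; Microsoft's own "gold star" apps need no entry.
    Set-MpPreference -EnableControlledFolderAccess $Mode
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps

    # Component #2: ASR. Ids and Actions are parallel arrays, one action per rule.
    $ids = @($AsrRules.Keys)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@($Mode) * $ids.Count)

    # Component #3: Network protection uses the same three-state switch.
    Set-MpPreference -EnableNetworkProtection $Mode
}

function Get-ExploitGuardEvents {
    param([int]$Hours = 24)
    # Windows Defender operational log IDs: 1121/1122 ASR blocked/audited,
    # 1123/1124 CFA blocked/audited, 1125/1126 network protection audited/blocked.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Component'; e = {
                if ($_.Id -le 1122) { 'ASR' }
                elseif ($_.Id -le 1124) { 'ControlledFolderAccess' }
                else { 'NetworkProtection' } } },
            @{ n = 'Action'; e = { if ($_.Id -in 1121, 1123, 1126) { 'Blocked' } else { 'Audited' } } },
            Message
}

function Get-ExploitGuardState {
    # What the machine is actually enforcing, for your change record.
    Get-MpPreference | Select-Object EnableControlledFolderAccess, EnableNetworkProtection,
        AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
        ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
}

# Typical rollout: audit for a week, review, add exclusions, then enforce.
Set-ExploitGuardMode -Mode AuditMode
Get-ExploitGuardState
Get-ExploitGuardEvents -Hours 168 | Format-Table -AutoSize
# Set-ExploitGuardMode -Mode Enabled
```

Audit mode is the step most rollouts skip: the 1122/1124/1125 events tell you which line-of-business app writes into a protected folder or which macro spawns a child process before anyone’s work is blocked, so the whitelist is built from evidence rather than from helpdesk tickets.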
Component #4: Exploit Protection
By performing the Windows 10 Fall Creators Update, you’re not only gaining some firepower, you’re also getting some stronger defensive settings. The exploit protection feature includes various “vulnerability mitigation and hardening techniques” that are baked right into your Windows 10 device.
No need to do anything, all settings and configuration are handled during your upgrade.
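Even though the defaults arrive with the upgrade, an admin will still want to see what they are, keep a copy under change control, and occasionally tighten them for one stubborn application. The block below is an added example rather than anything from the post; the executable name is a placeholder and the export path is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the post): look at the mitigations the Fall Creators
# Update applies system-wide, export them as a baseline, and tighten one
# legacy application beyond the defaults. The executable name is a placeholder.

function Get-SystemMitigationSummary {
    # System-wide defaults (DEP, ASLR, CFG, SEHOP, ...) as currently applied.
    Get-ProcessMitigation -System
}

function Export-MitigationBaseline {
    param([string]$Path = (Join-Path $env:TEMP 'ExploitProtection-baseline.xml'))
    # Writes system and per-process settings to XML; the same file can be pushed
    # through Group Policy ("Use a common set of exploit protection settings")
    # or applied with Set-ProcessMitigation -PolicyFilePath on other machines.
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    $Path
}

function Set-LegacyAppMitigations {
    param([string]$Executable = 'LegacyReportViewer.exe')   # hypothetical name
    # Force ASLR on images built without /DYNAMICBASE, add bottom-up and
    # high-entropy randomisation, and refuse DLLs from low-integrity or remote paths.
    Set-ProcessMitigation -Name $Executable -Enable ForceRelocateImages, BottomUp, HighEntropy, BlockLowLabelImageLoads, BlockRemoteImageLoads
    Get-ProcessMitigation -Name $Executable
}

Get-SystemMitigationSummary
Export-MitigationBaseline
Set-LegacyAppMitigations
```

Exporting the XML once after the upgrade gives you something to diff against later: if a future update or a well-meaning technician loosens a mitigation, the change shows up in the file rather than in an incident report.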
Doug’s Top 4 Ways to Secure Your Network Environment
Now that you know more about a few of Microsoft’s newest techniques to defend against threats, here are Doug Bassett’s top 4 ways he instructs students to secure their network. Watch the video for a demonstration of these techniques.
Loved this video? You’re gonna love this Security QuickCast!
About this vBlog Instructor:
Doug brings over thirty years of experience in consulting, operations, network design and instruction, serving small office/home offices as well as global enterprises. As a technical instructor, Doug’s high energy, infectious enthusiasm and unmatched passion for training and “all things gizmo” leave students energized, excited and driven to devour complex technology and innovation. Known for getting the audience to do “the wave” at events, Doug was a featured speaker at Microsoft TechEd in Barcelona, Spain on virtual classroom training and has presented numerous times at Fortune 100 corporations like Microsoft and Apple. Wanna join his next class? Learn more here.
Transcript of this video:
Hello everyone. My name’s Doug Bassett. I’m the Senior Technical Instructor here at StormWind Studios, and I’ve had some questions come in from students about the Top Four Things that they can do to help secure their network. So I put together a list, and we’ll start off with number four.
#4: Disable SMB (via PowerShell)
If you remember, we had an attack that occurred a few months back, where we had the ransomware virus, WannaCry, where it went through and it found hundreds and hundreds and hundreds of thousands of machines that were vulnerable to a particular attack. It went in and encrypted their hard drives and locked it in, and when you tried to log on, it showed a screen that says, “Oh, you have to send us bitcoins.” Well, the vulnerability that causes that is Server Message Block version one. SMB is used to be able to access file shares. My number four security tip is you want to disable SMB version one.
So, how do you go through and do that? Well, my recommendation would be to go to your favorite search engine and do a search on support.microsoft.com, and we’re looking for article 2696547. That’s called How To Detect, Enable, and Disable SMBv1, SMBv2, and SMBv3. Now you can use this to disable all three of them, but you really don’t want to. It’ll even go through and it’ll say, “Hey, if you disable this and disable this and disable this, these are all of the functionalities that you’re going to lose.” But, if you dig further into the article, it will show you based upon the operating system, different ways that you can turn it off using things like PowerShell. So what I’ve done is I’ve compiled a list of different PowerShell commands that we can use.
So if you have Windows Server 2012 R2, or 2016, Windows 8.1, or Windows 10, you can use a disable Windows optional feature, online feature name SMB1 Protocol, which is this command right here. If you have Windows 2012 and Windows 8, you can say, “Set SMB server configuration, enable SMB1 protocol is set to false.” And if you have even older machines, like Vista, Windows 7, Windows 8, Windows Server 2008, 2008 R2, and 2012, I can do this with sc.exe config lanmanworkstation depend= (bowser, not browser) bowser/mrxsmb20/nsi, sc config mrxsmb10 start equals disabled, and that will turn it off.
Also, if you want to use it on a group policy object, that particular article that I brought up has all sorts of different ways you can do it. In fact, let me show you. We can go in and we can look at this. It shows you how you can detect a particular protocol, how you can disable a particular protocol, and how you can re-enable it if you like. But down here towards the bottom, they go in and they show you how you can do this via a group policy. You can do it via the registry, or you can go in and you do it via group policy. The idea here is that you want to disable this particular protocol. Now be aware, SMB 1 shouldn’t be used in your environment at all. If you have even one machine, if everybody else is nice and solid on SMB 1, you’ve turned it all off, but you have one single machine that is still running SMB 1, that can be used to not only infect that one machine but all the other machines as well. You really need to make sure that you go through and check machine by machine by machine, and turn all that stuff off.
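The commands Doug reads out map onto the script below, which is an added example and not part of the transcript or of Microsoft’s article. It adds the step that usually gets skipped: finding out whether any client still negotiates SMB1 before the protocol is switched off. It assumes Windows 10 / Server 2016 for the detection and auditing cmdlets, and the server names are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the transcript): check whether SMBv1 is installed,
# whether anything still speaks it, and only then disable it with the same
# commands Doug lists. Assumes Windows 10 / Server 2016 (the sc.exe lines are
# for Windows 7 / Server 2008-2012 clients).

function Get-Smb1Status {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    $client  = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue   # SMB1 client driver
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        FeatureState          = $feature.State                # Enabled / Disabled
        ServerSmb1Enabled     = $server.EnableSMB1Protocol
        ClientDriver          = $(if ($client) { $client.Status } else { 'absent' })
        # Live sessions and connections negotiated at dialect 1.x are the
        # machines (or apps) that would break when SMB1 goes away.
        ActiveSmb1Sessions    = @(Get-SmbSession -ErrorAction SilentlyContinue | Where-Object Dialect -like '1.*').Count
        ActiveSmb1Connections = @(Get-SmbConnection -ErrorAction SilentlyContinue | Where-Object Dialect -like '1.*').Count
    }
}

function Enable-Smb1Audit {
    # Logs event 3000 in Microsoft-Windows-SMBServer/Audit for every SMB1 client,
    # so you can find stragglers over a week or two without breaking them.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Disable-Smb1 {
    # Server side (Windows 8 / Server 2012 and later).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Feature removal (Windows 8.1 / 10, Server 2012 R2 / 2016); takes effect after a reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    # Client side on older systems: drop the SMB1 driver from the workstation
    # service dependency (it really is "bowser") and stop the driver starting.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
}

# Inventory first: run the status check on each server (placeholder names).
$servers = @('FILESRV01', 'FILESRV02')
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-Smb1Status} | Format-Table -AutoSize
Enable-Smb1Audit
Get-Smb1Clients
# Disable-Smb1   # once the audit log shows no SMB1 clients for a while
```

The audit log is what turns “check machine by machine” into something manageable: a file server that records no event 3000 for a couple of weeks can lose SMB1 safely, and the ones that do record it tell you exactly which printer, NAS or old application still needs attention.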
#3: Update and Change Your WSUS Settings
Now here’s the bad news. This was already done via a Windows update. However, unfortunately, even though Microsoft released the update a couple of days, or actually a couple of months before the WannaCry virus made it out into the wild, nobody used it. So my number three way, number four was disable SMBv1, my number three way of securing your network is that you want to make sure that you’re doing updates. Now Microsoft has provided us with good old automatic updates. Automatic updates allows us to contact Microsoft update, and I can pull down all the updates for me. The only problem with this is that if I have a whole bunch of machines and they all want the same update, I am filling up my network pulling down the exact same thing over and over and over again.
In our 70-740 class, we go through and we talk about WSUS server. WSUS Server makes it so that the WSUS server can go up to Microsoft Update, find the various pieces that we want to pull down and push out, and then we go ahead and download them to the WSUS server. Then as users, or client machines, find out that there’s an update, they will pull it down from the WSUS server, so I only have to pull it down once via my network as opposed to having to pull it down for all 5,000 or 6,000 of my machines. The problem with WSUS is that it is a bit of a pill as far as some of the default settings. You’ll find, especially if you haven’t done updates in a while, we had one machine that had 2,400 updates that needed updating, that the SMB or the WSUS server will run out of memory. Then all of a sudden the admin console gives you a 503 error. I can’t see anything, I can’t do anything. Then nothing will work.
That’s because this was designed to only have about 2 GB of RAM associated to WSUS. You need to really associate at least 8 GB. It’s not just to the WSUS server, it is to the web application because all of the stuff is done via IIS. Let me go ahead and show you how we can fix that. Now what I’m going to do is I’m going to go into my tools. I have my IIS server, so we’re going to go in and we’re going to apply more RAM to the WSUS web application pool. We’ll go ahead on my machine drop this down. We have our application pools. This is our .net application pool, or default application pool, but this one right here is the WSUS pool. This is the one that causes all sorts of problems because it’s not given enough RAM. If I double-click on this … Actually, what I want to do is I want to right click on it, and I want to go into my advanced settings.
Inside of my advanced settings you’ll notice all the way down here we have the private memory limit for recycling. This is how much ram we are going to devote to this particular app pool. By default, it’s about 1.8 GB. What I would do is I would change this to at least 8 GB. Change this number to eight million, and then your WSUS will be nice and happy. Number three, update and change your WSUS settings so that it will actually work.
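The same change, scripted so it can be verified and repeated on every WSUS server rather than clicked through in IIS Manager. This is an added example, not Doug’s, and it assumes the default pool name WsusPool on a server with the WebAdministration module; the “eight million” in the GUI is a value in KB, which is why 8000000 works out to roughly 8 GB.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the transcript): raise the private memory recycling
# limit on the WSUS application pool, the setting Doug changes in IIS Manager.
# The limit is in KB, so 8000000 is about 8 GB. Run elevated on the WSUS server.
Import-Module WebAdministration

$poolName = 'WsusPool'    # default WSUS pool name; adjust if yours differs
$targetKB = 8000000

function Get-WsusPoolMemoryLimitKB {
    (Get-Item "IIS:\AppPools\$poolName").recycling.periodicRestart.privateMemory
}

function Set-WsusPoolMemoryLimitKB {
    param([Parameter(Mandatory)][int64]$LimitKB)
    $pool = Get-Item "IIS:\AppPools\$poolName"
    $pool.recycling.periodicRestart.privateMemory = $LimitKB
    $pool | Set-Item
    # Recycle so the running worker process picks up the new limit.
    Restart-WebAppPool -Name $poolName
}

# Sanity check before changing anything: a limit above what the box actually
# has just moves the failure from a 503 to the pagefile.
$totalKB = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1KB
if ($targetKB -gt $totalKB * 0.75) {
    Write-Warning ("Limit exceeds 75% of physical RAM ({0:N1} GB); add RAM first." -f ($totalKB / 1MB))
}

"Current private memory limit: {0:N0} KB" -f (Get-WsusPoolMemoryLimitKB)
Set-WsusPoolMemoryLimitKB -LimitKB $targetKB
"New private memory limit: {0:N0} KB" -f (Get-WsusPoolMemoryLimitKB)
```

A value of 0 for the limit means “no recycling on memory”, which is also an option, but an explicit limit sized to the server keeps a runaway synchronisation from starving everything else on the box.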
#2: UEFI and TPM
Now number two setting is kind of interesting. I’m sure that you’ve heard of the problems that we have with Experian and stuff getting stolen in there. One of the issues that we have associated with that is the fact that there have been reports that somebody went in and actually stole hard drives that had tens of millions of people’s information on it. When they go in and steal this information, they can stick it into another machine and harvest all that data out. So my number two way, my second number two method of securing your network, is you want to encrypt your computers, and more importantly, you want to encrypt your hard drives. Now we’re talking about UEFI, and we’re talking about trusted platform modules, TPM modules. This is in the BIOS of your particular machines. You can do it on physical machines, but the principles still apply even if you do it on virtual machines.
If somebody steals a virtual machine, they’re not going to be able to read it because the drive itself is encrypted. If you go under 70-744 class, I go through in chapter one right off the bat and show you how to set up UEFI, but let me just give you the nickel tour here. Now I have a virtual machine, but the process is, it’s a different way to get into the interface, but the whole idea is still the same. If I go into this virtual machine and I bring up its settings, you’ll notice that we have a tab here called security. This is a generation two virtual machine, so enable secure boot is turned on by default and we will do the Windows template. But what I want to do is I want to use a UEFI certificate authority. That way I can make sure that not only is my hard drive secure, but also we have trusted applications, we have trusted hardware, if anything changes we’ll know about it. Even though this is a virtual machine that I could copy out to a thumb drive, with this UEFI if I can’t contact my UEFI infrastructure, I’m not going to be able to boot and you’re not going to be able to get the data.
We also have with Windows Server 2016, we have support for a virtual trusted platform module, a TPM module. This is where I can store a decryption certificate and an encryption certificate so that I can encrypt the entire hard drive. That way if somebody does steal a hard drive, well good luck, you’re not going to be able to read it. I can also have this encrypt when I’m doing a system state or a migration traffic, and if I really want to go hardcore, I can set up a guardian host service and I can enable full on shielding where I will lock all this stuff down, have a list of applications that can run. Again, we get into a lot of detail on this in the 70-744 class, securing Windows Server 2016. But even if they steal your hardware, well congratulations you’re not going to be able to read it. Even if you are a Hyper-V administrator, unless you happen to have specific workload administration permissions, you’re not going to be able to open this up and find out what’s going on inside the system.
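The Security tab Doug walks through has a PowerShell equivalent on the host, and the encryption itself is then turned on inside the guest. The block below is an added example, not part of the transcript: the host half enables Secure Boot and a virtual TPM on a generation 2 VM on Windows Server 2016 Hyper-V, the guest half confirms both are visible and seals the OS volume with BitLocker. The VM name is a placeholder, and the local key protector stands in for the Host Guardian Service that a production fabric would use.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the transcript): the Hyper-V settings Doug sets in
# the VM's Security tab, done from PowerShell on a Windows Server 2016 host,
# followed by the in-guest checks and BitLocker enablement. The VM name is a
# placeholder; the local key protector is for a lab, not a guarded fabric.

# ---- Host side -------------------------------------------------------------
function Enable-VmSecureBootAndTpm {
    param([Parameter(Mandatory)][string]$VMName)
    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) { throw "$VMName is generation $($vm.Generation); Secure Boot and vTPM need a generation 2 VM." }
    if ($vm.State -ne 'Off') { Stop-VM -Name $VMName }

    # Secure Boot with the Windows template (use MicrosoftUEFICertificateAuthority
    # for Linux or other third-party-signed boot loaders instead).
    Set-VMFirmware -VMName $VMName -EnableSecureBoot On -SecureBootTemplate MicrosoftWindows

    # A key protector must exist before a vTPM can be added. A local protector
    # ties the vTPM to this host only; in production use a Host Guardian Service
    # protector so a copied VHDX cannot be started on an unguarded host.
    Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
    Enable-VMTPM -VMName $VMName

    # Also encrypt saved state and live-migration traffic, as Doug mentions.
    Set-VMSecurity -VMName $VMName -EncryptStateAndVmMigrationTraffic $true

    Get-VMSecurity -VMName $VMName | Select-Object TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
}

# ---- Guest side (run inside the VM once it has booted) ----------------------
function Protect-OsVolumeWithTpm {
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not active; fix the firmware settings first.' }
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'No ready TPM visible to the guest.' }

    # Seal the OS volume key to the TPM; UsedSpaceOnly keeps a fresh build fast.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
    # A recovery password, escrowed to Active Directory, is the admin's way back in
    # if the firmware measurements change and the TPM refuses to unseal.
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId
    Get-BitLockerVolume -MountPoint 'C:' | Select-Object VolumeStatus, ProtectionStatus, EncryptionMethod
}

# Enable-VmSecureBootAndTpm -VMName 'FILESRV01'   # on the host
# Protect-OsVolumeWithTpm                         # inside the guest
```

The two halves belong together: a vTPM with no BitLocker on top of it protects nothing, and BitLocker with a locally held key protector still lets the VHDX boot on any host that has the same local key. Moving the protector to a Host Guardian Service is what gives the “can’t contact my infrastructure, can’t boot” behaviour Doug describes.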
#1: Train Yourself to Train Your Users
Now the last step, and probably the most important step as far as securing your entire environment, is the realization that things are always changing. If I go up to map.norsecorp.com, one of the things that you’re going to find is that we’re under attack, and I mean we as in the entire world. This is a real-time map of what’s going on. There are all sorts of different attack types that are going on. We have SMTP, we have telnet, we have all sorts of different things that are happening, but these are always changing because we close one hole, they open another hole, or somebody puts out a new thing. The number one way to secure your environment is training. You need to train your end users how not to be socially engineered, not to fall prey to phishing and hacks, and most importantly you need to train your administrators. This is where it is critical to get the latest and greatest information, get yourself up to speed, and make sure that you keep nice and sharp on that edge to make sure that any new attacks that come out you are in the lead of that in being able to lock that stuff down.
You want to look for, and even if you don’t take training from us, these are some of the things you want to look for. You want to look for not just book smart, but actual real-world experience. You want to make sure that you have access to labs. You want to make sure that your sessions are recorded. That way two weeks from now, two months from now, a year from now, you want to go in and be able to view a live session, or maybe even have it with you on your phone when you’re out there in the wild. That is critical information. Something that’s constantly updated, you don’t just want a recorded session that they recorded it once and then they never update it for two or three years. You want live stuff whenever possible. If you don’t get it from us, I do recommend that you get it from whoever meets all of your criteria.
On behalf of everybody here at StormWind Studios, we thank you for coming by. If you do have questions about my top four, remember number four was “disable SMB”, number three was “make sure you have updates and update your WSUS”, number two is “UEFI and TPM”, but number one, “make sure that you keep up-to-date on your training”. Thanks for coming by, and we hope to see you in another class real soon. Have a good one.