What’s Tip #14 for National Cybersecurity Awareness Month? Harden your networks and systems.
Most cyberattacks that result in full domain compromises start with the lack of hardening on many systems on the network.
Network/system hardening is the process of reducing a system’s attack surface by defining secure configuration settings, disabling unnecessary services and protocols, and changing default credentials — in addition to a myriad of other items that could be employed to further reduce the system’s attack surface.
A threat actor who successfully breaches the network perimeter — whether it’s using a rogue device on the network, compromising a workstation via a malicious phishing email or perhaps cracking a Wi-Fi network — will take advantage of this lack of hardening to mount attacks against the network.
Steps you can take
WARNING: This is going to get a bit more technical than our usual tip!
Proper network/system hardening can prevent a cybercriminal from compromising the domain and its assets or slow them down long enough to be detected by other network controls before a compromise can occur.
Our penetration testers reveal recurring deficiencies present in almost all compromises of Windows domains. Some of the most prevalent network/system hardening issues that surface again and again include:
1. SMB NULL sessions enabled: Windows domain controllers that allow SMB NULL sessions allow an unauthenticated attacker to extract Active Directory user, group and group membership information. This is invaluable reconnaissance to the attacker that can show high-value user accounts and systems that can become the target of subsequent attacks. NULL Sessions should be disabled on all domain controllers.
2. Insecure broadcast name resolution protocols enabled: These protocols, typically NBNS and LLMNR, are enabled by default on Windows systems. Their purpose is to let a host resolve hostnames to IP addresses when DNS doesn’t return an answer. An attacker on the same broadcast domain can intercept and spoof responses to these requests and force the victim host to interact with the attacker. If you don’t rely on these protocols for name resolution, both should be disabled.
3. Lack of SMB signing: SMB signing is a component of the SMB protocol that digitally signs packets so that they are valid only for the intended hosts. Once an attacker is interacting with a victim host, one of the things the attacker will look for is the victim authenticating to the attacker. If SMB signing is disabled on a host, the attacker can relay captured credentials to a second victim machine. If the relayed credentials provide administrative access, the second victim machine has now been compromised. SMB signing should be enabled on every host that allows it.
4. Local administrator credentials shared: Once an attacker has compromised a machine, the credentials for local users in the form of hashed passwords (including the local administrator) are now in the attacker’s possession. The attacker can then use that password hash to test for its validity on other machines on the network. Local administrator passwords are commonly shared among machines, so the compromise of one can result in the compromise of several, or many. Microsoft knows this is a challenge that introduces vulnerability, so they created a solution to help. Check out the Local Administrator Password Solution (LAPS) and consider implementing it within your organization.
5. Lack of network segmentation: Large, flat networks increase an attacker’s chances of capturing and relaying credentials. Network segmentation, which is the process of placing different classes of assets on different network subnets, limits each broadcast domain to as few asset classes as possible. Typically, user workstations, administrative users’ workstations, servers, domain controllers and other back-end servers would be on different subnets. Consider the case of a compromised user workstation: If that workstation is located on a flat network with devices of all classes, it will see broadcasts from all classes of users and devices. If that workstation were isolated on a network segment with only other user workstations, it would not see broadcasts from users with elevated privileges, potentially leaving the attacker with only user-level credentials to work with. Consider segmenting flat networks to isolate an attacker as much as possible.
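As an added example (not part of the original tip), here is a read-only PowerShell audit that checks a single Windows host for items 1 through 3 above. The registry locations and SMB cmdlets are the standard Windows ones; which values count as "hardened" follows the corresponding Microsoft security-policy settings, and the output wording is my own.

```powershell
# Added audit script: reports whether this host applies the hardening
# settings from items 1-3 (NULL sessions, LLMNR/NBNS, SMB signing).
# Read-only: it changes nothing. Run in an elevated PowerShell session.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the Windows default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. SMB NULL sessions. Policy "Do not allow anonymous enumeration of SAM accounts
#    and shares" sets RestrictAnonymous=1; RestrictAnonymousSAM=1 blocks SAM enumeration.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ([int](Get-RegValue $lsa 'RestrictAnonymous') -lt 1) {
    $findings += 'NULL sessions: RestrictAnonymous is 0 (anonymous share/account enumeration allowed)'
}
if ([int](Get-RegValue $lsa 'RestrictAnonymousSAM') -ne 1) {
    $findings += 'NULL sessions: RestrictAnonymousSAM is not 1 (anonymous SAM enumeration allowed)'
}

# 2a. LLMNR. Policy value EnableMulticast=0 turns it off; a missing value means enabled.
$dnsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if ((Get-RegValue $dnsPol 'EnableMulticast') -ne 0) {
    $findings += 'LLMNR is enabled (set EnableMulticast=0 under the DNSClient policy key)'
}

# 2b. NBNS (NetBIOS over TCP/IP), checked per IP-enabled adapter; 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
    ForEach-Object { $findings += "NBNS enabled on adapter: $($_.Description)" }

# 3. SMB signing. Only "required" defeats relay; "enabled" merely offers to negotiate it.
$srv = Get-SmbServerConfiguration
if (-not $srv.RequireSecuritySignature) { $findings += 'SMB server signing is not required' }
$cli = Get-SmbClientConfiguration
if (-not $cli.RequireSecuritySignature) { $findings += 'SMB client signing is not required' }

if ($findings.Count -eq 0) { 'All checked hardening settings are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each FINDING line maps back to one of the numbered items above; fixing them is a matter of applying the named Group Policy setting rather than editing the registry by hand.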