Microsoft Windows Laptop Security: Harden These 10 Things Now

A discussion: Microsoft Windows Laptop Security

The following article is a discussion of configuration settings that can help improve your Microsoft Windows laptop security, protecting and defending your data from malicious actors. Join the discussion below or reach out to Redbot Security for cybersecurity services.

Author: Andrew Bindner, CSO & Principal Security Engineer

What is Security Hardening?

By definition, hardening is “A process intended to eliminate a means of attack by patching vulnerabilities and turning off nonessential services” (NIST SP 800-12). Realistically, the act of hardening is akin to wearing your seatbelt while driving. You may never be the victim of an accident (in this case, a data breach), but your level of risk and the potential for severe damage from a ‘drive-by’ malicious actor is high, especially if your mobile infrastructure (laptops, cellphones, touchpads, etc.) is not configured to withstand a technical attack.

Why is it Important?

Malicious actors prey on weak configurations like locusts. Microsoft, despite knowing that its operating systems have inherent weaknesses, has done little to enhance their initial security beyond remediating publicly known vulnerabilities. Microsoft alone had 1,212 security vulnerabilities in 2021, 104 of them rated critical for Remote Code Execution (RCE) or privilege escalation. Most of us only really hear about the critical vulnerabilities, such as ETERNALBLUE (MS17-010), a vulnerability that is consistently exploited on regular penetration tests. Microsoft does a ‘decent’ job of enforcing security patching, but other issues remain. Most security engineers and consultants would refer to these as misconfigurations, but they are really the result of Microsoft’s approach to the balancing act between security and usability. Microsoft aims at giving administrators and end users the highest usability with as little hindrance as possible, meaning that security takes the back seat. Unfortunately, these weak security settings allow hackers and other malicious actors to gain a foothold and launch more sophisticated attack techniques that will likely expose sensitive information and grant unauthorized access.

False Sense of Security through VPN

One mistake that Redbot Security sees on a regular basis is network and systems administrators relying on VPNs to control access. This is a false sense of security that, if the VPN is not implemented correctly, can lead to bigger issues. But why? A VPN opens a direct tunnel to hosts and services (typically on enterprise networks) that are otherwise not directly accessible from the internet. Depending on its configuration, the VPN will commonly also redirect all internet-bound traffic to provide a layer of security and privacy. The VPN software does this by establishing a virtual network interface and installing routing rules. What it does not do is hide the computer from the current Local Area Network (LAN). This means that when the laptop or mobile device connects to an untrusted network, such as a coffee shop or airport Wi-Fi network, it still maintains a presence there. On most enterprise networks, network administrators can enable network segmentation and client isolation techniques that keep users from communicating with one another. However, outside of corporate-owned networks, administrators who allow mobile devices to connect to untrusted networks cannot enforce these policies. Furthermore, for home-based workers, personal networks are often shared with devices that are truly high-risk, such as the computers and mobile devices of children or unregulated IoT devices.

Common Attacks

Before delving into the top configurable settings to harden Windows-based laptops, let’s take a moment to understand the most common attack techniques used by malicious actors.

Password Guessing

It’s loud, but password guessing is effective and straightforward. Furthermore, it requires little to no skill and can be fully automated by an attacker. Its effectiveness preys upon users setting weak, guessable passwords. Yes, ‘123456’ and ‘Password1’ are the most common, along with ‘Season+Year’. Even with a baseline password policy of eight characters and enforced complexity, ‘Password1’ and ‘Fall2022’ meet the criteria. This is made worse by the fact that the local administrator account on Microsoft Windows operating systems does not lock out. This means that an attacker can send hundreds, if not thousands, of guesses from open-source dictionaries with mutation rules in an incredibly short amount of time.

LLMNR

Link-Local Multicast Name Resolution (LLMNR) sounds super fancy, but it’s ultimately one of the worst protocols ever developed in the history of technology. Furthermore, it’s enabled by default and is only absolutely needed in very rare cases, such as the lack of access to DNS services. While it is enabled, an attacker can monitor a network for certain protocols, typically associated with authentication against network-based resources, and intercept or manipulate the name resolution process to elicit an authentication request. In most cases, the intercepted material must be cracked offline and cannot be used in the moment for Pass-the-Hash (PTH) techniques, but it’s a start.

SMB Attacks

Direct manipulation of SMB traffic can reveal a lot about a host on the network, such as its name, operating system, and even the build or patch version. In some cases, the attacker can leverage things like e-mail or access to other network resources to intercept authentication requests, similar to LLMNR-based attacks.

Missing Security Patches

The attack techniques surrounding missing security patches are probably large enough to be their own topic. To summarize, there are loads of Remote Code Execution (RCE) vulnerabilities that have come to light over the last 20 years, backed by a plethora of resources quickly discovered through internet searches using Google or Bing. Most also have publicly available Proof of Concept (PoC) code or pre-compiled binaries, which is similar to handing the attacker a live grenade with instructions on how to pull the pin.

Web Application Attacks

Without a VPN redirecting web application traffic, the user may be at risk from web-based attack techniques. These are commonly Cross-Site Scripting (XSS) and Java-derived vulnerabilities which attempt to steal session cookies or authentication credentials, execute malicious code, or hijack browsers.

Phishing

“You won!” and “A relative you didn’t know left you their fortune when they passed.” I’m sure we’ve all seen them... all day long. Despite advanced technology and new products every year to thwart phishing, it works and it’s here to stay. Even elementary and high schools are teaching students how to recognize phishing emails. The problem is that, just like mass marketing, it’s easy for a malicious actor to target as few as one (1) or as many as 10,000 people with ease. Inevitably, despite the poor grammar and lack of spellcheck, someone will eventually click the Link of Doom.

10 Configurations You Need to Apply Now

Now, on to the good stuff. Here are 10 things that any Windows Professional user or administrator can do to enhance the security of their laptop (apologies to Windows Home users; Microsoft doesn’t believe in allowing you configurable access unless you pay for the upgrade).

Note: Non-domain-joined users (folks who own a laptop with Windows Professional) can leverage the built-in Local Group Policy Editor (gpedit.msc), while enterprise administrators should capitalize on Microsoft’s Group Policy Objects (GPOs) for Active Directory.

  1. Change the local administrator name: This will hinder password guessing against the administrator account because the malicious actor will have to guess not only the password, but the name as well.
  • Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Administrator account status: Disabled
  • Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Rename administrator account: “Rename”
  2. Disable Guest: Guest access is still access. Hackers may have to work much harder, but privilege escalation starts with initial access. The guest account is disabled by default in Windows 10 and 11.
  • Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Guest account status: Disabled
  • Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Rename guest account: “Rename”
  3. Disable SMB Version 1: SMB is a primary authentication mechanism for Microsoft. Version 1 is unencrypted and should only be used when absolutely necessary and with other security controls in place.
  4. Enable SMB Signing: This setting ensures that encrypted communications between two hosts stay that way.
  • Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network client: Digitally sign communications (always): Enabled
  • Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network client: Digitally sign communications (if server agrees): Enabled
  • Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled
  • Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network server: Digitally sign communications (always): Enabled
  • Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network server: Digitally sign communications (if client agrees): Enabled
  5. Disable LLMNR: Unless you have a specific business use case, this protocol can be disabled.
  • Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client > Turn Off Multicast Name Resolution: Enabled
  6. Disable mDNS: Again, like LLMNR, unless you have a specific use case, it is recommended that this protocol be disabled.
  • Using PowerShell: Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name EnableMDNS -Value 0 -Type DWord
  • Using the Registry Editor: REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableMDNS" /t REG_DWORD /d "0" /f
  • Using Group Policy Management Console: Add "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\mDNS – Key: EnableMDNS=0" through a batch script in Local Computer Policy > Preferences > Windows Settings > Scripts > Startup
  7. Enhance Cryptographic Implementation: Despite social media’s attempts to bring back the 90s, computers are much faster and more efficient. Get rid of antiquated cryptography. 99.999% of the time, you couldn’t possibly notice the difference between your computer using the weak RC4 cipher versus AES-256... but a hacker would.
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Domain member: Require strong (Windows 2000 or later) session key: Enabled
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future Encryption Types
  • Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
  8. Strong Password Policy: Longer passwords are inherently stronger. That doesn’t mean the level of complexity has to be obnoxious, either. As a matter of fact, the more complex the required password, the more likely the user is to fall back on a weak or guessable one. There have also been significant changes to the recommended password policy baselines from NIST over the last few years. However, most security professionals will agree that a minimum of eight characters is laughable. (Note: All of the following settings are listed under “Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy” or “... > Account Policies > Account Lockout Policy”.)
  • Enforce password history: 20 passwords remembered
  • Maximum password age: 1 year
  • Minimum password age: 1 day
  • Minimum password length:
    • Users: 12 characters
    • Administrators: 15 characters
    • Service accounts: 20 characters
  • Password must meet complexity requirements: Enabled
  • Relax minimum password length limits: Disabled
  • Store passwords using reversible encryption: Disabled
  • Account lockout duration: 30 minutes
  • Account lockout threshold: 5 invalid logon attempts
  • Allow Administrator account lockout: Enabled
  • Reset account lockout counter after: 30 minutes
  9. Role separation: Do not use a computer for everyday activities, such as surfing the web and checking email, with an account that has privileged access (specifically, administrator). Instead, create two accounts: one for administrative functions, such as installing software, and a second for normal everyday tasks as a user.
  • This group of settings is different for every organization.

Note: User Rights Assignment is located in Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Please exercise extreme caution with these policies. Misconfiguration can and likely will cause a computer to crash. For that reason, Redbot Security will not be covering this section in detail. Understanding the concept of privilege and role separation is the key takeaway.

  • Standalone installations of Microsoft Windows can leverage the User Accounts management console instead of Group Policy.

Helpful Hint: If the laptop has biometric authentication, such as a fingerprint reader, assign your index finger to one account and your middle finger to the other.

  10. Full Disk Encryption and Backups: Laptops go missing regularly. Keep your data secure and do not neglect backups. It doesn’t matter whether it’s classified sensitive information or pictures of your family; when your data is in someone else’s hands, lost, or exposed to the world, it’s a nightmare.
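As an added example that is not part of the original article, the following PowerShell audit script reads back the state behind items 1 through 7 and 10 above (local account state, SMB client/server configuration, the registry values that the listed policies set, and BitLocker status) and reports each check as compliant or not; items 8 and 9 are organization-specific and are not checked. The registry paths, the Kerberos bitmask and the use of BitLocker as the full-disk encryption are assumptions based on the standard Windows locations behind those settings, not values taken from the article.

```powershell
# Added audit script (not from the article). Run from an elevated PowerShell on
# Windows 10/11 Professional; it only reads settings and changes nothing.
function Get-RegValue([string]$Path, [string]$Name, $Default = $null) {
    # Returns $Default when the key or value is absent (policy not configured)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $Default }
}

function New-Check([string]$Name, $Expected, $Actual) {
    # Absent ($null) values never count as compliant; comparing as strings lets
    # booleans, integers and enum values share one rule
    [pscustomobject]@{
        Check     = $Name
        Expected  = $Expected
        Actual    = $Actual
        Compliant = ($null -ne $Actual) -and ("$Actual" -eq "$Expected")
    }
}

function Test-LaptopHardening {
    # Assumed standard registry locations behind the policies listed in the article
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wks    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $nlog   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $dnsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $dnsSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $kerb   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    # Built-in Administrator (RID 500) and Guest (RID 501) keep their SIDs when
    # renamed, so look them up by RID rather than by name
    $admin  = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $guest  = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    $smbSrv = Get-SmbServerConfiguration
    $smbCli = Get-SmbClientConfiguration
    # AES128 (0x8) + AES256 (0x10) + Future types (0x7FFFFFE0); RC4/DES bits clear
    $aesOnly = 0x7FFFFFF8
    @(
        New-Check 'Administrator renamed'              $true    ($admin.Name -ne 'Administrator')
        New-Check 'Administrator disabled'             $false   $admin.Enabled
        New-Check 'Guest disabled'                     $false   $guest.Enabled
        New-Check 'SMBv1 server disabled'              $false   $smbSrv.EnableSMB1Protocol
        New-Check 'SMB server signing required'        $true    $smbSrv.RequireSecuritySignature
        New-Check 'SMB client signing required'        $true    $smbCli.RequireSecuritySignature
        New-Check 'No plaintext SMB passwords'         0        (Get-RegValue $wks 'EnablePlainTextPassword' 0)
        New-Check 'LLMNR off (EnableMulticast)'        0        (Get-RegValue $dnsPol 'EnableMulticast')
        New-Check 'mDNS off (EnableMDNS)'              0        (Get-RegValue $dnsSvc 'EnableMDNS')
        New-Check 'Strong session key required'        1        (Get-RegValue $nlog 'RequireStrongKey')
        New-Check 'Kerberos AES only'                  $aesOnly (Get-RegValue $kerb 'SupportedEncryptionTypes')
        New-Check 'NTLMv2 only (LmCompatibilityLevel)' 5        (Get-RegValue $lsa 'LmCompatibilityLevel')
        New-Check 'BitLocker protecting C:'            'On'     ((Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus)
    )
}

Test-LaptopHardening | Format-Table -AutoSize
```

A value that is absent from the registry is reported as empty and non-compliant, which is the right call for LLMNR, mDNS, Kerberos and LAN Manager settings since their defaults are the permissive ones.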

NOTICE: This is an opinion article / discussion with some insight into methods that can potentially help harden a Microsoft Windows environment. This is NOT a complete guide to Windows security hardening, and you should always consult a professional cybersecurity company for security services.

About the Author

Andrew Bindner, CSO & Principal Security Engineer

Andrew has 20+ years of hands-on security experience leading teams or working individually on highly technical engagements for a wide variety of commercial and government industries in IT and OT security. Andrew is an active security community leader and member who has developed Redbot Security’s penetration testing methodologies, security policies, attack tools, social engineering tactics, and application and IoT testing guidance. Andrew is able to hack his way into a variety of IT/OT networks, devices and applications and has been known to take over entire cities, Simulating Real World Attacks – Before they Become Real

...and he likes to void warranties for a living!

Redbot Security

Redbot Security is a boutique penetration testing firm with a senior-level team of industry experts. Since Redbot Security is a smaller, more specialized penetration testing group, the company is able to focus on building client relationships and delivering a premier customer experience through continuously engaged senior engineers.
