This document contains a number of items on how to secure your Microsoft Windows environment; it is, however, tailored towards an Active Directory environment.
- Ensure that WSUS is configured and deployed across all machines, and that updates are applied as soon as possible
- Ensure that all machines have been updated to Windows 10, or are being updated to Windows 10 as soon as possible
- Although EMET is being made end of life (July 2018), look at deploying it to all workstations in the meantime
- Implement AppLocker to block applications from running from user-writable locations (such as the home directory, profile path, temp, etc.)
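As an added example (not part of the original checklist), the PowerShell below builds the AppLocker executable rule set that achieves the item above: only binaries under Program Files and Windows are allowed for everyone, administrators are exempt, and anything launched from a user-writable path is denied by the implicit default. The output path and the rule GUIDs are constructed placeholders; the cmdlets (`Test-AppLockerPolicy`, `Set-AppLockerPolicy`) are the standard AppLocker module.

```powershell
# Added example, not from the original checklist. Run elevated on a reference
# workstation; for the domain, import the same XML into a GPO under
# Computer Configuration > Windows Settings > Security Settings > Application Control Policies.
$policyPath = "$env:TEMP\applocker-exe.xml"   # assumed output location

@'
<AppLockerPolicy Version="1">
  <!-- Start in AuditOnly; switch to Enabled once the AppLocker event log (8003 events) shows no false positives -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1a1a1a1-0000-4000-8000-000000000001" Name="Allow Program Files" Description="Installed applications" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1a1a1a1-0000-4000-8000-000000000002" Name="Allow Windows" Description="Operating system binaries" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1a1a1a1-0000-4000-8000-000000000003" Name="Allow Administrators everywhere" Description="Local admins are exempt" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $policyPath -Encoding UTF8

# AppLocker only enforces while the Application Identity service is running;
# its startup type is normally pinned to Automatic through the GPO System Services node.
Start-Service -Name AppIDSvc

# Dry run: which executables in the current user's Downloads folder would a
# standard user be blocked from running under this policy?
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally; -Merge keeps any existing Script/MSI/DLL rule collections intact
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Note that %WINDIR% includes user-writable subfolders (for example Tasks and Temp under System32), so a production rule set should add deny path rules for those exceptions, and the Script and MSI collections need their own rules for the same reasoning to cover scripts and installers.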
- Make sure that the blocking of MS Office macros (Windows & Mac) on content downloaded from the Internet is enabled
- Make sure that all devices are running some form of endpoint security: anti-virus/anti-malware and a host-based firewall
- Make sure of centralised monitoring: ensure that event logs are forwarded (Windows Event Forwarding, WEF) to a centralised location
- Limit the capability of running rogue applications by blocking/restricting attachments via email/download:
  - Executable extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, etc.
  - Office files that support macros: docm, xlsm, pptm, etc.
  - Change the default program for anything that opens with Windows Script Host to Notepad: bat, js, jse, vbe, vbs, wsf, wsh, etc.
- Ensure that the Domain Admins group is limited to a select number of accounts, ideally no more than 5 people at most
- Ensure that Enterprise and Schema Administrator accounts are restricted even further than Domain Admins
- Local Administrator access on workstations should not be used by default
- Ensure that users are only given access to Security Groups that they need access to
- Ensure that the local administrator account passwords are automatically changed (Microsoft LAPS) & remove any extra local admin accounts
- Configure the Group Policy Objects (GPO) to prevent local accounts from network authentication (KB2871997)
- Use Managed Service Accounts for service accounts (SAs) when possible; see also Fine-Grained Password and Account Policy: https://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
- Ensure all built-in groups except Administrators are denied from logging on to Domain Controllers using User Rights Assignments. By default, Backup Operators and Account Operators can log on to Domain Controllers, which is dangerous
- Add all admin accounts to Protected Users group (requires Windows 2012 R2 DCs)
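The privileged-group items above can be checked on a schedule with the ActiveDirectory RSAT module; the script below is an added example rather than part of the original checklist. It reports the recursive user membership of each high-privilege group, warns when Domain Admins exceeds the five-account ceiling from the list, and names admin accounts that are not yet in Protected Users. The group list and the `$maxDomainAdmins` threshold are assumptions that follow the checklist.

```powershell
# Added example, not from the original checklist. Requires RSAT (ActiveDirectory module)
# and a domain with 2012 R2 or newer DCs so the Protected Users group exists.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
$maxDomainAdmins  = 5   # assumed ceiling, matching the checklist

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect membership is counted too
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object objectClass -eq 'user'
    [pscustomobject]@{
        Group   = $group
        Count   = @($members).Count
        Members = (@($members).SamAccountName | Sort-Object) -join ', '
    }
}
$report | Format-Table -AutoSize

$da = $report | Where-Object Group -eq 'Domain Admins'
if ($da.Count -gt $maxDomainAdmins) {
    Write-Warning "Domain Admins has $($da.Count) members; target is $maxDomainAdmins or fewer"
}

# Every admin account should sit in Protected Users, which refuses NTLM,
# DES/RC4 Kerberos and delegation for its members.
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty SamAccountName

$admins = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
}
$unprotected = $admins | Sort-Object SamAccountName -Unique |
               Where-Object { $_.SamAccountName -notin @($protected) }

if ($unprotected) {
    Write-Warning ("Admin accounts missing from Protected Users: " + ($unprotected.SamAccountName -join ', '))
    # Remediate only after confirming none of these are service or computer accounts,
    # which Protected Users is not designed for:
    # Add-ADGroupMember -Identity 'Protected Users' -Members $unprotected
}
```

Keep the remediation line commented until the list has been reviewed: an account that still depends on NTLM or RC4 will stop authenticating the moment it joins Protected Users, which is exactly the behaviour wanted for admins but disruptive for a misclassified service account.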
- Remove NetBIOS over TCP/IP
- Disable LLMNR
- Disable WPAD
- Enforce LDAP signing
- Enable SMB signing (& encryption where possible)
- Windows 10: remove
  - SMB 1.0/CIFS
  - Windows PowerShell 2.0
- Ensure all computers use NTLMv2 and Kerberos; deny LM/NTLMv1
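The protocol items from "Remove NetBIOS over TCP/IP" down to the NTLMv2 requirement map to a small set of registry values and two optional Windows features. The script below is an added example (not part of the original checklist) that audits a Windows 10 workstation or member server against them and, with `-Remediate`, writes the expected values; the registry locations are the documented policy paths, while the `$checks` table, the `-Remediate` switch and the PASS/FAIL layout are this example's own. In a domain these settings belong in a GPO; the script is for verifying a machine actually received them.

```powershell
# Added example, not from the original checklist. Run elevated.
param([switch]$Remediate)

$checks = @(
    @{ Name = 'LLMNR disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Key  = 'EnableMulticast'; Expected = 0 }
    @{ Name = 'WPAD auto-proxy service disabled (Start=4)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
       Key  = 'Start'; Expected = 4 }
    @{ Name = 'LDAP client signing required'       # on DCs also set NTDS\Parameters\LDAPServerIntegrity = 2
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Key  = 'LDAPClientIntegrity'; Expected = 2 }
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'NTLMv2 only, refuse LM/NTLMv1 (LmCompatibilityLevel=5)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel'; Expected = 5 }
)

foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    $ok = ($actual -eq $c.Expected)
    $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
    '{0,-4} {1}  (actual: {2})' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $c.Name, $shown
    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Expected -Type DWord
    }
}

# NetBIOS over TCP/IP is configured per interface: NetbiosOptions 2 = disabled
$interfaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($if in $interfaces) {
    $opt = (Get-ItemProperty -LiteralPath $if.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -ne 2) {
        "FAIL NetBIOS over TCP/IP still enabled on $($if.PSChildName) (NetbiosOptions=$opt)"
        if ($Remediate) { Set-ItemProperty -LiteralPath $if.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
    } else {
        "PASS NetBIOS over TCP/IP disabled on $($if.PSChildName)"
    }
}

# Optional features: SMB1 and the PowerShell 2.0 engine (a downgrade target that
# bypasses script block logging) should both be absent on Windows 10
foreach ($feature in 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root') {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature).State
    if ($state -eq 'Enabled') {
        "FAIL optional feature $feature is enabled"
        if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null }
    } else {
        "PASS optional feature $feature is $state"
    }
}
```

SMB encryption is deliberately left out of the automatic remediation: `Set-SmbServerConfiguration -EncryptData $true` on a file server rejects any SMB 2.x client that cannot encrypt, so it should be enabled per share or per server after checking the client population, which is why the checklist says "where possible". Requiring SMB signing on the server side also needs the same check against legacy devices (printers and NAS appliances are the usual casualties).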