{
	"id": "8bf19f74-399d-4d68-acc9-bfb58325f366",
	"created_at": "2026-04-06T00:07:29.360241Z",
	"updated_at": "2026-04-10T13:11:21.579438Z",
	"deleted_at": null,
	"sha1_hash": "572b958ff9024b74f3f53d2dd4be6e3861b9e225",
	"title": "Securing Windows Workstations: Developing a Secure Baseline",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1776710,
	"plain_text": "Securing Windows Workstations: Developing a Secure Baseline\r\nBy Sean Metcalf\r\nPublished: 2016-10-21 · Archived: 2026-04-05 13:35:11 UTC\r\nSecuring workstations against modern threats is challenging. It seems like every week there’s some new method attackers\r\nare using to compromise a system and user credentials.\r\nPost updated on March 8th, 2018 with recommended event IDs to audit.\r\nThe best way to create a secure Windows workstation is to download the Microsoft Security Compliance Manager (currently\r\nat version 4.0) and select “Security Compliance” option under the operating system version for which you want to create the\r\nsecurity baseline GPO. Review the options, change as needed, and export as a GPO Backup (folder). Create a new empty\r\nGPO and Import the settings from the SCM GPO backup. Then apply this newly created GPO to your workstations. This\r\nwill improve your workstation security baseline if you have minimal security settings already configured, especially if you\r\nhave no existing workstation GPO.\r\nAs part of developing your Windows Workstation Security Baseline GPO, there are several large organizations that have\r\nspent time and money determining what’s “secure”:\r\nDoD STIG: http://iase.disa.mil/stigs/os/windows\r\nDoD Windows 10 Secure Host Baseline files: https://github.com/iadgov/Secure-Host-Baseline\r\nAustralian Information Security Manual: http://www.asd.gov.au/infosec/ism/index.htm\r\nCIS Benchmarks: https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.os.windows\r\nMicrosoft Administrative Templates for controlling settings via Group Policy are here:\r\nWindows 7 \u0026 Windows Server 2008 R2: https://www.microsoft.com/en-us/download/details.aspx?id=6243\r\nWindows 8.1 \u0026 Windows Server 2012 R2: https://www.microsoft.com/en-us/download/details.aspx?id=43413\r\nWindows 10 (v1607) \u0026 Windows Server 2016: https://www.microsoft.com/en-us/download/details.aspx?id=53430\r\nOffice 
2010: https://www.microsoft.com/en-us/download/details.aspx?id=18968\r\nOffice 2013: https://www.microsoft.com/en-us/download/details.aspx?id=35554\r\nOffice 2016: https://www.microsoft.com/en-us/download/details.aspx?id=49030\r\nNote that these locations are subject to change with further updates.\r\nGroup Policy Settings Reference for Windows and Windows Server\r\nhttps://adsecurity.org/?p=3299\r\nPage 1 of 30\n\nWindows 10 (v1607) \u0026 Windows Server 2016 security configuration baseline settings:\r\nhttps://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/\r\nIf you already have a GPO configuring workstation security, you can compare what you have to the SCM generated\r\n“Security Compliance” GPO using Microsoft’s Policy Analyzer.\r\nBeyond the standard “Windows security things”, there are legacy and often unused components that linger and are carried\r\nforward from earlier Windows versions that are often no longer needed, but kept for compatibility reasons. 
This post covers\r\nmany of these as well as other good security practices and configuration.\r\nObviously, you should move to the most recent version of Windows and rapidly deploy security patches when they are\r\navailable.\r\nThe following items are recommended for deploying a secure Windows workstation baseline, though test first since some of\r\nthese may break things.\r\nSecuring Windows Workstation:\r\nDeploying Free/Near-Free Microsoft Tools to Improve Windows Security\r\nDeploy Microsoft AppLocker to lock down what can run on the system.\r\nDeploy current version of EMET with recommended software settings.\r\nDeploy LAPS to manage the local Administrator (RID 500) password.\r\nForce Group Policy to reapply settings during “refresh”\r\nDisable Windows Legacy \u0026 Typically Unused Features\r\nDisable Net Session Enumeration (NetCease)\r\nDisable WPAD\r\nDisable LLMNR\r\nDisable Windows Browser Protocol\r\nDisable NetBIOS\r\nDisable Windows Scripting Host (WSH) \u0026 Control Scripting File Extensions\r\nDeploy security back-port patch (KB2871997).\r\nPrevent local Administrator (RID 500) accounts from authenticating over the network\r\nEnsure WDigest is disabled\r\nRemove SMB v1 support\r\nWindows 10 \u0026 Windows 2016\r\nWindows 10 \u0026 2016 System Image Configuration\r\nBlock Untrusted Fonts\r\nEnable Credential Guard\r\nConfigure Device Guard\r\nApplication Security Settings\r\nDisable Microsoft Office Macros\r\nDisable Microsoft Office OLE\r\nAdditional Group Policy Security Settings\r\nConfigure Lanman Authentication to a secure setting\r\nConfigure restrictions for unauthenticated RPC clients\r\nConfigure NTLM session security\r\nFree or Near Free Microsoft Tools to Improve Windows Security\r\nDeploy AppLocker to lock down what can run on the system\r\nMicrosoft AppLocker provides out of the box application whitelisting capability for Windows.\r\nIt is highly recommended to use AppLocker to lock 
down what can be executed on Windows workstations and servers that\r\nrequire high levels of security.\r\nAppLocker can be used to limit application execution to specific approved applications. There are several different phases\r\nI recommend for AppLocker:\r\nPhase 1: Audit Mode – audit all execution by users and the path they were run from. This logging mode provides\r\ninformation on what programs are run in the enterprise and this data is logged to the event log.\r\nPhase 2: “Blacklist Mode” – Configure AppLocker to block execution of any file in a user’s home directory, profile\r\npath, and temporary file location the user has write access to, such as c:\\temp.\r\nPhase 3: “Folder Whitelist Mode” – Configure AppLocker to build on Phase 2 by adding new rules to only allow\r\nexecution of files in specific folders such as c:\\Windows and c:\\Program Files.\r\nPhase 4: “Application Whitelisting” – Inventory all applications in use in the enterprise environment and whitelist\r\nthose applications by path and/or file hash (preferably digital signature). This ensures that only approved organization\r\napplications will execute.\r\nAppLocker Group Policies are created and managed here:\r\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Application Control Policies\\AppLocker\r\nReview the AppLocker Policies Design Guide for deployment help.\r\nExpected Level of Effort:\r\nMedium-High\r\nExpected Impact:\r\nThis is likely to break things in the enterprise, please test first.\r\nDeploy current version of EMET with recommended software settings\r\nMicrosoft Enhanced Mitigation Experience Toolkit (EMET) helps prevent application vulnerabilities from being exploited\r\n(including mitigating many 0-days). 
It’s a free product that effectively “wraps” popular applications so when vulnerability\r\nexploitation is attempted, the attempt is stopped at the “wrapper” and doesn’t make it to the OS.\r\nThere are several profiles for deployment:\r\nDefault configuration.\r\nRecommended Software.\r\nPopular Software.\r\nAt the very least, deploy EMET with the default configuration to harden core applications.\r\nThe EMET administrative templates (EMET.admx \u0026 EMET.adml) enable EMET management via GPO and are found in\r\nthe \u003cSystemDrive\u003e\\Program Files\\EMET\\Deployment\\Group Policy Files folder on a system with EMET installed. Copy\r\nthese to the Active Directory GPO Central Store.\r\nCustomize EMET configuration via Group Policy.\r\nTest with applications since some “more secure” settings may cause crashes with programs like Outlook and Chrome as well\r\nas some security software.\r\nNote that Microsoft EMET reaches End of Life (EOL) in 2018. It was developed by Microsoft to improve certain\r\nelements of Windows security at the time it was released, and Windows 10 includes greatly improved security which exceeds most of\r\nthe EMET enhancements.\r\nExpected Level of Effort:\r\nMedium\r\nExpected Impact:\r\nThis may break things in the enterprise, please test first.\r\nUse LAPS to manage the local Administrator (RID 500) password\r\nMicrosoft Local Administrator Password Solution (LAPS) provides automated local administrator account management for\r\nevery computer in Active Directory (LAPS is best for workstation local admin passwords). A client-side component installed\r\non every computer generates a random password, updates the (new) LAPS password attribute on the associated AD\r\ncomputer account, and sets the password locally. 
LAPS configuration is managed through Group Policy which provides the\r\nvalues for password complexity, password length, local account name for password change, password change frequency, etc.\r\nLAPS Deployment Information\r\nExpected Level of Effort:\r\nLow to Medium\r\nExpected Impact:\r\nThis may break things in the enterprise, please test first.\r\nForce Group Policy to reapply settings during “refresh”\r\nThe default Group Policy application behavior is to “refresh the group policy” on the client, though this doesn’t actually\r\nmean the GPO settings are re-applied. By default, the GPO’s settings are only reapplied if the GPO was modified prior to\r\nthe refresh. This means that one could reverse a GPO enforced setting via the computer’s registry (typically with admin\r\nrights) and the unauthorized setting remains until the GPO is modified (if it ever is), after which the GPO settings are re-applied.\r\nAfter testing, change the Group Policy default setting to re-apply GPO settings at every refresh – “Process even if the Group\r\nPolicy objects have not changed”. 
This does have a potential performance hit on the client, but will ensure all GPO enforced\r\nsettings are re-applied.\r\nComputer Configuration, Policies, Administrative Templates, System, Group Policy, Configure security policy processing:\r\nSet to Enabled.\r\nAlso check the box for “Process even if the Group Policy objects have not changed”\r\nIt’s also recommended to configure the same settings for each of the following:\r\nComputer Configuration, Policies, Administrative Templates, System, Group Policy, Configure registry policy\r\nprocessing\r\nComputer Configuration, Policies, Administrative Templates, System, Group Policy, Configure scripts policy\r\nprocessing\r\nAs well as any other policy settings as needed.\r\nEnable LSA Protection/Auditing\r\nStarting with Windows 8.1/Windows Server 2012 R2, LSA Protection can be enabled with a registry key addition to prevent\r\nunsigned code from interacting with LSASS (like Mimikatz). Before enabling LSA Protection, it’s a best practice to enable\r\nLSA Auditing to know what code may be interacting with LSASS which would be blocked otherwise.\r\nFrom Microsoft’s “Configuring Additional LSA Protection”:\r\nThe LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote\r\nsign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA\r\nto prevent reading memory and code injection by non-protected processes. This provides added security for the credentials\r\nthat the LSA stores and manages. The protected process setting for LSA can be configured in Windows 8.1, but it cannot be\r\nconfigured in Windows RT 8.1. 
When this setting is used in conjunction with Secure Boot, additional protection is achieved\r\nbecause disabling the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa registry key has no effect.\r\nFor an LSA plug-in or driver to successfully load as a protected process, it must meet the following criteria:\r\n1. Signature verification: Protected mode requires that any plug-in that is loaded into the LSA is digitally signed with a\r\nMicrosoft signature. Therefore, any plug-ins that are unsigned or are not signed with a Microsoft signature will fail\r\nto load in LSA. Examples of these plug-ins are smart card drivers, cryptographic plug-ins, and password filters. LSA\r\nplug-ins that are drivers, such as smart card drivers, need to be signed by using the WHQL Certification. For more\r\ninformation, see WHQL Release Signature (Windows Drivers). LSA plug-ins that do not have a WHQL Certification\r\nprocess must be signed by using the file signing service for LSA.\r\n2. Adherence to the Microsoft Security Development Lifecycle (SDL) process guidance: All of the plug-ins must conform\r\nto the applicable SDL process guidance. For more information, see the Microsoft Security Development Lifecycle\r\n(SDL) Appendix. Even if the plug-ins are properly signed with a Microsoft signature, non-compliance with the SDL\r\nprocess can result in failure to load a plug-in.\r\nRecommended practices\r\nUse the following list to thoroughly test that LSA protection is enabled before you broadly deploy the feature:\r\nIdentify all of the LSA plug-ins and drivers that are in use within your organization. 
This includes non-Microsoft\r\ndrivers or plug-ins such as smart card drivers and cryptographic plug-ins, and any internally developed software\r\nthat is used to enforce password filters or password change notifications.\r\nEnsure that all of the LSA plug-ins are digitally signed with a Microsoft certificate so that the plug-in will not fail to\r\nload.\r\nEnsure that all of the correctly signed plug-ins can successfully load into LSA and that they perform as expected.\r\nUse the audit logs to identify LSA plug-ins and drivers that fail to run as a protected process.\r\nYou can use the audit mode to identify LSA plug-ins and drivers that will fail to load in LSA Protection mode. While in the\r\naudit mode, the system will generate event logs, identifying all of the plug-ins and drivers that will fail to load under LSA if\r\nLSA Protection is enabled. The messages are logged without blocking the plug-ins or drivers.\r\nTo enable the audit mode for Lsass.exe on a single computer by editing the Registry\r\n1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution\r\nOptions\\LSASS.exe.\r\n2. Set the value of the registry key to AuditLevel=dword:00000008.\r\n3. Restart the computer.\r\nAnalyze the results of event 3065 and event 3066.\r\nEvent 3065: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to\r\nload a particular driver that did not meet the security requirements for Shared Sections. However, due to the system\r\npolicy that is set, the image was allowed to load.\r\nEvent 3066: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to\r\nload a particular driver that did not meet the Microsoft signing level requirements. 
However, due to the system policy\r\nthat is set, the image was allowed to load.\r\nExpected Level of Effort:\r\nLow to Medium\r\nExpected Impact:\r\nThis may break things in the enterprise, please test first.\r\nEvent IDs that Matter – Log These\r\nEventID | Description | Impact\r\n1102/517 | Event log cleared | Attackers may clear Windows event logs.\r\n4610/4611/4614/4622 | Local Security Authority modification | Attackers may modify LSA for escalation/persistence.\r\n4648 | Explicit credential logon | Typically when a logged on user provides different credentials to access a resource. Requires filtering of “normal”.\r\n4661 | A handle to an object was requested | SAM/DSA Access. Requires filtering of “normal”.\r\n4672 | Special privileges assigned to new logon | Monitor when someone with admin rights logs on. Is this an account that should have admin rights or a normal user?\r\n4723 | Account password change attempted | If it’s not an approved/known pw change, you should know.\r\n4964 | Custom Special Group logon tracking | Track admin \u0026 “users of interest” logons.\r\n7045/4697 | New service was installed | Attackers often install a new service for persistence.\r\n4698 \u0026 4702 | Scheduled task creation/modification | Attackers often create/modify scheduled tasks for persistence. Pull all events in Microsoft-Windows-TaskScheduler/Operational.\r\n4719/612 | System audit policy was changed | Attackers may modify the system’s audit policy.\r\n4732 | A member was added to a (security-enabled) local group | Attackers may create a new local account \u0026 add it to the local Administrators group.\r\n4720 | A (local) user account was created | Attackers may create a new local account for persistence.\r\nOn newer versions of Windows, add:\r\nEventID | Description | Impact\r\n3065/3066 | LSASS Auditing – checks for code integrity | Monitors LSA drivers \u0026 plugins. Test extensively before deploying!\r\n3033/3063 | LSA Protection – drivers that failed to load | Monitors LSA drivers \u0026 plugins \u0026 blocks ones that aren’t properly signed.\r\n4798 | A user’s local group membership was enumerated | Potentially recon activity of local group membership. Filter out normal activity.\r\nLSA Protection \u0026 Auditing (Windows 8.1/2012R2 and newer):\r\nhttps://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx\r\n4798: A user’s local group membership was enumerated (Windows 10/2016):\r\nhttps://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4798\r\nA Note About Logon Types (4624)\r\nLogon Type # | Name | Description | Creds on Disk | Creds in Memory\r\n0 | System | Typically rare, but could alert to malicious activity | Yes | Yes\r\n2 | Interactive | Console logon (local keyboard) which includes server KVM or virtual client logon. Also standard RunAs. | No | Yes\r\n3 | Network | Accessing file shares, printers, IIS (integrated auth, etc), PowerShell remoting | No | No\r\n4 | Batch | Scheduled tasks | Yes | Yes\r\n5 | Service | Services | Yes | Yes\r\n7 | Unlock | Unlock the system | No | Yes\r\n8 | Network Clear Text | Network logon with password in clear text (IIS basic auth). If over SSL/TLS, this is probably fine. | Maybe | Yes\r\n9 | New Credentials | RunAs /NetOnly which starts a program with different credentials than the logged on user | No | Yes\r\n10 | Remote Interactive | RDP: Terminal Services, Remote Assistance, Remote Desktop | Maybe | Yes*\r\n11 | Cached Interactive | Logon with cached credentials (no DC online) | Yes | Yes\r\nAuditing Subcategories to Events\r\nAuditing Subcategory: Audit Audit Policy Change\r\n4719: System audit policy was changed.\r\n4908: Special Groups Logon table modified.\r\nAuditing Subcategory: Audit Authentication Policy Change\r\n4706: A new trust was created to a domain.\r\n4707: A trust to a domain was removed.\r\n4713: Kerberos policy was changed.\r\n4716: Trusted domain information was modified.\r\n4717: System security access was granted to an account.\r\n4718: System security access was removed from an account.\r\n4739: Domain Policy was changed.\r\n4865: A trusted forest information entry was added.\r\n4866: A trusted forest information entry was removed.\r\n4867: A trusted forest information entry was modified.\r\nAuditing Subcategory: Audit Computer Account Management\r\n4741: A computer account was created.\r\n4742: A computer account was changed.\r\n4743: A computer account was deleted.\r\nAuditing Subcategory: Audit DPAPI Activity\r\n4692: Backup of data protection master key was attempted.\r\n4693: Recovery of data protection master key was attempted.\r\n4695: Unprotection of auditable protected data was attempted.\r\nAuditing Subcategory: Audit Kerberos Authentication Service\r\n4768: A Kerberos authentication ticket (TGT) was requested.\r\n4771: Kerberos pre-authentication failed.\r\n4772: Kerberos authentication ticket request failed.\r\nAuditing Subcategory: Audit Kerberos Service Ticket Operation\r\n4769: A Kerberos service ticket (TGS) was requested.\r\n4770: A Kerberos service ticket was renewed.\r\nAuditing Subcategory: Audit Logoff\r\n4634: An account was logged off.\r\nAuditing Subcategory: Audit Logon\r\n4624: An account was successfully logged on.\r\n4625: An account failed to log on.\r\n4648: A logon was attempted using explicit credentials.\r\nAuditing Subcategory: Audit Other Account Logon Events\r\n4648: A logon was attempted using explicit credentials.\r\n4649: A replay attack was detected.\r\n4800: The workstation was locked.\r\n4801: The workstation was unlocked.\r\n5378: The requested credentials delegation was disallowed by policy.\r\nAuditing Subcategory: Audit Other Object Access Events\r\n4698: A scheduled task was created.\r\n4699: A scheduled task was deleted.\r\n4702: A scheduled task was updated.\r\nAuditing Subcategory: Audit Process Creation\r\n4688: A new process has been created.\r\nAuditing Subcategory: Audit Security Group Management\r\n4728: A member was added to a security-enabled global group.\r\n4729: A member was removed from a security-enabled global group.\r\n4732: A member was added to a security-enabled local group.\r\n4733: A member was removed from a security-enabled local group.\r\n4735: A security-enabled local group was changed.\r\n4737: A security-enabled global group was changed.\r\n4755: A security-enabled universal group was changed.\r\n4756: A member was added to a security-enabled universal group.\r\n4757: A member was removed from a security-enabled universal group.\r\n4764: A group’s type was changed.\r\nAuditing Subcategory: Audit Security System Extension\r\n4610: An authentication package has been loaded by the Local Security Authority.\r\n4611: A trusted logon process has been registered with the Local Security Authority.\r\n4697: A service was installed in the system.\r\nAuditing Subcategory: Audit Sensitive Privilege Use\r\n4672: Special privileges assigned to new logon.\r\n4673: A privileged service was called.\r\n4674: An operation was attempted on a privileged object.\r\nAuditing Subcategory: Audit Special Logon\r\n4964: Special groups have been assigned to a new logon.\r\nAuditing Subcategory: Audit User Account Management\r\n4720: A user account was created.\r\n4722: A user account was enabled.\r\n4723: An attempt was made to change an account’s password.\r\n4724: An attempt was made to reset an account’s password.\r\n4725: A user account was disabled.\r\n4726: A user account was deleted.\r\n4738: A user account was changed.\r\n4740: A user account was locked out.\r\n4765: SID History was added to an account.\r\n4766: An attempt to add SID History to an account failed.\r\n4767: A user account was unlocked.\r\n4780: The ACL was set on accounts which are members of administrators groups.\r\n4794: An attempt was made to set the Directory Services Restore Mode.\r\nDisable Windows Legacy \u0026 Typically Unused Features:\r\nDisable Net Session Enumeration (NetCease)\r\nBy default, Windows computers allow any authenticated user to enumerate network sessions to it. This means an attacker\r\ncould enumerate network sessions to a file share hosting home directories or a Domain Controller to see who’s connected to\r\nSYSVOL (to apply Group Policy) and determine which workstations each user and admin account is logged into.\r\nBloodhound uses this capability extensively to map out credentials in the network.\r\nDisabling Net Session Enumeration removes the capability for any user to enumerate net session info (Recon).\r\nThese settings can also be deployed via Group Policy:\r\nRun the NetCease PowerShell script on a reference workstation.\r\nOpen the Group Policy Management Console. 
Right-click the Group Policy object (GPO) that should contain the\r\nnew preference item, and then click Edit .\r\nIn the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows\r\nSettings folder.\r\nRight-click the Registry node, point to New , and select Registry Wizard .\r\nSelect the reference workstation on which the desired registry settings exist, then click Next .\r\nBrowse to HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\DefaultSecurity\\\r\nand select the check box for “SrvsvcSessionInfo” from which you want to create a Registry preference item. Select\r\nthe check box for a key only if you want to create a Registry item for the key rather than for a value within the key.\r\nClick Finish . The settings that you selected appear as preference items in the Registry Wizard Values collection.\r\nExpected Level of Effort:\r\nLow – Medium\r\nExpected Impact:\r\nThis is not likely to break things in the enterprise, but please test first.\r\nDisable WPAD\r\nWeb Proxy Auto-Discovery Protocol (WPAD) is “a method used by clients to locate the URL of a configuration file using\r\nDHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be\r\nexecuted to determine the proxy for a specified URL.”\r\nDisabling WPAD removes a method Responder uses for passive credential theft. 
Only disable if not used in environment.\r\nDisable WPAD via Group Policy by deploying the following:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\r\nNew DWORD (32-Bit Value) called “WpadOverride” and set to “1”\r\nDisable the service “WinHTTP Web Proxy Auto-Discovery Service”\r\nComputer Configuration/Policies/Windows Settings/Security Settings/System Services\r\nNote:\r\nPartial mitigation of WPAD issues is possible by installing the Microsoft patch KB3165191 (MS16-077).\r\nThis patch hardens the WPAD process and how the system responds to NetBIOS requests.\r\nExpected Level of Effort:\r\nLow-High\r\nExpected Impact:\r\nThis is not likely to break things in the enterprise, but please test first.\r\nDisable LLMNR\r\nLink-Local Multicast Name Resolution (LLMNR):\r\nIn a nutshell, Link-Local Multicast Name Resolution (LLMNR) resolves single label names (like: COMPUTER1), on the\r\nlocal subnet, when DNS devolution is unable to resolve the name. This is helpful if you are in an Ad-Hoc network scenario,\r\nor in a scenario where DNS entries do not include hosts on the local subnet.\r\nLLMNR should be disabled if not used since\r\ndisabling it removes a method Responder uses for passive credential theft.\r\nGroup Policy: Computer Configuration/Administrative Templates/Network/DNS Client\r\nSet “Turn Off Multicast Name Resolution” to “Enabled”\r\nExpected Level of Effort:\r\nLow\r\nExpected Impact:\r\nThis is not likely to break things in the enterprise, but please test first.\r\nDisable Windows Browser Protocol (Browser Service)\r\nThe Browser service (Browser protocol) was used by Windows NT to discover and share information on resources on the\r\nlocal network. This process works by broadcasting on the network and gathering results of this broadcast. 
A network\r\nbroadcast is a little like yelling in a room full of people to find a friend every 30 seconds (once you find your friend you note\r\ntheir location, but may forget a little while later and have to re-discover their current location). In order to make this process\r\nsomewhat less inefficient, a “Master Browser” is elected on each subnet which tracks resources and responds to these\r\nresource broadcast requests. In a Windows domain, the PDC acts as the Domain Master Browser to which these subnet\r\nMaster Browsers forward resource information. Resource discovery using Windows Browser broadcasts was ultimately\r\nreplaced by Windows Internet Name Service (WINS) and then Active Directory (with DNS). While the necessity of the\r\nBrowser service has been reduced to almost nil, the Computer Browser service in Windows has continued up through\r\nWindows 10 and Windows Server 2012 R2 (though the service was removed in Windows 10 v1607 \u0026 Windows Server\r\n2016).\r\nThe Windows Browser protocol is another method used by Responder to passively steal credentials.\r\nThe Windows Computer Browser service is set to manually start up, though usually starts at Windows start.\r\nThe simple method to disable the Windows browser protocol is to disable the Computer Browser service.\r\nIn Windows 10 v1607 (aka “Anniversary Update”) and Windows Server 2016, the Computer Browser service was removed\r\nand is no longer available.\r\nDisable the Computer Browser via Group Policy:\r\nOpen the Group Policy Management Console. 
Right-click the Group Policy object (GPO) that requires modification,\r\nand then click Edit.\r\nIn the console tree under Computer Configuration, expand the Policies folder, expand Windows Settings, expand\r\nSecurity Settings, and then expand the System Services folder.\r\nScroll down to the “Computer Browser” service, right-click on the service name, and select Properties.\r\nCheck the box to “Define this policy setting”, select Disabled as the service startup mode, and click OK.\r\nNote: Group Policy Preferences can also be used to manage services.\r\nExpected Level of Effort:\r\nLow\r\nExpected Impact:\r\nThis is not likely to break things in the enterprise, but please test first.\r\nDisable NetBIOS\r\nNetBIOS is one of the earliest protocols used by Windows.\r\nNetBIOS over TCP/IP is specified by RFC 1001 and RFC 1002. The Netbt.sys driver is a kernel-mode\r\ncomponent that supports the TDI interface. Services such as workstation and server use the TDI interface directly,\r\nwhile traditional NetBIOS applications have their calls mapped to TDI calls through the Netbios.sys driver. Using\r\nTDI to make calls to NetBT is a more difficult programming task, but can provide higher performance and\r\nfreedom from historical NetBIOS limitations.\r\nNetBIOS defines a software interface and a naming convention, not a protocol. NetBIOS over TCP/IP provides\r\nthe NetBIOS programming interface over the TCP/IP protocol, extending the reach of NetBIOS client and server\r\nprograms to the IP internetworks and providing interoperability with various other operating systems.\r\nThe Windows 2000 workstation service, server service, browser, messenger, and NetLogon services are all NetBT\r\nclients and use TDI to communicate with NetBT. Windows 2000 also includes a NetBIOS emulator. 
The emulator\r\ntakes standard NetBIOS requests from NetBIOS applications and translates them to equivalent TDI functions.\r\nWindows 2000 uses NetBIOS over TCP/IP to communicate with prior versions of Windows NT and other clients,\r\nsuch as Windows 95. However, the Windows 2000 redirector and server components now support direct hosting\r\nfor communicating with other computers running Windows 2000. With direct hosting, NetBIOS is not used for\r\nname resolution. DNS is used for name resolution and the Microsoft networking communication is sent directly\r\nover TCP without a NetBIOS header. Direct hosting over TCP/IP uses TCP port 445 instead of the NetBIOS\r\nsession TCP port 139.\r\nMost versions of Windows in use can leverage direct hosting of SMB over TCP/IP, meaning the use of NetBIOS on a\r\nnetwork today is only to support legacy systems.\r\nIn 2005, Daniel Miessler wrote:\r\nIn fact, one can completely disable NetBIOS over TCP/IP on a Windows 2000/XP machine since these new\r\noperating systems (via TCP/445) have SMB riding directly on top of TCP rather than on NetBIOS. Microsoft calls\r\nthis the “direct hosting” of SMB.\r\nDisabling NetBIOS requires some work to determine how and where it’s being used on the network. 
Disabling it removes a method Responder uses for passive credential theft.\r\nNote that NetBIOS may be required for legacy systems (older versions of Windows, non-Windows systems, etc.).\r\nDisable NetBIOS via (Microsoft) DHCP:\r\nOpen Microsoft DHCP.\r\nIn the navigation pane, expand SERVERNAME, expand Scope, right-click Scope Options, and then click Configure Options.\r\nClick the Advanced tab, and then click Microsoft Windows 2000 Options in the Vendor class list.\r\nMake sure that Default User Class is selected in the User class list.\r\nClick to select the 001 Microsoft Disable Netbios Option check box under the Available Options column.\r\nIn the Data entry area, type 0x2 in the Long box, and then click OK.\r\nReference: Disabling NetBIOS\r\nOn Linux/Unix based DHCP servers, setting option 43 configures DHCP to disable NetBIOS:\r\noption 43 hex 0104.0000.0002\r\nDisable NetBIOS on the Computer:\r\nGo to the properties of each network adapter on the computer: TCP/IPv4 Properties, Advanced, WINS, Disable NetBIOS over TCP/IP.\r\nExpected Level of Effort:\r\nMedium-High\r\nExpected Impact:\r\nThis is very likely to break things in the enterprise, so please test extensively first.\r\nDisable Windows Script Host (WSH) File Extensions (and others that execute code)\r\nA common method for attackers is to embed or attach a WSH-associated file in an email or attached document so that a user opens it and the script runs. Disable the WSH extensions not used in the environment by associating them with notepad.exe (this forces the files to be opened in Notepad instead of with WSH). If the organization uses batch files or VBScript, those should be evaluated for disabling prior to changing the file extension.
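That evaluation step can be scripted. The following is an added example (not from the original post) that reports the current handler for each extension listed in this section and whether Windows Script Host is already disabled; it assumes Windows 7 or newer.

```powershell
# Added example (not from the original post): report which program currently handles each script
# extension listed in this section and whether Windows Script Host itself is disabled, so that
# extensions still in legitimate use are identified before they are remapped to Notepad.
# Assumes Windows 7 or later; it only reads the registry, so no administrator rights are needed.

# Extension -> script family, as listed in the text that follows
$ScriptExtensions = [ordered]@{
    '.js'  = 'JScript';              '.jse' = 'JScript'
    '.wsf' = 'Windows Script File';  '.wsh' = 'Windows Script Host'
    '.vbs' = 'VBScript';             '.vbe' = 'VBScript'
    '.hta' = 'HTML Application'
    '.bat' = 'CMD batch';            '.cmd' = 'CMD batch'
}

function Get-DefaultValue([string]$Path) {
    # Registry "(default)" value of a key, or $null if the key or value is missing
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { $null }
}

function Get-ScriptExtensionHandler {
    # Resolves ext -> ProgID -> shell\open\command the way Explorer does for machine-wide
    # associations (a per-user "Open With" choice under HKCU would override these).
    foreach ($ext in $ScriptExtensions.Keys) {
        $progId  = Get-DefaultValue "HKLM:\SOFTWARE\Classes\$ext"
        $command = if ($progId) { Get-DefaultValue "HKLM:\SOFTWARE\Classes\$progId\shell\open\command" } else { $null }
        $opensWith = if ($command -match 'wscript|cscript|mshta') { 'script engine' }
                     elseif ($progId -in 'batfile', 'cmdfile') { 'cmd.exe (runs directly)' }
                     elseif ($command -match 'notepad') { 'Notepad (neutralised)' }
                     else { 'other/none' }
        [pscustomobject]@{
            Extension = $ext
            Family    = $ScriptExtensions[$ext]
            ProgId    = $progId
            OpensWith = $opensWith
            Command   = $command
        }
    }
}

function Get-WshEnabledState {
    # "Enabled" = 0 under these keys turns off wscript.exe/cscript.exe (the registry setting
    # described later in this section); a missing value means WSH is enabled.
    foreach ($hive in 'HKLM', 'HKCU') {
        $v = (Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings" -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{ Hive = $hive; WshEnabled = ($null -eq $v -or [int]$v -ne 0); RawValue = $v }
    }
}

Get-ScriptExtensionHandler | Format-Table Extension, Family, ProgId, OpensWith -AutoSize
Get-WshEnabledState | Format-Table -AutoSize
```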
Note that PowerShell files (.ps1, etc.) already open by default in Notepad.\r\nWSH extensions:\r\nJScript: .js, .jse [disabling not likely to cause issues, please test first].\r\nWindows Scripting files: .wsf, .wsh [disabling not likely to cause issues, please test first].\r\nVBScript: .vbs, .vbe [disabling may cause issues if still using VBScript, please test first].\r\nHTML for Applications: .hta [disabling not likely to cause issues, please test first].\r\nCMD Batch: .bat, .cmd (be careful with .cmd) [disabling may cause issues if using batch files, please test first].\r\nVisual Basic for Applications: Most VBA code is run in another file type; however, .mod opens as a video file [disabling not likely to cause issues, please test first].\r\nDisabling JScript \u0026 WScript should have minimal impact, though test before disabling VBScript.\r\nThe following registry key disables Windows Script Host, though doing so doesn’t disable it in SCT or ActiveScriptEventConsumer.\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings\r\nAdd a new DWORD value “Enabled” and set it to “0”.\r\nTo disable it for specific users, the following may be performed:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings value “Enabled” set to “0”\r\nGroup Policy:\r\nFile extensions that open in scripting engines can be modified to open in Notepad via GPO:\r\nOpen the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.\r\nGo to User Configuration \u003e Preferences \u003e Control Panel Settings.\r\nRight-click Folder Options, click New, then Open With.\r\nIn “File Extension”, enter the extension and then provide the path to the program which will open this file extension. You can also opt to “Set as default”.
Click OK.\r\nRepeat for each file type.\r\nDisable Windows Script Host in the registry via GPO:\r\nConfigure the registry setting on a reference workstation:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings\\Enabled = “0”\r\nOpen the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.\r\nIn the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.\r\nRight-click the Registry node, point to New, and select Registry Wizard.\r\nSelect the reference workstation on which the desired registry settings exist, then click Next.\r\nBrowse to HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings\\ and select the check box for “Enabled”, the value from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.\r\nClick Finish. The settings that you selected appear as preference items in the Registry Wizard Values collection.\r\nExpected Level of Effort:\r\nLow to Medium-High\r\nExpected Impact:\r\nThis may break things in the enterprise, please test first.\r\nDeploy security back-port patch (KB2871997)\r\nEnsure all Windows systems prior to Windows 8.1 \u0026 Windows Server 2012 R2 have the KB2871997 patch installed.
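An added example (not the post's own code) that checks one host for the patch and for the protections it brings, including the S-1-5-113 and S-1-5-114 SIDs and the deny rights described in the next section; it assumes local administrator rights for the secedit export.

```powershell
# Added example (not from the original post): verify on a host that the KB2871997 back-port is
# present where it is needed, that the S-1-5-113 / S-1-5-114 well-known SIDs resolve, and that
# the "Deny access to this computer from the network" / "Deny log on through Remote Desktop
# Services" rights described in the next section actually contain S-1-5-114.
# Assumes local administrator rights (the secedit export needs them).

function Test-Kb2871997Baseline {
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = [version]$os.Version
    # Windows 8.1 / Server 2012 R2 report 6.3; anything older needs the back-port patch.
    $needsPatch = $ver -lt [version]'6.3'
    $patch = if ($needsPatch) { Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue } else { $null }

    # The two SIDs only translate to a name once the OS (or KB2871997) knows about them.
    $sidNames = foreach ($sid in 'S-1-5-113', 'S-1-5-114') {
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            "<unresolved: $sid>"
        }
    }

    # secedit exports user rights as lines such as:
    #   SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-32-546
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    $null = secedit /export /cfg $cfg /areas USER_RIGHTS
    $rights = @{}
    foreach ($line in (Get-Content $cfg -ErrorAction SilentlyContinue)) {
        if ($line -match '^(SeDeny\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @(($Matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OSVersion               = $os.Version
        Kb2871997Required       = $needsPatch
        Kb2871997Installed      = [bool]$patch
        LocalAccountSidResolved = $sidNames[0]
        LocalAdminSidResolved   = $sidNames[1]
        DenyNetworkLogon_114    = ($rights['SeDenyNetworkLogonRight'] -contains 'S-1-5-114')
        DenyRdpLogon_114        = ($rights['SeDenyRemoteInteractiveLogonRight'] -contains 'S-1-5-114')
    }
}

Test-Kb2871997Baseline | Format-List
```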
This patch updates earlier supported versions of Windows with security enhancements baked into Windows 8.1 \u0026 Windows Server 2012 R2.\r\nAdditional protections in KB2871997\r\nExpected Level of Effort:\r\nLow\r\nExpected Impact:\r\nThis is not likely to break things in the enterprise, but please test first.\r\nPrevent local “administrator” accounts from authenticating over the network\r\nWhile the local Administrator (RID 500) account on two different computers has a different SID, if they have the same account name and password, the local Administrator account from one can authenticate as Administrator on the other. The same is true of any local account that is duplicated on multiple computers.\r\nThis presents a security issue if multiple (or all) workstations in an organization have the same account name and password, since compromise of one workstation results in compromise of all.\r\nWindows 8.1 \u0026 Windows Server 2012 R2 and newer introduced two new local SIDs:\r\nS-1-5-113: NT AUTHORITY\\Local account\r\nS-1-5-114: NT AUTHORITY\\Local account and member of Administrators group\r\nThese SIDs are also added to earlier supported versions of Windows by installing the KB2871997 patch.\r\nLocal account network access behavior can be changed via Group Policy:\r\nComputer Configuration\\Windows Settings\\Local Policies\\User Rights Assignment\r\nDeny access to this computer from the network: Local account and member of Administrators group\r\nDeny log on through Remote Desktop Services: Local account and member of Administrators group\r\nNote that using “Local account” instead provides the same level of protection and additionally blocks all local users from authenticating in this manner.\r\nExpected Level of Effort:\r\nLow to Medium\r\nExpected Impact:\r\nThis is not likely to break things in the enterprise, but please test first.\r\nEnsure WDigest is disabled\r\nWDigest provides support for
Digest authentication, which is:\r\n“An industry standard that is used in Windows Server 2003 for Lightweight Directory Access Protocol (LDAP) and Web authentication. Digest Authentication transmits credentials across the network as an MD5 hash or message digest.”\r\nPrior to Windows 8.1 and Windows Server 2012 R2, WDigest was enabled, which placed the user’s “clear text” password in LSASS memory space in order to support basic authentication scenarios. Windows 8.1 and Windows Server 2012 R2 and newer have WDigest disabled by default by adding and setting the following registry key:\r\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest\\UseLogonCredential = “0”\r\nEarlier supported Windows versions with KB2871997 installed add this registry key, though WDigest remains enabled and needs to be disabled by changing UseLogonCredential from “1” (Enabled) to “0” (Disabled).\r\nKeeping WDigest enabled means that tools like Mimikatz can extract the user’s “clear-text” password.\r\nIdentify who is authenticating via WDigest:\r\nServer Event ID 4624\r\nSecurity ID: ADSECURITY\\JoeUser\r\nSource Network Address: 10.10.10.221 [Workstation IP Address]\r\nAuthentication Package: WDigest\r\nDomain Controller Event ID 4776\r\nAuthentication Package: WDigest\r\nLogon Account: JoeUser\r\nSource Workstation: ADS-IIS01 [Server that accepted WDigest Auth]\r\nIn order to get WDigest authentication logged on DCs, enable the appropriate auditing:\r\nComputer Configuration\u003eWindows Settings\u003eSecurity Settings\u003eAdvanced Audit Policy Configuration\u003eAudit Policies\u003eAccount Logon\u003eAudit Credential Validation\u003eSuccess\r\nDisable WDigest via Group Policy:\r\nConfigure the registry setting on a reference workstation:\r\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest\\UseLogonCredential = “0”\r\nOpen the Group Policy Management Console.
Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.\r\nIn the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.\r\nRight-click the Registry node, point to New, and select Registry Wizard.\r\nSelect the reference workstation on which the desired registry settings exist, then click Next.\r\nBrowse to HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest\\ and select the check box for “UseLogonCredential”, the value from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.\r\nClick Finish. The settings that you selected appear as preference items in the Registry Wizard Values collection.\r\nExpected Level of Effort:\r\nLow\r\nExpected Impact:\r\nThis is not likely to break things in the enterprise, but please test first.\r\nRemove SMB v1 from Windows 8.1 \u0026 Windows Server 2012 R2\r\nServer Message Block (SMB)\r\nSMB “operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows, where it was known as “Microsoft Windows Network” before the subsequent introduction of Active Directory.”\r\nSMB version 1 was the default for Windows XP \u0026 Windows Server 2003 and has several security issues.\r\nNed Pyle outlines several reasons to stop using SMBv1:\r\nSMB1 isn’t safe\r\nWhen you use SMB1, you lose key protections offered by later SMB protocol versions:\r\nPre-authentication Integrity (SMB 3.1.1+). Protects against security downgrade attacks.\r\nSecure Dialect Negotiation (SMB 3.0, 3.02).
Protects against security downgrade attacks.\r\nEncryption (SMB 3.0+). Prevents inspection of data on the wire, MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing!\r\nInsecure guest auth blocking (SMB 3.0+ on Windows 10+). Protects against MiTM attacks.\r\nBetter message signing (SMB 2.02+). HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.\r\nSMB1 isn’t modern or efficient\r\nWhen you use SMB1, you lose key performance and productivity optimizations for end users.\r\nLarger reads and writes (2.02+) – more efficient use of faster networks or higher latency WANs. Large MTU support.\r\nPeer caching of folder and file properties (2.02+) – clients keep local copies of folders and files via BranchCache\r\nDurable handles (2.02, 2.1) – allow for connection to transparently reconnect to the server if there is a temporary disconnection\r\nClient oplock leasing model (2.02+) – limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability\r\nMultichannel \u0026 SMB Direct (3.0+) – aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server, plus usage of modern ultra-high throughput RDMA infrastructure\r\nDirectory Leasing (3.0+) – Improves application response times in branch offices through caching\r\nSMB1 isn’t usually necessary\r\nThis is the real killer: there are very few cases left in any modern enterprise where SMB1 is the only option. Some legit reasons:\r\n1. You’re still running XP or WS2003 under a custom support agreement.\r\n2. You have some decrepit management software that demands admins browse via the ‘network neighborhood’ master browser list.\r\n3.
You run old multi-function printers with antique firmware in order to “scan to share”.\r\nNone of these things should affect the average end user or business. Unless you let them.\r\nWindows SMB Support by Windows OS Version:\r\nThere are several different versions of SMB used by Windows operating systems:\r\nCIFS – The ancient version of SMB that was part of Microsoft Windows NT 4.0 in 1996. SMB1 supersedes this version.\r\nSMB 1.0 (or SMB1) – The version used in Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2\r\nSMB 2.0 (or SMB2) – The version used in Windows Vista (SP1 or later) and Windows Server 2008\r\nSMB 2.1 (or SMB2.1) – The version used in Windows 7 and Windows Server 2008 R2\r\nSMB 3.0 (or SMB3) – The version used in Windows 8 and Windows Server 2012\r\nSMB 3.02 (or SMB3) – The version used in Windows 8.1 and Windows Server 2012 R2\r\nSMB Negotiated Versions:\r\nHere’s a table to help you understand what version you will end up using, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server:\r\nOS | Windows 8.1, WS 2012 R2 | Windows 8, WS 2012 | Windows 7, WS 2008 R2 | Windows Vista, WS 2008 | Previous versions\r\nWindows 8.1, WS 2012 R2 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0\r\nWindows 8, WS 2012 | SMB 3.0 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0\r\nWindows 7, WS 2008 R2 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.0 | SMB 1.0\r\nWindows Vista, WS 2008 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 1.0\r\nPrevious versions | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0\r\n* WS = Windows Server\r\nSMB Features and Capabilities:\r\nHere’s a very short summary of what changed with each version of SMB:\r\nFrom SMB 1.0 to SMB 2.0 – The first major redesign of SMB\r\nIncreased file sharing scalability\r\nImproved performance\r\nRequest compounding\r\nAsynchronous operations\r\nLarger reads/writes\r\nMore secure and
robust\r\nSmall command set\r\nSigning now uses HMAC SHA-256 instead of MD5\r\nSMB2 durability\r\nFrom SMB 2.0 to SMB 2.1\r\nFile leasing improvements\r\nLarge MTU support\r\nBranchCache\r\nFrom SMB 2.1 to SMB 3.0\r\nAvailability\r\nSMB Transparent Failover\r\nSMB Witness\r\nSMB Multichannel\r\nPerformance\r\nSMB Scale-Out\r\nSMB Direct (SMB 3.0 over RDMA)\r\nSMB Multichannel\r\nDirectory Leasing\r\nBranchCache V2\r\nBackup\r\nVSS for Remote File Shares\r\nSecurity\r\nSMB Encryption using AES-CCM (Optional)\r\nSigning now uses AES-CMAC\r\nManagement\r\nSMB PowerShell\r\nImproved Performance Counters\r\nImproved Eventing\r\nFrom SMB 3.0 to SMB 3.02\r\nAutomatic rebalancing of Scale-Out File Server clients\r\nImproved performance of SMB Direct (SMB over RDMA)\r\nSupport for multiple SMB instances on a Scale-Out File Server\r\nYou can get additional details on the SMB 2.0 improvements listed above at http://blogs.technet.com/b/josebda/archive/2008/12/09/smb2-a-complete-redesign-of-the-main-remote-file-protocol-for-windows.aspx\r\nYou can get additional details on the SMB 3.0 improvements listed above at http://blogs.technet.com/b/josebda/archive/2012/05/03/updated-links-on-windows-server-2012-file-server-and-smb-3-0.aspx\r\nYou can get additional details on the SMB 3.02 improvements in Windows Server 2012 R2 at http://technet.microsoft.com/en-us/library/hh831474.aspx\r\nThird-party implementations:\r\nThere are several implementations of the SMB protocol from someone other than Microsoft. If you use one of those implementations of SMB, you should ask whoever is providing the implementation which version of SMB they implement for each version of their product.
Here are a few of these implementations of SMB:\r\nApple – Up to SMB2 implemented in OS X 10 Mavericks – http://images.apple.com/osx/preview/docs/OSX_Mavericks_Core_Technology_Overview.pdf\r\nEMC – Up to SMB3 implemented in VNX – http://www.emc.com/collateral/white-papers/h11427-vnx-introduction-smb-30-support-wp.pdf\r\nLinux (Client) – SMB 2.1 and SMB 3.0 (even minimum SMB 3.02 support) implemented in the Linux kernel 3.11 or higher – http://www.snia.org/sites/default/files2/SDC2013/presentations/Revisions/StevenFrench_SMB3_Meets_Linux_ver3_revisio\r\nNetApp – Up to SMB3 implemented in Data ONTAP 8.2 – https://communities.netapp.com/community/netapp-blogs/cloud/blog/2013/06/11/clustered-ontap-82-with-windows-server-2012-r2-and-system-center-2012-r2-innovation-in-storage-and-the-cloud\r\nSamba (Server) – Up to SMB3 implemented in Samba 4.1 – http://www.samba.org/samba/history/samba-4.1.0.html\r\nPlease note that this is not a complete list of implementations and the list is bound to become obsolete the minute I post it.
Please refer to the specific implementers for up-to-date information on their specific implementations and which version and optional portions of the protocol they offer.\r\nManaging SMB with PowerShell (Windows 8.1 \u0026 Windows Server 2012 R2 and up):\r\nThis PowerShell command enables auditing of SMBv1 usage:\r\nSet-SmbServerConfiguration -AuditSmb1Access $true\r\nThis PowerShell command disables SMB v1:\r\nSet-SmbServerConfiguration -EnableSMB1Protocol $false\r\nExpected Level of Effort:\r\nMedium\r\nExpected Impact:\r\nThis may break things in the enterprise, please test first.\r\nWindows 10 \u0026 Windows Server 2016 Specific\r\nWindows 10/2016 Build Updates\r\nWhen configuring your baseline image for Windows 10, remove the following features:\r\nPowerShell 2.0 Engine\r\nSMB 1 (breaks access to old file shares, like Windows 2003)\r\nNote: In the screenshot above, .NET Framework 3.5 is enabled. This is a Microsoft SCM 4.0 requirement and is why it’s enabled on the system. Do not add .NET 3.5 (which includes .NET 2.0 \u0026 3.0) to the Windows 10 base image.\r\nExpected Level of Effort:\r\nLow\r\nExpected Impact:\r\nThis is not likely to break things in the enterprise, but please test first.\r\nBlock Untrusted Fonts\r\nTo help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory.
Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.\r\nEnable the Blocking Untrusted Fonts feature:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\\r\nIf the MitigationOptions key isn’t there, right-click and add a new QWORD (64-bit) Value, renaming it to MitigationOptions.\r\nMitigationOptions values:\r\nTo turn this feature on, type 1000000000000.\r\nTo turn this feature off, type 2000000000000.\r\nTo audit with this feature, type 3000000000000.\r\nIt’s highly recommended to enable this feature in Audit mode for a week or two and check for related events. After that, flip the switch to turn it on.\r\nReview Audit Events:\r\n1. Open Event Viewer and go to Application and Service Logs/Microsoft/Windows/Win32k/Operational.\r\n2. Review Event ID 260 events.\r\nEvent Example 1 – MS Word\r\nWINWORD.EXE attempted loading a font that is restricted by font loading policy.\r\n  FontType: Memory\r\n  FontPath:\r\n  Blocked: true\r\nNote: Because the FontType is Memory, there’s no associated FontPath.\r\nEvent Example 2 – Winlogon\r\nWinlogon.exe attempted loading a font that is restricted by font loading policy.\r\n  FontType: File\r\n  FontPath: \\??\\C:\\PROGRAM FILES (X86)\\COMMON FILES\\MICROSOFT SHARED\\EQUATION\\MTEXTRA.TTF\r\n  Blocked: true\r\nNote: Because the FontType is File, there’s also an associated FontPath.\r\nEvent Example 3 – Internet Explorer running in Audit mode\r\nIexplore.exe attempted loading a font that is restricted by font loading policy.\r\n  FontType: Memory\r\n  FontPath:\r\n  Blocked: false\r\nNote: In Audit mode, the problem is recorded, but the font isn’t blocked.\r\nBlock Untrusted Fonts via Group Policy:\r\nConfigure the registry setting on a reference workstation:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\MitigationOptions (QWORD) = 
1000000000000\r\nOpen the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.\r\nIn the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.\r\nRight-click the Registry node, point to New, and select Registry Wizard.\r\nSelect the reference workstation on which the desired registry settings exist, then click Next.\r\nBrowse to HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\ and select the check box for “MitigationOptions”, the value from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.\r\nClick Finish. The settings that you selected appear as preference items in the Registry Wizard Values collection.\r\nExpected Level of Effort:\r\nLow to Medium\r\nExpected Impact:\r\nThis may break things in the enterprise, please test first (at least deploy in audit mode first).\r\nBlock Authenticated Users from Enumerating Local Groups on Windows 10 Workstations\r\nThanks to the Microsoft ATA folks, we know that Windows 10 Anniversary Update (v1607) restricts remote SAMR calls (by default) to local administrators only.\r\nWhen using PowerView to enumerate local group membership on Windows 10 v1607 as a domain user, we get the following error:\r\nEnable Credential Guard\r\nhttps://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/\r\nConfigure Device Guard\r\nDevice Guard Deployment Guide\r\nMatt Graeber’s Device Guard rules to mitigate bypasses\r\nApplication Settings\r\nDisable Office Macros\r\nThe term Office Macro sounds like a nice helper in an Office document. The reality is that a macro is code that runs on the computer.
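Ahead of the macro options described below, here is an added example (not from the original post) that audits, per installed Office version, the effective macro setting for Word, Excel and PowerPoint, the block-macros-from-the-Internet policy, and the Outlook ShowOLEPackageObj value from the later OLE section; the VBAWarnings and blockcontentexecutionfrominternet registry names are Microsoft's documented policy values and do not appear on this page.

```powershell
# Added example (not from the original post): audit the effective macro policy for Word, Excel and
# PowerPoint across the Office versions named later in this section, plus the "Block macros from
# running in Office files from the Internet" policy and the Outlook OLE Package setting
# (ShowOLEPackageObj) described under "Disable Office OLE".
# Registry names are Microsoft's documented Office policy values (assumption: the GPO settings
# described below land in the HKCU Policies hive). VBAWarnings: 1 = enable all macros,
# 2 = disable with notification (default), 3 = disable except digitally signed,
# 4 = disable all without notification.

$OfficeVersions = [ordered]@{ 'Office 2016' = '16.0'; 'Office 2013' = '15.0'; 'Office 2010' = '14.0'; 'Office 2007' = '12.0' }
$MacroLevel = @{ 1 = 'Enable all macros'; 2 = 'Disable with notification'; 3 = 'Disable except digitally signed'; 4 = 'Disable all without notification' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Named registry value, or $null if the key or value does not exist
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

function Get-OfficeMacroPosture {
    foreach ($name in $OfficeVersions.Keys) {
        $ver = $OfficeVersions[$name]
        # Skip versions this user has never run (no per-user Office key at all)
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver")) { continue }
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $userKey   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            $policy = Get-RegValue $policyKey 'VBAWarnings'
            $user   = Get-RegValue $userKey   'VBAWarnings'
            # A policy value wins over the Trust Center choice; Office's own default is 2
            $effective = if ($null -ne $policy) { [int]$policy } elseif ($null -ne $user) { [int]$user } else { 2 }
            $fromInternet = Get-RegValue $policyKey 'blockcontentexecutionfrominternet'
            [pscustomobject]@{
                Office              = $name
                Application         = $app
                Setting             = $MacroLevel[$effective]
                EnforcedByGpo       = ($null -ne $policy)
                BlockInternetMacros = ($fromInternet -eq 1)
                Weak                = ($effective -lt 3)    # user can still click "Enable Content"
            }
        }
        # Outlook: ShowOLEPackageObj = 0 hides OLE Package objects in messages
        $ole = Get-RegValue "HKCU:\SOFTWARE\Microsoft\Office\$ver\Outlook\Security" 'ShowOLEPackageObj'
        [pscustomobject]@{
            Office              = $name
            Application         = 'Outlook'
            Setting             = if ($ole -eq 0) { 'OLE Package objects hidden' } else { 'OLE Package objects shown' }
            EnforcedByGpo       = $false
            BlockInternetMacros = $false
            Weak                = ($ole -ne 0)
        }
    }
}

Get-OfficeMacroPosture | Format-Table -AutoSize
```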
This code is written in Visual Basic for Applications (VBA) and can be used to help, or used maliciously.\r\nAccording to Microsoft, “In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.”\r\nMacros are disabled by default in current versions of Office (VBA was enabled in Office 2010), but some organizations have users who require macro functionality. This complicates managing macros.\r\nStarting with Office 2007, there are several options to control macros:\r\nDisable all macros without notification\r\nDisable all macros with notification\r\nDisable all macros except digitally signed macros\r\nEnable all macros (not recommended, potentially dangerous code can run)\r\nSome organizations configure Office to block macros with notification, but users are able to enable macros – a fact that phishers take advantage of.\r\nMicrosoft Office 2013 introduced the Telemetry Dashboard, which can be used to determine macro usage, though it’s disabled by default.\r\nEnable it by using Group Policy, registry settings, or by selecting the Enable Logging button in Telemetry Log:\r\nhttps://technet.microsoft.com/en-us/library/jj863580.aspx\r\nhttps://blogs.technet.microsoft.com/office_resource_kit/2012/08/08/using-office-telemetry-dashboard-to-see-how-well-your-office-solutions-perform-in-office-2013/\r\nAssuming you are running Office 2007 and newer, block all macros without notification for all users.\r\nIf you have a subset of users who require macros, you can lower the restriction for those users so they can use digitally signed macros.\r\nOffice 2016 introduced a new setting, which has since been backported to Office 2013 in KB3177451 (get the Office 2016 Group Policy administrative templates to configure it via GPO), which provides the ability to “Block macros from running in Office files from the
Internet.”\r\nThis policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the Trust Center. Also, instead of having the choice to “Enable Content,” users will receive a notification that macros are blocked from running. If the Office file is saved to a trusted location or was previously trusted by the user, macros will be allowed to run. If you disable or don’t configure this policy setting, the settings configured in the Macro Settings section of the Trust Center determine whether macros run in Office files that come from the Internet.\r\nThis option provides another level of granularity for organizations which have users who have to use macros in files within their organization, but have issues with signing those macros.\r\nMicrosoft describes this feature:\r\nThis feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet. This includes scenarios such as the following:\r\nDocuments downloaded from Internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox).\r\nDocuments attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email)\r\nDocuments opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites).\r\nGroup Policy:\r\n1. Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.\r\n2. In the Group Policy Management Editor, go to User configuration.\r\n3.
Click Administrative templates \u003e Microsoft Word 2016 \u003e Word options \u003e Security \u003e Trust Center.\r\n4. Open the Block macros from running in Office files from the Internet setting to configure and enable it.\r\nExpected Level of Effort:\r\nLow to Medium\r\nExpected Impact:\r\nThis may break things in the enterprise, please test first.\r\nDisable Office OLE\r\nYou have disabled all Office macros in your organization, so you’re good, right?\r\nNot exactly. There’s a technology for embedding files from Windows ancient times called OLE Package (packager.dll) which provides attackers the ability to trick users into running code on their system simply by opening the attachment.\r\nIn fact, Will Harmjoy (Harmj0y.net) \u0026 I demonstrated how embedded OLE can bypass most organizations’ perimeter security and execute attacker code even when Office macros are disabled:\r\nDerbyCon 6 (2016) Slides (PDF)\r\nDerbyCon 6 (2016) Presentation Video (YouTube)\r\nAccording to Kevin Beaumont, this affects Outlook 2003 through Outlook 2016.\r\nScreenshot by Kevin Beaumont\r\nKevin provides several mitigations for this issue:\r\nApplication whitelisting. However, be careful for signed executables with parameters being embedded. E.g. there are many Microsoft digitally signed tools you can use to springboard for other content, and because they’re Microsoft you’ve probably already trusted their publisher certificate.\r\nDeploy the registry key ShowOLEPackageObj, for your version(s) of Office, to silently disable OLE Package function in Outlook. There is no way to disable it in wider Office, however, so attackers can still embed inside Word, Excel and PowerPoint.\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Security\\ShowOLEPackageObj = “0” (disabled)\r\nEMET.
If you run Microsoft EMET (or a similar product such as Palo-Alto TRAPS), add this mitigation for Outlook.exe:\r\n\u003cMitigation Name=\"ASR\" Enabled=\"true\"\u003e\r\n\u003casr_modules\u003epackager.dll\u003c/asr_modules\u003e\r\n\u003c/Mitigation\u003e\r\nBy stopping packager.dll, you stop the issue.\r\nGroup Policy:\r\nThe simplest method to deploy the mitigation is to create a Group Policy and link it to the OU(s) containing users:\r\nSet this registry key on a reference workstation:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\###\\Outlook\\Security\\\r\nAdd a new DWORD (32-bit) value: ShowOLEPackageObj = “0” (disabled), where “###” is the current version of Office installed:\r\nOffice Version | Value\r\nOffice 2016 | 16.0\r\nOffice 2013 | 15.0\r\nOffice 2010 | 14.0\r\nOffice 2007 | 12.0\r\nOpen the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.\r\nIn the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.\r\nRight-click the Registry node, point to New, and select Registry Wizard.\r\nSelect the reference workstation on which the desired registry settings exist, then click Next.\r\nBrowse to HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\###\\Outlook\\Security\\ and select the check box for “ShowOLEPackageObj” to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.\r\nClick Finish.
The settings that you selected appear as preference items in the Registry Wizard Values collection.\r\nIf your organization has deployed EMET (which it should), update the EMET configuration file with the following:\r\n\u003cMitigation Name=\"ASR\" Enabled=\"true\"\u003e\r\n\u003casr_modules\u003epackager.dll\u003c/asr_modules\u003e\r\n\u003c/Mitigation\u003e\r\nConfigure this via Group Policy: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/override-mitigation-options-for-app-related-security-policies\r\nExpected Level of Effort:\r\nLow to Medium\r\nExpected Impact:\r\nThis is not likely to break things in the enterprise, but please test first.\r\nWindows Group Policy Settings\r\nConfigure Lanman Authentication to a secure setting\r\nConfigure Lanman authentication to “Send NTLMv2 response only” to enforce authentication security.\r\nFor better security, configure this setting to “Send NTLMv2 response only. Refuse LM \u0026 NTLM”.\r\nGroup Policy configuration:\r\nComputer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options\r\nSetting | Description | Registry security level\r\nSend LM \u0026 NTLM responses | Client computers use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 0\r\nSend LM \u0026 NTLM – use NTLMv2 session security if negotiated | Client computers use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 1\r\nSend NTLM response only | Client computers use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 2\r\nSend NTLMv2 response only | Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 3\r\nSend NTLMv2 response only. Refuse LM | Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication. | 4\r\nSend NTLMv2 response only. Refuse LM \u0026 NTLM | Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication. | 5\r\nIn Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the default is Send NTLMv2 response only. Check to see if you are overriding this with another GPO.\r\nExpected Impact:\r\nThis could very well break things in the enterprise, please test first.\r\nConfigure restrictions for unauthenticated RPC clients\r\nThis policy setting configures the RPC Runtime on an RPC server to restrict unauthenticated RPC clients from connecting to the RPC server. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC interfaces that have specifically asked to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy.\r\nIf you enable this policy setting, the following values are available:\r\n• None. Allows all RPC clients to connect to RPC servers that run on the computer on which the policy is applied.\r\n• Authenticated. Allows only authenticated RPC clients to connect to RPC servers that run on the computer on which the policy is applied.
Interfaces that have asked to be exempt from this restriction will be granted an exemption.\r\n• Authenticated without exceptions. Allows only authenticated RPC clients to connect to RPC servers that run on the computer on which the policy is applied. No exceptions are allowed.\r\nGroup Policy:\r\nComputer Configuration\\Administrative Templates\\System\\Remote Procedure Call: set the restriction policy to “Enabled”\r\nRPC Runtime Unauthenticated Client Restriction to Apply: Authenticated\r\nExpected Impact:\r\nThis is not likely to break things in the enterprise, but please test first.\r\nConfigure NTLM session security\r\nYou can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks.\r\nThis policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead requires certain behaviors in applications that use the SSPI.\r\nThe possible values for the “Network security: Minimum session security for NTLM SSP based (including secure RPC) clients” setting are:\r\n– Require message confidentiality. This option is only available in Windows XP and Windows Server 2003; the connection will fail if encryption is not negotiated. Encryption converts data into a form that is not readable until decrypted.\r\n– Require message integrity. This option is only available in Windows XP and Windows Server 2003; the connection will fail if message integrity is not negotiated. The integrity of a message can be assessed through message signing. 
Message signing proves that the message has not been tampered with; it attaches a cryptographic signature that identifies the sender and is a numeric representation of the contents of the message.\r\n– Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.\r\n– Require NTLMv2 session security. The connection will fail if the NTLMv2 protocol is not negotiated.\r\n– Not Defined.\r\nGroup Policy:\r\nComputer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options\r\nNetwork security: Minimum session security for NTLM SSP based (including secure RPC) clients\r\nExpected Impact:\r\nThis may break things in the enterprise; please test first.\r\nImportant Note Before Applying:\r\nThese are only recommendations. You are responsible for testing and identifying issues before deploying.\r\nI am not responsible if you break your environment. Configuring any of these settings could negatively impact your environment – test before applying. 
Configuring as many of these as possible will, however, improve the security of your systems.\r\nSource: https://adsecurity.org/?p=3299",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://adsecurity.org/?p=3299"
	],
	"report_names": [
		"?p=3299"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434049,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/572b958ff9024b74f3f53d2dd4be6e3861b9e225.pdf",
		"text": "https://archive.orkl.eu/572b958ff9024b74f3f53d2dd4be6e3861b9e225.txt",
		"img": "https://archive.orkl.eu/572b958ff9024b74f3f53d2dd4be6e3861b9e225.jpg"
	}
}