If your organization is getting serious about cybersecurity but isn’t quite sure where to focus their efforts, this list of internal network security controls should help set you on the right track to get rid of some of the low-hanging fruit in your environment, enhance your security controls, and prepare you for your next penetration test.
In this three-part series, Sikich will offer guidance in addressing the most common internal network, external network, and web application vulnerabilities and security control weaknesses that we find during penetration tests and identify as root causes in forensic investigations.
A word of warning before the list: Before implementing any changes in your environment, please make sure to test the changes first, as some changes could potentially break critical processes if run in a production environment.
Prevent Anonymous File Access
Why this control is important: Network File System (NFS) or Server Message Block (SMB) file shares that can be accessed by any user without authentication could disclose sensitive data such as configuration files, important documents, and other critical files.
How to implement this control: Restrict access to NFS and SMB shares to only the hosts and/or users that require access. You can find additional information here.
Eliminate Anti-Virus Gaps
Why this control is important: It’s necessary to keep anti-virus up to date and active on all systems to protect your data and devices. While attackers are constantly looking for ways to bypass anti-virus defenses, systems that are not protected at all serve as easy targets. During its testing, Sikich often finds (a) systems that were overlooked during the deployment of anti-virus, and (b) servers for which anti-virus was disabled and/or removed due to perceived conflicts with applications.
How to implement this control: First, audit anti-virus coverage by generating a report from Active Directory (AD) of all computers on the domain and comparing that list with the computers your anti-virus console reports as protected. The PowerShell command “Get-ADComputer” can be helpful in generating a full list of domain-joined computers. Once you have confirmed that all domain computers have anti-virus running, review your anti-virus configuration to ensure that important features, such as real-time scanning and behavior-based analysis, are enabled on all computers. You can find additional information on using the PowerShell command here.
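The audit described above as an added PowerShell example (not code from the Sikich article). It assumes the RSAT ActiveDirectory module is installed and that the anti-virus console can export a CSV with a "Hostname" column; the column name and the file path are assumptions, so adjust them to your product.

```powershell
# Added example (not from the Sikich article): compare enabled, recently active
# domain-joined computers from AD against the hosts your anti-virus console reports.
# Assumes the RSAT ActiveDirectory module and a CSV export from the AV console with a
# "Hostname" column (assumed column name; adjust to your product's export format).
param(
    [string]$AvExportCsv = '.\av_console_export.csv',
    [int]$StaleDays = 90   # ignore computer objects that have not logged on in this long
)
Import-Module ActiveDirectory

# Every enabled computer object that has authenticated recently. Stale objects are
# usually decommissioned hosts, not real gaps, so they are excluded from the comparison.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$adComputers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate, OperatingSystem |
    Where-Object { $_.LastLogonDate -gt $cutoff }

# Hostnames the AV console knows about, normalised to short upper-case names so that
# "srv01.corp.example.com" and "SRV01" compare equal.
$avHosts = Import-Csv $AvExportCsv |
    ForEach-Object { ($_.Hostname -split '\.')[0].ToUpperInvariant() } |
    Sort-Object -Unique
$adNames = $adComputers | ForEach-Object { $_.Name.ToUpperInvariant() } | Sort-Object -Unique

# '<=' = only in AD (reference side): a computer with no anti-virus record, the coverage gap.
# '=>' = only in the AV console: workgroup machines or stale agent records worth cleaning up.
$diff    = Compare-Object -ReferenceObject $adNames -DifferenceObject $avHosts
$gaps    = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
$orphans = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)

'{0} active AD computers, {1} in AV console, {2} unprotected, {3} orphaned AV records' -f `
    $adNames.Count, $avHosts.Count, $gaps.Count, $orphans.Count

# List the unprotected machines with enough context to hand to the desktop/server teams.
$adComputers | Where-Object { $_.Name.ToUpperInvariant() -in $gaps } |
    Select-Object Name, OperatingSystem, LastLogonDate |
    Sort-Object OperatingSystem, Name |
    Format-Table -AutoSize
```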
Restrict Accounts to Only Have Necessary Privileges
Why this control is important: During an attack, attackers can often elevate privileges from a low-privileged user account to a much more powerful administrator account. These privilege escalation attacks often take advantage of accounts that were provided more access than they needed.
How to implement this control: Service and user accounts should be granted only the minimum level of access using the principle of least privilege. This is especially important for service accounts whose passwords can be stored in plaintext in the local Security Account Manager (SAM) database that stores user passwords locally and can be used to authenticate users. Granting excessive permissions makes it easier for an attacker to compromise a system or environment. Only grant the minimum required access, create separate administrative accounts so day-to-day activities are not performed with excessive privileges, and limit the number of administrators, domain administrators, and enterprise administrators. You can find additional information about implementing least privilege practices here.
Block Uncategorized Sites Using Web Content Filtering
Why this control is important: Web content filtering is a method where the firewall screens and/or restricts access to questionable emails, websites, and executables. Tools typically categorize websites based on their domain name and content. Many malicious websites used for phishing attacks, drive-by malware downloads, and malware command-and-control channels show up in web filtering systems as uncategorized websites, often because the sites are very new or very obscure. By default, many web content filters do not block uncategorized sites, fearing it will be an inconvenience for employees.
How to implement this control: Implement a web content filter if one is not already in place. Then, review the configuration of the web content filters to make certain unknown and uncategorized sites are blocked. You can find additional information about web content filtering here.
Enable LDAP Signing
Why this control is important: Lightweight Directory Access Protocol (LDAP) signing is a feature of the LDAP protocol that digitally signs communications at the packet level. When LDAP signing is disabled, an attacker can perform man-in-the-middle (MITM) attacks, such as LDAP reflection and LDAP relay, that could allow the attacker to steal credentials and obtain unauthorized access to hosts.
How to implement this control: Require LDAP signing in a host’s configuration. On Microsoft-based hosts, the setting is found in the Local Computer Policy; to apply it to all Windows systems in the domain, set it through Group Policy. You can find additional information about enabling LDAP signing here.
Block Legacy Name Resolution Protocols
Why this control is important: Legacy broadcast name resolution protocols are used to send name resolution requests between hosts in a broadcast or multicast domain. These protocols include the Link-Local Multicast Name Resolution (LLMNR) protocol, the Multicast DNS (mDNS) protocol and the NetBIOS Name Service (NBNS) protocol. Since these requests are sent to anyone listening on the broadcast or multicast domain, all devices on that network would receive the request and be able to respond to it, potentially with a malicious response that can allow an attacker to obtain password hashes or other sensitive information.
How to implement this control:
- LLMNR can be disabled through the Advanced Sharing Settings dialog or Group Policy
- mDNS can be disabled depending upon the type of operating system:
  - Windows – Use a Group Policy Object (GPO) to disable the Bonjour service
  - Mac – The mDNSResponder service can be edited to disable the service
- NBNS can be disabled through the Advanced TCP/IP Settings dialog or by configuring DHCP server options
You can find additional information about legacy name resolution protocols here.
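An added PowerShell example (not from the Sikich article) that audits a Windows host for the three legacy protocols above and, with -Remediate, turns them off through the registry values the corresponding Group Policy and TCP/IP settings write. The Dnscache EnableMDNS value for Windows’ built-in mDNS responder is not mentioned in the article and is included as an assumption about current Windows 10/11 builds; run the script elevated.

```powershell
# Added example (not from the Sikich article): audit LLMNR, mDNS and NBNS on a
# Windows host and optionally disable them. Run elevated; supports -WhatIf.
# EnableMDNS (Windows 10/11 built-in responder) is an assumption not covered by the article.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$mdnsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$nbtKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$findings = @()

# LLMNR: EnableMulticast = 0 is what the "Turn off multicast name resolution" GPO writes.
$llmnr = Get-RegDword $llmnrKey 'EnableMulticast'
$findings += [pscustomobject]@{ Protocol = 'LLMNR'; Scope = 'host'; Disabled = ($llmnr -eq 0) }
if ($Remediate -and $llmnr -ne 0 -and $PSCmdlet.ShouldProcess('LLMNR', 'disable')) {
    Set-RegDword $llmnrKey 'EnableMulticast' 0
}

# mDNS: both the built-in responder (EnableMDNS = 0) and Apple's Bonjour service.
$mdns    = Get-RegDword $mdnsKey 'EnableMDNS'
$bonjour = Get-Service -Name 'Bonjour Service' -ErrorAction SilentlyContinue
$mdnsOff = ($mdns -eq 0) -and ($null -eq $bonjour -or $bonjour.StartType -eq 'Disabled')
$findings += [pscustomobject]@{ Protocol = 'mDNS'; Scope = 'host'; Disabled = $mdnsOff }
if ($Remediate -and -not $mdnsOff -and $PSCmdlet.ShouldProcess('mDNS', 'disable')) {
    Set-RegDword $mdnsKey 'EnableMDNS' 0
    if ($bonjour) {
        Stop-Service -Name 'Bonjour Service' -Force
        Set-Service -Name 'Bonjour Service' -StartupType Disabled
    }
}

# NBNS: NetBIOS over TCP/IP is configured per interface; NetbiosOptions = 2 disables it
# (0 = use DHCP setting, 1 = enabled), so every adapter must be checked.
foreach ($iface in Get-ChildItem $nbtKey) {
    $opt = Get-RegDword $iface.PSPath 'NetbiosOptions'
    $findings += [pscustomobject]@{ Protocol = 'NBNS'; Scope = $iface.PSChildName; Disabled = ($opt -eq 2) }
    if ($Remediate -and $opt -ne 2 -and $PSCmdlet.ShouldProcess($iface.PSChildName, 'disable NetBIOS')) {
        Set-RegDword $iface.PSPath 'NetbiosOptions' 2
    }
}
$findings | Format-Table -AutoSize
```

Without -Remediate the script only reports; Group Policy will reapply its own values at the next refresh, so make the permanent change in the GPO rather than on individual hosts.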
Protect Backups From Being Encrypted or Deleted Using Stolen Passwords
Why this control is important: Attackers routinely destroy backups during ransomware attacks. It is common for attackers to use stolen passwords to delete backups and virtual machine files, or even reset disk-based storage systems to factory defaults, prior to launching malware that encrypts files and applications during the attack.
How to implement this control: Today’s most common approach to protecting backups from attackers is by using cloud-based backups. Other options include (a) placing data on offline media, such as tape or removable USB, or (b) placing backups in a hardened network enclave behind multi-factor authentication (MFA). You can find additional information about protecting backups from ransomware here.
Implement PDNS
Why this control is important: Phishing attacks, malware, and command-and-control agents often use DNS protocols to connect compromised computers to malicious Internet hosts. Protective DNS (PDNS) is a service that protects users from reaching known or suspected malicious websites. PDNS services (e.g., Cisco Umbrella) typically utilize open-source, commercial, and government information feeds of known malicious domains and IP addresses.
How to implement this control: Configure your internal network to use a protective DNS service for DNS queries, and block queries to any other DNS services at the firewall. You can find additional information on PDNS here.
Require SMB Signing
Why this control is important: SMB signing is a feature of the SMB protocol that digitally signs the communications at the packet level. Requiring this feature allows the packet recipient to validate the authenticity of the packets, which helps to prevent an MITM attack. When SMB signing is disabled, an attacker can perform MITM attacks, such as SMB reflection and SMB relay, that could allow the attacker to steal credentials and obtain unauthorized access to hosts.
How to implement this control: Enable and require SMB signing in a host’s configuration. On Microsoft-based hosts, the setting is found in the Local Security Policy. You can find additional information about SMB signing here.
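An added PowerShell check (not code from the Sikich article) that reports whether a Windows host enforces the SMB signing setting described here and the LDAP signing setting from the "Enable LDAP Signing" section above. It reads the SMB configuration through the SmbShare cmdlets and the LDAP settings from their registry values; the domain controller check assumes the NTDS service is a reliable indicator of a DC.

```powershell
# Added example (not from the Sikich article): verify SMB signing (client and server)
# and LDAP signing on a Windows host, printing PASS/FAIL per setting.
function Get-RegDword([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = @()

# SMB: maps to "Microsoft network server/client: Digitally sign communications (always)".
# Both sides must *require* signing; "enable if client agrees" still lets an unsigned
# session be negotiated.
$smbServer = Get-SmbServerConfiguration
$smbClient = Get-SmbClientConfiguration
$checks += [pscustomobject]@{ Control = 'SMB server requires signing'
                              Pass    = [bool]$smbServer.RequireSecuritySignature }
$checks += [pscustomobject]@{ Control = 'SMB client requires signing'
                              Pass    = [bool]$smbClient.RequireSecuritySignature }

# LDAP client: LDAPClientIntegrity 0 = none, 1 = negotiate signing, 2 = require signing.
$ldapClient = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' 'LDAPClientIntegrity'
$checks += [pscustomobject]@{ Control = 'LDAP client requires signing'
                              Pass    = ($ldapClient -eq 2) }

# LDAP server, domain controllers only: LDAPServerIntegrity 1 = none, 2 = require signing.
# The NTDS service only exists on a DC (assumption used to detect one).
if (Get-Service -Name NTDS -ErrorAction SilentlyContinue) {
    $ldapServer = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'LDAPServerIntegrity'
    $checks += [pscustomobject]@{ Control = 'LDAP server (DC) requires signing'
                                  Pass    = ($ldapServer -eq 2) }
}

$checks | ForEach-Object {
    '{0,-36} {1}' -f $_.Control, $(if ($_.Pass) { 'PASS' } else { 'FAIL' })
}
```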
Prevent Password Stealing due to Weak Credentials and Password Reuse
Why this control is important: Two very common ways for attackers to gain initial unauthorized access to networks are password spraying and password stuffing. Password spraying involves attempting to log in with one weak password, such as “[Company name]123,” across hundreds of user accounts. This allows the attacker to identify accounts with weak passwords without locking out accounts. Password stuffing, on the other hand, involves using credentials from password dumps that have been leaked on the Internet against a login service, taking advantage of situations in which a user has reused the same password across multiple services.
How to implement this control: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. Be sure to perform periodic audits to verify that passwords meet length and complexity requirements. Also use a unique password for each account. Consider implementing passphrases (i.e., long passwords) to reduce the likelihood that users would use weak passwords. Training is an excellent way to teach staff about the dangers of using the same passwords across multiple systems and discourage password reuse. You can find additional information on password security best practices here.
Implement a Strong Password Policy
Why this control is important: Weak password policies undermine the effectiveness of passwords as the primary access control mechanism used throughout an environment. Weak password policies can allow users to set blank passwords or passwords that are not long enough to thwart password cracking efforts, should a password hash be captured. Certain policy settings could also allow an attacker to brute force account passwords without fear of locking out user accounts or being discovered.
How to implement this control: To align with best practices from the National Institute of Standards and Technology (NIST), set the following values in your domain password policy:
- Minimum password length: 15
- Password history length: 4
- Maximum password age: 365
  - If minimum password length is less than 15 characters, set to 90 days
- Password Complexity Flags: 00000
- Domain Refuse Password Change: 0
- Domain Password Store Cleartext: 0
- Domain Password Lockout Admins: 0
- Domain Password No Clear Change: 0
- Domain Password No Anon Change: 0
- Domain Password Complex: 0
  - If minimum password length is less than 15 characters, set to 1
- Minimum password age: 1
- Reset Account Lockout Counter: 30
- Locked Account Duration: 0 (lockouts need to be reset by an administrator)
- Account Lockout Threshold: 3
You can find additional information on password policy best practices here.
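An added PowerShell example (not from the Sikich article) that reads the default domain password policy and compares it against the values listed above, including the two conditional rules that apply while the minimum length is still below 15. It assumes the RSAT ActiveDirectory module and that Get-ADDefaultDomainPasswordPolicy reports "never expires" and "until an administrator unlocks" as zero TimeSpans; settings in the list with no direct cmdlet property (the complexity flags and the Domain Password No/Refuse values) are not checked.

```powershell
# Added example (not from the Sikich article): compare the default domain password
# policy with the recommended values. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$p = Get-ADDefaultDomainPasswordPolicy

# The maximum age and the complexity requirement depend on the minimum length actually set.
$shortPasswords     = $p.MinPasswordLength -lt 15
$expectedMaxAgeDays = if ($shortPasswords) { 90 } else { 365 }
$expectedComplexity = $shortPasswords        # complexity only while length < 15

$rules = @(
    @{ Name = 'Minimum password length >= 15'; Actual = $p.MinPasswordLength;    Ok = $p.MinPasswordLength -ge 15 }
    @{ Name = 'Password history >= 4';         Actual = $p.PasswordHistoryCount; Ok = $p.PasswordHistoryCount -ge 4 }
    # A zero maximum age means passwords never expire (assumed cmdlet representation).
    @{ Name = "Maximum age 1..$expectedMaxAgeDays days"; Actual = $p.MaxPasswordAge.TotalDays
       Ok = ($p.MaxPasswordAge.TotalDays -gt 0 -and $p.MaxPasswordAge.TotalDays -le $expectedMaxAgeDays) }
    @{ Name = "Complexity enabled = $expectedComplexity"; Actual = $p.ComplexityEnabled
       Ok = $p.ComplexityEnabled -eq $expectedComplexity }
    @{ Name = 'Reversible encryption off';     Actual = $p.ReversibleEncryptionEnabled; Ok = -not $p.ReversibleEncryptionEnabled }
    @{ Name = 'Minimum age >= 1 day';          Actual = $p.MinPasswordAge.TotalDays;    Ok = $p.MinPasswordAge.TotalDays -ge 1 }
    @{ Name = 'Lockout counter reset = 30 min'; Actual = $p.LockoutObservationWindow.TotalMinutes
       Ok = $p.LockoutObservationWindow.TotalMinutes -eq 30 }
    # Zero duration = locked until an administrator unlocks (assumed cmdlet representation).
    @{ Name = 'Lockout duration = 0 (admin reset)'; Actual = $p.LockoutDuration.TotalMinutes
       Ok = $p.LockoutDuration.TotalMinutes -eq 0 }
    # Threshold 0 disables lockout entirely, so it must be between 1 and 3.
    @{ Name = 'Lockout threshold 1..3';        Actual = $p.LockoutThreshold
       Ok = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 3) }
)

$failed = 0
foreach ($r in $rules) {
    $status = if ($r.Ok) { 'PASS' } else { $failed++; 'FAIL' }
    '{0,-4} {1,-40} actual: {2}' -f $status, $r.Name, $r.Actual
}
"$failed of $($rules.Count) checked settings deviate from the recommended policy."
```

Fine-grained password policies (PSOs) override the default domain policy for the groups they target, so repeat the comparison with Get-ADFineGrainedPasswordPolicy where those are in use.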
Disable WPAD
Why this control is important: Web Proxy Auto-Discovery (WPAD) is a protocol that enables web browsers to automatically download and configure a web proxy configuration file. This feature is enabled by default in several web browsers, most commonly, Internet Explorer. When enabled, attackers can craft a response to WPAD-related queries and serve up a malicious proxy configuration file. The attacker can then intercept all of the web traffic sent to and from the WPAD-enabled host.
How to implement this control: Uncheck “Automatically detect settings” in Internet Explorer’s “Internet Options.” Next, disable “WinHTTP Web Proxy Auto-Discovery Service” in “Services.” Then, set the registry value UseDomainNameDevolution under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters to 0 to prevent name devolution. You can find additional information about disabling WPAD here.
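The two host-level steps above (the service and the registry value) as an added PowerShell script, not code from the Sikich article. It assumes it is run elevated; the per-user Internet Explorer “Automatically detect settings” checkbox is not handled here and should be pushed through Group Policy.

```powershell
# Added example (not from the Sikich article): disable the WinHTTP Web Proxy
# Auto-Discovery service and turn off DNS name devolution, then report the state.
# Run elevated; supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param()

$svcName = 'WinHttpAutoProxySvc'   # display name "WinHTTP Web Proxy Auto-Discovery Service"
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
$tcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# On current Windows 10/11 builds the service cannot be stopped or disabled from
# services.msc (the controls are greyed out), so set Start = 4 (Disabled) directly;
# the change takes effect after a reboot. Stop-Service is attempted but may be refused.
if ($PSCmdlet.ShouldProcess($svcName, 'set startup type to Disabled')) {
    Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
    Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
}

# UseDomainNameDevolution = 0 stops the resolver from walking up the DNS suffix
# chain when it looks for "wpad", keeping the lookup inside your own zones.
if ($PSCmdlet.ShouldProcess('Tcpip\Parameters', 'set UseDomainNameDevolution = 0')) {
    Set-ItemProperty -Path $tcpKey -Name UseDomainNameDevolution -Value 0 -Type DWord
}

# Resulting state: Start 4 = Disabled; Status may still be Running until reboot.
[pscustomobject]@{
    ServiceStartValue       = (Get-ItemProperty -Path $svcKey -Name Start).Start
    ServiceStatus           = (Get-Service -Name $svcName).Status
    UseDomainNameDevolution = (Get-ItemProperty -Path $tcpKey -Name UseDomainNameDevolution `
                                   -ErrorAction SilentlyContinue).UseDomainNameDevolution
}
```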
Implementing these controls on your internal network can go a long way toward preventing ransomware and similar attacks. To learn more about these controls, or get help with implementing or auditing these controls, please contact our team.
Next in the series, Sikich will dive into controls intended to address external vulnerabilities.