DOCSLIB.ORG

BASIC SECURITY PRINCIPLES Outline

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
BASIC SECURITY PRINCIPLES Outline Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com | BASIC SECURITY PRINCIPLES Outline . User Identity and Access Tokens . Local User Accounts . Domain User Accounts . Authentication Mechanisms . User Rights . User Account Control . Group Policy Security Settings . Computer Environment . Groups and Group Scopes Advanced Windows Security USER IDENTITY AND ACCESS TOKENS Windows Processes . Everything runs as a process some code runs in Kernel mode, but mostly under identity of the calling process interrupts, DPCs and file cache are executing without user context . Every process runs under a user identity SYSTEM, Network Service, Local Service, local user, domain user . Access permissions are always checked there is no root superuser as in unix User Identity . User identity is represented as a SID NT Authority\SYSTEM = S-1-5-18 NT Authority\Local Service = S-1-5-19 NT Authority\Network Service = S-1-5-20 BUILTIN\Administrators = S-1-5-32-544 BUILTIN\Users = S-1-5-32-545 local user = S-1-5-21-LocalSID-RID domain user = S-1-5-21-DomainSID-RID . Every process gets its own copy of an Access Token list of user’s SID and SIDs of his groups created by LSASS.exe (Local Security Authority) Access Token . Memory structure that contains user SID and the SIDs of his groups identified by its Logon Session ID . Inherited by child processes . Cached after a successful interactive logon in registry HKLM\Security\Cache Policy: Number of Previous Logons to Cache . Limitted to 1025 SIDs Access Token Cache Limit Access token limit to 1025 SIDs Lab: indirect group membership in access token Tools for Access Token . WHOAMI /ALL built into Vista/2008 and newer member of Support Tools for 2003/xp and older . PROCEXP Process Explorer download from http://live.sysinternals.com . PSEXEC download from http://live.sysinternals.com . ADUC Attribute Editor Active Directory Users and Computers console Select View – Advanced Features Can show user and group SIDs in AD Lab: Access Token . Log on to GPS-WKS as Kamil use WHOAMI /ALL to investigate his access token verify that he is member of Administratos and Employees groups note his SID and the SIDs of his groups . Use PSEXEC -D -S -I CMD to start command line under SYSTEM account use WHOAMI /ALL to verify its access token . Use PSEXEC -D -I -U “NT Authority\Network Service” CMD to start command line under Network Service account use WHOAMI /ALL to verify its access token . Start PROCEXP and verify contents of the access tokens of some processes . Start ADUC and use Attribute Editor tab to verify user SIDs in Active Directory System SIDs . Some SIDs are added automatically . INTERACTIVE, NETWORK, BATCH, REMOTE INTERACTIVE LOGON . Everyone, Authenticated Users, This Organization, NTLM Authentication Lab: SERVICE SID . On GPS-DC create a service account for SNMPTRAP service user: svc-snmp options: password never expires, user cannot change password . On GPS-WKS reconfigure SNMP TRAP service to run under GPS\svc-snmp account . Using PROCEXP verify SERVICE SID injected into the processes access token Translating SIDs with PowerShell 'S-1-5-18', 'S-1-5-32-544' | Select @{ n = 'SID' ; e = { $_ } }, @{ n = 'Name' ; e = { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Type]::GetType('System.Security.Principa l.NTAccount')).Value } } 'Administrators', 'NT AUTHORITY\Network Service' | Select @{ n = 'Name' ; e = { $_ } }, @{ n = 'SID' ; e = { (New-Object Security.Principal.NTAccount $_).Translate([Security.Principal.SecurityIdentifier]).Value } } $rxSID = '[Ss]-1(?:-\d+){1,}' [regex]::Match('This SID S-1-5-80-3964583643-2633443559- 2834438935-3739664028-1580655619 has been detected', $rxSID).Value All BUILTIN SIDs (1..1000) | % { $user = New-Object Security.Principal.SecurityIdentifier S-1-5-32-$_ $errorActionPreference = 'SilentlyContinue' write-host ("{0,35} = S-1-5-32-{1}" -f $user.Translate([Type]::GetType('System.Security.Princi pal.NTAccount')).Value.Replace('BUILTIN\', ''), $_) $errorActionPreference = 'Continue' } Everyone vs. Authenticated Users . Windows 2000- Everyone = Authenticated Users + Anonymous Logon . Windows XP+ Everyone = Authenticated Users can be changed back in security policy Let Everyone permissions apply to Anonymous Users Everyone vs. Authenticated Users Default Local Users Group and Domain User . By default local Users group contains Authenticated Users . Default security Everyone = Authenticated Users = Users = Domain Users . Do not use any of the groups for securing resources Default Local Users Group Lab: Local Users on GPS-WKS Lab: Verify (non)Access . Verify that users can log on to GPS-WKS workstation [email protected] (Employee) [email protected] (Employee) [email protected] (account from ELEARNING domain) . Verify that the following users cannot log on to GPS-WKS [email protected] (Contractor) BIKES\tanja (account from BIKES domain) Advanced Windows Security LOCAL USER ACCOUNTS Local User Accounts . Stored in local registry HKLM\SAM\Domains\Account . Password hashed (MD4) can be stored in full Policy: Store passwords using reversible encryption . Can enforce password complexity and history Policy: Password complexity requirements Policy: Enforce password history . Single login: COMPUTER\username Do not store clear-text passwords LM Password Hashes . Windows 2003/XP store LM password hashes extreme insecurity, only 7 uppercase characters remains in Default Domain Policy GPO if installed with Windows 2003 or older backward compatibility Windows 95, 3.1, MS-DOS . Should be disabled as soon as possible LM Password Hashes Lab: Disable LM Hashes . On GPS-DC open the GPMC console . Create a new GPO for domain name: Security: LM Hashes Disabled link to: gopas.virtual enforced: yes . Disable LM hashes Computer – Windows Settings – Local Policies - Security Options – Do not store LAN Manager hashes on next password change Lab: Cracking Local Passwords with Cain . Log on to GPS-WKS as gps\kamil . Install Cain & Abel tool . Switch to Cracker tab . Import LM&NTLM hashes from local system . Perform Brute-Force Attack on one of the hashes http://hashcat.net performance (2016) Brute-Force vs. Rainbow Tables . Brute-force generate all the possible hashes taking time for the generation ca 80x per additional character . Rainbow Tables use pre-generated, sorted list of hashes taking one-time for the generation taking space to store the database ca 40x per additional character Local Password Policies Password Policies . Minimum recommended length: 10 characters http://www.sevecek.com/Lists/Posts/Post.aspx?ID =145 . Minimum password age the settings is necessary only to enforce password history . Password complexity 3of4: at least three from: a-z, A-Z, 0-9, #^%&* do not contain 3 or more chars from user’s login Complex Passwords . Simple examples September2012 John-Lennon Buldo-zer56 . Login considered login: ondrej Invalid password: J@mES-BonD38 Local Account Lockout Policy Advanced Windows Security VOLATILE STATE VS. OFFLINE ATTACKS Sensitive memory information . LSASS.exe currently logged-on user hashes currently logged-on user plain-text passwords processes, services, jobs, IIS apppools . Only local administrators can attack online debug privilege! . Windows 8/2012 and older password + MD4 hash + LM hash (always) . Windows 8.1/2012R2 and newer MD4 hash (+ password if RDP SSO) LM hash if enabled Extract passwords/hashes Pass-the-hash Sensitive information stored permanently . Only local administrators can extract online local user password hashes from registry service, scheduled tasks, IIS apppools plaintext passwords . Users can extract their own online IE stored passwords RDP stored passwords stored Windows credentials software keylogging . Offline extractions anything stored permanently except with SYSKEY Permanently stored system-wide information . HKLM\SAM local user account hashes (LM, MD4) non-salted = rainbow/brute-force . HKLM\SECURITY\Cache domain user account hash cache (1000x SHA-1) salted with username = brute-force . HKLM\SECURITY\Policy\Secrets LSA secret plain-text passwords for services, DefaultPassword, VPN (dialup) passwords . %windir%\System32\Config\SystemProfile\AppData \Local\Microsoft\Credentials scheduled task plain-text passwords protected with DPAPI Permanently stored system-wide and per- user information . IIS application pool accounts plain-text applicationHost.config (DPAPI protected) appcmd list apppool /text:* . NPS RADIUS clients plain-text shared secrets netsh nps export exportpsk=yes . Per user Windows Vault/Stored User Names and Passwords (DPAPI) %userprofile%\AppData\Roaming\Microsoft\Credentials %userprofile%\AppData\Local\Microsoft\Vault Online fake password prompts . Require CTRL-ALT-DEL . Require secure desktop UAC confirmation Require CTRL-ALT-DEL Require secure UAC prompts Do not allow "Stored user names and passwords“ (WKS only vs. scheduled jobs) Do not allow IE caching passwords (basic/forms) . IE 7,6,… HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings DisablePasswordCaching = 1 . IE 8,9,10 disable Credential Manager . IE 11 HKCU\Software\Microsoft\Internet Explorer\Main FormSuggest Passwords = no Do not allow browser caching passwords (basic/forms) . Edge HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft. microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main FormSuggest Passwords = no . Chrome
Load more

Recommended publications
  • Tokenvator Release 3 Written by Alexander Polce Leary | July 22, 2021 Tokenvator Release 3 Is a Long Overdue Update That Includes a Major Overhaul to the Tool
    Tokenvator Release 3 written by Alexander Polce Leary | July 22, 2021 Tokenvator Release 3 is a long overdue update that includes a major overhaul to the tool. From the user interface, it will be mostly familiar with some command line tweaks. Under the surface, large portions of the code base have been reworked, and parts of the base have had some updates. In this series, we will go over some of the changes and new features added. Teaser Alert: Adding Privileges & Creating Tokens Improvements First and foremost, the user interface. Historically, every action had a series of positional arguments that were clunky and generally difficult to remember. They were also not very flexible, and as the commands started to have more, and additional optional arguments, they became completely unwieldy. These have been replaced with flags that will auto complete. For instance, to list and enable privileges: This also works in the non-interactive mode (though it won’t tab complete – sorry, it’s Windows): Additionally, the scroll back function was improved and numerous bugs were resolved. For instance, now when you press up you will always go to the last command issued. A printable command history has also been added if you want to copy and paste instead or keep a log of your actions. The info functionality was improved again, removing many bugs and adding additional information, such as impersonation contexts: (Tokens) > whoami [*] Operating as NT AUTHORITY\SYSTEM (Tokens) > info [*] Primary Token [+] User: S-1-5-21-258464558-1780981397-2849438727-1001
    [Show full text]
  • Oracle® Database Administrator's Reference
    Oracle® Database Administrator's Reference 18c for Microsoft Windows E83889-01 August 2018 Oracle Database Administrator's Reference, 18c for Microsoft Windows E83889-01 Copyright © 1996, 2018, Oracle and/or its affiliates. All rights reserved. Primary Authors: Tanaya Bhattacharjee, Sunil Surabhi, Mark Bauer Contributing Authors: Lance Ashdown Contributors: Alexander Key, Sivaselvam Narayanasamy, Ricky Chen, David Collelo, David Friedman, Prakash Jashnani, Sue K. Lee, Rich Long, Satish Panchumarthy, Ravi Thammaiah, Michael Verheij This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency- specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
    [Show full text]
  • Security Assessment Security Policy Assessment
    Security Assessment Security Policy Assessment Prepared for: Jonathan Doe Prepared by: Austin Archer 3/23/2018 CONFIDENTIALITY NOTE: The information contained in this report is for the exclusive use of the client specified above and may contain confidential, privileged and non-disclosable information. If the recipient of this report is not the client or addressee, such recipient is strictly prohibited from reading, photocopying, distributing or otherwise using this report or its contents in any way. Scan Date: 4/1/2014 Security Policy Assessment SECURITY ASSESSMENT Table of Contents 1 - Summary 1.1 - Sampled Systems 2 - Local Security Settings (Sampled Systems) 2.1 - Account Policies 2.1.1 - Password Policy 2.1.2 - Account Lockout Policy 2.2 - Local Policies 2.2.1 - Audit Policy 2.2.2 - User Rights Assignment 2.2.3 - Security Options PROPRIETARY & CONFIDENTIAL Page 2 of 14 Security Policy Assessment SECURITY ASSESSMENT 1 - Summary 1.1 - Sampled Systems IP Addresses Computer Name Operating System 10.0.7.28 tandem Windows 7 Enterprise 172.20.1.3, 10.0.1.3 DC01 Windows Server 2012 Standard PROPRIETARY & CONFIDENTIAL Page 3 of 14 Security Policy Assessment SECURITY ASSESSMENT 2 - Local Security Settings (Sampled Systems) 2.1 - Account Policies 2.1.1 - Password Policy Policy Setting Computers Enforce password history 0 passwords remembered TANDEM 24 passwords remembered DC01 Maximum password age 42 days All Sampled Minimum password age 1 days All Sampled Minimum password length 7 characters All Sampled Password must meet complexity requirements
    [Show full text]
  • Run-Commands-Windows-10.Pdf
    Run Commands Windows 10 by Bettertechtips.com Command Action Command Action documents Open Documents Folder devicepairingwizard Device Pairing Wizard videos Open Videos Folder msdt Diagnostics Troubleshooting Wizard downloads Open Downloads Folder tabcal Digitizer Calibration Tool favorites Open Favorites Folder dxdiag DirectX Diagnostic Tool recent Open Recent Folder cleanmgr Disk Cleanup pictures Open Pictures Folder dfrgui Optimie Drive devicepairingwizard Add a new Device diskmgmt.msc Disk Management winver About Windows dialog dpiscaling Display Setting hdwwiz Add Hardware Wizard dccw Display Color Calibration netplwiz User Accounts verifier Driver Verifier Manager azman.msc Authorization Manager utilman Ease of Access Center sdclt Backup and Restore rekeywiz Encryption File System Wizard fsquirt fsquirt eventvwr.msc Event Viewer calc Calculator fxscover Fax Cover Page Editor certmgr.msc Certificates sigverif File Signature Verification systempropertiesperformance Performance Options joy.cpl Game Controllers printui Printer User Interface iexpress IExpress Wizard charmap Character Map iexplore Internet Explorer cttune ClearType text Tuner inetcpl.cpl Internet Properties colorcpl Color Management iscsicpl iSCSI Initiator Configuration Tool cmd Command Prompt lpksetup Language Pack Installer comexp.msc Component Services gpedit.msc Local Group Policy Editor compmgmt.msc Computer Management secpol.msc Local Security Policy: displayswitch Connect to a Projector lusrmgr.msc Local Users and Groups control Control Panel magnify Magnifier
    [Show full text]
  • Process Explorer Copyright © 1996-2012 Mark Russinovich Sysinternals
    Process Explorer Copyright © 1996-2012 Mark Russinovich Sysinternals - www.sysinternals.com Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command-line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory or Registry key, or to view the list of processes that have a DLL loaded. The Process Explorer display consists of two sub-windows. The top always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window, which you can close, depends on the mode that Process Explorer is in: if it is in handle mode you will see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you will see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work. You can obtain equivalent command-line tools, Handle and ListDLLs, at the Sysinternals Web site.
    [Show full text]
  • Copyrighted Material
    11_783269 bindex.qxp 11/10/06 11:15 AM Page 209 Index applications (defined), 205. See also programs Numerics arranging windows, 43–44 100% button (Internet Explorer 7), 99–100 assigning sounds to program events, 24 audio visualizations, 186 A Windows Media Player 11, 183, 185–186 accessibility options, 156 audio CDs. See CDs accessories, 205 Audio Description feature, 157 account types, 169 AutoComplete feature (Internet Explorer 7), 101 accounts (administrative), 169 automatic updates with Windows Update, 161–162, 167 accounts (e-mail), 124 AutoPlay, 13, 148, 151 accounts (user) Autosearching feature (Internet Explorer 7), 113 account types, 169 adding, 169 creating, 169 B deleting, 170 backgrounds for desktop, 24 managing, 168, 170 Backup and Restore Center, 140–143, 146 names, 169 Backup Files dialog box, 141 Parental Controls, 170 backups passwords, 169 CompletePC Backup utility, 140–142 pictures, 169–170 DVD discs, 142 switching, 74 File and Folder Backup utility, 140–142 User Account Control (UAC), 170 Send To shortcut menu command, 64–65 activity reporting, 165 stopping, 141 activity reports, 166 BitLocker drive encryption, 163–164 Add Printer Wizard, 149–151 blocking Add to Library dialog box, 187 computer use, 165 adding Web sites, 165 bookmarks to Favorites Center, 102 blog, 208 gadgets, 31–32 bookmarks (Internet Explorer 7) icons, 35 adding to Favorites Center, 102 languages, 155–156 deleting, 104 music, 187 importing, 101 printers, 149–151 moving, 103–105 user accounts, 169 organizing, 103–105 address bar, 15–16 renaming, 104 address book, 128–130 selecting, 103 Address toolbar, 41 browser (defined), 208. See also Internet Explorer 7 adjusting volume, 152 browsing offline.
    [Show full text]
  • Understanding Windows Lateral Movements
    Understanding Windows Lateral Movements ATTL4S & ElephantSe4l # ATTL4S • Daniel López Jiménez (a.k.a. ATTL4S) • Twitter: @DaniLJ94 • GitHub: @ATTL4S • Youtube: ATTL4S • Loves Windows and Active Directory security • Senior Security Consultant at NCC Group • Associate Teacher at Universidad Castilla-La Mancha (MCSI) Confs: NavajaNegra, No cON Name, h-c0n, Hack&Beers Posts: Crummie5, NCC Group’s blog, Hackplayers Certs: CRTO, PACES, OSCP, CRTE www.crummie5.club # ElephantSe4l • Godlike Programmer and Elephant Seal • Twitter: @ElephantSe4l • GitHub: @ElephantSe4l • Very curious, he enjoys understanding complex and weird things • Mind behind all the low-level contents of my talks This has been written by ATTL4S www.crummie5.club WWW.CRUMMIE5.CLUB www.crummie5.club The goal of this talk is understanding how to perform lateral movements in Windows and Active Directory environments by comprehending the art of user impersonation www.crummie5.club Credential theft │ Password │ Hash │ Token UserA UserB HostA UserB HostB Agenda 1. Ways of Authentication 2. Authentication Packages 3. Logon Sessions 4. Access Tokens 5. User Impersonation 6. Let’s Move www.crummie5.club Ways of Authentication www.crummie5.club [SAM] : Local Auth [NTDS] : Domain Auth HostA DC [SAM] HostA\UserA [SAM] HostA\UserB [NTDS] Corp\DomainUserA HostB [NTDS] Corp\DomainUserB Remote Authentications • We don’t (usually) care about physical authentications • We care about remote authentications and they require privileges • Being a local user in a system doesn’t mean you have privileges
    [Show full text]
  • Run a Program Under Administrator Privilege
    Knowledgebase Article Run a program under Administrator privilege © Copyright 2001-2012 EMCO Software Company web site: emcosoftware.com Support telephone: +44 20 3287-7651 Support email: [email protected] +1 646 233-1163 Knowledgebase Article Run a program under Administrator privilege 2 Run a program under Administrator privilege In this tutorial we will show you how to execute a program under another user rights to gain more access if you don't have it from your current user logon. Some of our programs require Administrator rights to the remote computer to perform correctly, and the most common support questions we get are because the user that is using our product's does not have the required privilege needed for the program to perform the way it should be!. About the RunAs feature The RunAs feature allows you to run any program under another user account rights. Think about it... if you are not a full member of the Administrator group on the computer you are logged into and have a need to run a program as the administrator user you can use the RunAs feature any time you want. But of course you need to know the password for the administrator or the user you want to use for the RunAs function. There are many ways to use and access the RunAs feature, and we will write about two of them here in this short tutorial. emcosoftware.com © Copyright 2001-2012 EMCO Software Knowledgebase Article Run a program under Administrator privilege 3 Using RunAs from the command line, Cmd.exe From the screenshot below you can see how we access this feature easily by writing just the RunAs.exe as the filename into the Cmd.exe dialog.
    [Show full text]
  • How to Get Started with Third Wall
    How to get started with Third Wall So now you have Third Wall, and you're trying to figure out the best way to use all of that power at your fingertips. Not a bad problem to have! We have a good suggestion on how to get started. You'll notice that, with 56 different policies to apply, some will impact end-users more than others. The ones that impact end users the least (while still providing great protection, of course!) are what we call "no-brainers." That is, you should be deploying many of these across ALL of your managed computers - right now. And, using our Profile feature, we make that easy for you to do. How do you do that? Simply create a Profile in Third Wall with the following no-brainer policies that are appropriate for you. Once you have done that, apply the Profile and select the "All Clients" option, which will then turn these policies on at ALL of your managed Locations - just like that. Pretty slick. Then, you can customize each of your clients by setting up a separate Profile for each of them, then deploy those Profiles by single client on top of your original deployment of the no-brainers. Since Profiles are additive, this will allow you to layer your Profile deployments like this for maximum protection in minimum time. So here is our suggested list of no-brainer policies: 1. Rename Local Administrator Account Why would you ever leave the name of this as default (Administrator)? Hide the name – make it harder for malware to find.
    [Show full text]
  • Lazarus Under the Hood Kaspersky Lab Global Research and Analysis Team Executive Summary
    Lazarus Under The Hood Kaspersky Lab Global Research and Analysis Team Executive Summary The Lazarus Group’s activity spans multiple years, going back as far as 2009. Its malware has been found in many serious cyberattacks, such as the massive data leak and file wiper attack on Sony Pictures Entertainment in 2014; the cyberespionage campaign in South Korea, dubbed Operation Troy, in 2013; and Operation DarkSeoul, which attacked South Korean media and financial companies in 2013. There have been several attempts to attribute one of the biggest cyberheists, in Bangladesh in 2016, to Lazarus Group. Researchers discovered a similarity between the backdoor used in Bangladesh and code in one of the Lazarus wiper tools. This was the first attempt to link the attack back to Lazarus. However, as new facts emerged in the media, claiming that there were at least three independent attackers in Bangladesh, any certainty about who exactly attacked the SWIFT systems, and was behind one of the biggest ever bank heists in history, vanished. The only thing that was certain was that Lazarus malware was used in Bangladesh. However, considering that we had previously found Lazarus in dozens of different countries, including multiple infections in Bangladesh, this was not very convincing evidence and many security researchers expressed skepticism abound this attribution link. This paper is the result of forensic investigations by Kaspersky Lab at banks in two countries far apart. It reveals new modules used by Lazarus group and strongly links the SWIFT system attacking tools to the Lazarus Group’s arsenal of lateral movement tools. Considering that Lazarus Group is still active in various cyberespionage and cybersabotage activities, we have segregated its subdivision focusing on attacks on banks and financial manipulations into a separate group which we call Bluenoroff (after one of the tools they used).
    [Show full text]
  • Nine Ways to Restrict End-Users Who Have Windows Admin Privileges
    WHITE PAPER: Nine Ways to Restrict End-Users Who Have Windows Admin Privileges Nine Ways to Restrict End-Users Who Have Windows Admin Privileges WHITE PAPER WHITE PAPER: Nine Ways to Restrict End-Users Who Have Windows Admin Privileges Contents Introduction ................................................................................................................................3 Restriction 1 – Prevent Users from Changing the UAC Setting ...............................................3 Restriction 2 – Prevent Users from Running the MMC with Admin Privileges.........................4 Restriction 3 – Prevent Users from Running Commands or Scripts with Admin Privileges ....5 Restriction 4 – Prevent Users from Uninstalling Third-party Software Protecting Your System ...................................................................................................................................................6 Restriction 5 – Prevent Users from Being Able to Edit System Settings in the Registry .........7 Restriction 6 – Prevent Users from Disabling or Changing Endpoint Firewall Settings ..........7 Restriction 7 – Prevent Users from Changing the Date and Time ...........................................8 Restriction 8 – Prevent Users from Terminating Processes ....................................................9 Restriction 9 – Prevent Users from Elevating Applications that Could Introduce Malware .....9 What Next? ............................................................................................................................
    [Show full text]
  • Disabling UAC for Wonderware® Product Support on Windows 2008 Server R2 – 64 Bit
    Disabling UAC for Wonderware® Product Support on Windows 2008 Server R2 – 64 bit Tech Note 772 Disabling UAC for Wonderware® Product Support on Windows 2008 Server R2 – 64 bit All Tech Notes, Tech Alerts and KBCD documents and software are provided "as is" without warranty of any kind. See the Terms of Use for more information. Topic#: 002552 Created: April 2011 Updated: September 2011 Introduction User Account Control (UAC) is a new security component for Windows Server 2008. UAC enables users to perform common tasks as Non-Administrators, who were called Standard Users in Windows 2000. Non- Administrators can also perform common tasks as Administrators without having to switch users, log off, or use Run As. A Standard User account in Windows 2000 is synonymous with a User Account in Windows XP. User accounts who are members of the local Administrators group will run most applications as a Standard User. This Tech Note applies ONLY to Windows Server 2008 R2 (64 bit). The following information describes disabling the Windows 2008 R2 User Account Control (UAC) in order to allow Wonderware® Products to operate correctly. Note: Disabling UAC for Windows 2008 SP2 is covered in Tech Note 733 Disable UAC on Windows Server 2008 SP2. Application Versions All Wonderware Products Windows Server 2008 R2 (64 bit) Windows 7 Issues There are many problems associated with running Wonderware Products in Windows 2008 R2 with the User Account Control (UAC) enabled. The problems include but are not limited to Deployment failure to a remote node. Unable to see the remote node in the SMC.
    [Show full text]