Customizing Group Policy

There is no substitute for manually stepping through the options in the Group Policy Editor (run ‘gpedit.msc’). Sorting on the ‘Setting’ or ‘State’ column makes the long lists far easier to read.

The wording of some settings is counter-intuitive: a setting named ‘Turn off X’ has to be Enabled to switch X off. Luckily, each option carries a description tab explaining exactly what it does.

Most of the relevant settings are found under these Policy Paths:

Computer Configuration > Windows Settings > Security Settings

Computer Configuration > Administrative Templates > System

Computer Configuration > Administrative Templates > Windows Components

User Configuration > Administrative Templates

Apply any changes by executing the command below in an elevated shell:

gpupdate.exe /Force

It is worth repeating this walkthrough whenever a new CIS benchmark document is released.

Merging Baselines

The information the Policy Analyzer gives me allows me to quickly combine the best of two baselines together and customize my settings as desired.

I eased my Account Lockout Policy (duration).

I require VMware compatibility to do my job (a non-issue in v1703).

I disabled Windows Defender (and SpyNet) for privacy reasons.

I white-listed my desired Chrome Extensions and relaxed other settings.

I disabled program execution from removable drives.

Despite primarily working from VMware, some settings aimed at improving security would interfere with me during a penetration test, such as those limiting the number of simultaneously active network adapters or preventing me from creating a layer 2 MAC bridge between them.

Less Telemetry

As you step through the options you will discover not only that Chrome has a dinosaur Easter-egg game, but also that many apps have some form of:

Advertising ID

Cloud Sync

Error Reporting

Experience Improvement

Customer Experience Improvement Program (CEIP)

Telemetry

Usage Statistics

The DoD baseline does a good job of disabling most, but not all, of these. Note that unless you have a Windows Enterprise or Education license you cannot disable Telemetry entirely: the ‘Security’ (0) level of ‘Allow Telemetry’ is only honoured on those editions, and on Pro the lowest effective level is ‘Basic’.

Strict policy reapplication

Make sure to enforce strict reapplication of critical policies. By default a client-side extension skips processing when the GPO has not changed, so a registry value or ACL that was tampered with locally stays in effect until the next GPO edit; forcing reapplication reverts it at every refresh.

Computer Configuration > Adm. Templates > System > Group Policy.

Enable: ‘Process even if the Group Policy objects have not changed’.

For: Folder redirection, IP security, registry, scripts, security, Services preference, software installation, wired and wireless policy processing.
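The PowerShell script below is an added example (it is not from the original post). It reports, for every Group Policy client-side extension registered on the machine, whether it is set to process even when the GPOs have not changed, and with -Enforce it switches the extensions named above to that mode by writing the same NoGPOListChanges value the policy editor writes. It assumes the extension names can be read from the (Default) value of each Winlogon\GPExtensions subkey; the built-in Registry extension is added by GUID in case it is not listed there.

```powershell
# Added example, not code from the original post.
# Report (and with -Enforce, set) "Process even if the Group Policy objects have
# not changed" for the client-side extensions (CSEs) on this machine.
# Run from an elevated PowerShell prompt.
param(
    [switch]$Enforce,
    # Substrings of CSE display names to enforce; the default is the list from the post.
    [string[]]$Names = @('Folder Redirection', 'IP Security', 'Registry', 'Scripts',
                         'Security', 'Services', 'Software Installation', 'Wired', 'Wireless')
)

$cseRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'

# GUID -> display name. Assumption: the (Default) value of each GPExtensions subkey
# holds the name; the built-in Registry CSE is seeded here in case it is not listed.
$cse = @{ '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' = 'Registry' }
foreach ($k in Get-ChildItem -Path $cseRoot) {
    $name = (Get-ItemProperty -Path $k.PSPath).'(default)'
    if ($name) { $cse[$k.PSChildName] = $name }
}

foreach ($guid in ($cse.Keys | Sort-Object { $cse[$_] })) {
    $name = $cse[$guid]
    $key  = Join-Path -Path $policyRoot -ChildPath $guid
    # NoGPOListChanges: 0 = process even if unchanged (policy "Enabled"), 1 = skip when unchanged.
    $val  = (Get-ItemProperty -Path $key -Name NoGPOListChanges -ErrorAction SilentlyContinue).NoGPOListChanges
    if ($val -eq 0)     { $state = 'always' }
    elseif ($val -eq 1) { $state = 'only when changed' }
    else                { $state = 'not configured' }
    $wanted = [bool]($Names | Where-Object { $name -like "*$_*" })
    '{0,-40} {1,-40} {2}' -f $name, $guid, $state

    if ($Enforce -and $wanted -and $val -ne 0) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name NoGPOListChanges  -Value 0 -Type DWord
        # Keep background refresh on; otherwise "always" only applies at boot/logon.
        Set-ItemProperty -Path $key -Name NoBackgroundPolicy -Value 0 -Type DWord
    }
}
if ($Enforce) { gpupdate.exe /force }
```

Run it once without -Enforce to see the current state, then with -Enforce; the report afterwards should show ‘always’ for every extension in the list.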

Deny access from the network

I will never need to log in to my workstation remotely:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Add ‘Local account and member of Administrators group’ (the well-known SID S-1-5-114) to:

‘Deny access to this computer from the network’

‘Deny log on through Remote Desktop Services’

These deny rights cover SMB and RDP logons, so a reused or stolen local-administrator credential (pass-the-hash included) cannot be used against the workstation from the network, while interactive logon at the console is unaffected.
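The following is an added example (not from the original post) that makes the same change with secedit.exe, the engine behind the Security Settings node, and merges the new SID with whatever is already assigned so existing deny entries such as Guests are kept. The %TEMP% paths and the assumption that exported rights appear as ‘SeXxx = *SID,*SID’ lines are mine.

```powershell
# Added example, not code from the original post.
# Add S-1-5-114 ("Local account and member of Administrators group") to the two
# deny rights without dropping existing assignments, then verify.
# Run from an elevated PowerShell prompt.
$sid    = '*S-1-5-114'
$rights = 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight'
$work   = Join-Path $env:TEMP 'userrights'
New-Item -Path $work -ItemType Directory -Force | Out-Null
$export = Join-Path $work 'current.inf'
$apply  = Join-Path $work 'deny.inf'

# 1. Export the current user-rights assignments (UTF-16 .inf, read fine by Get-Content).
secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null

# 2. Parse "Right = *SID,*SID,..." lines into a hashtable.
$current = @{}
foreach ($line in Get-Content -Path $export) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $current[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

# 3. Merge the new SID into each deny right (a right not present yet is created).
$changed = @()
foreach ($r in $rights) {
    $members = @($current[$r] | Where-Object { $_ })
    if ($members -notcontains $sid) { $current[$r] = $members + $sid; $changed += $r }
}

if ($changed) {
    # 4. Write a minimal security template with only the changed rights and apply it;
    #    /areas USER_RIGHTS limits the change to that section of local policy.
    $inf = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]'
    ) + ($changed | ForEach-Object { '{0} = {1}' -f $_, ($current[$_] -join ',') })
    $inf | Set-Content -Path $apply -Encoding Unicode
    secedit.exe /configure /db (Join-Path $work 'deny.sdb') /cfg $apply /areas USER_RIGHTS /quiet
}

# 5. Verify by re-exporting and printing the two rights.
secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
Get-Content -Path $export | Select-String -Pattern ($rights -join '|')
```

The change takes effect at the next logon attempt, no reboot needed. If you ever do administer the box over RDP with a local account, this is the setting that locks you out.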

Windows DNS Client

With smart multi-homed name resolution enabled, Windows 10’s DNS Client sends each query out of every interface in parallel and accepts whichever response arrives first, not necessarily the one from your intended DNS server. This is how queries leak to the local network while a VPN is up.

Computer Configuration > Adm. Templates > Network > DNS Client.

‘Turn off smart multi-homed name resolution’ to prevent “DNS leaks”.

‘Turn off multicast name resolution’ to disable LLMNR, a broadcast protocol that anyone on the local segment can answer with a spoofed reply.

‘Turn off smart protocol reordering’ for good measure.

We can later enforce this policy using Windows Firewall as a technical control.
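The script below is an added example (not from the original post) that writes the three DNS Client policies as the registry values the policy editor writes, disables NetBIOS name resolution (LLMNR’s older sibling) on every adapter, and then adds the Windows Firewall rules that turn the policy into a technical control. 192.0.2.53 is a placeholder for your trusted resolver. One caveat it handles: in Windows Firewall a Block rule beats an Allow rule, so “DNS only to the resolver” has to be expressed as a block for every address except the resolver; the helper computes those IPv4 ranges (IPv6 is not covered). This will also break DNS handed out by a VPN unless that resolver is the one you name.

```powershell
# Added example, not code from the original post.
# DNS Client policies + NetBIOS off + firewall enforcement. Elevated prompt required.
# Assumption: $Resolver is your trusted DNS server; replace the placeholder.
$Resolver = '192.0.2.53'

$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $dnsPolicy -Force | Out-Null
# 'Turn off smart multi-homed name resolution' = Enabled
Set-ItemProperty -Path $dnsPolicy -Name DisableSmartNameResolution     -Value 1 -Type DWord
# 'Turn off multicast name resolution' (LLMNR) = Enabled
Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast                -Value 0 -Type DWord
# 'Turn off smart protocol reordering' = Enabled
Set-ItemProperty -Path $dnsPolicy -Name DisableSmartProtocolReordering -Value 1 -Type DWord

# NetBIOS over TCP/IP answers the same spoofable broadcast lookups; 2 = disabled.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }

function Get-OtherAddresses([string]$ip) {
    # IPv4 ranges that exclude $ip, in the "a.b.c.d-w.x.y.z" form the firewall accepts,
    # so a Block rule can mean "everyone except the resolver" (block beats allow).
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($b)
    $n = [BitConverter]::ToUInt32($b, 0)
    $toIp = { param([uint32]$v) $x = [BitConverter]::GetBytes($v); [Array]::Reverse($x); [System.Net.IPAddress]::new($x).ToString() }
    $ranges = @()
    if ($n -gt 0)                  { $ranges += '0.0.0.0-' + (& $toIp ($n - 1)) }
    if ($n -lt [uint32]::MaxValue) { $ranges += (& $toIp ($n + 1)) + '-255.255.255.255' }
    return $ranges
}
$notResolver = Get-OtherAddresses $Resolver

$rules = @(
    @{ DisplayName = 'Hardening: block LLMNR';  Protocol = 'UDP'; RemotePort = 5355; Action = 'Block' }
    @{ DisplayName = 'Hardening: block NBT-NS'; Protocol = 'UDP'; RemotePort = 137;  Action = 'Block' }
    @{ DisplayName = 'Hardening: DNS/UDP only to resolver'; Protocol = 'UDP'; RemotePort = 53; Action = 'Block'; RemoteAddress = $notResolver }
    @{ DisplayName = 'Hardening: DNS/TCP only to resolver'; Protocol = 'TCP'; RemotePort = 53; Action = 'Block'; RemoteAddress = $notResolver }
)
foreach ($r in $rules) {
    Remove-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue
    New-NetFirewallRule -Direction Outbound -Profile Any @r | Out-Null
}

# Show what was set. The adapters themselves must still point at $Resolver
# (Set-DnsClientServerAddress), or name resolution stops working entirely.
Get-ItemProperty -Path $dnsPolicy | Select-Object DisableSmartNameResolution, EnableMulticast, DisableSmartProtocolReordering
Get-NetFirewallRule -DisplayName 'Hardening:*' | Format-Table DisplayName, Action, Enabled
```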

Windows NTP Client

Configure the Windows Network Time Protocol (NTP) Client to use trusted, non-Microsoft servers, perhaps even authenticated ones, at least until Google’s Roughtime protocol is synchronizing our clocks. Accurate time matters for more than log correlation: Kerberos tickets, certificate validity checks and TOTP codes all fail or become forgeable when the clock is wrong.
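As an added example (not from the original post), this is the same configuration done with w32tm.exe rather than the ‘Configure Windows NTP Client’ policy. The NIST and pool.ntp.org hosts are placeholders for whichever servers you trust, and the 15-minute poll interval is my choice.

```powershell
# Added example, not code from the original post.
# Point the Windows Time service at explicitly chosen NTP servers, force a sync,
# and show where the clock is really coming from. Elevated prompt required.
# Assumption: replace $peers with servers you trust; list more than one so a single
# unreachable or bad source does not leave you unsynchronized.
$peers = 'time.nist.gov', '0.pool.ntp.org', '1.pool.ntp.org'
# Flag 0x8 = client mode; 0x9 = client mode using SpecialPollInterval instead of the default.
$peerList = ($peers | ForEach-Object { "$_,0x9" }) -join ' '

Set-Service -Name w32time -StartupType Automatic
Start-Service -Name w32time
w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:no /update
# Poll every 15 minutes (assumed value) instead of the stand-alone default.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' `
    -Name SpecialPollInterval -Value 900 -Type DWord
Restart-Service -Name w32time
w32tm.exe /resync /nowait

# "Source" should now name one of the peers, not "Local CMOS Clock" or time.windows.com.
w32tm.exe /query /status
w32tm.exe /query /peers
```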

SSL/TLS Standards

You can enforce the use of modern TLS standards system-wide:

Computer Configuration > Adm. Templates > Network > SSL Configuration Settings.

To list the ECC curves your system supports (and the exact names the ‘ECC Curve Order’ setting expects), use the following command:

CertUtil.exe -DisplayEccCurve

This usually breaks older applications such as SQL Server 2008 Express; Schannel logs the failed handshakes in the System log, so Windows Event Viewer is your friend.
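The following PowerShell is an added example (not from the original post). It writes the two values behind ‘SSL Configuration Settings’ (cipher suite order and ECC curve order), disables the legacy protocol versions the policy node does not cover on both the client and server side of Schannel, and prints the resulting state. The suite list is one ECDHE/AEAD-only choice and is my assumption; trim or extend it to match what your applications need, and test before rolling it out, because the SQL Server 2008 breakage above is exactly this kind of change.

```powershell
# Added example, not code from the original post.
# Schannel hardening: cipher suite order, ECC curve order, legacy protocols off.
# Elevated prompt required; a reboot is needed before Schannel honours the new order.
$suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)
# Curve names as reported by CertUtil -DisplayEccCurve (assumed preference order).
$curves = 'NistP384', 'NistP256'

$ssl = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $ssl -Force | Out-Null
# 'SSL Cipher Suite Order' is one comma-separated REG_SZ; 'ECC Curve Order' is REG_MULTI_SZ.
Set-ItemProperty -Path $ssl -Name Functions -Value ($suites -join ',') -Type String
Set-ItemProperty -Path $ssl -Name EccCurves -Value $curves -Type MultiString

# Disable SSL 2.0/3.0 and TLS 1.0/1.1 for both sides of Schannel.
# Enabled=0 turns the version off; DisabledByDefault=1 stops apps that pass
# SCH_CRED_DEFAULT from getting it back.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Client', 'Server') {
        $k = Join-Path -Path $protocols -ChildPath "$p\$side"
        New-Item -Path $k -Force | Out-Null
        Set-ItemProperty -Path $k -Name Enabled           -Value 0 -Type DWord
        Set-ItemProperty -Path $k -Name DisabledByDefault -Value 1 -Type DWord
    }
}

# What is configured now; Get-TlsCipherSuite reflects the policy order after reboot.
Get-ItemProperty -Path $ssl | Select-Object Functions, EccCurves
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
certutil.exe -DisplayEccCurve
```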

Lucky for us, Google Chrome ships with current TLS defaults and exposes the rest through its own template:

Adm. Templates > Google > Google Chrome.

‘Disable the SPDY protocol’ (HTTP/2), set ‘Minimum SSL version enabled’ to TLS 1.2, and set ‘Enable WPAD optimization’ to Disabled.

Review Control Panel > Internet Options > Advanced tab: uncheck ‘Use HTTP2’ and check ‘Send Do Not Track requests’. Disable WPAD under the Connections tab > LAN Settings by unchecking ‘Automatically detect settings’.

Additional Privacy

User Configuration > Adm. Templates > Windows Components > Internet Explorer.

I granted myself the privilege to delete my IE browsing history.

Computer Configuration > Adm. Templates > Windows Components > Location and Sensors.

I turned off all Sensors.

Microsoft EMET

Re-configure Microsoft EMET for maximum security (EMET reached end of support in July 2018; on current Windows 10 builds the same mitigations are configured under Windows Defender Exploit Protection instead):

Computer Configuration > Adm. Templates > Windows Components > EMET

Set System DEP to ‘Always On’

Enable ‘Default Protections for Popular Software’

At time of writing, I had a small issue with Chrome after enforcing EMET’s Popular Programs via Group Policy. The solution was to configure it via the GUI and turn off ‘EAF+: Export Address Table Access Filtering Plus’ for Chrome only.

LSA Protection

It is recommended to configure additional LSA Protection, which runs lsass.exe as a protected process (PPL) so that only signed, protected code can open it, defeating credential-dumping tools like Mimikatz run from an ordinary administrator context.

Under Computer Configuration > Adm. Templates > MS Security Guide (SecGuide.admx, the custom template shipped with SCM 4) enable ‘Lsass.exe audit mode’.

Reboot and check the Microsoft-Windows-CodeIntegrity/Operational log in Windows Event Viewer for event IDs 3065 and 3066: these name the LSA plug-ins and drivers that would be blocked because they do not meet the protected-process signing requirements.

Sysinternals Autoruns shows unsigned entries in a different colour; under Options > Scan Options you can enable code-signature verification and submission of hashes to VirusTotal.com.

Go back and enable ‘LSA Protection’ once all your drivers and plug-ins are properly signed; anything still unsigned will silently fail to load afterwards.

WDigest authentication should already be disabled (UseLogonCredential = 0). With it enabled, LSASS keeps the plaintext password in memory so it can answer Digest challenges, which is exactly what Mimikatz reads out; on the wire Digest authentication itself is only an MD5-based challenge/response.
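The PowerShell below is an added example (not from the original post) that scripts the check described above: it prints the audit-mode, RunAsPPL and WDigest state, pulls every file named in CodeIntegrity events 3065/3066, checks its Authenticode signature, and only with -EnablePPL (and a clean log) sets RunAsPPL. Mapping the ‘\Device\HarddiskVolumeN’ prefix in the events to the system drive is my assumption and only holds for files on the system volume.

```powershell
# Added example, not code from the original post.
# Review LSASS audit-mode findings before turning on LSA Protection. Elevated prompt.
param([switch]$EnablePPL)

$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

# 'Lsass.exe audit mode' writes AuditLevel = 8 under the LSASS.exe IFEO key.
$audit = (Get-ItemProperty -Path $ifeo -Name AuditLevel -ErrorAction SilentlyContinue).AuditLevel
"LSASS audit mode          : $(if ($audit -eq 8) { 'on' } else { 'off' })"
"RunAsPPL                  : $((Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL)"
"WDigest UseLogonCredential: $((Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential)"

# 3065/3066 are the audit-mode "would have been blocked" events.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066
} -ErrorAction SilentlyContinue

$offenders = foreach ($e in $events) {
    foreach ($m in [regex]::Matches($e.Message, '\\Device\\HarddiskVolume\d+\\\S+')) {
        $p = $m.Value.TrimEnd('.')
        if ($p -notmatch 'lsass\.exe$') {
            # Assumption: the flagged file lives on the system volume.
            $p -replace '^\\Device\\HarddiskVolume\d+', $env:SystemDrive
        }
    }
}
$offenders = @($offenders | Sort-Object -Unique)

if (-not $offenders) { 'No 3065/3066 events: nothing failed the protected-process requirements.' }
foreach ($f in $offenders) {
    $sig = if (Test-Path -LiteralPath $f) { (Get-AuthenticodeSignature -FilePath $f).Status } else { 'file not found' }
    '{0,-60} {1}' -f $f, $sig
}

if ($EnablePPL) {
    if ($offenders) { Write-Warning 'Unsigned or incompatible LSA plug-ins were logged; fix them before enabling PPL.'; return }
    Set-ItemProperty -Path $lsa -Name RunAsPPL -Value 1 -Type DWord
    Remove-ItemProperty -Path $ifeo -Name AuditLevel -ErrorAction SilentlyContinue
    'RunAsPPL set; reboot for LSA Protection to take effect.'
}
```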

Microsoft Office

If you are installing Microsoft Office outside of a VM (not recommended!):

Customize the install and leave out components you will not use; every add-in and converter is attack surface.

The DoD and Microsoft baselines do not have a policy for Office 2016 yet; copy the settings from an earlier version.

Double-check the Security Settings and Telemetry Dashboard for each Microsoft Office suite under User Configuration > Administrative Templates. I disabled Telemetry and all ActiveX and VBA.

Enable ‘Block macros from running in Office files from the Internet’ under <product> Options > Security > Trust Center for each Microsoft Office product; it blocks VBA in any file carrying the Mark of the Web, which covers mail attachments and downloads.

You should also hide OLE package objects in Outlook. An OLE ‘Package’ is an arbitrary file, executables included, embedded in a message or document and launched with a double-click. Note that an attacker can still embed code inside Office documents in other ways.

Launch the Windows Registry Editor (regedit.exe)

Browse to: HKEY_CURRENT_USER > SOFTWARE > Microsoft > Office > # > Outlook > Security (# = 12.0/14.0/15.0/16.0)

Create a new ‘DWORD (32-Bit) Value’ called ‘ShowOLEPackageObj’ and set it to ‘0’.

Restart Outlook for the change to take effect.

Net Session Enumeration

Run the NetCease PowerShell script to restrict NetSessionEnum, the API BloodHound uses to map which users have sessions on which machines. It tightens the ACL on the Server service’s session information so that only administrators, not every authenticated user, can enumerate sessions.

cd $env:USERPROFILE\Downloads
Unblock-File -Path '.\NetCease.zip'
# extract NetCease.zip into .\NetCease first, then run the script from an elevated prompt
.\NetCease\NetCease.ps1
Restart-Service -Name LanmanServer -Force

Restart the Server service (or reboot).

Web Proxy Auto-Discovery Protocol (WPAD)

We already disabled the ‘WinHTTP Web Proxy Auto-Discovery Service’ and unchecked the ‘Automatically detect settings’ Internet Options property. WPAD matters because a host that answers for ‘wpad’ on the local network (via DNS, LLMNR or NBT-NS) becomes your proxy and sees or rewrites all HTTP traffic.

Launch the Windows Registry Editor (regedit.exe)

Browse to: HKEY_CURRENT_USER > SOFTWARE > Microsoft > Windows > CurrentVersion > Internet Settings > Wpad

Create a new ‘DWORD (32-Bit) Value’ called ‘WpadOverride’ and set to ‘1’

Browse to: HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip > Parameters

Set the existing ‘UseDomainNameDevolution’ to ‘0’ (this stops a lookup for ‘wpad’ from being retried up the DNS suffix list, e.g. wpad.corp.example.com, then wpad.example.com).

Registry changes require a reboot.

Windows Script Host (WSH)

Malware often abuses functionality that allows apps and processes to be automated; Windows Script Host is a classic example.

We can disable Windows Script Host (wscript.exe and cscript.exe) system-wide:

Launch the Windows Registry Editor (regedit.exe)

Browse to: HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows Script Host > Settings

Create a new ‘DWORD (32-Bit) Value’ called ‘Enabled’ and set it to ‘0’

Disabling WSH stops .vbs, .js, .jse and .wsf scripts from running via wscript.exe or cscript.exe. Batch files are unaffected, since .bat and .cmd run under cmd.exe, and so is PowerShell. The same value under HKEY_CURRENT_USER overrides the machine-wide setting per user.
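The script below is an added example (not from the original post) that applies the registry changes from the Microsoft Office, WPAD and Windows Script Host sections above through one idempotent helper that creates the key when needed, writes the DWORD and reads it back. Office versions are discovered under HKCU rather than assumed, the Office 2016 ‘Block macros from running in Office files from the Internet’ values are included alongside the Outlook change, and the final WSH probe shows the block in action. Disabling the WinHTTP proxy service from script is best-effort; on newer builds it is protected and the call may fail.

```powershell
# Added example, not code from the original post.
# Outlook OLE packages, WPAD, Windows Script Host. Elevated prompt required;
# HKCU changes apply to the current user only.
function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    $status = if ($actual -eq $Value) { 'ok' } else { 'FAILED' }
    '{0,-6} {1}\{2} = {3}' -f $status, $Path, $Name, $actual
}

# Outlook: hide OLE package objects for every Office version present (12.0, 14.0, 15.0, 16.0).
Get-ChildItem -Path 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.0$' } |
    ForEach-Object {
        Set-PolicyDword -Path "$($_.PSPath)\Outlook\Security" -Name ShowOLEPackageObj -Value 0
    }

# Office 2016: 'Block macros from running in Office files from the Internet' per application.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Set-PolicyDword -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" `
        -Name blockcontentexecutionfrominternet -Value 1
}

# WPAD: stop the user's WinINet stack from auto-detecting a proxy, and stop DNS devolution
# so a lookup for "wpad" cannot walk up the domain suffix list. Tcpip change needs a reboot.
Set-PolicyDword -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad' -Name WpadOverride -Value 1
Set-PolicyDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name UseDomainNameDevolution -Value 0
Set-Service -Name WinHttpAutoProxySvc -StartupType Disabled -ErrorAction SilentlyContinue

# Windows Script Host: 0 disables wscript.exe/cscript.exe for all users (takes effect immediately).
Set-PolicyDword -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name Enabled -Value 0

# Probe: cscript should now refuse to run this constructed test script.
$probe = Join-Path $env:TEMP 'wsh-probe.vbs'
'WScript.Echo "WSH is still enabled"' | Set-Content -Path $probe
cscript.exe //Nologo $probe
Remove-Item -Path $probe
```

With WSH disabled the probe prints ‘Windows Script Host access is disabled on this machine’ instead of the echo line; that message is what a user will also see when a malicious .vbs attachment is double-clicked.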