Ensure that the NTLMv1 and old LM protocols are banned

Rule ID:
S-OldNtlm

Description:
The purpose is to check whether NTLMv1 or LM authentication is still accepted by the domain controllers.

Technical explanation:
NTLMv1 is an old challenge/response protocol whose responses are built with DES and are known to be cryptographically weak: a response captured on the network can be cracked back to the user's NT hash, and that hash can then be replayed to impersonate the user.

This attack is typically combined with authentication coercion: the attacker forces the DC to connect to a host he controls. His host then requests NTLMv1, cracks the response to recover the NT hash of the DC machine account, impersonates the DC and takes control of the domain.
The same coercion can be used against NTLMv2 (for example by relaying the authentication), but an NTLMv2 response cannot be turned back into the hash, so the attack is considerably more difficult.

Windows has default security settings regarding LM/NTLM:
Windows XP: Send LM & NTLM responses
Windows Server 2003: Send NTLM response only
Vista/2008 and Win7/2008 R2: Send NTLMv2 response only

However, domain controllers keep a relaxed default so that older operating systems can still authenticate: the level "Send NTLMv2 response only" (LmCompatibilityLevel 3) only governs what the DC sends, and a DC at that level still accepts incoming LM and NTLMv1 responses.
That means that by default, NTLMv1 is accepted on domain controllers.
If no GPO defines the LAN Manager Authentication Level, the DC falls back to this insecure default.

Advised solution:
After an audit of NTLMv1 usage (see the links below), raise the LAN Manager Authentication Level to "Send NTLMv2 response only. Refuse LM & NTLM" (LmCompatibilityLevel 5).
This is done by editing the policy "Network security: LAN Manager authentication level" under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and applying it to the domain controllers.
The policy takes effect after a computer reboot.

Beware that you may break software which is not compatible with NTLMv2, such as very old Linux stacks or Windows versions older than Windows Vista.
Note however that NTLMv2 can be activated on all Windows versions since Windows 95 and on other operating systems.
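The audit and the remediation above, as an added PowerShell example (this is not PingCastle code). It assumes it runs on a domain controller with logon auditing enabled, so that 4624 events carry the LmPackageName field, and it treats an absent LmCompatibilityLevel value as the operating-system default of 3:

```powershell
# Added example (not from the PingCastle report): audit NTLMv1 logons on a DC and
# read/raise the LAN Manager Authentication Level. Run as an administrator on the DC.

# 1) Inventory NTLMv1 logons: event 4624 with LmPackageName = "NTLM V1".
function Get-NtlmV1Logons {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LmPackageName'] -eq 'NTLM V1') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    Workstation = $d['WorkstationName']
                    SourceIp    = $d['IpAddress']
                }
            }
        }
}

# 2) Read the effective level. 0-2 send LM/NTLMv1; 3 sends NTLMv2 only but a DC still
#    ACCEPTS LM and NTLMv1; 4 refuses LM; 5 refuses LM and NTLMv1 (the target state).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
function Get-LmCompatibilityLevel {
    $v = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) { 3 } else { [int]$v }   # assumption: absent value = OS default (3 on Server 2008 R2 and later)
}

# 3) Remediation on a single host. For the domain, set the same value through the GPO
#    "Network security: LAN Manager authentication level" so it cannot be undone locally.
function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 5)][int]$Level = 5)
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value $Level -Type DWord
}

# Who still talks NTLMv1 to this DC? Fix those hosts before raising the level.
Get-NtlmV1Logons -Days 30 | Group-Object Workstation | Sort-Object Count -Descending | Format-Table Count, Name
"Current LmCompatibilityLevel: $(Get-LmCompatibilityLevel)"
# Only once the list above is empty:
# Set-LmCompatibilityLevel -Level 5
```

Reading the whole Security log on a busy DC is slow; keep the window small or run it against an exported log. The level must be raised on every DC, which is why the GPO is the final mechanism and the registry write is only for a pilot.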

Points:
15 points if present

Documentation:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R37 [paragraph.3.6.2.1]

Details:
The detail can be found in Security settings

Check the process of registration of computers to the domain


Rule ID:
S-ADRegistration

Description:
The purpose is to ensure that basic users cannot register extra computers in the
domain

Technical explanation:
By default, any authenticated user can join up to 10 computers to the domain. This default is a security issue: basic users should not be able to create computer accounts, a task that belongs to administrators.

If the attribute ms-DS-MachineAccountQuota is not set (the program displays this as "Infinite"), there is no limit to the number of computers a user can add.

Note: this program also checks the GPO assignment of the user right SeMachineAccountPrivilege ("Add workstations to domain"). That assignment can be used to limit the effect of ms-DS-MachineAccountQuota, because the quota only applies to principals holding this right.

Advised solution:
To fix the issue, limit the number of computers a basic user can register by setting ms-DS-MachineAccountQuota to zero (0). Another solution is to remove the "Authenticated Users" group from the "Add workstations to domain" user right (SeMachineAccountPrivilege) in the Default Domain Controllers Policy. If an account still needs to join computers to the domain, delegate it in one of two ways: delegate the "Create Computer objects" permission on the target OU, or assign SeMachineAccountPrivilege to a dedicated group.
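Reading and zeroing the quota, then checking who still holds the user right, as an added PowerShell example (not PingCastle code). It assumes the ActiveDirectory RSAT module, rights to modify the domain naming context head, and that it runs on a domain controller for the secedit export:

```powershell
# Added example (not from the PingCastle report): neutralise ms-DS-MachineAccountQuota
# and inspect the SeMachineAccountPrivilege assignment on this domain controller.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$obj    = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota  = $obj.'ms-DS-MachineAccountQuota'
if ($null -eq $quota) { "ms-DS-MachineAccountQuota is not set: unlimited joins by any authenticated user" }
else                  { "ms-DS-MachineAccountQuota = $quota" }

# Remediation: zero the quota. Accounts that join machines must then be delegated explicitly
# (OU delegation of "Create Computer objects", or SeMachineAccountPrivilege for a dedicated group).
Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }

# Verify on the PDC emulator, which is where the write is expected to land first.
(Get-ADObject -Identity $domain.DistinguishedName -Server $domain.PDCEmulator `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# Who can still add workstations through the user right? Export the effective local policy.
# The Default Domain Controllers Policy grants it to Authenticated Users (*S-1-5-11).
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege'
Remove-Item $cfg -ErrorAction SilentlyContinue
# After hardening, the line should list only the SID of the delegated group, not *S-1-5-11.
```

Zeroing the quota does not remove accounts already created; list computer objects whose creator is a regular user (the mS-DS-CreatorSID attribute is set on accounts created through the quota) and review them separately.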

Points:
10 points if present

Documentation:
https://docs.microsoft.com/troubleshoot/windows-server/identity/default-workstation-numbers-join-domain
http://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/
http://blog.backslasher.net/preventing-users-from-adding-computers-to-a-domain.html
[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Unrestricted domain join (vuln4_user_accounts_machineaccountquota)4

Check for completeness of network declaration


Rule ID:
S-DC-SubnetMissing

Description:
The purpose is to ensure that the minimum set of subnet(s) has been configured in
the domain

Technical explanation:
When a domain has several sites, its networks should be declared as subnets so that clients are directed to a domain controller of their own site. PingCastle also uses these declarations to build a network map. This rule is triggered because at least one domain controller has an IP address that is not covered by any declared subnet. The addresses were obtained by resolving the FQDN of each DC, in both IPv4 and IPv6.

Advised solution:
Locate the IP address reported as not belonging to a declared subnet, then add the corresponding subnet in "Active Directory Sites and Services" and associate it with the right site. If the unexpected address is an IPv6 one, either declare the IPv6 subnet as well or stop the DC from using IPv6 on that network card (Microsoft advises against disabling IPv6 outright; preferring IPv4 over IPv6 is the supported option).
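The same check PingCastle performs, as an added PowerShell example (not PingCastle code): resolve every DC's A and AAAA records and test each address against the declared subnets. It assumes the ActiveDirectory RSAT module and that subnet names are in prefix/length form, which is how Sites and Services stores them:

```powershell
# Added example (not from the PingCastle report): list domain controller addresses that no
# declared AD subnet covers. Handles IPv4 and IPv6 prefixes with the same byte-wise comparison.
Import-Module ActiveDirectory

function Test-IpInPrefix {
    param([System.Net.IPAddress]$Address, [string]$Prefix)   # $Prefix like 10.1.0.0/16 or fd00:1::/64
    $net, $len = $Prefix.Split('/')
    $netAddr = [System.Net.IPAddress]::Parse($net)
    if ($netAddr.AddressFamily -ne $Address.AddressFamily) { return $false }
    $a = $Address.GetAddressBytes(); $n = $netAddr.GetAddressBytes(); $bits = [int]$len
    for ($i = 0; $i -lt $a.Length -and $bits -gt 0; $i++) {
        $take = [Math]::Min(8, $bits)                       # bits of this byte that belong to the prefix
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
        $bits -= $take
    }
    return $true
}

function Get-UndeclaredDcAddress {
    $subnets = (Get-ADReplicationSubnet -Filter *).Name
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Same method as the rule: resolve the DC FQDN, A and AAAA records alike.
        foreach ($ip in [System.Net.Dns]::GetHostAddresses($dc.HostName)) {
            $covered = $false
            foreach ($s in $subnets) { if (Test-IpInPrefix -Address $ip -Prefix $s) { $covered = $true; break } }
            if (-not $covered) {
                [pscustomobject]@{
                    DomainController = $dc.HostName
                    Address          = $ip.IPAddressToString
                    Family           = $ip.AddressFamily
                    LinkLocal        = $ip.IsIPv6LinkLocal
                }
            }
        }
    }
}

Get-UndeclaredDcAddress | Format-Table -AutoSize
```

A fe80::/10 link-local address in the output means the DC registered it in DNS; that is the case where the advice above (declare the IPv6 subnet or stop the DC from using IPv6 on that interface) applies, rather than a missing site subnet.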

Points:
5 points if present

Documentation:
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration

Details:
The detail can be found in Domain controllers

Check that there is no account with never-expiring passwords


Rule ID:
S-PwdNeverExpires

Description:
The purpose is to ensure that every account has a password which is compliant with
password expiration policies

Technical explanation:
Some accounts have passwords that never expire. Should an attacker compromise one of these accounts, he would be able to keep long-term access to the Active Directory domain, since the stolen secret is never rotated.

We have noted that some domain-joined Linux servers are configured with a machine account password that never expires.
This is a misconfiguration, because periodic machine password change can be configured; it was simply not the default on some platforms.
See one of the links below for more information.

Advised solution:
To make Active Directory enforce periodic password changes, accounts must not have the "Password never expires" flag set in the "Account" tab of the user properties. Their passwords should then be changed immediately: clearing the flag does not replace a secret that may already have been stolen.
For service accounts, Windows provides "managed service accounts" and "group managed service accounts", whose passwords are rotated automatically.
Note that one of the documents in the section below lists solutions for the service accounts of well-known products.
Linux servers should likewise be configured to rotate their machine account password automatically.
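Finding the flagged accounts and separating interactive users from service accounts before touching anything, as an added PowerShell example (not PingCastle code). It assumes the ActiveDirectory RSAT module; the gMSA name svc-web and host WEB01 in the closing comment are hypothetical:

```powershell
# Added example (not from the PingCastle report): list enabled accounts flagged
# "Password never expires", clear the flag on interactive users and force a change at next logon.
Import-Module ActiveDirectory

function Get-NeverExpiringAccount {
    Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
               -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName |
        Select-Object SamAccountName, DistinguishedName, PasswordLastSet,
            @{ n = 'HasSPN'; e = { $_.ServicePrincipalName.Count -gt 0 } }   # SPN = probably a service account
}

$flagged = Get-NeverExpiringAccount
$flagged | Sort-Object PasswordLastSet | Format-Table SamAccountName, PasswordLastSet, HasSPN -AutoSize

# Interactive users: re-enable the domain password policy and roll the password now.
# Two calls: the flag must be cleared before "change at next logon" can be set.
foreach ($u in $flagged | Where-Object { -not $_.HasSPN }) {
    Set-ADUser -Identity $u.DistinguishedName -PasswordNeverExpires $false
    Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $true
}

# Accounts with SPNs are usually services: forcing expiry breaks them when the password rolls.
# Migrate them to a group managed service account instead, e.g. (hypothetical names):
# New-ADServiceAccount -Name svc-web -DNSHostName svc-web.rubycorp.lan `
#     -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$'
```

Review the HasSPN = True rows by hand; an SPN is a strong hint but not proof that the account runs a service, and the built-in Administrator (first entry in the details below) must be handled as a break-glass account rather than with a "change at next logon" flag.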

Points:
1 point if present

Documentation:
https://adsecurity.org/?p=4115
https://access.redhat.com/discussions/1283873
[FR]ANSSI - Accounts with never-expiring passwords (vuln2_dont_expire)2
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration

Details:
The detail can be found in User information
DN

CN=Administrateur,CN=Users,DC=rubycorp,DC=lan

CN=Adrien Schmitt,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Antoine Lopez,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Benjamin Morel,OU=Marketing,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Camille Perrin,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Camille Martin,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Chloé Marchand,OU=Commercial,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Chloé Garcia,OU=Marketing,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Chloé Schmitt,OU=Administratif,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Claire Mercier,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Emilie Bernard,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Jean Martin,OU=Administratif,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Julien Dupont,OU=Commercial,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Laura Lemoine,OU=Commercial,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Léa Fournier,OU=Direction,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Lucas Petit,OU=Administratif,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Lucas Gauthier,OU=Administratif,OU=Employes,OU=Infra,DC=rubycorp,DC=lan
CN=Manon Perrin,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Matthieu Mercier,OU=Direction,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Maxime Moulin,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Maxime Blanc,OU=Administratif,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Nicolas Moulin,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Nicolas Rousseau,OU=Administratif,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Paul Benoit,OU=Administratif,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Paul Dupont,OU=Marketing,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Pierre Gaillard,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Sarah Moreau,OU=Administratif,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Sophie Blanc,OU=Administratif,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Thomas Fournier,OU=Marketing,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Thomas Girard,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

CN=Thomas Lopez,OU=Ventes,OU=Employes,OU=Infra,DC=rubycorp,DC=lan

Ensure that DC supports Kerberos armoring when functional level is at least Windows Server 2012


Rule ID:
S-KerberosArmoringDC

Description:
The purpose is to ensure that DC supports Kerberos armoring when functional level
is at least Windows Server 2012
Technical explanation:
Kerberos armoring (FAST, RFC 6113) is an extension of the Kerberos protocol. It does not skip pre-authentication: it wraps the pre-authentication exchange in a channel protected by the computer account's TGT, so an attacker on the network cannot capture a user's pre-authentication data and attack it offline, and spoofed KDC errors can be detected.
It is supported only from Windows Server 2012 domain controllers and Windows 8 clients, and requires the domain functional level to be at least Windows Server 2012.
If Kerberos armoring is required from clients that do not support it (such as Windows 7 or Linux), Kerberos authentication may fail for them.

Advised solution:
To enable Kerberos armoring for domain controllers, edit the GPO and go to
Computer Configuration > Administrative Templates > System > KDC
then enable the policy "KDC support for claims, compound authentication and
Kerberos armoring".
The policy should be set to at least "Supported".

The safest setting is "Fail authentication requests when Kerberos armoring is not available", but it should be enabled only once all clients support Kerberos armoring.

Points:
Informative rule (0 point)

Documentation:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
[MITRE]T1558 Steal or Forge Kerberos Tickets

Details:
If activated, the detail can be found in Security settings

Ensure that clients support Kerberos armoring when the domain functional
level is at least Windows Server 2012
Rule ID:
S-KerberosArmoring

Description:
The purpose is to ensure that clients support Kerberos armoring when domain
functional level is at least Windows Server 2012

Technical explanation:
Kerberos armoring (FAST, RFC 6113) is an extension of the Kerberos protocol. It does not skip pre-authentication: it protects the pre-authentication exchange inside a channel keyed from the computer account's TGT, which prevents offline attacks on captured pre-authentication data.
It is supported only from Windows Server 2012 domain controllers and Windows 8 clients, and requires the domain functional level to be at least Windows Server 2012.
If Kerberos armoring is required from clients that do not support it (such as Windows 7 or Linux), Kerberos authentication may fail for them.

Advised solution:
To enable Kerberos armoring for client, edit the GPO and go to Computer
Configuration > Administrative Templates > System > Kerberos
then enable the policy "Kerberos client support for claims, compound authentication
and Kerberos armoring".

Points:
Informative rule (0 point)

Documentation:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
[MITRE]T1558 Steal or Forge Kerberos Tickets

Details:
If activated, the detail can be found in Security settings

Verify the Default Application for Script File Execution


Rule ID:
S-FolderOptions

Description:
The objective is to ensure scripts do not automatically execute upon opening by
default.

Technical explanation:
By default, PowerShell scripts (.ps1) open in Notepad when double-clicked, which keeps this extension from being exploited in phishing campaigns that smuggle the script past e-mail filters inside nested archives.
However, several legacy script extensions (.js, .jse, .vbs, .vbe, .vb, .wsh, .wsf) still execute with their respective engines (Windows Script Host) when a user double-clicks them.
While .js and .jse files are commonly associated with web content and handled by browsers, it is crucial to recognize their potential for harm when executed directly by Windows.
Redirecting these files to open in Notepad prevents inadvertent execution without affecting web browsing, since JavaScript served in pages is run by the browser, not through the file association.
Review other script file types before implementing this measure.
Note: JavaScript execution can also be mitigated by the Attack Surface Reduction rule "Block JavaScript or VBScript from launching downloaded executable content", available since Windows 10, version 1709.
The folder options mitigation is still recommended, because it stops the script itself from running rather than only the executables it would launch.

Advised solution:
Navigate to Computer Configuration / Preferences / Windows Settings / Folders.
Create a new File Type with the "Replace" action for the extension you wish to
secure.
In "Configure class settings", add a new "open" action with Notepad as the default
application: C:\Windows\System32\notepad.exe.
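Verifying the result on a workstation, as an added PowerShell example (not PingCastle code). It reads the per-user UserChoice association and the machine default in HKEY_CLASSES_ROOT for each extension named above, and reports which ones still open with a script engine; the "Executes" heuristic is this example's own:

```powershell
# Added example (not from the PingCastle report): report which program handles each script
# extension on this host. Run locally, or via Invoke-Command on a sample of workstations.
$extensions = '.js', '.jse', '.vbs', '.vbe', '.vb', '.wsh', '.wsf', '.ps1'

function Get-ScriptHandler {
    param([string]$Extension)
    # Machine default: HKCR\.ext -> ProgID -> HKCR\<ProgID>\shell\open\command
    $progId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    # A per-user choice (what the GPO preference or the user set) overrides the machine default.
    $userChoice = (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice" `
                   -ErrorAction SilentlyContinue).ProgId
    if ($userChoice) { $progId = $userChoice }
    $cmd = $null
    if ($progId) {
        $cmd = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        Extension = $Extension
        ProgId    = $progId
        Command   = $cmd
        # Heuristic (this example's own): an open command that points at a script host is a finding.
        Executes  = [bool]($cmd -match 'wscript|cscript|mshta|powershell')
    }
}

function Get-ScriptHandlerReport { $extensions | ForEach-Object { Get-ScriptHandler $_ } }

Get-ScriptHandlerReport | Format-Table -AutoSize
# After the GPO preference is applied, every Command should read C:\Windows\System32\notepad.exe "%1"
# and Executes should be False for all rows.
```

Keep the .ps1 row as the reference: it is already handled by Notepad by default, so its row shows what the other extensions should look like once the preference is in place.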

Points:
Informative rule (0 point)

Documentation:
https://isc.sans.edu/diary/Controlling+JavaScript+Malware+Before+it+Runs/21171
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration

Details:
The detail can be found in Folder Options

Verify that Defender ASR mitigations are in place


Rule ID:
S-DefenderASR

Description:
This rule confirms the activation of Defender ASR (Attack Surface Reduction)
mitigations within a Group Policy Object (GPO).

Technical explanation:
Microsoft Defender, the antivirus included with Windows, is active by default on systems where no other antivirus is installed.
Defender's ASR (Attack Surface Reduction) rules, designed to reduce exposure to common attack techniques, are available even in the standard version of Defender.
They have been part of Windows since Windows 10, version 1709, and are also supported on Windows Server 2012 R2 and later.

Note: under some conditions Windows 11 enables these 3 ASR rules by itself: Block abuse of exploited vulnerable signed drivers, Block credential stealing from the Windows local security authority subsystem (lsass.exe), Block persistence through WMI event subscription.
Advised solution:
To apply an ASR mitigation, open the GPO setting "Configure Attack Surface Reduction rules" under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction.
Enable the setting, then click "Set the state for each ASR rule".
Enter the rule GUID as the Value name and 1 as the Value to enforce the rule in Block mode.
Other values are 0 (Disabled), 2 (Audit mode) and 6 (Warn mode).
For instance, to block JavaScript or VBScript from launching downloaded executable content, use the GUID d3e037e1-3eb8-44c8-a917-57927947596d.
Set the ASR rules to the states recommended in the article below.

Before enforcing, conduct an impact analysis to anticipate disruptions, and use Audit mode to identify possible issues: audit events show what a rule would have blocked without blocking it.

Points:
Informative rule (0 point)

Documentation:
https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#per-asr-rule-alert-and-notification-details
https://blog.palantir.com/microsoft-defender-attack-surface-reduction-recommendations-a5c7d41c3cf8
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration

Details:
The detail can be found in Defender ASR

Guid                                  Label                                                                                  Reason
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c  Block Adobe Reader from creating child processes                                       Not found - Block or Warn recommended
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2  Block credential stealing from the Windows local security authority subsystem (lsass.exe)  Not found - Block or Warn recommended
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550  Block executable content from email client and webmail                                 Not found - Block or Warn recommended
d3e037e1-3eb8-44c8-a917-57927947596d  Block JavaScript or VBScript from launching downloaded executable content               Not found - Block or Warn recommended
3b576869-a4ec-4529-8536-b80a7769e899  Block Office applications from creating executable content                             Not found - Block or Warn recommended
e6db77e5-3df2-4cf1-b95a-636979351e5b  Block persistence through WMI event subscription                                       Not found - Block or Warn recommended
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4  Block untrusted and unsigned processes that run from USB                               Not found - Block or Warn recommended
56a863a9-875e-4185-98a7-b882c64b5ce5  Block abuse of exploited vulnerable signed drivers                                     Not found - Block or Warn recommended
a8f5898e-1dc8-49a9-9878-85004b8a61e6  Block Webshell creation for Servers                                                    Not found - Block or Warn recommended
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84  Block Office applications from injecting code into other processes                     Not found - Audit recommended
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b  Block Win32 API calls from Office macros                                               Not found - Audit recommended
d4f940ab-401b-4efc-aadc-ad5f3c50688a  Block all Office applications from creating child processes                            Not found - Audit recommended
5beb7efe-fd9a-4556-801d-275e5ffc04cc  Block execution of potentially obfuscated scripts                                      Not found - Audit recommended
01443614-cd74-433a-b99e-2ecdc07bfc25  Block executable files from running unless they meet a prevalence, age, or trusted list criterion  Not found - Audit recommended
c1db55ab-c21a-4637-bb3f-a12568109d35  Use advanced protection against ransomware                                             Not found - Audit recommended
d1e49aac-8f56-4280-b9ba-993a6d77406c  Block process creations originating from PSExec and WMI commands                       Not found - Audit recommended
26190899-1602-49e8-8b27-eb1d0a1ce869  Block Office communication application from creating child processes                   Not found - Audit recommended
33ddedf1-c6e0-47cb-833e-de6133960387  Block rebooting machine in Safe Mode (preview)                                         Not found - Audit recommended
c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb  Block use of copied or impersonated system tools (preview)                             Not found - Audit recommended

Verify if there are restrictions for internet connectivity of script engines
Rule ID:
S-FirewallScript

Description:
This rule verifies whether programs, such as script engines, are allowed to connect
to the internet by default.

Technical explanation:
Malicious scripts, often delivered by phishing e-mail, usually need to connect to the Internet to fetch their next stage or to reach their command and control server.
To limit this, we recommend deploying, through Group Policy Objects (GPOs), a set of outbound firewall rules that deny direct Internet connections to specific programs.

The current list of programs to restrict is: wscript.exe, mshta.exe, cscript.exe, conhost.exe and runScriptHelper.exe.

Advised solution:
1) Create Firewall Rules via GPO
Configure the rules under Computer Configuration / Policies / Windows Settings / Security Settings / Windows Defender Firewall with Advanced Security.
Create them as Outbound rules with the Block action, one per program, and make sure they are enabled.

2) Network Restrictions:
We recommend scoping the rules to the following remote IP address ranges, so that local network access keeps working while everything else is denied (the ranges are the whole IPv4 space minus 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16):
0.0.0.0 to 9.255.255.255
11.0.0.0 to 126.255.255.255
128.0.0.1 to 172.15.255.255
172.32.0.0 to 192.167.255.255
192.169.0.0 to 255.255.255.255

Alternatively, apply the rules to ALL remote IP addresses, or add the address of your internal proxy to the list so that scripts cannot reach the Internet through it either.
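The rule set above built with the NetSecurity cmdlets, plus the presence check this rule performs, as an added PowerShell example (not PingCastle code). It assumes a pilot host with the programs under %SystemRoot%\System32 (and their 32-bit copies under SysWOW64 where they exist); the rule display names are this example's own:

```powershell
# Added example (not from the PingCastle report): outbound block rules for the script engines,
# scoped to the non-private ranges listed in this rule, and a check that each program has one.
$programs = 'wscript.exe', 'mshta.exe', 'cscript.exe', 'conhost.exe', 'RunScriptHelper.exe'

# The whole IPv4 space minus 10/8, 127/8, 172.16/12 and 192.168/16, exactly as the rule lists it.
$publicRanges = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.1-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255'
)

function New-ScriptEngineBlockRule {
    foreach ($exe in $programs) {
        foreach ($dir in 'System32', 'SysWOW64') {            # 32-bit script hosts have their own copy
            $path = Join-Path $env:SystemRoot "$dir\$exe"
            if (-not (Test-Path $path)) { continue }
            $name = "Block Internet - $exe ($dir)"            # hypothetical naming convention
            if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block -Enabled True `
                -Profile Any -Program "%SystemRoot%\$dir\$exe" -RemoteAddress $publicRanges | Out-Null
        }
    }
}

# The check, as PingCastle phrases it: is there an enabled outbound block rule bound to each program?
function Get-ScriptEngineFirewallStatus {
    foreach ($exe in $programs) {
        $rules = Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like "*\$exe" } |
                 Get-NetFirewallRule |
                 Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }
        [pscustomobject]@{
            Program = $exe
            Reason  = if ($rules) { "$(@($rules).Count) outbound block rule(s)" } else { 'No Firewall rules found' }
        }
    }
}

New-ScriptEngineBlockRule
Get-ScriptEngineFirewallStatus | Format-Table -AutoSize
```

Test the rules on the pilot host with a script that fetches an external URL through cscript.exe and one that reaches an internal share, then move the same rules into the GPO path given in step 1. The RemoteAddress list only covers IPv4; if the hosts have Internet-routable IPv6, add the matching IPv6 exclusion of your local prefixes or scope the rules to all addresses as the alternative above suggests.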

Points:
Informative rule (0 point)

Documentation:
https://medium.com/@cryps1s/endpoint-isolation-with-the-windows-firewall-462a795f4cfb
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration

Details:
The detail can be found in Firewall configuration

Program Reason

wscript.exe No Firewall rules found

mshta.exe No Firewall rules found

cscript.exe No Firewall rules found

conhost.exe No Firewall rules found

runScriptHelper.exe No Firewall rules found

Verify Terminal Services configuration best practices in GPO


Rule ID:
S-TerminalServicesGPO

Description:
This rule verifies the recommended configuration for Terminal Services.

Technical explanation:
Attackers commonly look for open sessions on remote servers. One way is to try to open the user's registry hive remotely and observe whether the result is an "access denied" error (the user is logged on and the hive is loaded) or the hive is simply not available (no session).
Once such a session is found, the attacker can target that computer or, if the session is still active, hijack it and reach the client computer: by default the client's local drives are redirected into the session, so a malicious file such as a logon script can be pushed into the remote user's Startup folder.
If the session is not secured, another option is to capture the credentials left in memory.

Printer redirection has no known attack pattern.
However, given past vulnerabilities in the Print Spooler, the complexity of the underlying protocol and the rare need for this feature, we recommend blocking it.
It can also be used to bypass copy/paste restrictions, so it is recommended to deny it on most admin bastions.

Advised solution:
The Terminal Services configuration is found under Policies / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host.
The settings checked by this rule are located in "Printer Redirection" and "Session Time Limits".

PingCastle recommends setting the following policies:
Set time limit for disconnected sessions: 2h (aka MaxDisconnectionTime)
Set time limit for active but idle Remote Desktop Services sessions: 8h (aka MaxIdleTime)
Do not allow client printer redirection: Enabled (aka fDisableCpm)

This rule is triggered if nothing is set or if a time limit is set to NEVER.
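Reading the three values the rule evaluates and applying the recommended ones on a pilot host, as an added PowerShell example (not PingCastle code). It assumes the policy registry location the GPO writes to, with the time limits stored in milliseconds and 0 meaning "Never":

```powershell
# Added example (not from the PingCastle report): check and set the Remote Desktop Session Host
# values behind "Session Time Limits" and "Printer Redirection".
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$wanted = @{
    MaxDisconnectionTime = 2 * 60 * 60 * 1000   # 2 h, in milliseconds
    MaxIdleTime          = 8 * 60 * 60 * 1000   # 8 h, in milliseconds
    fDisableCpm          = 1                    # client printer redirection disabled
}

function Get-RdsSessionPolicy {
    $cur = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $wanted.Keys) {
        $v = if ($cur -and $null -ne $cur.$name) { [int]$cur.$name } else { $null }
        $finding = switch ($name) {
            'fDisableCpm' { $v -ne 1 }                       # redirection still allowed
            default       { $null -eq $v -or $v -eq 0 }      # not set, or "Never" (0)
        }
        [pscustomobject]@{ Setting = $name; Current = $v; Recommended = $wanted[$name]; Finding = $finding }
    }
}

Get-RdsSessionPolicy | Format-Table -AutoSize

# Remediation on this host; for the domain, set the same three policies in the GPO path above.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
foreach ($name in $wanted.Keys) { Set-ItemProperty -Path $key -Name $name -Value $wanted[$name] -Type DWord }
Get-RdsSessionPolicy | Format-Table -AutoSize    # every Finding should now be False
```

Values written directly under the Policies key are overwritten at the next Group Policy refresh if a GPO defines the same settings, which is the behaviour you want: the local write is only for validating the effect on a jump host before the GPO is rolled out.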

Points:
Informative rule (0 point)

Documentation:
https://woshub.com/remote-desktop-session-time-limit/
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsts/ce70794f-2138-43e8-bf6c-2c147887d6a2
https://community.spiceworks.com/t/are-redirected-printers-a-security-risk/826344/27
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
