All networks have security vulnerabilities. Penetration testing and network security assessments are great tools to gauge the security posture of your environment. However, most organizations attempt these without first doing some basic hardening.
The result? A report with critical findings and a team that is now rushed to fix them.
Does it matter that we can gain Domain Admin permissions within an hour? No.
We want our engagements to mean something and have value to your organization. This is why we are publishing some best practices for organizations to follow, along with a series of videos on how to implement some of these controls.
As with all recommendations, we recommend that you test and research all changes before implementing them in your environment. What works for most may cause issues in yours. If you are not sure, give us a call; we can help. We are not liable for any damages.
Windows Domain Controller Audit Policy:
We recommend that you create a new policy for these settings and give it precedence over the Default Domain Controllers Policy. Link it to the OU in which your domain controllers reside.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Policy | Recommended | Default |
---|---|---|
Audit account logon events | Success, Failure | Success |
Audit account management | Success, Failure | Success |
Audit directory service access | Success | Success |
Audit logon events | Success, Failure | Success |
Audit object access | Failure | No auditing (not defined) |
Audit policy change | Success | Success |
Audit privilege use | Failure | No auditing (not defined) |
Audit process tracking | Success, Failure | No auditing (not defined) |
Audit system events | Success | Success |
Member Servers and Workstation Audit Policy:
We recommend that you create a new policy for these settings and give it precedence over the Default Domain Policy. Link it at the root level of your domain.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Policy | Recommended | Default |
---|---|---|
Audit account logon events | Success, Failure | No auditing (not defined) |
Audit account management | Success, Failure | No auditing (not defined) |
Audit directory service access | No auditing (not defined) | No auditing (not defined) |
Audit logon events | Success, Failure | No auditing (not defined) |
Audit object access | Failure | No auditing (not defined) |
Audit policy change | Success | No auditing (not defined) |
Audit privilege use | Failure | No auditing (not defined) |
Audit process tracking | Success, Failure | No auditing (not defined) |
Audit system events | Success | No auditing (not defined) |
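The two audit tables above are expressed in the nine legacy audit categories, while Windows actually reports and enforces auditing per subcategory (when a legacy category is set through this policy path, every subcategory under it inherits the setting). The following PowerShell script is an added example, not part of the original post: it parses the text output of `auditpol /get /category:*` into category/subcategory settings and reports every subcategory that falls short of the recommended setting for its category. The `$DcBaseline` table, the function names and the `$sample` output are constructed for this example; on a real host you would feed the function the live command output instead.

```powershell
# Added example (not from the original post): compare auditpol output with the
# recommended legacy-category audit settings. Run on a domain controller with:
#   $policy = ConvertFrom-AuditPolText -Lines (auditpol /get /category:*)
#   Test-AuditBaseline -Policy $policy -Baseline $DcBaseline | Format-Table
# Note: auditpol output is localized; the parser assumes the English setting names.

# Recommended settings for domain controllers, keyed by the auditpol category name
# that corresponds to each legacy "Audit ..." row in the table (constructed mapping).
$DcBaseline = @{
    'Account Logon'      = 'Success, Failure'   # Audit account logon events
    'Account Management' = 'Success, Failure'   # Audit account management
    'DS Access'          = 'Success'            # Audit directory service access
    'Logon/Logoff'       = 'Success, Failure'   # Audit logon events
    'Object Access'      = 'Failure'            # Audit object access
    'Policy Change'      = 'Success'            # Audit policy change
    'Privilege Use'      = 'Failure'            # Audit privilege use
    'Detailed Tracking'  = 'Success, Failure'   # Audit process tracking
    'System'             = 'Success'            # Audit system events
}

function ConvertFrom-AuditPolText {
    # Turns the lines printed by "auditpol /get /category:*" into
    # @{ Category = @{ Subcategory = Setting } }.
    param([string[]]$Lines)
    $result = @{}
    $category = $null
    foreach ($line in $Lines) {
        if ($line -match '^\S') {
            # Unindented lines are category headers, apart from the two title lines.
            if ($line -match '^(System audit policy|Category/Subcategory)') { continue }
            $category = $line.Trim()
            $result[$category] = @{}
            continue
        }
        # Indented lines are "  <subcategory>   <setting>" separated by 2+ spaces.
        if ($category -and $line -match '^\s+(.+?)\s{2,}(.+)$') {
            $result[$category][$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $result
}

function Test-AuditBaseline {
    # Emits one object per subcategory whose current setting lacks a required flag.
    param([hashtable]$Policy, [hashtable]$Baseline)
    foreach ($cat in $Baseline.Keys) {
        $required = $Baseline[$cat] -split ',\s*'
        if (-not $Policy.ContainsKey($cat)) {
            [pscustomobject]@{ Category = $cat; Subcategory = '*'; Current = '(not in output)'; Missing = ($required -join ', ') }
            continue
        }
        foreach ($sub in $Policy[$cat].Keys) {
            $setting = $Policy[$cat][$sub]          # "Success", "Failure", "Success and Failure" or "No Auditing"
            $missing = $required | Where-Object { $setting -notmatch $_ }
            if ($missing) {
                [pscustomobject]@{ Category = $cat; Subcategory = $sub; Current = $setting; Missing = ($missing -join ', ') }
            }
        }
    }
}

# Constructed, abbreviated sample of auditpol output for offline testing.
$sample = @'
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success and Failure
Privilege Use
  Sensitive Privilege Use                 No Auditing
'@ -split "`r?`n"

$policy = ConvertFrom-AuditPolText -Lines $sample
Test-AuditBaseline -Policy $policy -Baseline $DcBaseline | Sort-Object Category, Subcategory | Format-Table -AutoSize
```

For member servers and workstations, swap in a baseline built from the second table (for example `'DS Access'` omitted, since that row is "No auditing (not defined)"). One caveat worth checking before trusting the result: if the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled on a host, the per-subcategory Advanced Audit Policy wins and the legacy rows in the tables above are ignored there, so the auditpol output is the only reliable view of what is actually being logged.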
Member Servers and Workstation Security Options:
We recommend that you create a new policy for these settings and give it precedence over the Default Domain Policy. Link it at the root level of your domain.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Policy | Recommendation |
---|---|
Accounts: Administrator account status | Enabled |
Accounts: Rename administrator account | Set a unique username |
Network access: Allow anonymous SID/name translation | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Network security: Do not store LAN Manager hash value on next password change | Enabled |
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM |
Windows Domain Controller Security Options:
We recommend that you create a new policy for these settings and give it precedence over the Default Domain Controllers Policy. Link it to the OU in which your domain controllers reside.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Policy | Recommendation |
---|---|
Network access: Allow anonymous SID/name translation | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Network security: Do not store LAN Manager hash value on next password change | Enabled |
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM |
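Once the Security Options from both tables above are deployed, the effective values on a host can be verified from a `secedit` export rather than by clicking through the GPO editor. The following PowerShell script is an added example, not part of the original post. It parses the INF file written by `secedit /export /cfg <file> /areas SECURITYPOLICY`, where the account settings and anonymous SID/name translation live under `[System Access]` and the remaining rows are stored as LSA registry values under `[Registry Values]`, and reports each recommended setting as compliant or not. The `$Checks` table, the function names and the `$sampleInf` text are constructed for this example; the expected values (`LmCompatibilityLevel` = 5, `NoLMHash` = 1, `RestrictAnonymous` = 1, `RestrictAnonymousSAM` = 1, `LSAAnonymousNameLookup` = 0, `EnableAdminAccount` = 1) are the registry and policy encodings of the recommendations in the tables.

```powershell
# Added example (not from the original post): verify the recommended Security Options
# against a secedit export. On a host, after a gpupdate, generate the export with:
#   secedit /export /cfg C:\Temp\secpol.inf /areas SECURITYPOLICY
# and then run:
#   Test-SecurityOptions -InfPath C:\Temp\secpol.inf | Format-Table -AutoSize

$Lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa'

# One entry per table row: where the value sits in the export and what "compliant" means.
$Checks = @(
    @{ Name = 'Accounts: Administrator account status';   Section = 'System Access';   Key = 'EnableAdminAccount';     Test = { param($v) $v -eq '1' } }
    @{ Name = 'Accounts: Rename administrator account';   Section = 'System Access';   Key = 'NewAdministratorName';   Test = { param($v) $v -ne 'Administrator' } }
    @{ Name = 'Network access: Allow anonymous SID/name translation'; Section = 'System Access'; Key = 'LSAAnonymousNameLookup'; Test = { param($v) $v -eq '0' } }
    @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts';            Section = 'Registry Values'; Key = "$Lsa\RestrictAnonymousSAM"; Test = { param($v) $v -eq '1' } }
    @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Section = 'Registry Values'; Key = "$Lsa\RestrictAnonymous";    Test = { param($v) $v -eq '1' } }
    @{ Name = 'Network security: Do not store LAN Manager hash value on next password change'; Section = 'Registry Values'; Key = "$Lsa\NoLMHash";             Test = { param($v) $v -eq '1' } }
    @{ Name = 'Network security: LAN Manager authentication level';                            Section = 'Registry Values'; Key = "$Lsa\LmCompatibilityLevel"; Test = { param($v) $v -eq '5' } }
)

function ConvertFrom-SeceditInf {
    # Parses INI-style "[Section]" / "key = value" lines into @{ Section = @{ key = value } }.
    param([string[]]$Lines)
    $data = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $data[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $key = $Matches[1]; $value = $Matches[2]
            # [Registry Values] lines are "<type>,<data>" (4 = REG_DWORD); keep only the data.
            if ($section -eq 'Registry Values') { $value = ($value -split ',', 2)[1] }
            $data[$section][$key] = $value.Trim('"')
        }
    }
    return $data
}

function Test-SecurityOptions {
    # Reads the export (a file path or lines already in memory) and scores every check.
    param([string]$InfPath, [string[]]$InfLines)
    if ($InfPath) { $InfLines = Get-Content -Path $InfPath }   # secedit writes UTF-16 with a BOM; Get-Content detects it
    $data = ConvertFrom-SeceditInf -Lines $InfLines
    foreach ($c in $Checks) {
        $value = $null
        if ($data.ContainsKey($c.Section)) { $value = $data[$c.Section][$c.Key] }
        $ok = ($null -ne $value) -and (& $c.Test $value)
        [pscustomobject]@{ Setting = $c.Name; Current = $value; Compliant = $ok }
    }
}

# Constructed sample export for offline testing; it describes a host that still
# uses the default administrator name, allows anonymous share enumeration and
# accepts NTLMv1 (LmCompatibilityLevel 3).
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
NewAdministratorName = "Administrator"
EnableAdminAccount = 1
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-SecurityOptions -InfLines $sampleInf | Format-Table -AutoSize
```

On the sample input three rows come back non-compliant (the administrator name, `RestrictAnonymous` and `LmCompatibilityLevel`). For a domain controller, drop the two `Accounts:` entries from `$Checks` to match the shorter DC table. A setting that a GPO leaves "Not Defined" simply does not appear in the export, which the script reports as `Current` empty and `Compliant` false, so a missing line is a finding rather than a pass.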