Linux Part 3: What Is Hardening, the Meaning of Harden, What Harden Means

What is hardening? Why harden? When should you harden? Hardening is the process of raising the security of a system through rules and security settings applied to the server and the operating system. These are the rules and policies the administrator defines and applies across the whole environment, so that the risk coming from the services running on that server is reduced. This post shows how to do it on Windows Server 2016. Hardening should be done immediately after a fresh installation of the server, before it is exposed to users or the network.



How do you run the commands given below? From the taskbar: Start -> PowerShell ISE -> right-click -> Run as Administrator, then paste the script. Alternatively, save it as a file with the .ps1 extension, for example Hardening.ps1, open an elevated PowerShell window in that folder and run it from there. Every command below writes to HKLM or changes a system service, so a non-elevated session will fail on the first line; if the execution policy blocks the script, run that one invocation with the execution policy set to Bypass.



```powershell
# Hardening OS
# Disable LLMNR (multicast name resolution), SMBv1, WPAD, PowerShell v2; enable audit logging
# Enables UAC, LSA protection, firewall logging; show hidden files
# (SMB/LDAP signing is listed in the original header but is not configured by this script)
# Fix CredSSP Remote Desktop and disable NLA (both WEAKEN RDP security; see the warnings below)
# ---------------------

# Set time zone to GMT+7 (Hanoi)
Set-TimeZone -Name "SE Asia Standard Time"

# Turn off LLMNR. 0 disables multicast name resolution; the original script wrote 1, which leaves LLMNR enabled.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
# Disable the SMBv1 server (the feature itself is removed further down)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
# Enable UAC
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
# Send NTLMv2 only and refuse LM/NTLM from clients
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LMCompatibilityLevel /t REG_DWORD /d 5 /f
# Turn off WPAD proxy auto-detection (stops rogue-proxy attacks on the LAN)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /v WpadOverride /t REG_DWORD /d 1 /f

# Block remote use of local administrator tokens (pass-the-hash with local accounts)
# https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
# https://en.hackndo.com/pass-the-hash/
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
# Apply UAC to the built-in Administrator account as well
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f

# Prevent (remote) DLL hijacking
# https://www.greyhathacker.net/?p=235
# https://www.verifyit.nl/wp/?p=175464
# https://support.microsoft.com/en-us/help/2264107/a-new-cwdillegalindllsearch-registry-entry-is-available-to-control-the
# The value data can be 0x1, 0x2 or 0xFFFFFFFF. If CWDIllegalInDllSearch does not exist or is 0, the machine is still vulnerable.
# 0x1: block DLL loads from the current working directory when it is a WebDAV folder
# 0x2: block DLL loads from the current working directory when it is any remote folder (WebDAV or UNC)
# ---------------------
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0x2 /f

# Disable IPv6
# https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users
# ---------------------
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 0xFF /f

# Disable SMBv1
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart
# Disable PowerShell v2 (no script block logging or AMSI; used for downgrade attacks)
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart

########################################################################
# Harden lsass to help protect against credential dumping (Mimikatz)
# Configures lsass.exe as a protected process (PPL) and disables WDigest cleartext caching
# https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx
# https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
# ---------------------
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdminOutboundCreds /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v Negotiate /t REG_DWORD /d 0 /f

# Enable firewall logging (current profile only; use "allprofiles" to cover domain, private and public)
# ---------------------
netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set currentprofile logging maxfilesize 4096
netsh advfirewall set currentprofile logging droppedconnections enable

# Disable AutoRun on all drive types
# ---------------------
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f

# Show known file extensions and hidden/system files
# ---------------------
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f

#### Microsoft Windows Security Update Registry Key Configuration Missing (ADV180012) (Spectre/Meltdown Variant 4) ####
# Impact: an attacker who has successfully exploited this vulnerability may be able to read privileged data across
# trust boundaries. Vulnerable code patterns in the OS or in applications could allow exploitation. In the case of
# Just-in-Time (JIT) compilers, such as the JavaScript JIT in modern web browsers, an attacker may supply JavaScript
# that produces native code giving rise to an instance of CVE-2018-3639.
# The values are DWORDs (the original wrote them as strings, which creates REG_SZ values instead of the DWORDs the
# advisory specifies). The mitigation also needs the matching CPU microcode update and a reboot.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "FeatureSettingsOverride" -Value 8 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "FeatureSettingsOverrideMask" -Value 3 -Type DWord

##### Windows Registry Setting To Globally Prevent Socket Hijacking Missing #####
# Impact: if this setting is missing, in the absence of a SO_EXCLUSIVEADDRUSE check on a listening privileged socket,
# local unprivileged users can easily hijack the socket and intercept all data meant for the privileged process
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters" -Name "ForceActiveDesktopOn" -Value 1 -Type DWord

#### MS15-011 Hardened UNC Paths (Microsoft Group Policy Remote Code Execution Vulnerability, MS15-011) ####
# Impact: remote code execution if an attacker convinces a user with a domain-configured system to connect to an
# attacker-controlled network. The HardenedPaths key does not exist by default, so create it first.
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\NETLOGON" -Value "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\SYSVOL" -Value "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"

##### Enable strong cryptography (TLS 1.2) for .NET Framework 4.x #####
# The original set only the Wow6432Node (32-bit) view; 64-bit .NET processes read the second key.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord

##### Disable SMBv3 compression (SMBGhost RCE, CVE-2020-0796 workaround) #####
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWord -Value 1 -Force

##### Fix CredSSP (CVE-2018-0886 encryption oracle remediation) #####
# WARNING: 2 = "Vulnerable". It restores RDP/WinRM to unpatched hosts but removes the CredSSP protection on this
# machine. Use 0 (Force Updated Clients) or 1 (Mitigated) once every peer is patched.
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f

##### Disable NLA #####
# WARNING: this turns off Network Level Authentication for RDP, so unauthenticated clients reach the full RDP stack
# and pre-authentication bugs (for example BlueKeep, CVE-2019-0708) become exploitable. Keep it at 1 unless a legacy
# client genuinely cannot do NLA.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

# Audit log
auditpol /set /category:"System" /failure:enable /success:enable
auditpol /set /category:"Account Management" /failure:enable /success:enable
auditpol /set /category:"Account Logon" /failure:enable /success:enable
auditpol /set /category:"Logon/Logoff" /failure:enable /success:enable
auditpol /set /category:"Policy Change" /failure:enable /success:enable

# Fix DNS (SIGRed, CVE-2020-1350) workaround: cap inbound TCP DNS messages at 0xFF00 bytes.
# Only matters when the DNS Server role is installed. "&&" is not valid in Windows PowerShell 5.1, so the
# original "net stop DNS && net start DNS" is replaced by Restart-Service.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
if (Get-Service -Name DNS -ErrorAction SilentlyContinue) { Restart-Service -Name DNS }

Write-Host "Hardening successfully"
gpupdate /force

# Create a new user "admin" and add it to the Administrators group
# Base64-decode $SystemObfuscation to get your password.
# NOTE: base64 is encoding, not encryption; anyone who can read this script can recover the password.
$SystemObfuscation = "UmVwbGFjZV9teV93aXRoX2Jhc2U2NF9lbmNvZGU="
$SystemConvert = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SystemObfuscation))
net user /add admin $SystemConvert
net localgroup administrators admin /add

##### Set user admin password to never expire (-PasswordNeverExpires takes a boolean)
Set-LocalUser -Name "admin" -PasswordNeverExpires $true
#################################################
```
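Once the script has run and the server has rebooted, the settings should be read back rather than assumed. The following PowerShell check is an added example and is not part of the original post: it reads the registry values the hardening script writes, compares them with the expected hardened values, and reports the two settings the script deliberately sets to a weaker value (NLA off, CredSSP "Vulnerable") as REVIEW instead of FAIL. The expected-value table and the helper names Get-RegistryValueOrNull and Test-HardeningSetting are this example's own; the feature and audit checks use Get-SmbServerConfiguration, Get-WindowsOptionalFeature and auditpol, which exist on Windows Server 2016. Run it in an elevated session.

```powershell
# Verify-Hardening.ps1 (added example, not from the original post)
# Reads back the settings written by the hardening script and flags drift or missing values.

# Expected values mirror the hardening script; a missing key or value means the OS default applies,
# which is the weak setting for every entry in this table.
$Expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                      Name = 'EnableMulticast';               Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';            Name = 'SMB1';                          Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';            Name = 'DisableCompression';            Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';            Name = 'EnableLUA';                     Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';            Name = 'LocalAccountTokenFilterPolicy'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';            Name = 'FilterAdministratorToken';      Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                  Name = 'LMCompatibilityLevel';          Value = 5 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                  Name = 'RunAsPPL';                      Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';            Name = 'UseLogonCredential';            Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';                     Name = 'CWDIllegalInDllSearch';         Value = 2 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management';   Name = 'FeatureSettingsOverride';       Value = 8 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management';   Name = 'FeatureSettingsOverrideMask';   Value = 3 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';          Name = 'NoDriveTypeAutoRun';            Value = 0xff }
    # The hardening script sets these two to a WEAKER value; the secure value is listed and a mismatch is reported as REVIEW
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'UserAuthentication';            Value = 1;
       Review = 'NLA disabled: RDP stack reachable before authentication' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'; Name = 'AllowEncryptionOracle'; Value = 0;
       Review = 'CredSSP encryption oracle policy not at Force Updated Clients' }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Test-HardeningSetting {
    param([hashtable]$Setting)
    $actual = Get-RegistryValueOrNull -Path $Setting.Path -Name $Setting.Name
    $status = 'FAIL'
    if ($actual -eq $Setting.Value) { $status = 'OK' } elseif ($Setting.Review) { $status = 'REVIEW' }
    $note = ''
    if ($status -eq 'REVIEW') { $note = $Setting.Review }
    [pscustomobject]@{ Name = $Setting.Name; Expected = $Setting.Value; Actual = $actual; Status = $status; Note = $note }
}

$results = foreach ($s in $Expected) { Test-HardeningSetting -Setting $s }
$results | Format-Table Name, Expected, Actual, Status, Note -AutoSize

# Checks that are not plain registry reads
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
$ps2State    = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).State
# auditpol /r emits CSV; drop blank lines before parsing, then list Logon/Logoff subcategories not fully audited
$logonAudit  = auditpol /get /category:"Logon/Logoff" /r | Where-Object { $_ } | ConvertFrom-Csv
$notAudited  = @($logonAudit | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })

Write-Host ("SMBv1 server enabled                : {0}" -f $smb1Enabled)
Write-Host ("PowerShell v2 feature state         : {0}" -f $ps2State)
Write-Host ("Logon/Logoff subcategories unaudited: {0}" -f $notAudited.Count)
$notAudited | ForEach-Object { Write-Host ("    " + $_.Subcategory + " = " + $_.'Inclusion Setting') }

# Non-zero exit when any hardened value is missing, so this can run as a scheduled task or post-build gate
$failed = @($results | Where-Object Status -eq 'FAIL').Count
if ($smb1Enabled -or $ps2State -eq 'Enabled') { $failed++ }
exit $failed
```

The REVIEW rows are the ones to look at first: they are the settings the hardening script writes on purpose but that lower the security of the host, and the check keeps them visible instead of letting them pass as "configured". Running the check after every reboot or Group Policy refresh also catches the common case where a GPO silently reverts a locally written value.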
