Endpoint Hardening (& EDR)
Endpoint devices are the primary entry points for most cyberattacks, especially those originating from internet-based threats like malicious websites, email attachments, or executables. To mitigate these risks, endpoint hardening is essential. Below are technical examples of how to implement key endpoint hardening measures:
Disable LLMNR/NetBIOS:
Why: Link-Local Multicast Name Resolution (LLMNR) and NetBIOS are legacy protocols that attackers often exploit in man-in-the-middle (MITM) attacks or NTLM relay attacks.
How: Use Group Policy to disable LLMNR and NetBIOS:
Navigate to Computer Configuration > Administrative Templates > Network > DNS Client and enable the policy "Turn off multicast name resolution."
For NetBIOS, disable it via the network adapter settings or through Group Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
Implement LAPS (Local Administrator Password Solution):
Why: Prevents attackers from using default or shared local admin passwords across endpoints.
How: Deploy LAPS via Group Policy:
Install the LAPS MSI package on domain controllers and client machines.
Configure Group Policy to enable LAPS and specify password complexity requirements.
Use PowerShell to verify LAPS is functioning:
Remove Administrative Privileges from Regular Users:
Why: Limits the ability of malware to escalate privileges or make system-wide changes.
How: Use tools like Microsoft Intune or Group Policy to enforce least privilege:
Create a standard user group and assign permissions only as needed.
Audit privileged accounts regularly using PowerShell:
Disable or Configure PowerShell in "ConstrainedLanguage" Mode:
Why: Reduces the attack surface by limiting PowerShell's capabilities to execute malicious scripts.
How: Set PowerShell to ConstrainedLanguage mode via Group Policy:
Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell and enable "Turn on Script Execution," setting it to "Allow only signed scripts."
Enable Attack Surface Reduction (ASR) Rules:
Why: Blocks common attack techniques used by malware, such as process injection or script obfuscation.
How: Configure ASR rules using PowerShell:
Example Rule ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A (blocks Office apps from creating child processes).
Implement Application Whitelisting:
Why: Prevents unauthorized executables from running, especially from user-writable folders like Downloads or AppData.
How: Use AppLocker or Windows Defender Application Control (WDAC):
Block execution from risky paths:
Block specific script types like .hta, .vbs, .js, etc., using WDAC policies.
Utilize Host-Based Firewalls:
Why: Restricts unnecessary communication between endpoints and blocks outbound traffic to known malicious destinations.
How: Configure Windows Defender Firewall:
Block workstation-to-workstation communication:
Block outbound traffic from LOLBins (Living Off the Land Binaries), i.e. built-in Windows executables that malware abuses to reach the network:
Deploy an EDR (Endpoint Detection and Response) Product:
Why: Provides real-time monitoring, threat detection, and response capabilities.
How: Choose an EDR solution that integrates with AMSI (Antimalware Scan Interface), such as Microsoft Defender for Endpoint:
Enable AMSI logging to inspect obfuscated scripts:
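The configuration snippets for the measures above are not reproduced on this page. As an added example that is not part of the original text, the following PowerShell audit (run from an elevated session on Windows 10 / Server 2016 or later) reads back the state of each control and reports pass/fail. It assumes the legacy LAPS (AdmPwd) policy registry location and that the rule ID quoted above is set to Block (action value 1); it also reports language mode and execution policy separately, since they are distinct controls.

```powershell
# Added example: read-only audit of the endpoint hardening controls described above.
# Assumption: legacy LAPS policy key (Microsoft Services\AdmPwd); Windows LAPS differs.

function New-CheckResult {
    param([string]$Check, $Expected, $Actual)
    [pscustomobject]@{
        Check = $Check; Expected = $Expected; Actual = $Actual
        Pass  = ("$Actual" -eq "$Expected")
    }
}

function Test-EndpointHardening {
    # LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0
    $dns = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    New-CheckResult 'LLMNR disabled (EnableMulticast = 0)' 0 $dns.EnableMulticast

    # NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 2 = disabled; count adapters still enabled
    $nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 }
    New-CheckResult 'Adapters with NetBIOS still enabled' 0 @($nbt).Count

    # Legacy LAPS client-side policy (assumed registry location)
    $laps = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    New-CheckResult 'LAPS policy enabled (AdmPwdEnabled = 1)' 1 $laps.AdmPwdEnabled

    # Least privilege: only the built-in Administrator should be a user in local Administrators
    $users = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.ObjectClass -eq 'User' }
    New-CheckResult 'User accounts in local Administrators' 1 @($users).Count

    # Language mode and execution policy are separate settings; check both
    New-CheckResult 'PowerShell language mode' 'ConstrainedLanguage' $ExecutionContext.SessionState.LanguageMode
    New-CheckResult 'Machine execution policy' 'AllSigned' (Get-ExecutionPolicy -Scope LocalMachine)

    # ASR rule from the text (Office child processes); action 1 = Block, 2 = Audit, 0 = Disabled
    $mp = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids)
    $action = 'not set'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A') { $action = $mp.AttackSurfaceReductionRules_Actions[$i] }
    }
    New-CheckResult 'ASR: block Office child processes' 1 $action

    # Host firewall: every profile on, inbound blocked by default
    foreach ($p in Get-NetFirewallProfile) {
        New-CheckResult "Firewall profile $($p.Name) (Enabled/DefaultInbound)" 'True/Block' "$($p.Enabled)/$($p.DefaultInboundAction)"
    }
}

Test-EndpointHardening | Format-Table -AutoSize
```

A failed LLMNR or LAPS check with a blank Actual value means the policy key is absent entirely, not merely set to the wrong value.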