Endpoint Hardening (& EDR)


Endpoint devices are the primary entry points for most cyberattacks, especially those originating from internet-based threats like malicious websites, email attachments, or executables. To mitigate these risks, endpoint hardening is essential. Below are technical examples of how to implement key endpoint hardening measures:

  • Disable LLMNR/NetBIOS:

    • Why: Link-Local Multicast Name Resolution (LLMNR) and NetBIOS are legacy protocols that attackers often exploit in man-in-the-middle (MITM) attacks or NTLM relay attacks.

    • How: Use Group Policy to disable LLMNR and NetBIOS:

      • Navigate to Computer Configuration > Administrative Templates > Network > DNS Client.

      • Enable the policy "Turn off multicast name resolution."

      • For NetBIOS, disable it via the network adapter settings or through Group Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

  • Implement LAPS (Local Administrator Password Solution):

    • Why: Prevents attackers from using default or shared local admin passwords across endpoints.

    • How: Deploy LAPS via Group Policy:

      • Install the LAPS MSI package on domain controllers and client machines.

      • Configure Group Policy to enable LAPS and specify password complexity requirements.

      • Use PowerShell to verify LAPS is functioning:

        # Legacy (Microsoft) LAPS stores the managed password in the confidential ms-Mcs-AdmPwd attribute;
        # requires the ActiveDirectory module and read rights on that attribute.
        Get-ADComputer <ComputerName> -Properties ms-Mcs-AdmPwd

  • Remove Administrative Privileges from Regular Users:

    • Why: Limits the ability of malware to escalate privileges or make system-wide changes.

    • How: Use tools like Microsoft Intune or Group Policy to enforce least privilege:

      • Create a standard user group and assign permissions only as needed.

      • Audit privileged accounts regularly using PowerShell:

        Get-LocalGroupMember -Group "Administrators"

  • Disable or Configure PowerShell in "ConstrainedLanguage" Mode:

    • Why: Reduces the attack surface by limiting PowerShell's capabilities to execute malicious scripts.

    • How: Set PowerShell to ConstrainedLanguage mode via Group Policy:

      • Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.

      • Enable "Turn on Script Execution" and set it to "Allow only signed scripts."

      • Note that this policy sets the AllSigned execution policy; ConstrainedLanguage mode itself is applied to PowerShell sessions when an application control policy (WDAC or AppLocker) is enforced on the host.

  • Enable Attack Surface Reduction (ASR) Rules:

    • Why: Blocks common attack techniques used by malware, such as process injection or script obfuscation.

    • How: Configure ASR rules using PowerShell:

      Add-MpPreference -AttackSurfaceReductionRules_Ids <RuleID> -AttackSurfaceReductionRules_Actions Enabled

      Example Rule ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A (blocks Office apps from creating child processes).

  • Implement Application Whitelisting:

    • Why: Prevents unauthorized executables from running, especially from user-writable folders like Downloads or AppData.

    • How: Use AppLocker or Windows Defender Application Control (WDAC):

      • Block execution from risky paths:

        <!-- AppLocker executable path rule. Id must be a unique GUID (placeholder shown); %USERPROFILE% is not an AppLocker path variable, so the profile root is expressed via %OSDRIVE%. -->
        <FilePathRule Id="{00000000-0000-0000-0000-000000000000}" Name="Block execution from Downloads" Description="Deny Everyone" UserOrGroupSid="S-1-1-0" Action="Deny">
          <Conditions>
            <FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" />
          </Conditions>
        </FilePathRule>

      • Block specific script types like .hta, .vbs, .js, etc., using WDAC policies.

  • Utilize Host-Based Firewalls:

    • Why: Restricts unnecessary communication between endpoints and blocks outbound traffic to known malicious destinations.

    • How: Configure Windows Defender Firewall:

      • Block workstation-to-workstation communication:

        # Scope the rule to the workstation subnet(s) (placeholder below); without -RemoteAddress it would block all inbound traffic, including management access.
        New-NetFirewallRule -DisplayName "Block Workstation-to-Workstation" -Direction Inbound -RemoteAddress <WorkstationSubnet> -Action Block

      • Block outbound traffic to LOLBins (Living Off the Land Binaries):

        New-NetFirewallRule -DisplayName "Block LOLBin Outbound" -Direction Outbound -Program "C:\Windows\System32\certutil.exe" -Action Block

  • Deploy an EDR (Endpoint Detection and Response) Product:

    • Why: Provides real-time monitoring, threat detection, and response capabilities.

    • How: Choose an EDR solution that integrates with AMSI (Antimalware Scan Interface), such as Microsoft Defender for Endpoint:

      • Review the Defender operational log for remediation events (Event ID 1117), which include scripts flagged through AMSI:

        # Event 1117 = Defender took action against a detected threat; filtering in the query is faster than piping every event through Where-Object.
        Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1117 }
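As an added example (not part of the original page), the following read-only PowerShell audit reports the state of several controls described above on the local host: the LLMNR policy value, NetBIOS over TCP/IP per adapter, local Administrators membership, the session's language mode, the Office child-process ASR rule, and the certutil outbound firewall rule. The registry path, WMI property and ASR rule GUID are the documented Windows ones; the pass/fail thresholds (for example, treating any Administrators member beyond RID 500 and Domain Admins as a finding) are assumptions made for this check.

```powershell
# Added example: read-only hardening audit for the controls above. Changes nothing.
# Run in an elevated Windows PowerShell 5.1+ session. Pass/fail criteria are assumptions.
#Requires -RunAsAdministrator

$findings = @()
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $script:findings += [pscustomobject]@{
        Control = $Control
        Status  = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail  = $Detail
    }
}

# 1. LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0.
$llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name EnableMulticast -ErrorAction SilentlyContinue
Add-Finding 'LLMNR disabled' ($llmnr.EnableMulticast -eq 0) "EnableMulticast=$($llmnr.EnableMulticast)"

# 2. NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled, checked per IP-enabled adapter.
$nbt   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$nbtOn = @($nbt | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
Add-Finding 'NetBIOS disabled on all adapters' ($nbtOn.Count -eq 0) "$($nbtOn.Count) adapter(s) still have NetBIOS enabled"

# 3. Local Administrators: anything beyond built-in Administrator (RID 500) and Domain Admins (RID 512)
#    is reported for review (assumed baseline, not automatically wrong).
$admins = Get-LocalGroupMember -Group 'Administrators'
$extra  = @($admins | Where-Object { $_.SID.Value -notmatch '-500$' -and $_.SID.Value -notmatch '-512$' })
Add-Finding 'Administrators group minimal' ($extra.Count -eq 0) ($extra.Name -join ', ')

# 4. Language mode of this session: ConstrainedLanguage when WDAC/AppLocker enforcement applies.
$mode = $ExecutionContext.SessionState.LanguageMode
Add-Finding 'ConstrainedLanguage mode' ($mode -eq 'ConstrainedLanguage') "LanguageMode=$mode"

# 5. ASR rule from the page (Office apps creating child processes). Action 1 = Block.
$mp     = Get-MpPreference
$ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$ids    = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$idx    = [array]::IndexOf($ids, $ruleId)
$action = if ($idx -ge 0) { $mp.AttackSurfaceReductionRules_Actions[$idx] } else { 'not configured' }
Add-Finding 'ASR: Office child processes blocked' ($action -eq 1) "Action=$action"

# 6. Enabled outbound block rule whose program filter targets certutil.exe (the LOLBin rule above).
$fw = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
      Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like '*\certutil.exe' }
Add-Finding 'certutil.exe outbound blocked' ($null -ne $fw) "matching rules: $(@($fw).Count)"

$findings | Format-Table -AutoSize
```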
