IT-SECURITY "MUST HAVE": HARDENING AS PART OF A HOLISTIC SECURITY STRATEGY
19.04.2023
Who is talking to you?
Introduction
2 TEAL Technology Consulting GmbH
19.04.2023
Fabian Böhm, CEO & Founder @ TEAL, https://www.teal-consulting.de/ (LinkedIn)
Florian Bröder, CEO & Founder @ FB Pro GmbH, https://www.fb-pro.com/ (LinkedIn)
AGENDA
• Hardening – the why
• Hardening – the what
• Hardening – tool based
• Hardening – how to rollout
• Hardening – how hard can it be
• Q&A
HARDENING – THE WHY
Real life examples
• Cyber attack on IT service provider Materna | heise online
• Lürssen shipyard became the target of a ransomware attack (handelsblatt.com)
• NZZ: Swiss newspapers massively impaired by cyber attack | heise online
• Report by "Handelsblatt": hacked Continental data on the darknet | tagesschau.de
• After cyber attack on Continental: hackers publish list of stolen data (handelsblatt.com)
• Medibank hack: Email reveals staff details compromised by data breach | news.com.au
• Investigation Regarding Misconfigured Microsoft Storage Location – Microsoft Security Response Center
• Amazon Web Services (AWS) Data Breaches: Full Timeline Through 2022 (firewalltimes.com)
• PrintNightmare: Yet another printer vulnerability in Windows without a patch | heise online
• Top 5 AWS Misconfigurations That Led to Data Leaks in 2021 | Spiceworks IT Security
Clear statement
• 99% of cloud breaches are "misconfiguration"
• Missing secure configuration
• Missing "hardening"
• No control
• No process / no checks
Questions
"Measures in the detection and response area need to be enriched, as they are no longer sufficient to ensure adequate information security!"
"Shifting responsibility for IT security and protection of assets to back office, accounting and non-IT people seems to be a very strange approach."
HARDENING – THE WHAT
Definition
In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions.
Hardening
• …considers information security as well as data protection
• …is one of several technical measures organizations may adopt
Legal requirements are in place
• …GDPR enforces the "state of technology" (Art. 32 "security of processing")
• "State of the art" is defined (see TeleTrusT e.V.)
• Several industry-specific requirements enforce more detailed configuration (e.g. VAIT for insurers, IT-Sicherheitsgesetz for KRITIS-relevant organizations, ISO 27001:2022 and many more…)
It is necessary
Product liability law in America
Products are designed to make "everything" work, in order to avoid legal consequences
• "Dry the guinea pig in a microwave oven"
• …other stories
Vendors recommend hardening
Microsoft: "We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs."
How critical is secure configuration?
• A running print spooler service was considered uncritical until PrintNightmare at the end of 2021.
• Using SMBv1 was uncritical until the WannaCry ransomware used the EternalBlue exploit in 2017.
• Kerberos tickets based on RC4 encryption have been outdated since 2015 – why is RC4 still enabled?
• A "non-configured" Office installation is again the target of an attack – so is "non-configuration" of Office uncritical?
…an open door in your house is uncritical until somebody walks in who is not allowed to?
Security baselines guide - Windows security | Microsoft Docs
The NIST Cyber Security Framework covers five critical functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER); the marked ones, PROTECT, DETECT and RESPOND, are most relevant for securing (known) endpoints.
Technology (columns: PROTECT, DETECT, RESPOND)
Anti-Malware solutions: X X
Threat-Intel solutions: X X
EDR/XDR solutions: X X
MDR solutions: X X
Vulnerability scanner: X
SIEM solutions: X X (SOC, IM process)
Compromise Assessment: X X
Hardening: X
Enforce Administrator: X X (IM process)
What makes more sense: having a 24/7 team monitoring the door, or simply closing the door and locking it?
Frameworks and legal:
System hardening is widely mentioned (some examples)
https://www.cisecurity.org/controls/
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/IT_Grundschutz_Kompendium_Edition2020.pdf?__blob=publicationFile&v=6
https://www.teletrust.de/publikationen/broschueren/stand-der-technik/?tx_reintdownloadmanager_reintdlm%5Bdownloaduid%5D=10505&cHash=f39d74868a8b38e98e6cc09b0ab16f6f
Frameworks and legal
Extract from the SWIFT questionnaire (end of 2021)
BaFin for the banking and insurance sector (03/2022)
Cyber risk insurance questionnaire (2022)
Questions for companies from 50.000.000 € revenue up to 150.000.000 €. "Hardening" is the first question in the "basic" section.
Frameworks and legal:
System hardening ("secure configuration") in ISO 27001/27002:2022
ISO 27001:2022 is updated and published!
System hardening – strategic part
NIST defines it as…
"The management and control of configurations for an information system to enable security and facilitate the management of risk."
NIST also published a Guide for Security-Focused Configuration Management of Information Systems (NIST SP 800-128).
Security Configuration Management (SecCM) - Glossary | CSRC (nist.gov)
Guide for Security-Focused Configuration Management of Information Systems (nist.gov)
SecCM consists of four phases:
1) Planning
2) Identifying and Implementing Configurations
3) Controlling Configuration Changes
4) Monitoring
Figure 2-1 – Security-focused Configuration Management Phases
Hardening in context of a security landscape
Infrastructure Security, Endpoint Security, Application Security, Managed Security Service Provider, Messaging Security, Web Security, IoT Security, Security Operations & Incident Response, Threat Intelligence, Mobile Security, Data Security, Cloud Security, Identity & Access Management, Risk & Compliance, Specialized Threat Analysis & Protection, Transaction Security
HARDENING – TOOL BASED
Hardening is not only "scripting" and technology
There are different approaches to "harden" systems. Several technological approaches exist in the wild:
• Computer magazines deliver "security tools" | Who wants to use those in a professional environment?
• GitHub repositories with thousands of lines of code | Who wants to take the risk of deploying them in an SME?
• Consulting providers deliver "hardening" on a time & material basis | What happens if the provider leaves, but something is not working as expected?
Your advantages of a tool-based approach
• Automated optimization of your system configuration
• Continuous monitoring of your security
• Comprehensive and up-to-date system hardening packages
• Reduced operating costs through auto-optimization
• Professional operation via "managed services"
Technology-based approach
Integrated approach
Just search for "hardening tools" in your favorite search engine
Why not via "Group Policy objects"?
1) How quickly are several hundred hardening settings implemented? We are ready to use after installation.
2) How is it controlled that all settings arrive on the target systems?
3) How is a "restore" of settings performed when an application is no longer functional due to hardening configurations?
4) How is the IT team notified if IT systems are suddenly no longer "compliant" with the specified settings?
5) How does meaningful process integration (incident management, configuration management) take place?
System hardening – the benefits
Security Configuration Management:
• Raise efficiency and save (internal) resources
• Raise protection level
• Be compliant and transparent
• Security of investment
A new insight?
Mistakes detected and fixed early in a chain reduce overhead and save money in the end.
Conclusion: Hardening is cost effective!
HARDENING – HOW TO ROLLOUT
Useful approaches
• Hardening should be a continuous, iterative process. Do not try to achieve too much at once!
• Based on our experience we recommend the following approach:
  • Identify critical systems (Tier 0). Harden those services with a strict hardening configuration to achieve high security.
  • Create a solid benchmark for new client and server installations. Every new system, or system that will be reinstalled, should comply with this benchmark.
  • Create a basic benchmark for existing servers and clients to accelerate the rollout and to achieve a good hardening status quickly.
• The benefits of this approach are:
  • Critical systems are secured very strictly
  • Much quicker basic hardening on almost all clients and servers
  • Hardening is integrated into provisioning / reinstallation processes
  • Overall, the attack surface decreases significantly
Examples of rollout approaches
The rollout approach depends on the customer's infrastructure and can be controlled via several dimensions, for example:
• Role oriented
• Technology oriented (e.g. operating system)
• Location oriented
• Rollout approach targeting newly deployed systems
Example 1:
Wave 1: Domain Controllers
Wave 2: Member Servers (file, application)
Wave 3: Web, DB Servers
Wave 4: Clients of IT team; Clients org oriented
Example 2:
Wave 1: (New) Windows Server 2022 systems
Wave 2: Installed systems, risk oriented
Wave 3: Client world starting with Windows 10 (not 7, 8)
Common "pitfalls" in hardening projects
Hardening projects really help to create better cyber hygiene! Attack vectors that could be exploited are deactivated.
Some things can be automated, some things need to be tested/evaluated. So, in most cases hardening projects help you get to know your own infrastructure better than before:
• Which services are activated but never used?
• Which server (or business-critical application) is still running on an old operating system?
• Are administrators still using one account / one machine for internet surfing and administering?
• Are "built-in accounts" still active and/or, even more critically, still in use?
• And many more…
So, the most common pitfalls are, amongst others, the following:
• Missing knowledge of own infrastructure
• Missing documentation and overview of systems
• Missing documentation and overview of applications
• Missing knowledge of how, for example, administrators maintain systems
• "Old fashioned" (aka insecure) ways to maintain/administer IT systems
HARDENING – HOW HARD CAN IT BE
Topics:
• SMBv1
• NTLM v1
• Client challenges
• Attack surface reduction rules
• User rights assignment
• LDAP signing / channel binding
CHALLENGE: SMBv1
SMB v1 is outdated but still being used in customer environments. Example: a board member used an unmanaged tablet to access an old NAS to view presentations stored there.
KNOWN ATTACKS
https://www.golem.de/news/wannacry-nsa-exploits-legen-weltweit-windows-rechner-lahm-1705-127801.html
HOW TO SOLVE
Either the systems can be configured for SMB v2 or v3, or they need to be replaced.
HOW TO VERIFY
Check whether SMB v1 is still in use. To do this, you can enable auditing in smaller environments via PowerShell (Set-SmbServerConfiguration -AuditSmb1Access $true) or distribute the following registry value via GPO in larger environments:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
"AuditSmb1Access"=dword:00000001
Auditing should be performed at least on all domain controllers and file servers. The logs can either be collected via PowerShell or forwarded to a log collector via event log forwarding.
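The collection step described above, as an added example that is not part of the original slides: it enables SMB1 auditing on a list of servers and summarises the audit events per client. The server names are placeholders, WinRM access is assumed, and the assumption that the first event data field of audit event 3000 carries the client address is marked in the code.

```powershell
# Added example (not from the slide deck): enable SMB1 access auditing on the
# servers named below and summarise which clients still talk SMB1.
# Assumptions: run from a management host with WinRM access to the servers;
# the names are placeholders for your own domain controllers and file servers.
$Servers = @('DC01.example.local', 'FS01.example.local')   # placeholders
$Since   = (Get-Date).AddDays(-7)

# Step 1: switch on auditing (same effect as the AuditSmb1Access registry value).
Invoke-Command -ComputerName $Servers -ScriptBlock {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

# Step 2: collect the audit events. SMB1 access is logged with event ID 3000 in
# the Microsoft-Windows-SMBServer/Audit log; the message names the client address.
$Hits = Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($Since)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: the first event data field is the client name/address.
        [pscustomobject]@{
            Server = $env:COMPUTERNAME
            Client = $_.Properties[0].Value
            Time   = $_.TimeCreated
        }
    }
} -ArgumentList $Since

# Step 3: one row per (server, client) pair with the number of SMB1 sessions,
# which is the work list for migrating or replacing each client.
$Summary = $Hits | Group-Object Server, Client | ForEach-Object {
    [pscustomobject]@{
        Server   = $_.Group[0].Server
        Client   = $_.Group[0].Client
        Sessions = $_.Count
        LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object Sessions -Descending

$Summary | Format-Table -AutoSize
$Summary | Export-Csv -Path .\smb1-clients.csv -NoTypeInformation
```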
CHALLENGE: NTLM v1
NTLM v1 is outdated but still being used in customer environments.
KNOWN ATTACKS
ProxyLogon (CVE-2021-28655, CVE-2021-27065) and ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) from Orange Tsai, PetitPotam (VDB-179650) from topotam, Active Directory Certificate Services (ADCS) from Will Schroeder and Lee Christensen
HOW TO SOLVE
Turn NTLM authentication off or enforce NTLMv2 only.
If a system needs to be reconfigured anyway, this is a good time to move directly to Kerberos if the application supports it.
HOW TO VERIFY
Audit NTLM v1 usage via a GPO setting.
Collect the events (logon event 4624 where the LmPackageName is NTLM V1):
$Events = Get-WinEvent -LogName Security -FilterXPath "Event[System[(EventID=4624)]] and Event[EventData[Data[@Name='LmPackageName']='NTLM V1']]" | Select-Object `
    @{Label='Time';Expression={$_.TimeCreated.ToString('g')}},
    @{Label='UserName';Expression={$_.Properties[5].Value}},
    @{Label='WorkstationName';Expression={$_.Properties[11].Value}},
    @{Label='LogonType';Expression={$_.Properties[8].Value}},
    @{Label='ImpersonationLevel';Expression={$_.Properties[20].Value}}
CHALLENGE: LDAP signing / channel binding
Microsoft already tried 3 years ago to force LDAP signing (ADV190023).
This is essentially a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings).
KNOWN ATTACKS
https://github.com/Dec0ne/KrbRelayUp
HOW TO SOLVE
After the list of servers that establish LDAP connections has been generated, configure the applications to use LDAPS. We had cases where the OpenSSL package used in the OS did not support LDAPS, so the server had to be reinstalled with a newer version of the operating system.
HOW TO VERIFY
Enable logging via registry key on the DCs:
Reg Add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
Log CBT signing event 3041 by configuring "Domain controller: LDAP server channel binding token requirements" to "When supported".
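How the "list of servers" mentioned under HOW TO SOLVE can be produced from the diagnostic logging above, as an added example that is not part of the original slides: it sets the "16 LDAP Interface Events" value on every DC and aggregates Directory Service event 2889 (binds without signing, or simple binds in clear text). It assumes the ActiveDirectory module and WinRM access to the DCs; the field order of event 2889 is marked as an assumption in the code.

```powershell
# Added example (not from the slide deck): turn on LDAP interface diagnostics on
# all DCs and list the clients that still bind without signing (event 2889).
# Assumptions: run from a domain-joined admin host with the ActiveDirectory module
# and WinRM access to the domain controllers.
Import-Module ActiveDirectory
$DCs   = (Get-ADDomainController -Filter *).HostName
$Since = (Get-Date).AddDays(-14)

# Step 1: the same registry change as the "Reg Add" line above, via PowerShell.
Invoke-Command -ComputerName $DCs -ScriptBlock {
    $Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    Set-ItemProperty -Path $Key -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

# Step 2: collect event 2889. At level 2 every unsigned SASL bind or clear-text
# simple bind is logged with the client IP:port and the identity it bound as.
$Binds = Invoke-Command -ComputerName $DCs -ScriptBlock {
    param($Since)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption on field order: [0] client IP:port, [1] identity, [2] bind type.
        [pscustomobject]@{
            DC       = $env:COMPUTERNAME
            ClientIP = ($_.Properties[0].Value -replace ':\d+$', '')   # strip the port
            Identity = $_.Properties[1].Value
            BindType = $_.Properties[2].Value
            Time     = $_.TimeCreated
        }
    }
} -ArgumentList $Since

# Step 3: one row per client/identity. These are the systems that must move to
# LDAPS or signed binds before signing is enforced on the DCs.
$Binds | Group-Object ClientIP, Identity | ForEach-Object {
    [pscustomobject]@{
        ClientIP = $_.Group[0].ClientIP
        Identity = $_.Group[0].Identity
        BindType = $_.Group[0].BindType
        Count    = $_.Count
        LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```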
CHALLENGE: User rights assignment
Sometimes there are problems with the User Rights Assignments.
For example, both the CIS and the MS baseline configure "Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users'". However, when using Defender for Identity, it is necessary that the service account used has just this right.
HOW TO SOLVE
You need to verify the user rights assignments with the respective application owner and, if not documented properly, test them in a test environment before rolling them out completely.
HOW TO VERIFY
User Rights Assignments can be configured via GPO as well as locally, making it difficult to conclusively check the issue up front. If one uses the Enforce Administrator for hardening, then one can match the settings with GPOs when creating the hardening and at least check this way conclusively. To check locally configured settings, one could run a script like this on all systems and check the output.
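One way to write such a check, as an added example that is not the script shown on the slide: it exports the local User Rights Assignment with secedit, resolves the SIDs and reports which accounts are missing from or extra to the expected set. It assumes it runs elevated on each system (for example via Invoke-Command); the expected set mirrors the baseline value quoted above and is where a documented exception such as a Defender for Identity service account would be added.

```powershell
# Added example (not the script shown on the slide): export the effective local
# User Rights Assignment, resolve SIDs to account names and compare selected
# rights against the expected (hardened) set.
# Assumption: run elevated on the system being checked.
$Expected = @{
    'SeNetworkLogonRight' = @('BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users')
}

function Get-LocalUserRights {
    # Returns a hashtable: privilege name -> array of account names.
    $Cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $Cfg /areas USER_RIGHTS /quiet | Out-Null
    $Rights = @{}
    foreach ($Line in Get-Content $Cfg) {
        # Lines in the [Privilege Rights] section look like:
        #   SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
        if ($Line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $Name = $Matches[1]
        $Members = foreach ($Entry in ($Matches[2] -split ',')) {
            $Entry = $Entry.Trim()
            if (-not $Entry) { continue }
            if ($Entry.StartsWith('*')) {
                # A leading "*" marks a SID; translate it, keep the raw SID if that fails.
                try {
                    $Sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
                    $Sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $Entry.Substring(1) }
            } else { $Entry }
        }
        $Rights[$Name] = @($Members)
    }
    Remove-Item $Cfg -ErrorAction SilentlyContinue
    return $Rights
}

function Test-UserRights {
    param([hashtable]$Expected, [hashtable]$Actual)
    foreach ($Right in $Expected.Keys) {
        $Have    = @($Actual[$Right])
        $Missing = @($Expected[$Right] | Where-Object { $_ -notin $Have })
        $Extra   = @($Have | Where-Object { $_ -notin $Expected[$Right] })
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Right     = $Right
            Members   = ($Have -join '; ')
            Compliant = ($Missing.Count -eq 0 -and $Extra.Count -eq 0)
            Missing   = ($Missing -join '; ')
            Extra     = ($Extra -join '; ')   # e.g. an undocumented service account
        }
    }
}

Test-UserRights -Expected $Expected -Actual (Get-LocalUserRights) | Format-List
```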
CHALLENGE: Attack surface reduction rules
Attack Surface Reduction is a fairly new feature of Windows Defender. It is supposed to help prevent cyber attacks.
HOW TO SOLVE
To be on the safe side, it is advisable to first configure the rules in audit mode, check the messages in the event viewer and, only when all problems have been solved, switch the rules to block mode.
The common hardening standards do not call for all ASR rules to be turned on; however, we think it is a good idea, even if it is a little more work.
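The audit-then-block procedure above, as an added example that is not part of the original slides: it puts the configured ASR rules into audit mode and then counts the audit events (Defender event ID 1122) per rule so each rule can be moved to block mode once its hits are understood. It assumes an elevated session on a client with Microsoft Defender Antivirus; the event data field names "ID", "Path" and "Process Name" are an assumption about the 1121/1122 event layout.

```powershell
# Added example (not from the slide deck): set all configured ASR rules to audit
# mode, then report audit hits per rule over the last 30 days.
# Assumptions: elevated session with Microsoft Defender Antivirus; rule GUIDs are
# read from the current configuration, not hard-coded; the EventData field names
# "ID", "Path" and "Process Name" are assumed from Defender's 1121/1122 events.
$Since = (Get-Date).AddDays(-30)

# Step 1: whatever rules are configured, switch them all to AuditMode.
$Pref  = Get-MpPreference
$Rules = @($Pref.AttackSurfaceReductionRules_Ids)
if ($Rules.Count -gt 0) {
    Set-MpPreference -AttackSurfaceReductionRules_Ids $Rules `
                     -AttackSurfaceReductionRules_Actions (@('AuditMode') * $Rules.Count)
}

# Step 2: read the audit events (1122 = audited, 1121 = blocked) and pull the
# rule ID, the process and the path out of the event XML.
function Get-AsrAuditHits {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 1122; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $Data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            RuleId  = ([string]$Data['ID']).Trim('{}')
            Process = $Data['Process Name']
            Target  = $Data['Path']
            Time    = $_.TimeCreated
        }
    }
}

# Step 3: rules without audit hits are the safe candidates for block mode; rules
# with hits need the listed processes reviewed (or excluded) before switching.
$Hits = Get-AsrAuditHits -Since $Since
foreach ($Rule in $Rules) {
    $RuleHits = @($Hits | Where-Object RuleId -eq $Rule)
    [pscustomobject]@{
        RuleId    = $Rule
        AuditHits = $RuleHits.Count
        Processes = (($RuleHits.Process | Sort-Object -Unique) -join '; ')
        Verdict   = if ($RuleHits.Count -eq 0) { 'candidate for block mode' } else { 'review first' }
    }
}
```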
CLIENT CHALLENGES
CHALLENGE 1 – APPLICATIONS AND UNC PATHS
Applications are often placed on network shares and launched from there via a UNC path to simplify application updates. After applying the Security Baseline for Windows in such cases, you may receive a popup with the security warning: "The publisher could not be verified. Are you sure you want to run the software?". By clicking Run, the user can still launch the application.
HOW TO SOLVE
This error message is annoying for the user but can be disabled by adding the UNC path to the Intranet zone. For this purpose, there is a so-called Site to Zone Mapping which is stored in the registry (the mapping can be set for the whole system or for the user):
• HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
Both settings can also be configured via Group Policy:
• Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
• User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
The name of the server is entered there, e.g., file://myserver1 with a value of 2, which stands for the intranet zone.
CHALLENGE 2 – OFFICE FILE FORMAT
A recurring theme in client hardening is the handling of older Office formats. The Microsoft 365 Apps for Enterprise Baseline and the CIS Microsoft Office Excel Benchmark are quite restrictive and disable all older Office formats. This affects all old binary formats of Office versions older than 2007, before Office introduced modern file formats based on XML. Most companies still use older Office formats at least in some areas and therefore have to soften the Microsoft baseline again in this area.
HOW TO SOLVE
Verify which old Office templates exist that cannot be renewed….
Unblock the Excel version via GPO:
User Configuration > Administrative Templates > Microsoft Excel 2016 > Excel Options > Security > Trust Center > File Block Settings > Excel 97-2003 workbooks and templates.
We provide here a small script that searches a certain directory incl. subdirectories for files with the extension .xls and determines the exact version. However, the script must open the file, so it must only be applied to trusted files, because macro code may be executed when the file is opened, and macros that start automatically and display a dialog box, for example, must be clicked away manually.
After knowing which file formats are available, it should first be checked to what extent the older file formats can be converted into the current XML-based file formats of Office. Here, it should be checked whether there are applications that process these documents automatically (e.g. automated scanning and / or OCR software) and only support the old format.
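An inventory that avoids the macro problem described above, as an added example that is not the script shown on the slide: it classifies Excel files by reading their file signature instead of opening them in Excel, so no macro can run. It distinguishes legacy binary (OLE) workbooks from XML-based ones rather than determining the exact Excel version; the root path is a placeholder.

```powershell
# Added example (not the script shown on the slide): inventory Excel files under a
# directory by file signature, without opening them in Excel.
# Assumption: $Root is a placeholder for the share or directory to inventory.
$Root = '\\myserver1\share\finance'   # placeholder path

function Get-ExcelFormat {
    param([string]$Path)
    # Legacy binary workbooks (Excel 97-2003 and older) are OLE compound files that
    # start with D0 CF 11 E0 A0 B1 1A E1; Office 2007+ workbooks are ZIP containers
    # starting with "PK\x03\x04". Only the first 8 bytes are read, read-only.
    $Buf = New-Object byte[] 8
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try { $n = $fs.Read($Buf, 0, 8) } finally { $fs.Dispose() }
    if ($n -lt 4) { return 'Unknown (file too short)' }
    $Hex = ($Buf[0..($n - 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ''
    if ($Hex.StartsWith('D0CF11E0A0B11AE1')) { return 'Binary (Excel 97-2003 or older)' }
    if ($Hex.StartsWith('504B0304'))         { return 'OOXML (Excel 2007 or newer)' }
    return 'Unknown / not an Office container'
}

# Walk the tree; the extension list covers legacy and modern Excel formats so that
# mislabelled files (e.g. an .xls that is really OOXML or HTML) show up as well.
$Report = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue `
              -Include *.xls, *.xlt, *.xla, *.xlsx, *.xlsm, *.xlsb, *.xltx, *.xltm |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Extension = $_.Extension.ToLower()
            Format    = Get-ExcelFormat -Path $_.FullName
            Modified  = $_.LastWriteTime
        }
    }

# Summary per extension and detected format, then the legacy list for the
# conversion check with the application owners.
$Report | Group-Object Extension, Format | Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize
$Report | Where-Object Format -like 'Binary*' |
    Export-Csv -Path .\legacy-excel-files.csv -NoTypeInformation
```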
Q & A
Any questions left?
Contact us for more information
FB Pro and TEAL
INFO PAGE
https://aktionen.teal-consulting.de/enforce-suite/
CONTACT US
E-Mail: info@teal-consulting.de
Phone: 0211/93675225
THANK YOU!

ITrust Cybersecurity Services - Datasheet EN
 
Drivelock modern approach of it security & amp; encryption solution -whitep...
Drivelock   modern approach of it security & amp; encryption solution -whitep...Drivelock   modern approach of it security & amp; encryption solution -whitep...
Drivelock modern approach of it security & amp; encryption solution -whitep...
 
RoundTable: da Industria 4.0 a GDPR #ICTSecurity #ZeroTrust
RoundTable: da Industria 4.0 a GDPR #ICTSecurity #ZeroTrustRoundTable: da Industria 4.0 a GDPR #ICTSecurity #ZeroTrust
RoundTable: da Industria 4.0 a GDPR #ICTSecurity #ZeroTrust
 

Recently uploaded

buds n tech IT solutions
buds n  tech IT                solutionsbuds n  tech IT                solutions
buds n tech IT solutionsmonugehlot87
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?Watsoo Telematics
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 

Recently uploaded (20)

buds n tech IT solutions
buds n  tech IT                solutionsbuds n  tech IT                solutions
buds n tech IT solutions
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 

IT-Security "Must Have": Hardening as Part of a holistic Security Strategy

  • 1. IT-SECURITY „MUST HAVE“: HARDENING AS PART OF A HOLISTIC SECURITY STRATEGY 19.04.2023
  • 2. Who is talking to you? Introduction 2 TEAL Technology Consulting GmbH 19.04.2023 Fabian Böhm CEO & Founder @ TEAL Florian Bröder CEO & Founder @ FB Pro GmbH https://www.fb-pro.com/ LinkedIn https://www.teal-consulting.de/ LinkedIn
  • 3. - Hardening – the why - Hardening – the what - Hardening – tool based - Hardening – how to rollout - Hardening – how hard can it be - Q&A AGENDA 3
  • 4. 4 TEAL Technology Consulting GmbH 19.04.2023 HARDENING – THE WHY
  • 5. Real life examples HARDENING – THE WHY 5 TEAL Technology Consulting GmbH 19.04.2023 Cyber-Angriff auf IT-Dienstleister Materna​ | heise online Lürssen-Werft wurde zum Ziel von Ransomware-Attacke (handelsblatt.com) NZZ: Schweizer Zeitungen durch Cyberangriff massiv beeinträchtigt | heise online
  • 6. Real life examples HARDENING – THE WHY 6 TEAL Technology Consulting GmbH 19.04.2023 Bericht des "Handelsblatt": Gehackte Daten von Continental im Darknet | tagesschau.de Nach Cyberangriff auf Continental: Hacker veröffentlichen Liste mit erbeuteten Daten (handelsblatt.com) Medibank hack: Email reveals staff details compromised by data breach | news.com.au — Australia’s leading news site
  • 7. Real life examples HARDENING – THE WHY 7 TEAL Technology Consulting GmbH 19.04.2023 Investigation Regarding Misconfigured Microsoft Storage Location – Microsoft Security Response Center
  • 8. Real life examples HARDENING – THE WHY 8 TEAL Technology Consulting GmbH 19.04.2023 Amazon Web Services (AWS) Data Breaches: Full Timeline Through 2022 (firewalltimes.com)
  • 9. Real life examples HARDENING – THE WHY 9 TEAL Technology Consulting GmbH 19.04.2023 PrintNightmare: Schon wieder eine Drucker-Lücke in Windows ohne Patch | heise online
  • 10. Real life examples HARDENING – THE WHY 10 TEAL Technology Consulting GmbH 19.04.2023 Top 5 AWS Misconfigurations That Led to Data Leaks in 2021 | Spiceworks It Security Clear statement - 99% of cloud breaches are “misconfiguration” - Missing secure configuration - Missing “hardening” - No control - No process / no checks
  • 11. Questions 11 TEAL Technology Consulting GmbH 19.04.2023 HARDENING – THE WHY
  • 12. 12 TEAL Technology Consulting GmbH 19.04.2023 “Measures in detection and response area need to be enriched as they are no longer sufficient to ensure adequate information security!" “Shifting responsibility of IT security and protection of assets to backoffice, accounting and non IT people seems to be a very strange approach.”
  • 13. 13 TEAL Technology Consulting GmbH 19.04.2023 HARDENING – THE WHAT
  • 14. Definition HARDENING – THE WHAT 14 TEAL Technology Consulting GmbH 19.04.2023 In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions. Hardening …considers information security as well as data protection …is one of several technical measures organizations may adopt. Legal requirements are in place: - GDPR enforces the “state of technology” (Art. 32 “security of processing”) - “State of the art” is defined (see Teletrust e.V.) - Several industry-specific requirements enforce more detailed configuration (e.g. VAIT for insurances, IT-Sicherheitsgesetz for KRITIS-relevant organizations, ISO 27001:2022 and many more…)
  • 15. It is necessary HARDENING – THE WHAT 15 TEAL Technology Consulting GmbH 19.04.2023 Product law in America: designed to make “everything” work to avoid legal impacts - “Dry the guinea pig in a microwave oven” - …other stories. Vendors recommend hardening. Microsoft: “We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.” How critical is secure configuration? - A running print spooler service was considered uncritical until PrintNightmare at the end of 2021. - Using SMBv1 was uncritical until the WannaCry ransomware used the EternalBlue exploit in 2017. - Using Kerberos tickets based on RC4 encryption has been outdated since 2015 – why is it still activated? - A “non-configured” Office installation is again the target of an attack – so is “non-configuration” of Office uncritical? …an open door in your house is uncritical until somebody walks in who is not allowed to do so? Security baselines guide - Windows security | Microsoft Docs
  • 16. It is necessary HARDENING – THE WHAT 16 TEAL Technology Consulting GmbH 19.04.2023 The NIST Cyber Security Framework covers five critical functions where the marked ones are most relevant for securing (known) endpoints. PROTECT DETECT RESPOND RECOVER IDENTIFY Technology PROTECT DETECT RESPOND Anti-Malware solutions X X Threat-Intel solutions X X EDR/XDR solutions X X MDR solutions X X Vulnerability scanner X SIEM solutions X X (SOC, IM process) Compromise Assessment X X Hardening X Enforce Administrator X X IM process What makes more sense? Have a 24/7 team monitoring the door or just close the door and lock it?
  • 17. Frameworks and legal: System hardening is widely mentioned (some examples) HARDENING – THE WHAT 17 TEAL Technology Consulting GmbH 19.04.2023 https://www.cisecurity.org/controls/ https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/IT_Grundschutz_Kompendium_Edition2020.pdf?__blob=publicationFile&v=6 https://www.teletrust.de/publikationen/broschueren/stand-der-technik/?tx_reintdownloadmanager_reintdlm%5Bdownloaduid%5D=10505&cHash=f39d74868a8b38e98e6cc09b0ab16f6f
  • 18. HARDENING – THE WHAT 18 TEAL Technology Consulting GmbH 19.04.2023 Frameworks and legal Extract from SWIFT questionnaire (end 2021) BAFIN for banking and insurance sector (03/2022) Cyber risk insurance questionnaire (2022) Questions for companies starting with 50.000.000 € revenue up to 150.000.000 €. “Hardening” is the first question in the sector “basic”.
  • 19. HARDENING – THE WHAT 19 TEAL Technology Consulting GmbH 19.04.2023 Frameworks and legal: System hardening (“secure configuration”) in ISO 27001(2):2022 ISO 27001:2022 is updated and published!
  • 20. System hardening - strategical part HARDENING – THE WHAT 20 TEAL Technology Consulting GmbH 19.04.2023 NIST defines it as… “The management and control of configurations for an information system to enable security and facilitate the management of risk.” NIST also published a… Guide for Security-Focused Configuration Management of Information Systems | NIST SecCM consists of four phases: Security Configuration Management (SecCM) - Glossary | CSRC (nist.gov) Guide for Security-Focused Configuration Management of Information Systems (nist.gov) Planning Identifying and Implementing Configurations Controlling Configuration Changes Monitoring Figure 2-1 – Security-focused Configuration Management Phases
  • 21. Hardening in context of a security landscape HARDENING – THE WHAT 21 TEAL Technology Consulting GmbH 19.04.2023 Infrastructure Security Endpoint Security Application Security Managed Security Service Provider Messaging Security Web Security IoT Security Security Operations & Incident Response Threat Intelligence Mobile Security Data Security Cloud Security Identity & Access Management Risk & Compliance Specialized Threat Analysis & Protection Transaction Security
  • 22. Hardening in context of a security landscape HARDENING – THE WHAT 22 TEAL Technology Consulting GmbH 19.04.2023 Infrastructure Security Endpoint Security Application Security Messaging Security Web Security IoT Security Security Operations & Incident Response Threat Intelligence Risk & Compliance Specialized Threat Analysis & Protection Transaction Security Mobile Security Data Security Cloud Security Identity & Access Management Managed Security Service Provider
  • 23. 23 TEAL Technology Consulting GmbH 19.04.2023 HARDENING – TOOL BASED
  • 24. HARDENING – TOOL BASED 24 TEAL Technology Consulting GmbH 19.04.2023 Hardening is not only „scripting“ and technology. There are different approaches to “harden” systems. Several technological approaches exist in the wild: - Several computer newspapers deliver “security tools” | Who wants to use this in a professional area? - GitHub repositories with thousands of lines of code | Who wants to take the risk of deploying them to an SME company? - Consulting providers deliver “hardening” on a time & material basis | What happens if the provider leaves, but something is not working as expected? Your advantages of a tool-based approach: - Automated optimization of your system configuration - Continuous monitoring of your security - Comprehensive and up-to-date system hardening packages - Reduced operating costs through auto-optimization - Professional operation via “Managed services” Technology based approach Integrated approach Just search for „hardening tools“ in your favorite search engine
  • 25. Why not via “Group Policy objects”? 25 TEAL Technology Consulting GmbH 19.04.2023 1) How quickly are several hundred hardening settings implemented? We are ready to use after installation. 2) How is it controlled that all settings arrive on the target systems? 3) How is a "restore" of settings performed when an application is no longer functional due to hardening configurations? 4) How is the IT team notified if IT systems are suddenly no longer "compliant" with the specified settings? 5) How does meaningful process integration (incident management, ConfigMgmt) take place? HARDENING – TOOL BASED
  • 26. 26 TEAL Technology Consulting GmbH 19.04.2023 System hardening – the benefits Security Configuration Management Raise efficiency and save (internal) resources Raise protection level Be compliant and transparent Security of investment A new insight? Detected mistakes fixed early in a chain reduce overhead and save money in the end. Conclusion: Hardening is cost effective! § € HARDENING – TOOL BASED
  • 27. 27 TEAL Technology Consulting GmbH 19.04.2023 HARDENING – HOW TO ROLLOUT
  • 28. Useful approaches 28 TEAL Technology Consulting GmbH 19.04.2023 HARDENING – HOW TO ROLLOUT - Hardening should be a continuous, iterative process. Do not try to achieve too much at once! - Based on our experience we recommend the following approach: - Identify critical systems (Tier 0). Harden those services with a strict hardening configuration to achieve high security. - Create a solid benchmark for new client and server installations. Every new system, or system which will be reinstalled, should comply with this benchmark. - Create a basic benchmark for existing servers and clients to accelerate the rollout and to achieve a good hardening status quickly. - The benefits of this approach are: - Critical systems are secured very strictly - Much quicker basic hardening on almost all clients and servers - Hardening is integrated in provisioning / reinstallation processes - Overall, the attack surface decreases significantly
  • 29. Examples of rollout approaches 29 TEAL Technology Consulting GmbH 19.04.2023 The rollout approach depends on the customer's infrastructure and could be controlled via several dimensions, for example: - Role oriented - Technology oriented (operating system, e.g.) - Location oriented - Rollout approach targeting newly deployed systems Wave 1 • Domain Controllers Wave 2 • Member Servers (file, application) Wave 3 • Web, DB Servers Wave 4 • Clients of IT team • Clients org oriented Wave 1 • (New) Windows Server 2022 systems Wave 2 • Installed systems risk oriented Wave 3 • Client world starting with Windows 10 (not 7,8) HARDENING – TOOL BASED
  • 30. Common “pitfalls” in hardening projects 30 TEAL Technology Consulting GmbH 19.04.2023 Hardening projects really support in creating a better cyber hygiene! Potentially exploitable attack vectors are deactivated. Some things can be automated, some things need to be tested/evaluated. So, in most cases hardening projects help in getting to know your own infrastructure better than before: - Which services are activated but never used - Which server (or business critical application) is still running on an old operating system - Are administrators still using one account / one machine for internet surfing and administering? - Are “built-in accounts” still active and, even more critical, still in use? - And many more… HARDENING – TOOL BASED So, the most common pitfalls are, amongst others, the following ones: - Missing knowledge of own infrastructure - Missing documentation and overview of systems - Missing documentation and overview of applications - Missing knowledge of how, for example, administrators maintain systems - “Old fashioned” (aka insecure) ways to maintain/administer IT systems
  • 31. 31 TEAL Technology Consulting GmbH 19.04.2023 HARDENING – HOW HARD CAN IT BE
  • 32. 32 TEAL Technology Consulting GmbH 19.04.2023 SMBv1 NTLM v1 Client challenges Attack surface reduction rules User rights assignment LDAP signing / channel binding
  • 33. 33 TEAL Technology Consulting GmbH 19.04.2023 SMBv1 NTLM v1 Client challenges Attack surface reduction rules User rights assignment LDAP signing / channel binding CHALLENGE SMB v1 is outdated - still being used in customer environments. Example: a board member used an unmanaged tablet to access an old NAS to view presentations stored there. KNOWN ATTACKS https://www.golem.de/news/wannacry-nsa-exploits-legen-weltweit-windows-rechner-lahm-1705-127801.html HOW TO SOLVE Either the systems can be configured for SMB v2 or v3, or they need to be replaced. HOW TO VERIFY whether SMB v1 is still in use: you can enable auditing in smaller environments via PowerShell (Set-SmbServerConfiguration -AuditSmb1Access $true) or distribute the following registry value via GPO in larger environments: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters "AuditSmb1Access"=dword:00000001. Auditing should be performed at least on all domain controllers and file servers. The logs can either be collected via PowerShell or forwarded to a log collector via event log forwarding.
  • 34. 34 TEAL Technology Consulting GmbH 19.04.2023 CHALLENGE NTLM v1 is outdated - still being used in customer environments KNOWN ATTACKS ProxyLogon (CVE-2021-28655, CVE-2021-27065) and ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) from Orange Tsai, PetitPotam (VDB-179650) from topotam, Active Directory Certificate Services (ADCS) from Will Schroeder and Lee Christensen HOW TO SOLVE Turn NTLM authentication off or enforce NTLMv2 only. If a system needs to be reconfigured anyway, this is a good time to move directly to Kerberos if the application supports it. HOW TO VERIFY Audit NTLMv1 usage via a GPO setting. Collect the events: $Events = Get-WinEvent -LogName Security -FilterXPath "Event[System[(EventID=4624)]] and Event[EventData[Data[@Name='LmPackageName']='NTLM V1']]" | Select-Object @{Label='Time';Expression={$_.TimeCreated.ToString('g')}}, @{Label='UserName';Expression={$_.Properties[5].Value}}, @{Label='WorkstationName';Expression={$_.Properties[11].Value}}, @{Label='LogonType';Expression={$_.Properties[8].Value}}, @{Label='ImpersonationLevel';Expression={$_.Properties[20].Value}} SMBv1 NTLM v1 Client challenges Attack surface reduction rules User rights assignment LDAP signing / channel binding
  • 35. 35 TEAL Technology Consulting GmbH 19.04.2023 CHALLENGE Microsoft already tried 3 years ago to force LDAP signing (ADV190023). This is essentially a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting). KNOWN ATTACKS https://github.com/Dec0ne/KrbRelayUp HOW TO SOLVE After the list of servers that establish an LDAP connection has been generated, configure the applications to use LDAPS. We had cases where the OpenSSL package used in the OS didn’t support LDAPS, so the server had to be reinstalled with a newer version of the operating system. HOW TO VERIFY Enable logging via registry key on the DCs: Reg Add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2. Log CBT signing event 3041 by configuring “Domain controller: LDAP server channel binding token requirements” to “When supported” SMBv1 NTLM v1 Client challenges Attack surface reduction rules User rights assignment LDAP signing / channel binding
  • 36. 36 TEAL Technology Consulting GmbH 19.04.2023 CHALLENGE Sometimes there are problems with the User Rights Assignments. For example, both CIS and the MS Baseline configure “Ensure ‘Access this computer from the network’ is set to ‘Administrators, Authenticated Users'”. However, when using Defender for Identity, it is necessary that the service account used has just this right. HOW TO SOLVE You need to verify the user rights assignments with the respective application owner and, if not documented properly, test it in a test environment before rolling it out completely. HOW TO VERIFY User Rights Assignments can be configured via GPO as well as locally, making it difficult to conclusively check the issue up front. If one uses the Enforce Administrator for hardening, then one can match the settings with GPOs when creating the hardening and at least check this way conclusively. To check locally configured settings, one could run a script like this on all systems and check the output. SMBv1 NTLM v1 Client challenges Attack surface reduction rules LDAP signing / channel binding User rights assignment
  • 37. 37 TEAL Technology Consulting GmbH 19.04.2023 CHALLENGE Attack Surface Reduction is a fairly new feature of Windows Defender. It is supposed to help prevent cyber attacks. HOW TO SOLVE To be on the safe side, it is advisable to first configure the rules in audit mode, check the messages in the event viewer and, only when all problems have been solved, switch the rules to block mode. The common hardening standards do not call for all ASR rules to be turned on; however, we think it is a good idea, even if it is a little more work. SMBv1 NTLM v1 Client challenges LDAP signing / channel binding User rights assignment Attack surface reduction rules
  • 38. 38 TEAL Technology Consulting GmbH 19.04.2023 CHALLENGE 1 - APPLICATIONS AND UNC PATHS Applications are often placed on network shares and launched from there via a UNC path to simplify application updates. After applying the Security Baseline for Windows in such cases, you may receive a popup with the security warning: “The publisher could not be verified. Are you sure you want to run the software”. By clicking Run, the user can still launch the application. SMBv1 NTLM v1 LDAP signing / channel binding User rights assignment Attack surface reduction rules Client challenges
  • 39. 39 TEAL Technology Consulting GmbH 19.04.2023 HOW TO SOLVE This error message is annoying for the user but can be disabled by adding the UNC path to the Intranet Zone. For this purpose, there is a so-called Site to Zone Mapping which is stored in the registry (the mapping can be set for the whole system or for the user): • HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap • HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey Both settings can also be configured via Group Policy: • Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page • User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page The name of the server is entered there, e.g., file://myserver1 with a value of 2, which stands for the intranet zone. SMBv1 NTLM v1 LDAP signing / channel binding User rights assignment Attack surface reduction rules Client challenges
  • 40. 40 TEAL Technology Consulting GmbH 19.04.2023 CHALLENGE 2 – OFFICE FILE FORMAT A recurring theme in client hardening is the handling of older Office formats. The Microsoft 365 Apps for Enterprise Baseline and the CIS Microsoft Office Excel Benchmark are quite restrictive and disable all older Office formats. This affects all old binary formats of the Office version older than 2007, before Office had introduced modern file formats based on XML. Most companies still use older Office formats at least in some areas and therefore have to soften the Microsoft baseline again in this area. SMBv1 NTLM v1 LDAP signing / channel binding User rights assignment Attack surface reduction rules Client challenges
  • 41. HOW TO SOLVE Verify which old Office templates exist that cannot be renewed. Unblock the Excel version via GPO: User Configuration > Administrative Templates > Microsoft Excel 2016 > Excel Options > Security > Trust Center > File Block Settings > Excel 97-2003 workbooks and templates. We provide here a small script that searches a given directory, including subdirectories, for files with the extension .xls and determines the exact version. However, the script must open the file, so it must only be applied to trusted files: macro code may be executed when the file is opened, and macros that start automatically and display a dialog box, for example, must be dismissed manually. After knowing which file formats are present, it should first be checked to what extent the older file formats can be converted into the current XML-based Office formats. Here it should also be checked whether there are applications that process these documents automatically (e.g. automated scanning and/or OCR software) and only support the old format.
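An inventory script of the kind the slide refers to, as an added example rather than the script from the deck: it walks a directory tree, opens each .xls through the Excel COM object and reports the exact binary format. It assumes Excel is installed on the scanning host and that the Excel 97-2003 file block from the baseline is not yet enforced there (otherwise Workbooks.Open fails); VBA is force-disabled for the Excel session so auto-starting macros cannot run, which removes the manual clicking-away the slide mentions, but the files should still be trusted ones.

```powershell
# Added example: inventory legacy .xls files via Excel COM with macros force-disabled.
function Get-LegacyExcelFormat {
    param([Parameter(Mandatory)] [string] $Path)   # root directory, scanned recursively

    # XlFileFormat values from the Excel type library for the formats of interest
    $formatNames = @{
        56 = 'Excel 97-2003 workbook (BIFF8)'          # xlExcel8
        39 = 'Excel 5.0/95 workbook (BIFF5/7)'         # xlExcel5 / xlExcel7
        35 = 'Excel 4.0 workbook (BIFF4)'              # xlExcel4Workbook
        33 = 'Excel 4.0 worksheet (BIFF4)'             # xlExcel4
        29 = 'Excel 3.0 worksheet (BIFF3)'             # xlExcel3
        16 = 'Excel 2.x worksheet (BIFF2)'             # xlExcel2
        51 = 'Open XML workbook (.xlsx content)'       # xlOpenXMLWorkbook
        52 = 'Open XML macro-enabled (.xlsm content)'  # xlOpenXMLWorkbookMacroEnabled
    }

    $excel = New-Object -ComObject Excel.Application
    try {
        $excel.Visible = $false
        $excel.DisplayAlerts = $false     # suppress repair / compatibility dialogs
        $excel.AskToUpdateLinks = $false
        $excel.AutomationSecurity = 3     # msoAutomationSecurityForceDisable: no VBA runs

        # -Filter '*.xls' would also match .xlsx through short names, so test the extension
        foreach ($file in Get-ChildItem -Path $Path -Recurse -File | Where-Object { $_.Extension -ieq '.xls' }) {
            $wb = $null
            try {
                # read-only, UpdateLinks = 0 so no external references are refreshed
                $wb = $excel.Workbooks.Open($file.FullName, 0, $true)
                $fmt = [int]$wb.FileFormat
                [pscustomobject]@{
                    File   = $file.FullName
                    Format = $fmt
                    Name   = if ($formatNames.ContainsKey($fmt)) { $formatNames[$fmt] } else { "unknown ($fmt)" }
                    HasVBA = [bool]$wb.HasVBProject   # macro code present: matters for the conversion decision
                    Error  = $null
                }
            } catch {
                [pscustomobject]@{ File = $file.FullName; Format = $null; Name = $null; HasVBA = $null; Error = $_.Exception.Message }
            } finally {
                if ($wb) { $wb.Close($false) }        # never save anything back
            }
        }
    } finally {
        $excel.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($excel)
    }
}

# Usage (share path is a placeholder): count files per format to size the conversion work
Get-LegacyExcelFormat -Path '\\fileserver\share' | Group-Object Name | Select-Object Count, Name
```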
  • 42. Q & A Any questions left?
  • 43. Contact us for more information FB Pro and TEAL INFO PAGE https://aktionen.teal-consulting.de/enforce-suite/ CONTACT US E-Mail: info@teal-consulting.de Phone: 0211/93675225
  • 44. THANK YOU!

Editor's Notes

  33. Prepared questions & answers:
    * We already have hardening. Windows Update and the firewall are enabled, and the print spooler is switched off as well. What more do you bring?
      -> Hardening is not necessarily hardening.
      -> At many customers, hardening is limited to setting 20 or 30 settings.
      -> We are talking about several hundred settings, based on industry-proven frameworks and checked regularly.
      -> In exceptional cases (and after several iterations) we reach more than 1000 settings at customers.
      -> For getting started, we also offer standard packages that can be applied directly without much impact.
    * Why do you do hardening with a tool? It can be done via GPO as well!
      -> True. But from our point of view, important features for the management, control and process integration of security-relevant settings are missing. A few examples:
      -> No monitoring: if someone (deliberately or not) changes settings, nobody notices.
      -> No process integration: if a machine becomes "non-compliant", GPO does not create a ticket or inform IT / the system owner.
      -> No backup/restore: if several hundred settings are set incorrectly on a system via GPO, there is no restore mechanism. Manual work is required. In times of a skilled-labour shortage, everyone can decide for themselves whether they want to spend valuable resources on this.
    * Why a hardening tool at all? Any configuration management can technically do that?
      -> Correct. Technically, everything can be distributed via tools.
      -> We focus very clearly on hardening and offer various functions to reach the goal faster: standard packages, the option to merge hardening specifications, individual web-based configuration options, etc.
    * Do you also offer "managed services"?
      -> Of course we do. Our customers use us as an extended workbench, fully integrated into their own processes.
      -> SLAs govern availability, and we take care of all questions around system hardening.

    Why do we need hardening at all? We already have SIEM / SOC / antivirus / EDR / IPS / IDS / firewall / zone separation / vulnerability scanner / quarantine networks.
    Regarding detection and response: hardening starts one or two stages earlier and ensures that attackers are offered the smallest possible attack surface. As a result, common attack methods are made impossible, or considerably harder, up front. Conversely, this reduces the number of possible security incidents and vulnerabilities and thus relieves units such as the SOC, CDC and vulnerability scanning teams, and ultimately also the operations units, which have fewer manual configuration tasks to secure their own systems.
    Then there is the compliance view, aimed at applicable regulations (ISO 27001:2022; BAIT, VAIT, etc.): the need for a risk calculation on whose basis, e.g., cyber risk insurance can be taken out or existing policies kept, since there is a risk that the insurer cancels the policy because of incalculable risks, or does not pay out, or pays only partially, in the event of a claim.

    We have already had first experiences with system hardening (either manually or with existing frameworks), and they were rather negative. After hardening, service X no longer worked, function Y behaved differently than before or not at all.
    Hardening must be done to measure, taking the target systems, infrastructure and business services into account. This requires deep technical know-how and a lot of time. To simplify this, we have developed templates that allow hardening in three stages. In this way an ever higher security standard can be reached over several iterations. In addition, there is the option of individualised hardening in a consulting approach. The end result of the latter is a tailored package including documentation.

    We have an IT department; it can implement the hardening topic.
    Hardening is a process in which a large spectrum of settings is enabled or disabled. These can be, e.g., registry entries or Windows features as well as "please add". Some settings influence each other, or dependencies exist that only produce the desired result together. Only through our tested hardening configurations, elaborated over many years and with these dependencies built in, is it possible to implement the desired results quickly and deliver a working hardened system. An IT department without long-standing hardening knowledge will not succeed. In our experience, the hardening project is shelved again for resource reasons and after a few failures. The EA makes simple and secure hardening according to standards possible, satisfying a wide variety of norms.