This document provides security tips and recommendations from Sami Laiho, a senior technical fellow specializing in Windows security. Some of the key recommendations include: implementing whitelisting like AppLocker and following the principle of least privilege; using Windows 10 Enterprise over Windows 7 for improved security features; choosing hardware with TPM and virtualization support; applying full disk encryption with BitLocker; restricting administrative access and using tools like Avecto DefendPoint for privilege elevation; and implementing password policies and end user training. Contact information is provided to learn more about security training and services.

2. The Night is Dark and full of
Hackers: Security Tips & Tricks
from Beyond the Wall
AKA: ”Security affordable – this is how I do it!”
2

3. Sami Laiho
Senior Technical Fellow
adminize.com
• IT Admin since 1996
• MVP in Windows OS since 2011
• Specializes in and trains:
• Troubleshooting
• Security
• Windows Internals
• Trophies:
• Best and 3rd session at MCT Summit 2018
• Best two Sessions at IGNITE 2018! (out of 1708 session in total)
• Best Session at AppManagEvent 2017 and 2018, Utrecht
• Best External Speaker at Ignite 2017
• Best Sessions (#1 and #2) at TechTalks 2017, Helsinki
• TechDays Sweden 2016 – Best Speaker
• NIC 2016, 2017 - Best Speaker
• Ignite 2015 – Best male presenter ;) (#2 out of 1000 speakers)
• TechEd Europe and North America 2014 - Best session, Best
speaker

4. I got Certs

5. 1,2 kilos of
them

6. • Established in 1983
• Just Me, Myself and I
• We deliver:
• Training!
• Private classes anywhere in the World!
• Around 1000€/1200$ per head for 4 days
• Security Audit for Windows environments
• Two days onsite/online
• Two days of reporting/documenting offsite
• 10000€/12000$
• AppLocker/Whitelisting implementation
• 10000€/12000$ + t&e
• Takes around 4 days
• VoD Training
• https://win-fu.com/dojo
• Best at a very cheap price!
• I deliver training through PluralSight as well but not the
same content
Adminize.com

7. Windows XP Deep Dive in 2001

8. • sami@adminize.com
• Twitter: @samilaiho
• Blog: http://blog.win-fu.com/
• Free newsletter:
http://eepurl.com/F-GOj
Contact

9. @samilaiho
If you are not on Twitter – get on Twitter!
9

10. Security is a compromise
Secure

11. Most Important Rules in Windows Security
• You have no security in Windows unless
• You have Full Disk Encryption
• You follow the Principle of Least Privilege

12. Gartner, NIST and others
• Say that the most important security feature to implement in 2018 is
Whitelisting
• #2 is Principle of Least Privilege
• #3 is Hard Disk Encryption
12

13. Choosing the correct hardware
13

14. Choosing Harware
• 64-bit
• UEFI with SecureBoot
• Virtualization support: Intel VT or
AMD-V
• SLAT: Intel EPT or AMD RVI
• TPM
• 1.2 ok for Windows 7
• 2.0 for Windows 10 is better
• DMA-ports?
• No on Windows 7
• TB3 on Windows 10 is OK
• Nice to have:
• IO-MMU
• Intel VT-d or AMD-Vi
• I would require:
• PXE boot available and ON
• Virtualization and TPM ON
• For Windows 7 SecureBoot OFF
14

15. Operating System
• I would go for Windows 10 Enterprise if I can choose
• SecureKernel stuff like Credential Guard, Device Guard
• Windows Defender Application Guard
• AppLocker
• Windows 7 Enteprise is fine as well
• General rule: get the hell away from Windows 8 and 8.1
15

16. Network Infrastructure
• Managed network devices that are easy to manage and monitor
• Meraki (Awesome if money is no object)
• Unifi (I’m in love with these because of the price)
• I prefer my devices to connect to corporate network with Direct
Access
• BUT…
16

17. AD-infrastructure
• Domain names
• No company name
• TLD to be .local or .ds
• Always build two DFS-roots
• One for shares used by users
• One for IT’s needs and AD’s use
• If you have insecure remote locations use RODC
• Use Redircmp and Redirusr
17

18. Applying Principle of Least
Privilege
18

19. Admin Access
• No end user get admin access to their device
• Not the Boss, not the girlfriend and not the devs
• No IT-admin interactively logs on to their box with an administrative
account
• They use Runas-solutions like UAC
19

20. Avecto DefendPoint
• You can
• Auto elevate
• Auto elevate with a warning
• Auto elevate with a question for reason
• Elevate with a managers approval
• Elevate with a challenge code
20

21. Examples
• Applications that require admin rights
• Updating things you don’t have to time manage
• IP-addresses and Networking
• Joining the domain
• Hyper-V Management
• Visual Studio
21

22. Extra from Avecto
• Whitelisting is better than AppLocker
• Better pinpointing at a task
• Grey list
• Better messaging
• Sandboxing for browsers
• Neat but not without some problems
• No admin + good whitelisting = very little need for this…
22

23. Administering local admin
accounts
23

24. Randomizing Passwords
• LAPS is fine
• Randomizes passwords
• AD-Domains only
• Needs online access to AD
• Doesn’t change password based on usage
• This is a good thing for some people
• I use Adminizer ;)
• Randomizes passwords
• Workgroups, Azure AD, BYOD etc.
• Totally Offline and self-sufficient
• Changes password both based on usage and based on time
24

25. Other stuff
• I let the local Administrator be named Administrator as it will anyway
have the same SID
• I don’t intentionally disable them either
• Guest I disable but don’t rename
25

26. Using AD administrative accounts
(Domain, Enterprise, Schema)
26

27. Enterprise and Schema Admins
• These group are and stay empty
• Only added a domain admin user when needed
• If you doubt yourself or colleagues just create a scheduled task on a
DC to clear them
• Schema Admins are only needed when changing the schema
• Enterprise Admins are needed mainly for
• DHCP authorize
• Adding or removing domains
• Site applied GPOs
27

28. Domain Admins
• Only used for administering DC’s or AD
• Remember to administer from an administration Work Station or Server –
NOT BY LOGGING ON TO A DC!!
• Are denied from logging on to anywhere else but Domain Controllers
– By Policy!
28

29. Mitigating PtH?
• Split your environment into three layers
• Never allow higher layer admins to logon to lower layers
Power
(DCs)
Data (Servers and
Apps)
Access (Endpoints)
Domain Admins
Server Admins Workstation Admins

30. Recommended settings for
BitLocker
30

31. BitLocker
• BitLocker on all machines that are outside of the server rooms
• Unless you can’t trust your admins → Include Servers
• Aim for TPM only
• Make sure your recovery keys are stored in AD
• Increase encryption to 256 with a diffuser
31

32. BitLocker FlowChart by me
• http://win-fu.com/files/TPM-FlowchartV3.pdf
32

33. Recommended settings for UAC
33

34. Normal UAC
• No changes to security needed but I always disable UAC Virtualization
34

35. High Secure UAC
• Change the prompt for UAC to ask for credentials for admins
• Kills all BadUSB and Rubber Ducky –attacks
• Also disable UAC virtualization
35

36. Recommended settings for
AppLocker, SRP or other
whitelisting
36

37. My own device
• Relies on the knowledge of the user
37

38. My customer devices
• Basic rules + AccessChk revealed exceptions
• Use certificates if you can (and trust the company)
• Then add required network locations with
• UNC
• IP
• FQDN
• Then add local applications outside of the default folders with Certs,
Folders (if they can be blocked from writing to by limited users)
• Problematic ones
• Self-updating, not signed and stored in users profile
38

39. Recommended settings for Share
permissions
39

40. Share settings are easy
• Always change two things
1. Block Offline use by default
2. EVERYONE – FULL CONTROL
• NTFS-ACL’s are always more granular and better
• I won’t kill you if you want to set different for user redirected folders
• EVERYONE – CHANGE
• Blocks users from sharing their files with other as they will by default get Full
Control to these
40

41. Recommended settings for builtin
certificates
41

42. EFS
• Remember to replace the default Administrator certificate from your
CA
42

43. Recommended settings for AV
and Firewalls
43

44. Things to note about Defender
• Only things that Defender can’t do
• Centralized Reporting
• Centralized Management
• Talk to the Firewall
• We can say that the engine of Defender is just fine
• 1% more found malware in tests currently means 10000 malware samples that were
not detected → Basically useless!
• I choose by
• The size of the wallet
• Burden on the OS
• Honestly:
• If you have System Center use SCEP
• Take a look at ATP!
44

45. Recommended settings for IPsec
45

46. How I use IPsec
• Require Inbound, Request Outbound
• Kerberos for users and computers
• Exclude DC’s and hard cases – You don’t need to get to 100%!
• Buy printers (etc) that can have a certificate if possible
46

47. Common recommendations for
Windows Security
47

48. Group Policies and Security
Policies
48

49. My Policies
• Document with the Group Policy Settings Reference
• Many policies are not needed anymore for most, like:
• Always wait for the network on startup and logon
• Disable System Restore
• I nowadays try to avoid GPUPDATE /FORCE by changing group policy
CSE’s to process even if the policy has not changed
• For troubleshooting I always change a few things as well:
49

50. Detailed error messages
50

51. Ability to read RSOP data
51

52. Password Policies
52

53. End User Training on Good Passwords
• For everyone
• Minimum length of 8 characters (but don’t advertise this)
• Complexity required
• Numbers
• at the beginning and end
OR
• in the middle
• For important users like admins it’s
• Minimum length of 15 characters
53

54. End User Training on Good Passwords
• Show people http://haveibeenpwned.com/ and teach to use different
passwords on every site
• Like
• Flower10SkypeGrows!
• Flower10DropbGrows!
• Massively10HardIL
• Massively10HardPO
• Massively10HardBM
54

55. Implement PAWs
55

56. https://www.cisecurity.org/controls/
• Block 97% of threats

57. Contact
• sami@adminize.com
• Twitter: @samilaiho
• Blog: http://blog.win-fu.com/
• Free newsletter:
http://eepurl.com/F-GOj
• Video-based training:
• http://www.pluralsight.com/
• Want free codes? Email me!
• NOW: http://win-fu.com/dojo
•Trial2018