WHAT IS HARDENING


What is hardening? Why is hardening mandatory? When should you harden a system? Hardening is the process of improving the information security of a system through rules and security configuration settings for the server and the system: the set of principles and mechanisms that an administrator must configure and apply across the whole environment. Doing so reduces the security risk coming from the services running on that server. I will show you how to carry this out on Windows Server 2016. You should perform hardening right after you have finished installing the server.


How do you run the commands I provide below? On the taskbar -> Start -> powershell ise -> right-click -> Run as Administrator. Alternatively, save the commands to a file with the .ps1 extension, e.g. Hardening.ps1 -> right-click -> Open PowerShell window here as administrator.


```powershell
# Hardening OS
# Disable NLA, SMBv1, NetBIOS over TCP/IP, PowerShellV2, Audit log
# Enables UAC, SMB/LDAP Signing, Show hidden files
# Fix CredSSP Remote Desktop
# ---------------------

# Set TimeZone GMT+7 (Ha Noi)
Set-TimeZone -Name "SE Asia Standard Time"

# EnableMulticast controls LLMNR: 0 disables it, 1 (the default) leaves it enabled
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v LMCompatibilityLevel /t REG_DWORD /d 5 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /v WpadOverride /t REG_DWORD /d 1 /f

# https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
# https://en.hackndo.com/pass-the-hash/
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f

# Prevent (remote) DLL Hijacking
# https://www.greyhathacker.net/?p=235
# https://www.verifyit.nl/wp/?p=175464
# https://support.microsoft.com/en-us/help/2264107/a-new-cwdillegalindllsearch-registry-entry-is-available-to-control-the
# The value data can be 0x1, 0x2 or 0xFFFFFFFF.
# If the value name CWDIllegalInDllSearch does not exist or the value data is 0 then the machine will still be vulnerable to attack.
# Blocks a DLL Load from the current working directory if the current working directory is set to a WebDAV folder (set it to 0x1)
# Blocks a DLL Load from the current working directory if the current working directory is set to a remote folder (such as a WebDAV or UNC location) (set it to 0x2)
# ---------------------
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0x2 /f

# Disable IPv6
# https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users
# ---------------------
reg add "HKLM\SYSTEM\CurrentControlSet\services\tcpip6\parameters" /v DisabledComponents /t REG_DWORD /d 0xFF /f

# Disable SMBv1
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart

# Disable PowerShell v2
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart

#######################################################################
# Harden lsass to help protect against credential dumping (Mimikatz)
# Configures lsass.exe as a protected process & disables wdigest
# https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx
# https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
# ---------------------
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdminOutboundCreds /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v Negotiate /t REG_DWORD /d 0 /f

# Enable Firewall Logging
# ---------------------
netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set currentprofile logging maxfilesize 4096
netsh advfirewall set currentprofile logging droppedconnections enable

# Disable AutoRun
# ---------------------
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f

## Show known file extensions & hidden files
# ---------------------
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f

#### Microsoft Windows Security Update Registry Key Configuration Missing (ADV180012) (Spectre/Meltdown Variant 4) ####
# Impact: An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries.
# Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability.
# In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an
# attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639
# Both values must be REG_DWORD; without -Type DWord, Set-ItemProperty would create them as strings
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "FeatureSettingsOverride" -Value 8 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "FeatureSettingsOverrideMask" -Value 3 -Type DWord

##### Windows Registry Setting To Globally Prevent Socket Hijacking Missing ####
# Impact: If this registry setting is missing, in the absence of a SO_EXCLUSIVEADDRUSE check on a listening privileged socket,
# local unprivileged users can easily hijack the socket and intercept all data meant for the privileged process
#####
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters" -Name "ForceActiveDesktopOn" -Value 1 -Type DWord

#### MS15-011 Hardening UNC Paths Breaks GPO Access - Microsoft Group Policy Remote Code Execution Vulnerability (MS15-011) ####
# Impact: The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system
# to connect to an attacker-controlled network
###
# The HardenedPaths key does not exist on a fresh install, and Set-ItemProperty cannot create keys, so create it first
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\netlogon" -Value "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\sysvol" -Value "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"

##### Enabling strong cryptography for .NET v4 (x64)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value "1" -Type DWord

##### Disable SMBv3 compression - SMBGhost RCE (CVE-2020-0796)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force

##### Fix CredSSP
# 2 is the "Vulnerable" policy level: RDP to unpatched hosts works again, but the encryption-oracle protection is removed
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2 /f

##### Disable NLA
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

# Audit Log
auditpol /set /category:"System" /failure:enable /success:enable
auditpol /set /category:"Account Management" /failure:enable /success:enable
auditpol /set /category:"Account Logon" /failure:enable /success:enable
auditpol /set /category:"Logon/Logoff" /failure:enable /success:enable
auditpol /set /category:"Policy Change" /failure:enable /success:enable

# Fix DNS 2020-1350 (only relevant when the DNS Server role is installed)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
# "&&" is not valid in Windows PowerShell 5.1; run the two commands in sequence
net stop DNS; net start DNS

Write-Host "Hardening successfully"
Invoke-Command -ScriptBlock { gpupdate /force }

# Create new user Admin & add to group Administrators
# Base64 decode $SystemObfuscation to get your password
$SystemObfuscation = "UmVwbGFjZV9teV93aXRoX2Jhc2U2NF9lbmNvZGU="
$SystemConvert = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SystemObfuscation))
net user /add admin $SystemConvert
net localgroup administrators admin /add

##### Set user admin password never expire
Set-LocalUser -Name "admin" -PasswordNeverExpires $true
#################################################
```
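Registry writes from a long script fail silently more often than people expect (a typo in a path, a missing parent key, a policy that later overrides the value), so it is worth reading the settings back. The following verification script is an added example, not part of the original post: the check table, Test-HardeningValue and Test-AuditCategory are mine, and the expected values are simply what the script above writes (including the two settings, NLA and AllowEncryptionOracle, where the script picks the weaker option). Run it in an elevated PowerShell after the hardening script.

```powershell
# Read back a selection of the values the hardening script above writes and report mismatches.
# Added verification example; expected values mirror the script, not a separate baseline.
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RunAsPPL'; Expected = 1; Note = 'LSASS as protected process' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LMCompatibilityLevel'; Expected = 5; Note = 'NTLMv2 only' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'; Expected = 0; Note = 'no WDigest plaintext creds' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1'; Expected = 0; Note = 'SMBv1 server off' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'DisableCompression'; Expected = 1; Note = 'SMBv3 compression off' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1; Note = 'UAC on' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LocalAccountTokenFilterPolicy'; Expected = 0; Note = 'remote UAC token filtering' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name = 'CWDIllegalInDllSearch'; Expected = 2; Note = 'no DLL load from remote CWD' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'; Name = 'AllowEncryptionOracle'; Expected = 2; Note = 'script chooses the permissive level' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'UserAuthentication'; Expected = 0; Note = 'script turns NLA off' }
)

function Test-HardeningValue {
    param([hashtable]$Check)
    # Get-ItemProperty throws both for a missing key and for a missing value name; treat both as "not set"
    try {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name)
    } catch {
        $actual = $null
    }
    [pscustomobject]@{
        Setting  = $Check.Name
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $Check.Expected) { 'OK' } else { 'MISMATCH' }
        Note     = $Check.Note
    }
}

# Audit policy is not a plain registry value; read it back with auditpol's CSV output (/r)
function Test-AuditCategory {
    param([string]$Category)
    $rows = auditpol /get /category:"$Category" /r | ConvertFrom-Csv
    $partial = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
    [pscustomobject]@{
        Setting  = "Audit: $Category"
        Expected = 'Success and Failure'
        Actual   = if ($partial.Count -eq 0) { 'Success and Failure' } else { "$($partial.Count) subcategories differ" }
        Status   = if ($partial.Count -eq 0) { 'OK' } else { 'MISMATCH' }
        Note     = 'set by auditpol /set in the script'
    }
}

$results  = @($Checks | ForEach-Object { Test-HardeningValue -Check $_ })
$results += @('System', 'Account Management', 'Account Logon', 'Logon/Logoff', 'Policy Change' | ForEach-Object { Test-AuditCategory -Category $_ })
$results | Format-Table -AutoSize
$bad = @($results | Where-Object Status -ne 'OK').Count
Write-Host "$bad of $($results.Count) settings differ from what the hardening script sets"
```

A MISMATCH on RunAsPPL or UseLogonCredential right after the script usually means the value was written but a reboot is still pending; a MISMATCH that persists after reboot points at a Group Policy object overriding the local value.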