Five immediate measures for system hardening
Guardicore provides end-of-support security advisories for Windows Server 2008 R2, Windows Server 2008, and Windows 7. As of January 14, 2020, users of these Microsoft operating systems will no longer receive free security updates or online updates. Without security-related updates, the affected IT systems will no longer be protected against newly discovered vulnerabilities.
While some of the operating systems mentioned are more than a decade old, it is estimated that Windows Server 2008/2008 R2 alone is still in use on nearly one in three servers worldwide. Many organizations cannot switch to current operating system versions because they are subject to complicated legal and certification requirements, or simply do not have the necessary budget available. Bridging solutions are therefore in demand to support time-consuming migration processes.
In a recent blog post, Guardicore security researcher Daniel Goldberg offers five security recommendations:
1. Organizations should follow the official best practice recommendations for hardening Windows Server 2008 R2 and Windows 7. Microsoft periodically publishes these guidelines as part of its free Microsoft Baseline Security Analyzer, which scans for security misconfigurations and for missing security updates, update rollups, and service packs.
2. If possible, message signing should be disabled for the SMBv1 and SMBv2 (Server Message Block) network protocols. This prevents many lateral-movement attacks across the network, such as those that rely on the EternalBlue exploit or on NTLM (NT LAN Manager) relaying.
3. Configure the network authentication settings to block outdated, weak authentication methods such as NTLMv1 or LanMan. This prevents many token theft attacks (for example, with the Mimikatz attack tool).
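Items 2 and 3 both come down to a handful of registry values on the host. The following read-only audit script is an added example, not part of the Guardicore post or of Microsoft's guidance; it reports the SMBv1, SMB signing and NTLM settings those items refer to. The "Expected" column holds the values at which the SMB server and client refuse unsigned sessions, SMBv1 is switched off, and LM/NTLMv1 are refused, which is the state in which the NTLM relay attacks named in item 2 and the NTLMv1/LanMan weaknesses named in item 3 do not work. The check names and notes are the author's own; the registry paths and value names are the standard ones. It uses only PowerShell 2.0 features so it runs on Windows 7 and Server 2008 R2, where the SmbShare module does not exist.

```powershell
# Added audit example (not from the Guardicore post): reads the registry values behind
# items 2 and 3 and reports whether each matches the hardened setting. Read-only.
# Run in an elevated PowerShell prompt on the host being checked.
# Works with PowerShell 2.0 on Windows 7 / Server 2008 R2 (no SmbShare module needed).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-HardeningSettings {
    $lanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lanmanClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $lsa          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Each check: display name, registry location, expected value, and what the setting controls.
    $checks = @(
        @{ Name = 'SMB1 (server)';                 Path = $lanmanServer; Value = 'SMB1';                     Expected = 0; Note = '0 = SMBv1 server disabled (absent value means SMBv1 is still on)' },
        @{ Name = 'SMB signing required (server)'; Path = $lanmanServer; Value = 'RequireSecuritySignature'; Expected = 1; Note = '1 = server refuses unsigned SMB sessions' },
        @{ Name = 'SMB signing required (client)'; Path = $lanmanClient; Value = 'RequireSecuritySignature'; Expected = 1; Note = '1 = client refuses unsigned SMB sessions' },
        @{ Name = 'LmCompatibilityLevel';          Path = $lsa;          Value = 'LmCompatibilityLevel';     Expected = 5; Note = '5 = send NTLMv2 only, refuse LM and NTLMv1' },
        @{ Name = 'NoLMHash';                      Path = $lsa;          Value = 'NoLMHash';                 Expected = 1; Note = '1 = do not store the weak LM hash of passwords' }
    )

    foreach ($c in $checks) {
        $observed = Get-RegValue -Path $c.Path -Name $c.Value
        $status = if ($observed -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        # Hashtables are unordered in PowerShell 2.0, so column order is fixed by Format-Table below.
        New-Object PSObject -Property @{
            Check    = $c.Name
            Observed = $(if ($observed -eq $null) { '<not set>' } else { $observed })
            Expected = $c.Expected
            Status   = $status
            Note     = $c.Note
        }
    }
}

Test-HardeningSettings | Format-Table Check, Observed, Expected, Status, Note -AutoSize
```

Every row marked REVIEW is a setting to compare against the organization's hardening baseline before a change is pushed by Group Policy; the script itself changes nothing. An absent SMB1 value is reported as "not set" rather than as a pass, because on these operating systems the protocol is enabled unless the value has been explicitly set to 0.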
4. To be able to investigate security incidents and to detect tampering with log files, it is recommended to forward all event logs to a central, hardened server. Microsoft provides detailed instructions on how to do this, and Palantir provides further sample scenarios and helper tools.
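The built-in mechanism for this on Windows is Windows Event Forwarding (WEF), where the source hosts push events over WinRM to a collector. The script below is an added example, not taken from the Guardicore post, Microsoft's documentation or Palantir's material; it creates a source-initiated subscription for the Security log on the collector and points a Windows 7 / Server 2008 R2 source at it. The collector hostname, subscription name and the temporary file path are placeholders chosen for the example; the subscription XML schema, the SubscriptionManager policy value and the wecutil/winrm commands are the standard ones.

```powershell
# Added example (not from the Guardicore post or Microsoft's docs): source-initiated
# Windows Event Forwarding so member servers push their Security log to a hardened collector.
# Run each part where its comment says. Hostnames are placeholders; replace them with your own.

$collector = 'wec01.corp.example'   # placeholder collector FQDN

# --- Part 1: on the COLLECTOR (elevated prompt) ---
# Enable the Windows Event Collector service and the WinRM listener it receives on.
wecutil qc /q
winrm quickconfig -q

# Subscription definition: all Security-log events from domain computers, delivered
# into the ForwardedEvents log. The SDDL grants the built-in "Domain Computers"
# group (well-known SID string DC) permission to forward to this subscription.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-Log-Central</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log from all domain computers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0"><Select Path="Security">*</Select></Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@
$subscriptionFile = "$env:TEMP\security-log-central.xml"   # placeholder path
$subscriptionXml | Set-Content -Path $subscriptionFile -Encoding ASCII
wecutil cs $subscriptionFile

# --- Part 2: on each SOURCE host (Windows 7 / Server 2008 R2) ---
# Normally delivered by Group Policy ("Configure target Subscription Manager"); the same
# value can be written directly. The forwarder runs as Network Service, which must be
# allowed to read the Security log, hence the Event Log Readers membership.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name '1' -PropertyType String -Force `
    -Value "Server=http://$($collector):5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null
winrm quickconfig -q
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# --- Part 3: verify on the COLLECTOR ---
# Lists every source that has checked in, with its last heartbeat and any delivery errors.
wecutil gr Security-Log-Central
```

The collector is the host to harden and to watch: once logs live there, an attacker who clears a source's local Security log no longer removes the evidence, and the heartbeat in the subscription runtime status shows which sources have stopped reporting. The HTTP transport shown is Kerberos-authenticated and encrypted at the WS-Management layer for domain members; HTTPS with a certificate is needed only for non-domain sources.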
5. Security segmentation - Segmentation deprives attackers of options when moving laterally across the network. By separating the network into individual logical segments, organizations can significantly reduce the attack surface for network attacks and lower the risk of data breaches. For example, in most enterprise networks, desktops do not need to communicate directly with each other. With micro-segmentation, traffic between machines in the same segment can be blocked, which slows an attacker's movement through the network.
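The "desktops do not need to talk to each other" case can be enforced on each host with the Windows Firewall that ships with Windows 7 and Server 2008 R2, without any additional product. The script below is an added example, not from the Guardicore post; the subnet and the management host address are placeholders, and netsh is used because the NetSecurity PowerShell cmdlets only exist from Windows 8 / Server 2012 onward.

```powershell
# Added example (not from the Guardicore post): host-level segmentation of a Windows 7
# desktop with the built-in Windows Firewall. Placeholders: the workstation segment is
# 10.10.0.0/16 and the one management host allowed to reach desktops is 10.10.1.5.
# Run in an elevated prompt on the desktop (or deploy the same rules via Group Policy).

# When traffic matches both a block rule and an allow rule, the block rule wins. The
# management host is therefore carved out of the blocked address range rather than
# being given an allow rule that the block would override.
$peerWorkstations = '10.10.0.0-10.10.1.4,10.10.1.6-10.10.255.255'   # segment minus the management host

# Make sure the domain profile is on and denies inbound traffic by default.
netsh advfirewall set domainprofile state on
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

# Explicit block for peers in the same segment. This overrides the broad built-in allow
# rules (file and printer sharing, remote desktop from any address) for those sources.
netsh advfirewall firewall add rule name="Segment: block peer workstations" `
    dir=in action=block profile=domain remoteip=$peerWorkstations

# The single peer-to-peer path this desktop needs: RDP from the management host only.
netsh advfirewall firewall add rule name="Segment: allow management RDP" `
    dir=in action=allow profile=domain protocol=TCP localport=3389 remoteip=10.10.1.5

# Log dropped connections so blocked peer traffic is visible in the logs that item 4 forwards.
netsh advfirewall set domainprofile logging droppedconnections enable

# Verify the rules that are in force.
netsh advfirewall firewall show rule name="Segment: block peer workstations"
netsh advfirewall firewall show rule name="Segment: allow management RDP"
```

Servers that desktops legitimately use (file servers, domain controllers, the collector from item 4) sit outside the blocked range and are unaffected; what disappears is the desktop-to-desktop path that lateral-movement tooling relies on. The dropped-connection log then doubles as a detection source: a desktop that suddenly receives SMB or RDP attempts from its peers is worth a look.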