Tuesday, May 23, 2017

Harden Windows with Group Policy: Common Exploit Mitigation

Disabling a number of "features" exposed by Windows, Microsoft Office and Adobe Reader is a simple way to reduce the attack surface. The settings below can all be applied through Group Policy.


Common Exploit Mitigations

Generic Windows Features

1. Disable Windows Script Host. Windows Script Host allows the execution of VBScript and JavaScript (JScript) files on Windows operating systems. This is very commonly used by regular malware (such as ransomware) as well as by targeted malware.

2. Disable AutoRun and AutoPlay. Disables AutoRun / AutoPlay for all devices. For example, this should prevent applications from automatically executing when you plug a USB stick into your computer.

3. Disable powershell.exe, powershell_ise.exe and cmd.exe execution via Windows Explorer. You will not be able to use the terminal, and it should prevent malicious code that is trying to infect the system from using PowerShell.

4. Set User Account Control (UAC) to always ask for permission (even for configuration changes only) and to use the "secure desktop".

Microsoft Office

1. Disable macros. Macros are at times used by Microsoft Office users to script and automate certain activities, especially calculations in Microsoft Excel. However, macros are currently a security plague and are widely used as a vehicle for compromise. The "Enable this Content" notification on macro documents is disabled too, to prevent users from being tricked into enabling them.

2. Disable OLE object execution. Microsoft Office applications are able to embed so-called "OLE objects" and execute them, at times also automatically (for example through PowerPoint animations). Windows executables, such as spyware, can also be embedded and executed as an object. This is also a security disaster which we have observed used time and time again, particularly in attacks against activists in repressive regions.

3. Disable ActiveX. Disables ActiveX controls for all Office applications.

Acrobat Reader

1. Disable JavaScript in PDF documents. Acrobat Reader allows JavaScript code to be executed from within PDF documents. This is widely abused for exploitation and malicious activity.

2. Disable execution of objects embedded in PDF documents. Acrobat Reader also allows embedded objects to be executed by opening them. This would normally raise a security alert, but given that legitimate uses of this are rare and limited,
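As an added example (not part of the original post), a read-only PowerShell audit that reads the registry values these Group Policy settings write and reports which of the mitigations above are actually in place on a machine. The Windows policy paths are the standard ones; the Office 16.0 / Word-only and Acrobat Reader DC paths are assumptions to adapt to the versions you run, and the PowerShell-blocking and Reader embedded-object items have no single registry value, so they are not covered.

```powershell
# Added audit script: checks the registry values behind the checklist above.
# It only reads; nothing is changed. Run in an elevated PowerShell.
# Assumptions: Office 16.0 policy paths (Word only) and Acrobat Reader DC paths.
$checks = @(
    @{ Name = 'Windows Script Host disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Value = 'Enabled';                    Expected = 0 },
    @{ Name = 'AutoRun disabled on all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun';         Expected = 255 },
    @{ Name = 'Command prompt blocked (1 = cmd.exe and batch files)'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'DisableCMD';                 Expected = 1 },
    @{ Name = 'UAC prompts admins for consent'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'ConsentPromptBehaviorAdmin'; Expected = 2 },
    @{ Name = 'UAC prompts on the secure desktop'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'PromptOnSecureDesktop';      Expected = 1 },
    @{ Name = 'Word macros disabled without notification'   # assumed Office 16.0 path
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Word\Security'
       Value = 'VBAWarnings';                Expected = 4 },
    @{ Name = 'Word packager (OLE) objects blocked'         # assumed Office 16.0 path
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Word\Security'
       Value = 'PackagerPrompt';             Expected = 2 },
    @{ Name = 'Acrobat Reader JavaScript locked off'         # assumed Reader DC path
       Path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
       Value = 'bDisableJavaScript';         Expected = 1 }
)

function Test-Mitigation {
    param([hashtable]$Check)
    # A missing key or value means the policy was never applied; report that
    # as "not set" instead of letting Get-ItemProperty throw.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }
    [pscustomobject]@{
        Mitigation = $Check.Name
        Expected   = $Check.Expected
        Actual     = if ($null -eq $actual) { 'not set' } else { $actual }
        Status     = if ($actual -eq $Check.Expected) { 'OK' } else { 'MISSING' }
    }
}

$checks | ForEach-Object { Test-Mitigation $_ } | Format-Table -AutoSize
```

Any row reporting MISSING is a mitigation from the list that is not enforced on that host, which is the first thing to verify after pushing the policy.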
