Six (or so) Quick Wins for Security


The majority of clients that my company does pentesting for tend to be smaller businesses with perhaps 150 to 1000 employees, so most of them do not have a dedicated team focused strictly on “security.” It may be a small part of one or two people’s jobs, but generally there isn’t someone tasked with overseeing the security plan or day-to-day details.

Sure, the CIO or IT Director is technically in charge, but they have a million other things to worry about. One thing I hear frequently on pentests is “…but you didn’t find anything major, right?” Usually this follows a discussion of how I, or someone on my team, was able to escalate to domain admin and pillage their network at will.

While no single finding may be earth-shattering on its own, a few low- to medium-severity findings can easily chain into a full compromise. Take LLMNR and NBT-NS, for example: there hasn’t been a pentest yet where I’ve found either one disabled. You walk the client through how you poisoned those broadcast name lookups to capture and crack hashes, or got plaintext credentials via WPAD poisoning, and you see their interest pick up a bit.

Then you explain how you took those user credentials, connected to their SYSVOL share, and, because a password was stored in a Group Policy Preferences (GPP) XML file (the cpassword value is encrypted with a key Microsoft itself published, and the MS14-025 patch only stops new ones being written, it does not clean up existing files), you were able to get DA access (because of course it was a DA password) and went about your business of finding the important stuff (because you didn’t just stop once you got DA, did you?)

So after reviewing other findings with the client, that’s usually when I hear the “…but you didn’t find anything major, right?” This consistently baffles me. What qualifies as major? My typical response is something along the lines of “Well, getting domain admin access isn’t really a good thing…but let’s talk about it.”

None of this is really new or earth-shattering, but I guess the point of all of this is that we need to be constantly aware of “all the little things” that go into securing our environments. Yes, that’s what clients are paying us for, to find these things and to make recommendations, but death by a thousand paper cuts is still death.

With that said, here’s a list of quick (generally easy) wins to help tighten things up a bit. (In no particular order)

  • Disable LLMNR and NBT-NS (LLMNR is a single Group Policy setting, “Turn off multicast name resolution”; NBT-NS is set per network adapter, so push it through GPO, DHCP option 001 in the Microsoft vendor class, or a script)
  • Disable SMBv1 (server and client side; anything that still needs it deserves its own finding)
  • Configure a DNS entry for WPAD that points to your current corporate proxy, so a poisoner on the LAN can’t be the first to answer the lookup. Two caveats: a Windows DNS server won’t answer for “wpad” until you remove it from the global query block list, and whatever host the record points at has to serve wpad.dat over plain HTTP. If you don’t run a proxy at all, turn off “Automatically detect settings” via GPO instead.
  • Verify null sessions are not permitted to your domain controllers (RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous under the Lsa key, plus the NullSessionPipes/NullSessionShares lists; then actually test it with an anonymous connection to IPC$)
  • User education (easier said than done, I know…)
    • Password length >= 15 characters
      • No complexity requirements
      • The longer, the better…but at least 15 characters (15 is also the length at which Windows stops storing the weak LM hash for a new password)
    • Encourage the use of password managers, and teach how to properly secure them
  • MFA/2FA (also easier said than done, but worth the headache)
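To show what the Windows-side items above look like in practice, here is a PowerShell script I’m adding as an example; it is not from the original post or any particular product. The domain name corp.example, the proxy host proxy.corp.example (which is assumed to serve wpad.dat) and the domain controller name dc01 are placeholders you would replace. The registry, adapter and SMB changes act on the host the script runs on (in a real rollout you would push them with GPO or your management tool); the DNS and password policy functions need the DnsServer and ActiveDirectory modules on a DC or an RSAT host.

```powershell
# Added example, not from the original post. Assumed placeholder names:
# corp.example, proxy.corp.example, dc01. Run elevated.
#Requires -RunAsAdministrator

function Disable-Llmnr {
    # EnableMulticast=0 under the DNSClient policy key is exactly what the
    # "Turn off multicast name resolution" GPO setting writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord
}

function Disable-NetBiosOverTcp {
    # NBT-NS is a per-adapter setting: TcpipNetbiosOptions 2 = disabled.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        }
}

function Disable-Smb1 {
    # Turn the server side off immediately, then remove the component so the
    # client side goes too. (On Windows Server use Remove-WindowsFeature FS-SMB1.)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Set-WpadRecord {
    param([string]$Zone = 'corp.example', [string]$ProxyHost = 'proxy.corp.example')
    # The DNS server silently refuses "wpad" while it is on the global query
    # block list, so keep only isatap on the list, then publish the CNAME.
    # Clients will fetch http://wpad.<zone>/wpad.dat, so the proxy must serve it.
    Set-DnsServerGlobalQueryBlockList -List 'isatap'
    if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name wpad -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordCName -ZoneName $Zone -Name wpad -HostNameAlias $ProxyHost
    }
}

function Test-NullSession {
    param([string]$DomainController = 'dc01')
    # Run this on the DC: compare the Lsa values with the hardened settings...
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $expected = @{ RestrictAnonymous = 1; RestrictAnonymousSAM = 1; EveryoneIncludesAnonymous = 0 }
    foreach ($name in $expected.Keys) {
        $actual = $lsa.$name
        $state = if ($actual -eq $expected[$name]) { 'OK ' } else { 'FIX' }
        '{0} {1,-26} expected {2}, got {3}' -f $state, $name, $expected[$name], $actual
    }
    # ...then try a real anonymous IPC$ connection, which is what an attacker does.
    # --% stops PowerShell from mangling the empty "" arguments; cmd expands %NS_DC%.
    $env:NS_DC = $DomainController
    cmd.exe /c --% net use \\%NS_DC%\IPC$ "" /user:"" >nul 2>&1
    if ($LASTEXITCODE -eq 0) {
        cmd.exe /c --% net use \\%NS_DC%\IPC$ /delete >nul 2>&1
        "Null session to $DomainController`: ALLOWED (fix it)"
    } else {
        "Null session to $DomainController`: denied"
    }
}

function Set-MinimumPasswordLength {
    param([string]$Domain = 'corp.example', [int]$Length = 15)
    # Length-only policy as recommended above; >= 15 also stops the LM hash being stored.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain -MinPasswordLength $Length -ComplexityEnabled $false
}

# Example run on a domain controller (edit the placeholder names first):
Disable-Llmnr
Disable-NetBiosOverTcp
Disable-Smb1
Set-WpadRecord -Zone 'corp.example' -ProxyHost 'proxy.corp.example'
Test-NullSession -DomainController 'dc01'
Set-MinimumPasswordLength -Domain 'corp.example' -Length 15
```

The registry and adapter changes take effect on the next name lookup, but removing the SMB1 component needs a reboot, and the default domain password policy only applies to passwords changed after the policy is set, so pair it with a forced change or a fine-grained policy for the accounts that matter most.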

I’m sure there are other tasks that are relatively easy, but this isn’t intended to be a comprehensive list, just a basic list of quick wins. None of them alone will stop someone with the knowledge and determination, but together they make the job a good deal harder.