What is hardening

What is hardening? Why harden? When should you harden? Hardening is the process of raising the information security of a system through rules and security configuration settings for the operating system and its services: the set of rules and policies that the administrator must configure and roll out to the whole of their system.

From there we can minimise the security risks coming from the services running on that server. I will walk you through how to carry this out on Windows Server 2016. Hardening should be carried out right after a fresh server installation has finished.

1. How do you run the commands I provide below?

On the taskbar -> Start -> powershell ise -> right-click -> Run as Administrator. Or save the file with the .ps1 extension, for example Hardening.ps1 -> right-click -> Open PowerShell window here as administrator.

# Hardening OS
# Disable NLA, SMBv1, NetBIOS over TCP/IP, PowerShellV2, Audit log
# Enables UAC, SMB/LDAP Signing, Show hidden files
# Fix CredSSP.. Remote Desktop
# ———————
# Set TimeZone GMT +7 HaNoi
Set-TimeZone -Name "SE Asia Standard Time"
# Disable LLMNR (multicast name resolution): 0 = off, 1 = on
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
# Enable UAC
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
# NTLMv2 only, refuse LM and NTLM
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v LMCompatibilityLevel /t REG_DWORD /d 5 /f
# Disable WPAD proxy auto-discovery
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /v WpadOverride /t REG_DWORD /d 1 /f
# https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
# https://en.hackndo.com/pass-the-hash/
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f
# Prevent (remote) DLL Hijacking
# https://www.greyhathacker.net/?p=235
# https://www.verifyit.nl/wp/?p=175464
# https://support.microsoft.com/en-us/help/2264107/a-new-cwdillegalindllsearch-registry-entry-is-available-to-control-the
# The value data can be 0x1, 0x2 or 0xFFFFFFFF. If the value name CWDIllegalInDllSearch does not exist or the value data is 0 then the machine will still be vulnerable to attack.
# Blocks a DLL Load from the current working directory if the current working directory is set to a WebDAV folder (set it to 0x1)
# Blocks a DLL Load from the current working directory if the current working directory is set to a remote folder (such as a WebDAV or UNC location) (set it to 0x2)
# ———————
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0x2 /f
# Disable IPv6
# https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users
# ———————
reg add "HKLM\SYSTEM\CurrentControlSet\services\tcpip6\parameters" /v DisabledComponents /t REG_DWORD /d 0xFF /f
# Disable SMBv1
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart
# Disable PowerShell v2
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart
########################################################################
# Harden lsass to help protect against credential dumping (Mimikatz)
# Configures lsass.exe as a protected process and disables wdigest
# https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx
# https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
# ———————
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdminOutboundCreds /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v Negotiate /t REG_DWORD /d 0 /f
# Enable Firewall Logging
# ———————
netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set currentprofile logging maxfilesize 4096
netsh advfirewall set currentprofile logging droppedconnections enable
# Disable AutoRun
# ———————
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
## Show known file extensions and hidden files
# ———————
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
#### Microsoft Windows Security Update Registry Key Configuration Missing (ADV180012) (Spectre/Meltdown Variant 4) ####
#### Impact: An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries. Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability.
#### In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "FeatureSettingsOverride" -Value 8 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "FeatureSettingsOverrideMask" -Value 3 -Type DWord
##### Windows Registry Setting To Globally Prevent Socket Hijacking Missing ####
#### Impact: If this registry setting is missing, in the absence of a SO_EXCLUSIVEADDRUSE check on a listening privileged socket, local unprivileged users can easily hijack the socket and intercept all data meant for the privileged process #####
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters" -Name "ForceActiveDesktopOn" -Value 1 -Type DWord
#### MS15-011 Hardening UNC Paths Breaks GPO Access - Microsoft Group Policy Remote Code Execution Vulnerability (MS15-011) ####
#### Impact: The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network ###
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\netlogon" -Value "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\sysvol" -Value "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
##### Enabling strong cryptography for .NET v4...
# x64
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value "1" -Type DWord
##### Disable SMBv3 compression, SMBGhost RCE (CVE-2020-0796)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWord -Value 1 -Force
##### Fix CredSSP
# 2 = the "Vulnerable" encryption oracle level; it restores RDP connectivity to unpatched peers at the cost of the CredSSP mitigation
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
##### Disable NLA (Network Level Authentication) on the RDP listener
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
# Audit Log
auditpol /set /category:"System" /failure:enable /success:enable
auditpol /set /category:"Account Management" /failure:enable /success:enable
auditpol /set /category:"Account Logon" /failure:enable /success:enable
auditpol /set /category:"Logon/Logoff" /failure:enable /success:enable
auditpol /set /category:"Policy Change" /failure:enable /success:enable
# Fix DNS CVE-2020-1350 (SIGRed) workaround: cap TCP DNS packet size, then restart the DNS service
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS; net start DNS
Write-Host "Hardening successfully "
Invoke-Command -ScriptBlock { gpupdate /force }
# Create new user admin and add it to the Administrators group
# Base64-decode $SystemObfuscation to get your password (replace the placeholder with your own base64-encoded password)
$SystemObfuscation = "UmVwbGFjZV9teV93aXRoX2Jhc2U2NF9lbmNvZGU="
$SystemConvert = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SystemObfuscation))
net user /add admin $SystemConvert
net localgroup administrators admin /add
##### Set user admin password to never expire
Set-LocalUser -Name "admin" -PasswordNeverExpires $true
#################################################
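After running the hardening script it is worth checking that the settings actually stuck and have not been reverted by Group Policy or a later install. The following verification script is an added example, not part of the original post; it assumes Windows PowerShell 5.1 on the hardened Windows Server 2016 host, run as Administrator, with English auditpol output, and re-reads the same registry values, optional features and audit categories the script above sets.

```powershell
# Added example: re-check the hardening settings above and report drift.
# Assumes Windows PowerShell 5.1, run as Administrator, English auditpol output.
$Checks = @(
    # Path, value name, expected data (same values the hardening script writes)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1';                          Expect = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'DisableCompression';            Expect = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'EnableLUA';                     Expect = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'LocalAccountTokenFilterPolicy'; Expect = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'LMCompatibilityLevel';          Expect = 5 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'RunAsPPL';                      Expect = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential';            Expect = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';           Name = 'CWDIllegalInDllSearch';         Expect = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters';           Name = 'TcpReceivePacketSize';          Expect = 0xFF00 }
)

$Failures = 0
foreach ($c in $Checks) {
    # -ErrorAction SilentlyContinue returns $null when the key or value is absent
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Host ("MISSING {0}\{1} (expected {2})" -f $c.Path, $c.Name, $c.Expect) -ForegroundColor Yellow
        $Failures++
    } elseif ($item.($c.Name) -ne $c.Expect) {
        Write-Host ("DRIFT   {0}\{1} = {2} (expected {3})" -f $c.Path, $c.Name, $item.($c.Name), $c.Expect) -ForegroundColor Red
        $Failures++
    } else {
        Write-Host ("OK      {0}\{1} = {2}" -f $c.Path, $c.Name, $c.Expect) -ForegroundColor Green
    }
}

# Optional features the script removes must report Disabled (a pending reboot can leave them DisablePending)
foreach ($f in 'smb1protocol', 'MicrosoftWindowsPowerShellV2') {
    $state = "$((Get-WindowsOptionalFeature -Online -FeatureName $f).State)"
    if ($state -ne 'Disabled') { Write-Host "DRIFT   feature $f is $state" -ForegroundColor Red; $Failures++ }
    else { Write-Host "OK      feature $f is Disabled" -ForegroundColor Green }
}

# Every subcategory in the audited categories must log both success and failure
foreach ($cat in 'System', 'Account Management', 'Account Logon', 'Logon/Logoff', 'Policy Change') {
    $rows = auditpol /get /category:"$cat" /r | ConvertFrom-Csv
    $bad  = $rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
    if ($bad) { $bad | ForEach-Object { Write-Host "DRIFT   audit $($_.Subcategory): $($_.'Inclusion Setting')" -ForegroundColor Red }; $Failures++ }
    else { Write-Host "OK      audit category '$cat' logs success and failure" -ForegroundColor Green }
}

Write-Host "$Failures check(s) failed"
exit $Failures   # non-zero exit lets a scheduled task or CI job flag the host
```

Run it from an elevated PowerShell session after a reboot; a non-zero exit code means at least one hardening setting is missing or has drifted.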