I'm seeing another big push by vendors claiming their solution will fix education's ransomware woes

You can't make up for poor operational management by buying products

Do these free things first, then consider purchases that scale your staff

Note: #6 is for non-AD bound devices
1. For email filtering, I have a nice series here you can borrow ideas from:

blog.opsecedu.com/using-transpor…

2. For Office macros, it's how something like 90% of ransomware starts (rest is unpatched remote access).

At least block macros from the Internet:

microsoft.com/security/blog/…
3. Attackers move around your network easily when you have the same admin accounts on many machines. Make them all unique and make them work for it.

LAPS is a simple, effective way to do this.

blog.nowmicro.com/2018/02/28/con…

See @RyanLNewington's free LAPS Web:
github.com/lithnet/laps-w…
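Before rolling out LAPS it helps to know which machines are still sharing the image's local admin password. This is an added example, not from the thread or from LAPS itself; it reads the legacy LAPS attribute `ms-Mcs-AdmPwdExpirationTime` (present only after the LAPS schema extension), and the OU path is a constructed placeholder.

```powershell
# Added example (not from the thread): report domain computers that have never had a LAPS
# password set, and ones where LAPS stopped rotating. Requires the LAPS schema extension
# (ms-Mcs-AdmPwdExpirationTime) and the ActiveDirectory module. OU is a constructed placeholder.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([string]$SearchBase = 'OU=Workstations,DC=corp,DC=example')   # constructed
    $attrs = 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem', 'LastLogonDate'
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $attrs |
        ForEach-Object {
            $exp = $_.'ms-Mcs-AdmPwdExpirationTime'   # FILETIME (100ns ticks), or $null if never set
            $expires = $null
            if ($exp) { $expires = [datetime]::FromFileTimeUtc([int64]$exp) }
            [pscustomobject]@{
                Name        = $_.Name
                OS          = $_.OperatingSystem
                LastLogon   = $_.LastLogonDate
                LapsManaged = [bool]$exp        # $false = LAPS client never wrote a password
                Expires     = $expires          # in the past = client stopped rotating
            }
        }
}

$report = Get-LapsCoverage

# Machines still on the shared local admin password, most recently active first.
$report | Where-Object { -not $_.LapsManaged } |
    Sort-Object LastLogon -Descending |
    Format-Table Name, OS, LastLogon -AutoSize

# Machines where LAPS ran once but the password is past its expiry (GPO/client not applying).
$report | Where-Object { $_.LapsManaged -and $_.Expires -lt (Get-Date).ToUniversalTime() } |
    Format-Table Name, Expires -AutoSize
```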
4. Defender's ASR rules are awesome (but Defender can't be in passive mode)

Enable ASR in audit mode, monitor the logs, and enable one at a time as you identify what is safe.

There's even a Warn mode now, so you can go audit - warn - block.

E5=EZ mode:
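For shops without E5/Intune, the audit → warn → block staging can be driven with the Defender cmdlets and the Defender operational log. This is an added example, not from the thread; the rule GUIDs are Microsoft's published ASR rule IDs, the per-rule staging choices are an assumed snapshot of one rollout, and the event data field names are as they appear in the event XML.

```powershell
# Added example (not from the thread): stage ASR rules through audit -> warn -> block.
# Defender must be in active (not passive) mode; run elevated.
$AsrRules = @{
    # Block all Office applications from creating child processes
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Warn'        # reviewed in audit, users now get a prompt
    # Block Office applications from creating executable content
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Enabled'     # block: no legitimate hits in audit
    # Block credential stealing from LSASS
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'AuditMode'   # new rule: start in audit
}

# Add-MpPreference sets the action per rule without clobbering rules managed elsewhere.
foreach ($rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Key `
                     -AttackSurfaceReductionRules_Actions $rule.Value
}

# What audit mode would have blocked in the last 7 days:
# event 1122 = ASR rule audited, 1121 = ASR rule blocked.
function Get-AsrHits {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $mode = 'Block'
        if ($e.Id -eq 1122) { $mode = 'Audit' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = $mode
            RuleId  = $data['ID']
            Process = $data['Process Name']
            Path    = $data['Path']
        }
    }
}

# Group by rule and process so a line-of-business app that trips a rule stands out
# before the rule moves from audit to warn or block.
Get-AsrHits | Group-Object RuleId, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```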

5. How often do you really Remote Desktop between workstations?

Let's not make edge cases the default - disable everywhere, then open it for specific use cases.

Make sure NLA is enabled, don't expose RDP to the Internet, and use Remote Credential Guard:
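The "disable everywhere, then open for specific cases" default, as an added example rather than anything from the thread: it uses the standard Terminal Server, LSA and CredentialsDelegation registry values and the built-in "Remote Desktop" firewall rule group, applied locally; for a fleet the same values belong in GPO or Intune.

```powershell
# Added example (not from the thread): RDP off by default, NLA plus Remote Credential Guard
# where RDP must stay on. Run elevated. Registry values are the standard policy keys.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$cd  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Set-RdpHardening {
    param([switch]$AllowRdp)   # omit for the default workstation case
    if (-not $AllowRdp) {
        # Default: deny inbound RDP and close the firewall group.
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }
    # Exception hosts: RDP on, but the client must authenticate before a session exists.
    Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 -Type DWord   # NLA required
    # Remote Credential Guard target requirement: Restricted Admin must not be disabled.
    Set-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -Value 0 -Type DWord
}

function Set-RdpClientRequireCredGuard {
    # Admin workstations: policy "Restrict delegation of credentials to remote servers",
    # type 2 = Require Remote Credential Guard, so creds never land on the target.
    New-Item -Path $cd -Force | Out-Null
    Set-ItemProperty -Path $cd -Name RestrictedRemoteAdministration     -Value 1 -Type DWord
    Set-ItemProperty -Path $cd -Name RestrictedRemoteAdministrationType -Value 2 -Type DWord
}

function Get-RdpPosture {
    # Returns the current state; fan out with Invoke-Command to spot drift across hosts.
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        RdpDenied     = (Get-ItemProperty $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
        NlaRequired   = (Get-ItemProperty $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
        FirewallOpen  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True').Count -gt 0
        RestrictedAdm = (Get-ItemProperty $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin -eq 0
    }
}

Set-RdpHardening          # default: off everywhere
Get-RdpPosture
```

Exposure to the Internet is a perimeter question the host cannot answer for itself: confirm no inbound 3389 forwarding or ACL exists separately.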

6. This is geared toward those non-AD bound systems - backup, VOIP, etc.

TrustedHosts is used for WinRM/PowerShell remoting when you don't have HTTPS or Kerberos available.

Many articles just tell you to use *. Instead, limit the list to known systems:
windows-security.org/e20c9386972c5d…
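Replacing the `*` from old how-tos with an explicit list, as an added example that is not from the thread or the linked article. The host names are constructed placeholders; the WSMan provider path and `Set-Item -Force` are the standard client-side TrustedHosts mechanism.

```powershell
# Added example (not from the thread): audit the WinRM client TrustedHosts list and
# replace any wildcard entry with the known non-domain systems. Run elevated.
$KnownHosts = @('backup01.corp.example', 'voip-pbx01.corp.example')   # constructed names

function Test-TrustedHosts {
    # Returns the current list and flags any entry containing '*' (e.g. '*' or '*.corp.example').
    $current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $bad     = @($entries | Where-Object { $_ -match '\*' })
    [pscustomobject]@{
        Current   = $current
        Entries   = $entries
        Wildcards = $bad
        IsStrict  = ($bad.Count -eq 0)
    }
}

function Set-StrictTrustedHosts {
    param([Parameter(Mandatory)][string[]]$Hosts)
    # Replace rather than -Concatenate so a stray '*' does not survive the fix.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($Hosts -join ',') -Force
}

$posture = Test-TrustedHosts
if (-not $posture.IsStrict) {
    Write-Warning "TrustedHosts contains wildcards: $($posture.Wildcards -join ', ')"
    Set-StrictTrustedHosts -Hosts $KnownHosts
}
Test-TrustedHosts

# TrustedHosts only lets the client send credentials to a listed host over Negotiate/HTTP;
# it does not authenticate the host. Each remoting call still needs explicit credentials:
# Invoke-Command -ComputerName backup01.corp.example -Credential (Get-Credential) -ScriptBlock { hostname }
```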
7. Patch management is damn hard

Prioritize by impact - remote access, such as VPN, needs immediate consideration. Keep an eye on Patch Tuesday notes or similar for your OSes, evaluate and rush the critical ones.

Get to automating OS patches, even if it's just test/dev first.
Applications are a whole different struggle. I watch our TVM in Defender for Endpoint and cry...

PDQ, PatchMyPC, and others are out there at a cost I don't think you could actually beat by doing it in house. Some tools are worth paying for to scale your staff.
8. I can't stop singing praises for @mysmartlogon's PingCastle

It's so simple that hundreds of K12 sysadmins have been using it to make very meaningful improvements.

Most of the issues covered in this thread are things his singular tool identifies for you:

And honorable mention to AppLocker because I do think that is achievable for everyone. It is very flexible application allowlisting.

It also works on Pro SKUs, which many may not be aware of:

msendpointmgr.com/2020/09/20/doe…

Thanks to Seth for bringing it up!

More from @NathanMcNulty

5 Feb
You really should use (g)MSAs instead of user accounts for services, IIS, scheduled tasks, SQL, etc.

Even if you have a cred vault that rotates and handles dependencies, MSAs are probably still better.

Read Steve's thread for how they work, then this one for how to use them.
First, a couple of things Steve didn't mention:

1) MSA passwords are incredibly strong and rotate frequently enough that Kerberoasting is near impossible (especially with AES)

2) The password can be retrieved on one server and used on another; pass the hash/ticket still works.
OK, first, let's find out if you have a KDS root key set up. Open PowerShell on a machine with the Active Directory PowerShell module installed and run this:

Get-KDSRootKey

If you get nothing, then run this:

Add-KDSRootKey -EffectiveImmediately

Now wait 10 hours.. seriously :(
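The KDS root key check above, carried on to creating a gMSA for a group of hosts, as an added example that is not from the thread. The group name, account name and DNS host name are constructed placeholders; the cmdlets and parameters are the ActiveDirectory module's.

```powershell
# Added example (not from the thread): KDS root key check, then a gMSA whose password
# only members of one computer group can retrieve. Names below are constructed.
Import-Module ActiveDirectory

if (-not (Get-KdsRootKey)) {
    # Production: Add-KdsRootKey -EffectiveImmediately, then wait the 10 hours.
    # Isolated lab only: backdate the effective time so the key is usable now.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Grant retrieval to a group rather than individual hosts, so adding a web server
# later is a group membership change, not a gMSA edit.
$hostGroup = Get-ADGroup 'WebServers'   # constructed group name

New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# On each member host (after a reboot, so the group membership is in the machine's token):
#   Install-ADServiceAccount -Identity svc-web
#   Test-ADServiceAccount    -Identity svc-web   # $true when this host can retrieve the password
# Then point the service, IIS app pool or scheduled task at CORP\svc-web$ with a blank password.
```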
3 Feb
I could write a book...

You gain expertise through the process of fixing things, sometimes the things you break - don't fear mistakes.

As your expertise gets deeper, you find new exotic ways of breaking things where even Stack Overflow won't save you.

Here are a few of mine :)
First week on a new job, ran a driver cleanup script for ConfigMgr 2007 and forgot the params - dumped the entire driver catalog

Deployed apps based on UTC instead of local time

$list | % { Restart-Computer $_ } while the server I was running it from was in the list...
Filtered in Graylog to push a new client config without realizing it included some servers. New log sources flooded Graylog with 200GB of data.

Set up a mail flow rule to catch spoofing (from header contains domain) but forgot to specify from external... QT'd my outbound email.
12 Jul 20
This is such an awesome writeup, but it's missing one thing - remediation steps

Some AD admins may know how to fix these issues, but it's fair to assume some do not.

I'd also highly recommend using PingCastle by @mysmartlogon as it audits most of this and more.

Thread time!
@mysmartlogon 1) Remove user rights to join devices to AD

PowerShell: Set-ADDomain -Identity <Domain> -Replace @{"ms-DS-MachineAccountQuota"="0"} -Verbose
GPO: Modify Default Domain Controller Policy and remove Authenticated Users from the user rights assignment (1st pic)
ADSI: (2nd pic)
Instead, consider setting up bind accounts per tier/group/service and delegate to appropriate OUs:
moderndeployment.com/correct-domain…

Also, change binding to create objects in an OU with strict policies:
redircmp "OU=Bind,DC=Domain,DC=Com"

redirusr can be used for users if you want.
6 Apr 20
Re: NYC blocking Zoom

I like Matthew a lot, but I don't feel this is a "dumb overreaction."

As a security admin overseeing 40K+ students and participating in communities serving over 1.5M students, I would love to shed some light on the difficulties Zoom has created for us.
First, let's start with Zoombombing. The answer seems very simple - let's add a password. The problem is that many places allowed teachers to go create their own accounts, and we had to rely on them reading email from IT.

Is that ever 100% effective?

For those of us who do have an admin console to control settings, sure we can change the settings to add a password, but that only affects future meetings (according to the console), not past meetings.

Again, communicating to teachers to change existing meetings? This is hard.