Sami Laiho (@samilaiho), Mar 2, 22 tweets, 6 min read
Because of the current state of cybersecurity, and to protect the COMPANY networks in Ukraine, I have decided to publish easy-to-implement, free instructions for protecting Windows environments against an invader. Read the whole thread and if you find it useful, retweet!
I could tell you that you should remove end-user admin rights, deploy AppLocker etc. but in reality those are not done in a matter of days. So these instructions are meant to give fast gains and real-life effect in defending against cyber-attacks.
At the end of the day, security is simple. It’s more about correct ways of operating, concepts, than expensive products.
In this thread I’m going through what I would personally do if I was at war and protections would have to be upped to the next level in hours without disconnecting the systems from the Internet.
The instructions are meant to prevent losing your biggest treasure – the Directory Service. A few soldiers might be lost but the directory service will not be compromised.
Companies don’t get on the news by having ransomware on one computer, but by someone controlling the whole infrastructure and keeping your operations as hostage.
These instructions are simple and apply to any company that uses a Directory Service (AD/AAD). These could be better by taking time with the customer and tailoring it for them – but now I aim to build instructions that work for most if not all.
You can always create better but remember that “in security, don’t let perfect be the enemy of good”. Now we need to DEPLOY things FAST so that innocent companies stay safe! There’s no time for “This is only 99% secure” or “There is probably a way around this”
We need to make things BETTER, NOW! We can tweak and harden later, when we have the basics deployed!
1. Tier0 isolation. The holy grail of every attacker is a Domain Admin account. So that DAs can’t be stolen, we block them from being used anywhere else than where they are needed. Link the following policy to every computer except your DCs. [image]
2. Since you can’t use DA to manage anything but DCs, you need to add the following setting to the policy, so that members of ComputerAdmins can manage the other computers. [image]
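An added verification script (not from the thread) that checks on a member computer whether the Tier0 policy from steps 1 and 2 has actually applied. It assumes the policy denies Domain Admins (RID 512) and Enterprise Admins (RID 519) the five "deny logon" rights below, and that ComputerAdmins is the domain group added to the local Administrators group; run it elevated, since secedit needs it.

```powershell
# Assumed set of deny rights in the Tier0 GPO (the thread's screenshot is not reproduced here).
$denyRights = @(
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyInteractiveLogonRight',        # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight',  # Deny log on through Remote Desktop Services
    'SeDenyBatchLogonRight',              # Deny log on as a batch job
    'SeDenyServiceLogonRight'             # Deny log on as a service
)
# Well-known RIDs of the Tier0 groups; secedit exports them as *S-1-5-21-<domain>-<RID>.
$tier0 = @{ '512' = 'Domain Admins'; '519' = 'Enterprise Admins' }

# DomainRole 4/5 = backup/primary DC: the policy must NOT be linked there.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    throw 'Run this on a member workstation or server, not on a domain controller.'
}

# Export the effective user rights and read the [Privilege Rights] section.
$inf = Join-Path $env:TEMP 'tier0-check.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
Get-Content $inf -Encoding Unicode | ForEach-Object {
    if ($_ -match '^(SeDeny\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $inf

$ok = $true
foreach ($right in $denyRights) {
    foreach ($rid in $tier0.Keys) {
        # Accept either the SID form (…-512) or the resolved name form.
        $hit = $rights[$right] | Where-Object { $_ -match "-$rid$" -or $_ -like "*$($tier0[$rid])" }
        if (-not $hit) { Write-Warning "$right does not deny $($tier0[$rid])"; $ok = $false }
    }
}

# Step 2: the non-DC admin group must still be able to administer this machine.
$admins = Get-LocalGroupMember -Group 'Administrators'
if (-not ($admins.Name -match 'ComputerAdmins$')) {
    Write-Warning 'ComputerAdmins is not a member of the local Administrators group'; $ok = $false
}
if ($ok) { Write-Output 'Tier0 isolation looks correct on this computer.' }
```

Run it on a pilot machine after `gpupdate /force`; a warning on any right means the GPO has not applied there or a setting is missing.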
3. Same for Azure. You can achieve the same even if the settings are not exactly the same. These pics show how I do it and how I block limited users from accessing the portal. techcommunity.microsoft.com/t5/intune-cust… [images]
You can later tweak and split your AD into more tiers, deploy PAWs etc. Now the Tier0 isolation is the one you MUST DO NOW!
4. Containing PowerShell. PS is used by almost all malware. It attacks, takes orders and sends precious information to the attacker. So, let’s block it by adding Outbound Firewall Rules to the policy as seen in the pic: [image]
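The outbound block rules from step 4, written as an added example (not the thread's own screenshot) that creates them locally with the built-in NetSecurity cmdlets so you can test on one machine before putting the same rules into the GPO. Assumptions: default install paths for Windows PowerShell and PowerShell 7, and rule and group names that are mine.

```powershell
# Program paths to block outbound. Both 64-bit and 32-bit hosts matter: malware can
# launch the SysWOW64 copy to sidestep a rule that only names System32.
$targets = @{
    'Block outbound - Windows PowerShell (64-bit)' = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    'Block outbound - Windows PowerShell (32-bit)' = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    'Block outbound - PowerShell ISE (64-bit)'     = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
    'Block outbound - PowerShell ISE (32-bit)'     = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
}
# PowerShell 7 is a separate install (assumed default path); include it when present.
$pwsh = Join-Path $env:ProgramFiles 'PowerShell\7\pwsh.exe'
if (Test-Path $pwsh) { $targets['Block outbound - PowerShell 7'] = $pwsh }

$group = 'Fast hardening - contain PowerShell'   # my own group name, for easy cleanup
foreach ($name in $targets.Keys) {
    # Idempotent: skip rules that already exist.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Group $group `
        -Direction Outbound -Action Block -Profile Any `
        -Program $targets[$name] -Enabled True | Out-Null
}

# Verify. A Block rule wins over any Allow rule for the same program, whatever the
# profile's default outbound action is, so these are effective as soon as they exist.
Get-NetFirewallRule -Group $group |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

Expect legitimate admin scripts that reach the network from powershell.exe (downloads, REST calls) to break on these machines, so pilot on a few computers first; to remove the test rules, run `Remove-NetFirewallRule -Group 'Fast hardening - contain PowerShell'`.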
5. UAC settings in order. If you have computers that are logged in by admins, add this UAC setting to the policy. If you don’t, GREAT, you’re mitigating 80% of attacks! [image]
6. Least privilege. If you log on to your computer with an admin account at home or work, STOP RIGHT NOW! Your computer works better, longer and with fewer reinstallations. Even your SSD will last longer!
7. Create a separate admin account and drop your current one to a limited user. If you have a fingerprint reader, register your index finger for your limited user and your middle finger for your admin. From now on you use your admin finger only when UAC requests elevation or to wave at Putin!
8. Start to deploy the Privileged Access Workstation concept. Don’t surf the web and read email from a computer that can take down your network, like connecting with RDP to your DCs. Later you’ll do it cool with VMs but for now just operate safe.
9. Use MFA everywhere. If you have servers that accept RDP, protect them with for example Cisco DUO. Do the same for the computers you use to manage your services. If you don’t need RDP, block it!
REMEMBER “In security, don’t let perfect be the enemy of good”. We can tweak, harden and play smart later – Let’s DO THIS NOW!
11. I would recommend everyone to read Mikko Hyppönen’s book “Internet”, but it’s currently encrypted in Elvish: wsoy.fi/kirja/mikko-hy…
Thanks for reading, stay safe – Glory to Ukraine!
The whole thread can be found here: blog.win-fu.com/2022/03/glory-…

#UkrainiansWillResist
#StandWithUkraine
#StopPutin
