Photo by Dane Deaner on Unsplash

Photo by Dane Deaner on Unsplash

Reducing the Windows 10 attack surface

Digging In

Article from ADMIN 62/2021
By
Windows attack surface reduction policies make significant progress in protecting your entire IT infrastructure.

Microsoft has been providing tools to administrators to prevent attacks against Windows systems for several years now. The Attack Surface Analyzer introduced in Windows Vista was replaced by Attack Surface Reduction in Windows 10. In this article, we highlight the available protection mechanisms and show you how to use them effectively.

An attacker's goal is to exploit application and computer vulnerabilities (especially their operating systems) alike. In the process, not only servers and workstations attract the attention of attackers, but network devices such as routers, switches, and access points have become targets, especially in recent years. Security researchers are increasingly detecting malware on peripheral devices [1]. If you issue smartphones to your employees with access to the internal network, these devices are also potential gateways for attackers.

Several hundred different attack vectors are known in the literature. Of these, some are well researched and well known to both attackers and system owners, which makes it easy to provide protection against exploits. Brute force attacks on SSH servers, the lack of encryption in communications, and distributed denial of service (DDoS), for example, can be well managed by tools such as Fail2Ban, a public key infrastructure, and load balancing service providers such as Cloudflare. Although CEO fraud has been very successful in recent years, it can often be averted through awareness campaigns. Zero-day exploits targeting unpublished vulnerabilities in hardware or software have virtually no effective countermeasures.

Ransomware, Phishing, and Insiders

Three different attack vectors have been the subject of recent public discussion. Blackmail trojans, or ransomware, often enter organizational networks through forged email or manipulated email attachments. If the recipient opens the supposedly harmless office file in the attachment and enables the macros it contains, the malware can embed itself in the system. Once in place, the malicious programs first wait and analyze access patterns, working hours, shares on the local network, or existing backup systems. Once they have collected enough information, the race against time begins.

The malware encrypts as much data as possible without attracting attention, preferably also the backups if they are not access protected. By the time the data owner notices the damage, it is often already too late. Important files are encrypted and a message is sent with an option to receive the code to unlock and decrypt the data by paying a ransom. Often, the programs even offer to decrypt individual files on a test basis. This function is specifically offered by the criminals to strengthen the users' trust in the functionality. The victims are then often much more willing to pay the demanded ransom.

Stolen identity data is another attack vector that has caused more and more damage in recent years. Account hijacking is a problem that should not be underestimated, especially in the area of online stores. In particular, criminals take advantage of the fact that many users use the same passwords to access different services. However, the identity data are not always captured from the service providers themselves. Although many large online services have had to admit to illegal access to customer data because of a vulnerability in their systems, criminals are unfortunately still very successfully sending very realistic looking phishing email to users. In this way, they can usually rely on obtaining valid access credentials for online accounts directly from the hands of the users themselves.

Often enough, insiders are part of successful attack vectors. Although many companies restrict remote access through firewalls, VPN, and special access rights to the local network, the same is not true for physical access to resources on site. Therefore technicians, cleaning staff, or other employees with extensive access to offices and printer and server rooms can also access systems directly. Unlocked user sessions, the ability to boot systems with USB devices, or installed hardware keyloggers that tap user passwords pose a major risk to the integrity of workstations, servers, and printers.

Reducing the Attack Surface

Simple methods can help you reduce the attack surface of a system. The example in this article is a database system. In the standard use case, the database system opens a network socket and listens for incoming connections on all IP addresses used by the operating system – including connections from the Internet, of course. However, if you only use local database access, you will want to select the network interface for the server process or configure the local IP address to rule out access from the Internet.

Incidentally, a firewall installed at the perimeter has a similar effect, at least as far as access from the Internet is concerned. However, if an attacker is already on your network, this firewall can no longer protect your company, but you can restrict local attackers. Many distributions offer passwordless access to the database administrator account for locally logged-in users. You need to restrict this account, too. With just a simple few steps, you have now reduced your database server's attack surface.

Protection with Windows Defender

Introduced in Windows 10 version 1709, Microsoft Windows Defender Exploit Guard comprises four components: attack surface reduction (ASR), network protection, controlled folder access, and exploit protection. (The abbreviation ASR is used in other ways by Microsoft; for example, it can also mean Azure Site Recovery.) ASR uses various measures to provide protection against malware looking to attack your system through installed Office programs, scripts, or email. Network protection protects your system by expanding the scope of Defender SmartScreen, adding further rules that prevent outgoing HTTP traffic to destinations whose domain names or hostnames are untrustworthy.

Controlled folder access protects your data in certain folders from access by less trusted programs on your system. You can configure this feature in the Windows Defender Security Center. When a program from an untrusted source accesses one of your protected folders, the user sees an Access Denied message from Windows Defender. Exploit protection is the logical successor to the Enhanced Mitigation Experience Toolkit (EMET) and offers additional features such as Code Integrity Guard, blocking Win32k system calls, or the ability to check the integrity of the heap memory area. You can try out all the security features of Windows Defender Exploit Guard after enabling it on Microsoft's specially set up demo website [2].

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

comments powered by Disqus