Malware Lateral Movement Prevention

7/31/2024

If your endpoint protection software fails, or is bypassed or overridden by user error, the next step in your prevention policy should be to do everything possible to restrict lateral movement. PCs on your network should NOT be talking to each other, yet by default Microsoft allows this behavior. You can use netstat -ano to list the running applications and their listening ports. Here are a few steps to take to lock down your Windows 10/11 network PCs to prevent lateral movement of malware using Windows Firewall rules and other settings:


  1. Block SMB-in traffic (port 445)
  2. Block NetBIOS/NBT-in traffic (TCP/UDP ports 137, 138, 139)
  3. Block RPC/DCOM/WMI-in traffic (TCP/UDP ports 135, 593)
  4. Block RDP-in traffic (TCP port 3389)
  5. Block IRC ports (TCP 194, 6660-6669, 6697, 7000)
  6. Block Calc.exe outbound traffic (\system32 and \syswow64)
  7. Block Notepad.exe outbound traffic (\system32 and \syswow64)
  8. Block Conhost.exe outbound traffic (\system32 and \syswow64)
  9. Block mshta.exe outbound traffic (\system32 and \syswow64)
  10. Block CertUtil.exe outbound traffic (\system32 and \syswow64)
  11. Block cscript.exe outbound traffic (\system32 and \syswow64)
  12. Block wscript.exe outbound traffic (\system32 and \syswow64)
  13. Block runscripthelper.exe outbound traffic (\system32 and \syswow64)
  14. Block regsvr32.exe outbound traffic (\system32 and \syswow64)
  15. Block hh.exe outbound traffic (\system32 and \syswow64)
  16. Disable the SSH server and block inbound connections on port 22
  17. Disable Windows Update Delivery Optimization (this allows other PCs on your network to get updates from your PC and vice versa): select Start > Settings > Windows Update > Advanced options > Delivery Optimization. Under "Allow downloads from other PCs", select "Devices on my local network" and disable it. Also block inbound and outbound traffic on port 7680 in Windows Firewall.
  18. Disable firewall inbound/outbound rules for superfluous Windows applications. Do you use Skype? Why is Xbox even installed on your office PC? Do your users really need the News and Weather "gadget" on the taskbar?
  19. Run PowerShell as administrator. Execute Disable-PSRemoting to disable remote PowerShell execution. Execute Set-ExecutionPolicy Restricted to restrict PowerShell script execution.
  20. Use gpedit.msc or an AD GPO to restrict the following commands from running (Administrative Templates section): cmd.exe, netstat.exe, ipconfig.exe, powershell.exe, psexec.exe, paexec.exe, regedit.exe, and powershell_ise.exe
  21. Use gpedit.msc or an AD GPO to disable LLMLR (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution)
  22. Disable RDP (see the additional RDP information below)
  23. Disable the Windows Remote Management service
  24. Associate commonly abused file extensions such as .WS, .WSF, .HTA, .PIF, .VB, .VBS, .JS, .JSE, .WSC, .WSH, .PS1, .PS1XML, .PS2, .PS2XML, .PSC1, .PSC2, .MSH, .MSH1, .MSH2, .MSHXML, .MSH1XML, .MSH2XML, .SCF, .LNK, .INF and .REG (just to name a few) with Notepad.exe. This is becoming more difficult with the newer versions of Windows 10/11 thanks to Microsoft's recent updates. Check out this list of dangerous file extensions over on HowToGeek: https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/
  25. Disable macros in MS Office applications
  26. Ensure that PDF sandboxing is enabled in your PDF reader. Note: it is advisable to scan ALL PDF files before opening them.
  27. User logins should not be given local administrator rights
  28. Users should not be allowed to install software on their PC; this should only be done by administrators, and only after testing to ensure app safety.
  29. UAC should be enabled and set to high security


The most common lateral movement techniques abuse the Windows PC local ADMIN$ and C$ administrative shares. These cannot be disabled, nor can their permissions be changed. However, restricting SMB-in traffic prevents the use of these shares. On a domain-joined PC you may have to allow SMB-in from domain controllers for group policy, but in that case only allow traffic from the DC's IP address and only via an encrypted session. The second most-abused lateral movement technique is RDP. It should be disabled. If RDP is a requirement, then restrict RDP-in to specific IP addresses and user IDs, and allow encrypted traffic only. Secure RDP by requiring successful Kerberos authentication from trusted computers and users and by installing a 2FA solution such as Duo. Coming in third is PowerShell. Disabling remote PowerShell (PsExec), restricting PowerShell script execution, and disabling the use of the PowerShell executables helps prevent this tactic. Dane Stucky has a great write-up over on Medium regarding endpoint isolation tactics, including how to implement secure RDP: https://medium.com/@cryps1s/endpoint-isolation-with-the-windows-firewall-462a795f4cfb
While this is far from an exhaustive list of all the tactics that can be implemented to prevent lateral movement, it is a great starting point. Implement rules one at a time, test your applications to make sure each rule doesn't "break" the application, and as always, back up your computer, your registry and your local/domain group policies BEFORE attempting any of the above steps.
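The checklist above and the SMB/domain-controller note in the previous paragraph, expressed as one PowerShell script. This is an added example, not Akzium's own code: the rule group name and the SMB address ranges are assumptions, and it covers only the firewall rules (steps 1 to 17) plus the netstat-style listener check, so run it on the test box first.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own code): creates the checklist's firewall rules on a
# test PC. $Group and the SMB scope values are assumed placeholders.
$Group = 'LateralMovement-Hardening'   # Remove-NetFirewallRule -Group $Group undoes everything below
# Block rules take precedence over allow rules in Windows Firewall, so the domain
# controller exception is made by scoping the SMB block with -RemoteAddress. Replace
# 'Any' with ranges that leave out the DC, e.g. '10.0.0.1-10.0.0.9','10.0.0.11-10.255.255.255'.
$SmbScope = 'Any'

$InboundBlocks = @(
    @{ Name = 'SMB-in';          Proto = 'TCP'; Port = 445;                       Remote = $SmbScope },
    @{ Name = 'NetBIOS-in TCP';  Proto = 'TCP'; Port = 137,138,139;               Remote = 'Any' },
    @{ Name = 'NetBIOS-in UDP';  Proto = 'UDP'; Port = 137,138,139;               Remote = 'Any' },
    @{ Name = 'RPC-DCOM-in TCP'; Proto = 'TCP'; Port = 135,593;                   Remote = 'Any' },
    @{ Name = 'RPC-DCOM-in UDP'; Proto = 'UDP'; Port = 135,593;                   Remote = 'Any' },
    @{ Name = 'RDP-in';          Proto = 'TCP'; Port = 3389;                      Remote = 'Any' },
    @{ Name = 'IRC-in';          Proto = 'TCP'; Port = 194,'6660-6669',6697,7000; Remote = 'Any' },
    @{ Name = 'SSH-in';          Proto = 'TCP'; Port = 22;                        Remote = 'Any' },
    @{ Name = 'DeliveryOpt-in';  Proto = 'TCP'; Port = 7680;                      Remote = 'Any' }
)
foreach ($r in $InboundBlocks) {
    New-NetFirewallRule -DisplayName "Block $($r.Name)" -Group $Group -Direction Inbound -Action Block `
        -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $r.Remote -Profile Any | Out-Null
}
# Step 17: Delivery Optimization also peers outbound on 7680
New-NetFirewallRule -DisplayName 'Block DeliveryOpt-out' -Group $Group -Direction Outbound -Action Block `
    -Protocol TCP -RemotePort 7680 -Profile Any | Out-Null

# Steps 6-15: outbound blocks for the script hosts and LOLBins, in both System32 and SysWOW64
$Programs = 'calc.exe','notepad.exe','conhost.exe','mshta.exe','certutil.exe',
            'cscript.exe','wscript.exe','runscripthelper.exe','regsvr32.exe','hh.exe'
foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    foreach ($exe in $Programs) {
        $path = Join-Path $dir $exe
        if (Test-Path $path) {   # not every binary exists on every build
            New-NetFirewallRule -DisplayName "Block out $exe ($dir)" -Group $Group -Direction Outbound `
                -Action Block -Program $path -Profile Any | Out-Null
        }
    }
}

# The netstat -ano check from the post: which checklist ports still have a TCP listener?
function Get-ChecklistListeners {
    $watch = 22,135,137,138,139,445,593,3389,7680
    Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in $watch } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}
Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Direction, Action
Get-ChecklistListeners
```

A listener showing up in the last command is not a failure by itself; the block rule still drops inbound connections to it, but it tells you which service to consider disabling outright (steps 16, 22 and 23).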


One added note: on the test system where you're implementing all of these changes, one way to get better visibility into the results is to install GlassWire ($36/yr subscription) on the test box and monitor for open ports, applications attempting outbound or inbound connections, and so on.

Oh, and if I missed anything, please add to the list in the comments.