This post explains my current configuration build-out for CCDC. It is written for CCDC, but could be useful for anyone wanting a quick, decently secure AD setup.

CCDC is a defense-based competition where students act as an incident response team that must remediate and lock down networks as quickly as possible. Trained red teamers attack while students are given many tasks to complete. I'm expecting to deal with ~6 Windows computers running varying services.

This has not been tested yet! This is simply my current planning for how to tackle CCDC. I know no one who has participated in the past. All of this is a general idea that I will test this spring, and see how it goes.

This is a much more note-like post. I hope it is useful for someone. It focuses mainly on GPOs and plans that need to be automated.

General plan:

  1. reset krbtgt first.
  2. run the local hardening script on the DC.
  3. run dchardening on the DC. this also imports a good security baseline for a good GPO.
  4. reset the local admin account on every computer and run the local hardening script.
  5. run local hardening on every single computer.
  6. apply AppLocker in audit mode? maybe. it might be better to forward logs to Splunk first, set everything to enforce, and watch the blocks come in in real time, then edit the policy from there.
  7. change AppLocker to fully deny.
  8. now apply the LAPS GPO.

GPO settings

changes made to the AppLocker GPO:

  - windows settings -> security settings -> system services -> Application Identity: automatic
  - windows settings -> security settings -> application control policies -> AppLocker (rules below)
  - disabled the store: administrative templates -> store -> disable the Store application: enabled; disable all apps from Microsoft Store: enabled

added the default rules, and banned these directories for scripts and executables:

%WINDIR%\Temp\*
%WINDIR%\Tasks\*
%WINDIR%\System32\Tasks\*
%WINDIR%\System32\spool\drivers\color\*
%WINDIR%\System32\com\dmp\*
%WINDIR%\SysWOW64\Tasks\*
%WINDIR%\System32\spool\PRINTERS\*
%WINDIR%\System32\spool\SERVERS\*
%WINDIR%\SysWOW64\com\dmp\*
%WINDIR%\System32\fxstmp\*
%WINDIR%\SysWOW64\fxstmp\*
%WINDIR%\Tracing\*
%WINDIR%\Registration\CRMLog\*
%WINDIR%\System32\winevt\Logs\*
%WINDIR%\System32\LogFiles\*
%WINDIR%\System32\wbem\Logs\*
%WINDIR%\System32\Microsoft\Crypto\RSA\MachineKeys\*
%WINDIR%\ServiceProfiles\LocalService\*

just executables:

%PROGRAMFILES%\WindowsApps\Microsoft.DesktopAppInstaller_*\winget.exe
%WINDIR%\Microsoft.NET\Framework\*\Aspnet_Compiler.exe
%WINDIR%\Microsoft.NET\Framework64\*\Aspnet_Compiler.exe
%WINDIR%\System32\bash.exe
%WINDIR%\Microsoft.NET\Framework\*\Dfsvc.exe
%WINDIR%\Microsoft.NET\Framework64\*\Dfsvc.exe
%WINDIR%\Microsoft.NET\Framework\*\Installutil.exe
%WINDIR%\Microsoft.NET\Framework64\*\Installutil.exe
%WINDIR%\Microsoft.NET\Framework\*\Microsoft.Workflow.Compiler.exe
%WINDIR%\Microsoft.NET\Framework64\*\Microsoft.Workflow.Compiler.exe
%PROGRAMFILES%\Windows Defender\MpCmdRun.exe
%WINDIR%\System32\msdt.exe
%WINDIR%\Microsoft.NET\Framework\*\Regasm.exe
%WINDIR%\Microsoft.NET\Framework64\*\Regasm.exe
%WINDIR%\Microsoft.NET\Framework\*\Regsvcs.exe
%WINDIR%\Microsoft.NET\Framework64\*\Regsvcs.exe
%PROGRAMFILES%\WindowsApps\Microsoft.WindowsTerminal_*\wt.exe
%WINDIR%\System32\cmstp.exe
%WINDIR%\SysWOW64\cmstp.exe
%WINDIR%\Microsoft.NET\Framework\*\msbuild.exe
%WINDIR%\Microsoft.NET\Framework64\*\msbuild.exe
%WINDIR%\System32\mshta.exe
%WINDIR%\SysWOW64\mshta.exe
%WINDIR%\System32\certutil.exe
%WINDIR%\SysWOW64\certutil.exe
%WINDIR%\System32\wbem\wmic.exe
%WINDIR%\SysWOW64\wbem\wmic.exe
%WINDIR%\System32\cscript.exe
%WINDIR%\SysWOW64\cscript.exe
%WINDIR%\System32\wscript.exe
%WINDIR%\SysWOW64\wscript.exe
%WINDIR%\System32\schtasks.exe
%WINDIR%\SysWOW64\schtasks.exe
%WINDIR%\System32\hh.exe
%WINDIR%\SysWOW64\hh.exe
%WINDIR%\System32\control.exe
%WINDIR%\SysWOW64\control.exe
%WINDIR%\Microsoft.NET\Framework\*\csc.exe
%WINDIR%\Microsoft.NET\Framework64\*\csc.exe
%WINDIR%\System32\diskshadow.exe
%WINDIR%\System32\odbcconf.exe
%WINDIR%\SysWOW64\odbcconf.exe

script blocks:

%WINDIR%\System32\winrm.vbs
%WINDIR%\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
%WINDIR%\System32\Syncappvpublishingserver.vbs

DLL rules:

%WINDIR%\System32\Dfshim.dll
%WINDIR%\System32\Scrobj.dll 
%WINDIR%\SysWOW64\Scrobj.dll

created an exception for MpOav.dll; Defender uses it to scan new files.

MPOAV.DLL, in MICROSOFT® WINDOWS® OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

rules with exceptions: (set allow for Everyone and put an exception for powershell.exe, then create an allow rule for admins with these paths:)

%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe
%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
%WINDIR%\System32\cmd.exe
%WINDIR%\SysWOW64\cmd.exe
%WINDIR%\System32\mmc.exe

deleted the default Windows Installer rules.

denied event IDs in the AppLocker logs: 8004 - exe and dll; 8007 - msi and script; 8025 - packaged app (ms store).
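Added example, not from the original post: a PowerShell helper for the "watch the blocks come in, then edit the policy" step, run per host before Splunk forwarding exists. It reads the block events above plus the audit-mode "would have been blocked" IDs from the AppLocker channels and groups them by path; the channel names and IDs are the standard AppLocker ones, the function name is mine.

```powershell
# Added example (not from the original post): summarise AppLocker block events
# from the local logs so blocks can be reviewed per host before the policy is
# tightened. Run elevated on a machine with the AppLocker GPO applied.
# -IncludeAudit also returns the audit-mode "would have been blocked" events.
function Get-AppLockerBlockSummary {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [switch]$IncludeAudit
    )
    # Channel -> @(enforce-mode block ID, audit-mode ID)
    $channels = @{
        'Microsoft-Windows-AppLocker/EXE and DLL'             = @(8004, 8003)
        'Microsoft-Windows-AppLocker/MSI and Script'          = @(8007, 8006)
        'Microsoft-Windows-AppLocker/Packaged app-Execution'  = @(8022, 8021)
        'Microsoft-Windows-AppLocker/Packaged app-Deployment' = @(8025, 8024)
    }
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in $channels.Keys) {
        $ids = if ($IncludeAudit) { $channels[$log] } else { @($channels[$log][0]) }
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # AppLocker puts the details in UserData/RuleAndFileData, not EventData.
            # Packaged app events carry no file path, so Path is empty for them.
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            $user = $d.TargetUser   # SID string; resolve it when possible
            try { $user = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $d.TargetUser).Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Id       = $e.Id
                Mode     = $(if ($e.Id -eq $channels[$log][0]) { 'Blocked' } else { 'AuditOnly' })
                User     = $user
                Path     = $d.FullFilePath
                Hash     = $d.FileHash
                Computer = $e.MachineName
            }
        }
    }
}

# Group by path so repeat offenders float to the top: either something that
# needs an allow rule, or something that should not be on the box at all.
Get-AppLockerBlockSummary -Hours 24 -IncludeAudit |
    Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```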

no longer banning: (for system security issues)

%WINDIR%\System32\regsvr32.exe
%WINDIR%\SysWOW64\regsvr32.exe
%WINDIR%\System32\rundll32.exe
%WINDIR%\SysWOW64\rundll32.exe
%WINDIR%\System32\mmc.exe
%WINDIR%\System32\Syssetup.dll
%WINDIR%\SysWOW64\Syssetup.dll
%WINDIR%\System32\bitsadmin.exe
%WINDIR%\SysWOW64\bitsadmin.exe

changes made to the default GPO from Windows Server 2022:

passwords: account lockout duration: 5, set to 30 minutes.

accounts: rename administrator account: prccdcadmin; guest account status: disabled; block users from adding Microsoft accounts.

devices: prevent users from installing printer drivers.

interactive logon: do not display last signed-in username; number of previous logons to cache: 0.

network access: do not allow anonymous enumeration of SAM accounts and shares; let Everyone permissions apply to anonymous users: disabled.

network security: LAN Manager authentication level: NTLMv2 only; LDAP client signing: require signing.

microsoft network client: digitally sign communications (always). this is for SMB.

domain controller: LDAP server signing requirements: enabled; LDAP channel binding token requirements: enabled.

disable LLMNR: admin templates -> network -> DNS client -> turn off multicast name resolution.

user rights assignment -> allow log on through Remote Desktop Services -> Remote Desktop Users allowed.

administrative templates -> system -> group policy: set interval for computers to refresh from GPO: 1 minute, random time: 0.

PowerShell snippet for startup. Disables NetBT, IPv6, and the old PowerShell v2 engine.

# NetbiosOptions 2 = disable NetBIOS over TCP/IP on every interface
$regkey = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey | ForEach-Object { Set-ItemProperty -Path "$regkey\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose }
# DisabledComponents 0xFF = disable all IPv6 components (takes effect after a reboot)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -Name "DisabledComponents" -Value 0xFF -Type DWord
# Remove the PowerShell 2.0 engine so it cannot be used to dodge v5 logging
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart

possibly disable mDNS altogether. Might be smart if it blocks Inveigh/Responder.


Changes made to the LAPS GPO:

in policies -> administrative templates -> system -> LAPS

  - enable password backup for DSRM account: disabled (DSRM is not backed up in AD)
  - enable password encryption: enabled
  - post-authentication actions: after 1 hour, reboot the machine and reset the password
  - name of administrator account to manage: disabled. this means it manages the built-in (renamed) administrator account, prccdcadmin.
  - password complexity/length: 14 characters; age: 30 days. need this so if they lose access to the DC, we can still get the passwords.
  - configure password backup directory: Active Directory. we are not using Azure.
  - configure authorized password decryptors: disabled (so Domain Admins do it)
  - do not allow password expiration time longer than required by policy: disabled (so the default policy is not followed and the password shouldn't be reset)

in local policies -> security options -> accounts: local administrator account status is set to enabled.

in local policies -> user rights assignment: deny Domain Admins log on for batch, network, and all the above.

then run this:

Update-LapsADSchema

then this:

Add-KdsRootKey -EffectiveImmediately

for each OU:

Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=prccdc,DC=htb"
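Added example, not from the original post: the post-schema-update steps above as one script, plus the checks I would want before trusting the "we can still get the passwords" fallback. It assumes the Windows LAPS and ActiveDirectory modules on a DC or admin host, and the Servers OU and WS01 host name are placeholders; the cmdlets are the real LAPS module ones.

```powershell
# Added example (not from the original post). After Update-LapsADSchema: grant
# each computer OU the self-write permission, check who holds the extended
# right to read passwords, and confirm clients have actually rotated one.
# Assumes the LAPS and ActiveDirectory modules on a DC or admin host. The
# 'Servers' OU and 'WS01' host are placeholders for this example.
Import-Module LAPS
Import-Module ActiveDirectory

# Password encryption needs a KDS root key. Even with -EffectiveImmediately,
# other DCs wait ~10 hours before trusting it; a single-DC lab can backdate it:
#   Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

$computerOUs = @(
    'OU=Workstations,DC=prccdc,DC=htb',   # from the post
    'OU=Servers,DC=prccdc,DC=htb'         # placeholder, add your other OUs
)

foreach ($ou in $computerOUs) {
    # Lets computers in the OU write their own msLAPS-* attributes.
    Set-LapsADComputerSelfPermission -Identity $ou | Out-Null
    # With "authorized password decryptors" left disabled this should list
    # Domain Admins (and SYSTEM) only; any other holder is a finding.
    Find-LapsADExtendedRights -Identity $ou |
        Select-Object ObjectDN, ExtendedRightHolders | Format-List
}

# Rotation status per computer, without showing any password.
# No ExpirationTimestamp means the client never backed up a password
# (GPO not applied yet, KDS key not usable, or the account name mismatched).
function Get-LapsRotationStatus {
    param([string]$SearchBase)
    Get-ADComputer -SearchBase $SearchBase -Filter * | ForEach-Object {
        $p = Get-LapsADPassword -Identity $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer  = $_.Name
            Account   = $p.Account              # should be prccdcadmin
            Updated   = $p.PasswordUpdateTime
            Expires   = $p.ExpirationTimestamp
            HasBackup = [bool]$p
        }
    }
}
Get-LapsRotationStatus -SearchBase 'OU=Workstations,DC=prccdc,DC=htb' | Format-Table -AutoSize

# If the team loses the DC console but still has a Domain Admin session
# elsewhere, one password can be read in clear text like this:
# Get-LapsADPassword -Identity 'WS01' -AsPlainText
```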


Only one account is delegated under the Workstations OU: right click -> Delegate Control -> add the account -> computers -> create child objects -> finish. Now no one can add computers to the domain except this account (as long as you set the machine account quota, i.e. max account creation, to 0).
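Added example, not from the original post: the PowerShell side of that delegation. It sets ms-DS-MachineAccountQuota (the "max account creation" value) to 0 and lists who can still create computer objects under the Workstations OU, so the single-join-account intent can be verified rather than assumed; it needs the ActiveDirectory module and a Domain Admin session, and the function name is mine.

```powershell
# Added example (not from the original post): back the OU delegation with the
# domain setting it depends on, then list every principal that can still
# create computer objects under the Workstations OU.
Import-Module ActiveDirectory

$domain = Get-ADDomain   # prccdc.htb in the post
# Default is 10: every authenticated user may join 10 computers. Set it to 0.
Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
(Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

function Get-ComputerCreators {
    param([string]$OU)
    # schemaIDGUID of the computer class; an all-zero ObjectType means "any child".
    $computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match 'CreateChild|GenericAll' -and
            ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Expected: SYSTEM, the admin groups inherited from the domain root, and the
# one delegated join account. Anything else can still add machines.
Get-ComputerCreators -OU 'OU=Workstations,DC=prccdc,DC=htb' | Format-Table -AutoSize
```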