Dark Reading is part of the Informa Tech Division of Informa PLC
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Also, one thing about Hyper-V, if we apply the same rules to the Hyper-V environment, we can isolate Hyper-V's use to the localsubnet so no-one outside of the network could access those servers. It could be locked down even further using Encryption and Authentication.
Incorporating a Prevention Mindset into Threat Detection and ResponseThreat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time.
The report covers areas enterprises should focus on:
What positive response looks like.
Improving security hygiene.
Combining preventive actions with red team efforts.
Incident Readiness and Building Response Playbook
In this special report, learn the Xs and Os of any good security incident readiness and response playbook.
Tweet This
0 Comments
User Rank: Ninja
7/19/2019 | 5:30:27 PM
We have identified ways to address this issue.
# Identify Administrators users $users = New-Object -TypeName System.Security.Principal.NTAccount ("Administrators") # Security Principles for users accessing systems $SIDofSecureUserGroup = $users.Translate([System.Security.Principal.SecurityIdentifier]).Value # Secure User Groups found in the Administrators Group $SecureMachineGroupSDDL = "D:(A;;CC;;; $SIDofSecureUserGroup)" # Remote Desktop DisplayName for individual rules $rule = (Get-NetFirewallRule -DisplayName "Remote Desktop*").DisplayName foreach ($i in $rule) { Set-NetFirewallRule -DisplayName $i -Profile "Private" } # Set Remote Desktop, add Builtin\Administrators groups to the filter $nfSecurityFilter = Get-NetFirewallRule -DisplayName "Remote Desktop*" | Get-NetFirewallSecurityFilter # Set NetFirewallSecurity Filter Settings for Authorized Users, login required for local users Set-NetFirewallSecurityFilter -RemoteMachine $SecureMachineGroupSDDL -InputObject $nfSecurityFilter -Authentication Required -Encryption Required #This cmdlet can be run using only the pipeline. foreach ($i in $rule) { Get-NetFirewallRule -DisplayName $i | Get-NetFirewallSecurityFilter | Set-NetFirewallSecurityFilter -RemoteMachine $SecureMachineGroupSDDL -Authentication Required -Encryption Required } #Looks for Remote Desktop rule, then sends the results to a file on your desktop call fwrules.txt (append) Get-NetFirewallRule -DisplayName "Remote Desktop*" | out-file $env:USERPROFILE\desktop\fwrules.txt -Append Get-NetFirewallRule -DisplayName "Remote Desktop*" | Get-NetFirewallSecurityFilter | out-file $env:USERPROFILE\desktop\fwfilter.txt -AppendWe have implemented this fix on our site, maybe someone from the various teams could utilize this code to ensure RDP is not compomised.
Todd