Operating System Configuration
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Techniques Addressed by Mitigation
To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later.
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located
Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.
There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:
Consider reducing the default BITS job lifetime in Group Policy or by editing the
|Enterprise||T1092||Communication Through Removable Media||
Disallow or restrict removable media at an organizational policy level if they are not required for business operations.
Protect domain controllers by ensuring proper security configuration for critical servers.
Consider disabling or restricting NTLM.
|Enterprise||T1011||Exfiltration Over Other Network Medium||
Prevent the creation of new network adapters where possible.
If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the
Make sure that the
|Enterprise||T1490||Inhibit System Recovery||
Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery.
|Enterprise||T1130||Install Root Certificate||
Windows Group Policy can be used to manage root certificates and the
|Enterprise||T1174||Password Filter DLL||
Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (
|Enterprise||T1076||Remote Desktop Protocol||
Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.
Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at
|Enterprise||T1166||Setuid and Setgid||
Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.
Similarly, ensuring that the
- Microsoft. (n.d.). Configure Network Level Authentication for Remote Desktop Services Connections. Retrieved June 6, 2016.
- UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017.
- Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.
- Microsoft. (n.d.). Configure Timeout and Reconnection Settings for Remote Desktop Services Sessions. Retrieved December 11, 2017.
- Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017.
- Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.
- Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017.