Preventing Pass-the-Hash

Working with different clients I’ve seen a lot of ignorance and neglect when it comes to Pass-the-Hash (PtH). Here are the control mechanisms that should be implemented to protect cached credentials and prevent Pass-the-Hash attacks:

1. Apply UAC restrictions to local accounts on network logons

This can be configured through a group policy setting, and it controls whether local accounts can be used for remote administration via network logon. As an alternative, you can configure the “Deny access to this computer from the network” group policy setting.

2. Disable WDigest Authentication

When WDigest authentication is enabled, Lsass.exe keeps a copy of the user’s plain-text password in memory. Prior to Windows Server 2012 R2 this setting is enabled. To disable WDigest authentication you can use group policy, or you can manually configure the following registry value:

"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
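As an added example (not code from the original post), the following PowerShell audits the registry state behind controls 1 and 2 on the local machine and reports whether each matches the hardened setting. It assumes the UAC network-logon restriction is backed by the LocalAccountTokenFilterPolicy value, which is not mentioned above, and that it runs in an elevated session.

```powershell
# Added example: audit the two registry values behind PtH controls 1 and 2.
# Assumption: the GPO "Apply UAC restrictions to local accounts on network logons"
# is backed by LocalAccountTokenFilterPolicy (0 = filtered, the hardened state).
# UseLogonCredential = 0 stops WDigest from keeping plain-text credentials in LSASS.

# Windows 8.1 / Server 2012 R2 (NT 6.3) and later treat an absent UseLogonCredential
# as disabled; older builds with the security update need it set explicitly to 0.
$osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version

$checks = @(
    @{
        Name     = 'UAC token filtering for local accounts (control 1)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value    = 'LocalAccountTokenFilterPolicy'
        Expected = 0
        AbsentOk = $true   # absent means the default (filtering on) applies
    },
    @{
        Name     = 'WDigest plain-text credential caching (control 2)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        Value    = 'UseLogonCredential'
        Expected = 0
        AbsentOk = ($osVersion -ge [Version]'6.3')
    }
)

foreach ($c in $checks) {
    # -ErrorAction SilentlyContinue yields $null when the key or value does not exist
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $current = 'absent'
        $result  = if ($c.AbsentOk) { 'OK (default)' } else { 'FAIL (set to 0)' }
    } else {
        $actual  = $item.($c.Value)
        $current = "= $actual"
        $result  = if ($actual -eq $c.Expected) { 'OK' } else { "FAIL (expected $($c.Expected))" }
    }
    [PSCustomObject]@{
        Control  = $c.Name
        Registry = "$($c.Path)\$($c.Value)"
        Current  = $current
        Result   = $result
    }
}
```

Any row reporting FAIL means the corresponding control above has not taken effect on that host, regardless of what the group policy editor shows.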



Top 10 Apache Security Configurations

Document root directory: /var/www/html  or  /var/www
Apache Configuration file: /etc/apache/apache2.conf  or  /etc/httpd/conf/httpd.conf
Apache Access Log: /var/log/httpd/access_log
Apache Error Log: /var/log/httpd/error_log

1. Make sure you have the latest Apache updates

2. Disable unused modules

3. Change Apache user account

Create a new dedicated Linux user for Apache.

# groupadd webuser
# useradd -d /var/www/ -g webuser -s /bin/nologin webuser

After creating the user, you need to tell Apache to run as this new user.

User webuser
Group webuser

4. Remove the version information from custom error pages

ServerSignature Off
ServerTokens Prod


Shylock malware spam

I’ve just received notice that malware called Shylock is being distributed through spam e-mail. A number of spam mail servers have been used to send this malware, so you need to make sure you block these domains. Run the following command on the Exchange 2013 mail server to block these spam servers:

Set-SenderFilterConfig -BlockedDomainsAndSubdomains aqu.su,atmgion.su,axr.su,azr.su,bai.su,bcv.su,bern.su,blz.su,caf.su,cif.su,dorwwc.su,eca.su,eevootii.su,ehk.su,eprotect.su,e-protections.su,e-statistics.su,feat.su,fve.su,gaso.su,grs.su,higuards.su,igate.su,iprotect.su,jcy.su,klr.su,lbb.su,leq.su,lud.su,many.su,maw.su,mouih.su,mue.su,nohtheer.su,oul.su,queiries.su,rnx.su,simkas.su,sito.su,soinstlen.su,tco.su,tnbc.su,vkloft.su,vng.su,wand.su,wbx.su,wsysinfonet.su,acx.su,aisuvied.su,ccl.su,dmf.su,exy.su,ezootoo.su,fey.su,main2woo.su,nfg.su,oogagh.su,pcg.su,pqe.su,r4i6nb.sxo.su,sge.su,sxo.su,thepohzi.su,umc.su,uphebuch.su,ahbee.su,ajeic.su,choop.su,eimiecha.su,tagoo.su,vun.su,wyp.su,teighoos.su,jan.su,navyfederal.jan.su,onlineaccess1.jan.su,apb.su,CDN-STORE.SU,egu.su,GREENCLOUD.SU,OHY.SU,STRONG-SERVICE.SU,TECH-SUPPORT-LLC.SU,YIEQUEIH.SU,YIMGSCORES.SU