What is hardening? Why harden? When should you harden? Hardening is the process of raising the security level of a system through a set of rules and security settings applied to the server and the operating system: the rules and mechanisms the administrator decides on and rolls out across the whole estate. Done properly, it reduces the security risk introduced by the services running on that server. Below I walk through doing it on Windows Server 2016. Hardening should be carried out right after the server has been freshly installed, before it goes into service.


How do you run the commands provided below? On the taskbar: Start -> type "powershell ise" -> right-click -> Run as Administrator. Or save the script as a file with the .ps1 extension, e.g. Hardening.ps1, then right-click in its folder -> Open PowerShell window here as administrator, and run .\Hardening.ps1 from that elevated window.


```powershell
# Hardening OS
# Disables LLMNR, WPAD, SMBv1, PowerShell v2, IPv6, AutoRun, WDigest, SMBv3 compression and NLA; enables audit logging
# Enables UAC, LSA protection (RunAsPPL), NTLMv2-only, hardened UNC paths, firewall logging, show hidden files
# Fix CredSSP Remote Desktop
# ---------------------
# Run from an elevated PowerShell session. Several settings (RunAsPPL, IPv6, SMBv1/PSv2 removal) only take effect after a reboot.

# Set TimeZone GMT+7 Hanoi
Set-TimeZone -Name "SE Asia Standard Time"

# Disable LLMNR: 0 = multicast name resolution off (1 would leave it on for Responder-style poisoning)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
# Disable the SMBv1 server
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
# Enable UAC
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
# Send NTLMv2 only, refuse LM and NTLMv1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LMCompatibilityLevel /t REG_DWORD /d 5 /f
# Disable WPAD proxy auto-discovery
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /v WpadOverride /t REG_DWORD /d 1 /f

# Pass-the-hash with local accounts: remote logons by local admins other than RID 500 get a filtered (non-admin) token
# https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
# https://en.hackndo.com/pass-the-hash/
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
# Apply UAC to the built-in Administrator (RID 500) as well
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f

# Prevent (remote) DLL hijacking
# https://www.greyhathacker.net/?p=235
# https://www.verifyit.nl/wp/?p=175464
# https://support.microsoft.com/en-us/help/2264107/a-new-cwdillegalindllsearch-registry-entry-is-available-to-control-the
# The value data can be 0x1, 0x2 or 0xFFFFFFFF. If CWDIllegalInDllSearch does not exist or is 0, the machine is still vulnerable.
# 0x1: block DLL loads from the current working directory when it is a WebDAV folder
# 0x2: block DLL loads from the current working directory when it is any remote folder (WebDAV or UNC)
# ---------------------
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0x2 /f

# Disable IPv6 (0xFF = all components except loopback; Microsoft prefers 0x20 "prefer IPv4" over a full disable)
# https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users
# ---------------------
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 0xFF /f

# Disable SMBv1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# Disable PowerShell v2 (bypasses script block logging and AMSI)
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart

#########################################################################
# Harden lsass to help protect against credential dumping (Mimikatz)
# Configures lsass.exe as a protected process and disables WDigest
# https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx
# https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5
# ---------------------
# AuditLevel 8 logs LSA plug-ins that would fail to load under protection (Event IDs 3065/3066) before enforcing
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 8 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
# Allow Restricted Admin RDP (no reusable credentials sent to the host) but forbid outbound use of those credentials
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdminOutboundCreds /t REG_DWORD /d 1 /f
# Stop WDigest from keeping plaintext passwords in lsass memory
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v Negotiate /t REG_DWORD /d 0 /f

# Enable Firewall Logging
# ---------------------
netsh advfirewall set currentprofile logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set currentprofile logging maxfilesize 4096
netsh advfirewall set currentprofile logging droppedconnections enable

# Disable AutoRun
# ---------------------
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f

# Show known file extensions and hidden files
# ---------------------
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f

##### Microsoft Windows Security Update Registry Key Configuration Missing (ADV180012) (Spectre/Meltdown Variant 4) #####
# Impact: an attacker who has successfully exploited this vulnerability may be able to read privileged data across trust
# boundaries. Vulnerable code patterns in the OS or in applications could allow an attacker to exploit it. In the case of
# Just-in-Time (JIT) compilers, such as the JavaScript JIT used by modern web browsers, an attacker may be able to supply
# JavaScript that produces native code giving rise to an instance of CVE-2018-3639.
# FeatureSettingsOverride=8 with Mask=3 enables Speculative Store Bypass Disable alongside the Spectre v2/Meltdown mitigations.
# The values must be REG_DWORD, so -Type DWord is required.
$mm = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
Set-ItemProperty -Path $mm -Name FeatureSettingsOverride -Value 8 -Type DWord
Set-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -Value 3 -Type DWord

##### Windows Registry Setting to Globally Prevent Socket Hijacking Missing #####
# Impact: if this setting is missing, in the absence of a SO_EXCLUSIVEADDRUSE check on a listening privileged socket,
# local unprivileged users can hijack the socket and intercept all data meant for the privileged process.
# DisableAddressSharing=1 makes AFD refuse address sharing for every listener, which is the documented remediation for this finding.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters" -Name DisableAddressSharing -Value 1 -Type DWord

##### MS15-011 Hardened UNC Paths: Microsoft Group Policy Remote Code Execution Vulnerability (MS15-011) #####
# Impact: remote code execution if an attacker convinces a user with a domain-configured system to connect to an
# attacker-controlled network. reg add creates the HardenedPaths key if it does not exist yet.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" /v "\\*\NETLOGON" /t REG_SZ /d "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" /v "\\*\SYSVOL" /t REG_SZ /d "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1" /f

##### Enable strong cryptography (TLS 1.2) for .NET 4.x #####
# Both the native 64-bit hive and Wow6432Node, so 32-bit .NET applications are covered too
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319" -Name SchUseStrongCrypto -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319" -Name SchUseStrongCrypto -Value 1 -Type DWord

##### Disable SMBv3 compression: SMBGhost RCE workaround (CVE-2020-0796) #####
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWord -Value 1 -Force

##### Fix CredSSP (CVE-2018-0886 encryption oracle) #####
# AllowEncryptionOracle: 2 = Vulnerable (connect to unpatched peers), 1 = Mitigated, 0 = Force Updated Clients.
# 2 restores RDP connectivity to unpatched hosts at the cost of the protection; move to 0 once every peer is patched.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f

##### Disable NLA #####
# UserAuthentication=0 lets unauthenticated clients reach the RDP logon screen. Keep NLA on (1) unless legacy clients require this.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

# Audit Log
auditpol /set /category:"System" /failure:enable /success:enable
auditpol /set /category:"Account Management" /failure:enable /success:enable
auditpol /set /category:"Account Logon" /failure:enable /success:enable
auditpol /set /category:"Logon/Logoff" /failure:enable /success:enable
auditpol /set /category:"Policy Change" /failure:enable /success:enable

# Fix DNS CVE-2020-1350 (SIGRed) workaround: cap the TCP DNS packet size, then restart the DNS Server service if the role is installed
reg add "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v TcpReceivePacketSize /t REG_DWORD /d 0xFF00 /f
if (Get-Service -Name DNS -ErrorAction SilentlyContinue) { Restart-Service -Name DNS }

Write-Host "Hardening successfully"
gpupdate /force

# Create new user "admin" and add it to the Administrators group
# Base64-decode $SystemObfuscation to get the password. Base64 is encoding, not encryption: anyone who can read this script
# can recover the password, so replace the string with your own value and keep the script out of shared locations.
$SystemObfuscation = "UmVwbGFjZV9teV93aXRoX2Jhc2U2NF9lbmNvZGU="
$SystemConvert = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($SystemObfuscation))
net user admin $SystemConvert /add
net localgroup administrators admin /add
# Set user admin password to never expire
Set-LocalUser -Name "admin" -PasswordNeverExpires $true
#################################################
```
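`reg add` returns success even when a hive path is mistyped and creates a key that nothing reads, and RunAsPPL only becomes effective after a reboot, so it is worth reading the settings back rather than trusting the "Hardening successfully" message. The following read-back check is an added example and not part of the original post; it assumes it is run in an elevated PowerShell session on the hardened host and that the expected values are the ones the script above writes (the hypothetical `$expected` table can be trimmed or extended to match a local variant of the script).

```powershell
# Verify-Hardening.ps1: read back the hardening settings and report drift (added example, not the original script)
# Assumes an elevated session on the host that ran the hardening script; expected values mirror that script.

# Expected registry state. Names are read with GetValue(), so the literal '\\*\NETLOGON' is not treated as a wildcard.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                   Name = 'EnableMulticast';                     Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';          Name = 'SMB1';                                Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';          Name = 'DisableCompression';                  Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';          Name = 'EnableLUA';                           Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';          Name = 'LocalAccountTokenFilterPolicy';       Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';          Name = 'FilterAdministratorToken';            Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                               Name = 'LMCompatibilityLevel';                Value = 5 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                               Name = 'RunAsPPL';                            Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                               Name = 'DisableRestrictedAdminOutboundCreds'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';         Name = 'UseLogonCredential';                  Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';                   Name = 'CWDIllegalInDllSearch';               Value = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'FeatureSettingsOverride';             Value = 8 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'FeatureSettingsOverrideMask';         Value = 3 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters';                   Name = 'DisableAddressSharing';               Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths';  Name = '\\*\NETLOGON'; Value = 'RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths';  Name = '\\*\SYSVOL';   Value = 'RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319';                        Name = 'SchUseStrongCrypto';                  Value = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'; Name = 'AllowEncryptionOracle';  Value = 2 }
)

function Test-RegistrySetting {
    param([string]$Path, [string]$Name, $Expected)
    # -LiteralPath so a path containing odd characters is never expanded; GetValue() returns $null for a missing value
    $key    = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    $actual = if ($key) { $key.GetValue($Name) } else { $null }
    [pscustomobject]@{
        Setting  = "$Path\$Name"
        Expected = $Expected
        Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        Ok       = ($null -ne $actual) -and ("$actual" -eq "$Expected")
    }
}

function Test-FeatureDisabled {
    param([string]$FeatureName)
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction SilentlyContinue).State
    [pscustomobject]@{
        Setting  = "OptionalFeature\$FeatureName"
        Expected = 'Disabled'
        Actual   = if ($null -eq $state) { '<not present>' } else { "$state" }
        # A feature that is not present at all is also acceptable: nothing to exploit
        Ok       = ($null -eq $state) -or ("$state" -like 'Disabled*')
    }
}

function Test-LsaProtectionActive {
    # RunAsPPL is only enforced after a reboot; Wininit then logs Event ID 12 in the System log when lsass starts protected
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting  = 'Runtime\LSASS protected process (Wininit Event 12)'
        Expected = 'logged since last boot'
        Actual   = if ($evt) { $evt.TimeCreated.ToString('s') } else { '<no event: reboot pending?>' }
        Ok       = [bool]$evt
    }
}

$results = @()
$results += $expected | ForEach-Object { Test-RegistrySetting -Path $_.Path -Name $_.Name -Expected $_.Value }
$results += 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2' | ForEach-Object { Test-FeatureDisabled -FeatureName $_ }
$results += Test-LsaProtectionActive

$results | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object { -not $_.Ok })
Write-Host ("{0} of {1} checks passed" -f ($results.Count - $failed.Count), $results.Count)
# Non-zero exit code lets a scheduled task or CI job flag drift without parsing the table
exit $failed.Count
```

Run it once right after the hardening script (expect the LSASS runtime check to fail until the reboot) and again after the reboot; a non-zero exit code means at least one setting drifted or was never written. The string comparison in `Test-RegistrySetting` keeps REG_DWORD and REG_SZ values on one code path, which is enough here because every expected value is either an integer or an exact string.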