To some it may have passed under the radar, for others it might be of interest.
Microsoft has released a bug bounty program for hackers, white hats, bug hunters and security researchers alike to discover, find and report vulnerabilities to Microsoft to strengthen the Microsoft portfolio.
Microsoft having dominated the market for home users and business computers have long been a favored target for cyber criminals, hobby hackers and other nefarious operatives. Meaning that just a zero-day vulnerability or any breach can cause a crisis like the recent WannaCry ransomware attack.
Microsoft has previously had bug bounty programs, but mostly they have been limited in time, or for specific suites.
Busy days, we had WannaCry remind us about the importance of patch compliance and mitigation (add political pun about encryption and weapons) and we saw IT and business rally to mitigate, patch and get their heads over water.
NotPetya spread over the same attack vector and utilized PsExec with the SMBv1 vulnerability but had a much more complicated payload, which turned out to not be ransomware, but a wiper prompting for a ransom, allowing no way to decrypt essentially rendering the data lost.
So with that in mind I decided to write a post about the upcoming Windows 10 Fall Creators Update, touching on Windows Defender ATP and security in general, and my thoughts surrounding it..
First off, it integrates Windows Defender Advanced Threat Protection (ATP) into Windows 10 essentially unifying the Windows threat protection stack.
To sum it up, it’s built in and not added on.
Security is complicated, it involves layer upon layer, there is exterior security, interior security, network, information, os hardening, user training and so on.
One of the best things with ATP?
It integrates with cloud intelligence and the rest of your security, giving you a single pane of glass for administration.
Now what is the ATP? It covers a range of features such as:
Windows Defender Exploit Guard
Windows Defender Explot Guard (WDEG) uses information from the Microsoft Intelligent Security Graph (ISG) and provides a heavy set of intrusion rules and policies to assist and prrevent advanced threats, as well as zero day exploits.
Windows Defender Application Guard
A real winner here I believe, we’ll see how it turns out when it goes live for everyone, but I like the idea of Windows Defender Application Guard (WDAG) because even if the OS stack, network stack is secure, does not necessarily mean your third-party applications for example your browser is. Example and point: when Tim in accounting accidentally downloads malicious malware or Rambo in security triggers a zero-day worm whilst researching in the wrong container, WDAG will isolate and contain the threat. Keeping your device, apps and data secure. At least in theory.
Windows Defender Device Guard
Also integrated into ATP, Device Guard allows whitelisting of applications on a per-device basis and if anything it gives the Security Operations Center better insight, and automated application control as well as implementation of DDG into ATP gives organizations an easy implementation. Well improved detection, response capabilities and a growing detection dictionary that includes more indicators of attacks (IoA) with a large suite being gathered into one product in the Windows threat protection stack will allow you to remedy, as well as spot weaknesses far faster then before, and reduces the overhead required and the custom implementations required to make all the systems “talk“.
So what is my take from this? I thoroughly believe that the creator of a product (Microsoft) is most likely the best to create a security solution best suited for their product (Windows and surrounding services).
To sum it up ATP integrated with Windows 10, and Cloud Intelligence (Office 365, Microsoft Azure) will be a huge step in the right direction, and be a valuable asset to any Service Operations Center or IT operation team.
As always if you have any suggestions about topics, articles, how-to’s and what not hit me up here or on twitter at @UlvBjornsson
You can also remove it with “Server Manager” or use this snippet:
If you want to check whether or not SMB 1.0 is active on your server you can run:
As you can see it states that EnableSMB1Protocol is currently True we wantto set this to False.
We can accomplish this by running the following snippet:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force’ cmdlet, as shown below.
(Force is added to prevent it from pausing for confirmation, and run through.)
Let’s run this again to see if the configuration changed:
It is now set to false.
Patch your clients and servers.
WannaCrypt takes advantage of the MS17-010 vulnerability also known as the SMBv1 vulnerability, thankfully it has been patched with MS17-010. Depending on your patch regime, you should expedite and ensure that this patch goes through.
If your systems have been affected; DOUBLEPULSAR will have also been installed, so this will need to also be removed. A script is available (by COUNTERCEPT) that can remotely detect and remove the DOUBLEPULSAR backdoor.