Implment Server Hardening Solutions Flashcards

Question

Can BitLocker be implemented on a device without TPM 1.2 or newer?

Answer 1

- Yes. However, it will require either a USB key to start or resume from hibernation. - Windows 8 and Newer may use a password to protect systems without TPMs - Without a TPM, there are no pre-startup system integrity verification

Answer 2

- An extension to AD that enables locating and viewing BitLocker Drive Encryption recovery passwords that have been backed up to AD - Can be used to help recover data that is stored on a drive encrypted with BitLocker

Answer 3

- Right Click the computer object in AD \ Properties | - Right-Click the domain container and search for the recovery password

Answer 4

Domain Administrator. This can be delegated.

Answer 5

- Command Line: manage-bde and repair-bde | - Powershell Cmdlets for Powershell

Answer 6

Disaster recovery scenarios where a BitLocker protected drive cannot be unlocked normally using the recovery console.

Answer 7

- For system integrity check: Use TPM 1.2 or newer - Without a TPM, BitLocker requires a startup key on a removable drive (e.g. USB) - TPMs must have a TCG-compliant BIOS or UEFI (not required for non-TPM) - BIOS must support usb mass storage, inlucidng reading small files in a pre-OS environment. - Hard disk must be partitioned with at least 2 partitions/volumes - - OS (Boot) Drive must be NTFS - - System drive with files used to load Windows after firmware has prpared the drive. Not BitLocker protected. Must be formatted FAT32 (UEFI) or NTFS (Bios). Recommended size 350MB - - Windows should be able to create these partitions automatically. - When installing BitLocker on a server OS use the Enhanced Storage Feature for hardware encryption drive support.

Answer 8

- XTS-AES Support - Encrypt and recover device with Azure AD - DMA Port protection - GPO for Configuring Pre-Boot Recovery

Answer 9

- AES-128: Default - AES-256: Same as 128 but double cipher length - XTS-AES-128: FIPS Compliant, Incompatible with pre-Server 2016 - XTS-AES-256: Same as XTS-AES-128 but double cipher length

Answer 10

- Kernel debugger may be able to access BitLocker keys and other sensitive data - If a debugger is used, OS will automatically restart after every boot.

Answer 11

Utilize the "BitLocker Drive Preparation Tool" to configured required volumes.

Answer 12

- TPM - PIN (Numeric) - Enhanced PIN (Alphanumeric) - Startup Key - Recovery Password - Recovery Key

Answer 13

Startup Key

Answer 14

TPM-only. TPM-only protects against attacks to modify the early boot components. It encrypts drives, but, as in the case with a laptop, the TPM would still allow an attacker to boot the system and potentially compromise the storage within. This is mitigated by incorporating other factors to provide multi-factor access to the system.

Answer 15

TPM + Network Key

Answer 16

The Windows RE boot image must reside on the volume not protected by BitLocker.

Answer 17

yes. Using WinPE a randomly generated key can be applied to the formatted volume and encrypt it prior to the Windows install.

Answer 18

(Hint: What portion of the drive can be encrypted) - Used Space Only - Encrypts only used space. Useful for systems with freshly provisioned drives. Faster - Full encryption - Encrypts entire drive. Used for repurposed drives.

Answer 19

Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ \ Choose how BitLocker protected drives can be recovered?

Answer 20

- 48-digit recovery password | - Key package data. Can be used to decrypt the drive if it is severely damaged

Answer 21

Server 2012 R2/Windows 8.1

Answer 22

- US Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems used by the US Federal Government. - FIPS 140 defines approved cryptographic algorithms

Answer 23

- BitLocker would prevent the creation or use of recovery passwords and force users to create recovery keys

Answer 24

- FIPS compliant recovery passwords can be created - FIPS compliant recovery passwords can be distinguished from those created with other systems. - FIPS compliant recovery passwords will unlock a drive and allow read/write access even while in FIPS mode - FIPS compliant recovery passwords may be exported to and stored in AD

Answer 25

No. These are incompatible with one another

Answer 26

Yes. BitLocker does require at least two partitions on a drive, however, the drive can be repartitioned without using data using the Bdehdcfg tool.

Answer 27

- BitLocker Control Panel - Windows Explorer - Manage-bde command line - BitLocker Windows Powershell cmdlets

Answer 28

Choose the Manage BitLocker option in the control panel. Select "Turn on BitLocker"

Answer 29

Only formatted drives with assigned drive letters

Answer 30

- Drive must be in an uninitialized state and in the security inactive state - System must also always boot with UEFI 2.3.1 or higher and the CSM should be disabled.

Answer 31

- Should be printed, saved on removable media, or on a network folder. - Key cannot be stored in the root-directory of a non-removable drive on on the encrypted drive. - Ideally the key should be stored separate from the computer.

Answer 32

Encrypt the whole drive. While encrypting only used space is faster, but in this scenario full encryption ensures even deleted files are encrypted and secured.

Answer 33

Until BitLocker encryption is complete the options for management are limited. Wait until encryption has completed (manage-bde -status) and you will be able to do more after that.

Answer 34

CMD: manage-bde -status PS: Get-BitLockerVolume

Answer 35

- Password - Smart Card - Automatically unlock this drive on this computer

Answer 36

The drive will be unlocked if the system drive is unlocked.

Answer 37

- Computers cannot be domain joined | - User must be using a Microsoft account

Answer 38

This is available on client OSes by default and can be added to Server OSes by installing the BitLocker and Desktop Experience role.

Answer 39

The drive was encrypted on Windows 8 using "Used Space Only"

Answer 40

Yes. BitLocker can protect cluster-aware disk by adding protects to the Cluster Name Object that allow the disk to properly failover and be unlocked by any member computer

Answer 41

Yes. It will require an additional protector (TPM, PIN, RecoveryKey, etc).

Answer 42

BitLocker in Windows 8+ will complete the encryption regardless of policy.

Answer 43

An additional protect is required and the SID-based protector does not unlock the OS in the pre-boot environment.

Answer 44

Unlocking Failover Cluster enabled volumes

Answer 45

- Control Panel - Windows Explorer - Manage-BDE - WIndows Powershell (Get-BitLockerVolume)

Answer 46

- BitLocker is enabled with a clear protector key and it requires further action to be fully protected. - Add the keys via Control Panel, Manage-BDE, or WMI and it should start working.

Answer 47

No. Decryption should only be done at the end of a drive's life or if there is an issue with BitLocker that prevents the volume from being encrypted or unlocked readily.

Answer 48

In the schema, modify the searchFlags on the object and enable bit 7 (128 decimal)

Answer 49

- msTPM-OwnerInformation - msFVE-KeyPackage - msFVE-RecoveryPassword - msFVE-RecoveryInformation

Answer 50

This attribute contains the owner information of a computer's TPM module. This attribute is applied to the computer object.

Answer 51

This attribute contains the BitLocker encryption key secured by the corresponding recovery password. This attribute is applied to the msFVE-RecoveryInformation object.

Answer 52

This attribute contains the BitLocker encryption key secured by the corresponding recovery password. This is applied to the msFVE-RecoveryInformation object.

Answer 53

This object is created for every encrypted volume and is stored as a sub-attribute of the computer's objec where the volume was encrypted. Contains the recovery attributes associated with a BitLocker recovery.

Answer 54

Control_Access Extended right (viewable/settiable via LDP) | Also grants permission to LAPS passwords

Answer 55

- Read | - Control_access (set via LDP or script)

Answer 56

Go into Group Policy. Modify the policy that configures "Computer Configuration \ Windows Security \ Security Settings \ Local Policies \ Security Options \ System Cryptography: Use FIPS Compliant Algorithms for encryption, hasing, and signing" and disable the setting. Note: This error may also present as "Cannot decrypt disk. Policy requires a password which is not allowed with the current security policy about use of FIPS algorithms." This error may appear when a drive is encrypted and an recovery key is created but no password is created as its protector or when the recovery password is not archived in AD.

Answer 57

Symmetric uses a single key to encrypt and decrypt. - Often referred to as single-key, secret-key, shared-key, or private-key - AES, DES, or 3DES are examples Asymmetric uses two keys: one for encrypting and one for decrypting. - Often called public key cryptography - SSL/TLS and PGP are examples of protocols that use asymmetric keys - Common encryption methods are Diffe-Hellman and RSA

Answer 58

Server 2008 / Windows Vista

Answer 59

Windows 10 version 1511 / Server 2016

Answer 60

"Require additional authentication at startup" is required via GPO. Located under "Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives.

Answer 61

This will enable BitLocker on the data drive. However, the drive will not be protected as no authenticating protector is installed. You'll need to enable a protector after the fact to fully protect the drive. The drive is encrypted, just not protected.

Answer 62

Assuming C: is the OS volume and a TPM is installed, the OS volume will be encrypted with TPM-only and no recovery key.

Answer 63

manage-bde -status

Answer 64

manage-bde -Protectors -add C: -StartupKey E: | manage-bde -on C:

Answer 65

manage-bde -protectors -get $VolumeLetter

Answer 66

manage-bde -protectors -add $VolLetter -pw -sid $UserOrGroupSid

Answer 67

manage-bde -protectors -add -pw C: | manage-bde -on C:

Answer 68

manage-bde -off C:

Answer 69

Remove-BitLockerKeyProtector

Answer 70

1. First identify the key protector ID $Volume = Get-BitLockerVolume $KeyProtectors = $Volume.KeyProtector 2. Identify the KeyProtectorID that needs removed and remove it. Remove-BitLockerKeyProtector $VolumeLetter -KeyProtectorId $KeyProtectorID

Answer 71

Enable-BitLocker $VolumeLetter

Answer 72

-SkipHardwareTest

Answer 73

Enable-BitLocker $DriveLetter -AdAccountOrGroupProtector -AdAccountOrGroup $GroupOrUserOrSid

Answer 74

Get-BitLockerVolume $VolumeLetter

Answer 75

Disable-BitLocker $VolumeLetter

Answer 76

Select a 64-bit CPU

Answer 77

Windows 10 Pro, Enterprise, or Education

Answer 78

``` FireWire ThunderBolt ExpressCard PCI Express PCMCIA PCI PCI-X ```

Answer 79

Block DMA via Policy WIndows 10 - Automatically blocks DMA from being installed until the computer is unlocked "Instant Go" devices do not have DMA ports IO-MMU prevents DMA attacks when running a Hypervisor

Answer 80

Secure Boot

Answer 81

Computer Configuration \ Policies \ Administrative Templates \ System \ Trusted Platform Module Services

Answer 82

Turn on TPM backup to Active Directory Domain Services Configure the list of blocked TPM commands Configure the level of TPM owner authorization information available to the OS Configure standard user lockout duration Standard User individual lockout threshold

Answer 83

Windows 8 / Server 2012 +

Answer 84

``` Fedora 18+ openSUSE 12.3+ RHEL 7+ CentOS 7+ Unbuntu 12.04.2+ ```

Answer 85

GPO: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives - Configure "Allow Secure Boot for integrity validation"

Answer 86

By default, BitLocker will use Secure Boot-based integrity validation unless policy is set to disabled via GPO.

Answer 87

Generation 2

Answer 88

VM Settings \ Security node \ select "Enable Secure Boot" | This feature is enabled by default

Answer 89

Yes. By enabling TPMs on the Hyper-V VMs without a physical TPM, you utilize a virtual TPM.

Answer 90

No. Only GPT disks are supported with UEFI.

Answer 91

Get-TPM | Select-Object LockoutMax | Note: LockoutCount shows how many attempts have been made and LockedOUt will show if the TPM is locked out.

Answer 92

You do not, this can only be adjusted with a TPM 2.0.

Answer 93

Get-WmiObject -Class Win32_TPM -Namespace root\cimv2\Security\MicrosoftTPM | Select-Object SpecVersion

Answer 94

Password Smart Card Automatic Unlock

Answer 95

GPO: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives - Enable the setting "Allow Secure Boot for integrity validation" - Note: This feature is enabled by default. Use this policy to enforce the setting.

Answer 96

BCD Settings can be repaired during boot without triggering a recovery event

Answer 97

AES-128 or AES-256 | Support for XTS-AES came later in Windows 10 and drives equipped with the newer protocols do not work on older systems.

Answer 98

``` Backup your recovery key Change password Remove password Add smart card Turn on auto-unlock Turn off BitLocker ```

Answer 99

Users have the ability to do this, however, they must first know the existing PIN.

Answer 100

A user has five tries before BitLocker locks out the account and an administrator must reset the PIN or password. The system can be rebooted to reset the counter.

Answer 101

Group Policy: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption Modify "Configure use of passwords for fixed drives"

Answer 102

Enables users to encrypt removable USB drives without requiring the device go through recovery on the other systems.

Answer 103

Server 2008 R2 / Windows 7 Insert USB and configure encryption No TPM Required

Answer 104

Group Policy: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption

Answer 105

- Require all removable drives to be BitLocker-protected before data can be saved to them - Require or disallow specific methods for unlocking BitLocker-Protected Drives - Configure methods to recover data from BitLocker-protected drives - Configure the BitLocker recovery passwords that is stored in ADDS - Require or disallow different types of recovery password storage or make them optional. - Prevent BitLocker from activating if it is not able to backup keys to AD DS. - Choose drive encryption method and cipher strength.

Answer 106

Server 2016

Answer 107

If you don't protect volumes prior to this, the resource will need to be placed in maintenance mode later to complete the operation.

Answer 108

Used Disk Space Only

Answer 109

1. Clear Key 2. Driver-based auto-unlock key 3. ADAccountOrGroup Protector (Service context then user context) 4. Registry-based auto-unlock key

Answer 110

Server 2012 / Windows 8

Answer 111

In WinPE execute the following command: Manage-bde -on X:

Answer 112

Network Unlock provides an automatic unlock of OS volumes at system reboot when connected to a trusted, wired corporate network.

Answer 113

- Windows 8 / Windows Server 2012 with UEFI Support - Any OS must have UEFI DHCP Drivers - Unlock clients require TPM and at least one TPM protector - BitLocker Network Unlock Feature installed - Server 2016 WDS Role - DHCP, separate from WDS and the DC - A Network Unlock Certificate - Network Unlock GPO settings

Answer 114

BitLocker displays the startup key unlock screen.

Answer 115

1. Install WDS Role 2. Ensure WDS is running 3. Install Network Unlock feature 4. Create/Install Network Unlock Certificate 5. Deploy Private Key and Certificate to WDS 6. Configure GPO for Network Unlock 7. Require TPM + PIN protectors at startup

Answer 116

Duplicate the User Template and change the following - Certificate Recipient: Server 2012/Windows 8 - Enable publishing to AD - Purpose: Encryption - Allow private key to be exported - Minimum Key Size: 2048 - Subject Name: Supply in request - Extensions - Remove: Client Authentication, Encrypting File System, Secure Email - Extensions - Add: BitLocker Network Unlock (this may need to be created) - Key Usage: Allow key exchange with key encryption.

Answer 117

Personal Information Exchange - PKCS #12 (.PFX)

Answer 118

GPO: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ BitLocker Drive Encryption Network Unlock Certificate

Answer 119

MBAM tool provides a single interface to manage BitLocker encryption policies; simplifies deployment and key recovery; centralizes provisioning; and assesses compliance and encryption stations across the organization.

Answer 120

Microsoft BitLocker Administration and Monitoring (MBAM) is part of the Microsoft Desktop Optimization Pack (MDOP)

Answer 121

Administration and monitoring server MBAM Client Policy Template

Answer 122

The Recovery and Hardware Database is part of the MBAM Administration and monitoring server. It maintains the recovery key and the hardware information collected from the MBAM agents managed by MBAM.

Answer 123

The compliance and audit database holds information for the OS drive, fixed data drives, and removable storage drives. It uses GPO to enforce encryption parameters and to send recovery, hardware, and compliance information to the appropriate entities.

Answer 124

It is used to configure BitLocker Administration and Monitoring client policies used to determine the encryption policy options for BitLocker Drive Encryption.

Answer 125

Policy Template

Answer 126

MBAM. | It includes a self-service portal.

Answer 127

Utilize the MBAM it has several compliance reporting features, most notably the Policy Template feature.

Answer 128

Server 2008, however, they were not built-in and had to be installed manually. Server 2012, however, included them by default.

Answer 129

Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Store BitLocker Recovery Information in Active Directory - Require BitLocker Backup to AD DS - Set BitLocker recovery information to store recovery passwords and key packages. For each type of drive being backed up configure the following - Allow data recovery agent - Save BitLocker Recovery information to AD DS for drives - Set Configure storage of BitLocker Recovery information to AD DS to backup recovery passwors and key packages

Answer 130

A DRA is a user account that is an administrator who is authorized to recover BitLocker fixed drives for the entire or using a certificate on a smart card.

Answer 131

In "Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ BitLocker Drive Encryption \ Provide the unique identities for your organization" add the user account. Enable DRA recovery for each type of BitLocker resourced you wish to recover. Note: The BitLocker DRA certificate template is not available by default in Server 2016 but can be downloaded.

Answer 132

Windows 8 / Server 2012

Answer 133

Yes. It utilizes the link-local address to create DHCPv6 packets needed without the need for setting up DHCPv6 servers.

Answer 134

DHCP Relay needs configured to forward DHCP info across subnets.

Answer 135

Make sure that WDS is not hosted alongside DHCP: the two roles must be separate for Network Unlock Install the Network Unlock Feature

Answer 136

Install-WindowsFeature -Name BitLocker-NetworkUnlock

Answer 137

Yes. but it is not recommended due to potential for WIFI spoofing, the difficulty in preventing relay attacks, and wifi goes beyond the physical boundaries of the building.

Answer 138

No. It does not. However, TPM plus one other protector is a requirement.

Answer 139

certutil -verifystore FVENKP

Answer 140

The WDS Certificate (public key) should be uploaded to "Computer Configuration \ Policies \ WIndows Settings \ Security Settings \ Public Key Policies \ BitLocker Drive Encryption Network Unlock Certificate"

Answer 141

Registry - HKLM:\Software\Policies\Microsoft\SystemCertificates\FVE_NKP

Answer 142

Only the servers with the network provider will respond as it is the only one capable of analyzing network unlock packets.

Answer 143

Ensure that multiple WDS servers are configured with he unlock certificate.

Answer 144

You don't. BitLocker utilizes Secure Boot which requires GPT drives.

Answer 145

To allow enterprises to unlock BitLocker protected systems for patching unattended workstations and remotely managed servers.

Answer 146

UEFI must be in native mode without a compatibility support mode (CSM) enabled (UEFI cannot be in legacy mode)

Answer 147

Network Unlock stops enumerating adapters when it reaches on with a DHCP port failure for any reason. This is important on system with multiple adapters. Ensure the first adapter is DHCP enabled.

Answer 148

1. Install WDS Role Feature (Network Unlock will do this if it isn't already done) 2. Configure WDS to communicate with DHCP 3. Verify WDS is working 4. Install Network Unlock Feature 5. Create certificate template for Network Unlock 6. Create Network Unlock Certificate 7. Deploy Certificate with Private Key to WDS Server 8. Configure Network Unlock GPO 9. [Optional] Configure subnet policy on WDS

Answer 149

Modify the configuration file %windir%\System32\bde-network-unlock.ini to list subnets that Network Unlock will respond to.

Answer 150

Unregister the PXE provider from WDS. Remove/Disable the GPO that provides the 'Allow Network Unlock at startup' setting.

Answer 151

Import/Generate new certificates for the server and update the certificate in group policy.

Answer 152

manage-bde -protectors -get C:

Answer 153

Event Viewer \ Applications and Services Log \ Microsoft \ Windows\ Deployment-Services-Diagnostics \ Debug Right-Click \ Enable Log Note: This can also be done with wevtutil

Answer 154

The "Store BitLocker recovery information in Active Directory Domain Services" is only used for Windows Vista and Server 2008. To configure BitLocker backup to AD for new OSes use "Choose how BitLocker-protected Operating System Drives can be recovered" setting.

Answer 155

If you allow users to configure BitLocker and they cannot create the recovery options, the system could be permanently locked out and unrecoverable.

Answer 156

GPO: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption - Operating System Drivers \ Require Additional authentication at startup - - Set all settings to "Do not allow" - Fixed Data Drives - - Configure use of smart cards on fixed data drives \ Disabled - - Configure use of passwords for fixed data drives \ Disabled - Removable Data Drives \ Control use of BitLocker on removable driver \ Disabled. `

Answer 157

Server 2008 and Newer | - Server 2008 will require some extensions

Answer 158

Schema version 39 | Note: Check this with Get-ADObject

Answer 159

GPO: Computer Settings \ Policies \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Require additional authentication at startup - Check "Allow BitLocker with compatible TPM"

Answer 160

Either a USB Startup key or a Password should be configured.

Answer 161

Start WinRE and enter the BitLocker recovery key | Run CHKDSK as normal

Answer 162

GPO: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ BitLocker Drive Encryption - Choose how BitLocker Protected drives can be recovered \ Check "Allow Data Recovery Agent" - Provide the unique identifiers for your organization - - BitLocker Identification Field - - Allowed BitLocker Identification Field Configure a recovery certificate (PFX) GPO: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ BitLocker Drive Encryption \ \ R-Click "Add Data Recovery Agent" \ Select DRA certificate

Answer 163

View the volumes BitLocker information and you should see "Data Recovery Agent" listed.

Answer 164

manage-bde -unlock $DriveLetter -cert -ct $DRACertThumbprint

Answer 165

Ensure the certificates;s private key is actually installed into your certificate stores.

Answer 166

Boot into WinPE and execute a format against the disk. This removes the information and leave the drive encrypted.

Answer 167

dsacls $Object /G $User:CA;$objType | Note: The CA in the permission above indicates Control_Access

Answer 168

Configure the schema searchFlags to decimal 128 (0x00000080).

Answer 169

No. It only supports basic disks.

Answer 170

For BitLocker to function, the bare minimum would be drive partitions. TPM and security key are neither required by themselves and Group Policy is not required but does help manage BitLocker.

Answer 171

Place the CSV in maintenance mode. Get-ClusterSharedVolume $ResourceName | Suspend-ClusterResource Note: Traditional PDRs will use the Get-ClusterResrouce command instead. This command does not show Cluster Shared Volumes

Answer 172

Nothing. Cluster Shared Volumes are exposed via the Get-ClusterSharedVolume cmdlet and do not show in Get-ClusterResource.

Answer 173

1. Install BitLocker Drive Encryption Feature 2. Ensure Disks are formatted NTFS and have drive letters. 3. Identify the cluster: Get-Cluster 4. Enable BitLocker on the volume of choice: Enable-BitLocker -ADAccountOrGroupProtector -ADAccountOrGroup $Group 5. Repeat for each disk 6. Add the volumes to the cluster

Answer 174

Server 2012 or Newer DCs

Answer 175

The Cluster Name Object (CNO) is configured in the protect or a member of the group the protector is using.

Answer 176

Enable-BitLocker -MountPoint $CSVPath -ADAccountOrGroupProtector -ADAccoutOrGroup $CNO

Answer 177

Repair-BDE

Answer 178

- You first need the recovery and an external disk which needs to be wiped - Repair-BDE $SourceDisk $ExternalDisk -rp $RecoveryKey [-lf $LogPath] - This will take awhile to run and give information about what it could salvage.

Answer 179

Manage-bde -protectors -adbackup C: -id $RecoveryPasswordId

Answer 180

Manage-bde -protectors -get C:

Answer 181

Add-BitLockerProtector $DriveLetter -AdDAccountOrGroupProtector -ADAccountOrGroup $Identity

Answer 182

- $GPOPath = (Get-GPO -Name $GPOName).Path - $XML = Get-AppLockerPolicy -Domain -LDAP "LDAP:\\$GPOPath" -XMl - Test-AppLockerPolicy -XmlPolicy $Xml -Path $ExecutiblePath

Answer 183

Check status of Windows Defender | Initiate a Scan

Answer 184

No. The rule blocks any files that match that name in the entire hierarchy beneath where the rule is configured.

Answer 185

That Defender is monitoring and attempting to catch malware behavior.

Answer 186

Programs copying themselves into other programs Programs that try to write to the disk directly Programs trying to manipulate critical system files

Answer 187

Quick scans check areas that malicious software is likely to infect. Full scan checks all files on the disk and running programs.

Answer 188

- Real-time Protection Status - Virus and Spyware definitions status - Scan Options - Scan Details - When the last scan was run

Answer 189

- Quarantine Items - Allowed Items - All Detected Items

Answer 190

Items that are not allowed to run but are not removed from the computer.

Answer 191

1. Launch Windows Defender 2. History Tab 3. Quarantined Items 4. View Details 5. Select the Item 6. Click Remove

Answer 192

- Enable/disable real-time protection - Enable/disable cloud-based protection (this controls the sending of items to Microsoft) - Enable/disable automatic sample submission - Select files, folders, file types, etc. to exclude from scans.

Answer 193

- Enable/disable real-time protection - Enable/disable cloud-based protection (this controls the sending of items to Microsoft) - Enable/disable automatic sample submission - Select files, folders, file types, etc. to exclude from scans.

Answer 194

Task Scheduler \ Task Scheduler Library \ Microsoft \ Windows \ Windows Defender Configure the "Windows Defender Scheduled Scan"

Answer 195

Launch WSUS \ Options \ Products and Classifications \ Classifications Tab \ Check "Definitions Updates"

Answer 196

- Enable Headless UI Mode - Suppress Notifications - Suppress reboot notifications - Exclusions (Extension, Path, and Process) - Configure removal of items from quarantine - Scheduled Scans - Turn Windows Defender on and off

Answer 197

- Enable Headless UI Mode - Suppress Notifications - Suppress reboot notifications - Exclusions (Extension, Path, and Process) - Configure removal of items from quarantine - Scheduled Scans - Turn Windows Defender on and off

Answer 198

Get-MpComputerStatus

Answer 199

Get-MpThreat

Answer 200

Remove-MpThreat

Answer 201

Start-MpScan

Answer 202

Update-MpSignature

Answer 203

A scan that occurs after a reboot and before an OS is fully initialized. It is intended to capture rootkits and other highly persistent malware.

Answer 204

Start-MpScan -ScanType QuickScan

Answer 205

Start-MpScan -ScanType FullScan

Answer 206

Set-MpPreference

Answer 207

History Tab

Answer 208

A scanning tool that runs from a trusted environment without the OS starting up.

Answer 209

Windows 10/8.1/7

Answer 210

If Windows detects a rootkit or other highly persistent malware on your system it will alert you to use Windows Defender Offline. If you suspect your system has malware hiding but the security software isn't detecting it.

Answer 211

1. Start \ Settings \ Update and Security \ Windows Security \ Virus and Threat Protection 2. Current Threats 3. Select "Windows Defender Offline Scan" \ Scan Now 4. Reboot the system

Answer 212

Restricting /Removing Admin Rights | Configure AppLocker

Answer 213

Server 2012 / Windows 7

Answer 214

Application Identity Service

Answer 215

Application Identity Service needs to be running.

Answer 216

Group Policy: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Application Control Policies \ AppLocker

Answer 217

- Executable Rules - Windows Installer Rules - Packaged App Rules - Script Rules

Answer 218

.EXE | .COM

Answer 219

``` .ps1 .bat .js .cmd .vbs ```

Answer 220

.MSI .MST .MSP

Answer 221

Audit Mode | No rules configured for any rule types

Answer 222

Create New Rule Automatically Generate Rules Create Default Rules

Answer 223

The wizard will walk you through the process of creating and AppLocker rule one rule at a time. You will manually configure permissions, publishers, exceptions, and provide a name for the rule.

Answer 224

The wizard creates rules for many apps in a single step. | You select a folder and let the wizard create rules for that folder or for all packaged apps on a system.

Answer 225

The wizard creates rules meant to ensure that key Windows Paths are allowed (C:\Windows and C:\Program FIles). Without default rules in place, when creating a new rule, AppLocker will prompt to create default rules.

Answer 226

- Set Permissions - Set Conditions (Publisher, Path, or File Hash) - Add exceptions - Name the rule

Answer 227

Allow Deny Exceptions

Answer 228

Publisher File Hash Path

Answer 229

- Publisher identifies an application based on the manufacturer's digital signature. The advantage of this option is that the rule can survive the update of the application as well as a location change. The disadvantage is some manufacturers change their signature periodically. - Path identifies applications based on the physical location in the file system. This is less secure as files can simply be moved to this secure path to run. This risk is mitigated by limiting administrative access. - File Hash causes the system to compute the hash of the application. Each time the application is upgraded or patched, a new hash is needed making this method difficult to maintain.

Answer 230

- Allow everyone to run files found in C:\Program Files - Allow everyone to run files found in C:\Windows - Allow BUILTIN\Administrators to run all files.

Answer 231

You'll need to configure an exception to the default rules that allows for blocking calc.exe since it is part of the default rule set.

Answer 232

Export the policy and import it into AD. - GPEdit; Computer Configuration \ Windows Settings \ Security Setting s\ Application Control Policies - R-Click "AppLocker" \ Export Policy - Rename the Policy \ Save

Answer 233

Get-AppLockerPolicy - Local retrieves the local policy - Effective retrieves the system's configured total policy - Domain retrieves the domain policy - Xml displays the results in XML format

Answer 234

Get-AppLockerFileInformation

Answer 235

Deny. AppLocker operates using the "block by default, allow by exception" principle.

Answer 236

- Check for explicit deny actions (these always in) - Check for explicit allows - If no rule matches, apply the default deny action.

Answer 237

Last-write is preserved for enforcement. If a high-level enables AppLocker enforcement and a lower-level policy configures Audit Only, Applocker is placed in Audit Only Mode. As far as the configured rules, these rules are cumulative across linked GPOs with last-writer determining conflicts.

Answer 238

- Rule collections that are not configured will be enforced - Group Policy does not overwrite or replace rules from already linked GPOs. - AppLocker processes the explicit deny rule before allow rules. - For rule enforcement, the last writer policy applies.

Answer 239

Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $Executible -User $TargetUser

Answer 240

- Code Integrity (Device Guard) - Credential Guard - Control Flow Guard

Answer 241

Device Guard

Answer 242

- Code Integrity (Device Guard) helps harden against malware by running only trusted applications. - Server 2016 uses virtualization-based security to isolate the code integrity service from Windows.

Answer 243

Credential Guard isolates and hardens key system and user identity information (LSA credentials).

Answer 244

OS components and security tokens (among other things) are isolated from one another using Windows containers under the hood. If one piece is compromised the other is not necessarily compromised.

Answer 245

- UEFI running in Native Mode (Legacy/Compatibility/CSM are not supported) - x64 Windows 10 Enteprrise / Server 2016 - x64 CPU with SLAT and Virtualization extensions (Intel VT or AMD-V) - Physical systems need to have hardware that is Windows 10 Enterprise ready or Server 2016 Ready - Virtual Systems must use Hyper-V Generation 2 VMs with Secure Boot and TPM

Answer 246

You do not. They are incompatible.

Answer 247

``` Hyper-V Manager \ Locate a Gen 2 VM Turn off the VM R-Click VM \ Settings \ Security Select "Enable Secure Boot" Select "Enable Trusted Platform Module" ```

Answer 248

Group Policy: Computer Configuration \ Policies \ Administrative Templates \ System \ Device Guard \ Turn on Virtualization Based Security - Click Enabled - Under "Virtualization Based Protection of Code Integrity" choose "Enable with UEFI Lock"

Answer 249

Launch System Information \ Look for "Device Guard Virtualization Based Security" to show if it is running.

Answer 250

Msinfo32.exe

Answer 251

There is a chance the software won't run. Code integrity policies must be configured to account for these scenarios.

Answer 252

Audit Mode. | This mode allows for fine-tuning the policy before enabling enforcement.

Answer 253

Create a trusted code integrity policy. Typically the first one is created to only allow trusted publisher-signed apps.

Answer 254

New-CIPolicy -Level Publisher -FilePath C:\CI\Audit-Publisher.xml -UserPES Audit

Answer 255

The XML needs converted to binary and copied to the code integrity folder. CopyFrom-CIPolicy $CIXml $NewCIBin Copy-Item $NewCIBinPath C:\Windows\System32\CodeIntegrity\sipolicy.p7b

Answer 256

An event is logged to the event log.

Answer 257

Merge-CIPolicy

Answer 258

- 0 Enabled UMCI - Restricts both user and kernel-mode binaries. Default restricts kernel only. - 2 Required WHQL - Requires every driver to be WHQL signed. No legacy. - 3 Enable Audit Mode - Enables execution of binaries outside of CI Policies but logs them. Remove this to enforce policies. - 4 Disabled Flight Signing - Code Integrity will not trust flightroot-signed binaries - 6 Enable Unsigned System Integrity Policy - Allows the policy to remain unsigned. If removed, the policy must be signed and have UpdatePolicySigners added to enable modifications. - 8 Required EV Signers - Requires that drives be both WHQL signed and have Extended Verification (EV) certificates. All Win10 drivers have this. - 9 Enabled Advanced Boot Options Menu - F8 menu is disabled by default. This turns it on. - 10 Enabled Boot Audit On Failure - Used with enforcement mode. If the driver hangs on start, CI is placed in audit mode so Windows boots.

Answer 259

Set-RuleOption -Option 3 -FilePath $CIPolicyPath -Delete | ConvertFrom-CIPolicy C:\CI\MergePolicy.xml C:\CI\AuditPublisher.bin

Answer 260

``` Unconstrained Kerberos Delegation NTLMv1 MS-CHAPv2 Digest Authentication CredSSP Kerbers DES Encryption ```

Answer 261

Registry Group Policy Device Guard and Credential Guard Readiness Tool

Answer 262

System Information (Msinfo32)

Answer 263

GPMC: Computer Configuration \ Policies \ Administrative Templates \ System \ Device Guard \ Turn on Virtualization Based Security \ Enabled GPMC: Computer Configuration \ Policies \ Administrative Templates \ System \ Device Guard \ Turn on Virtualization Based Security \ "Credential Guard" \ Enable with UEFI Lock

Answer 264

HKLM:\System\CurrentControlSet\Control\DeviceGuard - Add the DWORD "Enable VirtualizationBasedSecurity" with a value of 1 - Add the DWORD "RequirePlatformSecurityFeatures" and give it the value of 1 for Secure Boot or 2 for Secure Boot and DMA protection HKLM:\System\CurrentControlSet\Control\Control\LSA - Add the DWORD "LsaCfgFlags" with the value of 1 to enable Credential Guard with UEFI Lock or the value of 2 for Credential Guard without UEFI lock.

Answer 265

Download the tool and unzip | Run the following Powershell: DG_Readiness_Tool_v3.2.ps1 -Enable -Autoreboot

Answer 266

Only a subset of OS binaries needed for security. Nothing more (especially no drivers)

Answer 267

NTLMv1, MS-CHAPv2, Digest, and CredSSP | Apps may still use credentials stored in the WIndows Vault that are not protected by Credential Guard

Answer 268

You don't. Credential Guard disallows the use of Kerberos unconstrained delegation.

Answer 269

You wouldn't. DES is not supported with Credential Guard Enabled.

Answer 270

NTLM is a suite of security protocols that provide authentication, integrity, and confidentiality to users. NTLM is an integrated SSO mechanism built into Windows Authentication and is part of Integrated Windows HTTP Authentication. Provides the maximum compatibility across Windows platforms compared to Kerberos and is easier to implement

Answer 271

GPMC: Computer Configuration \ Policies \ WIndows Settings \ Security Settings \ Local Policies \ Security Options - Configure the following for all systems in the domain - - Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers - Audit All - - Network Security: Restrict NTLM: Audit Incoming NTLM Traffic - Enable Auditing for all accounts - Configure the following on Domain Controllers - - Network Security: Restrict NTLM: Audit NTLM Authentication in this Domain - Enable All

Answer 272

Event Viewer \ Applications and Services Log \ Microsoft \ Windows \ NTLM \ Operations

Answer 273

GPMC: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options - Network Security: LAN Manager Authentication Level - Network Security: Restrict NTLM: Add remote server exceptions for NTLM Authentication - Network Security: Restrict NTLM: Add server exceptions in this domain - Network Security: Restrict NTLM: Incoming NTLM Traffic - Network Security: Restrict NTLM: NTLM Authentication in this domain - Network Security: Restrict NTLM: Outgoing NTLM Traffic to remote servers

Answer 274

GPMC: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options - Network Security: Restrict NTLM: Add server exceptions for NTLM authentication.

Answer 275

Applications may break. Many applications, especially third party ones, have dependencies or default configurations built around NTLM

Answer 276

- Apps that allow various security configurations (e.g. IIS) - Apps that have not been correctly configured with SPNs (e.g. Sharepoint and SQL) - Apps that use IPs instead of DNS names - Apps with legacy code that only supports NTLM

Answer 277

It is discouraged. Kerberos was not in wide use at this time and there are likely compatibility issues.

Answer 278

- Event 8004 on the Domain Controller - Event 8003 on the member server - Event 8001 on the client workstation

Answer 279

A collection of configuration items from Microsoft for a product that provides prescribed values to help maintain the security of a system or solve a specific use case.

Answer 280

- Policy Analyzer (PolicyAnalyzer.exe) compares and analyzes GPOs and shows redundant settings, differences, etc. - LGPO (LGPO.exe) is a tool for transferring GPOs directly between a host's registry and a GPO backup. Allows for some level of testing prior to deployment.

Answer 281

1. Download the toolkit with the necessary baselines 2. Backup GPOs 3. Load an existing GPO backup and baseline into Policy Analyzer 4. Edit existing GPO Backup with Policy Analyzer \ Save 5. Use LGPO to load the revised backup into a host for testing 6. Restore revised backup as the new GPO for deployment

Answer 282

Download from Microsoft

Answer 283

Windows 10 Server 2012 R2 Server 2016

Answer 284

.NET Framework 4.6

Answer 285

- Registry Policy Files - Security Templates - Audit Policy Backup Files

Answer 286

C:\Windows\System32\GroupPolicy

Answer 287

LGPO.exe /parse /m C:\Windows\System32\GroupPolicy\Machine\registry.pol

Answer 288

LGPO.exe /b $Path /n $DisplayName

Answer 289

- Highlight when a set of GPOs have redundant settings or internal inconsistencies. - Highlight differences between versions of GPOs - Compare GPOs against current local policy and local registry - Export results to Excel

Answer 290

``` Windows 10 Baselines (multiple versions) Windows Server Baselines (2012 R2, 2016, and 2019) Office Security Baselines (Office 2016) Policy Analyzer LGPO ```

Answer 291

- LGPO is a command-line utility designed to help automate the management of local group policy - LGPO can import registry.pol files, security templates, advanced auditing backup files, and formatted LGPO text files. - It can export LGPO to a GPO backup - It can convert a Local GPO to a LGPO text file.

Answer 292

Microsoft Security Compliance Manager | - Note: Not all the features of SCM aren't replicated in SCT (DCM and SCAP are unsupported)

Answer 293

Control Flow Guard is a highly optimized platform security feature that is used to combat memory corruption vulnerabilities. CFG is compiled into a program which prevents programs from executing code outside of their memory space by extending DEP.

Answer 294

The application will run but the CFG features will not be used.

Answer 295

EMET is a free security tool that is designed to protect software from undiscovered zero-day exploits without fixes. It cannot prevent 100% of attacks but it does reduce the attack surface.

Answer 296

Vista SP2+ / Server 2008 R2+ | Windows 10/ Server 2016 support mitigated for untrusted fonts.

Answer 297

.NET Framework 4

Answer 298

- Attack Surface Reduction (ASR) Mitigation - Data Execution Prevention (DEP) Mitigation - Structured Execution Handling Overwrite Protection (SEHOP) Security Mitigation - Heapspray Allocation Security Mitigation - NullPage Security Mitigation - Export Address Table Filtering (EAF) Security Mitigation - Mandatory Address Space Layout Randomization (ASLR) Security Mitigation - Bottom Up ASLR Security Mitigation - Load Library Check [ Return Oriented Programming (ROP) Security Mitigation] - Memory Protection [ROP Security Mitigation] - Caller Checks [ROP Security Mitigation - x86 only] - Simulate Execution Flow [ROP Security Mitigation - x86 only] - Stack Pivot [ROP Security Mitigation] - Windows 10 Untrusted Fonts - Certificate Trust

Implment Server Hardening Solutions Flashcards

Secure Boot BitLocker EFS Malware/Defender CredGuard DeviceGuard Security Baselines (329 cards)