What should I know about security? The massive list of links post
I maintain a list of links I call "security stuff every Microsoft customer should know" that I send to every customer I visit. The list ranges from basic things to more in depth security knowledge, and is now available even if I haven't visited you. :) You might want to bookmark this page, as it will get updated periodically.
My links on security I send to every customer :
Best Practices for Securing Active Directory http://aka.ms/bpsadtrd This whitepaper also contains a large quantity of monitoring guidance including which optional logs to turn on. I highly recommend at least skimming through this whole whitepaper.
Pass the Hash Whitepapers
http://microsoft.com/pth (this URL also hosts ongoing content and discussions on the topic of Pass the Hash – there are two whitepapers here, I recommend reading both. )
Channel9 Presentation of SLAM and Lateral Movement :
http://aka.ms/toppopslam
POP-EMET Presentation :
https://channel9.msdn.com/Blogs/Taste-of-Premier/Taste-of-Premier-Protect-Your-Enterprise-with-the-Enhanced-Mitigation-Experience-Toolkit
LAPS Video :
https://channel9.msdn.com/Blogs/Taste-of-Premier/Taste-of-Premier-How-to-tackle-Local-Admin-Password-Problems-in-the-Enterprise-with-LAPS
Download LAPS :
https://aka.ms/laps
JIT-JEA (just in time just enough admin – this is the future) :
http://channel9.msdn.com/events/Ignite/2015/BRK2470
AGPM :
http://channel9.msdn.com/events/TechEd/NorthAmerica/2011/WCL308
Advanced Threat Analytics :
https://channel9.msdn.com/events/Ignite/2015/BRK3870
Ransomware Talk:
https://channel9.msdn.com/Blogs/Taste-of-Premier/Ransomware101
Windows Event Forwarding and monitoring what matters (centralized logging for free!)
http://blogs.technet.com/b/jepayne/archive/2015/11/24/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx
http://blogs.technet.com/b/jepayne/archive/2015/11/27/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts.aspx
http://blogs.technet.com/b/kfalde/archive/2015/11/18/laps-audit-reporting-via-wef-posh-and-powerbi.aspx
Blackbelt security from TechEd 2014
http://channel9.msdn.com/events/TechEd/Europe/2014/WIN-B318
KB2871997 Overview of the backported security features from 8.1/2012 to 7/2008R2. These features are critical for stopping lateral movement, especially the "Local Account" principal. (Highly recommend following the SRD blog in general, as it is one of the best sources from Microsoft) :
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
How Cybersecurity investigations actually work - how real attacks happen, a little on what the Incident Response process looks like and a lot on what you could be doing to stop attackers
https://channel9.msdn.com/Events/Ignite/Australia-2015/WIN433
*the attack I show in this was based on this : http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html I'm not linking this to show you how to hack - that's not why I am here, but to show you people who do want to attack you can find clever ways quite easily. You should learn how these work so you can defend against them.
My Boss talking about Microsoft Incident Response :
https://channel9.msdn.com/Blogs/Taste-of-Premier/Taste-of-Premier-Cybersecurity-Incident-Response
Information on the JASBug/GPO patch - this bug would allow you to trick a Windows workstation into getting group policy from the internet. It was patched however there are steps that need to be configured post-patch to defend against it :
https://www.jasadvisors.com/additonal-jasbug-security-exploit-info/
https://www.jasadvisors.com/about-jas/jasbug-security-vulnerability-fact-sheet/
Blackhat talk on Golden Ticket and other attacks (which can be prevented by the controls we discussed)
https://www.youtube.com/watch?v=-IMrNGPZTl0 (PtH mitigations make all of this moot.)
SRD posts on some of the critical security issues in the last year: :
http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
Discussions on Powershell persistence and logging - this is a very popular technique now and most 2008R2/Win7 customers don't have sufficient logging or preventions :
https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html
https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-lazanciyan-investigating-powershell-attacks.pdf
Pretty good writeup of some webshell behavior to maintain persistence on a network (I’ve encountered this group/webshell before and this is pretty spot on even if not written my Microsoft) :
http://blog.crowdstrike.com/mo-shells-mo-problems-web-server-log-analysis/
Threatpost discussions of various attacks that can be used:
http://threatpost.com/tracking-malware-that-uses-dns-for-exfiltration/111147
http://threatpost.com/patched-windows-kernel-mode-driver-flaw-exploitable-with-one-bit-change/111020
http://threatpost.com/chinese-hackers-compromised-forbes-com-using-ie-flash-zero-days/110996 This one is really important, because this targeted malware being deployed simply by visiting a website. This is why defense in depth/desktop hardening/credential hygiene/EMET are so key.
“Admin Free” Active Directory blog posts (anything Laura writes is gold) :
http://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-and-windows-part-1-understanding-privileged-groups-in-ad.aspx
http://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-part-2-protected-accounts-and-groups-in-active-directory.aspx
Purging Legacy Authentication Protocols :
http://blogs.technet.com/b/askds/archive/2012/02/02/purging-old-nt-security-protocols.aspx
Building custom X-Path filters :
http://blogs.technet.com/b/kfalde/archive/2014/03/25/xpath-event-log-filtering.aspx
Spotting the Adversary with Windows Event Forwarding from our dear friends at the NSA, which is a good write-up of basic monitoring (including gathering crash dumps, as they can indicate compromise in many instances) :
http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf
OCTAVE framework for threat modeling :
http://www.cert.org/resilience/products-services/octave/
http://www.sei.cmu.edu/reports/99tr017.pdf (this is the older version but still applicable!)
TechEd presentation on memory analysis which contains details on Pass the Hash and Golden Ticket :
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B350#fbid=
TechEd presentation on EMET to prevent zero days and other exploits (EMET is free!):
http://channel9.msdn.com/events/TechEd/Europe/2014/CDP-B348
Way more indepth overview of EMET :
http://channel9.msdn.com/events/TechEd/NewZealand/2014/PCIT417
TrustedSec giving EMET an endorsement:
https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/
Redirecting the default place computers joined to your domain go (remember Computers is a “Container” and can’t get policy such as randomized passwords and firewall.) :
http://support.microsoft.com/kb/324949
Reducing the number of computers someone can join to the domain so any person with credentials can’t add random Macs to the domain :
http://support.microsoft.com/kb/243327
Using Powershell to get local group membership like Admins :
http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/15/weekend-scripter-use-powershell-to-find-local-administrators-on-a-computer.aspx
Blocking out of date ActiveX on the internet :
http://technet.microsoft.com/en-us/library/dn761713.aspx
Hope these help!
-Jessica @jepayneMSFT









