Adding new hardening method

[RichardLazaro]

Hello,

I wanted to add some hardening feature on the tool, but i'm not sure it's something that can be considered has "hardening".
So i'm creating this thread to discuss and be sure that my contribution will not be rejected for being "out of scope"

The new methods I want to add are :

• User/group creation (this can be considered as "hardening" since recommendation is to disable default admin account and replace with a new one) and some local group can be needed for RBAC
• NTFS permissions (this one is a little weird, but can be considered as needed for RBAC), this method will be hard to implement (inheritance, fine permissions, permissions list, ...)

Best Regards,
Richard.

[endoleg]

i like this idea (i am only a user!). Maybe you can drop some URLs about this topics here ?

[RichardLazaro]

Hi,

You can find some MS information following this link : Appendix H: Securing Local Administrator Accounts and Groups

On new OS install, default admin account is disabled by default and a new admin account is created during installation of W10.
But we have a dedicated account for breaking glass, and i want to be sure that local admin stay disabled and the dedicated account present.

Another link, but not official : Accounts: Local Administrator account should be disabled

Richard.

[0x6d69636b]

Microsoft published with Windows 10/11 22H2 the setting Allow Administrator account lockout which mitigates brute force attacks against the account. This is an improvement at least :)

[0x6d69636b]

Both modules cover an individual need, which is why they are not really covered in any framework so far. CIS recommends renaming the administrator, for example, but makes no specification. Therefore, there is no HailMary module for renaming users yet. In other words, I would not include a user in my list 0x6d69636b.

What also worries me is how the password for a user is stored. I would not accept a clear text password. Creating a user without a password doesn't make much sense to me. That leaves either finding an encryption (how is the key managed?) or entering the password on input during the hardening script. This would have an influence on the flow and, depending on the use, an influence on the automation. This would also have to be taken into account.

What are NTFS permissions about, are we talking about default directories in Windows?

[0x6d69636b]

For the password, a random password could be generated and written into the output, at least then no password would be permanently stored

[RichardLazaro]

Yes, I think it's not covered by any framework because a breaking glass account is hard to detect and each company has is strategy concerning such account.
That was my worry about developing such module before talking to the community.

And yes, password management is a pain to deal with.

For NTFS, in our process we need to changes some settings on software's folder permissions. Again I understand it's an individual need.