An in depth look at Server 2019 and Windows 10 RS5 Security Baselines

rootsecdev
Oct 18, 2018

At the time of this writing these baselines are still in a “draft” status. The draft baselines can be found at the following URL:

There are still issues with Microsoft's recommendations that probably need to change. Currently I am using the following Microsoft baselines unmodified, with the exception of Credential Guard. I'll get to why I had to modify that later in this post.

Issue 1:

I am still able to capture hashes over multicast (LLMNR) when someone mistypes an SMB share name.

How to correct issue 1:

Disable LLMNR by enabling the “Turn off multicast name resolution” policy (Computer Configuration > Administrative Templates > Network > DNS Client) in group policy, as shown below. The setting writes EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient.

Issue 2:

NBT-NS (NetBIOS name service) poisoning is still an issue, because the baseline leaves NetBIOS over TCP/IP enabled. I was not able to capture any more hashes using the same method that I used for issue number 1. NetBIOS should be turned off if it is not in use on your network.

Fix:

Either by group policy preference or by a manual registry edit, you will need to create the following registry value: a DWORD named NodeType under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. A value of 2 (P-node) makes NetBT resolve names through WINS only and never broadcast, so there is no NBT-NS query for Responder to answer. The change takes effect after a reboot.
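The following PowerShell is an added example and not from the original post; it applies the fixes for issues 1 and 2 together and reports the current posture first. It assumes an elevated session and uses only the documented registry locations for the LLMNR policy, the NetBT NodeType, and the per-interface NetbiosOptions value (2 = NetBIOS over TCP/IP disabled on that adapter).

```powershell
# Added example (not part of the original post). Run elevated.
# LLMNR: "Turn off multicast name resolution" policy -> EnableMulticast = 0
# NBT-NS: NodeType = 2 (P-node, WINS only, no broadcasts) plus
#         NetbiosOptions = 2 on each interface (NetBIOS over TCP/IP off)
$DnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetBt     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Get-NameResolutionPosture {
    # Missing values mean Windows defaults apply: LLMNR on, B/H-node broadcasting.
    $llmnr = (Get-ItemProperty -Path $DnsPolicy -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $node  = (Get-ItemProperty -Path $NetBt -Name NodeType -ErrorAction SilentlyContinue).NodeType
    $ifs   = Get-ChildItem "$NetBt\Interfaces" | ForEach-Object {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        }
    }
    [pscustomobject]@{
        LlmnrDisabled       = ($llmnr -eq 0)
        NetBtNodeType       = $node          # $null = default, 2 = P-node
        NetBiosPerInterface = $ifs           # 2 = disabled on that adapter
    }
}

function Disable-LlmnrAndNetBios {
    New-Item -Path $DnsPolicy -Force | Out-Null
    New-ItemProperty -Path $DnsPolicy -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $NetBt -Name NodeType -PropertyType DWord -Value 2 -Force | Out-Null
    Get-ChildItem "$NetBt\Interfaces" | ForEach-Object {
        New-ItemProperty -Path $_.PSPath -Name NetbiosOptions -PropertyType DWord -Value 2 -Force | Out-Null
    }
    Write-Host 'LLMNR off, NetBT set to P-node, NetBIOS disabled per interface. Reboot to apply NodeType.'
}

# Usage: inspect, harden, then inspect again after the reboot.
Get-NameResolutionPosture | Format-List
Disable-LlmnrAndNetBios
```

Prefer delivering the same values through the baseline GPO rather than a script on each host; a policy-managed value is re-applied on refresh, while a hand-edited registry value can be silently reverted by a later policy or imaging step. Verifying afterwards with `nbtstat -n` (no registered names) and a quick Responder run in analyze mode on a test VLAN confirms the broadcasts are gone.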

Issue 3: Even though SMB signing is enabled on both the network client and the domain member, I can simply browse to the Responder SMB share, or embed the share hidden on a web page, and still dump hashes.

Screenshot trying to establish an SMB connection to responder.

The NTLMv2 challenge-response (what Responder reports as the hash) is captured immediately. No user input is required.

This is the command that was executed in Responder. This isn't a WPAD issue; it is simply an SMBv2 issue. SMB signing protects the session against tampering and relay once it is established, but the client still authenticates with NTLM to whatever server it connects to, and that NTLMv2 response can be taken offline and cracked.

Fix for issue #3:

Restrict outgoing NTLM traffic (“Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”). You should audit first before setting the rule to Deny All. Auditing will log NTLM-related events in the NTLM operational log (Microsoft-Windows-NTLM/Operational), so you can see what would break. At minimum this should be done on privileged access workstations. If you access a remote system that only understands NTLM and cannot do Kerberos, you will have some issues with this setting. Luckily there is a companion setting (“Add remote server exceptions for NTLM authentication”) to allow specific servers that require NTLM authentication.

Event log entry indicating that the outgoing NTLM authentication to Responder's CIFS share was blocked.

Below is the illustration of the block, with Responder failing to capture any hashes.

If you wish to read more on this setting you can at the following Microsoft document URL:

If you wish to restrict NTLM to your entire domain you can do so also:
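The following PowerShell is an added example and not from the original post; it walks the audit-then-deny procedure for the per-host outgoing NTLM restriction described under issue 3. It assumes an elevated session; the server names passed to the exception list are placeholders. The registry values correspond to the “Outgoing NTLM traffic to remote servers” policy (RestrictSendingNTLMTraffic: 0 allow, 1 audit, 2 deny) and the “Add remote server exceptions” policy (ClientAllowedNTLMServers). The target server is pulled from the event message text, so the regex is an assumption about that message format.

```powershell
# Added example (not part of the original post). Run elevated.
$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Set-OutgoingNtlm {
    param([Parameter(Mandatory)][ValidateSet('Allow','Audit','Deny')][string]$Mode)
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    New-ItemProperty -Path $Msv -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value $value -Force | Out-Null
}

function Get-NtlmOutboundAudit {
    param([int]$Hours = 24)
    # Event 8001 in the NTLM operational log records outgoing NTLM to a remote
    # server that would be blocked (audit mode) or was blocked (deny mode).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: the message contains a "Target server: <spn>" line.
        $target = if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
        [pscustomobject]@{ Time = $_.TimeCreated; Target = $target; Message = $_.Message }
    }
}

function Add-NtlmServerException {
    param([Parameter(Mandatory)][string[]]$Servers)
    # Merge with any existing entries; the policy accepts names and leading/trailing '*' wildcards.
    $existing = (Get-ItemProperty -Path $Msv -Name ClientAllowedNTLMServers -ErrorAction SilentlyContinue).ClientAllowedNTLMServers
    $merged = @(@($existing) + @($Servers) | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $Msv -Name ClientAllowedNTLMServers -PropertyType MultiString -Value $merged -Force | Out-Null
}

# 1) Audit first and leave it running long enough to see real traffic.
Set-OutgoingNtlm -Mode Audit

# 2) Review which targets would break (a Responder host shows up as cifs/<ip>).
Get-NtlmOutboundAudit -Hours 72 | Group-Object Target | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3) Allow the legitimate NTLM-only systems (placeholder names), then deny everything else.
Add-NtlmServerException -Servers 'legacy-nas.corp.example', '*.legacy.example'
Set-OutgoingNtlm -Mode Deny
```

If the values are delivered by the baseline GPO, change them there rather than here; a policy refresh overwrites local edits. The domain-wide variant referenced above is a separate policy applied on domain controllers (“Restrict NTLM: NTLM authentication in this domain”) and is not covered by this script.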

Issue #4 A few notes on WPAD:

Proxy authentication with Responder is available as of version 2.3.2. I tried to force authentication to get creds transparently with no interaction required. This did not work with Windows 10 RS5, but I was able to get NTLM responses by browsing to the Responder IP.

Restricting outbound NTLM authentication (the fix from issue #3) is an effective countermeasure against rogue WPAD proxy servers, because Responder's proxy captures credentials by demanding NTLM authentication from the client; with outgoing NTLM denied, that challenge is never answered.

There are a few issues with Windows 10 RS5 (v1809) in this area. Automatic proxy discovery (“Automatically detect settings”) is on by default.

Also, the WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) is running by default and, unfortunately, other services depend on it, so it cannot simply be stopped or disabled.

I would recommend turning off the “Automatically detect settings” option on the proxy page. This really should be off by default. If it has to be on, I would recommend an Always On VPN connection when using free Wi-Fi hotspots, to prevent the unintentional disclosure of password hashes.
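The following PowerShell is an added example and not from the original post. It reports and clears the “Automatically detect settings” flag for the current user, shows which services depend on WinHttpAutoProxySvc (the reason it cannot just be disabled), and sets the machine-wide WinHTTP DisableWpad switch. The flag lives in bit 0x08 of the byte at offset 8 of the DefaultConnectionSettings binary value; the counter bump at offset 4 is how Windows signals a settings change to running applications.

```powershell
# Added example (not part of the original post).
$ConnKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$AutoDetectBit = 0x08   # flags byte at offset 8: 1=direct 2=proxy 4=PAC URL 8=auto-detect (WPAD)

function Get-WpadAutoDetect {
    $bytes = (Get-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings).DefaultConnectionSettings
    [bool]($bytes[8] -band $AutoDetectBit)
}

function Disable-WpadAutoDetect {
    $bytes = (Get-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings).DefaultConnectionSettings
    if (-not ($bytes[8] -band $AutoDetectBit)) { return }
    $bytes[8] = [byte]($bytes[8] -band (-bnot $AutoDetectBit))
    # Increment the change counter (uint32 at offset 4) so WinINet consumers reload.
    $counter = [uint32]([BitConverter]::ToUInt32($bytes, 4) + 1)
    [BitConverter]::GetBytes($counter).CopyTo($bytes, 4)
    Set-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings -Value $bytes
}

function Get-WpadServiceState {
    $svc = Get-Service -Name WinHttpAutoProxySvc
    [pscustomobject]@{
        Status     = $svc.Status
        StartType  = $svc.StartType
        Dependents = ($svc.DependentServices | ForEach-Object Name) -join ', '
    }
}

function Disable-WinHttpWpad {
    # Machine-wide switch for WinHTTP clients (requires admin): DisableWpad = 1.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    New-Item -Path $k -Force | Out-Null
    New-ItemProperty -Path $k -Name DisableWpad -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage
"Auto-detect enabled before: $(Get-WpadAutoDetect)"
Disable-WpadAutoDetect
"Auto-detect enabled after:  $(Get-WpadAutoDetect)"
Get-WpadServiceState | Format-List
Disable-WinHttpWpad
```

The per-user flag only covers WinINet (Internet Explorer, Edge and anything else that honours the Internet Options proxy page); the DisableWpad value covers WinHTTP callers such as Windows Update and system services. For a fleet, push both through the baseline GPO or Intune rather than per-host scripts, and re-check after feature updates, which have been known to reset the auto-detect flag.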

If I see any other issues to be on the lookout for or if you are reading this and have suggestions let me know and I will add it here.
