Webcast: Group Policies That Kill Kill Chains

On this webcast, we’ll guide you through an iterative process of building and deploying effective and practical Group Policy Objects (GPOs) that increase security posture.

Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_GroupPoliciesThatKillKillChains.pdf

0:45 Introducing what a kill chain is and general background you need for this webcast

15:53 Getting into group policies, best practices, group policies that we’re not covering today but you should be doing already

20:56 Local admin controls, honey accounts, LAPS, making a policy for admin groups

27:02 Addressing LLMNR, SMB signing, configuring host firewalls

33:43 Limiting and restricting logons, configuring your web proxies/WPAD, logging your network and alerts

42:46 Kerberos ticket operations, catching PowerShell and CMD, utilizing Sysmon

47:44 Q&A

Jordan and Kent are back again!

On this webcast, we’ll guide you through an iterative process of building and deploying effective and practical Group Policy Objects (GPOs) that increase security posture. The GPOs will specifically focus on things that make attackers’ lives difficult and assist in shutting down the kill chain.

Windows Auditing, Logging, Event Forwarding? Yes.

Sysmon? Yes.

Destroy LanMan? Killing LLMNR? Extending the AD schema for longer minimum password length?

Yes. Yes. Yes.

Limiting admin network logons? Yes.

LAPS? Sure, why not?

ADExplorer? Yes.

Much, much more.

Plus additional commentary on striking a balance between user convenience and practical security.

These are the Group Policies that trip us up on every pentest in some fashion or another. Combining these configurations creates a baseline security that stops attackers in their tracks and causes them to move on to an easier victim.

Join us for another feast at the smorgasbord of Windows configuration options and let us help you narrow your sysadmin focus for maximum results with minimal effort.

Q&A:

We had a ton of great questions asked during the webcast and many people asked us to make them available. So, here is a downloadable PDF of all the Questions & Answers.


