Versions Compared
Introduction

Product

About GYTPOL

GYTPOL stands as a comprehensive and versatile cybersecurity solution meticulously engineered to safeguard and optimize your digital assets. Its robust functionality extends across various operating systems, encompassing Windows, Linux, and macOS. Whether your devices are desktops, laptops, servers, virtual or physical, domain or non-joined, GYTPOL seamlessly integrates to provide protection.

...

In summary, GYTPOL streamlines security and optimization efforts across diverse environments, automating key processes to ensure robust cybersecurity.

Audience

This User Guide is primarily intended for individuals and teams responsible for implementing, managing, and maintaining the cyber security infrastructure within their organizations. It caters to both technical and non-technical users, providing clear instructions and explanations for all levels of expertise.

How to Use This User Guide

To help you navigate through this User Guide effectively, it is divided into various sections corresponding to different aspects of GYTPOL. Each section provides step-by-step instructions, best practices, and tips to maximize GYTPOL's potential.

Additionally, we have included screenshots and examples throughout the document to assist you in visualizing the interface and functionalities. Where applicable, we have also provided troubleshooting tips and frequently asked questions to address common concerns. The complete troubleshooting document is accessible both on our official website and through our dedicated support mailbox. If you encounter any challenges or require assistance, please refer to these resources for detailed guidance and solutions.

Contact Information

Should you have any questions, encounter difficulties, or require further assistance while using GYTPOL, please contact support@gytpol.com. Our dedicated support team is available to help you with any queries or concerns you may have.

...

Thank you for choosing GYTPOL, and we look forward to your success in safeguarding your digital assets.

How GYTPOL Validator works

The primary data flow process within GYTPOL Validator unfolds through the following sequential stages:

...

  • It interfaces with various public APIs to support data exchange and integration with external systems.

  • Integration with Ticketing Systems like ServiceNow is established, streamlining the process of generating and managing tickets based on GYTPOL's findings.

  • Notably, the GYTPOL Server also integrates with Security Information and Event Management (SIEM) systems. Selected events and data are sent from GYTPOL to SIEM platforms, such as MicroFocus ArcSight, IBM QRadar, Sentinel, or Splunk. This integration enhances the security ecosystem by aggregating GYTPOL's insights into the broader context of security events and monitoring.

Client Server Communication

The interaction between the client and the server operates in a one-way manner: the client initiates its scheduled task either on a daily or hourly basis (the client's tasks are elaborated upon in the client section). Following the task execution, the gathered data is transmitted to the GYTPOL server, where it undergoes analysis and subsequently appears in the user interface for review.

...

Should a GYTPOL operator execute a remediation action or any other task from the console, the client picks it up during its hourly task execution, which checks the server for new tasks. Upon running the task locally, the client reports the outcome back to the server, indicating either success or failure.

Client

GYTPOL provides support for Windows, Linux, and macOS operating systems. For a comprehensive overview of the supported platforms, please refer to the client installation guide available at this link: GYTPOL Client Installation Guide

The GYTPOL Client operates on a daily basis for a brief duration. Within this operational window, it accumulates data related to misconfigurations, unattended zero-day vulnerabilities, and outdated third-party software. This information is collected during the run and subsequently processed for further analysis.

GYTPOL Client for Windows

Language-Code: GYTPOL is developed using a combination of C# and signed PowerShell.

...

Communication Protocol: GYTPOL employs the latest Transport Layer Security (TLS) version supported by the device for secure communication. All communication occurs over HTTPS to ensure data privacy and integrity.

GYTPOL Client for Linux/macOS

Language-Code: GYTPOL is implemented using the Go programming language (Golang).

...

Communication Protocol: GYTPOL employs the most recent Transport Layer Security (TLS) version supported by the device. All communication occurs over HTTPS, ensuring data confidentiality and integrity.

Product overview

This section provides a quick overview of the GYTPOL Validator key capabilities and provides references to sections covering these capabilities in detail.

User Interface

From an end user's viewpoint, GYTPOL Validator is a role-based web application that simplifies cybersecurity management. Here's a walkthrough of how users navigate the UI and some notable visual notations and instructions provided in the corresponding documentation section:

...

By offering a role-based interface with intuitive navigation and helpful notations, GYTPOL empowers users to efficiently manage their cybersecurity tasks. This groundwork prepares users for a deeper exploration of specific functional use cases within the application.

Misconfigurations

Misconfiguration encompasses the mistakes made when setting up IT systems or security measures, which can result in vulnerabilities and potential security breaches. These errors often stem from insecure default settings, human oversights, incorrect application of Group Policy Objects (GPOs), and other factors.

...

GYTPOL provides a rapid solution to address misconfigurations, achieving this in a matter of minutes. For a comprehensive understanding of how to effectively manage misconfigurations, refer to the detailed guidance provided in the corresponding documentation section.

Group Policy Validation

The Policy Validation module within GYTPOL focuses on identifying and resolving gaps and issues associated with the implementation of Group Policy Objects (GPOs). This encompasses a range of concerns, such as failures in applying Group Policy Preferences (GPPs), disparities in settings, occurrences of local GPOs, orphaned GPO instances, and settings that don't match as intended.

...

By structuring the information in this manner, GYTPOL enables users to swiftly grasp and address GPO-related problems. For a more comprehensive understanding of utilizing the Policy Validation module, refer to the detailed instructions provided in the corresponding documentation section.

Login Profiler

The module serves to identify potential causes of slow startup or login times resulting from applied policies across the domain. This assessment can be performed according to various parameters, including device or user, specific policy extension, or organizational unit (OU). This module equips you with the capability to delve deeper into the analysis, pinpointing both the problematic policy and the specific settings or set of settings responsible for the observed latency.

...

For a comprehensive guide on utilizing the Login Profiler module effectively, refer to the corresponding documentation section.

CIS/NIST Benchmarks

The CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology) Benchmarks serve as comprehensive guidelines for configuring a range of software, operating systems, and devices. These benchmarks provide specific instructions to secure these systems against well-known vulnerabilities.

...

For detailed guidance on utilizing the CIS/NIST Dashboards effectively, refer to the corresponding documentation section.

Active Directory / Group Policy Enhanced Security

The Active Directory / Group Policy Enhanced Security module provides visibility into public data accessible via a basic domain user's access rights. This information can be queried directly from domain controllers. The module offers insights into various aspects, including administrator groups, vulnerable file paths within GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, customized group change queries, and more.

...

For a comprehensive understanding of how to effectively utilize the Active Directory / Group Policy Enhanced Security module, refer to the corresponding documentation section.

Maintenance

The Maintenance section of GYTPOL offers valuable recommendations to enhance the administration of Active Directory (AD) and Group Policy Objects (GPOs). This includes suggestions for optimizing the management of these crucial components. GYTPOL aids in identifying various issues for more effective administration:

...

These recommendations empower you to proactively enhance the administration of AD and GPOs. For a comprehensive guide on effectively using the Maintenance features, consult the detailed instructions provided in the corresponding documentation section.

Administration

The Settings menu within GYTPOL offers a hub for various administrative tasks that you can perform to manage and customize your GYTPOL environment. This includes activities like group management, API access configuration, filters setup, and managing muted alerts.

...

For a comprehensive guide on navigating and effectively utilizing the Settings menu, refer to the detailed instructions provided in the corresponding documentation section. This resource will offer step-by-step guidance on performing administrative tasks and optimizing your GYTPOL configuration.

UI Navigation

The GYTPOL Validator Homepage offers a user-friendly gateway to different perspectives tailored for Windows, Linux, and macOS environments. Each perspective presents the top five alerts pertinent to its corresponding scope, providing a rapid overview of critical issues.

...

Upon selecting the Windows dashboard, the top bar presents key information such as the number of reporting servers, endpoints, Domain Controllers, and Virtual Desktop Infrastructures (VDIs) – indicating the distribution of monitored assets. Additionally, the top bar showcases metrics regarding users validated through GYTPOL's Policy Validation module and the count of missing devices. Further explanation about these metrics can be found in the Customization and Settings > Health Screen section.

Drill downs

Every element within the user interface is interactive, allowing you to navigate to more advanced levels of UI management effortlessly.

...

For every device listed, a further drill-down option is available. Activating this drill-down leads you to specific findings associated with that particular device. This in-depth exploration provides granular insights into the security and configuration status of the chosen device.

Selecting any of the misconfiguration scopes, such as Servers or Endpoints, triggers the opening of the misconfiguration page, where all pertinent alerts relevant to that specific scope are presented. These alerts are systematically categorized according to the MITRE ATT&CK framework, enhancing their organization and clarity. Each alert possesses the capability to be further expanded, revealing the list of devices implicated in that misconfiguration.

...

For a comprehensive guide on navigating the Misconfigurations and Alerts section effectively, refer to the detailed instructions provided in the corresponding documentation.

Export

You have the capability to export either a single metric or a set of metrics to a CSV file. For instance, you can export all metrics related to Legacy Protocols by following these steps:

...

This CSV file will provide you with a structured record of the metrics related to Legacy Protocols, which you can then use for reporting or analysis purposes.

Another example is the export of a single finding:

...

Refresh

Within the user interface of GYTPOL, you have the flexibility to update information in two ways:

...

In opting for the targeted refresh, only the relevant metrics section that you select will be updated, aligning with your specific requirements. This feature enhances your ability to efficiently access the most recent information without refreshing the entire interface.

Getting Help - Know How

GYTPOL's Knowledge Base serves as a valuable resource, covering a wide range of topics, including security risks and manual/alternative methods to address identified findings. The primary goal of our Knowledge Base, often referred to as "Know How," is to offer swift access to information related to specific topics or alerts.

...

The Knowledge Base empowers users with in-depth information, enabling them to tackle security challenges with informed solutions. Whether you access it through the top bar or directly within specific topics, the Know How feature is designed to enrich your experience within GYTPOL and enhance your ability to address security concerns.

Search - find a computer or user

Locating specific computers belonging to users is a seamless process within GYTPOL:

...

  • GYTPOL will showcase the relevant misconfigurations that have been identified for the selected device.

  • This insight into misconfigurations empowers you to take targeted actions to address and rectify any issues.

...

Achievements

The Achievements screen provides valuable insights into the time saved and potential time savings achieved by using GYTPOL for remediation compared to traditional methods involving 3rd party tools, scripts, and Group Policy Objects (GPOs).

...

  • The Achievements screen also enables you to access the computers that still require remediation within specific topics.

  • Clicking on a desired topic directs you to the leftover computers, facilitating targeted efforts.

...

Getting started

Logging in

After installing the GYTPOL server, a desktop shortcut is automatically added for all users on the server, ensuring easy access. Additionally, you have the option to log in from any device within the network by using the following format: https://<gytpol-server-name>:9093

...

The login process is facilitated by Kerberos Single Sign-On (SSO), enhancing user convenience and security. To manage user access levels, navigate to the Roles and Permissions screen, where you can define and adjust user roles and permissions.

What you see when you first log in

Upon successful login, you will be directed to the main homepage of GYTPOL. Here, you will immediately access a view showcasing devices that are actively reporting to GYTPOL. Additionally, you'll receive initial findings related to the Active Directory and Group Policy aspects.

...

For more comprehensive details and explanations about the user interface and its various features, please refer to the dedicated UI overview section within GYTPOL's documentation. This section will provide an in-depth understanding of how to navigate and utilize the interface effectively. It's a valuable resource to make the most of GYTPOL's capabilities and insights.

...

Verify that GYTPOL clients were successfully deployed

You can confirm a successful GYTPOL client deployment in two ways:

...

For more information, refer to the Health Screen overview section in the documentation.

...

Misconfigurations

What is a Misconfiguration?

Misconfiguration refers to errors in configuring IT systems or security controls, leading to vulnerabilities and potential breaches. Errors can stem from wrong or insecure default settings, human error, GPOs that were not applied correctly, and more.

It can occur in network devices, web applications, cloud services, servers/operating systems, encryption/key management, security tools, and access controls. Preventing misconfigurations requires following best practices, conducting audits, implementing secure configurations, enforcing change management, and providing training and awareness. GYTPOL can help you achieve this in minutes.

Working with Misconfiguration Alerts

The GYTPOL Validator Homepage offers instant access to Windows, Linux, and macOS perspectives, each highlighting the top 5 alerts relevant to their respective scopes. It also facilitates UI customization through computer groups created by GYTPOL operators based on OS, name patterns, OUs, and more, as detailed in the Customization and Settings > Computer Groups section.

...

This comprehensive overview on the Homepage ensures swift access to key insights, customization options, and essential pages for effective management within GYTPOL.

Types of Misconfigurations

Our Misconfigurations module categorizes findings into topics aligned with the MITRE ATT&CK framework. These categories include:

...

  • Red (High): Represents high-severity misconfigurations that require immediate attention due to their critical impact on security.

  • Orange (Medium): Indicates medium-severity misconfigurations that should be addressed promptly to mitigate potential risks.

  • Yellow (Low): Denotes low-severity misconfigurations that may not pose an immediate threat but should still be resolved to enhance overall security posture.

  • Green (Complied): Signifies items that are in compliance and meet the expected security standards, resulting in no alerts generated.

...

  • Topic: Metrics are categorized into specific topics, aligning with the MITRE ATT&CK framework, to offer a structured overview of security concerns.

  • Subject: This highlights the specific aspect of the metric being assessed, pinpointing the area of concern.

  • Scope: Users can select the scope in the user interface to specify the context or range within which the metric is being evaluated.

  • Description: A detailed explanation of the metric's nature, implications, and potential security risks is provided to ensure a clear understanding.

  • Suggestion: Practical recommendations and steps for addressing and mitigating the identified issues are offered, guiding users toward effective remediation.

...

Navigating through Alerts (drill downs, pinning, etc.)

When you click on any of the scopes displayed on the main dashboard (such as Servers or Domain Controllers), it will lead you to the misconfiguration screen, designed as follows:

  • Metric Collection Boxes: Each box corresponds to a specific scope (e.g., Servers) and contains a collection of metrics grouped under their relevant topics (e.g., Remote Code Execution, Privilege Escalation).

  • Severity-Color Bars: Within each box, metrics are represented by colored bars indicating the severity level (Red = High, Orange = Medium, Yellow = Low). The number of devices affected by the alert is displayed alongside the bar, as well as the number of compliant devices. Alerts that weren't found at all won't be shown.

  • Drill-Down Functionality: Clicking on the colored bar provides a drill-down view, showing the list of devices associated with that alert's severity. This helps you pinpoint affected devices for focused remediation.

  • Actions: By clicking the wrench icon associated with a specific metric or alert, you can take actions at various levels. This allows you to address issues and apply remediation strategies based on your requirements.

Related Topics

In GYTPOL, topics are interconnected to enhance correlation and provide a more comprehensive understanding of security issues. This is achieved through the implementation of "Related Topics" for many alerts:

...

Clicking on any related topic takes you to a dedicated section that displays alerts related to that topic.

Remediable vs non-Remediable alerts

In GYTPOL, alerts are visually differentiated by the presence of a spanner icon, which conveys specific information about the remediation process:

  • Green Spanner: Alerts accompanied by a green spanner icon indicate that you can swiftly remediate the finding using the GYTPOL user interface. This streamlined process enables you to fix the identified misconfiguration in a matter of seconds. For more detailed guidance on the remediation process, refer to the provided resources.

  • Gray Spanner: If an alert is associated with a gray spanner icon, it signifies that the finding cannot be remediated through the user interface due to certain limitations or conditions. These limitations could include factors such as unsupported PowerShell versions or the informational nature of the alert. This may also indicate that the item fully complied with GYTPOL standards or was already fixed.

...

Revertible vs non-Revertible

In GYTPOL, alerts are categorized into two types based on their remediation and revertability options:

...

This distinction helps users understand the level of remediation and revertability associated with each alert, allowing them to make informed decisions on how to address and potentially revert misconfigurations.

Spanner - Colors and Meaning

Color and meaning of the spanner icon:

  • Green – alert remediable and revertible

  • Green with (!) – alert remediable but non-revertible

  • Red – remediation failed (timeout, access)

  • Orange – no error was reported during remediation, but the scanner found the same alert again

  • Gray – action cannot be applied, either because the PowerShell version is too old or there is no remediation action available for this finding

  • Gray with a spinning icon – remediation is pending and ready to run on devices

...

Export found misconfigurations to CSV

GYTPOL offers a convenient feature that allows you to export data from the dashboard to a CSV file, facilitating reporting and efficient tracking of information. Here's how it works:

...

By utilizing these export functionalities, GYTPOL empowers users to generate reports, gather insights, and maintain efficient records of misconfigurations and remediation efforts for better security management and documentation.

Remediation Action types

Remediation Process for Misconfigurations

Within GYTPOL Validator, users have the capability to rectify misconfigurations found on endpoints and servers by defining Remediation Actions. These actions facilitate the implementation of fixes across various devices, groups, or even individual machines. Here's how the process works:

  1. Defining Remediation Actions: Remediation Actions outline the corrective measures to be applied based on parameters like OU, Domain, or specified computer groups. The actions are grouped into topics, such as the SMB and Sharing topic including SMBv1 removal.

  2. Pending Status and Acknowledgment: After a GYTPOL admin initiates an action, it remains in a pending status until the client device checks in (hourly) and confirms the task for local application.

  3. Client Acknowledgment and Feedback: Once the client applies the task locally, it sends feedback to GYTPOL regarding the outcome. This feedback includes information on success, failure, and the reason for failure (e.g., timeout or access denial).

  4. Revert Capability: Numerous remediation actions can be reverted to the original state directly from the GYTPOL UI. This streamlines the process and eliminates the need for third-party tools or scripts. All reverts are executed on the device within an hour, maintaining consistency with the hourly check-in schedule.

Remediation Action

A "Single Remediation Action" in GYTPOL Validator involves applying a corrective action to resolve a specific finding. Here's an overview of the process:

  1. Identify the Finding: Start by identifying a particular misconfiguration or security finding that needs to be addressed.

  2. Choose the Target Group: Select the group of devices on which you want to apply the remediation action. This can include specific devices, a group based on OU, Domain, or custom computer groups.

  3. Initiate the Remediation Action: Define the specific action or fix that needs to be implemented to address the finding. This action can involve changes to configurations, settings, or other relevant parameters.

  4. Pending Status and Client Check-In: After initiating the action, it enters a pending status. The respective client devices periodically check in (hourly) to receive and acknowledge the action.

  5. Client Acknowledgment and Feedback: Once the client applies the action locally, it sends feedback to GYTPOL indicating the success or failure of the task, along with reasons for any failures.

  6. Revert Capability (if applicable): If the action supports reversion to the original state, GYTPOL allows you to revert changes directly from the UI.

Auto-remediation

An "Automatic Remediation Action" in GYTPOL Validator is designed to automatically apply fixes to any future alerts that match predefined criteria on selected devices within the Target group.

By utilizing the Automatic Remediation Action feature, GYTPOL empowers users to proactively respond to emerging security challenges, ensuring that devices remain aligned with organizational policies and security standards as new alerts are detected. This automated approach enhances the overall security posture of the organization.

Mute

In GYTPOL Validator, users have the option to mute or "remove" alerts from the user interface and misconfiguration list. This feature is useful when an alert is acknowledged as a known risk and no further action is required. Here's how it works:

...

Generic

In GYTPOL Validator, you have the ability to execute a set of actions on selected devices within the Target group. These actions can be accessed from the Generic drop-down menu and offer various functionalities for managing devices and policies. Here are the available actions:

  1. Group Policy update Computer + user without restart: This operation triggers a gpupdate for both computer and user configurations without requiring a restart or logoff.

  2. Group Policy update Computer + user with restart: This operation performs a gpupdate for both computer and user settings, followed by a computer restart upon successful completion.

  3. Rescan Computer / User: This operation initiates a rescan of the computer or user ahead of the regular schedule, ensuring that the alert information is up to date.

  4. Remove Local Policy Settings: This operation removes locally defined policy settings on the computer, ensuring that no administrative changes have altered the local configuration.

  5. Sync Intune: This operation forces devices to retrieve updates from Intune, ensuring that the information remains current.

Remediation Action

The remediation of findings in GYTPOL Validator can be initiated through the use of the green spanner icon. Once this icon is clicked, it opens an Action screen that facilitates the remediation process. Here's an explanation of the components within this screen using an example scenario of remediating the "SMB Everyone Shares" issue under the "SMB and Sharing" topic on non-DC servers:

...

Actions Screen

The screen provides a comprehensive view of both ongoing and completed tasks, categorized into specific tabs for efficient management:

...

By offering these filters and categorized tabs, the "Tasks" screen empowers you to effectively track, manage, and monitor the various tasks being executed within GYTPOL Validator.

...

Activate / Edit / Deactivate Remediation Rule

After creating a task using the Action/Remediation screen, you can manage and modify it through the Actions screen. This screen offers the following options:

...

Revert Action

The "Revert Action" functionality is accessed through the Actions screen. To perform a revert action, you have the following options:

  1. Revert All: This option enables you to revert the remediation action on all devices within the defined scope. By selecting this option, the remediation changes will be undone on all applicable devices.

  2. Revert on Selected Device(s): If you wish to revert the remediation action on specific devices within the scope, you can do so by clicking the "undo" icon for the respective device(s). This allows you to selectively revert changes on chosen devices.



Quick Wins

"Quick-Wins" in GYTPOL Validator refer to misconfiguration topics that can be swiftly and easily remediated or auto-remediated without causing any adverse effects on the devices. These topics encompass low-hanging fruit in terms of security improvements.

...

Group Policy Validation (available to On-Prem customers)

From the Homepage, specifically under the Windows section, you can easily navigate to the policy validation screen.

...

Login Profiler (available to On-Prem customers)

...

In this interface, you can readily assess whether any domain-wide policies might lead to sluggish startup or login durations. This evaluation is conducted based on factors such as the device/user, extension, or organizational unit (OU) impacted.

...

You have the capability to delve deeper into the details and pinpoint the policy that is causing the latency issues. Moreover, you can identify the specific settings or a group of settings within that policy that are contributing to the performance delays. This granular level of analysis empowers you to precisely identify and address the root causes of latency within your policy configurations.

...

Active Directory / Group Policy Enhanced Security

This section showcases public data that can be queried from domain controllers using basic domain user access rights. The displayed information encompasses details like administrator groups, susceptible file paths within your GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, and the ability to query custom group changes, among other elements.

...

Clicking on a box within this interface provides a detailed list of the examined items. You can also navigate through a drill-down process from the specific topic to access more comprehensive insights into the data.

...

Maintenance

The Active Directory and Group Policy module offers recommendations for enhancing cleanliness and optimizing performance. These insights and suggestions are presented at the organizational level, highlighting areas where adjustments can be implemented to enhance the organization of your Group Policy Objects (GPOs) and Active Directory (AD).

...

By drilling down into a specific box or topic, you can access a detailed list of identified items. Within the same topic, you'll encounter our "Know-How" feature represented by a hat icon. This resource provides comprehensive explanations about the findings and offers guidance on rectifying or modifying the identified issues, facilitating informed decision-making and proactive improvements.

...

CIS / NIST benchmarks

The platform provides hardening recommendations aligned with the Center for Internet Security (CIS-8) and the National Institute of Standards and Technology (NIST 800-53) guidelines. These recommendations are detailed in the overview.

...

From the homepage, you can open the corresponding dashboard by selecting the relevant standard. Once clicked, the CIS or NIST dashboard is displayed, presenting the benchmark results. Here's a breakdown of the color codes used:

  • Green: Indicates that the settings within your organization are compliant.

  • Red: Denotes that the settings within your organization are not compliant.

  • Orange: Indicates that the settings are not managed in your organization, and there is no detectable Group Policy Object (GPO) containing the relevant setting.

...

You can retrieve the list of computers to determine whether the specific setting you've chosen is applied or not. This allows you to quickly identify which computers are in compliance with the chosen setting and which ones are not.

...

Customization and Settings

Health screen

This screen provides a comprehensive overview of reporting clients, including their status, the timestamp of their last successful scan, version information, operating systems, and the client scope (Endpoint, Server, or VDI).

...

The reporting status of each device is color-coded as follows:

  • Blue: Devices reported within the last 24 hours.

  • Yellow: Devices that have not reported in the last 3 days.

  • Orange: Devices that have not reported in the last week.

  • Red: Devices that have not reported in 7-14 days.

...

Devices that have been removed from the organization or have missed reporting for over 14 days are moved to the "Missing over 14 days" section. If a device has not reported for over 30 days but was registered in Active Directory within the last 30 days, it will be moved to the "Never Reported" section. This helps to keep track of the reporting status of devices accurately.

...

What’s new

The "What's New" page is a dedicated section that showcases the updates, enhancements, bug fixes, and new features introduced in various versions and releases of GYTPOL. This page serves as a valuable resource for users to stay informed about the changes that have been implemented in the software. It includes information about the addition of new functionalities, improvements to existing features, resolutions for known issues, deprecation of certain elements, and any security updates that have been applied.

By referring to the "What's New" page, users can quickly understand the evolution of GYTPOL and make the most of the latest enhancements.

...

License

The license page is a section that outlines the terms and conditions under which the software application or system is licensed to users. The page will include details such as the license type, User/Computer limitations, the license expiration dates, disclaimers or any applicable liabilities.

The page is also used to generate a new license ID (when changes need to be made to the existing license) or upload a new license when purchased or updated.

...


About

This page shows build and version information for the different system components. The support team may request this data during troubleshooting or update processes.

...

Group Policy and Active Directory Filters

If any findings or recommendations related to Active Directory, Group Policy, or CIS/NIST benchmarks have been muted from the user interface, they will be categorized and displayed under the respective filters. This allows users to easily identify the items that have been muted and provides the option to unmute them if needed.

Unmuting an item would mean that it will again appear in the regular alerts or recommendations list, ensuring that no critical issues are overlooked and that the organization's security posture remains strong.

...

Managing User Accounts

GYTPOL features a Role-Based Access Control (RBAC) system that enables administrators to define precise permission levels within the user interface. To configure RBAC in GYTPOL, follow these steps:

...

This RBAC feature in GYTPOL helps organizations tailor access permissions to different teams or individuals, enhancing security and ensuring that users have the appropriate level of control and visibility within the system.

Computer Groups

GYTPOL allows you to create custom computer groups, whether static or dynamic, based on various criteria such as name patterns, operating systems, organizational units (OUs), domains, or custom lists.

...

  1. Click on the "+" icon to initiate the creation of a new group.

  2. Provide a name for the group that represents its purpose or criteria.

  3. Select the devices you want to include in the group based on the available options on the screen. These options could include name patterns, operating systems, OUs, domains, or even arbitrary lists of devices.

  4. After specifying the criteria and devices, click "Add" or a similar confirmation button to create the custom group.


By creating custom computer groups, you can efficiently manage and categorize your devices, allowing for easier organization, targeting of actions, and monitoring of specific sets of devices that meet certain criteria. This feature can enhance the flexibility and customization of your GYTPOL deployment.


References

Quick-Wins

As mentioned earlier – "Quick-Wins" in GYTPOL Validator refer to misconfiguration topics that can be swiftly and easily remediated or auto-remediated without causing any adverse effects on the devices. These topics encompass low-hanging fruit in terms of security improvements.

...

Remote Code Execution

Log4J (CVE-2021-44228, CVE-2021-45046)

Log4j is relevant to various operating systems, including Windows, Linux, and macOS. In GYTPOL, we have adopted the strategy of abstaining from software updates because of their potential repercussions. Instead, we opted to modify two lines of code within the JndiLookup Java class. These changes encompass:

...

Topic:

log4j2 Vulnerability

Subject:

log4j2 Vulnerability in JndiLookup

Description:

Remote Code Execution 0-Day Vulnerability (CVE-2021-44228, CVE-2021-45046).

Suggestion:

It is highly recommended to use Gytpol to secure the current version (ZERO-IMPACT!) – no software upgrade needed.

Reason:

Correcting the function to work as it should, by validating that the input parameter is a DateTime and removing the execution path that was not relevant to this function. Adopted by Apache in 2.17.1 (Gytpol is not upgrading Log4j; we only correct the zero-day vulnerability in the code).

...
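The passage above describes a fix applied inside the JndiLookup class rather than a version upgrade, so the first thing a defender needs is an inventory of which jars on a host still carry that class and which log4j-core version they declare. The following PowerShell is an added example, not GYTPOL's own code or Apache's: it walks a directory tree, opens each `.jar` as a zip archive and reports the presence of `JndiLookup.class` plus the version found in the jar's Maven `pom.properties` when one is present. `$Root` is a hypothetical starting point; jars nested inside other jars are not opened.

```powershell
# Added example (not GYTPOL's own code): inventory JAR files and report those
# that still contain the JndiLookup class behind CVE-2021-44228, together with
# the log4j-core version recorded in the jar's Maven pom.properties when present.
# Assumptions: $Root is a hypothetical starting directory; nested (shaded) jars
# inside other jars are not opened.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$JndiClass   = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
$PomProperty = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'

function Get-JarLog4jInfo {
    param([Parameter(Mandatory)][string]$Path)
    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        # Entry names inside a jar use forward slashes, so compare them as-is.
        $hasJndi = [bool]($zip.Entries | Where-Object { $_.FullName -eq $JndiClass })
        $version = $null
        $pom = $zip.Entries | Where-Object { $_.FullName -eq $PomProperty } | Select-Object -First 1
        if ($pom) {
            $reader = New-Object System.IO.StreamReader($pom.Open())
            $text   = $reader.ReadToEnd()
            $reader.Dispose()
            if ($text -match '(?m)^version=(\S+)') { $version = $Matches[1] }
        }
        [pscustomobject]@{ Jar = $Path; HasJndiLookup = $hasJndi; Log4jCoreVersion = $version }
    } catch {
        Write-Warning "Not a readable zip archive: $Path ($_)"
    } finally {
        if ($zip) { $zip.Dispose() }
    }
}

function Find-Log4jJars {
    param([string]$Root = 'C:\')   # hypothetical starting point
    Get-ChildItem -Path $Root -Filter '*.jar' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-JarLog4jInfo -Path $_.FullName } |
        Where-Object { $_.HasJndiLookup }
}

# Usage: every jar that still ships JndiLookup.class, with its version where known.
Find-Log4jJars -Root 'C:\' | Format-Table -AutoSize
```

Presence of the class alone is not conclusive: the 2.17.1 release the text cites still ships `JndiLookup.class` with the lookup disabled, so read the version column alongside it before deciding a jar needs attention.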

Office Follina Attack (CVE-2022-30190)

Follina pertains to devices equipped with any version of Microsoft Office. Once again, Microsoft's response to the zero-day vulnerability was found lacking, prompting our discovery of two additional registry keys that necessitated removal from the devices. These registry keys, which were last utilized in 2013, were identified as contributing factors to the issue.

...

Topic:

Office Follina Attack

Subject:

Follina Attack (CVE-2022-30190)

Description:

A zero-day allowing code execution in Office products: Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.

Suggestion:

Remediate urgently with Gytpol (ZERO-IMPACT!).

Reason:

Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in System Settings as other or additional troubleshooters.

...

MS Word RTF (CVE-2023-21716)

MS Word RTF exploits are applicable to devices equipped with any version of Microsoft Office. This instance involves another inadequately patched zero-day vulnerability. At GYTPOL, we took proactive measures by disallowing the opening of RTF files from unverified or untrusted sources. This action helps mitigate the risk associated with this vulnerability and enhances the security of the system.

...

Topic:

MS Word RTF Document

Subject:

MS Word RTF (CVE-2023-21716)

Description:

CVE-2023-21716 is a critical RCE vulnerability in Microsoft Word that can be exploited when the user previews a specially crafted RTF document.

Suggestion:

Remediate urgently with Gytpol (ZERO-IMPACT!), or: use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources.

...
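Both Office findings above come down to a registry-backed mitigation: the Follina reason text says the MSDT URL protocol is disabled, and the RTF suggestion points to the Office File Block policy. The following PowerShell is an added example, not GYTPOL's own code; it audits the state of Microsoft's documented workarounds for both (removal of the `ms-msdt` protocol handler, and `RtfFiles = 2` with `OpenInProtectedView = 0` under Word's FileBlock key) and can apply them with a backup of the handler first. The two additional registry keys the Follina text mentions are not named on this page and are therefore not touched; the Office `16.0` hive is an assumption.

```powershell
# Added example (not GYTPOL's own code): audit and, if asked, apply Microsoft's
# documented workarounds behind the two Office findings above: the ms-msdt: URL
# protocol handler (CVE-2022-30190) and the Word File Block policy for RTF
# (CVE-2023-21716). The two additional registry keys the Follina text mentions are
# not named on the page and are not touched here.
# Assumption: Office 16.0 hive (Office 2016 and later); change $OfficeVersion otherwise.
$OfficeVersion = '16.0'
$MsdtKey       = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$FileBlockKey  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"

function Test-MsdtProtocolHandler {
    $present = Test-Path $MsdtKey
    $detail  = if ($present) { 'ms-msdt handler registered' } else { 'ms-msdt handler absent' }
    [pscustomobject]@{ Check = 'Follina: ms-msdt URL protocol'; Hardened = (-not $present); Detail = $detail }
}

function Test-WordRtfFileBlock {
    $rtf = $null; $pv = $null
    if (Test-Path $FileBlockKey) {
        $props = Get-ItemProperty -Path $FileBlockKey
        $rtf = $props.RtfFiles            # 2 = do not open RTF files
        $pv  = $props.OpenInProtectedView # 0 = do not open blocked files in Protected View
    }
    [pscustomobject]@{ Check = 'Word RTF File Block'; Hardened = ($rtf -eq 2 -and $pv -eq 0); Detail = "RtfFiles=$rtf OpenInProtectedView=$pv" }
}

function Set-OfficeMitigations {
    # Export the handler before deleting it so the change can be reverted.
    if (Test-Path $MsdtKey) {
        reg.exe export HKCR\ms-msdt (Join-Path $env:TEMP 'ms-msdt-backup.reg') /y | Out-Null
        Remove-Item -Path $MsdtKey -Recurse -Force
    }
    New-Item -Path $FileBlockKey -Force | Out-Null
    Set-ItemProperty -Path $FileBlockKey -Name RtfFiles -Type DWord -Value 2
    Set-ItemProperty -Path $FileBlockKey -Name OpenInProtectedView -Type DWord -Value 0
}

# Usage: report both checks; run Set-OfficeMitigations only where the report shows Hardened = False.
Test-MsdtProtocolHandler
Test-WordRtfFileBlock
```

The File Block policy lives in the user hive, so the audit reflects the user running it; for fleet-wide enforcement the same values belong in a Group Policy (or in GYTPOL's remediation, as the text suggests) rather than in a per-user script.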

Dell Driver (CVE-2021-21551)

Dell Driver concerns are relevant exclusively to Dell devices. In our approach at GYTPOL, we opted to align with Dell's guidance. This involved the removal of the driver situated within the Temp folder on the device. By adhering to Dell's recommendations, we aimed to enhance the security and functionality of Dell devices under our purview.

...

Topic:

Dell Driver

Subject:

BIOS Driver Privilege Escalation Flaws

Description:

(CVE-2021-21551): A security vulnerability affecting the dbutil_2_3.sys driver. Attackers may exploit these vulnerabilities to locally escalate to kernel-mode privileges.

Suggestion:

According to Dell, it is highly recommended to remove the driver or update it using Dell System Inventory Agent. See more: https://www.dell.com/support/kbdoc/en-il/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability.

Reason:

The file is located in C:\Windows\Temp and is not needed by any Dell software or application.

Privilege Escalation

Print Spooler Log 

Print Spooler Log pertains to Windows systems and enables monitoring of printer usage activity. This proactive approach helps to avert potential issues, such as the unaddressed PrintNightmare vulnerability. By scrutinizing the print spooler log, we can implement measures to prevent such vulnerabilities from materializing, thereby enhancing the security and stability of the Windows environment.

...

Topic:

Print Spooler Log 

Subject:

Print Spooler Log

Description:

The Print Spooler Operational Log is disabled. Enabling the log gives you visibility into active printing and attacks.

Reason:

Activating the log gives extra visibility before stopping the Print Spooler. The log size is limited to 1MB and will not consume much disk space.

...


Print Spooler Service

Print Spooler functionality is applicable to Windows systems. When the printer log is enabled, it not only provides insights into mapped printers but also logs printing activities. This visibility underscores the simplicity of determining whether the service is necessary. If deemed unnecessary, the service can be disabled with ease. This approach aids in enhancing security and efficiency by preventing potential risks associated with the service when it's not in active use.

...

Topic:

Print Spooler

Subject:

Print Spooler service status

Description:

Many attackers use this service as their back door to the servers. It is recommended to disable this service via GYTPOL or group policy on all servers.

Reason:

The Spooler service is disabled after we show that there are no printing events and no printers are attached to the server/endpoint (the spooler log must be enabled).

...
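The two Print Spooler topics above form one procedure: enable the operational log first, then disable the service only once the log has shown no printing and no printer is attached. The following PowerShell is an added example of that procedure on a single Windows host, not GYTPOL's own code. It assumes event ID 307 ("Printing a document") is the marker of a print job, uses a hypothetical 90-day observation window, and excludes Windows' built-in virtual printers by the name list shown, which is also an assumption.

```powershell
# Added example (not GYTPOL's own code): the two-step approach the text
# describes, on the local Windows host. Step 1 enables the PrintService
# operational log capped at 1 MB; step 2, after an observation window, disables
# the Spooler only if that log shows no print jobs and no printer is attached.
# Assumptions: event ID 307 ("Printing a document") marks a print job; $Days
# is a hypothetical default; Windows' built-in virtual printers are excluded by
# the name list below.
$PrintLog        = 'Microsoft-Windows-PrintService/Operational'
$VirtualPrinters = 'Microsoft Print to PDF', 'Microsoft XPS Document Writer', 'Fax', 'OneNote*'

function Enable-PrintServiceLog {
    $log = Get-WinEvent -ListLog $PrintLog
    $log.IsEnabled = $true
    $log.MaximumSizeInBytes = 1MB    # the size limit the text mentions
    $log.SaveChanges()
}

function Get-PrintActivity {
    param([int]$Days = 90)
    $since  = (Get-Date).AddDays(-$Days)
    $jobs   = @(Get-WinEvent -FilterHashtable @{ LogName = $PrintLog; Id = 307; StartTime = $since } -ErrorAction SilentlyContinue)
    $queues = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object {
        $name = $_.Name
        -not ($VirtualPrinters | Where-Object { $name -like $_ })
    })
    [pscustomobject]@{
        LogEnabled    = (Get-WinEvent -ListLog $PrintLog).IsEnabled
        PrintJobs     = $jobs.Count
        Printers      = @($queues.Name)
        SafeToDisable = ($jobs.Count -eq 0 -and $queues.Count -eq 0)
    }
}

function Disable-SpoolerIfUnused {
    param([int]$Days = 90)
    $state = Get-PrintActivity -Days $Days
    if (-not $state.LogEnabled) {
        # Without the log, "no print jobs" proves nothing; this is the ordering the text insists on.
        throw 'Enable the PrintService log first and wait out the observation window.'
    }
    if ($state.SafeToDisable) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        return "Spooler disabled: no print jobs in $Days days and no printers attached."
    }
    return "Spooler kept: $($state.PrintJobs) print jobs; printers: $($state.Printers -join ', ')"
}

# Usage: Enable-PrintServiceLog today; run Disable-SpoolerIfUnused after the window has elapsed.
Get-PrintActivity | Format-List
```

Because the log is capped at 1 MB, a busy print server can roll it over inside the window; on such hosts the absence of events is only meaningful if the oldest retained event predates the window start.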


Local Admins

Local Admins status pertains to Windows, Linux, and macOS systems. Our current capability encompasses not only identifying individuals designated as local administrators but also tracking recent usage patterns. This enhanced visibility allows us to make informed decisions. For instance, if there has been no logon activity within the last 90 days, it becomes straightforward to determine the need for remediation actions. This strategic approach aids in maintaining system security by promptly addressing potential risks associated with unused or unnecessary admin privileges.

...

Topic:

Local Admins

Subject:

Local administrator on computer

Description:

Detected a local administrator on the computer. In most cases users should not have the Local Administrator privilege, as it grants them total control over the computer and exposes the computer and the organization to malware risks.

Suggestion:

You should verify that these privileges are legitimate, and either filter out this warning or remove the privilege from the user.

Reason:

Login events are shown, and the user is removed from the Local Admins after 90 days of inactivity.

...


Local Users

Local Users management is applicable across Windows, Linux, and macOS platforms. Our current capabilities extend beyond identifying local user accounts and their group memberships. We now also possess the ability to track recent usage patterns. This enhanced visibility allows us to make informed decisions. For example, if there has been no logon activity within the last 90 days, it becomes a straightforward decision to initiate remediation actions. This approach contributes to bolstering system security by promptly addressing potential risks associated with underutilized or unneeded local user accounts.

...

Topic:

Local Users

Subject:

Local user activity

Description:

Detected an active local user on the computer. Local users should not be created and must be removed, unless it is the local Administrator account.

Suggestion:

Verify those accounts are correct and ignore if needed. Remediate in case the users are irrelevant.

Reason:

Login events are shown, and the user is removed from the Local Users after 90 days of inactivity.

...


Guest Users

Guest User management pertains to Windows and macOS environments. Our capabilities now encompass the ability to identify instances where Guest Users have been overlooked or not properly disabled. This feature allows us to locate areas where these accounts may have been inadvertently left active. By detecting and rectifying these oversights, we enhance security measures and ensure that potential vulnerabilities associated with active Guest Users are promptly addressed in both Windows and macOS systems.

...

Topic:

Guest Users

Subject:

Local Guest Account Status

Description:

A guest account allows unauthenticated network users to gain access to the system. According to Microsoft, this can lead to the exposure or corruption of data.

Suggestion:

It is highly recommended to disable all Guest users.

Reason:

By default, the Guest account should be prevented from logging on locally and from accessing the computer from the network.

...
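The Local Admins, Local Users and Guest Users topics above share one decision rule: show who the account is, whether it has logged on recently, and remove or disable it after 90 days of inactivity. The following PowerShell is an added example of that inventory on a Windows host, not GYTPOL's own code. It identifies the built-in Administrator and Guest accounts by their SID suffixes (-500 and -501) rather than by name, treats the page's 90 days as the threshold, and reports only by default; the `-Apply` switch on the removal helper is an assumption of this example.

```powershell
# Added example (not GYTPOL's own code): inventory local accounts on a Windows
# host along the lines of the three findings above: local Administrators
# members, other local users, and the Guest account, flagging accounts with no
# logon in the last $InactiveDays (the page's 90-day threshold). Built-in
# accounts are recognised by SID suffix (-500 Administrator, -501 Guest).
# Assumption: the LocalAccounts module (Windows 10 / Server 2016 and later).
function Get-LocalAccountRisk {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value })
    foreach ($u in Get-LocalUser) {
        $sid            = $u.SID.Value
        $isAdmin        = $admins -contains $sid
        $isBuiltinAdmin = $sid -like '*-500'
        $isGuest        = $sid -like '*-501'
        # LastLogon is $null for an account that never logged on: treat that as inactive too.
        $inactive = (-not $u.LastLogon) -or ($u.LastLogon -lt $cutoff)
        $finding = $null
        if ($isGuest -and $u.Enabled) {
            $finding = 'Guest account enabled'
        } elseif ($isAdmin -and -not $isBuiltinAdmin -and $inactive) {
            $finding = "local admin with no logon in $InactiveDays days"
        } elseif ($u.Enabled -and -not $isBuiltinAdmin -and -not $isGuest -and $inactive) {
            $finding = "local user with no logon in $InactiveDays days"
        }
        [pscustomobject]@{
            Name = $u.Name; Enabled = $u.Enabled; LocalAdmin = $isAdmin
            LastLogon = $u.LastLogon; Finding = $finding
        }
    }
}

function Remove-InactiveLocalAdmins {
    # Report-only unless -Apply is given; mirrors the "removed after 90 days" rule.
    param([int]$InactiveDays = 90, [switch]$Apply)
    Get-LocalAccountRisk -InactiveDays $InactiveDays |
        Where-Object { $_.Finding -like 'local admin*' } |
        ForEach-Object {
            if ($Apply) { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
            "$($_.Name): $($_.Finding)"
        }
}

# Usage: list every account with a finding; Remove-InactiveLocalAdmins -Apply enforces the admin rule.
Get-LocalAccountRisk | Where-Object Finding | Format-Table -AutoSize
```

`Get-LocalGroupMember` also returns domain accounts and groups nested in the local Administrators group; those are outside the scope of the local-user loop here and need the domain-side view the text describes for Active Directory.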


Batch Privilege (Log on as a Batch)

Batch Privilege management applies to both Windows and Linux environments. Our capabilities extend to the identification of users with the ability to run batches, encompassing various mechanisms such as task scheduler, crontab, and IIS App Pool. Similar to our approach with local admin privileges, we aim to provide a clear correlation by showcasing the associated group and its members. The identification of empty groups simplifies decision-making. This comprehensive view aids in promptly addressing security concerns, making it straightforward to take action in instances where unauthorized or unneeded batch privileges exist within both Windows and Linux systems.

...

Topic:

Batch Privilege 

Subject:

Dangerous privilege granted: Log on as a Batch

Description:

SeBatchLogonRight accounts can log on by using a batch-queue tool such as the Task Scheduler service.

Suggestion:

Change this setting to <Service Accounts> under 'Default Domain Policy' and under 'Default Domain Controller Policy': Go to Computer configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a Batch

Reason:

The group is empty and isn't used. Once used, it has the same access level for batch and task execution as the Local Admins group (which usually contains Domain Admins).

...
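The Reason above hinges on knowing which principals hold `SeBatchLogonRight` and whether those groups are empty. The following PowerShell is an added example, not GYTPOL's own code: it exports the local user-rights assignment with `secedit`, parses the `SeBatchLogonRight` line, resolves each SID to an account name and, where the holder is a local group, counts its members so an empty group stands out. It must run elevated, and the temporary INF path is an assumption of the example.

```powershell
# Added example (not GYTPOL's own code): read the local assignment of
# "Log on as a batch job" (SeBatchLogonRight), resolve each SID to an account
# name and, for local groups, count their members, so an empty group holding
# the right (the situation the Reason above describes) stands out.
# Assumption: run elevated; secedit exports an INF-style file that is parsed here.
function Get-BatchLogonRight {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    # Get-Content honours the UTF-16 BOM secedit writes, so the regex sees plain text.
    $line = Get-Content -Path $inf | Select-String -Pattern '^SeBatchLogonRight\s*=\s*(.*)$' | Select-Object -First 1
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line) { return }                       # right assigned to nobody
    foreach ($token in ($line.Matches[0].Groups[1].Value -split ',')) {
        $raw     = $token.Trim().TrimStart('*')      # secedit writes SIDs as *S-1-...
        $name    = $raw
        $members = $null
        if ($raw -match '^S-1-') {
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$raw).Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            # Member count only for groups that exist locally (BUILTIN or this computer's own).
            $grp = Get-LocalGroup -SID $raw -ErrorAction SilentlyContinue
            if ($grp) { $members = @(Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue).Count }
        }
        [pscustomobject]@{ Sid = $raw; Account = $name; LocalGroupMembers = $members }
    }
}

# Usage: one row per holder of the right; LocalGroupMembers = 0 marks an empty local group.
Get-BatchLogonRight | Format-Table -AutoSize
```

This reads the effective local policy, which already includes whatever the Default Domain Policy pushed down; to change the assignment domain-wide, edit the GPO path the Suggestion gives rather than the local INF.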

Lateral Movement

Exchange WebShell

Exchange WebShell vulnerabilities are pertinent to Windows environments. This massive zero-day vulnerability often poses challenges for organizations utilizing on-premises Exchange servers in terms of consistent patching. At GYTPOL, we have devised a strategy to detect and combat this threat. Our approach involves identifying malicious DLL files that are created as part of the attack and subsequently removing them. By proactively addressing the issue, we contribute to safeguarding the security and integrity of Windows systems impacted by Exchange WebShell vulnerabilities.

...

Topic:

Exchange Temp WebShell

Subject:

Exchange Malicious Temp WebShells

Description:

HAFNIUM's attack tools found on host: Temp WebShell.

Suggestion:

Immediate action required: your server has been compromised! (1) Remove the file(s) immediately from the computer(s) and start an investigation. (2) Sometimes it is also recommended to restore the server to a state before the attack date and to fully patch it. (3) Check other servers for lateral movement.

Credentials

Credential Manager

Credential Manager concerns are relevant to Windows environments. In scenarios where accessing network paths or Remote Desktop Protocol (RDP) requires entering credentials, these credentials are often stored on the device, posing a security risk. GYTPOL's approach to remediation involves the permanent removal of these stored credentials from the user's profile. By implementing this measure, we mitigate the exposure of sensitive credentials, enhancing the overall security of Windows systems by preventing unauthorized access to stored credentials.

...

Topic:

Credential Manager

Subject:

User credentials stored on computer

Description:

The Windows Credential Manager provides easy password management to the user, but exposes their account to security threats. Any process running in the user's account can get elevated access to the vault and steal the stored passwords.

Suggestion:

It is highly recommended to disable the Credential Manager and prevent local storage of user credentials via Group Policy: User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > Do not allow passwords to be saved > Enabled. Instead, you should opt to use the Windows Defender Credential Guard via the Group Policy.

...
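To act on the Credential Manager finding you need two facts per user: which targets have saved credentials, and whether the "Do not allow passwords to be saved" policy from the Suggestion is actually enforced. The following PowerShell is an added example, not GYTPOL's own code. It lists saved targets through `cmdkey /list`, checks the policy's registry value (`DisablePasswordSaving` under the Terminal Services policy key, which is an assumption about where that GPO setting lands) and offers a per-target removal helper.

```powershell
# Added example (not GYTPOL's own code): list the credentials the current user
# has saved in Windows Credential Manager (via cmdkey) and check whether the
# "Do not allow passwords to be saved" policy from the text is enforced.
# Assumption: that policy is stored as DisablePasswordSaving = 1 under the
# Terminal Services policy key (machine or user hive).
function Get-StoredCredentialTargets {
    # cmdkey /list prints one "Target: ..." line per saved credential.
    cmdkey.exe /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
    }
}

function Test-PasswordSavingDisabled {
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name DisablePasswordSaving -ErrorAction SilentlyContinue).DisablePasswordSaving
        if ($v -eq 1) { return $true }
    }
    return $false
}

function Get-CredentialManagerReport {
    [pscustomobject]@{
        PolicyEnforced = Test-PasswordSavingDisabled
        StoredTargets  = @(Get-StoredCredentialTargets)
    }
}

function Remove-StoredCredential {
    # Permanent removal of one saved credential, the remediation the text describes.
    param([Parameter(Mandatory)][string]$Target)
    cmdkey.exe /delete:$Target
}

# Usage: report first; remove targets individually once confirmed unneeded.
Get-CredentialManagerReport | Format-List
```

The policy only stops Remote Desktop Connection from saving new passwords; credentials already in the vault stay there until removed, which is why the text pairs the policy with removal from the user's profile.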

Unattended File

Unattended File concerns are specific to Windows environments. When generating a new system image and configuring fresh settings, an "unattended file" is often created. This file functions as an answer file, streamlining the deployment of the new image and its associated operating system settings to other devices. Occasionally, network configurations necessitate leaving credentials, typically administrative credentials, which can be exposed in plain text. Once the image has been established, the file becomes obsolete.

...

Topic:

Unattended File 

Subject:

Unattended Configuration File is Exposed

Description:

Unattended files are configuration files that save the organization's configuration in plain XML that anyone with access to the file can read.

Suggestion:

It is highly recommended to remove this file via GYTPOL remediation and remove it permanently from any given Windows image.

Reason:

It is not used after the device is installed, added to domain and all settings are done. Safe to delete.

...
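The risk described above is specifically a `<Password>` element left in plain text, so a useful check parses the XML rather than just testing for the file. The following PowerShell is an added example, not GYTPOL's own code: it looks in the standard locations Windows Setup uses for answer files, parses each one namespace-agnostically, and reports every password element and whether its `<PlainText>` flag is true. The path list is the documented set of setup locations and not something taken from this page; the sample XML at the end is constructed here to show the parser on realistic input.

```powershell
# Added example (not GYTPOL's own code): search the standard Windows setup
# locations for leftover answer files and report any <Password> element whose
# <PlainText> flag is true. The sample XML at the end is constructed here; the
# paths are the documented places Setup looks for unattend files, not taken
# from the page.
$UnattendPaths = @(
    "$env:SystemDrive\unattend.xml",
    "$env:SystemRoot\Panther\unattend.xml",
    "$env:SystemRoot\Panther\Unattend\unattend.xml",
    "$env:SystemRoot\System32\Sysprep\unattend.xml"
)

function Get-PlaintextPasswords {
    param([Parameter(Mandatory)][xml]$Document)
    # Namespace-agnostic search: any Password element with a Value child.
    foreach ($pw in $Document.SelectNodes('//*[local-name()="Password"]')) {
        $value = $pw.SelectSingleNode('*[local-name()="Value"]')
        $plain = $pw.SelectSingleNode('*[local-name()="PlainText"]')
        if ($value -and $value.InnerText) {
            [pscustomobject]@{
                Element   = $pw.ParentNode.LocalName + '/' + $pw.LocalName
                PlainText = [bool]($plain -and $plain.InnerText -eq 'true')
            }
        }
    }
}

function Find-ExposedUnattendFiles {
    foreach ($p in $UnattendPaths) {
        if (-not (Test-Path $p)) { continue }
        try { $xml = [xml](Get-Content -Path $p -Raw) } catch { Write-Warning "Unparseable: $p"; continue }
        $hits = @(Get-PlaintextPasswords -Document $xml)
        [pscustomobject]@{
            Path               = $p
            Passwords          = $hits.Count
            PlainTextPasswords = @($hits | Where-Object PlainText).Count
        }
    }
}

# Constructed sample: a trimmed unattend fragment with one plaintext password.
$sample = [xml]@'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>SAMPLE-NOT-A-REAL-PASSWORD</Value><PlainText>true</PlainText></Password>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@
Get-PlaintextPasswords -Document $sample | Format-Table -AutoSize
Find-ExposedUnattendFiles | Format-Table -AutoSize
```

A `PlainText` of false does not make the file safe: the alternative encoding Setup accepts is reversible, so the remediation the text gives (delete the file once deployment is complete) applies either way.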

SMB and Sharing

SMBv1

SMBv1 (Server Message Block version 1) pertains to Windows, Linux, and macOS platforms. Our capabilities extend beyond identifying whether SMBv1 is enabled; we also provide insights into its recent usage. This information aids in making informed decisions regarding remediation, particularly in cases where SMBv1 has not been actively utilized. This approach simplifies the remediation process by facilitating the identification of opportunities to disable SMBv1 without causing any adverse impacts, as it has not been in use. This proactive strategy helps enhance the security and overall health of Windows, Linux, and macOS systems.

...

Topic:

SMB Version 1 

Subject:

Vulnerable SMB v1 Network File Sharing

Description:

The computer has SMB v1 installed, which lacks important protection mechanisms offered by later SMB protocol versions. It is a well-known security risk, exploited by various ransomware worms, Denial-of-Service and Remote Code Execution attacks. Bear in mind that some legacy software and network printers require SMB v1 to function.

Suggestion:

It is highly recommended to remove SMB v1 via GYTPOL. Do verify that there is no legacy software or network printer that requires SMB v1. If there are computers with legacy software (that requires admins to browse via the so-called network neighborhood master browser list) or computers that rely on old multi-function printers with old firmware for "scan to share", then do not remove SMB v1 until you upgrade that software.

Reason:

SMBv1 was not used in the last 90 days (we can also show whether it was ever used) and it is safe to disable by removing the feature from the device.

...
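The Reason above depends on evidence that SMBv1 has not been negotiated recently, not just on whether the feature is installed. The following PowerShell is an added example, not GYTPOL's own code: it reports the feature and server state, turns on the SMB1 access audit Windows provides for exactly this purpose, lists the clients that event 3000 in `Microsoft-Windows-SMBServer/Audit` has recorded in the observation window, and removes the feature only when that list is empty. The 90-day window follows the text; that the first event property holds the client address is an assumption of the example.

```powershell
# Added example (not GYTPOL's own code): determine whether SMBv1 is installed
# and whether any client has actually negotiated it recently, using the SMB
# server audit log (event 3000 in Microsoft-Windows-SMBServer/Audit), before
# removing the feature.
# Assumptions: Windows 10 / Server 2016 or later; $Days defaults to the page's
# 90 days; the first property of event 3000 is the client address.
function Get-Smb1State {
    param([int]$Days = 90)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State } else { 'NotPresent' }
    $server = Get-SmbServerConfiguration
    $since  = (Get-Date).AddDays(-$Days)
    # Event 3000 is only written while AuditSmb1Access is on; each one names a client that used SMB1.
    $clients = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique)
    [pscustomobject]@{
        FeatureState    = $featureState
        ServerEnabled   = $server.EnableSMB1Protocol
        AuditingOn      = $server.AuditSmb1Access
        Smb1ClientsSeen = $clients
        SafeToRemove    = ($server.AuditSmb1Access -and $clients.Count -eq 0)
    }
}

function Enable-Smb1Audit {
    # Step 1: start collecting evidence; nothing else changes yet.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Remove-Smb1IfUnused {
    param([int]$Days = 90)
    $s = Get-Smb1State -Days $Days
    if (-not $s.AuditingOn) { throw 'Turn on SMB1 auditing first and wait out the observation window.' }
    if ($s.SafeToRemove) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        return 'SMB1 feature removed; no SMB1 clients seen in the window.'
    }
    return "Keep SMB1 for now; clients seen: $($s.Smb1ClientsSeen -join ', ')"
}

# Usage: Enable-Smb1Audit now; Remove-Smb1IfUnused after the window has elapsed.
Get-Smb1State | Format-List
```

The audit covers this host as an SMB server only; a host that still talks SMB1 as a client to an old printer or NAS will not appear here, which is the legacy-device caveat the Suggestion spells out.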

Access to Shares Anonymously

Access to Shares Anonymously is a concern specific to Windows environments. Default values can often present challenges, requiring significant effort to track down and address all settings. This particular setting grants permission to anonymous users for access, a permission that most organizations do not require or desire.

...


Topic:

Accessing Shares Anonymously

Subject:

Accessing Shares Anonymously

Description:

When this setting is not set - sessions or pipes might have attributes and permissions that allow anonymous access. An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks.

Suggestion:

It is highly recommended not to allow anonymous access to device shares.

Reason:

Anonymous access should be limited and prevented in a corporate network – access should be allowed for Authenticated users only.

...

Everyone to Anonymous

Granting "Everyone" additional access to Anonymous is a Windows-specific concern. Default values can indeed present challenges, necessitating significant efforts to address various settings. This particular setting extends permissions to Anonymous users by including them in the "Everyone" group, potentially providing them with unauthorized access.

...

Topic:

Everyone to Anonymous

Subject:

Everyone to Anonymous Permissions

Description:

This policy setting determines what additional permissions are granted for anonymous connections to the device. An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks.

Suggestion:

It is highly recommended not to let Everyone group permissions apply to anonymous users accessing device shares.

Reason:

Anonymous access should be limited and prevented in a corporate network – access should be allowed for Authenticated users only.

...
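Both anonymous-access findings above map to Local Security Policy options that are stored as registry values, which makes them easy to audit on a host before and after remediation. The following PowerShell is an added example, not GYTPOL's own code; it compares the values behind "Restrict anonymous access to Named Pipes and Shares", "Let Everyone permissions apply to anonymous users" and the related anonymous-enumeration setting against their hardened values. The policy-to-registry mapping is the standard one for these options and is an assumption of the example rather than something stated on the page.

```powershell
# Added example (not GYTPOL's own code): check the registry-backed security
# options behind the two anonymous-access findings above against their hardened
# values. Assumption: the policy-name to registry-value mapping below is the
# standard one for these Local Security Policy settings.
$AnonymousChecks = @(
    @{ Policy   = 'Network access: Restrict anonymous access to Named Pipes and Shares'
       Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Name     = 'RestrictNullSessAccess'; Expected = 1 },
    @{ Policy   = 'Network access: Let Everyone permissions apply to anonymous users'
       Key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'EveryoneIncludesAnonymous'; Expected = 0 },
    @{ Policy   = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'RestrictAnonymous'; Expected = 1 }
)

function Test-AnonymousAccessSettings {
    foreach ($c in $AnonymousChecks) {
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).$($c.Name)
        # "Not set" is reported separately: the text's point is that the unset default is what bites.
        $status = if ($null -eq $actual) { 'Not set (review default)' }
                  elseif ($actual -eq $c.Expected) { 'Compliant' }
                  else { 'Not compliant' }
        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = $actual
            Expected = $c.Expected
            Status   = $status
        }
    }
}

function Set-AnonymousAccessHardening {
    # Apply the hardened values locally; in a domain the same settings belong in a GPO.
    foreach ($c in $AnonymousChecks) {
        Set-ItemProperty -Path $c.Key -Name $c.Name -Type DWord -Value $c.Expected
    }
}

# Usage: audit first; apply only where Status is not Compliant.
Test-AnonymousAccessSettings | Format-Table -AutoSize
```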


General

LLMNR

LLMNR (Link-Local Multicast Name Resolution) is a Windows-specific protocol that has been deemed risky and obsolete in modern operating systems. Organizations have largely ceased using this protocol due to security concerns. It's important to note that LLMNR is enabled by default in some systems.

...

Topic:

LLMNR 

Subject:

LLMNR protocol allowing impersonation attacks

Description:

The Link-Local Multicast Name Resolution (LLMNR) protocol allows name resolution without the requirement of a DNS server, by enabling a special multicast UDP packet on port 5355, to be sent across the network, asking all listening Network-Interfaces to reply if they are authoritatively known as the hostname in the query. The problem is the protocol doesn't have effective protections, and an attacker can fabricate a response and steal user credentials.


Suggestion:

This is a legacy protocol with high risks and should be disabled via an Active Directory GPO. Using GPMC, create a GPO and, under Computer Configuration - Policies - Administrative Templates - Network - DNS Client, set Turn Off Multicast Name Resolution to Enabled.

Reason:

In modern networks, the DNS should be the one responsible for managing the PC/Servers names and not rely on multicast or broadcast name resolution.

...
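The description above gives the detail that makes LLMNR verifiable on a host: it listens on UDP port 5355. The following PowerShell is an added example, not GYTPOL's own code. It reads the policy value the GPO in the Suggestion writes (`EnableMulticast = 0` under the DNSClient policy key, an assumption about where that setting lands), checks whether anything is still bound to UDP 5355, and provides a local fallback for hosts outside the domain GPO.

```powershell
# Added example (not GYTPOL's own code): verify the "Turn Off Multicast Name
# Resolution" policy from the text is in effect and confirm the host no longer
# listens on LLMNR's UDP port 5355; a local fallback sets the same value for
# hosts outside the domain GPO. Assumption: the policy is stored as
# EnableMulticast = 0 under the DNSClient policy key.
$DnsClientPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Test-LlmnrDisabled {
    $value     = (Get-ItemProperty -Path $DnsClientPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $listeners = @(Get-NetUDPEndpoint -LocalPort 5355 -ErrorAction SilentlyContinue)
    $note = if ($value -eq 0 -and $listeners.Count -gt 0) {
                'Policy set but port still bound: takes effect after the DNS Client service restarts or a reboot'
            } elseif ($value -ne 0) {
                'EnableMulticast is not 0: LLMNR is still on (the default)'
            } else { 'LLMNR disabled and no UDP 5355 listener' }
    [pscustomobject]@{
        EnableMulticast  = $value
        PolicyDisables   = ($value -eq 0)
        Udp5355Listeners = $listeners.Count
        Note             = $note
    }
}

function Disable-LlmnrLocally {
    # Same value the GPO writes, for a standalone host; domain members should get it from the GPO.
    New-Item -Path $DnsClientPolicyKey -Force | Out-Null
    Set-ItemProperty -Path $DnsClientPolicyKey -Name EnableMulticast -Type DWord -Value 0
}

# Usage: a single-row report; run Disable-LlmnrLocally only on hosts the GPO does not reach.
Test-LlmnrDisabled | Format-List
```

The listener check is the part a registry-only audit misses: the policy value can be correct while the service that was started before the policy arrived is still answering multicast queries.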

Obsolete Software

Powershell 2

PSv2 (PowerShell version 2) is relevant to Windows systems. In default configurations, both PSv2 and PSv5 are installed on Windows 10, Server 2016, and subsequent versions. However, PSv2 is not commonly utilized by organizations using these operating systems, as all commands supported by PSv2 are also available in PSv5.

...

Topic:

PowerShell Version 

Subject:

PowerShell v2.0 installed and vulnerable

Description:

PowerShell v2.0 engine contains known vulnerabilities and is susceptible to downgrade attacks. PowerShell v5 introduced important security capabilities which are lacking in v2. Having v2 on a computer enables attackers to revert the execution to the older engine, thereby circumventing the added security.

Suggestion:

It is highly recommended to upgrade PowerShell to v5.1 or above and uninstall PowerShell v2.0. Use the Add/Remove Windows Features on a Windows workstation computer, or Server Manager to remove the feature on a Server computer.

Reason:

By default, Windows will use the latest version installed and will use ver. 5.1 instead of ver. 2 – once ver. 2 is removed, PS5.1 will still remain the default version.

...
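The Description above frames the risk as a downgrade to the v2 engine, so the evidence worth collecting before uninstalling is whether that engine has actually been started. The following PowerShell is an added example, not GYTPOL's own code: it checks whether the 2.0 engine feature is installed (workstation versus server is detected from the OS product type), counts engine-start events (ID 400 in the "Windows PowerShell" log) that record `EngineVersion=2.0` within a window, and removes the feature with the workstation or server cmdlet the Suggestion refers to. The feature names and the 90-day window are assumptions of the example.

```powershell
# Added example (not GYTPOL's own code): check whether the PowerShell 2.0 engine
# is still installed, look for evidence of it being started (engine-start events
# in the "Windows PowerShell" log carry EngineVersion), and remove the feature.
# Assumptions: workstation vs. server is detected from the OS product type; the
# feature names are MicrosoftWindowsPowerShellV2Root (client) and PowerShell-V2
# (server); $Days is a hypothetical observation window.
function Get-PowerShellV2State {
    param([int]$Days = 90)
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    if ($isServer) {
        $installed = [bool](Get-WindowsFeature -Name PowerShell-V2).Installed
    } else {
        $installed = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).State -eq 'Enabled'
    }
    # Event 400 ("Engine state is changed from None to Available") lists the engine version used.
    $since    = (Get-Date).AddDays(-$Days)
    $v2Starts = @(Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' })
    [pscustomobject]@{
        IsServer        = $isServer
        V2Installed     = $installed
        V2EngineStarts  = $v2Starts.Count
        SessionVersion  = $PSVersionTable.PSVersion.ToString()   # the engine running this script
    }
}

function Remove-PowerShellV2 {
    $s = Get-PowerShellV2State
    if (-not $s.V2Installed) { return 'PowerShell 2.0 engine is not installed.' }
    if ($s.V2EngineStarts -gt 0) { Write-Warning "v2 engine was started $($s.V2EngineStarts) times recently; find the caller before removing." }
    if ($s.IsServer) { Uninstall-WindowsFeature -Name PowerShell-V2 }
    else { Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart }
}

# Usage: report first; Remove-PowerShellV2 performs the uninstall the Suggestion describes.
Get-PowerShellV2State | Format-List
```

As the Reason above notes, removing v2 leaves 5.1 as the default; the event check exists so that a scheduled task or script that explicitly requests `-Version 2` is found and fixed rather than silently breaking.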

Legacy Protocols

DES

DES (Data Encryption Standard) and Triple DES (3DES) are relevant to Windows systems. DES is a legacy cipher within the context of Kerberos authentication. Modern operating systems typically do not utilize DES unless specifically mandated by an organization.

...

Topic:

DES Authentication

Subject:

An authentication was made using DES

Description:

DES does not provide authentication. It is vulnerable to a variety of attacks including man in the middle (MITM).

Suggestion:

It is highly recommended to disable DES via the Group Policy. Follow the steps: https://www.tbs-certificates.co.uk/FAQ/en/desactiver_rc4_windows.html.

Reason:

We show whether DES authentication was used in the last 30 days; it can be disabled only on a device where it is not in use.

...

RC4

RC4 (Rivest Cipher 4) is relevant to Windows systems. Similar to DES, RC4 is considered a legacy cipher within the context of Kerberos authentication. Modern operating systems typically do not employ RC4 unless specifically required by an organization.

...
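The DES and RC4 topics above both rest on the same evidence: which Kerberos tickets were issued with a legacy encryption type in the observation window, so that each cipher is disabled only where nothing still depends on it. The following PowerShell is an added example, not GYTPOL's own code, to be run on a domain controller: it reads TGT and service-ticket events (4768 and 4769) from the Security log, extracts `TicketEncryptionType` from the event XML, and lists the accounts and clients that still used DES (0x1, 0x3) or RC4-HMAC (0x17). The 30-day window follows the DES reason text; it assumes Kerberos auditing is enabled so those events exist.

```powershell
# Added example (not GYTPOL's own code): on a domain controller, find Kerberos
# tickets issued with DES or RC4 in the last $Days days (the page's 30-day
# window for DES) so each cipher is disabled only where it is no longer used.
# Assumptions: Kerberos auditing is on so events 4768/4769 are written;
# TicketEncryptionType 0x1/0x3 = DES, 0x17 = RC4-HMAC (the Security log's etype codes).
$LegacyEtypes = @{ '0x1' = 'DES-CBC-CRC'; '0x3' = 'DES-CBC-MD5'; '0x17' = 'RC4-HMAC' }

function Get-LegacyKerberosUse {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML into a lookup table.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $etype = $d['TicketEncryptionType']
            if ($etype -and $LegacyEtypes.ContainsKey($etype)) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id                 # 4768 = TGT request, 4769 = service ticket
                    Account = $d['TargetUserName']
                    Service = $d['ServiceName']
                    Client  = $d['IpAddress']
                    Cipher  = $LegacyEtypes[$etype]
                }
            }
        }
}

function Get-LegacyKerberosSummary {
    param([int]$Days = 30)
    # One row per cipher/account pair: the list of principals that still need the legacy cipher.
    Get-LegacyKerberosUse -Days $Days |
        Group-Object Cipher, Account |
        ForEach-Object {
            [pscustomobject]@{ CipherAndAccount = $_.Name; Tickets = $_.Count; LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum }
        }
}

# Usage: an empty summary over the window is the precondition the DES reason text describes.
Get-LegacyKerberosSummary -Days 30 | Format-Table -AutoSize
```

A service ticket's encryption type is chosen from what the target service account supports, so an RC4 row under a service name usually means that account's supported encryption types in Active Directory still include RC4, which is where the fix belongs rather than on the client.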