...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
Anchor | ||||
---|---|---|---|---|
|
Easy heading | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
GYTPOL stands as a comprehensive and versatile cybersecurity solution meticulously engineered to safeguard and optimize your digital assets. Its robust functionality extends across various operating systems, encompassing Windows, Linux, and macOS. Whether your devices are desktops, laptops, servers, virtual or physical, domain or non-joined, GYTPOL seamlessly integrates to provide protection.
...
In summary, GYTPOL streamlines security and optimization efforts across diverse environments, automating key processes to ensure robust cybersecurity.
Anchor | ||||
---|---|---|---|---|
|
This User Guide is primarily intended for individuals and teams responsible for implementing, managing, and maintaining the cyber security infrastructure within their organizations. It caters to both technical and non-technical users, providing clear instructions and explanations for all levels of expertise.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
To help you navigate through this User Guide effectively, it is divided into various sections corresponding to different aspects of GYTPOL. Each section provides step-by-step instructions, best practices, and tips to maximize GYTPOLs potential.
Additionally, we have included screenshots and examples throughout the document to assist you in visualizing the interface and functionalities. Where applicable, we have also provided troubleshooting tips and frequently asked questions to address common concerns. The complete troubleshooting document is accessible both on our official website and through our dedicated support mailbox. If you encounter any challenges or require assistance, please refer to these resources for detailed guidance and solutions.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Should you have any questions, encounter difficulties, or require further assistance while using GYTPOL, please contact support@gytpol.com . Our dedicated support team is available to help you with any queries or concerns you may have.
...
Thank you for choosing GYTPOL, and we look forward to your success in safeguarding your digital assets.
Anchor | ||||
---|---|---|---|---|
|
The primary data flow process within GYTPOL Validator unfolds through the following sequential stages:
...
It interfaces with various public APIs to support data exchange and integration with external systems.
Integration with Ticketing Systems like ServiceNow is established, streamlining the process of generating and managing tickets based on GYTPOL's findings.
Notably, the GYTPOL Server also integrates with Security Information and Event Management (SIEM) systems. Selected events and data are sent from GYTPOL to SIEM platforms, such as MicroFocus ArcSight, IBM QRadar, Sentinel, or Splunk. This integration enhances the security ecosystem by aggregating GYTPOL's insights into the broader context of security events and monitoring.
Anchor | ||||
---|---|---|---|---|
|
The interaction between the client and the server operates in a one-way manner: the client initiates its scheduled task either on a daily or hourly basis (the client's tasks are elaborated upon in the client section). Following the task execution, the gathered data is transmitted to the GYTPOL server, where it undergoes analysis and subsequently appears in the user interface for review.
...
Should a GYTPOL operator execute a remediation action or any other task from the console, the client conducts periodic checks for new tasks every hour through its hourly task execution. Upon initiating the task locally, the client provides feedback to the server regarding the outcome, indicating either success or failure.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The GYTPOL Client operates on a daily basis for a brief duration. Within this operational window, it accumulates data related to misconfigurations, unattended zero-day vulnerabilities, and outdated third-party software. This information is collected during the run and subsequently processed for further analysis.
Anchor | ||||
---|---|---|---|---|
|
Language-Code: GYTPOL is developed using a combination of C# and signed PowerShell.
...
Communication Protocol: GYTPOL employs the latest Transport Layer Security (TLS) version supported by the device for secure communication. All communication occurs over HTTPS to ensure data privacy and integrity.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Language-Code: GYTPOL is implemented using the Go programming language (Go-lang).
...
Communication Protocol: GYTPOL employs the most recent Transport Layer Security (TLS) version supported by the device. All communication occurs over HTTPS, ensuring data confidentiality and integrity.
Anchor | ||||
---|---|---|---|---|
|
This section provides a quick overview of the GYTPOL Validator key capabilities and provides references to sections covering these capabilities in detail.
Anchor | ||||
---|---|---|---|---|
|
From an end user's viewpoint, GYTPOL Validator is a role-based web application that simplifies cybersecurity management. Here's a walkthrough of how users navigate the UI and some notable visual notations and instructions provided in the corresponding documentation section:
...
By offering a role-based interface with intuitive navigation and helpful notations, GYTPOL empowers users to efficiently manage their cybersecurity tasks. This groundwork prepares users for a deeper exploration of specific functional use cases within the application.
Anchor | ||||
---|---|---|---|---|
|
Misconfiguration encompasses the mistakes made when setting up IT systems or security measures, which can result in vulnerabilities and potential security breaches. These errors often stem from insecure default settings, human oversights, incorrect application of Group Policy Objects (GPOs), and other factors.
...
GYTPOL provides a rapid solution to address misconfigurations, achieving this in a matter of minutes. For a comprehensive understanding of how to effectively manage misconfigurations, refer to the detailed guidance provided in the corresponding documentation section.
Anchor | ||||
---|---|---|---|---|
|
The Policy Validation module within GYTPOL focuses on identifying and resolving gaps and issues associated with the implementation of Group Policy Objects (GPOs). This encompasses a range of concerns, such as failures in applying Group Policy Preferences (GPPs), disparities in settings, occurrences of local GPOs, orphaned GPO instances, and settings that don't match as intended.
...
By structuring the information in this manner, GYTPOL enables users to swiftly grasp and address GPO-related problems. For a more comprehensive understanding of utilizing the Policy Validation module, refer to the detailed instructions provided in the corresponding documentation section.
Anchor | ||||
---|---|---|---|---|
|
The module serves to identify potential causes of slow startup or login times resulting from applied policies across the domain. This assessment can be performed according to various parameters, including device or user, specific policy extension, or organizational unit (OU). This module equips you with the capability to delve deeper into the analysis, pinpointing both the problematic policy and the specific settings or set of settings responsible for the observed latency.
...
For a comprehensive guide on utilizing the Login Profiler module effectively, refer to the the corresponding documentation section.
Anchor | ||||
---|---|---|---|---|
|
The CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology) Benchmarks serve as comprehensive guidelines for configuring a range of software, operating systems, and devices. These benchmarks provide specific instructions to secure these systems against well-known vulnerabilities.
...
For detailed guidance on utilizing the CIS/NIST Dashboards effectively, refer to the corresponding documentation section.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The Active Directory / Group Policy Enhanced Security module provides visibility into public data accessible via a basic domain user's access rights. This information can be queried directly from domain controllers. The module offers insights into various aspects, including administrator groups, vulnerable file paths within GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, customized group change queries, and more.
...
For a comprehensive understanding of how to effectively utilize the Active Directory / Group Policy Enhanced Security module, refer to the corresponding documentation section.
Anchor | ||||
---|---|---|---|---|
|
The Maintenance section of GYTPOL offers valuable recommendations to enhance the administration of Active Directory (AD) and Group Policy Objects (GPOs). This includes suggestions for optimizing the management of these crucial components. GYTPOL aids in identifying various issues for more effective administration:
...
These recommendations empower you to proactively enhance the administration of AD and GPOs. For a comprehensive guide on effectively using the Maintenance features, consult the detailed instructions provided in the corresponding documentation section.
Anchor | ||||
---|---|---|---|---|
|
The Settings menu within GYTPOL offers a hub for various administrative tasks that you can perform to manage and customize your GYTPOL environment. This includes activities like group management, API access configuration, filters setup, and managing muted alerts.
...
For a comprehensive guide on navigating and effectively utilizing the Settings menu, refer to the detailed instructions provided in the corresponding documentation section. This resource will offer step-by-step guidance on performing administrative tasks and optimizing your GYTPOL configuration.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The GYTPOL Validator Homepage offers a user-friendly gateway to different perspectives tailored for Windows, Linux, and macOS environments. Each perspective presents the top five alerts pertinent to its corresponding scope, providing a rapid overview of critical issues.
...
Upon selecting the Windows dashboard, the top bar presents key information such as the number of reporting servers, endpoints, Domain Controllers, and Virtual Desktop Infrastructures (VDIs) – indicating the distribution of monitored assets. Additionally, the top bar showcases metrics regarding users validated through GYTPOL's Policy Validation module and the count of missing devices. Further explanation about these metrics can be found in the Customization and Settings > Health Screen section.
Anchor | ||||
---|---|---|---|---|
|
Every element within the user interface is interactive, allowing you to navigate to more advanced levels of UI management effortlessly.
...
For every device listed, a further drill-down option is available. Activating this drill-down leads you to specific findings associated with that particular device. This in-depth exploration provides granular insights into the security and configuration status of the chosen device.
Selecting any of the misconfiguration scopes, such as Servers or Endpoints, triggers the opening of the misconfiguration page, where all pertinent alerts relevant to that specific scope are presented. These alerts are systematically categorized according to the MITRE ATT&CK framework, enhancing their organization and clarity. Each alert possesses the capability to be further expanded, revealing the list of devices implicated in that misconfiguration.
...
For a comprehensive guide on navigating the Misconfigurations and Alerts section effectively, refer to the detailed instructions provided in the corresponding documentation.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
You have the capability to export either a single metric or a set of metrics to a CSV file. For instance, you can export all metrics related to Legacy Protocols by following these steps:
...
This CSV file will provide you with a structured record of the metrics related to Legacy Protocols, which you can then use for reporting or analysis purposes.
Another example, is an export of a single finding:
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Within the user interface of GYTPOL, you have the flexibility to update information in two ways:
...
In opting for the targeted refresh, only the relevant metrics section that you select will be updated, aligning with your specific requirements. This feature enhances your ability to efficiently access the most recent information without refreshing the entire interface.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
GYTPOL's Knowledge Base serves as a valuable resource, covering a wide range of topics, including security risks and manual/alternative methods to address identified findings. The primary goal of our Knowledge Base, often referred to as "Know How," is to offer swift access to information related to specific topics or alerts.
...
The Knowledge Base empowers users with in-depth information, enabling them to tackle security challenges with informed solutions. Whether you access it through the top bar or directly within specific topics, the Know How feature is designed to enrich your experience within GYTPOL and enhance your ability to address security concerns.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Locating specific computers belonging to users is a seamless process within GYTPOL:
...
GYTPOL will showcase the relevant misconfigurations that have been identified for the selected device.
This insight into misconfigurations empowers you to take targeted actions to address and rectify any issues.
...
Anchor | ||||
---|---|---|---|---|
|
The Achievements screen provides valuable insights into the time saved and potential time savings achieved by using GYTPOL for remediation compared to traditional methods involving 3rd party tools, scripts, and Group Policy Objects (GPOs).
...
The Achievements screen also enables you to access the computers that still require remediation within specific topics.
Clicking on a desired topic directs you to the leftover computers, facilitating targeted efforts.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
After installing the GYTPOL server, a desktop shortcut is automatically added for all users on the server, ensuring easy access. Additionally, you have the option to log in from any device within the network by using the following format: https://<gytpol-server-name>:9093
...
The login process is facilitated by Kerberos Single Sign-On (SSO), enhancing user convenience and security. To manage user access levels, navigate to the Roles and Permissions screen, where you can define and adjust user roles and permissions.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Upon successful login, you will be directed to the main homepage of GYTPOL. Here, you will immediately access a view showcasing devices that are actively reporting to GYTPOL. Additionally, you'll receive initial findings related to the Active Directory and Group Policy aspects.
...
For more comprehensive details and explanations about the user interface and its various features, please refer to the dedicated UI overview section within GYTPOL's documentation. This section will provide an in-depth understanding of how to navigate and utilize the interface effectively. It's a valuable resource to make the most of GYTPOL's capabilities and insights.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
You can confirm a successful GYTPOL client deployment in two ways:
...
For more information, refer to the Health Screen overview section in the documentation.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
It can occur in network devices, web applications, cloud services, servers/operating systems, encryption/key management, security tools, and access controls. Preventing misconfigurations requires following best practices, conducting audits, implementing secure configurations, enforcing change management, and providing training and awareness. GYTPOL can help you achieve this in minutes.
Anchor | ||||
---|---|---|---|---|
|
The GYTPOL Validator Homepage offers instant access to Windows, Linux, and macOS perspectives, each highlighting the top 5 alerts relevant to their respective scopes. It also facilitates UI customization through computer groups created by GYTPOL operators based on OS, name patterns, OUs, and more, as detailed in the Customization and Settings > Computer Groups section.
...
This comprehensive overview on the Homepage ensures swift access to key insights, customization options, and essential pages for effective management within GYTPOL.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Our Misconfigurations module categorizes findings into topics aligned with the MITRE ATT&CK framework. These categories include:
...
Red (High): Represents high-severity misconfigurations that require immediate attention due to their critical impact on security.
Orange (Medium): Indicates medium-severity misconfigurations that should be addressed promptly to mitigate potential risks.
Yellow (Low): Denotes low-severity misconfigurations that may not pose an immediate threat but should still be resolved to enhance overall security posture.
Green (Complied): Signifies items that are in compliance and meet the expected security standards, resulting in no alerts generated.
...
Topic: Metrics are categorized into specific topics, aligning with the MITRE ATT&CK framework, to offer a structured overview of security concerns.
Subject: This highlights the specific aspect of the metric being assessed, pinpointing the area of concern.
Scope: Users can select the scope in the user interface to specify the context or range within which the metric is being evaluated.
Description: A detailed explanation of the metric's nature, implications, and potential security risks is provided to ensure a clear understanding.
Suggestion: Practical recommendations and steps for addressing and mitigating the identified issues are offered, guiding users toward effective remediation.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
When you click on any of the scopes displayed on the main dashboard (such as Servers or Domain Controllers), it will lead you to the misconfiguration screen, designed as follows:
Metric Collection Boxes: Each box corresponds to a specific scope (e.g., Servers) and contains a collection of metrics grouped under their relevant topics (e.g., Remote Code Execution, Privilege Escalation).
Severity-Color Bars: Within each box, metrics are represented by colored bars indicating the severity level (Red = High, Orange = Medium, Yellow = Low). The number of devices affected by the alert is displayed alongside the bar, as well as the number of compliant devices. Alerts that weren't found at all won't be shown.
Drill-Down Functionality: Clicking on the colored bar provides a drill-down view, showing the list of devices associated with that alert's severity. This helps you pinpoint affected devices for focused remediation.
Actions: By clicking the wrench icon associated with a specific metric or alert, you can take actions at various levels. This allows you to address issues and apply remediation strategies based on your requirements.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
In GYTPOL, topics are interconnected to enhance correlation and provide a more comprehensive understanding of security issues. This is achieved through the implementation of "Related Topics" for many alerts:
...
Clicking on any related topic takes you to a dedicated section that displays alerts related to that topic.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
In GYTPOL, alerts are visually differentiated by the presence of a spanner icon, which conveys specific information about the remediation process:
Green Spanner: Alerts accompanied by a green spanner icon indicate that you can swiftly remediate the finding using the GYTPOL user interface. This streamlined process enables you to fix the identified misconfiguration in a matter of seconds. For more detailed guidance on the remediation process, refer to the provided resources.
Gray Spanner: If an alert is associated with a gray spanner icon, it signifies that the finding cannot be remediated through the user interface due to certain limitations or conditions. These limitations could include factors such as unsupported PowerShell versions or informational nature of the alert. This may also indicate that the item fully complied with GYTPOL standards or was already fixed.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
In GYTPOL, alerts are categorized into two types based on their remediation and revertability options:
...
This distinction helps users understand the level of remediation and revertability associated with each alert, allowing them to make informed decisions on how to address and potentially revert misconfigurations.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Color | Meaning |
Green – alert remediable and revertible | |
Green with (!) – alert remediable but non-revertible | |
Red – remediation failed (timeout, access) | |
Orange – no error was reported during remediation, but the scanner found the same alert again | |
Gray – action cannot be applied, either because the Powershell version is too old or there is no remediation action available for this finding | |
Gray with a spinning icon – remediation is pending and ready to run on devices |
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
GYTPOL offers a convenient feature that allows you to export data from the dashboard to a CSV file, facilitating reporting and efficient tracking of information. Here's how it works:
...
By utilizing these export functionalities, GYTPOL empowers users to generate reports, gather insights, and maintain efficient records of misconfigurations and remediation efforts for better security management and documentation.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Within GYTPOL Validator, users have the capability to rectify misconfigurations found on endpoints and servers by defining Remediation Actions. These actions facilitate the implementation of fixes across various devices, groups, or even individual machines. Here's how the process works:
Defining Remediation Actions: Remediation Actions outline the corrective measures to be applied based on parameters like OU, Domain, or specified computer groups. The actions are grouped into topics, such as the SMB and Sharing topic including SMBv1 removal.
Pending Status and Acknowledgment: After a GYTPOL admin initiates an action, it remains in a pending status until the client device checks in (hourly) and confirms the task for local application.
Client Acknowledgment and Feedback: Once the client applies the task locally, it sends feedback to GYTPOL regarding the outcome. This feedback includes information on success, failure, and the reason for failure (e.g., timeout or access denial).
Revert Capability: Numerous remediation actions can be reverted to the original state directly from the GYTPOL UI. This streamlines the process and eliminates the need for third-party tools or scripts. All reverts are executed on the device within an hour, maintaining consistency with the hourly check-in schedule.
Anchor | ||||
---|---|---|---|---|
|
A "Single Remediation Action" in GYTPOL Validator involves applying a corrective action to resolve a specific finding. Here's an overview of the process:
Identify the Finding: Start by identifying a particular misconfiguration or security finding that needs to be addressed.
Choose the Target Group: Select the group of devices on which you want to apply the remediation action. This can include specific devices, a group based on OU, Domain, or custom computer groups.
Initiate the Remediation Action: Define the specific action or fix that needs to be implemented to address the finding. This action can involve changes to configurations, settings, or other relevant parameters.
Pending Status and Client Check-In: After initiating the action, it enters a pending status. The respective client devices periodically check in (hourly) to receive and acknowledge the action.
Client Acknowledgment and Feedback: Once the client applies the action locally, it sends feedback to GYTPOL indicating the success or failure of the task, along with reasons for any failures.
Revert Capability (if applicable): If the action supports reversion to the original state, GYTPOL allows you to revert changes directly from the UI.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
An "Automatic Remediation Action" in GYTPOL Validator is designed to automatically apply fixes to any future alerts that match predefined criteria on selected devices within the Target group.
By utilizing the Automatic Remediation Action feature, GYTPOL empowers users to proactively respond to emerging security challenges, ensuring that devices remain aligned with organizational policies and security standards as new alerts are detected. This automated approach enhances the overall security posture of the organization.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
In GYTPOL Validator, users have the option to mute or "remove" alerts from the user interface and misconfiguration list. This feature is useful when an alert is acknowledged as a known risk and no further action is required. Here's how it works:
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
In GYTPOL Validator, you have the ability to execute a set of actions on selected devices within the Target group. These actions can be accessed from the Generic drop-down menu and offer various functionalities for managing devices and policies. Here are the available actions:
Group Policy update Computer + user without restart: This operation triggers a gpupdate for both computer and user configurations without requiring a restart or logoff.
Group Policy update Computer + user with restart: This operation performs a gpupdate for both computer and user settings, followed by a computer restart upon successful completion.
Rescan Computer / User: This operation initiates a rescan of the computer or user ahead of the regular schedule, ensuring that the alert information is up to date.
Remove Local Policy Settings: This operation removes locally defined policy settings on the computer, ensuring that no administrative changes have altered the local configuration.
Sync Intune: This operation forces devices to retrieve updates from InTune, ensuring that the information remains current.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The remediation of findings in GYTPOL Validator can be initiated through the use of the green spanner icon. Once this icon is clicked, it opens an Action screen that facilitates the remediation process. Here's an explanation of the components within this screen using an example scenario of remediating the "SMB Everyone Shares" issue under the "SMB and Sharing" topic on non-DC servers:
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The screen provides a comprehensive view of both ongoing and completed tasks, categorized into specific tabs for efficient management:
...
By offering these filters and categorized tabs, the "Tasks" screen empowers you to effectively track, manage, and monitor the various tasks being executed within GYTPOL Validator.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
After creating a task using the Action/Remediation screen, you can manage and modify it through the Actions screen. This screen offers the following options:
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The "Revert Action" functionality is accessed through the Actions screen. To perform a revert action, you have the following options:
Revert All: This option enables you to revert the remediation action on all devices within the defined scope. By selecting this option, the remediation changes will be undone on all applicable devices.
Revert on Selected Device(s): If you wish to revert the remediation action on specific devices within the scope, you can do so by clicking the "undo" icon for the respective device(s). This allows you to selectively revert changes on chosen devices.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
From the Homepage, specifically under the Windows section, you can easily navigate to the policy validation screen.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
...
Anchor | ||||
---|---|---|---|---|
|
...
You have the capability to delve deeper into the details and pinpoint the policy that is causing the latency issues. Moreover, you can identify the specific settings or a group of settings within that policy that are contributing to the performance delays. This granular level of analysis empowers you to precisely identify and address the root causes of latency within your policy configurations.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
This section showcases public data that can be queried from domain controllers using basic domain user access rights. The displayed information encompasses details like administrator groups, susceptible file paths within your GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, and the ability to query custom group changes, among other elements.
...
Clicking on a box within this interface provides a detailed list of the examined items. You can also navigate through a drill-down process from the specific topic to access more comprehensive insights into the data.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The Active Directory and Group Policy module offers recommendations for enhancing cleanliness and optimizing performance. These insights and suggestions are presented at the organizational level, highlighting areas where adjustments can be implemented to enhance the organization of your Group Policy Objects (GPOs) and Active Directory (AD).
...
By drilling down into a specific box or topic, you can access a detailed list of identified items. Within the same topic, you'll encounter our "Know-How" feature represented by a hat icon. This resource provides comprehensive explanations about the findings and offers guidance on rectifying or modifying the identified issues, facilitating informed decision-making and proactive improvements.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The platform provides hardening recommendations aligned with the Center for Internet Security (CIS-8) and the National Institute of Standards and Technology (NIST 800-53) guidelines. These recommendations are detailed in the overview.
...
Accessible from the homepage, you can access the corresponding dashboard by selecting the relevant standard. Once clicked, the CIS or NIST dashboard will be displayed, presenting the benchmark results. Here's a breakdown of the color codes used:
Green: Indicates that the settings within your organization are compliant.
Red: Denotes that the settings within your organization are not compliant.
Orange: Indicates that the settings are not managed in your organization, and there is no detectable Group Policy Object (GPO) containing the relevant setting.
...
You can retrieve the list of computers to determine whether the specific setting you've chosen is applied or not. This allows you to quickly identify which computers are in compliance with the chosen setting and which ones are not.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
This screen provides a comprehensive overview of reporting clients, including their status, the timestamp of their last successful scan, version information, operating systems, and the client scope (Endpoint, Server, or VDI).
...
Devices that are missing from reporting are color-coded as follows:
Blue: Devices reported within the last 24 hours.
Yellow: Devices that have not reported in the last 3 days.
Orange: Devices that have not reported in the last week.
Red: Devices that have not reported in 7-14 days.
...
Devices that have been removed from the organization or have missed reporting for over 14 days are moved to the "Missing over 14 days" section. If a device has not reported for over 30 days but was registered in Active Directory within the last 30 days, it will be moved to the "Never Reported" section. This helps to keep track of the reporting status of devices accurately.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The "What's New" page is a dedicated section that showcases the updates, enhancements, bug fixes, and new features introduced in various versions and releases of GYTPOL. This page serves as a valuable resource for users to stay informed about the changes that have been implemented in the software. It includes information about the addition of new functionalities, improvements to existing features, resolutions for known issues, deprecation of certain elements, and any security updates that have been applied.
By referring to the "What's New" page, users can quickly understand the evolution of GYTPOL and make the most of the latest enhancements.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
The license page is a section that outlines the terms and conditions under which the software application or system is licensed to users. The page will include details such as the license type, User/Computer limitations, the license expiration dates, disclaimers or any applicable liabilities.
The page is also used to generate a new license ID (when changes need to be made to the existing license) or upload a new license when purchased or updated.
...
Anchor | ||||
---|---|---|---|---|
|
Information about the builds and versions for different system components. This data might be requested by the support team during troubleshooting or update processes.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
If any findings or recommendations related to Active Directory, Group Policy, or CIS/NIST benchmarks have been muted from the user interface, they will be categorized and displayed under the respective filters. This allows users to easily identify the items that have been muted and provides the option to unmute them if needed.
Unmuting an item would mean that it will again appear in the regular alerts or recommendations list, ensuring that no critical issues are overlooked and that the organization's security posture remains strong.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
GYTPOL features a Role-Based Access Control (RBAC) system that enables administrators to define precise permissions levels within the user interface. To configure RBAC in GYTPOL, follow these steps:
...
This RBAC feature in GYTPOL helps organizations tailor access permissions to different teams or individuals, enhancing security and ensuring that users have the appropriate level of control and visibility within the system.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
GYTPOL allows you to create custom computer groups, whether static or dynamic, based on various criteria such as name patterns, operating systems, organizational units (OUs), domains, or custom lists.
...
Click on the "+" icon to initiate the creation of a new group.
Provide a name for the group that represents its purpose or criteria.
Select the devices you want to include in the group based on the available options on the screen. These options could include name patterns, operating systems, OUs, domains, or even arbitrary lists of devices.
After specifying the criteria and devices, click "Add" or a similar confirmation button to create the custom group.
By creating custom computer groups, you can efficiently manage and categorize your devices, allowing for easier organization, targeting of actions, and monitoring of specific sets of devices that meet certain criteria. This feature can enhance the flexibility and customization of your GYTPOL deployment.
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
GYTPOL High Level Architecture
GYTPOL System Requirements
GYTPOL On-Prem Server Installation, Administration and Upgrade Guide
GYTPOL Client Installation , Client GPO deployment and Upgrade Guide
GYTPOL API documentation
GYTPOL Splunk Integration documentation
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
As mentioned earlier – "Quick-Wins" in GYTPOL Validator refer to misconfiguration topics that can be swiftly and easily remediated or auto-remediated without causing any adverse effects on the devices. These topics encompass low-hanging fruit in terms of security improvements.
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
LOG4J is pertinent for various operating systems, including Windows, Linux, and macOS. In GYTPOL, we have adopted the strategy of abstaining from software updates due to potential repercussions. Instead, we opted to modify two lines of code within the JNDI Lookup java class. These changes encompass:
...
Topic: | log4j2 Vulnerability |
Subject: | log4j2 Vulnerability in JndiLookup |
Description: | Remote Code Execution 0-Day Vulnerability (CVE-2021-44228, CVE-2021-45046). |
Suggestion: | It is highly recommended to use Gytpol to secure the current version (ZERO-IMPACT!) – no software upgrade needed. |
Reason: | Correcting the function to work as it should by validating the input parameter to be a DateTime and removing the execution which wasn't relevant to this function. Adopted by APACHE to 2.17.1 (Gytpol are not upgrading the Log4J, we just correcting the zero-day vulnerability in the code) |
...
Anchor | ||||
---|---|---|---|---|
|
Follina pertains to devices equipped with any version of Microsoft Office. Once again, Microsoft's response to the zero-day vulnerability was found lacking, prompting our discovery of two additional registry keys that necessitated removal from the devices. These registry keys, which were last utilized in 2013, were identified as contributing factors to the issue.
...
Topic: | Office Follina Attack |
Subject: | Follina Attack (CVE-2022-30190) |
Description: | A zero-day allowing code execution in Office products: Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View. |
Suggestion: | Remediate urgently with Gytpol (ZERO-IMPACT!). |
Reason: | Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in System Settings as other or additional troubleshooters. |
...
Anchor | ||||
---|---|---|---|---|
|
MS Word RTF exploits are applicable to devices equipped with any version of Microsoft Office. This instance involves another inadequately patched zero-day vulnerability. At GYTPOL, we took proactive measures by disallowing the opening of RTF files from unverified or untrusted sources. This action helps mitigate the risk associated with this vulnerability and enhances the security of the system.
...
Topic: | MS Word RTF Document |
Subject: | MS Word RTF (CVE-2023-21716) |
Description: | CVE-2023-21716, a critical RCE vulnerability in Microsoft Word that can be exploited when the user previews a specially crafted RTF document. |
Suggestion: | Remediate urgently with Gytpol (ZERO-IMPACT!), or: use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources. |
...
Anchor | ||||
---|---|---|---|---|
|
Dell Driver concerns are relevant exclusively to Dell devices. In our approach at GYTPOL, we opted to align with Dell's guidance. This involved the removal of the driver situated within the Temp folder on the device. By adhering to Dell's recommendations, we aimed to enhance the security and functionality of Dell devices under our purview.
...
Topic: | Dell Driver |
Subject: | BIOS Driver Privilege Escalation Flaws |
Description: | (CVE-2021-21551): A security vulnerability affecting the dbutil_2_3.sys driver packaged. Attackers may exploit these vulnerabilities to locally escalate to kernel-mode privileges. |
Suggestion: | According to dell, it is highly recommended to remove the driver or update it using Dell System Inventory Agent. See more: https://www.dell.com/support/kbdoc/en-il/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability. |
Reason: | The file located in c:\Windows\Temp and it is not needed for any Dell software or application |
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Print Spooler Log pertains to Windows systems, enabling the monitoring of printer usage activity. This proactive approach helps to avert potential issues, such as the unaddressed print nightmare vulnerability. By scrutinizing the print spooler log, we can implement measures to prevent any such vulnerabilities from materializing, thereby enhancing the security and stability of the Windows environment.
...
Topic: | Print Spooler Log |
Subject: | Print Spooler Log |
Description: | The Print Spooler Operational Log is disabled. By enabling the log - you create a visibility of active printing and attacks. |
Reason: | Activating a log will give extra visibility prior to stopping the Print Spooler. The log size is limited to 1MB and will not consume much of disk space |
...
Anchor | ||||
---|---|---|---|---|
|
Print Spooler functionality is applicable to Windows systems. When the printer log is enabled, it not only provides insights into mapped printers but also logs printing activities. This visibility underscores the simplicity of determining whether the service is necessary. If deemed unnecessary, the service can be disabled with ease. This approach aids in enhancing security and efficiency by preventing potential risks associated with the service when it's not in active use.
...
Topic: | Print Spooler |
Subject: | Print Spooler service status |
Description: | Many attackers use this service as their back door to the servers. It is recommended to disable this service via GYTPOL or group policy on all servers. |
Reason: | The Spooler service is being disabled after we show that there are no Printing events, and no Printers are attached to the server/endpoint (spooler log must be enabled). |
...
Anchor | ||||
---|---|---|---|---|
|
Local Admins status pertains to Windows, Linux, and macOS systems. Our current capability encompasses not only identifying individuals designated as local administrators but also tracking recent usage patterns. This enhanced visibility allows us to make informed decisions. For instance, if there has been no logon activity within the last 90 days, it becomes straightforward to determine the need for remediation actions. This strategic approach aids in maintaining system security by promptly addressing potential risks associated with unused or unnecessary admin privileges.
...
Topic: | Local Admins |
Subject: | Local administrator on computer |
Description: | Detected a local administrator on the computer. In most cases users should not have the Local Administrator privilege, as it grants them total control over the computer and exposes the computer and the organization to malware risks. |
Suggestion: | You should verify that these privileges are legitimate, and either Filter Out this warning or privilege from the user. |
Reason: | Login events are shown, and the user is removed from the Local Admins after 90 days of inactivity. |
...
Anchor | ||||
---|---|---|---|---|
|
Local Users management is applicable across Windows, Linux, and macOS platforms. Our current capabilities extend beyond identifying local user accounts and their group memberships. We now also possess the ability to track recent usage patterns. This enhanced visibility allows us to make informed decisions. For example, if there has been no logon activity within the last 90 days, it becomes a straightforward decision to initiate remediation actions. This approach contributes to bolstering system security by promptly addressing potential risks associated with underutilized or unneeded local user accounts.
...
Topic: | Local Users |
Subject: | Local user activity |
Description: | Detected active local user on the computer. Local users should not be created and must be removed unless it is the local Administrator account. |
Suggestion: | Verify those accounts are correct and ignore if needed. Remediate in case the users are irrelevant. |
Reason: | Login events are shown, and the user is removed from the Local Users after 90 days of inactivity. |
...
Anchor | ||||
---|---|---|---|---|
|
Guest User management pertains to Windows and macOS environments. Our capabilities now encompass the ability to identify instances where Guest Users have been overlooked or not properly disabled. This feature allows us to locate areas where these accounts may have been inadvertently left active. By detecting and rectifying these oversights, we enhance security measures and ensure that potential vulnerabilities associated with active Guest Users are promptly addressed in both Windows and macOS systems.
...
Topic: | Guests Users |
Subject: | Local Guests Accounts Status |
Description: | A guest account allows unauthenticated network users to gain access to the system. According to Microsoft, this can lead to the exposure or corruption of data. |
Suggestion: | It is highly recommended to disable all Guests users. |
Reason: | By default, Guest account should be prevented for login locally and access from the network. |
...
Anchor | ||||
---|---|---|---|---|
|
Batch Privilege management applies to both Windows and Linux environments. Our capabilities extend to the identification of users with the ability to run batches, encompassing various mechanisms such as task scheduler, crontab, and IIS App Pool. Similar to our approach with local admin privileges, we aim to provide a clear correlation by showcasing the associated group and its members. The identification of empty groups simplifies decision-making. This comprehensive view aids in promptly addressing security concerns, making it straightforward to take action in instances where unauthorized or unneeded batch privileges exist within both Windows and Linux systems.
...
Topic: | Batch Privilege |
Subject: | Dangerous privilege granted: Log on as a Batch |
Description: | SeBatchLogonRight accounts can log on by using a batch-queue tool such as the Task Scheduler service. |
Suggestion: | Change this setting to <Service Accounts> under 'Default Domain Policy' and under 'Default Domain Controller Policy': Go to Computer configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a Batch |
Reason: | The group is empty and isn’t used. Once used, it will have the same access level for Batch and Tasks execution as the Local Admins group (usually will have Domain Admins in it). |
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Exchange WebShell vulnerabilities are pertinent to Windows environments. This massive zero-day vulnerability often poses challenges for organizations utilizing on-premises Exchange servers in terms of consistent patching. At GYTPOL, we have devised a strategy to detect and combat this threat. Our approach involves identifying malicious DLL files that are created as part of the attack and subsequently removing them. By proactively addressing the issue, we contribute to safeguarding the security and integrity of Windows systems impacted by Exchange WebShell vulnerabilities.
...
Topic: | Exchange Temp WebShell |
Subject: | Exchange Malicious Temp WebShells |
Description: | HAFNIUM's attack tools found on host: Temp WebShell. |
Suggestion: | Immediate action required: your server has been compromised! (1) Remove the file(s) immediately from the computer(s) and start an investigation. (2) Sometimes it is also recommended to restore the server before the attack date and to full patch it. (3) Check other servers for lateral movement. |
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Credential Manager concerns are relevant to Windows environments. In scenarios where accessing network paths or Remote Desktop Protocol (RDP) requires entering credentials, these credentials are often stored on the device, posing a security risk. GYTPOL's approach to remediation involves the permanent removal of these stored credentials from the user's profile. By implementing this measure, we mitigate the exposure of sensitive credentials, enhancing the overall security of Windows systems by preventing unauthorized access to stored credentials.
...
Topic: | Credential Manager |
Subject: | User credentials stored on computer |
Description: | The Windows Credential Manager is providing easy password management to the user, but exposes his account to security threats. Any process running in the user's account can get elevated access to the vault and steal the stored passwords. |
Suggestion: | It is highly recommended to disable the Credential Manager and prevent local storage of user credentials via Group Policy: User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > Do not allow passwords to be saved > Enabled. Instead, you should opt to use the Windows Defender Credential Guard via the Group Policy. |
...
Anchor | ||||
---|---|---|---|---|
|
Unattended File concerns are specific to Windows environments. When generating a new system image and configuring fresh settings, an "unattended file" is often created. This file functions as an answer file, streamlining the deployment of the new image and its associated operating system settings to other devices. Occasionally, network configurations necessitate leaving credentials, typically administrative credentials, which can be exposed in plain text. Once the image has been established, the file becomes obsolete.
...
Topic: | Unattended File |
Subject: | Unattended Configuration File is Exposed |
Description: | Unattended files are configuration files that save the organization configuration in a simple XML that anyone can read and has access to. |
Suggestion: | It is highly recommended to remove this file via GYTPOL remediation and remove it permanently from any given Windows image. |
Reason: | It is not used after the device is installed, added to domain and all settings are done. Safe to delete. |
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
SMBv1 (Server Message Block version 1) pertains to Windows, Linux, and macOS platforms. Our capabilities extend beyond identifying whether SMBv1 is enabled; we also provide insights into its recent usage. This information aids in making informed decisions regarding remediation, particularly in cases where SMBv1 has not been actively utilized. This approach simplifies the remediation process by facilitating the identification of opportunities to disable SMBv1 without causing any adverse impacts, as it has not been in use. This proactive strategy helps enhance the security and overall health of Windows, Linux, and macOS systems.
...
Topic: | SMB Version 1 |
Subject: | Vulnerable SMB v1 Network File Sharing |
Description: | The computer has SMB v1 installed, which lacks important protection mechanisms offered by later SMB protocol versions. It is a well-known security risk, exploited by various ransomware worms, Denial-of-Service and Remote Code Execution attacks. Bear in mind that some legacy software and network printers require SMB v1 to function. |
Suggestion: | It is highly recommended to remove SMB v1 via GYTPOL. Do verify that there's no legacy software or network printers that requires SMB v1. If there are computers with legacy software (that demands admins browse via the so-called network aka network neighborhood master browser list) or computers running run old multi-function printers with old firmware in order to “scan to share” then do not remove until you upgrade that software. |
Reason: | SMBv1 wasn’t used on the last 90 days (we can also show if ever used) and it is safely to disable by removing the feature from the device. |
...
Anchor | ||||
---|---|---|---|---|
|
Access to Shares Anonymously is a concern specific to Windows environments. Default values can often present challenges, requiring significant effort to track down and address all settings. This particular setting grants permission to anonymous users for access, a permission that most organizations do not require or desire.
...
| Accessing Shares Anonymously |
Subject: | Accessing Shares Anonymously |
Description: | When this setting is not set - sessions or pipes might have attributes and permissions that allow anonymous access. An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. |
Suggestion: | It is highly recommended to not allowing accessing device shares anonymously. |
Reason: | Anonymous access should be limited and prevented in a corporate network – access should be allowed for Authenticated users only. |
...
Anchor | ||||
---|---|---|---|---|
|
Granting "Everyone" additional access to Anonymous is a Windows-specific concern. Default values can indeed present challenges, necessitating significant efforts to address various settings. This particular setting extends permissions to Anonymous users by including them in the "Everyone" group, potentially providing them with unauthorized access.
...
Topic: | Everyone to Anonymous |
Subject: | Everyone to Anonymous Permissions |
Description: | This policy setting determines what additional permissions are granted for anonymous connections to the device. An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. |
Suggestion: | It is highly recommended to not allowing everyone group permissions apply to accessing device shares. |
Reason: | Anonymous access should be limited and prevented in a corporate network – access should be allowed for Authenticated users only. |
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
LLMNR (Link-Local Multicast Name Resolution) is a Windows-specific protocol that has been deemed risky and obsolete in modern operating systems. Organizations have largely ceased using this protocol due to security concerns. It's important to note that LLMNR is enabled by default in some systems.
...
Topic: | LLMNR |
Subject: | LLMNR protocol allowing impersonation attacks |
Description: | The Link-Local Multicast Name Resolution (LLMNR) protocol allows name resolution without the requirement of a DNS server, by enabling a special multicast UDP packet on port 5355, to be sent across the network, asking all listening Network-Interfaces to reply if they are authoritatively known as the hostname in the query. The problem is the protocol doesn't have effective protections, and an attacker can fabricate a response and steal user credentials. more |
Suggestion: | This is legacy protocol with high risks and should be disabled via an Active Directory GPO. Using GPMC, create a GPO, and under Computer Configuration - Policies - Administrative Templates - Network - DNS Client - Turn Off Multicast Name Resolution - set to Enabled. |
Reason: | In modern networks, the DNS should be the one responsible for managing the PC/Servers names and not rely on multicast or broadcast name resolution. |
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
PSv2 (PowerShell version 2) is relevant to Windows systems. In default configurations, both PSv2 and PSv5 are installed on Windows 10, Server 2016, and subsequent versions. However, PSv2 is not commonly utilized by organizations using these operating systems, as all commands supported by PSv2 are also available in PSv5.
...
Topic: | PowerShell Version |
Subject: | PowerShell v2.0 installed and vulnerable |
Description: | PowerShell v2.0 engine contains known vulnerabilities and is susceptible to downgrade attacks. PowerShell v5 introduced important security capabilities which are lacking in v2. Having v2 on a computer enables attackers to revert the execution to the older engine, thereby circumventing the added security. |
Suggestion: | It is highly recommended to upgrade PowerShell to v5.1 or above and uninstall PowerShell v2.0. Use the Add/Remove Windows Features on a Windows workstation computer, or Server Manager to remove the feature on a Server computer. |
Reason: | By default, Windows will use the latest version installed and will use ver. 5.1 instead of ver. 2 – once ver. 2 is removed, PS5.1 will still remain the default version. |
...
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
DES (Data Encryption Standard) and triple DES (3DES) relevance pertains to Windows systems. DES is a legacy cipher within the context of Kerberos authentication. Modern operating systems typically do not utilize DES unless specifically mandated by an organization.
...
Topic: | DES Authentication |
Subject: | An authentication was made using DES |
Description: | DES does not provide authentication. It is vulnerable to a variety of attacks including man in the middle (MITM). |
Suggestion: | It is highly recommended to disable DES via the Group Policy. Follow the steps: https://www.tbs-certificates.co.uk/FAQ/en/desactiver_rc4_windows.html. |
Reason: | We show if DES authentication was used in the last 30 days, and it can be disabled only on a non-used device. |
...
Anchor | ||||
---|---|---|---|---|
|
RC4 (Rivest Cipher 4) is relevant to Windows systems. Similar to DES, RC4 is considered a legacy cipher within the context of Kerberos authentication. Modern operating systems typically do not employ RC4 unless specifically required by an organization.
...