Contents
Introduction
Product
About GYTPOL
GYTPOL stands as a comprehensive and versatile cybersecurity solution meticulously engineered to safeguard and optimize your digital assets. Its robust functionality extends across various operating systems, encompassing Windows, Linux, and macOS. Whether your devices are desktops, laptops, servers, virtual or physical, domain or non-joined, GYTPOL seamlessly integrates to provide protection.
This solution automates a range of critical cybersecurity use cases:
Continuous Detection of Misconfigurations: GYTPOL's automated system consistently identifies security misconfigurations stemming from operating systems, human errors, and third-party applications. It facilitates auto-remediation while ensuring zero adverse effects on your environment.
Revert Remediation Actions: When necessary, GYTPOL can reverse previously executed remediation actions.
Harden Devices: The product provides recommendations for enhancing device security configurations, helping you to further harden your systems.
Policy Validation: GYTPOL validates that computer and user Group Policies are accurately applied to all endpoints. (Intune policy support is forthcoming.)
Configuration Benchmarking: The solution benchmarks your configurations against recognized industry security standards such as CIS and NIST.
Enhanced Active Directory and Group Policy Security: GYTPOL enhances the security of your Active Directory and Group Policy configurations.
Optimized Group Policy Definitions: GYTPOL aids in optimizing Group Policy definitions, flagging issues like duplicated or conflicting GPOs.
Startup and Login Time Optimization: GYTPOL identifies Group Policies that may contribute to sluggish computer startup and user login times.
In summary, GYTPOL streamlines security and optimization efforts across diverse environments, automating key processes to ensure robust cybersecurity.
Audience
This User Guide is primarily intended for individuals and teams responsible for implementing, managing, and maintaining the cyber security infrastructure within their organizations. It caters to both technical and non-technical users, providing clear instructions and explanations for all levels of expertise.
How to Use This User Guide
To help you navigate through this User Guide effectively, it is divided into various sections corresponding to different aspects of GYTPOL. Each section provides step-by-step instructions, best practices, and tips to maximize GYTPOLs potential.
Additionally, we have included screenshots and examples throughout the document to assist you in visualizing the interface and functionalities. Where applicable, we have also provided troubleshooting tips and frequently asked questions to address common concerns. The complete troubleshooting document is accessible both on our official website and through our dedicated support mailbox. If you encounter any challenges or require assistance, please refer to these resources for detailed guidance and solutions.
Contact Information
Should you have any questions, encounter difficulties, or require further assistance while using GYTPOL, please contact support@gytpol.com . Our dedicated support team is available to help you with any queries or concerns you may have.
We hope this User Guide serves as a valuable resource in understanding and leveraging GYTPOL to enhance your organization's security defenses.
Thank you for choosing GYTPOL, and we look forward to your success in safeguarding your digital assets.
How GYTPOL Validator works
The primary data flow process within GYTPOL Validator unfolds through the following sequential stages:
Installation and License Activation:
Install the GYTPOL Server and activate the associated license to set up the core infrastructure.
Client Deployment and Execution:
Deploy the GYTPOL Client on each endpoint device.
The GYTPOL Client executes once daily, at randomly chosen times, following a predefined sequence of actions.
The scanning process typically completes within 5-7 minutes.
Data Collection during Scan:
The GYTPOL Client collects data on misconfigurations and unpatched zero-day vulnerabilities during its scanning routine.
For Microsoft devices, it also gathers Group Policy data (Resultant Set of Policy - RSOP).
(Note: Support for Intune configurations for all devices is slated to be added in the near future.)
Data Compression and Encryption:
Subsequent to data collection, the GYTPOL Client compresses the gathered data.
It then encrypts the compressed data using a public key.
Data Transmission Attempt:
The GYTPOL Client endeavors to establish a connection with the GYTPOL Server to transmit the encrypted and compressed data.
The initial data transmission attempt is conducted using the local network or a VPN connection, utilizing port 9093 for communication. This approach ensures that the encrypted and compressed data collected by the GYTPOL Client is securely transferred to the GYTPOL Server within the local network or through a VPN connection, enhancing data privacy and protection during transit.
If the device encounters difficulties like DNS resolution problems, network issues, or connectivity issues that prevent it from reaching the GYTPOL Server, and if the relevant feature is activated, it will transmit the data to GYTPOL's Cloud-based Remote-Employee component located in the agreed-upon region for the organization. Subsequently, the GYTPOL Server retrieves the data from this location. It's possible to choose whether to enable this feature, and you can find more comprehensive information in our High-Level Design (HLD) document.
Once data is received from a GYTPOL Client, the GYTPOL Server undertakes an analysis using our exclusive GYTPOL Analyzer. This Analyzer not only examines the data thoroughly but also stores the results in a designated database. This proactive approach ensures that you are promptly informed about any possible security threats, helping to keep you well-informed about potential risks.
After the GYTPOL Client completes its scan and data is transmitted to the GYTPOL Server, the IT and Security teams access the findings through the Web User Interface (UI). This interface is compatible with Chromium-based web browsers such as Google Chrome or the new Microsoft Edge.
The GYTPOL Server is equipped with several integrations to enhance its functionality and facilitate seamless operations:
It interfaces with various public APIs to support data exchange and integration with external systems.
Integration with Ticketing Systems like ServiceNow is established, streamlining the process of generating and managing tickets based on GYTPOL's findings.
Notably, the GYTPOL Server also integrates with Security Information and Event Management (SIEM) systems. Selected events and data are sent from GYTPOL to SIEM platforms, such as MicroFocus ArcSight, IBM QRadar, Sentinel, or Splunk. This integration enhances the security ecosystem by aggregating GYTPOL's insights into the broader context of security events and monitoring.
Client Server Communication
The interaction between the client and the server operates in a one-way manner: the client initiates its scheduled task either on a daily or hourly basis (the client's tasks are elaborated upon in the client section). Following the task execution, the gathered data is transmitted to the GYTPOL server, where it undergoes analysis and subsequently appears in the user interface for review.
Should a GYTPOL operator execute a remediation action or any other task from the console, the client conducts periodic checks for new tasks every hour through its hourly task execution. Upon initiating the task locally, the client provides feedback to the server regarding the outcome, indicating either success or failure.
Client
GYTPOL provides support for Windows, Linux, and macOS operating systems. For a comprehensive overview of the supported platforms, please refer to the client installation guide available at this link: GYTPOL Client Installation Guide
The GYTPOL Client operates on a daily basis for a brief duration. Within this operational window, it accumulates data related to misconfigurations, unattended zero-day vulnerabilities, and outdated third-party software. This information is collected during the run and subsequently processed for further analysis.
GYTPOL Client for Windows
Language-Code: GYTPOL is developed using a combination of C# and signed PowerShell.
Post-Install: Following installation, GYTPOL uses the Task Scheduler functionality for its scheduled tasks.
Permissions: The scheduled tasks within GYTPOL are configured to run under the SYSTEM account. This account type doesn't require a username and password for execution.
Size: The GYTPOL installation size is less than 5MB.
Network Traffic: GYTPOL generates network traffic of up to 30KB per day. The data is transmitted in compressed (gzip format) form.
Scheduled Runs:
GYTPOL executes its tasks on a daily basis with a duration of 5-7 minutes.
The timing of the daily task varies based on the type of device:
End-User Devices: Random execution time between 10 am and 5 pm.
Servers: Random execution time between 10 pm and 4 am.
Additionally, GYTPOL sends a "keep-alive" message every hour to ensure continued connectivity. This message also serves to retrieve new tasks for maintaining security posture, including tasks related to remediation, reversion, updates, and upgrades.
Communication Protocol: GYTPOL employs the latest Transport Layer Security (TLS) version supported by the device for secure communication. All communication occurs over HTTPS to ensure data privacy and integrity.
GYTPOL Client for Linux/macOS
Language-Code: GYTPOL is implemented using the Go programming language (Go-lang).
Post-Install:
On Linux, GYTPOL utilizes systemd for post-installation task management.
On macOS, GYTPOL employs launchd for post-installation tasks.
Permissions: GYTPOL runs with root user permissions, which provide the necessary access for its functionalities.
Size: The installation size of GYTPOL is less than 3MB.
Network Traffic: GYTPOL generates network traffic of up to 30KB per day, with data transmission in compressed (gzip format) form.
Scheduled Runs:
GYTPOL executes its tasks once a day, with a random start time and a duration of up to 5 minutes.
Additionally, GYTPOL sends a "keep-alive" message every hour to ensure continuous connectivity. This message also prompts the retrieval of new tasks to ensure up-to-date security measures, encompassing tasks related to remediation, reversion, updates, and upgrades.
Communication Protocol: GYTPOL employs the most recent Transport Layer Security (TLS) version supported by the device. All communication occurs over HTTPS, ensuring data confidentiality and integrity.
Product overview
This section provides a quick overview of the GYTPOL Validator key capabilities and provides references to sections covering these capabilities in detail.
User Interface
From an end user's viewpoint, GYTPOL Validator is a role-based web application that simplifies cybersecurity management. Here's a walkthrough of how users navigate the UI and some notable visual notations and instructions provided in the corresponding documentation section:
Navigation:
Users access GYTPOL through a role-based web interface tailored to their responsibilities.
The UI seamlessly guides users to different sections, tools, and insights.
Visual Notations:
Export: Look for options to export data, facilitating data sharing and analysis.
Refresh: A common icon to refresh or update displayed information in real time.
Know How: This symbol typically offers contextual help, guiding users on specific actions.
User Roles:
GYTPOL's UI adapts to user roles, displaying relevant features and data.
Different users interact with tools suited to their tasks, ensuring focused functionality.
Comprehensive Views:
The UI presents various dashboards and sections tailored for specific needs like policy validation, maintenance, and benchmarking.
Effortless Navigation:
GYTPOL's user-friendly design ensures intuitive navigation across functionalities.
Users can swiftly move between sections for effective management.
Consistent Experience:
Visual elements like buttons, icons, and labels maintain a consistent design, enhancing user familiarity.
Helpful Guidance:
In-app assistance guides users on performing specific tasks, maximizing usability.
By offering a role-based interface with intuitive navigation and helpful notations, GYTPOL empowers users to efficiently manage their cybersecurity tasks. This groundwork prepares users for a deeper exploration of specific functional use cases within the application.
Misconfigurations
Misconfiguration encompasses the mistakes made when setting up IT systems or security measures, which can result in vulnerabilities and potential security breaches. These errors often stem from insecure default settings, human oversights, incorrect application of Group Policy Objects (GPOs), and other factors.
Misconfigurations can manifest across various domains, including network devices, web applications, cloud services, servers and operating systems, encryption and key management, security tools, and access controls. To mitigate misconfigurations, it's essential to adhere to industry best practices. This entails conducting regular audits, implementing secure configuration settings, rigorously managing changes, and offering training and awareness initiatives.
GYTPOL provides a rapid solution to address misconfigurations, achieving this in a matter of minutes. For a comprehensive understanding of how to effectively manage misconfigurations, refer to the detailed guidance provided in the corresponding documentation section.
Group Policy Validation
The Policy Validation module within GYTPOL focuses on identifying and resolving gaps and issues associated with the implementation of Group Policy Objects (GPOs). This encompasses a range of concerns, such as failures in applying Group Policy Preferences (GPPs), disparities in settings, occurrences of local GPOs, orphaned GPO instances, and settings that don't match as intended.
The user interface offers a structured view that presents these errors and discrepancies in a clear manner. The screen's layout is organized, with computers listed on the left side and users displayed on the right. This layout facilitates efficient navigation and understanding.
Key features of the Policy Validation UI:
Error Display: The interface presents errors and issues in a way that is easy to comprehend and navigate.
Categorization: Errors are categorized based on different criteria like devices, users, specific GPOs, organizational units (OUs), or operating systems (OS). This categorization streamlines the identification and resolution process.
Visual Representation: The UI's intuitive design visually represents GPO-related issues, making it easier to spot discrepancies and errors.
By structuring the information in this manner, GYTPOL enables users to swiftly grasp and address GPO-related problems. For a more comprehensive understanding of utilizing the Policy Validation module, refer to the detailed instructions provided in the corresponding documentation section.
Login Profiler
The module serves to identify potential causes of slow startup or login times resulting from applied policies across the domain. This assessment can be performed according to various parameters, including device or user, specific policy extension, or organizational unit (OU). This module equips you with the capability to delve deeper into the analysis, pinpointing both the problematic policy and the specific settings or set of settings responsible for the observed latency.
Much like the Policy Validation screen, the graphical layout mirrors that of the computer on the left-hand side and the corresponding user on the right-hand side. This design facilitates a clear view of the relationships between policies and their effects on startup and login times.
For a comprehensive guide on utilizing the Login Profiler module effectively, refer to the the corresponding documentation section.
CIS/NIST Benchmarks
The CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology) Benchmarks serve as comprehensive guidelines for configuring a range of software, operating systems, and devices. These benchmarks provide specific instructions to secure these systems against well-known vulnerabilities.
CIS 8 refers to the latest version of the CIS Controls, a prioritized list of actionable security measures designed by the Center for Internet Security. These controls encompass a diverse range of cybersecurity aspects, offering organizations a clear roadmap to enhance their cybersecurity practices. The CIS Controls are updated regularly to address emerging threats and incorporate industry best practices. By adhering to these controls, organizations can establish a robust cybersecurity foundation and mitigate various cyber risks.
NIST 800-53, on the other hand, is a comprehensive collection of security controls and guidelines tailored for U.S. federal information systems. This publication furnishes organizations with a framework to evaluate and enhance the security of their systems, safeguarding sensitive information. Covering multiple security domains, NIST 800-53 holds widespread recognition as a cybersecurity standard. Its adoption extends beyond the U.S. federal government, gaining prominence in various sectors and organizations worldwide. Abiding by NIST 800-53 assists organizations in elevating their security posture and aligning their practices with established industry standards.
For detailed guidance on utilizing the CIS/NIST Dashboards effectively, refer to the corresponding documentation section.
Active Directory / Group Policy Enhanced Security
The Active Directory / Group Policy Enhanced Security module provides visibility into public data accessible via a basic domain user's access rights. This information can be queried directly from domain controllers. The module offers insights into various aspects, including administrator groups, vulnerable file paths within GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, customized group change queries, and more.
The objective of presenting this data is to underscore the information that can be gathered using plain domain user access rights. By highlighting these findings, the module aims to demonstrate what an attacker could potentially access before progressing to lateral movement or elevating their permissions within the network.
For a comprehensive understanding of how to effectively utilize the Active Directory / Group Policy Enhanced Security module, refer to the corresponding documentation section.
Maintenance
The Maintenance section of GYTPOL offers valuable recommendations to enhance the administration of Active Directory (AD) and Group Policy Objects (GPOs). This includes suggestions for optimizing the management of these crucial components. GYTPOL aids in identifying various issues for more effective administration:
Unlinked GPOs: GYTPOL helps locate GPOs that are not linked to any organizational unit, enabling you to streamline your GPO structure.
Duplicated GPO Settings: The platform identifies duplicated settings within GPOs, allowing you to eliminate redundancy and ensure consistency.
AD Accounts Cleanup: GYTPOL assists in identifying and managing obsolete or unused Active Directory accounts, enhancing overall security.
Legacy OS: The system flags legacy operating systems that might pose security risks due to outdated support.
Multiple Loopbacks: GYTPOL highlights instances of multiple loopbacks processing settings, aiding in maintaining an organized and predictable GPO environment.
These recommendations empower you to proactively enhance the administration of AD and GPOs. For a comprehensive guide on effectively using the Maintenance features, consult the detailed instructions provided in the corresponding documentation section.
Administration
The Settings menu within GYTPOL offers a hub for various administrative tasks that you can perform to manage and customize your GYTPOL environment. This includes activities like group management, API access configuration, filters setup, and managing muted alerts.
Group Management: The Settings menu allows you to manage user groups, enabling efficient collaboration and access control within your organization.
API Access: You can configure API access settings, granting authorized applications or services the ability to interact with GYTPOL's functionalities.
Filters and Mutes Management: GYTPOL facilitates the customization of filters and mutes, helping you tailor your experience by controlling the alerts and data you receive.
For a comprehensive guide on navigating and effectively utilizing the Settings menu, refer to the detailed instructions provided in the corresponding documentation section. This resource will offer step-by-step guidance on performing administrative tasks and optimizing your GYTPOL configuration.
UI Navigation
The GYTPOL Validator Homepage offers a user-friendly gateway to different perspectives tailored for Windows, Linux, and macOS environments. Each perspective presents the top five alerts pertinent to its corresponding scope, providing a rapid overview of critical issues.
This homepage boasts a user-centric feature – the UI filtering option. By leveraging computer groups established by GYTPOL operators, you can effectively categorize devices based on specific attributes like operating systems, naming patterns, and organizational units (OUs). Detailed guidelines for creating and utilizing these groups are available in the Customization and Settings > Computer Groups section.
The homepage's top menus are designed for intuitive navigation across various sections, including:
Active Directory Security Page: This section addresses Active Directory security concerns.
AD and GPO Maintenance Page: Here, you can manage and optimize your Active Directory and Group Policy Objects.
CIS/NIST Benchmark Dashboards: Access detailed benchmark insights to enhance security posture.
Upon selecting the Windows dashboard, the top bar presents key information such as the number of reporting servers, endpoints, Domain Controllers, and Virtual Desktop Infrastructures (VDIs) – indicating the distribution of monitored assets. Additionally, the top bar showcases metrics regarding users validated through GYTPOL's Policy Validation module and the count of missing devices. Further explanation about these metrics can be found in the Customization and Settings > Health Screen section.
Drill downs
Every element within the user interface is interactive, allowing you to navigate to more advanced levels of UI management effortlessly.
Clicking on the top bar and the corresponding numbers triggers a transition to a detailed list of devices situated within the same scope. This list furnishes basic device information, encompassing attributes like device name, IP address, client version, timestamp of the last scan, operating system (OS), organizational unit (OU), and domain.
For every device listed, a further drill-down option is available. Activating this drill-down leads you to specific findings associated with that particular device. This in-depth exploration provides granular insights into the security and configuration status of the chosen device.
Selecting any of the misconfiguration scopes, such as Servers or Endpoints, triggers the opening of the misconfiguration page, where all pertinent alerts relevant to that specific scope are presented. These alerts are systematically categorized according to the MITRE ATT&CK framework, enhancing their organization and clarity. Each alert possesses the capability to be further expanded, revealing the list of devices implicated in that misconfiguration.
For streamlined management, a green wrench icon is available. Clicking this icon initiates actions that apply across all impacted devices, providing a unified solution for resolving the issue at hand. Additionally, by clicking on the individual alert button, actions can be executed at the device level, allowing for tailored remediation.
For a comprehensive guide on navigating the Misconfigurations and Alerts section effectively, refer to the detailed instructions provided in the corresponding documentation.
Export
You have the capability to export either a single metric or a set of metrics to a CSV file. For instance, you can export all metrics related to Legacy Protocols by following these steps:
Navigate to the relevant screen that displays the Legacy Protocols metrics.
Locate the "Export" or "Download" button within that screen.
Click on the button to initiate the export process.
A CSV file containing the Legacy Protocols metrics will be generated and downloaded to your device.
This CSV file will provide you with a structured record of the metrics related to Legacy Protocols, which you can then use for reporting or analysis purposes.
Another example, is an export of a single finding:
Refresh
Within the user interface of GYTPOL, you have the flexibility to update information in two ways:
Refresh Entire Screen: If needed, you can refresh the entire screen to ensure that all displayed data is up-to-date. This option is useful when you want to refresh the entirety of your view.
Targeted Refresh: Alternatively, for more focused updates, you can click on the refresh icon situated adjacent to the Export button in the user interface. This approach is particularly beneficial when you specifically wish to update particular metrics or swiftly review results.
In opting for the targeted refresh, only the relevant metrics section that you select will be updated, aligning with your specific requirements. This feature enhances your ability to efficiently access the most recent information without refreshing the entire interface.
Getting Help - Know How
GYTPOL's Knowledge Base serves as a valuable resource, covering a wide range of topics, including security risks and manual/alternative methods to address identified findings. The primary goal of our Knowledge Base, often referred to as "Know How," is to offer swift access to information related to specific topics or alerts.
Here's how you can access and leverage the Know How feature:
Access Points:
The Knowledge Base can be accessed by clicking on the "academic hat" icon located on the top bar of the interface.
Alternatively, you can directly access Know How by clicking on the relevant icon within a specific topic.
Information Enrichment:
The Know How section provides comprehensive insights into various topics and alerts, enhancing your understanding of security risks and potential solutions.
Quick Reference:
By providing quick access to information, Know How allows you to swiftly retrieve relevant details, ensuring effective decision-making and problem-solving.
The Knowledge Base empowers users with in-depth information, enabling them to tackle security challenges with informed solutions. Whether you access it through the top bar or directly within specific topics, the Know How feature is designed to enrich your experience within GYTPOL and enhance your ability to address security concerns.
Search - find a computer or user
Locating specific computers belonging to users is a seamless process within GYTPOL:
Search Functionality:
Utilize the search box situated in the top right corner of the interface.
Input relevant information such as device name, user, or any identifying details to initiate the search.
Results Display:
Once the desired device is located, GYTPOL will promptly display the pertinent information associated with the device.
Misconfiguration Information:
GYTPOL will showcase the relevant misconfigurations that have been identified for the selected device.
This insight into misconfigurations empowers you to take targeted actions to address and rectify any issues.
Achievements
The Achievements screen provides valuable insights into the time saved and potential time savings achieved by using GYTPOL for remediation compared to traditional methods involving 3rd party tools, scripts, and Group Policy Objects (GPOs).
Key Features of the Achievements Screen:
Estimated Time Saved:
GYTPOL's automated approach significantly reduces the time needed for remediation.
You can view the estimated time saved, showcasing the efficiency gained by using GYTPOL's streamlined processes.
Potential Time Savings:
GYTPOL offers substantial potential time savings when compared to manual methods.
The Achievements screen highlights the comparative advantage of GYTPOL in terms of time efficiency.
Remediation Status Tracking:
Clicking on color-coded bars allows you to access the real-time status of the remediation process.
This feature offers transparency and visibility into the progress of resolving findings.
Focused Issue Resolution:
The Achievements screen also enables you to access the computers that still require remediation within specific topics.
Clicking on a desired topic directs you to the leftover computers, facilitating targeted efforts.
Getting started
Logging in
After installing the GYTPOL server, a desktop shortcut is automatically added for all users on the server, ensuring easy access. Additionally, you have the option to log in from any device within the network by using the following format: https://<gytpol-server-name>:9093
In case you're unsure about your GYTPOL server name, you can discover it using the Command Prompt (CMD) by pinging _gytpol. This command will reveal the server’s FQDN.
The login process is facilitated by Kerberos Single Sign-On (SSO), enhancing user convenience and security. To manage user access levels, navigate to the Roles and Permissions screen, where you can define and adjust user roles and permissions.
What you see when you first logged in
Upon successful login, you will be directed to the main homepage of GYTPOL. Here, you will immediately access a view showcasing devices that are actively reporting to GYTPOL. Additionally, you'll receive initial findings related to the Active Directory and Group Policy aspects.
For more comprehensive details and explanations about the user interface and its various features, please refer to the dedicated UI overview section within GYTPOL's documentation. This section will provide an in-depth understanding of how to navigate and utilize the interface effectively. It's a valuable resource to make the most of GYTPOL's capabilities and insights.
Verify that GYTPOL clients were successfully deployed
You can confirm a successful GYTPOL client deployment in two ways:
Local Device Check: Verify on the device where the client is installed to ensure proper functioning.
Health Screen: Use the Health screen to get an overview of deployment status and device health.
For more information, refer to the Health Screen overview section in the documentation.
Misconfigurations
What is a Misconfiguration?
Misconfiguration refers to errors in configuring IT systems or security controls, leading to vulnerabilities and potential breaches. Errors can come due to wrong or insecure default settings, human errors, GPO that wasn’t applied correctly and more.
It can occur in network devices, web applications, cloud services, servers/operating systems, encryption/key management, security tools, and access controls. Preventing misconfigurations requires following best practices, conducting audits, implementing secure configurations, enforcing change management, and providing training and awareness. GYTPOL can help you achieve this in minutes.
Working with Misconfiguration Alerts
The GYTPOL Validator Homepage offers instant access to Windows, Linux, and macOS perspectives, each highlighting the top 5 alerts relevant to their respective scopes. It also facilitates UI customization through computer groups created by GYTPOL operators based on OS, name patterns, OUs, and more, as detailed in the Customization and Settings > Computer Groups section.
The Homepage's top menu provides direct links to essential areas, including the Active Directory security page, AD and GPO maintenance page, and CIS/NIST benchmarks dashboards.
When selecting the Windows dashboard, the top bar provides a snapshot of critical metrics:
Reporting Servers
Endpoints
Domain Controllers
Virtual Desktop Infrastructures (VDIs) if applicable
Validated users from the Policy Validation module
Number of missing devices, as covered in the Customization and Settings > Health Screen section.
This comprehensive overview on the Homepage ensures swift access to key insights, customization options, and essential pages for effective management within GYTPOL.
Types of Misconfigurations
Our Misconfigurations module categorizes findings into topics aligned with the MITRE ATT&CK framework. These categories include:
Remote Code Execution: Addressing vulnerabilities that could potentially lead to unauthorized remote code execution.
Lateral Movement: Identifying misconfigurations that could be exploited for lateral movement within your network.
Legacy Protocols: Highlighting issues related to outdated or risky protocols.
Privilege Escalation: Detecting misconfigurations that may enable unauthorized elevation of privileges.
SMB and Sharing: Focusing on misconfigurations associated with SMB protocols and sharing settings.
Credentials: Addressing issues related to improper handling and storage of credentials.
Obsolete Software: Identifying vulnerabilities due to outdated software and unpatched applications.
By organizing misconfigurations into these topics based on the MITRE ATT&CK framework, GYTPOL offers a structured approach to addressing security risks, making it easier to prioritize and remediate issues effectively.
In GYTPOL, all misconfigurations and metrics are visually represented with specific severity colors to provide quick insights into their urgency:
Red (High): Represents high-severity misconfigurations that require immediate attention due to their critical impact on security.
Orange (Medium): Indicates medium-severity misconfigurations that should be addressed promptly to mitigate potential risks.
Yellow (Low): Denotes low-severity misconfigurations that may not pose an immediate threat but should still be resolved to enhance overall security posture.
Green (Complied): Signifies items that are in compliance and meet the expected security standards, resulting in no alerts generated.
This color-coded approach offers a visual way to prioritize and address misconfigurations based on their severity levels, aiding efficient decision-making and remediation efforts.
The severity of alerts within GYTPOL is determined by considering multiple factors to accurately gauge the potential risk:
Common Attack Vector: The prevalence of the attack vector in real-world scenarios is considered. More common vectors may receive higher severity ratings.
CVSS Score: If available, the Common Vulnerability Scoring System (CVSS) score is factored in. This numerical score assesses the vulnerability's severity and impact.
CISA/CIS/NIST Recommendations: Alignment with recommendations from cybersecurity frameworks such as CISA, CIS, and NIST contributes to the overall assessment of severity.
GYTPOL Research Team Expertise: The knowledge and insights of GYTPOL's research team play a crucial role in understanding how easily a misconfiguration can be exploited and the potential consequences.
For each metric within GYTPOL, the following key information is provided:
Topic: Metrics are categorized into specific topics, aligning with the MITRE ATT&CK framework, to offer a structured overview of security concerns.
Subject: This highlights the specific aspect of the metric being assessed, pinpointing the area of concern.
Scope: Users can select the scope in the user interface to specify the context or range within which the metric is being evaluated.
Description: A detailed explanation of the metric's nature, implications, and potential security risks is provided to ensure a clear understanding.
Suggestion: Practical recommendations and steps for addressing and mitigating the identified issues are offered, guiding users toward effective remediation.
Navigating through Alerts (drill downs, pinning, etc.)
When you click on any of the scopes displayed on the main dashboard (such as Servers or Domain Controllers), it will lead you to the misconfiguration screen, designed as follows:
Metric Collection Boxes: Each box corresponds to a specific scope (e.g., Servers) and contains a collection of metrics grouped under their relevant topics (e.g., Remote Code Execution, Privilege Escalation).
Severity-Color Bars: Within each box, metrics are represented by colored bars indicating the severity level (Red = High, Orange = Medium, Yellow = Low). The number of devices affected by the alert is displayed alongside the bar, as well as the number of compliant devices. Alerts that weren't found at all won't be shown.
Drill-Down Functionality: Clicking on the colored bar provides a drill-down view, showing the list of devices associated with that alert's severity. This helps you pinpoint affected devices for focused remediation.
Actions: By clicking the wrench icon associated with a specific metric or alert, you can take actions at various levels. This allows you to address issues and apply remediation strategies based on your requirements.
Related Topics
In GYTPOL, topics are interconnected to enhance correlation and provide a more comprehensive understanding of security issues. This is achieved through the implementation of "Related Topics" for many alerts:
Interlinked Topics: Alerts within different topics are interlinked to establish connections between related security concerns. These connections help users comprehend the broader context of potential vulnerabilities.
Enhanced Correlation: By exploring related topics, users gain a deeper insight into how various misconfigurations might impact each other and contribute to potential security risks.
Clicking on any related topic takes you to a dedicated section that displays alerts related to that topic.
Remediable vs non-Remediable alerts
In GYTPOL, alerts are visually differentiated by the presence of a spanner icon, which conveys specific information about the remediation process:
Green Spanner: Alerts accompanied by a green spanner icon indicate that you can swiftly remediate the finding using the GYTPOL user interface. This streamlined process enables you to fix the identified misconfiguration in a matter of seconds. For more detailed guidance on the remediation process, refer to the provided resources.
Gray Spanner: If an alert is associated with a gray spanner icon, it signifies that the finding cannot be remediated through the user interface due to certain limitations or conditions. These limitations could include factors such as unsupported PowerShell versions or informational nature of the alert. This may also indicate that the item fully complied with GYTPOL standards or was already fixed.
Revertible vs non-Revertible
In GYTPOL, alerts are categorized into two types based on their remediation and revertability options:
Remediable Alerts (Green Spanner): Alerts accompanied by a green spanner icon indicate that you can promptly address and remediate the finding using the GYTPOL user interface. This intuitive process enables you to fix the identified misconfiguration quickly and effortlessly.
Remediable with Manual Revert (Green Spanner + Exclamation Mark): Alerts displayed with a green spanner and an exclamation mark (!) signify that the finding can be remediated through the UI. However, the revert (undo) action cannot be performed using the UI. If a revert is required, it needs to be executed manually, either through Group Policy Objects (GPOs) or by utilizing third-party tools.
This distinction helps users understand the level of remediation and revertability associated with each alert, allowing them to make informed decisions on how to address and potentially revert misconfigurations.
Spanner - Colors and Meaning
Color | Meaning |
Green – alert remediable and revertible | |
Green with (!) – alert remediable but non-revertible | |
Red – remediation failed (timeout, access) | |
Orange – no error was reported during remediation, but the scanner found the same alert again | |
Gray – action cannot be applied, either because the Powershell version is too old or there is no remediation action available for this finding | |
Gray with a spinning icon – remediation is pending and ready to run on devices |
Export found misconfigurations to CSV
GYTPOL offers a convenient feature that allows you to export data from the dashboard to a CSV file, facilitating reporting and efficient tracking of information. Here's how it works:
Topic Level Export: To export data related to an entire topic, click the "download" button located on the topic box. This action will generate a CSV file containing data pertinent to the selected topic.
Metric Level Export: Within a specific metric or alert, you can also export data by clicking the "download" button associated with that metric. This will export information about all devices affected by the same finding within that metric.
Single Device Level Export: If needed, you can even export data about an individual device. Simply navigate to the specific device and use the available export option.
By utilizing these export functionalities, GYTPOL empowers users to generate reports, gather insights, and maintain efficient records of misconfigurations and remediation efforts for better security management and documentation.
Remediation Action types
Remediation Process for Misconfigurations
Within GYTPOL Validator, users have the capability to rectify misconfigurations found on endpoints and servers by defining Remediation Actions. These actions facilitate the implementation of fixes across various devices, groups, or even individual machines. Here's how the process works:
Defining Remediation Actions: Remediation Actions outline the corrective measures to be applied based on parameters like OU, Domain, or specified computer groups. The actions are grouped into topics, such as the SMB and Sharing topic including SMBv1 removal.
Pending Status and Acknowledgment: After a GYTPOL admin initiates an action, it remains in a pending status until the client device checks in (hourly) and confirms the task for local application.
Client Acknowledgment and Feedback: Once the client applies the task locally, it sends feedback to GYTPOL regarding the outcome. This feedback includes information on success, failure, and the reason for failure (e.g., timeout or access denial).
Revert Capability: Numerous remediation actions can be reverted to the original state directly from the GYTPOL UI. This streamlines the process and eliminates the need for third-party tools or scripts. All reverts are executed on the device within an hour, maintaining consistency with the hourly check-in schedule.
Remediation Action
A "Single Remediation Action" in GYTPOL Validator involves applying a corrective action to resolve a specific finding. Here's an overview of the process:
Identify the Finding: Start by identifying a particular misconfiguration or security finding that needs to be addressed.
Choose the Target Group: Select the group of devices on which you want to apply the remediation action. This can include specific devices, a group based on OU, Domain, or custom computer groups.
Initiate the Remediation Action: Define the specific action or fix that needs to be implemented to address the finding. This action can involve changes to configurations, settings, or other relevant parameters.
Pending Status and Client Check-In: After initiating the action, it enters a pending status. The respective client devices periodically check in (hourly) to receive and acknowledge the action.
Client Acknowledgment and Feedback: Once the client applies the action locally, it sends feedback to GYTPOL indicating the success or failure of the task, along with reasons for any failures.
Revert Capability (if applicable): If the action supports reversion to the original state, GYTPOL allows you to revert changes directly from the UI.
Auto-remediation
An "Automatic Remediation Action" in GYTPOL Validator is designed to automatically apply fixes to any future alerts that match predefined criteria on selected devices within the Target group.
By utilizing the Automatic Remediation Action feature, GYTPOL empowers users to proactively respond to emerging security challenges, ensuring that devices remain aligned with organizational policies and security standards as new alerts are detected. This automated approach enhances the overall security posture of the organization.
Mute
In GYTPOL Validator, users have the option to mute or "remove" alerts from the user interface and misconfiguration list. This feature is useful when an alert is acknowledged as a known risk and no further action is required. Here's how it works:
Alert Muting: When you identify an alert that you consider a known risk and want to temporarily remove from view, you can choose to mute it.
Selecting the Target Group: Decide on the target devices or groups for which you want to mute the alert. This could involve specific devices, device groups, OUs, or other designated segments.
Muting Action: Utilize the "Mute Alert" action to initiate the muting process. This action essentially removes the alert from the UI and the misconfiguration list for the selected devices within the designated target group.
Muting alerts is a strategic way to focus attention on critical alerts while acknowledging and managing known risks. This functionality allows users to maintain a clear and prioritized view of active alerts, ensuring efficient security management within GYTPOL Validator.
Generic
In GYTPOL Validator, you have the ability to execute a set of actions on selected devices within the Target group. These actions can be accessed from the Generic drop-down menu and offer various functionalities for managing devices and policies. Here are the available actions:
Group Policy update Computer + user without restart: This operation triggers a gpupdate for both computer and user configurations without requiring a restart or logoff.
Group Policy update Computer + user with restart: This operation performs a gpupdate for both computer and user settings, followed by a computer restart upon successful completion.
Rescan Computer / User: This operation initiates a rescan of the computer or user ahead of the regular schedule, ensuring that the alert information is up to date.
Remove Local Policy Settings: This operation removes locally defined policy settings on the computer, ensuring that no administrative changes have altered the local configuration.
Sync Intune: This operation forces devices to retrieve updates from InTune, ensuring that the information remains current.
Remediation Action
The remediation of findings in GYTPOL Validator can be initiated through the use of the green spanner icon. Once this icon is clicked, it opens an Action screen that facilitates the remediation process. Here's an explanation of the components within this screen using an example scenario of remediating the "SMB Everyone Shares" issue under the "SMB and Sharing" topic on non-DC servers:
After the spanner is clicked, please apply an action as needed:
Here's a concise breakdown of the key elements within the "Remediate" section of GYTPOL Validator, using the example of remediating "SMB Everyone Shares":
Remediate Topic: This section provides an explanation of the topic you're remediating. For instance, in our case, we're addressing "SMB Everyone Shares."
Share Selection: You can specify individual shares you want to remediate or select "Any" to remediate all shares within the chosen scope of devices.
Auto Re-apply: This option ensures that the same remediation is automatically applied to new GYTPOL clients reporting for the first time or meeting the defined criteria.
Mute Alert: Suppresses the alert if you're aware of the finding and want to hide it from the UI.
Computer Group: Create custom groups based on naming patterns, OUs, and more. These groups are distinct from the OU structure and can be modified as needed. Groups can be static or dynamic.
OS / Type: Choose the specific operating system (e.g., Windows non-DC servers) on which you want to perform the remediation.
Domain: If multiple domains report to the UI, select the domain where you want to apply the remediation.
Org. Unit: Specify the organizational unit on which you want to perform the remediation. Choosing "Any" will apply it to any organizational unit.
Computer: Target a specific device for remediation. Choosing "Any" applies the remediation to all devices within the same organizational unit.
Schedule: Decide whether to perform the remediation ASAP (based on the hourly trigger) or schedule it for a more convenient time.
Remark: Add a comment to provide context or additional information about the change being made.
Apply / Cancel: Confirm and execute the remediation action by clicking "Apply" or cancel the operation by clicking "Cancel."
Actions Screen
The screen provides a comprehensive view of both ongoing and completed tasks, categorized into specific tabs for efficient management:
Active Tab: This tab displays tasks that are currently in progress. It includes running one-time remediations, auto-remediations, as well as tasks related to muted alerts. These tabs represent ongoing actions that are actively being executed.
Inactive Tab: In this tab, you can access tasks that have been successfully completed or canceled/stopped. This includes one-time remediations, auto-remediations, and other types of tasks that have concluded.
The "Actions" screen also offers the flexibility to filter tasks based on their nature:
Remediations: Filter tasks to exclusively display one-time remediations that have been initiated and are currently active.
Auto-Remediations: Filter tasks to show auto-remediations that are ongoing as part of the automated remediation process.
Muted Alerts: View tasks related to muted alerts, which are tasks that suppress alerts from being displayed in the UI.
Generic Tasks: Access other types of tasks that fall under the "generic" category, providing a more encompassing overview of all ongoing tasks.
By offering these filters and categorized tabs, the "Tasks" screen empowers you to effectively track, manage, and monitor the various tasks being executed within GYTPOL Validator.
Activate / Edit / Deactivate Remediation Rule
After creating a task using the Action/Remediation screen, you can manage and modify it through the Actions screen. This screen offers the following options:
Stop Action: This option halts any ongoing remediation actions that have not yet been completed on devices. As a result, the task status will change, and it will be moved to the inactive tab to signify that it has been stopped.
View / Replace Action: By selecting this option, you can access the remediation action screen associated with the task. This allows you to make modifications to the action, such as changing the target devices, adjusting auto-remediation settings, and more.
Export: You have the ability to export key information related to the task. This includes the results of the task (status and initiator), as well as the list of devices encompassed by the task's scope. This data can be exported to a CSV file, as detailed in the Export section of the GYTPOL Validator.
Revert Action
The "Revert Action" functionality is accessed through the Actions screen. To perform a revert action, you have the following options:
Revert All: This option enables you to revert the remediation action on all devices within the defined scope. By selecting this option, the remediation changes will be undone on all applicable devices.
Revert on Selected Device(s): If you wish to revert the remediation action on specific devices within the scope, you can do so by clicking the "undo" icon for the respective device(s). This allows you to selectively revert changes on chosen devices.
Quick Wins
"Quick-Wins" in GYTPOL Validator refer to misconfiguration topics that can be swiftly and easily remediated or auto-remediated without causing any adverse effects on the devices. These topics encompass low-hanging fruit in terms of security improvements.
For optimal results, it's advisable to follow these steps:
Create a Device Group: Begin by forming a group of devices within GYTPOL Validator. This group will serve as the initial target for remediation efforts.
Initiate Remediation: Start by launching the remediation process, focusing solely on one-time remediation for the selected device group. This allows you to tackle the identified misconfigurations efficiently.
Validate Impact: Monitor the devices in the group after the remediations have been applied. Ensure that there are no negative impacts on the devices' performance, functionality, or user experience. This validation step is crucial to confirm that the remediations indeed have the intended outcome.
Expand Remediation: After confirming the success of the Quick-Win remediations on the initial group of devices, you can gradually expand the remediation efforts to larger groups or even across your entire environment. This approach allows you to implement changes incrementally while ensuring that any unforeseen issues are identified and addressed promptly.
Continuous Monitoring: Even after applying Quick-Win remediations across your environment, continue to monitor the devices and their performance. GYTPOL's monitoring capabilities provide ongoing visibility into the status of devices and their compliance with the applied fixes.
Detailed information about Quick-Wins and the specific misconfiguration topics that fall under this category can be found in the dedicated section provided. By leveraging Quick-Wins, you can swiftly enhance the security posture of your environment while minimizing disruptions to devices.
Group Policy Validation (available to On-Prem customers)
From the Homepage, specifically under the Windows section, you can easily navigate to the policy validation screen.
These screens are purposefully designed to highlight discrepancies and gaps within the applied Group Policy Objects (GPOs). Common issues include failed applications of Group Policy Preferences (GPPs), mismatched settings, presence of local GPOs, orphaned GPOs, and related settings.
The presentation of errors is organized according to various criteria, encompassing device/user, GPO, organizational unit (OU), and operating system (OS). The layout features computers on the left-hand side and users on the right-hand side.
In the specific example displayed below, it is evident that a total of 482 computers underwent scanning. Of these, 69 computers were flagged with at least one issue, while the same applies to 27 users. This visual representation aids in quickly identifying the extent of issues within the environment.
Example for a setting mismatch on a Default Domain Controllers Policy:
Another example: GPP drive-map that wasn’t applied due to “Access Denied”:
Login Profiler (available to On-Prem customers)
In this interface, you can readily assess whether any domain-wide policies might lead to sluggish startup or login durations. This evaluation is conducted based on factors such as the device/user, extension, or organizational unit (OU) impacted.
The layout of this screen mirrors the Policy Validation screen, where devices are positioned on the left-hand side and users on the right-hand side. This arrangement simplifies the identification of potential issues affecting either devices or users due to policy configurations.
You have the capability to delve deeper into the details and pinpoint the policy that is causing the latency issues. Moreover, you can identify the specific settings or a group of settings within that policy that are contributing to the performance delays. This granular level of analysis empowers you to precisely identify and address the root causes of latency within your policy configurations.
Active Directory / Group Policy Enhanced Security
This section showcases public data that can be queried from domain controllers using basic domain user access rights. The displayed information encompasses details like administrator groups, susceptible file paths within your GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, and the ability to query custom group changes, among other elements.
Clicking on a box within this interface provides a detailed list of the examined items. You can also navigate through a drill-down process from the specific topic to access more comprehensive insights into the data.
Maintenance
The Active Directory and Group Policy module offers recommendations for enhancing cleanliness and optimizing performance. These insights and suggestions are presented at the organizational level, highlighting areas where adjustments can be implemented to enhance the organization of your Group Policy Objects (GPOs) and Active Directory (AD).
By drilling down into a specific box or topic, you can access a detailed list of identified items. Within the same topic, you'll encounter our "Know-How" feature represented by a hat icon. This resource provides comprehensive explanations about the findings and offers guidance on rectifying or modifying the identified issues, facilitating informed decision-making and proactive improvements.
CIS / NIST benchmarks
The platform provides hardening recommendations aligned with the Center for Internet Security (CIS-8) and the National Institute of Standards and Technology (NIST 800-53) guidelines. These recommendations are detailed in the overview.
Accessible from the homepage, you can access the corresponding dashboard by selecting the relevant standard. Once clicked, the CIS or NIST dashboard will be displayed, presenting the benchmark results. Here's a breakdown of the color codes used:
Green: Indicates that the settings within your organization are compliant.
Red: Denotes that the settings within your organization are not compliant.
Orange: Indicates that the settings are not managed in your organization, and there is no detectable Group Policy Object (GPO) containing the relevant setting.
These color-coded indicators offer a quick overview of compliance status and the need for corrective actions.
You can retrieve the list of computers to determine whether the specific setting you've chosen is applied or not. This allows you to quickly identify which computers are in compliance with the chosen setting and which ones are not.
Customization and Settings
Health screen
This screen provides a comprehensive overview of reporting clients, including their status, the timestamp of their last successful scan, version information, operating systems, and the client scope (Endpoint, Server, or VDI).
Devices that are missing from reporting are color-coded as follows:
Blue: Devices reported within the last 24 hours.
Yellow: Devices that have not reported in the last 3 days.
Orange: Devices that have not reported in the last week.
Red: Devices that have not reported in 7-14 days.
Devices that have been removed from the organization or have missed reporting for over 14 days are moved to the "Missing over 14 days" section. If a device has not reported for over 30 days but was registered in Active Directory within the last 30 days, it will be moved to the "Never Reported" section. This helps to keep track of the reporting status of devices accurately.
What’s new
The "What's New" page is a dedicated section that showcases the updates, enhancements, bug fixes, and new features introduced in various versions and releases of GYTPOL. This page serves as a valuable resource for users to stay informed about the changes that have been implemented in the software. It includes information about the addition of new functionalities, improvements to existing features, resolutions for known issues, deprecation of certain elements, and any security updates that have been applied.
By referring to the "What's New" page, users can quickly understand the evolution of GYTPOL and make the most of the latest enhancements.
License
The license page is a section that outlines the terms and conditions under which the software application or system is licensed to users. The page will include details such as the license type, User/Computer limitations, the license expiration dates, disclaimers or any applicable liabilities.
The page is also used to generate a new license ID (when changes need to be made to the existing license) or upload a new license when purchased or updated.
About
Information about the builds and versions for different system components. This data might be requested by the support team during troubleshooting or update processes.
Group Policy and Active Directory Filters
If any findings or recommendations related to Active Directory, Group Policy, or CIS/NIST benchmarks have been muted from the user interface, they will be categorized and displayed under the respective filters. This allows users to easily identify the items that have been muted and provides the option to unmute them if needed.
Unmuting an item would mean that it will again appear in the regular alerts or recommendations list, ensuring that no critical issues are overlooked and that the organization's security posture remains strong.
Managing User Accounts
GYTPOL features a Role-Based Access Control (RBAC) system that enables administrators to define precise permissions levels within the user interface. To configure RBAC in GYTPOL, follow these steps:
Enter the desired role name (e.g., Full Admin, Security Team Admins, Windows Server Team) and click "Add Scope."
Choose the appropriate scope for the role, such as Admin for Full Admin access, Windows endpoints, servers, Linux, etc.
Once the scope is added, you have the option to include additional permission scopes as required.
Click on "Add member" and input the relevant username associated with the selected scope, then click "Add." The username should follow the DOMAIN\USERNAME syntax.
It's important to note that the user added in this step should continue to be a member of the groups used for GYTPOL management, as it was prior to this change. You can verify the groups in the c:\gytpol\data\webSRV\websrv_config.json file.
You can repeat the process to add additional users to the same role.
Once all user memberships have been configured, click "Apply" to save the changes.
This RBAC feature in GYTPOL helps organizations tailor access permissions to different teams or individuals, enhancing security and ensuring that users have the appropriate level of control and visibility within the system.
Computer Groups
GYTPOL allows you to create custom computer groups, whether static or dynamic, based on various criteria such as name patterns, operating systems, organizational units (OUs), domains, or custom lists.
Here's how you can create a custom computer group:
Click on the "+" icon to initiate the creation of a new group.
Provide a name for the group that represents its purpose or criteria.
Select the devices you want to include in the group based on the available options on the screen. These options could include name patterns, operating systems, OUs, domains, or even arbitrary lists of devices.
After specifying the criteria and devices, click "Add" or a similar confirmation button to create the custom group.
By creating custom computer groups, you can efficiently manage and categorize your devices, allowing for easier organization, targeting of actions, and monitoring of specific sets of devices that meet certain criteria. This feature can enhance the flexibility and customization of your GYTPOL deployment.
References
GYTPOL High Level Architecture
GYTPOL System Requirements
GYTPOL On-Prem Server Installation, Administration and Upgrade Guide
GYTPOL Client Installation , Client GPO deployment and Upgrade Guide
GYTPOL API documentation
GYTPOL Splunk Integration documentation
Quick-Wins
As mentioned earlier – "Quick-Wins" in GYTPOL Validator refer to misconfiguration topics that can be swiftly and easily remediated or auto-remediated without causing any adverse effects on the devices. These topics encompass low-hanging fruit in terms of security improvements.
To make the most of Quick-Win remediations:
Create a device group for testing.
Apply Quick-Win fixes to this group.
Verify fixes' impact and success.
Gradually expand fixes to more devices.
Monitor ongoing compliance and performance.
The examples below show some Quick-Wins items (Windows, Linux, macOS).
Remote Code Execution
Log4J (CVE-2021-44228, CVE-2021-45046)
LOG4J is pertinent for various operating systems, including Windows, Linux, and macOS. In GYTPOL, we have adopted the strategy of abstaining from software updates due to potential repercussions. Instead, we opted to modify two lines of code within the JNDI Lookup java class. These changes encompass:
Validation of the input parameter (dataTime parameter) within the class, ensuring its accuracy and reliability.
Elimination of the execution of the parameter, as it holds no relevance within this particular function. The execution served no purpose and was deemed redundant.
Topic: | log4j2 Vulnerability |
Subject: | log4j2 Vulnerability in JndiLookup |
Description: | Remote Code Execution 0-Day Vulnerability (CVE-2021-44228, CVE-2021-45046). |
Suggestion: | It is highly recommended to use Gytpol to secure the current version (ZERO-IMPACT!) – no software upgrade needed. |
Reason: | Correcting the function to work as it should by validating the input parameter to be a DateTime and removing the execution which wasn't relevant to this function. Adopted by APACHE to 2.17.1 (Gytpol are not upgrading the Log4J, we just correcting the zero-day vulnerability in the code) |
Office Follina Attack (CVE-2022-30190)
Follina pertains to devices equipped with any version of Microsoft Office. Once again, Microsoft's response to the zero-day vulnerability was found lacking, prompting our discovery of two additional registry keys that necessitated removal from the devices. These registry keys, which were last utilized in 2013, were identified as contributing factors to the issue.
Topic: | Office Follina Attack |
Subject: | Follina Attack (CVE-2022-30190) |
Description: | A zero-day allowing code execution in Office products: Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View. |
Suggestion: | Remediate urgently with Gytpol (ZERO-IMPACT!). |
Reason: | Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in System Settings as other or additional troubleshooters. |
MS Word RTF (CVE-2023-21716)
MS Word RTF exploits are applicable to devices equipped with any version of Microsoft Office. This instance involves another inadequately patched zero-day vulnerability. At GYTPOL, we took proactive measures by disallowing the opening of RTF files from unverified or untrusted sources. This action helps mitigate the risk associated with this vulnerability and enhances the security of the system.
Topic: | MS Word RTF Document |
Subject: | MS Word RTF (CVE-2023-21716) |
Description: | CVE-2023-21716, a critical RCE vulnerability in Microsoft Word that can be exploited when the user previews a specially crafted RTF document. |
Suggestion: | Remediate urgently with Gytpol (ZERO-IMPACT!), or: use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources. |
Dell Driver (CVE-2021-21551)
Dell Driver concerns are relevant exclusively to Dell devices. In our approach at GYTPOL, we opted to align with Dell's guidance. This involved the removal of the driver situated within the Temp folder on the device. By adhering to Dell's recommendations, we aimed to enhance the security and functionality of Dell devices under our purview.
Topic: | Dell Driver |
Subject: | BIOS Driver Privilege Escalation Flaws |
Description: | (CVE-2021-21551): A security vulnerability affecting the dbutil_2_3.sys driver packaged. Attackers may exploit these vulnerabilities to locally escalate to kernel-mode privileges. |
Suggestion: | According to dell, it is highly recommended to remove the driver or update it using Dell System Inventory Agent. See more: https://www.dell.com/support/kbdoc/en-il/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability. |
Reason: | The file located in c:\Windows\Temp and it is not needed for any Dell software or application |
Privilege Escalation
Print Spooler Log
Print Spooler Log pertains to Windows systems, enabling the monitoring of printer usage activity. This proactive approach helps to avert potential issues, such as the unaddressed print nightmare vulnerability. By scrutinizing the print spooler log, we can implement measures to prevent any such vulnerabilities from materializing, thereby enhancing the security and stability of the Windows environment.
Topic: | Print Spooler Log |
Subject: | Print Spooler Log |
Description: | The Print Spooler Operational Log is disabled. By enabling the log - you create a visibility of active printing and attacks. |
Reason: | Activating a log will give extra visibility prior to stopping the Print Spooler. The log size is limited to 1MB and will not consume much of disk space |
Print Spooler Service
Print Spooler functionality is applicable to Windows systems. When the printer log is enabled, it not only provides insights into mapped printers but also logs printing activities. This visibility underscores the simplicity of determining whether the service is necessary. If deemed unnecessary, the service can be disabled with ease. This approach aids in enhancing security and efficiency by preventing potential risks associated with the service when it's not in active use.
Topic: | Print Spooler |
Subject: | Print Spooler service status |
Description: | Many attackers use this service as their back door to the servers. It is recommended to disable this service via GYTPOL or group policy on all servers. |
Reason: | The Spooler service is being disabled after we show that there are no Printing events, and no Printers are attached to the server/endpoint (spooler log must be enabled). |
Local Admins
Local Admins status pertains to Windows, Linux, and macOS systems. Our current capability encompasses not only identifying individuals designated as local administrators but also tracking recent usage patterns. This enhanced visibility allows us to make informed decisions. For instance, if there has been no logon activity within the last 90 days, it becomes straightforward to determine the need for remediation actions. This strategic approach aids in maintaining system security by promptly addressing potential risks associated with unused or unnecessary admin privileges.
Topic: | Local Admins |
Subject: | Local administrator on computer |
Description: | Detected a local administrator on the computer. In most cases users should not have the Local Administrator privilege, as it grants them total control over the computer and exposes the computer and the organization to malware risks. |
Suggestion: | You should verify that these privileges are legitimate, and either Filter Out this warning or privilege from the user. |
Reason: | Login events are shown, and the user is removed from the Local Admins after 90 days of inactivity. |
Local Users
Local Users management is applicable across Windows, Linux, and macOS platforms. Our current capabilities extend beyond identifying local user accounts and their group memberships. We now also possess the ability to track recent usage patterns. This enhanced visibility allows us to make informed decisions. For example, if there has been no logon activity within the last 90 days, it becomes a straightforward decision to initiate remediation actions. This approach contributes to bolstering system security by promptly addressing potential risks associated with underutilized or unneeded local user accounts.
Topic: | Local Users |
Subject: | Local user activity |
Description: | Detected active local user on the computer. Local users should not be created and must be removed unless it is the local Administrator account. |
Suggestion: | Verify those accounts are correct and ignore if needed. Remediate in case the users are irrelevant. |
Reason: | Login events are shown, and the user is removed from the Local Users after 90 days of inactivity. |
Guest Users
Guest User management pertains to Windows and macOS environments. Our capabilities now encompass the ability to identify instances where Guest Users have been overlooked or not properly disabled. This feature allows us to locate areas where these accounts may have been inadvertently left active. By detecting and rectifying these oversights, we enhance security measures and ensure that potential vulnerabilities associated with active Guest Users are promptly addressed in both Windows and macOS systems.
Topic: | Guests Users |
Subject: | Local Guests Accounts Status |
Description: | A guest account allows unauthenticated network users to gain access to the system. According to Microsoft, this can lead to the exposure or corruption of data. |
Suggestion: | It is highly recommended to disable all Guests users. |
Reason: | By default, Guest account should be prevented for login locally and access from the network. |
Batch Privilege (Log on as a Batch)
Batch Privilege management applies to both Windows and Linux environments. Our capabilities extend to the identification of users with the ability to run batches, encompassing various mechanisms such as task scheduler, crontab, and IIS App Pool. Similar to our approach with local admin privileges, we aim to provide a clear correlation by showcasing the associated group and its members. The identification of empty groups simplifies decision-making. This comprehensive view aids in promptly addressing security concerns, making it straightforward to take action in instances where unauthorized or unneeded batch privileges exist within both Windows and Linux systems.
Topic: | Batch Privilege |
Subject: | Dangerous privilege granted: Log on as a Batch |
Description: | SeBatchLogonRight accounts can log on by using a batch-queue tool such as the Task Scheduler service. |
Suggestion: | Change this setting to <Service Accounts> under 'Default Domain Policy' and under 'Default Domain Controller Policy': Go to Computer configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a Batch |
Reason: | The group is empty and isn’t used. Once used, it will have the same access level for Batch and Tasks execution as the Local Admins group (usually will have Domain Admins in it). |
Lateral Movement
Exchange WebShell
Exchange WebShell vulnerabilities are pertinent to Windows environments. This massive zero-day vulnerability often poses challenges for organizations utilizing on-premises Exchange servers in terms of consistent patching. At GYTPOL, we have devised a strategy to detect and combat this threat. Our approach involves identifying malicious DLL files that are created as part of the attack and subsequently removing them. By proactively addressing the issue, we contribute to safeguarding the security and integrity of Windows systems impacted by Exchange WebShell vulnerabilities.
Topic: | Exchange IIS WebShell |
Subject: | Exchange Malicious IIS WebShells |
Description: | HAFNIUM's attack tools found on host: IIS WebShell. |
Suggestion: | Immediate action required: your server has been compromised! (1) Remove the file(s) immediately from the computer(s) and start an investigation. (2) Sometimes it is also recommended to restore the server before the attack date and to full patch it. (3) Check other servers for lateral movement. |
Topic: | Exchange Temp WebShell |
Subject: | Exchange Malicious Temp WebShells |
Description: | HAFNIUM's attack tools found on host: Temp WebShell. |
Suggestion: | Immediate action required: your server has been compromised! (1) Remove the file(s) immediately from the computer(s) and start an investigation. (2) Sometimes it is also recommended to restore the server before the attack date and to full patch it. (3) Check other servers for lateral movement. |
Credentials
Credential Manager
Credential Manager concerns are relevant to Windows environments. In scenarios where accessing network paths or Remote Desktop Protocol (RDP) requires entering credentials, these credentials are often stored on the device, posing a security risk. GYTPOL's approach to remediation involves the permanent removal of these stored credentials from the user's profile. By implementing this measure, we mitigate the exposure of sensitive credentials, enhancing the overall security of Windows systems by preventing unauthorized access to stored credentials.
Topic: | Credential Manager |
Subject: | User credentials stored on computer |
Description: | The Windows Credential Manager is providing easy password management to the user, but exposes his account to security threats. Any process running in the user's account can get elevated access to the vault and steal the stored passwords. |
Suggestion: | It is highly recommended to disable the Credential Manager and prevent local storage of user credentials via Group Policy: User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > Do not allow passwords to be saved > Enabled. Instead, you should opt to use the Windows Defender Credential Guard via the Group Policy. |
Unattended File
Unattended File concerns are specific to Windows environments. When generating a new system image and configuring fresh settings, an "unattended file" is often created. This file functions as an answer file, streamlining the deployment of the new image and its associated operating system settings to other devices. Occasionally, network configurations necessitate leaving credentials, typically administrative credentials, which can be exposed in plain text. Once the image has been established, the file becomes obsolete.
At GYTPOL, our approach involves removing this unattended file post-image creation. By doing so, we eliminate the potential exposure of sensitive credentials in clear text, ensuring that the security of Windows systems is upheld and unnecessary security risks are mitigated.
Topic: | Unattended File |
Subject: | Unattended Configuration File is Exposed |
Description: | Unattended files are configuration files that save the organization configuration in a simple XML that anyone can read and has access to. |
Suggestion: | It is highly recommended to remove this file via GYTPOL remediation and remove it permanently from any given Windows image. |
Reason: | It is not used after the device is installed, added to domain and all settings are done. Safe to delete. |
SMB and Sharing
SMBv1
SMBv1 (Server Message Block version 1) pertains to Windows, Linux, and macOS platforms. Our capabilities extend beyond identifying whether SMBv1 is enabled; we also provide insights into its recent usage. This information aids in making informed decisions regarding remediation, particularly in cases where SMBv1 has not been actively utilized. This approach simplifies the remediation process by facilitating the identification of opportunities to disable SMBv1 without causing any adverse impacts, as it has not been in use. This proactive strategy helps enhance the security and overall health of Windows, Linux, and macOS systems.
Topic: | SMB Version 1 |
Subject: | Vulnerable SMB v1 Network File Sharing |
Description: | The computer has SMB v1 installed, which lacks important protection mechanisms offered by later SMB protocol versions. It is a well-known security risk, exploited by various ransomware worms, Denial-of-Service and Remote Code Execution attacks. Bear in mind that some legacy software and network printers require SMB v1 to function. |
Suggestion: | It is highly recommended to remove SMB v1 via GYTPOL. Do verify that there's no legacy software or network printers that requires SMB v1. If there are computers with legacy software (that demands admins browse via the so-called network aka network neighborhood master browser list) or computers running run old multi-function printers with old firmware in order to “scan to share” then do not remove until you upgrade that software. |
Reason: | SMBv1 wasn’t used on the last 90 days (we can also show if ever used) and it is safely to disable by removing the feature from the device. |
Access to Shares Anonymously
Access to Shares Anonymously is a concern specific to Windows environments. Default values can often present challenges, requiring significant effort to track down and address all settings. This particular setting grants permission to anonymous users for access, a permission that most organizations do not require or desire.
At GYTPOL, our approach is to rectify this by modifying the settings to ensure that anonymous users are not granted access. By implementing this security measure, we enhance the overall security posture of Windows systems, mitigating the risk of unauthorized access and aligning the system configuration with organizational security requirements.
| Accessing Shares Anonymously |
Subject: | Accessing Shares Anonymously |
Description: | When this setting is not set - sessions or pipes might have attributes and permissions that allow anonymous access. An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. |
Suggestion: | It is highly recommended to not allowing accessing device shares anonymously. |
Reason: | Anonymous access should be limited and prevented in a corporate network – access should be allowed for Authenticated users only. |
Everyone to Anonymous
Granting "Everyone" additional access to Anonymous is a Windows-specific concern. Default values can indeed present challenges, necessitating significant efforts to address various settings. This particular setting extends permissions to Anonymous users by including them in the "Everyone" group, potentially providing them with unauthorized access.
At GYTPOL, our approach involves modifying these settings to prevent Anonymous users from being included in the "Everyone" group, thereby mitigating the potential for unauthorized access. By implementing this security measure, we contribute to bolstering the security stance of Windows systems, aligning them with organizational security standards and minimizing the risk of unauthorized access.
Topic: | Everyone to Anonymous |
Subject: | Everyone to Anonymous Permissions |
Description: | This policy setting determines what additional permissions are granted for anonymous connections to the device. An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. |
Suggestion: | It is highly recommended to not allowing everyone group permissions apply to accessing device shares. |
Reason: | Anonymous access should be limited and prevented in a corporate network – access should be allowed for Authenticated users only. |
General
LLMNR
LLMNR (Link-Local Multicast Name Resolution) is a Windows-specific protocol that has been deemed risky and obsolete in modern operating systems. Organizations have largely ceased using this protocol due to security concerns. It's important to note that LLMNR is enabled by default in some systems.
At GYTPOL, our approach is to disable LLMNR to enhance the security posture of Windows systems. By deactivating this protocol, we minimize potential risks associated with its use and align the system configuration with modern security standards. This proactive measure contributes to the overall security and stability of Windows environments.
Topic: | LLMNR |
Subject: | LLMNR protocol allowing impersonation attacks |
Description: | The Link-Local Multicast Name Resolution (LLMNR) protocol allows name resolution without the requirement of a DNS server, by enabling a special multicast UDP packet on port 5355, to be sent across the network, asking all listening Network-Interfaces to reply if they are authoritatively known as the hostname in the query. The problem is the protocol doesn't have effective protections, and an attacker can fabricate a response and steal user credentials. more |
Suggestion: | This is legacy protocol with high risks and should be disabled via an Active Directory GPO. Using GPMC, create a GPO, and under Computer Configuration - Policies - Administrative Templates - Network - DNS Client - Turn Off Multicast Name Resolution - set to Enabled. |
Reason: | In modern networks, the DNS should be the one responsible for managing the PC/Servers names and not rely on multicast or broadcast name resolution. |
Obsolete Software
Powershell 2
PSv2 (PowerShell version 2) is relevant to Windows systems. In default configurations, both PSv2 and PSv5 are installed on Windows 10, Server 2016, and subsequent versions. However, PSv2 is not commonly utilized by organizations using these operating systems, as all commands supported by PSv2 are also available in PSv5.
At GYTPOL, we recommend removing PSv2 to streamline system configurations. By removing PSv2, organizations can enhance security by reducing the attack surface and potential vulnerabilities associated with unused components. This proactive approach aligns with modern security standards and contributes to the overall security and efficiency of Windows environments.
Topic: | PowerShell Version |
Subject: | PowerShell v2.0 installed and vulnerable |
Description: | PowerShell v2.0 engine contains known vulnerabilities and is susceptible to downgrade attacks. PowerShell v5 introduced important security capabilities which are lacking in v2. Having v2 on a computer enables attackers to revert the execution to the older engine, thereby circumventing the added security. |
Suggestion: | It is highly recommended to upgrade PowerShell to v5.1 or above and uninstall PowerShell v2.0. Use the Add/Remove Windows Features on a Windows workstation computer, or Server Manager to remove the feature on a Server computer. |
Reason: | By default, Windows will use the latest version installed and will use ver. 5.1 instead of ver. 2 – once ver. 2 is removed, PS5.1 will still remain the default version. |
Legacy Protocols
DES
DES (Data Encryption Standard) and triple DES (3DES) relevance pertains to Windows systems. DES is a legacy cipher within the context of Kerberos authentication. Modern operating systems typically do not utilize DES unless specifically mandated by an organization.
At GYTPOL, our approach involves disabling DES, especially if it is not actively used within an organization. By disabling DES, organizations can align their security posture with modern encryption standards, reducing the potential vulnerabilities associated with legacy ciphers. This proactive measure enhances the security and integrity of Windows environments by adhering to contemporary security practices and standards.
Topic: | DES Authentication |
Subject: | An authentication was made using DES |
Description: | DES does not provide authentication. It is vulnerable to a variety of attacks including man in the middle (MITM). |
Suggestion: | It is highly recommended to disable DES via the Group Policy. Follow the steps: https://www.tbs-certificates.co.uk/FAQ/en/desactiver_rc4_windows.html. |
Reason: | We show if DES authentication was used in the last 30 days, and it can be disabled only on a non-used device. |
RC4
RC4 (Rivest Cipher 4) is relevant to Windows systems. Similar to DES, RC4 is considered a legacy cipher within the context of Kerberos authentication. Modern operating systems typically do not employ RC4 unless specifically required by an organization.
At GYTPOL, our recommended approach involves disabling RC4, especially if it is not actively utilized within the organization. Disabling RC4 aligns security practices with modern encryption standards, reducing the potential vulnerabilities associated with outdated ciphers. This proactive measure contributes to bolstering the security and overall robustness of Windows environments by adhering to contemporary security norms and best practices.
Topic: | RC4 Authentication |
Subject: | An authentication was made using RC4 |
Description: | RC4 does not provide authentication. It is vulnerable to a variety of attacks including man in the middle (MITM). |
Suggestion: | It is highly recommended to disable RC4 via the Group Policy. Follow MS steps: https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-disabling-rc4-479fd6f0-c7b5-0671-975b-c45c3f2c0540. |
Reason: | We show if RC4 authentication was used in the last 30 days, and it can be disabled only on a non-used device. |