User Guide for On-Prem installation
Introduction
Product
About GYTPOL
GYTPOL is a comprehensive cybersecurity solution engineered to safeguard and optimize your digital assets. It runs on Windows, Linux, and macOS, and protects desktops, laptops, and servers, whether virtual or physical, domain-joined or not.
This solution automates a range of critical cybersecurity use cases:
Continuous Detection of Misconfigurations: GYTPOL's automated system consistently identifies security misconfigurations stemming from operating systems, human errors, and third-party applications. It facilitates auto-remediation while ensuring zero adverse effects on your environment.
Revert Remediation Actions: When necessary, GYTPOL can reverse previously executed remediation actions.
Harden Devices: The product provides recommendations for enhancing device security configurations, helping you to further harden your systems.
Policy Validation: GYTPOL validates that computer and user Group Policies are accurately applied to all endpoints. (Intune policy support is forthcoming.)
Configuration Benchmarking: The solution benchmarks your configurations against recognized industry security standards such as CIS and NIST.
Enhanced Active Directory and Group Policy Security: GYTPOL enhances the security of your Active Directory and Group Policy configurations.
Optimized Group Policy Definitions: GYTPOL aids in optimizing Group Policy definitions, flagging issues like duplicated or conflicting GPOs.
Startup and Login Time Optimization: GYTPOL identifies Group Policies that may contribute to sluggish computer startup and user login times.
In summary, GYTPOL streamlines security and optimization efforts across diverse environments, automating key processes to ensure robust cybersecurity.
Audience
This User Guide is primarily intended for individuals and teams responsible for implementing, managing, and maintaining the cybersecurity infrastructure within their organizations. It caters to both technical and non-technical users, providing clear instructions and explanations for all levels of expertise.
How to Use This User Guide
To help you navigate through this User Guide effectively, it is divided into sections corresponding to different aspects of GYTPOL. Each section provides step-by-step instructions, best practices, and tips to maximize GYTPOL's potential.
Additionally, we have included screenshots and examples throughout the document to assist you in visualizing the interface and functionalities. Where applicable, we have also provided troubleshooting tips and frequently asked questions to address common concerns. The complete troubleshooting document is accessible both on our official website and through our dedicated support mailbox. If you encounter any challenges or require assistance, please refer to these resources for detailed guidance and solutions.
Contact Information
Should you have any questions, encounter difficulties, or require further assistance while using GYTPOL, please contact support@gytpol.com. Our dedicated support team is available to help you with any queries or concerns you may have.
We hope this User Guide serves as a valuable resource in understanding and leveraging GYTPOL to enhance your organization's security defenses.
Thank you for choosing GYTPOL, and we look forward to your success in safeguarding your digital assets.
How GYTPOL Validator works
The primary data flow process within GYTPOL Validator unfolds through the following sequential stages:
Installation and License Activation:
Install the GYTPOL Server and activate the associated license to set up the core infrastructure.
Client Deployment and Execution:
Deploy the GYTPOL Client on each endpoint device.
The GYTPOL Client executes once daily, at randomly chosen times, following a predefined sequence of actions.
The scanning process typically completes within 5-7 minutes.
Data Collection during Scan:
The GYTPOL Client collects data on misconfigurations and unpatched zero-day vulnerabilities during its scanning routine.
For Microsoft devices, it also gathers Group Policy data (Resultant Set of Policy - RSOP).
(Note: Support for Intune configurations for all devices is slated to be added in the near future.)
Data Compression and Encryption:
Subsequent to data collection, the GYTPOL Client compresses the gathered data.
It then encrypts the compressed data using a public key.
Data Transmission Attempt:
The GYTPOL Client endeavors to establish a connection with the GYTPOL Server to transmit the encrypted and compressed data.
The first transmission attempt goes directly to the GYTPOL Server over the local network or a VPN connection, using port 9093, so the compressed and encrypted data travels to the GYTPOL Server within the local network or through the VPN, protecting it in transit.
If the device cannot reach the GYTPOL Server (for example because of DNS resolution, network, or connectivity problems) and the relevant feature is enabled, the client instead sends the data to GYTPOL's cloud-based Remote-Employee component located in the region agreed upon for the organization; the GYTPOL Server then retrieves the data from there. Enabling this feature is optional; see our High-Level Design (HLD) document for details.
Once data is received from a GYTPOL Client, the GYTPOL Server analyzes it with our exclusive GYTPOL Analyzer, which examines the data thoroughly and stores the results in a designated database, so that you are promptly informed about potential security risks.
After the GYTPOL Client completes its scan and data is transmitted to the GYTPOL Server, the IT and Security teams access the findings through the Web User Interface (UI). This interface is compatible with Chromium-based web browsers such as Google Chrome or the new Microsoft Edge.
The GYTPOL Server is equipped with several integrations to enhance its functionality and facilitate seamless operations:
It interfaces with various public APIs to support data exchange and integration with external systems.
Integration with Ticketing Systems like ServiceNow is established, streamlining the process of generating and managing tickets based on GYTPOL's findings.
Notably, the GYTPOL Server also integrates with Security Information and Event Management (SIEM) systems. Selected events and data are sent from GYTPOL to SIEM platforms, such as MicroFocus ArcSight, IBM QRadar, Sentinel, or Splunk. This integration enhances the security ecosystem by aggregating GYTPOL's insights into the broader context of security events and monitoring.
Client Server Communication
The interaction between the client and the server operates in a one-way manner: the client initiates its scheduled task either on a daily or hourly basis (the client's tasks are elaborated upon in the client section). Following the task execution, the gathered data is transmitted to the GYTPOL server, where it undergoes analysis and subsequently appears in the user interface for review.
Should a GYTPOL operator execute a remediation action or any other task from the console, the client conducts periodic checks for new tasks every hour through its hourly task execution. Upon initiating the task locally, the client provides feedback to the server regarding the outcome, indicating either success or failure.
Client
GYTPOL provides support for Windows, Linux, and macOS operating systems. For a comprehensive overview of the supported platforms, please refer to the client installation guide available at this link: GYTPOL Client Installation Guide
The GYTPOL Client runs once a day for a brief duration. Within this window, it collects data on misconfigurations, unpatched zero-day vulnerabilities, and outdated third-party software, which is then sent on for analysis.
GYTPOL Client for Windows
Language-Code: GYTPOL is developed using a combination of C# and signed PowerShell.
Post-Install: Following installation, GYTPOL uses the Task Scheduler functionality for its scheduled tasks.
Permissions: The scheduled tasks within GYTPOL are configured to run under the SYSTEM account. This account type doesn't require a username and password for execution.
Size: The GYTPOL installation size is less than 5MB.
Network Traffic: GYTPOL generates network traffic of up to 30KB per day. The data is transmitted in compressed (gzip format) form.
Scheduled Runs:
GYTPOL executes its tasks on a daily basis with a duration of 5-7 minutes.
The timing of the daily task varies based on the type of device:
End-User Devices: Random execution time between 10 am and 5 pm.
Servers: Random execution time between 10 pm and 4 am.
Additionally, GYTPOL sends a "keep-alive" message every hour to ensure continued connectivity. This message also serves to retrieve new tasks for maintaining security posture, including tasks related to remediation, reversion, updates, and upgrades.
Communication Protocol: GYTPOL employs the latest Transport Layer Security (TLS) version supported by the device for secure communication. All communication occurs over HTTPS to ensure data privacy and integrity.
GYTPOL Client for Linux/macOS
Language-Code: GYTPOL is implemented in the Go programming language (Golang).
Post-Install:
On Linux, GYTPOL utilizes systemd for post-installation task management.
On macOS, GYTPOL employs launchd for post-installation tasks.
Permissions: GYTPOL runs with root user permissions, which provide the necessary access for its functionalities.
Size: The installation size of GYTPOL is less than 3MB.
Network Traffic: GYTPOL generates network traffic of up to 30KB per day, with data transmission in compressed (gzip format) form.
Scheduled Runs:
GYTPOL executes its tasks once a day, with a random start time and a duration of up to 5 minutes.
Additionally, GYTPOL sends a "keep-alive" message every hour to ensure continuous connectivity. This message also prompts the retrieval of new tasks to ensure up-to-date security measures, encompassing tasks related to remediation, reversion, updates, and upgrades.
Communication Protocol: GYTPOL employs the most recent Transport Layer Security (TLS) version supported by the device. All communication occurs over HTTPS, ensuring data confidentiality and integrity.
Product overview
This section provides a quick overview of the GYTPOL Validator key capabilities and provides references to sections covering these capabilities in detail.
User Interface
From an end user's viewpoint, GYTPOL Validator is a role-based web application that simplifies cybersecurity management. The following walkthrough describes how users navigate the UI and the visual notations used throughout it; detailed instructions are provided in the corresponding documentation section:
Navigation:
Users access GYTPOL through a role-based web interface tailored to their responsibilities.
The UI seamlessly guides users to different sections, tools, and insights.
Visual Notations:
Export: Look for options to export data, facilitating data sharing and analysis.
Refresh: A common icon to refresh or update displayed information in real time.
Know How: This symbol typically offers contextual help, guiding users on specific actions.
User Roles:
GYTPOL's UI adapts to user roles, displaying relevant features and data.
Different users interact with tools suited to their tasks, ensuring focused functionality.
Comprehensive Views:
The UI presents various dashboards and sections tailored for specific needs like policy validation, maintenance, and benchmarking.
Effortless Navigation:
GYTPOL's user-friendly design ensures intuitive navigation across functionalities.
Users can swiftly move between sections for effective management.
Consistent Experience:
Visual elements like buttons, icons, and labels maintain a consistent design, enhancing user familiarity.
Helpful Guidance:
In-app assistance guides users on performing specific tasks, maximizing usability.
By offering a role-based interface with intuitive navigation and helpful notations, GYTPOL empowers users to efficiently manage their cybersecurity tasks. This groundwork prepares users for a deeper exploration of specific functional use cases within the application.
Misconfigurations
Misconfiguration encompasses the mistakes made when setting up IT systems or security measures, which can result in vulnerabilities and potential security breaches. These errors often stem from insecure default settings, human oversights, incorrect application of Group Policy Objects (GPOs), and other factors.
Misconfigurations can manifest across various domains, including network devices, web applications, cloud services, servers and operating systems, encryption and key management, security tools, and access controls. To mitigate misconfigurations, it's essential to adhere to industry best practices. This entails conducting regular audits, implementing secure configuration settings, rigorously managing changes, and offering training and awareness initiatives.
GYTPOL provides a rapid solution to address misconfigurations, achieving this in a matter of minutes. For a comprehensive understanding of how to effectively manage misconfigurations, refer to the detailed guidance provided in the corresponding documentation section.
Group Policy Validation
The Policy Validation module within GYTPOL focuses on identifying and resolving gaps and issues associated with the implementation of Group Policy Objects (GPOs). This encompasses a range of concerns, such as failures in applying Group Policy Preferences (GPPs), disparities in settings, occurrences of local GPOs, orphaned GPO instances, and settings that don't match as intended.
The user interface offers a structured view that presents these errors and discrepancies in a clear manner. The screen's layout is organized, with computers listed on the left side and users displayed on the right. This layout facilitates efficient navigation and understanding.
Key features of the Policy Validation UI:
Error Display: The interface presents errors and issues in a way that is easy to comprehend and navigate.
Categorization: Errors are categorized based on different criteria like devices, users, specific GPOs, organizational units (OUs), or operating systems (OS). This categorization streamlines the identification and resolution process.
Visual Representation: The UI's intuitive design visually represents GPO-related issues, making it easier to spot discrepancies and errors.
By structuring the information in this manner, GYTPOL enables users to swiftly grasp and address GPO-related problems. For a more comprehensive understanding of utilizing the Policy Validation module, refer to the detailed instructions provided in the corresponding documentation section.
Login Profiler
The module serves to identify potential causes of slow startup or login times resulting from applied policies across the domain. This assessment can be performed according to various parameters, including device or user, specific policy extension, or organizational unit (OU). This module equips you with the capability to delve deeper into the analysis, pinpointing both the problematic policy and the specific settings or set of settings responsible for the observed latency.
Much like the Policy Validation screen, the layout shows computers on the left-hand side and the corresponding users on the right-hand side. This design gives a clear view of the relationships between policies and their effects on startup and login times.
For a comprehensive guide on utilizing the Login Profiler module effectively, refer to the corresponding documentation section.
CIS/NIST Benchmarks
The CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology) Benchmarks serve as comprehensive guidelines for configuring a range of software, operating systems, and devices. These benchmarks provide specific instructions to secure these systems against well-known vulnerabilities.
CIS 8 refers to the latest version of the CIS Controls, a prioritized list of actionable security measures designed by the Center for Internet Security. These controls encompass a diverse range of cybersecurity aspects, offering organizations a clear roadmap to enhance their cybersecurity practices. The CIS Controls are updated regularly to address emerging threats and incorporate industry best practices. By adhering to these controls, organizations can establish a robust cybersecurity foundation and mitigate various cyber risks.
NIST 800-53, on the other hand, is a comprehensive collection of security controls and guidelines tailored for U.S. federal information systems. This publication furnishes organizations with a framework to evaluate and enhance the security of their systems, safeguarding sensitive information. Covering multiple security domains, NIST 800-53 holds widespread recognition as a cybersecurity standard. Its adoption extends beyond the U.S. federal government, gaining prominence in various sectors and organizations worldwide. Abiding by NIST 800-53 assists organizations in elevating their security posture and aligning their practices with established industry standards.
For detailed guidance on utilizing the CIS/NIST Dashboards effectively, refer to the corresponding documentation section.
Active Directory / Group Policy Enhanced Security
The Active Directory / Group Policy Enhanced Security module provides visibility into public data accessible via a basic domain user's access rights. This information can be queried directly from domain controllers. The module offers insights into various aspects, including administrator groups, vulnerable file paths within GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, customized group change queries, and more.
The objective of presenting this data is to underscore the information that can be gathered using plain domain user access rights. By highlighting these findings, the module aims to demonstrate what an attacker could potentially access before progressing to lateral movement or elevating their permissions within the network.
For a comprehensive understanding of how to effectively utilize the Active Directory / Group Policy Enhanced Security module, refer to the corresponding documentation section.
Maintenance
The Maintenance section of GYTPOL offers valuable recommendations to enhance the administration of Active Directory (AD) and Group Policy Objects (GPOs). This includes suggestions for optimizing the management of these crucial components. GYTPOL aids in identifying various issues for more effective administration:
Unlinked GPOs: GYTPOL helps locate GPOs that are not linked to any organizational unit, enabling you to streamline your GPO structure.
Duplicated GPO Settings: The platform identifies duplicated settings within GPOs, allowing you to eliminate redundancy and ensure consistency.
AD Accounts Cleanup: GYTPOL assists in identifying and managing obsolete or unused Active Directory accounts, enhancing overall security.
Legacy OS: The system flags legacy operating systems that might pose security risks due to outdated support.
Multiple Loopbacks: GYTPOL highlights instances of multiple loopback processing settings, aiding in maintaining an organized and predictable GPO environment.
These recommendations empower you to proactively enhance the administration of AD and GPOs. For a comprehensive guide on effectively using the Maintenance features, consult the detailed instructions provided in the corresponding documentation section.
Administration
The Settings menu within GYTPOL offers a hub for various administrative tasks that you can perform to manage and customize your GYTPOL environment. This includes activities like group management, API access configuration, filters setup, and managing muted alerts.
Group Management: The Settings menu allows you to manage user groups, enabling efficient collaboration and access control within your organization.
API Access: You can configure API access settings, granting authorized applications or services the ability to interact with GYTPOL's functionalities.
Filters and Mutes Management: GYTPOL facilitates the customization of filters and mutes, helping you tailor your experience by controlling the alerts and data you receive.
For a comprehensive guide on navigating and effectively utilizing the Settings menu, refer to the detailed instructions provided in the corresponding documentation section. This resource will offer step-by-step guidance on performing administrative tasks and optimizing your GYTPOL configuration.
UI Navigation
The GYTPOL Validator Homepage offers a user-friendly gateway to different perspectives tailored for Windows, Linux, and macOS environments. Each perspective presents the top five alerts pertinent to its corresponding scope, providing a rapid overview of critical issues.
This homepage boasts a user-centric feature – the UI filtering option. By leveraging computer groups established by GYTPOL operators, you can effectively categorize devices based on specific attributes like operating systems, naming patterns, and organizational units (OUs). Detailed guidelines for creating and utilizing these groups are available in the Customization and Settings > Computer Groups section.
The homepage's top menus are designed for intuitive navigation across various sections, including:
Active Directory Security Page: This section addresses Active Directory security concerns.
AD and GPO Maintenance Page: Here, you can manage and optimize your Active Directory and Group Policy Objects.
CIS/NIST Benchmark Dashboards: Access detailed benchmark insights to enhance security posture.
Upon selecting the Windows dashboard, the top bar presents key information such as the number of reporting servers, endpoints, Domain Controllers, and Virtual Desktop Infrastructures (VDIs) – indicating the distribution of monitored assets. Additionally, the top bar showcases metrics regarding users validated through GYTPOL's Policy Validation module and the count of missing devices. Further explanation about these metrics can be found in the Customization and Settings > Health Screen section.
Drill downs
Every element within the user interface is interactive, allowing you to navigate to more advanced levels of UI management effortlessly.
Clicking on the top bar and the corresponding numbers triggers a transition to a detailed list of devices situated within the same scope. This list furnishes basic device information, encompassing attributes like device name, IP address, client version, timestamp of the last scan, operating system (OS), organizational unit (OU), and domain.
For every device listed, a further drill-down option is available. Activating this drill-down leads you to specific findings associated with that particular device. This in-depth exploration provides granular insights into the security and configuration status of the chosen device.
Selecting any of the misconfiguration scopes, such as Servers or Endpoints, triggers the opening of the misconfiguration page, where all pertinent alerts relevant to that specific scope are presented. These alerts are systematically categorized according to the MITRE ATT&CK framework, enhancing their organization and clarity. Each alert possesses the capability to be further expanded, revealing the list of devices implicated in that misconfiguration.
For streamlined management, a green wrench icon is available. Clicking this icon initiates actions that apply across all impacted devices, providing a unified solution for resolving the issue at hand. Additionally, by clicking on the individual alert button, actions can be executed at the device level, allowing for tailored remediation.
For a comprehensive guide on navigating the Misconfigurations and Alerts section effectively, refer to the detailed instructions provided in the corresponding documentation.
Export
You have the capability to export either a single metric or a set of metrics to a CSV file. For instance, you can export all metrics related to Legacy Protocols by following these steps:
Navigate to the relevant screen that displays the Legacy Protocols metrics.
Locate the "Export" or "Download" button within that screen.
Click on the button to initiate the export process.
A CSV file containing the Legacy Protocols metrics will be generated and downloaded to your device.
This CSV file will provide you with a structured record of the metrics related to Legacy Protocols, which you can then use for reporting or analysis purposes.
Another example is the export of a single finding:
Refresh
Within the user interface of GYTPOL, you have the flexibility to update information in two ways:
Refresh Entire Screen: If needed, you can refresh the entire screen to ensure that all displayed data is up-to-date. This option is useful when you want to refresh the entirety of your view.
Targeted Refresh: Alternatively, for more focused updates, you can click on the refresh icon situated adjacent to the Export button in the user interface. This approach is particularly beneficial when you specifically wish to update particular metrics or swiftly review results.
In opting for the targeted refresh, only the relevant metrics section that you select will be updated, aligning with your specific requirements. This feature enhances your ability to efficiently access the most recent information without refreshing the entire interface.
Getting Help - Know How
GYTPOL's Knowledge Base serves as a valuable resource, covering a wide range of topics, including security risks and manual/alternative methods to address identified findings. The primary goal of our Knowledge Base, often referred to as "Know How," is to offer swift access to information related to specific topics or alerts.
Here's how you can access and leverage the Know How feature:
Access Points:
The Knowledge Base can be accessed by clicking on the "academic hat" icon located on the top bar of the interface.
Alternatively, you can directly access Know How by clicking on the relevant icon within a specific topic.
Information Enrichment:
The Know How section provides comprehensive insights into various topics and alerts, enhancing your understanding of security risks and potential solutions.
Quick Reference:
By providing quick access to information, Know How allows you to swiftly retrieve relevant details, ensuring effective decision-making and problem-solving.
The Knowledge Base empowers users with in-depth information, enabling them to tackle security challenges with informed solutions. Whether you access it through the top bar or directly within specific topics, the Know How feature is designed to enrich your experience within GYTPOL and enhance your ability to address security concerns.
Search - find a computer or user
Locating specific computers belonging to users is a seamless process within GYTPOL:
Search Functionality:
Utilize the search box situated in the top right corner of the interface.
Input relevant information such as device name, user, or any identifying details to initiate the search.
Results Display:
Once the desired device is located, GYTPOL will promptly display the pertinent information associated with the device.
Misconfiguration Information:
GYTPOL will showcase the relevant misconfigurations that have been identified for the selected device.
This insight into misconfigurations empowers you to take targeted actions to address and rectify any issues.
Achievements
The Achievements screen provides valuable insights into the time saved and potential time savings achieved by using GYTPOL for remediation compared to traditional methods involving third-party tools, scripts, and Group Policy Objects (GPOs).
Key Features of the Achievements Screen:
Estimated Time Saved:
GYTPOL's automated approach significantly reduces the time needed for remediation.
You can view the estimated time saved, showcasing the efficiency gained by using GYTPOL's streamlined processes.
Potential Time Savings:
GYTPOL offers substantial potential time savings when compared to manual methods.
The Achievements screen highlights the comparative advantage of GYTPOL in terms of time efficiency.
Remediation Status Tracking:
Clicking on color-coded bars allows you to access the real-time status of the remediation process.
This feature offers transparency and visibility into the progress of resolving findings.
Focused Issue Resolution:
The Achievements screen also enables you to access the computers that still require remediation within specific topics.
Clicking on a desired topic directs you to the leftover computers, facilitating targeted efforts.
Getting started
Logging in
After installing the GYTPOL server, a desktop shortcut is automatically added for all users on the server, ensuring easy access. Additionally, you have the option to log in from any device within the network by using the following format: https://<gytpol-server-name>:9093
If you are unsure of your GYTPOL server name, you can discover it from the Command Prompt (CMD) by running ping _gytpol. This command reveals the server's FQDN.
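The following PowerShell script is an added example, not GYTPOL's own tooling: it resolves the same _gytpol name the guide's ping command uses, then confirms that the server accepts a TLS handshake on port 9093 and reports the negotiated TLS version and certificate details before you open the Web UI. It assumes that _gytpol resolves through the device's DNS suffix search list and that the server is reachable from the device you run it on.

```powershell
# Added example (not GYTPOL's own code): resolve the server name and verify
# that port 9093 negotiates TLS, reporting the protocol version and certificate.
# Assumptions: "_gytpol" resolves via the DNS suffix search list, and the
# GYTPOL Server is reachable on 9093 from this device.

param(
    [string]$Alias = '_gytpol',
    [int]$Port = 9093
)

# Forward-resolve the alias; HostName holds the canonical (FQDN) server name,
# the same name that "ping _gytpol" displays.
$fqdn = [System.Net.Dns]::GetHostEntry($Alias).HostName
Write-Host "GYTPOL server resolves to ${fqdn}"
Write-Host "Web UI URL: https://${fqdn}:${Port}"

$ssl = $null
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    # Fail fast instead of hanging when the port is filtered by a firewall.
    if (-not $tcp.ConnectAsync($fqdn, $Port).Wait(5000)) {
        throw "No TCP connection to ${fqdn}:${Port} within 5 seconds"
    }

    # Validate the server certificate with the normal Windows chain rules, so an
    # untrusted or expired certificate surfaces here rather than in the browser.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($fqdn)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    [pscustomobject]@{
        Server      = $fqdn
        Port        = $Port
        TlsVersion  = $ssl.SslProtocol      # expect Tls12 or Tls13
        CertSubject = $cert.Subject
        CertIssuer  = $cert.Issuer
        CertExpires = $cert.NotAfter
    } | Format-List

    # The guide states the client uses the newest TLS version the device supports;
    # warn if the server negotiated anything older than TLS 1.2.
    if ($ssl.SslProtocol -lt [System.Security.Authentication.SslProtocols]::Tls12) {
        Write-Warning "Negotiated $($ssl.SslProtocol); TLS 1.2 or later expected"
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

A certificate validation error from AuthenticateAsClient means the browser will also refuse the connection, so resolve the trust chain before troubleshooting the login itself.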
The login process is facilitated by Kerberos Single Sign-On (SSO), enhancing user convenience and security. To manage user access levels, navigate to the Roles and Permissions screen, where you can define and adjust user roles and permissions.
What you see when you first log in
Upon successful login, you will be directed to the main homepage of GYTPOL. Here, you will immediately access a view showcasing devices that are actively reporting to GYTPOL. Additionally, you'll receive initial findings related to the Active Directory and Group Policy aspects.
For more comprehensive details and explanations about the user interface and its various features, please refer to the dedicated UI overview section within GYTPOL's documentation. This section will provide an in-depth understanding of how to navigate and utilize the interface effectively. It's a valuable resource to make the most of GYTPOL's capabilities and insights.
Verify that GYTPOL clients were successfully deployed
You can confirm a successful GYTPOL client deployment in two ways:
Local Device Check: Verify on the device where the client is installed to ensure proper functioning.
Health Screen: Use the Health screen to get an overview of deployment status and device health.
For more information, refer to the Health Screen overview section in the documentation.
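As an added example of the Local Device Check on a Windows endpoint (this script is not part of GYTPOL and not the project's own tooling), the following PowerShell script inspects Task Scheduler for the client's tasks and checks what the guide describes: the tasks exist and are enabled, run as SYSTEM, and have run successfully within the last day. The task name pattern "*GYTPOL*" is an assumption; adjust it to match the task names in your installation. Run it from an elevated PowerShell session.

```powershell
# Added example (not GYTPOL's own code): verify the Windows client's scheduled
# tasks are present, enabled, running as SYSTEM, and ran successfully today.
# Assumption: the task names or task path contain "GYTPOL" (change $NamePattern
# if your tasks are named differently).

param(
    [string]$NamePattern = '*GYTPOL*',
    [int]$MaxAgeHours = 24    # the guide says the scan runs once a day
)

$tasks = Get-ScheduledTask | Where-Object {
    $_.TaskName -like $NamePattern -or $_.TaskPath -like $NamePattern
}

if (-not $tasks) {
    Write-Warning "No scheduled task matching '$NamePattern' found: the client is not installed or its tasks use another name."
    return
}

$report = foreach ($task in $tasks) {
    $info = $task | Get-ScheduledTaskInfo
    # Task Scheduler reports 0 for a successful last run.
    $lastRunOk = ($info.LastTaskResult -eq 0)
    $ageHours  = if ($info.LastRunTime) { ((Get-Date) - $info.LastRunTime).TotalHours } else { $null }

    [pscustomobject]@{
        Task          = "$($task.TaskPath)$($task.TaskName)"
        State         = $task.State
        RunsAsSystem  = ($task.Principal.UserId -in @('SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM'))
        LastRunTime   = $info.LastRunTime
        LastRunOk     = $lastRunOk
        NextRunTime   = $info.NextRunTime
        RanWithinADay = ($null -ne $ageHours -and $ageHours -le $MaxAgeHours)
    }
}

$report | Format-Table -AutoSize

# Flag anything a healthy deployment should not show: a disabled task, a task
# not running as SYSTEM, a failed last run, or a last run older than a day.
$problems = $report | Where-Object {
    $_.State -eq 'Disabled' -or -not $_.RunsAsSystem -or -not $_.LastRunOk -or -not $_.RanWithinADay
}
if ($problems) {
    Write-Warning "Tasks needing attention (disabled, not SYSTEM, failed, or stale last run):"
    $problems | Format-Table -AutoSize
}
else {
    Write-Host "All matching tasks are enabled, run as SYSTEM, and ran successfully within the last $MaxAgeHours hours."
}
```

The hourly keep-alive task described in the client section will also match the pattern, so expect more than one row; a device that passes here but is absent from the Health screen points to a network path problem rather than a local one.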
Misconfigurations
What is a Misconfiguration?
Misconfiguration refers to errors in configuring IT systems or security controls, leading to vulnerabilities and potential breaches. Errors can stem from wrong or insecure default settings, human error, a GPO that wasn't applied correctly, and more.
It can occur in network devices, web applications, cloud services, servers/operating systems, encryption/key management, security tools, and access controls. Preventing misconfigurations requires following best practices, conducting audits, implementing secure configurations, enforcing change management, and providing training and awareness. GYTPOL can help you achieve this in minutes.
Working with Misconfiguration Alerts
The GYTPOL Validator Homepage offers instant access to Windows, Linux, and macOS perspectives, each highlighting the top 5 alerts relevant to their respective scopes. It also facilitates UI customization through computer groups created by GYTPOL operators based on OS, name patterns, OUs, and more, as detailed in the Customization and Settings > Computer Groups section.
The Homepage's top menu provides direct links to essential areas, including the Active Directory security page, AD and GPO maintenance page, and CIS/NIST benchmarks dashboards.
When selecting the Windows dashboard, the top bar provides a snapshot of critical metrics:
Reporting Servers
Endpoints
Domain Controllers
Virtual Desktop Infrastructures (VDIs), if applicable
Validated users from the Policy Validation module
Number of missing devices, as covered in the Customization and Settings > Health Screen section.
This comprehensive overview on the Homepage ensures swift access to key insights, customization options, and essential pages for effective management within GYTPOL.
Types of Misconfigurations
Our Misconfigurations module categorizes findings into topics aligned with the MITRE ATT&CK framework. These categories include:
Remote Code Execution: Addressing vulnerabilities that could potentially lead to unauthorized remote code execution.
Lateral Movement: Identifying misconfigurations that could be exploited for lateral movement within your network.
Legacy Protocols: Highlighting issues related to outdated or risky protocols.
Privilege Escalation: Detecting misconfigurations that may enable unauthorized elevation of privileges.
SMB and Sharing: Focusing on misconfigurations associated with SMB protocols and sharing settings.
Credentials: Addressing issues related to improper handling and storage of credentials.
Obsolete Software: Identifying vulnerabilities due to outdated software and unpatched applications.
By organizing misconfigurations into these topics based on the MITRE ATT&CK framework, GYTPOL offers a structured approach to addressing security risks, making it easier to prioritize and remediate issues effectively.
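As an added example (not GYTPOL code and not taken from this guide), the following PowerShell script runs a few read-only checks on a local Windows device and reports the results the way the Misconfigurations module describes findings: grouped by topic (Legacy Protocols, SMB and Sharing, Credentials), rated High/Medium/Low, and paired with a suggestion. Which settings are checked and how they are rated are this example's own assumptions, not GYTPOL's detection rules, and the function names New-Finding and Get-LocalMisconfigurationFindings are hypothetical. Run it from an elevated PowerShell session.

```powershell
# Added illustration, not GYTPOL code: read-only checks on the local Windows device
# that show what a misconfiguration finding looks like when grouped by the topic
# names this guide uses (Legacy Protocols, SMB and Sharing, Credentials) and given
# a High/Medium/Low severity. The settings checked and the severities assigned are
# this example's own choices (assumptions), not GYTPOL's rules.

function New-Finding {
    param([string]$Topic, [string]$Subject, [string]$Severity, [string]$Suggestion)
    [pscustomobject]@{ Topic = $Topic; Subject = $Subject; Severity = $Severity; Suggestion = $Suggestion }
}

function Get-LocalMisconfigurationFindings {
    $findings = @()

    # SMB server settings (SmbShare module, Windows 8 / Server 2012 and later)
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb) {
        if ($smb.EnableSMB1Protocol) {
            $findings += New-Finding 'Legacy Protocols' 'SMBv1 server protocol enabled' 'High' `
                'Disable SMBv1 (Set-SmbServerConfiguration -EnableSMB1Protocol $false) after confirming no legacy clients depend on it.'
        }
        if (-not $smb.RequireSecuritySignature) {
            $findings += New-Finding 'SMB and Sharing' 'SMB signing not required on server' 'Medium' `
                'Require signing via GPO: "Microsoft network server: Digitally sign communications (always)".'
        }
    }

    # LLMNR is turned off only when the DNS Client policy value EnableMulticast is 0
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
        -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $llmnr -or $llmnr.EnableMulticast -ne 0) {
        $findings += New-Finding 'Legacy Protocols' 'LLMNR not disabled by policy' 'Medium' `
            'Set "Turn off multicast name resolution" to Enabled under Administrative Templates > Network > DNS Client.'
    }

    # WDigest: UseLogonCredential = 1 keeps plaintext credentials in LSASS memory
    $wdigest = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($wdigest -and $wdigest.UseLogonCredential -eq 1) {
        $findings += New-Finding 'Credentials' 'WDigest plaintext credential caching enabled' 'High' `
            'Set UseLogonCredential to 0 (DWORD) and reboot.'
    }

    return $findings
}

# Report most severe first, mirroring the guide's Red/Orange/Yellow ordering
$rank = @{ High = 0; Medium = 1; Low = 2 }
$results = @(Get-LocalMisconfigurationFindings)
if ($results.Count -eq 0) {
    Write-Output 'Complied: no findings on this device.'
} else {
    $results | Sort-Object { $rank[$_.Severity] }, Topic |
        Format-Table Severity, Topic, Subject, Suggestion -Wrap
}
```

A finding is emitted only when the weak setting is actually present, so a fully hardened device produces the single "Complied" line; this matches the guide's behaviour of not listing alerts that were not found.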
In GYTPOL, all misconfigurations and metrics are visually represented with specific severity colors to provide quick insights into their urgency:
Red (High): Represents high-severity misconfigurations that require immediate attention due to their critical impact on security.
Orange (Medium): Indicates medium-severity misconfigurations that should be addressed promptly to mitigate potential risks.
Yellow (Low): Denotes low-severity misconfigurations that may not pose an immediate threat but should still be resolved to enhance overall security posture.
Green (Complied): Signifies items that are in compliance and meet the expected security standards, resulting in no alerts generated.
This color-coded approach offers a visual way to prioritize and address misconfigurations based on their severity levels, aiding efficient decision-making and remediation efforts.
The severity of alerts within GYTPOL is determined by considering multiple factors to accurately gauge the potential risk:
Common Attack Vector: The prevalence of the attack vector in real-world scenarios is considered. More common vectors may receive higher severity ratings.
CVSS Score: If available, the Common Vulnerability Scoring System (CVSS) score is factored in. This numerical score assesses the vulnerability's severity and impact.
CISA/CIS/NIST Recommendations: Alignment with recommendations from cybersecurity frameworks such as CISA, CIS, and NIST contributes to the overall assessment of severity.
GYTPOL Research Team Expertise: The knowledge and insights of GYTPOL's research team play a crucial role in understanding how easily a misconfiguration can be exploited and the potential consequences.
For each metric within GYTPOL, the following key information is provided:
Topic: Metrics are categorized into specific topics, aligning with the MITRE ATT&CK framework, to offer a structured overview of security concerns.
Subject: This highlights the specific aspect of the metric being assessed, pinpointing the area of concern.
Scope: Users can select the scope in the user interface to specify the context or range within which the metric is being evaluated.
Description: A detailed explanation of the metric's nature, implications, and potential security risks is provided to ensure a clear understanding.
Suggestion: Practical recommendations and steps for addressing and mitigating the identified issues are offered, guiding users toward effective remediation.
Navigating through Alerts (drill downs, pinning, etc.)
When you click on any of the scopes displayed on the main dashboard (such as Servers or Domain Controllers), it will lead you to the misconfiguration screen, designed as follows:
Metric Collection Boxes: Each box corresponds to a specific scope (e.g., Servers) and contains a collection of metrics grouped under their relevant topics (e.g., Remote Code Execution, Privilege Escalation).
Severity-Color Bars: Within each box, metrics are represented by colored bars indicating the severity level (Red = High, Orange = Medium, Yellow = Low). The number of devices affected by the alert is displayed alongside the bar, as well as the number of compliant devices. Alerts that weren't found at all won't be shown.
Drill-Down Functionality: Clicking on the colored bar provides a drill-down view, showing the list of devices associated with that alert's severity. This helps you pinpoint affected devices for focused remediation.
Actions: By clicking the wrench icon associated with a specific metric or alert, you can take actions at various levels. This allows you to address issues and apply remediation strategies based on your requirements.
Related Topics
In GYTPOL, topics are interconnected to enhance correlation and provide a more comprehensive understanding of security issues. This is achieved through the implementation of "Related Topics" for many alerts:
Interlinked Topics: Alerts within different topics are interlinked to establish connections between related security concerns. These connections help users comprehend the broader context of potential vulnerabilities.
Enhanced Correlation: By exploring related topics, users gain a deeper insight into how various misconfigurations might impact each other and contribute to potential security risks.
Clicking on any related topic takes you to a dedicated section that displays alerts related to that topic.
Remediable vs non-Remediable alerts
In GYTPOL, alerts are visually differentiated by the presence of a spanner icon, which conveys specific information about the remediation process:
Green Spanner: Alerts accompanied by a green spanner icon indicate that you can swiftly remediate the finding using the GYTPOL user interface. This streamlined process enables you to fix the identified misconfiguration in a matter of seconds. For more detailed guidance on the remediation process, refer to the provided resources.
Gray Spanner: If an alert is associated with a gray spanner icon, it signifies that the finding cannot be remediated through the user interface due to certain limitations or conditions. These limitations could include factors such as an unsupported PowerShell version or the informational nature of the alert. This may also indicate that the item fully complied with GYTPOL standards or was already fixed.
Revertible vs non-Revertible
In GYTPOL, alerts are categorized into two types based on their remediation and revertability options:
Remediable Alerts (Green Spanner): Alerts accompanied by a green spanner icon indicate that you can promptly address and remediate the finding using the GYTPOL user interface. This intuitive process enables you to fix the identified misconfiguration quickly and effortlessly.
Remediable with Manual Revert (Green Spanner + Exclamation Mark): Alerts displayed with a green spanner and an exclamation mark (!) signify that the finding can be remediated through the UI. However, the revert (undo) action cannot be performed using the UI. If a revert is required, it needs to be executed manually, either through Group Policy Objects (GPOs) or by utilizing third-party tools.
This distinction helps users understand the level of remediation and revertability associated with each alert, allowing them to make informed decisions on how to address and potentially revert misconfigurations.
Spanner - Colors and Meaning
Color |