Introduction
Product
About GYTPOL
GYTPOL stands as a comprehensive and versatile cybersecurity solution meticulously engineered to safeguard and optimize your digital assets. Its robust functionality extends across various operating systems, encompassing Windows, Linux, and macOS. Whether your devices are desktops, laptops, servers, virtual or physical, domain or non-joined, GYTPOL seamlessly integrates to provide protection.
This solution automates a range of critical cybersecurity use cases:
Continuous Detection of Misconfigurations: GYTPOL's automated system consistently identifies security misconfigurations stemming from operating systems, human errors, and third-party applications. It facilitates auto-remediation while ensuring zero adverse effects on your environment.
Remediation and Auto-Remediation Actions: GYTPOL enables users to fix misconfigurations on endpoints and servers through Remediation Actions. These actions are defined based on parameters like OU, Domain, or specified computer groups, and are grouped into topics.
Revert Remediation Actions: When necessary, GYTPOL can reverse previously executed remediation actions.
Harden Devices: The product provides recommendations for enhancing device security configurations, helping you to further harden your systems.
Policy Validation: GYTPOL validates that computer and user Group Policies are accurately applied to all endpoints. (Intune policy support is forthcoming.)
Configuration Benchmarking: The solution benchmarks your configurations against recognized industry security standards such as CIS and NIST.
Enhanced Active Directory and Group Policy Security: GYTPOL enhances the security of your Active Directory and Group Policy configurations.
Optimized Group Policy Definitions: GYTPOL aids in optimizing Group Policy definitions, flagging issues like duplicated or conflicting GPOs.
Startup and Login Time Optimization: GYTPOL identifies Group Policies that may contribute to sluggish computer startup and user login times.
Intune Validation: GYTPOL assists organizations in ensuring that their Intune settings adhere to security best practices and are appropriately hardened. This includes validating conditional access, compliance, and configuration settings to ensure they meet expected standards.
In summary, GYTPOL streamlines security and optimization efforts across diverse environments, automating key processes to ensure robust cybersecurity.
Audience
This User Guide is primarily intended for individuals and teams responsible for implementing, managing, and maintaining the cyber security infrastructure within their organizations. It caters to both technical and non-technical users, providing clear instructions and explanations for all levels of expertise.
How to Use This User Guide
To help you navigate through this User Guide effectively, it is divided into various sections corresponding to different aspects of GYTPOL. Each section provides step-by-step instructions, best practices, and tips to maximize GYTPOLs potential.
Additionally, we have included screenshots and examples throughout the document to assist you in visualizing the interface and functionalities. Where applicable, we have also provided troubleshooting tips and frequently asked questions to address common concerns. The complete troubleshooting document is accessible both on our official knowledge base and through our dedicated support mailbox. If you encounter any challenges or require assistance, please refer to these resources for detailed guidance and solutions.
Contact Information
Should you have any questions, encounter difficulties, or require further assistance while using GYTPOL, please contact support@gytpol.com. Our dedicated support team is available to help you with any queries or concerns you may have.
We hope this User Guide serves as a valuable resource in understanding and leveraging GYTPOL to enhance your organization's security defenses.
Thank you for choosing GYTPOL, and we look forward to your success in safeguarding your digital assets.
How GYTPOL Validator works
The primary data flow process within GYTPOL Validator unfolds through the following sequential stages:
Tenant and License Activation:
The GYTPOL team will setup the SaaS infrastructure and the tenant. The relevant license, including device count and modules, will be allocated as per the agreed terms between the parties involved.
Client Deployment and Execution:
Deploy the GYTPOL Client on each endpoint/server device.
The GYTPOL Client executes once daily, at randomly chosen times, following a predefined sequence of actions.
The scanning process typically completes within 5-7 minutes.
Data Collection during Scan:
The GYTPOL Client collects data on misconfigurations and unpatched zero-day vulnerabilities during its scanning routine.
For Microsoft devices, it also gathers Group Policy data (Resultant Set of Policy - RSOP) and Intune data
Data Compression and Encryption:
Subsequent to data collection, the GYTPOL Client compresses and encrypts the gathered data.
Data Transmission Attempt:
The GYTPOL Client creates a connection with the GYTPOL Server to transmit the encrypted and compressed data.
The data transmission is conducted using port 443 for communication. This approach ensures that the encrypted and compressed data collected by the GYTPOL Client is securely transferred to the GYTPOL application, enhancing data privacy and protection during transit.
Once data is received from a GYTPOL Client, the GYTPOL application undertakes an analysis using our exclusive GYTPOL Analyzer. This Analyzer not only examines the data thoroughly but also stores the results in a designated database. To ensure data privacy and security, customers are segregated within the database. This proactive approach ensures that you are promptly informed about any possible security threats, helping to keep you well-informed about potential risks.
After the GYTPOL Client completes its scan and data is transmitted to the GYTPOL application, the IT and Security teams access the findings through the Web User Interface (UI). This interface is compatible with Chromium-based web browsers such as Google Chrome or the new Microsoft Edge.
The GYTPOL application is equipped with several integrations to enhance its functionality and facilitate seamless operations:
It interfaces with various public APIs to support data exchange and integration with external systems.
Integration with Ticketing Systems like ServiceNow is established, streamlining the process of generating and managing tickets based on GYTPOL's findings.
Notably, the GYTPOL Server also integrates with Security Information and Event Management (SIEM) systems. Selected events and data are sent from GYTPOL to SIEM platforms, such as MS Sentinel, or Splunk. This integration enhances the security ecosystem by aggregating GYTPOL's insights into the broader context of security events and monitoring.
Client Server Communication
The interaction between the client and the server operates in a one-way manner: the client initiates its task either on a daily or hourly basis (the client's tasks are elaborated upon in the client section). Following the task execution, the gathered data is transmitted to the GYTPOL server, where it undergoes analysis and subsequently appears in the user interface for review.
Should a GYTPOL operator execute a remediation action or any other task from the console, the client conducts periodic checks for new tasks every hour through its hourly task execution. Upon initiating the task locally, the client provides feedback to the server regarding the outcome, indicating either success or failure.
Client
GYTPOL provides support for Windows, Linux, and macOS operating systems. For a comprehensive overview of the supported platforms, please refer to the client installation guide available at this link: GYTPOL Client Installation Guide
The GYTPOL Client operates on a daily basis for a brief duration. Within this operational window, it accumulates data related to misconfigurations, unattended zero-day vulnerabilities, and outdated third-party software. This information is collected during the run and subsequently processed for further analysis.
GYTPOL Client for Windows
Language-Code: GYTPOL is developed using a combination of C# and signed PowerShell.
Post-Install: Following installation, GYTPOL uses the Task Scheduler functionality for its scheduled tasks.
Permissions: The scheduled tasks within GYTPOL are configured to run under the SYSTEM account. This account type doesn't require a username and password for execution.
Size: The GYTPOL installation size is less than 5MB.
Network Traffic: GYTPOL generates network traffic of up to 30KB per day. The data is transmitted in compressed (gzip format) form.
Scheduled Runs:
GYTPOL executes its tasks on a daily basis with a duration of 5-7 minutes.
The timing of the daily task varies based on the type of device:
End-User Devices: Random execution time between 10 am and 5 pm.
Servers: Random execution time between 10 pm and 4 am.
Additionally, GYTPOL sends a "keep-alive" message every hour to ensure continued connectivity. This message also serves to retrieve new tasks for maintaining security posture, including tasks related to remediation, reversion, updates, and upgrades.
Communication Protocol: GYTPOL employs the latest Transport Layer Security (TLS) version supported by the device for secure communication. All communication occurs over HTTPS to ensure data privacy and integrity.
GYTPOL Client for Linux/macOS
Language-Code: GYTPOL is implemented using the Go programming language (Go-lang).
Post-Install:
On Linux, GYTPOL utilizes systemd for post-installation task management.
On macOS, GYTPOL employs launchd for post-installation tasks.
Permissions: GYTPOL runs with root user permissions, which provide the necessary access for its functionalities.
Size: The installation size of GYTPOL is less than 5MB.
Network Traffic: GYTPOL generates network traffic of up to 30KB per day, with data transmission in compressed (gzip format) form.
Scheduled Runs:
GYTPOL executes its tasks with a random start time and a duration of up to 5 minutes.
Additionally, GYTPOL sends a "keep-alive" message every hour to ensure continuous connectivity. This message also prompts the retrieval of new tasks to ensure up-to-date security measures, encompassing tasks related to remediation, reversion, updates, and upgrades.
Communication Protocol: GYTPOL employs the most recent Transport Layer Security (TLS) version supported by the device. All communication occurs over HTTPS, ensuring data confidentiality and integrity.
Product overview
This section provides a quick overview of the GYTPOL Validator key capabilities and provides references to sections covering these capabilities in detail.
User Interface
From an end user's viewpoint, GYTPOL Validator is a role-based web application that simplifies cybersecurity management. Here's a walkthrough of how users navigate the UI and some notable visual notations and instructions provided in the corresponding documentation section:
Navigation:
Users access GYTPOL through a role-based web interface tailored to their responsibilities.
The UI seamlessly guides users to different sections, tools, and insights.
Visual Notations:
Export: Look for options to export data, facilitating data sharing and analysis.
Refresh: A common icon to refresh or update displayed information in real time.
Know How: This symbol typically offers contextual help, guiding users on specific actions.
User Roles:
GYTPOL's UI adapts to user roles, displaying relevant features and data.
Different users interact with tools suited to their tasks, ensuring focused functionality.
Comprehensive Views:
The UI presents various dashboards and sections tailored for specific needs like Misconfigurations, AD and GPO maintenance and security, CIS compliance benchmarking and Intune.
Effortless Navigation:
GYTPOL's user-friendly design ensures intuitive navigation across functionalities.
Users can swiftly move between sections for effective management.
Consistent Experience:
Visual elements like buttons, icons, and labels maintain a consistent design, enhancing user familiarity.
Helpful Guidance:
In-app assistance guides users on performing specific tasks, maximizing usability.
By offering a role-based access interface with intuitive navigation and helpful notations, GYTPOL empowers users to efficiently manage their cybersecurity tasks.
Misconfigurations
Misconfiguration encompasses the mistakes made when setting up IT systems or security measures, which can result in vulnerabilities and potential security breaches. These errors often stem from insecure default settings, human oversights, incorrect application of Group Policy Objects (GPOs), and other factors.
Misconfigurations can manifest across various domains, including network devices, web applications, cloud services, servers and operating systems, encryption and key management, security tools, and access controls. To mitigate misconfigurations, it's essential to adhere to industry best practices. This entails conducting regular audits, implementing secure configuration settings, rigorously managing changes, and offering training and awareness initiatives.
GYTPOL provides a rapid solution to address misconfigurations, achieving this in a matter of minutes. For a comprehensive understanding of how to effectively manage misconfigurations, refer to the detailed guidance provided in the corresponding documentation section.
CIS/NIST and other Security Compliance Benchmarks
Industry benchmarks serve as comprehensive guidelines for configuring a range of software, operating systems, and devices. These benchmarks provide specific instructions to secure these systems against well-known vulnerabilities.
CIS 8 refers to the latest version of the CIS Controls, a prioritized list of actionable security measures designed by the Center for Internet Security. These controls encompass a diverse range of cybersecurity aspects, offering organizations a clear roadmap to enhance their cybersecurity practices. Additionally, CIS Level 1 and Level 2 benchmarks provide specific configuration guidelines to secure systems against common vulnerabilities, with Level 1 offering basic security measures and Level 2 offering more stringent requirements. The Security Technical Implementation Guide (STIG) provides further detailed guidance for securing systems and applications. The CIS Controls, along with these benchmarks, are updated regularly to address emerging threats and incorporate industry best practices. By adhering to these controls and benchmarks, organizations can establish a robust cybersecurity foundation and mitigate various cyber risks.
NIST 800-53 is a comprehensive collection of security controls and guidelines tailored for U.S. federal information systems. This publication furnishes organizations with a framework to evaluate and enhance the security of their systems, safeguarding sensitive information. Covering multiple security domains, NIST 800-53 holds widespread recognition as a cybersecurity standard. Its adoption extends beyond the U.S. federal government, gaining prominence in various sectors and organizations worldwide. Abiding by NIST 800-53 assists organizations in elevating their security posture and aligning their practices with established industry standards.
Cyber Essentials is a UK government-backed cybersecurity certification scheme that aims to help organizations implement basic cybersecurity practices and protect against common cyber threats. It provides a set of criteria and guidelines for organizations to follow in order to secure their systems and data. The Cyber Essentials certification is awarded to organizations that demonstrate compliance with these standards, indicating that they have implemented measures to safeguard against a range of common cyber-attacks. The scheme is designed to be accessible and affordable for organizations of all sizes, helping them improve their cybersecurity posture and build trust with customers, partners, and stakeholders.
For detailed guidance on utilizing the CIS/NIST Dashboards effectively, refer to the corresponding documentation section.
Active Directory / Group Policy Security
The Active Directory / Group Policy Security module provides visibility into data accessible via a basic domain user's access rights. This information can be queried directly from domain controllers. The module offers insights into various aspects, including administrator groups, vulnerable file paths within GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, customized group change queries, and more.
The objective of presenting this data is to underscore the information that can be gathered using plain domain user access rights. By highlighting these findings, the module aims to demonstrate what an attacker could potentially access before progressing to lateral movement or elevating their permissions within the network.
For a comprehensive understanding of how to effectively utilize the Active Directory / Group Policy Enhanced Security module, refer to the corresponding documentation section.
AD / GPO Security and Maintenance
The Maintenance section of GYTPOL offers valuable recommendations to enhance the administration of Active Directory (AD) and Group Policy Objects (GPOs). This includes suggestions for optimizing the management of these crucial components. GYTPOL aids in identifying various issues for more effective administration:
Unlinked GPOs: GYTPOL helps locate GPOs that are not linked to any organizational unit, enabling you to streamline your GPO structure.
Duplicated GPO Settings: The platform identifies duplicated settings within GPOs, allowing you to eliminate redundancy and ensure consistency.
AD Accounts Cleanup: GYTPOL assists in identifying and managing obsolete or unused Active Directory accounts, enhancing overall security.
Legacy OS: The system flags legacy operating systems that might pose security risks due to outdated support.
Multiple Loopbacks: GYTPOL highlights instances of multiple loopbacks processing settings, aiding in maintaining an organized and predictable GPO environment.
These recommendations empower you to proactively enhance the administration of AD and GPOs. For a comprehensive guide on effectively using the Maintenance features, consult the detailed instructions provided in the corresponding documentation section.
Settings and Administration
The Settings menu within GYTPOL offers a hub for various administrative tasks that you can perform to manage and customize your GYTPOL environment. This includes activities like device groups management, integrations, permissions setup and more.
For a comprehensive guide on navigating and effectively utilizing the Settings menu, refer to the detailed instructions provided in the corresponding documentation section. This resource will offer step-by-step guidance on performing administrative tasks and optimizing your GYTPOL configuration.
UI Navigation
The GYTPOL Homepage is divided into several sections to streamline navigation and provide comprehensive insights. In addition to the described below "Manage" and "Settings" sections, users can access the "Organizational Device Coverage” per Device Type, which offers an overview of device distribution across different platforms. The homepage also features "Top 5 Alerts” based on Device Type, highlighting critical issues specific to each device category. For a broader perspective, users can view "Trending Global” or “Pinned Items" of their choice.
The homepage also includes an "Achievements" Board, showcasing key metrics such as Full-Time Equivalent (FTE) savings and Return on Investment (ROI) figures. Users can review their license information for clarity on usage and entitlements. The homepage also provides a space for "News and Updates", ensuring users stay informed about the latest developments and enhancements within the GYTPOL ecosystem. Additionally, users can utilize the Global Search feature to quickly find relevant information across the platform. For any assistance, users can easily ask for support through the dedicated support section. The platform also offers dark and light modes, allowing users to customize their viewing experience according to their preferences.
The homepage's left side menus are designed for intuitive navigation across various sections, including:
The "Manage" section encompasses essential features such as Misconfiguration and Security Compliance boards, Active Directory (AD) and Group Policy Object (GPO) security and maintenance screens, Microsoft Intune settings, an Action Log, and Executive Summary.
The "Settings" section provides access to foundational aspects such as System Health monitoring, Device Groups, Permissions management, Integrations, and Licensing management.
Drill downs
Every element within the user interface is interactive, allowing you to navigate to more advanced levels of UI management effortlessly.
Clicking on the device type will direct you to the Misconfiguration section specific to that group. Here, you'll find the total number of identified attack vectors, which can be viewed either as a comprehensive list or filtered by categories displayed on the left side. Additionally, the list can be searched for a specific vector, enabling users to pinpoint and address vulnerabilities efficiently.
After clicking on any of the misconfigurations on that page, it will open a screen displaying detailed attack vector information. This includes a description of the issue, suggestions for remediation, the severity of the finding, and its Common Vulnerability Scoring System (CVSS) score. Additionally, users can easily navigate related issues from this page, facilitating seamless exploration of other findings within the console. This comprehensive view empowers users to understand, prioritize, and address security vulnerabilities effectively.
In the bottom half of the screen, users will find filtering options on the left, including device groups, domain/OU filter, OS type, and device selection. To the right, there are two main sections: the list of alerts and the list of all devices with the identified alert.
Within the alerts list, users can select any alert to filter the device list accordingly, providing a more focused view per finding. Alongside each alert, users will see the device count of affected devices, as well as the number of compliant devices, remediated devices, and the total count per alert. These metrics offer valuable insights into the impact of each alert and the progress of remediation efforts.
For streamlined management, a Remediate button is available. Clicking this button initiates actions that apply across all impacted devices, providing a unified solution for resolving the issue at hand. Additionally, by clicking on the individual device, actions can be executed at the device level, allowing for tailored remediation.
For a comprehensive guide on navigating the Misconfigurations and Alerts section effectively, refer to the detailed instructions provided in the corresponding documentation.
Export
You have the capability to export a single metric to a CSV file. For instance, you can export all alerts related to SMB Version 1 alert, by following these steps:
Navigate to the relevant screen that displays the metrics.
Locate the metric and click it. In our example we will use SMBv1 not Used.
Select the desired alert/devices to export.
Locate the "Export" button within that screen.
Click on the button to initiate the export process.
A CSV file containing the SMBv1 not Used devices will be generated and downloaded to your device.
This CSV file will provide you with a structured record of the metrics related to Legacy Protocols, which you can then use for reporting or analysis purposes.
Refresh
Within the GYTPOL user interface, you have the flexibility to update the information presented on the screen. If necessary, you can refresh the entire screen to ensure that all displayed data is up-to-date. This option is particularly useful when you want to refresh your entire view and ensure you're working with the most current information.
Getting Help - Know How
GYTPOL's Knowledge Base serves as a valuable resource, covering a wide range of topics, including security risks and manual/alternative methods to address identified findings. The primary goal of our Knowledge Base, often referred to as "Know How," is to offer swift access to information related to specific topics or alerts.
To access the Knowledge Base, simply click on the "academic hat" icon or "Learn More" located within the Attack Vector information. This feature ensures users can readily delve into additional insights and resources to enhance their understanding and response to security challenges.
Information Enrichment:
The Know How section provides comprehensive insights into various topics and alerts, enhancing your understanding of security risks and potential solutions.
Quick Reference:
By providing quick access to information, Know How allows you to swiftly retrieve relevant details, ensuring effective decision-making and problem-solving.
The Knowledge Base empowers users with in-depth information, enabling them to tackle security challenges with informed solutions. Whether you access it through the top bar or directly within specific topics, the Know How feature is designed to enrich your experience within GYTPOL and enhance your ability to address security concerns.
Global Search - find a computer, misconfiguration or security standard
Search Functionality:
You can access the Global Search box located in the top right corner of the interface to open a search pane.
Select your search criteria, such as Device Name, Miscon topic, or Security standard.
You can filter your search by group or search across all devices.
Enter the relevant information into the search box located in the lower part of the search pane.
Results Display:
Once the desired device is located, GYTPOL will promptly display the pertinent information associated with the search criteria.
GYTPOL will showcase the device information, relevant misconfigurations, compliance and remediations that have been identified for the selected device.
This insight into misconfigurations empowers you to take targeted actions to address and rectify any issues.
Perform a Generic Action
In GYTPOL Validator, you have the ability to execute a set of actions on selected devices within the Target group. These actions can be accessed from the Generic drop-down menu and offer various functionalities for managing devices and policies. Here are the available actions:
Group Policy update Computer + user without restart: This operation triggers a gpupdate for both computer and user configurations without requiring a restart or logoff.
Group Policy update Computer + user with restart: This operation performs a gpupdate for both computer and user settings, followed by a computer restart upon successful completion.
Rescan Computer / User: This operation initiates a rescan of the computer or user ahead of the regular schedule, ensuring that the alert information is up to date.
Remove Local Policy Settings: This operation removes locally defined policy settings on the computer, ensuring that no administrative changes have altered the local configuration.
Sync Intune: This operation forces devices to retrieve updates from Intune, ensuring that the information remains current.
Request Agent Logs
By selecting this option, you can request logs from GYTPOL's client on the device. This can be useful when further analysis of the device is required by GYTPOL to resolve a problem with GYTPOL's Agent on the device. The target agent will submit its logs, and when finished, a notification will appear in the System Notifications panel, under System Health. These logs can then be downloaded and submitted to GYTPOL for analysis.
Achievements
The Achievements screen offers valuable insights into the time and cost saved, as well as the potential time and cost savings achieved by utilizing GYTPOL for remediation, as opposed to traditional methods involving 3rd party tools, scripts, and Group Policy Objects (GPOs). The Full-Time Equivalent (FTE) can be adjusted to accurately reflect the actual cost of a cybersecurity or IT and Infrastructure employee. Using this FTE cost, the screen will provide estimations of monetary savings.
Key Features of the Achievements Screen:
Estimated Time and Money saved:
GYTPOL's automated approach significantly reduces the time needed for remediations.
You can view the estimated time/money saved, showcasing the efficiency gained by using GYTPOL's streamlined processes.
Potential Time and Money savings:
GYTPOL offers substantial potential time savings when compared to manual methods.
The Achievements screen highlights the comparative advantage of GYTPOL in terms of time efficiency and ROI.
Getting started
Logging in
Once your GYTPOL tenant has been created, you will receive an email from Welcome@gytpol.com containing your username and temporary password. This email will also provide the link to access the user interface (UI) and guide you through the password change process. Upon changing your password, you will be redirected to your GYTPOL console.
Additionally, the primary technical contact will receive an email containing a list of firewall (FW) rules and URLs to be whitelisted, along with several links to guides and manuals.
To manage user access levels, navigate to the Roles and Permissions screen, where you can define and adjust user roles and permissions.
If SAML authentication is required, please follow this link to set it up: SaaS IdP (SAML) Integration Manual
What you see when you first logged in
Upon successful login, you will be directed to the main homepage of GYTPOL. Here, you will immediately access a view showcasing devices that are actively reporting to GYTPOL.
For more comprehensive details and explanations about the user interface and its various features, please refer to the dedicated UI overview section within GYTPOL's documentation. This section will provide an in-depth understanding of how to navigate and utilize the interface effectively. It's a valuable resource to make the most of GYTPOL's capabilities and insights.
Verify that GYTPOL clients were successfully deployed
You can confirm a successful GYTPOL client deployment in two ways:
Local Device Check: Verify on the device where the client is installed to ensure proper functioning. For more details, you can refer to the Client Installation Guide here: Client Installation Guide
System Health Screen: Use the System Health screen to get an overview of deployment status and device health. You can access this screen by locating it in the Settings menu on the left.
For more information, refer to the Health Screen overview section in the documentation.
Misconfigurations
What is a Misconfiguration?
Misconfiguration refers to errors in configuring IT systems or security controls, leading to vulnerabilities and potential breaches. Errors can come due to wrong or insecure default settings, human errors, GPO that wasn’t applied correctly and more.
It can occur in network devices, web applications, cloud services, servers/operating systems, encryption/key management, security tools, and access controls. Preventing misconfigurations requires following best practices, conducting audits, implementing secure configurations, enforcing change management, and providing training and awareness. GYTPOL can help you achieve this in minutes.
Working with Misconfiguration Alerts
The GYTPOL Validator Homepage offers instant access to Windows, Linux, and macOS perspectives, each highlighting the top 5 alerts relevant to their respective scopes. It also facilitates UI customization through computer groups which can be either built-in or created by GYTPOL operators based on OS, name patterns, OUs, and more, as detailed in the Device Groups section.
The top section of the Homepage offers direct links to device groups and their respective misconfigurations. Meanwhile, the bottom section displays the Top 5 Attack Vectors, which can be tailored for Trending Global, Pinned Items, Quick-Wins, and more. These insights can be viewed either for all devices or specific device groups.
The Homepage serves as a gateway to various sections within the product, including:
Reporting on Devices and their misconfigurations
Security compliance dashboards
AD (Active Directory), GPO (Group Policy Objects), and Intune screens
Action Log and Executive Summary
Settings menu, featuring System Health, Device Groups, Permissions, Integrations, and Licensing
This comprehensive overview on the Homepage ensures swift access to key insights and essential pages for effective management within GYTPOL.
Types of Misconfigurations
Our Misconfigurations module categorizes findings into topics aligned with the MITRE ATT&CK framework. These categories include:
App and Internet Features: Misconfigurations here involve settings that could lead to unauthorized access or vulnerabilities in applications and internet usage.
Browsers: Misconfigurations relate to browser settings that may expose users to security risks, such as outdated protocols or insecure extensions.
Databases: Misconfigurations involve security settings or access controls within databases, potentially leading to unauthorized access or data breaches.
Remote Code Execution: Addressing vulnerabilities that could potentially lead to unauthorized remote code execution.
Lateral Movement: Identifying misconfigurations that could be exploited for lateral movement within your network.
Legacy Protocols: Highlighting issues related to outdated or risky protocols.
Privilege Escalation: Detecting misconfigurations that may enable unauthorized elevation of privileges.
SMB and Sharing: Focusing on misconfigurations associated with SMB protocols and sharing settings.
Credentials: Addressing issues related to improper handling and storage of credentials.
Obsolete Software: Identifying vulnerabilities due to outdated software and unpatched applications.
By organizing misconfigurations into these topics based on the MITRE ATT&CK framework, GYTPOL offers a structured approach to addressing security risks, making it easier to prioritize and remediate issues effectively.
In GYTPOL, all misconfigurations and metrics are visually represented with specific severity colors to provide quick insights into their urgency:
Red (High): Represents high-severity misconfigurations that require immediate attention due to their critical impact on security.
Orange (Medium): Indicates medium-severity misconfigurations that should be addressed promptly to mitigate potential risks.
Yellow (Low): Denotes low-severity misconfigurations that may not pose an immediate threat but should still be resolved to enhance overall security posture.
Green (Complied): Signifies items that are in compliance and meet the expected security standards, resulting in no alerts generated.
This color-coded approach offers a visual way to prioritize and address misconfigurations based on their severity levels, aiding efficient decision-making and remediation efforts.
The severity of alerts within GYTPOL is determined by considering multiple factors to accurately gauge the potential risk:
Common Attack Vector: The prevalence of the attack vector in real-world scenarios is considered. More common vectors may receive higher severity ratings.
CVSS Score: If available, the Common Vulnerability Scoring System (CVSS) score is factored in. This numerical score assesses the vulnerability's severity and impact.
CISA/CIS/NIST Recommendations: Alignment with recommendations from cybersecurity frameworks such as CISA, CIS, and NIST contributes to the overall assessment of severity.
GYTPOL Research Team Expertise: The knowledge and insights of GYTPOL's research team play a crucial role in understanding how easily a misconfiguration can be exploited and the potential consequences.
For each metric within GYTPOL, the following key information is provided:
Topic Name: The attack vector name, as displayed in the console screens and available for searching purposes.
Category: Aligned with the MITRE ATT&CK framework categories as previously explained.
Description: Offers a detailed explanation of the metric's nature, implications, and potential security risks to ensure clarity.
Suggestion: Provides practical recommendations and steps for addressing and mitigating the identified issues, guiding users toward effective remediation strategies.
General Severity and CVSS score: Provides an assessment of the severity of the issue along with the Common Vulnerability Scoring System (CVSS) score for further context.
Related Issues: Identifies any related security issues or vulnerabilities that may be impacted by the metric and offers a link to the relevant screen for further investigation and action.
Alert Status: Displays the number of Active and Remediated alerts, along with the time saved through remediation efforts.
Potential Achievement: Indicates the potential time and cost savings achievable through addressing the identified security concerns.
Navigating through Alerts (drill downs, pinning, etc.)
When you click on any of the scopes displayed on the main dashboard (such as Windows Servers or Debian Linux), it will lead you to the misconfiguration screen, designed as follows:
Top Bar: The number displayed represents the total count of related metrics, critical metrics, and Quick-Wins available.
Metric / Attack Vectors list: The list corresponds to a specified scope (e.g., Servers) and comprises a set of metrics relevant to the scope. The content of the list can differ based on the selected device scope.
Filter/Sorting: Users can filter the list based on Device Groups and sort it using various criteria.
Category Filter: Each box pertains to a specific scope (e.g., Servers) and presents a compilation of metrics categorized under relevant topics (e.g., Remote Code Execution, Privilege Escalation).
Severity-Color Indicators: Next to each metric, a color indicator with define the severity level (Red = High, Orange = Medium, Yellow = Low). The number of devices affected by the alert is displayed alongside the metric. Alerts that weren't found at all won't be shown.
Drill-Down Functionality: Clicking on the metric provides a drill-down view, showing the alerts and the list of devices associated with that alert's severity. This helps you pinpoint affected devices for focused remediation.
Actions: By clicking a specific metric or alert, you can take actions at various levels. This allows you to address issues and apply remediation strategies based on your requirements.
Related Issues
In GYTPOL, metrics are interconnected to enhance correlation and provide a more comprehensive understanding of security issues. This is achieved through the implementation of "Related Issues" for many alerts:
Interlinked Topics: Alerts within different topics are interlinked to establish connections between related security concerns. These connections help users comprehend the broader context of potential vulnerabilities.
Enhanced Correlation: By exploring related topics, users gain a deeper insight into how various misconfigurations might impact each other and contribute to potential security risks.
Clicking on any related issues takes you to a dedicated section that displays alerts related to that metric.
Export found misconfigurations to CSV
GYTPOL offers a convenient feature that allows you to export data from the dashboard to a CSV file, facilitating reporting and efficient tracking of information. Here's how it works:
Topic Level Export: To export data related to an entire topic, click the "download" button located on the topic box. This action will generate a CSV file containing data pertinent to the selected topic.
Metric Level Export: Within a specific metric or alert, you can also export data by clicking the "download" button associated with that metric. This will export information about all devices affected by the same finding within that metric.
Single Device Level Export: If needed, you can even export data about an individual device. Simply navigate to the specific device and use the available export option.
By utilizing these export functionalities, GYTPOL empowers users to generate reports, gather insights, and maintain efficient records of misconfigurations and remediation efforts for better security management and documentation.
Remediation Action types
Remediation Process for Misconfigurations
Within GYTPOL Validator, users have the capability to rectify misconfigurations found on endpoints and servers by defining Remediation Actions. These actions facilitate the implementation of fixes across various devices, groups, or even individual machines. Here's how the process works:
Defining Remediation Actions: Remediation Actions outline the corrective measures to be applied based on parameters like OU, Domain, or specified computer groups. The actions are grouped into topics, such as the SMB and Sharing topic including SMBv1 removal.
Pending Status and Acknowledgment: After a GYTPOL admin initiates an action, it remains in a pending status until the client device checks in (hourly) and confirms the task for local application.
Client Acknowledgment and Feedback: Once the client applies the task locally, it sends feedback to GYTPOL regarding the outcome. This feedback includes information on success, failure, and the reason for failure (e.g., timeout or access denial).
Revert Capability: Numerous remediation actions can be reverted to the original state directly from the GYTPOL UI. This streamlines the process and eliminates the need for third-party tools or scripts. All reverts are executed on the device within an hour, maintaining consistency with the hourly check-in schedule.
Remediation Action
A "Single Remediation Action" in GYTPOL Validator involves applying a corrective action to resolve a specific finding. Here's an overview of the process:
Identify the Finding: Start by identifying a particular misconfiguration or security finding that needs to be addressed.
Choose the Target Group: Select the group of devices on which you want to apply the remediation action. This can include specific devices, a group based on OU, Domain, or custom computer groups.
Initiate the Remediation Action: Define the specific action or fix that needs to be implemented to address the finding. This action can involve changes to configurations, settings, or other relevant parameters.
Pending Status and Client Check-In: After initiating the action, it enters a pending status. The respective client devices periodically check in (hourly) to receive and acknowledge the action.
Client Acknowledgment and Feedback: Once the client applies the action locally, it sends feedback to GYTPOL indicating the success or failure of the task, along with reasons for any failures.
Revert Capability (if applicable): If the action supports reversion to the original state, GYTPOL allows you to revert changes directly from the UI.
Auto-remediation
An "Automatic Remediation Action" (Auto Re-Apply) in GYTPOL Validator is designed to automatically apply fixes to any future alerts that match predefined criteria on selected devices within the Target group.
By utilizing the Automatic Remediation Action feature, GYTPOL empowers users to proactively respond to emerging security challenges, ensuring that devices remain aligned with organizational policies and security standards as new alerts are detected. This automated approach enhances the overall security posture of the organization.
Mute
In GYTPOL Validator, users have the option to mute or "remove" alerts from the user interface and misconfiguration list. This feature is useful when an alert is acknowledged as a known risk and no further action is required. Here's how it works:
Alert Muting: When you identify an alert that you consider a known risk and want to temporarily remove from view, you can choose to mute it.
Selecting the Target Group: Decide on the target devices or groups for which you want to mute the alert. This could involve specific devices, device groups, OUs, or other designated segments.
Muting Action: Utilize the "Mute Alert" action to initiate the muting process. This action essentially removes the alert from the UI and the misconfiguration list for the selected devices within the designated target group.
Muting alerts is a strategic way to focus attention on critical alerts while acknowledging and managing known risks. This functionality allows users to maintain a clear and prioritized view of active alerts, ensuring efficient security management within GYTPOL Validator.
Remediation Process
The remediation of findings in GYTPOL Validator can be initiated through the use of the Remediate button in every metric. Once this button is clicked, it opens an Action screen that facilitates the remediation process. Here's an explanation of the components within this screen using an example scenario of remediating the "SMB Shares" issue on Windows non-DC servers:
Here's a concise breakdown of the key elements within the "Remediate" section and the Attack Vector screen, using the example of remediating "SMB Shares".
Filter pane:
Group: Utilize predefined groups or craft custom ones based on naming conventions, Organizational Units (OUs), etc. These groups are distinct from the OU structure and can be adjusted as necessary, offering both static and dynamic options.
Domain: If multiple domains report to the UI, select the domain where you want to apply the remediation. Choosing "Any" will apply it to any domain.
Operating System: Choose the specific OS pertinent to the selected metric and alert, targeting the desired OS for remediation actions. Choosing "Any" will apply it to any OS.
Org. Unit: Specify the organizational unit on which you want to perform the remediation. Choosing "Any" will apply it to any organizational unit.
Device: Target a specific device for remediation. Choosing "Any" applies the remediation to all devices within the same organizational unit.
Share Selection: You can specify individual shares you want to remediate or select "Any" to remediate all shares within the chosen scope of devices.
Remediation Action:
Remediation: This section provides an explanation of the topic you're remediating. For instance, in our case, we're addressing "SMB Shares”. Clicking the question mark icon provides additional details about the remediation action.
Any irreversible actions are noted near the Cancel/Apply buttons.
Auto Re-apply: This option ensures that the same remediation is automatically applied to new GYTPOL clients reporting for the first time or meeting the defined criteria.
Schedule: Decide whether to perform the remediation ASAP (based on the hourly trigger) or schedule it for a more convenient time.
Add Note: Add a comment to provide context or additional information about the change being made.
Apply / Cancel: Confirm and execute the remediation action by clicking "Apply" or cancel the operation by clicking "Cancel."
By Alert / By Device:
In the "By Alert" tab, you have the option to select the alert(s) you wish to remediate, with multi-select functionality available to address multiple alerts simultaneously.
In the "By Device" tab, you can select or multi-select the devices to which the identified alerts apply.
Actions Log
The screen offers a comprehensive overview of both ongoing and completed tasks, categorized into specific topics for efficient management.
Filter:
States: Filter the actions list based on the selected state, such as Pending, Cancelled, Success, Failure etc.
Group: Display actions relevant to the selected device group.
Topic: Show actions applicable to the selected topic.
OS/Type: Display actions relevant to the selected OS or device type.
Domain/OU/Device: Narrow down actions based on the selection from any device to a specific one.
User Name: Show any actions performed by the selected user.
Object Alert: Display actions applicable to the selected Alert only.
Actions:
The screen presents a list of actions, which can be narrowed down by choosing filters as explained above.
Action Buttons:
Stop: This option halts the ongoing remediation process. Fixed devices will remain fixed, while the remaining (yet unfixed) devices will not undergo remediation.
Restart: Use this option to restart the action in case of a failure or previous stoppage. You can restart the task on the same target group (the target group remains the same as initially selected).
Revert: The revert functionality is accessed through the Actions screen. To perform a revert action, you have the following options:
Revert All: This option enables you to revert the remediation action on all devices within the defined scope. By selecting this option, the remediation changes will be undone on all applicable devices.
Revert on Selected Device(s): If you wish to revert the remediation action on specific devices within the scope, you can do so by clicking the "revert” for the respective device(s) once you click the task and drill down. This allows you to selectively revert changes on chosen devices.
The "Action Log" screen also offers the flexibility to filter tasks based on their nature:
Remediate: Filter tasks to exclusively display one-time remediations that have been initiated and are currently active.
Auto-Remediate: Filter tasks to show auto-remediations that are ongoing as part of the automated remediation process.
Generic: Access other types of tasks that fall under the "generic" category, providing a more encompassing overview of all ongoing tasks.
Mute Alerts: View tasks related to muted alerts, which are tasks that suppress alerts from being displayed in the UI.
Revert: Displays the revert tasks that will undo any changes made as part of a remediation process.
By offering these filters and categorized tabs, the "Action Log" screen empowers you to effectively track, manage, and monitor the various tasks being executed within GYTPOL Validator.
Refresh: Updates the console with the most recent information regarding the tasks that have been run.
Export: You have the ability to export key information related to the task (or all Tasks). This includes the results of the task (status and initiator), as well as the list of devices encompassed by the task's scope. This data can be exported to a CSV file, as detailed in the Export section of the GYTPOL Validator.
Activate / Restart / Deactivate Remediation Rule
After creating a task using the Action/Remediation screen, you can manage and modify it through the Action Log screen. This screen offers the following options:
Stop Action: This option halts any ongoing remediation actions that have not yet been completed on devices. As a result, the task status will change, and it will be moved to the inactive tab to signify that it has been stopped.
Restart Action: By selecting this option, you can restart the remediation action associated with the task. This allows you to rerun the action again on the same target group, for example, to restart the action on failed devices.
Revert Action: By selecting this option, you can revert the remediation action associated with the task. This allows you to undo the action taken on the same target group and return the device to its previous misconfigured state.
Export: You have the ability to export key information related to the task. This includes the results of the task (status and initiator), as well as the list of devices encompassed by the task's scope. This data can be exported to a CSV file, as detailed in the Export section of the GYTPOL Validator.
Quick Wins
"Quick-Wins" in GYTPOL Validator refer to misconfiguration topics that can be swiftly and easily remediated or auto-remediated without causing any adverse effects on the devices. These topics encompass low-hanging fruit in terms of security improvements.
For optimal results, it's advisable to follow these steps:
Create a Device Group: Begin by forming a group of devices within GYTPOL Validator. This group will serve as the initial target for remediation efforts.
Initiate Remediation: Start by launching the remediation process, focusing solely on one-time remediation for the selected device group. This allows you to tackle the identified misconfigurations efficiently.
Validate Impact: Monitor the devices in the group after the remediations have been applied. Ensure that there are no negative impacts on the devices' performance, functionality, or user experience. This validation step is crucial to confirm that the remediations indeed have the intended outcome.
Expand Remediation: After confirming the success of the Quick-Win remediations on the initial group of devices, you can gradually expand the remediation efforts to larger groups or even across your entire environment. This approach allows you to implement changes incrementally while ensuring that any unforeseen issues are identified and addressed promptly.
Continuous Monitoring: Even after applying Quick-Win remediations across your environment, continue to monitor the devices and their performance. GYTPOL's monitoring capabilities provide ongoing visibility into the status of devices and their compliance with the applied fixes.
Detailed information about Quick-Wins and the specific misconfiguration topics that fall under this category can be found in the dedicated section provided. By leveraging Quick-Wins, you can swiftly enhance the security posture of your environment while minimizing disruptions to devices.
Active Directory & Group Policy Security
This section showcases public data that can be queried from domain controllers using basic domain user access rights. The displayed information encompasses details like administrator groups, susceptible file paths within your GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, and the ability to query custom group changes, among other elements.
Clicking on a Category within this interface provides a detailed list of the examined items. You can also navigate through a drill-down process from the specific topic to access more comprehensive insights into the data.
Active Directory & Group Policy Maintenance
The Active Directory and Group Policy module offers recommendations for enhancing cleanliness and optimizing performance. These insights and suggestions are presented at the organizational level, highlighting areas where adjustments can be implemented to enhance the organization of your Group Policy Objects (GPOs) and Active Directory (AD).
By drilling down into a specific category, you can access a detailed list of identified items. Within the same topic, you'll encounter our "Know-How" feature represented by a hat icon. This resource provides comprehensive explanations about the findings and offers guidance on rectifying or modifying the identified issues, facilitating informed decision-making and proactive improvements.
Security Complience
The platform provides hardening recommendations aligned with the Center for Internet Security (CIS-8) and the National Institute of Standards and Technology (NIST 800-53) guidelines. The console will soon incorporate additional standards, including Cyber Essentials, in the upcoming months.
These recommendations are detailed in the overview.
Accessible from the homepage, you can access the corresponding dashboard on the left pane, by selecting the relevant standard. Once clicked, the CIS or NIST dashboard will be displayed, presenting the benchmark results. Here's a breakdown of the color codes used:
Green: Indicates that the settings within your organization are compliant.
Red: Denotes that the settings within your organization are not compliant.
Orange: Indicates that the settings are not managed in your organization, and there is no detectable Group Policy Object (GPO) containing the relevant setting.
These color-coded indicators offer a quick overview of compliance status and the need for corrective actions.
You can retrieve the list of computers to determine whether the specific setting you've chosen is applied or not. This allows you to quickly identify which computers are in compliance with the chosen setting and which ones are not.
Customization and Settings
System Health screen
This screen provides a comprehensive overview of reporting clients, including their status, the timestamp of their last successful scan, version information, operating systems, and the client scope (Endpoint, Server, or VDI).
Devices that are missing from reporting are color-coded as follows:
Light Blue: Devices reported within the last 24 hours.
Navy Blue: Devices that have not reported in the last 3 days.
Purple: Devices that have not reported in the last week.
Dark Blue: Devices that have not reported in 7-14 days.
Devices that have been removed from the organization or have missed reporting for over 14 days are moved to the "Missing over 14 days" section. If a device has not reported for over 30 days but was registered in Active Directory within the last 30 days, it will be moved to the "Never Reported" section. This helps to keep track of the reporting status of devices accurately.
What’s new
The "What's New" section is a dedicated section that showcases the updates, enhancements, bug fixes, and new features introduced in various versions and releases of GYTPOL. This page serves as a valuable resource for users to stay informed about the changes that have been implemented in the software. It includes information about the addition of new functionalities, improvements to existing features, resolutions for known issues, deprecation of certain elements, and any security updates that have been applied.
By referring to the "What's New" page, users can quickly understand the evolution of GYTPOL and make the most of the latest enhancements.
License
The license page is a section that outlines the terms and conditions under which the software application or system is licensed to users. The page will include details such as the License type, Device Limitations and Utilization, the License Start and Expiration Dates, Available modules, Disclaimers or any applicable liabilities.
About
Information about the builds and versions for different system components. This data might be requested by the support team during troubleshooting or update processes.
Group Policy and Active Directory Filters
If any findings or recommendations related to Active Directory, Group Policy, or CIS/NIST benchmarks have been muted from the user interface, they will be categorized and displayed under the respective filters. This allows users to easily identify the items that have been muted and provides the option to unmute them if needed.
Unmuting an item would mean that it will again appear in the regular alerts or recommendations list, ensuring that no critical issues are overlooked and that the organization's security posture remains strong.
Permissions: Managing User Accounts
GYTPOL features a Role-Based Access Control (RBAC) system that enables administrators to define precise permissions levels within the user interface. To configure RBAC in GYTPOL, follow the steps provided it this guide: UI2 - Role Based Access Control and Permissions management
This RBAC feature in GYTPOL helps organizations tailor access permissions to different teams or individuals, enhancing security and ensuring that users have the appropriate level of control and visibility within the system.
Computer Groups
GYTPOL allows you to create custom computer groups, whether static or dynamic, based on various criteria such as name patterns, operating systems, organizational units (OUs), domains, or custom lists.
To configure Device Groups is GYTPOL, follow the steps provided it this guide: UI2 - Creating Computer Groups
By creating custom computer groups, you can efficiently manage and categorize your devices, allowing for easier organization, targeting of actions, and monitoring of specific sets of devices that meet certain criteria. This feature can enhance the flexibility and customization of your GYTPOL deployment.
References
GYTPOL High Level Architecture and Design - To access the GYTPOL HLD documentation, please get in touch with your GYTPOL Account Manager.
GYTPOL Client Installation, Client GPO deployment and Upgrade Guide
GYTPOL API documentation
GYTPOL Splunk Integration documentation (soon)
GYTPOL ServiceNow Integration documentation (soon)
Quick-Wins
As mentioned earlier – "Quick-Wins" in GYTPOL Validator refer to misconfiguration topics that can be swiftly and easily remediated or auto-remediated without causing any adverse effects on the devices. These topics encompass low-hanging fruit in terms of security improvements.
To make the most of Quick-Win remediations:
Create a device group for testing.
Apply Quick-Win fixes to this group.
Verify fixes' impact and success.
Gradually expand fixes to more devices.
Monitor ongoing compliance and performance.
The examples below show some Quick-Wins items (Windows, Linux, macOS).
Remote Code Execution
Log4J (CVE-2021-44228, CVE-2021-45046)
LOG4J is pertinent for various operating systems, including Windows, Linux, and macOS. In GYTPOL, we have adopted the strategy of abstaining from software updates due to potential repercussions. Instead, we opted to modify two lines of code within the JNDI Lookup java class. These changes encompass:
Validation of the input parameter (dataTime parameter) within the class, ensuring its accuracy and reliability.
Elimination of the execution of the parameter, as it holds no relevance within this particular function. The execution served no purpose and was deemed redundant.
Topic: | log4j2 Vulnerability |
Subject: | log4j2 Vulnerability in JndiLookup |
Description: | Remote Code Execution 0-Day Vulnerability (CVE-2021-44228, CVE-2021-45046). |
Suggestion: | It is highly recommended to use Gytpol to secure the current version (ZERO-IMPACT!) – no software upgrade needed. |
Reason: | Correcting the function to work as it should by validating the input parameter to be a DateTime and removing the execution which wasn't relevant to this function. Adopted by APACHE to 2.17.1 (Gytpol are not upgrading the Log4J, we just correcting the zero-day vulnerability in the code) |
Office Follina Attack (CVE-2022-30190)
Follina pertains to devices equipped with any version of Microsoft Office. Once again, Microsoft's response to the zero-day vulnerability was found lacking, prompting our discovery of two additional registry keys that necessitated removal from the devices. These registry keys, which were last utilized in 2013, were identified as contributing factors to the issue.
Topic: | Office Follina Attack |
Subject: | Follina Attack (CVE-2022-30190) |
Description: | A zero-day allowing code execution in Office products: Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View. |
Suggestion: | Remediate urgently with Gytpol (ZERO-IMPACT!). |
Reason: | Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in System Settings as other or additional troubleshooters. |
MS Word RTF (CVE-2023-21716)
MS Word RTF exploits are applicable to devices equipped with any version of Microsoft Office. This instance involves another inadequately patched zero-day vulnerability. At GYTPOL, we took proactive measures by disallowing the opening of RTF files from unverified or untrusted sources. This action helps mitigate the risk associated with this vulnerability and enhances the security of the system.
Topic: | MS Word RTF Document |
Subject: | MS Word RTF (CVE-2023-21716) |
Description: | CVE-2023-21716, a critical RCE vulnerability in Microsoft Word that can be exploited when the user previews a specially crafted RTF document. |
Suggestion: | Remediate urgently with Gytpol (ZERO-IMPACT!), or: use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources. |
Dell Driver (CVE-2021-21551)
Dell Driver concerns are relevant exclusively to Dell devices. In our approach at GYTPOL, we opted to align with Dell's guidance. This involved the removal of the driver situated within the Temp folder on the device. By adhering to Dell's recommendations, we aimed to enhance the security and functionality of Dell devices under our purview.
Topic: | Dell Driver |
Subject: | BIOS Driver Privilege Escalation Flaws |
Description: | (CVE-2021-21551): A security vulnerability affecting the dbutil_2_3.sys driver packaged. Attackers may exploit these vulnerabilities to locally escalate to kernel-mode privileges. |
Suggestion: | According to dell, it is highly recommended to remove the driver or update it using Dell System Inventory Agent. See more: https://www.dell.com/support/kbdoc/en-il/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability. |
Reason: | The file located in c:\Windows\Temp and it is not needed for any Dell software or application |
Privilege Escalation
Print Spooler Log
Print Spooler Log pertains to Windows systems, enabling the monitoring of printer usage activity. This proactive approach helps to avert potential issues, such as the unaddressed print nightmare vulnerability. By scrutinizing the print spooler log, we can implement measures to prevent any such vulnerabilities from materializing, thereby enhancing the security and stability of the Windows environment.
Topic: | Print Spooler Log |
Subject: | Print Spooler Log |
Description: | The Print Spooler Operational Log is disabled. By enabling the log - you create a visibility of active printing and attacks. |
Reason: | Activating a log will give extra visibility prior to stopping the Print Spooler. The log size is limited to 1MB and will not consume much of disk space |
Print Spooler Service
Print Spooler functionality is applicable to Windows systems. When the printer log is enabled, it not only provides insights into mapped printers but also logs printing activities. This visibility underscores the simplicity of determining whether the service is necessary. If deemed unnecessary, the service can be disabled with ease. This approach aids in enhancing security and efficiency by preventing potential risks associated with the service when it's not in active use.
Topic: | Print Spooler |
Subject: | Print Spooler service status |
Description: | Many attackers use this service as their back door to the servers. It is recommended to disable this service via GYTPOL or group policy on all servers. |
Reason: | The Spooler service is being disabled after we show that there are no Printing events, and no Printers are attached to the server/endpoint (spooler log must be enabled). |
Local Admins
Local Admins status pertains to Windows, Linux, and macOS systems. Our current capability encompasses not only identifying individuals designated as local administrators but also tracking recent usage patterns. This enhanced visibility allows us to make informed decisions. For instance, if there has been no logon activity within the last 90 days, it becomes straightforward to determine the need for remediation actions. This strategic approach aids in maintaining system security by promptly addressing potential risks associated with unused or unnecessary admin privileges.
Topic: | Local Admins |
Subject: | Local administrator on computer |
Description: | Detected a local administrator on the computer. In most cases users should not have the Local Administrator privilege, as it grants them total control over the computer and exposes the computer and the organization to malware risks. |
Suggestion: | You should verify that these privileges are legitimate, and either Filter Out this warning or privilege from the user. |
Reason: | Login events are shown, and the user is removed from the Local Admins after 90 days of inactivity. |
Local Users
Local Users management is applicable across Windows, Linux, and macOS platforms. Our current capabilities extend beyond identifying local user accounts and their group memberships. We now also possess the ability to track recent usage patterns. This enhanced visibility allows us to make informed decisions. For example, if there has been no logon activity within the last 90 days, it becomes a straightforward decision to initiate remediation actions. This approach contributes to bolstering system security by promptly addressing potential risks associated with underutilized or unneeded local user accounts.
Topic: | Local Users |
Subject: | Local user activity |
Description: | Detected active local user on the computer. Local users should not be created and must be removed unless it is the local Administrator account. |
Suggestion: | Verify those accounts are correct and ignore if needed. Remediate in case the users are irrelevant. |
Reason: | Login events are shown, and the user is removed from the Local Users after 90 days of inactivity. |
Guest Users
Guest User management pertains to Windows and macOS environments. Our capabilities now encompass the ability to identify instances where Guest Users have been overlooked or not properly disabled. This feature allows us to locate areas where these accounts may have been inadvertently left active. By detecting and rectifying these oversights, we enhance security measures and ensure that potential vulnerabilities associated with active Guest Users are promptly addressed in both Windows and macOS systems.
Topic: | Guests Users |
Subject: | Local Guests Accounts Status |
Description: | A guest account allows unauthenticated network users to gain access to the system. According to Microsoft, this can lead to the exposure or corruption of data. |
Suggestion: | It is highly recommended to disable all Guests users. |
Reason: | By default, Guest account should be prevented for login locally and access from the network. |
Batch Privilege (Log on as a Batch)
Batch Privilege management applies to both Windows and Linux environments. Our capabilities extend to the identification of users with the ability to run batches, encompassing various mechanisms such as task scheduler, crontab, and IIS App Pool. Similar to our approach with local admin privileges, we aim to provide a clear correlation by showcasing the associated group and its members. The identification of empty groups simplifies decision-making. This comprehensive view aids in promptly addressing security concerns, making it straightforward to take action in instances where unauthorized or unneeded batch privileges exist within both Windows and Linux systems.
Topic: | Batch Privilege |
Subject: | Dangerous privilege granted: Log on as a Batch |
Description: | SeBatchLogonRight accounts can log on by using a batch-queue tool such as the Task Scheduler service. |
Suggestion: | Change this setting to <Service Accounts> under 'Default Domain Policy' and under 'Default Domain Controller Policy': Go to Computer configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a Batch |
Reason: | The group is empty and isn’t used. Once used, it will have the same access level for Batch and Tasks execution as the Local Admins group (usually will have Domain Admins in it). |
Lateral Movement
Exchange WebShell
Exchange WebShell vulnerabilities are pertinent to Windows environments. This massive zero-day vulnerability often poses challenges for organizations utilizing on-premises Exchange servers in terms of consistent patching. At GYTPOL, we have devised a strategy to detect and combat this threat. Our approach involves identifying malicious DLL files that are created as part of the attack and subsequently removing them. By proactively addressing the issue, we contribute to safeguarding the security and integrity of Windows systems impacted by Exchange WebShell vulnerabilities.
Topic: | Exchange IIS WebShell |
Subject: | Exchange Malicious IIS WebShells |
Description: | HAFNIUM's attack tools found on host: IIS WebShell. |
Suggestion: | Immediate action required: your server has been compromised! (1) Remove the file(s) immediately from the computer(s) and start an investigation. (2) Sometimes it is also recommended to restore the server before the attack date and to full patch it. (3) Check other servers for lateral movement. |
Topic: | Exchange Temp WebShell |
Subject: | Exchange Malicious Temp WebShells |
Description: | HAFNIUM's attack tools found on host: Temp WebShell. |
Suggestion: | Immediate action required: your server has been compromised! (1) Remove the file(s) immediately from the computer(s) and start an investigation. (2) Sometimes it is also recommended to restore the server before the attack date and to full patch it. (3) Check other servers for lateral movement. |
Credentials
Credential Manager
Credential Manager concerns are relevant to Windows environments. In scenarios where accessing network paths or Remote Desktop Protocol (RDP) requires entering credentials, these credentials are often stored on the device, posing a security risk. GYTPOL's approach to remediation involves the permanent removal of these stored credentials from the user's profile. By implementing this measure, we mitigate the exposure of sensitive credentials, enhancing the overall security of Windows systems by preventing unauthorized access to stored credentials.
Topic: | Credential Manager |
Subject: | User credentials stored on computer |
Description: | The Windows Credential Manager is providing easy password management to the user, but exposes his account to security threats. Any process running in the user's account can get elevated access to the vault and steal the stored passwords. |
Suggestion: | It is highly recommended to disable the Credential Manager and prevent local storage of user credentials via Group Policy: User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > Do not allow passwords to be saved > Enabled. Instead, you should opt to use the Windows Defender Credential Guard via the Group Policy. |
Unattended File
Unattended File concerns are specific to Windows environments. When generating a new system image and configuring fresh settings, an "unattended file" is often created. This file functions as an answer file, streamlining the deployment of the new image and its associated operating system settings to other devices. Occasionally, network configurations necessitate leaving credentials, typically administrative credentials, which can be exposed in plain text. Once the image has been established, the file becomes obsolete.
At GYTPOL, our approach involves removing this unattended file post-image creation. By doing so, we eliminate the potential exposure of sensitive credentials in clear text, ensuring that the security of Windows systems is upheld and unnecessary security risks are mitigated.
Topic: | Unattended File |
Subject: | Unattended Configuration File is Exposed |
Description: | Unattended files are configuration files that save the organization configuration in a simple XML that anyone can read and has access to. |
Suggestion: | It is highly recommended to remove this file via GYTPOL remediation and remove it permanently from any given Windows image. |
Reason: | It is not used after the device is installed, added to domain and all settings are done. Safe to delete. |
SMB and Sharing
SMBv1
SMBv1 (Server Message Block version 1) pertains to Windows, Linux, and macOS platforms. Our capabilities extend beyond identifying whether SMBv1 is enabled; we also provide insights into its recent usage. This information aids in making informed decisions regarding remediation, particularly in cases where SMBv1 has not been actively utilized. This approach simplifies the remediation process by facilitating the identification of opportunities to disable SMBv1 without causing any adverse impacts, as it has not been in use. This proactive strategy helps enhance the security and overall health of Windows, Linux, and macOS systems.
Topic: | SMB Version 1 |
Subject: | Vulnerable SMB v1 Network File Sharing |
Description: | The computer has SMB v1 installed, which lacks important protection mechanisms offered by later SMB protocol versions. It is a well-known security risk, exploited by various ransomware worms, Denial-of-Service and Remote Code Execution attacks. Bear in mind that some legacy software and network printers require SMB v1 to function. |
Suggestion: | It is highly recommended to remove SMB v1 via GYTPOL. Do verify that there's no legacy software or network printers that requires SMB v1. If there are computers with legacy software (that demands admins browse via the so-called network aka network neighborhood master browser list) or computers running run old multi-function printers with old firmware in order to “scan to share” then do not remove until you upgrade that software. |
Reason: | SMBv1 wasn’t used on the last 90 days (we can also show if ever used) and it is safely to disable by removing the feature from the device. |
Access to Shares Anonymously
Access to Shares Anonymously is a concern specific to Windows environments. Default values can often present challenges, requiring significant effort to track down and address all settings. This particular setting grants permission to anonymous users for access, a permission that most organizations do not require or desire.
At GYTPOL, our approach is to rectify this by modifying the settings to ensure that anonymous users are not granted access. By implementing this security measure, we enhance the overall security posture of Windows systems, mitigating the risk of unauthorized access and aligning the system configuration with organizational security requirements.
| Accessing Shares Anonymously |
Subject: | Accessing Shares Anonymously |
Description: | When this setting is not set - sessions or pipes might have attributes and permissions that allow anonymous access. An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. |
Suggestion: | It is highly recommended to not allowing accessing device shares anonymously. |
Reason: | Anonymous access should be limited and prevented in a corporate network – access should be allowed for Authenticated users only. |
Everyone to Anonymous
Granting "Everyone" additional access to Anonymous is a Windows-specific concern. Default values can indeed present challenges, necessitating significant efforts to address various settings. This particular setting extends permissions to Anonymous users by including them in the "Everyone" group, potentially providing them with unauthorized access.
At GYTPOL, our approach involves modifying these settings to prevent Anonymous users from being included in the "Everyone" group, thereby mitigating the potential for unauthorized access. By implementing this security measure, we contribute to bolstering the security stance of Windows systems, aligning them with organizational security standards and minimizing the risk of unauthorized access.
Topic: | Everyone to Anonymous |
Subject: | Everyone to Anonymous Permissions |
Description: | This policy setting determines what additional permissions are granted for anonymous connections to the device. An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. |
Suggestion: | It is highly recommended to not allowing everyone group permissions apply to accessing device shares. |
Reason: | Anonymous access should be limited and prevented in a corporate network – access should be allowed for Authenticated users only. |
General
LLMNR
LLMNR (Link-Local Multicast Name Resolution) is a Windows-specific protocol that has been deemed risky and obsolete in modern operating systems. Organizations have largely ceased using this protocol due to security concerns. It's important to note that LLMNR is enabled by default in some systems.
At GYTPOL, our approach is to disable LLMNR to enhance the security posture of Windows systems. By deactivating this protocol, we minimize potential risks associated with its use and align the system configuration with modern security standards. This proactive measure contributes to the overall security and stability of Windows environments.
Topic: | LLMNR |
Subject: | LLMNR protocol allowing impersonation attacks |
Description: | The Link-Local Multicast Name Resolution (LLMNR) protocol allows name resolution without the requirement of a DNS server, by enabling a special multicast UDP packet on port 5355, to be sent across the network, asking all listening Network-Interfaces to reply if they are authoritatively known as the hostname in the query. The problem is the protocol doesn't have effective protections, and an attacker can fabricate a response and steal user credentials. more |
Suggestion: | This is legacy protocol with high risks and should be disabled via an Active Directory GPO. Using GPMC, create a GPO, and under Computer Configuration - Policies - Administrative Templates - Network - DNS Client - Turn Off Multicast Name Resolution - set to Enabled. |
Reason: | In modern networks, the DNS should be the one responsible for managing the PC/Servers names and not rely on multicast or broadcast name resolution. |
Obsolete Software
Powershell v2
PSv2 (PowerShell version 2) is relevant to Windows systems. In default configurations, both PSv2 and PSv5 are installed on Windows 10, Server 2016, and subsequent versions. However, PSv2 is not commonly utilized by organizations using these operating systems, as all commands supported by PSv2 are also available in PSv5.
At GYTPOL, we recommend removing PSv2 to streamline system configurations. By removing PSv2, organizations can enhance security by reducing the attack surface and potential vulnerabilities associated with unused components. This proactive approach aligns with modern security standards and contributes to the overall security and efficiency of Windows environments.
Topic: | PowerShell Version |
Subject: | PowerShell v2.0 installed and vulnerable |
Description: | PowerShell v2.0 engine contains known vulnerabilities and is susceptible to downgrade attacks. PowerShell v5 introduced important security capabilities which are lacking in v2. Having v2 on a computer enables attackers to revert the execution to the older engine, thereby circumventing the added security. |
Suggestion: | It is highly recommended to upgrade PowerShell to v5.1 or above and uninstall PowerShell v2.0. Use the Add/Remove Windows Features on a Windows workstation computer, or Server Manager to remove the feature on a Server computer. |
Reason: | By default, Windows will use the latest version installed and will use ver. 5.1 instead of ver. 2 – once ver. 2 is removed, PS5.1 will still remain the default version. |
Legacy Protocols
DES
DES (Data Encryption Standard) and triple DES (3DES) relevance pertains to Windows systems. DES is a legacy cipher within the context of Kerberos authentication. Modern operating systems typically do not utilize DES unless specifically mandated by an organization.
At GYTPOL, our approach involves disabling DES, especially if it is not actively used within an organization. By disabling DES, organizations can align their security posture with modern encryption standards, reducing the potential vulnerabilities associated with legacy ciphers. This proactive measure enhances the security and integrity of Windows environments by adhering to contemporary security practices and standards.
Topic: | DES Authentication |
Subject: | An authentication was made using DES |
Description: | DES does not provide authentication. It is vulnerable to a variety of attacks including man in the middle (MITM). |
Suggestion: | It is highly recommended to disable DES via the Group Policy. Follow the steps: https://www.tbs-certificates.co.uk/FAQ/en/desactiver_rc4_windows.html. |
Reason: | We show if DES authentication was used in the last 30 days, and it can be disabled only on a non-used device. |
RC4
RC4 (Rivest Cipher 4) is relevant to Windows systems. Similar to DES, RC4 is considered a legacy cipher within the context of Kerberos authentication. Modern operating systems typically do not employ RC4 unless specifically required by an organization.
At GYTPOL, our recommended approach involves disabling RC4, especially if it is not actively utilized within the organization. Disabling RC4 aligns security practices with modern encryption standards, reducing the potential vulnerabilities associated with outdated ciphers. This proactive measure contributes to bolstering the security and overall robustness of Windows environments by adhering to contemporary security norms and best practices.
Topic: | RC4 Authentication |
Subject: | An authentication was made using RC4 |
Description: | RC4 does not provide authentication. It is vulnerable to a variety of attacks including man in the middle (MITM). |
Suggestion: | It is highly recommended to disable RC4 via the Group Policy. Follow MS steps: https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-disabling-rc4-479fd6f0-c7b5-0671-975b-c45c3f2c0540. |
Reason: | We show if RC4 authentication was used in the last 30 days, and it can be disabled only on a non-used device. |