CYBER SECURITY LAB

1. Audit security policy implementation in windows environment.

What is Windows Auditing?

Windows auditing is an important component of Active Directory security and helps to monitor network
activity.

A Windows audit policy defines what type of events you want to keep track of in a Windows
environment. For example, when a user account gets locked out or a user enters a bad password these
events will generate a log entry when auditing is turned on. An auditing policy is important for
maintaining security, detecting security incidents, and meeting compliance requirements.

Use the Advanced Audit Policy Configuration

When you look at the audit policies you will notice two sections, the basic audit policy, and the
advanced audit policy. When possible you should only use the Advanced Audit Policy settings located
under Security Settings\Advanced Audit Policy Configuration.

The advanced audit policy settings were introduced in Windows Server 2008, it expanded the audit
policy settings from 9 to 53. The advanced policy settings allow you to define a more granular audit
policy and log only the events you need. This is helpful because some auditing settings will generate a
massive amount of logs.

Important: Don’t use both the basic audit policy settings and the advanced settings located under
Security Settings\Advanced Audit Policy Configuration. Using both can cause issues and is not
recommended.

Microsoft provides the following information.

The advanced audit policy has the following categories. Each category contains a set of policies.

 Account Logon
 Account Management
 Detailed Tracking
  DS Access
 Logon/Logoff
 Object Access
 Policy Change
 Privilege Use
 System
 Global Object Access Auditing

Configure Audit Policy for Active Directory (For all Domain Controllers)

By default, there is a bare minimum audit policy configured for Active Directory. You will need to modify
the default domain controller policy or create a new one.

Follow these steps to enable an audit policy for Active Directory.

Step 1: Open the Group Policy Management Console

Step 2: Edit the Default Domain Controllers Policy

Right click the policy and select edit

Step 3: Browse to the Advanced Audit Policy Configuration

Now browse to the Advanced Audit Policy Configuration

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy
Configuration

Step 4: Define Audit Settings

Now you just need to go through each audit policy category and define the events you want to audit.
See the recommended audit policy section for the recommended settings.
 2. Create a Demilitarized zone creation in Network environment for information security.

In computer security, common setups used for small and medium networks include a firewall that
processes all the requests from the internal network (LAN) to the Internet, and from the Internet to the
LAN.

This firewall is the only protection the internal network has in these setups; it handles any NAT (Network
Address Translation), by forwarding and filtering requests as it sees fit.

For small companies, this is usually a good setup. But for large corporations, putting all servers behind a
firewall is not as effective.

That’s why perimeter security networks (also called demilitarized zone networks or DMZs) are used to
separate the internal network from the outside world. This way, outsiders can access the public
information in the DMZ, while the private, proprietary information is kept safely behind the DMZ, into
the internal network.

This way, in case of a security breach, the attackers will only be able to access the servers in the DMZ
network. This can be annoying and can lead to downtime, but at least the sensitive information is kept
safe.

Here are a few examples of services that you can keep in the Demilitarized Zone Network:

 webservers with public information;

 the front-end of your application (the back-end should be kept safely behind the DMZ);
 mail servers;
 authentication services;
 services like HTTP for general public usage, secure SMTP, secure FTP, and secure Telnet;
 VoIP servers;
 VPN endpoints;
 application gateways;
 test and staging servers.

Why Use a Demilitarized Zone Network?

A DMZ server will secure your internal network from external access. It does so by isolating
the public services (requiring any entity from the Internet to connect to your servers) from
the local, private LAN machines in your network.

The most common method of implementing such a divider is by setting up a firewall with 3
network interfaces installed. The first one is used for the Internet connection, the second for
the DMZ network, and the third for the private LAN.

Any inbound connections are automatically forwarded to the DMZ server because the
private LAN doesn’t run any services and is not connectible. That’s how configuring a
demilitarized zone network helps isolate the LAN from any Internet attacks.

Here’s a diagram of the final DMZ network architecture setup:

 To set up a default DMZ server:

1. Launch a web browser from a computer or mobile device that is connected to your router’s network.
2. Enter http://www.routerlogin.com.
A login window opens.
3. Enter the router user name and password. The user name is admin. The default password is
password. The user name and password are case-sensitive. The BASIC Home page displays.
4. Select ADVANCED>Setup>WANSetup.
The WAN Setup page displays.
5. Select the Default DMZ Server check box.
6. Type the IP address.
7. Click the Apply button. Your settings are saved.
 3. Implement Resource harvesting attack and mitigation.

A credential harvesting attack can take any number of forms. Think of any cyberattack vector and
chances are it has been used to access valuable usernames and passwords. Attackers may use a phishing
attack, sending victims an email with links to bogus websites where users will be fooled into entering
their username or password. Alternatively, they can email users a malicious attachment to launch
credential stealer malware widely available on the black market

Other harvesting techniques include:

 Man-in-the-middle attacks.
 Zero day attacks and other software vulnerability exploits.
 Malicious insider misconduct.
 Remote desktop protocol (RDP) attacks.
 DNS spoofing.
 Social engineering.

Once inside an organization, threat actors can take advantage of their stealth access to hunt for and
harvest credentials. They can root around in private key files, registries, and system administrators’
notes and files, or they can look for credentials that are hardcoded within scripts or applications.

Some cybercriminals will also place what’s called a web shell in an organization’s environment. These
web-based applications provide them with the ability to interact with a system longer term, giving them
the opportunity to collect additional information.

Prevent Credential Harvesting Attacks

Organizations can protect themselves against this multifaceted threat using a layered approach:

The human element is a vulnerability exploited by credential harvesters. Employees may click on a link
and inadvertently enter their username and password on a dubious site, or trusted partners could
unknowingly install credential stealing malware on your network. So, awareness initiatives and user
behavior training are critical. Leading programs will enable organizations to test employees’ readiness
using de-weaponized versions of real-world attacks.

Because credential harvesting attacks are often initiated via email (with malicious links and attachments
or using VIP impersonation, for example), fortifying this digital communication channel is paramount.

Insiders can also be an avenue for threat actors to gain access to databases of credentials. An insider
threat program can automate protection against malicious, compromised, or even careless insiders.

Cyber security risk mitigation

Cybersecurity risk mitigation involves the use of security policies and processes to reduce the overall risk
or impact of a cybersecurity threat. In regard to cybersecurity, risk mitigation can be separated into
three elements: prevention, detection, and remediation. As cybercriminals’ techniques rise in
sophistication, your organization’s cybersecurity risk mitigation strategies will have to adapt to maintain
the upper hand.

1.Conduct a cyber security risk assessment

2. Establish network access controls
3. Implement firewalls and antivirus software
4. Create a patch management schedule
5. Continuously monitor network traffic
6. Build an incident response plan
7. Examine the physical security of your business
8. Minimize your attack surface
 4. Implement Window Patch management policy.

What is a patch management policy?

A patch management policy is an IT strategy document that outlines the processes and methodology
used to ensure hardware and software on a corporate network are regularly maintained. The policy is a
framework to help administrators identify and categorize systems and applications on the network that
require structured and unstructured updates, find the source of where the patch code can be retrieved
and outline the process of determining what devices must be updated, why and by whom. A patch
management policy also provides details on how to roll back in the event of a conflict and document the
post-patching process for future reference.

Why is a patch management policy important?

Software and firmware must be patched on various IT/OT systems for one of three reasons:

 adding new features and functionality;

 fixing code that has inadvertently caused performance and operability problems; or
 remediating one or more information security vulnerabilities that could be exploited via code
modification.

How to create a patch management policy

Take the following actions when formulating a patch management policy:

 Outline the procedure for determining how software and devices will be identified and
categorized.
 Identify who's responsible for patching the various categories of software and devices.
 Document how tools, processes and external resources will be used to find relevant
vulnerabilities and bug and feature updates.
 Formulate a patch change request template along with approval process and rollback
procedures.
 Create a patch lifecycle timeline for various system patches that specify how quickly a patch
must be deployed based on various business and cybersecurity factors.
 Detail a process to monitor the effects of a patch and what negative side effects would
constitute the triggering of a rollback.
 Formulate a patch results documentation template for use after every patch maintenance
window.
 5. Knowing the Behavior of Trojans and mitigation strategies.

What is a Trojan Horse? (Trojan Malware)

A Trojan Horse (Trojan) is a type of malware that disguises itself as legitimate code or software. Once
inside the network, attackers are able to carry out any action that a legitimate user could perform, such
as exporting files, modifying data, deleting files or otherwise altering the contents of the device. Trojans
may be packaged in downloads for games, tools, apps or even software patches. Many Trojan attacks
also leverage social engineering tactics, as well as spoofing and phishing, to prompt the desired action in
the user.

Trojan: Virus or Malware?

A Trojan is sometimes called a Trojan virus or Trojan horse virus, but those terms are technically
incorrect. Unlike a virus or worm, Trojan malware cannot replicate itself or self-execute. It requires
specific and deliberate action from the user.

Trojans are malware, and like most forms of malware, Trojans are designed to damage files, redirect
internet traffic, monitor the user’s activity, steal sensitive data or set up backdoor access points to the
system. Trojans may delete, block, modify, leak or copy data, which can then be sold back to the user for
ransom or on the dark web.

10 Types of Trojan Malware

Trojans are a very common and versatile attack vehicle for cybercriminals. Here we explore 10 examples
of Trojans and how they work:

1. Exploit Trojan: As the name implies, these Trojans identify and exploit vulnerabilities within
software applications in order to gain access to the system.
2. Downloader Trojan: This type of malware typically targets infected devices and installs a new
version of a malicious program onto the device.
3. Ransom Trojan: Like general ransomware, this Trojan malware extorts users in order to restore
an infected device and its contents.
4. Backdoor Trojan: The attacker uses the malware to set up access points to the network.
5. Distributed Denial of Service (DDoS) attack Trojan: Backdoor Trojans can be deployed to
multiple devices in order to create a botnet, or zombie network, that can then be used to carry
out a DDoS attack. In this type of attack, infected devices can access wireless routers, which can
then be used to redirect traffic or flood a network.
6. Fake AV Trojan: Disguised as antivirus software, this Trojan is actually ransomware that requires
users to pay fees to detect or remove threats. Like the software itself, the issues this program
claims to have found are usually fake.
7. Rootkit Trojan: This program attempts to hide or obscure an object on the infected computer or
device in order to extend the amount of time the program can run undetected on an infected
system.
8. SMS Trojan: A mobile device attack, this Trojan malware can send and intercept text messages.
It can also be used to generate revenue by sending SMS messages to premium-rate numbers.
 9. Banking Trojan or Trojan Banker: This type of Trojan specifically targets financial accounts. It is
designed to steal data related to bank accounts, credit or debit cards or other electronic
payment platforms.
10. Trojan GameThief: This program specifically targets online gamers and attempts to access their
gaming account credentials.

How do Trojans Infect Devices?

Trojans are one of the most common threats on the internet, affecting businesses and individuals alike.
While many attacks focused on Windows or PC users in the past, a surge in Mac users has increased
macOS attacks, making Apple loyalists susceptible to this security risk. In addition, mobile devices, such
as phones and tablets, are also vulnerable to Trojans.

Some of the most common ways for devices to become infected with Trojans can be linked to user
behavior, such as:

 Downloading pirated media, including music, video games, movies, books, software or paid
content
 Downloading any unsolicited material, such as attachments, photos or documents, even from
familiar sources
 Accepting or allowing a pop-up notification without reading the message or understanding the
content
 Failing to read the user agreement when downloading legitimate applications or software
 Failing to stay current with updates and patches for browsers, the OS, applications and software

How to Prevent Trojan Horse Attacks

For everyday users, the best way to protect against Trojan attacks is by practicing responsible online
behavior, as well as implementing some basic preventive measures.

Best practices for responsible online behavior include:

 Never click unsolicited links or download unexpected attachments.

 Use strong, unique passwords for all online accounts, as well as devices.
 Only access URLs that begin with HTTPS.
 Log into your account through a new browser tab or official app — not a link from an email or
text.
 Use a password manager, which will automatically enter a saved password into a recognized site
(but not a spoofed site).
 Use a spam filter to prevent a majority of spoofed emails from reaching your inbox.
 Enable two-way authentication whenever possible, which makes it far more difficult for
attackers to exploit.
 Ensure updates for software programs and the OS are completed immediately.
 Back up files regularly to help restore the computer in the event of an attack.
In addition, consumers should take steps to protect their devices and prevent them from all types of
malware attacks. This means investing in cybersecurity software, which can detect many threats or
block them from infecting the device.
 6. Create a metasploit and make it to implement.

What Is Metasploit, and How Does It Work?

Metasploit is the world’s leading open-source penetrating framework used by security engineers as a
penetration testing system and a development platform that allows to create security tools and exploits.
The framework makes hacking simple for both attackers and defenders.

What Tools Are Used in Metasploit?

Metasploit tools make penetration testing work faster and smoother for security pros and
hackers. Some of the main tools are Aircrack, Metasploit unleashed, Wireshark, Ettercap,
Netsparker, Kali, etc.

How to Download and Install Metasploit?

If you are using Kali Linux for presentation testing, Metasploit is preinstalled in your system. So
you don’t need to download and install it.

The Github repository helps to download and install Metasploit in both Windows and Linux
systems. It is available in the GUI version, but you have to purchase for full access to Metasploit
licensed version.

Metasploit Framework

Following is the filesystem of Metasploit Framework (MSF):

 Data – contains editable files for storing binaries, wordlist, images, templates, logos, etc

 Tools – contains command utilities including plugins, hardware, memdump

 Scripts – contains Meterepreter scripts, resources to run functionalities

 Modules – contains actual MSF modules

 Plugins – additional extensions for automating manual tasks

 Documentation – documents and pdfs concerning Metasploit framework

 Lib – contains libraries required to run Metasploit from start to end

Metasploit Shell Types

There are two types of shells in Metasploit — for attacking or interacting with the target system.
 Bind Shell – here, the target machine opens up a listener on the victim machine, and then the
attacker connects to the listener to get a remote shell. This type of shell is risky because
anyone can connect to the shell and run the command.

 Reverse Shell – here, the headset runs on the attacker, and the target system is connected to
the attacker using a shell. Reverse shells can solve problems that are caused by bind shells.

Metasploit Commands

Some basic commands of Metasploit are msfconsole, banner, search, connect, cd, back, grep,
jobs, kill, load, info, show options, set, check, edit, use, exploit, exit, help, and others.

Hands-on - How to protect a system from cyber attack

Here’s how you can use Metasploit to protect a system from cyber-attack:

1. Open your terminal and start the “Postgres SQL” database.

2. Run msfconsole command to go to Metasploit interface

3. Use the Attacker system where Metaspolit tool is present to hack the Metasploitable system or
victim system.

4. Scan victim system for information gathering.

5. Run nmap tool to scan the victim’s OS

6. Use search command to find exploit to access victim’s system

7. Go inside the exploit and set remote host IP in the exploit

8. Run exploit command and wait to enter victim system

Make sure to maintain legality by using Metasploitable OS for penetration testing.

 7. Access control list creation and content filtering limiting the traffic.

Understanding ACL

Access Control List as the name suggests is a list that grants or denies permissions to the packets trying

to access services attached to that computer hardware. ACLs are usually implemented on the fire-wall

router, that decides about the flow of traffic. If the packet matches the specified paramaters, then it is

allowed to travel inside the network else the packet is dropped there with.
Why ACL?

There are several other purposes for understanding this basic block of networking. ACLs

help in prioritizing the traffic for specific cases (to ensure Quality of Services), limiting or

sometimes restricting remote users from accessing the network, managing and debugging

VPN and many other tricks.

Hierachy

In some cases, there is a set of conditions that the data packet must meet inorder to be

allowed inside the network. While mentioning those requirements, the hierachy of the

conditions is to be kept accounted for. If the packet does meet upto the first set of rules,

the ACL will stop further examining the packet and will be allowed therewith. So make

sure you first lay down a structure in a proper order form or your ACL can be rendered

useless. In case you want to define a new condition/rule, it is appended at the end of the

ACL. Also, you can not delete any specific statement after it has been configured. The

only way to alter it is to delete the access list and reconfigure it to the router.
Standard ACL
The Standard ACLs have the range between 1-99 and 1300-1999. This list was used for

basic filtering i.e the router checks the address of the source IP and makes the decision

whether to allow the traffic or discard it.

Configuring

To configure a standard list, we have the following code:

router(config) # access-list access-list-number {permit | deny} {source [source-

wildcard] | host hostname |any}

Here, access-list-number is a numeric number (in our case ranging between 1-99 or 1300-

1999) as mentioned above. The next parameter, permit|deny speaks for itself. The third

parameter could either be the source addresses that are to be checked or could be a specific

host , or any that means to look out for all traffic.

One thing that needs mentioning here is the source-wildcard. In simple words, it masks

the source address with an inverse mask.

Or you could use the numbered ACL;

router(config)# ip access-list standard {access-list-name}

router(config-std-nacl)# [sequence-number] {permit | deny} {source [source-

wildcard] | host hostname | any}

After the definition, the ACL is to be applied to the interface. In previous software

versions, out was default, but in latest releases, the direction needs to be mentioned.
 router(config-std-nacl)# interface ip access-group number {in|out}

The keyword in will apply the ACL to all the inbound traffic through the interface, whereas

the out will look after the outgoing traffic.

Another working example from Cisco;

R1:

Define an access-list 1 allowing the network 155.1.0.0 and it’s corresponding subnet mask

router(config)# access-list 1 permit 155.1.0.0 0.0.255.255

then, you have to apply this access-list 1 to the interface of your choice, it is ethernet0/100 in

our case;

router(config)# interface GigabitEthernet0.100

router(config-if)# ip access-group 1 in

Standard ACLs only allow you to match source IP addresses based on “base” IP address

and wildcard mask. Because of that “aggregate” behavior, standard ACLs are commonly

configured at network nodes close to the “protected” object. One very common task is

finding a required base IP address and wildcard mask pair based on a set of requirements.

The commands that we commonly use for checking ACLs are;

router# show ip interface GigabitEthernet0.100 | include access [here we have

used the 'pipe | sign'

The output of the above command is below:

 Outgoing Common access list is not set

Outgoing access list is not set

Inbound Common access list is not set Inbound access list is 1

IP access violation accounting is disabled

Let’s us have an example from Juniper networks in which we will deny the ssh and telnet

protocols.;

You first have to go in the [edit] menu and apply the family inet filter named {local_acl} and

define the terminal_access setting:

router# set firewall family inet filter local_acl term terminal_access from

source-address 192.168.1.0/24

router# set firewall family inet filter local_acl term terminal_access from

protocol tcp>

router# set firewall family inet filter local_acl term terminal_access from port

ssh

router# set firewall family inet filter local_acl term terminal_access from port

telnet
router# set firewall family inet filter local_acl term terminal_access then accept

router# set firewall family inet filter local_acl term terminal_access_denied

from protocol tcp

router# set firewall family inet filter local_acl term terminal_access_denied

from port ssh

router# set firewall family inet filter local_acl term terminal_access_denied

from port telnet

router# set firewall family inet filter local_acl term terminal_access_denied

then log

router# set firewall family inet filter local_acl term terminal_access_denied

then reject

router# set firewall family inet filter local_acl term default-term then accept

router# set interfaces lo0 unit 0 family inet filter input local_acl

router# set interfaces lo0 unit 0 family inet address 127.0.0.1/32

 8. Data leakage in a website database and preventive measures.

What Is Data Leakage?

Data leakage is when people get the information they're not supposed to have. This can happen in
different ways, both accidentally and intentionally. It would be best if you were careful with your data
because it could get out, and someone could misuse it.

For example, imagine you have a credit card, and you use it to buy things online. Your credit card
number, expiration date, and security code are all sensitive information. If this data gets released to
someone who shouldn't have it, they could use your credit card to make unauthorized purchases.

Another example is if you're a business, and you have employee records. These records could include
social security numbers, addresses, birth dates, and more. If this information gets released,
cybercriminals could use it to commit identity theft or fraud.

Data leakage is a severe problem because it can lead to a loss of money, damage to reputation, and
more. That's why it's important to be aware of the ways it can happen and take steps to prevent it.

There are a few ways data leakage can transpire:

 Hacking: This is when someone gains unauthorized access to a system or database. They can do
this by using special software or taking advantage of security vulnerabilities.
 Theft: This is when someone physically steals data, like a laptop or hard drive. This can happen if
you leave your device in a public place or someone breaks into your home or office.
 Accidental release: This is when data is released unintentionally. For example, you might
accidentally email the wrong person or post something publicly that should have been private.
 Organization insiders: This is when someone who works for a company, such as an employee or
contractor, deliberately releases data. They might do this for personal gain or to damage the
company's reputation.
 Not following security procedures: Data leakage can also occur when people don't follow proper
security procedures. For example, if an employee prints out sensitive information and leaves it
in public, that's a form of data leakage.
 System misconfiguration: This is when an individual or IT management in an organization does
not configure the system properly, which can expose data. For example, if a website's database
is not adequately protected, hackers could gain access to it.

How to Protect data From Data Leaks

There are a few things you can do to protect yourself from data leakage:

 Keep your software up to date: Outdated software is often the cause of data leaks. Be sure to
keep all your programs updated to patch any security vulnerabilities.
 Use strong passwords: Strong passwords are essential for keeping your data safe. Use a mix of
letters, numbers, and special characters in order to create a strong password.
 Use multi-factor authentication: Multi-factor authentication adds an extra layer of security to
your accounts. This means that even if someone manages to guess your password, they will still
need another piece of information to access your account.
 Use a VPN: A VPN encrypts your internet traffic and makes it harder for third parties to snoop on
your online activity.
 Be careful what you post online: Be mindful of the information you share online. Avoid sharing
sensitive information such as your home address or financial information.
 Keep an eye out for phishing scams: Phishing scams are a common way for hackers to gain
access to your data. Be attentive to be on the lookout for suspicious emails or websites that may
be trying to steal your information.
 Monitor your accounts: Regularly check your bank and credit card statements for unauthorized
transactions
 9. Password policy implementations and verification.

This password policy is configured by group policy and linked to the root of the domain. You can view
the default password policy using one of two ways.

 Using the GPMC

 Using PowerShell Scripts

Using the GPMC

 Go to Start Menu → Administrative Tools → Group Policy Management.

 In the console tree, expand the Forest and then Domains. Select the domain for which the
Account policies have to be set.
 Double-click the domain to reveal the GPOs linked to the domain.
 Right-click Default Domain Policy and select Edit. A Group Policy Editor console will open.
 Now, navigate to Computer Configuration → Policies → Windows Settings → Security Settings
→ Account Policies → Password Policy.
 Double-click Password Policy to reveal the six password settings available in AD. Right-click any
one of these settings and select Properties to define the policy setting
 The Properties dialog box of each policy setting will have two tabs. The Security Policy Setting
tab is where the value for that setting is set. The Explain tab gives a brief description of the
policy setting and its default values.
 In the Security Policy Setting tab, check the Define this Policy Setting check box and enter the
desired value. Click Apply and then OK.

Using PowerShell Script

You can also view the default password policy with Powershell using this command.
Get-ADDefaultDomainPasswordPolicy

Understanding Password Policy Settings

So far, we have seen how to view and change the policy. But you must know what each of these default
settings means, so you can make the required changes. So, let’s take a look at each of the settings.

Enforce Password History

This setting determines the number of new passwords that have to be set before an old password can
be reused. It ensures that old passwords are not used continuously by users which will render the
Minimum Password Age policy setting useless. The value can be set between 0 and 24. The default value
is 24 on domain controllers and 0 on stand-alone servers.

For example, if the Enforce Password History value is set to 10, then the user must set 10 different
passwords when the password expires before setting his/her password to an old value.

If the value is set to 0, then the password history is not remembered, and the user can reuse their old
password when their password expires.

Maximum Password Age

This setting determines the maximum number of days a password can be used. Once the maximum
password age expires, users must change their password. It ensures that users don’t stick with one
password forever. The value can be set between 0 and 999 days. The default value is 42.

For example, if the Maximum Password Age value is set to 60, then the user must change his/her
password after every 60 days.

If the value is set to 0, then the password never expires, and the user is not required to change his/her
password ever.

Minimum Password Age

This setting determines the minimum number of days a password must be in use before it can be
changed. Only when the minimum password age expires, users are allowed to change their password. It
ensures that users don’t change their passwords too often. The value can be set between 0 and 999
days. The default value is 1 for domain controllers and 0 for stand-alone servers.

For example, if the Minimum Password Age is set to 10, then the user cannot change his/her password
for 10 days after the last password change.

This setting is used to ensure the effectiveness of Enforce Password History setting. If the Minimum
Password Age is set to 0, then the user can change his/her password every 2 minutes or so until the
value set for Enforce Password History is reached and reuse his/her favorite old password. By setting the
Minimum Password Age to a certain value, a user cannot change his/her password often enough to
render the Enforce Password History setting ineffective.

The value for Minimum Password Age should always be less than the Maximum Password Age.

Minimum Password Length

This setting determines the minimum number of characters a password should contain. The value can
be set between 0 and 14. The default value is 7 on domain controllers and 0 on stand-alone servers.

For example, if the Minimum Password Length is set to 6, then the password must contain at least 6
characters.

If it is set to 0, then no password is required.

Passwords must meet complexity requirements

This setting determines whether the password must meet the complexity requirements specified. If this
setting is enabled, passwords must meet the following requirements.

Not contain the user’s account name or part of the user’s full name that exceed two consecutive
characters

The password is at least six characters long.

The password contains characters from at least three of the following four categories:

English uppercase characters (A – Z)

English lowercase characters (a – z)

Base 10 digits (0 – 9)

Non-alphanumeric (For example: $, #, or %)

By default, this setting is enabled on domain controllers and disabled on stand-alone servers.

Store Passwords using reversible encryption

This security setting determines whether the password is stored using reversible encryption. If a
password is stored using reversible encryption, then it becomes easier to decrypt the password. This
setting is useful in certain cases, where an application or service requires the username and password of
a user to perform certain functions. This setting should be enabled, only if it is necessary. By default, this
setting is disabled.

Blocking Inheritance on Domain Controllers

If inheritance is blocked on the domain controllers (DCs), password policy settings from policies linked at
the root domain will be ignored. This eventually means that the password policy settings changes in that
GPO will be ignored and whatever the current password policy is will be applied on the domain.
However, linking the GPO directly to the domain controllers has no effect. Administrators have to either
remove the blocked inheritance on the domain controller’s OU or set the link at the root domain to
‘enforced’. As long as the policy appears in the Group Policy Inheritance list, the settings should take
effect.
 10. Patch management implementation using MBSA tool on windows machine

Windows Patch Management

Windows patch management (or Windows patching) is the process of managing patches for
Windows, from scanning for and detecting missing patches to downloading and deploying
them. Using a patch management solution, the entire Windows patch management process can be
automated, so you don't need to go around to every computer and manually check whether all
missing patches were identified and applied. Many Windows patch management tools also generate
reports for you to confirm whether Windows patches have been deployed properly.

The Microsoft Baseline Security Analyzer (MBSA) is a software tool that helps determine the
security of your Windows computer based on Microsoft’s security recommendations. MBSA can
be used to improve your security management process by analyzing a computer or a group of
computers and detecting missing patches/updates and common security misconfigurations.
After you run a MBSA scan, the tool will provide you with specific suggestions for remediating
security vulnerabilities. An MBSA scan can reduce and eliminate possible threats caused by
security configuration problems and missing security updates. This document explains how to
use MBSA from the graphical user interface (GUI).

Before installing MBSA, make sure that your computer meets the following minimum
requirements:

 In order to perform a scan you MUST have administrator privileges.

 Software:
 The latest Windows Update Agent (WUA) client. MBSA automatically updates
computers that need an updated WUA client if Configure computers for
Microsoft Update and scanning prerequisites is selected.
 IIS 5.0, 5.1 or 6.0 (required for IIS vulnerability checks).
 SQL Server 2000 or MSDE 2.0 (required for SQL vulnerability checks).
 For the Operating System and Microsoft Office minimum requirements, please
see the information at http://msdn.microsoft.com/en-us/library/aa302360.aspx.

MBSA performs the following actions during a scan:

 Checks for available updates to the operating system, Microsoft Data Access
Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server.
 Scans a computer for insecure configuration settings. When MBSA checks for Windows
service packs and patches, it includes in its scan Windows components, such as Internet
Information Services (IIS) and COM+.
 Uses Microsoft Update and Windows Server Update Services (WSUS) technologies to
determine what updates are needed.

Installing the MBSA Tool

To download MBSA from the SecureU SharePoint site, complete the following steps.

1. Click the Download Now button on the Run Security Scans page for Windows.
2. You may see a File Download – Security Warning window. If this window displays,
click Run to download MBSA. It is safe to run or save this file.

3. You may see an Internet Explorer – Security Warning window. If this window displays,
click Run to install MBSA. It is safe to run this file.
 4. The MBS Setup window displays. Click Next.

5. Select the button next to I accept the license agreement and click Next.
6. Select a destination for the installation and click Next.
7. Click the Install button to start the installation.
8. A window will display when the installation has been successfully completed. Click OK.

Scanning Your System

1. On the Programs menu, click Microsoft Baseline Security Analyzer.

2. Click Scan a computer.

3. Leave all options set to default and click Start Scan.

4. MBSA will download the list of latest security catalogue from Microsoft and begin the
scan. Once the scan is complete, the scan results are shown in an organized report with
several sections. Each section may require you to take different actions in order to
remediate any problems that have been detected. On the left you will see a column
labeled Score. Scan this list for any Red Xs . A red X represents an item that needs to
be fixed.
Note: Most computers will have results for Security Updates, Windows, and Desktop
Applications. If you are running Windows Server, contact the 24/7 IT Help Desk for more
 information about these services.

How to Interpret the MBSA Scan Reports

MBSA generates a report file in the profile directory of the logged in user (%userprofile%). This
report file is stored on the computer from which you ran the MBSA tool. MBSA displays
different icons in the report score columns depending upon whether a vulnerability was found
on the scanned machine.
For the administrative vulnerability checks, a red X is used when a critical check failed (for
example, a user has a blank password). A yellow X is used when a non-critical check failed
(for example, an account has a password that does not expire). A green checkmark is used
when a check passes (that is, no issue was found for that particular check). A blue asterisk
is used for best practice checks (for example, checking if auditing is enabled). A blue
informational icon is used for checks that simply provide information about the computer
being scanned (for example, the operating system version of the scanned computer).

For the security update checks, a red exclamation mark is used when a security update is
missing or a security check could not be performed from the scanned computer. A yellow X is
used for warning messages (for example, the computer does not have the latest service pack or
update rollup). A blue star is used for informational messages indicating that an update is not
available to the computer because it has not been approved on the Update Services server.
Scores cannot be changed or reassigned for system configuration checks.

MBSA Scan Summary Sections

The MBSA scan summary is organized into sections. It also contains links that provide more
detailed information, such as What was scanned, Result Details, and How to Correct this. The
more often you run the scan, the less often you will be prompted to fix something.

Security Update Checks

The Security Updates section determines which available service packs and security updates for
predetermined MS products match the state of your computer. If it has been a while since you
last updated your computer, this will most likely be marked with a red X . Running updates
on your computer will fix these problems.

Windows Checks

The Windows and Desktop Applications check determines if your current configuration leaves
your computer vulnerable to easy attacks. Potential problems include weak passwords,
Automatic Updates that are not turned on, Firewalls that are not turned on, or applications that
need to be updated. If any of these items are marked with a red X , then a How to correct
this link will display. Click this link to open a page with instructions for correcting the problem.

Additional System Information

The MBSA also provides additional information about the system that was scanned in a
separate section.

Analyzing the Scan

1. For each vulnerability, MBSA provides additional details about the scan via the What
was scanned link, the Result details link, and the How to correct this link.

2. The screen shot below displays the window that appears after you click on the Result
details link. The Result details window contains details about the vulnerability (in this
 case, weak passwords).

3. The screen shot below displays the window that appears after you click on the How to
correct this link. The How to correct this window displays the recommended solution
 with step-by-step instructions.

4. Once you have reviewed the report and corrected all the vulnerabilities, rerun MBSA to
check that there are no more additional vulnerabilities that exist on your system.

Requirements for Performing Remote Scans

System administrators can also run remote scans by selecting either the Check for IIS
vulnerabilities or the Check for SQL vulnerabilities option. If you are not a system
administrator, you should not run these scans. Contact the 24/7 IT Help Desk if you have
questions or need assistance resolving problems uncovered by these scans.
Note: If either of these services is unavailable or disabled, the scan results will indicate this. The
scan will result in an error if these services do not have an exception configured in the Windows
Firewall.
 11. Audit Policy management for users and computers log analysis.

Audit policy settings (Windows 10)

 The advanced audit policy settings available in Windows

 The audit events that these settings generate.

The security audit policy settings under Security Settings\Advanced Audit Policy Configuration can help
your organization audit compliance with important business-related and security-related rules by
tracking precisely defined activities, such as:

 A group administrator has modified settings or data on servers that contain finance information.
 An employee within a defined group has accessed an important file.
 The correct system access control list (SACL) - as a verifiable safeguard against undetected
access - is applied to either of the following: every file and folder,registry key on a computer and
file share.

You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the
local computer or by using Group Policy.

These advanced audit policy settings allow you to select only the behaviors that you want to monitor.
You can exclude audit results for the following types of behaviors:

 That are of little or no concern to you

 That create an excessive number of log entries.

In addition, because security audit policies can be applied by using domain Group Policy Objects, audit
policy settings can be modified, tested, and deployed to selected users and groups with relative
simplicity. Audit policy settings under Security Settings\Advanced Audit Policy Configuration are
available in the following categories:

Account Logon

Configuring policy settings in this category can help you document attempts to authenticate account
data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff
policy settings and events, Account Logon settings and events focus on the account database that is
used. This category includes the following subcategories:

 Audit Credential Validation

 Audit Kerberos Authentication Service
 Audit Kerberos Service Ticket Operations
 Audit Other Account Logon Events
 Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer
accounts and groups. This category includes the following subcategories:

 Audit Application Group Management

 Audit Computer Account Management
 Audit Distribution Group Management
 Audit Other Account Management Events
 Audit Security Group Management
 Audit User Account Management

Detailed Tracking

Detailed Tracking security policy settings and audit events can be used for the following purposes:

To monitor the activities of individual applications and users on that computer

To understand how a computer is being used.

This category includes the following subcategories:

 Audit DPAPI Activity

 Audit PNP activity
 Audit Process Creation
 Audit Process Termination
 Audit RPC Events
 Audit Token Right Adjusted

DS Access

DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify
objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain
controllers. This category includes the following subcategories:

 Audit Detailed Directory Service Replication

 Audit Directory Service Access
 Audit Directory Service Changes
 Audit Directory Service Replication

Logon/Logoff

Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a
computer interactively or over a network. These events are particularly useful for tracking user activity
and identifying potential attacks on network resources. This category includes the following
subcategories:

 Audit Account Lockout

  Audit User/Device Claims
 Audit IPsec Extended Mode
 Audit Group Membership
 Audit IPsec Main Mode
 Audit IPsec Quick Mode
 Audit Logoff
 Audit Logon
 Audit Network Policy Server
 Audit Other Logon/Logoff Events
 Audit Special Logon

Object Access

Object Access policy settings and audit events allow you to track attempts to access specific objects or
types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or
any other object, enable the appropriate Object Access auditing subcategory for success and/or failure
events. For example, the file system subcategory needs to be enabled to audit file operations; the
Registry subcategory needs to be enabled to audit registry accesses.

Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy
way to verify that the proper SACLs are set on all inherited objects. To address this issue, see Global
Object Access Auditing.

This category includes the following subcategories:

 Audit Application Generated

 Audit Certification Services
 Audit Detailed File Share
 Audit File Share
 Audit File System
 Audit Filtering Platform Connection
 Audit Filtering Platform Packet Drop
 Audit Handle Manipulation
 Audit Kernel Object
 Audit Other Object Access Events
 Audit Registry
 Audit Removable Storage
 Audit SAM
 Audit Central Access Policy Staging
Policy Change

Policy Change audit events allow you to track changes to important security policies on a local system or
network. Because policies are typically established by administrators to help secure network resources,
tracking changes (or its attempts) to these policies is an important aspect of security management for a
network. This category includes the following subcategories:

 Audit Audit Policy Change

 Audit Authentication Policy Change
 Audit Authorization Policy Change
 Audit Filtering Platform Policy Change
 Audit MPSSVC Rule-Level Policy Change
 Audit Other Policy Change Events
 12. Media handling policy implementation and event log analysis.

Media handling policy

Media Handling Its objective is to Stop unauthorized release, alteration, deletion, or destruction of
information contained in the media.

Physical Media Transfer

Control- Information media should be protected from unauthorized access, misuse or corruption during
transportation.
Implementation Guidance- For the safety of media containing information transported, the following
guidelines should be considered:
1. Reliable transport or the use of couriers;
2. Management should agree on a list of authorized couriers;
3. procedures should be established for verifying courier identification;
4. Packaging should probably be sufficient to safeguard the content from any physical damage
likely to occur during transit and to protect the content against environmental factors such as
exposure to heat, humidity, or electromagnetic fields which could reduce media recovering
efficiency.
5. Logs should be maintained, the content of the media should be established, the security
applied, and times of transfer to custodians and reception should be reported at the
destination.

Disposal of Media
Control- When not required by specific protocols, media should be disposed of securely.
Implementation Guidance- Formal protocols for the secure disposal of media should be established to
reduce the possibility of leakage of sensitive information to unauthorized persons. The protocols for the
secure processing of sensitive information media should be proportionate to the sensitivity of that
material.
Following should be taken into account:-
1. Confidential media should be processed and disposed of safely through, e.g. by incineration or
shredding, or data erasure for use by another application within an organization.
2. Procedures should be in place to identify the items that could need safe disposal
3. Instead of trying to isolate important objects, it could be better to plan to safely collect and
dispose of all media items;
4. Many organizations offer media collection and disposal services; care must be taken to select a
suitable external party with adequate controls and experience;
5. In order to maintain an audit trail, the disposal of confidential items will be logged.
Management of Removable Media
Control- Procedures shall be implemented for the management of removable media in accordance with
the classification scheme adopted by the organization.
Implementation Guidance- The following guidelines should be considered for the management of
removable media:
1. If not needed, the contents of any reusable media that are to be removed from
the organization should be made unrecoverable;
2. Where applicable and practicable, authorization should be needed for the removal of media
from the company and a record of these removals should be maintained in order to preserve
the audit trail;
3. In compliance with manufacturers’ standards, all media should be kept in a secure and safe
environment;
4. Where confidentiality or integrity of data is important, cryptographic techniques for securing
data on removable media must be used;
5. In order to minimize the possibility of media loss when storage data is still needed, the data
should be moved to fresh media before being unreadable;
6. Multiple copies of important data should be stored in different media to further reduce the
possibility of accidental data damage or loss;
7. Registration of removable media should be taken into account to limit the possibility of data
loss;
8. Removable media drives should only be allowed if there is a business purpose to do so;
9. Where there is a requirement for the use of disposable media, the movement of data to such
media will be supervised.
 13. Installation of Trojan and study of different options.

A Trojan virus, or Trojan malware, is actually malicious code or software that looks legitimate to the
victim but can take full control over the victim’s computer. It is designed to steal, manipulate,
disrupt, damage, or do some other destructive action on your data, network, and computer system.
It seems like legitimate application software and deceives you into loading and executing
the malware on your device. The victim does not get any clue about the installation occurring silently
in the background. Once it is installed, it can start performing the activities it was designed for.

Malicious Activities of Trojan :

Unlike computer viruses and worms, they are not able to self-replicate. They can perform the
following malicious activities while residing inside the host system :
 Steal confidential data and sent it back to the attacker.
 Copy and manipulate data.
 Delete and damage important data.
 It can read passwords.
 Record keyboard strokes.
 Open an undetectable backdoor.

Techniques to Install Trojans :

To install a trojan virus, the following are the primary methods that an attacker might use to install a
trojan virus on computer systems, mobile devices, and network endpoint devices.

1. Social Engineering: Social engineering is the psychological manipulation to deceive someone to

reveal security flaws or give away sensitive information. An attacker first gathers necessary
background information about the victim by using the tools like Maltego and then analyses it to
know about the potential points of entry and security flaws.
An attacker can hide trojans behind deceptive software, email, and advertisements that seem
legitimate. They mislead or fool the user and convince them to install or open it.
2. Spear Phishing: Spear phishing is a “social engineering” cyberattack. In this technique, an attacker
spoofs a person by sending them a fake email that contains a malicious attachment and tricks their
target into revealing their login credentials or installing malware. This kind of attack is target specific,
either for a single person or for a small group of people.
Spear phishing is one of the main causes of trojan malware infections. Attackers research their target
to craft their email according to the interest of the user. This is how we can install trojans through
spear phishing.
3. Phishing URLs: All phishing attacks commonly begin with an email. In Phishing URLs an attacker
creates convincing websites that look just like the real ones but it has malicious codes written in
them. The link to the site is embedded within a phishing email, and the attacker uses its social
engineering skills to convince the user to visit the malicious site. Other than the emails these
malicious website links can also be present in the article, video description, or application
description.
The user starts browsing the website unaware of a trojan malware getting installed sile ntly in their
computer system or mobile device. These malicious websites can also generate a fake login page to
get access to their username and password.
4. Pirated Software: The software for which you did not pay for the service that it provides that’s
normally not free is considered pirated software. An attacker with malicious intent can crack such
software for you and hide malware and trojans behind it. A trojan can hide its malicious nature by
pretending to be legitimate software, such as anti-virus software, or a false software update. If we
try to install and run such software our device will get infected with a Trojan.
Once it gets installed, it hides in a folder that is not easy to detect and it starts altering the security
setting of the computer like disabling the installed antivirus to create a backdoor.
5. Malicious Advertisement: Malicious Advertising OR Malvertising is an attack in which attackers
inject malicious code into legitimate online advertising networks that typically redirect users to
malicious websites. Even on legitimate websites, a malicious ad can be found, which is why it is an
effective method among attackers to install trojans. When the user clicks on it, it either redirects
users to malicious websites or starts installing the malware silently
Malicious advertisement on a website is hard to detect. That’s why a user must have antivirus
software to prevent malicious ads from installing trojans into the system by detecting and blocking
background installation and running of malicious codes.
6. Using Exploit Kits: An exploit kit is a type of toolkit used to find and attack vulnerabilities in
systems so they can spread malware or perform other malicious activities. An exploit kit searches for
targeted application vulnerabilities that make it easier for a cybercriminal to plan and launch an
attack accordingly. Outdated software and unpatched security systems can easily be exploited by
exploit kits to inject Trojans and malware through the vulnerabilities. Trojans can also be installed
using outdated add-ons and plugins.
 14. Network DOS attack and proof of bandwidth utilization and preventive steps.

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it
inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or
sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users
(i.e. employees, members, or account holders) of the service or resource they expected.

Victims of DoS attacks often target web servers of high-profile organizations such as banking,
commerce, and media companies, or government and trade organizations. Though DoS attacks do not
typically result in the theft or loss of significant information or other assets, they can cost the victim a
great deal of time and money to handle.

There are two general methods of DoS attacks: flooding services or crashing services. Flood attacks
occur when the system receives too much traffic for the server to buffer, causing them to slow down
and eventually stop. Popular flood attacks include:

 Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic to a
network address than the programmers have built the system to handle. It includes the attacks
listed below, in addition to others that are designed to exploit bugs specific to certain
applications or networks
 ICMP flood – leverages misconfigured network devices by sending spoofed packets that ping
every computer on the targeted network, instead of just one specific machine. The network is
then triggered to amplify the traffic. This attack is also known as the smurf attack or ping of
death.
 SYN flood – sends a request to connect to a server, but never completes the handshake.
Continues until all open ports are saturated with requests and none are available for legitimate
users to connect to.

Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these
attacks, input is sent that takes advantage of bugs in the target that subsequently crash or severely
destabilize the system, so that it can’t be accessed or used.

DDoS attack is taking place:

 Reports from existing mitigation devices (e.g., load balancers, cloud-based services)
 Customers report slow or unavailable service
 Employees utilizing the same connection also experience issues with speed
 Multiple connection requests come in from a specific IP address over a short amount of time
 You receive a 503 service unavailable error when no maintenance is being performed
 Ping requests to technology resources time out due to Time to Live (TTL) timeouts
 Logs show an abnormally huge spike in traffic

Acting on a Threat: 5 Steps for DDoS Attack Response

1. Detection
Early detection is critical for defending against a DDoS attack. Look for warning signs, provided above,
that you may be a target. DDoS detection may involve investigating the content of packets to detect
Layer 7 and protocol-based attacks or utilizing rate-based measures to detect volumetric attacks. Rate-
based detection is usually discussed first when it comes to DDoS attacks, but most effective DDoS
attacks are not blocked using rate-based detection.
2. Filtering
A transparent filtering process helps to drop the unwanted traffic. This is done by installing effective
rules on network devices to eliminate the DDoS traffic.
3. Diversion and redirection:
This step involves diverting traffic so that it doesn’t affect your critical resources. You can redirect DDoS
traffic by sending it into a scrubbing center or other resource that acts as a sinkhole. It is typically
recommended that you transparently communicate what is taking place so that employees and
customers don’t need to change their behavior to accommodate slowness.
4. Forwarding and analysis:
Understanding where the DDoS attack originated is important. This knowledge can help you develop
protocols to proactively protect against future attacks. While it may be tempting to try and kill off the
botnet, it can create logistical problems and may result in legal ramifications. Generally, it is not
recommended.
5. Alternate delivery
It is possible to use alternate resources that can almost instantaneously offer new content or open up
new networking connections in the event of an attack.

Prevent Network Attacks

There are many different ways to defend against network-related threats. Here are five of the most
effective methods.
1. Install antivirus software.

One of the first lines of defense against malware and other viruses is to install antivirus software on all
devices connected to a network (Roach & Watts, 2021). Antivirus software can detect and prevent
malicious files from being installed on a system, and it should be updated regularly to include the latest
definitions.
2. Create strong passwords.

Another essential step in protecting a network is to create strong passwords. Passwords should be at
least eight characters long and include a mix of letters, numbers, and symbols. They should also not be
easy to guess—for instance, the user’s name or the name of the company.
3. Enforce security policies.

A third way to reduce risk of attacks on a network is to enforce security policies. Security policies can
help ensure that all devices on a network are protected against viruses and malware and that users are
using strong passwords. These policies can also restrict access to some network regions and limit user
privileges.
4. Use firewalls.

Firewalls are another essential tool in defending networks against security threats. A firewall can help
prevent unauthorized access to a network by blocking incoming traffic from untrusted sources.
Additionally, firewalls can be configured to allow only certain types of traffic, such as web traffic or
email.
5. Monitor activity.

Finally, it’s important to monitor activity on the network. Tracking logs and other data enables
suspicious activity to be identified quickly, allowing security personnel to take steps to investigate and
mitigate potential threats.