It is likely that you are still running legacy applications, and hackers can take advantage of them as vulnerable targets. Here are some tips to help you strengthen legacy applications against these threats.
A standard corporate network has at least one, and often more than administrators want to admit: a legacy server or workstation running old management software that you simply cannot do without. With any luck, it is installed on a virtual machine that you can move at any time. If not, it is running on old hardware that you hope will keep working.
As Aaron Margosis of Microsoft notes on his blog, the ideal would be to replace old applications with new, compatible and secure versions; in practice, companies keep using existing systems for as long as possible. At a recent security summit organized by Microsoft, Jessica Payne addressed the issue of protecting these legacy systems on a Windows network. Here are some of the tips offered by these two experts:
Check login credentials
Check whether you are logging into this system with domain administrator credentials. Legacy systems often retain credential hashes, and these can be easily retrieved using widely available tools such as mimikatz. Make sure that you never connect to these systems with privileged credentials.
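One way to audit this, as an added example that is not from the article: read the Security event log on the legacy host and list every successful logon (event 4624) by a member of a privileged group. It assumes the script runs elevated on the legacy host, that the RSAT ActiveDirectory module is installed, that logon auditing is enabled, and that "Domain Admins" is the group you care about; all of these are assumptions.

```powershell
# Added example, not from the article. Lists logons on this host by members of a
# privileged AD group, so you can see whether admins are still signing in here.
# Assumptions: elevated session, RSAT ActiveDirectory module, 4624 auditing on.
param(
    [string]$PrivilegedGroup = 'Domain Admins',   # assumed group to watch
    [int]$Days = 7
)
Import-Module ActiveDirectory

# Set of privileged SAM account names, including nested group members.
$privileged = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
    $user = $data['TargetUserName'].ToLowerInvariant()
    if ($privileged -contains $user) {
        # Interactive (2), service/batch (4, 5) and RemoteInteractive (10) logons
        # leave reusable credential material on the host; network (3) logons
        # normally do not, but are still worth seeing.
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $data['TargetDomainName'] + '\' + $data['TargetUserName']
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
            Process   = $data['ProcessName']
        }
    }
}
$hits | Sort-Object Time -Descending | Format-Table -AutoSize
```

Any row with logon type 2, 4, 5 or 10 means a privileged credential was exposed on that host; the fix is to administer it with a dedicated, low-privilege account instead.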
Check network connections
Check how legacy systems connect to your Windows network and which ports and protocols the legacy application needs. Use tools such as Wireshark and Process Monitor to determine the TCP ports and protocols the existing system actually uses. Then use the Windows firewall to limit access to the old system to those ports only. Lock down the network perimeter of legacy systems so that they cannot be used as a foothold by hackers trying to break into your network.
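As an added example (not from the article), the following script confirms which TCP ports the legacy host is actually listening on, then restricts inbound traffic to the ports the analysis showed are needed, from the hosts that need them. It uses netstat and netsh advfirewall rather than the NetSecurity cmdlets because those work on older Windows versions too. The port numbers, subnet and jump-host address are assumptions standing in for the result of your own Wireshark / Process Monitor analysis.

```powershell
# Added example, not from the article. Step 1: inventory listening TCP ports and
# the owning process, to cross-check the Wireshark / Process Monitor findings.
$listeners = netstat -ano | Select-String 'LISTENING' | ForEach-Object {
    $f    = ($_ -split '\s+') | Where-Object { $_ }      # drop leading blank field
    $port = [int](($f[1] -split ':')[-1])                 # works for IPv4 and [::]
    $proc = (Get-Process -Id $f[4] -ErrorAction SilentlyContinue).ProcessName
    [pscustomobject]@{ LocalAddress = $f[1]; Port = $port; PID = $f[4]; Process = $proc }
} | Sort-Object Port -Unique
$listeners | Format-Table -AutoSize

# Step 2: assumed outcome of the analysis. The legacy app needs TCP 8443 from the
# application servers in 10.20.30.0/24, and RDP only from a single jump host.
$allowed = @(
    @{ Name = 'Legacy app clients'; Port = 8443; Remote = '10.20.30.0/24' },
    @{ Name = 'RDP from jump host'; Port = 3389; Remote = '10.20.40.5' }
)
foreach ($r in $allowed) {
    netsh advfirewall firewall add rule name="Legacy: $($r.Name)" dir=in action=allow `
        protocol=TCP localport=$($r.Port) remoteip=$($r.Remote) profile=domain,private | Out-Null
}

# Step 3: everything not explicitly allowed is dropped, on every profile.
netsh advfirewall set allprofiles state on | Out-Null
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null

# Step 4: verify the effective inbound rule set.
netsh advfirewall firewall show rule name=all dir=in | Select-String 'Rule Name|LocalPort|RemoteIP|Enabled'
```

Compare the listener list against the allow rules before setting the default policy to block: any listening port that is not in the allow list either needs a rule or, better, should have its service disabled.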
Identify keys and folders in the application registry
To better protect applications, especially those that demand administrator rights, use LUA Buglight to identify the registry keys and folders an application must be able to open in order to run without administrator rights. LUA Buglight is an effective tool for determining which adjustments an operating system needs so that legacy applications can run on modern systems.
Put in place the appropriate authorizations
As Aaron Margosis points out, to run applications without administrator rights you can have the installer "fixed via transforms or post-install scripts" (for "run-once" problems, where the application needs administrator rights only on first launch). Another option is to add directory junctions or symbolic links, or to let file and registry (UAC) virtualization take care of the writes. Keep in mind that applications rebuilt with newer versions of Visual Studio get an embedded manifest declaring UAC compatibility, which disables virtualization even where it would otherwise have worked. To write to .ini files in protected directories, use an IniFileMapping redirect. And for HKCR writes, create the equivalent keys beforehand under HKCU\Software\Classes.
The last option, for which you can use LUA Buglight, is to "surgically change permissions on files, directories, registry keys or any other object". Unlike the other options, this one introduces a risk of unauthorized privilege elevation and therefore requires the greatest caution.
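The following added example (not from the article, and not Aaron Margosis's code) applies three of the adjustments just described to a hypothetical legacy application "Contoso Ledger" installed under C:\Program Files\Contoso\Ledger: an IniFileMapping redirect for its .ini file, pre-created HKCU\Software\Classes keys for its HKCR writes, and a surgical ACL change limited to one data folder. The application name, paths, INI section and ProgID are all assumptions.

```powershell
# Added example, not from the article. Run elevated once, as the administrator
# preparing the machine; afterwards the app is used by standard users.

# 1. IniFileMapping: redirect reads/writes of ledger.ini into HKCU. The value name
#    is the INI section; "USR:" means the path is relative to HKEY_CURRENT_USER.
#    Only takes effect for apps that use the profile APIs (GetPrivateProfileString etc.).
$map = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\ledger.ini'
New-Item -Path $map -Force | Out-Null
New-ItemProperty -Path $map -Name 'Settings' -PropertyType String -Force `
    -Value 'USR:Software\Contoso\Ledger\Settings' | Out-Null

# 2. HKCR writes: pre-create the per-user equivalent under HKCU\Software\Classes so
#    the write lands in the user's hive instead of failing on the machine hive.
$cls = 'HKCU:\Software\Classes\Contoso.LedgerDocument'
New-Item -Path "$cls\shell\open\command" -Force | Out-Null
Set-ItemProperty -Path $cls -Name '(default)' -Value 'Contoso Ledger Document'
Set-ItemProperty -Path "$cls\shell\open\command" -Name '(default)' `
    -Value '"C:\Program Files\Contoso\Ledger\ledger.exe" "%1"'

# 3. Surgical permission change, the risky option: grant Users Modify on ONE data
#    folder only. Never loosen the directory holding the executables, or a standard
#    user could replace the binary that an administrator later runs.
$dataDir = 'C:\Program Files\Contoso\Ledger\Data'
New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
$acl  = Get-Acl -Path $dataDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dataDir -AclObject $acl

# Verification: the program directory itself must carry no write-type Allow entry
# for Users. An empty result here is the expected outcome.
(Get-Acl -Path 'C:\Program Files\Contoso\Ledger').Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference -like '*\Users' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' }
```

The verification block is the check that keeps the "surgical" option from becoming an elevation path: the only loosened object is the data folder, and nothing a privileged account executes is writable by standard users.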
Examine your network like a hacker would
It is important to assess your network from a hacker's point of view, especially if an old server is part of your infrastructure. The BloodHound tool searches Active Directory for unusual relationships that can be used against you. BloodHound is built for several platforms, including Linux, macOS and Windows. As indicated on this blog, you need to install the Neo4j database to use BloodHound. The easiest way to get started is the Neo4j Desktop version, which installs the required Java environment. Once Neo4j is installed, launch it to set the database password. The database will contain essential information about your network, so it is essential to choose a strong password.
Then download and install the BloodHound software. When extracting it, choose a root folder with a path short enough to avoid problems with long file paths under the default settings. You will also need your Neo4j password again later. Finally, and this is certainly the most difficult step of the procedure, download the SharpHound3 tool, which performs the analysis of your network. It may need to be downloaded to a Windows 7 computer, because the advanced threat protection in Windows 10 blocks the installation and does not allow me to run it over the network. Antivirus software can behave the same way. You may need to "run as administrator" or "unblock" the file, since it is marked with web attributes, and it will not collect data until these settings are in place.
Once you have launched SharpHound, it prepares a zip file containing an analysis of your network. Launch BloodHound, which will tell you that the database is empty. Click the upload button on the right and select your SharpHound zip file. In the queries section, you can review the ones most commonly used by hackers. Common queries include "Find Shortest Paths to Domain Admins", "Find Principals with DCSync Rights", "Map Domain Trusts", "Shortest Paths from Kerberoastable Users", etc.
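As an added example (not from the article or the BloodHound project), this script prepares the analysis workstation for the steps above: it extracts the archives to a short root path, shows and removes the Zone.Identifier stream (the "web attributes" that block the files), and confirms that Neo4j is listening before BloodHound is launched. The archive file names and the C:\BH root are assumptions; the Neo4j ports 7474 (HTTP) and 7687 (Bolt) are its defaults.

```powershell
# Added example, not from the article. Prepares the host for the BloodHound steps.
$root = 'C:\BH'                                   # short path: avoids long-path problems
$zips = @(                                         # assumed download names
    'C:\Users\analyst\Downloads\BloodHound-win32-x64.zip',
    'C:\Users\analyst\Downloads\SharpHound.zip'
)

New-Item -ItemType Directory -Path $root -Force | Out-Null
foreach ($z in $zips) {
    # Browser downloads carry an NTFS Zone.Identifier stream (mark of the web).
    # Show it for the record, then remove it so the archive is not blocked.
    if (Get-Item -Path $z -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        "$z is marked:"
        Get-Content -Path $z -Stream Zone.Identifier
        Unblock-File -Path $z
    }
    Expand-Archive -Path $z -DestinationPath $root -Force
}
# Files inside the archive can inherit the mark on extraction; clear those too.
Get-ChildItem -Path $root -Recurse -File | Unblock-File

# Neo4j must be running (and its password set) before BloodHound can connect.
foreach ($port in 7474, 7687) {
    $ok = (Test-NetConnection -ComputerName localhost -Port $port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    "Neo4j port {0} reachable: {1}" -f $port, $ok
}
```

If the mark of the web is present, your endpoint protection may also quarantine the extracted binaries; check its log before assuming SharpHound simply failed to collect.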
Additional resources exist for further analysis of your network, such as the Commando virtual machine from FireEye, which is preconfigured for penetration testing. Downloading it from GitHub gives you native support for Windows and Active Directory inside a virtual machine, which makes it much safer to use for analyzing your network. Since the Windows Subsystem for Linux was improved in Windows 10 version 2004, you can even run Linux directly in Windows. You can also use Docker, which packages software in operating-system-level containers, to test platforms as well.
Take the time to observe your attackers. Determine the flaws that hackers can easily exploit on these old systems. We know, for example, that RDP authentication must be disabled on old systems so that attackers cannot use it to gain privileges.
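As an added example (not from the article), here is one way to act on that last point on a legacy Windows host: disable Remote Desktop entirely where it is no longer needed, or, where the application must still be administered over RDP, require Network Level Authentication, force the TLS security layer and limit the port to a single jump host. The jump-host address is an assumption; the registry values are the standard Terminal Server settings.

```powershell
# Added example, not from the article. Run elevated on the legacy host.
$ts      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp  = "$ts\WinStations\RDP-Tcp"
$keepRdp = $false        # $true only if the app is administered over RDP
$jumpHost = '10.20.40.5' # assumed address of the only permitted RDP client

if (-not $keepRdp) {
    # No RDP at all: deny connections and disable the built-in firewall rule group.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
} else {
    # NLA: the client must authenticate before a session is created, so an
    # unauthenticated peer never reaches the logon screen or session stack.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord   # 2 = TLS
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes remoteip=$jumpHost | Out-Null
}

# Report the effective state so the change can be verified and recorded.
[pscustomobject]@{
    RdpDenied   = (Get-ItemProperty -Path $ts).fDenyTSConnections
    NlaRequired = (Get-ItemProperty -Path $rdpTcp).UserAuthentication
    Listening   = [bool](netstat -ano | Select-String ':3389\s+\S+\s+LISTENING')
}
```

Even with NLA enabled, an RDP logon to a legacy host is an interactive logon that leaves credentials on the machine, which is why the earlier advice to avoid privileged accounts on these systems still applies.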