threatmodel Windows EN - edamametechnologies/threatmodels GitHub Wiki

Windows Threat Model (EN)

Contents

EDAMAME helper inactive

Threat

Dimension : system services / Severity : 5

EDAMAME's Helper software is not running or requires an update. It's required for maximum Security Score analysis.

Implementation

Tested for Action Elevation Script
Windows 12 Command line user helper_check

Remediation

Tested for Action Elevation Script
Windows 12 Command line user https://github.com/edamametechnologies/edamame_helper/releases/download

Rollback

https://www.youtube.com/watch?v=xORy1bFBKCI

Cached logon credentials enabled

Threat

Dimension : credentials / Severity : 4

Tags : ISO 27001/2,Access Control, PCI-DSS,Requirement-8.2.3, SOC 2,CC-Logical Access Controls

Cached logon credentials are a security risk as they can be used by attackers to gain access to your system. They are stored on your system and can be retrieved by attackers who gain access to your computer or network. We recommend disabling cached logon credentials to increase the security of your system.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user if(((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' -Name 'DisablePasswordCaching' -ErrorAction SilentlyContinue).DisablePasswordCaching) -ne 1) { 'Password caching is not disabled' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 10 Command line system reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI /v DisablePasswordCaching /t REG_DWORD /d 1 /f

Rollback

Tested for Action Elevation Script
Windows 10 Command line system reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI /v DisablePasswordCaching /t REG_DWORD /d 0 /f

No antivirus enabled

Threat

Dimension : applications / Severity : 5

Tags : CIS Benchmark Level 1,Security Configuration Benchmarks, ISO 27001/2,Malware Protection, PCI-DSS,Requirement-5, SOC 2,CC-Malware Protection

You don't have any antivirus installed (Windows Defender, Sentinel One...). We recommend you to enable one.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user Function Get-AVStatus { [cmdletbinding()] Param() Process { $AV = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntivirusProduct'; $enabledAVs = $AV | Where-Object { $productState = '0x{0:x}' -f $_.ProductState; $enabled = $productState.Substring(3, 2) -match '10|11'; return $enabled }; if (-not $enabledAVs) { Write-Output 'no epp' } } }; Get-AVStatus

Remediation

https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963

Rollback

https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963

Disk encryption disabled

Threat

Dimension : system services / Severity : 4

Tags : CIS Benchmark Level 1,windows_security/bitlocker_enforce, ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-3.4, SOC 2,CC-Data Protection

Your main storage is not encrypted. While there is a little performance impact by enabling it, we really urge you to set it up. Without that anyone physically accessing your computer can access your data.

Implementation

Tested for Action Elevation Script
Windows 10 Command line admin manage-bde -status | findstr 'Protection Off'

Remediation

https://www.youtube.com/watch?v=PtMyu9xrJ_E

Rollback

https://www.youtube.com/watch?v=lY0Iz0NpAoU

User Account Control disabled

Threat

Dimension : system integrity / Severity : 5

Tags : CIS Benchmark Level 2,Section: 1.1.1, ISO 27001/2,Control: A.9.4.4, PCI-DSS,Requirement-7.1, SOC 2,CC-User Access

User Account Control (UAC) is a security feature in Windows that helps prevent unauthorized changes to your computer. If UAC is disabled, it's easier for malware to make changes to your system without your knowledge. You should enable UAC to protect your system from such attacks.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user if((Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue).EnableLUA -eq 0) { 'UAC disabled' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 10 Command line system Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 1 -Type DWord

Rollback

Tested for Action Elevation Script
Windows 10 Command line system Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 0 -Type DWord

Automatic logon enabled

Threat

Dimension : credentials / Severity : 4

Tags : CIS Benchmark Level 2,Section: 2.3.1.1, ISO 27001/2,Control: A.9.3.1, PCI-DSS,Requirement-8.1.5, SOC 2,CC-User Authentication

Automatic logon allows the system to automatically log on a user after booting up. This can be a security risk if the system is not physically secured as anyone can access the system without providing any credentials. It is recommended to disable automatic logon.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user if((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).AutoAdminLogon -eq '1') { 'Automatic logon enabled' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 10 Command line system Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoAdminLogon -Value 0

Rollback

Tested for Action Elevation Script
Windows 10 Command line system Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoAdminLogon -Value 1

Potentially compromised email address

Threat

Dimension : credentials / Severity : 1

Tags : ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-12.10, SOC 2,CC-Incident Response, Personal Posture

Your email address might have recently appeared in a data breach. Please set your email in the Identity tab, review the breaches if any and follow instructions.

Implementation

Tested for Action Elevation Script
Windows 12 Command line user pwned -i 365

Remediation

Tested for Action Elevation Script
Windows 12 Command line digitalidentity_manager

Rollback

https://en.wikipedia.org/wiki/Have_I_Been_Pwned

Unverified network environment

Threat

Dimension : network / Severity : 1

Tags : ISO 27001/2,Information Security Incident Management, PCI-DSS,Requirement-12.10, SOC 2,CC-Incident Response, Personal Posture

The network you are connected to is not a known one. If you are allowed to scan this network, go to the network tab and verify the presence of potentially dangerous devices.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user lanscan

Remediation

Tested for Action Elevation Script
Windows 10 Command line network_manager

Rollback

https://en.wikipedia.org/wiki/Port_scanner

Windows Script Host enabled

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1,Section: 9.1.2, ISO 27001/2,Control: A.12.2.1, PCI-DSS,Requirement-2.2.2, SOC 2,CC-Malicious Code Prevention

Windows Script Host is a built-in Windows scripting environment that allows running of VBScript, JScript, and other scripting languages. Disabling it can help mitigate some types of malware attacks.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user if((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1) { 'Windows Script Host enabled' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 10 Command line system reg add HKLM\SOFTWARE\Microsoft'Windows Script Host'\Settings /v Enabled /t REG_DWORD /d 0 /f

Rollback

Tested for Action Elevation Script
Windows 10 Command line system reg add HKLM\SOFTWARE\Microsoft'Windows Script Host'\Settings /v Enabled /t REG_DWORD /d 1 /f

Remote Desktop Protocol (RDP) enabled

Threat

Dimension : network / Severity : 4

Tags : CIS Benchmark Level 1,Section: 8.1.1, ISO 27001/2,Control: A.13.7.1, PCI-DSS,Requirement-2.3, SOC 2,CC-Network Security

RDP allows users to remotely access and control a Windows computer from another location. While this can be convenient, it also presents a significant security risk if left enabled and unprotected. An attacker could potentially gain access to your computer and compromise your sensitive data or even take control of your system.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user if((Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0) { 'Terminal Services connections allowed' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 10 Command line system Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1

Rollback

Tested for Action Elevation Script
Windows 10 Command line system Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0

Windows Update disabled

Threat

Dimension : system integrity / Severity : 5

Tags : CIS Benchmark Level 1,Section: 2.3.1, ISO 27001/2,Control: A.12.6.1, PCI-DSS,Requirement-6.1, SOC 2,CC-System Monitoring

Disabling Windows Update prevents critical security patches and updates from being installed on your system, leaving your system vulnerable to known exploits and threats. It is highly recommended that you enable Windows Update to ensure your system is up to date with the latest security patches.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user $registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; $noAutoUpdate = (Get-ItemProperty -Path $registryPath -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate; $useWUServer = (Get-ItemProperty -Path $registryPath -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer; Write-Output ($(if ($noAutoUpdate -eq 0 -or $useWUServer -eq 1) { '' } else { $messages = @(); if ($noAutoUpdate -ne 0) {$messages += 'NoAutoUpdate is set.'}; if ($useWUServer -ne 1) {$messages += 'Updates are not managed through GPO.'}; $messages -join ' ' }))

Remediation

Tested for Action Elevation Script
Windows 10 Command line system reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f

Rollback

Tested for Action Elevation Script
Windows 10 Command line system reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f

Guest account enabled

Threat

Dimension : credentials / Severity : 4

Tags : CIS Benchmark Level 1,Section: 1.1.2, ISO 27001/2,Control: A.9.2.1, PCI-DSS,Requirement-8.1.6, SOC 2,CC-User Access

The Guest account is a default account in Windows, which allows users to access the system with limited privileges. It's recommended to disable this account to prevent unauthorized access to your system and data.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user $guestAccount = Get-LocalUser | Where-Object {$_.SID -like '*-501'}; if ($guestAccount.Enabled) {'Guest account is active'} else {''}

Remediation

Tested for Action Elevation Script
Windows 10 Command line system $guestAccount = Get-LocalUser | Where-Object {$_.SID -like '*-501'}; if ($guestAccount.Enabled) {Disable-LocalUser -Name $guestAccount.Name}

Rollback

Tested for Action Elevation Script
Windows 10 Command line system $guestAccount = Get-LocalUser | Where-Object {$_.SID -like '*-501'}; if (-not $guestAccount.Enabled) {Enable-LocalUser -Name $guestAccount.Name}

Built-in Administrator account enabled

Threat

Dimension : credentials / Severity : 5

Tags : CIS Benchmark Level 1,Section: 1.1.1, ISO 27001/2,Control: A.9.4.2, PCI-DSS,Requirement-2.3, SOC 2,CC-User Access

The Built-in Administrator account is a powerful account that has full access to the system. Having this account enabled is a security risk as it is a common target for attackers. It should be disabled unless it is absolutely necessary to enable it.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user $adminAccount = Get-LocalUser | Where-Object {$_.SID -like '*-500'}; if ($adminAccount.Enabled) {'Built-in Administrator account enabled'} else {''}

Remediation

Tested for Action Elevation Script
Windows 10 Command line system $adminAccount = Get-LocalUser | Where-Object {$_.SID -like '*-500'}; if ($adminAccount.Enabled) {Disable-LocalUser -Name $adminAccount.Name}

Rollback

Tested for Action Elevation Script
Windows 10 Command line system $adminAccount = Get-LocalUser | Where-Object {$_.SID -like '*-500'}; if (-not $adminAccount.Enabled) {Enable-LocalUser -Name $adminAccount.Name}

Windows Firewall disabled

Threat

Dimension : network / Severity : 5

Tags : CIS Benchmark Level 1,Section: 9.3.1, ISO 27001/2,Control: A.13.1.1, PCI-DSS,Requirement-1.4, SOC 2,CC-Network Security

Windows Firewall is a built-in feature of Windows that helps to protect your computer from unauthorized access. When it's disabled, your computer is vulnerable to attacks from the network. We recommend that you enable it.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user if((Get-NetFirewallProfile -All | Where-Object { $_.Enabled -eq 'False' })) { 'One or more firewall profiles are disabled' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 10 Command line system Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

Rollback

Tested for Action Elevation Script
Windows 10 Command line system Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Remote Registry Service enabled

Threat

Dimension : system services / Severity : 3

Tags : CIS Benchmark Level 1,Section: 2.2.4, ISO 27001/2,Control: A.9.4.1, PCI-DSS,Requirement-2.2, SOC 2,CC-System Configuration and Maintenance

The Remote Registry Service allows remote access to the Windows Registry. This can be a security risk if not properly secured.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user if((Get-Service -Name RemoteRegistry).Status -eq 'Running') { 'RemoteRegistry service is running' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 10 Command line system (sc.exe config RemoteRegistry start= disabled) -and (sc.exe stop RemoteRegistry)

Rollback

Tested for Action Elevation Script
Windows 10 Command line system (sc.exe config RemoteRegistry start= auto) -and (sc.exe start RemoteRegistry)

LM and NTLMv1 protocols enabled

Threat

Dimension : credentials / Severity : 5

Tags : CIS Benchmark Level 1,Section: 2.3.11.9, ISO 27001/2,Control: A.9.2.3, PCI-DSS,Requirement-8.2.1, SOC 2,CC-User Authentication

The LM and NTLMv1 protocols are outdated and insecure authentication protocols. They should be disabled to prevent potential security threats. Leaving these protocols enabled can allow attackers to potentially crack passwords and gain unauthorized access to sensitive information.

Implementation

Tested for Action Elevation Script
Windows 0 Command line user if(((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -ErrorAction SilentlyContinue).LMCompatibilityLevel -lt 5) -or ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -ErrorAction SilentlyContinue).NtlmMinClientSec -lt 537395200) -or ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -ErrorAction SilentlyContinue).NtlmMinServerSec -lt 537395200)) { 'Weak NTLM settings' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 0 Command line system Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -Name 'LMCompatibilityLevel' -Value '5' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinClientSec' -Value '537395200' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinServerSec' -Value '537395200' -Type DWord

Rollback

Tested for Action Elevation Script
Windows 0 Command line system Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -Name 'LmCompatibilityLevel' -Value '1' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinClientSec' -Value '262144' -Type DWord; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0' -Name 'NtlmMinServerSec' -Value '537395200' -Type DWord

Lsass.exe process protection not enabled

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1,Section: 2.2.39, ISO 27001/2,Control: A.12.1.2, PCI-DSS,Requirement-6.2, SOC 2,CC-System Integrity

Lsass.exe is a critical system process that handles user authentication. It contains sensitive information such as passwords and security tokens. If this process is compromised, it could lead to a security breach. Enabling Lsass.exe process protection helps prevent attacks against this process. This content will show you how to enable Lsass.exe process protection.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user if((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL -eq 0) { 'RunAsPPL is a REG_DWORD with value 0' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 10 Command line system reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f

Rollback

Tested for Action Elevation Script
Windows 10 Command line system reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f

PowerShell execution policy not securely configured

Threat

Dimension : system integrity / Severity : 4

Tags : CIS Benchmark Level 1,Section: 1.1.3, ISO 27001/2,Control: A.12.4.2, PCI-DSS,Requirement-2.2.4, SOC 2,CC-System Hardening

PowerShell is a powerful command-line tool that is built into Windows, and is often used by attackers to carry out malicious activities. The execution policy determines which scripts are allowed to run on a Windows system. If the execution policy is set to Unrestricted, it could allow an attacker to run malicious scripts on your system.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user $currentUserPolicy= Get-ExecutionPolicy -Scope CurrentUser; if($currentUserPolicy -eq 'Unrestricted') { 'Execution Policy is unrestricted' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 10 Command line system Set-ExecutionPolicy -ExecutionPolicy Default -Scope CurrentUser -Force

Rollback

Tested for Action Elevation Script
Windows 10 Command line system Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force

Chrome browser not up to date

Threat

Dimension : applications / Severity : 3

Tags : ISO 27001/2,Application Security, PCI-DSS,Requirement-6, SOC 2,CC-System Operations

Your Google Chrome browser is not up to date. Running the latest version ensures you have the latest security features and performance improvements.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user $path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome'; if (Test-Path $path) { $local_version = (Get-ItemProperty -Path $path).DisplayVersion; $web_content = Invoke-WebRequest -UseBasicParsing 'https://chromiumdash.appspot.com/fetch_releases?channel=Stable&platform=Windows&num=1'; $latest_version = ($web_content.Content | ConvertFrom-Json)[0].version; if ([version]$latest_version -le [version]$local_version) { Write-Output '' } else { Write-Output "Chrome is not up to date (Installed: $local_version, Latest: $latest_version)"; } } else { Write-Output '' }

Remediation

https://support.google.com/chrome/answer/95414?hl=en

Rollback

https://support.google.com/chrome/a/answer/6350036?hl=en

SMBv1 Protocol Enabled

Threat

Dimension : network / Severity : 5

Tags : CIS Benchmark Level 1,windows_security/smb1_protocol_disabled

The SMBv1 protocol is enabled on your system. This protocol is outdated and has known vulnerabilities that can allow attackers to take over your system. It should be disabled to improve your system's security.

Implementation

Tested for Action Elevation Script
Windows 10 Command line user if((Get-SmbServerConfiguration).EnableSMB1Protocol -eq $true) { 'SMBv1 enabled' } else { '' }

Remediation

Tested for Action Elevation Script
Windows 10 Command line system Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -norestart

Rollback

Tested for Action Elevation Script
Windows 10 Command line system Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -norestart