I’m sure you’re probably tired of the bombardment of Info-Sec (Information Technology Security) articles and posts telling you that you need something more to fight lateral movement. Do this, do that, buy this, trial that, use this freeware. It is exhausting if you are an IT Pro trying to do the best thing without impacting your budget or users too much. Ransomware and other exploits target lateral movement as a way to get to the privileged accounts on your network. I am not going to list changes that have a big impact on your users like removing local admin rights. You should never allow users to have local admin rights in any production environment and, if you are allowing it, you’re going to spend a lot of time implementing the removal of those rights. Passwords should be long and complex and if you aren’t protecting your log in accounts with lock out policies then you have bigger problems than Ransomware. Patching shouldn’t be talked about because patching isn’t negotiable any more. Do it and don’t ask questions. You shouldn’t be more than 30 days (14 days is better) behind in patching and you should be patching ALL of your third party software in that time frame as well. Instead, I will be talking about things that IT Pros can do that cost very little or nothing at all and have little impact on your users. Most of this will consist of minor configuration changes in Microsoft software including Windows and Office as well as other infrastructure changes related to networking that can yield decent protection rewards. So let’s get to it.
- Enforce Windows Firewall via GPO: This one seems like a no brainer but you would be surprised how many organizations think that all they need is a perimeter firewall. These days you should assume that the bad guys are already inside your network. The perimeter is gone. If you can reach the internet, the internet is inside your network. Gather(and minimize!) the ports you need to allow on your PCs, put them in your inbound policy and shut down everything else. Enforce it via GPO and don’t look back. This is the first line of defense against lateral movement. User Impact=Low Security Value=HIGH
- Using LAPS to randomize local admins: I am shocked that Microsoft hasn’t made the requirement for this to be only available in the Enterprise licensing world. Use this asap to shutdown lateral movement on your network. Setting it up has zero impact on your users and it is free. Where this can impact your network is with your desktop support staff that needs to use local admin accounts to support your users. It can be an adjustment, but well worth it. This can shutdown lateral movement as compromising one local admin account does not mean ALL your computers are compromised. User Impact=None Security Value=HIGH
- Limiting your users only to be able to log in to computer they need to use: This one is really easy to implement for new users but can be difficult for several hundred existing users. Simply open the Active Directory user account and click Account tab, then Log On To button. Add the computer(s) that user can log on to locally(Powershell = Set-User -LogonWorkstations <string>). The users can then access network resources from the authorized computer(s) they are allowed to log on to. This may not shutdown lateral movement as a compromised account could still access resources on the network but this would prevent a compromised account from using RDP or other remote console sessions across your network. User Impact=Medium to Low Security Value=HIGH
Those are 3 fairly simple and low impact things that can implemented to be to really tighten up lateral movement in your network. Hope this helps you!