We get asked a lot of questions about what needs to be in place on the Windows desktop to pass an internal penetration test. This is a hard question to answer because there is no real gold standard for it, but from the thousands of internal penetration tests we have been part of, the list below is where we think the bar currently sits for a standard Windows penetration test.
We thought the best way to show this would be to work through some examples, so that we can demonstrate how valuable Microsoft’s suite of free security tools is and how you can use it to make sure your organisation passes a penetration test.
So, let us remind ourselves what the basics of cyber security look like from the desktop end, and then what an organisation needs to demonstrate to pass an “Internal Penetration Test”.
The Windows Firewall has been around for the best part of two decades, and now that Microsoft has had the time to perfect it, they seem to have struck the right balance: the operating system lets the user do what they need to do, while not granting the user rights they do not need (so they do not get into trouble). Windows Firewall is now well respected in the cyber testing community, and you need a firewall enabled on every Windows machine to pass an internal penetration test.
Always-on anti-virus that stops bad software from executing on your machines, and is constantly updated, will always be required to pass a penetration test. Windows Defender seems to pass all the major checks and comes out on top in most tests I have seen. This should be no surprise: Microsoft has had the time and more than enough real-world data to master it. Do remember, though, that with anti-malware (as with all desktop security checks) you need to be able to centrally reconcile the results against some kind of “golden source” list of devices; the easiest way to achieve this is to reconcile against every machine that has logged on to Active Directory (either on-prem or Azure AD). Robo Shadow does this for free as its primary function, and so does Microsoft ATP, which is a paid-for addition.
Proxy filtering is usually available in our corporate buildings, but not usually from our home router devices. SmartScreen is a rarely discussed little gem from Microsoft: it whirs away in the background and filters URLs daily, stopping command-and-control style executions by checking against a central database held and updated by Microsoft. You need to demonstrate external proxy filtering to pass a penetration test, and we believe SmartScreen is more than enough to tick this box.
Device encryption with BitLocker is a wonder tool: any laptop or desktop that sits outside the physical security of a corporate office or data centre should have its disks encrypted in case it is stolen, so that nobody can exfiltrate the data from the disks (and sometimes hold you to ransom). You will need to demonstrate disk encryption capability to pass an internal penetration test.
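As an added example (this is not code from the original post, from Robo Shadow or from Microsoft), the PowerShell below checks the four controls described above on the local machine and writes a per-device CSV that can be reconciled centrally against your directory’s device list. It checks that the firewall is enabled on all three profiles with inbound traffic blocked by default, that Defender is running with fresh signatures, that SmartScreen has not been switched off (locally or by policy), and that BitLocker is fully on for the OS volume. It uses only built-in cmdlets and the standard registry locations; the 3-day signature-age threshold and the output path are assumptions, and `Get-BitLockerVolume` requires an elevated session.

```powershell
# Added posture check (not Robo Shadow's or Microsoft's code). Run elevated.

function Test-FirewallPosture {
    # A profile only counts as protected if it is on AND blocks inbound by default
    # (NotConfigured falls back to Block, so only an explicit Allow fails).
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Control = "Firewall ($($_.Name))"
            Pass    = ("$($_.Enabled)" -eq 'True') -and ("$($_.DefaultInboundAction)" -ne 'Allow')
            Detail  = "Enabled=$($_.Enabled) Inbound=$($_.DefaultInboundAction)"
        }
    }
}

function Test-DefenderPosture {
    param([int]$MaxSignatureAgeDays = 3)   # assumed threshold; align with your own policy
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Control = 'Anti-malware (Defender)'
        Pass    = $s.AntivirusEnabled -and $s.RealTimeProtectionEnabled -and
                  ($s.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        Detail  = "RealTime=$($s.RealTimeProtectionEnabled) SigAgeDays=$($s.AntivirusSignatureAge) " +
                  "LastSig=$($s.AntivirusSignatureLastUpdated)"
    }
}

function Test-SmartScreenPosture {
    # Explorer's own setting (Warn/Block/Off; absent = default on) and the machine policy
    # that overrides it when present (EnableSmartScreen 1/0 plus ShellSmartScreenLevel).
    $ex  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $local = if ($ex.SmartScreenEnabled) { $ex.SmartScreenEnabled } else { 'Default' }
    $effective = if ($null -ne $pol.EnableSmartScreen) {
        if ($pol.EnableSmartScreen -eq 1) { "Policy:$($pol.ShellSmartScreenLevel)" } else { 'Policy:Off' }
    } else { "Local:$local" }
    # Reported for context: Defender Network Protection (0=off, 1=block, 2=audit) is the
    # companion feature that blocks known-bad domains for all processes, not just the browser.
    $np = (Get-MpPreference).EnableNetworkProtection
    [pscustomobject]@{
        Control = 'SmartScreen / URL filtering'
        Pass    = $effective -notmatch 'Off'
        Detail  = "SmartScreen=$effective NetworkProtection=$np"
    }
}

function Test-BitLockerPosture {
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    [pscustomobject]@{
        Control = 'Disk encryption (BitLocker OS volume)'
        Pass    = ("$($os.ProtectionStatus)" -eq 'On') -and ("$($os.VolumeStatus)" -eq 'FullyEncrypted')
        Detail  = "Protection=$($os.ProtectionStatus) Status=$($os.VolumeStatus) " +
                  "Protectors=$(($os.KeyProtector.KeyProtectorType) -join ',')"
    }
}

function Get-DesktopPosture {
    @(Test-FirewallPosture) + @(Test-DefenderPosture) + @(Test-SmartScreenPosture) + @(Test-BitLockerPosture) |
        Add-Member -NotePropertyName Device -NotePropertyValue $env:COMPUTERNAME -PassThru
}

$results = Get-DesktopPosture
$results | Format-Table Device, Control, Pass, Detail -AutoSize
# One CSV per device so results can be reconciled against the AD / Azure AD device list.
$results | Export-Csv -NoTypeInformation -Path "$env:TEMP\$env:COMPUTERNAME-posture.csv"   # assumed path
```

Any row with `Pass` equal to `False` is the item a tester would write up; the `Detail` column tells you which setting to fix, and collecting the CSVs from every machine that has logged on to the directory gives you the reconciliation the post describes.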
There are some outliers (fringe cases, if you will) that probably need to be discussed in terms of anti-virus technology and what you will need to pass an internal penetration test. In the spirit of fairness they deserve a mention, if only for completeness.
To pass an internal penetration test, every installed application needs to be run against the global vulnerability databases so that you know which applications carry which vulnerabilities, and therefore how the bad guys will attack you.
This is a fundamental part of cyber security. The CVE is the globally recognised standard for this, and within the Microsoft security space it is only available in the enhanced, paid-for versions. It is, however, completely free within the Robo Shadow toolset; please check out the Robo Shadow Windows Agent for more information. The CVE is used by Azure, Amazon, Rapid7, Nessus, Nmap and just about every good cyber tool on the planet.
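Whatever tool does the CVE matching, it needs an accurate vendor/product/version inventory from each device to match against. As an added example (not the Robo Shadow agent’s code, nor anything from the original post), the script below builds that inventory from the three registry locations where Windows installers register themselves, adds the OS build and installed hotfixes (most desktop CVEs are against Windows itself), and writes it to a per-device CSV. Normalising these names into CPE identifiers and looking them up against NVD is the matching step and is not shown here; the output path is an assumption.

```powershell
# Added inventory collector (not Robo Shadow's or Microsoft's code).

# 64-bit apps, 32-bit apps on 64-bit Windows, and per-user installs respectively.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        # Skip entries with no name and the hidden "system component" sub-installers.
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object @{n='Vendor';  e={ $_.Publisher }},
                      @{n='Product'; e={ $_.DisplayName }},
                      @{n='Version'; e={ $_.DisplayVersion }},
                      @{n='Device';  e={ $env:COMPUTERNAME }} |
        Sort-Object Product, Version -Unique
}

function Get-OsRecord {
    # The OS build is the single most important line in the inventory.
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{ Vendor='Microsoft'; Product=$os.Caption; Version=$os.Version; Device=$env:COMPUTERNAME }
}

function Get-HotfixRecords {
    # Installed KBs let the matcher rule out CVEs already patched on this build.
    Get-HotFix | ForEach-Object {
        [pscustomobject]@{ Vendor='Microsoft'; Product=$_.HotFixID; Version=$_.InstalledOn; Device=$env:COMPUTERNAME }
    }
}

$inventory = @(Get-OsRecord) + @(Get-InstalledSoftware) + @(Get-HotfixRecords)
$inventory | Export-Csv -NoTypeInformation -Path "$env:TEMP\$env:COMPUTERNAME-inventory.csv"   # assumed path
"$($inventory.Count) records written for $env:COMPUTERNAME"
```

Run it in the user’s context as well as elevated if you want per-user installs (the `HKCU` key) captured, and keep the CSVs from every device that appears in the directory so that a machine with no inventory stands out as a gap rather than silently passing.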
This has not yet made its way into mainstream penetration testing, but it is a big sell for brands like Sophos (Intercept X). We have tested Windows anti-ransomware protection and we must say that, now that Microsoft appears to have nailed the “false positive” nightmares of old (which we think were what held them back from turning it on by default), it is a really cool tool and definitely worth switching on and rolling out across the whole desktop and laptop estate.
The only other element that really comes up in “internal penetration tests” is the management of local authentication. This covers everything from the use of Microsoft LAPS (local administrator password technology) to local account management and password complexity on the machine itself, all of which are looked at under a microscope during an internal pen test. We are launching tech in Robo Shadow to collate all this data, but we strongly recommend you use LAPS to manage all local administration.
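Two added examples follow, neither taken from the original post, Robo Shadow or Microsoft. The first covers the ransomware protection passage: in Windows Security the “Ransomware protection” switch is Defender’s Controlled Folder Access, and the false-positive concern is handled by rolling it out in audit mode, reviewing the audit events, allow-listing the line-of-business apps that would have been blocked, and only then switching to block. The second covers the local authentication passage: it reports who sits in the local Administrators group, whether Windows LAPS or legacy LAPS policy is applied, and the local password policy. The folder and application paths and the 90-day stale-password threshold are placeholders; Defender preference changes and `secedit` need an elevated session.

```powershell
# Added examples (not Robo Shadow's or Microsoft's code). Run elevated.

# ---- Controlled Folder Access (Windows Security "Ransomware protection") ----
function Get-CfaState {
    $p = Get-MpPreference
    $mode = switch ([int]$p.EnableControlledFolderAccess) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { "Other($_)" }
    }
    [pscustomobject]@{ Mode = $mode
                       ExtraFolders = $p.ControlledFolderAccessProtectedFolders
                       AllowedApps  = $p.ControlledFolderAccessAllowedApplications }
}
function Enable-CfaAudit {
    # Audit first: nothing is blocked, but every write that WOULD be blocked is logged.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    # Protect where users actually keep data, beyond the default library folders (placeholder path).
    Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\TeamData'
}
function Get-CfaEvents {
    param([int]$Days = 7)
    # 1123 = write blocked, 1124 = write audited; 1127/1128 are the disk-sector equivalents.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 1123, 1124, 1127, 1128
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }}
}
function Enable-CfaBlock {
    param([string[]]$TrustedApps)   # apps the audit log showed as legitimate writers
    foreach ($app in $TrustedApps) { Add-MpPreference -ControlledFolderAccessAllowedApplications $app }
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# ---- Local authentication: admins, LAPS, password policy ----
function Get-LocalAdminReport {
    param([int]$StaleDays = 90)   # assumed threshold
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $u = if ($_.ObjectClass -eq 'User' -and "$($_.PrincipalSource)" -eq 'Local') {
                 Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } else { $null }
        [pscustomobject]@{
            Member          = $_.Name
            Source          = $_.PrincipalSource      # Local, ActiveDirectory, AzureAD
            Enabled         = if ($u) { $u.Enabled } else { $null }
            PasswordLastSet = if ($u) { $u.PasswordLastSet } else { $null }
            Finding         = if ($u -and $u.Enabled -and $u.PasswordLastSet -lt (Get-Date).AddDays(-$StaleDays)) {
                                  "Enabled local admin, password older than $StaleDays days" } else { '' }
        }
    }
}
function Test-LapsConfigured {
    # Windows LAPS policy: BackupDirectory 1 = Azure AD / Entra ID, 2 = on-prem AD. Legacy LAPS: AdmPwdEnabled = 1.
    $new = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue).BackupDirectory
    $old = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue).AdmPwdEnabled
    [pscustomobject]@{ WindowsLaps = ($new -in 1, 2); LegacyLaps = ($old -eq 1) }
}
function Get-LocalPasswordPolicy {
    # secedit is the only built-in way to read the effective local policy as text.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $text = Get-Content $cfg; Remove-Item $cfg
    $val = { param($k) (($text | Where-Object { $_ -match "^$k\s*=" } | Select-Object -First 1) -replace '^.*=\s*', '') }
    [pscustomobject]@{ MinimumPasswordLength = & $val 'MinimumPasswordLength'
                       PasswordComplexity    = & $val 'PasswordComplexity'
                       LockoutBadCount       = & $val 'LockoutBadCount' }
}

Get-CfaState
Get-LocalAdminReport | Format-Table -AutoSize
Test-LapsConfigured
Get-LocalPasswordPolicy
```

The order of the Controlled Folder Access functions is the rollout: `Enable-CfaAudit`, a week of `Get-CfaEvents` to see which applications generate event 1124, then `Enable-CfaBlock` with those executables (for example `'C:\Program Files\LineOfBusiness\app.exe'`, a placeholder) passed as `-TrustedApps`. For the local admin report, the expected picture with LAPS in place is one enabled local administrator whose password rotates on the LAPS schedule, plus domain groups; anything else in the `Finding` column is what a tester will raise.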
Ultimately, Windows Defender is the result of nearly 50 years of Microsoft trying to beat the bad guys. Not only do I suspect it is here to stay, I think we will start to see the AV market change and adapt.
What I suspect we will see is that some of the old dogs, the ones that have been around since the dawn of PC computing, will have to learn a few new tricks to keep some skin in the game. Do not forget that the Microsoft Defender brand now also covers Macs and Linux, so it seems undeniable that Microsoft is an omnipresent force in the cyber universe today.
As always, we would love to hear from you in the community, so if there are any subjects you would like us to cover in the future, or you would just like a conversation about your cyber security posture, please do reach out and leave us some comments on anything cyber related you would like us to discuss.
About the Author: Terry Lewis, a 25-year veteran tech entrepreneur and technology blogger.
“I’m lucky to have worked in technology all over the world for large multinational organisations. In recent years I have built technology brands and developed products to help make technology that bit easier for people to grasp and manage. By day I run tech businesses; by night (as soon as the kids have gone to bed) I write code, and I love building cyber security technology.