| Control | @@ -220,6 +222,7 @@ The section below provides guidance tailored to the assessment method. When sele
|---|
| Control | @@ -272,7 +275,11 @@ Finally, in addition to identifying assets for follow-on vulnerability scanningAlternatively, PowerShell can be used to identify applications with registered uninstall functionality. However, this method alone will not always cover all applications that are installed on a system. As a result, it should be combined with the list of installed applications within ‘Programs and Features’. While this approach can be used for assessments, the limitations in coverage should be noted. For key applications though, it will likely be sufficient. If any key applications appear to be missing in reports provided, this should be raised for clarification. Below is a PowerShell script to output a list of installed applications with registered uninstall functionality. This list should be reviewed in conjunction with the list of installed applications within ‘Control Panel – Programs – Programs and Features’ to ensure no applications are missed. function Analyze( $p, $f) { Get-ItemProperty $p |foreach { if (($_.DisplayName) -or ($_.version)) { [PSCustomObject]@{ From = $f; Name = $_.DisplayName; Version = $_.DisplayVersion; Install = $_.InstallDate } } } } $s = @() $s += Analyze ‘HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*’ 64 $s += Analyze ‘HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*’ 32 $s | Sort-Object -Property Name The combined list of installed applications must be reviewed alongside the date of release for each application patch to determine whether the timeframe has been met. |
|---|---|
| If tools cannot be used, request a demonstration that shows the versions of installed applications and their install date. This allows for manual checking against the latest versions available from vendors. | - +|
| Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. | +A vulnerability scanner can be used to assess applications and whether they are end of life. + |
| Request a demonstration that shows the versions of the referenced applications and services. This allows for manual checking against the list of supported versions. In addition, check if hotfix KB4577586 has been applied to demonstrate that Adobe Flash Player is no longer supported. Note, this hotfix will only remove Adobe Flash Player if it was installed by Windows. If Adobe Flash Player was installed manually from another source, it will not be removed by this hotfix. |
| Control | @@ -665,7 +672,7 @@ patch release date. There are several free tools available to support the assess this control, including ASD’s E8MVT, Nessus Essentials, Nexpose Community Edition, OpenVAS and Qualys Community Edition. There are also several paid tools available. In choosing a tool to use, make sure that it has been thoroughly tested beforehand to -ensure it is fit-for-purpose. +ensure it is fit-for-purpose.
|---|
| Control | @@ -872,6 +882,7 @@ Malicious actors will also often seek to compromise user accounts. If successful The guidance below outlines the requirements to be assessed in addition to the requirements of the previous maturity level. In doing so, assessments against Maturity Level Two should focus on the delta between Maturity Level One and Maturity Level Two. + #### Application control #### Context @@ -883,7 +894,6 @@ The majority of application control solutions will have a form of logging or aud #### Assessment Guidance The section below provides guidance tailored to the assessment method. When selecting a method, the quality of the evidence provided by each method should be strongly considered. -
|---|
| Control | @@ -934,7 +944,6 @@ increase in associated vulnerability scanning frequencies and scope. The section below provides guidance tailored to the assessment method. When selecting a method, the quality of the evidence provided by each method should be strongly considered. -
|---|
| Control | @@ -983,6 +992,7 @@ applications using the identified timeframes.
|---|
| Control | @@ -1045,7 +1054,6 @@ mitigated. #### Assessment guidance The section below provides guidance tailored to the assessment method. When selecting a method, the quality of the evidence provided by each method should be strongly considered. -
|---|
| Control | @@ -1066,9 +1074,6 @@ Google hardening guidance for Google Chrome is available within their Microsoft Office is blocked from creating child processes. @@ -1202,7 +1207,7 @@ For Maturity Level Two, privileged operating environments must not be virtualise - physically separate operating environments - an unprivileged operating environment virtualised within a privileged operating environment - both a privileged and unprivileged operating environment virtualised within a physical host’s hardened operating - environment. +environment. Jump servers play an important role as a centralised logging and tool enforcement point for administrative activities, even when privileged operating environments are used. @@ -1233,7 +1238,7 @@ an expiration date that exceeds 12 months: Get-ADUser -Filter {(admincount -eq 1) -and (enabled -eq $true)} -Properties AccountExpirationDate | Where-Object {$_.AccountExpirationDate -like “” | Select @{n=‘Username’; e={$_.SamAccountName}}, @{n=‘Account Expiration Date’; -e={$_.AccountExpirationDate}}, @{n=‘Enabled’; e={$_.Enabled}} +e={$_.AccountExpirationDate}}, @{n=‘Enabled’; e={$_.Enabled}} Microsoft provides guidance on the use of PowerShell to identify inactive accounts
based on when they were last used to logon to a system. Ask for a screenshot of the
output of the following PowerShell command that checks for inactive accounts to
-demonstrate that this activity takes place on a daily basis:
+demonstrate that this activity takes place on a daily basis: Get-ADUser -Filter {(admincount -eq 1) -and (enabled -eq $true)} -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt (Get-Date).AddDays(-45) - and$_.LastLogonDate -ne $null} | Select @{n=‘Username’; e={$_.samaccountname}}, @@ -1338,6 +1343,7 @@ At this maturity level, the timeframe for patching vulnerabilities in operating The section below provides guidance tailored to the assessment method. When selecting a method, the quality of the evidence provided by each method should be strongly considered. +
|
At this maturity level, an additional requirement for all privileged users logging onto systems, both locally and remotely, to use multi-factor authentication is introduced. In addition, the authentication methods that can be used, and in what combination, are restricted to avoid weaker implementations. Specifically, acceptable multi-factor authentication implementations include:
- something users have (i.e. look-up secret, out-of-band device, single-factor one-time PIN (OTP) devices, single-
- factor cryptographic software or single factor cryptographic device) in addition to something users know (i.e. a
- memorised secret)
+factor cryptographic software or single factor cryptographic device) in addition to something users know (i.e. a
+memorised secret)
- something users have that is unlocked by something users know or are (i.e. multi-factor OTP device, multi-factor
- cryptographic software or multi-factor cryptographic device).
+cryptographic software or multi-factor cryptographic device).
Biometrics are not acceptable at this maturity level. This is due to biometric characteristics not being secrets, biometric matching being probabilistic rather than deterministic and there being a reliance on the security of biometric capture software installed on devices. However, biometrics can be used to unlock another authentication factor (e.g. a certificate stored in a Trusted Platform Module or an OTP generator app on a smartphone). [Trusted Signals](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/multifactor-unlock?tabs=intune) are also not acceptable at this maturity level. This is due to issues associated with placing trust in the signal itself, which can be targeted and spoofed by malicious actors.
@@ -1389,7 +1397,6 @@ Note, at this maturity level organisations may choose to implement multi-factor
#### Assessment guidance
The section below provides guidance tailored to the assessment method. When selecting a method, the quality of the evidence provided by each method should be strongly considered.
-
|---|
| Control | @@ -1432,7 +1439,7 @@ value of ‘Success and Failure’.|
|---|---|
| For certain MFA implementations the above guidance may not be applicable. In these
instances discuss whether logging is available for all systems that users authenticate to
-and seek evidence that such logging is in place.
+and seek evidence that such logging is in place. If an administrator logon was observed (per the first control in this table), request recent event logs to check that there is a corresponding event log entry. |
Use the guidance provided in Maturity Level One of this guide and apply the Maturity
Level Two access control requirements. Specifically, privileged accounts should only be
-able to access their own backups (except for backup administrator accounts).
+able to access their own backups (except for backup administrator accounts). Active Directory queries and tools such as BloodHound can help to identify privileged accounts including backup administrator accounts. |
| Use the guidance provided in Maturity Level One of this guide and apply the Maturity
Level Two access control requirements. Specifically, privileged accounts should no
longer be able to modify and delete backups. Such activities should be restricted to
-backup administrator accounts.
+backup administrator accounts. Active Directory queries and tools such as BloodHound can help to identify privileged accounts including backup administrator accounts. |
| Control | @@ -1621,6 +1627,7 @@ all applications.
|---|
| Control | @@ -1663,7 +1669,7 @@ Office macros are used then Trusted Locations should be disabled. Within each Microsoft Office application, request a screenshot showing Trust Center
macro settings (File – Options – Trust Center – Trust Center Settings – Macro Settings).
In addition, request a screenshot showing Trust Center trusted publisher settings (File –
-Options – Trust Center – Trust Center Settings – Trusted Publishers).
+Options – Trust Center – Trust Center Settings – Trusted Publishers). For the assessment of Microsoft Office macro security, identify what setting is selected for ‘macro settings’. The setting should either be set to ‘Disable all macros without notification’ (if Trusted Locations are used) or ‘Disable all macros except digitally signed @@ -1741,7 +1747,7 @@ logs for signs of compromise and respond when any signs of compromise are detect At this maturity level, Internet Explorer 11 must be disabled or removed from operating systems rather than just blocked from accessing the internet or opening files from the internet. .NET Framework 3.5 (including .NET 2.0 and 3.0) is often targeted by malicious actors due to its lack of security functionality when compared to newer versions of the .NET Framework, as well as due to its linkages to PowerShell 2.0. -Within Microsoft Windows there are two separate features relating to the .NET Framework, ‘.NET Framework 3.5 (includes .NET 2.0 and .NET 3.0)’ and ‘.NET Framework 4.8 Advanced Services’. +Within Microsoft Windows there are two separate features relating to the .NET Framework, ‘.NET Framework 3.5 (includes .NET 2.0 and .NET 3.0)’ and ‘.NET Framework 4.8 Advanced Services’. Microsoft ended support for Windows PowerShell 2.0 in late 2017. At that time, Microsoft noted that Windows PowerShell 2.0 lacked the security functionality of Windows PowerShell 5.0 and higher. Constrained Language Mode for PowerShell is designed to prevent PowerShell users (which may include malicious actors) from running tools that exploit PowerShell or load Component Object Model objects, libraries and classes into a PowerShell session. @@ -1822,6 +1828,7 @@ logs for signs of compromise and respond when any signs of compromise are detect |
|---|