---
tags: ccdc
---

# Securing Remote Windows Hosts (Windows Vista/Server 2K8 and Above)

> Note: The order of this document is deliberate. Do not skip steps or start a later section first.

## Remote Desktop Protocol (RDP) - 3389 TCP/UDP

![](https://i.imgur.com/UDHv2vx.png =300x)

> * Remote hosts are machines that **DO NOT** have web console access.
> * They are typically on an entirely different subnet.
> * Reaching these machines requires an outbound firewall rule on the machine you connect from, to remote port 3389.

### Locking Down RDP:

1. As soon as you have access to the remote machine, open Windows Firewall with Advanced Security (`wf.msc`).
    * If the firewall service is not running or is disabled, enable and start the "Windows Firewall" service (`MpsSvc`) in `services.msc`.
2. Manually create two custom inbound rules, one for **TCP** and one for **UDP**:
    * Specify local port `3389`.
    * Under the Scope tab, add the permissible remote IPs or subnets to the list of addresses that may talk to the host. A rule left scoped to "Any" remote address leaves RDP open to the whole network.
3. Ensure the firewall is turned on and not being overridden by Group Policy:
    * Windows Firewall should be on for all three profiles (Domain, Private, and Public).
    * Inbound should default to Block on all three profiles.
    * Outbound can also default to Block, to stop reverse shells from leaving the host.
    * If you block outbound, you must create an outbound rule for the CCS Client, or its checks stop reaching the server.
4. Manually delete all other rules in the firewall, both inbound and outbound.
    * On Windows 7 / Server 2008 R2 and later, select all rules (`CTRL + A`), deselect your two RDP rules (click them while holding `CTRL`), and delete the rest.
    * On Vista / Server 2008, delete the rules by hand, or run the following as a **batch script**:

> Note: Typing these commands one at a time in a command prompt will disconnect you and your team: the `delete rule name=all` line removes the RDP allow rules, and nothing re-creates them until the next line runs. Running them as one script re-adds the RDP rules immediately after the delete. The slightest mistake (a typo in the remote subnet, the wrong port) still costs your team its access, so double-check the script before running it.
```cmd
netsh advfirewall firewall delete rule name=all
netsh advfirewall firewall add rule name="rdptcp" protocol=tcp dir=in action=allow localport=3389 remoteip=<Permissible Subnets>
netsh advfirewall firewall add rule name="rdpudp" protocol=udp dir=in action=allow localport=3389 remoteip=<Permissible Subnets>
```

### Securing the Machine Even Further:

Run the following commands in an **administrative** command prompt. They make the firewall service start automatically, save a report of the Group Policy currently applied, wipe the local Group Policy store, and reapply the default security template:

```shell=
sc config mpssvc start= auto
sc start mpssvc
gpresult /h %windir%\gpresult.html
rd /s /q %windir%\System32\GroupPolicy
type %windir%\inf\defltbase.inf | findstr /v "__Members" > default.inf
secedit /configure /db leedles.sdb /cfg default.inf
gpupdate /force
```

> The `findstr /v "__Members"` filter drops the group-membership lines from the default template so that `secedit` does not rewrite the membership of the built-in groups. Use straight quotes, not curly ones, or `findstr` matches nothing and every line passes through. `gpresult.html` is your record of the policy that was in force before the reset; read it if something stops working afterwards.

> At this point, it is appropriate to change users' passwords.

### Modified Firewall Script (Level 2):

Three batch files, run in order. `base1.bat` turns on success and failure auditing for every category, deletes every SMB share on the host (including the administrative shares and anything a file server or domain controller is serving, so skip the `wmic` line on such hosts), and sets the firewall, Defender and Event Log services to start automatically:

base1.bat:

```shell=
auditpol.exe /set /category:* /failure:enable /success:enable
wmic share delete
sc config mpssvc start= auto
sc start mpssvc
sc config WinDefend start= auto
sc start WinDefend
sc config EventLog start= auto
sc start EventLog
```

`base2.bat` sets every profile to block both directions by default, logs allowed and dropped connections to a file with a deliberately unremarkable name, and caps the log at 16 MB (`maxfilesize` is in KB):

base2.bat:

```shell=
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall set allprofiles logging allowedconnections enable
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%windir%\shortcut.lnk"
netsh advfirewall set allprofiles logging maxfilesize 16384
```

`base3.bat` only adds the outbound and ICMP rules the host needs once outbound is blocked. It deletes nothing and assumes the RDP inbound rules from the earlier step are already in place:

base3.bat:
```shell=
for /f "tokens=14" %%i in ('ipconfig ^| findstr IPv4') do (
    set ip=%%i
)
netsh advfirewall firewall add rule name="dnsOUT" dir=out action=allow protocol=udp localip=%ip% remoteip=<DNS Server> remoteport=53
netsh advfirewall firewall add rule name="icmpv4out" dir=out action=allow protocol=icmpv4 localip=%ip% remoteip=1.1.1.1
netsh advfirewall firewall add rule name="icmpv4in" dir=in action=allow protocol=icmpv4 localip=%ip% remoteip=10.120.0.0/16,10.110.0.0/16
netsh advfirewall firewall add rule name="adOUT" dir=out action=allow localip=%ip% remoteip=<AD Server>
netsh advfirewall firewall add rule name="CCSOUT" dir=out action=allow protocol=tcp localip=%ip% remoteport=80 program="C:\CCS\CCSClient.exe"
```

> The `for /f` loop takes the 14th whitespace-separated token of each `IPv4 Address` line that `ipconfig` prints, which is the address itself on English-language Windows. If the host has several adapters, the last one listed wins, so `echo %ip%` before the rules are added. `adOUT` has no `protocol=` and no `remoteport=`, so it allows all traffic to the AD server; that is intentional, since a domain member talks to its DC on many ports.

### Inspect Firewall and Import into Group Policy

1. Refresh the advanced firewall console or reopen `wf.msc`.
2. Ensure all three profiles are on and that the default action is Block for both inbound and outbound.
3. Look for any rules that you did not add yourself. A rule you do not recognize, especially an inbound allow scoped to "Any" remote address or an outbound allow for an unfamiliar program, is a sign the machine may already be compromised.

> Remember to stop locally created rules from applying: in Group Policy (`gpedit.msc`), under the Windows Firewall with Advanced Security settings, set "Apply local firewall rules" to No for each profile, so that a rule an attacker adds locally is ignored. Do this only after the rules you depend on (at minimum `rdptcp` and `rdpudp`) have been imported into the policy itself; rules created in `wf.msc` live in the local store and stop applying the moment that setting takes effect.
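The note under "Locking Down RDP" warns that one mistake in the rule reset costs the team its only path to the host. The following is an added example, not part of the original page, of the same reset done with a safety net: it snapshots the policy with `netsh advfirewall export`, arms a SYSTEM scheduled task that re-imports the snapshot a few minutes later, applies the lockdown, and is disarmed only once a second RDP session confirms the host is still reachable. The allowed subnets, the backup path and the five-minute window are assumptions, not values from the page; outbound is left open here because the page blocks it later, in `base2.bat`, after the outbound rules exist.

```powershell
# Added example (not from the original page): RDP lockdown with automatic rollback.
# Run from an elevated PowerShell prompt inside your RDP session.
# Assumed values (placeholders, not from the page):
$AllowedRdpSources = '10.120.0.0/16,10.110.0.0/16'
$Backup            = "$env:windir\Temp\fw-before-lockdown.wfw"   # path without spaces
$TaskName          = 'fw-rollback'
$RollbackMinutes   = 5

# 1. Snapshot the whole firewall policy (profiles, rules, logging) to one file.
netsh advfirewall export $Backup | Out-Null
if (-not (Test-Path $Backup)) { throw "firewall export failed; aborting before touching any rule" }

# 2. Arm the dead man's switch: a SYSTEM task that re-imports the snapshot at a
#    fixed time (today, local clock). If the lockdown kills the session, the
#    task fires and the old rules come back; if it works, we delete the task.
$fireAt = (Get-Date).AddMinutes($RollbackMinutes).ToString('HH:mm')
schtasks /create /f /tn $TaskName /ru SYSTEM /sc once /st $fireAt `
    /tr "netsh advfirewall import $Backup" | Out-Null

# 3. Apply the lockdown as one uninterrupted sequence, same order as the page's
#    batch script: wipe every rule, then immediately re-add the two RDP rules.
#    Arguments containing commas are quoted so PowerShell does not split them.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"
netsh advfirewall firewall delete rule name=all | Out-Null
netsh advfirewall firewall add rule name=rdptcp dir=in action=allow protocol=tcp localport=3389 "remoteip=$AllowedRdpSources" | Out-Null
netsh advfirewall firewall add rule name=rdpudp dir=in action=allow protocol=udp localport=3389 "remoteip=$AllowedRdpSources" | Out-Null

# 4. Verify what actually landed before trusting it: netsh prints one
#    "Rule Name:" header per rule, so exactly two should remain.
$rules = netsh advfirewall firewall show rule name=all
$count = @($rules | Select-String '^Rule Name:').Count
"$count rule(s) present after lockdown (expected 2)"
$rules | Select-String '^(Rule Name|RemoteIP|LocalPort|Action):'

# 5. Open a SECOND RDP session from an allowed address. Once it connects, disarm:
#       schtasks /delete /f /tn fw-rollback
#    If it does not connect, do nothing: the task restores the snapshot at $fireAt.
"Rollback task '$TaskName' fires at $fireAt unless deleted."
```

The export file is the thing to keep even after a successful run; `netsh advfirewall import` of that file is a one-line way to recover the pre-lockdown state from a console session if a later script goes wrong.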
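Step 3 of "Inspect Firewall" asks you to look for rules you did not add, which is tedious by eye once the list grows. This added example, not part of the original page, does the comparison from the text that `netsh advfirewall` prints, so it works on Vista/2008 where the `Get-NetFirewallRule` cmdlets do not exist. The expected-rule list is the set of names this page creates; the sample output below is constructed in the shape netsh prints and includes one made-up rule to show what a hit looks like. For a live check, replace the samples with the two `netsh` commands in the comment.

```powershell
# Added example (not from the original page): audit the firewall against the
# rule names this guide creates and flag profiles that are off or not default-deny.
$ExpectedRules = @('rdptcp','rdpudp','dnsOUT','icmpv4out','icmpv4in','adOUT','CCSOUT')

function ConvertFrom-NetshRules {
    # Turn netsh's "Key:   Value" blocks (one rule per block, blank-line
    # separated) into objects. Separator lines of dashes and "Ok." have no
    # colon and are ignored.
    param([string[]]$Text)
    $rule = @{}
    foreach ($line in $Text) {
        if ($line -match '^\s*$') {
            if ($rule.Count -gt 0) { New-Object PSObject -Property $rule; $rule = @{} }
        } elseif ($line -match '^([^:]+?):\s+(.*)$') {
            $rule[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($rule.Count -gt 0) { New-Object PSObject -Property $rule }
}

function Find-UnexpectedRules {
    # Every rule whose name is not on the allow-list is suspect.
    param([string[]]$Text, [string[]]$Expected)
    ConvertFrom-NetshRules $Text | Where-Object {
        $_.'Rule Name' -and ($Expected -notcontains $_.'Rule Name')
    }
}

function Get-ProfileProblems {
    # Flags any profile that is off or not "BlockInbound,BlockOutbound".
    param([string[]]$Text)
    $profile = ''
    foreach ($line in $Text) {
        if ($line -match '^(\w+) Profile Settings:') { $profile = $matches[1] }
        elseif ($line -match '^State\s+(\w+)' -and $matches[1] -ne 'ON') {
            "$profile profile: firewall is $($matches[1])"
        }
        elseif ($line -match '^Firewall Policy\s+(\S+)' -and $matches[1] -ne 'BlockInbound,BlockOutbound') {
            "$profile profile: default policy is $($matches[1])"
        }
    }
}

# Constructed sample in the shape netsh prints. The second rule is invented to
# show a hit: a friendly-sounding name, inbound, allowed from anywhere.
$sampleRules = @(
    'Rule Name:                            rdptcp',
    '----------------------------------------------------------------------',
    'Enabled:                              Yes',
    'Direction:                            In',
    'RemoteIP:                             10.120.0.0/16',
    'Protocol:                             TCP',
    'LocalPort:                            3389',
    'Action:                               Allow',
    'Ok.',
    '',
    'Rule Name:                            Windows Update Helper',
    '----------------------------------------------------------------------',
    'Enabled:                              Yes',
    'Direction:                            In',
    'RemoteIP:                             Any',
    'Protocol:                             TCP',
    'LocalPort:                            4444',
    'Action:                               Allow',
    ''
)
$sampleProfiles = @(
    'Domain Profile Settings:',
    'State                                 ON',
    'Firewall Policy                       BlockInbound,BlockOutbound',
    '',
    'Public Profile Settings:',
    'State                                 OFF',
    'Firewall Policy                       BlockInbound,AllowOutbound'
)
# Live data instead of the samples:
#   $sampleRules    = netsh advfirewall firewall show rule name=all
#   $sampleProfiles = netsh advfirewall show allprofiles

Find-UnexpectedRules -Text $sampleRules -Expected $ExpectedRules |
    Format-Table 'Rule Name', Direction, Protocol, LocalPort, RemoteIP, Action -AutoSize
Get-ProfileProblems -Text $sampleProfiles
```

Run it once right after `base3.bat` and again whenever a service check starts failing; a rule that appears between two runs is either a teammate's change or an attacker's, and both are worth a question.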