Skip to content

M1028 Operating System Configuration

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:

Disable Unused Features:

  • Turn off SMBv1, LLMNR, and NetBIOS where not needed.
  • Disable remote registry and unnecessary services.

Enforce OS-level Protections:

  • Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows.
  • Use AppArmor or SELinux on Linux for mandatory access controls.

Secure Access Settings:

  • Enable User Account Control (UAC) for Windows.
  • Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

File System Hardening:

  • Implement least-privilege access for critical files and system directories.
  • Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

Secure Remote Access:

  • Restrict RDP, SSH, and VNC to authorized IPs using firewall rules.
  • Enable NLA for RDP and enforce strong password/lockout policies.

Harden Boot Configurations:

  • Enable Secure Boot and enforce UEFI/BIOS password protection.
  • Use BitLocker or LUKS to encrypt boot drives.

Regular Audits:

  • Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

Tools for Implementation

Windows:

  • Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings.
  • Windows Defender Exploit Guard: Built-in OS protection against exploits.
  • CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

Linux/macOS:

  • AppArmor/SELinux: Enforce mandatory access controls.
  • Lynis: Perform comprehensive security audits.
  • SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

Cross-Platform:

  • Ansible or Chef/Puppet: Automate configuration hardening at scale.
  • OpenSCAP: Perform compliance and configuration checks.
Item Value
ID M1028
Version 1.3
Created 06 June 2019
Last Modified 18 December 2024
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system. Ensuring that the sudo tty_tickets setting is enabled will prevent this leakage across tty sessions.
enterprise T1548.001 Setuid and Setgid Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.
enterprise T1548.003 Sudo and Sudo Caching Ensuring that the tty_tickets setting is enabled will prevent this leakage across tty sessions.
enterprise T1087 Account Discovery Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. 2
enterprise T1087.001 Local Account Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.2
enterprise T1087.002 Domain Account Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.2
enterprise T1098 Account Manipulation Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.
enterprise T1197 BITS Jobs
Consider reducing the default BITS job lifetime in Group Policy or by editing the JobInactivityTimeout and MaxDownloadTime Registry values in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS.8
enterprise T1092 Communication Through Removable Media Disallow or restrict removable media at an organizational policy level if they are not required for business operations.13
enterprise T1136 Create Account Protect domain controllers by ensuring proper security configuration for critical servers.
enterprise T1136.002 Domain Account Protect domain controllers by ensuring proper security configuration for critical servers.
enterprise T1543 Create or Modify System Process Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.
enterprise T1543.003 Windows Service Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.
enterprise T1546 Event Triggered Execution -
enterprise T1546.008 Accessibility Features To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later.17
enterprise T1011 Exfiltration Over Other Network Medium Prevent the creation of new network adapters where possible.910
enterprise T1011.001 Exfiltration Over Bluetooth Prevent the creation of new network adapters where possible.
enterprise T1564 Hide Artifacts -
enterprise T1564.002 Hidden Users If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow Hide500Users value will force all users to be visible.
enterprise T1574 Hijack Execution Flow -
enterprise T1574.006 Dynamic Linker Hijacking When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions.1 Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary.
enterprise T1562 Impair Defenses -
enterprise T1562.003 Impair Command History Logging Make sure that the HISTCONTROL environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”.
enterprise T1490 Inhibit System Recovery Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: reagentc /enable.14
enterprise T1036 Masquerading -
enterprise T1036.007 Double File Extension Disable the default to “hide file extensions for known file types” in Windows OS.1516
enterprise T1556 Modify Authentication Process Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.
enterprise T1556.002 Password Filter DLL Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.
enterprise T1556.008 Network Provider DLL Starting in Windows 11 22H2, the EnableMPRNotifications policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.18
enterprise T1135 Network Share Discovery Enable Windows Group Policy “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” security setting to limit users who can enumerate network shares.12
enterprise T1003 OS Credential Dumping
Consider disabling or restricting NTLM.6 Consider disabling WDigest authentication.7
enterprise T1003.001 LSASS Memory Consider disabling or restricting NTLM.6 Consider disabling WDigest authentication.7
enterprise T1003.002 Security Account Manager Consider disabling or restricting NTLM.6
enterprise T1003.005 Cached Domain Credentials Consider limiting the number of cached credentials (HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\cachedlogonscountvalue)11
enterprise T1542 Pre-OS Boot -
enterprise T1542.005 TFTP Boot Follow vendor device hardening best practices to disable unnecessary and unused features and services, avoid using default configurations and passwords, and introduce logging and auditing for detection.
enterprise T1563 Remote Service Session Hijacking -
enterprise T1563.002 RDP Hijacking Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.5
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.5
enterprise T1053 Scheduled Task/Job Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. 4
enterprise T1053.002 At Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. 4
enterprise T1053.005 Scheduled Task Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. 4
enterprise T1553 Subvert Trust Controls Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. 3
enterprise T1553.004 Install Root Certificate Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. 3
enterprise T1552 Unsecured Credentials There are multiple methods of preventing a user’s command history from being flushed to their .bash_history file, including use of the following commands:
set +o history and set -o history to start logging again;
unset HISTFILE being added to a user’s .bash_rc file; and
ln -s /dev/null ~/.bash_history to write commands to /dev/nullinstead.
enterprise T1552.003 Shell History There are multiple methods of preventing a user’s command history from being flushed to their .bash_history file, including use of the following commands:
set +o history and set -o history to start logging again;
unset HISTFILE being added to a user’s .bash_rc file; and
ln -s /dev/null ~/.bash_history to write commands to /dev/null instead.

References

  1. Apple Inc.. (2021, January 1). Hardened Runtime: Manage security protections and resource access for your macOS apps.. Retrieved March 24, 2021. 

  2. UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017. 

  3. Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. 

  4. Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017. 

  5. Microsoft. (n.d.). Configure Timeout and Reconnection Settings for Remote Desktop Services Sessions. Retrieved December 11, 2017. 

  6. Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017. 

  7. Microsoft. (2014, May 13). Microsoft Security Advisory: Update to improve credentials protection and management. Retrieved June 8, 2020. 

  8. Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018. 

  9. Microsoft. (2009, February 9). Disabling Bluetooth and Infrared Beaming. Retrieved July 26, 2018. 

  10. Schauland, D. (2009, February 24). Configuring Wireless settings via Group Policy. Retrieved July 26, 2018. 

  11. Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack, Mitigation, Defense. Retrieved February 21, 2020. 

  12. Microsoft. (2017, April 19). Network access: Do not allow anonymous enumeration of SAM accounts and shares. Retrieved May 20, 2020. 

  13. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016. 

  14. Microsoft, EliotSeattle, et al. (2022, August 18). REAgentC command-line options. Retrieved October 19, 2022. 

  15. Seqrite. (n.d.). How to avoid dual attack and vulnerable files with double extension?. Retrieved July 27, 2021. 

  16. Chris Hoffman. (2017, March 8). How to Make Windows Show File Extensions. Retrieved August 4, 2021. 

  17. Microsoft. (n.d.). Configure Network Level Authentication for Remote Desktop Services Connections. Retrieved June 6, 2016. 

  18. Microsoft. (2023, January 26). Policy CSP - WindowsLogon. Retrieved March 30, 2023.