NetCease module

Almost a year ago, Itai Grady released a script on the technet gallery that blocks the reconnaissance done by using the Server Message Block (SMB) Session Enumeration method.

I’ve studied, changed the script and made a module of it. Why?
It’s easier to share and install once it’s uploaded on the PowerShellGallery.
The approach inside the module is a bit different and allows to move more easily from the default state to the hardened state and vice-versa.
Let’s say that the module assumes breach and is somehow “more” idem-potent than the original version πŸ˜€

Let’s see quickly how to use it:

# Download the module
Save-Module -Name NetCease -Repository PSGallery -Path ~/Downloads
# Load the module
Import-Module ~/Downloads/NetCease/1.0.1/NetCease.psd1 -Force -Verbose
# View current NetSessionEnum permissions
Get-NetSessionEnumPermission | 
Select TranslatedSID,SecurityIdentifier,AccessMask,AceType | ft -AutoSize
# Harden permissions
Set-NetSessionEnumPermission -Verbose -Confirm:$false
# Restart the Server service for changes to take effect
Restart-Service LanmanServer -Force -Verbose

How to test if it works?
To quickly test if, I borrowed the pieces of code: the Get-NetSession function from @harmj0y and the PSReflect module from @mattifestation

In the above screenshot, you can see that the Get-NetSession doesn’t return anything after I hardened the configuration of the targeted Domain Controller.

Note that the Server service has some dependencies on other services. Restarting these services could cause a little disruption, so be careful.

The ATA gateway detected my previous attempts:

The module will work on Windows 7, 8.1, 10, Windows Server 2008 R2, 2012 R2 and 2016 and isn’t only for domain controllers. If you want to limit the recon performed by an insider attacker, you’ll want to apply it to every machine.

Bonus: I didn’t immediately realized it but it’s possible to create a Desired State Configuration (DSC) config 😎

Configuration NetCeaseConfig {
Param (
[string[]]$NodeName = 'localhost'
Import-DscResource –ModuleName 'PSDesiredStateConfiguration'
Node $NodeName
Registry NetCease
Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
ValueName = 'SrvsvcSessionInfo'
Ensure = 'Present'
Force = $true
ValueData = '010004801400000020000000000000002C00000001010000000000051200000001010000000000051200000002008C000600000000001400FF011F0001010000000000050300000000001400FF011F0001010000000000050400000000001400FF011F000101000000000005060000000000180013000F00010200000000000520000000200200000000180013000F00010200000000000520000000230200000000180013000F0001020000000000052000000025020000'
ValueType = 'Binary'

Here’s the result of applying twice the DSC config and having first restored the default permissions:

Create Adobe GPO templates

Every good IT pro tries to follow best practices by updating and configuring workstations, software installed,…

Let’s consider specifically the PDF reader software provided by Adobe and the fact that the IT pro wants to harden the configuration to have a more resistant endpoint to this attack vector.

Adobe provides some GPO templates that you can find on their FTP website:

Version Reader Acrobat

If you load all these ADMX and ADML files in your policy definitions folder, you’ve got the following in the group policy editor console:

When you start to explore these templates and look for hardening the security settings, you get really disappointed because there’s only between 5 to 7 settings per node 😦

It’s a shame because Adobe took the time to document many registry settings in the Enterprise toolkit pages and for example on these pages:

But they failed to make these settings available in GPO templates 😦

Adobe fails, no problem, PowerShell to the rescue 😎

It appears I’m not the only one who thinks this way. The Information Assurance mission at NSA (iadgov) helps the Department of Defense (DoD) to apply baselines.
They have a huge github repository and even have an Adobe Reader DC template with around 45 settings. It’s not their first attempt. Before that they published recommended Adobe Reader XI settings.

However their single Adobe template has many problems that I won’t detail here when I loaded it on a Windows 7 workstation.
Kudos to iadgov! I’ve used some of their settings when appropriate, their categories but the main difference is that I created a PowerShell module that creates templates on demand for the Reader, Acrobat and their 2005, 2007 or DC versions 😎

I’d like the community to contribute to get more settings,… I’ve uploaded the module on github so that it’s easy to fork, track issues, follow changes.
I’ve also added a documentation of every settings on this page:

I’ve also uploaded the module on the PowerShell Gallery:

Here’s an overview of what you’ll get if you generate all the templates and move them to your local GPO templates folder:

That looks better, isn’t it? And there are more than 40 settings for each version of Adobe Software. πŸ˜€

  • How to start and create these templates?
    • Download the module
    • Find-Module -Name AdobeGPOTemplates -Repository PSGallery
      Save-Module -Name AdobeGPOTemplates -Path ~/Downloads -Repository PSGallery
      $HT = @{
       CatalogFilePath = "~/Downloads/AdobeGPOTemplates/1.0.0/"
       Path = "~/Downloads/AdobeGPOTemplates/1.0.0"
       Detailed = $true
       FilesToSkip = 'PSGetModuleInfo.xml'
      Test-FileCatalog @HT

    • Import the module, create templates and copy them to your local GPO templates folder
    • Import-Module ~/Downloads/AdobeGPOTemplates/1.0.0/AdobeGPOTemplates.psd1 -Force
      Get-Command New-AdobeGPOTemplate -Syntax
      # Get-Help New-AdobeGPOTemplate  -Examples
      New-AdobeGPOTemplate -Product Reader,Acrobat -Version DC,2017,2015
      copy .\*.admx -Destination C:\Windows\PolicyDefinitions\
      copy .\*.adml -Destination C:\Windows\PolicyDefinitions\en-US\

  • What’s the bare minimum config?
  • If you omit the first rule of hygiene that states that you need to update your software and the fact that the Adobe Reader has many “cloud-focused” features, I’d say that the 3 minimum settings to configure are:

    1. Disable JavaScript
    2. Disable the ability to execute any embedded object
    3. Have the protected view turned on for anything

    I know we may not agree and if you’ve an opinion about the bare minimum config, please share it in the comments.

    • Example of minimum config

    Let’s say you just want to change the following default settings at the user level without locking down everything based on the above 3 recommendations:

    After you configured the following GPO settings:

    You get this in the Reader UI: