Having examined the effects of the WannaCry and Petya viruses and how these attacks affected our customers, we would like to share our findings and give general cybersecurity recommendations. These tips will be especially helpful for Windows system administrators, since they were hit hardest by these outbreaks.

- The Active Directory forest functional level must be at least Windows Server 2012 R2, and users must be members of the Protected Users security group. This prevents their passwords from being intercepted with Mimikatz;
- Shared file access must be implemented through a versioning system or snapshots, e.g. SharePoint + OneDrive for Business;
- Secure Boot must be enabled on hypervisors, so that a cryptolocker trying to boot in place of the native OS fails to start;
- Email server settings must prohibit receiving executable files and corrupted archives. As an extreme measure, you could switch incoming email to plain text to eliminate links in the message body;
- Updates must be installed regularly, at least once every two weeks. Regularly update the servers' OS, drivers, and firmware. This is one of the most important information security measures and will considerably strengthen your protection. You must have a clear update plan that records the date of the latest update and who performed it;
- Locate the backup system outside of the current environment, and configure replication to the backup site;
- Client computers must run Windows 10 LTSB. The LTSB build has fewer potentially dangerous components and, in theory, does not spy on users, though disabling telemetry is still good practice;
- Enable UEFI and Secure Boot. As with the servers, these settings prevent ransomware from booting in place of the native OS. The Petya virus reboots the machine to start encryption, and these two settings prevent exactly that. Future cryptolockers are very likely to use the same strategy;
- Automatically update not only the operating system but also all applications, especially MS Office. Whether you use WSUS or update directly from Microsoft's servers does not matter. This point needs no further explanation. Servers should be updated manually under proper supervision to avoid downtime, while workstations should be updated automatically;
- System administrators should not work on workstations with domain administrator rights;
- Separate the working environment from web surfing, and isolate the company's departments from each other in separate environments, for example, as demonstrated here;
- Separate the infrastructure environments using VLANs with traffic filtering between them. Blocking access to specific ports then stops malware from spreading across the network. In the case of Petya, outside access to TCP ports 135, 139, and 445 (the ports used by the SMB and WMI services) must be blocked to prevent the ransomware from spreading;
- It is advisable not to use server software that requires network access to shared folders. Business software such as 1C must run on SQL Server;
- Workstations and servers must have a network filter configured to block outbound access for all applications except those that require it. Detailed information on how and why to do this may be found here;
- Disable SMBv1 and, where possible, SMBv2 on workstations and servers;
- Specialized and rarely used programs, such as M.E.doc or Internet banking clients (especially Java applications), should run on a separate virtual machine behind a strong firewall;
- Don't rely on antivirus software; it creates a false sense of security. Consider the latest viruses and how the leading vendors responded: even the standard Windows Defender was among the first to be updated;
- Help your IT personnel obtain technical certifications, and choose an outsourcer with valid certifications in the professional areas you need;
- Conduct training and other activities to raise IT security awareness among all employees; provide examples of real-life security breaches and demonstrate the potential consequences.
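The port-blocking recommendation above (TCP 135, 139 and 445 reachable only from inside the trusted segment) is usually enforced on the switches and firewalls between VLANs, but it can also be enforced on each Windows host. The script below is an added example, not code from the original article: it builds a Windows Firewall block rule that covers every address outside a list of allowed subnets. Windows Firewall block rules take precedence over allow rules and cannot express "everything except X", so the script computes the complement of the allowed ranges and uses that list as the rule's remote addresses. The `$AllowedRanges` value and the rule name are constructed placeholders; replace them with your own file-server and management subnets.

```powershell
# Added example (not from the original article): restrict inbound TCP 135/139/445
# on a Windows host to a list of allowed IPv4 ranges by blocking their complement.
# Assumptions: run from an elevated PowerShell on Windows 8 / Server 2012 or later;
# $AllowedRanges is a constructed placeholder.
param(
    [string[]]$AllowedRanges = @('10.0.10.0-10.0.10.255', '10.0.250.5'),  # constructed placeholder
    [string[]]$Ports = @('135', '139', '445'),
    [string]$RuleName = 'Block SMB/RPC from outside allowed subnets'
)

function ConvertTo-IpUInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IpUInt32 {
    param([uint32]$Value)
    $bytes = [System.BitConverter]::GetBytes($Value)
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return ([System.Net.IPAddress]::new($bytes)).ToString()
}

function Get-ComplementRanges {
    # Returns the IPv4 ranges NOT covered by $Ranges, as "a.b.c.d-e.f.g.h" strings
    param([string[]]$Ranges)
    $parsed = foreach ($r in $Ranges) {
        $parts = $r.Trim() -split '-'
        $start = ConvertTo-IpUInt32 $parts[0]
        $end   = if ($parts.Count -gt 1) { ConvertTo-IpUInt32 $parts[1] } else { $start }
        if ($end -lt $start) { throw "Range '$r' ends before it starts" }
        [pscustomobject]@{ Start = $start; End = $end }
    }
    $result = @()
    [uint64]$cursor = 0                        # first address not yet accounted for
    foreach ($p in ($parsed | Sort-Object Start)) {
        if ([uint64]$p.Start -gt $cursor) {    # gap before this allowed range: block it
            $gapEnd  = [uint32]([uint64]$p.Start - 1)
            $result += ('{0}-{1}' -f (ConvertFrom-IpUInt32 ([uint32]$cursor)), (ConvertFrom-IpUInt32 $gapEnd))
        }
        if (([uint64]$p.End + 1) -gt $cursor) { $cursor = [uint64]$p.End + 1 }
    }
    if ($cursor -le [uint32]::MaxValue) {      # tail after the last allowed range
        $result += ('{0}-{1}' -f (ConvertFrom-IpUInt32 ([uint32]$cursor)), (ConvertFrom-IpUInt32 ([uint32]::MaxValue)))
    }
    return $result
}

$blocked = Get-ComplementRanges -Ranges $AllowedRanges
Write-Host "Blocking inbound TCP $($Ports -join ',') from $($blocked.Count) address range(s)"

# Remove any earlier rule of the same name so repeated runs stay idempotent
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort $Ports `
    -RemoteAddress $blocked -Action Block -Profile Any -Enabled True | Out-Null

# Verify: the rule's address filter should list every blocked range
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

On workstations that do not serve files at all, the simpler form is a block rule with `-RemoteAddress Any` on these ports; the complement approach is for file servers and domain controllers that must still accept SMB and RPC from a known set of subnets. Deploying the same rule through Group Policy keeps it consistent across the fleet.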
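Several items in the list (Protected Users membership, Secure Boot, disabling SMBv1 and, where possible, SMBv2) can be checked on a host with a short audit script. The following is an added example and not code from the original article: it reports the state of those settings and, when run with `-Apply`, disables SMBv1 on the server and client side. The `$AccountsToCheck` list is a constructed placeholder; the ActiveDirectory module is only needed for the Protected Users check and the script skips that check when the module is absent.

```powershell
# Added example (not from the original article): audit Secure Boot, SMB protocol
# versions and Protected Users membership, then optionally harden SMB.
# Assumptions: elevated PowerShell on Windows 8.1 / Server 2012 R2 or later;
# $AccountsToCheck is a constructed placeholder.
param(
    [string[]]$AccountsToCheck = @('Administrator', 'svc-backup'),  # constructed placeholder
    [switch]$Apply,          # disable SMBv1 (and SMBv2 when -DisableSmb2 is also given)
    [switch]$DisableSmb2     # EnableSMB2Protocol also governs SMBv3: only where nothing mounts shares from this host
)

function Test-SecureBoot {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, which is itself a finding
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $false }
}

function Get-SmbState {
    $srv = Get-SmbServerConfiguration
    # The SMB1Protocol optional feature exists on Windows 10 / Server 2016+, not on 2012 R2
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $srv.EnableSMB1Protocol
        Smb2ServerEnabled = $srv.EnableSMB2Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'NotAvailable' }
    }
}

function Test-ProtectedUsers {
    param([string[]]$Accounts)
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Warning 'ActiveDirectory module not found; skipping Protected Users check'
        return
    }
    Import-Module ActiveDirectory
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    foreach ($a in $Accounts) {
        [pscustomobject]@{ Account = $a; InProtectedUsers = ($members -contains $a) }
    }
}

function Invoke-SmbHardening {
    param([switch]$IncludeSmb2)
    # Server side: also works on 2012 R2, where the optional feature does not exist
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side and removal of the SMB1 binaries where the optional feature exists
    if (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    if ($IncludeSmb2) { Set-SmbServerConfiguration -EnableSMB2Protocol $false -Force }
}

'--- Boot ---'
[pscustomobject]@{ SecureBootEnabled = Test-SecureBoot } | Format-List
'--- SMB ---'
Get-SmbState | Format-List
'--- Protected Users ---'
Test-ProtectedUsers -Accounts $AccountsToCheck | Format-Table -AutoSize

if ($Apply) {
    Invoke-SmbHardening -IncludeSmb2:$DisableSmb2
    'SMB state after hardening (a reboot completes the feature removal):'
    Get-SmbState | Format-List
}
```

Run it once without switches to get the report, then with `-Apply` to turn SMBv1 off. The `-DisableSmb2` switch is deliberately separate because `EnableSMB2Protocol` also controls SMBv3; turning it off on a file server or domain controller stops every client from reaching its shares, which is why the recommendation says "where possible".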