Internal networks (LAN) security audits

File sharing is commonly used in companies so that users can share documents with each other. However, these are frequently misconfigured, and overexposed. For this, we check, among other things:

• that your network has the minimum of file shares accessible without a user account,
• that the highly vulnerable SMBv1 protocol is no longer used or enabled,
• that no sensitive or confidential data is stored on file shares accessible without a user account,
• that access rights to file shares be granted consistently, and preferably by group rather than by user.

If necessary, our report will include the list of discovered file shares, and the access rights to them.

Windows mechanisms allow a user to authenticate to a server or service by sending an authentication sequence, rather than just a username and a password. However, due to poor configuration, an attacker may be able to eavesdrop on network traffic and retrieve these authentication sequences in order:

• to crack them in order to recover the user's unencrypted password, especially when the password policy is weak or non-existent,
• to relay them to one of the other services, without having to crack them, in order to gain access to those services illegitimately.

For this, we check, among other things:

• that the most recent authentication sequence protocol, NetNTLMv2, is selected,
• that user passwords are not stored in clear text in machines memory, via WDigest for example,
• that Microsoft's name resolution protocols, LLMNR and NetBIOS, are disabled in favor of DNS,
• that hosts on the network check the SMB packet signature,
• that the IPv6 protocol, if enabled on the hosts, is handled correctly,
• that a strong password policy is enabled to make it more difficult to break authentication sequences.

Exchange servers, because of their importance and functionality, are generally installed by default with a configuration that grants them significant rights to Active Directory objects. Through other vulnerabilities, an attacker can manipulate Exchange servers and their high privileges in order to perform sensitive actions, or grant high privileges to an account. For this, we check, among other things:

• that the Exchange servers are up to date and have the latest security patches installed,
• that the privileges granted to Exchange servers are reduced to the minimum necessary to function,
• that the network flows are properly managed so that an Exchange server cannot authenticate to a user workstation,
• that obsolete Windows protocols such as MS-RPRN are disabled.

Active Directory and Windows networks administration is complex, especially due to the strong evolution of these technologies, as well as the need for Microsoft to maintain backward compatibility of these solutions for businesses. However, new protocols, solutions and architectures have emerged to fix the many critical vulnerabilities found in these systems. Unfortunately, many times they are not implemented due to lack of knowledge, time or resources. For this, we check, among other things:

• the attack paths that would allow a standard user to elevate their privileges to domain administration
• the application of patches to protect against recent vulnerabilities such as BlueKeep, EternalBlue, PrivExchange, MIC-Remove, Kerberoasting...
• the implementation of best practices such as LAPS (Local Admin Password Solution) or n-tier administration

Solution integrators rarely take security into account, and installed products generally have neither an upgrade policy nor a password policy. For this, we check, among other things:

• that access to the administration interfaces of the different services is not possible from the standard users networks,
• that access to the administration interfaces is secured with a strong password and that the default passwords are changed.
• that solutions and services are up to date and have no known vulnerabilities and can be easily exploited.