The graduation proposal contains at least the following components:
A cover page with:
The name of the student and the student number
The name of the company
The company/personal data (i.e. name, email address, phone number). If available, the LinkedIn account of the company supervisor is to be listed
· A concise summary of the completed graduation assignment and, if it is part of a bigger project, of that bigger project
· The issue (reason for the assignment: the problem to be solved, the wish, or the opportunity to seize)
· The objective of the assignment (what must be realized? possibly two smaller problems)
· A description of the innovative aspect in the context of the assignment (why is the assignment innovative?)
· Security past and present: internal security / need to know / least privilege
· Zero Trust model / ZTA
· All layers on system administration
· Securing data (innovative)
· Indicate which professional tasks are required to produce the professional product.
· At least one professional task at level 2 and one professional task at level 3 must be performed.
“Level 2” means that the student works independently and applies methods in an unpredictable exploitation context.
“Level 3” means that the student shows initiative and applies methods innovatively in an unpredictable context.
· The professional tasks for each specialization are as follows:
· CSC: Analyzing, advising and designing infrastructure
· TI: Designing and Realizing Hardware Interfacing
· The products / professional products expected to be delivered
· Ethical aspects in relation to the assignment, the context of the work (when relevant)
· A substantiation that the company supervisor(s) is/are able to supervise the student on content at a minimum of HBO level.
The HBO (Hoger beroepsonderwijs; literally “higher professional education”) is oriented towards higher learning and professional training. HBO is therefore the equivalent of college education in the United States.
Assessment graduation proposal – professional product
Organizational context: insightful
· What kind of organization? (type, size and structure)
· I have already described this. It is a health insurance organization.
· Within which part of the organization does the assignment take place?
· The assignment takes place within the Infrastructure team. The team consists of two system administrators, a network administrator and three service desk employees.
· Student position within organization?
· Mister IT works as a system administrator / IT consultant at ENO Zorgverzekeraar. He will be involved in conducting the investigation in the coming months. This research concludes with a company product.
Issue: clearly and concisely described
· What’s the matter?
There are currently no established guidelines for hardening services/components/systems within Eno. Systems in this context means servers such as Microsoft Windows Server 2019, but also firewalls and the like. In order to have more control over these systems, the demand has arisen to harden / standardize multiple systems.
The provisional main question is:
How can server hardening be applied so that the organization is less susceptible to cyber attacks, vulnerabilities can be monitored and customer data is safeguarded?
· Who is it a matter for?
· Not answered yet
· Is the issue a problem or an opportunity?
· In case of problem: possible causes and consequences?
· In case of opportunity: what must be achieved and how will it be realised?
The problem: too little security / You don’t know what you have in the environment. What exactly is needed and what is not needed?
Opportunity = control, achievable Ensuring an environment that is predictable…etc
Objective of assignment: clear, guiding and delineated
· What is the objective (goal)?
The goal of the organization is to be less prone to cyber attacks/intrusions.
To be in control
In short: the customer feels safe with the organization. Data is also safe (including medical data).
· How is the objective achieved?
· Using standards (CIS Controls?)
· Policy management?
· Keeping a server’s operating system patched and updated
· Regularly updating third-party software essential to the operation of the server and removing third-party software that doesn’t conform to established cybersecurity standards
· Using strong and more complex passwords and developing strong password policies for users
· Locking user accounts if a certain number of failed login attempts are registered and removing needless accounts
· Implementing multi-factor authentication
· Using self-encrypting drives or AES encryption to conceal and protect sensitive information
· Using firmware resilience technology, memory encryption, antivirus and firewall protection, and advanced cybersecurity suites specific to your operating system, such as Titanium Linux
Assignment: relevant, precise and defined at the level of the HBO-ICT specialization
· Problem not solved yet?
· Not yet
· Desired result specifically described?
· Complexity level sufficiently high?
· one professional task at level 2
· one professional task at level 3 (within specialization)
Professional product in relation to the ICT professional tasks: clear
· Which professional tasks are in line with the assignment and goals?
Supervisor (study): meets the HBO level criteria
· Minimum HBO level?
· Michael (supervisor/ IT manager) is a university graduate
· Role student in daily work?
· Role student in the graduation assignment?
· Sufficient time and opportunity to work on the assignment during working hours? Concrete agreements with the manager?
· At least two days a week to work on the assignment. This can be extended to three days a week if necessary.
· Plan at least 1 hour a week to discuss the progress of the graduation assignment.
· This can be extended to possibly two hours a week
· The client expects a certain degree of independence
· Space / possibility for independent advice?
· I was hired by the client as an IT consultant. They give me the opportunity to carry out the assignment independently. Where necessary, I get support from colleagues.
1) Continue to pay attention to the importance of choosing harder-to-guess passwords across the organization. Consider banning specific words in the password
2) Change the passwords of the service accounts at least every two months, preferably automatically (gMSA), and assign very long and random passwords.
3) Always run services under the lowest possible privileges (where possible also lower than “local admin”) and never use a domain administrator to run services.
4) Update the HP iLO and Dell DRAC software of the named systems.
5) Require all users (especially users of elevated or shared accounts) to adhere to the password expiration policy. In addition, change passwords of generic accounts as soon as someone leaves the company.
6) Review the write permissions on the shares with special attention to the application directories. Strip all users of their write permissions in places they shouldn’t have.
7) Instruct administrators not to store passwords in human-readable form (and to provide all shares with appropriate authorizations)
8) Evaluate the unconstrained delegation rights granted. Revoke unnecessary permissions and use constrained delegation where possible and necessary.
9) Reduce the malware attack surface by hardening the Office products. The hardening recommendations from CIS or Microsoft provide a good basis for this. These also include the topics listed above.
10) Tighten the hardening measures on Windows systems.
Microsoft activates a number of outdated protocols on recent Windows versions that are often not needed in modern domains, but that do introduce security vulnerabilities. Newer protocols with security improvements are often already present, but can be activated even more fully at ****.
**** advises hardening the domains in accordance with the most current Microsoft hardening options.
On the systems, limit the attack surface by making at least the following adjustments:
· Disable LLMNR;
· Disable Wdigest;
· If possible, enable “Server SPN target name validation level” (required);
· Enable additional LSA protection (“RunAsPPL”=dword:00000001);
· Enable restricted admin mode;
· Disable Windows Script Host;
· Disable NTLM whenever possible
· Activate SMB and LDAP signing;
· Disable net session enumeration (NetCease);
· Mandatory RPC authentication;
· Enable LDAP channel binding (LdapEnforceChannelBinding);
· Block Remote SAM access;
· Set the MachineAccountQuota (MAQ) to 0 so that users cannot add machines of their own to the network for a relay attack;
· Require systems to return NTLMv2 responses (Refuse LM; Send NTLMv2 response only)
· Deprive local users of the right to log in via the network;
· Follow recommendations from Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques_English.pdf;
· Activate Windows Credential Guard.
In addition, consider running a wider base hardening template on each system. Organizations such as NIST or CIS offer good examples.
Note: Since the recommended hardening measures only stop attacks that work in combination with other vulnerabilities, this recommendation has been given a low impact (which affects the priority). However, due to the protective value of the measures in relation to modern domain attacks, implementation of the measures is strongly recommended.
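A read-only check for the registry-backed items in the list under recommendation 10, as an added example that is not part of the original report. Apart from RunAsPPL, the registry locations and expected values are the commonly documented ones and are assumptions here. Domain-level items (MAQ, LDAP channel binding on domain controllers, user rights) are not covered.

```powershell
# Added example: read-only audit, run locally on a Windows server. Nothing is changed.
# Registry locations are the commonly documented ones (an assumption, not taken from
# the report); confirm them against current Microsoft or CIS guidance before use.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT'

# AtLeast = $true: "Want or higher" is compliant. Otherwise an exact match is required.
$baseline = @(
    @{ Setting = 'LLMNR disabled';               Path = "$pol\DNSClient";                       Name = 'EnableMulticast';             Want = 0 }
    @{ Setting = 'WDigest disabled';             Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'; Want = 0 }
    @{ Setting = 'SPN target name validation';   Path = "$svc\LanmanServer\Parameters";         Name = 'SmbServerNameHardeningLevel'; Want = 2 }
    @{ Setting = 'LSA protection (RunAsPPL)';    Path = $lsa;                                   Name = 'RunAsPPL';                    Want = 1 }
    @{ Setting = 'Restricted admin mode';        Path = $lsa;                                   Name = 'DisableRestrictedAdmin';      Want = 0 }
    @{ Setting = 'Windows Script Host disabled'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Name = 'Enabled';    Want = 0 }
    @{ Setting = 'SMB server signing required';  Path = "$svc\LanmanServer\Parameters";         Name = 'RequireSecuritySignature';    Want = 1 }
    @{ Setting = 'SMB client signing required';  Path = "$svc\LanmanWorkstation\Parameters";    Name = 'RequireSecuritySignature';    Want = 1 }
    @{ Setting = 'RPC authentication required';  Path = "$pol\Rpc";                             Name = 'RestrictRemoteClients';       Want = 1; AtLeast = $true }
    @{ Setting = 'NTLMv2 only, refuse LM';       Path = $lsa;                                   Name = 'LmCompatibilityLevel';        Want = 4; AtLeast = $true }
    @{ Setting = 'Credential Guard configured';  Path = $lsa;                                   Name = 'LsaCfgFlags';                 Want = 1; AtLeast = $true }
)

$report = foreach ($c in $baseline) {
    # A missing value means the OS default applies; report it as not set and non-compliant.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok = ($null -ne $actual) -and $(if ($c.AtLeast) { [int]$actual -ge $c.Want } else { [int]$actual -eq $c.Want })
    $shown = if ($null -eq $actual) { '(not set)' } else { $actual }
    [pscustomobject]@{
        Setting   = $c.Setting
        Value     = $c.Name
        Expected  = $c.Want
        Actual    = $shown
        Compliant = $ok
    }
}

# Full table first, then only the deviations that need follow-up.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } | Select-Object Setting, Value, Expected, Actual
```

A configured LsaCfgFlags value only shows that Credential Guard was requested, not that it is running, so the running state still has to be confirmed separately.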