Windows NSA Information Assurance
LOCKLEVEL was a rapidly built prototype that demonstrates a method for scoring how well Windows systems have implemented some of the NSA Information Assurance top 10 mitigation strategies . This prototype is being shared to encourage industry adoption of these ideas into commercial tools. LOCKLEVEL was designed as standalone components that can be deployed using existing systems management tools. These independent components leverage Python/PowerShell code for analysis and PowerShell/C/C++ code for system surveys.
IAD Top 10 Mitigations
LOCKLEVEL implements tests for 7 of the 10 mitigations.
- Application Whitelisting – The LL_AW component implements tests for application whitelisting when implemented with Microsoft’s Software Restriction Policies or AppLocker.
- Control Administrative Privileges – The LL_PtH_And_Credentials component implements tests for auditing high privileged account use across systems.
- Limit Workstation to Workstation Communication – The LL_PtH_And_Credentials component implements tests for testing workstation to workstation communication.
- Use Anti-Virus File Reputation Services – The LL_AV component implements tests for AV software, including file reputation services, when implemented with McAfee Virus Scan Enterprise.
- Enable Anti-Exploitation Features – The LL_AE component implements tests for operating system, hardware, and software anti-exploitation features.
- Implement Host Intrusion Prevent System (HIPS) Rules – The LL_HIPS component implements tests for HIPS software checks when implemented with McAfee HIPS.
- Set a Secure Baseline Configuration – No tests currently implemented.
- Use Web Domain Name System (DNS) Reputation – No tests currently implemented.
- Take Advantage of Software Improvements – The LL_OS, LL_AE, and LL_OSPH components implement tests for ensuring modern OSes are used, modern anti-exploitation features are adopted, and timely OS patching is performed.
- Segregate Networks and Functions – No tests currently implemented.
- GetSystemInfo – Standalone executable that surveys general system information. There is also a PowerShell version.
- LL_AE – Anti-Exploitation components that includes the analyzer (LL_AE.py) and survey component (AntiExploitation.exe)
- LL_AV – Antivirus File Reputation components that includes the analyzer (AVFileReputationAnalyzer.py), penalty file generator (GenerateAVFileReputationPenalties.py), and survey component (GetAVStatus.exe).
- LL_AW – Application Whitelisting components that includes the analyzer (LL_AW_Analyzer.ps1), penalty file generator (New-PenaltyXML.ps1), and survey component (LL_AW_Survey.ps1).
- LL_HIPS – Host Intrusion Prevention System components that includes the analyzer (LL_HIPS_Analyzer.ps1), penalty file generator (New-PenaltyXML.ps1), and survey component (LL_HIPS_Survey.ps1).
- LL_OS – Host Operating System components that includes the analyzer (LL_OS_Analyzer.ps1), penalty file generator (New-PenaltyXML.ps1). LL_OS uses GetSystemInfo as the survey component.
- LL_OSPH – Operating System (Security) Patch Heath components that includes the analyzer (LL_OSPH_Analyzer.ps1), penalty file generator (New-PenaltyXML.ps1), and survey component (LL_OSPH_Survey.ps1).
- LL_PtH_And_Credentials – LOCKLEVEL Pass the Hash scoring components.
- presentation – HTML UI for displaying results generated by scoremaster.
- scoremaster – Component that takes all the results from the analyzers, generates network and host scores, and then creates results used by the presentation component.
- tools – Miscellaneous tools/utilities.
- .cmake files – Files for building the project.