Preview Mode Links will not work in preview mode

Aug 20, 2017

This week was one heck of a show. If you are a blueteamer and make use of the "Windows Logging Cheat Sheet", you are no doubt aware of how important it is to log certain events, and to set hostile conditions to make malware/Trojans/virus have a harder time avoiding detection.

What if I told you the same updates we suggested last week to NEVER delay actually undoes all your hardening on your system and leaves your logfiles set to defaults, all file associations for suspect files like pif, bat, scr, bin, are set back to defaults, allow your users to be victims again, even after you've assured them they are safe to update?

After a sequence of tweets from Michael Gough about just this exact thing, we laid out all the information, how and what get reverted that will open you back up to possible infections, as well as how some hardening standards actually make it harder to be secure.

Finally, we discuss the CIS benchmarks, and how many of the settings in them are largely outdated and why they need to be updated.


Direct Download:


Youtube Channel:

#iTunes Store Link: 

#Google Play Store:



Join our #Slack Channel! Sign up at

#iHeartRadio App:


Comments, Questions, Feedback:

Support Brakeing Down Security Podcast on #Patreon:

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM :

#Stitcher Network:

#TuneIn Radio App:




Gough says ‘something is bad about CIS’


CIS benchmarks need revamping -- BrBr

/var, /var/log in separate partitions?

Password to access grub?

Disable root login to serial pty?

Many cloud instances and VMs don’t have serial ports (not in a traditional sense)


What’s the use case for using them? What problem will they solve?


Proper logging?

NTP sources?


So many, dilution possible



STIG (complex as well)



Infosec: how do we get IT past the “that’s good enough”, as many customers and compliance frameworks want to see ‘hardening’ done.

What is a good baseline?

Write your own?


How do we tell them that it’s not going to stop ‘bad guys’ ( or anyone really)? It’s not ‘security’, and it’s technically not even ‘best practices’ anymore (not all of it, anyway)

On windows, they are needlessly complicated and cause more problems

Roles have to be created “backup admin”

Can cause unintended issues


Category            Sub Category                                      7/2008  8.1     2012    Win-7   Win-8.1 WLCS    ThisPC  Notes


Detailed Tracking   Process Termination                       NA      NA      NA      NA      NA      S/F     S

Object Access       File Share                                           NA      NA      NA      NA      NA      S/F     S/F    

Object Access       File System                                         NA      NA      NA      F       NA         S       S/F    

Object Access       Filtering Platform Connection           NA      NA      NA      NA      NA      S       S      

Object Access       Filtering Platform Packet Drop          NA      NA      NA      NA      NA      NA      NA


Log Sizes:


Security - 1 GB

Application – 256MB

System – 256MB

PowerShell/Operational – 512MB – 1 GB v5

Windows PowerShell – 256MB

TaskScheduler – 256MB


Log Process Command Line                                             (5)     (5)     (5)     (5)     (5)     Yes     Yes


PowerShell Logging v5                                                    (5)     (5)     (5)     (5)     (5)     Yes     Yes


TaskScheduler Log                                                          (5)     (5)     (5)     (5)     (5)     (1)     Yes



(5) - CIS Benchmarks, USGCB, and AU ACSC do not cover this critical auditing item