Cybersecurity | Florian Stosse

exploit-protection-policy

Wed, 22 May 2024 00:00:00 +0000

Exploit-Protection-policy provides a production-hardened Exploit Protection (EP) policy tailored for Windows 10 and Windows 11 systems. It combines multiple industry-standard security baselines with advanced restrictions to maximize security without breaking compatibility with everyday applications.

This policy has been tested in air-gapped systems to protect endpoints from advanced threat vectors while maintaining productivity.

Merged Security Baselines

DISA STIG Exploit Protection v3.
Microsoft Security Baseline Exploit Protection policy (specifically aligned for enterprise systems).
milgradesec’s custom Exploit Protection rule configurations.

Key Protections Enforced

System-Wide Mitigations: Enforces fundamental protections such as Control Flow Guard (CFG), Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Heap Protection by default.
Advanced Payload Controls: Restricts execution vectors using Export Address Filtering (EAF/EAF+), Import Address Filtering (IAF), and Return-Oriented Programming (ROP) mitigations.
Image & Code Integrity Restrictions: Blocks loading of low-integrity or remote images, preventing malicious library injection.
Application-Specific Tuning: Includes pre-configured exceptions and application rules to balance high-security containment with software compatibility.

sudo-check

Tue, 21 May 2024 00:00:00 +0000

sudo-check is a lightweight security auditing utility designed to analyze Linux /etc/sudoers files and /etc/sudoers.d/ directories. It helps security engineers and system administrators quickly identify misconfigurations, overly permissive rules, and potential privilege escalation pathways.

By scanning for common policy weaknesses, this tool provides actionable insights to tighten system access controls.

Key Auditing Features

Rule Analysis: Identifies NOPASSWD directives and wildcard user specifications that could allow unauthorized root access.
Directive Validation: Verifies the presence of key security directives such as env_reset, secure_path, and use_pty.
Permission Checks: Validates the file permissions and ownership of critical configuration files to prevent unauthorized editing.
Alias Resolution: Parsers user, run-as, and command aliases to audit complex, nested rule structures.

ad-hardening

Mon, 20 May 2024 00:00:00 +0000

ad-hardening is a comprehensive guidebook and reference repository dedicated to securing and hardening Active Directory (AD) environments in air-gapped, isolated networks. While physical isolation eliminates many remote threats, it places a heavier security premium on internal access control, endpoint hygiene, and physical media management.

This project outlines step-by-step guidance, configurations, and templates to establish a resilient security posture inside sensitive, non-internet-connected directory environments.

Core Hardening Pillars

Tiered Administrative Model: Isolating Tier 0 (Domain Controllers/Admins) credentials from Tier 1 (Servers) and Tier 2 (Workstations) to eliminate lateral escalation risks.
Offline Authentication & MFA: Strategies for deploying local, offline-capable multi-factor authentication without internet-based validation services.
Service Account Securing: transitioning legacy service accounts to Group Managed Service Accounts (gMSAs) to enforce automatic password rotation.
Audit & Event Analysis: Configuration templates for offline Windows Event Forwarding (WEF) and local security log auditing.
Removable Media Control: Hardening USB and other removable hardware access policies via Group Policy Objects (GPOs) to combat sneakernet malware propagation vectors.

Security-ADMX

Sun, 19 May 2024 00:00:00 +0000

Security-ADMX is a collection of custom Administrative Templates (.admx and .adml) specifically designed for hardening Windows 10 and Windows 11 workstations. It allows system administrators and security engineers to configure advanced security settings via local or domain Group Policy (GPO) that are otherwise difficult or tedious to manage.

Developed out of the need to streamline security compliance across embedded and workstation deployments, this project packages several security controls into easily manageable policies.

Bonnes pratiques de cybersécurité pour le développement logiciel

Tue, 16 Oct 2018 00:00:00 +0000

Presented at the 21e Congrès de Maîtrise des Risques et Sûreté de Fonctionnement (λµ21) in Reims, France, 16-18 October 2018.

English Title & Summary

Guidelines for secure software development

With the emerging concerns about industrial cybersecurity and the ever-growing importance of software development for innovative fields (IoT, smart factory …), Bureau Veritas and its partner CEA-List have developed state of the art guidelines on best practices applied to secure software development for industrial users.

Cyber security of connected vehicles - Best practices

Mon, 03 Oct 2016 00:00:00 +0000

This document outlines cybersecurity best practices for connected and autonomous vehicles. The guidelines are organized into sections covering governance, automotive ecosystems, development lifecycle security objectives, and operations & maintenance security.

Co-written by Bureau Veritas SA and Devoteam.