LOCKLEVEL was a rapidly built prototype that demonstrates a method for scoring how well Windows systems have implemented some of the NSA Information Assurance top 10 mitigation strategies. This prototype is being shared to encourage industry adoption of these ideas into commercial tools.
LOCKLEVEL was designed as standalone components that can be deployed using existing systems management tools. These independent components leverage Python/PowerShell code for analysis and PowerShell/C/C++ code for system surveys.
Splunk Assessment of Mitigation Implementations (SAMI) is a production version of LOCKLEVEL that implements similar ideas (SAMI does not implement an equivalent of the OSPH component from LOCKLEVEL) and similar business logic. SAMI leverages specific LOCKLEVEL components, such as anti-exploitation (LL_AE) and anti-virus (LL_AV), by using them in the SAMI Technical Addon.
IAD Top 10 Mitigations
LOCKLEVEL implements tests for 7 of the 10 mitigations.
- Application Whitelisting - The LL_AW component implements tests for application whitelisting when implemented with Microsoft's Software Restriction Policies or AppLocker.
- Control Administrative Privileges - The LL_PtH_And_Credentials component implements tests for auditing high privileged account use across systems.
- Limit Workstation to Workstation Communication - The LL_PtH_And_Credentials component implements tests for testing workstation to workstation communication.
- Use Anti-Virus File Reputation Services - The LL_AV component implements tests for AV software, including file reputation services, when implemented with McAfee Virus Scan Enterprise.
- Enable Anti-Exploitation Features - The LL_AE component implements tests for operating system, hardware, and software anti-exploitation features.
- Implement Host Intrusion Prevent System (HIPS) Rules - The LL_HIPS component implements tests for HIPS software checks when implemented with McAfee HIPS.
- Set a Secure Baseline Configuration - No tests currently implemented.
- Use Web Domain Name System (DNS) Reputation - No tests currently implemented.
- Take Advantage of Software Improvements - The LL_OS, LL_AE, and LL_OSPH components implement tests for ensuring modern OSes are used, modern anti-exploitation features are adopted, and timely OS patching is performed.
- Segregate Networks and Functions - No tests currently implemented.
- GetSystemInfo - Standalone executable that surveys general system information. There is also a PowerShell version.
- LL_AE - Anti-Exploitation components that includes the analyzer (LL_AE.py) and survey component (AntiExploitation.exe)
- LL_AV - Antivirus File Reputation components that includes the analyzer (AVFileReputationAnalyzer.py), penalty file generator (GenerateAVFileReputationPenalties.py), and survey component (GetAVStatus.exe).
- LL_AW - Application Whitelisting components that includes the analyzer (LL_AW_Analyzer.ps1), penalty file generator (New-PenaltyXML.ps1), and survey component (LL_AW_Survey.ps1).
- LL_HIPS - Host Intrusion Prevention System components that includes the analyzer (LL_HIPS_Analyzer.ps1), penalty file generator (New-PenaltyXML.ps1), and survey component (LL_HIPS_Survey.ps1).
- LL_OS - Host Operating System components that includes the analyzer (LL_OS_Analyzer.ps1), penalty file generator (New-PenaltyXML.ps1). LL_OS uses GetSystemInfo as the survey component.
- LL_OSPH - Operating System (Security) Patch Heath components that includes the analyzer (LL_OSPH_Analyzer.ps1), penalty file generator (New-PenaltyXML.ps1), and survey component (LL_OSPH_Survey.ps1).
- LL_PtH_And_Credentials - LOCKLEVEL Pass the Hash scoring components.
- presentation - HTML UI for displaying results generated by scoremaster.
- scoremaster - Component that takes all the results from the analyzers, generates network and host scores, and then creates results used by the presentation component.
- tools - Miscellaneous tools/utilities.
- .cmake files - Files for building the project. See BUILD.
This Work was prepared by a United States Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976.
Copyright and Related Rights in the Work worldwide are waived through the CC0 1.0 Universal license.
Disclaimer of Warranty
This Work is provided "as is". Any express or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this Work, even if advised of the possibility of such damage.
The User of this Work agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including but not limited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage to or destruction of property of User or third parties, infringement or other violations of intellectual property or technical data rights.
Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the United States Government of any particular manufacturer's product or service.
Disclaimer of Endorsement
Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.