Free C3 Protect - Getting started with Windows Security and BigFix

Hello!

The free C3 Protect offering has been growing steadily over the last couple of weeks and we now have a breadth of content that covers a great range of security mitigations available in Windows. To learn more about C3 please see the original announcement.

  • AppLocker Management and Audit
  • BitLocker Management and Audit (Including Trusted Platform Module Management)
  • Antivirus Management and Audit
  • Windows Firewall Audit
  • Windows Cached Credential Auditing

C3 currently has alpha content for Windows 10 Virtualization Based Security with Credential Guard and Device Guard – feel free to contact to get early access to this content.

AppLocker Management and Audit

The common elevator pitch for AppLocker these days generally goes something along the lines of, “This is how you stop Cryptolocker.” AppLocker is the native way to manage Application Whitelisting on the Windows platform (assuming you’re licensed for Ultimate or Enterprise). Documentation regarding AppLocker is available here.

C3 Protect provides some fantastic content for managing AppLocker, including the ability to introduce audit rules to survey the landscape in your organization in preparation for Application Whitelisting. In minutes you can deploy AppLocker with a very minimal yet effective policy.

C3 Protect provides:

  • Sane default rules to build your first policies
  • Audit and Enforcement rules to facilitate initial implementation
  • Aggregation of audit information to assist building rules and exceptions
  • Implementation of AppLocker with or without Active Directory, allowing easy management in workgroups or across Active Directory environments
  • Compatibility with AppLocker that is managed with Active Directory (C3 Protect rules merge with AD rules)
  • C3 Protect AppLocker analyses can be used to audit Active Directory pushed rules
  • Analyses to audit enforced rules on endpoints to assist with troubleshooting
  • Ability to disable all local AppLocker rules with a single Fixlet

Take a look at the quick start guide here: https://github.com/strawgate/C3-Protect/wiki/Applocker

BitLocker Management and Audit

BitLocker is the most common Disk Encryption solution for Windows. With a working TPM in the system, BitLocker can quickly provide disk encryption security with zero end-user impact. Additional features like PIN and USB unlock render BitLocker an incredibly secure disk encryption technology for Windows.

C3 Protect provides content for enabling BitLocker on system volumes, auditing BitLocker, and escrowing the recovery key to the BigFix server, allowing the BigFix architecture to provide delegated administration to recovery keys.

C3 Protect provides:

  • Simple process for enabling BitLocker
  • Single Fixlet probe for escrowing the BitLocker recovery key to the BigFix server
  • Analyses for BitLocker configuration
  • Discover other protectors currently configured (PIN, USB, etc.)
  • Decrypt volume

Take a look at the quick start guide here: https://github.com/strawgate/C3-Protect/wiki/Bitlocker

If you run a Dell environment, make sure to check out the Dell BIOS and TPM provisioning and management content available in C3 Inventory.

Antivirus Management and Audit

C3 Protect provides content for auditing all Anti-Virus products through the Windows Security API. In addition C3 Protect provides content for managing Avast for Business (Cloud), Avast’s free enterprise Anti-Virus tool. In addition, as it is a community solution, C3 Protect provides content for auditing and reporting on various third-party Anti-virus tools including McAfee, ClamAV, and ClamSentinel. Support for additional Anti-Virus suites depends on community support.

Windows Firewall Audit

C3 Content provides an analysis called “Firewall - Configuration - Windows”, which provides information on the current Windows Firewall configuration including state, authorized applications, rules, global exceptions and modification permissions.

Windows Cached Credentials Audit

C3 Protect includes content that probes LSASS for the current cached user credentials. It stops short of dumping the passwords, instead just dumping the user names of currently cached users. This allows administrators to know exactly whose credentials may have been compromised by a stolen or infected device.

Take a look at the quick start guide here: https://github.com/strawgate/C3-Protect/wiki/Windows-Credentials

Summary

Thanks for reading this far – to summarize… C3 Protect has a lot of cool stuff and it’s free!

To learn more about C3 please see the original announcement

3 Likes
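As an added illustration of the audit-then-enforce workflow the post describes (this is not C3 Protect content and not part of the original post): AppLocker in audit mode logs event ID 8003 for files that ran but would have been blocked under enforcement, and grouping those events shows which rules or exceptions are still needed. The function name, the reduced event XML and the SIDs and paths below are constructed for the example.

```powershell
# Added example, not C3 Protect content. Summarise AppLocker audit-mode events
# (ID 8003: file was allowed, but would be blocked if the policy were enforced).
function Get-AuditSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ForEach-Object {
        $e = [xml]$_
        # Skip anything that is not an audit event.
        if ($e.Event.System['EventID'].InnerText -ne '8003') { return }
        $d = $e.Event.UserData.RuleAndFileData
        [pscustomobject]@{
            # Fqbn is "publisher\product\binary\version"; unsigned files log "-".
            Publisher = ($d.Fqbn -split '\\')[0]
            FilePath  = $d.FilePath
            User      = $d.TargetUser
        }
    } | Group-Object Publisher, FilePath |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count     = $_.Count
                Publisher = $_.Group[0].Publisher
                FilePath  = $_.Group[0].FilePath
                Users     = @($_.Group.User | Sort-Object -Unique)
            }
        }
}

# Constructed sample events (not real log data), reduced to the fields used above.
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
     '<System><EventID>{0}</EventID></System><UserData><RuleAndFileData>' +
     '<TargetUser>{1}</TargetUser><FilePath>{2}</FilePath><Fqbn>{3}</Fqbn>' +
     '</RuleAndFileData></UserData></Event>'
$sample = @(
    ($t -f 8003, 'S-1-5-21-0-0-0-1001', '%OSDRIVE%\USERS\A\DOWNLOADS\TOOL.EXE', '-'),
    ($t -f 8003, 'S-1-5-21-0-0-0-1002', '%OSDRIVE%\USERS\A\DOWNLOADS\TOOL.EXE', '-'),
    ($t -f 8003, 'S-1-5-21-0-0-0-1001', '%OSDRIVE%\APPS\VENDOR\AGENT.EXE',
        'O=EXAMPLE VENDOR, C=US\AGENT\AGENT.EXE\1.0.0.0'),
    ($t -f 8002, 'S-1-5-21-0-0-0-1001', '%SYSTEM32%\CMD.EXE', '-')  # allowed, ignored
)
Get-AuditSummary -EventXml $sample | Format-Table -AutoSize

# On a live endpoint, feed it the real log instead of $sample:
# $xml = Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
# } | ForEach-Object { $_.ToXml() }
# Get-AuditSummary -EventXml $xml
```

Unsigned files (Publisher `-`) at the top of the list are the candidates for path or hash exceptions; signed ones can usually be covered by a single publisher rule.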

Just wanted to drop a note!

We have added the ability to export AppLocker configurations from running systems into BigFix Fixlets for easy rule creation and management within BigFix :smile:

Learn more about C3 Protect here!

Grab the AppLocker Fixlet Generator and start playing here!

4 Likes

Hi Strawgate,

I am interested in the BitLocker Management, but whenever I try to access one of the BitLocker modules in BigFix.me, I get an error NullReferenceException. Also, the site is very slow.

You can get the C3 code from @strawgate's GitHub account.

1 Like