Setup Idea Stop Lateral Movement on a Home LAN

Last updated
Jul 10, 2023
How it's used?
For home and private use
Operating system
Windows 11
Other operating system
Windows 10
On-device encryption
BitLocker Device Encryption for Windows
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
    • Basic account password (insecure)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Account Control
Always notify
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
Real-time security
n/a
Firewall security
Microsoft Defender Firewall with Advanced Security
About custom security
n/a
Periodic malware scanners
n/a
Malware sample testing
I do not participate in malware testing
Environment for malware testing
n/a
Browser(s) and extensions
n/a
Secure DNS
n/a
Desktop VPN
n/a
Password manager
n/a
File and Photo backup
n/a
System recovery
n/a
Risk factors
    • Browsing to popular websites
    • Browsing the Internet without an ad-blocker
    • Browsing to unknown / untrusted / shady sites
    • Browsing the dark web
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Downloading software and files from reputable sites
    • Downloading software and files from unknown / untrusted / shady sites
    • Sharing and receiving files and torrents
    • Requesting and accepting remote access
    • Gaming
    • Gaming with third-party mods
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
    • Coding and development
    • Downloading malware samples
Computer specs
n/a
Recommended for
  1. All types of users

Victor M

Level 10
Thread author
Verified
Well-known
Oct 3, 2022
468
Do this for ALL of your PCs.

Open Control Panel > Windows Tools > Local Security Policy.

Go to Security Settings > Local Policies > User Right Assignment >
Deny access to this computer from the network: EVERYONE
Deny logon through Remote Desktop Services: EVERYONE

Go to Security Settings > Local Policies > Security Options >
Network access: Do not allow anonymous enumeration of SAM accounts ...(x2): Enabled
Network Security: Restrict NTLM: Incoming NTLM Traffic: Deny all accounts
Network Security: Restrict NTLM: NTLM authentication in this domain: Deny all
Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers: Deny all
Network Security: Minimum session security for NTLM SSP ... (x2) : Require NTLMv2 session security, Require 128bit encryption

Do NOT set up SSH remote access.

Note: This means that none of your PCs intercommunicate. No shared folders either. These settings will stop lateral movement should one of your PCs be compromised. No funny pass-the-hash stuff will work.
 
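As an added example (not part of the post above), this read-only PowerShell audit checks whether the Local Security Policy settings listed in the post are actually in effect on a PC, so you can verify each machine after configuring it. It assumes the registry locations and values noted in the comments correspond to the named policies; run it from an elevated prompt.

```powershell
# Added audit script, not from the thread. Read-only: it changes nothing.
# Assumed mapping of policy names to registry values (see comments per check).
# "Restrict NTLM: NTLM authentication in this domain" is not checked because
# that policy only takes effect on domain controllers.

$everyone = 'S-1-1-0'   # well-known SID of the Everyone group

# 1. User rights: secedit exports each assignment as a comma-separated SID list.
$cfg = Join-Path $env:TEMP 'urights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$matches[1]] = $matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Test-DenyRight($name) {
    $v = $rights[$name]
    [bool]($v -and (($v -split ',' | ForEach-Object { $_.Trim('* ') }) -contains $everyone))
}

# 2. Security Options are stored under the Lsa keys; a missing value counts as FAIL
#    because the policy was then never explicitly set.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
function Test-RegValue($path, $name, $expected) {
    $v = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    ($null -ne $v) -and ($v -eq $expected)
}

# 2 = "Deny all accounts"; 0x20080000 = NTLMv2 session security + 128-bit encryption
$checks = [ordered]@{
  'Deny access to this computer from the network: Everyone'   = Test-DenyRight 'SeDenyNetworkLogonRight'
  'Deny logon through Remote Desktop Services: Everyone'      = Test-DenyRight 'SeDenyRemoteInteractiveLogonRight'
  'Do not allow anonymous enumeration of SAM accounts'        = Test-RegValue $lsa 'RestrictAnonymousSAM' 1
  'Do not allow anonymous enumeration of SAM accounts/shares' = Test-RegValue $lsa 'RestrictAnonymous' 1
  'Restrict NTLM: Incoming NTLM traffic = Deny all accounts'  = Test-RegValue $msv 'RestrictReceivingNTLMTraffic' 2
  'Restrict NTLM: Outgoing NTLM to remote servers = Deny all' = Test-RegValue $msv 'RestrictSendingNTLMTraffic' 2
  'NTLM SSP clients: require NTLMv2 session security, 128-bit' = Test-RegValue $msv 'NtlmMinClientSec' 0x20080000
  'NTLM SSP servers: require NTLMv2 session security, 128-bit' = Test-RegValue $msv 'NtlmMinServerSec' 0x20080000
}

# Print one PASS/FAIL line per setting so a FAIL can be fixed in secpol.msc.
foreach ($c in $checks.GetEnumerator()) {
    '{0,-5} {1}' -f $(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key
}
```

A FAIL on the NTLM session-security lines usually means the policy was left at "Not Defined" rather than set explicitly, which is worth fixing so the setting survives resets.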

cartaphilus

Level 8
Verified
Well-known
Mar 17, 2023
357
Thanks! That will finally take care of those pesky teenagers!!!


Edit: ohhh you meant LAN and not LAWN. Sorry. Freaking text to speech failed me again!


On a serious note: I did that before, I buttoned up my home network like Fort Knox. It took me half a day to do it but I did it. That lasted about a week before realizing that yeap, I can't live without sharing files across the network. I started creating rules to allow specific users etc., but then that defeated the whole purpose of this.
I mean it's a great solution if you live with roommates etc., but as a home environment I realized that I use my NAS way too much. Plus this killed any and all LAN gaming (although honestly it's been years since wife and I LAN gamed .. sigh... miss those days).
 

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
447
Also disallow all unsolicited incoming. Kills network attacks and network exploits. Trust me.

If you have a supported router... flash it with pfSense or similar... make VLANs for everyone with zero routing. You can further harden the network firewall and IPS with a free Snort key and tight firewall rules.
 