Just Do the Basics to Protect the EndPoint

Over the past few years, as part of my current role, I have had the pleasure of engaging in security conversations with customers.  These discussions have ranged from protecting the identity to securing the endpoint and sensitive data in the enterprise.  What has been consistent in these conversations is that individuals and organizations are chasing the next shiny object to solve their security problem.

Shiny ObjectWhile the latest and greatest security technologies are amazing and should be explored to help protect a company’s assets, the reality is that most enterprises aren’t even doing the basics when it comes to endpoint security.

Jessica Payne

The quote above is good guidance that everyone in enterprise IT Operations and Security should be following.  In most cases, a few tools that are either free or already licensed by most enterprises can improve the security posture overnight once implemented.

Security Tweet

So let’s take a look at the basics the enterprises should be leveraging in their environment.

Implement LAPs yesterday, It’s Been Free Since 2015

Microsoft LAPS (Local Administrator Password Solution) is a free tool from Microsoft that randomizes the local administrator password on workstations which in turn makes it more difficult for attackers to move laterally using the same admin password.

laps

Do Not Turn Off Windows Firewall….Yes, this is still occurring in 2019

Most IT professionals know that the Windows Firewall comes as part of the Windows OS yet some enterprises turn it off because they believe it is impacting applications in their environment.  Instead of turning it completely off take the time to tune it to your needs and help the workstation stay protected.  To better understand how the Windows Firewall works please take a look at Jessica Payne‘s session on “Demystifying the Windows Firewall“.

windows firewall

It’s Not 1990….Turn Off SMB1

SMB (Server Message Block) is a remote file protocol commonly used by Microsoft Windows clients and servers that dates back to 1980’s and heavily used by enterprise applications in 90’s.  However, in the 25-30 years security attacks have become more commonplace such as man-in-the-middle attack which takes advantage of SMB1.  Most recently, SMB1 was used in the Petya outbreak which impacted systems worldwide.

smb

While this protocol is disabled in newer versions of Windows, enterprises are enabling it so that legacy applications can work.  Please work with these vendors to move onto a new version of SMB to minimize the risk to your organization. Ned Pyle with Microsoft maintains a list (link below) of companies that still require SMB1 for their applications.  Highly suggest reviewing this list to see if these applications are in use in your organization.

Get Started on the right foot…with Windows 10 Security Baselines

Historically, enterprises, especially regulated ones, have leveraged STIG (Security Technical Implementation Guide) to deploy a set of recommended security policies on Windows workstations.

stig

Beginning with Windows 10, Microsoft began delivering Security Baselines for each build they deliver twice a year.  These baselines are a set recommended security policies that should be considered/implemented as enterprises deploy Windows 10.

baseline

Windows 10 SmartScreen

Smartscreen is yet another free tool within Windows 10 that helps protect the endpoint by:

SmartScreen determines whether a site is potentially malicious by:

  • Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
  • Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.

SmartScreen determines whether a downloaded app or app installer is potentially malicious by:

  • Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
  • Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn’t on that list, SmartScreen shows a warning, advising caution.

SmartScreen

Leverage Cloud-Based AV…Consider Windows Defender

Given today’s threat landscape enterprises should be leveraging an anti-virus(AV) solution on the endpoint the leverages the cloud for faster analysis versus waiting on traditional definitions to be delivered.

Cloud AV

In addition, as AV solutions become more of a commodity for today’s IT operations companies should consider utilizing Windows Defender solution that comes with Windows 10.  Their solution continues to achieve perfect scores in the industry accepted AV testing scores.

Industry Tests

Windows BitLocker

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.  This native Windows solution does not require an additional agent and makes OS upgrades for the enterprise a whole less complex than using a 3rd party tool.

Let’s Say it 3 Times…Patch, Patch, Patch

Per NIST guidance, and in an ideal world, enterprises would patch vulnerable systems when the updates are released.  However, with most organizations, this poses a challenge as they need to test the impact that the updates will have on their environment.  This issue is that a lot of companies either do not have a formal patching process or pick and choose patches (example below) neither of which are good for the overall security posture.

windows patching

A quick example of a Windows patching for enterprises to consider:

  • Microsoft Patch Tuesday updates are released on the second Tuesday of the month and these are tested on local devices by IT and if no issues then sent out to a group of workstations that are a good sampling in productions that are tested for the next 5-10 business days before rolling out to overall production.
  • The exception to the above is if there’s an out-of-band update or one severe enough that the vendor recommends patching immediately due to the potential impact.

Too Much to Sift Through

Most large organizations have adopted a SIEM to collect event logs but the reality this results in their SOC analysts in drinking from a:

firehouse.png

and then trying to find a “Needle” in a:

haystack

Customers should consider keeping it simple by leveraging “Weffles” (https://aka.ms/weffles) or streamlining the event logs from Windows endpoints to the following:

  • Security Event Logs being cleared (1102)
  • New Local User Created (4720)
  • High-value groups, ie Domain Admins, being changed (4728)
  • Local administrator groups being changed (4732)
  • New Services being installed, particularly on Domain Controllers (4697)
  • Scheduled Task was registered or executed (106/200)
  • Successful Logon (4624)
  • Unsuccessful Logon (4625)
  • Logon was Attempted with Explicit Credentials (4648)

eventlogs

 

 

 

 

 

 

 

 

  • Windows Version:  Pro & Enterprise

AppLocker

AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.  It’s ideal to use AppLocker in the following scenarios:

  • Your organization’s security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
  • An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
  • The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
  • The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone.
  • A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
  • Specific software tools are not allowed within the organization, or only specific users should have access to those tools.
  • A single user or small group of users needs to use a specific app that is denied for all others.
  • Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
  • In addition to other measures, you need to control the access to sensitive data through app usage.
  • Additional AppLocker details:  https://aka.ms/applicationlocker

applocker

Aaron Margosis at Microsoft recently created a solution called “Aaron Locker” that makes it easier for enterprises to implement and maintain AppLocker.  Details on this solution can be found in the following links.

This Will be Living Guide

My hope is to keep this a living guide that will get updates as new recommended best practices or technologies come out about for Windows endpoints.  If there are other items that you feel need to be included or have general comments please let me know.

In addition, there will be a Part 2 to this post called “Up Your Game” so stay tuned for that coming out in the near future.