How to prepare Microsoft Office and Windows for ransomware and email attacks

You've set up your remote workers during this COVID-19 crisis, but have you made the adjustments to be prepared for a cyber disaster like a ransomware attack?

security risk - phishing / malware / social engineering
Thinkstock

The headlines make it clear that we are in unusual times. Working from home will be the new norm for many of us for the near term at least. As IT and security teams work to meet the challenge of supporting and protecting employees working remotely, the last thing they need is a malware infection from an email message.

You’ve probably had to beef up networking and internet pipelines during this time. You should also think what you might need to do should your infrastructure be even further stressed. You’ve enabled remote access, you’ve got everyone working from home that can work from home, but what else can you do?

Phishing and email attacks

During this time the attackers know that we are clicking on and looking for information. Already there are reports of malicious Coronavirus maps that install malware on systems. Review your email defenses even more closely now to make sure you have the basic email security standards in place and properly configured.

Configure your spam filters to discard any email that fails Sender Policy Framework (SPF), which prevents spoofing of legitimate email return addresses. For Office 365, review your Domain Keys Identified Mail (DKIM) settings, which prevents spoofing of the “display from” email address, by starting at Office 365 Security & Compliance. When you sign in as an admin, you'll see the DKIM option on the right side. You may find that you need to enable DKIM.

bradley disaster 1 Susan Bradley

Select DKIM to make sure it's enabled

Click on the DKIM setting to review the domains set up in your Office 365 tenant.

bradley disaster 2 Susan Bradley

DKIM settings

If your Domain Name System (DNS) settings are not in place, you’ll need to add two CNAME settings as noted in this blog post before you can configure DKIM and Domain-Based Message Authentication, Reporting and Conformance (DMARC), which is explained later.

bradley disaster 3 Susan Bradley

DKIM error sample

You will have to go up to your DNS provider and add the settings.  You will need to go to wherever and whomever provides your DNS – and this may be yourself internally or external to a DNS provider for smaller firms.  Once you have the necessary DNS settings in place, you can enable DKIM.

bradley disaster 4 Susan Bradley

DNS settings examples

Now you set up DMARC, which allows you to set up rules for email messages that fail SPF and DKIM. The DMARC Record Assistant website is a good place to get help setting up the needed information for your domain. Once again these settings are up in your DNS manager settings. 

DMARC record for: smallbusinesssusan.com

Record should be published at _dmarc.smallbusinesssusan.com

v=DMARC1; p=none; rua=mailto:support@smallbusinesssusan.com; ruf=mailto:support@smallbusinesssusan.com; fo=0; adkim=r; aspf=r; rf=afrf

bradley disaster 5 Susan Bradley

DMARC settings

In the example above, I’m not yet ready to set up rejection for email in DMARC. All it takes to change your settings is to change a DNS setting. Once you have the needed settings, go to your DNS provider and enter a text record of the needed settings. Consider this as another tool in your arsenal of settings.

Ransomware: The last thing you need now

I’ve seen reports of ransomware impacting some organizations such as hospitals and other organizations that are trying to deal with the needs of remote users. To mitigate that risk, you can pre-stage a Group Policy setting to allow you to shut off all network connections to all servers and workstations as noted in this FireEye document. Be prepared to block the common ports and protocols that should be blocked between workstations and workstations to non-domain controllers and non-file servers. These ports include:

  • SMB (TCP/445, TCP/135, TCP/139)
  • Remote Desktop Protocol (TCP/3389)
  • Windows Remote Management / Remote PowerShell (TCP/80, TCP/5985, TCP/5986)
  • WMI (dynamic port range assigned through DCOM)

Go to:

  • Computer Configuration
  • Policies
  • Windows Settings
  • Security Settings
  • Windows Firewall with Advanced Security

Set a policy for the centralized Windows Firewall setting of “Block all connections”

bradley disaster 6 Susan Bradley

Block all connections on the firewall

If you set this be aware that it will prevent any inbound connections from being established to a system.  If you enforce this setting on servers, you will impact business operations, but this may be necessary if malware is spreading. You’ll want to do this on workstations and laptops to limit the spread of ransomware should the need arise.

The National Motor Freight Traffic Association put together a ransomware resource page, from which you can download its Ransomware Playbook for further advice.   It’s honestly a concern to me right now that we are enabling remote access from possibly unpatched home machines, so make sure you think and plan on ways to suddenly drop groups of computers off the network should ransomware enter your network from one of these weak endpoints.  While we are all scrambling to allow workers to work from anywhere and from anything, don’t overlook the need for the basics: 

  • Educate users to not click on anything they were not expecting.
  • Continue to deploy Security updates after appropriate testing.
  • While setting up remote access, RDP and VPN review permissions and access.

Technology is allowing many employees to work from home. Don’t let that introduce more risk as a side effect.

Copyright © 2020 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.