How to do remote deployments of Windows systems securely

Windows 10 provides a few options including Autopilot and AppLocker to securely and remotely deploy Windows devices and harden them against attack.

Remote deployment needs to be done securely. Not long ago, the key to a firm’s secure architecture was a server in a locked room. Now secure architecture is virtual and distributed, and it’s becoming more so as firms move to lengthen work-from-home mandates. You need to trust the endpoints and firmware of the computer technology you deploy.  

Secure remote deployment with Autopilot

You can use several methodologies to deploy secure computing resources. With Windows 10, a new deployment tool called Autopilot allows firms to perform several steps to securely deploy machines.

With Autopilot you can:

  • Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join).
  • Auto-enroll devices into mobile device management (MDM) services, such as Microsoft Intune (requires an Azure AD Premium subscription for configuration).
  • Restrict administrator account creation.
  • Create and auto-assign devices to configuration groups based on a device's profile.
  • Customize Windows out-of-box experience content specific to the organization.

Microsoft recently released for public preview the ability to use Windows Autopilot to deploy user-driven Hybrid Azure AD Join over the internet using a VPN. Deploying this solution requires the following: 

  • A supported version of Windows 10:
    • Windows 10 1903 + December 10th Cumulative update (KB4530684, OS build 18362.535) or higher
    • Windows 10 1909 + December 10th Cumulative update (KB4530684, OS build 18363.535) or higher
    • Windows 10 2004 or later
  • The new “Skip domain connectivity check” option enabled in the Hybrid Azure AD Join Autopilot profile.
  • A VPN configuration that can be deployed via Intune that enables the user to manually establish a VPN connection from the Windows logon screen, or one that automatically establishes a VPN connection as needed.
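
The OS-build prerequisite in the list above can be checked before a device is assigned the profile. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling; the function names and the inventory rows are hypothetical, and 19041 is the build number of Windows 10 2004, which the article does not state.

```powershell
# Added example, not from the original article.
# Minimum update build revision (UBR) per OS build, taken from the list above.
# 19041 is the build number of Windows 10 2004 (not stated in the article).
function Test-AutopilotVpnJoinBuild {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr
    )
    switch ($Build) {
        18362   { return ($Ubr -ge 535) }      # 1903 + KB4530684
        18363   { return ($Ubr -ge 535) }      # 1909 + KB4530684
        default { return ($Build -ge 19041) }  # 2004 or later; older builds fail
    }
}

# Reads the build and UBR of the machine the script runs on.
function Get-LocalOsBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Device = $env:COMPUTERNAME
        Build  = [int]$cv.CurrentBuildNumber
        Ubr    = [int]$cv.UBR
    }
}

# Constructed inventory rows (hypothetical device names) covering each case.
$inventory = @(
    [pscustomobject]@{ Device = 'LT-0001'; Build = 18362; Ubr = 418 }   # 1903, missing the update
    [pscustomobject]@{ Device = 'LT-0002'; Build = 18363; Ubr = 535 }   # 1909 at the minimum
    [pscustomobject]@{ Device = 'LT-0003'; Build = 17763; Ubr = 1339 }  # 1809, too old
    [pscustomobject]@{ Device = 'LT-0004'; Build = 19041; Ubr = 264 }   # 2004
)

# On a Windows host, add the local machine to the report.
if ($env:OS -eq 'Windows_NT') { $inventory += Get-LocalOsBuild }

$inventory | Select-Object Device, Build, Ubr,
    @{ Name = 'Supported'; Expression = { Test-AutopilotVpnJoinBuild -Build $_.Build -Ubr $_.Ubr } }
```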

You can do an Autopilot deployment remotely without physical access to a machine. Alternatively, you can work with vendors that supply machines that are ready to be configured remotely. You can purchase Autopilot-ready machines and have them shipped to your employees. They just need an Azure AD Premium (P1 or P2) subscription, Microsoft Intune, VMware Workspace ONE, or another Autopilot-compatible MDM solution, and a connection to the internet to access the appropriate Microsoft Azure AD infrastructure.

Use software restrictions and AppLocker

Even if you have previously deployed machines, you can still remotely lock them down. One recommended method is to use software restriction policies and AppLocker. In the Windows 10 era, AppLocker requires Windows 10 Enterprise or Education, so it might not be feasible for all organizations. You can, however, use the AppLocker CSP to configure AppLocker policies on any Windows 10 edition supported by MDM. Managing AppLocker with Group Policy is possible only on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016.

The goal of AppLocker is to provide an additional layer in a defense-in-depth strategy. The NSA has provided guidance to prevent users from unknowingly or accidentally executing malicious code or unauthorized software. Using AppLocker for application whitelisting enforcement will not stop all malicious software. The NSA provides additional AppLocker guidance on its GitHub page. Alternatively, you can review the customized AppLocker guidance called AaronLocker on GitHub.
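
Once an AppLocker policy has been pushed by Group Policy or the CSP, it is worth confirming that each rule collection is actually enforced rather than audit-only or unconfigured. The following PowerShell is an added example, not code from the article, the NSA guidance or AaronLocker; the function name and the sample policy XML (rule names, IDs, paths) are constructed for illustration.

```powershell
# Added example, not from the original article.
# Summarises the enforcement mode of every rule collection in an AppLocker
# policy exported as XML. On a managed device the input can come from:
#   Get-AppLockerPolicy -Effective -Xml
function Get-AppLockerEnforcementSummary {
    param([Parameter(Mandatory)][string]$PolicyXml)

    $doc = [xml]$PolicyXml
    foreach ($rc in $doc.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $mode  = $rc.GetAttribute('EnforcementMode')
        $rules = $rc.SelectNodes('*').Count   # rule elements in this collection
        [pscustomobject]@{
            Collection = $rc.GetAttribute('Type')
            Mode       = $mode
            Rules      = $rules
            # Blocking happens only when the mode is Enabled and rules exist.
            Enforced   = ($mode -eq 'Enabled' -and $rules -gt 0)
        }
    }
}

# Constructed sample policy: Exe is enforced, Msi only audits, Script is unset.
$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Installer cache"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\Installer\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

$summary = Get-AppLockerEnforcementSummary -PolicyXml $samplePolicy
$summary | Format-Table -AutoSize

# Collections that will not block anything and need follow-up.
$summary | Where-Object { -not $_.Enforced } | Select-Object Collection, Mode
```

Enforcement also depends on the Application Identity service (AppIDSvc) running on the device, which this check does not cover.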

If your organization uses Windows 10 Professional rather than Enterprise or Education, third-party solutions such as PolicyPak allow you to send out restrictions to machines that are either domain joined or connected via Intune.  

Windows 10 workstation hardening guidance

The Australian Cyber Security Centre recently released its workstation hardening guide for Windows 10 1909, including recommendations for application hardening. For example, with Office 2013 and Office 2016/2019/Office 365, it recommends group policy settings to block Office macros and to block Office from calling Flash, among other advice. The hardening guide goes beyond operating system hardening to recommend multi-factor authentication (MFA) for users as they perform a privileged action or access any important or sensitive data repositories. Anytime you add MFA, it moves you out of the category of low-hanging fruit and makes it harder for attackers.

Recently, more vulnerabilities have been coming through hardware. These firmware and Unified Extensible Firmware Interface (UEFI) vulnerabilities need additional mitigation and patching. You can review the resources provided by the NSA.

Firmware updates are often not provided through Microsoft Update. Instead, you must rely on a vendor’s application to monitor for and install firmware updates, so standardizing on a hardware configuration is wise. Even though it may impact performance, consider disabling hyper-threading on systems that handle sensitive information. If you have not deployed application whitelisting, you may want to disable hyper-threading as well. Finally, if you have Intel systems that are 9th generation or older, you need to consider disabling hyper-threading.

Just recently, a new GRUB2 vulnerability called BootHole was found and disclosed. If you work in an industry that handles sensitive data, take the time to review how to keep your firmware up to date. Keeping these systems up to date is key to protecting this data.

As you move to a permanent distributed workforce, review what tools you have and what options you have to control, patch and confirm deployment. You may need more tools and options in your security toolkit going forward.

Copyright © 2020 IDG Communications, Inc.
