The 4 pillars of Windows network security

Microsoft's CISO breaks down which four key areas to focus on to secure Windows networks: passwordless identity management, patch management, device control and benchmarks.

Prior to Microsoft’s Ignite conference I was able to talk with the company’s CISO, Bret Arsenault, about the key things we should all be doing to keep Windows networks secure. He describes four pillars of security: passwordless identity management, patch management, device control and security benchmarks.

1. Passwordless identity management

Arsenault’s recommendations start with using multi-factor authentication (MFA) and moving to passwordless identity management. According to the 2020 Verizon Data Breach Investigations Report, over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. That is a key reason Microsoft emphasizes getting rid of ordinary passwords in favor of passwordless techniques: a passwordless method replaces the shared secret with a private key bound to a device or token and unlocked locally with a PIN or biometric, so there is no password to phish, reuse or replay.

You have three main passwordless options for Windows deployments. The first is Windows Hello for Business, which unlocks a device-bound key (protected by the TPM where one is available) with a PIN or a biometric gesture such as a fingerprint or face. To support Windows Hello for Business in a cloud-only deployment you need Windows 10 version 1511 or later, a Microsoft Azure account, Azure Active Directory (Azure AD), Azure Multi-Factor Authentication and modern management (Intune or a supported third-party MDM). Optionally, an Azure AD Premium subscription enables automatic MDM enrollment when a device joins Azure AD. For hybrid deployments, you need Windows 10 version 1511 or later and devices that are hybrid Azure AD joined or Azure AD joined.
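Before rolling Windows Hello for Business out, it helps to confirm which of the two supported topologies a machine is actually in and whether a Hello key has been provisioned. The following PowerShell is an added example, not code from the article or from Microsoft: it parses the output of `dsregcmd /status` and reports the join type, TPM protection and Hello enrollment state. The field names (AzureAdJoined, DomainJoined, TpmProtected, NgcSet, PreReqResult) are the ones dsregcmd prints; the sample output embedded below is constructed so the script can be exercised offline. Set `$useLiveOutput` to `$true` and run it as the signed-in user to read a real device (the User State section is only populated in a user session, not from an elevated SYSTEM context).

```powershell
# Added example (not from the article): classify a device's Windows Hello for
# Business readiness from `dsregcmd /status` output.

function ConvertFrom-DsRegStatus {
    # Turns "   AzureAdJoined : YES" style lines into a name -> value table.
    # Header rows ("+----", "| Device State |") contain no colon and are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-HelloReadiness {
    param([Parameter(Mandatory)][hashtable]$State)
    $aad    = $State['AzureAdJoined'] -eq 'YES'
    $domain = $State['DomainJoined']  -eq 'YES'
    if ($aad -and $domain) { $join = 'Hybrid Azure AD joined' }
    elseif ($aad)          { $join = 'Azure AD joined (cloud-only)' }
    elseif ($domain)       { $join = 'Domain joined only (no Azure AD identity)' }
    else                   { $join = 'Not joined' }
    [pscustomobject]@{
        JoinType         = $join
        SupportedForWHfB = $aad                               # both supported topologies need Azure AD
        TpmBackedKeys    = ($State['TpmProtected'] -eq 'YES') # Hello private key is held by the TPM
        HelloProvisioned = ($State['NgcSet'] -eq 'YES')       # NGC = Next Generation Credential (Hello)
        PrereqResult     = $State['PreReqResult']             # WillProvision / WillNotProvision
    }
}

$useLiveOutput = $false   # $true: read the real device instead of the constructed sample
if ($useLiveOutput) {
    $raw = dsregcmd /status
} else {
    # Constructed sample: a hybrid-joined PC whose user has not yet enrolled in Hello.
    $raw = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
              TpmProtected : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
              PreReqResult : WillNotProvision
'@ -split "`r?`n"
}

Get-HelloReadiness -State (ConvertFrom-DsRegStatus -Lines $raw) | Format-List
```

On the sample the script reports a hybrid-joined, TPM-protected device that is eligible for Hello but not yet provisioned, which is the state you will see on a fleet before the policy reaches users; a `PreReqResult` of `WillNotProvision` on a machine that should be enrolling is the cue to read the individual prerequisite lines dsregcmd prints above it.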

The next option, and the one I use, is the Microsoft Authenticator app. (Google Authenticator also works for two-step verification, but passwordless sign-in requires Microsoft Authenticator.) This may be a viable option if your applications support the Authenticator app and your users can use the same platform for multiple cloud applications. As Microsoft’s documentation notes, the technology is similar to Windows Hello: the phone holds the private key, and at sign-in the user approves a push notification by selecting the number shown on the sign-in screen. To deploy it you need Azure Multi-Factor Authentication with push notifications allowed as a verification method, and the latest version of Microsoft Authenticator installed on devices running iOS 8.0 or later or Android 6.0 or later.

Finally, you can go passwordless with FIDO2 security keys. Azure AD requires a key such as a YubiKey that supports resident (discoverable) keys, a client PIN, the hmac-secret extension and multiple accounts per relying party (RP); a key that lacks any of these will not work for Azure AD sign-in.

2. Patch management

The next key element Arsenault pointed to is having a process for patch management. His recommendation is not to delay: patch, patch, patch! He also advises having a system for keeping all software used by employees up to date, not just the operating system.

Businesses often do not patch immediately. Instead they test first and roll out the update only if no problems surface during testing. Microsoft needs to rebuild enterprise trust in the quality of its updates. In June, a side effect introduced by KB4557957 caused printers using PCL 5 drivers to stop printing. Many enterprises held back the June updates until they found a workaround or received a fix from Microsoft. Most firms do ultimately patch, but clearly not as quickly as Arsenault or Microsoft would like.
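A "test first, then deploy" process still needs to know what is pending and what is deliberately held. The following PowerShell is an added example, not code from the article or from Microsoft: it queries the Windows Update Agent COM API for updates that are not yet installed, checks whether a specific KB is already present with `Get-HotFix`, and splits the pending list into updates cleared for installation and updates still in the test ring. The hold list is an assumption for illustration; KB4557957 is used only because the article names it. The search needs reachability to Windows Update or your WSUS server and can take a minute or two.

```powershell
# Added example (not from the article): pending-update inventory with a test-ring hold list.

function Get-PendingUpdates {
    # Pending = not installed and not hidden, as reported by the Windows Update Agent.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
            Severity = $u.MsrcSeverity            # Critical / Important / Moderate / Low, or empty
            Released = $u.LastDeploymentChangeTime
        }
    }
}

function Split-ByHoldList {
    # Separates updates whose KB is on the hold list from the rest.
    param(
        [object[]]$Updates = @(),
        [string[]]$Hold    = @()
    )
    $held = New-Object System.Collections.Generic.List[object]
    $go   = New-Object System.Collections.Generic.List[object]
    foreach ($u in $Updates) {
        $kbs = $u.KB -split ','
        if ($kbs | Where-Object { $Hold -contains $_ }) { $held.Add($u) } else { $go.Add($u) }
    }
    [pscustomobject]@{ ReadyToInstall = $go; HeldForTesting = $held }
}

# Is the June 2020 update the article mentions already installed on this machine?
$installed = Get-HotFix -Id KB4557957 -ErrorAction SilentlyContinue
"KB4557957 installed: $([bool]$installed)"

# Assumed hold list: KBs your change board has not yet cleared. Replace with your own.
$holdList = @('KB4557957')

$split = Split-ByHoldList -Updates @(Get-PendingUpdates) -Hold $holdList
'--- Ready to install ---'
$split.ReadyToInstall | Format-Table KB, Severity, Released, Title -AutoSize
'--- Held for testing ---'
$split.HeldForTesting | Format-Table KB, Severity, Released, Title -AutoSize
```

Run against a WSUS-managed machine the pending list reflects only what WSUS has approved, so an empty "ready" list can mean the approval step is the bottleneck rather than the endpoint; comparing `Released` with today's date gives a rough measure of how long the test window has been running.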

Microsoft has several sessions at Ignite on best practices for rolling out updates. These include:

Microsoft also has videos addressing issues raised in customer feedback and Insider Hub feedback. These videos include:

3. Device control

Arsenault urges security admins to get a handle on device control: ensure that every device connecting to your network, including company-owned, personal and edge devices such as printers and phone systems, is identified, patched and secured. If you have Microsoft 365, use Intune to identify and manage the devices that connect to your resources. Because of the pandemic, people are using more consumer devices to reach company resources. Intune can manage iOS/iPadOS, Android, Windows and macOS devices.
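Identifying devices is only useful if someone acts on the inventory. The following PowerShell is an added example, not code from the article or from Microsoft: it triages an Intune managed-device export and flags devices that are non-compliant, personally owned, silent for longer than a staleness threshold, or running a Windows build below a baseline. The objects use the property names of the Microsoft Graph `managedDevice` resource (`GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices`), but the three records below are constructed sample data, and the staleness window and baseline build are assumptions to tune for your environment.

```powershell
# Added example (not from the article): triage an Intune device inventory.

# Constructed sample shaped like the Graph managedDevices "value" array. Not real devices.
$devices = @'
[
  {"deviceName":"LAPTOP-FIN-01","operatingSystem":"Windows","osVersion":"10.0.19041.508",
   "complianceState":"compliant","managedDeviceOwnerType":"company","lastSyncDateTime":"2020-09-21T08:12:00Z"},
  {"deviceName":"iPhone-Sales","operatingSystem":"iOS","osVersion":"13.6",
   "complianceState":"noncompliant","managedDeviceOwnerType":"personal","lastSyncDateTime":"2020-09-20T17:40:00Z"},
  {"deviceName":"DESKTOP-LAB-7","operatingSystem":"Windows","osVersion":"10.0.18362.1016",
   "complianceState":"compliant","managedDeviceOwnerType":"company","lastSyncDateTime":"2020-08-01T09:00:00Z"}
]
'@ | ConvertFrom-Json

function Get-DeviceFindings {
    param(
        [object[]]$Devices = @(),
        [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow,
        [int]$StaleAfterDays  = 14,      # assumed: silent this long = unknown state
        [int]$MinWindowsBuild = 19041    # assumed baseline: Windows 10 version 2004
    )
    foreach ($d in $Devices) {
        $reasons    = @()
        $lastSync   = [DateTimeOffset]::Parse($d.lastSyncDateTime)
        $silentDays = [int]($Now - $lastSync).TotalDays

        if ($d.complianceState -ne 'compliant')       { $reasons += "complianceState=$($d.complianceState)" }
        if ($d.managedDeviceOwnerType -eq 'personal') { $reasons += 'personally owned (BYOD)' }
        if ($silentDays -gt $StaleAfterDays)          { $reasons += "no check-in for $silentDays days" }
        if ($d.operatingSystem -eq 'Windows') {
            $build = ([version]$d.osVersion).Build
            if ($build -lt $MinWindowsBuild) { $reasons += "Windows build $build below baseline $MinWindowsBuild" }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Device  = $d.deviceName
                OS      = "$($d.operatingSystem) $($d.osVersion)"
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Fixed "now" so the constructed sample gives repeatable results; drop -Now for live data.
Get-DeviceFindings -Devices $devices -Now ([DateTimeOffset]::Parse('2020-09-22T00:00:00Z')) |
    Format-Table -AutoSize
```

On the sample, LAPTOP-FIN-01 produces no finding, the iPhone is flagged as non-compliant and personally owned, and DESKTOP-LAB-7 is flagged both for 51 days of silence and for a 1903-era build. Feed the function the `value` array from a Graph call (or an Intune CSV export converted to the same property names) and the same logic runs over the real fleet.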

For enterprises, managing printers is still a work in progress. Business needs often dictate particular types of network printer, and those devices talk to the internet, have hard drives and run software. Their firmware has to be updated to stay secure, and that process is often less streamlined than patching an operating system. With the move to working from home there is less need for network printers and more for PDF management, but in certain industries printers remain essential.

I’d add one more element to Arsenault's device control advice: ensure that your consultants also use secure, up-to-date tools when they connect remotely to assist your firm. Too many ransomware attacks this year have started with an attacker gaining access to a business through its consultants. The attackers often don’t harm just one business, but every business under the guidance of the compromised managed service provider. Review their security posture as well.

4. Security benchmarks

Reviewing benchmarks tells you how well your security practices compare with your peers, Arsenault advises. Microsoft 365 includes Microsoft Secure Score. You can also use the Center for Internet Security (CIS) benchmark documents to check your settings. Then review the Microsoft 365 security center periodically for changes and revise your Microsoft 365 settings accordingly.
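Secure Score covers the tenant; CIS benchmarks go down to individual endpoint settings, and the quickest way to see how far a machine is from the benchmark is to read the registry values the benchmark prescribes. The following PowerShell is an added example, not code from the article, Microsoft or CIS: it checks a handful of hardening settings that appear in the CIS Windows 10 benchmarks against the local registry. The registry paths and expected values are the standard ones; the benchmark item numbers are deliberately omitted, so map each check to the ID in the benchmark version you audit against.

```powershell
# Added example (not from the article): spot-check CIS-style hardening settings locally.

$checks = @(
    @{ Name   = 'WDigest cleartext credential caching disabled'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value  = 'UseLogonCredential'; Expect = 0 },
    @{ Name   = 'LSASS runs as a protected process (RunAsPPL)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value  = 'RunAsPPL'; Expect = 1 },
    @{ Name   = 'Anonymous SAM account and share enumeration restricted'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value  = 'RestrictAnonymous'; Expect = 1 },
    @{ Name   = 'LLMNR (multicast name resolution) disabled'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value  = 'EnableMulticast'; Expect = 0 },
    @{ Name   = 'SMBv1 server disabled'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value  = 'SMB1'; Expect = 0 },
    @{ Name   = 'AutoRun disabled for all drive types'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value  = 'NoDriveTypeAutoRun'; Expect = 255 },
    @{ Name   = 'User Account Control enabled (EnableLUA)'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value  = 'EnableLUA'; Expect = 1 }
)

function Test-HardeningSetting {
    # Reads one registry value and compares it with the benchmark expectation.
    param([Parameter(Mandatory)][hashtable]$Check)
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop).($Check.Value)
    } catch { }   # key or value absent: report MISSING rather than aborting the run

    if ($null -eq $actual)                 { $status = 'MISSING' }
    elseif ([int]$actual -eq $Check.Expect) { $status = 'PASS' }
    else                                    { $status = 'FAIL' }

    [pscustomobject]@{
        Status   = $status
        Setting  = $Check.Name
        Expected = $Check.Expect
        Actual   = $actual
        Key      = "$($Check.Path)\$($Check.Value)"
    }
}

$results = $checks | ForEach-Object { Test-HardeningSetting -Check $_ }
$results | Sort-Object Status | Format-Table Status, Setting, Expected, Actual -AutoSize
'{0}/{1} checks pass' -f @($results | Where-Object Status -eq 'PASS').Count, $results.Count
```

Treat MISSING as "the OS default applies" and look that default up per setting rather than reading it as a pass or a fail: an absent `UseLogonCredential` on Windows 10 means WDigest caching is already off, while an absent `RunAsPPL` means LSA protection is not enabled. Settings delivered by Group Policy land under the `Policies` keys shown above, so a machine that looks MISSING here may still be configured by a domain policy that has not yet applied.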

Keeping up with the changes means keeping track of the products, the product roadmap, and, often, product name changes. For example, the following product name changes were announced at Ignite:

The intent of the new names is to define more clearly what each product does. Bookmark each landing site and review it. If you don’t currently have access to the features, sign up for a trial (preferably Microsoft 365 E5, which brings all the pieces together) to see Microsoft’s unified security vision.

Keeping up with Microsoft’s changes can be daunting. Often the best way to follow Microsoft is to pay close attention to its major conferences. With the pandemic, Microsoft (and many other vendors) have pivoted to online venues and made their conferences free or low cost.

Technology is changing rapidly. These four pillars are the foundation of good business security: passwordless identity management, patch management, device control and comparing yourself to benchmarks. As always, stay safe and stay secure.

Copyright © 2020 IDG Communications, Inc.
