sbradley
Contributing Writer

How to take better control of applications running on your network

How-To
Nov 11, 2020 · 5 mins
Network Security, Security, Windows Security

Unneeded or forgotten software on your Windows network could be a gateway for attackers into your system. Follow this advice to identify and restrict problem programs.

Credit: metamorworks / Getty Images

Can you control the workstations in your network to only run the applications you want them to run? Do you know if their applications are being accessed appropriately? Are you doing everything you can to limit intrusions via illicit consent? Are you monitoring what sensitive information is in your office and should be protected?

If you answered “no” to any of these questions, take the time to review your policies and applications to see if you can better control your network.

Windows 10 S set the stage for restricting applications

A few years ago Microsoft developed a new platform called Windows 10 S that had the potential to simplify application whitelisting. Created as an alternative to Chromebooks, the platform’s concept was to allow only vetted applications to be installed. You might have seen advice online against using Windows 10 S mode and to switch out of it, but that advice does not reflect the vision of Windows 10 S mode: It’s a platform to begin making application restrictions the norm rather than the exception.

When Windows Vista introduced User Account Control (UAC), the setting was derided as too aggressive, and many IT administrators disabled it to get their applications to work. The setting was not designed to annoy IT administrators. It was a step toward getting application vendors to stop demanding administrator rights for software that did not need them.

Windows 10 S mode is a similar step, but this journey will be much longer and is likely to take a few twists and turns along the way. The platform is deliberately more limited. Like iOS, it allows applications to be installed only from the Microsoft Store, after they have been through Microsoft’s vetting process, and it accepts only Microsoft or domain accounts for sign-in.

The journey has already been bumpy. Microsoft has announced that Windows 10 S as a separate edition is being phased out and vendors will no longer ship units with it. Instead, vendors can ship Windows 10 in “S mode”. You can switch a machine out of S mode, but you cannot move it back into that restricted configuration.

Most users found Windows 10 S too restrictive, but the concept behind it is sound: install only the applications you actually need. You can apply the same idea to a normal Windows 10 fleet by using Intune to deploy AppLocker policies that specify which applications are allowed to run in your network.

Unused software an entry point for attackers

Security blogger John Opdenakker recently warned that software left behind on a computer exposes the system to attack. In any network and in any computer setting, he recommends taking these steps:

Review your computer and your network for user accounts you no longer use. Check the last logon time for all accounts and confirm that each one is still active and actually being used. There are many ways to obtain this information, but one of the most reliable is PowerShell. If an account hasn’t logged on recently, it’s time to disable it and then remove it from your network.
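The stale-account review above, as an added PowerShell example (not from the article or from John Opdenakker). It assumes an Active Directory domain with the RSAT ActiveDirectory module installed, and a 90-day cut-off, which is an assumption you should replace with your own policy:

```powershell
# Added example: find enabled domain accounts that have not logged on in 90 days
# and preview disabling them. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$Threshold = (Get-Date).AddDays(-90)   # assumed cut-off; set to your own policy

# LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag
# real logons by up to ~14 days, so a 90-day window is safe but a 7-day window is not.
# Enabled accounts that have never logged on have no LastLogonDate at all; treat those
# as stale once they are older than the threshold instead of silently skipping them.
$Stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated |
    Where-Object {
        if ($null -eq $_.LastLogonDate) { $_.whenCreated -lt $Threshold }
        else                            { $_.LastLogonDate -lt $Threshold }
    } |
    Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName

$Stale | Sort-Object LastLogonDate | Format-Table -AutoSize
$Stale | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation

# Disable rather than delete on the first pass: disabling keeps the SID and group
# memberships intact if the account turns out to be needed. Drop -WhatIf to apply.
$Stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly gives a quicker version of the same list, but it relies on LastLogonDate alone and will miss never-used accounts. Run the same check for computer accounts (Get-ADComputer or -ComputersOnly), since forgotten machines are forgotten software.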

Review your computer and network for software you no longer use, especially if your firm is in a targeted industry. Unmonitored software is usually unpatched software, and unpatched software is an entry point. You can see what is installed by using your patching tool’s inventory or by running PowerShell scripts that enumerate installed software.
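A software inventory in PowerShell, as an added example rather than code from the article. It reads the Uninstall registry keys (both the 64-bit and 32-bit views) instead of querying Win32_Product, which is slow and triggers a consistency check of every MSI package on the machine. The allowlist at the end is a constructed illustration:

```powershell
# Added example: inventory machine-wide installed software from the Uninstall keys
# and flag anything not on an approved list.
function Get-InstalledSoftware {
    # Both registry views: native 64-bit apps and 32-bit apps under WOW6432Node.
    $UninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        # Skip entries with no name and hidden system components (SystemComponent = 1).
        Where-Object { $_.DisplayName -and $_.SystemComponent -ne 1 } |
        Select-Object DisplayName, DisplayVersion, Publisher,
            @{ Name = 'InstallDate'; Expression = {
                # InstallDate is a yyyyMMdd string when present, often missing entirely.
                if ($_.InstallDate -match '^\d{8}$') {
                    [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
                }
            } } |
        Sort-Object DisplayName
}

$Installed = Get-InstalledSoftware
$Installed | Export-Csv -Path ".\software-$env:COMPUTERNAME.csv" -NoTypeInformation

# Constructed allowlist for illustration; use wildcards for families you trust.
# Anything that falls through needs an owner, a patch source, or removal.
$Approved = @('Microsoft *', 'Google Chrome', '7-Zip*')
$Installed | Where-Object {
    $name = $_.DisplayName
    -not ($Approved | Where-Object { $name -like $_ })
} | Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize
```

Because the function is self-contained, it can be run against remote machines with Invoke-Command -ComputerName PC01 -ScriptBlock ${function:Get-InstalledSoftware} (assuming WinRM is enabled). Per-user installs under HKCU and Store apps are not covered by these keys; Get-AppxPackage -AllUsers covers the latter.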

Review the applications installed on your mobile devices. After each major software release in particular, review which devices you still wish to support in your network. Users are often happy with older phones and don’t realize that keeping them blocks the adoption of newer security features. For example, when my office rolled out two-factor authentication, we had to upgrade several iPhones because they would not support the Microsoft Authenticator application. I have had out-of-date software on my iPhone that I didn’t realize was installed, and Android carries the same risks. These mobile devices are also the tools you use for third-party authentication, so review them for applications that should no longer be installed.

Review your installed applications and cloud services that have been granted access to other applications. In Office/Microsoft 365, make sure user consent to third-party applications is restricted and that administrator approval is required before an app is granted permissions. Consent phishing attacks, in which a user is tricked into approving a malicious app’s permission request, have increased during the pandemic. Because the grant produces an OAuth token, it gives the attacker access to the victim’s mail, forwarding rules, files, contacts, notes, profile and other sensitive data without ever needing the password, and it survives a password reset until the grant itself is revoked. Audit for illicit consent grants by performing the following steps:

  • Open the Security and Compliance Center.
  • Navigate to “Search” and select “Audit log search”.
  • Search (all activities and all users) and enter the start and end dates if required and then select “Search”.
  • Click “Filter results” and enter “consent to application” in the “Activity” field.
  • Click a result, then click “More Information” to see the details of the activity. Check whether IsAdminConsent is set to “True”; grants with the value “False” were approved by an end user and deserve a closer look.
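The same audit log search done from Exchange Online PowerShell, as an added example that is not part of the article. It assumes the ExchangeOnlineManagement module and an account with audit log search rights; the ModifiedProperties names used below (ConsentContext.IsAdminConsent, ConsentAction.Permissions) and the ObjectId field are what these records have carried in my experience, but verify them against one of your own events before relying on the filter:

```powershell
# Added example: list "Consent to application" events and flag user-approved grants.
# Requires: Install-Module ExchangeOnlineManagement; Audit Logs role in Exchange Online.
Connect-ExchangeOnline

$Start = (Get-Date).AddDays(-90)   # assumed look-back window
$End   = Get-Date

# 5000 is the per-call maximum; page with -SessionCommand ReturnLargeSet if you need more.
$Events = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -Operations 'Consent to application' -ResultSize 5000

$Report = foreach ($e in $Events) {
    $d = $e.AuditData | ConvertFrom-Json          # AuditData is a JSON string
    # Flatten the Name/NewValue pairs so the fields can be looked up by name.
    $props = @{}
    foreach ($p in $d.ModifiedProperties) { $props[$p.Name] = $p.NewValue }
    [pscustomobject]@{
        When         = $e.CreationDate
        GrantedBy    = $d.UserId
        ObjectId     = $d.ObjectId                         # app's service principal (assumed field)
        AdminConsent = $props['ConsentContext.IsAdminConsent']   # assumed property name
        Permissions  = $props['ConsentAction.Permissions']       # assumed property name
    }
}

# Admin-approved grants went through review; user-granted ones are the consent-phishing risk.
$Report | Where-Object { $_.AdminConsent -ne 'True' } |
    Sort-Object When | Format-Table -AutoSize
$Report | Export-Csv -Path .\consent-grants.csv -NoTypeInformation
```

Note that the audit log only shows grants made inside the search window; to see every permission currently held by third-party apps, enumerate the existing OAuth2 permission grants in Azure AD as well, and revoke the grant (not just the user’s password) for anything you don’t recognize.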

Review files and documents that contain sensitive information and ensure they are not being sent outside your organization or anywhere else you don’t want them to go. With Microsoft 365 you will need an Office 365 Enterprise E3 or Office 365 Enterprise E5 license to apply sensitivity labels.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.