Can you control the workstations in your network to only run the applications you want them to run? Do you know if their applications are being accessed appropriately? Are you doing everything you can to limit intrusions via illicit consent? Are you monitoring what sensitive information is in your office and should be protected?

If you answered “no” to any of these questions, take the time to review your policies and applications to see if you can better control your network.

Windows 10 S set the stage for restricting applications

A few years ago Microsoft developed a new platform called Windows 10 S that had the potential to simplify application whitelisting. Created as an alternative to Chromebooks, the platform’s concept was to allow only vetted applications to be installed. You might have seen advice online against using Windows 10 S mode and to switch out of it, but that advice does not reflect the vision of Windows 10 S mode: It’s a platform to begin making application restrictions the norm rather than the exception.

When Windows 7 was first released, the User Account Control (UAC) setting was derided as being too aggressive. Many IT administrators disabled it to get their applications to work. The setting was not meant to annoy IT administrators. Rather, it was a step toward getting application vendors to stop demanding administrator rights. Windows 10 S mode is similar, but this will be a much longer journey that might take a few twists and turns in the process. The platform is more limited. Like the iOS platform, all applications can only be installed through the Microsoft store after going through a vetting process. Only Microsoft or domain accounts are allowed on the platform.

The journey has already been bumpy. Microsoft has announced that Windows 10 S mode will be phased out and vendors will no longer ship units using this platform. In the future, vendors can ship Windows 10 in “S mode”.
You can flip machines out of S mode, but you can’t move them back to this restricted version.

Most users found Windows 10 S to be too restrictive, but the concept of the operating system is sound: Install only necessary applications. You can even use Intune to set AppLocker policies and then specify which applications will run in your network.

Unused software an entry point for attackers

Security blogger John Opdenakker recently warned that when you leave behind software on a computer, you expose the system to risk of attack. In any network in any computer setting, he recommends taking these steps:

Review your computer and your network for user accounts you no longer use. Check the last logon time for all accounts and ensure they are all active and being used. You can use any number of methods to obtain this information, but one of the most successful is to use PowerShell. If any account hasn’t been logged into recently, it’s time to disable it and remove it from your network.

Review your computer and network for software you no longer use, especially if the firm is in an industry that is targeted. Unmonitored software can be an entry point as it often leaves behind unpatched software. You can investigate what software is installed with patching software or with PowerShell scripts to inventory installed software.

Review the applications installed on your mobile devices. Especially after the installation of major new software releases, review what supported devices you still wish to support in your network. Often you find that users are happy with older phones and don’t realize that it keeps them from supporting new secure technologies. For example, in my office when we rolled out two-factor authentication, we had to upgrade several iPhones as they would not support the Microsoft authentication application. I have had out-of-date software on my iPhone that I didn’t realize was installed. Android has the same risks.
These mobile devices are also the tools you use for third-party authentication, so review them for applications that should no longer be installed on them.

Review your installed applications and cloud services that have access to other applications. In the case of Office/Microsoft 365, make sure that you have enabled administrator approval and user consent to third-party applications. These consent phishing attacks have increased during the pandemic. These attacks allow the attacker to gain access to a user’s mail, forwarding rules, files, contacts, notes, profile and other sensitive data and resources. Audit for illicit consent grants by performing the following steps:

1. Open the Security and Compliance Center.
2. Navigate to “Search” and select “Audit log search”.
3. Search (all activities and all users) and enter the start and end dates if required and then select “Search”.
4. Click “Filter results” and enter “consent to application” in the “Activity” field.
5. Click on the result to see the details of the activity. Click “More Information” to get details of the activity. Check to see if IsAdminContent is set to “True”.

Review for files or documents that contain sensitive information and ensure that they are not being sent outside of your organization or where you don’t want them to be. With Microsoft 365 you will need an Office 365 Enterprise E3 or Office 365 Enterprise E5 license to apply sensitivity labels.
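
The last-logon check in the account review step above can be scripted. The following PowerShell is an added example, not code from the original article: the function name Find-StaleAccount, its parameters, the 90-day threshold and the sample accounts are assumptions made for illustration.

```powershell
# Added example: flag accounts with no logon inside a review window.
# Find-StaleAccount, -MaxIdleDays and -AsOf are hypothetical names for this sketch.
function Find-StaleAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account,
        [int]$MaxIdleDays = 90,          # assumed threshold; set it to your own policy
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $last = $Account.LastLogon
        # An account that has never logged on has no timestamp; treat it as stale too.
        $idle = if ($null -eq $last) { $null } else { [math]::Floor(($AsOf - $last).TotalDays) }
        if ($null -eq $last -or $idle -gt $MaxIdleDays) {
            $action = if ($Account.Enabled) { 'Disable, then remove after review' }
                      else { 'Already disabled: confirm removal' }
            [pscustomobject]@{
                Name      = $Account.Name
                Enabled   = $Account.Enabled
                LastLogon = $last
                IdleDays  = $idle
                Action    = $action
            }
        }
    }
}

# Constructed sample records shaped like Get-LocalUser output (Name, Enabled, LastLogon).
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'alice';      Enabled = $true;  LastLogon = [datetime]'2024-05-28' }
    [pscustomobject]@{ Name = 'svc-backup'; Enabled = $true;  LastLogon = [datetime]'2023-11-02' }
    [pscustomobject]@{ Name = 'temp-audit'; Enabled = $true;  LastLogon = $null }
    [pscustomobject]@{ Name = 'bob-old';    Enabled = $false; LastLogon = [datetime]'2022-01-15' }
)
$sample | Find-StaleAccount -MaxIdleDays 90 -AsOf $asOf | Sort-Object Name | Format-Table -AutoSize

# On a live system the same filter takes real input, for example:
#   Get-LocalUser | Find-StaleAccount
#   Get-ADUser -Filter * -Properties LastLogonDate |     # needs the ActiveDirectory module
#       Select-Object Name, Enabled, @{ n = 'LastLogon'; e = { $_.LastLogonDate } } |
#       Find-StaleAccount
```

In Active Directory, LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the real logon by up to about two weeks, so keep the threshold well above that margin.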