10 tasks for a mid-year Microsoft network security review

It’s the middle of 2022 and it’s a perfect time to review your plans, goals and risks to your network, especially given the changing threat landscape. Ransomware, for example, has become more human targeted. Ransomware operators are now looking for additional methods and payloads as well as using extortion. Ransomware entry points range from targeting email and phishing lures as well as unpatched vulnerabilities to more targeted attacks.

With that in mind, these are the ten tasks you should do for your mid-year security review:

1. Review access and credential policies for third parties

Attackers will scan for Remote Desktop Protocol (RDP) access and use brute-force attacks like credential stuffing. They know that people tend to reuse credentials that the attackers obtain from stolen databases to attempt to gain access in your network.

I look for ways to better handle credentials or other access approvals for outside consultants as I am most concerned about their processes and security procedures. When dealing with outside consultants, write into your contracts the security protection you want them to use. Whether it’s including them in your multi-factor authentication (MFA) plans or at a bare minimum opening the access and firewall rules to restrict access to specific networks, you should have a procedure that you include in your service-level agreements and contracts as to how consultants handle access and credentials. User credentials should never be passed from the firm to the consultant in a manner that would expose them unnecessarily. Storing these credentials should be done in a fashion consistent with the policies and procedures of the hiring company. Review and audit these processes accordingly.

2. Review security scan results

Review the results of scheduled scans and ensure that they are being done on assets that truly showcase the external risk of the firm. I recently had a company perform an external scan on resources on my network. When I reviewed the results of the automated scan, I realized that they scanned a series of computers that didn’t reflect the external edge of my network. The report, while interesting, was not a true evaluation of the external risk to my network. So, when hiring any pen-testing or external scanning firm, ensure that the review and deliverables they provide to you reflect the actual edge of your network. Automatic scans are worthless if they are not providing you with actionable information.

3. Review cloud resources and permissions

If you are moving computing assets to the cloud, don’t merely set up a mirror of what you have on-premises. Review how resources are set up, what permissions are set, and who should have rights to what assets. Then go back to your on-premises deployments and review what security baselines or NIST guidelines can provide additional hardening for your internal network.

4. Deploy attack surface reduction rules

If you have not deployed attack surface reduction rules to your workstations and servers to help block suspicious activity, make this your goal for the second half of 2022. You may need to test and review for impact, but start with this first set of rules and enable as many as you can:

• Block all Office applications from creating child processes.
• Block executable content from email client and webmail.
• Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
• Block execution of potentially obfuscated scripts.
• Block JavaScript or VBScript from launching downloaded executable content.
• Block Office applications from creating executable content.
• Block Office applications from injecting code into other processes.
• Block Office communication application from creating child processes.
• Block untrusted and unsigned processes that run from USB.
• Block persistence through WMI event subscription (Persistence).
• Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Privilege escalation).
• Block process creations originating from PSExec and WMI commands (Lateral movement).

5. Review network security settings and policies

Review how your network is set up. For too long we have set up networks with less restrictive permissions and even to the point of disabling firewalls inside the network. Review how you set up workstations and move to where your workstation firewalls are set to specific protocols.

Review password security and policies and consider adding Azure AD Identity Protection to your existing Active Directory to better identify weak passwords in your network. Ensure you review options for MFA with Windows Hello or other third-party MFA solutions.

6. Review workstation deployment processes

Review your process for deploying and installing workstations and ensure that you don’t use the same local administrative passwords when deploying workstations. Review your options for managing local administrator password solutions that randomize and encrypt the local administrator password.

7. Review backup policies

Review what processes you use to back up and protect important files. Review backup processes to have multiple backups, two on different storage types, and at least one backup offsite and consider using OneDrive cloud storage for additional backup to protect your files.

8. Use email filtering

Use email filtering and scanning to ensure that your email is reviewed before entering your workstations. Links included in email should be scanned upon clicking and should be removed from your inboxes should those links be later found to be malicious.

9. Review patching policy

When handling patching, review what issues you’ve had historically in your network. If your edge devices have not had issues with patching, you may wish to streamline and time your updates for edge devices faster than devices that have had issues with updating. Review what side effects you have had and what mitigation you needed to take to recover from any issues. Review if there are alternative software or other workarounds that can be implemented to minimize patching side effects.

10. Review ransomware detection capabilities of antivirus and endpoint protection solutions

Ensure that your antivirus and endpoint detection solution can identify the typical symptoms of a ransomware attack. From situations where file backups are suddenly deleted, to Cobalt Strike activity in your network, or other suspicious activities, your solutions should alert you to when attackers are starting to set the items in place for ransomware.