The Australian Government has promoted its “Essential Eight” recommendations for mitigating cyber security attacks for quite some time. These recommendations are solid and worth reviewing for any organization.
Let’s have a look at the first half of the list, and see what Microsoft solutions match them:
ONE: Application Whitelisting – to control the execution of unauthorized software
Why: Although it might seem heavy-handed, only allowing trusted software to run reduces your attack surface drastically. It takes more work than letting anyone run whatever they want, but it stops unknown scripts, executables and installers from running with a relatively small amount of effort.
On-Premises: with Active Directory, AppLocker has been around for a while and does this quite well. Via Group Policy, all applications, scripts and installers can be blocked unless specifically whitelisted by the file’s signer, hash or path.
Cloud: Intune can be used to manage Windows Defender Application Control, which works in a similar way to AppLocker but has extra features for automating the management of rules rather than being an entirely manual process.
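To show what the AppLocker approach above looks like in practice, here is an added example (not from the original post): it builds publisher and hash rules from a clean reference machine, applies them in AuditOnly mode, and reads back the audit events that tell you what would have been blocked. It assumes an elevated session on a Windows build that ships the AppLocker module, and uses C:\AppLockerPilot as a scratch folder for the generated XML.

```powershell
# Added example: pilot an AppLocker allow-list in audit mode on a reference machine.
# Assumes an elevated session; C:\AppLockerPilot is an arbitrary scratch folder.
#Requires -RunAsAdministrator
Import-Module AppLocker

$OutDir = 'C:\AppLockerPilot'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Inventory executables, scripts and installers already present on a clean build.
#    Publisher rules are preferred; unsigned files fall back to hash rules so a
#    replaced binary no longer matches. A full scan of these folders is slow.
$info = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}
$policyXml = New-AppLockerPolicy -FileInformation $info `
    -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation -Xml

# 2. The generated policy has no enforcement mode set; switch every rule
#    collection to AuditOnly so nothing is blocked during the pilot.
$doc = [xml]$policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = Join-Path $OutDir 'baseline-audit.xml'
$doc.Save($policyPath)

# 3. Dry-run the policy against a user-writable folder before applying it;
#    anything listed here is what the pilot would report as denied.
$candidates = (Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse -File `
    -Include *.exe, *.ps1, *.msi).FullName
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone `
        -Filter Denied, DeniedByDefault |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. Apply locally (in a domain the same XML is imported into a GPO) and make
#    sure the Application Identity service runs, or rules are never evaluated.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# 5. Audit events 8003 (EXE and DLL) and 8006 (MSI and Script) mean "would have
#    been blocked". Turn these into rules or exceptions before enforcing.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8003, 8006
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Sort-Object TimeCreated -Descending
```

Run the pilot on a representative set of machines for a few weeks, then change `AuditOnly` to `Enabled` in the XML once the 8003/8006 events have dried up.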
TWO: Patching Applications – to remediate known security vulnerabilities
Why: An unpatched vulnerability gives an attacker another way into your systems. Once a patch is released, people will try to reverse engineer it to work out how they can exploit the flaw themselves. The longer you wait to patch a system, the riskier it gets – but this needs to be balanced against stability, as patches can sometimes introduce new issues.
On-Premises: Apart from simply pointing all devices at Windows Update, Windows Server Update Services (WSUS) has been around for many years to patch Windows, Office, and some third-party applications that support this method. A more advanced and granular approach is possible via System Center Configuration Manager (ConfigMgr), which provides more detailed reporting, management and deployments. ConfigMgr is still the most popular way of deploying and managing applications on Windows, and paid third-party plugins are available to help automate common third-party applications (Adobe, Java, etc.).
Cloud: Windows Update for Business combined with Intune lets you specify update rings for different devices, patching Windows and Office in a way where issues are found first by pilot users. Third-party apps are increasingly expected to be self-updating, such as browser-based, Click-to-Run and Windows Store apps. Intune can still be used to deploy more legacy-style patches to third-party applications.
THREE: Configuring Microsoft Office Macro Settings – to block untrusted macros
Why: Office macros have been around since the 1990s and were designed for a very different world. They can be used to do almost anything, and can be embedded into Microsoft Office documents such as Word and Excel files. Application settings can let these macros run at the moment a document opens, which attackers have leveraged many times to gain control of systems.
On-Premises: Although this can be done on a user-by-user basis, it should be locked down in an Active Directory environment through Group Policy and the Office ADMX templates.
Cloud: Intune can be configured to use Windows Defender Exploit Guard to prevent Office apps from being able to use macros. Administrative Templates can also be deployed to block macros.
FOUR: Application Hardening – to protect against vulnerable functionality
Why: Configuring applications not to use certain features reduces the attack surface. Even adverts in browsers are considered a risk, as they can deliver a malicious payload via script. Limiting Adobe Flash to only those who need it for business reasons greatly reduces your exposure to any vulnerability that requires Flash in the first place. This can take a long time to get right, as each application needs to be investigated separately.
On-Premises: Active Directory and Group Policy can be used to configure most applications, usually via an ADMX template, registry settings, or INI file settings. ConfigMgr can also be leveraged, using Configuration Baselines and Compliance Settings.
Cloud: Intune has several ways of deploying settings, and Security Baselines can also be configured to ensure devices are set up the way they should be. Modern apps with a SaaS backend often have configuration available centrally, such as OneDrive for Business blocking users from sharing anonymous links, where a malicious file could otherwise be dropped by anyone with the URL.
As you can see, there are clear solutions to each mitigation strategy from Microsoft, regardless of your environment being on-premises, cloud, or hybrid.
What’s Next?
Next time we’ll review the remaining four recommendations within the “Essential Eight” being promoted by the Australian government, analyzing why they’re recommended and how Microsoft meets them in both the on-premises and cloud space.