Part 1 of Cyber Security Essential Eight and Microsoft is here. Continuing on from Part 1, here’s the second half of the Australian Government’s “Essential Eight” recommendations for mitigating cyber security attacks, and where Microsoft fits into meeting them.
FIVE: Restricting Administrative Privileges – to limit powerful access to systems
Why: A user that’s logged onto an account with the rights to do ANYTHING on that system is a dangerous thing. There ‘should’ be no need for this, but some vendors still have software that requires administrator access on a computer to work. More often than not, it’s due to lazy practices to make things work, rather than actually scoping out what access is required. Of the entire 8 recommendations, this should be first on your list to resolve, as without it a user or piece of software has the rights to change most of the hardening you put into place.
On-Premises: Make sure users aren’t a member of the local Administrators group on any PC, nor in any group that has been added as an administrator on any PC. There are many ways this can be automated, including PowerShell. This also applies to Azure AD Hybrid joined computers.
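One way to automate that check, as an added example that is not code from the original post: it audits the local Administrators group on each listed PC, flags direct user members and unapproved groups, and expands any domain group it finds so nested membership is visible. It assumes PowerShell remoting is enabled, the RSAT ActiveDirectory module is installed where the script runs, and the computer and group names (placeholders below) are replaced with your own.

```powershell
# Added example, not from the original post. Computer and group names are placeholders.
# Assumes PowerShell remoting to each PC and the ActiveDirectory module locally.
$Computers      = @('PC01', 'PC02')
$ApprovedGroups = @('CONTOSO\Workstation Admins')   # only these groups may be local admins

$Report = foreach ($Computer in $Computers) {
    try {
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            # Return the SID as a string so it survives remoting serialisation
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } }
        }
    } catch {
        Write-Warning "Could not query ${Computer}: $_"
        continue
    }
    foreach ($Member in $Members) {
        $IsBuiltInAdmin = $Member.SID -like '*-500'   # the built-in local Administrator account (RID 500)
        switch ($Member.ObjectClass) {
            'User' {
                if (-not $IsBuiltInAdmin) {
                    [pscustomobject]@{ Computer = $Computer; Member = $Member.Name; Issue = 'User is a direct local admin' }
                }
            }
            'Group' {
                if ($Member.Name -notin $ApprovedGroups) {
                    [pscustomobject]@{ Computer = $Computer; Member = $Member.Name; Issue = 'Unapproved group is a local admin' }
                }
                if ($Member.PrincipalSource -eq 'ActiveDirectory') {
                    # Expand nested domain group membership so the people behind the group are visible
                    $GroupSam = ($Member.Name -split '\\')[-1]
                    $Users = Get-ADGroupMember -Identity $GroupSam -Recursive | Where-Object objectClass -eq 'user'
                    foreach ($User in $Users) {
                        [pscustomobject]@{ Computer = $Computer; Member = "$($Member.Name) -> $($User.SamAccountName)"; Issue = 'Admin via group membership' }
                    }
                }
            }
        }
    }
}
$Report | Sort-Object Computer, Member | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new row is someone (or something) gaining admin rights that should be explained.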
Cloud: Check your Intune policies as per the settings in this blog post once checking the on-premises settings.
SIX: Patching Operating Systems – to remediate known security vulnerabilities
Why: Vulnerabilities are constantly found in all operating systems – Windows, Linux, Mac, iOS, Android and so on – and the quicker they’re patched after being discovered, the smaller the window of opportunity for a hacker to exploit them. Vulnerabilities are harder to protect against, because there’s a chance that nothing will detect them, and some can even be triggered by visiting a webpage or reading an email. This is why the Outlook client doesn’t load images in emails by default, as they could potentially deliver a payload that leverages one of these vulnerabilities. There’s always a risk of patching these vulnerabilities leading to breaking other parts of the system, so it can be a tough balance between being patched as quickly as possible vs system stability.
On-Premises: Ensure Windows Updates are configured to run regularly. Windows Server Update Services (WSUS) or ConfigMgr can be used to centralize, control and distribute updates with reporting capabilities, and give you some overview into your environment. ConfigMgr is more complex to set up, but gives much more granular controls over update releases.
Cloud: Windows Update for Business gives you some controls over allowing different PCs to get updates at different times – so if a patch breaks something, your entire business isn’t all broken at once. This can also use peer-to-peer updating, so PCs on the same network can distribute updates to each other to reduce internet bandwidth.
SEVEN: Multi-factor Authentication – to protect against risky activities
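Whichever of the above you use to distribute updates, it pays to verify independently that patches are actually landing. As an added example that is not code from the original post, this reports the age of the newest installed update on each PC and flags anything older than a chosen threshold; it assumes the account running it can query Win32_QuickFixEngineering (the class behind Get-HotFix) remotely, and the computer names are placeholders.

```powershell
# Added example, not from the original post. Computer names are placeholders.
$Computers  = @('PC01', 'SRV01')
$MaxAgeDays = 30   # anything not patched within this many days is reported as non-compliant

$Report = foreach ($Computer in $Computers) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn is empty on some entries,
        # so drop those before picking the most recent one.
        $Latest = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
    } catch {
        [pscustomobject]@{ Computer = $Computer; LastPatch = $null; AgeDays = $null; Status = "Query failed: $_" }
        continue
    }
    if (-not $Latest) {
        [pscustomobject]@{ Computer = $Computer; LastPatch = $null; AgeDays = $null; Status = 'No dated updates found' }
        continue
    }
    $Age = (New-TimeSpan -Start $Latest.InstalledOn -End (Get-Date)).Days
    [pscustomobject]@{
        Computer  = $Computer
        LastPatch = "$($Latest.HotFixID) ($($Latest.InstalledOn.ToShortDateString()))"
        AgeDays   = $Age
        Status    = if ($Age -gt $MaxAgeDays) { 'NON-COMPLIANT' } else { 'OK' }
    }
}
$Report | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Get-HotFix only lists updates recorded by Windows servicing (not, for example, Defender definition updates), so treat this as a quick sanity check alongside WSUS or ConfigMgr reporting rather than a replacement for it.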
Why: Passwords these days are bad. They’re insecure in that someone could guess them, brute force them, capture them from malware running on something you typed your password into, or obtain them from a third party who has been holding your passwords unencrypted and been attacked themselves. Once someone has your password, they can log in as you – unless you have other systems in place to block this. Multi-factor Authentication is one of these systems, where beyond a password, something you have, or something you are, is an extra step needed to log in to a system. Something you have could be a mobile phone to receive a one-time SMS PIN to enter, and something you are could be a fingerprint scan.
On-Premises: There is an MFA Server option for on-premises installs, but it does need some outside cloud access to work. The Cloud solution below should be used in most scenarios.
Cloud: Most solutions work best being cloud based or hybrid based, which means on-premises environments can still leverage them too. Windows Hello/Windows Hello for Business can be used in a hybrid setup, which ties in biometrics and PINs to log onto Windows. MFA and Conditional Access are Azure AD features which let you control which MFA methods trigger when, including SMS/Phone auth, as well as the Microsoft Authenticator app.
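As an added example (not code from the original post) of the Conditional Access approach described above, this creates a policy requiring MFA for all users on all cloud apps, deployed in report-only mode first so the sign-in logs show who would be affected before it is enforced. It assumes the Microsoft.Graph PowerShell module is installed, the caller is granted the Policy.ReadWrite.ConditionalAccess permission, and the break-glass account object ID (a placeholder below) is replaced with your own emergency-access account.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholder: object ID of the emergency-access (break-glass) account to exclude from the policy
$BreakGlassAccountId = '00000000-0000-0000-0000-000000000000'

$Policy = @{
    displayName = 'Require MFA for all users (report-only)'
    # Report-only evaluates the policy and logs the result without blocking anyone;
    # change to 'enabled' once the sign-in log results have been reviewed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($BreakGlassAccountId)   # never lock out the emergency-access account
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                   # require multi-factor authentication
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
```

Check the "Report-only" tab of the Azure AD sign-in logs for a week or two before switching the state to enabled, and confirm the break-glass account is excluded before you do.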
EIGHT: Daily Backups – to maintain the availability of critical data
Why: If you lose data, you need a way to get it back. It could be lost from accidental deletion, a malicious attack, or a hardware/software failure. Having the data in another place that won’t be impacted by any of these scenarios, and a way to restore that data, is a critical requirement to keep any business running if disaster strikes.
On-Premises: System Center Data Protection Manager is Microsoft’s solution for backing up environments – raw data, virtual machines etc. A lot of time and effort should be spent on implementing any backup strategy, along with testing the restoration of data.
Cloud: Cloud opens up a lot of options: Azure Backup can be used for VMs and data, but there are also many different Azure services that can be leveraged for different backup scenarios. SharePoint Online, as the backend for most Office 365 services, has retention policies and version control for smaller data recovery scenarios.
Final Thoughts
Hopefully the above gives some starting points on seeing where Microsoft can provide solutions for these ‘essential eight’. This is not to say that you must or should use these, but they’re a good starting point to understand what might be required, and I urge you to work towards these recommendations using whichever solutions you deem the best fit.