Chapter 14: Top 10 Recommendations and the Future – Mastering Windows Security and Hardening


You made it to the final chapter! We hope that, up to this point, you have been able to gain a much better understanding of not just the tools needed to protect your Windows operating systems, but of everything involved in an overall security program to ensure your users and devices are secure. The primary focus of this book has been on the cloud technology that is at your disposal today. We often hear of the challenges of keeping up to date with today's fast-growing technology and cloud environments. Hopefully, we have been able to provide you with the necessary knowledge to better understand the fundamentals of shifting to a cloud-managed environment and, more importantly, the security tools to support and maintain that transition.

In this chapter, we will provide an overview of what we believe to be the 10 most important topics that were covered in this book. We hope these top 10 recommendations will provide you with an actionable list and that you will ensure these specific recommendations are in place. If they aren't, this book contains the knowledge that you require to plan and implement the appropriate protection for your organization and its users. Following our 10 recommendations, we will also provide a few additional recommendations that we feel are of importance and should be considered to strengthen your security program even further.

At the end of this chapter, we will provide an overview of our thoughts on the future of security and device management, and on how the shift toward an anywhere-at-any-time access model is forcing enterprises to modernize their access strategies with cloud technologies. We will then finish the chapter with our thoughts on security in an increasingly connected world: everyday interactions need well-defined security models, and a more autonomous world will require the right governance and security to be put in place.

In this chapter, we will cover the following topics:

  • The 10 most important to-dos
  • The future of device security and management
  • Security and the future

The 10 most important to-dos

To finish the book, we wanted to highlight what we believe to be 10 of the most important areas covered within this book. These items are not listed in any priority order, but we feel they should be the focus of attention for your security program.

Implementing identity protection and privileged access

In a world that has shifted to the internet for an anywhere-at-any-time access model, identities have become the target of attention and are fundamental for gaining access to your environment. Because of this, it is critical that your identity protection program has multiple layers of protection and preventative measures in place.

Proper identity protection requires implementing account and access management tools and enforcing the principle of least privilege. A user must only be given access to the specific data, applications, and systems that their job role requires. Use role-based access control (RBAC) to streamline access, and enforce strong passwords. Require multi-factor authentication (MFA) for all users, and implement conditional access policies that evaluate signals such as device compliance, so that a user signing in from a compliant, company-managed device is not prompted for MFA on every sign-in while every other sign-in still requires it. Enable biometric authentication when available, and work toward passwordless authentication as the end goal.

Tip

Of all the recommendations, if you don't have MFA for your users enabled, ensure this is your highest priority. According to Microsoft, enabling MFA can prevent over 99.9% of account compromise attacks: https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/.

For more information, see Chapter 7, Identity and Access Management, where we covered identity protection in detail.

Additionally, we covered privileged access models in both Chapter 3, Server Infrastructure Management, and Chapter 7, Identity and Access Management. The important areas to focus on include adopting a tiered model for privileged access in your Active Directory environment, so that credentials used to administer domain controllers (Tier 0) are never exposed on workstations or member servers. Additionally, implement a bastion forest or Enhanced Security Administrative Environment (ESAE) to administer your production workloads if applicable. Always enforce the principle of least privilege when assigning permissions to users. This includes Active Directory's built-in roles as well as Azure Active Directory roles. To manage access to resources in Azure, use Azure RBAC. Furthermore, enhance access security for your privileged users by deploying the following solutions:

  • Privileged Access Management (PAM)
  • Just-in-Time Access (JIT)
  • Privileged Identity Management (PIM)

These solutions will provide a well-rounded privileged access administration program for both your traditional on-premises environment and your cloud environment. If you don't have any privileged access management tools available, at a minimum create separate, dedicated administrative accounts for these purposes, and ensure your administrators never reuse the password of their daily-use account for the privileged one.
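As an added example (not code from the book), the following PowerShell script audits the membership of the built-in Active Directory privileged groups and flags accounts that do not fit a tiered, least-privilege model: nested members, passwords that never expire or are older than a year, stale accounts, and accounts that look like daily-use accounts rather than dedicated admin accounts. It assumes the RSAT ActiveDirectory module, read access to the domain, and a naming convention in which dedicated admin accounts end in `-adm`; the group list, the thresholds, and that suffix are assumptions to adjust to your environment.

```powershell
# Added example (not from the book): review who holds Tier 0 privilege in AD.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Built-in groups whose membership should be small and reviewed regularly (assumed list)
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)
$AdminSuffix     = '-adm'   # assumed naming convention for dedicated admin accounts
$MaxPasswordDays = 365      # assumed threshold
$StaleLogonDays  = 90       # assumed threshold
$Now             = Get-Date

$Findings = foreach ($GroupName in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed
    $Members = Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName `
            -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, Enabled

        $Issues = @()
        if ($User.PasswordNeverExpires) { $Issues += 'PasswordNeverExpires' }
        if (-not $User.PasswordLastSet -or $User.PasswordLastSet -lt $Now.AddDays(-$MaxPasswordDays)) {
            $Issues += "PasswordOlderThan${MaxPasswordDays}Days"
        }
        if ($User.LastLogonDate -and $User.LastLogonDate -lt $Now.AddDays(-$StaleLogonDays)) {
            $Issues += "NoLogonIn${StaleLogonDays}Days"
        }
        # A privileged account that is also someone's daily-use account breaks the tier model
        if ($User.SamAccountName -notlike "*$AdminSuffix") { $Issues += 'NotDedicatedAdminAccount' }

        [pscustomobject]@{
            Group          = $GroupName
            SamAccountName = $User.SamAccountName
            Enabled        = $User.Enabled
            LastLogonDate  = $User.LastLogonDate
            Issues         = ($Issues -join ', ')
        }
    }
}

$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
# Keep the exceptions as evidence for the periodic access review
$Findings | Where-Object { $_.Issues } | Export-Csv -Path .\PrivilegedAccountReview.csv -NoTypeInformation
```

Run it from a Tier 0 administrative workstation on a schedule and compare the CSV against the previous run; any account that appears in a privileged group without a matching change request is the finding that matters most.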

Enact a Zero Trust access model

Ensure you adopt a Zero Trust access architecture for your systems, identities, applications, and infrastructure where applicable. In Chapter 1, Fundamentals of Windows Security, we touched on Zero Trust access and its value in securing your environment. In this model, no request is trusted because of where it comes from; every request is verified explicitly, including who the user is, where they are coming from, the health of the device, and whether they are authorized for the specific resource. This approach requires an access model with multiple layers that can evaluate several facets of the authentication and authorization chain, from the network and firewall, to the physical devices, down to the user's identity. Implementing cloud-based security technologies will significantly help if you are looking to adopt a Zero Trust access model. You can read more about the Zero Trust access model at Microsoft here:

https://www.microsoft.com/en-us/itshowcase/implementing-a-zero-trust-security-model-at-microsoft

Define a security framework

In Chapter 2, Building a Baseline, we covered the adoption of a security framework to serve as the foundation of your organization's security program. It should consist of recommendations from widely adopted frameworks such as the following:

We also covered the importance of including well-documented policies, standards, procedures, and guidelines as part of your security program. The framework should also consist of one or more security baselines that outline a minimum set of configurations for your devices. The security program should be sponsored by leadership and promoted throughout the organization to help educate users about the importance of security and the part they play.

Get current and stay current

Get current and stay current with the latest feature builds and security updates for your Windows 10 and Windows Server operating systems. In Chapter 3, Server Infrastructure Management, and Chapter 4, End User Device Management, we covered infrastructure and end user device management tools that assist with keeping your devices up to date. In Chapter 8, Administration and Remote Management, we reviewed how to administer your devices to ensure they remain current and compliant. For example, enforcing a compliance evaluation that requires a minimum operating system build version is helpful for flagging devices that have not been updated and might be at risk. You can even enforce additional security controls, such as requiring MFA, based on this compliance evaluation using a conditional access policy. Configure Windows Update for Business (WUfB) on Windows 10 devices, and Windows Server Update Services (WSUS) or Azure Update Management for Windows servers, to keep your devices patched. This will help ensure that your devices are as secure as possible against ongoing threats. In addition to updating the Windows operating system, business applications such as Google Chrome, Microsoft Office, and Adobe products need to be kept up to date as well, since an unpatched browser or document reader is as likely an entry point as an unpatched operating system. Incorporate third-party applications into your update strategy.
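As an added example (not code from the book), the following PowerShell script performs the kind of minimum-build compliance evaluation described above on a Windows 10 device: it reads the current build and update build revision, checks when the last update was installed, and reports the Windows Update for Business deferral policy if one is configured. The minimum build (19041, Windows 10 version 2004) and the 45-day staleness threshold are assumed values; the non-zero exit code is the convention that lets a Configuration Manager or Intune compliance script mark the device non-compliant.

```powershell
# Added example (not from the book): evaluate a device against a minimum Windows
# build and flag stale patching. Exit code 1 marks the device non-compliant.
$MinimumBuild     = 19041   # Windows 10 version 2004 (assumed minimum for this example)
$MaxDaysUnpatched = 45      # assumed threshold: monthly cumulative update plus some slack

$Cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$Build   = [int]$Cv.CurrentBuildNumber
$Ubr     = [int]$Cv.UBR     # Update Build Revision, incremented by each cumulative update
$Version = if ($Cv.DisplayVersion) { $Cv.DisplayVersion } else { $Cv.ReleaseId }   # e.g. 20H2 or 1909

# Most recent installed update according to the servicing stack
$LastUpdate = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($LastUpdate) {
    $LastUpdateDate = $LastUpdate.InstalledOn.ToString('yyyy-MM-dd')
    $DaysSince      = (New-TimeSpan -Start $LastUpdate.InstalledOn -End (Get-Date)).Days
} else {
    $LastUpdateDate = 'unknown'
    $DaysSince      = $null
}

# Windows Update for Business deferral policy (values exist only when WUfB is configured)
$Wufb = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue

$Result = [pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    Version              = $Version
    Build                = ('{0}.{1}' -f $Build, $Ubr)
    MeetsMinimumBuild    = ($Build -ge $MinimumBuild)
    LastUpdateInstalled  = $LastUpdateDate
    DaysSinceLastUpdate  = $DaysSince
    PatchingStale        = (($null -eq $DaysSince) -or ($DaysSince -gt $MaxDaysUnpatched))
    WufbQualityDeferDays = $Wufb.DeferQualityUpdatesPeriodInDays
    WufbFeatureDeferDays = $Wufb.DeferFeatureUpdatesPeriodInDays
}
$Result | Format-List

if (-not $Result.MeetsMinimumBuild -or $Result.PatchingStale) { exit 1 }
exit 0
```

The build number alone is not enough: two devices on the same feature release can be months apart in patch level, which is why the script also reports the UBR and the days since the last installed update.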

Make use of modern management tools

Use modern management tools to enforce security configurations and for the overall administration of devices. Enterprise-grade solutions such as Microsoft Endpoint Configuration Manager and Intune can enforce security baselines, perform compliance evaluations, deploy applications, apply device configurations, and manage software updates. Use tools such as the Microsoft Deployment Toolkit (MDT) and Configuration Manager to build hardened images and to deploy task sequences for in-place upgrades or migrations. Where you can, reduce the number of tools to avoid unnecessary complexity in your environment. Simplicity with a reduced footprint also helps to reduce the number of vulnerabilities, since every management agent and console is itself attack surface that must be patched and secured. We primarily covered the management of your server infrastructure and end user devices in Chapter 3, Server Infrastructure Management, and Chapter 4, End User Device Management.

Certify your physical hardware devices

For end user physical devices and any physical servers within your environment, ensure the hardware specifications pass a hardware certification program and can support virtualization-based security (VBS) features, which in practice means a TPM 2.0, UEFI firmware with Secure Boot, and CPU virtualization extensions. In addition to this, ensure a process to securely update hardware and device firmware is built into your documented baseline procedures, since firmware sits below the operating system and outside the reach of most security tooling. In Chapter 5, Hardware and Virtualization, we covered hardware certification in more detail. As a reminder, make sure you review the Windows Server Catalog and the Windows Hardware Compatibility List before procuring any hardware for your Windows operating systems, using the following links:

Administer network security

In Chapter 6, Network Fundamentals for Hardening Windows, we covered network security for your Windows environment. Although the focus of security has shifted toward the user device and identity, network security still plays a pivotal role, and it is not only about your network devices, offices, and data centers. Ensure network-specific security configurations are included in the security baselines for end user devices and servers. Communications to devices can be locked down by configuring Windows Defender Firewall with Group Policy, Intune, or Configuration Manager. For additional protection against connections to risky hosts, deploy a proxy server or service, or use Windows Defender Exploit Guard network protection. For servers running in Azure, apply a network security group to the subnet or network interface resource, and only allow the necessary communications to pass through. As your users become more decentralized, ensure you implement a reliable and secure VPN service, such as Microsoft's Always On VPN, which we covered in Chapter 6, Network Fundamentals for Hardening Windows.
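As an added example (not code from the book), the following PowerShell script applies the host-level controls described above to a domain-joined server: it turns on Windows Defender Firewall for all profiles with a default inbound block and drop logging, replaces the broad built-in Remote Desktop rules with rules scoped to a management subnet, enables Exploit Guard network protection, and then lists every remaining inbound allow rule so you can see what is still reachable. The management subnet 10.10.0.0/24 and the use of WinRM over HTTPS on port 5986 are assumptions.

```powershell
# Added example (not from the book): restrict inbound traffic on a domain-joined
# server with Windows Defender Firewall and enable Exploit Guard network protection.
$ManagementSubnet = '10.10.0.0/24'   # assumed management network

# All profiles on, inbound blocked by default, dropped packets logged for investigation
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# Replace the broad built-in Remote Desktop rules with one scoped to the management subnet
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP - management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain, Private

# Same treatment for PowerShell remoting over HTTPS
New-NetFirewallRule -DisplayName 'WinRM HTTPS - management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain

# Exploit Guard network protection blocks outbound connections to known-bad hosts;
# use 'AuditMode' instead of 'Enabled' first if you need to measure the impact
Set-MpPreference -EnableNetworkProtection Enabled

# Review what remains reachable: every enabled inbound allow rule with its port and source scope
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $Port = $_ | Get-NetFirewallPortFilter
    $Addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        Protocol      = $Port.Protocol
        LocalPort     = ($Port.LocalPort -join ',')
        RemoteAddress = ($Addr.RemoteAddress -join ',')
    }
} | Sort-Object Rule | Format-Table -AutoSize
```

The final listing is the check worth keeping: a rule whose RemoteAddress is `Any` on a management port is exactly what a scoped baseline should not contain. In production, deliver the same settings through Group Policy or Intune rather than running the script by hand, so that they are enforced and reapplied rather than set once.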

Always encrypt your devices

Encryption should always be enabled for end user workstations and servers. In the past, encryption was a challenge to deploy and manage. Fortunately, the process has become much easier with Microsoft's encryption technology, BitLocker. Enforce BitLocker encryption on workstations and servers using Group Policy or Intune, and leverage Azure Active Directory or Configuration Manager to store and manage the recovery keys. For virtual machines in Azure, leverage Azure Disk Encryption with Key Vault for key storage. Additionally, ensure that recovery keys are escrowed before encryption is enforced, and that backups of the data itself are in place; an encrypted disk whose recovery key was never backed up is unrecoverable if the TPM or the device fails. We covered encryption in detail for both end user devices and servers in Chapter 9, Keeping Your Windows Client Secure, and Chapter 10, Keeping Your Windows Server Secure.
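As an added example (not code from the book), the following PowerShell script enables BitLocker on the operating system drive with a TPM protector, creates a recovery password and escrows it to Azure Active Directory before anything else, and then reports a compliance view you can feed to Configuration Manager or Intune. It assumes a TPM-equipped, Azure AD-joined Windows 10 device, an elevated session, and XTS-AES 256 as the required method; on a server, the BitLocker feature must be installed first.

```powershell
# Added example (not from the book): enforce BitLocker on the OS drive with a
# TPM protector, escrow the recovery password to Azure AD, then report compliance.
$OsDrive = $env:SystemDrive

$Volume = Get-BitLockerVolume -MountPoint $OsDrive
if ($Volume.VolumeStatus -eq 'FullyDecrypted') {
    # Create the recovery password first so a recovery path exists before encryption starts
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    # XTS-AES 256 with TPM-only unlock; used-space-only encryption is fast on freshly built devices
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector `
        -UsedSpaceOnly -SkipHardwareTest
}

# Escrow every recovery password to Azure AD (device must be Azure AD-joined)
$RecoveryProtectors = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($Protector in $RecoveryProtectors) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $Protector.KeyProtectorId
}

# Compliance view: encrypted with the intended method, protection on, TPM bound, key escrowed
$Volume = Get-BitLockerVolume -MountPoint $OsDrive
$Report = [pscustomobject]@{
    MountPoint        = $OsDrive
    VolumeStatus      = $Volume.VolumeStatus
    EncryptionMethod  = $Volume.EncryptionMethod
    ProtectionStatus  = $Volume.ProtectionStatus
    TpmProtector      = [bool]($Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })
    RecoveryPasswords = @($RecoveryProtectors).Count
    Compliant         = (($Volume.ProtectionStatus -eq 'On') -and
                         ($Volume.EncryptionMethod -eq 'XtsAes256') -and
                         (@($RecoveryProtectors).Count -gt 0))
}
$Report | Format-List
```

ProtectionStatus stays Off while encryption is still in progress, so a device freshly encrypted by this script reports non-compliant until the first pass completes; re-run the report afterwards. The order matters: the recovery password is created and escrowed before protection is relied on, which is the "configure backups" point made above.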

Enable endpoint protection

Endpoint protection has been a standard control for years. Deploying solutions such as Microsoft Defender Antivirus enhanced with the Advanced Threat Protection (ATP) service (since renamed Microsoft Defender for Endpoint) extends the antivirus to the cloud and provides next-generation endpoint protection with behavioral detection, cloud-based analytics, and threat intelligence. Ensure you onboard workstations and servers to Microsoft Defender ATP for real-time protection and monitoring; an endpoint with Defender Antivirus running but not onboarded to the service still generates none of the telemetry your security operations team depends on. In Chapter 9, Keeping Your Windows Client Secure, and Chapter 10, Keeping Your Windows Server Secure, we covered the onboarding process. In Chapter 11, Security Monitoring and Reporting, and Chapter 12, Security Operations, we discussed in more detail the monitoring and security operations aspects of Microsoft Defender ATP and how to review and investigate alerts and incidents.
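As an added example (not code from the book), the following PowerShell script verifies on a device that the Defender Antivirus features that matter are on, that signatures are fresh, and that the device is actually onboarded to Microsoft Defender ATP (the `Sense` service is running and the documented `OnboardingState` registry value is 1). The three-day signature age limit is an assumed threshold; everything else is read from the Defender cmdlets and the registry.

```powershell
# Added example (not from the book): check Defender Antivirus settings and
# Microsoft Defender ATP onboarding on a device. Exit code 1 = non-compliant.
$Status    = Get-MpComputerStatus
$Prefs     = Get-MpPreference
$Sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue   # the Defender ATP sensor service
$AtpStatus = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
    -ErrorAction SilentlyContinue

$Checks = [ordered]@{
    RealTimeProtection       = [bool]$Status.RealTimeProtectionEnabled
    BehaviorMonitoring       = [bool]$Status.BehaviorMonitorEnabled
    TamperProtection         = [bool]$Status.IsTamperProtected
    CloudDeliveredProtection = ($Prefs.MAPSReporting -ne 0)             # 0 = Disabled, 1 = Basic, 2 = Advanced
    SampleSubmission         = ($Prefs.SubmitSamplesConsent -in @(1, 3)) # 1 = SendSafeSamples, 3 = SendAllSamples
    SignatureAgeOk           = ($Status.AntivirusSignatureAge -le 3)     # days; assumed threshold
    SenseServiceRunning      = (($null -ne $Sense) -and ($Sense.Status -eq 'Running'))
    DefenderAtpOnboarded     = ($AtpStatus.OnboardingState -eq 1)
}

[pscustomobject]$Checks | Format-List

$Failed = $Checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }
if ($Failed) {
    Write-Warning ('Non-compliant: ' + ($Failed -join ', '))
    exit 1
}
exit 0
```

The onboarding check is the one most often missing from antivirus health reports: real-time protection can be fully healthy on a device that was imaged from a golden image and never ran the onboarding package.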

Deploy security monitoring solutions

Having the right security tools in place is a critical part of your security program. But without a well-implemented security operations and monitoring program, the value of those tools diminishes. As a Microsoft customer, take advantage of the security operations and monitoring products that allow rapid reaction to and remediation of detected incidents within your environment. Ensure you deploy enterprise-class security monitoring and reporting solutions, which include Log Analytics, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Security Center, and Azure Sentinel. Many of these solutions allow integration with a third-party SIEM solution if you are outsourcing your security operations center. In Chapter 11, Security Monitoring and Reporting, and Chapter 12, Security Operations, we covered security operations and security monitoring and reporting in detail.

Other important items

Although we have compiled a top 10 list to consider when building a plan for hardening Windows devices, we want to highlight a few additional and important items of the overall security program.

Stay educated

Stay current on the ever-evolving threat landscape. As a security professional, it is important that you are aware of and understand current threats, so that you apply the remediations that reduce the risk of a compromise. The following resources were referenced in Chapter 1, Fundamentals of Windows Security, and are great places to visit for up-to-date cybersecurity trends and new and emerging threats:

  1. DarkReading: https://www.darkreading.com/
  2. Microsoft Patch Tuesday Dashboard: https://patchtuesdaydashboard.com/
  3. Common Vulnerabilities and Exposures (CVE) List: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Windows

Validate controls

In Chapter 13, Testing and Auditing, we covered in detail the testing and auditing of your environment. It is critical to validate that your controls are actually in place and working by scheduling regular audits; a control that exists only in a policy document or a Group Policy object that never applied protects nothing. Additionally, schedule at least yearly vulnerability assessments and penetration tests to find and mitigate any new risks discovered in your environment. Don't exclude validating controls from your security program, as it could be a fatal mistake.

Application controls

Ensure you only allow applications you trust to run within your environment. Plan for, test in audit mode, and then deploy Windows Defender Application Control (WDAC) policies for fine-grained control over which applications can run on your systems and for your users. Deploying a policy in enforcement mode without an audit period is the most common way to break line-of-business applications, so treat audit mode as a mandatory step rather than an option. We covered WDAC in more detail in Chapter 9, Keeping Your Windows Client Secure.
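As an added example (not code from the book), the following PowerShell walkthrough builds a WDAC policy from a reference machine, stages it in audit mode, and shows how to turn the audit findings into rules before removing the audit option to enforce. The working directory `C:\WDAC`, the publisher-level trust with hash fallback, and the single-policy (legacy) deployment via `SIPolicy.p7b` are assumptions; the steps are phases separated by an audit period, not a script to run in one go.

```powershell
# Added example (not from the book): WDAC policy lifecycle in PowerShell.
# Run elevated on the reference device; paths are assumed values.
$WorkDir    = 'C:\WDAC'
$BasePolicy = Join-Path $WorkDir 'BasePolicy.xml'
$AuditRules = Join-Path $WorkDir 'AuditRules.xml'
$Merged     = Join-Path $WorkDir 'MergedPolicy.xml'
$Binary     = Join-Path $WorkDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Phase 1: scan the reference image. Trust by signing publisher; hash only where unsigned.
New-CIPolicy -FilePath $BasePolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs

# Rule option 3 = Enabled:Audit Mode (log, do not block); 16 = Enabled:Update Policy No Reboot
Set-RuleOption -FilePath $BasePolicy -Option 3
Set-RuleOption -FilePath $BasePolicy -Option 16

# Compile and stage the single-policy format binary; a reboot activates it
ConvertFrom-CIPolicy -XmlFilePath $BasePolicy -BinaryFilePath $Binary
Copy-Item -Path $Binary -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force

# Phase 2 (after the audit period): review what would have been blocked.
# Code Integrity event 3076 is logged for each binary that failed the policy in audit mode.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
    -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# Turn the audit events into rules and merge them into the base policy
New-CIPolicy -Audit -FilePath $AuditRules -Level Publisher -Fallback Hash -UserPEs
Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $BasePolicy, $AuditRules

# Phase 3: only once the merged policy has run clean in audit, drop option 3 to enforce
Set-RuleOption -FilePath $Merged -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
Copy-Item -Path $Binary -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force
```

Review the generated rules before merging: `-Audit` will happily create an allow rule for anything that ran during the audit window, including software you would rather not trust, which is why the event review comes before the merge.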

Security baselines and hardening

Ensure you harden your end user devices and servers by configuring Microsoft's recommended security baselines or by referencing the CIS Benchmarks. You don't need to build your own baselines from the ground up. The hard work has already been done by Microsoft and a community of others, providing the recommended controls that you should be deploying within your environment. Security baselines can be enforced using Group Policy, Intune, and/or Configuration Manager. Leverage reporting and auditing features with device compliance policies and configuration profiles in Intune or by deploying configuration baselines in Configuration Manager. Don't forget to include security baseline policies for other enterprise-based apps such as Microsoft Office, Google Chrome, Edge, and other web browsers. We covered the fundamentals of security baselines and hardening in Chapter 2, Building a Baseline. In Chapter 9, Keeping Your Windows Client Secure, and Chapter 10, Keeping Your Windows Server Secure, we reviewed how to implement these baselines and hardening controls into your workstations and servers.

Business continuity and disaster recovery

Having a well-defined business continuity plan and disaster recovery plan for your organization is critical. This is not only from a business operations perspective but also because of the ongoing and evolving security threats that can have catastrophic ramifications. Threats such as ransomware can prevent organizations from being able to operate normally and have the potential for large amounts of data loss. We briefly covered business continuity and disaster recovery in Chapter 12, Security Operations.

We have provided an overview summarizing the important takeaways from this book. Hopefully, this guide will help to provide you with insights into the critical components that you should focus on to best protect your Windows workstations and servers. Next, we will provide some personal insight into the future of security and device management.

The future of device security and management

As the technology we consume continues to evolve, and the access model continues to become more internet-centric, our security posture and defenses must improve with it. Not only does our security need to be better, but a complete shift needs to occur in the way security has been implemented in the past. Protecting our users within a traditional network perimeter is no longer the norm, as our users are far more dynamic today than they were in the past. With internet access available from almost anywhere, we are being forced to move our security strategies from the four walls of the office toward an anywhere-at-any-time access model. Not only are we challenged by users accessing data from corporate devices, but also from personally owned mobile devices and from bring-your-own (BYO) laptops and tablets. Ensuring that your corporate data is protected and is not exfiltrated from your environment requires many security tools and a well-defined security program. At the same time, it's important to ensure we don't inhibit end user productivity; otherwise, users will look to circumvent the controls put in place and create a more vulnerable environment.

To be more successful with your overall security strategy, start by simplifying where you can. Traditionally, it takes numerous tools to secure an environment, and it can reach a point where maintaining all of these tools and services becomes unsustainable and, in certain instances, exposes you to more vulnerabilities because of their complexity. Because of this, review what you have in place and understand where you can consolidate products and services to reduce your security footprint. Simplicity is key to a successful program, and Microsoft has done a great job in this regard as its security portfolio has evolved over the years.

Another direction you should be striving for is that of next-generation security tools. Traditional security tools will no longer suffice in today's modernized world. Next-generation security tools are those that can drive the security portfolio around that of the cloud data centers with unlimited scale, limited or zero infrastructure required, and always up-to-date apps, services, and platforms. You need to ensure that the tools and services you are deploying support a level of automation, can leverage artificial intelligence, analyze big data, and incorporate behavioral analytics. Without these features of next-generation protection, organizations will miss out on valuable security insights that can help to mitigate risk as opposed to reacting to a breach.

As we have mentioned throughout this book, your protection strategy needs to continue to shift toward identity- and device-based protection. As ATP tools continue to improve, it is critical that you continue to assess and enable them. They provide intelligent security insights from cloud telemetry, such as analyzing users and devices by location, detecting atypical travel, and identifying anomalies in user activity. Layering automation on top, to remediate incidents automatically based on these anomalies, is also a huge step in the right direction for security operations and for better securing your organization. In addition, devices are becoming biometric-enabled and can leverage fingerprint scans and face recognition. These technologies are pivotal in creating a path to a passwordless world for your users and devices. If you haven't already heard of FIDO2, you should quickly become familiar with it, as this specification is currently driving the passwordless initiative.

Tip

Windows Hello also promotes the use of PINs for Windows 10 devices. Read more about why a PIN is better than a password here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.

In addition to the focus on identity- and device-based protection is the protection of your data. To protect data in an available-anywhere-from-any-device strategy, additional protection needs to be considered to prevent leakages. To do this, continue to evolve your Data Loss Prevention (DLP) strategy into cloud-based technologies and enhance your protection with information rights management and data classification tools such as Azure Information Protection and Windows Information Protection. Your organization's data should be automatically labeled and classified based on industry-standard privacy regulations along with custom rules used to identify sensitive data. Depending on the classification applied, there should be auto-protection features that include the ability to enforce encryption, require authentication, restrict the data from leaving your devices, and block copy and paste to non-protected apps.

Moving beyond the classic Windows and server operating system is the Internet of Things (IoT). IoT has grown exponentially over recent years and continues to grow as devices are now being built for anything imaginable. Microsoft also has a presence in this space with its Windows for IoT platform, which includes multiple versions for building out your IoT infrastructure:

As IoT continues to grow, the conversation of both standard device management and security continues to surface as a serious concern as we depend more and more on IoT devices. As we look ahead to develop and deploy more IoT within the enterprise, we need a unified standard to govern, manage, and secure these devices. In an ideal world, we would want to be able to unify the management of all our devices to allow for unified governance and a standard security approach. Currently, we are not aware of a true unified model. However, hopefully, this is something we can see become available as the adoption of IoT continues to grow. The following is a diagram of the ideal future unified management model:

Figure 14.1 – The ideal unified management model in the future

So, we have provided some insights regarding the direction of device security and management along with the ideal future of better-unified management to simplify security for all devices within your organization. Next, we will discuss security and the future.

Security and the future

In this section, we will provide some thoughts on the growth and future of security and the role it will play in a world that becomes more connected every day. Technology continues to evolve at a significant pace and, as it grows, we need to get ahead of security, not only within the enterprise but also within the consumer space. Devices, gadgets, household items, entertainment, automobiles, accessories, and drones are all examples of the internet-connected "things" we are able to consume today. Unfortunately, security has been an afterthought for a lot of these items, as usability has become the focus, and this exposes a significant gap. Hopefully, as this space continues to evolve, we will see the creation of a more universal standard, with some form of certification showing whether a device meets minimum security specifications for both enterprise and consumer usage. A few examples of standardization that already exist include the PIN for debit cards, fingerprint or face recognition to unlock your phone, and the adoption of MFA across many services.

As highlighted several times throughout this book, your security strategy needs to shift toward leveraging cloud technologies in order to be more efficient in the future. By adopting next-generation cloud-based security technologies, you will be gaining the benefit of an environment that has little-to-zero self-managed infrastructure, is scalable, allows for automation, leverages the power of big data, makes use of artificial intelligence, and incorporates behavioral analytics. This model aligns better to companies going through a digital transformation to cloud-based infrastructure and offers greater support for a decentralized user base that requires work access from both corporate and personally owned devices.

As we move into the future, no matter the size of your organization or business, it is strongly recommended that you incorporate some form of a security presence. For a smaller business, security in the form of an outsourced model that leverages a Managed Security Service Provider (MSSP) may make more sense over hiring in house. Having an MSSP available will give you the necessary resources to provide the expertise needed to handle security-related incidents. Larger organizations may opt for an in-house security team, but many MSSPs can cater to larger organizations as well. There will be an increase in demand for security and services such as MSSPs as we continue to be challenged by more threats.

As we mentioned in the previous section, almost every powered device around us is becoming internet-connected. If we look in our homes alone, everything including alarm systems, video cameras, home entertainment systems, thermostats, light bulbs/switches, phones, smart TVs, doorbells, power outlets, appliances, and much more are becoming internet-enabled. The same also applies to the business world. As this trend continues to grow, we need to ensure our security standards are solidified and that a mature foundation is being provided in order to protect these items.

Critical infrastructure is one area that should be at the forefront of adopting and spearheading the development of security-based technologies. Examples include the energy sector, emergency services, chemical and nuclear plants, the transportation sector, and the government sector. These are essential services that support our daily lives, and even a minor disruption to them can be catastrophic. We need to ensure a secure future for these critical components of everyday life.

Cars, planes, trains, drones, autonomous vehicles, and even space travel all involve technology and have some form of external connectivity. These services are used by millions of people daily, and a compromise that can diminish the safe operation of these vehicles can result in severe damage or loss of life. We have already heard of cars being breached over the years as they continue to become more dependent on technology; one example is that of the Jeep hack incident: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. We are also seeing a massive increase in drone usage by consumers and its adoption for military purposes. We cannot afford security to be an afterthought in these technologies.

Although discussed several times, the personal "digital" identity continues to evolve and be enhanced. As FIDO2 usage continues to grow and we continue into a passwordless world, where do we go beyond this? Do we get to a place where an item we carry represents our entire identity without the need to carry car keys, a wallet, a license, or even a passport? Although considered a controversial topic, where will the future go with microchip implants? Will this ever become a reality or requirement for humans? Perhaps we will live in a world where a microchip can be considered mandatory, such as requiring an inoculation to enroll kids into certain schools or to board an airplane. As with all conversations around identity, we are faced with the ongoing concern with privacy and how it is handled and protected. Maintaining this balance with future technological opportunities will be interesting as this exciting space continues to evolve.

The final topic of discussion is that of robots and autonomy: what the future holds, and where we draw the line on how capable and intelligent robots are allowed to become. Most of us have watched some kind of futuristic movie in which robots become smarter than humans, with the strength to overpower humanity. Could this ever become a reality? And could robots be programmed to do more harm than good? These conversations will continue, and it's critical that we build a solid, core security model that includes protection against these threats as robotic technology continues to evolve. There should be no failure of security in this space.

From our discussion, the importance of security from a holistic approach should be clear; that is, one that does not overlook any area of the infrastructure, the physical device, or the underlying software down to the user identity. Security should be at the forefront when designing any solution and should be natively embedded into the product from the beginning. Nothing should be built without security, and failure to do this can result in a negative outcome.

Summary

In this chapter, we provided an overview of the 10 most important to-dos and takeaways from this book. In addition to the 10 most important to-dos, we covered some additional items to keep in mind as you continue to harden and secure your Windows workstations and servers. Each of these items includes a reference back to the original chapter where you can review the material to gain more understanding.

We then provided an overview, using our personal insights, of the future of device security and management. Here, we covered a few essential areas that relate to device security along with a brief overview of IoT and the importance of security management as this space evolves. We finished the chapter with more personal insights on security and the future, especially as they relate to the ever-evolving innovation of new and futuristic technologies.

This chapter concludes the content of this book and Windows security and hardening. We hope you enjoyed the content provided and that you were able to take away the necessary knowledge to help secure and strengthen your environment.