The 4 pillars of Windows network security

Prior to Microsoft’s Ignite conference I was able to talk with the company’s CISO Bret Arsenault about some key elements that we all should be doing to keep Windows networks secure. He talks about four pillars of security: passwordless identity management, patch management, device control and security benchmarks.

1. Passwordless identity management

Arsenault’s recommendations start with using multi-factor authentication (MFA) and moving to passwordless identity management. Based on the 2020 Verizon Data Breach Investigations Report, stolen credentials are behind 80% of cyberattacks. It’s a key reason why Microsoft emphasizes getting rid of normal passwords and focuses on passwordless techniques.

You have three main passwordless options for Windows deployments. The first is using Windows Hello for Business, which includes biometric authentication. To support Windows Hello for Business for cloud-only deployments, you need Windows 10 version 1511 or later, a Microsoft Azure Account, Azure Active Directory (AD), Azure Multi-factor Authentication, Modern Management (Intune or supported third-party MDM). Optionally, you could have an Azure AD Premium subscription for automatic MDM enrollment when the device joins Azure AD. For hybrid deployments, you need Windows 10 version 1511 or later and be Hybrid Azure AD joined or Azure AD joined.

The next option, and one that I use, is the Microsoft Authenticator app. (You can also use the Google Authenticator app for two-factor verification, but you will need Microsoft Authenticator for passwordless implementation.) This may be a viable option for you if your applications support the Authenticator app and your users can use the same platform for multiple cloud applications. As noted in Microsoft’s documentation, the technology used is similar to Windows Hello. To deploy it you need Azure Multi-Factor Authentication with push notifications allowed as a verification method. Then you need the latest version of Microsoft Authenticator installed on devices running iOS 8.0 or greater or Android 6.0 or greater.

Finally, you can implement passwordless solutions with FIDO 2.0 security keys. You need something like Yubikey, which supports a resident key, client PIN, HMAC-secret and multiple accounts per relying party (RP).

2. Patch management

The next key element that Arsenault pointed is ensuring you have a process for patch management. His recommendation is not to delay and to patch, patch, patch! He also advises that you have a system for keeping all software used by employees up to date.

Businesses often do not immediately patch. Rather they immediately test and then decide to roll out the update if no problems arise during testing. Microsoft needs to build back the trust of the enterprise with the quality of their updates. In June, printers with PCL 5 drivers were impacted with a side effect introduced by KB4557957 that caused them to stop printing. Many enterprises held back on rolling out the June updates until they figured out a workaround or received a fix from Microsoft. Most firms ultimately do patch, but clearly not as quickly as Arsenault or Microsoft would like.

Microsoft has several sessions at Ignite on best practices for rolling out updates. These include:

• Plan to deploy and manage updates for Windows 10 and Office
• Prepare to deploy and manage updates for Windows 10 and Office
• Deploy and manage updates for Windows 10 and Office
• Tips for managing Windows 10 and Office updates for remote devices

Microsoft also has videos for issues that they’ve heard from customer feedback and from Insider Hub feedback. These videos include:

• On-premises Windows update management: what’s changed and what you need to know
• Optimize monthly Windows update delivery for remote work and business continuity
• Modernizing update testing in the cloud
• Windows updates and recovery: smooth + seamless – happy IT and happy users
• Accelerating the journey to modern management
• How to deploy Windows Virtual Desktop and secure your environment
• Eliminate on-premises print servers with Universal Print

3. Device control

Arsenault urges security admins to get a handle on device control. Ensure that all devices connecting to your network, including company-owned, personal and edge devices like printers and phone systems, are identified, patched and secured. Especially if you have Microsoft 365, it is recommended to use Intune to identify and manage devices connecting to your network. Due to the pandemic, people are using more consumer devices to connect to company resources. Microsoft Intune can help manage a variety of resources include iOS/iPadOS, Android, Windows and macOS devices.

For enterprises, managing printers is still a work in process. Key needs often dictate certain types and kinds of network printers. As such, they communicate to the internet, have hard drives and run software. Their firmware needs to be updated to be secure, sometimes in ways that aren’t as efficient as patching operating systems. With the move to working from home, there is less of a need for network printers and more for PDF management, but in certain industries printers are still a key need.

I’d add one more element to Arsenault’s suggested device control advice: Ensure that your consultants also use secure and up-to-date tools when they connect remotely and provide assistance to your firm. Too many ransomware attacks this year have started with an attacker gaining access to the business through its consultants. The attackers often don’t just harm one business, but all the businesses under the guidance of the managed service provider. Review their security posture as well.

4. Security benchmarks

Reviewing benchmarks tells you how well your security best practices compare to your peers, Arsenault advises. Microsoft 365 includes Microsoft’s secure score. You can also use the Center for Internet Security benchmark documents to check your settings. Then review the information in the Microsoft 365 Security center periodically for changes and revise the settings for Microsoft 365 accordingly.

Keeping up with the changes means keeping track of the products, the product roadmap, and, often, product name changes. For example, the following product name changes were announced at Ignite:

• Microsoft Threat Protection is now Microsoft 365 Defender
• Azure Advanced Threat Protection is now Microsoft Defender for Identity
• Microsoft Defender Advanced Threat Protection is now Microsoft Defender for Endpoint
• Office 365 Advanced Threat Protection is now Microsoft Defender for Office 365
• Azure Security Centre Standard Edition is now Azure Defender for Servers
• Azure Security Centre for IoT is now Azure Defender for IoT
• Advanced Threat Protection for SQL is now Azure Defender for SQL

The intent of the new names is to more clearly define what each does. Bookmark each landing site and review each. If you don’t currently have access to the features, sign up for a trial (preferably a trial of Microsoft 365 E5 that brings all the pieces together) to see the unified security vision of Microsoft.

Keeping up with Microsoft’s changes can be daunting. Often the best way to follow Microsoft is to pay close attention to their major conferences. With the pandemic, Microsoft (and many other vendors) have pivoted to online venues and made the conference free or low cost.

Technology is changing rapidly. These four pillars: passwordless identity management, patch management, device control, and comparing yourself to benchmarks are all pillars of good business security. As always stay safe and stay secure.