I recently invited security expert Andy Malone to join me and co-host Ami Casto for an episode of the Enterprise Endpoint Experts (E3) podcast. Andy is a Microsoft MCT and MVP, popular security author, consultant, and speaker. He’s also a sci-fi author, which you can learn more about by listening to the podcast here. In this blog, I pick out 10 of the important security configuration management best practices he shared with us.
1. Keep Windows Up to Date
The most important thing for any company to do to stay secure is to apply OS updates to all systems as quickly as possible. Andy puts it this way, “Patch, patch, patch. And when you finish patching, patch some more.”
While some companies force users to update, some give them more leeway. Microsoft used to make this a lot easier, with less frequent updates on Patch Tuesdays. Now, it’s more of a drip, drip, drip. Part of the issue is that updates can require a reboot, which users tend to put off. Microsoft is helping by allowing users to schedule their updates and delivering other enhancements to the process.
Delivering updates to all users quickly also challenges businesses. In a recent survey of IT pros by Adaptiva, over half of respondents indicated it can take a month or more for IT teams to execute Windows OS updates. That ultimately leaves systems vulnerable, and companies should work to patch much more quickly.
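One way to turn the advice above into a check you can run on every endpoint, as an added PowerShell example that is not from the podcast, the blog, or Adaptiva: it reports the age of the newest recorded hotfix and whether the machine is sitting on a pending reboot. The 30-day threshold is an assumption chosen to match the one-month figure from the survey; the two registry locations are the standard ones Windows Update and Component Based Servicing create while a restart is outstanding.

```powershell
# Added example (not from the podcast or blog): report how stale an endpoint's
# Windows updates are and whether it is waiting on a reboot that users keep putting off.
# The threshold is an assumption; it mirrors the one-month figure from the survey above.
$MaxPatchAgeDays = 30

# Registry locations Windows Update and Component Based Servicing create while a
# restart is pending. Either one present means installed updates are not yet effective.
$PendingRebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)

function Get-PatchStatus {
    param([int]$MaxAgeDays = $MaxPatchAgeDays)

    # Get-HotFix reads Win32_QuickFixEngineering; entries without an install date are skipped.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $ageDays = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }
    $rebootPending = @($PendingRebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        LastHotFixId  = if ($latest) { $latest.HotFixID } else { 'none recorded' }
        InstalledOn   = if ($latest) { $latest.InstalledOn } else { $null }
        PatchAgeDays  = $ageDays
        RebootPending = $rebootPending
        # Compliant only if a hotfix is recorded, it is recent enough, and nothing is waiting on a reboot.
        Compliant     = ($null -ne $ageDays) -and ($ageDays -le $MaxAgeDays) -and (-not $rebootPending)
    }
}

$status = Get-PatchStatus
$status | Format-List

if (-not $status.Compliant) {
    Write-Warning "$($status.ComputerName) is outside the patch policy: age $($status.PatchAgeDays) days, reboot pending = $($status.RebootPending)"
}
```

Two caveats for anyone using this as a compliance item: Get-HotFix only sees updates recorded in Win32_QuickFixEngineering, so it is a staleness indicator rather than a complete inventory, and a pending reboot means the patch is installed but not yet protecting the machine, which is exactly the gap the text describes.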
2. Switch Off Any Services You’re Not Using
This seems like a no-brainer, but a number of companies don’t fully lock this down. Do you know which services your company is allowing and disallowing? Are you monitoring endpoints for rogue services and cracking down on them? If not, you should be.
3. Disable Any Ports That You Don’t Need
Open ports are a red carpet welcome for a variety of cyberattacks. Every company knows this. Yet many companies still don’t lock down ports carefully. Or they do it once and then don’t verify compliance on an ongoing basis. Every Windows endpoint should be port-restricted to use only what’s needed—at all times.
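The two points above (rogue services and unneeded ports) come down to the same practice: keep a documented allowlist and compare each endpoint against it on a schedule. The following PowerShell is an added example, not code from the podcast, the blog, or Adaptiva. Both allowlists are constructed for illustration and are deliberately short; a real baseline would come from your own documented desktop policy. It also reads the Windows Firewall profile defaults, since blocking inbound by default is how the port restriction is actually enforced.

```powershell
# Added example (not from the podcast or blog): audit a Windows endpoint against an
# allowlist of running services and listening TCP ports, and show whether the firewall
# blocks inbound traffic by default. Allowlists below are constructed placeholders.

# Constructed baseline: service names expected to be running on a standard desktop.
$AllowedServices = @(
    'BFE', 'CryptSvc', 'Dhcp', 'Dnscache', 'EventLog', 'LanmanWorkstation',
    'MpsSvc', 'RpcSs', 'Schedule', 'WinDefend', 'Winmgmt', 'wuauserv'
)

# Constructed baseline: TCP ports a standard desktop is expected to listen on.
$AllowedPorts = @(135, 445, 5985)

function Get-UnexpectedServices {
    param([string[]]$Allowed)
    # Anything running that is not on the list is a candidate rogue service.
    Get-Service |
        Where-Object { $_.Status -eq 'Running' -and $Allowed -notcontains $_.Name } |
        Select-Object Name, DisplayName, StartType
}

function Get-UnexpectedListeners {
    param([int[]]$Allowed)
    # Map each unexpected listening socket to the process that owns it.
    Get-NetTCPConnection -State Listen |
        Where-Object { $Allowed -notcontains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
}

function Get-FirewallDefaults {
    # A profile whose default inbound action is not Block leaves every open port reachable.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

$services = @(Get-UnexpectedServices -Allowed $AllowedServices)
$ports    = @(Get-UnexpectedListeners -Allowed $AllowedPorts)
$firewall = @(Get-FirewallDefaults | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' })

if ($services.Count) { Write-Warning 'Running services outside the allowlist:'; $services | Format-Table -AutoSize }
if ($ports.Count)    { Write-Warning 'Listening TCP ports outside the allowlist:'; $ports | Format-Table -AutoSize }
if ($firewall.Count) { Write-Warning 'Firewall profiles not blocking inbound by default:'; $firewall | Format-Table -AutoSize }

if (-not ($services.Count -or $ports.Count -or $firewall.Count)) {
    Write-Output "$env:COMPUTERNAME matches the documented services, ports and firewall baseline."
}
```

Run it elevated so the owning process of each socket resolves, and schedule it (or wrap it as a Configuration Manager compliance item) rather than running it once; the ongoing verification the text calls for is the part most shops skip. Get-NetTCPConnection and Get-NetFirewallProfile ship with Windows 8 / Server 2012 and later.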
4. Don’t Forget Your VMs!
Andy says it’s amazing how many people patch their physical systems and overlook the VMs when it comes to applying updates and other security configuration management policies. Your virtual machines are just as vulnerable a target as physical computers. Cyberattackers don’t discriminate.
5. Stay on Top of Third-Party Patching
In the cybersecurity industry, attackers’ focus has moved away from operating systems and toward applications and mobile devices as well. So, application updates are no longer just about functionality; they’re also about security. Antivirus is critical, but it’s just one of many third-party applications.
With tools like Configuration Manager or Intune, you can actually download the updates from the vendors and then push them out to your users. However, both products are limited to specific software vendors in different ways. That means administrators have to do a lot of heavy lifting or find some other solution to keep third-party patching current. You can learn more about the challenges in the E3 third-party patching podcast with Duncan McAlynn.
6. Office 365 Shops Should Check Their Secure Score
In a corporate environment, companies really are paying more attention to how they lock down Office 365. They need to make sure data isn’t leaked and that business units aren’t sharing data to other business units. Microsoft data loss prevention can help, but it’s just another tool to configure. The question is: are your systems configured correctly?
To this end, Microsoft has a piece of software called Secure Score. It analyzes the security of Office 365 across your entire organization. The solution analyzes things like users’ regular activities and security settings. Then it gives you a sort of “credit score for security.”
You as an administrator can run Secure Score on your Office 365 portal. The higher the score, the more secure you are. Microsoft gives you all of the security tools but doesn’t necessarily configure them for you. You might go in and find that you have a horrible score. At least you’ll know what to do to fix it!
7. Make Sure You Have a Documented Desktop Configuration Policy
Make sure you’ve got a good security policy for dealing with access to your common desktop. Is the user allowed to do anything they like? Or is it cut down? Do you have a VPN access policy, and what is it? What is your policy for identity and authentication?
There’s a whole world of things that you could do—far too many to mention here. However, if you don’t document the policy as a starting point, you will almost certainly have vulnerabilities.
8. Use Multi-Factor Authentication
Definitely consider multi-factor authentication (MFA). MFA is very practical now, with fingerprints, facial scans, etc. Biometrics really has changed the game, though other forms of secondary authentication are fine. The main thing is: don’t rely exclusively on usernames and passwords anymore.
9. Have an Incident Response Plan in Place
Your company should have a set of procedures in place for the “what if” scenario. This way, you are prepared if you get hit with malware, if there’s a disaster, or if there’s some kind of data breach. If you have a plan already, “you don’t run around like a headless chicken,” as Andy puts it. You need to flip over to “Okay, right, there’s a procedure for that; let’s deal with it.”
Remember that you might need to restore data. When talking about security, we often talk about computer security. For a company, however, the topic of information security looms large. A company needs to be prepared to bring back data if and when an incident occurs.
10. Have Employees Sign a Security Awareness Agreement
Social engineering is the biggest hammer cyberattackers have. Over 80 percent of breaches come from within a company. It’s not that employees are evil; they don’t usually mean harm. Andy jokes, “Stupidity. There’s never a patch for stupidity.” But, really, he knows all the people at your company are smart—just lacking training.
Training an entire company on cybersecurity is a massive undertaking but will make a huge difference. Your company should conduct security awareness training and take users through it. Once they have passed, have them sign an awareness agreement. The agreement should say, more or less, “Okay, we have a web access policy, and I know what it is. Same for our email access policy, VPN policy, etc.” Then, there really is no excuse.
The podcast goes into more detail about MDM, the cloud, and other security topics. Plus, Andy answers the question, “Would you rather be able to see 10 minutes into your own future or 10 minutes into the future of everybody else?” You can also follow Andy at andymalone.org and on Twitter @andymalone.
If you’d like to learn more about automating verification of security policy and all the items we’ve mentioned here, visit insights.adaptiva.com/client-health.