Todays blog is from Chase Carpenter who is a Principal Product Unit Manager with the Microsoft Security & Compliance team and builds upon our SCM 2.5 post from April 3rd.
Updated November 8, 2014 1:49 am -
This week, I was reading through Verizon’s 2012 Data Breach Investigations Report. Last year, they recorded a dramatic increase in the number of security incidents that exposed more than 174 million user records. What I found most disappointing was the fact that 97 percent of these breaches could have been prevented by using rather basic security controls. Malware played a role in 95% of the stolen data last year and hacking (obtaining access illegally) was an issue with 81% of all breaches and 99% of the records. There is also direct evidence that, while important, anti-malware alone isn’t as effective as it once was. Obviously, addressing these attack vectors with a defense in depth approach reduces an enormous amount of risk to your organization.
If we look at the data from the most recent Microsoft Security Intelligence Report, we see that more than 93 percent of malware required user interaction, the ability to abuse AutoRun, or leveraged known, but patched vulnerabilities. These are items that can be mitigated solely by configuring your systems correctly. Additionally, the Australian Government’s Defence Signals Directorate released it’s top 35 mitigation strategies, the top 4 of which are configuration items that would have prevented more than 85 percent of the intrusions they observed, and the Center for Internet Security has shared it’s top 10 tips to help secure your information.
There is a ton of great information in these three resources, but it can seem overwhelming. To help, we’ve boiled the information down and combined it with our own experience, as well as what we’ve heard from many of you. To address these and other security concerns, we have come up with four controls that you can use to significantly reduce your risk. It’s important to note that configuring these controls is a great first step, but on-going assurance is critical to keeping the computers in your organization protected. The great news is that now you can deploy these controls and monitor them for on-going compliance using System Center 2012 Configuration Manager and our free Security Compliance Manager Solution Accelerator.
Patch your OS
The computers in your organization are only as secure as your least-patched system. I am sure that you are tired of hearing how important patching is. I remember how painful it was when I managed thousands of desktops and servers. That doesn’t eliminate the fact that it’s one of the most significant things that you can do to successfully reduce attacks on your clients and servers.
Luckily, Configuration Manager makes this easier than ever before, taking advantage of features like Automatic Deployment Rules to automate the monthly process as well as the new Software Center interface that lets users better control their update experience. For a detailed walkthrough of these features, check out Jason Githens blog on managing updates with Configuration Manager 2012.
Update your applications & 3rd party add-ons
Secunia reports that in 2011 79 percent of all vulnerabilities reported were identified in non-Microsoft products. Amazingly patches were available for 72 percent of these vulnerabilities at the time they were disclosed. The 50 most common applications deployed are from 12 different vendors. To effectively patch them, you need to learn a variety of additional technologies.
System Center 2012 Configuration Manager provides several mechanisms to help here. The free System Center Updates Publisher tool provides a streamlined way to inject patch catalogs from other vendors (such as Adobe) into Configuration Manager and it also allows for you to create your own. There are also a variety of other add-on tools which provide even deeper application patching for other applications. One example is System Center Alliance partner- Eminentware, which delivers a terrific set of capabilities on top of Configuration Manager.
When we talk about patching and updating, don’t forget to update your anti-malware signatures. System Center 2012 Endpoint Protection is now deeply integrated into Configuration Manager as part of our evolving management and security strategy. Endpoint Protection in Configuration Manager provides deep protection through signature-based scans, behavior monitoring, vulnerability shielding, Windows Firewall management, and event-driven malware analysis and signature delivery through the Microsoft Active Protection Service.
Restrict the use of administrator accounts
According to BeyondTrust, running without admin rights would have eliminated 81 percent of critical vulnerabilities in 2010. I don’t want to oversimplify this challenge, but we’ve worked hard to eliminate some of the more common issues blocking the use of least privileged user accounts. There are still some edge cases that require administrative rights like installing some local devices or installing new software. However, Windows 7 and Windows Server 2008 R2 provide many new features that make this a much more appetizing option.
Installation challenges can be mitigated by deploying your applications using Configuration Manager, but there are some legacy applications that may have run-time issues. In those cases, the use of Microsoft Application Virtualization (App-V) is a great solution that is designed to help. Check out Aaron Margosis’ blog for some great tips on running applications without admin privileges, and a fantastic tool called LUA Buglight that you can use to help identify admin-permissions issues in desktop applications.
Remember the following key issues. The best security solution is to run as a standard user. The next best scenario is to run as a standard user but with access to a local administrator account on the computer when you need to escalate privilege. It is significantly less secure to perform routine tasks with administrator privileges and you should always avoid using a domain administrator account for any day-to day operational tasks.
Harden your OS
Microsoft leads the industry in working with government agencies, customers, and partners to produce security hardening standards and security guides for many of our products. These can be found in our Security Compliance Manager (SCM) tool. You can use SCM to create Group Policy Objects (GPOs) to quickly configure your systems or Configuration Manager DCM configuration packs to monitor your clients for compliance with these standards.
The configuration baselines available in SCM include pre-configured recommendations for both workstations and servers. They address hundreds of the most significant controls such as passwords, firewall and network configuration, encryption, and logging. The configuration baselines are designed to meet the requirements of hundreds of regulations and standards worldwide.
In addition, system hardening includes the use of whitelists and exclusion lists. AppLocker is an evolution of the Software Restriction Policies functionality in Windows Server 2008 R2 and Windows 7 that uses the concept of signed applications to greatly simplify this process. Microsoft and many other vendors sign our applications so that they can be allowed to run based on a simple ruleset. We encourage all organizations to self-sign their own internally developed applications to take advantage of this functionality.
We do recognize that organizations can have thousands of applications so AppLocker includes an audit-only mode that you can deploy on a cross-section of your systems to monitor how the rules might have impacted production systems. It’s no small challenge, but AppLocker can provide an important piece of your overall security management solution.
Call to action:
The Microsoft Solution Accelerator team has released a set of additional baselines for our free Security Compliance Manager (SCM) tool that adds new checks to quickly monitor patch status, identify changes to the administrators group, and report on the use of whitelists using the desired configuration management feature in Configuration Manager. Here’s a quick screenshot of these checks in SCM:
Using these capabilities in conjunction with the traditional baselines provides a robust solution to monitor these key security controls. Here’s what we recommend for next steps:
- Download the evaluation version of System Center 2012 Configuration Manager if you don’t already have it installed. Evaluate the patch deployment, software deployment, endpoint protection, and compliance monitoring features that it provides.
- Try running as non-admin again. Evaluate Microsoft Application Virtualization (App-V) for the older applications that may still not work under least privilege.
- Download Security Compliance Manager (SCM) and customize a configuration baseline. Then export a DCM pack and use Configuration Manager to start monitoring your systems for compliance.
A well-managed environment pays dividends, and not only in increased security. Even mitigating one attack can save your organization hundreds of thousands of dollars and keep you out of next year’s Data Breach report!