If we look at the data from the most recent Microsoft Security Intelligence Report, we see that more than 93 percent of malware required user interaction, abused AutoRun, or exploited known vulnerabilities for which a patch was already available. These are items that can be mitigated solely by configuring your systems correctly. Additionally, the Australian Government's Defence Signals Directorate released its top 35 mitigation strategies, the top 4 of which are configuration items that would have prevented more than 85 percent of the intrusions they observed, and the Center for Internet Security has shared its top 10 tips to help secure your information.
There is a ton of great information in these three resources, but it can seem overwhelming. To help, we've boiled the information down and combined it with our own experience, as well as what we've heard from many of you. To address these and other security concerns, we have come up with four controls that you can use to significantly reduce your risk. It's important to note that configuring these controls is a great first step, but ongoing assurance is critical to keeping the computers in your organization protected: a control that was set correctly on deployment day and has silently drifted since is worse than no control, because you still believe you have it. The great news is that now you can deploy these controls and monitor them for ongoing compliance using System Center 2012 Configuration Manager and our free Security Compliance Manager Solution Accelerator.
Patch your OS
The computers in your organization are only as secure as your least-patched system. I am sure that you are tired of hearing how important patching is. I remember how painful it was when I managed thousands of desktops and servers. That doesn’t eliminate the fact that it’s one of the most significant things that you can do to successfully reduce attacks on your clients and servers.
Luckily, Configuration Manager makes this easier than ever before, taking advantage of features like Automatic Deployment Rules to automate the monthly process, as well as the new Software Center interface that lets users better control their update experience. For a detailed walkthrough of these features, check out Jason Githens' blog on managing updates with Configuration Manager 2012.
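Deploying updates is only half of the control; the other half is being able to prove, per machine, that nothing applicable is outstanding. The following script is an added example (not code from the original post or from the Configuration Manager product) that asks the local Windows Update Agent which applicable updates are still missing and reduces the answer to a single Compliant/NonCompliant value, which is the shape a Configuration Manager DCM script setting expects. The 30-day threshold is an assumption to be tuned to your own maintenance window.

```powershell
# Added example, not from the original post: report applicable-but-missing
# updates via the Windows Update Agent COM API. Works on any machine that
# already points at WSUS/Configuration Manager; no extra modules required.
param(
    # Assumption: an update is "overdue" once it has been offered to this
    # client for more than this many days. Adjust to your patch cycle.
    [int]$MaxAgeDays = 30
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Only software updates that apply to this machine and are not yet installed.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        # MsrcSeverity is populated for Microsoft security bulletins only.
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        AgeDays  = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
    }
}

# Anything Critical, or anything older than the window, fails the check.
$overdue = @($missing | Where-Object { $_.Severity -eq 'Critical' -or $_.AgeDays -gt $MaxAgeDays })

$missing | Sort-Object AgeDays -Descending | Format-Table Title, KB, Severity, AgeDays -AutoSize

# Last output line is the value a DCM script setting compares against.
if ($overdue.Count -gt 0) { 'NonCompliant' } else { 'Compliant' }
```

Because the search goes through the Windows Update Agent, the answer reflects whatever the client is actually pointed at (WSUS, the Configuration Manager software update point, or Microsoft Update); it is therefore also a quick way to catch a machine whose agent has been mis-pointed or has stopped scanning.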
Update your applications & 3rd party add-ons
Secunia reports that in 2011, 79 percent of all vulnerabilities reported were identified in non-Microsoft products. Amazingly, patches were already available for 72 percent of these vulnerabilities at the time they were disclosed. The 50 most common applications deployed come from 12 different vendors, so to patch them effectively you need to learn a variety of additional update technologies.
System Center 2012 Configuration Manager provides several mechanisms to help here. The free System Center Updates Publisher tool provides a streamlined way to import patch catalogs from other vendors (such as Adobe) into Configuration Manager, and it also allows you to create your own. There are also a variety of other add-on tools which provide even deeper application patching for other applications. One example is System Center Alliance partner Eminentware, which delivers a terrific set of capabilities on top of Configuration Manager.
When we talk about patching and updating, don’t forget to update your anti-malware signatures. System Center 2012 Endpoint Protection is now deeply integrated into Configuration Manager as part of our evolving management and security strategy. Endpoint Protection in Configuration Manager provides deep protection through signature-based scans, behavior monitoring, vulnerability shielding, Windows Firewall management, and event-driven malware analysis and signature delivery through the Microsoft Active Protection Service.
Restrict the use of administrator accounts
According to BeyondTrust, running without admin rights would have mitigated 81 percent of the critical vulnerabilities published in 2010. I don't want to oversimplify this challenge, but we've worked hard to eliminate some of the more common issues blocking the use of least-privileged user accounts. There are still some edge cases that require administrative rights, like installing some local devices or installing new software. However, Windows 7 and Windows Server 2008 R2 provide many new features that make this a much more appetizing option.
Installation challenges can be mitigated by deploying your applications using Configuration Manager, but there are some legacy applications that may have run-time issues. In those cases, the use of Microsoft Application Virtualization (App-V) is a great solution that is designed to help. Check out Aaron Margosis’ blog for some great tips on running applications without admin privileges, and a fantastic tool called LUA Buglight that you can use to help identify admin-permissions issues in desktop applications.
Remember the following ordering. The best security posture is to run as a standard user. The next best is to run as a standard user but with access to a separate local administrator account on the computer when you need to elevate privilege. It is significantly less secure to perform routine tasks with administrator privileges, and you should never use a domain administrator account for any day-to-day operational tasks: a credential that is cached or typed on every workstation is a credential that one compromised workstation gives away.
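Restricting administrator accounts is only meaningful if you can see when the restriction stops being true. The script below is an added example (not from the original post or from the Security Compliance Manager baselines) that audits the local Administrators group against an allow-list and reports any drift. It uses the WinNT ADSI provider rather than the newer Get-LocalGroupMember cmdlet so that it runs on Windows 7 / Server 2008 R2 with PowerShell 2.0. The CONTOSO domain and the group names in the allow-list are placeholders.

```powershell
# Added example, not from the original post: flag drift in the local
# Administrators group. Suitable as a Configuration Manager DCM script
# setting or a scheduled task; runs as an ordinary (non-admin) user.

# Assumption: these are the only principals allowed to be local admins.
# 'Administrator' is the built-in local account; replace CONTOSO with your domain.
$Allowed = @(
    'Administrator',
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)

$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    # Each member is a raw COM object; pull its ADsPath by reflection.
    $adsPath = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # Domain principals look like WinNT://CONTOSO/Domain Admins;
    # local ones like WinNT://CONTOSO/HOSTNAME/Administrator (or WinNT://HOSTNAME/Administrator).
    $parts = ($adsPath -replace '^WinNT://', '') -split '/'
    if ($parts[-2] -ieq $env:COMPUTERNAME) { $parts[-1] } else { "$($parts[-2])\$($parts[-1])" }
})

# -contains / -notcontains are case-insensitive, which matches how Windows compares names.
$unexpected = @($members | Where-Object { $Allowed -notcontains $_ })
$missing    = @($Allowed | Where-Object { $members -notcontains $_ })

"Local Administrators on $($env:COMPUTERNAME): $($members -join ', ')"
if ($unexpected.Count -gt 0) { "Unexpected members: $($unexpected -join ', ')" }
if ($missing.Count    -gt 0) { "Missing expected members: $($missing -join ', ')" }

# Extra members are the security problem; a missing expected group is a
# management problem, so it is reported but does not fail the check.
if ($unexpected.Count -gt 0) { 'NonCompliant' } else { 'Compliant' }
```

Run it across the estate and the "Unexpected members" line is, in practice, a list of users who were granted admin "temporarily" and never removed, which is exactly the population that makes the 81 percent figure above apply to you.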
Harden your OS
Microsoft leads the industry in working with government agencies, customers, and partners to produce security hardening standards and security guides for many of our products. These can be found in our Security Compliance Manager (SCM) tool. You can use SCM to create Group Policy Objects (GPOs) to quickly configure your systems, or Configuration Manager desired configuration management (DCM) configuration packs to monitor your clients for compliance with these standards.
The configuration baselines available in SCM include pre-configured recommendations for both workstations and servers. They address hundreds of the most significant controls such as passwords, firewall and network configuration, encryption, and logging. The configuration baselines are designed to meet the requirements of hundreds of regulations and standards worldwide.
In addition, system hardening includes the use of application whitelists (allow-lists) and blacklists (block-lists). AppLocker, introduced in Windows 7 and Windows Server 2008 R2, is the evolution of Software Restriction Policies; it uses the concept of signed applications to greatly simplify this process. Microsoft and many other vendors sign their applications so that they can be allowed to run based on a simple ruleset, typically one publisher rule per vendor instead of one hash rule per file version. We encourage all organizations to code-sign their own internally developed applications to take advantage of this functionality.
We do recognize that organizations can have thousands of applications, so AppLocker includes an audit-only mode that you can deploy on a cross-section of your systems: the rules are evaluated and the outcome is logged, but nothing is blocked, so you can see what the rules would have done to production systems before you enforce them. It's no small challenge, but AppLocker can provide an important piece of your overall security management solution.
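The audit-only rollout described above, as an added example that is not part of the original post: build publisher rules from a known-good reference build (hash rules only for unsigned binaries), flip the generated policy to AuditOnly before it touches a machine, make sure the Application Identity service that AppLocker depends on is running, and afterwards summarize the "would have been blocked" events. The AppLocker cmdlets and the event log name are the real ones that ship with Windows 7 / Server 2008 R2; the directories scanned and the output file path are assumptions.

```powershell
# Added example, not from the original post: AppLocker audit-mode pilot.
# Run elevated on a pilot machine (AppLocker requires Windows 7 Enterprise/
# Ultimate or Windows Server 2008 R2).
Import-Module AppLocker

# 1. Inventory executables on a reference build. Directories are assumptions.
$files = foreach ($dir in 'C:\Program Files', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Generate rules: Publisher where the file is signed, Hash otherwise.
#    -Optimize collapses rules that share a publisher into one.
$policyXml = 'C:\Temp\AppLocker-Audit.xml'   # assumption
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -Encoding UTF8 $policyXml

# 3. Force every rule collection to AuditOnly before deploying. Enforcement
#    is a separate, later decision once the audit log is clean.
[xml]$xml = Get-Content $policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyXml)

# AppLocker does nothing (not even logging) unless AppIDSvc is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply locally to the pilot machine. For a pilot OU, pass -Ldap with the
# GPO's LDAP path instead.
Set-AppLockerPolicy -XmlPolicy $policyXml

# 4. After the pilot period: event 8003 means "allowed to run, but would have
#    been blocked under Enforce". Each distinct path below needs either a new
#    rule or a decision that it should indeed be blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Two practical notes. First, keep the pilot running across at least one full month-end and one patch cycle, since those are when the odd, once-a-quarter tools surface. Second, the same 8003 query, pointed at the other AppLocker logs (MSI and Script), tells you whether the installer and script collections are ready to enforce, and it is the check a DCM baseline should carry once you move to enforcement: any 8004 (blocked) event for a sanctioned application is a rule gap, not a user error.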
Call to action:
The Microsoft Solution Accelerator team has released a set of additional baselines for our free Security Compliance Manager (SCM) tool that adds new checks to quickly monitor patch status, identify changes to the administrators group, and report on the use of whitelists using the desired configuration management feature in Configuration Manager. Here’s a quick screenshot of these checks in SCM:
Using these capabilities in conjunction with the traditional baselines provides a robust solution to monitor these key security controls. Here’s what we recommend for next steps:
A well-managed environment pays dividends, and not only in increased security. Even mitigating one attack can save your organization hundreds of thousands of dollars and keep you out of next year’s Data Breach report!
Hi Stephen, thanks for the post and insight on the new 2012 SCM; beta 1 was great, it changed our whole IT plan of attack for the department and the previous deployment tools being used.
It's been a somewhat annoying issue with so many new form factors hitting the office week after week, and with your new SCM release for 2012 I feel we will have a better handle on the compliance level and monitoring for these devices.
Thanks again for the post and 2012 Eval.
- Stay Powered by Windows
Good article, nice to see we're doing most of these things already, and a couple of other pointers for us to try, notably the Updates Publisher and the SCM and DCM. We slipped up on that on our last audit: we could prove things were OK, but collecting all these CIs together and adding a tick or cross in the box is what would be useful for quickly finding out-of-compliance machines.
I am so glad this internet thing works and your article really helped me. Might take you up on that home advice you. I just required some information and was searching on Google for it. I visited each page that came up on the first page and didn't get any relevant result, then I thought to check out the second one and got your blog. This is what I wanted!