Even in the age of BYOD (Bring Your Own Device) and things such as the Windows Store in Windows 8+ that give end users more control over their devices, maintaining some level of control over the endpoints that your organization owns is still important for security reasons. Following are some of the things I do as best practices when securing an organization’s desktop and laptop systems.
Be transparent to the end user
If you’re implementing any of the technologies in this article for the first time, I highly encourage you to communicate the changes to your end users and make sure they know how the changes will impact them. Letting them know about the changes and how they will benefit the organization will go a long way toward gaining acceptance.
You should also strive to keep the changes as unobtrusive to the end user as possible. You want users to know the changes are there, but the changes shouldn’t be so drastic that they impact the performance of the users’ computers and their ability to get their work done. The worst thing you can do is implement a security change that users circumvent because the change prevents them from doing their job.
Inventory management and MDM
You can’t secure what you don’t know about. Running a product such as System Center Configuration Manager, LANDesk, Altiris, or some other systems management platform not only lets you inventory all of your assets but also gives you the ability to manage other aspects of your endpoints, such as software updates, antivirus, and firewalls. If a device walks away, either through loss or theft, having access to its model and serial number can be helpful to law enforcement and insurance companies if you insure your devices.
For your mobile devices, a Mobile Device Management (MDM) solution is a must for maintaining those devices that are on the go and not regularly connected to the corporate network. Products such as Microsoft’s Intune are a great option for managing those systems and can also integrate with SCCM.
Antivirus and antimalware
This is really a no-brainer, right? Sure, Windows 8 and 10 come with Windows Defender built in to the OS, but are end users going to call their IT person or the Help Desk every time they get a notice on their computer that the antivirus application has performed an action? My experience is that most end users won’t until it impacts their ability to work.
I highly recommend using an antivirus/antimalware product that allows you to manage the application on the endpoint rather than something like the built-in Windows Defender that doesn’t send feedback to IT.
Enterprise antivirus applications check in (usually through an agent) with a central server that IT can use to control the configuration, control updates, and monitor the solution. And, it’s really nice to set up email alerts for system infections. Who wants to have to run a report on a system every day when you can just have it emailed to you?
Host firewall
Another no-brainer. Personally, I’m a fan of the built-in firewall in Windows 7+. It handles both inbound and outbound filtering and supported IPv6 before most of the third-party products out there did. Using the built-in firewall also gives you the benefit of being able to control it through either Group Policy or System Center Configuration Manager.
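As an added example (not part of the original article), the following PowerShell audits the three Windows Firewall profiles for the settings a managed endpoint should have and shows the remediation call; it assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated prompt.

```powershell
# Added example, not from the original article: check each Windows Firewall profile against a
# simple baseline (enabled, inbound blocked by default, dropped packets logged) and report drift.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated prompt.
function Get-FirewallProfileFindings {
    foreach ($p in Get-NetFirewallProfile) {
        $issues = @()
        if ([string]$p.Enabled -ne 'True')               { $issues += 'profile is disabled' }
        if ([string]$p.DefaultInboundAction -ne 'Block') { $issues += "default inbound action is $($p.DefaultInboundAction)" }
        if ([string]$p.LogBlocked -ne 'True')            { $issues += 'dropped packets are not logged' }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Profile = $p.Name; Issues = ($issues -join '; ') }
        }
    }
}

function Set-FirewallProfileBaseline {
    # Inbound blocked by default, outbound allowed, dropped packets logged to a 16 MB file
    # so the log is actually useful during incident response.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow `
        -LogBlocked True `
        -LogMaxSizeKilobytes 16384
}

$findings = Get-FirewallProfileFindings
if ($findings) {
    $findings | Format-Table -AutoSize
    # Uncomment to remediate locally; when the profiles are managed by Group Policy, fix the GPO instead.
    # Set-FirewallProfileBaseline
} else {
    'All firewall profiles match the baseline.'
}
```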
Disk encryption
Disk encryption is no longer just for mobile devices. Encrypting the hard drives of your endpoints is a must now. Even if you’re using technologies such as Folder Redirection to keep data off computers, sensitive data can still end up in Offline Files, temp directories, and other non-standard locations for data storage, such as folders in the user’s profile.
File Explorer showing a BitLocker encrypted OS disk, data disk, and removable drive
What if your users don’t have access to sensitive data? You should still seriously consider encrypting all devices regardless of form factor, even if the device is stationary and physically locked down. An attacker or malicious employee can use an offline attack to reset the local Administrator password and then log on to the computer with that account. Once the system has been compromised, it can be used to steal the credentials of anyone who logs in to the computer, and for all sorts of other malicious activity if it is connected to your corporate network.
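As an added example (not from the original article), this PowerShell reports BitLocker coverage for every volume and shows how to turn it on for the OS volume with a TPM protector plus a recovery password escrowed to Active Directory; it assumes the BitLocker and TrustedPlatformModule modules (Windows 8 / Server 2012 or later), an elevated prompt, and a GPO that permits storing recovery information in AD DS.

```powershell
# Added example, not from the original article: BitLocker coverage report plus an OS-volume
# enablement routine (TPM protector + AD-escrowed recovery password).
# Requires the BitLocker module, an elevated prompt, and a GPO allowing AD DS key escrow.
function Get-BitLockerCoverage {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume     = $_.MountPoint
            Type       = $_.VolumeType          # OperatingSystem / Data
            Protection = $_.ProtectionStatus    # On / Off (Off means the drive is readable offline)
            Status     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            Percent    = $_.EncryptionPercentage
            Protectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

function Enable-OsVolumeBitLocker {
    param([string]$MountPoint = $env:SystemDrive)

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No ready TPM on this machine; a TPM protector cannot be used.'
    }
    if ("$((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus)" -eq 'On') {
        Write-Warning "$MountPoint is already protected."
        return
    }

    # TPM protector and start encrypting. XtsAes256 needs Windows 10 1511 or later; use Aes256
    # on older systems. -SkipHardwareTest avoids the reboot-and-test cycle.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest | Out-Null

    # Add a recovery password and escrow it to AD so the help desk can unlock the drive later.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    Get-BitLockerVolume -MountPoint $MountPoint
}

Get-BitLockerCoverage | Format-Table -AutoSize
# Enable-OsVolumeBitLocker   # uncomment on a machine you actually intend to encrypt
```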
Application whitelisting/blacklisting
One of my favorite features introduced with Windows 7 is AppLocker. AppLocker is an application control service that allows IT to whitelist (allow) and/or blacklist (deny) executables, scripts, Windows Installers (MSI files), Windows Store/Universal apps (in Windows 8+), and even DLL files from running on endpoints.
With AppLocker (or other third-party solutions), you can allow only selected software to run based on criteria such as file location, digital signature, or file hash. Even if you set a policy that allows all software to run by default, you can still blacklist/block applications that your users shouldn’t be using with the same location, digital signature, or file hash settings.
AppLocker blocking an unauthorized application from running (program is blocked by group policy)
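As an added example (not from the original article), this PowerShell builds an AppLocker executable policy from the publisher signatures and hashes of binaries already installed on a reference machine, tests it against a folder, and deploys it in audit-only mode so you can review what would have been blocked before enforcing; it assumes the AppLocker module, an elevated prompt, and the Application Identity service (AppIDSvc) running.

```powershell
# Added example, not from the original article: reference-machine AppLocker EXE policy,
# dry-run test, audit-mode deployment, and review of the resulting audit events.
# Requires the AppLocker module and an elevated prompt; AppIDSvc must be running.
function New-ReferenceExePolicy {
    param([string[]]$TrustedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir))

    # Gather signature and hash data for every EXE under the trusted directories.
    $info = foreach ($dir in $TrustedDirs) {
        if ($dir -and (Test-Path $dir)) {
            Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
        }
    }
    # Publisher rules where the file is signed, hash rules otherwise; -Optimize merges duplicates.
    $policy = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize
    # Start in audit mode: events are logged but nothing is blocked.
    foreach ($rc in $policy.RuleCollections) { $rc.EnforcementMode = 'AuditOnly' }
    return $policy
}

$policy  = New-ReferenceExePolicy
$xmlPath = Join-Path $env:TEMP 'AppLocker-Exe-Audit.xml'
$policy.ToXml() | Out-File -FilePath $xmlPath -Encoding utf8

# Dry run: which executables in the current user's Downloads folder would be denied?
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy (use Group Policy for fleet-wide deployment).
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# Review what audit mode would have blocked: event ID 8003 in the AppLocker EXE and DLL log
# (8004 is an actual block once enforcement is turned on).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message -First 20
```

Run the reference build on a clean, fully patched image so the policy does not inherit unwanted binaries; switch the rule collections to Enabled only after the 8003 events have been reviewed.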
Windows and third-party updates
Even if you’ve locked down a computer to the point of being barely usable (which I don’t recommend), missing updates can still allow an attacker to compromise the computer. Smaller organizations can simply use Windows Update to automatically update systems. Larger organizations can use Windows Server Update Services (WSUS) or systems management products such as System Center Configuration Manager for pushing out updates for Windows, Office, and other Microsoft products.
Third-party updates are just as important as (if not more important than!) Windows and Office updates. Adobe Flash and Oracle Java both have a bad track record when it comes to security and usually need to be patched as soon as the updates are released to the public. Configuration Manager is capable of publishing third-party updates using the System Center Update Publisher or via plugins from third-party vendors.
Enhanced Mitigation Experience Toolkit (EMET)
Last, but certainly not least, is the Enhanced Mitigation Experience Toolkit. EMET is a utility from Microsoft that helps prevent an attacker or malicious user from exploiting vulnerabilities in applications.
EMET can enable Windows features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and other enhanced security features for applications whose vendor or programmer did not opt in to them when the application was built. This can act as an additional safety net to protect applications that may have unknown security issues, or known security issues that, for whatever reason, can’t be patched.
I hope this best practices guide can serve as a starting point for improving the security of your organization’s desktop and laptop endpoints. If you’re getting ready to start a project or make changes to an existing solution, we’d love to hear about it in the 4sysops forums or in the comments section below!