Chapter 16: Top 10 Recommendations and the Future

Welcome to the final chapter. We hope you've gained a better understanding of the tools and methodologies for securing Windows systems, and the value of building a well-rounded security program to protect your users and devices. We often hear of the challenges of keeping up to date with today's fast-growing technologies; therefore, the primary focus of the book centers on solutions readily available in Microsoft's cloud. We hope to have provided you with the necessary knowledge to better understand these tools and the security solutions that can help support your transition to a more secure environment.

In this chapter, we will provide an overview of what we believe to be the 10 most important topics covered in this book. We hope these 10 recommendations will provide you with an actionable list of items to incorporate into your environment's security. Following these recommendations are additional items that we feel should be considered to strengthen your security program even further.

At the end of this chapter, we will provide our thoughts as they relate to the future of security and device management, and how the anywhere-at-any-time access model is forcing enterprises to modernize their access strategies using cloud technologies. We will discuss the role that security plays in the future and how everyday interactions need well-defined security models, and how a more autonomous world will require the right governance and security in place to stay protected.

In this chapter, we will cover the following topics:

  • The 10 most important to-dos
  • The future of device security and management
  • Security and the future

The 10 most important to-dos

To finish the book, we wanted to highlight what we believe to be 10 of the most important areas covered within this book. These items are not listed in any priority order, but we feel they should be the focus of attention for your security program.

Implementing identity protection and privileged access

In a world that has shifted outside the walls of the office to an anywhere-at-any-time access model, identities have become a primary target and a common point of weakness. They are a fundamental focus for attackers seeking to gain access to your environment. Because of this, it is critical that your identities have multiple layers of protection and that preventative measures are in place.

Proper identity protection will require implementing account and access management tools and enforcing the principle of least privilege. A user must only be provided access to the specific data, applications, and systems that are necessary for their job role. Use role-based access control (RBAC) to streamline access, and enforce strong passwords or adopt passwordless technologies. Encourage users not to reuse passwords, and provide an enterprise-grade password management tool to make managing them easier. Require multi-factor authentication (MFA) to access systems and implement conditional access controls that allow MFA to be bypassed from company-compliant devices for a better user experience. Enable biometric authentication when available and consider an end goal of working towards a passwordless-authentication world.

Tip

If you don't have MFA enabled for all users, ensure this is your highest priority. According to Microsoft, enabling MFA can prevent over 99.9% of account compromise attacks: https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/.

Information about access management and identity protection can be found by reading Chapter 5, Identity and Access Management. We also cover privileged access models in Chapter 11, Server Infrastructure Management. The important areas to focus on include adopting a tiered model for privileged access and following Microsoft's privileged access strategy, which is aligned with Zero Trust principles. Always enforce the principle of least privilege when assigning permissions to users. This includes Active Directory's built-in roles and Azure Active Directory roles. To manage access to resources in Azure, use Azure RBAC. Furthermore, enhance access security for your privileged users by deploying the following solutions:

  • Privileged access management (PAM)
  • Just-in-time access (JIT)
  • Privileged identity management (PIM)

These solutions provide a well-rounded privileged access administration program for both your traditional on-premises environment and your cloud environment. If you don't have any privileged management tools available, create a secondary account for these purposes and ensure you educate your users not to use the same passwords between accounts.
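The conditional access control described earlier in this section, requiring MFA for everyone while letting a company-compliant device satisfy the requirement instead, can be expressed as a single policy. The following is an added example written for this chapter with the Microsoft Graph PowerShell SDK; it is not code from the book. The break-glass group ID is a placeholder, and the policy is created in report-only mode so its sign-in impact can be reviewed before it is enforced.

```powershell
# Added example (not from the book): create a Conditional Access policy that
# grants access when the user completes MFA *or* signs in from a compliant device.
# Assumes the Microsoft.Graph.Authentication module is installed; the group ID
# passed in is a hypothetical placeholder for your emergency-access group.

function New-MfaOrCompliantDevicePolicy {
    param(
        [Parameter(Mandatory)] [string] $BreakGlassGroupId,   # placeholder GUID, replace
        [string] $DisplayName = 'Require MFA or compliant device - all users',
        # Report-only first: the policy is evaluated and logged but not enforced
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )

    $policy = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users = @{
                includeUsers  = @('All')
                excludeGroups = @($BreakGlassGroupId)   # keep emergency-access accounts out of scope
            }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            # 'OR' means either control satisfies the policy; 'AND' would require both
            operator        = 'OR'
            builtInControls = @('mfa', 'compliantDevice')
        }
    }

    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' | Out-Null
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

# Usage (the GUID is a constructed placeholder):
# New-MfaOrCompliantDevicePolicy -BreakGlassGroupId '00000000-0000-0000-0000-000000000000'
```

Excluding a break-glass group is what keeps a misconfigured device compliance or MFA registration problem from locking every administrator out; after reviewing the report-only sign-in logs, change the state to `enabled`.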

Enact a Zero Trust access model

Ensure you adopt a Zero Trust access architecture for your systems, identities, applications, and infrastructure where applicable. In Chapter 1, Fundamentals of Windows Security, we covered Zero Trust access and its value in securing your environment. This is a model in which we trust no one until we can validate who they are, where they are coming from, and confirm their authorization. This approach will require an access model that consists of multiple layers and can evaluate several facets in the authentication and authorization chain, from the network and firewall to the physical devices, down to the user's identity. Implementing cloud-based security technologies will significantly help if you are looking to adopt a Zero Trust access model. You can read more about the Zero Trust access model at Microsoft here: https://docs.microsoft.com/en-us/security/zero-trust/.

Define a security framework

In Chapter 2, Building a Baseline, we covered the adoption of a security framework to serve as the foundation of your organization's security program. It should consist of recommendations from widely adopted frameworks, such as the following:

We also covered the importance of well-documented policies, standards, procedures, and guidelines as part of your security program. The framework should consist of one or more security baselines that outline a minimum set of configurations for your devices. The security program should be sponsored by leadership and promoted throughout the organization to help educate users about the importance of security and the part they play.

Get current and stay current

Get current and stay current with the latest feature builds and security updates for your Windows clients and servers. In Chapter 11, Server Infrastructure Management, and Chapter 8, Keeping Your Windows Client Secure, we covered infrastructure and end user device management tools that assist with keeping your devices up to date. In Chapter 6, Administration and Policy Management, we reviewed how to administer your devices to ensure they remain current and compliant. For example, enforcing a compliance evaluation to ensure your devices meet a minimum operating system build version is helpful to flag non-updated devices that might be at risk. You can even enforce additional security controls, such as the requirement of MFA, based on this compliance evaluation using a conditional access policy. Configure Windows Update for Business (WufB) on Windows devices and Windows Server Update Services (WSUS) or Azure Update Management for Windows servers to keep your devices patched. This will help ensure that your devices are as secure as possible against ongoing threats. In addition to updating the Windows operating system, other business applications such as Google Chrome, Microsoft Office, and Adobe products need to be kept up to date as well. Plan to incorporate third-party applications into your update strategy.
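A compliance evaluation of the kind described above, flagging devices below a minimum build and devices whose Windows Update for Business policy is missing or too permissive, can be scripted locally. The following is an added example written for this chapter, not code from the book; the minimum build and revision values passed to it are placeholders, and the registry paths are the ones Group Policy, Intune, and Configuration Manager populate for WUfB.

```powershell
# Added example (not from the book): report whether this device meets a minimum
# OS build and has a sane Windows Update for Business deferral policy applied.
# Returns an object with a Compliant flag, the shape a custom compliance or
# monitoring script needs. Minimum values are hypothetical placeholders.

function Test-UpdateCompliance {
    param(
        [Parameter(Mandatory)] [int] $MinimumBuild,   # CurrentBuild of your oldest supported release
        [int] $MinimumUbr = 0,                        # revision (UBR) of the required cumulative update
        [int] $MaxQualityDeferDays = 7                # how far quality updates may be deferred
    )

    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int] $ver.CurrentBuild
    $ubr   = [int] $ver.UBR
    $buildString = '{0}.{1}' -f $build, $ubr

    # WUfB policy values land here when delivered by GPO, Intune or Configuration Manager
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue

    $findings = [System.Collections.Generic.List[string]]::new()

    # Build check: newer build passes outright; same build must be at or above the required UBR
    $buildOk = ($build -gt $MinimumBuild) -or ($build -eq $MinimumBuild -and $ubr -ge $MinimumUbr)
    if (-not $buildOk) {
        $findings.Add(('OS build {0} is below required {1}.{2}' -f $buildString, $MinimumBuild, $MinimumUbr))
    }

    # Deferral check: no policy at all usually means the device is unmanaged
    if ($null -eq $wu -or $null -eq $wu.DeferQualityUpdatesPeriodInDays) {
        $findings.Add('No WUfB quality-update deferral policy is applied')
    } elseif ($wu.DeferQualityUpdatesPeriodInDays -gt $MaxQualityDeferDays) {
        $findings.Add(('Quality updates deferred {0} days (max {1})' -f $wu.DeferQualityUpdatesPeriodInDays, $MaxQualityDeferDays))
    }

    # A device with automatic updates disabled by policy never catches up on its own
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings.Add('Automatic updates are disabled by policy (NoAutoUpdate=1)')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = $buildString
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage (placeholder minimums): Test-UpdateCompliance -MinimumBuild 19045 -MinimumUbr 2000
```

Run as a scheduled task or a custom compliance script, the `Compliant` flag is what a conditional access policy can key on; the `Findings` list tells the administrator why a device failed.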

Make use of modern management tools

Use modern management tools to enforce security configurations and administration of devices. Enterprise-grade solutions, such as Microsoft Endpoint Configuration Manager and Intune, can enforce security baselines, perform compliance evaluations, deploy applications, apply device configurations, and manage software updates. Use tools such as the Microsoft Deployment Toolkit (MDT) and Configuration Manager to build hardened images and deploy task sequences for in-place upgrades or migrations. Reduce the number of tools, if applicable, to avoid complexities in your environment. Simplicity with a reduced footprint helps to reduce the number of vulnerabilities. We primarily covered the management of your server infrastructure and end user devices in Chapter 11, Server Infrastructure Management, and Chapter 8, Keeping Your Windows Client Secure.

Certify your physical hardware devices

For end user physical devices and any physical servers within your environment, ensure that the hardware specifications pass a hardware certification program and can support virtualization-based security features. In addition to this, ensure that a process to securely update hardware and device firmware is built into your documented baseline procedures. In Chapter 3, Hardware and Virtualization, we covered hardware certification in more detail. As a reminder, make sure you review the Windows Server Catalog and Windows Hardware Compatibility List before procuring any hardware for your Windows operating systems, from the following links:

Administer network security

In Chapter 4, Networking Fundamentals for Hardening Windows, we covered network security for your Windows environment. Even with recent trends focusing on securing the user devices and identity, network security still plays a pivotal role. The function of network security should focus on network appliances, physical offices, and data centers and include network-related configurations for end user devices and servers. These configurations should be included in your documented security baselines and could include settings for software-based firewalls and VPNs. For Windows devices, communications can be locked down by configuring Windows Defender Firewall with Group Policy, Intune, or Configuration Manager. Enhanced network protection that can block traffic to risky hosts or inappropriate websites can be added by deploying a proxy server or VPN or using advanced features of Microsoft Defender for Endpoint.

For servers running in Azure, apply a network security group to the subnet or network interface resource, and only allow the necessary communications to pass through. As your users become more decentralized, ensure that you implement a reliable and secure VPN service, such as Microsoft's Always On VPN, which we covered in Chapter 4, Networking Fundamentals for Hardening Windows.
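Both halves of this section, the host firewall on a Windows server and the network security group in front of it in Azure, follow the same deny-by-default pattern. The following is an added example written for this chapter with the built-in NetSecurity cmdlets and the Az.Network module; it is not code from the book. The management subnet, resource group, location, and rule names are constructed placeholders.

```powershell
# Added example (not from the book): a deny-by-default inbound posture on a
# Windows server, with RDP allowed only from a management subnet, applied both
# to Windows Defender Firewall and to an Azure network security group.
# Subnet ranges, resource names and the location are hypothetical placeholders.

function Set-HardenedWindowsFirewall {
    param([Parameter(Mandatory)] [string] $ManagementSubnet)   # e.g. '10.10.0.0/24'

    # Enable all three profiles, block unsolicited inbound, allow outbound, log dropped packets
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

    # Replace any earlier copy of the rule so re-running the script is idempotent
    Get-NetFirewallRule -DisplayName 'Mgmt-RDP-Inbound' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Mgmt-RDP-Inbound' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $ManagementSubnet -Profile Domain, Private | Out-Null

    # Return the effective defaults so the change can be verified in the same run
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function New-HardenedNsg {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $ManagementSubnet,
        [string] $NsgName = 'nsg-windows-servers'
    )

    # Lower priority number wins. Allow RDP from management at 100, then deny everything
    # else inbound at 4000, which also overrides the default AllowVnetInBound rule (65000).
    $allowRdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Mgmt' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp -SourceAddressPrefix $ManagementSubnet `
        -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 3389
    $denyAll = New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' -SourceAddressPrefix '*' `
        -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'

    New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Location $Location `
        -Name $NsgName -SecurityRules $allowRdp, $denyAll
}

# Usage (placeholder values):
# Set-HardenedWindowsFirewall -ManagementSubnet '10.10.0.0/24'
# Connect-AzAccount
# $nsg = New-HardenedNsg -ResourceGroupName 'rg-servers' -Location 'eastus' -ManagementSubnet '10.10.0.0/24'
```

The explicit deny at priority 4000 is deliberate: without it, the platform's default `AllowVnetInBound` rule would still admit traffic from every peer in the virtual network. Associate the returned NSG with the subnet or network interface using `Set-AzVirtualNetworkSubnetConfig` or `Set-AzNetworkInterface`, and add allow rules above 4000 only for the application ports the server actually serves.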

Always encrypt your devices

Always require encryption for end user devices and servers. This should also include mobile devices that store company data or could be used to open company documents and email. For Windows clients, BitLocker disk encryption can easily be deployed using Intune and Azure Active Directory, Configuration Manager, or with Active Directory and Group Policy. For virtual machines in Azure, leverage Azure Disk Encryption and Key Vault for key storage. Additionally, ensure that backups for critical systems are configured. We covered encryption in detail for both end user devices and servers in Chapter 8, Keeping Your Windows Client Secure, and Chapter 12, Keeping Your Windows Server Secure.
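For a Windows client or server joined to Azure AD or to an on-premises domain, the whole BitLocker sequence (check the TPM, encrypt, add a recovery password, escrow it) can be done with the built-in BitLocker module. The following is an added example written for this chapter and is not code from the book; it assumes a device with a ready TPM and defaults to the system drive.

```powershell
# Added example (not from the book): enable BitLocker on the OS volume with a TPM
# protector, make sure a recovery password exists, escrow it to Azure AD or AD DS,
# and return the resulting volume status for compliance reporting.

function Enable-OsVolumeBitLocker {
    param(
        [string] $MountPoint = $env:SystemDrive,
        [ValidateSet('AzureAD', 'ActiveDirectory')] [string] $EscrowTarget = 'AzureAD'
    )

    # A TPM protector needs a present, initialized TPM; fail early and clearly otherwise
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'A present and ready TPM is required for a TPM protector'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # XTS-AES 256 is the strongest method offered; used-space-only is fast on fresh builds
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
    }

    # Make sure a recovery password protector exists; it is what recovers a TPM failure
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # Escrow every recovery password so a lost key never means lost data
    foreach ($p in $rp) {
        if ($EscrowTarget -eq 'AzureAD') {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        } else {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, EncryptionPercentage
}

# Usage: Enable-OsVolumeBitLocker                      # Azure AD-joined device
#        Enable-OsVolumeBitLocker -EscrowTarget ActiveDirectory
```

The returned `ProtectionStatus` is the field a compliance policy should test; a volume that is encrypted but has protection suspended reports `Off`. For Azure virtual machines the equivalent step is `Set-AzVMDiskEncryptionExtension` with a Key Vault for key storage, as the section above describes.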

Enable XDR protection beyond EDR

Extended detection and response (XDR) is an extremely valuable strategic approach to implement in your cybersecurity program. XDR expands beyond the original endpoint detection and response (EDR) capabilities, which focused primarily on a single technology, and joins multiple technologies together. This allows security teams to improve detection by adding context to alerts and seeing a holistic picture of a potential attack. An XDR strategy will combine capabilities that cover end user devices, email, servers, cloud infrastructure, identity and access management, network and applications, and data. The primary benefit of XDR is that it consolidates everything into a centralized view. For EDR capabilities, which have replaced the traditional antivirus model, ensure you onboard your workstations and servers into Microsoft Defender for Endpoint, which provides next-generation endpoint protection with behavioral detection, native cloud-based analytics, and threat intelligence. We covered XDR in more detail within Chapter 14, Security Operations. In Chapter 8, Keeping Your Windows Client Secure, and Chapter 12, Keeping Your Windows Server Secure, we covered the Microsoft Defender for Endpoint onboarding process.

Deploy security monitoring solutions

Having the right security tools in place is a critical part of your security program, but if you don't have well-implemented operations and monitoring, the value of your security tools diminishes. Being a Microsoft customer means taking advantage of the XDR capabilities available, which allow instant reaction and automated remediation of any detected incidents within your environment. Take advantage of the enterprise-class security monitoring and reporting solutions readily available, including Log Analytics, Microsoft Defender for Endpoint, Defender for Cloud Apps, Microsoft Defender for Cloud, and Microsoft Sentinel. Many of these solutions integrate with third-party SIEM tools, should they be used in-house or by an outsourced security operations center. In Chapter 13, Security Monitoring and Reporting, and Chapter 14, Security Operations, we covered security operations, security monitoring, and reporting in detail.

Notable mentions

In addition to hardening devices and the top 10 list, we want to highlight other important items of the overall security program.

Stay educated

Stay current on the ever-evolving threat landscape in today's world. It is important as a security professional that you are aware of and understand the complexities of current threats to ensure you are applying the appropriate remediations. This is one way to ensure that you can help reduce the risk of a compromise. The following is a list of some of the resources referenced in Chapter 1, Fundamentals of Windows Security, and are great places to visit for up-to-date cybersecurity trends and new and emerging threats:

Validate controls

In Chapter 15, Testing and Auditing, we reviewed in detail the testing and auditing of your environment. It is critical to validate that your controls are in place by regularly scheduling audits. Additionally, at a minimum, schedule ongoing vulnerability assessments and annual penetration tests to help find and mitigate any new risks discovered in your environment. Don't exclude validating controls from your security program, as it could be a fatal mistake.

Application controls

Ensure you are only allowing applications you trust to run within your environment. Plan for and deploy Windows Defender Application Control (WDAC), along with adaptive application controls in Defender for Servers or Microsoft Defender Vulnerability Management, for fine-grained control over which applications can run on your users' systems. We covered WDAC in more detail in Chapter 9, Advanced Hardening for Windows Clients.

Security baselines and hardening

Ensure you harden your end user devices and servers by configuring Microsoft security baselines, the Security Technical Implementation Guide (STIG), and CIS benchmarks. The hard work of building recommended controls has already been done by Microsoft and communities of other security professionals, so you don't have to. Security baselines can be enforced using Group Policy and modern management solutions such as Microsoft Endpoint Manager. Leverage reporting and auditing features with device compliance policies and configuration profiles in Intune or by deploying configuration baselines in Configuration Manager. Don't forget to include security baseline policies for other enterprise-based apps such as Microsoft 365 Apps, Zoom, Adobe, Google Chrome, Edge, and other web browsers. We covered the fundamentals of security baselines and hardening in Chapter 2, Building a Baseline. In Chapter 8, Keeping Your Windows Client Secure, and Chapter 12, Keeping Your Windows Server Secure, we reviewed how to deploy these baselines and hardening configurations to your workstations and servers.
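Deploying a baseline is half the job; the other half, which the Validate controls section above also calls for, is checking that the settings are actually in effect on the device. The following is an added example written for this chapter and is not code from the book or from any Microsoft or CIS baseline: it audits a short, data-driven list of registry-backed settings that appear in those baselines and reports drift. The expected values are illustrative, and the authoritative values must come from the baseline your organization has adopted.

```powershell
# Added example (not from the book): audit a device against a small set of
# hardening settings found in Microsoft security baselines and CIS benchmarks.
# Expected values are illustrative placeholders; 'Default' records what Windows
# uses when the value is absent, so an unset-but-secure setting is not flagged.

$BaselineChecks = @(
    @{ Name = 'LSA protection (RunAsPPL)';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Value = 'RunAsPPL';                 Expected = 1 }
    @{ Name = 'Do not store LM hash';             Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Value = 'NoLMHash';                 Expected = 1; Default = 1 }
    @{ Name = 'NTLMv2 only, refuse LM and NTLM';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Value = 'LmCompatibilityLevel';     Expected = 5 }
    @{ Name = 'UAC enabled';                      Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'EnableLUA';                Expected = 1; Default = 1 }
    @{ Name = 'SMB server signing required';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';   Value = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'WDigest cleartext creds disabled'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';  Value = 'UseLogonCredential';       Expected = 0; Default = 0 }
)

function Test-SecurityBaseline {
    param([array] $Checks = $BaselineChecks)

    foreach ($c in $Checks) {
        # Missing key or value yields $null rather than an error
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $display = $actual
        if ($null -eq $actual) {
            $display = '<not set>'
            if ($c.ContainsKey('Default')) { $actual = $c.Default }   # fall back to the OS default
        }
        $status = if ($actual -eq $c.Expected) { 'Pass' } else { 'Drift' }
        [pscustomobject]@{ Check = $c.Name; Expected = $c.Expected; Actual = $display; Status = $status }
    }

    # SMBv1 is controlled by a feature and the SMB server configuration, not a plain registry value
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $smbStatus = if ($smb1 -eq $false) { 'Pass' } else { 'Drift' }
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Expected = $false; Actual = $smb1; Status = $smbStatus }
}

# Usage:  Test-SecurityBaseline | Format-Table -AutoSize
# Drift only:  Test-SecurityBaseline | Where-Object Status -eq 'Drift'
```

Because the checks are data, the same function serves a workstation and a server baseline by swapping in a different `$Checks` array, and the output objects can be written to Log Analytics or a compliance report rather than the console.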

Business continuity, disaster recovery, and cyber incident response

Having a well-defined business continuity plan (BCP), disaster recovery plan (DRP), and cyber incident response plan (CIRP) helps ensure that your organization is prepared for impactful events. Plans should not only include covering business operations but also the ongoing and evolving security threats that can have catastrophic ramifications for your company. Threats such as ransomware can prevent organizations from being able to operate normally, can lead to extortion and ransom demands, and have the potential for large amounts of data loss. We briefly covered business continuity, disaster recovery, and cyber incident response in Chapter 14, Security Operations.

Hopefully, this overview summarized some of the key takeaways in this book. Our goal was to provide you with insights into the critical components that need to be focused on to best protect your Windows workstations and servers. Next, we want to provide some personal insight into the future of security and device management.

The future of device security and management

As the technology we consume evolves and the access model becomes more internet-centric, the better our security posture and defense must be. We need to completely shift the way security has been implemented in the past beyond the four walls of the office. Users are far more dynamic today than ever and need access to company data from anywhere at any time. This challenge also extends beyond corporate devices to personally-owned mobile devices and even to bring-your-own (BYO) laptop/tablet models. Ensuring that your corporate data is protected and not exfiltrated from the environment requires effective modern security tools and well-defined controls. At the same time, it's important to ensure we don't inhibit end user productivity; otherwise, users will look to circumvent the controls put in place and create a more vulnerable environment.

To help succeed with implementing your overall security strategy, it's recommended to simplify where you can. Having disjointed security tools can make maintenance unsustainable and, as a result, make you more vulnerable due to their complexity. Because of this, plan a review of what you have implemented and set goals to consolidate your security footprint where applicable. Simplicity is key to a successful program, and Microsoft has done a great job in this regard, having evolved its security presence over the years.

During your consolidation efforts, we recommend reviewing next-generation security tools. Traditional security tools will no longer suffice in today's modernized world. Next-generation security tools can be enabled and deployed at scale using cloud technologies with limited or zero infrastructure and are, typically, always kept up to date by the vendor. These tools and services should support a level of automation, leverage artificial intelligence, analyze big data, and incorporate behavioral analytics. Without these features, organizations will miss out on valuable security insights that can help prevent attacks as opposed to reacting to a breach.

As already mentioned, your protection strategy needs to continue to incorporate an identity- and device-focused foundation. As next-generation security tools continue to improve and evolve, always assess new features, and enable them when applicable. They will be able to provide intelligent security insights using cloud-driven telemetry that analyzes your users' and devices' behavior based on their location and alerts on any atypical travel or anomalies in user activity. Layering automation that remediates incidents based on these anomalies is also a significant step to improving the effectiveness of security operations and results in a more secure organization. In addition, most modern technology now supports biometric-based authentication and can leverage fingerprint scans and face recognition. These technologies are pivotal in creating a path to a world without passwords. If you haven't already heard of Fast Identity Online 2 (FIDO2), you should quickly become familiar with it, as this specification is currently driving the passwordless initiative.

It's commonly been said that "Company data is the crown jewels of the organization." To protect data in an available-anywhere-from-any-device model, data protection needs to be considered to prevent leakages. To do this, continue to grow and evolve your data loss prevention (DLP) program using cloud-based technologies. Enhance your protection with information rights management (IRM) and data classification tools, such as Microsoft Purview Information Protection. Your organization's data should be automatically labeled and classified based on industry-standard privacy regulations, along with custom rules used to identify sensitive data unique to your business. Based on the data classification, there should be automatic protections applied that include the ability to enforce encryption, require authentication, block data from leaving your devices, and restrict copy and paste to non-protected apps.

Beyond protecting the classic Windows and server operating system is the Internet of Things (IoT). IoT has grown exponentially in recent years and continues to grow, as devices are now being built for everything imaginable. Microsoft also has a presence in this space with its Windows for IoT platform, which includes multiple versions available for building your IoT infrastructure including Windows IoT Enterprise, Windows Server IoT 2022, and Windows 10 IoT Core Services.

Tip

You can learn more about Windows IoT here: https://azure.microsoft.com/en-us/services/windows-iot/.

As IoT continues to grow, serious security concerns are beginning to surface as we become more dependent on IoT devices in today's world. We need to define a unified standard to govern, manage, and secure these devices. This includes unifying the management of all devices for centralized governance and a standard security approach. Currently, we are not aware of a true unified model. However, we are hopeful that this is something that may become available as the adoption of IoT continues to grow. The following is a diagram of the ideal future unified management model:

Figure 16.1 – The ideal unified management model in the future

Next, we will discuss security and the future.

Security and the future

We wanted to share some thoughts on the growth and future of security and the importance it will play in a world that becomes more connected every day. Technology continues to evolve at a significant pace. As this technology grows, security needs to be brought to the forefront, not only within the enterprise but also within the consumer space. Devices, gadgets, lightbulbs, health monitors, household appliances, entertainment, landscaping equipment, automobiles, accessories, and drones are all examples of the types of internet-connected things we can use today. Unfortunately, from a security perspective, usability is typically the primary design focus of these smart devices. Their internet connectedness, lack of security standards, and heavy usage in our daily lives pose a significant security risk. The following link provides some real-world examples of security weaknesses and challenges with IoT technology: https://www.conosco.com/blog/iot-security-breaches-4-real-world-examples/.

Hopefully, as we continue to evolve in this space, we will see the creation of a more universal standardization that can be followed, with some form of certification showing whether a device meets the minimum security specifications for both enterprise and consumer usage. A few standardized examples include a PIN for debit and credit cards, a fingerprint/face ID to unlock your phone, and the adoption of MFA across many services.

As highlighted throughout this book, shifting your security strategy to leverage cloud technologies will help you be more efficient in the future. By adopting the use of next-generation technologies, you will be gaining the benefit of an environment that has little to zero self-managed infrastructure. It allows for scalability and automation, makes use of artificial intelligence, and incorporates behavioral analytics using big data. This model is most suited for companies going through a digital transformation to cloud-based infrastructure and supports a decentralized user base that requires work access from anywhere at any time.

Moving forward, no matter the size of your organization or business, a security presence should be required. For a smaller business, security in the form of an outsourced model that leverages a managed security service provider (MSSP) might make more sense than hiring in-house. Having an MSSP available will give you the necessary resources to provide the expertise needed to handle security-related incidents. Larger organizations may opt for an in-house security team, but many MSSPs can cater to larger organizations as well. Data released by Frost & Sullivan predicts that the market for MSSPs will grow from $12.01 billion in 2020 to $18.81 billion by 2024: https://www.msspalert.com/cybersecurity-research/managed-security-services-market-forecast/.

Services considered as critical infrastructure, which includes operational technology (OT), are another area that should be at the forefront of developing security-based technologies. Examples of critical infrastructure services include energy, emergency services, chemical and nuclear facilities, transportation, and the government sector. These are essential services that support our daily lives, and even a minor disruption could be catastrophic. We need to ensure these critical components used in everyday life are highly protected, as the stakes are too high.

Transportation services, from public to private to space travel, all involve internet-connected technology. These services are used by millions of people daily and any compromise could potentially diminish the safe operations of these vehicles and result in significant damage, injury, or loss of life. For example, in 2015, security researchers were able to remotely commandeer a Jeep Cherokee driving on the highway and disable the car's engine and brake systems: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.

As our personal digital identity continues to evolve and be enhanced, where do we go beyond this? FIDO2 usage continues to grow and the benefits of adopting a passwordless approach have become obvious. Are we heading towards a unified identity where a single item we carry represents ourselves? We already see this, as smartphones can supplement car keys, wallets, digital identification, and more. The concept of Web3 introduces a decentralized internet model. Here, you control your digital identity and not the big tech companies that have profited tremendously by scraping your data and selling it to advertisers. Web3 projects a fundamental change in how we transact as our digital self in the future.

Recently, although considered controversial, the topic of microchip implants has become more than just a conversation. Neuralink, a company of which Elon Musk is a founder, has recently promoted beginning human trials on their brain chip implant by the end of 2022. Neuralink hopes to help people who suffer from neurological deficiencies by repairing certain cognitive and sensory-motor functions controlled by the brain. Will this ever become a reality or requirement for humans? Perhaps we will live in a world where a microchip could become mandated. Only time will tell.

Another interesting area with significant technological advances is that of robotics and autonomy. What does the future hold, and where do we draw the line in terms of how markedly intelligent robots can become? Most of us have watched futuristic movies that depict robots becoming smarter than humans, with the strength to overpower humanity. Could this ever become a reality? Could robots become programmed or compromised to do more harm than good? These are real conversations happening now, and it's critical that we build a solid, core security model that includes protection against these threats as robotic technology continues to evolve. There should be no failure of security in this space.

From our discussion, the importance of security from a holistic approach should be clear, that is, one that does not overlook any area of the infrastructure, the physical device, or the underlying software down to the user identity. Security should be at the forefront when designing any solution and should be natively embedded into the product from the beginning. Failure to incorporate security shouldn't be a risk your company is willing to take.

Summary

In this chapter, we provided an overview of the 10 most important takeaways from the content of this book. We also covered additional items to keep in mind as you continue to harden and secure your Windows workstations and servers. Each of these items includes a reference back to the original chapter, where you can review the material in more detail to gain a better understanding.

We then provided our personal insights into the future of device security and management. Here, we covered a few essential areas related to securing devices, as well as the importance of security management in the IoT space. We finished the chapter with our thoughts on security and the future, especially as they relate to the ever-evolving innovation of new and futuristic technologies.

This chapter concludes the subjects in this book. We hope you enjoyed the content provided and were able to take away the necessary knowledge to help secure and strengthen your environment.
