10 Tasks for a Microsoft Network Security Mid-Year Exam

We are in the middle of 2022, and it is the perfect time to review your plans, objectives and risks for your network, especially given the changing threat landscape. Ransomware, for example, has become more human-operated. Ransomware operators are now looking for additional methods and payloads, as well as extortion. Ransomware entry points range from phishing emails and lures and unpatched vulnerabilities to more targeted attacks.

With that in mind, here are the ten tasks you need to complete for your mid-year security review:

1. Review access and identification policies for third parties

Attackers will seek RDP (Remote Desktop Protocol) access and use brute force attacks such as credential stuffing: they know that people tend to reuse passwords, so they take credentials from stolen databases and try them against your network.

I’m looking for ways to better manage credentials or other access approvals for external consultants because I’m most concerned about their security processes and procedures. When dealing with outside consultants, write into your contracts what security protection you want them to use. Whether that means including them in your multi-factor authentication (MFA) plans or, at a minimum, scoping their access and firewall rules to specific networks, you need a procedure, written into your service level agreements and contracts, for how consultants manage access and credentials. User credentials should never be passed from the company to the consultant in a way that exposes them unnecessarily. Such credentials should be stored in accordance with the hiring company’s policies and procedures. Review and audit these processes accordingly.

2. Review the security scan results

Review the results of scheduled scans and ensure that they are performed on the assets that actually present external risk to the business. I recently had a company perform an external resource scan of my network. When I looked at the results of the automated scan, I realized that they were scanning a series of computers that didn’t reflect the outer edge of my network. The report, while interesting, was not a true external risk assessment for my network. So, when hiring an external penetration testing or scanning company, make sure that the review and deliverables they provide reflect the actual boundary of your network. Automated scans are useless if they don’t give you actionable insights.

3. Review cloud resources and permissions

If you’re moving IT assets to the cloud, don’t just set up a mirror of what you have on-premises. Review how resources are configured, what permissions are set, and who should have rights to which assets. Then go back to your on-premises deployments and review any security baselines or NIST guidelines that can further harden your internal network.

4. Deploy attack surface reduction rules

If you haven’t deployed attack surface reduction rules on your workstations and servers to help block suspicious activity, make that your goal for H2 2022. You may need to test and examine the impact, but start with this first set of rules and enable as many as you can:

  • Prevent all Office applications from creating child processes.
  • Block executable content from email client and webmail.
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
  • Block the execution of potentially obfuscated scripts.
  • Prevent JavaScript or VBScript from running downloaded executable content.
  • Prevent Office applications from creating executable content.
  • Prevent Office applications from injecting code into other processes.
  • Prevent the Office communication application from creating child processes.
  • Block untrusted and unsigned processes that run from USB.
  • Block persistence via WMI event subscription (Persistence).
  • Block Windows Local Security Authority Subsystem (lsass.exe) credential theft (elevation of privilege).
  • Block process creations from PSExec and WMI (Lateral Movement) commands.
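The staged rollout the section recommends, as an added PowerShell example that is not part of the original article: every rule from the list above is first put in Audit mode, a subset is then switched to Block, and the device's effective configuration is read back. The rule GUIDs are Microsoft's published identifiers for these rules; confirm them against the current ASR rules reference before deploying.

```powershell
# Added example (not from the original article): stage the ASR rules listed
# above on a workstation, starting in Audit mode so you can review impact
# before switching a rule to Block. Run in an elevated PowerShell session on a
# device running Microsoft Defender Antivirus. The GUIDs are Microsoft's
# published rule IDs; check them against the current ASR reference before use.

$AsrRules = @{
    'Office apps creating child processes'              = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Executable content from email/webmail'             = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Executables failing prevalence/age/trust criteria' = '01443614-CD74-433A-B99E-2ECDC07BFC25'
    'Potentially obfuscated scripts'                    = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'JS/VBScript launching downloaded executables'      = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Office apps creating executable content'           = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Office apps injecting into other processes'        = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Office communication app child processes'          = '26190899-1602-49E8-8B27-EB1D0A1CE869'
    'Untrusted/unsigned processes from USB'             = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
    'Persistence via WMI event subscription'            = 'E6DB77E5-3DF2-4CF1-B95A-636979351E5B'
    'Credential theft from LSASS'                       = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Process creation from PsExec and WMI'              = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
}

# Phase 1: every rule in Audit mode. Audit hits are logged as event ID 1122 in
# Applications and Services Logs > Microsoft > Windows > Windows Defender.
foreach ($rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Phase 2 (after reviewing the audit events): move the rules that produced no
# legitimate hits to Block. These three are good first candidates.
$EnforceFirst = @(
    $AsrRules['Credential theft from LSASS'],
    $AsrRules['Persistence via WMI event subscription'],
    $AsrRules['Office apps creating child processes']
)
foreach ($id in $EnforceFirst) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Verify what the device actually enforces (1 = Block, 2 = Audit, 6 = Warn).
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
0..($pref.AttackSurfaceReductionRules_Ids.Count - 1) | ForEach-Object {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$_]
        Action = $ActionName[[int]$pref.AttackSurfaceReductionRules_Actions[$_]]
    }
} | Format-Table -AutoSize
```

On devices managed by Intune or Group Policy the management channel's setting wins over local changes, so configure the same rules there once testing is done.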

5. Review network security settings and policies

Check your network configuration. For too long we have set up networks with overly permissive settings, even to the point of disabling firewalls inside the network. Review how you configure workstations and move to a state where workstation firewalls allow only specific protocols.
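One way to make the move from "firewall off" to "inbound blocked by default, specific protocols only" on a Windows workstation, as an added example that is not part of the original article. The management subnet 10.10.50.0/24 is an assumed value; the RDP and WinRM rules illustrate the pattern for whatever protocols you actually use.

```powershell
# Added example (not from the original article): move a workstation from
# "firewall off / everything allowed" to "firewall on, inbound blocked by
# default, only specific protocols from specific networks". The management
# subnet 10.10.50.0/24 is an assumed value; substitute your own. Run elevated.

# 1. Turn the firewall on for every profile and block unsolicited inbound
#    traffic by default; log drops so you can see what breaks during testing.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Allow only the protocols you actually use, scoped to the networks that
#    need them. RDP (TCP 3389) only from the management subnet, domain profile.
New-NetFirewallRule -DisplayName 'Allow RDP from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress '10.10.50.0/24' -Profile Domain -Action Allow

# Same pattern for remote administration via WinRM (TCP 5985).
New-NetFirewallRule -DisplayName 'Allow WinRM from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 5985 `
    -RemoteAddress '10.10.50.0/24' -Profile Domain -Action Allow

# 3. Audit: list every enabled inbound allow rule that is open to any remote
#    address, which is exactly the broad exposure this step is meant to remove.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

The audit at the end will also list Windows' built-in rules; decide per rule whether it is needed, and disable or scope the rest.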

Review security and password policies and consider adding Azure AD Identity Protection to your existing Active Directory to better identify weak passwords in your network. Be sure to review options for MFA with Windows Hello or other third-party MFA solutions.

6. Review Workstation Deployment Processes

Review your workstation deployment and installation process and ensure that you are not using the same local administrator password on every workstation you deploy. Review your options for a local administrator password solution that randomizes and encrypts each machine's local administrator password.

7. Review backup policies

Review the processes you use to back up and protect important files. Your backup process should keep multiple copies, two on different storage types and at least one offsite, and consider using OneDrive cloud storage as an additional backup to protect your files.

8. Use email filtering

Use email filtering and scanning to ensure that your emails are reviewed before reaching your workstations. Links in emails should be scanned at the time they are clicked, and messages should be removed from inboxes if their links are later found to be malicious.

9. Review Patch Policy

When managing patches, review the issues you have encountered in the past on your network. If your edge devices had no problems with previous patches, you may want to streamline their update schedule so they are patched sooner than the devices that did have problems. Review the side effects you experienced and the mitigations you had to take to recover from them. Investigate whether alternative software or other workarounds can be implemented to minimize patch side effects.

10. Examine the ransomware detection capabilities of anti-virus and endpoint protection solutions

Make sure your anti-virus and endpoint detection solution can identify the typical symptoms of a ransomware attack. Whether it is file backups suddenly being deleted, Cobalt Strike activity on your network, or other suspicious activity, your solutions should alert you when attackers start laying the groundwork for ransomware.
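A small detector for one of the precursors named above, backups being deleted, as an added PowerShell example that is not part of the original article. It matches process-creation command lines against patterns for shadow copy and backup catalogue deletion; the sample command lines are constructed for the demo, and the final query runs the same check against live Security event ID 4688 (which only carries command lines when command-line auditing is enabled).

```powershell
# Added example (not from the original article): a detector for one of the
# ransomware precursors the section names, backups being deleted. It matches
# process-creation command lines against patterns for shadow copy and backup
# catalogue deletion. The sample command lines are constructed for the demo;
# the Get-WinEvent query at the end runs the same check against live Security
# event ID 4688 (needs "Include command line in process creation events" on).

$BackupTamperPatterns = @(
    @{ Name = 'Shadow copy deletion';     Regex = 'vssadmin(\.exe)?\s+delete\s+shadows' }
    @{ Name = 'Shadow storage resize';    Regex = 'vssadmin(\.exe)?\s+resize\s+shadowstorage' }
    @{ Name = 'WMI shadow copy deletion'; Regex = 'wmic(\.exe)?\s+shadowcopy\s+delete' }
    @{ Name = 'Backup catalog deletion';  Regex = 'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)' }
)

function Test-BackupTamper {
    # Returns a finding object for a matching command line, nothing otherwise.
    param([string]$CommandLine, [string]$Computer = $env:COMPUTERNAME)
    foreach ($p in $BackupTamperPatterns) {
        if ($CommandLine -imatch $p.Regex) {
            return [pscustomobject]@{
                Computer = $Computer; Indicator = $p.Name; CommandLine = $CommandLine
            }
        }
    }
}

# Constructed sample command lines (not real telemetry): two backup-tampering
# commands followed by two benign process launches.
$Samples = @(
    'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet',
    'wbadmin delete catalog -quiet',
    'C:\Windows\System32\svchost.exe -k netsvcs',
    'notepad.exe C:\Users\alice\notes.txt'
)
$Samples | ForEach-Object { Test-BackupTamper -CommandLine $_ } | Format-Table -AutoSize

# The same check against the live Security log for the last 24 hours. The
# command line sits in the 'CommandLine' data field of event 4688.
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $cmd = ($x.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
        if ($cmd) { Test-BackupTamper -CommandLine $cmd -Computer $_.MachineName }
    } | Format-Table -AutoSize
```

Legitimate backup software can issue some of these commands, so baseline what your own tooling runs before treating every hit as an incident.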

Copyright © 2022 IDG Communications, Inc.

Kevin M. Risinger