Windows 10 made its debut back in July and has since garnered some generally positive reviews, though the release hasn’t been without its share of vulnerabilities. For IT and operations, this means (begrudgingly) supporting/hardening another variant of the Windows OS on an ongoing basis. Even in homogeneous Windows-only environments, managing vulnerabilities and patches across different OS versions can be a daunting affair. The following can serve as a practical starting point for protecting today’s Windows-based infrastructures against cyber attacks.
1. Identify Untested/Unsecured Firmware and 3rd-Party Firmware Modifications
As you may recall, Lenovo’s Superfish malware fiasco derailed the company’s long-term aspirations as a trusted Windows hardware manufacturer, if it indeed had such aspirations to begin with. Shortly after this event, Lenovo was again discovered surreptitiously installing software, this time in the form of a hard-to-remove application planted in its devices’ firmware. Such firmware modifications are almost never good and, as in Lenovo’s case, introduce low-level security flaws into computers and devices.
Modern Windows versions (7, 8, 10, and the Windows Server releases) use the UEFI firmware standard in place of a computer’s or device’s legacy BIOS. Because the Windows binary loader relies on UEFI, and the UEFI implementation is in the hands of hardware vendors (e.g., IBM, Lenovo, Dell), less scrupulous brands may be inclined to make “extra” modifications. It is therefore critical that computers and devices manufactured by suspect brands be identified and carefully scrutinized for their potential impact on IT security.
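The identification step above, as an added PowerShell example that is not code from the article: it records the firmware vendor, version and UEFI Secure Boot state of the local machine and flags it for review when the vendor is on a watch list (the list and the threshold are assumptions to adapt to your own policy). Run it in an elevated session on Windows 8 or later.

```powershell
# Added example, not code from the article: inventory firmware identity and Secure Boot state
# so machines from vendors on your watch list can be pulled aside for a closer look.
function Get-FirmwareAudit {
    $bios   = Get-CimInstance -ClassName Win32_BIOS
    $system = Get-CimInstance -ClassName Win32_ComputerSystem
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines and in non-elevated sessions;
    # report that as unknown instead of silently treating it as disabled.
    $secureBoot = 'Unknown (legacy BIOS or not elevated)'
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Manufacturer    = $system.Manufacturer
        Model           = $system.Model
        FirmwareVendor  = $bios.Manufacturer
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        FirmwareDate    = $bios.ReleaseDate
        SecureBoot      = $secureBoot
    }
}

# Vendors whose firmware you want a human to review: an assumed list, adjust it to your policy.
$watchList = @('LENOVO')

$audit = Get-FirmwareAudit
$audit | Format-List

$vendorMatch = $watchList -contains "$($audit.Manufacturer)".Trim().ToUpper()
if ($vendorMatch -or $audit.SecureBoot -ne $true) {
    Write-Warning ("Review firmware on {0}: vendor={1}, Secure Boot={2}" -f
        $audit.ComputerName, $audit.Manufacturer, $audit.SecureBoot)
}
```

Pipe the object from many hosts into Export-Csv to build the fleet-wide list the text calls for.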
2. Fix Unpatched/Incompatible Drivers
A myriad of hardware devices and services are in use by today’s computers, which invariably creates an ongoing concern around the incompatibility and vulnerability of drivers. Increasingly, drivers are a common source of new security gaps introduced into the environment; just a couple of months ago Microsoft released a patch for Windows to address vulnerabilities in its font drivers. Vulnerability detection should therefore cover both software packages and discrete, standalone components such as drivers. Outdated and/or unsupported drivers should be removed from systems entirely.
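A driver audit for the point above, as an added PowerShell example that is not code from the article: it lists the installed Plug and Play drivers and flags those that are unsigned or older than a cut-off (the five-year threshold is an assumption) as candidates for update or removal.

```powershell
# Added example, not code from the article: find unsigned or stale third-party drivers.
function Get-DriverAudit {
    param([int]$MaxAgeYears = 5)   # assumed threshold; tune it to your own policy
    $cutoff = (Get-Date).AddYears(-$MaxAgeYears)
    # Get-CimInstance returns DriverDate as a DateTime (Get-WmiObject would give a DMTF string).
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -and $_.DriverVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Device   = $_.DeviceName
                Provider = $_.DriverProviderName
                Inf      = $_.InfName
                Version  = $_.DriverVersion
                Date     = $_.DriverDate
                Signed   = [bool]$_.IsSigned
                Stale    = [bool]($_.DriverDate -and $_.DriverDate -lt $cutoff)
            }
        }
}

$drivers = Get-DriverAudit -MaxAgeYears 5
# Microsoft's in-box drivers carry a deliberately old date so that vendor drivers outrank them,
# and they are serviced through Windows Update, so leave them out of the age check.
$findings = $drivers |
    Where-Object { -not $_.Signed -or ($_.Stale -and $_.Provider -ne 'Microsoft') } |
    Sort-Object Date
$findings | Format-Table Device, Provider, Version, Date, Signed, Stale -AutoSize
"{0} of {1} drivers need attention" -f @($findings).Count, @($drivers).Count
```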
3. Address Vulnerabilities Introduced By Non-Microsoft Software
Microsoft would be delighted to satisfy all your software needs with Redmond-approved applications backed by a solid history of patches, but clearly this seldom covers an organization’s needs completely. The reality is that 3rd-party software will be introduced into the environment at some point, which makes understanding the key vulnerabilities inherent to each package crucial to gauging its impact on the firm’s security posture.
4. Address Vulnerabilities in Windows-Bundled Software
Windows 10 ships with several bundled apps such as Photos, Groove Music, and Skype, among others. These items are pre-installed for every user account on Windows 10 and, like all software, are subject to their own specific vulnerabilities and flaws. Software vulnerability scanning should include both the Windows operating system and the bundled apps that ship with it.
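Items 3 and 4 both depend on knowing what is actually installed. The following added PowerShell example, not code from the article, builds one inventory of desktop applications (from the Uninstall registry keys) and Appx packages (the bundled and Store apps) with versions, ready to hand to a vulnerability scanner; the CSV path is an assumption. Run it elevated so that Get-AppxPackage -AllUsers can see every account’s packages.

```powershell
# Added example, not code from the article: one inventory covering Win32 and Appx software.
function Get-SoftwareInventory {
    # Win32 applications register under the Uninstall keys (native and 32-bit-on-64-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $desktop = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = "$($_.DisplayVersion)"
                Publisher = "$($_.Publisher)"
                Kind      = 'Desktop'
            }
        }
    # Bundled and Store apps (Photos, Groove Music, Skype, ...) are Appx packages.
    $appx = Get-AppxPackage -AllUsers | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Version   = "$($_.Version)"
            Publisher = $_.Publisher
            Kind      = 'Appx'
        }
    }
    @($desktop) + @($appx)
}

$inventory = Get-SoftwareInventory
# Non-Microsoft packages are the subject of item 3; the Appx rows cover item 4.
$inventory | Where-Object { $_.Publisher -notmatch 'Microsoft' } |
    Sort-Object Kind, Name | Format-Table Kind, Name, Version, Publisher -AutoSize
# Feed the complete list to whatever vulnerability scanner or CPE matcher you use.
$inventory | Export-Csv -Path "$env:TEMP\software-inventory.csv" -NoTypeInformation
```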
5. Enforce Data Encryption
Data breaches may be inevitable, but stolen data can still be protected, even when in the hands of attackers. Encryption has its pros and cons, but for the most part it is a relatively transparent and easy way to prevent data from being exposed, before and after it has been stolen. BitLocker is Microsoft’s solution for file encryption and ships with newer versions of Windows. The drawback to BitLocker is that every Windows machine using it must also have a supporting BIOS and the Trusted Platform Module (TPM) chip enabled.
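A readiness check for the TPM prerequisite just described, as an added PowerShell example that is not code from the article: it reports TPM state and the OS volume’s BitLocker status, and a second function (called only if you uncomment it) adds a recovery password, then enables BitLocker with the TPM as the protector. The function name and the XTS-AES-256 choice are assumptions; run elevated on Windows 10.

```powershell
# Added example, not code from the article: check TPM/BitLocker readiness, then enable it.
function Test-BitLockerReadiness {
    $tpm = Get-Tpm                                           # TrustedPlatformModule module
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive  # BitLocker module
    [pscustomobject]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
        Volume     = $os.MountPoint
        Protection = $os.ProtectionStatus                  # On / Off
        Encrypted  = "$($os.EncryptionPercentage)%"
        Protectors = ($os.KeyProtector.KeyProtectorType -join ', ')
    }
}

function Enable-OsVolumeBitLocker {
    # Returns the state plus the recovery password: escrow that password in your key
    # management store (or AD DS) and do not leave a copy on the machine it protects.
    $state = Test-BitLockerReadiness
    if (-not ($state.TpmPresent -and $state.TpmReady)) {
        throw 'TPM is not present or not ready; enable it in firmware before using BitLocker.'
    }
    if ($state.Protection -eq 'On') { return $state }
    # Add the recovery password before the TPM protector so a TPM fault cannot lock you out.
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest | Out-Null
    Test-BitLockerReadiness |
        Add-Member -NotePropertyName RecoveryPassword -NotePropertyValue $rp.RecoveryPassword -PassThru
}

Test-BitLockerReadiness | Format-List
# Enable-OsVolumeBitLocker   # uncomment to apply; encryption then proceeds in the background
```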
6. Obfuscate Local Administrator Accounts
More often than not, malicious programs and hackers target default local administrator accounts as low-hanging fruit for exploitation. Simply renaming an administrator account adds a simple but effective layer of defense against brute-force attacks. Choosing a less common name makes the account less susceptible to hacking attempts, though in later versions of Windows local administrator accounts are disabled by default.
7. Disable Guest/Anonymous Accounts
This applies to both Windows and Windows-related services, so guest/anonymous accounts used by Windows as well as by other Windows-related services (e.g., MS SQL, Exchange) should be disabled. Be sure that you account for all Windows-related packages, including SharePoint deployments and IIS instances.
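Items 6 and 7 for the Windows accounts themselves, as an added PowerShell example that is not code from the article (the guest accounts of SQL Server, Exchange and the like are handled in those products, not here). It locates the built-in Administrator and Guest accounts by their well-known relative IDs (500 and 501) rather than by name, renames the administrator and disables Guest; because the RID does not change with the name, the rename is one extra layer rather than a control on its own. The replacement name is an assumption; run elevated on Windows 10 or Server 2016 and later, where the LocalAccounts module is available.

```powershell
# Added example, not code from the article: harden the built-in local accounts by RID.
function Get-BuiltInLocalAccounts {
    Get-LocalUser | ForEach-Object {
        $rid = $_.SID.Value.Split('-')[-1]
        if ($rid -in '500', '501') {
            [pscustomobject]@{ Name = $_.Name; Rid = $rid; Enabled = $_.Enabled }
        }
    }
}

function Set-BuiltInLocalAccountHardening {
    param([string]$NewAdminName = 'ops-localadm')   # assumed replacement name; choose your own
    foreach ($acct in Get-BuiltInLocalAccounts) {
        switch ($acct.Rid) {
            '500' {
                # Built-in Administrator: rename it if it still carries a well-known name.
                if ($acct.Name -ne $NewAdminName) {
                    Rename-LocalUser -Name $acct.Name -NewName $NewAdminName
                }
            }
            '501' {
                # Built-in Guest: make sure it is disabled.
                if ($acct.Enabled) { Disable-LocalUser -Name $acct.Name }
            }
        }
    }
    Get-BuiltInLocalAccounts
}

Get-BuiltInLocalAccounts | Format-Table -AutoSize
# Set-BuiltInLocalAccountHardening -NewAdminName 'ops-localadm'   # uncomment to apply
```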
8. Put LAN Manager in Check
The dated LM (LAN Manager) and NTLMv1 authentication protocols have vulnerabilities and should be disabled. LM hash storage should also be disabled, as LM password hashes are easily converted back to plain text.
9. Institute Proper Password Management
In the Windows security realm, 12 characters is the bare minimum for a marginally strong password. As an added precaution, requiring users to select passwords with a 15-character minimum, along with the usual symbol and case assortment requirements, will suffice.
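Items 8 and 9 on a standalone machine, as an added PowerShell example that is not code from the article: the LAN Manager settings live as LmCompatibilityLevel and NoLMHash under the LSA registry key, and the local password policy is set through secedit (15-character minimum, complexity on). Domain members receive these from Group Policy (“Network security: LAN Manager authentication level” and the domain password policy) instead. The temporary file paths are assumptions; run elevated.

```powershell
# Added example, not code from the article: LAN Manager settings and local password policy.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LanManagerPosture {
    $p = Get-ItemProperty -Path $lsaKey
    [pscustomobject]@{
        LmCompatibilityLevel = $p.LmCompatibilityLevel   # $null = not configured explicitly
        NoLMHash             = $p.NoLMHash
    }
}

function Set-LanManagerHardening {
    # 5 = send NTLMv2 responses only; refuse LM and NTLM (v1) when acting as a server.
    Set-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
    # 1 = stop storing LM hashes. Existing LM hashes persist until each password is changed.
    Set-ItemProperty -Path $lsaKey -Name NoLMHash -Value 1 -Type DWord
    Get-LanManagerPosture
}

function Set-LocalPasswordPolicy {
    param([int]$MinimumLength = 15)
    $inf = Join-Path $env:TEMP 'secpol.inf'
    $db  = Join-Path $env:TEMP 'secpol.sdb'
    secedit /export /cfg $inf /quiet | Out-Null
    # The [System Access] section holds both settings; rewrite them in place.
    $policy = Get-Content -Path $inf
    $policy = $policy -replace '^MinimumPasswordLength\s*=.*', "MinimumPasswordLength = $MinimumLength"
    $policy = $policy -replace '^PasswordComplexity\s*=.*', 'PasswordComplexity = 1'
    $policy | Set-Content -Path $inf -Encoding Unicode   # secedit writes and expects UTF-16
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
    net accounts   # shows the resulting minimum length for verification
}

Get-LanManagerPosture
# Set-LanManagerHardening; Set-LocalPasswordPolicy -MinimumLength 15   # uncomment to apply
```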
10. Cover The Basics (Firewall, IDS/IDPS, Antivirus/Anti-Malware)
Last, but most assuredly not least, basic IT security mechanisms should be in place: firewalls, IDS/IDPS, antivirus/anti-malware software, and continuous integrity monitoring and validation. Today’s threat landscape is far too complex for a monolithic security solution to handle on its own. Effective enterprise security requires a layered approach, one that combines traditional IT security tools with advanced solutions for continuous security.
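A check of the basics on a Windows 10 host, as an added PowerShell example that is not code from the article: it reads the firewall profiles and Windows Defender status, reports what is weak, and a second function (uncomment to run) turns the firewall on with inbound blocked by default, re-enables real-time protection and refreshes signatures. The signature-age threshold is an assumption; third-party antivirus or IDS products expose their own cmdlets or APIs, so adapt the checks to them. Run elevated.

```powershell
# Added example, not code from the article: verify and restore the baseline defenses.
function Get-BaselineDefenses {
    $profiles = Get-NetFirewallProfile
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        FirewallProfilesDisabled = @($profiles | Where-Object { $_.Enabled -ne 'True' }).Name -join ', '
        InboundNotBlocked        = @($profiles | Where-Object { $_.DefaultInboundAction -ne 'Block' }).Name -join ', '
        RealTimeProtection       = $mp.RealTimeProtectionEnabled
        SignatureAgeDays         = $mp.AntivirusSignatureAge
        LastFullScan             = $mp.FullScanEndTime
    }
}

function Test-BaselineDefenses {
    param([int]$MaxSignatureAgeDays = 3)   # assumed threshold
    $s = Get-BaselineDefenses
    $issues = @()
    if ($s.FirewallProfilesDisabled) { $issues += "firewall disabled for profile(s): $($s.FirewallProfilesDisabled)" }
    if ($s.InboundNotBlocked)        { $issues += "inbound default is not Block for: $($s.InboundNotBlocked)" }
    if (-not $s.RealTimeProtection)  { $issues += 'Defender real-time protection is disabled' }
    if ($s.SignatureAgeDays -gt $MaxSignatureAgeDays) { $issues += "signatures are $($s.SignatureAgeDays) days old" }
    $issues
}

function Set-BaselineDefenses {
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
    # Tamper protection, where enabled, has to be switched off in the Security app before this applies.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Update-MpSignature
    Test-BaselineDefenses
}

$issues = Test-BaselineDefenses
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'baseline defenses in place' }
# Set-BaselineDefenses   # uncomment to apply
```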
In short, many of the above items are rudimentary but can be a pain to tackle piecemeal. How about one policy that can manage all of these things with only a few mouse clicks? UpGuard’s policy for Windows environment security can do just that—give it a test drive today, it’s free.