You already own the tools needed to thwart attackers
Category: IT careers, Professional development
February 3, 2020
There are many programs and applications you can buy to secure your Windows network, but they can cost a lot of money. If your employer or customers are looking for ways to lower their IT costs, you may find you already have the tools you need to fully protect your network.
Microsoft comes with many tools included with the operating system. They can protect both physical and virtual computers, but they first need to be enabled and configured. Let’s look at some of these tools and discuss how they can help you secure your Windows network.
Tools to protect an Active Directory domain and forest
I was surprised to read that 95% of all Fortune 500 companies use Active Directory. Group Policy is a powerful Active Directory tool you can utilize, and many already do.
I was once asked to lock down Active Directory users who were employees of a work release program selling satellite services by cold calling customers. Around 3 p.m. each day, they would shut down the remote desktop terminal server and go off into the neighborhood until the bus came to take them back to jail. The company’s owner asked for help to resolve the situation. He wanted to keep the server running, block applications that shouldn’t be run and keep the staff working. Here is how I used Group Policy to save the day:
- Locked work-release employees out of the control panel and command prompt
- Only granted access to job-critical programs
- Auto launched approved applications at startup
- Limited the websites they could visit
- Removed the shutdown feature from the start menu
I also removed them from the domain admins group and made them guests on the remote desktop sessions. This kept the employees from getting to personal email, so phishing attacks were no longer an issue. This type of protection was mainly designed to keep staff from breaking or corrupting company resources.
Tools to protect your email servers and employees
Most companies use either Exchange On-premises, Exchange Online or Google apps for email. These products have anti-spam and anti-virus capabilities that should be configured and enabled. However, some companies loosen these rules because they work with files that may be needed to run their business — but they can carry a payload. Phishing and ransomware attacks are the biggest threats.
To mitigate these threats, I’ve used the following protections:
Educate the staff
This has been the most overlooked vehicle for protecting employees in my experience. If they know what to look for, they can better protect themselves. Make sure they don’t register their work email to any websites, so they won’t get spammed.
Move group email and FTP computers to a separate subnet or VLAN
Many infections come from staff sending out requests for resumes or responses from clients. They open an attachment and the network gets encrypted with ransomware. If employees only register group emails to websites, then their individual work email can’t be targeted by phishing attacks as easily. The separate network can use an access control list to keep any potential infections from getting to the production environment.
This can also work well for FTP traffic. Instead of downloading files directly into your network, use a protected computer that won’t affect production for large file downloads. I sometimes use locked down virtual desktops in a separate Active Directory forest that can be accessed using Remote Desktop for group emails. This helps if you don’t want to physically go to the computer that is separated from production.
Use File Server Resource Manager (FSRM) or AppLocker
Both of these products come with Windows servers but are not used as often as they should be. You can use FSRM to block harmful attachments. You can use AppLocker to approve programs for users in a Group Policy Object. Once you lock down any file extension that shouldn’t be in use, it is very difficult to infect a system.
Use built-in ransomware protection
Windows 2019 and Windows 10 come with the ability to keep files from being encrypted. This can stop ransomware attacks before they even start. Most people aren’t aware that this feature exists, but it can help keep you protected at no extra cost.
Tools to protect file and folder access
Many clients over the years have had their data compromised due to local IT administrators using weak security on shared folders. This is typically how dreaded ransomware will propagate — by looking for shared folders from the computer that was compromised
I had a client who used a vendor for their copier service. The copier service wanted the client to drop my company and use theirs for IT service. The client declined, and during an office visit, the copier technician encrypted publicly shared folders using guest access.
I was able to pinpoint the time and location of the port used so there was no doubt who did it and why. I was able to restore the data within an hour using Volume Shadow Copy Service and off-domain backups. I then educated the local IT admin how we can lock down the shares. This is what we did:
- Removed Everyone share and replaced with Domain Users: This can keep guest access from encrypting the files. The access is based on least privilege between share and NTFS permissions.
- Added access-based enumeration: This makes all shared folders that a user doesn’t have permission to completely invisible. They can’t encrypt what they can’t see.
- Added Active Directory Rights Management Services: This adds additional security beyond access control lists in the share and security tab. You can create policies that work even if files are moved off domain. If preferred, you could also substitute that method with Dynamic Access Control.
Other Windows tools
There are so many more tools built into Windows operating systems that can assist you at no additional charge. For more tips and tricks on Windows 10 Host Security check out my learning path in Infosec Skills.
You’ll learn about:
- Securing data using NTFS security and share permissions
- Passwords, biometrics, PINs and other authentication methods
- Using Active Directory to update and patch Windows 10
- Configuring local policies and accounts
- Securing and using tools like the Edge browser and AppLocker
- Creating certificates and backups, using Windows logs and more
I’m also working on a Windows Server 2019 Security Learning Path to be released later this year.
About Robert McMillen
Robert McMillen started his career as an IT administrator for a manufacturing company after earning his CompTIA A+. He quickly learned how to fix and troubleshoot desktops and laptops, but his real passions were networking and server administration. Shortly after, he earned his first MCSE and Cisco CCNA and has continued with various certifications over the years (now over 50). He earned a Microsoft Certified Trainer certification and seven MCSEs. He started a successful consulting company in 2001 and eventually sold it in 2017 to focus on teaching networking and security in college and being a video and book author. Some interesting jobs he’s performed include restoring the Enron emails for the Justice Department, training troops headed to Iraq on network security, and managing a billion dollar merger of Cisco network and Microsoft technologies.