All the Guards–Part 10

This article is a part of a series. The previous article can be found here:

All the Guards – Part 9 Control Flow Guard

In this article I’m going to summarise all the previously articles which included:

All the Guards – Part 9 Control Flow Guard

All the Guards – Part 8 DMA Guard

All the Guards – Part 7 Exploit Guard

All the Guards – Part 6 Application Guard

All the Guards – Part 5 Credential Guard

All the Guards – Part 4 System Guard

All the Guards – Part 3 Device Guard

All the Guards – Part 2 Virtualization Based Security

All the Guards – Part 1 Secure Boot

To successfully implement many of these you’ll need current hardware and an up to date version of Windows 10 Professional or Enterprise. The majority of protection is provided by virtualisation, which the device needs to support and have enough RAM (recommended minimum would be 8GB, but you can do it with less) to facilitate.

Configuration of these options can be handled individually but a better approach is to use a policy method such as via Microsoft Endpoint Manager across your fleet.

I have shared all the information I have found on these topics, hopefully in a manner that makes sense. Unfortunately, information about many of these technologies is not presented in a straight forward manner and in many cases, specifics are hard to find and confirm. Hopefully, however, there is enough information there to show you the benefits of implementing these technologies across your Windows 10 devices.

My advice, is that you look at implementing these technologies in the order that I have presented them to accommodate dependencies that exist. I have done exactly that in my production environment and now don’t even think about them.

So if you haven’t as yet implemented all the Guards that Microsoft has available, I’d encourage you to do so. The improvement in security it provides is worth the investment.

Verify Endpoint Manager Service release

image

To verify the release you are on with your Microsoft Endpoint Manager environment, navigate to:

https://endpoint.microsoft.com

1. Select, Tenant administration from the menu on the left.

2. Ensure that Tenant details is selected as shown above.

3. Look for the Service release heading on the right as shown above.

The version number here is also linked to:

What’s new in Microsoft Intune

which provides more granular information about what capabilities have been added to the environment.

Remember, these service updates occur regularly, so ensure you check the updates regularly.

All the Guards–Part 7

This article is a part of a series. The previous article can be found here:

All the Guards – Part 6 (Application Guard)

In this article I’m going to focus on the next component, which is:

Exploit Guard

The four components of Windows Defender Exploit Guard are designed to lock down the device against a wide variety of attack vectors and block behaviours commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements.

These four components are:

The four components of Windows Defender Exploit Guard are:

  • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
  • Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
  • Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

More details can be found here:

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

Typically you use Microsoft Endpoint Manager to:

Create and deploy Exploit Guard policy

but there are other methods as I have detailed here for

Attack Surface Reduction (ASR)

Windows Defender Exploit Guard is one of the best ways that you can minimise the risk of malware infection on Windows 10 devices and as such, should be enabled across all such devices in your fleet.

The next article will look at:

DMA Guard

Basics of deploying Windows Defender Application Control (WDAC) using Intune

Windows Defender Application Control (WDAC) is the more modern approach to application white listing on a windows 10 device when compared to AppLocker. It is however, just as easy to deploy using Intune as this video shows:

https://www.youtube.com/watch?v=M2cZrV-mRlo

You firstly need to create your WDAC policy as an XML file. Then you use the PowerShell command:

ConvertFrom-CIPolicy

to ‘compile’ it into a .bin file. You upload this .bin file into an Intune device configuration policy and apply that to all the desired machine.

Remember, unlike AppLocker, WDAC applies to the whole machine, not individual users of that machine.

Remember, WDAC is already part of Windows 10 so there is no additional cost and using Intune, it will work with both Windows 10 Enterprise and Professional to help you secure your environment.


Basics of deploying AppLocker using Intune

One of the great things about deploying Windows AppLocker via Microsoft Intune is that it supports both Windows 10 Enterprise and Professional. It is also quite straight forward to deploy as I hope the video conveys.

Once you have your base policies, you create a custom Windows 10 device Configuration policy with Intune and deploy it to your device fleet. Once that process is complete you’ll have the same application control you had on a single device but now across as many machines as you wish.

Remember, that Windows AppLocker is free with Windows 10 and easily deployed to machined from the cloud using Microsoft Intune.

Windows Print Spooler Remote Code Execution Vulnerability–CVE-2021-34527

Information about this from Microsoft can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

At the moment one of the work arounds is:

Option 2 – Disable inbound remote printing through Group Policy


You can also configure the settings via Group Policy as follows:


Computer Configuration / Administrative Templates / Printers


Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.


You must restart the Print Spooler service for the group policy to take effect.


Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

You can also make that settings change via Endpoint Manager and Intune.

image

You’ll need to ensure you have an Administrative template (ADMX) profile in the Device Configuration profiles. If not, then simply create one.

image

In that Administrative policy settings do a search for ‘spool’ or the like. You should find the above setting under \printers – Allow Print Spooler to accept client connections, which you should then set to Disable as shown.

if you then save the policy it should be pushed out to all machines. According to the CVE, you’ll also need to restart the spooler service as well. You can do this with the following PowerShell command once the policy has taken effect:

restart-service –name spooler

Perhaps a reboot is easier anyway?

You’ll need to be careful about potential disabling existing printing configurations with shared machines, so it will be best to monitor the impact just in case.

Hopefully, a patch will become available soon for this but even when it does, I think leaving the setting disabled in general is a good idea!

CIAOPS Need to Know Microsoft 365 Webinar – June

laptop-eyes-technology-computer

I think we should  try something a little different this month for the session. I’m going to attempt to use the new Microsoft Teams Webinars feature. For anyone who has attended a previous session this means the registration process will look a little different, but in the end it should achieve the same result but with less manual work by me. To start with you need to navigate to:

http://bit.ly/n2k2106

and submit your registration details. Shortly after this you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite!

How this all works come webinar time I’m still working out, but hopefully I should be across it all before the webinar starts. However, I’m sure there will be things that I’ll learn during the process, so if you want to see what unfolds then you best register to find and be part of the inaugural CIAOPS Teams webinar!

The topic for this month will be Device Management. I’ll dive into how you connect and manage devices in Microsoft 365 including iOS, Android and Windows devices. You’ll see how Microsoft 365 Device Management is a great way to improve the security of your information environment. As always, I’ll also share the latest news and events from Microsoft and as always, there’ll be plenty of time for your questions, so I hope you’ll join me at the event.

You can register for the regular monthly webinar here:

June Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – June 2021
Friday 25th of June 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.