Can you trust your users to resist the temptation offered by phishing emails? Probably not.
There is always someone Phishing...
Of course, standard Windows Desktop users should be provisioned as Users without Local Admin rights for everyones’ sakes, but can you even trust yourself not to be caught out? Probably? Almost certainly?
What about other Privileged Users in your organization? If the right phishing bait was sent at just the right (wrong) time, would even the savviest and most cybersecurity-aware user always avoid the trap?
We have all seen plenty of crude phishing emails – poor spelling, not personalized, and easily-spotted fake URLs.
But what if you were targeted by a more sophisticated attack? An attack where the protagonist had done some research on you and crafted their phishing email with finesse? Would you still have your guard up and not click?
While this can never be guaranteed, the risk exists that a Privileged User, maybe even one with Domain Admin Rights, could fall victim to phishing malware.
System Hardening - On Steroids
System hardening measures exist to close-off the huge range of vulnerabilities within Windows that can be exploited. The CIS Benchmarks offer the most comprehensive guidance with a detailed rationale for each vulnerability and remediation advice. Likewise the Microsoft Threats and Countermeasures content covers the same ground but it isn’t always easy to get the clear, prescriptive advice that is needed.
But beyond system hardening measures there are a range of other security measures available that are both hugely beneficial and at the same time very underused. Here is a brief summary of what is on offer (all for free if you are using Enterprise operating system versions)
Enhanced Malware Defenses - Built-in and ready to go
EMET – Microsoft's EMET (Enhanced Mitigation Experience Toolkit) provides a range of technical countermeasures to a variety of Windows vulnerabilities. This stuff really works to eliminate opportunities for malware through use of
- DEP (Data Execution Prevention to block memory exploit malware)
- ALSR (Address Space Layout Randomization to prevent process hijacking)
- SEHOP (Structured Exception Handler Overwrite Protection defends against exception handler exploits, common to many browser exploits)
- Certificate Trust (aka Certificate Pinning to prevent Man-In-The-Middle attacks)
EMET is provided as an optional extra and for good reason – it is very good at preventing malware execution but this also means it will often break other applications. As with any hardening measure, test and introduce gradually. The default settings comprise Recommended and Maximum Security with the option to customize.
AppLocker – the latest iteration of Microsoft’s Software Restriction Policy technology is highly effective and not difficult to implement. Rule-based policy for determining who can execute which software installations and programs. The rules are either defined by path, publisher or by an exact filehash.
Set via Group Policy, there are three steps needed.
- Enable the Application Identity Service
- Configure Rule Enforcement (Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > Executable Rules)
- Create Rules (Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules, and the equivalent Installer Rules)
The Default Rules essentially restrict Users to only run executables outside of their User Profile path but still allows any Administrator to run anything from anywhere. It is sensible practice to restrict even Admin users to the same policy, but create a ‘Safe Execution’ folder. In this way, an Admin user needs to make a conscious, deliberate decision to run new executables and installers.
UAC – User Account Control - This is a case of 'Take your medicine' – we all hate UAC because it gets in the way for every step of any support task but it is there for our protection. You can disable it – cast off the safety harness and takeaway the net to walk the tightrope unhindered, but for a safety-first approach, learn to tolerate UAC.
Finally, just for completeness while the focus is on the latest Windows Security Policy extensions, the BitLocker featureset is less about prevention of a breach and more about contingency, providing full drive encryption. Again this is pre-packed with the Professional/Ultimate/Enterprise OS editions.
In summary, there is a range of highly-effective malware protection options provided with contemporary Windows versions which should be considered for operation in conjunction with system hardening and breach-detection file integrity monitoring technology.