Securing Windows and hardening Windows devices are ongoing tasks made all the more difficult because it is the most commonly used enterprise OS -- and, therefore, one of the most targeted environments by attackers.
Windows security requires a deep understanding of the OS, its users and devices, and its settings. Cybersecurity practitioners Mark Dunkerley and Matt Tumbarello wrote Mastering Windows Security and Hardening: Secure and protect your Windows environment from cyber threats using zero-trust security principles, an in-depth guide that helps security pros, solutions architects and sys admins gain the understanding needed for successful Windows security. Their book covers everything from Windows security fundamentals to Windows server security to hardening Windows clients.
In the following interview, authors Dunkerley and Tumbarello share their top enterprise Windows security advice, including why it would be wise for security teams to use low-hanging fruit as a starting point in their journey to lock down their company's Windows environment.
Check out an excerpt from Chapter 10 of Mastering Windows Security and Hardening to learn how to use Microsoft Intune, a cloud-based endpoint management platform, to configure Windows privacy settings.
Editor's note: The following interview has been edited for clarity and conciseness.
Why did you write the book?
Mark Dunkerley: Windows is the largest OS from an enterprise user perspective. There aren't many books that consolidate Windows security and hardening into one. We identified an opportunity to cover the broader aspects of Windows security and go beyond just setting a baseline for enterprise security efforts. We wanted to help organizations with modernized security efforts protect the entirety of Windows.
Matt Tumbarello: Being a Microsoft Learn and Docs junkie, a plethora of information is out there around Windows and securing devices. We wanted to consolidate some of that information and present it in a different way. And we wanted to help prevent administrators and security teams from having to browse through thousands and thousands of resources on the internet.
Which chapter do you consider the most important?
Tumbarello: Chapter 5, where we cover identity and access management [IAM]. So much of security has shifted from hardening the network and perimeter to protecting the identity layer. Identity plays a key role in overall Windows security.
Dunkerley: The IAM chapter is closest to my heart. Identity is the new perimeter. No matter how much you harden a device, no matter what you do -- once the identity has been compromised, the attacker has access to everything else on that Windows device.
What is your top Windows enterprise security tip?
Dunkerley: I have two: Focus on zero trust, and use a multilayered security approach. Zero trust has multiple models available. Microsoft has its own with six pillars to protect the device, identity, infrastructure, network, data and apps. My advice would be to implement zero trust with a big emphasis on protecting identity.
Tumbarello: I suggest organizations create a security baseline. When talking more tactically about Windows devices and configurations, pick an organization such as CIS [Center for Internet Security], and focus on its recommendations and benchmarks as a starting point. This can be especially helpful if no baselines are already in place.
What is the most difficult aspect of Windows security and hardening?
Tumbarello: Lots of things come to mind because it's an ever-evolving space. For example, it's challenging to stay up to date on the latest vulnerabilities from tracking to remediation efforts. Another challenge is making sure your patch management program is effective and that you're applying the latest recommended security configurations. It's also challenging to have an effective monitoring system and to ensure you're capturing the right log sources for an audit trail.
Dunkerley: One of the biggest challenges is that technology continues to grow at a fast pace. Most companies are still in a legacy or hybrid deployment and trying to modernize while keeping up with current threats. I agree that patching is a challenge. We traditionally updated test devices following Patch Tuesday and validate no issues for a week or more, then, maybe a month later, update all production devices. That is no longer acceptable. Updates need to be pushed immediately, even with the risk that we may break an application in the process. We can't risk getting compromised because of not pushing patches right away.
What low-hanging fruit can teams target to quickly improve Windows security in the enterprise?
Tumbarello: Focus first on Azure Active Directory [AD] join, and make it a priority. [This means connecting all user devices to your organization's Azure AD.] If using Azure AD, set up Conditional Access policies, and configure device compliance checks using Intune. This includes making sure hardware has secure boot enabled, devices are encrypted and antivirus is enabled, and making sure scans are running and definitions are up to date. Also, have endpoint detection and response threat protection in the back end that monitors those endpoints. Lastly, make sure multifactor authentication is enabled on user accounts.
Speaking of monitoring endpoints, what is the best way to combat shadow IT?
Dunkerley: Shadow IT is challenging to tackle as it's the unknown. One way to combat shadow IT is to build better relationships with different areas of the business to become more engaged with them and their deliverables. Support from a broader organizational level is needed to manage and reduce shadow IT. From a technical perspective, enforce single sign-on for all applications to gain more visibility across business applications. Use a cloud access security broker [CASB] to bring all your apps through a cloud proxy. This gives you visibility and understanding of what traffic is out there and what users are accessing.
Tumbarello: It's tough from strictly an endpoint perspective, so the more applications you can move into the cloud, the better the monitoring can get by supplementing with third-party products. Like Mark said, having a CASB is huge because everything can proxy through it to help identify shadow IT. Having a data loss prevention program identifies and classifies data to get an understanding of what is happening with it on devices in an environment. This would also help control shadow IT.
About the authors
Mark Dunkerley is a cybersecurity and technology leader with over 20 years of experience working in higher education, healthcare and Fortune 100 companies. Dunkerley has extensive knowledge in IT architecture and cybersecurity through delivering secure technology solutions and services. He has experience in cloud technologies, vulnerability management, vendor risk management, identity and access management, security operations, security testing, awareness and training, application and data security, incident and response management, regulatory and compliance, and more. Dunkerley holds a master's degree in business administration and has received certifications through (ISC)2, AirWatch, Microsoft, CompTIA, VMware, Axelos, Cisco and EMC. He has spoken at multiple events, is a published author, sits on customer advisory boards, has published several case studies and is featured as one of Security Magazine's 2022 Top Cybersecurity Leaders.
Matt Tumbarello is a senior solutions architect. He has extensive experience working with the Microsoft security stack, Azure, Microsoft 365, Intune, Configuration Manager and virtualization technologies. He also has a background working directly with Fortune 500 executives in a technical enablement role. Tumbarello has published reviews for Azure security products, privileged access management vendors and mobile threat defense solutions. He also holds several Microsoft certifications.