Update Your IT Infrastructure
Failing to keep IT equipment up to date regularly gives attackers a way to take control of one or more machines. Vulnerabilities in operating systems and applications are found all the time, which forces publishers to release patches to protect their customers. Microsoft releases its security patches for Windows on the second Tuesday of every month, known as Patch Tuesday. For more information on the security patches released by Microsoft, you can refer to the documentation or visit the Ultimate Windows Security website.
So how can I keep my systems and applications up to date, while also monitoring the overall status of my IT infrastructure’s updates?
For the operating system, in an Active Directory environment, you’ll need to update Windows on the workstations and servers. Microsoft’s WSUS (Windows Server Update Service) is the ideal solution for this. It allows you to download Microsoft updates to the WSUS update server just once and then distribute them to all Windows workstations.
In addition to the operating system, applications will probably need to be deployed on your equipment, and it’s critical that these applications are also kept up to date. Various tools exist to detect the versions of installed software and recommend updates where necessary. Some of these tools even provide a list of current vulnerabilities and compare the software versions installed on each workstation against it to determine whether or not the workstation is vulnerable. The CyberWatch tool fulfills this requirement, but it’s not free.
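The version comparison such tools perform, as an added example that is not part of the course: a small inventory of workstations (constructed sample hosts, product names and versions) is checked against the minimum version in which a known issue was fixed. Versions are compared numerically, because comparing them as strings would rank “9.2.0” above “11.0.4” and miss the outdated install.

```python
# Added example (not from the course): flag workstations whose installed software
# is below the version that fixed a known issue. Hosts, products and versions are
# constructed sample data, not a real vulnerability feed.

def parse_version(text):
    """Turn '7.1.10' into (7, 1, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

# Constructed: minimum patched version per product (what a tool like the one the
# course mentions would pull from a vulnerability feed).
MIN_PATCHED = {
    "ExampleReader": "11.0.4",
    "ExampleBrowser": "120.0.2",
}

# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "WS-001": {"ExampleReader": "11.0.4", "ExampleBrowser": "119.0.9"},
    "WS-002": {"ExampleReader": "9.2.0", "ExampleBrowser": "120.0.2"},
    "SRV-01": {"ExampleReader": "11.0.10"},
}

def find_outdated(inventory, minimums):
    """Return {host: [(product, installed, required), ...]} for every outdated install.
    Products absent from the minimums table are ignored rather than guessed at."""
    report = {}
    for host, software in inventory.items():
        for product, installed in software.items():
            required = minimums.get(product)
            if required is None:
                continue
            if parse_version(installed) < parse_version(required):
                report.setdefault(host, []).append((product, installed, required))
    return report

if __name__ == "__main__":
    for host, issues in find_outdated(INVENTORY, MIN_PATCHED).items():
        for product, installed, required in issues:
            print(f"{host}: {product} {installed} < {required} (update needed)")
```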
In addition to updates, there are a few other things that need to be monitored on your IT equipment. The account used to install applications is often a default account with a default password. Remember those infamous “admin/admin” or “admin/password” accounts? These accounts absolutely need to be changed. Ideally, if the application supports it, multifactor authentication should be enabled for critical applications, at the very least.
Partition Your Network
Do you remember the reconnaissance phases with network scans and lateral movement techniques to compromise new accounts and workstations? Network partitioning can significantly reduce the risks resulting from these attacks. If an attacker compromises a user’s workstation but has limited network access, the scope of the attack is reduced.
Here is one way the network architecture can limit what an attacker is able to do. You divide your IT infrastructure into three zones:
User workstations
Servers
Administrator workstations
You authorize only certain data flows on the network and deny all others. This is more effective than blocking specific data flows. Among the authorized flows will be those enabling workstations to connect to applications, that is, flows from the user zone to the server zone. For example, you can allow the SMB protocol from users to file servers or HTTP to web applications. In the vast majority of cases, there’s no reason to allow RDP, or any data flows at all, between user workstations. You’ll need to authorize flows from the admin zone to the other zones, but only in that one direction. No flows should be allowed into the administrator workstations.
When you learned about network scans, you saw that they provide visibility over the information system from a given location. This means that the admin zone must be invisible from user workstations and servers. In other words, no scan run from those zones should be capable of detecting the admin zone. If this has been correctly implemented, the zone will be well protected.
Of course, there are always a few exceptions. Occasionally, for example, servers need to contact workstations in order to push updates. But a good rule to remember is that, by default, no data flows should be allowed. Add authorized flows on an as-needed basis. This will give you complete control over your network flow matrix and greatly limit an attacker’s options. Remember to properly document and trace these exceptions so that you remember the reasons why they exist.
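The flow matrix described above, written out as an added example (not the course’s own code): every flow is denied unless an explicit rule allows it, each rule carries the reason it exists, and a check confirms the two hard constraints from the chapter, nothing inbound to the admin zone and no workstation-to-workstation flows. Zone names, protocol labels and the WSUS exception are constructed for illustration.

```python
# Added example (not the course's own code): a default-deny flow matrix for the
# three zones described above. Zone names, protocol labels and the one documented
# exception are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # protocol label such as "SMB", "HTTP", "RDP"

@dataclass(frozen=True)
class Rule:
    flow: Flow
    reason: str  # why the flow exists; exceptions are documented here, not just allowed

ALLOWED = [
    Rule(Flow("users", "servers", "SMB"), "workstations reach the file servers"),
    Rule(Flow("users", "servers", "HTTP"), "workstations reach the web applications"),
    Rule(Flow("admins", "servers", "RDP"), "administration, admin zone outbound only"),
    Rule(Flow("admins", "users", "RDP"), "administration, admin zone outbound only"),
    # Documented exception: the update server pushes to workstations.
    Rule(Flow("servers", "users", "WSUS"), "exception: WSUS pushes updates to workstations"),
]

def is_allowed(flow, rules=ALLOWED):
    """Default deny: a flow passes only if an explicit rule matches it exactly."""
    return any(rule.flow == flow for rule in rules)

def matrix_violations(rules=ALLOWED):
    """Check the matrix against the chapter's constraints and return offending rules:
    nothing may enter the admin zone, and workstations must not talk to each other."""
    bad = []
    for rule in rules:
        if rule.flow.dst == "admins":
            bad.append(("inbound to admin zone", rule))
        if rule.flow.src == "users" and rule.flow.dst == "users":
            bad.append(("workstation to workstation", rule))
    return bad

if __name__ == "__main__":
    for flow in (Flow("users", "servers", "SMB"), Flow("users", "servers", "RDP"),
                 Flow("users", "admins", "SMB"), Flow("servers", "users", "WSUS")):
        print(flow, "ALLOW" if is_allowed(flow) else "DENY")
    print("violations:", matrix_violations())
```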
Archive Data
Implementing security measures for your IT infrastructure greatly reduces the risk of being compromised, but the risk is never completely eliminated. You’ve no doubt heard of ransomware attacks: malware that encrypts the machines in the IT infrastructure and then demands money for the decryption key.
Paying the ransom is not a long-term solution. First, after you have paid, the key is often not sent, or the decryption software doesn’t work. Second, if threat actors have managed to encrypt your infrastructure once, they can always do it again at a later date.
This is why it’s important to properly back up and archive your data on a regular basis, so that, if you are compromised, you can restart from the latest clean backup.
The first step is to enable the backup feature on the servers. You may not have to back up all your servers, but domain controllers (or at least the main domain controller) and file servers are necessary. Microsoft’s Windows Server Backup feature automates this process. The installation and configuration steps are explained on the RDR-IT website.
Ransomware that spreads across the network can also encrypt any backups it can reach. For this reason, it’s important that backups are stored in multiple locations, including at least one offline location. The offline location must not be accessible from the company network, so that the backups cannot be encrypted along with everything else. There are multiple options available, such as physically storing the data on tape. You can also outsource your backups to a cloud provider, like Azure.
Storing backups in a safe place is a good start, but it’s still useless if you can’t use them when there’s a problem. That’s why it is imperative that you test restoring your servers from backups on a regular basis. Backup solutions, authorized data flows, and OS versions constantly evolve, so the restore process you’ve implemented must be able to evolve with them.
Harden the Workstations
Finally, whatever happens, workstations and servers absolutely must be monitored and hardened. When an attacker wants to compromise a network, they will execute malicious actions on the machines. These actions must be blocked and immediately detected by the defense teams.
You need to have an EDR (Endpoint Detection and Response) solution, the enhanced version of an antivirus, on all workstations and servers. This tool monitors the machine on which it is installed and uses rules to analyze suspicious behavior. For example, if it detects that the word.exe process has launched a cmd.exe console, this could be a sign of malicious behavior. Such actions can be reported and even blocked. It’s an intelligent antivirus that also has the added benefit of recording everything that happens on the workstation. If a workstation turns out to have been compromised, the history of actions recorded by the EDR allows the defense teams to analyze the malicious behavior and isolate the machine from the network.
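The kind of rule described above, as an added example that is not part of the course: a parent/child process check (an Office application spawning a command interpreter) run over a handful of constructed process-creation events, followed by the per-host history a responder would pull once a host is flagged. Hosts, sequence numbers and process names are constructed sample data.

```python
# Added example (not from the course): a minimal parent/child process rule of the
# kind an EDR evaluates, run over constructed process-creation events, plus the
# per-host history a responder would pull once a host is flagged.
from collections import namedtuple

Event = namedtuple("Event", "seq host parent child")

# Constructed sample events: (sequence number, host, parent image, child image)
EVENTS = [
    Event(1, "WS-001", "explorer.exe", "winword.exe"),
    Event(2, "WS-002", "explorer.exe", "cmd.exe"),
    Event(3, "WS-001", "winword.exe", "cmd.exe"),
    Event(4, "WS-001", "cmd.exe", "whoami.exe"),
    Event(5, "WS-003", "outlook.exe", "powershell.exe"),
]

# Office applications have no business launching a command interpreter.
OFFICE_PARENTS = {"word.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}

def is_suspicious(event):
    """The rule itself: an Office process spawning a shell."""
    return (event.parent.lower() in OFFICE_PARENTS
            and event.child.lower() in SHELL_CHILDREN)

def flagged_hosts(events):
    """Return {host: [(parent, child), ...]} for every host that tripped the rule."""
    hits = {}
    for ev in events:
        if is_suspicious(ev):
            hits.setdefault(ev.host, []).append((ev.parent, ev.child))
    return hits

def host_history(events, host):
    """Everything recorded for one host, in order: the timeline analysts start from."""
    return [ev for ev in sorted(events, key=lambda e: e.seq) if ev.host == host]

if __name__ == "__main__":
    for host, pairs in flagged_hosts(EVENTS).items():
        print(host, "flagged:", pairs)
        for ev in host_history(EVENTS, host):
            print("   ", ev.seq, ev.parent, "->", ev.child)
```

A user opening cmd.exe from Explorer (WS-002) is normal and is not flagged; the rule only fires on the Office-to-shell pairing, and the history then shows what the shell did next.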
It’s also important that all hard drives are encrypted. All recent versions of Windows include BitLocker, which simplifies hard drive encryption. If a workstation is lost or stolen, the attacker will not be able to extract sensitive or personal information from its hard drive.
The host firewall must be configured to allow only the incoming and outgoing data flows that are needed. It supplements the network partitioning described earlier.
When it comes to hardening a workstation or server, there are no real limits. Here are a few more pointers to consider:
Avoid allowing users to be administrators of their own workstation.
Add a BIOS password so that the BIOS settings cannot be changed.
Ensure that the boot sequence starts from your hard disk and not from removable media. This prevents booting from an unchecked OS.
Enable UAC (User Account Control) to protect yourself against certain pass-the-hash techniques and other elements that we’ll look at in the following chapters.
This list is not exhaustive—we’d need an entire course to talk about hardening the workstations! To learn more, take a look at the Microsoft website.
Let’s Recap!
This list is not exhaustive. There are many effective methods available to protect workstations and servers in an information system.
Update the company’s operating systems and applications on a regular basis.
Partition the network to limit the impact of an attack that has compromised a workstation or server.
Perform regular server backups so that, in the event of a compromise, you can restart from a clean base.
Harden your workstations in order to limit the actions of an attacker who may have compromised one of them.
These general rules apply to all types of information systems and are best practices for improving your infrastructure’s security. Even still, this is not enough. You also need to correctly configure and secure your Active Directory environment. We’ll be looking into this in the next chapter!