5 Security Measures to Protect Client Devices that are Worth the Trouble

Posted on November 29, 2016

If you’re like most IT professionals today, you have a million things to do and a short window of time to get them done, so to lighten our endless load we sometimes implement things out of convenience rather than according to good policy. Unfortunately, the measures we take out of convenience today can end up creating more work for us down the road, a vicious circle that is hard to escape from. Below we have outlined five measures that may require a little time up front but boast a substantial potential payoff in reduced support calls and malware attacks that is more than worth it.

  1. Enforce the Local Admins Group

Let’s face it. Making our users administrators of their devices is easy. We don’t have to worry about applications that may require admin rights to function properly. Unfortunately, it goes against every facet of enforcing the practice of least privilege. Giving users local admin rights to their devices is like throwing a 16-year-old the keys to a Lamborghini without any limitations: at some point it’s not going to end well.

The concept of least privilege is simply that users should have only the privileges and rights they need to do their job and nothing more. With admin rights, users have unwarranted access to software configuration settings that they shouldn’t be meddling in. They also inherit the elevated privileges that let malware install itself. Fortunately, you can easily control the membership of the local Administrators group on all of your machines through Group Policy Preferences. Once enabled and deployed across the domain, unauthorized accounts will be removed from the group and prevented from joining it in the future.
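Group Policy Preferences does the enforcing at each policy refresh; between refreshes, a quick audit on the client shows whether anything has crept back in. The script below is an added example, not code from the original post: it compares the local Administrators group against an allowed list and reports (or, with the assumed -Enforce switch, removes) anything else. The principals CONTOSO\Domain Admins and CONTOSO\Workstation Admins are constructed placeholders; substitute the groups your GPP item actually permits.

```powershell
# Added example (not from the original post): audit the local Administrators
# group against an allowed list and flag or remove members not on it.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / PS 5.1+)
# and an elevated session.
param(
    [switch]$Enforce   # assumed switch: without it the script only reports
)

# Constructed placeholders: replace with the groups your policy permits.
$Allowed = @(
    'Administrator',                 # built-in local admin (often renamed or disabled)
    'CONTOSO\Domain Admins',         # placeholder domain group
    'CONTOSO\Workstation Admins'     # placeholder delegated support group
)

# Get-LocalGroupMember returns Name as "COMPUTER\user" or "DOMAIN\group".
$members = Get-LocalGroupMember -Group 'Administrators'

foreach ($m in $members) {
    # Strip this computer's own name so local built-ins compare as bare names.
    $name = $m.Name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", ''

    if ($Allowed -contains $name) {          # -contains is case-insensitive
        Write-Output "OK         $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))"
        continue
    }

    Write-Warning "UNEXPECTED $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))"
    if ($Enforce) {
        # Remove by SID so a renamed or orphaned account is still matched.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.SID
        Write-Output "REMOVED    $($m.Name)"
    }
}
```

Run it without -Enforce first, from a scheduled task or your endpoint management tool, and feed the warnings into whatever you use for alerting; an "UNEXPECTED" line on a machine that is under the GPP item is a sign the policy is not applying (or someone is adding themselves back between refreshes), which is worth a look in gpresult before the membership is simply cleaned up again.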

  1. Disable any Unused or Unnecessary Services

A key aspect of device hardening is to turn off and disable any unused services on your devices. This is a task made ridiculously simple, once again, through Group Policy Preferences. You will need to create this policy on a management machine with the most up-to-date operating system in order to ensure that all services are addressed. You may also need to make multiple policies to accommodate different hardware configurations. For instance, many organizations like to disable the Bluetooth service on user laptops for security reasons. In this case the policy would have to be created on a device that has this service.
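The hardware point above (a service you cannot disable on a machine that does not have it) is the part that bites when one baseline is pushed to mixed fleets. The script below is an added example, not from the original post: it applies a small disable list, skips services that are not installed on the current device, and records the prior startup type so a change can be rolled back after testing. The service names are real Windows service names, but the choice of which to disable is an assumed example baseline, not a recommendation from the post; only Bluetooth is mentioned there.

```powershell
# Added example (not from the original post): apply a service-disable baseline,
# skipping services absent on this hardware and logging prior state for rollback.
# Run elevated. Without -Apply the script only reports what it would change.
param([switch]$Apply)   # assumed switch for this example

# Assumed example baseline; the names are real Windows service names.
$Baseline = @(
    'bthserv',          # Bluetooth Support Service (absent on many desktops)
    'RemoteRegistry',   # Remote Registry
    'SSDPSRV',          # SSDP Discovery
    'upnphost',         # UPnP Device Host
    'XblAuthManager'    # Xbox Live Auth Manager
)

# Rollback log: one row per change, with the startup type we are replacing.
$log = Join-Path $env:ProgramData 'service-baseline.csv'

foreach ($name in $Baseline) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # The post's Bluetooth case: nothing to do on hardware without the service.
        Write-Output "SKIP    $name (not installed on this device)"
        continue
    }

    $before = $svc.StartType    # Get-Service exposes StartType on PS 5+
    if ($before -eq 'Disabled' -and $svc.Status -ne 'Running') {
        Write-Output "OK      $name already disabled"
        continue
    }

    Write-Output "CHANGE  $name  $before/$($svc.Status) -> Disabled/Stopped"
    if ($Apply) {
        [pscustomobject]@{
            Time           = Get-Date
            Service        = $name
            PriorStartType = $before
            PriorStatus    = $svc.Status
        } | Export-Csv -Path $log -Append -NoTypeInformation

        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType Disabled
    }
}
```

Run the report mode against one machine of each hardware type you support before building the GPP items; the SKIP lines tell you which services need their own policy scoped to the devices that actually have them, and the CSV gives you the previous startup types if a user-facing application turns out to depend on one of them.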

  1. Keep Patching up-to-date with Proper Testing

We all realize the importance of keeping our machines up to date with the latest patches and updates. We also know the chaos that an untested update can sometimes wreak upon the desktop experience for our users. For that reason, many organizations exercise a purposeful lag of 30 to 60 days from when updates are released. The problem, of course, is that well-known vulnerabilities remain exposed during that time. Having a virtual test environment in which to validate updates and patches upon their release can help identify possible conflicts that could occur within your user environment, while allowing your organization to deploy updates and patches network-wide in a timely manner.

  1. Reassess your Spam and Web Filters

Email phishing is probably the single biggest social engineering threat to your organization. Some of our recent blogs have outlined the recent ransomware outbreaks that have wreaked havoc on mission-critical organizations such as hospitals, forcing them to shut down because someone clicked a link within an email. We’ve also outlined some of the CEO phishing scams that cost some of the biggest company names in the world millions of dollars. Spamming has virtually no cost, which is why it is so prevalent, and the methodologies used in attacks are far more advanced than they were even five years ago. One phishing email can bring down your entire network, which is why it is worth your time to conduct an assessment every year of your current spam filtering service and compare its features to the alternatives. A solution that seemed completely suitable five years ago may be outdated today.

  1. Implement Local Device Firewalls

For years, most organizations could rely on a network perimeter strategy, like a king who depended on his castle wall and moat to protect him. As military strategy evolved, backed by advancing technology, sole dependence on a perimeter proved fatal for many kingdoms, as it does today for many networks. In today’s mobile world, sole reliance on perimeter protection is not enough. Every device that leaves the safety of the network should have local firewall protection. Again, before any broad implementation, this requires extensive testing of all desktop and cloud applications utilized by your users, but like all of these measures, a little time invested in prevention can go a long way.
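What "local firewall protection" should look like on a laptop that roams is mostly a question of profile defaults: all three profiles on, inbound blocked by default, and blocked connections logged so you can see what the testing phase missed. The script below is an added example, not from the original post; it checks each profile against that baseline, and with the assumed -Apply switch sets it and adds one narrowly scoped allow rule for a tested application instead of loosening the profile. The rule name and the program path C:\Program Files\ExampleVendor\lobapp.exe are constructed placeholders.

```powershell
# Added example (not from the original post): verify and enforce a host firewall
# baseline on a mobile device. Requires the NetSecurity module (Windows 8+/Server 2012+)
# and an elevated session. Without -Apply the script only reports drift.
param([switch]$Apply)   # assumed switch for this example

$Profiles = 'Domain', 'Private', 'Public'

# Desired state for every profile; values compared as strings against
# the properties Get-NetFirewallProfile returns.
$Desired = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    LogBlocked            = 'True'
    LogFileName           = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
}

# Report mode: list every property that differs from the baseline.
foreach ($p in Get-NetFirewallProfile -Name $Profiles) {
    foreach ($k in $Desired.Keys) {
        $have = [string]$p.$k
        if ($have -ne $Desired[$k]) {
            Write-Warning "$($p.Name): $k is '$have', want '$($Desired[$k])'"
        }
        else {
            Write-Output "OK  $($p.Name): $k = $have"
        }
    }
}

if ($Apply) {
    Set-NetFirewallProfile -Name $Profiles -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogFileName $Desired.LogFileName

    # Allow one tested line-of-business app inbound, on the trusted profiles only,
    # rather than opening the whole profile. Both values are placeholders.
    $ruleName = 'LOB App (tested)'
    $program  = 'C:\Program Files\ExampleVendor\lobapp.exe'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Program $program -Profile Domain, Private -Enabled True
    }
}
```

The logging setting is the part that pays for itself during the testing the post calls for: with LogBlocked on, the pfirewall.log entries from a pilot group tell you exactly which application and port a user's complaint is really about, so the allow rule you add is scoped to that program rather than to "whatever made the error go away."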


Posted in: IT Security