Q&A

The State of Windows Security: What's Coming, What's Obsolete and How To Deal

For starters, it's time to throw out the concept of regular password expirations.

• By Gladys Rama
• 10/24/2024

Windows admins have needed to adapt to innumerable changes in the past few years. In their upcoming Live! 360 session titled "Security Baselines / Hardening for Windows Servers and Desktops," top cybersecurity consultants Cristal and Dave Kawula will share their best advice for hardening Windows systems for current and upcoming threats.

Ahead of their talk, though, they shared their insights on how we got here, including recent tectonic shifts like the normalization of remote work to the advent of enterprise-ready AI.

Redmondmag: How has the security landscape changed in the last few years, and what effect have those changes had on how organizations should approach Windows security?
Kawulas: The security landscape has evolved significantly in recent years due to the increasing complexity and frequency of cyber threats. Here are some key changes and their impact on how organizations should approach Windows security:

• Rise of Sophisticated Threats: Cyber threats have become more sophisticated, with advanced persistent threats (APTs), ransomware and zero-day exploits targeting organizations more frequently. Attackers are using AI and automation to create more effective and elusive attacks. Organizations need to adopt a proactive security posture. This includes continuous monitoring, real-time threat detection and rapid response capabilities. Windows security solutions should integrate advanced threat protection (ATP) tools, such as Microsoft Defender for Endpoint, to detect and mitigate threats early.
• Increased Remote Work: The shift to remote and hybrid work models has expanded the attack surface. Employees accessing corporate resources from various locations and devices introduce new vulnerabilities. Organizations should focus on securing endpoints and ensuring robust access controls. Implementing zero-trust principles, such as identity verification for every access request and least-privilege access, is crucial. Windows security configurations should emphasize multifactor authentication (MFA) and conditional access policies.
• Cloud Adoption: The migration to cloud services has transformed how data and applications are managed and secured. While cloud platforms offer robust security features, they also present new challenges, such as misconfigurations and data exposure. Organizations must extend their security strategies to include cloud environments. This involves using tools like Microsoft Azure Security Center to monitor cloud workloads and enforce compliance. Windows security settings should align with cloud security policies to ensure consistent protection across on-premises and cloud environments.
• Regulatory Compliance: The introduction of stricter data protection regulations, like GDPR and CCPA, has heightened the importance of data security and privacy. Noncompliance can lead to severe penalties and reputational damage. Organizations should implement strong data protection measures, such as encryption and data loss prevention technologies. Windows security should support these efforts by ensuring that sensitive data is protected at rest and in transit, and that security policies are enforced consistently.
• Supply Chain Attacks: Supply chain attacks, where attackers compromise a trusted vendor or software provider to infiltrate their customers, have become more common. High-profile incidents have highlighted the need for stronger third-party security. Organizations should vet their vendors and enforce stringent security requirements. Windows security settings should include monitoring for anomalous behavior and unauthorized software installations, as well as leveraging solutions like Microsoft Defender Application Guard to isolate potential threats.

The recent Crowdstrike debacle downed potentially millions of Windows systems worldwide. Are there any teachable nuggets from that incident that IT pros should remember?
The Crowdstrike incident, which led to widespread system outages, serves as a crucial learning opportunity for IT professionals. Here are some key takeaways:

• Importance of Change Management: The issue arose from a faulty update or configuration pushed by Crowdstrike, affecting many Windows systems. Always follow strict change management processes. This includes thorough testing in a controlled environment before rolling out updates or patches to production systems. IT pros should also maintain a robust rollback plan in case an update causes unexpected issues.
• Criticality of Monitoring and Alerts: The problem went unnoticed until it began causing widespread disruptions. Implement continuous monitoring and set up alerts for unusual system behavior. Real-time monitoring tools can detect anomalies or degradation in performance early, allowing IT teams to act before a situation escalates.
• Need for a Layered Security Approach: The dependency on a single security solution (Crowdstrike) led to widespread vulnerabilities when it malfunctioned. Avoid reliance on a single security vendor or solution. A layered security approach, with multiple tools and technologies, ensures that if one layer fails, others can provide protection. This could include combining endpoint protection solutions, firewall rules, network segmentation and behavioral analytics.
• Proactive Communication and Transparency: Delays or gaps in communication during the incident may have exacerbated the situation. Ensure there is a clear communication plan in place for emergencies. Vendors should quickly inform customers about potential issues, while IT teams should promptly communicate with their stakeholders, including users and management, about ongoing incidents and expected resolutions.
• Disaster Recovery and Business Continuity Planning: The outage disrupted operations across many organizations, highlighting the importance of preparedness. IT pros should ensure that disaster recovery and business continuity plans are up to date and regularly tested. This includes having backups and alternative solutions in place that can quickly be activated if a primary security tool fails.
• Vendor Relationships and Accountability: The incident underscored the critical role vendors play in an organization's security posture. Maintain strong relationships with vendors, ensuring they are accountable and transparent. Establish SLAs that include provisions for incident management, and regularly review vendor performance and security practices.
• Regular Audits and Assessments: The fallout from the Crowdstrike issue may have been exacerbated by unaddressed vulnerabilities or system dependencies. Conduct regular security audits and assessments to identify potential risks or dependencies that could be impacted by a vendor's failure. This proactive approach can help identify and mitigate vulnerabilities before they lead to significant issues.
• Incident Response Readiness: Organizations may have struggled with their response due to the unexpected nature of the problem. Ensure that incident response plans are robust and well-practiced. This includes having predefined roles, responsibilities, and communication channels for dealing with security incidents. Regular drills and simulations can prepare IT teams to respond effectively to real-world scenarios.

There was a lot of security-related backlash against Windows Recall, the AI feature that was initially set to debut on Microsoft's new Copilot+ PCs this past summer. What are your thoughts on how Recall (and AI features like it) will affect Windows security in the future? 
The controversy surrounding Windows Recall, the AI feature intended for Microsoft's Copilot+ PCs, highlights the growing concerns about the intersection of AI and security. Here's how Recall and similar AI features could impact Windows security in the future:

• Enhanced Security Capabilities: AI features like Windows Recall have the ability to significantly enhance security by providing more sophisticated threat detection and response. AI can analyze vast amounts of data in real-time, identifying patterns and anomalies that traditional security tools might miss. This could lead to more proactive defenses against emerging threats. As AI becomes more integrated into Windows, security measures will likely become more automated and efficient. AI-driven features could reduce the time it takes to detect and mitigate threats, potentially lowering the risk of successful attacks.
• Increased Attack Surface: Introducing AI features into operating systems could also create new vulnerabilities. AI systems are complex and could be targeted by attackers looking to exploit flaws in the algorithms, data processing, or integration points with other systems. Organizations will need to carefully assess and manage the risks associated with AI in Windows environments. This includes regularly updating AI models, securing the data these models rely on, and implementing rigorous testing to identify and patch vulnerabilities.
• Data Privacy and Security: AI features like Windows Recall are designed to process and analyze large amounts of user data to function effectively. This raises significant concerns about data privacy, especially if the data is sensitive or personally identifiable. Companies will need to ensure that AI features adhere to strict data privacy standards. This includes implementing data encryption, anonymization, and strict access controls. Organizations should also be transparent about how data is collected, processed, and stored, to build trust with users and comply with regulations like GDPR.
• Potential for AI Manipulation: Malicious actors could potentially manipulate AI models or feed them biased data, leading to incorrect decisions or behaviors. For instance, adversarial attacks could trick AI systems into misclassifying threats or generating false positives. To counteract this, organizations will need to implement robust AI governance practices. This includes regular model audits, bias detection, and continuous learning mechanisms that ensure AI systems are resilient against manipulation.
• Human-AI Collaboration: AI features like Recall are designed to augment human capabilities by automating routine tasks and providing insights that might be missed by human analysts. This can free up security professionals to focus on more complex, strategic tasks. AI will likely become a valuable tool for security teams, enabling them to respond to threats more effectively and efficiently. However, it's important to ensure that human oversight remains in place, as AI decisions may still require human interpretation and validation.
• Regulatory and Ethical Considerations: As AI becomes more prevalent in security, there will be increasing regulatory scrutiny and ethical considerations around its use. Questions about AI accountability, decision-making transparency, and the potential for discrimination will need to be addressed. Organizations will need to stay informed about evolving regulations and ethical standards related to AI. This includes ensuring that AI features comply with legal requirements and do not inadvertently introduce biases or unfair practices.
• User Trust and Adoption: The backlash against Windows Recall underscores the importance of user trust. If users perceive AI features as invasive or insecure, they may be reluctant to adopt them. Microsoft and other vendors will need to prioritize user education and communication, explaining how AI features work and what safeguards are in place to protect privacy and security. Building trust will be key to the successful adoption of AI-driven security features.
• Future of AI-Driven Security: In the long term, AI features like Recall could lead to a more intelligent and adaptive security ecosystem within Windows. AI could enable more personalized security settings, dynamic risk assessment, and real-time adaptation to new threats. The future of Windows security will likely be increasingly AI-driven, with AI features becoming integral to the OS's ability to protect users and systems. However, balancing the benefits of AI with the potential risks will be crucial to ensuring that these advancements enhance rather than undermine security.

Are there any Windows security "rules of thumb" that you think are outdated and in need of a refresh?
Sure; here are the top three that come to mind:

• "Regular Password Expiration is Essential." For years, it was standard practice to enforce regular password changes, with users required to update their passwords every 60 or 90 days. The idea was that frequent changes would reduce the risk of compromised credentials being misused over time. Regular password changes can actually lead to weaker passwords as users often resort to simple, predictable patterns (e.g., Password1, Password2). Modern security strategies emphasize the use of strong, unique passwords combined with MFA, rather than frequent password changes.
• "Antivirus Alone is Sufficient for Endpoint Protection." Traditionally, installing antivirus software on all endpoints was seen as the primary line of defense against malware and other threats. Today's threats are more sophisticated, with attackers using advanced techniques like fileless malware, ransomware, and phishing that can evade traditional antivirus solutions. Relying solely on antivirus software leaves gaps in security.
• "Security is the IT Department's Responsibility Alone." In the past, security was often viewed as the sole responsibility of the IT department, with minimal involvement from other parts of the organization. Modern cybersecurity is a shared responsibility. Threats can target anyone within an organization, and a security breach can occur due to human error, social engineering, or poor practices by any employee.

On the flipside, what's an evergreen Windows security best practice that you find yourself talking about conference after conference?
An evergreen Windows security best practice that remains crucial and consistently relevant is "Implementing the Principle of Least Privilege (PoLP)." This concept is foundational in cybersecurity and continues to be a key talking point at conferences. The core idea of PoLP is that users and applications should be granted only the minimum level of access -- or permissions -- necessary to perform their required tasks. This reduces the risk of accidental or malicious misuse of privileges.

There are several reasons why this idea is considered evergreen:

• Minimizes Attack Surface: By restricting access, you limit the potential impact of compromised accounts or software vulnerabilities. Attackers have fewer opportunities to escalate privileges or move laterally within a network.
• Reduces Human Error: With fewer privileges, the chances of users unintentionally executing harmful actions are reduced, which is particularly important in environments where users may not be security experts.
• Limits Damage from Insider Threats: Insider threats -- whether intentional or accidental -- are mitigated because users can only access what they truly need, reducing the potential for damage.

IT teams have do need to consider these best practices when it comes to applying PoLP:

• User Accounts: Regular users should not have administrative rights. Admin accounts should be separate and used only when necessary, with strong authentication mechanisms.
• Applications and Services: Configure applications and services to run with the least privileges required for their operation. Avoid granting unnecessary access to system files or network resources.
• Regular Review: Continuously review and adjust permissions as roles or needs change. Automated tools can help monitor and enforce these privileges.