Microsoft Offers IT Pro Security Tips and Gets Windows Hello FIDO2 Certification
Microsoft this week laid out security advice for organizations, which included some best-practice guidelines for IT pros.
The general idea is that system administrators are a main target of attackers. A few years ago, it was disclosed, as part of the Edward Snowden leaks, that the U.S. National Security Agency specifically targets system administrator accounts.
IT Best Practices for Security
Microsoft based its security advice for organizations on its own internal processes. The advice boils down to having three precautions in place -- namely, IT pros should have a separate machine, a separate identity and "nonpersistent" access rights for performing administrative tasks.
The separate device for performing administrative tasks should be kept up to date with the latest software patches, Microsoft advised. This device should have its security settings set high. Remote access to this machine should be blocked.
A system administrator's identity on a network should be separate from his or her information worker identity.
"Issue an administrator identity from a separate namespace or forest that cannot access the internet and is different from the user's information worker identity," Microsoft advised, adding that its own administrators are required to use a smartcard to access the account, as well.
Lastly, administrative accounts should have "zero rights by default." Instead, Microsoft recommends having a nonpersistent access scheme in place for IT pros. Microsoft calls these schemes "just-in-time" access solutions, where IT pros are allotted a specific amount of time to complete a particular administrative task and everything gets logged. Just-in-time solutions are part of Microsoft's various Privileged Access Management solutions, which exist for Office 365 and Azure Active Directory, among others.
Organizations also should control access by setting role-based access control policies. However, organizations need an identity governance process, too, so that IT personnel don't continue to have the same access privileges when their roles change.
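The just-in-time pattern described above, modeled as an added example (not Microsoft's Privileged Access Management code): an account holds no rights by default, a role is activated only for a stated number of minutes, and every decision is written to an audit log. The account names, roles and ticket numbers are constructed.

```python
import time

class JitAccess:
    def __init__(self, eligible, clock=time.time):
        self.eligible = eligible   # account -> set of roles it may activate
        self.clock = clock         # injectable so expiry can be tested
        self.active = {}           # (account, role) -> expiry timestamp
        self.audit = []            # one record per decision, oldest first

    def _log(self, event, account, role, **extra):
        self.audit.append({"ts": self.clock(), "event": event,
                           "account": account, "role": role, **extra})

    def activate(self, account, role, minutes, justification):
        # Open a time-boxed window; the account must be eligible for the role.
        if role not in self.eligible.get(account, set()):
            self._log("denied", account, role, reason="not eligible")
            return False
        self.active[(account, role)] = self.clock() + minutes * 60
        self._log("activated", account, role, minutes=minutes, why=justification)
        return True

    def has_role(self, account, role):
        # True only while a window is open; a closed window is logged once.
        expiry = self.active.get((account, role))
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.active[(account, role)]
            self._log("expired", account, role)
            return False
        return True

    def perform(self, account, role, action):
        # Every attempt is logged, whether it is allowed or blocked.
        allowed = self.has_role(account, role)
        self._log("action" if allowed else "blocked", account, role, action=action)
        return allowed

def demo():
    now = [1_000_000.0]  # constructed fake clock
    jit = JitAccess({"admin-alice": {"ExchangeAdmin"}}, clock=lambda: now[0])
    jit.perform("admin-alice", "ExchangeAdmin", "set-mailbox")     # zero rights yet
    jit.activate("admin-alice", "ExchangeAdmin", 30, "ticket INC-123")
    jit.perform("admin-alice", "ExchangeAdmin", "set-mailbox")     # inside window
    now[0] += 31 * 60                                              # window closes
    jit.perform("admin-alice", "ExchangeAdmin", "set-mailbox")     # expired
    jit.activate("admin-alice", "GlobalAdmin", 30, "ticket INC-124")  # not eligible
    return [r["event"] for r in jit.audit]
```

The audit list is the part a defender reviews: a "blocked" or "denied" record outside an activation window is the signal that someone tried to act with standing rights that no longer exist.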
"Establishing the right access for each role is so important that if you are only able to follow one of our recommendations focus on identity provisioning and lifecycle management," Microsoft advised.
Microsoft also argued that the use of passwords should be eliminated in organizations. Attackers regularly obtain those passwords by hacking networks, by phishing through social media, or by conducting password spray attacks.
Organizations can take the following steps to reduce their dependency on passwords, according to Microsoft:
- Remove passwords from the identity directory by creating "consistency across Active Directory and Azure Active Directory."
- Reduce "legacy authentication" by putting "apps that require passwords into a separate user access portal."
- Set up multifactor authentication, which relies on a secondary identity verification method such as a biometric scan or a PIN before permitting network access.
Just 10 percent of Microsoft's employees still use passwords on a daily basis, Microsoft's announcement claimed.
Microsoft sees the elimination of passwords as an enhancement for end users that also serves to improve security.
Windows Hello FIDO2 Certification
Also this week, the FIDO Alliance announced that Windows Hello, Microsoft's biometric face or fingerprint scanning software for Windows 10 systems, "has achieved FIDO2 certification." Windows Hello is certified for use on the Windows 10 May 2019 Update (version 1903), which is expected to arrive late this month. With Windows Hello, a scan, card or PIN is used instead of a password for access.
The FIDO Alliance is an industry coalition that promotes an alternative identity verification method that doesn't use passwords. The FIDO2 approach combines the World Wide Web Consortium's Web Authentication specification with the FIDO Alliance's Client to Authenticator Protocol.
FIDO2 is supported by the Google Chrome, Microsoft Edge and Mozilla Firefox browsers, and such support is at the preview stage with the Apple Safari browser. In addition to Windows 10, the Android operating system is FIDO2-certified, according to the FIDO Alliance.
Microsoft's announcement on Windows Hello's FIDO2 certification also included a note on browser support for FIDO2. The Firefox browser on Windows 10 version 1903 currently has such support. Other browser support will be coming:
Every month, more than 800 million people use a Microsoft account to access email, play a game, or access files in the cloud. That's why, in addition to FIDO2 certification, Windows 10, version 1903 will enable users of the latest version of Mozilla Firefox to log in to their Microsoft account or other FIDO-supporting websites. Chromium-based browsers, including Microsoft Edge on Chromium, will support the same capability soon.
Mozilla currently supports Windows Hello on Windows 10 with Firefox version 66.
Microsoft also produces the Microsoft Authenticator app, which is available for Android and iOS devices. It enables access via a face or fingerprint scan, or a PIN, while using a mobile device.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.