Defense

Imagine the scenario: your environment is fully cloud based. There are no domain controllers, you have no “corporate” network and every device is an island. Here we are going to explore what that world might look like from a security point of view. This is the modern Windows environment.

  • Devices are enrolled to Azure AD
  • Devices are managed by Intune
  • Office 365 is deployed in cloud only mode

As a security professional on either the offensive or defensive side you have a new landscape to deal with. No longer are you running Responder and moving laterally via WMI/RPC, PowerShell or RDP, because, well, there isn’t a ‘network’ per se.

Controls, Controls Everywhere

Let’s look at the landscape, first let’s start with the device:

Physical Security

  • Physical Privacy
    • Screen Privacy
    • Webcam Cover
  • Physical Controls
    • Kensington Lock
  • Environmental Controls

System Security

  • BIOS
  • Boot (UFI/UEFI)
  • Disk (FDE)
  • OS/System
    • Identity and Access Management
      • Authentication
      • Authorisation
      • Role Based Access Controls
      • Least Privileged Access
    • Configuration
    • Antivirus
      • Tamper Protection
    • Endpoint Detection and Response
      • Sysmon
      • EDR Solution
    • Log Configuration
    • Log Management
    • Remote Management and Monitoring
    • Remote Wipe
    • Mobile Device Management
    • Device Control (USB/Peripherals)
  • Data
    • Encryption at Rest
    • Access Control Lists
    • Information Classification
    • Digital Rights Management
  • Application
    • Application Allow List/Block List
    • Access Control Lists
  • Network
    • VPN
    • Host Based Firewall
    • HIDS
    • Web Content Filtering
    • Protective DNS
  • System Updates
    • Firmware
    • OS
    • Drivers
    • Applications
  • Device Provisioning
    • Administrator Led
    • Autopilot
  • Modern Authentication & Biometrics
    • Smart Card/Hardware Token
    • Windows Hello
      • PIN
      • Picture
      • Facial Recognition
      • Phone Sign In

Considerations

  • Developer Solutions often require high privileged access
  • Client Hypervisors
  • Windows Subsystem for Linux (WSL)
  • Conditional Access
  • Printing

High Level Assessment against NCSC EUD Principles

Principle                                      | Notes | Gaps
-----------------------------------------------|-------|-----
Data-in-transit protection                     |       |
Data-at-rest protection                        |       |
Authentication                                 |       |
Secure boot                                    |       |
Platform integrity and application sandboxing  |       |
Application allow listing                      |       |
Malicious code detection and prevention        |       |
Security policy enforcement                    |       |
External interface protection                  |       |
Device update policy                           |       |
Event collection for enterprise analysis       |       |
Incident response                              |       |
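The control list above and the principle table are a checklist; to turn a few of those rows into something you can actually measure on a device, here is an added example of a read-only PowerShell posture check (it is not from the original post). It queries the standard Windows cmdlets for Secure Boot, TPM, BitLocker, Azure AD join and MDM enrolment, Defender tamper protection, Sysmon, the host firewall and update freshness, and tags each result with the NCSC EUD principle it evidences. The Sysmon service names, the 35-day update threshold and the exact `dsregcmd /status` field text are assumptions; adjust them to your build and tooling.

```powershell
# Added example, not part of the original post: read-only EUD posture check for an
# Azure AD joined / Intune managed Windows device. Run from an elevated PowerShell session.
# Assumptions: Sysmon installed under its default service name, 35 days as the "recent
# update" threshold, and dsregcmd output fields named AzureAdJoined / MdmUrl / NgcSet.
#Requires -RunAsAdministrator

function New-Check {
    param([string]$Principle, [string]$Control, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Principle = $Principle; Control = $Control; Pass = $Pass; Detail = $Detail }
}

function Get-EudPosture {
    $checks = @()

    # Secure boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware, which is itself a finding.
    try   { $sb = Confirm-SecureBootUEFI
            $checks += New-Check 'Secure boot' 'UEFI Secure Boot' $sb "SecureBoot=$sb" }
    catch { $checks += New-Check 'Secure boot' 'UEFI Secure Boot' $false 'Legacy BIOS or query failed' }

    # Platform integrity: a ready TPM is what BitLocker and Windows Hello key protection rely on.
    $tpm = Get-Tpm
    $checks += New-Check 'Platform integrity and application sandboxing' 'TPM ready' ([bool]$tpm.TpmReady) `
        "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

    # Data-at-rest: OS volume fully encrypted with protection On (a suspended BitLocker still "has" encryption).
    $bl   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $blOk = ($bl.VolumeStatus -eq 'FullyEncrypted') -and ($bl.ProtectionStatus -eq 'On')
    $checks += New-Check 'Data-at-rest protection' 'BitLocker on OS drive' $blOk `
        "Status=$($bl.VolumeStatus) Protection=$($bl.ProtectionStatus) Method=$($bl.EncryptionMethod)"

    # Authentication / policy enforcement: Azure AD join, MDM (Intune) enrolment and a Windows Hello
    # container for the current user, parsed from dsregcmd text output (field names assumed).
    $dsreg = dsregcmd /status
    $aadJoined   = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
    $mdmEnrolled = [bool]($dsreg | Select-String -Pattern '^\s*MdmUrl\s*:\s*\S+'      -Quiet)
    $helloSet    = [bool]($dsreg | Select-String -Pattern '^\s*NgcSet\s*:\s*YES'       -Quiet)
    $checks += New-Check 'Authentication'             'Azure AD joined'          $aadJoined   "AzureAdJoined=$aadJoined"
    $checks += New-Check 'Security policy enforcement' 'MDM enrolled (Intune)'   $mdmEnrolled "MdmUrl present=$mdmEnrolled"
    $checks += New-Check 'Authentication'             'Windows Hello provisioned' $helloSet   "NgcSet=$helloSet"

    # Malicious code detection and prevention: Defender real-time protection with tamper protection on.
    $mp   = Get-MpComputerStatus
    $avOk = $mp.RealTimeProtectionEnabled -and $mp.IsTamperProtected
    $checks += New-Check 'Malicious code detection and prevention' 'Defender RTP + tamper protection' $avOk `
        "RTP=$($mp.RealTimeProtectionEnabled) Tamper=$($mp.IsTamperProtected) SigAge=$($mp.AntivirusSignatureAge)d"

    # Event collection: Sysmon service present and running (default service names assumed).
    $sysmon = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue |
              Where-Object Status -eq 'Running' | Select-Object -First 1
    $checks += New-Check 'Event collection for enterprise analysis' 'Sysmon running' ([bool]$sysmon) `
        $(if ($sysmon) { "Service=$($sysmon.Name)" } else { 'Sysmon service not found' })

    # External interface protection: host firewall enabled on all three profiles.
    $fwOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object Name
    $checks += New-Check 'External interface protection' 'Host firewall on all profiles' (-not $fwOff) `
        $(if ($fwOff) { "Disabled on: $($fwOff -join ', ')" } else { 'Domain/Private/Public enabled' })

    # Device update policy: most recent update installed within the threshold (35 days assumed).
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $fresh   = [bool]($lastFix -and ($lastFix.InstalledOn -gt (Get-Date).AddDays(-35)))
    $checks += New-Check 'Device update policy' 'Update within 35 days' $fresh `
        $(if ($lastFix) { "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())" } else { 'No hotfix records' })

    return $checks
}

# Print the table and keep a CSV so the Notes/Gaps columns above can be filled from evidence.
$posture = Get-EudPosture
$posture | Format-Table Principle, Control, Pass, Detail -AutoSize
$posture | Export-Csv -Path "$env:TEMP\eud-posture.csv" -NoTypeInformation
```

Every query here is a read, so it is safe to run as an Intune PowerShell script or a Proactive Remediation detection step; the `Pass` column is the gap list for the assessment table, and the `Detail` column is the note. It deliberately does not cover the principles that live outside the device (data-in-transit, incident response), which you assess from the Conditional Access and logging side instead.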

External References

https://www.ncsc.gov.uk/collection/end-user-device-security

https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/windows-10-1803-with-mobile-device-management

https://www.ncsc.gov.uk/collection/end-user-device-security/eud-overview/eud-security-principles

https://docs.microsoft.com/en-us/universal-print/fundamentals/universal-print-whatis

https://docs.microsoft.com/en-us/azure/architecture/framework/security/overview

https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations

https://docs.microsoft.com/en-us/mem/intune/configuration/device-firmware-configuration-interface-windows

https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-s-mode

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-managed-workstation

Thanks

Thanks to Nathan McNutty, Huy and other people on twitter for providing input!
