Imagine the scenario: your environment is fully cloud based. There are no domain controllers, there is no "corporate" network, and every device is an island. Here we are going to explore what that world might look like from a security point of view. This is the modern Windows environment.
- Devices are enrolled to Azure AD
- Devices are managed by Intune
- Office 365 is deployed in cloud only mode
As a security professional on either the offensive or defensive side you have a new landscape to deal with. No longer are you running Responder and moving laterally via WMI/RPC, PowerShell or RDP, because there isn't a 'network' per se: the attack surface shifts from the LAN to identity, tokens and the device itself.
Controls, Controls Everywhere
Let’s look at the landscape, first let’s start with the device:
Physical Security
- Physical Privacy
  - Screen Privacy
  - Webcam Cover
- Physical Controls
  - Kensington Lock
  - Environmental Controls

System Security
- BIOS
- Boot (EFI/UEFI)
- Disk (FDE)
- OS/System
  - Identity and Access Management
    - Authentication
    - Authorisation
    - Role Based Access Controls
    - Least Privileged Access
  - Configuration
    - Antivirus
    - Tamper Protection
    - Endpoint Detection and Response
      - Sysmon
      - EDR Solution
    - Log Configuration
    - Log Management
  - Remote Management and Monitoring
    - Remote Wipe
    - Mobile Device Management
    - Device Control (USB/Peripherals)
    - Identity and Access Management
  - Data
    - Encryption at Rest
    - Access Control Lists
    - Information Classification
    - Digital Rights Management
  - Application
    - Application Allow List/Block List
    - Access Control Lists
  - Network
    - VPN
    - Host Based Firewall
    - HIDS
    - Web Content Filtering
    - Protective DNS
- System Updates
  - Firmware
  - OS
  - Drivers
  - Applications
- Device Provisioning
  - Administrator Led
  - Autopilot
- Modern Authentication & Biometrics
  - Smart Card/Hardware Token
  - Windows Hello
    - PIN
    - Picture
    - Facial Recognition
  - Phone Sign In
Considerations
- Developer tooling often requires highly privileged (local administrator) access
- Client Hypervisors
- Windows Subsystem for Linux (WSL)
- Conditional Access
- Printing
High Level Assessment against NCSC EUD Principles

| Principle | Notes | Gaps |
| --- | --- | --- |
| Data-in-transit protection | | |
| Data-at-rest protection | | |
| Authentication | | |
| Secure boot | | |
| Platform integrity and application sandboxing | | |
| Application allow listing | | |
| Malicious code detection and prevention | | |
| Security policy enforcement | | |
| External interface protection | | |
| Device update policy | | |
| Event collection for enterprise analysis | | |
| Incident response | | |
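To turn the control list above and the NCSC table into something you can measure on a real device, here is an added example (my code, not from the original post) of a PowerShell posture check for an Azure AD joined, Intune-managed Windows device. It runs in an elevated PowerShell 5.1 session on the device itself and reports identity state (join type, primary refresh token, Windows Hello), secure boot, TPM, BitLocker, Defender tamper protection, the host firewall, Sysmon and MDM enrollment, then lists the gaps against a cloud-only baseline. The `dsregcmd /status` field names (`AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `TpmProtected`, `NgcSet`), the `MS DM Server` ProviderID used to detect Intune enrollment, and the `Sysmon*` service-name pattern are assumptions about typical builds; verify them against your own output before relying on the result.

```powershell
# Added example (not from the original post): check a cloud-only Windows device
# against the controls listed above. Run elevated, PowerShell 5.1 or later.
# Assumptions: dsregcmd field names, the "MS DM Server" ProviderID for Intune
# enrollment, and the Sysmon service-name pattern are taken from typical builds.

function ConvertFrom-DsregcmdStatus {
    # Turn the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-CloudDevicePosture {
    $dsreg = ConvertFrom-DsregcmdStatus (& dsregcmd.exe /status)

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    $tpm    = Get-Tpm
    $osVol  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $mp     = Get-MpComputerStatus
    $fw     = Get-NetFirewallProfile
    $sysmon = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue
    # Intune MDM enrollment shows up as an Enrollments subkey whose ProviderID is "MS DM Server" (assumption).
    $intune = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }

    [pscustomobject]@{
        # Identity: cloud-only means Azure AD joined, not domain joined, with a PRT issued
        AzureAdJoined          = $dsreg['AzureAdJoined'] -eq 'YES'
        DomainJoined           = $dsreg['DomainJoined'] -eq 'YES'
        HasPrimaryRefreshToken = $dsreg['AzureAdPrt'] -eq 'YES'
        DeviceKeyInTpm         = $dsreg['TpmProtected'] -eq 'YES'
        WindowsHelloEnrolled   = $dsreg['NgcSet'] -eq 'YES'
        # Secure boot and data-at-rest protection (NCSC EUD principles)
        SecureBoot             = $secureBoot
        TpmReady               = [bool]$tpm.TpmReady
        OsDriveEncrypted       = ($osVol.VolumeStatus -eq 'FullyEncrypted') -and ($osVol.ProtectionStatus -eq 'On')
        # Malicious code detection and tamper protection
        DefenderRealTime       = [bool]$mp.RealTimeProtectionEnabled
        TamperProtection       = [bool]$mp.IsTamperProtected
        # External interface protection, event collection, policy enforcement
        FirewallAllProfiles    = @($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
        SysmonInstalled        = $null -ne $sysmon
        IntuneEnrolled         = $null -ne $intune
    }
}

function Get-PostureGaps {
    # Compare a posture object with what a cloud-only, Intune-managed device should look like.
    param([Parameter(Mandatory)]$Posture)
    $expected = @{
        AzureAdJoined = $true;  DomainJoined = $false;        HasPrimaryRefreshToken = $true
        DeviceKeyInTpm = $true; WindowsHelloEnrolled = $true; SecureBoot = $true
        TpmReady = $true;       OsDriveEncrypted = $true;     DefenderRealTime = $true
        TamperProtection = $true; FirewallAllProfiles = $true; SysmonInstalled = $true
        IntuneEnrolled = $true
    }
    $expected.Keys | Where-Object { $Posture.$_ -ne $expected[$_] } | Sort-Object
}

$posture = Get-CloudDevicePosture
$posture | Format-List
$gaps = @(Get-PostureGaps $posture)
if ($gaps.Count -eq 0) { 'No gaps against the expected baseline.' }
else { "Gaps: $($gaps -join ', ')" }
```

The checks are deliberately local and read-only, so the same script can be pushed as an Intune proactive remediation detection script or run by hand during an assessment; the names in the gap list map directly onto rows of the NCSC table (SecureBoot to "Secure boot", OsDriveEncrypted to "Data-at-rest protection", DefenderRealTime and TamperProtection to "Malicious code detection and prevention", FirewallAllProfiles to "External interface protection", SysmonInstalled to "Event collection for enterprise analysis").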
External References
https://www.ncsc.gov.uk/collection/end-user-device-security
https://www.ncsc.gov.uk/collection/end-user-device-security/eud-overview/eud-security-principles
https://docs.microsoft.com/en-us/universal-print/fundamentals/universal-print-whatis
https://docs.microsoft.com/en-us/azure/architecture/framework/security/overview
https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity
https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-s-mode
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-managed-workstation
Thanks
Thanks to Nathan McNutty, Huy and other people on twitter for providing input!