With Windows 10 Microsoft has embedded and enhanced a number of free tools it claims give IT and security teams the opportunity to close security gaps exposed in previous versions of Windows.
One of the critical goals Microsoft aims to address is the principle of least privilege. Under a least privilege policy, administrative credentials are removed from workstations in order to block threat agents from injecting malware and gaining unfettered access to critical systems and data. “All users should log on with a user account that has the absolute minimum permissions necessary to complete the current task and nothing more,” Microsoft recommends.
Microsoft’s endpoint protection tools add up to a lot of work for admins
Do you have the time and resources to manage least privilege the Microsoft Way?
To address least privilege security on endpoints, Microsoft takes a componentized approach. Organizations must install multiple products, and configure and maintain them independently via separate interfaces. Each of these security tools has its own limitations compared with best-in-class third-party solutions. Taken together, they add up to a lot of work for admins, requiring them to cobble together and manage multiple systems.
(By the way, if you have Mac devices as well, you may also have to bolt on SCC to manage those privileges and applications, which means yet another disconnected tool for you to maintain.)
Lack of application control limits utility and adoption of a least privilege model.
Organizations using previous versions of Windows have struggled to address privilege management and application control using a combination of Microsoft’s Applocker, LAPS and group policies.
Applocker only allows for basic whitelisting and only allows for control over Windows devices that are domain-joined. It has no self-service workflows with customizable messages that instruct users on the process or share requests with IT/desktop support. As a result, Applocker leads to spikes in support calls. Additionally, Applocker has no audit trail, which is necessary to demonstrate compliance in regulated industries.
Windows 10 has some security upgrades like Device Guard and Credential Guard. However, these tools require relatively new hardware and specific configuration options (such as secure boot and virtualization extensions), which can complicate and add time to your Windows 10 rollout process.
AppLocker and Device Guard offer nearly the same functionality, but AppLocker has a UI and allows for lists of applications to block. Device Guard, on the other hand, must be managed with PowerShell scripts. It has an allowed list only, no blacklist for known malicious applications or greylist for unknown applications.
Gartner has said that even in Windows 10 Microsoft does NOT have the capabilities to support the application control requirements to make least privilege work and prevent risks associated with local user accounts.
“Those planning to move to a default deny environment with their Windows 10 migration should exploit Device Guard only if they can also invest in the administration resources to manage it. Use third-party application control solutions until Microsoft improves Device Guard management.”
– Gartner, Windows 10 Enhances Security
Demand simple, centralized management.
IT teams are stretched thin. They are responsible for an increasing number of tasks and supporting an ever growing number and variety of workstations. There is simply no time to manage multiple systems or complex interfaces. We have seen time and again that least privilege will be adopted only if you make it simple and seamless for everyone involved in the workflow – from security to IT management to desktop support, to users.
Don’t switch to Windows 10…
…at least not without an endpoint protection plan that uses the resources of your IT and security teams wisely.
Here are two ways you can learn more about least privilege and protecting endpoints:
Watch the webinar to hear the pros and cons on Microsoft’s approach to least privilege and prepare for a successful and secure migration to Windows 10.
This is a Security Bloggers Network syndicated blog post authored by Steve Goldberg. Read the original post at: Thycotic