4 Ways to Prevent Baseline Drift, Zero-Day Malware, APTs, and Unwanted Software

Much of the cost of managing Windows comes from dealing with unwanted configuration changes. Many organizations work hard to design, test, and deploy standard ‘gold’ images that are customized specifically for their business. But over time, that work is undone by users who install unwanted software, change system settings, or by zero-day malware and Advanced Persistent Threats (APTs).

As configurations deviate from known and tested standards, Windows becomes more expensive to manage and support. Unwanted system changes cause instability and performance issues. Devices that get exploited by malware can lead to data loss, system downtime, and infect other networked systems.

Here are four ways you can reduce costs by keeping Windows in a known and secure state.

Use Modern Deployment Technologies

Building custom Windows images is a time-consuming activity. Microsoft is encouraging organizations instead take a cloud-driven approach to deployment by using Windows AutoPilot. The idea is to utilize the carefully designed OEM images already installed on new devices and have users enroll to your organization using Windows AutoPilot, which then drives additional customization, such as deploying software and settings using Microsoft Intune or a third-party Mobile Device Management (MDM) solution.

Windows AutoPilot is new in Windows 10 and allows users to get working on their new devices without IT touching them if the vendor supports AutoPilot. Once the vendor or IT has added a device’s hardware ID to the Microsoft Store for Business, users can get started by entering their organizational user ID and password as soon as Windows 10 boots and connects to the Internet. Windows AutoPilot requires Windows 10 Enterprise and Azure Active Directory Premium if you want to register devices with Microsoft Intune.

Manage Windows using MDM or Group Policy

Whether you choose to use Windows AutoPilot or stick to building your own custom images, you should use configuration management technologies to make sure Windows is configured as required and that your settings remain in place. Both MDM and Group Policy can be used to manage important system settings. And unlike Windows 7, Windows 10 doesn’t require an agent if you want to manage the OS using MDM, which is ideal for devices that have limited network connectivity to the corporate intranet.

Active Directory Group Policy provides more granular configuration support for Windows and many third-party applications also support it. Microsoft publishes security templates that can be used to configure Windows to meet Microsoft’s best practices. But Group Policy is restricted to managing Windows devices and requires a connection to the company intranet to receive policy updates.

Remove Admin Privileges

There's little point in customizing Windows, regardless of how you choose to do it if you are going to allow users to undo your hard work. A user with administrative privileges can add and remove software, override policy settings, and block security updates. Not only that, but standard user accounts are critical in preventing malware and ensuring that it can’t spread across your network. The misuse of administrative privileges is the number one method hackers use to move laterally across your network and harvest administrative credentials from other devices, providing access to domain controllers and other mission-critical servers.

But removing admin privileges is sometimes easier said than done. Legacy apps are often incompatible with standard user accounts and many Windows features aren’t accessible without admin rights. Microsoft’s Application Compatibility Toolkit (ACT) can be used to solve many access issues for legacy apps but a third-party privilege management solution will provide more flexibility for supporting standard user accounts.

Use Application Control to Restrict Zero-Day Malware, APTs, and Unapproved Software

Finally, removing admin rights isn’t enough to provide complete protection. Unwanted software and malware can still find its way onto systems because it’s designed to be installed into the user’s profile without the need for administrative privileges. Windows AppLocker is a simple application control technology that can be used to create whitelists of applications, scripts, and installers that users can run. Everything else is blocked.

Windows 10 comes with a more robust and flexible application control system called Device Guard, which consists of two separate technologies: Windows Defender Application Control (WDAC) and Windows Defender Exploit Guard. WDAC differs from AppLocker in that it uses configurable code integrity (CI) policies that are applied by the Windows kernel almost before anything else runs. Additionally, CI policies can be digitally signed to prevent tampering by local administrators.

Windows Defender Exploit Guard provides hypervisor-protected code integrity (HVCI) and is an optional feature that protects the WDAC mechanism using virtualization-based security (VBS) if the Windows kernel is compromised.

If you would like to find out more about how to prevent baseline drift, malware, APTs, and unwanted software, register for BeyondTrust’s on-demand webinar How to Prevent Baseline Drift and Pirated Software from Being Installed, where I discuss how to overcome some of the challenges of removing administrative privileges from end users, and the options for implementing application control. Tune in to learn:

• Windows 10 deployment strategies
• The challenges related to using standard user accounts in Windows, and how to overcome them
• How Group Policy can be used to prevent baseline drift
• The built-in options for implementing application control