Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

4 Ways to Prevent Baseline Drift, Zero-Day Malware, APTs, and Unwanted Software

October 10, 2018

  • Blog
  • Archive

blog-4-ways-to-prevent-baseline-drift.jpg

Much of the cost of managing Windows comes from dealing with unwanted configuration changes. Many organizations work hard to design, test, and deploy standard ‘gold’ images that are customized specifically for their business. But over time, that work is undone by users who install unwanted software, change system settings, or by zero-day malware and Advanced Persistent Threats (APTs).

As configurations deviate from known and tested standards, Windows becomes more expensive to manage and support. Unwanted system changes cause instability and performance issues. Devices that get exploited by malware can lead to data loss, system downtime, and infect other networked systems.

Here are four ways you can reduce costs by keeping Windows in a known and secure state.

Watch the on-demand webinar: How to Prevent Baseline Drift and Pirated Software from Being Installed watch now

Use Modern Deployment Technologies

Building custom Windows images is a time-consuming activity. Microsoft is encouraging organizations instead take a cloud-driven approach to deployment by using Windows AutoPilot. The idea is to utilize the carefully designed OEM images already installed on new devices and have users enroll to your organization using Windows AutoPilot, which then drives additional customization, such as deploying software and settings using Microsoft Intune or a third-party Mobile Device Management (MDM) solution.

Windows AutoPilot is new in Windows 10 and allows users to get working on their new devices without IT touching them if the vendor supports AutoPilot. Once the vendor or IT has added a device’s hardware ID to the Microsoft Store for Business, users can get started by entering their organizational user ID and password as soon as Windows 10 boots and connects to the Internet. Windows AutoPilot requires Windows 10 Enterprise and Azure Active Directory Premium if you want to register devices with Microsoft Intune.

Manage Windows using MDM or Group Policy

Whether you choose to use Windows AutoPilot or stick to building your own custom images, you should use configuration management technologies to make sure Windows is configured as required and that your settings remain in place. Both MDM and Group Policy can be used to manage important system settings. And unlike Windows 7, Windows 10 doesn’t require an agent if you want to manage the OS using MDM, which is ideal for devices that have limited network connectivity to the corporate intranet.

Active Directory Group Policy provides more granular configuration support for Windows and many third-party applications also support it. Microsoft publishes security templates that can be used to configure Windows to meet Microsoft’s best practices. But Group Policy is restricted to managing Windows devices and requires a connection to the company intranet to receive policy updates.

Remove Admin Privileges

There's little point in customizing Windows, regardless of how you choose to do it if you are going to allow users to undo your hard work. A user with administrative privileges can add and remove software, override policy settings, and block security updates. Not only that, but standard user accounts are critical in preventing malware and ensuring that it can’t spread across your network. The misuse of administrative privileges is the number one method hackers use to move laterally across your network and harvest administrative credentials from other devices, providing access to domain controllers and other mission-critical servers.

But removing admin privileges is sometimes easier said than done. Legacy apps are often incompatible with standard user accounts and many Windows features aren’t accessible without admin rights. Microsoft’s Application Compatibility Toolkit (ACT) can be used to solve many access issues for legacy apps but a third-party privilege management solution will provide more flexibility for supporting standard user accounts.

Use Application Control to Restrict Zero-Day Malware, APTs, and Unapproved Software

Finally, removing admin rights isn’t enough to provide complete protection. Unwanted software and malware can still find its way onto systems because it’s designed to be installed into the user’s profile without the need for administrative privileges. Windows AppLocker is a simple application control technology that can be used to create whitelists of applications, scripts, and installers that users can run. Everything else is blocked.

Windows 10 comes with a more robust and flexible application control system called Device Guard, which consists of two separate technologies: Windows Defender Application Control (WDAC) and Windows Defender Exploit Guard. WDAC differs from AppLocker in that it uses configurable code integrity (CI) policies that are applied by the Windows kernel almost before anything else runs. Additionally, CI policies can be digitally signed to prevent tampering by local administrators.

Windows Defender Exploit Guard provides hypervisor-protected code integrity (HVCI) and is an optional feature that protects the WDAC mechanism using virtualization-based security (VBS) if the Windows kernel is compromised.

If you would like to find out more about how to prevent baseline drift, malware, APTs, and unwanted software, register for BeyondTrust’s on-demand webinar How to Prevent Baseline Drift and Pirated Software from Being Installed, where I discuss how to overcome some of the challenges of removing administrative privileges from end users, and the options for implementing application control. Tune in to learn:

  • Windows 10 deployment strategies
  • The challenges related to using standard user accounts in Windows, and how to overcome them
  • How Group Policy can be used to prevent baseline drift
  • The built-in options for implementing application control

Russell Smith

IT Consultant & Security MVP

Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.

Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Webcasts | February 09, 2021

Customer Webinar: Remote Support 21.1 Released!

Webcasts | February 24, 2021

Your PAM 2021 Blueprint: Securing Privileged Accounts for On-Premises and Cloud Assets

Whitepapers

Evolving Privileged Identity Management (PIM) In The 'Next Normal'

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.