sbradley
Contributing Writer

Protecting Windows networks: Get back to basics for the new year

Feature | 09 Jan 2024 | 6 mins
Identity and Access Management, Network Security, Passwords

While it may be tempting to adopt new Microsoft Windows network protection tactics, methods, and software, a better approach is to review and refine what’s already in place.


It’s a new year, which tends to suggest it’s time to embrace new solutions, software or methods for protecting a Windows network. In fact, that’s a misleading instinct. It’s far better to go back to basics in our networks, which often get neglected as we layer on more software and more methods that clearly are not working.

It might be easier or more expedient to deploy new external protection tools, but they don’t get to the root of the problem: the ease with which attackers can take control once they’re inside a network. What we should be doing is shoring up the foundations of our domains and guarding against lateral movement, long a prominent attack technique employed by bad actors. Just by cracking a single local administrator password, they can gain fast and easy access to accounts on many machines across a network.

Fully deploy Windows LAPS

To start with, every network should have a fully deployed and functional Windows Local Administrator Password Solution (LAPS). In the old days we had to install LAPS manually on every workstation; since April 2023, the LAPS code has been included in the platform on Windows 10 and 11 and on Server 2019 and Server 2022. You can use either Active Directory or Entra (formerly Azure AD) to control and manage local password encryption.

Windows LAPS specifically provides the following benefits:

  • Protection against pass-the-hash and lateral-traversal attacks.
  • Improved security for remote help desk scenarios.
  • Ability to sign in to and recover devices that are otherwise inaccessible.
  • A fine-grained security model (access control lists and optional password encryption) for securing passwords that are stored in Windows Server Active Directory.
  • Support for the Entra role-based access control model for securing passwords that are stored in Entra ID.

Different devices use different methods to join a network, so plan accordingly to manage the password backup method employed in each case. Devices that are joined only to Entra (Azure AD) have their passwords backed up only to Entra. Devices that are joined to Active Directory have their passwords backed up to Active Directory. If a device is hybrid-joined, its password can be backed up either to Entra or to traditional Active Directory.

If you are still using the legacy Microsoft LAPS solution, set aside time and resources for deploying Windows LAPS. Protecting the local administrator account is only one of the potential ways to better protect a network, but these additional protections often require testing to ensure that the workstations still function as expected.
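The rollout the section describes can be verified rather than assumed. The following PowerShell is an added example (not from the article or from Microsoft): it inventories the Windows LAPS policy on a set of workstations, reports which backup directory each one is configured for, flags machines that still carry the legacy LAPS client-side extension, and, for AD-joined devices, confirms the stored password is retrievable from the admin workstation. It assumes WinRM access to the targets, the Windows LAPS PowerShell module on the admin workstation, and a constructed list of computer names in place of a real `Get-ADComputer` query.

```powershell
# Added example, not the article's or Microsoft's own code.
# Assumes: Windows LAPS module present, WinRM reachable, and read rights
# on the LAPS attributes (granted via Set-LapsADReadPasswordPermission).

# Constructed sample targets; replace with (Get-ADComputer -Filter *).Name in practice.
$Computers = @('WKS-SAMPLE-01', 'WKS-SAMPLE-02')

$scriptBlock = {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'                 # Windows LAPS policy
    $legacyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'      # legacy LAPS policy
    $legacyDll = "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"                  # legacy LAPS CSE

    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # BackupDirectory: 0 = disabled, 1 = Entra ID (Azure AD), 2 = Windows Server AD.
    $backup = switch ($policy.BackupDirectory) {
        1       { 'Entra ID' }
        2       { 'Active Directory' }
        0       { 'Disabled' }
        default { 'No policy' }
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        BackupDirectory     = $backup
        PasswordAgeDays     = $policy.PasswordAgeDays
        ADEncryptionEnabled = [bool]$policy.ADPasswordEncryptionEnabled
        ManagedAccount      = if ($policy.AdministratorAccountName) { $policy.AdministratorAccountName }
                              else { 'built-in Administrator' }
        LegacyPolicyPresent = Test-Path $legacyKey
        LegacyCsePresent    = Test-Path $legacyDll
        # Newest entry in the Windows LAPS operational log shows the agent is actually running.
        LastLapsEvent       = (Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' `
                                  -MaxEvents 1 -ErrorAction SilentlyContinue).TimeCreated
    }
}

$results = Invoke-Command -ComputerName $Computers -ScriptBlock $scriptBlock -ErrorAction Continue

$results | Sort-Object Computer |
    Format-Table Computer, BackupDirectory, PasswordAgeDays, ADEncryptionEnabled,
                 ManagedAccount, LegacyCsePresent, LastLapsEvent -AutoSize

# Machines backing up nowhere, or still running the legacy CSE, are not "fully deployed".
$results |
    Where-Object { ($_.BackupDirectory -in 'Disabled', 'No policy') -or $_.LegacyCsePresent } |
    ForEach-Object {
        Write-Warning ("{0}: LAPS not fully deployed (backup: {1}; legacy CSE: {2})" -f
            $_.Computer, $_.BackupDirectory, $_.LegacyCsePresent)
    }

# For AD-joined devices, confirm the password is retrievable and see when it rotates.
# Without -AsPlainText the password itself is not displayed, only its metadata.
foreach ($r in ($results | Where-Object BackupDirectory -eq 'Active Directory')) {
    Get-LapsADPassword -Identity $r.Computer |
        Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Source
}
```

Run it from a privileged admin workstation, not from a general-purpose desktop, since the account doing the retrieval has rights that are worth protecting. For Entra-joined devices the equivalent retrieval is `Get-LapsAADPassword`, which needs a Graph connection rather than AD rights; the inventory half of the script applies to them unchanged.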

Deploy hierarchical domains

Next, review options for deploying hierarchical domains. Setting up a network using this concept allows the partitioning of domains and subdomains to limit replication inside the network. Too many of us do not utilize the built-in Windows firewall to reduce network traffic and ensure that workstations and servers communicate only with the devices they need to communicate with.

Also, review routing between domains and segments and the setup of LANs and VLANs. Many of these concepts are not new and need no additional software beyond the group policy or Intune capability already available on many networks. Begin by taking a sample review of the firewall policies on workstations. What ports are open, and why were they set up that way? Could the ports be restricted with no impact on the existing network? Set aside time and resources to review your firewall rules.
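One way to take that sample review is to pull the data straight from the workstation rather than reading the GPO. The PowerShell below is an added example (not from the article): it lists each firewall profile's state and default inbound action, enumerates every enabled inbound allow rule with its port, remote-address scope and program, then cross-references the rules that are open to any remote address against the TCP ports the machine is actually listening on. It assumes the built-in NetSecurity module and local administrator rights; wrap the function in `Invoke-Command` to sample a set of hosts.

```powershell
# Added example, not the article's own code. Assumes the NetSecurity module
# (built into Windows 8 / Server 2012 and later) and administrator rights.

function Get-InboundExposure {
    # Profile defaults come first: a disabled profile or a default-allow inbound
    # action makes the individual rules below largely irrelevant.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue
    $exposure = foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Group         = $rule.DisplayGroup
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')        # 'Any', a number, a range, or 'RPC'
            RemoteAddress = ($addr.RemoteAddress -join ',')    # 'Any' means no scoping at all
            Program       = $app.Program
        }
    }

    # Ports with a live listener. A rule for a port nobody listens on is dead weight,
    # a listener with no rule is blocked, and the overlap is the real exposure.
    $listening = Get-NetTCPConnection -State Listen |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object

    [pscustomobject]@{
        Profiles     = $profiles
        Rules        = $exposure
        ListeningTcp = $listening
    }
}

$report = Get-InboundExposure

$report.Profiles | Format-Table -AutoSize

# Rules reachable from any remote address are the first candidates for scoping down,
# e.g. limiting management ports to the admin VLAN.
$report.Rules |
    Where-Object { $_.RemoteAddress -eq 'Any' -and ($_.LocalPort -notin 'Any', '') } |
    Sort-Object LocalPort |
    Format-Table Rule, Profile, Protocol, LocalPort, Program -AutoSize

# Cross-reference: TCP listeners that some allow rule opens to the whole network.
$wideOpen = $report.Rules | Where-Object { $_.RemoteAddress -eq 'Any' -and $_.Protocol -eq 'TCP' }
$exposedListeners = $report.ListeningTcp | Where-Object {
    $p = $_
    $wideOpen | Where-Object { $_.LocalPort -eq 'Any' -or (($_.LocalPort -split ',') -contains "$p") }
}
"TCP listeners exposed to any remote address: $($exposedListeners -join ', ')"
```

The exact-match comparison in the last step does not expand port ranges such as the dynamic RPC range, so treat a range rule as a separate item to justify. Each line of the output is a question for the owner of that rule: why is it open, to whom, and would a tighter `RemoteAddress` break anything.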

Segment your Windows network

A similar concept that can be employed to great effect is network segmentation. Ensuring that the network is divided into smaller sub-networks allows you to separate and compartmentalize so that should a cyber event occur, the entire firm won’t be impacted. For healthcare organizations in particular this can ensure that a hospital or clinic won’t be completely shut down during a cyber or ransomware event.

Privileged workstations also need to be inspected. Cybersecurity news has too often been dominated in recent years by stories of a network engineer, or someone of similar importance within an organization, being phished and having their credentials stolen. No one with key access to a network should be administering devices from a workstation that may have had malicious software installed.

That’s why it’s critical to ensure that key administrative staff have workstations specifically designed to be used only for that function. The risk to the administrator is not new, nor is it unique; the network administrator is often the weakest link in an organization and should not be overlooked in risk assessments. They should always be protected.

Using techniques proven to stop many attacks

While no methodology is foolproof, it is my opinion that employing these techniques would have blunted or prevented many of the network cyberattacks that have become all too common, and reduced the impact on businesses small and large. Many of these techniques do not require additional resources or licenses, but they do take time, effort and, especially, testing to implement. Too often we have legacy-type networks, and making changes to group policies, firewalls or other workstation policies requires change approval. Consider using the same testing resources you rely on for patch management when you make any of these network segmentation changes: the resources and methodology that confirm workstations still function after patches are often the same ones you will need to determine how best to protect access to your network.

Making changes while ensuring that line-of-business applications still work does carry risk for a functioning business network. It might seem easier to layer something new onto the network that protects the perimeter or monitors access than to change how an existing network is deployed. But investing in these techniques, many of which have been available for many years, can reap rewards down the line.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserv, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
