Credit: Microsoft / Gerd Altmann
Microsoft’s revised hardware specifications for the upcoming Windows 11 release on October 5 don’t change the fact that I’m stuck on Windows 10 for most of the machines in my network. Microsoft has expanded its testing application to include a few more processors that support Windows 11 (Intel Core X-series, Xeon W-series, and some Intel Core 7820HQ), but the end result is the same: We will have a mixed network of Windows 10 and Windows 11 machines going forward.
I’m used to tracking no more than two sets of patches: Windows 10 for the bulk of the network and a few isolated Windows 7 Extended Security updates for older machines kept for specific purposes. I will have to get used to patching and maintaining more operating systems.
It might require years of infrastructure upgrades before we can take advantage of Windows 11’s many security features, but the idea that we are missing out is a bit presumptuous. Windows 11 protections like virtualisation-based security, Hypervisor-protected code integrity, and Secure Boot enabled by default might need new hardware and specific licensing to be fully implemented. They might also need Active Directory or Azure Active Directory infrastructure that your network is not ready for.
Upgrading your way to the latest security features never was a good idea. It’s best to have a plan of attack and a plan for upgrading. Upgrades can be done over time with a risk-based process, not merely aging out hardware as we did in the past. Consider taking these steps now to protect your network from attacks.
Review default browser and web application dependencies
If you still rely on Java Script or cannot perform updates that remove Adobe Flash from your browsers because of video presentation applications that rely on it, evaluate why you rely on older browser technologies that put your workstations at risk. Review internal applications and their reliance on older browser technologies and focus your resources on removing dependencies on older browser technologies.
If your internal web apps still rely on Internet Explorer, it’s time to review and possibly redesign them. Rather than spending money on Windows 11 hardware upgrades, consider internal web applications upgrades first.
Review how you deploy Windows 10
Review Microsoft’s security baseline recommendations or Microsoft 365 Secure Score options. Test if you can deploy workstations that block Link-Local Multicast Name Resolution (LLMNR), NetBIOS, Web Proxy Auto-Discovery (WPAD), and LM Hash by default. Legacy applications might need these outdated name resolution standards. Test to see if you can disable these older, less secure methods. If you cannot disable them now, make it a goal to do so soon. Attackers can use these legacy lookups to harvest authentication credentials by forcing machines to send NTLMv2 password hashes. Additionally, if you don’t have SMB signing enabled, attackers can relay SMB connections.
Disable LLMNR by using Group Policy or Intune in more modern deployments. Open gpedit.msc and then go to “Computer Configuration” then to “Administrative Templates” then to “Network” then to “DNS Client”. Set “Turn Off Multicast Name Resolution” to “Enabled”.
NetBIOS can’t be disabled directly via Group Policy but you can use a PowerShell script to deactivate it.
The WPAD protocol is a method used by clients to locate the URL of a configuration file using DHCP or DNS discovery method. To disable WPAD, turn off the automatic proxy configuration settings option in Internet Explorer. In Group Policy, expand “User Configuration” then go to “Administrative Templates” then to “Windows Components” then to “Internet Explorer” then to “Disable changing Automatic Configuration” settings. Alternatively, you can configure WPAD, as this will make poisoning the entry impossible.
Review Active Directory forest level
Ensure that it has been raised to Server 2008 or higher. If you are on a lower forest level, you may still have LM Hash values stored in your network. Once again in Group Policy, expand “Computer Configuration” then go to “Windows Settings” then to “Security Settings” then to “Local Policies” then to “Security Options” then to “Network security: Do not store LAN Manager hash value on next password change”.
Review your password policy length and increase the password policy to at least 12 and preferably 16 characters or more. Urge users to use a password manager program in their personal password management process as well as offer a firm-wide tool for your internal processes. Too often we reuse the same passwords across many websites and attackers can crack a password in one database and then reuse the hash value in another database.
Review macro use
Adjust the macro settings in your Office deployments accordingly. Macros introduce great risk into a network and only users who need should have the ability enabled. CISecurity.org recommends using Group Policy to disable Office macros when the role is not needed.
Review two-factor authentication for internal processes and external applications
Especially if you are still using on-premises workstations and servers, two-factor solutions can add protection and keep your network more secure.
Bottom line, relying on and waiting for Windows 11 to better secure your network will result in your network being at risk. Review what you can do now to better secure your network.
