Securing Privileged Access (presentation to ISACA Denver)

Securing High Value Assets: Securing Privileged Access • Information Protection • Datacenter Security • Information Worker and Device Protection
Admin Environment (diagram):
• On-Premises Datacenters and High Value Assets
• Branch Office, Intranet and Remote PCs; Mobile Devices
• Customer and Partner Access
• 3rd Party SaaS and 3rd Party IaaS
• Microsoft Azure (IaaS, PaaS) and Office 365: Azure Active Directory, Rights Management Services, Key Management Services
Typical attack timeline (diagram): Research & Preparation, then First Host Compromised, then Domain Admin Compromised within 24-48 Hours, then a long period in which the Attacker is Undetected (Data Exfiltration) until the Attack is Discovered: more than 200 days (varies by industry).
Active Directory and Administrators control all the assets, which is why they are under attack: one small mistake can lead to attacker control. With that control, attackers can:
• Steal any data
• Modify documents
• Impersonate users
• Disrupt business operations
Administrative tiers (diagram):
• Tier 0: Domain & Enterprise Admins
• Tier 1: Server Admins
• Tier 2: Workstation & Device Admins

Typical attack path across the tiers (24-48 Hours from beachhead to Domain Admin):
1. Beachhead (Phishing Attack, etc.)
2. Lateral Movement: a. Steal credentials; b. Compromise more hosts & credentials
3. Privilege Escalation: a. Compromise unpatched servers; b. Get Domain Admin credentials
4. Execute Attacker Mission: a. Steal data, destroy systems, etc.; b. Persist presence
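The lateral-movement and privilege-escalation steps above depend on Tier 0 credentials being exposed on Tier 1 or Tier 2 hosts. As an added example (not part of the deck), the following PowerShell check runs over logon records and flags exactly that exposure; it also illustrates the Log Auditing and Attack Detection items in the plan below. It assumes a tier mapping by host-name prefix (DC-*, SRV-*, WS-*) and two Tier 0 accounts, and uses constructed Security event ID 4624 records rather than a live log.

```powershell
# Added example: flag Tier 0 accounts that log on to Tier 1/2 hosts.
# Assumptions (not from the deck): Tier 0 accounts listed below, hosts named
# DC-* (Tier 0), SRV-* (Tier 1), WS-* (Tier 2). Replace with your own mapping.
$Tier0Accounts = @('DOMAIN\da-alice', 'DOMAIN\ea-bob')

function Get-HostTier {
    param([string]$ComputerName)
    switch -Wildcard ($ComputerName) {
        'DC-*'  { return 0 }
        'SRV-*' { return 1 }
        'WS-*'  { return 2 }
        default { return 2 }   # unknown hosts are treated as least trusted
    }
}

function Find-TierViolation {
    param([object[]]$LogonEvents)
    foreach ($e in $LogonEvents) {
        # Logon type 2 (Interactive) and 10 (RemoteInteractive/RDP) leave reusable
        # credentials on the target host; network logon (type 3) does not.
        if ($e.LogonType -notin @(2, 10)) { continue }
        $account = "$($e.Domain)\$($e.Account)"
        if ($account -notin $Tier0Accounts) { continue }
        $tier = Get-HostTier $e.Computer
        if ($tier -gt 0) {
            [pscustomobject]@{
                Time      = $e.Time
                Account   = $account
                Computer  = $e.Computer
                HostTier  = $tier
                LogonType = $e.LogonType
            }
        }
    }
}

# Constructed sample records with the fields used from Security event ID 4624.
$sample = @(
    [pscustomobject]@{ Time = '2016-05-01 09:12'; Domain = 'DOMAIN'; Account = 'da-alice'; Computer = 'DC-01';      LogonType = 10 }
    [pscustomobject]@{ Time = '2016-05-01 09:40'; Domain = 'DOMAIN'; Account = 'da-alice'; Computer = 'WS-117';     LogonType = 10 }
    [pscustomobject]@{ Time = '2016-05-01 10:05'; Domain = 'DOMAIN'; Account = 'jsmith';   Computer = 'WS-117';     LogonType = 2 }
    [pscustomobject]@{ Time = '2016-05-01 11:30'; Domain = 'DOMAIN'; Account = 'ea-bob';   Computer = 'SRV-FILE02'; LogonType = 3 }
)

Find-TierViolation -LogonEvents $sample | Format-Table -AutoSize
```

In the constructed sample only the RDP logon of da-alice to WS-117 crosses a tier boundary. On a live system the same shape can be built from `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }` exported from the centralized log store.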
Pass-the-hash demo (http://aka.ms/pthdemo), diagram labels: Attack Operator, Client, DC, Domain.Local, DomainAdmin.
How to protect your privileges against these attacks: a Three Stage Mitigation Plan (2-4 weeks, 1-3 months, 6+ months) that shifts the balance from Attack toward Defense. Details: http://aka.ms/privsec
These practices are still important as part of a complete long-term security strategy:
• Domain Controller Security Updates: target full deployment within 7 days
• Remove Users from Local Administrators: manage exceptions down to near-zero; ensure any remaining exception is admin of only one workstation
• Baseline Security Policies: apply standard configurations; manage exceptions down to near-zero
• Anti-Malware: detect and clean known threats
• Log Auditing and Analysis: centralize logs to enable investigations and analysis
• Software Inventory and Deployment: ensure visibility and control of endpoints to enable security operations
Stage 1 (2-4 weeks): Top Priority Mitigations, the first response to the most frequently used attack techniques
1. Separate Admin account for admin tasks
2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins (http://Aka.ms/CyberPAW)
3. Unique Local Admin Passwords for Workstations (http://Aka.ms/LAPS)
4. Unique Local Admin Passwords for Servers (http://Aka.ms/LAPS)
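Items 3 and 4 are only effective once every workstation and server is actually under LAPS management. The following audit is an added example (not from the deck or the LAPS project): it reports which computer objects carry the legacy LAPS expiration attribute and which of those are overdue for rotation. It assumes the ActiveDirectory module, the 2015-era LAPS schema extension (attribute ms-Mcs-AdmPwdExpirationTime, a Windows FILETIME) and that the whole domain is in scope.

```powershell
# Added example: audit LAPS coverage for the Stage 1 local-admin-password items.
# Assumptions (not from the deck): legacy LAPS attribute ms-Mcs-AdmPwdExpirationTime,
# whole-domain scope; narrow -SearchBase to your OUs as needed.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties OperatingSystem, 'ms-Mcs-AdmPwdExpirationTime' |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
            $role = if ($_.OperatingSystem -like '*Server*') { 'Server' } else { 'Workstation' }
            [pscustomobject]@{
                Name        = $_.Name
                Role        = $role
                LapsManaged = [bool]$raw      # no attribute: LAPS has never set a password here
                Expires     = $expires
                # Past expiration and not rotated: machine offline, GPO not applied,
                # or the LAPS client-side extension is missing. Treat as an exception.
                Stale       = ($null -ne $expires) -and ($expires -lt $now)
            }
        }
}

$report = Get-LapsCoverage

# Machines outside LAPS still share whatever local admin password they were built with.
$report | Where-Object { -not $_.LapsManaged } | Select-Object Name, Role

# Per-role summary: how far the deployment is from "exceptions down to near-zero".
$report | Group-Object Role | ForEach-Object {
    $managed = @($_.Group | Where-Object { $_.LapsManaged }).Count
    $stale   = @($_.Group | Where-Object { $_.Stale }).Count
    '{0}: {1}/{2} LAPS-managed, {3} stale' -f $_.Name, $managed, $_.Count, $stale
}
```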
Stage 2 (1-3 months): build visibility and control of administrator activity, increase protection against typical follow-up attacks
1. Privileged Access Workstations (PAWs) Phases 2 and 3 - All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) (http://aka.ms/CyberPAW)
2. Time-bound privileges (no permanent admins) (http://aka.ms/PAM, http://aka.ms/AzurePIM)
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC Maintenance (http://aka.ms/JEA)
5. Lower attack surface of Domain and DCs (http://aka.ms/HardenAD)
6. Attack Detection (http://aka.ms/ata)
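Item 4, JEA for DC maintenance, is the one Stage 2 control that is expressed entirely as configuration. The following endpoint definition is an added example (not from the deck or the JEA project): operators in one AD group get a short allow-list of replication and service cmdlets, run under a transient virtual account, with every session transcribed. The group name CONTOSO\DC-Maintenance, the role name DCMaintenance, the cmdlet list and the transcript path are assumptions to adapt.

```powershell
# Added example: a Just Enough Admin endpoint for routine DC maintenance.
# Assumptions (not from the deck): group CONTOSO\DC-Maintenance, role DCMaintenance,
# the allow-listed cmdlets below and the transcript directory are placeholders.
$roleDir = "$env:ProgramFiles\WindowsPowerShell\Modules\DCMaintenance\RoleCapabilities"
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JEATranscripts' -Force | Out-Null

# Role capability: what a maintenance operator may do. Cmdlets are scoped by
# parameter so the endpoint cannot be turned back into a general-purpose shell.
New-PSRoleCapabilityFile -Path "$roleDir\DCMaintenance.psrc" `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon', 'W32Time' } },
        'Get-ADReplicationFailure',
        'Get-ADReplicationPartnerMetadata',
        @{ Name = 'Get-WinEvent'
           Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\repadmin.exe'

# Session configuration: no persistent privileged account (the virtual account
# exists only for the session), one role per AD group, and transcripts for the
# "visibility and control of administrator activity" goal of this stage.
$sessionFile = "$env:TEMP\DCMaintenance.pssc"
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DC-Maintenance' = @{ RoleCapabilities = 'DCMaintenance' } }

# Register on each DC; operators then connect with
#   Enter-PSSession -ComputerName <dc> -ConfigurationName DCMaintenance
Register-PSSessionConfiguration -Name DCMaintenance -Path $sessionFile -Force
```

On a domain controller the JEA virtual account is a Domain Admin for the life of the session, so the cmdlet allow-list and the transcript directory are the controls that matter; review both when the role changes.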
Stage 3 (6+ months): move to a proactive security posture
1. Modernize Roles and Delegation Model
2. Smartcard or Passport Authentication for all admins (http://aka.ms/Passport)
3. Admin Forest for Active Directory administrators (http://aka.ms/ESAE)
4. Code Integrity Policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) (http://aka.ms/shieldedvms)
Securing Privileged Access: Microsoft is committed to mitigating security threats with industry leading technology and integrated intelligence, bringing the power of the cloud to securing your assets, whether on premises or cloud hosted. Leverage the security capabilities you already own.
How Can Microsoft Services Help?
• Assess your current risk level and build a plan: prioritized and tailored to your needs
• Rapid deployment of proven solutions
• Support and operationalize new technologies
Let's get this deployed to maximize your defenses!
Technical Reference (2-4 Week Plan)

| Mitigation | Microsoft Technology | Microsoft Services Solutions | 3rd party Alternate (Examples) |
|---|---|---|---|
| 1. Separate Admin account for admin tasks | N/A | N/A | N/A |
| 2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins | Windows 10 Enterprise | Privileged Account Workstation (PAW); Enhanced Security Administrative Environment (ESAE) | N/A |
| 3. Unique Local Admin Passwords for Workstations; 4. Unique Local Admin Passwords for Servers | Local Administrator Password Solution (LAPS), http://aka.ms/LAPS | Securing Lateral Account Movement (SLAM); Lateral Traversal Mitigation (in pilot) | Credential Vault Solutions (Lieberman, CyberArk, Thycotic, Dell PPM, etc.) |
Technical Reference (1-3 Month Plan)

| Mitigation | Microsoft Technology | Microsoft Services Solutions | 3rd party Alternate (Examples) |
|---|---|---|---|
| 1. Privileged Access Workstations (PAWs) Phases 2 and 3 - All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) | Windows 10 with Device Guard and Credential Guard | Privileged Account Workstation (PAW); Enhanced Security Administrative Environment (ESAE) | N/A |
| 2. Time-bound privileges (no permanent administrators) | Microsoft Identity Manager (MIM) Privileged Access Management (PAM) | Managed Access Request System (MARS) | Credential Vault Solutions (Lieberman, CyberArk, Thycotic, Dell PPM, etc.) |
| 3. Multi-factor for time-bound elevation | MIM PAM + Azure AD Multi-factor Authentication (MFA) | shared with row 2 | shared with row 2 |
| 4. Just Enough Admin (JEA) for DC Maintenance | PowerShell Windows Management Framework 5.1 (supported OS from Windows 7/Windows Server 2008 R2) | Custom Scoped | N/A |
| 5. Lower attack surface of Domain and DCs | | Advanced Directory Services Hardening (ADSH) | |
| 6. Attack Detection | Advanced Threat Analytics (ATA), http://aka.ms/ata | ATA Implementation Services (ATAIS): strongly recommended services solution to enable the customer to handle events! | N/A |
Technical Reference (6+ Month Plan)

| Mitigation | Microsoft Technology | Microsoft Services Solutions | 3rd party Alternate (Examples) |
|---|---|---|---|
| 1. Modernize Roles and Delegation Model (Consulting) | Builds on MIM PAM, JEA, and others to achieve least privilege | Custom Scoped | N/A |
| 2. Smartcard or Passport Authentication for all admins | Microsoft Passport, http://aka.ms/Passport | Public Key Infrastructure using Microsoft Active Directory Certificate Services | 3rd Party MFA (RSA SecureID, others) |
| 3. Admin Forest for Active Directory administrators | MIM PAM with Windows Server 2016 | Enhanced Security Administrative Environment (ESAE) | N/A |
| 4. Code Integrity for DCs (Server 2016) | Windows Server 2016 | N/A until Server 2016 release | N/A |
| 5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) | Windows Server 2016 | N/A until Server 2016 release | N/A |