Naturally Secure Windows Machine

How to use native Windows security features to get more than all the tools on the market offer?!

Most of the time, ‘extra tools’ just do things in a different way, perhaps a more convenient one, but not necessarily a better, more effective, cheaper or faster one, and Windows is no exception. Speaking of Windows security features, everything we need is already part of the operating system, either included from the start or provided later by Microsoft. There are exceptions, but only when we need a totally different structure or face a very unusual situation, where what we want lies beyond the native Windows features and capabilities and we have to add something to the kernel or extend the API.

Windows Firewall and the power of micro-segmentation, EFS and the power of Windows native file-level encryption, basic access supervision through powerful kernel-native controls, Windows event monitoring and Sysmon, Group Policy and its world of unlimited capabilities, PowerShell and its unexpected security administration possibilities… and many more unleashed Windows features are already there; you just need to use them before thinking of buying a new tool!

In the following articles I will explain how to unleash Windows native security features before shopping for a tool. Even though tools might be free, why add anything to Windows when it is already packed with most of the necessities? Let’s go through the basics briefly:

Windows Firewall provides all you need as the cheapest and fastest host-based firewall for Windows. It does not matter whether the target machine is part of a corporate network, a small office or a home computer. Most importantly, it is very easy to use it as part of your micro-segmentation, reach effective filtering and totally eliminate lateral propagation of malware in a large-scale network. But if you ask me why administrators ignore Windows Firewall, I have no explanation other than admitting that the beauty of third-party firewalls totally blinds them!
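To make the micro-segmentation point concrete, here is an added example (my illustration, not code from the original post) of what a host-level segmentation baseline looks like with nothing but the built-in firewall cmdlets. The subnet values and rule names are constructed placeholders; the script assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the NetSecurity module is available.

```powershell
# Added example (not from the original post): host-based micro-segmentation
# with the built-in Windows Firewall. Subnet values are constructed
# placeholders; replace them with your own management and workstation ranges.
# Run in an elevated PowerShell session (NetSecurity module).

$ManagementSubnet = '192.168.50.0/24'   # hypothetical jump hosts / admin workstations
$WorkstationRange = '10.0.0.0/16'       # hypothetical user workstation range
# The two ranges must not overlap: block rules win over allow rules in
# Windows Firewall, so a management host inside the blocked range would be cut off.

# 1. Deny inbound by default on every profile and log what gets dropped,
#    so the firewall itself becomes a lateral-movement sensor.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Management-only exceptions: RDP and SMB are reachable from the
#    management subnet and from nowhere else.
New-NetFirewallRule -DisplayName 'MicroSeg - RDP from management' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ManagementSubnet -Profile Domain

New-NetFirewallRule -DisplayName 'MicroSeg - SMB from management' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
    -RemoteAddress $ManagementSubnet -Profile Domain

# 3. Explicit block for peer workstations. Because block rules take
#    precedence, this holds even if a broad allow rule is added later by
#    another administrator or by a software installer.
New-NetFirewallRule -DisplayName 'MicroSeg - Block workstation-to-workstation' `
    -Direction Inbound -Action Block -Protocol Any `
    -RemoteAddress $WorkstationRange -Profile Domain

# 4. Verification: list the rules this script created together with the
#    remote addresses they are scoped to.
Get-NetFirewallRule -DisplayName 'MicroSeg*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Action        = $_.Action
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

The same three steps (default-deny, narrow allow from management, explicit block of peers) are what you would push through Group Policy to every workstation; the dropped-packet log in step 1 is where a worm trying to spread over SMB shows up first.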

Encrypting File System (EFS) is a powerful file encryption feature which, surprisingly, has been ignored by the new generation of IT administrators. Perhaps ‘encryption’ is scary enough for most IT staff that they decide to rely on colorful third-party tools, but I will show you later how to use EFS as an integral part of ACLs and take your access supervision to the next level!
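A small added example (my illustration, not from the original post) of what “EFS as an integral part of ACLs” means in practice: the NTFS ACL decides who may open a file, and the EFS key decides who can actually read the plaintext, so an account needs both. The folder path and the reviewer account are constructed placeholders; the script assumes an EFS certificate is available for the current user (Windows issues one on first use).

```powershell
# Added example (not from the original post): pairing NTFS ACLs with EFS so a
# file has two independent gates. Paths and the account name are constructed
# placeholders.

$Dir      = 'C:\SecureShare\Finance'                 # hypothetical folder
$File     = Join-Path $Dir 'payroll.csv'
$Reviewer = "$env:USERDOMAIN\finance.reviewer"       # hypothetical account

New-Item -ItemType Directory -Path $Dir -Force | Out-Null
Set-Content -Path $File -Value 'employee,amount'

# Gate 1: NTFS ACL. Stop inheritance (keeping a copy of the inherited ACEs),
# then grant read-only access to the reviewer.
$acl = Get-Acl -Path $File
$acl.SetAccessRuleProtection($true, $true)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Reviewer, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $File -AclObject $acl

# Gate 2: EFS. Encrypt the file under the current user's EFS certificate.
# The .NET wrapper calls the same EncryptFile API that Explorer uses.
[System.IO.File]::Encrypt($File)

# Verification 1: the Encrypted attribute is set on the file.
$attrs = (Get-Item $File).Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
    throw "EFS encryption did not apply to $File"
}

# Verification 2: list the certificates (users and recovery agents) that can
# decrypt it. An account that appears in the ACL but not here gets
# 'Access is denied' on read even with Full Control, which is the
# access-supervision effect the post refers to.
cipher.exe /c $File

# To let the reviewer read the plaintext as well, they need their own EFS
# certificate added with 'cipher.exe /adduser', or a Data Recovery Agent must
# be defined through Group Policy. The ACL grant alone is not enough.
```

The practical caveat is key management: if the user’s EFS certificate is lost and no recovery agent was configured, the file is unreadable for everyone, which is exactly why the Group Policy recovery-agent setting belongs in the same change as the first encrypted folder.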

We will deep-dive into one of the most effective monitoring extensions of Windows, Sysmon, and see how a couple of extra megabytes can change the scope of the Windows event audit trail. Needless to say, the Windows event log is a quiet piece of intelligence that all those shiny system and network monitoring tools rely on, and if we add a little bit of AI to it, a free SIEM could evolve from it!
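To show what “intelligence” is already sitting in that log, here is an added example (my illustration, not code from the original post or from the Sysmon project) that reads Sysmon network-connection events with plain Get-WinEvent and flags processes reaching out to lateral-movement ports. It assumes Sysmon is installed with Event ID 3 (NetworkConnect) enabled in its configuration; the port list, the allow-list of images and the time window are constructed placeholders.

```powershell
# Added example (not from the original post): a lateral-movement detection
# built on the Sysmon Operational log and Get-WinEvent only. Requires Sysmon
# with network-connection logging (Event ID 3) enabled. The allow-list and
# the time window are constructed placeholders.

$LogName      = 'Microsoft-Windows-Sysmon/Operational'
$Since        = (Get-Date).AddHours(-24)
$LateralPorts = 445, 135, 3389, 5985, 5986      # SMB, RPC, RDP, WinRM
# Processes expected to talk to these ports from a workstation (hypothetical list)
$AllowedImages = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\lsass.exe'
)

function Convert-SysmonEvent {
    # Flatten the <Data Name="..."> elements of a Sysmon event into an object
    # whose property names match the Sysmon field names (Image, DestinationIp, ...).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]$data
}

# Filter on the server side (log, event id, time) and decode only what is left.
# With SilentlyContinue an empty result means either nothing matched or the
# Sysmon log is not present on this host; check Get-WinEvent -ListLog if unsure.
$suspicious = Get-WinEvent -FilterHashtable @{
        LogName = $LogName; Id = 3; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object { Convert-SysmonEvent $_ } |
    Where-Object {
        $_.Initiated -eq 'true' -and                 # outbound from this host
        [int]$_.DestinationPort -in $LateralPorts -and
        $_.Image -notin $AllowedImages
    }

# Group by source process and destination so a scan (one process, many hosts)
# stands out from a single legitimate file-share connection.
$suspicious |
    Group-Object Image, DestinationIp, DestinationPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run on a schedule and pointed at a central collector (Windows Event Forwarding is also built in), this is the skeleton of the “free SIEM” the post alludes to: Sysmon supplies the telemetry, the event log stores it, and a few lines of PowerShell do the correlation.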

The point is, Windows has enough native tools to touch almost anything you want in terms of security, and for some hidden tiny tweaks we can always go into the Registry. At the very least we won’t have to worry about the extra security vulnerabilities that come from introducing new tools into the environment, so why not get more familiar with the operating system and get maximum benefit from its native security features and capabilities? Then, some day, if you have a very specific requirement that Windows cannot provide, you can consider third-party tools or even switching to a whole new operating system!

Why Does the Environment Constantly Face Insecurities?

There is no doubt that security is not a project: there is no end and we need to constantly evolve. But does it seem to you that you are putting in more effort than you expected? You may sense some doubt about why you are constantly running after issues to fix, but is this the way security works?

No. Although you may get bombarded with market messages telling you that you have to keep running, it is not true; the problem is in a different area… the choice is yours:

Gaining “Security” via constant “fire fighting” vs. “guaranteed security” via adequate system and network administration!

It is all about the way we manage and configure our tech environment, from infrastructure to end-user machines, from software to processes. That is the most commonly observed cause of general failure in cyber security: the tech team (usually the IT department) is not managing the system and network well!

The way we administer technology is the main driver of our security program; it can fail us or take us to the next level. If we are running all the time to catch up, if we are struggling to get a smooth patch management process, if we do not know where the risks are at any given time, if we are constantly introducing risk and insecurities into our system… all of it is because we do not manage our system and network properly.

The simplest examples are how we set up software or hardware with its default configuration and hope it works, and how we leave systems and network nodes unattended until they start screaming by indirectly breaking some element; we always blame the technology and never ask ourselves how we manage it!

Default configuration is not the only example, but it is the most frequent one, because sooner or later the tech team is configuring a new system, software, hardware or script, and this usually happens with no security in mind!