The Security Cookbook For Small and Medium Enterprises - Part 1
Microsoft Belgium
www.microsoft.com
Karel Dekyvere
Bruno Schroder
THE SECURITY COOKBOOK FOR SMALL AND MEDIUM ENTERPRISES: PART 1
Introduction
Many small or medium sized organizations have only a small IT staff, whose primary focus is keeping things running, installing new software and hardware and fixing small issues every day. Even though they do understand that IT security is important, it is not always easy to get the proper attention for it in the organization.

Moving applications to the cloud can be an element of the answer, particularly on the security side, to benefit from the advanced security built into the cloud infrastructure. However, the security of internal computer systems remains critical and is often the weak point.

This “cookbook” is intended to provide small and medium enterprises with detailed guidelines on how to improve their internal security. It should help with the integration of some basic security principles in your organization, starting from a number of recipes that can be adapted to your own taste.
THE SECURITY FACTORY
Background

Passwords are still the cornerstone for the security of many IT environments. Many users however fail to choose a good password. Often they choose the same password for every environment or even give away their password without thinking about it.

People don’t like change! This well-known problem affects the overall security of these companies. Many people have re-used the same password over and over for years. When asking them to choose a new password, different from anything they have ever used before, it seems like an impossible task to many.

Danger of reusing passwords across sites
People have to manage a lot of passwords nowadays. Every online shop, subscription, social network, photo website, etc. will ask for a user ID and password. You can’t blame users for re-using the same passwords on most sites. They don’t realize that if one of these sites gets hacked, the user’s password becomes public and also his accounts on other (more sensitive) websites might/will get hacked… or even a corporate account!

How-to

Users need to be trained on the topics below to resolve this situation:
• How to choose a good, strong password
• Why not to re-use passwords across different environments
• Why to change passwords regularly (and not just add a number)

Choosing a good, strong password turns out to be a very complex task for many people. Good tips will definitely help your users to choose better passwords and to manage the multitude of passwords they have across many websites.

How to choose a good, strong password
Choosing a good password turns out not to be trivial, especially passwords that can easily be remembered. There are however a number of easy tricks that every user can learn to choose and remember good passwords:
REQUIRED COMPONENTS
— Communications team tasked to work on security awareness
— Management support
2. Drawing on keyboard:
3. Use long sentences, with numbers and other characters (e.g. add smiley). E.g.“This is 1 great password!!”
It is important to recommend a large number of tricks to your users, so everybody can choose what works best for them. This way, you also avoid that multiple people end up with the same password.

Important note! Be aware that attackers can also use your security advisories against you! For example, they could try a sample password (provided in your communications) against a large number of your user accounts. If it works for only one user, then they have succeeded. But on the other hand, if you don’t give proper advice to your users, the same attack will definitely work too!

Why not to re-use passwords across different environments
Users should avoid re-using passwords across multiple websites and should definitely refrain from re-using their corporate credentials elsewhere. Many users however will argue that it is nearly impossible to choose a different password for each site, and they do have a valid point.

How can users handle a multitude of passwords in a consistent and secure way?
• Select primary accounts: users should choose a number of primary accounts that they want to protect best. This will include their company account, their primary personal email address and some high-value social network accounts like Facebook, LinkedIn and/or Twitter. More attention for good, unique passwords should be given to these accounts.
• Low value accounts: these are accounts that really don’t have any direct value for the users, such as newsletter subscriptions, etc. Users might decide to use the same password for each of these.
• Rarely-used accounts: sometimes, users have accounts that they only use once per year. You could recommend your users to choose a good password and have the password reset in case they forgot it; typically, the password-reset links will be sent to your personal email account, so make sure that this one is very well protected.
• Other high-value accounts: many users tend to leave their credit card information on shopping sites, in order to order faster next time they connect. However, this makes the accounts much more critical and it might be a better idea not to leave the credit card information, if possible. Otherwise, good passwords are a must.
Delivery Tips
• Provide users multiple tips and tricks to choose a good password
• Include the aspect of good personal user-accounts in your communications
• Highlight the risks of not choosing good passwords
• Repeat often!
• Use multiple channels to deliver your message: yearly security briefing, flyers, posters, internal website
• Ensure management does support this effort and participates
Enforce a strong password policy

Background

Training users to choose good passwords and to use them securely is a first step. But enforcement of a policy, along with user awareness, is still the best. That way, users are always reminded and forced to stick to the best practices.

You can of course not force users to choose good passwords for their personal accounts, but you can enforce strong password policies for their company account.

How-to

Parameters of a good password policy
A strong password policy enforces not only the length and complexity of users’ passwords, but also the following parameters:
• Maximum password age: this defines how often the users should change their password. Best practice is to have users change their passwords every 90 days. This should not exceed 180 days.
• Enforce password history: this defines how many old passwords of the users are remembered, to avoid that people will reuse old passwords. Set this to a high value.
• Minimum password age: this setting is related to the password history. In order to avoid that people change their password multiple times on the same day to work around the password history enforcement, a minimum password age of 1 day is typically set. This implies that users can change their password only once per 24 hours.
• Minimum password length: this sets the minimum number of characters for a password. Common best practice dictates a minimum length of 8, although 10 is also often used.
• Passwords must meet complexity requirements: as described earlier, good passwords should contain a mix of upper and lower case characters, combined with numbers and special characters.
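As an added example (not code from the cookbook), the PowerShell function below checks a candidate password against the parameters just listed and against the advice of the password-awareness recipe: minimum length, the “3 out of 4 character categories” rule the cookbook quotes for Office 365, and the “don’t just add a number” pattern. The minimum length of 10, the 3-of-4 simplification of the Windows complexity rule and the sample passwords are assumptions; the first sample is the cookbook’s own example sentence.

```powershell
# Added example, not from the cookbook: score a candidate password against the
# policy parameters described in this recipe. Assumptions: minimum length 10 (the
# stricter value the recipe mentions) and the simplified "3 of 4 categories" rule.
function Test-PasswordQuality {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $PreviousPassword = '',
        [int] $MinimumLength = 10
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Minimum password length
    if ($Password.Length -lt $MinimumLength) {
        $problems.Add("shorter than $MinimumLength characters")
    }

    # Complexity: count which of the four categories are present (-cmatch is case-sensitive)
    $categories = 0
    foreach ($pattern in '[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]') {
        if ($Password -cmatch $pattern) { $categories++ }
    }
    if ($categories -lt 3) {
        $problems.Add("uses only $categories of 4 character categories (need 3)")
    }

    # "Don't just add a number": the new password is the old one with trailing digits
    # changed or appended. Strip trailing digits from both and compare the stems.
    if ($PreviousPassword) {
        $newStem = $Password -replace '[0-9]+$', ''
        $oldStem = $PreviousPassword -replace '[0-9]+$', ''
        if ($newStem -eq $oldStem -or $Password.StartsWith($PreviousPassword)) {
            $problems.Add('differs from the previous password only by a number')
        }
    }

    [pscustomobject]@{
        Password   = $Password
        Acceptable = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Constructed sample passwords (not real credentials).
Test-PasswordQuality -Password 'This is 1 great password!!'                  # the recipe's own example
Test-PasswordQuality -Password 'password'                                    # short and single-category
Test-PasswordQuality -Password 'Summer2014' -PreviousPassword 'Summer2013'   # the "just add a number" pattern
```

The third sample is the point of the check: it satisfies length and complexity, so a domain policy alone accepts it, yet it is exactly the rotation habit the recipe warns about. That is why user training and the policy have to be combined.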
REQUIRED COMPONENTS
— Microsoft Windows Active Directory
— Group policies
Creating a strong Active Directory password policy
In order to verify your current policy or create a strong password policy on your Active Directory, please follow these steps:
• Select “Default Domain Policy” and press OK
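To verify the current policy without clicking through the Group Policy editor, the following PowerShell report (an added example, not part of the cookbook) reads the domain’s default password policy and compares it with the values this recipe recommends. It assumes the ActiveDirectory module (RSAT) and a domain account; the password history count of 24 is an assumption, since the recipe only says “set this to a high value”.

```powershell
# Added example, not from the cookbook: report how the current default domain
# password policy compares with the values this recipe recommends.
Import-Module ActiveDirectory

function Get-PasswordPolicyReport {
    param(
        [string] $Domain = (Get-ADDomain).DNSRoot,
        [int] $MaxAgeDays = 90,        # recipe: every 90 days, never more than 180
        [int] $MinAgeDays = 1,         # recipe: 1 day
        [int] $MinLength = 10,         # recipe: 8, although 10 is often used
        [int] $HistoryCount = 24       # assumption for "a high value"
    )
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # A MaxPasswordAge of zero means "passwords never expire", so it is non-compliant.
    $checks = @(
        @{ Setting = 'MaxPasswordAge';       Current = $p.MaxPasswordAge;       Recommended = "<= $MaxAgeDays days"
           Compliant = ($p.MaxPasswordAge -gt [TimeSpan]::Zero -and $p.MaxPasswordAge.TotalDays -le $MaxAgeDays) }
        @{ Setting = 'MinPasswordAge';       Current = $p.MinPasswordAge;       Recommended = ">= $MinAgeDays day"
           Compliant = ($p.MinPasswordAge.TotalDays -ge $MinAgeDays) }
        @{ Setting = 'MinPasswordLength';    Current = $p.MinPasswordLength;    Recommended = ">= $MinLength"
           Compliant = ($p.MinPasswordLength -ge $MinLength) }
        @{ Setting = 'PasswordHistoryCount'; Current = $p.PasswordHistoryCount; Recommended = ">= $HistoryCount"
           Compliant = ($p.PasswordHistoryCount -ge $HistoryCount) }
        @{ Setting = 'ComplexityEnabled';    Current = $p.ComplexityEnabled;    Recommended = 'True'
           Compliant = ($p.ComplexityEnabled -eq $true) }
    )
    foreach ($c in $checks) { [pscustomobject]$c }
}

# Any row with Compliant = False is a setting to change in the Default Domain Policy
# GPO, following the steps of this recipe.
Get-PasswordPolicyReport | Format-Table Setting, Current, Recommended, Compliant -AutoSize
```

The report is deliberately read-only: the settings themselves belong in the Default Domain Policy GPO as the recipe describes, because values written directly to the domain object can be reverted by that GPO on the next refresh.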
What about password policies for cloud user accounts on Office 365?
Given the online nature of Office 365, some strong password policy parameters are required by default and Office 365 doesn’t even give the option to choose passwords that are not sufficiently strong. Only 2 parameters can be changed:
• Maximum password age (“days before passwords expire”): default set to 90 days
• Upfront user notification (“Days before a user is notified that their password will expire”): default set to 14 days

These can be found under the “Office 365 Admin Center” > Service Settings > Passwords, as shown below:

The other default (non-changeable) password policy parameters are set as follows:
• Enforce password history: enabled (last password only)
• Minimum password age: 0 (users can change their password immediately)
• Minimum password length: 8 (maximum length: 16)
• Passwords must meet complexity requirements: yes (3 out of 4 categories must be selected: lowercase, uppercase, number and special character).

Note that if you decide to use DirSync to synchronize your internal Active Directory with the Azure Active Directory, the password policy of your internal Active Directory will apply.
Delivery Tips
• Combine a strong password policy with user training; otherwise, users will complain and try to work
around the password policy requirements
• Use single sign-on whenever possible, also for non-Windows operating systems. This can be achieved by integrating RADIUS authentication for network devices or LDAP authentication for non-Windows web applications.
Separate accounts for system administrators

Background

System administrators have a user account that has access to most company data, including the most critical data. At the same time, these accounts also have access to reconfigure the underlying operating system, applications, user accounts, etc.

The problem comes from the fact that these system administrators have 2 hats on: one of the sys-admin, and one of a “normal” user. They need to read their emails, access applications as a normal user (e.g. time-sheets, HR applications, etc.), browse the internet, … Browsing the internet or opening potentially unsafe email attachments can however have a dramatic impact on your IT environment, when this is done using a high-privileged account.

“… responsibility” (from “Amazing Fantasy #15”, August 1962, the first Spider-Man story)

How-to

The solution is very simple and effective: make sure that system administrators have a separate account that is solely used for system administration tasks.

However, without any technical enforcement, this requires a very strict discipline of the system administrators, since they will have to do obvious tasks with some extra steps. E.g. a system administrator would have to switch to another account to read something on the internet and then switch back to his administrator account. This can be a burden, e.g. when creating documentation. On the other hand, these additional steps are absolutely necessary to keep the environment secure.

How can you help your system administrators to stick to the rules?
• Ensure at all times that any system administrator … more details)
• Ensure that system administrators cannot log on to ANY end-user workstation. This can be achieved by setting group policies.
REQUIRED COMPONENTS
— Security policy
— Management endorsement
— Good communications
Using Group Policies in Active Directory, you can control who has the right to “log on locally” on a computer. This gives you the ability to control on which workstations users with an administrative account are allowed to log on.

Since normal user workstations might be infected with malware, it is a very bad idea that a highly privileged system administrator logs on to these workstations, since many more systems might get infected by doing so.

• On the end-user workstations OU, create a Group Policy Object that:
  • Adds this “workstation admins” group to the local “administrators” group on each workstation; this can easily be achieved through group policy “preferences” (Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups; right-click and select New > Local Group):
• on the “administrative workstations” OU, create a Group Policy Object that ensures that only “administrators”
(which includes domain Admins) have the rights to log on locally
Important note: make sure that you are familiar with Active Directory and Group Policies concepts and test
the setup described above before implementing in your production environment, to avoid that you lock
yourself out of your own systems!
Delivery Tips
• Highlight the risks of working on untrusted workstation, using high-privileged accounts
• Repeat the message often!
• Use multiple channels to deliver your message: yearly security briefing, flyers, posters, internal website
• Ensure management does support this effort
Restrict internet access for administrators

Background

It doesn’t need any clarification that today’s main security threats come from the Internet.

Hackers will try to target the most valuable assets of an organization and if they can successfully attack somebody with high privileges across many systems, they gain immediate access to most data within that organization.

System administrators should hence be very careful when accessing internet websites or reading emails.

At the same time, organizations should also make sure that administrative privileges are only given to users that really need them. That implies that normal users only need standard privileges on their systems and should not have administrative access on their workstations.

How-to

Internet access policy for system administrators
The most important aspect is that system administrators should understand the risks that come along with their privileges. System administrators often have privileges across many systems and should understand that executing any untrusted program can infect all systems of the whole organization, even in the cloud.

System administrators should therefore abide by the following rules:
• 2 accounts: system administrators should always have 2 accounts: one for normal computer usage (reading mail, surfing the internet, etc.) and one only for administrative purposes
• Never go on the internet with a privileged account
• Only execute trusted and verified software when using the administrative account.
• Only install or run software that is downloaded directly from the vendor’s site itself.
REQUIRED COMPONENTS
— Security policy
— Management endorsement
— Configuration changes on Internet proxy server
How can you enforce this policy in a simple way?
1. Make a clear separation between normal and administrative user accounts (see the “separate accounts for system administrators” recipe).
2. Only include administrative accounts (a-accounts) in privileged Windows groups, such as the “Domain Admins” group.
3. In case the organization has a proxy server in place to access the internet, you can enforce this policy by not granting access to the Internet from administrative workstations or by blocking access for any user that has an administrative a-account (this requires that the proxy server authenticates users based on their Windows credentials).
4. Alternatively, you can set a group policy for all administrative user accounts to use a proxy server with a very strict Internet access policy (e.g. only whitelisted websites, such as software vendors or cloud services used by the organization).

Non-privileged accounts for end-users
Normal end-users (that do not perform administrative tasks) should not have an account that has any privileged access to any system, not even their own workstation or laptop.

Some organizations choose however to enable users to manage their own workstation/laptop, e.g. in case they need to install new software, configure a new printer, etc. It is important that users in this category clearly understand the risk that comes along with this privileged access, and end-user training on “dos” and “don’ts” is essential in order to reduce the risk of compromised workstations and/or laptops.
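Steps 1 and 2 can be checked rather than assumed. The PowerShell report below (an added example, not code from the cookbook) lists members of privileged AD groups that do not follow the separation described in this recipe and in the “separate accounts” recipe: either the member is not an “a-” account, or the admin account carries a mail address, which suggests it is also used for daily work. It assumes the ActiveDirectory module; the group list, the “a-” prefix and the mailbox heuristic are assumptions to adapt to your own naming standard.

```powershell
# Added example, not from the cookbook: find accounts in privileged AD groups that
# do not follow the normal/administrative account separation of this recipe.
Import-Module ActiveDirectory

function Get-PrivilegedAccountViolations {
    param(
        [string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                               'Administrators', 'Account Operators', 'Server Operators'),
        [string] $AdminPrefix = 'a-'      # naming convention used in the recipe text
    )
    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so indirect memberships are caught as well.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($member in $members) {
            $user = Get-ADUser -Identity $member.DistinguishedName -Properties mail, LastLogonDate
            $isAdminAccount = $user.SamAccountName.StartsWith($AdminPrefix, 'OrdinalIgnoreCase')
            $issue = $null
            if (-not $isAdminAccount) { $issue = "not an '$AdminPrefix' account" }
            elseif ($user.mail)       { $issue = 'admin account has a mailbox (heuristic: used for daily work?)' }
            if ($issue) {
                [pscustomobject]@{
                    Group          = $group
                    SamAccountName = $user.SamAccountName
                    Enabled        = $user.Enabled
                    LastLogonDate  = $user.LastLogonDate
                    Issue          = $issue
                }
            }
        }
    }
}

# Review this list before cleaning up: built-in accounts such as the domain
# Administrator will appear and need a decision rather than a blind removal.
Get-PrivilegedAccountViolations | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Run it on a schedule and keep the output: a new entry in the list is exactly the drift the delivery tips below ask you to keep repeating the message about.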
Some examples of advice to end-users:
• Only install company-approved software that is downloaded from either the vendor’s website or from an internal software repository
• Be vigilant when browsing the internet
• Ensure that patches for the OS and applications are installed when available, and issue separate communications on a regular basis to ensure that users don’t forget to install security updates
• In case of doubt, bring in the computer to have it reviewed for possible malware and cleaned up. Avoid punishing users for having an infected computer, since they will be reluctant to bring in their computer and will try to solve the problem themselves, thereby putting your infrastructure in danger. (Possible signs of an infected computer might be: anti-virus no longer active, unexpected browser pop-ups for advertisements, programs being started unexpectedly, etc.)

Always make sure that workstations are fully patched, protected by an up-to-date anti-virus and that you have EMET (Microsoft Enhanced Mitigation Experience Toolkit) installed. More information on EMET can be found here: http://www.microsoft.com/en-us/download/details.aspx?id=43714

For the expert

See the “jump-system for administrative access” recipe further in this document.
Delivery Tips
• Highlight the risks of working on untrusted workstation, using high-privileged accounts
• Repeat the message often!
• Use multiple channels to deliver your message: yearly security briefing, flyers, posters, internal website
• Ensure management does support this effort
Implement “jump”-systems for secure administration

Background

Enforcing secure system administration rules along with end-user awareness and security policies will provide a better and long-term end result.

Jump-systems are intermediate, secure servers that administrators can use to administer the environment and through which critical systems are isolated from insecure workstations. In addition, they even provide a secure method for remotely administering the environment (e.g. from home or another location).

How-to

The purpose of a jump-system is to separate the admin environment from the normal user environment. The admin environment needs to be highly secure and accessed by as few people as possible, with the least privileges possible and for the shortest time possible. The concept of a jump-system is depicted below:
REQUIRED COMPONENTS
— Active Directory (AD) & experience managing it
— Knowledge/experience on working with Group Policies in AD
— Remote Desktop Host & some experience managing it
The purpose of the jump-system is to separate the administrative network flows from normal user network flows. This implies that all network traffic related to remote administration must pass via the jump-system, while normal user traffic must pass via the internal firewall.

Making a separation between administrative network flows and normal end-user traffic is not always trivial, since some administration can be done over network protocols that are also used for normal user traffic to backend servers. On the other hand, most recent software has separate protocols or ports, such as PowerShell-related ports, Remote Desktop Protocol or separate ports for web administration of backend servers.

Setting up a remote desktop host on Windows Server 2012 (R2) is a very trivial process and a step-by-step quick-start guide can be found here: https://technet.microsoft.com/en-us/library/hh831754.aspx (Note: ensure you select “Session-based desktop deployment” and not “Virtual machine-based desktop deployment”).

… the RD-Host can be turned into a secure administrative jump-system:
1. Ensure segregation of duties:
   a. The administrator of the jump-system has no administrative privileges on domain level, workstations or other servers; vice versa, the administrators of other systems don’t have any privileges on the jump-system.
   b. Only administrative accounts can use the jump-system
   c. Administrative accounts are not allowed access on end-user workstations
2. Restrict administrative network flows (RDP, PowerShell and other protocols) on the internal firewall, in order to force all administration to be done on the workstation
3. Configure Remote Desktop Gateway to enforce policies and provide direct RDP access to backend servers.
4. Enforce auditing on the jump-system
5. Don’t allow internet access from the jump-system or any server, except maybe for well-defined vendor sites
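Steps 2 and 4 above have a host-level counterpart that does not depend on the internal firewall alone. The PowerShell below is an added example (not code from the cookbook): the first function, run on each backend server, leaves RDP and PowerShell remoting (WinRM) reachable from the jump-system only; the second, run on the jump-system itself, switches on logon auditing so every administrative session lands in the Security event log. The jump-system address 10.0.1.10 is a placeholder, the Domain firewall profile and an elevated session are assumed, and, as the recipes keep stressing, it should be tested in a lab before production.

```powershell
# Added example, not from the cookbook: Windows Firewall scoping for step 2 (run on
# each backend server) and audit settings for step 4 (run on the jump-system).
$jumpHost   = '10.0.1.10'                                   # placeholder address
$adminPorts = @{ 'RDP' = 3389; 'WinRM-HTTP' = 5985; 'WinRM-HTTPS' = 5986 }

function Limit-AdminPortsToJumpHost {
    param([string] $JumpHost, [hashtable] $Ports)

    # Unsolicited inbound traffic is blocked unless a rule allows it.
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

    # Disable the built-in rules that allow RDP and WinRM from anywhere. A Block rule
    # would also override our scoped Allow rule (Block wins in Windows Firewall), so
    # the unscoped rules are disabled rather than countered with a block.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue

    # Allow each administrative port from the jump-system only (idempotent: old copy removed first).
    foreach ($name in $Ports.Keys) {
        $ruleName = "Admin $name from jump-system"
        Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $Ports[$name] -RemoteAddress $JumpHost -Profile Domain -Action Allow | Out-Null
    }

    # Return the resulting rules so the scope can be verified.
    Get-NetFirewallRule -DisplayName 'Admin * from jump-system' | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Port = $port.LocalPort; From = $addr.RemoteAddress; Enabled = $_.Enabled }
    }
}

function Enable-JumpSystemLogonAuditing {
    # Record every logon, logoff and privileged (special) logon in the Security log,
    # which event forwarding or a SIEM can then collect.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    auditpol /set /subcategory:"Logoff" /success:enable
    auditpol /set /subcategory:"Special Logon" /success:enable
    auditpol /get /category:"Logon/Logoff"
}

# On a backend server:
Limit-AdminPortsToJumpHost -JumpHost $jumpHost -Ports $adminPorts | Format-Table -AutoSize
# On the jump-system:
Enable-JumpSystemLogonAuditing
```

Note what the scoping does not cover: an administrator who can still reach the backend server by another management protocol (a vendor web console, for instance) bypasses the jump-system, which is the “not always trivial” separation the text above describes. Inventory those ports and scope them the same way.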
Delivery Tips
• Since system administrators, especially in smaller organizations, will manage backend systems and jump-systems, they must enforce this way of working upon themselves. It’s therefore very important that they fully understand the value of this approach and actively support it
• Workstation administrators are a “dangerous” group, since they have administrative access to all
workstations. It’s very important for them to understand that they should not access internet with their
administrative account and understand the risks.
Multi-factor authentication in Office 365 and Azure

Background

Passwords, even good passwords, remain the Achilles heel of many organizations. Passwords can be stolen, and unless you continuously pay attention to how passwords are used, there remains a significant risk that one day a password of a critical account (such as a system administrator) might leak.

Especially for cloud environments, the impact of a compromised or stolen password increases dramatically, since cloud environments are accessible from anywhere. A better protection mechanism, especially for the critical accounts, is hence almost a must-have.

How-to

Multi-factor authentication is a feature that can be easily set up and configured out-of-the-box with any Office 365 or Windows Azure subscription. The steps below highlight how to do this for an Office 365 account.

1. Go to the O365 admin center and select Users > Active Users
REQUIRED COMPONENTS
— Personal (smart-)phone for each user
— Office 365 and/or Azure subscription including multifactor authentication
2. Click on “Set up” after “Set Multifactor Authentication requirements”
4. Click “enable multi-factor auth” and next on “close”
6. Next, the user should click on “Additional security verification”; he can now select his preferred option for authentication, such as phone call, text message or multi-factor authentication app (see further in this recipe on how to configure it). He should also update and/or verify his phone number(s) at this point. If he doesn’t complete the above (points 5 & 6), the next time the user logs on after this change, he will get a message to set up the additional security verification:
8. He will be prompted to validate the additional verification option by entering the verification code he received through a text message
10. Since applications such as Outlook, Lync and others cannot currently deal with 2-factor authentication, users can also create an “application password” that allows them to continue to use their applications; note that this password cannot be used for web authentication.

When clicking on “Configure”, the user is presented with a QR code that he can scan with his multi-factor authentication app (the user can install the app following the instructions on the first line of the screen).
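For more than a handful of accounts, the clicks of steps 1 to 4 can be scripted. The PowerShell below is an added example (not code from the cookbook) that sets the same “enabled” requirement for a list of users with the legacy Azure AD (MSOnline) module; the user then completes steps 5 to 8 at the next sign-in. It assumes the MSOnline module is installed, that you sign in as a global administrator, and that the two user principal names are constructed placeholders.

```powershell
# Added example, not from the cookbook: enable the MFA requirement for a list of
# accounts with the legacy MSOnline module (same result as the admin-center clicks).
Import-Module MSOnline
Connect-MsolService                       # prompts for global administrator credentials

$criticalAccounts = @('a-alice@contoso.example', 'a-bob@contoso.example')   # placeholder UPNs

# The requirement object that the admin center sets behind the "Enable" button.
$mfaRequirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfaRequirement.RelyingParty = '*'        # applies to every application
$mfaRequirement.State = 'Enabled'         # the user is asked to register at the next sign-in

function Enable-MfaForUsers {
    param([string[]] $UserPrincipalNames, $Requirement)
    foreach ($upn in $UserPrincipalNames) {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($Requirement)
        # Read the state back so the change is verified and can be logged.
        $state = (Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationRequirements.State
        [pscustomobject]@{ User = $upn; MfaState = $state }
    }
}

Enable-MfaForUsers -UserPrincipalNames $criticalAccounts -Requirement $mfaRequirement | Format-Table

# An empty array removes the requirement again, which is what the "temporary
# exception" process in the delivery tips would use:
#   Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()
```

Keep the list of accounts you enable in the same place as the exception process: the helpdesk procedure the delivery tips ask for needs to know who is supposed to have the requirement set, or a “temporary” removal quietly becomes permanent.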
Delivery Tips
• Start with most critical accounts first, such as system-administrators that manage your Office 365
environment or personnel that might store sensitive data
• Explain clearly to your end-users why you have chosen to implement this and provide training (e.g. video
available through the O365 website)
• Extend to more users after initial learning
• Ensure you have processes in place to deal swiftly with temporary exceptions (e.g. a user lost or forgot their phone) and ensure that the helpdesk is trained on these procedures
Auditing and logging on Office 365

Background
REQUIRED COMPONENTS
— Security policy
— Management endorsement and support
— Support and commitment of the organization to implement this
How-to
Generic approach to information security auditing:

Auditing is an important security process that allows an organization to measure the state of its security posture. As with any measurement, it is of course important that you have a clear idea of what you want to measure and what your key performance indicators (KPIs) are for this security process.

For example, if you want to validate that system administrators are not snooping into your personnel’s emails (which is hard to enforce technically), you need to take the following steps:
• Ensure that you have a security policy defined that clearly states this rule
• Define an audit policy for the email environment
• In this audit policy, define that events must be generated for all accesses by administrative personnel to users’ inboxes & ensure that this policy is technically implemented on the system
• Ensure you have a system in place to centrally collect these events (SIEM)
• Define reporting on the central event-collection system for these specific events
• Ensure personnel is tasked to review these reports on a regular basis and to create a security incident for each violation

This simple example already shows that setting up and implementing good audit systems and processes requires quite some investment and skills to do it properly.
… in place to facilitate the setup of security audit reporting, and security reports for most common events are already pre-defined and configured.

Configuring audit policies and accessing reports on Office 365 can be achieved in the following ways:
• Exchange (mailbox) auditing: go to the admin center and access “reports” on the left side. Standard reports that are available are for example “Mailbox access by non-owners”. More information on how to configure mailbox auditing can be found here: https://technet.microsoft.com/en-us/library/jj150497(v=exchg.150).aspx
• Account auditing: most audit reports are accessible under Azure AD directly; you can get to the reports through the admin center > reports > Azure AD Reports

The “site collection audit settings” link lets you choose what to audit, such as actions on documents and collection objects such as sites, libraries and lists (create, edit, move, delete, permissions change, etc.). Several predefined reports are available through the “audit log reports” link, or you can create your custom report. All SharePoint audit reports are stored in Excel format on the SharePoint site itself.

More information on Office 365 auditing can be found here: https://technet.microsoft.com/en-us/library/dn790283.aspx

For the expert

Microsoft’s Audit Collection System (part of System Center Operations Manager) allows you to quickly set up an event collector and reporting system, giving you the same kind of access to audit reports as is available in Office 365.
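The mailbox-snooping example from the generic approach above, and the Exchange (mailbox) auditing bullet, come together in the following PowerShell, which is an added example and not code from the cookbook. It switches on mailbox audit logging for every user mailbox so that administrator and delegate access is recorded, and then produces the “non-owner access” list that the person tasked with the review works through. It assumes an existing Exchange remote PowerShell session (Exchange Online or Exchange 2013), a 90-day audit retention and a 7-day review window; the recipe itself gives no values for those.

```powershell
# Added example, not from the cookbook: the audit-policy steps of this recipe applied
# to Exchange mailboxes. Assumptions: an existing Exchange PowerShell session, a
# 90-day retention and a 7-day review window.
$retentionDays    = 90
$reviewWindowDays = 7

# 1. Technically implement the policy: log what administrators and delegates do in
#    mailboxes they do not own (MessageBind = a message was opened).
$adminActions    = 'MessageBind', 'FolderBind', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'
$delegateActions = 'FolderBind', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf'

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit $retentionDays `
                -AuditAdmin $adminActions -AuditDelegate $delegateActions

# 2. Define the report: every non-owner access in the review window, one row per event.
function Get-NonOwnerMailboxAccess {
    param([int] $Days = $reviewWindowDays)
    $start = (Get-Date).AddDays(-$Days)
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        ForEach-Object {
            Search-MailboxAuditLog -Identity $_.Identity -LogonTypes Admin, Delegate `
                -StartDate $start -EndDate (Get-Date) -ShowDetails
        } |
        Select-Object MailboxOwnerUPN, LogonUserDisplayName, LogonType, Operation,
                      LastAccessed, ClientIPAddress, FolderPathName
}

# 3. The reviewer runs this on the agreed schedule; each access not explained by a
#    ticket or a known delegation becomes a security incident, as the recipe prescribes.
Get-NonOwnerMailboxAccess | Sort-Object LastAccessed | Format-Table -AutoSize
```

The two remaining steps of the generic approach, central collection and reporting, are deliberately left to the SIEM: the function returns plain objects so its output can be exported (for example with Export-Csv) and fed to whatever collector you use, rather than being read only on screen.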
Delivery Tips
• Don’t rely on auditing as your only defense;
prevention is better than cure!
• Make sure that trained personnel is tasked to
review the logs on regular basis and to take
actions on identified incidents
• Ensure that management support the incident-
management plan, including corrective
actions
• Ensure that all personnel is aware that auditing is in place. If people know that they are being watched, they will be much more reluctant to do something wrong.
• Ensure that any type of auditing is compliant
with legal privacy regulations
This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of
any information presented after the date of publication.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced,
stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with
any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.