Recently three of the best and most knowledgeable Microsoft MVPs—Dave Kawula, Cristal Kawula, and John O’Neil Sr.—got together to present a webinar that outlined seven things that sysadmins can do to protect and monitor the systems they’re in charge of. If you have time, I highly recommend that you watch the whole thing, because there’s a ton of value here for any sysadmin. But if your time is limited, do the next best thing and check out these key points from that presentation.
Ransomware attacks such as Kaseya are increasing all the time, and companies that thought they were adequately protected are finding out that’s not the case. Kaseya was a particularly nasty one because it hit thousands of organizations at the same time and attacked not only production servers but also backup targets and recovery servers.
When it comes to paying the ransom, companies are in a double bind, because they can’t afford NOT to pay (because their data is worth a lot more than the ransom), but they also in some cases can’t legally pay because paying would violate anti-terrorism laws. (That’s true in the EU, for instance.) Actually, make that a triple bind, because many companies feel like they can’t afford to implement the robust protections that would decrease the likelihood of getting hit in the first place.
This leads to the first tip: it’s not enough to have online backups, because modern ransomware can seek out and corrupt online backups too, as Kaseya did. You need to make backups that are: 1) offline, so the ransomware has a harder time getting to it, 2) immutable (that is, unchangeable), so that if the ransomware does get to the backup, it can’t change it, and 3) frequent. Think about how much drift the company can afford to put up within the event of a complete restore and set your on-prem backup schedule accordingly.
Even if a company does pay the ransom from a ransomware attack, it’s not a simple case of making the drop and suddenly everything is back to normal. One organization had 20+ days of downtime after an attack, for example. That’s 20+ days of non-profitability—basically hemorrhaging money. The cloud backups were useless because the ransomware got to them. They did have on-prem backups, but they were 4 months old, and their sysadmins had enabled deduplication on their backup appliance. Nobody ever tested how long a full-out recovery and restore would take—and it took over 81 hours for one of their primary restores of the single VM that held most of the data they needed.
Lesson learned here: deduplication is all well and good as far as efficiency of storage, but it can negatively impact restore speeds. If you’re not sure what the best trade-off is in your situation, do a test. Are 81 hours for restoring a backup acceptable? If not, what is an acceptable time? Configure your backup appliances accordingly.
Every sysadmin is probably familiar with this scenario: it’s Patch Tuesday and you forgot to put your servers in maintenance mode. It’s the middle of the night, and suddenly your phone starts blowing up with tons of alerts coming from every direction. Receiving alerts from your servers is important, of course, but the sheer volume of alerts can approach the level of ridiculous at times. High message volume can, ironically enough, also cause you to miss important messages because you get overwhelmed, and they all start sounding like white noise to you.
When you use Microsoft 365 Defender, everything is automated, but it’s important to realize that, even though you do want to automate the collection and correlation of alerting, automation is not really the point. At the end of the day, the reason we’re doing all that is so we as professionals—people with knowledge and training—can quickly look at what we’re being presented and decide to take action. The goal isn’t to automate so we don’t have to worry about things; it’s to automate so that the information we do get is timely and thoroughly correlated.
Microsoft has some great solutions to help you filter that noise. Look at Azure Sentinel’s capabilities, for example. Sentinel is a scalable, cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution that can help you automate smart.
Here’s one for organizations that are in some sort of hybrid configuration, such as Hybrid AD Joined. Microsoft recently released AD Connect 2, and it’s important that everyone upgrades to that. You probably have auto-update for AD Connect turned on, but this is a major version upgrade, so it doesn’t fall under the auto-upgrade functionality. You must do this one manually. And it’s so important to do so, because AD Connect uses SQL Server bits, and the bits that are in the 1-point versions are older and soon to be unsupported. You get the 2019 bits with the 2.0 release. That’s a huge reason to get it done sooner rather than later. Obviously, you improve your security if you get away from those older, about-to-be-EOL bits.
Bonus tip: Microsoft has come out with a fantastic Office 365 lab kit that covers almost everything for modern desktops. It’s a comprehensive lab guide that will take you through the setup of Endpoint Manager (Intune) and Autopilot, walking you through a bunch of features and scenarios.
Advanced Persistent Threat Protection is a sysadmin’s best friend these days for a sysadmin. Traditional antivirus solutions are just not enough to protect against today’s malware. You need intelligent solutions to help defend against an ever-evolving threat landscape.
If you don’t already have Advanced Persistent Threat Protection, you need to look at getting it, not only on your servers but also on your endpoints, core network infrastructure, and cloud providers. Its current name in the Microsoft universe is Defender 365 Security Suite. Get a project spun up right now to evaluate it. It can often stop ransomware attacks dead in their tracks. This solution does what we were talking about earlier with the logs—it takes data from multiple sources and puts it together into a single alert that enables IT pros to decide to act. With anything security-related, the faster and more informed we can be, the more prepared and protected our organizations are.
Best of all, there might be no extra charge involved. Microsoft provides a good portion of all of that as part of the E5 licensing suite, so you might already own it. If you’ve got an E3 license, look at what you get with that versus E5, and run the numbers; E5 might actually be a better overall deal.
As multi-factor authentication becomes more widespread, it’s important to be able to protect that second factor, which is often the user’s smartphone. A lot of people don’t realize that one possible way to steal someone’s information is to steal their phone number. I know that sounds like an odd way to go about it, but how many people put their phone numbers at the bottom of every email they send? That’s like broadcasting your number out into the world. Once someone has hacked your account, it’s not that difficult to call your cell phone provider to set up a new phone and port your number over to it. This is a way people have gotten around the MFA pretty easily.
To prevent this, make a call to your carrier and ask them to add port protection on the phones you manage. With port protection, to change the phone that a number is assigned to, someone would have to call in and provide a password.
Do you consider yourself a security professional? Not all sysadmins do; a lot of them say “I’m just a day-to-day admin; I don’t deal in the security policy-making stuff.” But in today’s landscape, that mindset needs to shift. It doesn’t matter whether you’re a Level 1 helpdesk operator or the CIO—you have a role to play in security. Improving an organization’s security involves minimizing the threat profile across all devices, and oftentimes helpdesk pros are on the front line. When they are supporting someone on their computer, for instance, and they see some questionable software, or an administrative account being used on an endpoint, they should have the authority to take action to fix it. People who administer Office 365 and SQL also play an important part, because these systems house a lot of the information that is critical for the organization to deliver its products and services.
Educate all sysadmins at all levels be on the lookout for areas where security can be tightened up without loss of functionality, like unneeded services being enabled, end user accounts having permissions they don’t need, and server administrator accounts being used for routine daily activities.
Today’s threat landscape is brutal, especially in ransomware threats. This article provided seven tips that any M365 sysadmin can use to make the systems they manage less vulnerable to attacks and save the company a lot of time, money, and grief. Another way to harden security is to invest in a platform management suite such as CoreView. To find out more about CoreView and get a free security evaluation, check out https://www.coreview.com/request-a-demo.