book

Mastering Windows Security and Hardening - Second Edition

by Mark Dunkerley, Matt Tumbarello

August 2022

Intermediate to advanced

816 pages

18h 53m

English

Packt Publishing

Read now

Unlock full access

Second EditionContributorsAbout the authorsAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare Your Thoughts
Understanding the security transformationLiving in today’s digital worldToday’s threatsRansomware preparednessIdentifying vulnerabilitiesRecognizing breachesCurrent security challengesFocusing on zero trustSummary
Overview of baseliningIntroduction to policies, standards, procedures, and guidelinesDefining policiesSetting standardsCreating proceduresRecommending guidelinesIncorporating change managementImplementing a security frameworkBuilding baseline controlsCISWindows security baselinesComparing policies with Policy Analyzer Intune's security baselinesIncorporating best practicesSummary
Technical requirementsPhysical servers and virtualizationMicrosoft virtualizationHardware security concernsVirtualization security concernsCloud hardware and virtualizationIntroduction to hardware certificationThe firmware interface, TPM, and Secure BootProtecting the BIOSUnderstanding UEFIUEFI Secure BootTPK (TPM 2.0)Isolated protection with VBSWindows Defender Credential GuardHVCIMicrosoft Defender Application GuardWindows Defender System GuardKernel DMA ProtectionProtecting data from lost or stolen devicesSecure Memory Encryption (AMD)Total Memory Encryption (Intel TME)Hardware security recommendations and best practicesSummary
Technical requirementsNetwork security fundamentalsUnderstanding Windows network securityNetwork baseliningWindows clientsWindows ServerNetworking and Hyper-VNetwork troubleshootingWindows Defender Firewall and Advanced SecurityConfiguring a firewall rule with Group PolicyWeb protection features in Microsoft Defender for EndpointUsing custom indicatorsWeb content filteringBlocking connections with network protectionIntroducing Azure network security Controlling traffic with NSGsConnecting privately and securely to Azure servicesProtecting Windows workloads in AzureSummary
Technical requirementsIdentity and access management overviewIdentityAuthenticationAuthorizationAccountabilityImplementing account and access managementHR and identity managementIntegrating directory servicesManaging Azure external user access (B2B)Understanding the Azure cloud administrative rolesImplementing privileged access security tools (PIM, PAM, and JIT)Securing local administrative accountsUnderstanding authentication, MFA, and going passwordlessSecuring your passwordsEnabling SSPRAuthenticating with Azure AD from WindowsEnabling SSO for apps with an Azure identityConfiguring MFATransitioning to passwordless authenticationPasswordless authentication using Windows HelloUsing Conditional Access and Identity ProtectionEnabling Azure AD Conditional AccessConfiguring Azure AD Identity ProtectionSummary
Technical requirementsUnderstanding device administrationDevice management evolutionDifferences between domain join, hybrid, and Azure AD-joined devicesManaging devices with Configuration ManagerClient collections, settings, and communicationsSecurely deploying clients for Configuration ManagerConnecting to the Azure cloud and Intune co-managementManaging policies and baselines in Configuration ManagerQuerying devices with CMPivotManaging devices with IntuneCSPMDM versus MAMUsing Intune and Microsoft Endpoint ManagerManaging policies and baselines in IntuneAdministering a security baselineDeploying managed configurationsSummary

Technical requirementsDevice provisioning and upgrading WindowsUpgrading WindowsBacking up user data and settingsBuilding hardened Windows imagesWindows ADKWindows Configuration Designer (WCD)Using MDT to build custom imagesDeploying images with WDSMDT and Configuration ManagerProvisioning devices with Windows AutopilotDeployment scenariosRegistering devices with the Autopilot serviceConfiguring an Autopilot profileDeploying images to Azure Virtual DesktopManaging hosts in AVDBuilding a master imageReplication with Azure Compute GalleryDeploying images in AzureDeploying Windows 365 Cloud PCDeploying customized or gallery imagesProvisioning policies for Cloud PCAccessing Windows 365 Cloud PCsSummary
Technical requirementsSecuring your Windows clientsStaying updated with Windows Update for BusinessPlanning for deploymentConfiguring update rings for Windows clientsPausing update deploymentsManaging feature updates and expedited quality updatesUsing delivery optimizationEnforcing policies and configurationsCreating security baselines in Configuration ManagerDeploying MDM policies in IntuneControlling policy conflicts with MDMManaging Azure AD local device administratorsEnabling BitLocker to prevent data theftConfiguring BitLocker with IntuneViewing BitLocker recovery keysGoing passwordless with Windows Hello for BusinessEnabling Windows Hello for BusinessConfiguring a device compliance policyDeploying Windows Security BaselinesBuilding a GPO using Microsoft Security BaselinesReviewing CIS recommendationsConverting a GPO into a Configuration BaselineDeploying security baselines with IntuneConfiguring Windows Security featuresConfiguring a Defender Antivirus baselineAccount protection featuresFirewall and network protectionApp and browser controlDevice securitySetting the Windows Security experienceSummary
Technical requirementsSecuring enterprise web browsersConfiguring a Microsoft Edge security baselineConfiguring a Google Chrome security baselineSecuring Microsoft 365 appsBuilding a security baseline for M365 appsAdvanced protection features with Microsoft Defender Defense evasion with tamper protectionProtecting against untrusted applications and websitesReducing the attack surface Zero trust with Application GuardProtecting devices with a removable storage access control policySummary
Technical requirementsPreventing an Adversary-in-the-Middle attackLLMNRNBT-NSmDNSThe WPAD protocolNTLM relay attacks Preventing IPv6 DNS spoofingARP cache poisoningProtecting against lateral movement and privilege escalationPreventing resources from being enumeratedProtecting Kerberos ticketsMitigating OS credential dumpingPreventing user access to the registryWindows privacy settingsControlling application privacy permissionsAdditional privacy settingsSummary
Technical requirementsOverview of the data center and the cloud (IaaS, PaaS, and SaaS)Types of data centerImplementing access management in Windows serversPhysical and user access securityUsing a tiered model for privileged access Privileged access strategyUnderstanding privileged account managementAccess management best practicesUnderstanding Windows Server management toolsIntroducing Server ManagerLooking at Event ViewerUsing WSUS Introducing Windows Admin CenterUsing Azure services to manage Windows serversThe Azure portal and MarketplaceARMImplementing RBAC Using Azure BackupLeveraging ASRIntroducing Azure Update ManagementUnderstanding Azure ArcUsing Azure AutomanageConnecting securely to Windows servers remotelyRemote management and support toolsUsing Microsoft Defender for Cloud JIT accessConnecting with Azure BastionSummary
Technical requirementsWindows Server versionsSecurity roles in Windows ServerReducing the Windows Server footprintEnabling features on Server Core 2022Configuring Windows updatesImplementing WSUSImplementing Azure Automation Update ManagementConfiguring Windows DefenderConnecting to Microsoft Defender for EndpointWindows Defender security baselineHardening Windows Server Implementing a security baselineHardening tips for Windows ServerAccount controls for Windows ServerSecuring the logon and authentication processEnabling Disk Encryption to prevent data theftDeploying application control policies using WDACImplementing PowerShell securityConfiguring PowerShell loggingEnabling PowerShell constrained language modePowerShell script executionJEASummary
Technical requirementsMDE featuresThe Threat analytics dashboardThe TVM dashboardDevice Inventory dashboardDevice health and complianceSoftware inventory reportSecurity recommendationsIdentifying weaknessReviewing advanced featuresConfiguring API connectorsOnboarding Windows clients into MDEConfiguring the Microsoft Intune connectionCreating an EDR policyCreating a machine risk compliance policyCollecting telemetry with Azure Monitor LogsOnboarding Windows Servers to Log AnalyticsOnboarding Windows clients to Log AnalyticsMonitoring solutions and Azure WorkbooksMonitoring with Azure Monitor and activity logsSecure access to Azure MonitorMonitoring Azure activity logsCreating Azure WorkbooksAzure Service HealthOverview of Microsoft Defender for CloudReporting in MEMSecurity-focused reports in MEMEnable Windows Health MonitoringUsing Endpoint analyticsCollecting client-side diagnostic logsMonitoring update deploymentsReporting in Microsoft Endpoint Configuration ManagerMonitoring the health and update status of Office appsMicrosoft 365 Apps health dashboardMonitoring Security Update Status Viewing the Office Inventory reportServicing Office appsSummary
Technical requirementsIntroducing the SOCUnderstanding XDRUsing the M365 Defender portalImproving security posture with Microsoft Secure ScoreSecurity operations with MDERole-based access control in MDEReviewing incidents and alertsAutomated investigationsUsing advanced huntingTracking remediation requestsInvestigating threats with Defender for Cloud Enabling Azure-native SIEM with Microsoft SentinelCreating the connectionProtecting apps with MDCAConnecting apps to MDCADiscoveryInvestigateConfiguring policies and controlsMonitoring hybrid environments with MDIPlanning for MDIActivating your instanceIdentifying attack techniquesLooking at the attack timelineData protection with M365Using Microsoft Purview Information ProtectionAn overview of DLPWIPPlanning for business continuityLearning DRPThe importance of a CIRPSummary
Technical requirementsValidating security controlsAudit typesSOC reportsVendor risk managementThe Microsoft Service Trust PortalMicrosoft Defender for Cloud regulatory complianceMicrosoft ODAOther validationsVulnerability scanning overviewAn introduction to vulnerability scanningVulnerability scanning with Microsoft Defender for CloudThe Microsoft 365 Defender portalPlanning for penetration testingExecuting a penetration testReviewing the findingsAn insight into security awareness, training, and testingUsing attack simulation training with Microsoft 365 DefenderExecuting a tabletop exerciseSummary
The 10 most important to-do'sImplementing identity protection and privileged accessEnact a Zero Trust access modelDefine a security frameworkGet current and stay currentMake use of modern management toolsCertify your physical hardware devicesAdminister network securityAlways encrypt your devicesEnable XDR protection beyond EDRDeploy security monitoring solutionsNotable mentionsThe future of device security and managementSecurity and the futureSummary
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Content preview from Mastering Windows Security and Hardening - Second Edition

Chapter 13: Security Monitoring and Reporting

In this chapter, we will review the methods that are used for reporting and monitoring endpoints within the environment. Throughout this book, we've provided recommendations that help secure and harden Windows environments by enforcing baselines and security controls. After these controls are in place, proper monitoring should be established to ensure application availability, storage alerting, track assets and inventory, and identify weaknesses and vulnerabilities in the underlying software and operating systems. Many products are available that can help provide these insights, so let's review where they can be found based on the solutions we've discussed throughout this book.

First, we will review ...