Best Practice Guide for SME IT Part 2: Devices

by Rupert Davey
April 2020

Introduction

In my previous post I discussed people and user identity in the context of a modern IT security systems.

In summary, a username and passwords are no longer enough, get MFA wherever it's offered and reduce the number of identities in play. If you haven't done so already, have a read of the post so you're up to speed. 

Once we’re happy with the identity, do we know the device is virus free, secure and encrypted? Is that it or is there more we can do to ensure we trust a device?

In this post, I'm going to discuss two of the cornerstones of having end users' devices in play in your IT systems:

  1. Management
  2. Security

Management

Managing client computers in a corporate environment was a fairly easy process... back in the day.

Microsoft Windows PCs, running Windows NT, then Windows 2000 Pro, then Windows XP Pro, then Vista Business (briefly), then Windows 7, then Windows 8.1 (everyone skipped over Windows 8) and now Windows 10 Pro were domain joined to a Windows Server of the same-ish generation as the PC, which acted as a control machine for the domain: that server was a Domain Controller.

The users did a ctrl-alt-del, popped in a username and password, the Domain Controller approved the details and the user logged in.

As system administrators we can send configuration information to the computers in the domain.  This is done using a policy. For example, we could create a policy that sets the background wallpaper to be the company logo when the user logs in. This is called Group Policy and the settings are made in Group Policy Objects (GPOs).

This model is still used to great effect; Windows Server 2019 and Windows 10 Pro is an excellent team. 

But this model requires quick local access between the client PC and server.

Fast forward to a cloud-first-mobile-first world. Data is held offsite, in the cloud, users are demanding to use their own devices and companies are following that demand. The IT department needs a solution.

In response to the Bring Your Own Device (BYOD) movement, a suite of tools were released and Microsoft were at the forefront. 

We're now entering the world of Mobile device management or MDM for short! 

In the example above, I used desktop wallpaper as the setting we deployed from our Domain Controller. That's a pretty dull thing to deploy; you'd probably be out of things to deploy if that's what you're doing. More interestingly is deploying settings telling the PC when to check for security updates, and where to get them from. Or when what level of encryption to use. Or how to configure its local firewall. Really, the list is huge.

We still need to do that, but we do it securely over the internet now and not over a private company network.

This requires us to have a management hub on the internet somewhere and to have the PCs configured to look at that hub.

The good news is that Windows 10 Pro has the client PC bit baked in and it marries up with a Microsoft cloud product call Microsoft Intune. Microsoft Intune itself, is part of a wider group of products that make up the Microsoft Enterprise Mobility & Security (aka EMS) package.

With Windows 10 Pro and EMS allow us to domain join Windows 10 PCs over the internet and deploy settings to them while they're scattered around the world. Intune is a full mobile device management platform able to look after Android and iOS devices too.

Ensure all your machines are on the current version of Windows 10 Pro. Use EMS and Microsoft Intune to manage them; Azure Active Directory domain join them for management. 

Security

Ok, so we're happy with the user identity, we're happy the device is managed using Microsoft Intune.

We're deployed some wallpaper.

When is comes to "security", please keep a few things in mind:

  • Security is a journey, not a destination
  • IT systems can always be more secure
  • Security is on a continuum with Flexibility

There are some basics; these can all be deployed and controlled using Microsoft Intune.

Encryption

If you don't have a server, or operate any client machines caching software (Box, DropBox, OneDrive for Business, SharePoint Online etc...) you will almost certainly have data held on the client PC.

If this is the case, which it will be, encryption is critical.

Your Windows fleet should all be on the current version of Windows 10 Pro or Windows 10 Enterprise. This gives you the features needed, specifically Microsoft BitLocker. 

When you're procuring machines, ensure they come with a Trusted Platform Module 2.0 (TPM 2.0, the 1.2 version will do, but 2.0 is best) as this gives you the hardware needed.

Use Microsoft Intune or GPOs to configure Microsoft BitLocker on your client machines.

Antivirus

The IT industry have been banging on for ages about this, but things are progressing.

The absolute basic option is to enable Windows Defender which is built into Windows 10.  It's good enough.

Microsoft offer the ability to integrate the Windows 10 Defender agent into the Microsoft cloud to allow you to do full, deep, endpoint protection. This requires Windows 10 Enterprise and, again, using Microsoft Intune, allows you to track and trace issues in much more detail. Once setup, this is Microsoft Defender Advanced Threat Protection (ATP). This isn't to be confused with Office 365 Advanced Threat Protection!

Your best bet for getting this is with a Microsoft 365 E3 subscription as this includes a licence for Windows 10 Enterprise and EMS E3, amongst other things. 

Also review other options, such as the excellent Sophos Intercept X. This can run in parallel to Windows Defender and offer excellent protection again ransomware.

Other steps

As mentioned earlier, this topic can run and run, but other security items we like to see in use include:

The IT systems your business use will almost certainly be mission critical to your business, they are the tools of your trade. 

Take some time to understand them, they are complex things.