Anti-malware protection, software updates and properly tested backups are all important in the fight against ransomware. Here are five tips that can provide defense against efforts to exploit Microsoft devices:
1. Use Microsoft Security Baseline Recommendations
Ransomware attacks are often successful because businesses don’t follow security best practices.
The recommended security settings for Windows can be applied in your environment using Group Policy Object (GPO) backups.
2. Remove Admin Privileges
Don’t make it easy for hackers to get access to the OS; otherwise, they might be able to move laterally across the network and gain access to other devices.
Make sure that employee user accounts are not members of the local administrators group. And — equally crucial — IT staff should never use domain admin accounts on devices that are not domain controllers. Use Group Policy Preferences so that only approved groups and accounts are listed in the local administrators group.
3. Enable Application Control and Whitelisting
If a hacker can bypass defenses such as anti-malware, malicious payloads can run in the context of a logged-in user — or, in a worst-case scenario, with elevated admin privileges.
Application whitelisting stops untrusted executables, scripts, Windows Installer files and Windows Store apps from running, providing an important layer of defense.
Device Guard in Windows 10 provides robust app whitelisting, and AppLocker can also be used to allow more granular control.
4. Use PowerShell Constrained Language Mode
PowerShell has become a favorite in hacker circles for compromising Windows. Because of that, consider using AppLocker and Device Guard User Mode Code Integrity to set devices to PowerShell Constrained Language mode.
Using this mode, you will limit what can and cannot be loaded into PowerShell — either by hackers directly or by legitimate users inadvertently.
Warning: Device Guard is the more secure method because, unlike AppLocker, there is no easy way to disable code integrity policies, even for users with administrator privileges.
5. Manage Macro Security in Microsoft Office
Hackers often exploit vulnerabilities in Office to get payloads on users’ systems.
In Office 2016, all macros are disabled by default, but users can change the settings in the Trust Center to enable all macros.
Administrators can use the Office Group Policy administrative templates to enable a setting that blocks macros that are downloaded from internet zone locations.
The built-in Extract All feature in Windows 10 applies zone identifier information to files extracted from zip archives; many third-party unzip apps do not.
For more on how organizations are using technology to battle ransomware today, visit, “Inside the Real-World Fight Against Ransomware.”