What are the basics you need to secure your computers and devices?
The needs of consumer and business users are different, but the foundation of security is the same for both. We all need an operating system we can trust, a means to surf the Internet in a trustworthy fashion, and a way to save and store passwords securely. And I’ll add a fourth to this list, increasingly important: we need an application or device to allow us to effectively and efficiently use multi-factor authentication.
Recommendations for consumer and home users
There are four major things that your Windows computer must have.
The first is an up-to-date browser. It doesn’t matter which browser you prefer — just make sure you’re always using the most current version. I can’t emphasize this enough, especially given the recent furor over Firefox’s new Proton UI. Some users have resolved to keep their version of Firefox “pre-Proton,” a dangerous move, especially where e-commerce, banking, finance, health, or other sensitive activity is concerned. Avoiding Proton at the expense of security is risky. If you are anti-Proton, use a userChrome.css customization to change the look back to the classic Firefox rather than staying on an older, unpatched version.
Second, and this may surprise you, don’t use a third-party antivirus product. In this era of zero-day vulnerabilities and phishing, all antivirus solutions are reactionary, not proactive. That being the case, using a program that doesn’t interfere with Windows updates or feature releases is a better idea. And that means using Windows Defender, which provides good, unobtrusive performance with less likelihood of problems. Over the years, Microsoft’s antivirus offerings have gone from less-than-stellar protection to ones that hold their own in comparison tests. Microsoft’s security products are used at the enterprise level more than you might guess.
Next, I strongly recommend using a password program in lieu of storing passwords in your browser. Stealing passwords stored in your browser is trivial, and writing down passwords on paper doesn’t force you to choose good passwords. Using a tool to generate complex passwords is highly recommended. Look for a password tool that is platform-agnostic and will allow you to log in to sites across all your devices. Once you set up a password program, go back to your browser software and remove the saved passwords. Over time, as you log in to your key websites, change the passwords on these sites to more complex, secure ones.
Last but not least, ensure that you have a good two-factor authentication process — and use it on a regular basis. The most common choice for a second authentication factor is text messages to a phone; even though the news is full of SIM-card attacks, any second factor makes it much harder for attackers. The bad guys will move on to easier targets. Also consider using a two-factor authentication platform such as Authy or Microsoft Authenticator for additional protection.
For those of you with Chromebooks, carefully watch the state of support for your device. These inexpensive computers will not be provided with security updates for as long as Windows will receive them. Google originally supported versions for five years but then changed to a 6.5-year program called Auto Update Expiration (AUE). That unfortunate choice of names warns you that after six years, your Chromebook may still work but won’t be secure. And because Chromebooks are almost useless without connecting to the Web, outdated security means danger.
Recommendations for business users
The US Cybersecurity & Infrastructure Security Agency (CISA) describes business bad practices that lead to cybersecurity issues and ransomware attacks. Not surprisingly, the basics are similar to those I’ve mentioned above for consumers:
- Don’t use out-of-date or unsupported software, especially if the device is Internet-facing.
- Don’t use weak passwords.
- Use multi-factor authentication.
In business, the danger might be greater due to third-party business applications, or apps built in-house, that contain embedded credentials, often in clear text. An attacker who gains access to the system and can read any file can find those credentials and then use them.
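One way to find such embedded credentials before an attacker does is to sweep application configuration files for them. The following is an added example, not part of the original article or any vendor tool: the patterns, the extension list, and the names `scan_text` and `scan_tree` are illustrative assumptions, and the sample config is constructed.

```python
import os
import re

# Illustrative patterns for cleartext credentials in config files (not exhaustive).
ASSIGNMENT = re.compile(
    r"""\b(?P<key>[\w.-]*(?:passw(?:or)?d|pwd|secret|api[_-]?key|token))
        ["']?\s*[:=]\s*(?P<q>["']?)(?P<val>[^"'\s;,]+)(?P=q)""", re.I | re.X)
URL_USERINFO = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<val>[^@/\s]+)@", re.I)
# Values that reference an environment variable or template are not literal secrets.
PLACEHOLDER = re.compile(r"^(\$\{|\$\(|\{\{|%\w+%$|\*+$)")
CONFIG_EXTENSIONS = {".ini", ".conf", ".config", ".env", ".yaml", ".yml", ".json"}


def scan_text(path, text):
    """Return findings for one file's text; the secret itself is never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in (("assignment", ASSIGNMENT), ("url_userinfo", URL_USERINFO)):
            for m in pattern.finditer(line):
                value = m.group("val")
                if PLACEHOLDER.match(value):
                    continue
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "key": m.groupdict().get("key") or "(url)",
                                 "value": f"<redacted, {len(value)} chars>"})
    return findings


def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory and scan config-like files under the size limit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower() or name.lower()
            full = os.path.join(dirpath, name)
            if ext in CONFIG_EXTENSIONS and os.path.getsize(full) <= max_bytes:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(full, fh.read()))
    return findings


# Constructed sample config (not from any real system).
SAMPLE = """[database]
user = orders_app
password = Summer2021!
backup_password = ${BACKUP_PW}
conn = Server=db01;User Id=app;Pwd=S3cret;
feed = https://svc:hunter2@feeds.example.internal/v1
"""
```

Run `scan_tree` against an application's install or deployment directory; every finding is a credential to move into a secrets store and rotate.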
Another vulnerability, often overlooked, is a failure to change the default passwords associated with networking equipment, such as firewalls, routers, and managed switches. Those credentials should be strong, securely stored, and changed instantly any time a person previously entrusted with them is no longer associated with the business.
Microsoft’s bad defaults
Recently Microsoft released a cloud computer platform called Windows 365. It allows businesses of any size to have a hosted Windows 10 (and soon Windows 11) instance that runs in the cloud but otherwise acts like a desktop operating system. I signed up for the beta and was surprised (and a bit shocked) to find it configured with what I consider to be less-than-ideal defaults. I found that Windows was deployed to the assigned end user with local administrator rights!
In my test case, the Windows 365 instance was a trial tied to a Microsoft 365 subscription that does not have the additional control platform provided by Microsoft Endpoint Manager (formerly called Intune). Thankfully, the operating system was not connected to the local domain and resources of my local computer. But it still concerned me that after years of recommending to businesses that they deploy workstations with least privilege rights, Microsoft bypassed its own best-practice advice. I was not the only one who thought this unusual; several security researchers also questioned this approach.
Clearly, Microsoft heard that feedback and recently advised in a blog post how better to deploy Windows 365 to users without local administrator rights. Microsoft uses the excuse that “This is similar to what happens in many small businesses: users purchase a physical PC themselves from a retailer and they retain local admin rights for that device.”
Microsoft goes on to state that “standard IT security practices” are to set users as standard users. And then it recommends that you use Microsoft Endpoint Manager to better control the users and the operating system — but this is provided only with higher Microsoft 365 Business subscriptions and not the basic one that many small businesses often start with. Furthermore, Microsoft just announced that all Microsoft 365 subscription plans are going up in price — with the exception of the highest plan, which features the best security features (called the E5 license). This makes it harder to ensure that Windows 365 has the “basic” security it needs from the get-go.
Microsoft 365 E5 includes actionable guidance for workstations to make them more secure. It includes security-threat information and guidance that allow you to gain insight into how attacks occur. It exposes a timeline analysis, so you can go back in time and review what has happened to your system and how it got owned by an attacker. It provides the ability to know whether an attacker was able to open and review an email (called MailItemsAccessed — an audit technique exposed only in the E5 license). But all these security features come at a price tag of US $57 per user per month.
To put that in perspective, Windows Professional edition costs $200, once, and is often part of the cost of the computer you buy. Office for business use can be purchased for around $250. An E5 license costs $684 per year, per person. That’s a lot for a small business on a tight budget.
You can purchase a single Microsoft 365 E5 license in order to review the features, or you can try out Office 365 E5 (just the Office part of the suite) for free, or you can set up a simulated test lab. Test it out and see whether there are situations or users that might need this extra protection; you don’t have to cover all users.
I’m hoping that Microsoft makes this license cheaper so that it can be utilized by more customers. To me, the items in the E5 license are “basic” needs of auditing and security, especially when I’m in the cloud. I just can’t justify $57 monthly per person.