sbradley
Contributing Writer

For Windows security, what we have is a failure to communicate

opinion
Aug 02, 2021 | 5 mins
Microsoft, Microsoft 365, Security

While we await the arrival of Windows 11, Microsoft would better serve users by telling them about the security solutions we already have on our systems.

Microsoft last week reported $60 billion in profit and $165 billion in sales for its most recent year — with a staggering increase in cloud revenues. But that good news comes in a year when not a day goes by without reports of another security issue, another ransomware attack. Yes, Windows 11 will require hardware that should bring with it better security, but it comes at a price. Most users have systems that won’t support Windows 11, so we’ll be stuck using Windows 10.

There seems to be a big disconnect between the reality (and financial success) of the Windows ecosystem and the reality for its users. We need more security now, not later.

For many people, malware often infiltrates systems via phishing lures and enticing links. Microsoft could serve users better by recommending security solutions we have on our systems now that aren’t enabled. Some of these settings don’t require additional licensing, while others are gated behind the holy grail of Windows licensing — the Microsoft 365 E5 license. While a user can purchase a single E5 license to get the included security enhancements, it raises a concern that Microsoft is starting to make security an add-on to the OS rather than built in. I remember when Microsoft talked up “Secure by Design,” “Secure by Default,” and “Secure in Deployment and Communication” (also known as SD3+C). Now, instead, it is touting security solutions with its E5 licensing rather than those already in Windows that could protect us better.

Those tools include the native Microsoft Defender’s attack surface reduction (ASR) rules — or rather, the specific settings buried in Defender that can be adjusted without much impact. One option is the third-party GitHub tool “ConfigureDefender”: download the zip file, extract it and run ConfigureDefender.exe. Once it’s launched, scroll down to the Exploit Guard section. In a recent blog post, Palantir details the settings it deems helpful for protection without slowing your system:

  • Block untrusted and unsigned processes that run from USB.
  • Block Adobe Reader from creating child processes.
  • Block executable content from email client and webmail.
  • Block JavaScript or VBScript from launching downloaded executable content.
  • Block persistence through WMI event subscription.
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe).
  • Block Office applications from creating executable content.

I recommend that you download ConfigureDefender and enable these settings. You’ll probably find (as I did) that enabling these settings doesn’t affect routine computer operations or trigger issues. So why doesn’t Microsoft make a better interface for these ASR rules in Windows 11? Why are they still buried away in confusing control panels aimed at IT admins with group policy and domains?
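The same seven rules can be set without any GUI using the Defender cmdlets that ship with Windows 10. The script below is an added example (not from the article and not part of the ConfigureDefender project); the rule GUIDs are the ones Microsoft documents for each rule name, and it starts in audit mode so you can see what the rules would have blocked before switching them to block.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the seven ASR rules Palantir recommends via Add-MpPreference.
# GUID -> rule name, as documented by Microsoft for the ASR rule reference.
$Rules = @{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
}

# AuditMode logs what *would* be blocked without interfering with the user.
# Change to 'Enabled' (block) once the audit events show no business impact.
$Action = 'AuditMode'

foreach ($id in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $Action
    '{0,-9} {1}' -f $Action, $Rules[$id]
}

# Verify: Get-MpPreference returns parallel arrays of rule IDs and actions
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $ruleId = $pref.AttackSurfaceReductionRules_Ids[$i]
    [pscustomobject]@{
        RuleId = $ruleId
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        Name   = $Rules[$ruleId]
    }
}

# What have the rules caught so far? In the Defender operational log,
# event 1121 = ASR rule blocked something, 1122 = audit-mode hit.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Review the 1122 audit events for a week or two; if they only show the behaviours the rules are meant to stop, rerun with `$Action = 'Enabled'`.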

For enterprise users, it’s unsettling to constantly read that attackers have wiggled into our networks. Just recently, we found out that “80% of Microsoft email accounts used by employees in the four U.S. attorney offices in New York were breached,” according to the AP. “All told, the Justice Department said 27 U.S. Attorney offices had at least one employee’s email account compromised during the hacking campaign.”

When attackers gain access to an Office 365 mailbox, it’s key to know whether an attacker actually accessed items and which ones they got to. But this information is gated behind an E5 license. So if you need to know exactly what any attackers read, unless you presciently purchased advanced auditing that includes the MailItemsAccessed event, you are out of luck. Worse yet, as Joe Stocker (a Microsoft MVP and InfoSec expert) pointed out on Twitter recently, users could at one time enable a trial version of E5 and get access to six months of Microsoft Cloud App Security (MCAS) logs. Now, when you enable an MCAS trial, unless you manually enable audit logging for Office 365, there is no log file that can retroactively go back to the time of a potential attack.

Take the case of Azure Active Directory. With the free version, you get only seven days of Azure AD sign-in and audit logs. In the past, you could enable (purchase) an Azure AD P1 license, P2 license or EMS E5 license and immediately go back 30 days. So, if you were attacked, you could retroactively turn it on and get the needed information. But when you enable these licenses now, no retroactive log files are accessible. You are out of luck.

In the default Office 365, the only forensic log available for longer than seven days is the Security and Compliance Center audit log. (The normal default log retention time for the Security and Compliance Center is 90 days, and if you have an E5 license or compliance add-on, this can extend to a year. And if you purchase the new governmental logging targeted-retention SKU, you could get up to 10 years of retention.) There is one bit of good news: if you are a PowerShell guru, more information is available with a bit of scripting.
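Here is what that scripting looks like for the MailItemsAccessed case discussed above. This is an added example, not the article’s own script: it assumes the ExchangeOnlineManagement module is installed, that the mailbox was already covered by Advanced Audit when the access happened (otherwise the operation was never recorded), and it uses a placeholder user and a 30-day window. The AuditData field names follow Microsoft’s documented MailItemsAccessed schema.

```powershell
# Added example: pull MailItemsAccessed records for one mailbox from the unified audit log.
Connect-ExchangeOnline -ShowBanner:$false

# First check: is the unified audit log being ingested at all? If not, nothing from
# before it was switched on can ever be recovered, which is the article's whole point.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF. Enable: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

$User      = 'victim@contoso.example'        # placeholder mailbox
$Start     = (Get-Date).AddDays(-30)         # window must lie inside your retention period
$End       = Get-Date
$SessionId = [guid]::NewGuid().ToString()    # lets us page past the 5000-row limit

$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -UserIds $User -Operations MailItemsAccessed `
        -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page.Count -eq 5000)

# AuditData is a JSON string; flatten one row per folder touched.
$hits = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    foreach ($folder in $d.Folders) {
        [pscustomobject]@{
            When       = $r.CreationDate
            AccessType = $d.MailAccessType     # 'Bind' = individual items, 'Sync' = whole folder
            ClientIP   = $d.ClientIPAddress
            Client     = $d.ClientInfoString
            Folder     = $folder.Path
            Items      = @($folder.FolderItems).Count
        }
    }
}

# Triage view: which client/IP pairs touched the mailbox, how often, and which folders.
$hits | Group-Object ClientIP, Client |
    Select-Object Count, Name,
        @{ n = 'Folders'; e = { ($_.Group.Folder | Sort-Object -Unique) -join '; ' } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

A 'Sync' access type from an unfamiliar client string or IP is the row to look at first, since it means an entire folder was downloaded rather than a few items opened.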

The point I’m making is that these two logging items show that Microsoft now treats compliance logging not as a default included in the product, but as a security feature that needs to be purchased. In my opinion, for cloud products, security should not require a licensing add-on.

All users, especially businesses, need security by default. What do you think? Is Microsoft doing enough to keep its customers safe? Join us on AskWoody.com to discuss.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserv, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds Wrap for her tinfoil hat.