
Tom Plant discusses Windows security policy on Risky.Biz

Our Technical Product Manager, Tom Plant, caught up with Risky.Biz founder Patrick Gray on the Risky.Biz podcast.  

They discussed Microsoft Windows Policy Management and the cybersecurity hurdles people encounter in corporate environments.  

Listen to Tom Plant on the Risky.Biz podcast. Interview starts at 44:38.

Patrick: It’s time to speak with this week’s guest now, Tom Plant of Devicie. Devicie has figured out how to drive Intune and that's what they do for their customers. Devicie is basically a managed platform that can wrangle all of your devices, keep everything compliant and up to date, all singing, all dancing.  

It's essentially built on top of Intune, which if you're not a deep expert in, is pretty frustrating to use. They've figured out how to use Intune effectively and then offered it up as a managed platform. 

Tom joined me for this interview about where orgs go wrong with their Windows policies. Here's what he had to say.  

Tom: It's a really broad ecosystem; that’s the biggest problem. Windows policy can mean registry, group policy, config service provider, declarative management, not to mention applications as well. And somehow as an admin, you're expected to manage that, manage Microsoft and vendors releasing changes every month and then also every other thing in the business–and somehow keep those secure as well.  

The biggest thing is people finally getting some time to build a SOE (standard operating environment), getting all the right policy and then it doesn't get touched for years. 

Patrick: Because we have an SOE, right? We had this conversation. We worked it out. We put it all together. Why would you change it if it ain't broke?  

Tom: Exactly. And that worked for a long time. That was great because it wouldn't change. And you were set. And your staff could count on it being consistent. It would work every day.  

But these days, Microsoft release an update, applications will get updated and suddenly, your SOE is giving pop-ups to users, being slow or the security policies you set aren't being applied anymore. It's really hard to keep up with that change.  

Patrick: What does it look like when these things start to atrophy and go wrong?  

Tom: One of the most obvious ones is Windows Update patch rates. You start to see errors here and there. Maybe, this partitioning was wrong. Over time, Windows updates will stop working across your fleet and you might have 10, 20, 30% devices unpatched and that could be terrifying.  

Patrick: How does that happen as a result of a bad Windows config? What's the thing that's not being altered in the config to get you into that state?  

Tom: Patching time frames and change management can be a big one. Having a pilot group then a slightly larger group and finally your whole org that has your exec staff and the sensitive stuff. Monitoring that regularly and for instance, blocking an update that you know is bad, or blocking a driver you know is bad; that's a lot of day-to-day effort.  

Patrick: How does that manifest in terms of policy becoming out of date? What's the actual policy setting? What you described there sounds more like mismanagement than a policy error. 

Tom: Probably a good example is one I saw recently. They had a policy to slow down a particular Windows feature update. That policy was three years old; they hadn't had time to go back. It had been blocking that feature update for years. That feature went end-of-life and stopped getting security updates. Now the whole fleet isn't getting security patches because that policy was sitting there, and they didn't know it either. They thought they were patched because they set up all the other patching policies correctly.  

Patrick: It's stuff that people wouldn't even know is happening to them. I think that's what makes this kind of bad, right?  

Tom: Yes. The biggest thing is flying under the radar. You think you're patched. A huge one is exclusions. You have one wonky app or some Windows feature that needs a particular exclusion from a security policy. Your help desk team or IT staff are under pressure, and they need to get that app working now so they do an exemption. But in Intune, exemptions can be hard to manage or track. Or they might make that scope really wide, so they may exempt everyone. And now everyone can execute Macros, and there's no-one going back to check that later, to refine the scope, and you end up with all these holes in your perfect SOE.  

Patrick: In a typical enterprise, how are people actually monitoring this sort of stuff? How are people catching these sort of mistakes? I know for a lot of them, they're just not, but of the ones who are actually catching these errors, how are they doing it?  

Tom: So, the SMBs definitely aren't. The larger enterprises, some of them are doing a pretty good job, but a lot of that is manual effort. You get your security team coming in and checking every other week or every day that nothing has been reverted. Or you might have really locked down policy controls that mean no one can do exclusions. Suddenly your end users are heavily impacted.  

Patrick: What is the mechanism through which they might detect these things? You were talking about manual effort, is anyone doing automated discovery of these things? 

Tom: There are some players in this space. For example, for the CIS standard, there's a CIS scanner that you run against your group policy, and that will find holes. But even then, a lot of those tools are very brittle. The CIS one, for example, doesn't work with a lot of Intune policy, so you might be configured correctly but the scanner is going to throw false positives out.  

Patrick: Now with Intune, say you're just using Intune raw, without Devicie. Is this the sort of thing that you can instrument detection of?  

Tom: Not really. You could log into the portal and check, but to do that every day, that's a lot of time.  

Patrick: So, I'm guessing that's a big part of what you've focused on. I've seen the backend, or what the customers see in terms of all the reporting stuff. I imagine, that's a big part of what you've actually tried to do at Devicie. 

Tom: Yeah, that was a big part of why I came on board actually. I got really tired of going to dozens of customers and making the same changes over and over and over. Fixing the same Microsoft incoming change, making a policy update, or reverting the same macro policy that someone keeps enabling. We automate that; we automate that on a level that means you're not in there every day.  

We’re checking that every hour for you, rapidly and we’re alerting you if something goes wrong. If we need you to, you can have a chat with that user and manage an exclusion.  

Patrick: Now one thing that a lot of enterprises struggle with is install gaps, for very expensive shiny EDR (Endpoint Detection and Response) software and the like. I believe that's also something where if you're doing the job right on the Windows policy side, you should have a pretty good grip on where that install gap is. The issue is you're always going to have devices that aren't correctly enrolled in Intune or Devicie, and you still might have an install gap there, but it's going to be better when you're managing it, right?  

Tom: Yeah, for sure. And that's something people are doing pretty well; the EDR vendors make it easy to get the agent on the machine. However, keeping it up to date and configured correctly can sometimes be a bit more challenging and we do a fair bit of that.  

Patrick: Are you actually manipulating EDR configs as well?  

Tom: To a limited extent. It's something we're exploring. Because we can ensure the endpoint is configured and everything on that endpoint is configured correctly, if there's a security tool you want to roll out rapidly, we can make that happen. And we are talking with customers about whether endpoint config for EDR is something they want to see. For example, in the Defender space, we're starting to do a fair bit of that.  

Patrick: That's one advantage of using Intune for the plumbing of Devicie, is it gives you an advantage in terms of actually configuring some of these Microsoft E5 tools, right? It almost brings us back to all of those antitrust conversations about Microsoft, not playing fair and whatever, but it is the case, isn't it, that if you are in an E5 shop and they've got access to all of these tools that you can get a little bit more granular than you can with third party tools?  

Tom: Yeah, for sure. We’re built on Intune. We don't have to be implementing new config every other week–Microsoft will have done it because it's their platform. And if you’re on Intune, then the integration with other tooling in this space is really tight. We help a lot of customers take advantage of that when they don't even realise, for example, when they don't know they have a Defender license.  

Patrick: Yeah. You were telling me this the other day, that people often have some of these licenses and don't even know it. And you're saying, “hey, good news, everyone. Here you go.”  

Tom: There's very much a: “We bought the tool. We’re sorted, right?” In the endpoint space, that's just not possible. It's so complex. But in the EDR as well, it’s wild. 

Patrick: What? Is it just a lot of people buying it and using it as shelfware, or licensing it and not realising they have the license? Is it both, or is it one or the other?  

Tom: It's both, to be honest. We get a lot who bought it as a bundle and don't know they have it. Then we get another lot who've clicked deploy, but it's only on 50% of devices.  

Patrick: Yeah, right. But didn't you just say that EDR do a good job of making it easy to deploy?  

Tom: They do, to be honest. Some of this stuff is very easy and that's something... 

Patrick: Still, customer error, right?  

Tom: We have to be careful how we sell it. It seems easy to us when we've been doing this stuff for decades. But if you’ve got an admin who has 100 devices but also servers and they're doing end user support, EDR coverage is not a priority there.  

Patrick: In terms of being able to configure something like CrowdStrike or SentinelOne, is that something that you can do through Intune or is it getting a little bit experimental and tricky at that point?  

Tom: We haven't done a lot of config in that space because a lot of the config is server side for security reasons. But we focus on patching.  

Patrick: Well, you focus on making sure it's on the endpoint, right? Making sure it's patched. And then what? You're just making sure that it's checking in with the EDR server or the EDR service and getting its config that way? 

Tom: Yeah, that sort of thing. For example, making sure it's running on the endpoint.  

Patrick: Now, just before we go, could you just give us your top three golden misconfigurations in Windows fleets that you've seen throughout your career?  

Tom: Defender exclusions. If something breaks for some reason, the first troubleshooting step for a lot of people is just disable Defender. And that works, but it'll be like, "Ohh, disable for all the Program Files, we'll exempt that."  

Patrick: Turn off the security software and turn on the stuff that's probably malware. Got it, right? So that's number one. Number two?  

Tom: Number two. Compliance baselines are a big one. People have a crack at something complex like the Essential Eight, get maybe a third of the way through and then they'll tell an auditor that they're sorted. And then I can go and run macros, drive-by macros, download an attachment from an email and you're out of luck. The false confidence is really rough on that.  

Patrick: Alright, third one, last one. I know I'm putting you on the spot, but you gotta have one more. 

Tom: Certain large organizations... you'll join, you'll plug your laptop into a Thunderbolt monitor. Nothing. Doesn't work. There was a vulnerability in 2018, I think. Direct memory access and some issues.  

Patrick: Yeah, yeah. I knew you were going to say DMA, right?  

Tom: That's been patched in modern hardware for years and years. It's still in compliance standards. It's still in SOEs. To this day, we get customers ringing us up and going, “Hey. Why can't I use my monitor?”. There's a lot of that, a lot of those old mitigations to resolve issues that stopped being relevant years ago. But who's got the time to go back and check those, especially when the impact feels minimal. It doesn't seem like a big deal. 

Patrick: That's real funny because we are partly to blame for that because Adam Boileau, my co-host is actually the guy who wrote winlockpwn something like 20 years ago, or 15 years ago and this was the DMA tool that you would plug in through Thunderbolt port on a Windows computer and it would bypass the lock screen. So, that was actually released by Adam back then. Totally on him.  

Tom Plant, thank you so much for joining us for that conversation, all good stuff and we'll talk to you again soon. Cheers.  

Tom: Thanks so much, Patrick.  

Patrick: That was Tom Plant from Devicie there. And if the idea of a management platform that uses Intune to keep your fleet of devices happy sounds appealing, you can check them out at devicie.com.
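As an added example, not part of the interview and not Devicie's tooling: a read-only PowerShell audit that checks one Windows endpoint for the three conditions Tom describes above, a feature-update pin or deferral that was never revisited, Defender exclusions scoped to whole directory trees or script hosts, and the older DMA lockdown policies that now mostly just break Thunderbolt docks. It reads the documented registry locations for Windows Update for Business (Group Policy) and for Intune-delivered Update CSP settings, plus the BitLocker and Kernel DMA Protection policy keys; the "broad" patterns and the 365-day threshold are my own choices for illustration, not a published standard.

```powershell
# Added example (not from the interview or Devicie). Run elevated. Read-only.
# Flags: stale feature-update pins/deferrals, over-broad Defender exclusions,
# and legacy DMA-blocking policy. Emits objects, so it can feed a report or a SIEM.

function Get-StaleFeatureUpdatePolicy {
    # Group Policy / WUfB settings live under Policies\...\WindowsUpdate; Intune
    # Update CSP settings are mirrored under PolicyManager (same value names,
    # but TargetReleaseVersion is a string there rather than a DWORD+Info pair).
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    )
    $running = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty $k
        $pinned = $p.TargetReleaseVersionInfo
        if (-not $pinned -and ($p.TargetReleaseVersion -is [string])) { $pinned = $p.TargetReleaseVersion }
        if ($pinned) {
            # "YYHn" release strings sort lexically, so a pin below the running
            # release is pointless at best and, once that release is end-of-life,
            # is exactly the "we thought we were patched" failure Tom describes.
            [pscustomobject]@{ Check = 'FeatureUpdatePin'; Source = $k; Value = $pinned
                               Running = $running; Suspicious = ($pinned -lt $running) }
        }
        if ($p.DeferFeatureUpdatesPeriodInDays -gt 0) {
            [pscustomobject]@{ Check = 'FeatureDeferDays'; Source = $k; Value = $p.DeferFeatureUpdatesPeriodInDays
                               Running = $running; Suspicious = ($p.DeferFeatureUpdatesPeriodInDays -ge 365) }  # 365 is an arbitrary cut-off
        }
        if ($p.PauseFeatureUpdatesStartTime) {
            # A pause is meant to be temporary; any pause start date is worth a look.
            [pscustomobject]@{ Check = 'FeaturePauseStart'; Source = $k; Value = $p.PauseFeatureUpdatesStartTime
                               Running = $running; Suspicious = $true }
        }
    }
}

function Get-BroadDefenderExclusion {
    # Patterns I treat as "too broad" (illustrative, case-insensitive by default):
    # a drive root, a top-level system/user tree, or a bare wildcard.
    $broadPath = @('^[A-Z]:\\?$',
                   '^[A-Z]:\\(Program Files( \(x86\))?|Windows|Users|ProgramData)\\?$',
                   '^\*')
    $broadExt  = @('exe','dll','ps1','vbs','js','hta','docm','xlsm')
    $broadProc = @('powershell.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe')
    $mp = Get-MpPreference
    if ($mp.DisableRealtimeMonitoring) {
        [pscustomobject]@{ Check = 'RealtimeProtection'; Value = 'Disabled'; Broad = $true }
    }
    foreach ($path in @($mp.ExclusionPath)) {
        if (-not $path) { continue }
        $hit = @($broadPath | Where-Object { $path -match $_ }).Count -gt 0
        [pscustomobject]@{ Check = 'ExclusionPath'; Value = $path; Broad = $hit }
    }
    foreach ($ext in @($mp.ExclusionExtension)) {
        if (-not $ext) { continue }
        [pscustomobject]@{ Check = 'ExclusionExtension'; Value = $ext; Broad = ($broadExt -contains $ext.TrimStart('.')) }
    }
    foreach ($proc in @($mp.ExclusionProcess)) {
        if (-not $proc) { continue }
        $leaf = [System.IO.Path]::GetFileName($proc)
        [pscustomobject]@{ Check = 'ExclusionProcess'; Value = $proc; Broad = ($broadProc -contains $leaf) }
    }
}

function Get-LegacyDmaPolicy {
    # Kernel DMA Protection (2018-era firmware onward) replaced blanket blocking of
    # DMA-capable devices, but the old policies still get carried forward in SOEs.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $dma = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
    if (Test-Path $fve) {
        $v = (Get-ItemProperty $fve).DisableExternalDMAUnderLock   # "Disable new DMA devices when this computer is locked"
        if ($v -eq 1) { [pscustomobject]@{ Check = 'BitLockerDmaBlockWhenLocked'; Value = $v; Legacy = $true } }
    }
    if (Test-Path $dma) {
        $e = (Get-ItemProperty $dma).DeviceEnumerationPolicy   # 0 = block all, 1 = only after unlock (default), 2 = allow all
        if ($null -ne $e) { [pscustomobject]@{ Check = 'DmaDeviceEnumerationPolicy'; Value = $e; Legacy = ($e -eq 0) } }
    }
}

# Usage: run each audit and show the findings; nothing is modified.
Get-StaleFeatureUpdatePolicy | Format-Table -AutoSize
Get-BroadDefenderExclusion   | Format-Table -AutoSize
Get-LegacyDmaPolicy          | Format-Table -AutoSize
```

Running this on a schedule (a scheduled task, or a Proactive Remediation detection script in Intune) and diffing the output against the previous run is the cheap version of the hourly checking Tom describes: the interesting events are a new exclusion appearing, a pin that never goes away, or a DMA policy that still exists on hardware that no longer needs it. The script reports; deciding whether an exclusion is justified still needs the conversation with the user that Tom mentions.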