Security Best Practices for Windows Devices

Managing Windows devices requires a special focus on managing security. These best practices will help you keep your endpoints and users safer.


Security risks continue to grow, affecting organizations of all sizes in all sectors. Although every device manufacturer is working toward better out-of-box security, it’s important to take further control over securing Windows computers, laptops, and mobile devices. This article provides some general security best practices for deploying and managing Windows devices.

Keep Windows and Apps Up to Date

With every new Windows OS install, the first thing you must do is check for the latest security updates and patches for the operating system. However, ongoing patching is just as important as rolling out devices that are security compliant. Some of the most destructive malware, including WannaCry, PowerGhost, and NotPetya, exploited vulnerabilities that had been left unpatched for years – despite available patches. In fact, 90 percent of companies that experienced a cyber attack traced it back to vulnerabilities that were three or more years old.

When it comes to protecting your devices, it’s not about the patches, it’s about the holes. Your organization needs a way to implement patches across your devices and third-party applications with minimal network load and end user involvement. Just as importantly, you need compliance reporting to know that patches have deployed correctly – assuming patches have deployed to all devices is a recipe for vulnerabilities.
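A minimal compliance report along these lines, as an added example that is not part of the original article or any vendor product. The computer list and the 35-day threshold are illustrative assumptions, and remote queries need WMI access to each target.

```powershell
# Added example: per-device patch recency report.
# Assumptions: $Computers and the 35-day threshold are illustrative values.
param(
    [string[]]$Computers = @($env:COMPUTERNAME),
    [int]$MaxAgeDays = 35
)

function New-Row($Computer, $HotFixId, $InstalledOn, $AgeDays, $Status) {
    [pscustomobject]@{
        Computer    = $Computer
        LastHotFix  = $HotFixId
        InstalledOn = $InstalledOn
        AgeDays     = $AgeDays
        Status      = $Status
    }
}

$report = foreach ($computer in $Computers) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering: OS updates only, not
        # third-party applications. InstalledOn can be empty on some entries.
        $latest = Get-HotFix -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
    }
    catch {
        # A device that cannot be queried is reported, never assumed patched.
        New-Row $computer $null $null $null 'Unreachable'
        continue
    }

    if (-not $latest) {
        New-Row $computer $null $null $null 'NoData'
        continue
    }

    $age    = [int][math]::Floor(((Get-Date) - $latest.InstalledOn).TotalDays)
    $status = if ($age -le $MaxAgeDays) { 'Compliant' } else { 'Stale' }
    New-Row $computer $latest.HotFixID $latest.InstalledOn $age $status
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
```

The Unreachable and NoData rows are the devices where deployment would otherwise be assumed rather than confirmed.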

Set Up User Access Controls

Deployment should assign each device and user an appropriate level of access to company resources, following your strict user access controls. If you supply a user with administrative controls, any malware running under that account would have that same access – so always supply the lowest level of access possible for employees to be productive.

If you have multiple administrators in your organization, ensure that you create a personalized account for each of them – shared access controls introduce greater risk and make it difficult for you to track who did what. Next, each administrator should also have a normal account, only logging into the administrator account when necessary.
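One way to check a device against this rule, as an added example that is not part of the original article. The approved account names and the shared-name pattern are hypothetical and would come from your own naming standard.

```powershell
# Added example: audit who holds local administrator rights on this device.
# Assumptions: the approved list and the shared-name pattern are hypothetical.
$ApprovedAdmins    = @('CONTOSO\adm-jsmith', 'CONTOSO\adm-mlee')
$SharedNamePattern = '^(admin|administrator|root|it|helpdesk|support|shared)\d*$'

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the lookup
# also works on systems where the group name is localized.
$findings = foreach ($member in (Get-LocalGroupMember -SID 'S-1-5-32-544')) {
    $shortName = ($member.Name -split '\\')[-1]
    $issues    = @()

    if ($member.ObjectClass -eq 'User' -and $ApprovedAdmins -notcontains $member.Name) {
        $issues += 'NotOnApprovedList'
    }
    if ($shortName -match $SharedNamePattern) {
        # Generic names usually mean several people share one credential.
        $issues += 'GenericOrSharedName'
    }
    if ($member.ObjectClass -eq 'Group') {
        # Nested groups grant admin rights indirectly; their members need review too.
        $issues += 'NestedGroupReviewMembers'
    }

    # Enabled state is only available here for local accounts.
    $enabled = $null
    if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'Local') {
        $enabled = (Get-LocalUser -SID $member.SID).Enabled
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Member  = $member.Name
            Type    = $member.ObjectClass
            Source  = $member.PrincipalSource
            Enabled = $enabled
            Issues  = $issues -join ', '
        }
    }
}

$findings | Format-Table -AutoSize
```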

Hand-in-hand with access controls is authentication, with two-factor or multi-factor authentication (MFA) preferred over traditional usernames and passwords.

Enforce Security Configurations

Organizations can manage data and device risk by enforcing security configurations, restrictions, personalizations, and passcode rules for every minute of the device life cycle. You need a way to ensure employees have the applications they need, correctly configured to company standards. IT should have a way to push these settings to targeted users or groups, no matter where they are in the organization.

Determine Security Layers

When you think of securing data, every protection you apply is another layer of defense. Ideally, if one layer is compromised, your defenses are not immediately breached. Layered security involves applying different layers of tools, training, policy, and physical security measures to provide a strong defense against attack.

Typical security software layers could include Microsoft Threat Protection or third-party solutions for:

  • Anti-virus / malware / phishing / spyware
  • Cloud security
  • VPN
  • Firewall (disabling unneeded ports)
  • Device management
  • Encryption
  • Authentication method / management
  • Backup

The caveat here is that past a certain point, simply adding more layers does not lead to an increase in security effectiveness. In order to respond to rapidly shifting threats, best practices focus on visibility and fortified response capabilities, adding in automated responses, whether that’s responding to a threat or self-healing existing layers as malware tries to take them down.

Automated Self-Healing

Some Windows 8 and 10 devices can leverage System Restore to create a snapshot of system files and settings on the computer at a particular point in time, helping ensure critical files, settings, or applications can be recovered. However, recovery is a manual process for end users or IT that impacts both productivity and security compliance.

Whether it’s inadvertent or malicious, applications are sometimes removed or altered on devices. Corrupted files or deleted applications introduce points of system vulnerability, so the ideal security would automate the detection, repair, and reinstall of mission-critical applications and settings.

Remote Control of Endpoint Devices

In the event that configurations, files, or patches do not run, that a security incident needs investigating, or that a user runs into a problem, IT needs a way to remotely connect to systems for troubleshooting. IT needs to be able to easily navigate firewalls and NAT configurations to view and operate devices to streamline resolution and help regain compliance quickly and effectively.

Watch for Unauthorized Devices & Applications

Application blacklisting can prevent the execution of known programs, but leaves open the opportunity for unforeseen risk. Today’s users are self-reliant, finding and downloading their own “solutions” to remain productive. Shadow IT reduces visibility and introduces risk, contributing to $1.7 billion lost to downtime and data loss. The solution is to:

    • Provide approved content: Give users an alternative way to solve their problems with a customizable self-service kiosk filled with approved applications, content, and resources.
    • Detect unauthorized devices: Detect, differentiate, and report on different devices connected to your network, including computers, mobile devices, routers, and more.
    • Use only reputable applications: Limit risk by downloading applications from reputable sources such as the official Microsoft Store, avoiding freeware that may contain ads or malware.
    • Keep tabs on installed apps: By keeping close tabs on your devices, users, and applications with IT Asset Management (ITAM), you can keep your finger on the pulse of the applications installed on user devices. Regularly check for and block unauthorized applications.
    • Remove unused software: One of the key ways of reducing risk is removing unused software or software that is no longer being well managed with regular updates and patching.
    • Leverage Secure Score: Microsoft Secure Score will analyze your organization’s security based on regular activities and settings of Office 365 products to help identify security gaps or areas where you can improve best practices.
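The detection half of both the self-healing section and the "keep tabs on installed apps" item above, as an added example that is not part of the original article: it lists installed software that is not approved and required software that is missing. Both lists are hypothetical placeholders.

```powershell
# Added example: compare installed software with an approved and a required list.
# Assumptions: both lists are hypothetical; entries are -like wildcard patterns.
$Approved = @('Microsoft *', '7-Zip *', 'Contoso VPN Client*')
$Required = @('Microsoft Edge*', 'Contoso VPN Client*')

# Machine-wide installs register under these keys (64-bit and 32-bit views).
# Per-user installs (HKCU) and Store/AppX packages are not listed here.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# DisplayName is self-reported by each installer, so this is an inventory
# check, not an enforcement control.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName, DisplayVersion -Unique

function Test-MatchesAny([string]$Name, [string[]]$Patterns) {
    foreach ($pattern in $Patterns) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

# Installed software that no approved pattern covers.
$unauthorized = $installed |
    Where-Object { -not (Test-MatchesAny $_.DisplayName $Approved) }

# Required software with no matching installed entry (removed or never deployed).
$missing = $Required | Where-Object {
    $pattern = $_
    -not ($installed | Where-Object { $_.DisplayName -like $pattern })
}

'Installed but not on the approved list:'
$unauthorized | Format-Table -AutoSize
'Required but not installed:'
$missing
```

The `$missing` output is what an automated repair step would act on, and `$unauthorized` is the review queue for blocking or removal.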

Want to see how FileWave empowers security and productivity through better endpoint management? Sign up for a free trial of our software today.
