MS-DEFCON 2: Preparing for the new year

By Susan Bradley

It’s time to prepare for the upcoming patching month, and that means it’s time for MS-DEFCON level 2.

If you’re groggy from holiday reveling, here are my reminders: back up your system, install all the December updates, and confirm that your system is operating smoothly.

Then defer updates, using whichever method you’re comfortable with — Registry keys, Windows Settings, or BlockAPatch.

The beginning of the year is also a good time for you IT pros out there to evaluate your existing home technology and decide whether you can simplify it, thereby lowering your stress level. Over the years, your skills have allowed you to install servers and other machines on your home network, mimicking what you do at work. With Microsoft focusing more and more on cloud-first deployments, keeping up with the latest office tech in a home setting has become more difficult and more expensive. Maybe it’s time to move your home technology to peer-to-peer workgroup computing.

That’s what I’ve done. It’s not as geeky as running a server and maintaining an Active Directory infrastructure, but managing a workgroup, NAS, and local backup drives is much less stressful. My stress levels are down, for sure.

It’s also a good time to review the goals and plans for a business environment. One of my goals this year is to do what I can to eliminate “lateral movement” on my network. Lateral movement may occur when an attacker gains access to either a server or a workstation in a way that allows immediate access to other systems on the same network. The most common scenario is having a shared local administrator password used throughout the network. It’s very convenient — you don’t need to keep track of individual passwords for each machine — but it’s also a gaping security hole.

There is a better way: the Local Administrator Toolkit, now known as Windows LAPS. As of May 2023, it is built into Windows 10 and 11. I have been using legacy LAPS in the network and now want to pivot to using the built-in LAPS, because the encrypted password set by LAPS can be backed up to Entra ID (formerly Azure AD). This will allow you to sync the passwords to either local Active Directory or Entra ID.

Continuing along the security line, it’s time to review your use of multifactor authentication and make sure such protections are applied to any cloud service you access. The past year showcased that a determined attacker could take code signing certificates left behind in a dump file, lie in wait for several years, and then target government servers and assets to gain access. Without a very savvy IT team, this could go undetected for years. So review anything that has access from the Web, and see whether you can add multifactor to the mix.

If you installed the December updates and did not receive the Copilot icon on your taskbar, you are not alone. Microsoft is slowly dribbling it out to review its impact. If you’ve installed the Registry keys to keep Copilot at bay and now want to enable it, you can easily do so. I’ve documented the Registry key information in this Knowledge Base page.

Copilot is readily available from a browser by visiting copilot.microsoft.com. You can examine Copilot plugins, some of which act very much like apps. For example, the Instacart plugin (Figure 1) allows you to ask for a recipe idea and tells you where to shop for its ingredients.

Figure 1. The Instacart plugin for Copilot

I’m a fan of Instacart because it helps me avoid driving around to multiple stores. It also helps me avoid “hunger shopping,” the phenomenon we all experience when we grocery-shop after work — when we’re hungry — and end up with a cartload of items we didn’t actually need.

Even so, I’m not convinced that I need a Copilot plugin for a browser, given that the Instacart app meets my needs. Just because Microsoft seems to be pushing Copilot everywhere (it’s now available for Android) doesn’t mean we need it everywhere.

2024 will bring more unknown patching combined with known implementations of additional hardening in Active Directory domains. In next week’s Patch Watch, I’ll be touching on more of what you can expect in business patching.

Make 2024 the year that you evaluate your patching tools. Whether you patch and manage Windows, Linux, or Apple devices, you’ll want to ensure that you have a proper management tool for your network. There may be times during the upcoming patching year when I’ll recommend that you install updates immediately, and you’ll need to ensure you have the tools and techniques to do so. Remember: You are a target.

But for now, ensure your backup methodology is in place, and batten down the hatches.

Resources

Source