Are you taking advantage of the security options available within your Microsoft products? Sharon Nelson and John Simek welcome Ben Schorr to talk about security basics in both Microsoft Windows and Microsoft 365 and his tips for adding additional layers of protection. They also discuss common security risks and user mistakes, address security vulnerabilities associated with remote work, and offer insights into how to best protect your law firm while working at home.
Ben M. Schorr is a senior technical writer at Microsoft.
Special thanks to our sponsor, Logikcull.
Securing Microsoft Windows and Microsoft 365
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 114th Edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics, cybersecurity, and information technology firm in Fairfax, Virginia.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is, ‘Securing Microsoft Windows and Microsoft 365’.
Sharon D. Nelson: Before we get started I would like to thank our sponsor. Thanks to our sponsor Logikcull, instant discovery software for modern legal teams. Logikcull offers perfectly predictable pricing at just $250 per matter per month. Create your free account at anytime at logikcull.com/ltn.
John W. Simek: Today our guest is Ben Schorr, Senior Content Developer at Microsoft. He is also the author of several books and articles on technology including ‘The Lawyer’s Guide to Microsoft Outlook’, ‘The Lawyer’s Guide to Microsoft Word’ and ‘OneNote in One Hour’. He was a Microsoft MVP for 20 years and involved with management and technology for more than 30.
In his free time he is a slow Ironman triathlete and a high school football coach. He currently lives in Redmond, Washington with his wife Carrie and their son Keith.
As usual Ben, it’s great to have you with us.
Ben Schorr: It’s great to be back. Thanks for inviting me.
Sharon D. Nelson: Well Ben, let’s start right off with the basics. What’s the most important thing someone can do to improve their security in Windows?
Ben Schorr: So this one is going to sound a little obvious, but honestly upgrade to Windows 10. We still see a lot of people on Windows XP, not as many as we did, still a lot of people on Windows 7, which as you know went out of support earlier this year. Windows 10 really has modern security features, things like Secure Boot, a lot of those things under the hood that really make it a much more secure operating system and it’s going to be supported for quite a bit longer to come.
The other thing I would recommend would be make sure you are using a modern browser. Thankfully this is one area where most people do pretty well as far as keeping up with the browser, but if your browser is out of date then that can impair your security too.
John W. Simek: So upgrading to Windows 10 is great Ben, but what if they are already on Windows 10, any other advice for them?
Ben Schorr: Absolutely. So one of the things that we are really trying to encourage folks to do on 10 to improve their security is to use modern authentication methods like Windows Hello, that would be one good example.
We are trying to get people to go passwordless. Nobody likes passwords except hackers because they are hard to remember, you have got to try and create secure ones, if you remember what they are, you try not to reuse them; I always encourage people not to reuse passwords, or trying to get people away from passwords. And in Windows one of the ways to do that is to use some of our modern authentication methods like Windows Hello. And if you have a device that’s fairly modern, you can use Windows Hello, which is either facial recognition, can be fingerprint recognition, or it could be a secure pin on the device and that’s a much more secure way to go than passwords.
So that would be my number one thing, enable Windows Hello. And if you are an organization, you should help get your entire organization on Windows Hello.
Sharon D. Nelson: And what’s the most important thing that they can do to improve their security in Microsoft 365?
Ben Schorr: So Microsoft 365, and for the context of this podcast when I say Microsoft 365 I am also referring to Office 365, as you know we are in the middle of a rebranding right now, so you can just sort of hear Microsoft 365 and Office 365 somewhat interchangeably for this context.
So, it’s an easy answer and that’s enable Multifactor Authentication. It’s available in every plan of Microsoft 365 and it’s really easy to enable in the Admin Center. So if you go into your Admin Center, in the User’s Settings, you can turn on Multifactor Authentication, and as you and hopefully most of your listeners know, that’s going to require your users the first time they sign in on a new device to have a second factor of authentication, which could be a pin sent to their smartphone, it could be a FIDO2-compatible device like a YubiKey, which is a USB device that you plug into your device, it could be an authenticator like Microsoft Authenticator on a mobile device, there are a number of different things you could use there.
But that Multifactor Authentication dramatically reduces your odds of somebody getting into your system because they have compromised an account and a password. And one of the big misconceptions on Multifactor Authentication is that it makes things way too inconvenient for users, that users will hate it.
But the reality is that once you have signed in the first time on that device, you get that cache token on the local device and so usually it doesn’t prompt you for that second factor again unless you have changed your password or you are signing into a new service, something like that. Of course we use Multifactor Authentication at Microsoft and I very rarely, I mean maybe once a month do I ever get asked for my second factor if I am signing in on a device that I use every day. So it really isn’t — it’s nearly transparent to the user, especially if using it in conjunction with Windows Hello.
John W. Simek: Yeah, we use it as well Ben and I agree with you, unless you change the password and it’s — I always forget that I have to do the Authenticator App after I have changed my password, then it prompts me and I go oh darn, yeah, I did, I changed my password, okay, I got to get that out.
Ben Schorr: The Authenticator App is amazing. I mean when you have got it integrated with Microsoft 365, with Azure Active Directory, which is what backs up all of our cloud services like that, you can even have it so that like for me, when I have to do my second factor, what it does is I type in my pin and then my second factor comes to my smartphone, but it comes to the Authenticator App and I just have to touch my finger to the fingerprint reader on my smartphone and that approves my second factor auth. It’s so easy and fast, I don’t even have to type anything on the phone, I just touch the fingerprint reader and boom, it’s in.
John W. Simek: I still like the six digits. So then another question for you though is what’s the most common security mistake that folks that are using Microsoft 365 and I am never ever going to get used to saying that instead of Office 365?
Ben Schorr: It’s taking a little time for us to get used to it too, so totally all right. I would say, and this isn’t necessarily unique to Microsoft 365, but I still see it today and that is firms not having a good exit procedure for their people is a huge mistake.
A couple of years ago I was presenting at an ALA meeting and after my presentation a woman came up to me, she is holding her iPhone and she asked how she could get the emails from her old phone — or from her old firm off her phone. And it turns out she had left the firm six months ago and still had all the email that she had downloaded on her personal iPhone from when she worked there and that included attachments, like partner compensation reports and information about open matters and clients. I mean she didn’t take it maliciously, there was nothing — I mean she was just using her iPhone as her mobile device with her firm’s blessing and when she left nobody bothered to say hey, by the way, can we wipe the company email off your phone, just little things like that, it happens every day. I see it everywhere.
I have seen firms where they haven’t even disabled, much less deleted any of the accounts from their Active Directory for when people left, they just don’t have that exit procedure. And so you will go into firms and look at their Active Directory and they have got active user accounts in there for people that haven’t worked in that firm in months or years. And the thing is if that account is still active, if the person still has the password — knows the password to it, they can still log into it. They could be working for a competing firm across town, but they have still got an active user account in your network. So just little things like that where they just haven’t done a good job with the exit process, that’s a big one.
I also see firms that are using too many generic accounts for multiple people on shared machines. They have receptionists or messengers and they are just giving them a generic account and as part of that a lot of times they include that generic account with too many permissions. So that generic account has access to all sorts of files and folders that they probably shouldn’t have.
I was at a firm one time where their receptionist could access all their HR and payroll stuff because they just had never bothered to not include that account in the permissions for that information, things like that are big mistakes.
Sharon D. Nelson: Well, that is certainly a very stupid one and we certainly see a lot of stupid mistakes when it comes to getting ransomware too and we have had a couple of firms hit here recently and I just read about a couple up in Canada that have been struck. So what would be your tips for protecting against ransomware?
Ben Schorr: Yeah. So first and foremost, have a good current tested backup, it seems obvious, but it’s amazing how many firms I have been to that they really didn’t have any backups or nothing tested. If you haven’t tested your backup you haven’t finished backing up.
And don’t just have one copy; I have seen firms that have just a single copy of their backup, but have multiple copies so you have backups from yesterday sure, but you also want to have a backup from the day before that and the day before that and the week before that. And the reason for that is so you can backup a historical version also if you had to.
You occasionally see an issue where their backups are too good and the ransomware encrypts all their files and then their backup backs up all the encrypted files, which that’s unfortunate, but if you could backup — if you could go to a previous backup that was uncorrupted, you are still okay.
Before I joined Microsoft I was working with a client that had gotten — they were a health care provider and they had gotten hit with ransomware and they had a backup from yesterday. So they just restored their backup from yesterday, reinstalled a few apps on the affected workstation and within a few hours they were kind of back in business and they didn’t care too much. So backups can sort of cover for all manner of sins to some extent.
And the second thing I would say is with regards to testing your backups, testing a backup is — there is some advanced ways to do it, but there is also one really easy way to do it. Create a test file; you can even call it test file in your system, let it get backed up a few times as part of your normal backups and one day go in and delete that test file from your system and see if you can restore it. If you can’t restore it, that tells you that either your backups aren’t working properly or you don’t know how to restore files, either way that’s a problem you need to solve. And it’s good to learn that when it’s only a test file that you have lost.
John W. Simek: That’s true.
Ben Schorr: You don’t care the Word document that just says test file in it has been deleted, but if that happens for real, then you have got a problem.
And the next thing I would say, kind of ties into our previous tip, which is be selective about who can access what. If somebody in your firm accidentally clicks the wrong thing and activates some ransomware, the ransomware can only impact the files they have access to and so you can really limit the spread and limit the damage if this person doesn’t have access to every file in your system.
This goes back to the previous tip again about being smart about giving access to people, it’s bad if this person loses the cases they have access to, it’s worse if they lose — if you lose all the files in the firm and the chances are that most people don’t need access to everything in your firm.
And the final thing I would say is just train your users. It’s something that a lot of firms overlook is you don’t have to make it — you don’t have to be standing over their desk every day banging them on the head about security, but you should have some regularly scheduled quarterly, semiannual, whatever it is training, even if it’s just bring in a pizza and watch some security videos together as a firm and talk about them or bring in somebody from the outside to do a one hour lunch and learn about it. You have got to do something to keep your firm and your users up to date.
Sharon D. Nelson: That sounds like a good plan and they always love a free lunch.
Ben Schorr: Absolutely. It’s a lot cheaper than recovering from ransomware.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Advertiser: Trying to cut costs, you are not alone. In today’s climate a five-figure eDiscovery bill per month is steep. Don’t pay that, use Logikcull to reduce expense and control your discovery process. Get started today for only $250 per matter and they will waive migration costs from competing platforms. For more information, visit logikcull.com/ltn.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is ‘Securing Microsoft Windows and Microsoft 365’, and our guest is Ben Schorr, a Senior Content Developer at Microsoft.
John W. Simek: So, Ben, right before the break we talked about ransomware but what about just regular old malware that comes in with — via email in general?
Ben Schorr: Yeah, for that the basics still apply. You should be running a good up-to-date anti-malware program. If you are on Windows 10, for example, Windows Defender Antivirus is installed and running by default and granted, I am a little bit biased, but I think it’s pretty good. There are of course also lots of third parties out there — third-party antivirus products out there if you are more comfortable with one of those, but whatever you are running make sure it’s up-to-date.
Before I joined Microsoft I had worked with a firm I checked on their anti-malware one day when we first got there and they hadn’t been updated in months, I mean, they didn’t have these signatures, they didn’t have anything, they just had never bothered, they had been ignoring the update message. So don’t do that. Make sure it’s up-to-date and current.
Same thing with your operating systems, you should be making sure that you are running Windows update, you may be on a deferred channel, maybe you are not getting the updates the minute they ship out, but you should be pretty prompt about installing security updates.
Also, train your users to be wary of unexpected links or attachments in email, I mean, that’s kind of security 101, but it’s amazing how many times we still see people click on links or attachments that they really have no business clicking on. I often tell them, even if it seems to be coming from somebody you know, if it’s an unexpected file or if it’s an unexpected link, especially if it’s not explained, then you should definitely not click on it.
I won’t throw this person under the bus, but I know somebody who has a tendency to send emails to family, and the only thing in the email message will be a link to some article or something or comic or something they thought was funny. Well, there’s no explanation of what it is, it’s just this random link in an otherwise empty email and there’s no way I’m clicking on that and you shouldn’t either.
Also, consider if the link or the attachment seems in character for the person who’s sending it to you. My mother sends me links and attachments with some regularity, but if she sends me an attachment that purports to be salacious photographs of Britney Spears or something, my mother is fun but she is not that fun. So that would be a red flag to me that maybe I shouldn’t click on that, and it’s not that you have the FOMO of what could that link have been, email — reach out to the person who sent it to you and say, hey, is this legit? What is this that you just sent me? And confirm with them that it’s good before you click on it. So that’s it.
Now for some of you if you’re on one of the enterprise SKUs of Office 365 or Microsoft 365 you should also be looking at Microsoft Defender Advanced Threat Protection. There are a lot of really powerful tools in there because presumably if you are using Microsoft 365 one of the enterprise SKUs, for example, like E3 or E5 you are probably using exchange — our exchange server and so with Advanced Threat Protection you can go in and there are some things you can configure that will scan messages for malware, scan for bad attachments, things like that before that even gets to you, before it even gets to your end-users.
And so, if you have got a basic plan you may not have Advanced Threat Protection available to you, if you have got one of the more advanced plans you do then and you should definitely be looking into what you can configure there to ramp up your security.
Sharon D. Nelson: Well, in the last little bit it took about two weeks before all the lawyers were working from home, and it wasn’t pretty although it was good for Sensei because they needed a lot of IT help, but any tips that you have for making the remote working more secure?
Ben Schorr: Yeah, if you think so, if they’re not on a dedicated work device, if they have got a company issued laptop, that’s good, and presumably it’s a managed device so the company can make sure that the updates are installed, that the antivirus is running, the firewalls turned on, but if they are not on a dedicated work device, if they have just sort of relocated to their house and now they are using the Mac in their dining room as their work machine, you should encourage them to use the web apps rather than the local apps whenever possible.
And one reason for that is that the web apps don’t download the data to your local machine, and so if the machine breaks down or gets stolen or whatever happens you don’t have all these work files sitting on the local machine, and so that would be one thing.
Secondly, make sure they are ideally storing files on a secure cloud, which could be OneDrive or SharePoint, OneDrive for Business or SharePoint, several advantages to that. One, again, if the machine gets damaged, stolen, destroyed, you spill a cup of coffee on it, the files are still accessible and they are still in a place where the firm can get to them.
Our cloud data is all backed up naturally, so when you have got the files in our cloud it’s stored on multiple servers, within a data center it’s generally replicated to a second data center. So there are multiple copies of the file which means you have got some built-in backups there.
And the other one which a lot of — I am surprised this is still an issue in 2020 but make sure your Wi-Fi is secure. Too many people are still using Wi-Fi that doesn’t have any encryption on it at home and so I would say make sure your Wi-Fi is secure also.
John W. Simek: So would you consider those to be the common security mistakes that people are making when they are working from home or are there any additional ones?
Ben Schorr: Yeah, those are kind of the big ones, I said the other one, well, actually I guess there’s one I kind of forgot, which is using insecure devices whether it’s your work device or otherwise; for example, if you have kids in the house, don’t let them use your work laptop, kids have a tendency to install games and all sorts of other things some of which may not be too on the up-and-up as it were. And so I would be pretty strict about not letting your kids use your work laptop or work devices or family members, I think that’s important, and that also includes locking the machine when you walk away from it for the same reason. So I would say that’s a big one.
Sharon D. Nelson: Yeah, that’s a big one, that’s one of our slides in our presentations too, so certainly agree with that. Do you have any special advice for law firms in this new environment where they are now having their folks all work remotely?
Ben Schorr: Yeah, I would say be careful with the word “No”. The word “No” tends to lead to Shadow IT when somebody asks you, can we do this and you just say no and you don’t pursue it anymore, what they end up doing is going around you and going to some third-party solution and now your data, your firm data is potentially being stored on servers or in apps that you have no knowledge of it all and that would be bad. So if somebody comes to you and says, hey, I want to do whatever and it’s not something you can do already, work with them, you don’t necessarily have to use the solution they want, maybe they want to use some crazy third-party association that you don’t like, that’s okay, but work with them and enable them to do it and if you can enable them to do it in an approved manner that you are controlling, that’s going to be a lot better for your firm.
And then the second part I would say would be, again, encourage those web apps and also encourage local disk encryption, pretty much every operating system now including Windows 10 supports local disk encryption to encrypt the hard drive and that’s a good practice to be in anyway.
John W. Simek: Well, Ben, a lot of folks working from home now and they are glad they made that decision to go to Microsoft 365, I am sure.
Ben Schorr: I hope so.
John W. Simek: But part of that as you know is the subscription to Teams and there’s a lot of — this whole collaboration and now they want to keep contact — connect to their clients or to co-counsel or something and Teams has been included as part of Microsoft 365, but are there any special security considerations for when they are using Teams, hearing all this news hype about end-to-end encryption with Zoom and everything and I know Microsoft’s taking advantage of that news, but I also find it interesting that they have an integration between Teams and Zoom, but talk to us about some security stuff with Teams.
Ben Schorr: So Teams kind of out of the box was built with security in mind. So we do have that end-to-end encryption. When you are storing files in Teams it’s actually being stored in SharePoint underneath the hood, and that’s all pretty secure, encrypted both in transit and at rest.
Most of the time when I see security issues with Teams it’s that somebody has made a bad decision along the way and this comes back again usually to permissions to who they have invited to the Team and what they have chosen to do.
So a couple things are when you create a team you can create it to be either public or private, and I should elaborate that public means public within your firm, not public to the world. So a public team means that anybody in your organization can see and join that team. A private team means only people you have invited and/or approved can join that team.
So that’s an important distinction. If you have got a sensitive matter you should probably make that a private team so that you can control the membership more tightly.
You can invite guests to Teams, but be thoughtful about it, and that’s the same thing, if you would invite co-counsel or the client or somebody in, that’s fine, but just make sure you know that you have done that and that everybody in the team knows that you have done that so that they don’t accidentally say something that somebody outside your firm shouldn’t see.
You can also create private channels now; that was a popular request. So if you have got a team and maybe you do have some guests or maybe you do have other people in the firm and you need an even more restricted audience, you can create a private channel and restrict that channel to specific people.
And then two other things that we see a lot because obviously we are all doing video calls now and conference calls on video, if you have got your camera turned on we do have a Blur Background feature, and so you might want to use that especially if what’s behind you could be sensitive in some way. So it would be on camera potentially, so use the Blur Background feature.
And finally, be aware if other people can hear you, this is especially true of those people on headphones who tend to shout for some reason, and so it’s not as big an issue now that we are not working in coffee shops. I can’t tell you how many times I have walked into a coffee shop and some guy on the headphones with his Apple MacBook in the corner is shouting on his conference call, and the entire coffee shop is listening to the details of his call. It’s not as big an issue now that we are hopefully all working at home but there can still be an issue there. So be aware of what other people might be able to hear when you are on your calls.
Sharon D. Nelson: That was a great wrap up with a lot of tips and I know that folks are really interested in everything there is to know about Microsoft Windows and Microsoft 365, and they are still going to call it Office 365 in perpetuity as far as I can determine; nobody seems to know that this rebranding is really coming unless you are in the industry. But thank you so much, Ben, it’s always entertaining to have you and you are always full of information that everybody wants. So really appreciate you taking the time out of your day.
Ben Schorr: Yeah, my pleasure, thanks for having me.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, information technology and cybersecurity services at senseient.com.
We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.