mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge pull request #5255 from MicrosoftDocs/master
Publish 06/04/2021, 3:30 PM
This commit is contained in:
commit
1e3aa1ebdb
@ -542,7 +542,7 @@ Value type is integer. Supported values:
|
||||
> [!Warning]
|
||||
> This policy is in preview mode only and therefore not meant or recommended for production purposes.
|
||||
|
||||
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML).
|
||||
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.
|
||||
|
||||
> [!Note]
|
||||
> Web Sign-in is only supported on Azure AD Joined PCs.
|
||||
|
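Review bot: the replacement sentence silently narrows the feature's stated scope. The old line says Web Sign-in "enables Windows logon support for non-ADFS federated providers (e.g. SAML)"; the new line replaces that with "new Azure AD credentials, like Temporary Access Pass" and drops every mention of federated providers. If SAML-based federated sign-in is no longer supported through this policy, the text should say so explicitly; if it still is, the new sentence should list both rather than swap one for the other. The surrounding `[!Warning]` ("preview mode only ... not recommended for production") and `[!Note]` ("only supported on Azure AD Joined PCs") are unchanged, so a reader comparing versions cannot tell whether the capability changed or only the example did.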
@ -26,9 +26,9 @@ The trend towards increasingly sophisticated malware behavior, highlighted by th
|
||||
|
||||
Most ransomware infections start with:
|
||||
|
||||
* Email messages with attachments that try to install ransomware.
|
||||
- Email messages with attachments that try to install ransomware.
|
||||
|
||||
* Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware.
|
||||
- Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware.
|
||||
|
||||
Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4.
|
||||
|
||||
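Review bot: this hunk only switches the bullet marker from `*` to `-`, which is fine for consistency, but the unchanged context line "it starts encrypting files, folders, entire hard drive partitions" is missing its conjunction and should read "files, folders, and entire hard drive partitions". While touching the list, note that the two bullets are separated by a blank line, which Markdown renders as a loose list with paragraph spacing; putting them on consecutive lines keeps the short list tight.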
@ -38,11 +38,11 @@ Ransomware is one of the most lucrative revenue channels for cybercriminals, so
|
||||
|
||||
Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits.
|
||||
|
||||
* Spora drops ransomware copies in network shares.
|
||||
- Spora drops ransomware copies in network shares.
|
||||
|
||||
* WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers.
|
||||
- WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers.
|
||||
|
||||
* A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.
|
||||
- A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.
|
||||
|
||||
Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid.
|
||||
|
||||
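Review bot: marker-only change (`*` to `-`) matching the earlier list; no content moved. In the unchanged Reveton paragraph the subject shifts from singular to plural within two sentences ("Older ransomware like **Reveton** ... locks screens" then "They display a full screen image and then disable Task Manager"), so either "It displays ... and then disables" or "These variants display ..." is needed. The CVE references in the context lines (CVE-2017-0144, CVE-2017-0145) are carried over verbatim, which is correct.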
@ -52,16 +52,71 @@ Ransomware like **Cerber** and **Locky** search for and encrypt specific file ty
|
||||
|
||||
## How to protect against ransomware
|
||||
|
||||
Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets and attackers can demand bigger ransoms.
|
||||
Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets because attackers can demand bigger ransoms.
|
||||
|
||||
We recommend:
|
||||
To provide the best protection against ransomware attacks, Microsoft recommends that you:
|
||||
|
||||
* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
|
||||
1. Use an effective email filtering solution
|
||||
|
||||
* Apply the latest updates to your operating systems and apps.
|
||||
According to the [Microsoft Security Intelligence Report Volume 24 of 2018](https://clouddamcdnprodep.azureedge.net/gdc/gdc09FrGq/original), spam and phishing emails are still the most common delivery method for ransomware infections. To effectively stop ransomware at its entry point, you must adopt an email security service that ensures all email content and headers entering and leaving the organization are scanned for spam, viruses, and other advanced malware threats.
|
||||
|
||||
* Educate your employees so they can identify social engineering and spear-phishing attacks.
|
||||
By adopting an enterprise-grade email protection solution, most cybersecurity threats against an organization will be blocked at ingress and egress.
|
||||
|
||||
* [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
|
||||
**HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization' Exchange Online mailboxes against spam, malware, and other email threats.
|
||||
|
||||
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
|
||||
2. Deploy regular hardware and software systems patching and effective vulnerability management
|
||||
|
||||
A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software publishers release them.
|
||||
|
||||
A prominent example of this failure was the WannaCry ransomware events in 2017, one of the largest global cybersecurity attacks in the history of the internet, which used a leaked vulnerability in Windows networking Server Message Block (SMB) protocol, for which Microsoft had released a patch nearly two months before the first publicized incident.
|
||||
|
||||
Regular patching and an effective vulnerability management program are important measures to defend against ransomware and other forms of malware.
|
||||
|
||||
**HOW:** Use [update channels](/microsoft-365/enterprise/deploy-update-channels-examples) for recommendations on updates for Windows 10 and Microsoft 365 Apps for Enterprise (Windows 10).
|
||||
|
||||
3. Use up to date antivirus and an endpoint detection and response (EDR) solutions
|
||||
|
||||
While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, ensure that your antivirus solutions are kept up to date with your software publishers.
|
||||
|
||||
Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines.
|
||||
|
||||
EDR solutions collect and store large volumes of data from endpoints and provide real-time host-based, file-level monitoring and visibility to systems. The data sets and alerts generated by an EDR solution can help stop advanced threats and are often leveraged for responding to security incidents.
|
||||
|
||||
4. Separate administrative and privileged credentials from standard credentials
|
||||
|
||||
Separate your system administrative accounts from your standard user accounts to ensure those administrative accounts are not useable across multiple systems. Separating these privileged accounts not only enforces proper access control but also ensures that a compromise of a single standard user account doesn’t lead to the compromise of your entire IT infrastructure.
|
||||
|
||||
**HOW:** To effectively reduce your credential attack surface, use Microsoft support for [Azure Multi-Factor Authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) to require stronger authentication for privileged accounts, [Azure Privileged Identity Management (PIM)](/azure/active-directory/privileged-identity-management/) for just-in-time use of privileged accounts, and [Privileged Access Management (PAM)](/microsoft-365/compliance/privileged-access-management-solution-overview) for just-in-time access to Microsoft 365 tasks that need elevated permissions.
|
||||
|
||||
5. Implement effective application allowlists
|
||||
|
||||
You need to restrict the applications that can run within an IT infrastructure. Application allowlists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective.
|
||||
|
||||
**HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](/azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps.
|
||||
|
||||
6. Regularly back up critical systems and files
|
||||
|
||||
The ability to recover to a known good state is the most critical strategy of any information security incident plan, especially ransomware. Therefore, to ensure the success of this process, an organization must validate that all its critical systems, applications, and files are regularly backed up and that those backups are regularly tested to ensure they are recoverable. Ransomware is known to encrypt or destroy any file it comes across, and it can often make them unrecoverable; consequently, it’s of utmost importance that all impacted files can be easily recovered from a good backup stored at a secondary location not impacted by the ransomware attack.
|
||||
<!--
|
||||
|
||||
- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
|
||||
|
||||
- Apply the latest updates to your operating systems and apps.
|
||||
|
||||
- Educate your employees so they can identify social engineering and spear-phishing attacks.
|
||||
|
||||
- [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
|
||||
|
||||
-->
|
||||
|
||||
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
|
||||
|
||||
## Human-operated ransomware
|
||||
|
||||
Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go.
|
||||
|
||||
Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands.
|
||||
|
||||
The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware).
|
||||
|
||||
See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks.
|
||||
|
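Review bot: two concrete ransomware mitigations from the old list are demoted to an HTML comment (`<!-- ... -->`) instead of being carried into the new numbered guidance: the 3-2-1 backup rule ("three backups of your data, on two different storage types, and at least one backup offsite") and Controlled folder access, which the old text says "can stop ransomware from encrypting files and holding the files for ransom". Item 6 covers backups generically but never states the 3-2-1 rule, and nothing in items 1 to 6 mentions Controlled folder access, so a reader of the published page loses both. Either fold them into items 6 and 5 (or add a seventh item) or delete the commented block rather than shipping dead content in the source. Smaller points in the same hunk: "organization' Exchange Online mailboxes" is missing the possessive ("organization's"); item 3's title "an endpoint detection and response (EDR) solutions" mixes singular and plural; item 2's **HOW** line repeats "Windows 10" in its parenthetical; and because each "1."–"6." line is separated from its explanatory paragraphs by blank lines, Markdown renders six separate one-item lists rather than one numbered list, so these would be safer as `###` headings (the file already uses `##` headings) or with the paragraphs indented under each item.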