Back in October 2023, I wrote about the findings from Microsoft’s Digital Defense Report for 2022-2023. One of the four things I recommended in that column was using the “return on mitigation” metric to pick the security improvements that would give you the biggest return on investment. It’s a solid strategy for making sure that you’re getting the most for your money; in the same vein, you can use Microsoft Secure Score to identify the mitigations that give you the most score improvement.

But what if that approach is wrong?

When the Experts Speak, What Do They Say?

The US National Security Agency (NSA) has two jobs: spying on other countries and protecting American and allied government and defense communications. In this latter role, they have a very robust cybersecurity program, and they work very closely with the US Cybersecurity and Infrastructure Security Agency (CISA), which describes itself as “the operational lead for federal cybersecurity.” Both of them work very closely with major technology vendors, including Microsoft, Cisco, Google, and others. It’s safe to say that they probably have the broadest insight into the nature, kind, and severity of the most significant cyber threats. Both CISA and NSA will issue alerts about specific threats or actions. For example, CISA issues weekly ransomware threat alerts, and the NSA occasionally drops bulletins warning of activity by specific threat actors. When the two of them team up and release a joint advisory, then, it’s super important to pay careful attention to it.

That brings us to today’s topic: NSA and CISA released a joint bulletin titled “NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations.” Just reading the title should clue you into a few significant facts: red teams attack and blue teams defend, so this top-10 list is a synthesis of things that attackers and defenders have found as common mistakes. You can read the list of ten issues in under a minute, and none of the issues they list will surprise you; it’s the specific technical recommendations they make later in the document that are deserving of deeper study. The bulletin says that “[m]any of the assessments were of Microsoft Windows and Active Directory environments…and mostly focuses on these products” so we will do the same. For each of the threats highlighted, the bulletin points to items from the MITRE ATT&CK or D3FEND frameworks (which I’ll write about another time )to explain the underlying security weakness then gives specific Microsoft-oriented guidance.

I can’t cover details of all ten misconfigurations, much less the individual examples included in the bulletin, so instead I’ll pick a few of the most significant ones to highlight.

Insecure Default Configurations

The big two items mentioned here are things you’ve probably seen mentioned in the past: insecure default configurations of Active Directory Certificate Services and continued use of unsigned SMB and/or insecure legacy versions of SMB. The good news is that many of you probably don’t have AD CS on your networks; the bad news is that some of you probably do and don’t realize it. Use of insecure SMB has been a Windows security problem as long as the SMB protocol has been in Windows so it’s a little disheartening to see it make the list here. Windows 11 disables SMBv1 by default, and you should make an effort to ensure that it’s disabled on your network as well.

Improper Separation of Privileges

The second issue on the NSA/CISA list isn’t new either: improper account permissions that allow an attacker to either seize or escalate to privileged access. This is such a well-worn topic that I’m not going to give you any recommendations for fixing it—there are plenty out there already. Don’t use your administrative account for everyday work.

Improving Network Design and Monitoring

Network design can be difficult, especially because many of us have networks that grew organically over time instead of being designed from the start. The NSA/CISA team points out that improper network segmentation may allow an attacker to pivot from a less-secure part of the network into a more critical part. They specifically call out operational technology (OT) networks for devices that control or monitor physical devices like water treatment plants or manufacturing equipment, but you should ensure that an average user on your production network can’t easily pass network traffic to your data center, and of course, if you don’t already have a hardened and segregated network for guests, you really should. They also make some specific recommendations about network monitoring, which is a complicated enough topic that it deserves a column of its own in the future.

Cybersecurity Risk Management for Active Directory

Discover how to prevent and recover from AD attacks through these Cybersecurity Risk Management Solutions.

Patch Management and Software Updates

Microsoft has invested hugely in improving Windows patch management, and they have clearly documented the support lifecycle for all their products. Despite that, NSA/CISA called out patch management as the fifth problem on their list. They break the issue down into two parts: lack of patching and using old, unsupported OS and firmware versions. Interestingly, they call out some specific patches in both Microsoft and non-Microsoft products, including log4j and Zimbra Collaboration Suite.   

Return on Mitigation

Microsoft’s return-on-mitigation list in their Digital Defense Report focuses on Microsoft-centric issues, as you’d expect. The NSA/CISA bulletin also includes a list of suggested mitigations, but their emphasis is different. NSA/CISA is focusing on the most critical problems, whether or not they are easy or cheap to remediate; Microsoft is focused more on maximizing the return on investment. When I earlier asked “But what if Microsoft’s approach is wrong?” I think the answer is not that their approach is wrong but that it complements the traditional approach of focusing on the most serious problems without considering cost or return.

Take a look at the NSA/CISA report in the next few days—it makes for interesting reading.  

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).

Leave a Reply