Part 1 of this blog series outlines an ideal scenario for how an enterprise can secure and manage endpoints in a modern way from the Microsoft Cloud. In this second part, Luc Frijters describes the practical steps for applying the three principles of the Zero Trust framework to endpoints.
Principle 1: Verify explicitly
Managing security and risk on endpoints starts with overview and insight. Both are gained by connecting endpoints to an Identity Provider (IdP), most prominently Microsoft Azure Active Directory, so that each device becomes a trusted identity in its own right. Once this foundation is in place, mitigating measures can be built on it according to Zero Trust principles. The same foundation is also a prerequisite for enrolling devices in Microsoft Intune and for building Conditional Access policies that evaluate device state.
Combining the management and compliance status that Microsoft Intune reports for an endpoint with Conditional Access allows the policies to be fine-tuned further. Set up this way, an endpoint must remain continuously compliant to keep its access to the applications and services that matter to the business. The endpoint's owner retains access to, for example, the Dynamics 365 ERP application only while the device is marked 'compliant' and loses it once the status changes to 'not compliant' (at the next token refresh or Conditional Access evaluation, so promptly but not instantly). A healthy device therefore earns no more than the minimum access needed for a particular application, and an unhealthy one earns none. This encourages the organization, the IT department and the end user to keep endpoints continuously compliant, and it secures access to the applications.
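As an added example (not code from the original post), the Conditional Access policy described above expressed with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess permission; the application, pilot-group and break-glass-group IDs are placeholders to replace. The policy is created in report-only mode first, which is the check a practitioner wants before any sign-in is actually blocked.

```powershell
# Added example: require an Intune-compliant device for one cloud app via Conditional Access.
# Assumes: Microsoft.Graph PowerShell SDK installed; caller granted Policy.ReadWrite.ConditionalAccess.
# All GUIDs below are hypothetical placeholders, not values from the original post.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$erpAppId        = "00000000-0000-0000-0000-000000000001"  # hypothetical: appId of the Dynamics 365 ERP enterprise app
$pilotGroupId    = "00000000-0000-0000-0000-000000000002"  # hypothetical: pilot users who get the policy first
$breakGlassGroup = "00000000-0000-0000-0000-000000000003"  # hypothetical: emergency-access accounts, always excluded

$policy = @{
    displayName   = "CA-ERP-RequireCompliantDevice"
    # Report-only: evaluated and written to the sign-in logs, but not enforced yet.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroup)
        }
        applications   = @{ includeApplications = @($erpAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # the device must be marked compliant by Intune
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in report-only mode"

# Check: read the policy back and confirm the grant control before anyone relies on it.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.GrantControls.BuiltInControls -notcontains "compliantDevice") {
    throw "Policy $($created.Id) does not require a compliant device"
}

# After reviewing the report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Excluding the break-glass accounts matters: if Intune compliance evaluation or device check-in is ever disrupted, a policy without that exclusion locks every administrator out at the same time. A device that drops out of compliance keeps the access tokens it already holds until they are re-evaluated, so the loss of access is prompt rather than immediate.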
Principle 2: Grant as few rights as possible (least privilege)
When a Windows endpoint is joined to Azure Active Directory (AD), the user who performs the join is added to the device's local Administrators group by default, alongside Azure AD Global Administrators and holders of the Azure AD Joined Device Local Administrator role. Local administrator rights give an account full control over every local setting on the device, while in most situations they are not needed at all. Removing these standing rights makes it much harder for viruses and other malicious code running in the user's context to establish themselves at system level; where elevation is genuinely required, Windows LAPS or Intune Endpoint Privilege Management can grant it on demand instead of permanently.
Applications can be provisioned through the Microsoft Intune Company Portal, which removes the most common reason for handing out local administrator rights: installing required software.
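An added example, not from the original post, of how the standing local-administrator rights described above can be found and removed with an Intune remediation script pair. It is written as one script with a -Mode switch: deploy it with -Mode Detect as the detection script and -Mode Remediate as the remediation script (Intune treats exit code 1 from detection as "needs remediation" and 0 as compliant, and runs both as SYSTEM). The allow-list of local admin names is an assumption; keep whatever managed break-glass account your tenant uses, such as the Windows LAPS managed account.

```powershell
# Added example: Intune remediation script that strips standing local-admin rights held by
# Azure AD user accounts on an Azure AD joined device. Runs as SYSTEM under Intune.
# $Allowed is a hypothetical allow-list. The Azure AD role SIDs (S-1-12-1-...) that the join
# places in the group are not 'User' objects with a resolvable name and are left alone.
param([ValidateSet("Detect", "Remediate")][string]$Mode = "Detect")

$Allowed = @("Administrator")   # hypothetical: the LAPS-managed built-in admin stays

function Get-StandingAzureAdAdmin {
    # Members sourced from Azure AD that are user accounts, minus the allow-list.
    Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop |
        Where-Object { $_.PrincipalSource -eq "AzureAD" -and $_.ObjectClass -eq "User" } |
        Where-Object { $Allowed -notcontains ($_.Name -split '\\')[-1] }
}

$offenders = @(Get-StandingAzureAdAdmin)

if ($Mode -eq "Remediate" -and $offenders.Count -gt 0) {
    foreach ($member in $offenders) {
        Write-Output "Removing $($member.Name) from Administrators"
        Remove-LocalGroupMember -Group "Administrators" -Member $member -ErrorAction Stop
    }
    $offenders = @(Get-StandingAzureAdAdmin)   # re-check so the exit code reflects the end state
}

if ($offenders.Count -gt 0) {
    Write-Output ("Standing Azure AD local admins: " + ($offenders.Name -join ", "))
    exit 1   # detection: non-compliant, Intune runs the remediation script next
}
Write-Output "No standing Azure AD user accounts in local Administrators"
exit 0
```

The declarative way to set membership is the Intune Endpoint security "Account protection" local user group membership policy; this script is the verification and clean-up that tells you whether that policy actually landed. On some Windows builds Get-LocalGroupMember fails with "Failed to compare two elements in the array" when the group contains unresolvable Azure AD SIDs; if you hit that, fall back to parsing the output of net localgroup Administrators.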
Once an endpoint is joined to Azure AD, the user signs in with trusted Single Sign-On, and that same sign-in session is reused to reach every connected service. If the account used for daily work also holds an Azure AD administrator role, a compromise of that session (a phished token, malware on the device) exposes the role as well. Day-to-day work should therefore never be done from an account with an administrator role; use a separate admin account instead. Ideally the organization uses Azure AD Privileged Identity Management (PIM) to make roles eligible rather than permanently assigned, so that an individual activates the least-privileged role that suffices, just in time and for a bounded period, with an optional approval flow.
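An added example (not from the original post) of the just-in-time activation described above, using the Microsoft Graph PowerShell SDK from the separate admin account. It assumes the Microsoft.Graph module is installed and that the admin account is PIM-eligible for the role. It activates the Intune Administrator role rather than Global Administrator because that is the narrowest built-in role that covers Intune work; the role name, the two-hour duration and the ticket reference are assumptions.

```powershell
# Added example: self-activate an eligible PIM role for a bounded time with a justification.
# Assumes: Microsoft.Graph SDK; the signed-in account is the separate admin account and is
# PIM-eligible for the role. Role name, duration and ticket reference are hypothetical.
$scopes = @(
    "User.Read",
    "RoleManagement.Read.Directory",
    "RoleEligibilitySchedule.Read.Directory",
    "RoleAssignmentSchedule.ReadWrite.Directory"
)
Connect-MgGraph -Scopes $scopes

$roleName = "Intune Administrator"   # least-privileged role for the task, not Global Administrator
$account  = (Get-MgContext).Account
$me       = Get-MgUser -UserId $account -Property Id
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Guard: refuse to continue unless this is an eligible (PIM-managed) assignment for this account.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$($me.Id)' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) { throw "$account is not PIM-eligible for $roleName" }

$request = @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                                              # tenant-wide; an administrative unit id narrows it
    justification    = "INC-12345: adjust Intune compliance policy"     # hypothetical ticket reference
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }  # ISO 8601 duration: two hours
    }
}

$req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
# Status is Provisioned when no approval is required, PendingApproval when the role's policy demands one.
Write-Output "Request $($req.Id): $($req.Status)"
```

The role's PIM policy can additionally require MFA at activation and a maximum activation duration; if the requested PT2H exceeds that maximum the request is rejected, which is the intended behaviour rather than something to work around.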
Principle 3: Assume breach
Nowadays the question is not whether there will ever be an intrusion, but when it will happen and how much damage it will do. Take the human body as an analogy: getting sick occasionally is inevitable, so we live healthily, mitigate health risks, limit the damage and recover quickly when we do fall ill.
How does that translate to securing endpoints? First, the advice is to enforce installation of Windows operating system updates through one or more Intune update ring policies and to monitor the result with compliance policies (for example a minimum OS version), so that a device that falls behind loses access under Principle 1. Installing Windows updates closes known security holes and makes it less likely that threats do damage.
This remains the single best remedy for keeping endpoints secure. Beyond the operating system, it is increasingly important to update non-Microsoft applications just as structurally, although this demands more time and effort from both the end user and the IT department.
Microsoft Defender for Endpoint, through its vulnerability management capability, also gives insight into vulnerabilities in non-Microsoft applications installed on endpoints; the list of supported applications grows continually. In addition, keep the attack surface of endpoints as small as possible. Reducing the attack surface means hardening the endpoint's operating system, for example with Defender's attack surface reduction (ASR) rules deployed through Intune, so that attackers have fewer ways to launch an attack.
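An added example (not from the original post) of piloting Defender attack surface reduction rules on a single test device with the Defender PowerShell cmdlets: audit first, read the resulting events, then enforce. The five rule GUIDs are Microsoft's published identifiers; choosing these five as the starting set is an assumption. In an Intune-managed estate the rules are deployed tenant-wide through an Endpoint security attack surface reduction profile, and MDM-delivered settings override anything set locally, so this script is for the pilot device and for verifying what the policy actually applied.

```powershell
# Added example: pilot Defender ASR rules locally: audit, report, then enforce.
# Rule GUIDs are Microsoft's published identifiers; choosing this set is an assumption.
# Run elevated (Add-MpPreference needs admin). MDM/GPO-managed ASR settings override local ones.
param([ValidateSet("Audit", "Report", "Enforce", "Status")][string]$Mode = "Status")

$Rules = @{
    "Block credential stealing from LSASS"                        = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
    "Block Office applications from creating child processes"     = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
    "Block executable content from email client and webmail"      = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"
    "Block Office applications from creating executable content"  = "3b576869-a4ec-4529-8536-b80a7769e899"
    "Block abuse of exploited vulnerable signed drivers"          = "56a863a9-875e-4185-98a7-b882c64b5ce5"
}

function Set-AsrRuleAction([string]$Action) {
    # $Action: AuditMode (log only), Enabled (block), Warn, or Disabled.
    foreach ($name in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $Rules[$name] -AttackSurfaceReductionRules_Actions $Action
        Write-Output "$Action : $name"
    }
}

function Get-AsrRuleStatus {
    # Get-MpPreference exposes parallel arrays of rule ids and actions (0 Disabled, 1 Block, 2 Audit, 6 Warn).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($name in $Rules.Keys) {
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {           # GUID casing differs between sources, compare case-insensitively
            if ($ids[$i] -ieq $Rules[$name]) { $idx = $i; break }
        }
        [pscustomobject]@{
            Rule   = $name
            Action = $(if ($idx -ge 0) { $actions[$idx] } else { "not set" })
        }
    }
}

function Get-AsrEvents {
    # 1121 = a rule blocked something, 1122 = a rule in audit mode would have blocked it.
    Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1121, 1122 } `
        -MaxEvents 100 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = "Summary"; e = { ($_.Message -split "`n")[0] } }
}

switch ($Mode) {
    "Audit"   { Set-AsrRuleAction -Action AuditMode }
    "Report"  { Get-AsrEvents }
    "Enforce" { Set-AsrRuleAction -Action Enabled }
}
Get-AsrRuleStatus | Format-Table -AutoSize
```

Run it with -Mode Audit, let the device carry normal workloads for a while, then -Mode Report to see which legitimate applications the rules would have hit (typically line-of-business add-ins spawning processes from Office). Only once those are understood or excluded does -Mode Enforce make sense; the same audit-then-enforce sequence applies when the rules are rolled out through Intune.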
It is equally important to know exactly what is happening on an endpoint. Microsoft Defender for Endpoint provides that visibility. Feeding its signals into Security Information and Event Management (SIEM) and eXtended Detection and Response (XDR) tooling increases the efficiency and effectiveness of the security measures, yields new analytics and protects the IT environment as a whole.
The telemetry this generates is the basis for Endpoint Detection and Response (EDR). EDR combines real-time monitoring and collection of endpoint data with rule-based, automated analysis and response. Suspicious activity on hosts and endpoints can be detected and investigated, and a high degree of automation makes it possible to identify and respond to threats quickly.
Securing endpoints properly requires a structural approach, implemented on several fronts at once.
Of course, there is much more to discover about Azure Active Directory, Microsoft Intune, securing endpoints and the Zero Trust Framework. Want to learn more about how your organization can take an active stance on IT security? Go straight to our Cloud Infrastructure and Security page.