How do you secure a device according to Zero Trust principles? Part 2

Luc Frijters
27 Nov, 2023

Part 1 of this blog series outlines an ideal scenario for how you, as an enterprise, would want to secure and manage endpoints in a modern way from the Microsoft Cloud. In this second part, Luc Frijters describes the practical steps for applying the three principles of the Zero Trust framework to endpoints.

Principle 1: Verify explicitly

Managing security and risk with respect to endpoints requires overview and insight. Both are gained by connecting endpoints to an Identity Provider (IdP) - the most prominent IdP being Microsoft Azure Active Directory - so that they become trusted identities. Once this foundation is in place, mitigation measures can be established and built upon on the basis of Zero Trust principles. This foundation is also one of the prerequisites for using Microsoft Intune and setting up Conditional Access policies.

Combining the management and compliance status of an endpoint managed by Microsoft Intune allows further fine-tuning of Conditional Access policies. Such a setup ensures that endpoints must remain continuously compliant to retain access to the applications and services that matter to business operations. The endpoint owner keeps access to, for example, the Dynamics 365 ERP application only while the device is considered 'compliant', and loses access as soon as its status is set to 'not compliant'. Thus, an endpoint retains only the minimum permissions needed to access a particular application, even when the device's 'health' is perfectly fine. This encourages the organization, the IT department and the end user to keep endpoints continuously compliant, and it secures access to applications.
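The Conditional Access setup described above, as an added example that is not part of the original post: a Microsoft Graph PowerShell script that creates a policy requiring a compliant (Intune-managed) Windows device for one business application. It assumes the Microsoft.Graph PowerShell SDK is installed; the group object id and application id are placeholders you replace with your own values.

```powershell
# Added example: require a compliant Windows device for a single application.
# Assumes the Microsoft.Graph SDK (Install-Module Microsoft.Graph) and a
# signed-in account permitted to manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholders: object id of a pilot group and the application id of the
# business app (for example the Dynamics 365 ERP enterprise application).
$pilotGroupId = "<object-id-of-pilot-group>"
$targetAppId  = "<application-id-of-business-app>"

$policy = @{
    displayName = "CA - Require compliant device for business app"
    # Start in report-only mode: sign-in logs then show who would be blocked
    # before the policy is switched to 'enabled' and actually enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @($targetAppId) }
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # 'compliantDevice' ties access to the Intune compliance state, so a
        # device marked 'not compliant' loses access on its next sign-in check.
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state '{1}'" -f $created.Id, $created.State
```

Review the report-only results in the Azure AD sign-in logs for the pilot group before changing the state to "enabled", so that a misconfigured compliance policy does not lock users out of the ERP application.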

Principle 2: Provide as few rights as possible

For a Windows endpoint joined to Azure Active Directory (Azure AD), the first Azure AD account someone logs in with is granted 'local administrator' permissions by default. This gives the account full control over all local settings on the device, while in most situations these permissions are not even necessary. Adjusting this setting prevents viruses or other malicious code from easily establishing themselves at the system level.
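An added example (not from the original post) of how to verify the point above on a device: a script, run from an elevated PowerShell session on the Azure AD joined endpoint, that reports every principal in the local Administrators group that is not on an allow list and, only when -Remediate is passed, removes it. The default allow list containing the built-in Administrator account is an assumption; adjust it to your own standard.

```powershell
# Added example: audit 'local administrator' membership on an Azure AD joined
# Windows endpoint. Report-only by default; -Remediate removes unexpected members.
param(
    # Principals allowed to stay local admins (assumption: the built-in
    # Administrator account, typically managed by LAPS).
    [string[]] $AllowedMembers = @("$env:COMPUTERNAME\Administrator"),
    [switch]   $Remediate
)

function Get-AdminMembers {
    try {
        # Azure AD accounts appear as "AzureAD\<UPN>" with PrincipalSource AzureAD.
        return Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
    }
    catch {
        # Some Windows builds fail to resolve Azure AD SIDs in this cmdlet;
        # fall back to the classic net.exe listing, which only yields names.
        $lines = net localgroup Administrators
        $names = $lines | Where-Object { $_ -match '\S' } |
            Where-Object { $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command completed)' }
        return $names | ForEach-Object {
            [pscustomobject]@{ Name = $_.Trim(); SID = $null; PrincipalSource = 'Unknown' }
        }
    }
}

$findings = @()
foreach ($m in Get-AdminMembers) {
    if ($AllowedMembers -contains $m.Name) { continue }
    $findings += $m
    Write-Warning ("Unexpected local administrator: {0} (source: {1})" -f $m.Name, $m.PrincipalSource)
    if ($Remediate -and $m.SID) {
        # Remove by SID so renamed or orphaned accounts are handled as well.
        Remove-LocalGroupMember -Group "Administrators" -Member $m.SID
        Write-Host ("Removed {0}" -f $m.Name)
    }
}
"{0} unexpected local administrator(s) found" -f $findings.Count
```

Running this in report-only mode across a pilot group first shows how many users currently depend on local admin rights before the permission is removed.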

The Microsoft Intune Company Portal can be used for application provisioning, which eliminates the need for 'local administrator' permissions to install the required applications.

Once an endpoint is joined to Azure AD, users can log on with trusted Single Sign-On. Therefore, when an Azure AD administrator role is associated with such an Azure AD account, it is important that daily work does not take place from this account; a separate admin account should be used instead. Ideally, an organization uses Azure Privileged Identity Management (PIM) to temporarily assign the most restrictive administrator role that suffices to an individual, with an optional approval flow.

Principle 3: Assume an intrusion

Nowadays the question is not whether there will ever be an intrusion, but when it will happen and how damaging it will be. Take your own body as an example: occasionally getting sick is inevitable, so we make sure we live healthily, mitigate health risks, limit any damage and get fit again quickly when we are sick.

How is this tackled when securing endpoints? First, the advice is to systematically enforce the installation of Windows operating system updates via one or more Intune update ring policies and to monitor this with compliance policies. Installing Windows updates ensures that security issues are fixed and that threats are less likely to do damage.

This remains the best remedy for keeping endpoints secure. Beyond the operating system, it is increasingly important to update non-Microsoft applications systematically as well, although this requires more time and effort from both the end user and the IT department.

Microsoft Defender for Endpoint also provides insight into vulnerabilities in non-Microsoft applications installed on endpoints, and the list of supported applications is growing by the day. In addition, the advice is to keep the attack surface of endpoints as small as possible. Reducing the attack surface means protecting the endpoint's operating system so that attackers have fewer ways to launch attacks.

It is also important to gain insight into exactly what is happening on an endpoint; Microsoft Defender for Endpoint can be used for this. Security Information and Event Management (SIEM) and eXtended Detection and Response (XDR) help increase the efficiency and effectiveness of security measures, provide new analytics and protect the overall IT environment.

The data this generates directly forms the basis for Endpoint Detection and Response (EDR). EDR is a form of endpoint security that combines real-time monitoring and collection of endpoint data with rule-based, automated response and analysis capabilities. Suspicious activity on hosts and endpoints can be detected and investigated, using a high degree of automation to identify and respond to threats quickly.

Securing endpoints properly requires a structural approach that must be implemented on several fronts

Of course, there is much more to discover about Azure Active Directory, Microsoft Intune, securing endpoints and the Zero Trust Framework. Want to learn more about how your organization can take an active stance on IT security? Go straight to our Cloud Infrastructure and Security page.
