7 tools to secure your Microsoft network for free

Cybersecurity is a hot topic. The rules are getting increasingly strict – look at the GDPR – and attackers are becoming ever more inventive. So robust protection is vital. Luckily, an acceptable level of protection doesn’t need to cost very much. If you use Microsoft, you have access to all kinds of free tools included in the existing Windows licences. Here are seven ways to secure your network for free:

By gathering useful logs from workstations and servers on a central collection server, you increase visibility on these machines. This enables you to detect attackers. This function, ‘Windows Event Forwarding’ (WEF), does not require an extra licence, making it a free alternative to other log centralisation solutions. By combining this with a free log analysis tool such as ELK, you can create a powerful solution to detect attacks while they happen and collect evidence after an incident. There is one drawback, WEF is limited to Microsoft platforms.

Securing administrative IT tasks is one of the most important mainstays of a secure IT environment. A new solution – Privileged Access Workstations – is available in Windows 10 Enterprise. PAWs provide extra protection against attacks for workstations that are used for privileged access. There are no extra licences needed, so this tool is also completely free.

In most business environments, the built-in local administrator account remains active on all workstations so that it’s possible to have emergency access at any time even when the Windows domain is not available or reachable. In many cases, this local account has the same password on all the workstations. That is practical until the password is leaked and attackers suddenly have access to all your workstations. Enterprise password managers may provide a solution here, but they often require extra equipment or paid licences from external software vendors. The built-in Local Administrator Password Solution offered by Microsoft stores the password in an active directory. These passwords can be generated automatically and at random, and are only accessible by authorised persons.

Many companies are embracing remote working and the BYOD principle. As a result, laptops, tablets and smartphones with sensitive information are more frequently outside the familiar business environment. When a laptop is stolen, the thief also has access to all the information saved on the local hard disk. Microsoft has a solution for this. BitLocker encrypts the hard drive with full disk encryption. External media can also be encrypted in the same way. This solution is included in the licences for Windows Professional and Enterprise. Moreover, key management can be centralised in a business environment so that an administrator can still decrypt the information if the user loses their key.

Physical access to workstations can be even further protected with Secure Boot. This prevents hackers from installing infected firmware on the system, which can cause damage before the operating system is even loaded.

New types of malware are appearing every day, which means that the traditional signature-based detection is no longer enough. Using techniques like polymorphism it is child’s play to get around traditional anti-virus detection. Device Guard is a combination of technologies that ensure that only trusted applications can be run on the system, and it is included in the licences for Windows 10 and Windows Server 2016. Code integrity policies block programs that do not have a digital signature from the developer or whose digital signature is not on the list of permitted applications. This ensures that only reliable software can run on the system and malware can’t get a foothold.

Credential Guard uses virtualisation techniques for extra protection of the passwords and access tokens that are stored in memory. This is information that attackers are looking for when they take over a system and want to move laterally on the network. Credential Guard makes it more difficult for attackers to find and use credentials and hashes in memory. Without this information, the attacker is more easily contained on a single system.