Resolving conflicts between security best practices and compliance mandates

The larger and more international your corporation, the more alphabet soup of technology compliance regulations apply

So, you read a great tip on the internet and think it would improve your security posture. Before you bring that tip to management, it’s wise to determine if it’s allowed by your security compliance requirements or can become an acceptable exception to your compliance templates.

Many of you work for firms that have multiple compliance mandates. The larger and more international your corporation, the more alphabet soup of technology compliance regulations need to be followed: the European Union’s General Data Protection Regulation (GDPR), the American Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the guidance by the National Institute of Standards and Technology (NIST), the Federal Information Security Management Act (FISMA), and the Center for Internet Security (CIS) controls to name a few.

These regulations will have recommendations and controls that you may need to review before changing your network defences to ensure you remain in compliance. Keeping up with compliance templates is typically a full-time job.

Controlled versus uncontrolled Windows updates

Some mandates may surprise you given the changes we’ve seen in our networks over the last several years. Case in point is how you handle Windows updates. Some organisations’ updates are no longer controlled by Windows Server Update Services (WSUS), but the compliance regulations haven’t kept up with how we deploy updates.

The old mandate was clear: Don’t allow system updates to be uncontrolled. As the section notes for Server 2012 R2 state: “Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially provide sensitive information outside of the enterprise. Optional component installation or repair must be obtained from an internal source.”

Using WSUS while also setting the Group Policy that lets your machines obtain .NET 3.5 components from the internet conflicts with this setting. As the template notes, it’s recommended to:

“Configure the policy value for Computer Configuration -> Administrative Templates -> System -> 'Specify settings for optional component installation and component repair' to 'Enabled' and with 'Never attempt to download payload from Windows Update' selected.”

So, can you let your servers independently connect to Windows update for servicing when installing and deploying .NET 3.5? The answer is “it depends.” For some firms you may be mandated to stick to the compliance template for your industry. Others may be able to request exceptions based on the needs and security posture of your firm.

Even Windows Server 2019 has requirements to not use more modern updating features. Case in point is the mandate for Server 2019 to not search for updates on other devices in the network using the peer-to-peer update technology known as Delivery Optimisation. As noted:

“Windows Update can obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the Internet. This is part of the Windows Update trusted process. However, to minimise outside exposure, obtaining updates from or sending to systems on the internet must be prevented.”

To ensure systems won’t have this setting, you need to “Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Delivery Optimisation >> 'Download Mode' to 'Enabled' with any option except 'Internet' selected.”
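The two Group Policy settings quoted above (the optional component payload source and the Delivery Optimisation download mode) can be audited on a server before you decide whether to keep the setting or file an exception. The following PowerShell is an added example, not code from the article or from any benchmark vendor; it reads the registry values that Group Policy writes for those two policies. The registry paths and value meanings (UseWindowsUpdate = 2 for "never download payload from Windows Update", DODownloadMode 3 = Internet) are the editor's understanding of the policy backing store and should be confirmed against your ADMX files or audit template before you rely on the result.

```powershell
# Added example (not from the article): audit the two Windows Update policy
# settings discussed above by reading the values Group Policy writes under
# HKLM\SOFTWARE\Policies. Registry paths and value meanings are assumptions;
# confirm them against your ADMX files or compliance template.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # policy not configured at all
    return $item.$Name
}

function Test-OptionalComponentSource {
    # "Specify settings for optional component installation and component repair"
    # Enabled with "Never attempt to download payload from Windows Update"
    # is stored as UseWindowsUpdate = 2 (assumed backing value).
    $value = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Servicing' 'UseWindowsUpdate'
    $observed = if ($null -eq $value) { 'Not configured' } else { $value }
    [pscustomobject]@{
        Control   = 'Optional component payload source'
        Observed  = $observed
        Expected  = '2 (never download payload from Windows Update)'
        Compliant = ($value -eq 2)
    }
}

function Test-DeliveryOptimizationMode {
    # "Download Mode" Enabled with any option except Internet.
    # Assumed values: 0 = HTTP only, 1 = LAN, 2 = Group, 3 = Internet,
    # 99 = Simple, 100 = Bypass. Only 3 exposes the system to internet peers.
    $value = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' 'DODownloadMode'
    $allowed = 0, 1, 2, 99, 100
    $observed = if ($null -eq $value) { 'Not configured' } else { $value }
    $compliant = ($null -ne $value) -and ($allowed -contains [int]$value)
    [pscustomobject]@{
        Control   = 'Delivery Optimisation download mode'
        Observed  = $observed
        Expected  = 'Enabled, any mode except 3 (Internet)'
        Compliant = $compliant
    }
}

# Run both checks and show the result as a small compliance table.
& { Test-OptionalComponentSource; Test-DeliveryOptimizationMode } | Format-Table -AutoSize
```

"Not configured" is reported as non-compliant on purpose: both templates require the policy to be explicitly Enabled, so an absent value is a finding even if the machine happens to behave as you want today. Run it under an account that can read the HKLM policy hive, and keep the output with your exception request if you decide the internet source is acceptable for your environment.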

Patching virtual machines in Microsoft Azure

Even when using such technology as Azure you must follow compliance mandates -- for example, that virtual machines in Azure are kept up to date with patches. The recommendation is to use the Azure Security Center to review the status of Windows and Linux virtual machines. Alternatively, you can use third-party patch software to keep systems up to date.

Vetting new technology platforms

You might be required to vet and approve new technology platforms before rolling them out. Take for example Intune, Microsoft’s new platform for managing and controlling workstations. CIS has an audit template for deployment of Intune. The items to review range from settings to authentication.

Password best practices versus mandates

The benchmarks recommend password settings that are coming into question and might cause more issues with password management.

As the Tenable audit page points out, for example, the recommended maximum password age in the server templates and for Intune is 60 days or less.

However, recent research has indicated that if multi-factor authentication is used along with better authentication technology such as Windows Hello or other biometric options, password expirations can be set higher than 60 days and may even be disabled completely. Your organisation may need to request an exception to certain compliance templates because your choices make your organisation more secure, not less.
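To make the exception request concrete, it helps to show the auditor what the machine actually enforces next to the benchmark value. The following PowerShell is an added example, not code from the article or from Tenable or CIS; it exports the local security policy with secedit, reads the maximum password age, and reports either compliance with the 60-day benchmark, a plain finding, or an exception candidate when the operator asserts that MFA (Windows Hello or another factor) is enforced. The secedit export format (a `[System Access]` section with a `MaximumPasswordAge = N` line, with -1 meaning passwords never expire) is the editor's understanding and should be checked on your build.

```powershell
# Added example (not from the article): compare the local maximum password age
# with the 60-day benchmark quoted above, and let the operator flag an MFA-based
# exception rather than a bare failure. Requires an elevated prompt for secedit.

function Get-MaximumPasswordAge {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the local policy as an INI-style file; the [System Access]
    # section contains "MaximumPasswordAge = N" (assumed format; -1 = never expires).
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^\s*MaximumPasswordAge\s*=\s*(-?\d+)' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($null -eq $line) { return $null }
    if ($line -match '=\s*(-?\d+)') { return [int]$Matches[1] }
    return $null
}

function Test-PasswordAgeBenchmark {
    param(
        [int]$BenchmarkDays = 60,   # value quoted from the audit template
        [switch]$MfaEnforced        # operator asserts MFA / Windows Hello is in place
    )
    $age = Get-MaximumPasswordAge
    $neverExpires = ($age -eq -1)
    $meetsBenchmark = ($null -ne $age) -and (-not $neverExpires) -and ($age -le $BenchmarkDays)

    # Decide the status: compliant, exception candidate, or finding.
    $status = 'Finding'
    if ($meetsBenchmark) { $status = 'Compliant' }
    elseif ($MfaEnforced) { $status = 'Exception candidate (MFA enforced)' }

    $observed = if ($null -eq $age) { 'Unknown' } elseif ($neverExpires) { 'Never expires' } else { $age }
    [pscustomobject]@{
        MaximumPasswordAgeDays = $observed
        BenchmarkDays          = $BenchmarkDays
        Status                 = $status
    }
}

# Example run: the operator states that MFA is enforced for this system.
Test-PasswordAgeBenchmark -MfaEnforced
```

The `-MfaEnforced` switch is deliberately an operator assertion rather than something the script detects, because whether MFA is actually enforced for every account is a question for your identity platform, not the local security database. Attach the output, the MFA evidence and the research you rely on to the exception request so the reviewer can see that the longer or disabled expiry is a considered choice.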

Regulatory and guidance resources

The Center for Internet Security site allows you to download PDFs of guidance that range from Apple devices to Cisco devices to firewalls to printers, once you provide an email address and firm information.

In addition to downloading the guidance, I recommend that you sign up to participate in the benchmark community so you can ask questions and join the discussions. Often in these benchmark communities you find like-minded participants who can help you with your compliance project.

If you are investigating new technologies and platforms, these benchmark documents may help your deployment projects. 

The CIS includes guidance for such technologies as Apple macOS 12.0, Apple macOS 11.0 Big Sur, Apple macOS 10.15 Catalina and Apple macOS 10.14 Mojave. If you are just now looking for guidance on best practices in deploying Apple desktops, these documents will help you in your initial deployment and investigation of new technologies.

Compliance is a necessary mandate for firms of nearly all sizes. Your goal is to find the balance between choosing the right guidance and embracing new technologies that will bring more security to your firm.