However, none of these measures is very effective against attacks by users who already have legitimate access to the system: malicious insiders. Preventing and detecting insider attacks requires a separate set of measures, such as protecting privileged accounts and monitoring user actions.
Let us take a closer look at what Windows offers in this area out of the box and how its built-in features can be used to protect company computers from insider threats.
Types of Windows accounts
In order to assign privileges and preferences to a specific user, Windows employs several types of user accounts. Using a password-protected account is the simplest way to keep your data and system settings from being altered, or even read, without authorization. By restricting a user's privileges, you restrict that user's ability to perform malicious actions.
The Windows account model has changed over the years to make it more secure and enterprise-friendly. Microsoft gradually moved to fewer account types and fewer accounts created by default in order to reduce the attack surface.
All Windows 7 editions feature the following three main types of accounts:
- Administrator – the account with the highest level of Windows privileges and complete control over the PC. It can make any change and install any software.
- Standard user – the generic account designed for everyday use, with limited access to core system settings. Changes made by this account do not affect other users.
- Guest – a special account designed for one-time use. It has no password, is disabled by default, and does not allow the user to make any changes to the system.
Windows 8 and Windows 10 still use the local Standard and Administrator account types, but they also introduce a separate Microsoft account. This account can be used across multiple Windows devices and Microsoft services. It lets you sign in with your email address and, unlike a local account, which can be used without a password, it is always password-protected.
The simplest way to check administrator rights on Windows 7 and later is the User Accounts page in Control Panel. You can also change the account type there if you have sufficient permissions. The same can be done via Local Users and Groups (lusrmgr.msc) or from the command line: whoami /groups shows the groups in the current token (the local Administrators group has the well-known SID S-1-5-32-544), and whoami /priv shows the token's privileges. Note that under User Account Control an administrator's non-elevated session runs with a filtered token, so whoami /priv lists only a handful of privileges until the session is elevated.
The Windows account system becomes somewhat more complicated when domain accounts are used, but the basic principles are the same. An administrator has all rights, can make any system change, and can collect all the necessary data using the built-in monitoring and diagnostic tools. With carefully configured policies it is possible to detect insider attacks, such as data misuse by non-privileged accounts, but most of those tools are ineffective against users with Windows administrator rights, because such a user can change the audit policy, remove auditing entries from objects, or clear the Security log.
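The following PowerShell script is an added example and is not part of the original article. It separates the two things "administrator rights" can mean on a UAC-enabled machine: whether the current PowerShell session is running with an elevated token, and whether the current user is a member of the local Administrators group at all (SID S-1-5-32-544), which remains visible in whoami /groups even when UAC has filtered the group out of the active token. The function names are the example's own.

```powershell
# Added example, not part of the original article. Shows how the Control Panel,
# whoami /groups and whoami /priv views of "administrator rights" differ under UAC.

function Test-IsElevated {
    # IsInRole consults the *current* token; under UAC this is $false for an
    # administrator until the session is started with "Run as administrator".
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsLocalAdminMember {
    # whoami /groups lists every group SID in the token, including those UAC has
    # marked "Group used for deny only", so it reveals membership regardless of elevation.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    return [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
}

function Get-EnabledPrivileges {
    # Same data that "whoami /priv" prints, parsed so it can be counted or filtered.
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $_.State -eq 'Enabled' } |
        Select-Object -ExpandProperty 'Privilege Name'
}

$elevated = Test-IsElevated
$member   = Test-IsLocalAdminMember
$privs    = @(Get-EnabledPrivileges)

[pscustomobject]@{
    User                      = "$env:USERDOMAIN\$env:USERNAME"
    ElevatedSession           = $elevated
    LocalAdministratorsMember = $member
    EnabledPrivileges         = $privs -join ', '
} | Format-List
```

The combination to watch for is LocalAdministratorsMember = True with ElevatedSession = False: the account is an administrator, UAC is merely standing between it and a full token, and the user can elevate at will. A standard user shows False for both.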
Now, let’s look at what those tools are and how they can be utilized.
Windows Event Viewer
Windows Event Viewer is the most basic tool: it displays the events recorded by the Windows Event Log service, sorted into different logs. Traditionally these were Application, Security, System and Setup; since Windows Vista and Windows Server 2008, Microsoft has also provided separate Applications and Services Logs, so the events of a specific application or component can be looked up with less clutter.
Event Viewer is easily searchable and can give you some insight into user actions, but ultimately it is an administrative tool designed for troubleshooting, and the events it shows do not provide all the information needed for insider threat detection.
Local policy editing and auditing
Windows also has a built-in auditing feature that records various events, such as object access, privilege use, logon events and policy changes, with the account that caused each one. The audit policy is configured in Local Security Policy (secpol.msc) or Group Policy, or with the auditpol.exe command, and can be applied both locally and, through a Windows Server domain, to remote and domain users. This feature gives an accurate picture of certain types of user activity and is fairly easy to use. Its most useful capability is file access auditing, which shows when data was accessed or altered in any way; note that, in addition to enabling the object access audit policy, each folder or file to be watched needs a system access control list (SACL) entry, otherwise no events are generated. However, the feature is fairly limited in what it can monitor and how it presents its data, which makes it not very effective for detecting insider threats.
There are several built-in ways to monitor network traffic in Windows. You can capture packets from the command line (netsh trace start capture=yes writes a trace to an .etl file) or use the Network tab of Resource Monitor. Resource Monitor is an application designed to track performance metrics of the system, such as CPU and disk usage, but you can also use it to see which processes are talking to which addresses. However, it cannot save network usage data for later review, which leaves only real-time observation on the table and makes it fairly ineffective for insider threat and data misuse protection.
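The two scripts below are added examples and are not part of the original article. The first wires up the file access auditing described above end to end: it enables the "File System" audit subcategory, places a SACL on a folder, and then reads the resulting Security log events. The folder path C:\Sensitive and the choice to audit the Everyone principal are assumptions of the example; it must run in an elevated session, since reading and writing SACLs requires the SeSecurityPrivilege.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell session.
# Assumed: the folder C:\Sensitive exists and auditing "Everyone" is acceptable.

$path = 'C:\Sensitive'

# 1. Enable the advanced audit subcategory that produces file access events
#    (Security log event 4663, "An attempt was made to access an object").
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry so that reads, writes and deletes under the folder, by anyone,
#    generate audit events. Without this step the policy above records nothing.
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Report who touched what under the folder in the last hour, with the process used.
function Get-FileAccessAudit {
    param([string]$Folder, [int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The interesting fields live in EventData; pull them out of the event XML.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $d.AccessMask     # e.g. 0x1 read, 0x2 write, 0x10000 delete
                Process = $d.ProcessName
            }
        } |
        Where-Object { $_.Object -like "$Folder*" }
}

Get-FileAccessAudit -Folder $path | Format-Table -AutoSize
```

This also illustrates the article's central caveat: a user with administrator rights can run the same auditpol command with /success:disable, remove the audit rule with $acl.RemoveAuditRule(), or clear the Security log (which itself leaves event 1102 behind, but only until the next clear), so the record is only as trustworthy as the people who can reach it.

The second script addresses the Resource Monitor limitation just mentioned: it takes a point-in-time snapshot of established outbound TCP connections, maps each to the owning process and the account that process runs as, and appends it to a CSV so the data survives for later review. It requires Windows 8 / Windows Server 2012 or later for Get-NetTCPConnection; the function name and output path are the example's own.

```powershell
# Added example, not part of the original article. Requires Windows 8 / Server 2012+.
function Get-OutboundConnectionSnapshot {
    # Build a PID -> (process name, owning account) table once, via WMI/CIM.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $procs[[int]$_.ProcessId] = [pscustomobject]@{
            Name = $_.Name
            User = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'n/a' }
        }
    }

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |   # skip loopback
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            [pscustomobject]@{
                Time    = Get-Date -Format 'u'
                Process = $p.Name
                User    = $p.User
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

# Appending to a file is what Resource Monitor cannot do; schedule this to build history.
$out = Join-Path $env:ProgramData 'net-snapshots.csv'
Get-OutboundConnectionSnapshot | Export-Csv -Path $out -Append -NoTypeInformation
```

Run from a scheduled task every few minutes, this gives a crude but persistent record of which account and process held which connection; it is still a sampling of state, not a capture of traffic, so short-lived connections between samples are missed.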
The Windows family of operating systems has various built-in monitoring tools, all of which are ultimately designed for troubleshooting and fall short when it comes to employee monitoring and protection from insider threats. The Windows account system can be effective when users are kept at a low level of privilege and their passwords are well protected, but it cannot provide any protection against, or insight into, the actions of privileged users. The question, then, is how to check privileged users on Windows and gain insight into their actions.
If you want to truly protect your company from insider threats, you are much better off using a professional privileged activity monitoring solution specifically designed to record user actions. Such a system is itself protected from tampering and is able to gather and organize all the necessary data in order to provide effective prevention and detection of insider threats.