Server coverage in ControlsInsight gives organizations a new way to surface how well Windows Servers are configured to protect against known tactics that an attacker may use to infiltrate a network. One interesting way this information can help an organization improve its security posture is by giving visibility into which systems are executing services at high privilege levels. By monitoring the coverage for the "Service processes run as a limited user" control, an organization can identify both when new services are deployed in the network in a way that may not comply with best practices and when the privilege levels of established service accounts increase. Changes such as these can indicate an increased surface area for attack or, in the case of a breach, help to identify assets that may have been modified as the attacker moved through the server environment.
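The drift check described above, as an added example (not part of the original post and not ControlsInsight's own logic): it compares two service inventories keyed by host and service name, then reports new elevated services and privilege increases. The host names, accounts, the `ADMINS` list and the classification rules are constructed assumptions; the account strings follow the form of the `StartName` property of `Win32_Service`.

```python
# Added example: constructed data and hypothetical names, not ControlsInsight code.
LIMITED, ELEVATED = 0, 1
BUILTIN_LIMITED = {"nt authority\\localservice", "nt authority\\networkservice"}
BUILTIN_ELEVATED = {"localsystem", "nt authority\\system"}

def classify(account, admins=frozenset()):
    """Rank a service logon account. An empty account fails closed to ELEVATED."""
    acct = (account or "").strip().lower()
    if acct in BUILTIN_LIMITED or acct.startswith("nt service\\"):
        return LIMITED  # built-in limited accounts and per-service virtual accounts
    if not acct or acct in BUILTIN_ELEVATED:
        return ELEVATED
    # Named accounts: elevated only if the caller lists them as administrators
    # (assumption: that list comes from your own group-membership export).
    return ELEVATED if acct in {a.lower() for a in admins} else LIMITED

def coverage(snapshot, admins=frozenset()):
    """Fraction of services in a snapshot that run as a limited user."""
    if not snapshot:
        return 1.0
    limited = sum(classify(a, admins) == LIMITED for a in snapshot.values())
    return limited / len(snapshot)

def drift(baseline, current, admins=frozenset()):
    """Return (host, service, kind, old_account, new_account) findings."""
    findings = []
    for key, new_acct in current.items():
        new_rank = classify(new_acct, admins)
        if key not in baseline:
            if new_rank == ELEVATED:  # newly deployed service at high privilege
                findings.append((*key, "new-elevated-service", None, new_acct))
        elif classify(baseline[key], admins) < new_rank:
            findings.append((*key, "privilege-increase", baseline[key], new_acct))
    return sorted(findings, key=lambda f: (f[0], f[1]))

# Constructed snapshots: {(host, service): logon account}
BASELINE = {("srv-web01", "W3SVC"): "LocalSystem",
            ("srv-web01", "AppPoolSvc"): "NT AUTHORITY\\NetworkService",
            ("srv-db01", "ReportAgent"): "CORP\\svc_report"}
CURRENT = {("srv-web01", "W3SVC"): "LocalSystem",
           ("srv-web01", "AppPoolSvc"): "LocalSystem",
           ("srv-db01", "ReportAgent"): "CORP\\svc_report",
           ("srv-db01", "BackupHelper"): "CORP\\svc_backup",
           ("srv-db01", "Metrics"): "NT SERVICE\\Metrics"}
ADMINS = {"CORP\\svc_backup"}

if __name__ == "__main__":
    print(f"limited-user coverage: {coverage(CURRENT, ADMINS):.0%}")
    for finding in drift(BASELINE, CURRENT, ADMINS):
        print(finding)
```

A service that was already elevated in the baseline (`W3SVC` here) lowers the coverage figure but is not reported as drift, so the two outputs answer different questions.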
By improving combined coverage with the "Limited Egress" control, an organization can further improve security posture by adding more layers that must be traversed by an attacker attempting to move freely within a network. While many organizations focus on centralized firewall and routing rules, once an attacker gets access to a system, restrictions on the account and the system are the first hurdles that must be crossed. When reviewing Windows server configurations, ControlsInsight evaluates firewall controls and access rights at the system level, providing guidance that helps fill out this layer of protection.
This stacking of controls gives an organization a proactive way to reduce the surface area of its network, and gives members of the security organization another way to monitor for anomalies that may indicate undesired activity occurring on the network.