MWS security improvements

Security improvements don’t get a lot of attention because often they silently protect you. And in many cases we silently implement security improvements. But every once in a while, it is worth recognizing these security improvements, even if you don’t see them.

Here’s a recap of some of the recent security improvements MWS has made:

• Microsoft’s Local Administrator Password Solution (LAPS) has been implemented for Managed Workstations. This solution provides and manages a complex unique password for the built-in administrator account on each managed workstation to reduce the exposure from a single managed workstation being compromised. Many years ago, the Managed Workstation service had a compromise that affected hundreds (Coreflood). This solution would have prevented that. 
• Based on a data-driven request from the Office of Chief Information Security Officer, we recently added a firewall rule to protect managed workstations from off-campus access of Remote Desktop. Customers should first connect to the VPN before using Remote Desktop to their managed workstation. This improvement protects all UW accounts from compromise and protects your managed workstation.
• SMBv1, an insecure protocol, was disabled across all managed workstations in April, and disabled on domain controllers last month. This helps to protect interception of your data.
• Upgrades of the MWS file servers this year were prompted by a variety of vulnerabilities in their software. This also helps to protect interception of your data.
• Annually, 1-2% of managed workstations have some kind of compromise, and we’ll continue to invest in security improvements to drive that down further. But when it does happen, we’ve eliminated reimaging costs to help get you back to working on a safe computer.