Achieving Cyber Essentials with Microsoft technologies

Many organisations work to attain Cyber Essentials to show their commitment to keeping their own and their customers’ data secure. With most organisations already using Microsoft technologies, it is logical to consider using the tools you already have to gain Cyber Essentials. In this article, we outline how you can achieve Cyber Essentials using Microsoft solutions (and a few other products) alongside internal processes.

About Cyber Essentials

Attaining Cyber Essentials or Cyber Essentials Plus shows that your organisation takes a proactive stance against cyber security threats and has the foundational security measures in place to protect itself against common attacks. You can read more on this in our introduction “Cyber Essentials overview and requirements”.

Using Microsoft for Cyber Essentials

Most organisations already use Microsoft technologies in their workplace. We have outlined how you can use Microsoft solutions to meet the requirements of Cyber Essentials, with a few additional products recommended, such as Zscaler. Of course, the technology is only one part of it. You also need the right processes in place to manage and monitor these technologies. You can find the full Cyber Essentials checklist here, but below we list each of the Cyber Essentials controls together with the technical solution or business process that meets each requirement.

Cyber Essentials requirement: Ongoing management of perimeter firewall(s), including patching, reviewing rules, build/configuration SOP.
Technical solution or business process:
  • Cloud-managed firewall solution (we recommend Cisco Meraki)
  • Ongoing managed networking services (Chorus managed service)

Cyber Essentials requirement: Secure configuration of computers and network devices:
  • Remove and disable unnecessary user accounts
  • Change any default or guessable passwords
  • Remove or disable unnecessary software
  • Disable any auto-run feature
  • Authenticate users before allowing internet-based access to commercial or personally sensitive data
Technical solution or business process:
  • Windows AutoPilot with Intune Security Baselines
  • Entra ID LAPS
  • Device re-deployment process

Cyber Essentials requirement: Secure configuration of password-based authentication:
  • Brute force account protection
  • Minimum password length of 8 characters
  • No maximum password length
  • Process to change passwords promptly when known/suspected of compromise
  • Have a published password policy
Technical solution or business process:
  • Identity Protection: Entra ID Password Protection with the on-premises extension
  • Configuration of Entra ID / Office 365 password policies
  • Business process to ensure IT is informed of any compromise or suspected compromise of user accounts
  • Produce and maintain a password policy

Cyber Essentials requirement: User access control:
  • Have an account creation and approval process/SOP
  • Authentication before granting access to apps or devices, using unique credentials
  • Remove accounts when no longer required (leavers/inactivity) – SOP
  • Implement MFA where available – authentication to cloud services must always use MFA
  • Only use admin accounts for administrative activities
  • Review special access privileges when no longer required (job role changes) – change SOP
Technical solution or business process:
  • AutoPilot helps ensure users are not admins of their machines
  • Organisation must have a starter/leaver SOP, which we can help define
  • Implement Entra ID MFA organisation-wide, including a legacy authentication block
  • Business process to inform IT when user roles change – an SOP to then be created/followed that outlines the actions required
  • MFA for all cloud apps – integrate cloud apps with Entra ID for SSO
  • RBAC and PIM for admins

Cyber Essentials requirement: Malware protection – anti-malware software:
  • Software must auto-update with the latest signatures daily
  • On-access scanning must be enabled
  • Web pages must be scanned
  • Malicious websites must be blocked
Technical solution or business process:
  • Microsoft Defender for Endpoint – managed by Intune Security Baselines or CSOC
  • Microsoft SmartScreen – deployed as part of Intune Security Baselines
  • Defender for Endpoint content filtering
  • Zscaler for advanced web filtering capabilities

Cyber Essentials requirement: Malware protection – application whitelisting:
  • Only approved applications, restricted by code signing, are allowed to execute on devices
Technical solution or business process:
  • Intune/AutoPilot with native Microsoft Entra join
  • Approved software list
  • No admin access on machines
  • Endpoint Privilege Management (EPM)

Cyber Essentials requirement: Patch management:
  • Software must be updated within 14 days of a patch being released if it fixes a vulnerability rated ‘critical’ or ‘high risk’
Technical solution or business process:
  • Intune/AutoPilot with native Microsoft Entra join, enforcing Windows Update for Business and Patch My PC for 3rd-party patches
  • Microsoft Intune MDM/MAM for mobile devices, to ensure minimum OS requirements
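
The user access control row above calls for organisation-wide Entra ID MFA together with a block on legacy authentication. The script below is an added example (it is not Chorus's or Microsoft's code) showing how a readiness check for those two points can be run against an export of Conditional Access policies. It assumes the export is a list of objects shaped like the Microsoft Graph conditionalAccessPolicy resource (the response body of GET /identity/conditionalAccess/policies); the three sample policies are constructed for this illustration and do not come from any real tenant.

```python
"""Check an Entra Conditional Access export for two Cyber Essentials
user-access-control expectations: MFA for all users on all cloud apps,
and legacy authentication blocked. Added example, not vendor tooling."""
from typing import Dict, List

# Graph clientAppTypes values that carry legacy (non-modern) authentication.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def _conditions(policy: Dict) -> Dict:
    # "conditions" may be absent or null in a partial export; treat both as empty.
    return policy.get("conditions") or {}


def _enabled(policy: Dict) -> bool:
    # Report-only policies ("enabledForReportingButNotEnforced") do not enforce anything.
    return policy.get("state") == "enabled"


def _applies_to_all_users(policy: Dict) -> bool:
    users = _conditions(policy).get("users") or {}
    return "All" in (users.get("includeUsers") or [])


def _applies_to_all_apps(policy: Dict) -> bool:
    apps = _conditions(policy).get("applications") or {}
    return "All" in (apps.get("includeApplications") or [])


def _grant_controls(policy: Dict) -> set:
    # Session-only policies have grantControls set to null.
    grant = policy.get("grantControls") or {}
    return set(grant.get("builtInControls") or [])


def requires_mfa_for_all(policies: List[Dict]) -> bool:
    """True if some enabled policy requires MFA for all users on all cloud apps."""
    return any(
        _enabled(p) and _applies_to_all_users(p) and _applies_to_all_apps(p)
        and "mfa" in _grant_controls(p)
        for p in policies
    )


def blocks_legacy_auth(policies: List[Dict]) -> bool:
    """True if some enabled policy blocks every legacy client app type for all users."""
    for p in policies:
        client_types = set(_conditions(p).get("clientAppTypes") or [])
        covers_legacy = "all" in client_types or LEGACY_CLIENT_TYPES <= client_types
        if _enabled(p) and _applies_to_all_users(p) and covers_legacy \
                and "block" in _grant_controls(p):
            return True
    return False


def audit(policies: List[Dict]) -> Dict[str, bool]:
    """Summarise both checks; a False value is a gap to close before assessment."""
    return {
        "mfa_all_users_all_apps": requires_mfa_for_all(policies),
        "legacy_auth_blocked": blocks_legacy_auth(policies),
    }


# Constructed sample export (hypothetical policies, not from a real tenant).
SAMPLE_POLICIES = [
    {   # index 0: enforced MFA for everyone on every cloud app
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # index 1: enforced block on legacy authentication protocols
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # index 2: the same MFA rule left in report-only mode, so it enforces nothing
        "displayName": "Require MFA (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    for check, passed in audit(SAMPLE_POLICIES).items():
        print(f"{check}: {'OK' if passed else 'GAP'}")
```

The check deliberately ignores excludeUsers, so a policy that exempts break-glass accounts still passes; whether such exclusions are acceptable is a question for the assessor, and listing them is a sensible addition to the readiness report. Report-only policies are treated as not in force, since they enforce nothing.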

Getting Cyber Essentials ready

Before taking the Cyber Essentials certification, or when starting on the journey, we recommend carrying out a readiness assessment. This will show where you stand against the requirements and any gaps you need to act on. You can read more about the benefits of a Cyber Essentials Readiness Assessment here.

Conclusion

We hope this article has shown how you can use your existing Microsoft products alongside policies and processes to meet the requirements of Cyber Essentials. Of course, the Microsoft products and features available to you will depend on your licensing levels. If you would like to discuss your Microsoft licensing or attaining Cyber Essentials, please get in touch and we would be happy to help.