Here are 50 FREE things you can do to improve the security of most environments:
Access control lists are your friend (deny all first)
AD delegation of rights
App Whitelisting
Best practice GPO (NIST GPO templates)
Access control lists are your friend (deny all first)
AD delegation of rights
App Whitelisting
Best practice GPO (NIST GPO templates)
Block browsing from servers. Not all machines need internet access
Block Dns zone transfers
Change ilo settings/passwords
Close open mail relays
Diff. local admin passwords (LAPS)
Disable LLMNR/NetBios
Disable ports that are unused, & setup port security
Block Dns zone transfers
Change ilo settings/passwords
Close open mail relays
Diff. local admin passwords (LAPS)
Disable LLMNR/NetBios
Disable ports that are unused, & setup port security
Disable telnet & other insecure protocols or alert on use
DMZ behind separate firewall
DNS servers should not be openly recursive
Don't forget your printers (saved creds aren't good)
Egress Filtering (should be just as strict as Ingress)
EMET (when OSes prior to 10 are present)
DMZ behind separate firewall
DNS servers should not be openly recursive
Don't forget your printers (saved creds aren't good)
Egress Filtering (should be just as strict as Ingress)
EMET (when OSes prior to 10 are present)
Ensure web logins use HTTPS
Fail2ban
For the love of god implement TLS 1.2
Force advanced file auditing (ransomeware detection)
Geoblocking
Get rid of open shares
Incident Response drills
Incident Response Runbook & Bugout bag
Incident Response tabletops
Fail2ban
For the love of god implement TLS 1.2
Force advanced file auditing (ransomeware detection)
Geoblocking
Get rid of open shares
Incident Response drills
Incident Response Runbook & Bugout bag
Incident Response tabletops
Internal & OSINT honeypots
Least privileges EVERYWHERE
Locate and destroy plain text passwords
Log successful and unsuccessful logins - Windows/Linux logging cheatsheets
MITRE ATT&CK Matrix is your friend
Mod security
MSBSA
Network device backups
No open wi-fi, use WPA2 + AES
Least privileges EVERYWHERE
Locate and destroy plain text passwords
Log successful and unsuccessful logins - Windows/Linux logging cheatsheets
MITRE ATT&CK Matrix is your friend
Mod security
MSBSA
Network device backups
No open wi-fi, use WPA2 + AES
Password safes
Patch *nix boxes
Purple Team
Remove unneeded software
Restrict access to backups
Role based servers only! DNS servers/DCs are just that
Segment with Vlans
Separation of rights - Domain Admin use should be sparce & audited
Patch *nix boxes
Purple Team
Remove unneeded software
Restrict access to backups
Role based servers only! DNS servers/DCs are just that
Segment with Vlans
Separation of rights - Domain Admin use should be sparce & audited
Setup centralized logins for network devices. Use TACACS+ or radius
Upgrade firmware
URLscan
Use Bitlocker/encryption
User Education exercises
Vulnerability Scanner
WSUS
Upgrade firmware
URLscan
Use Bitlocker/encryption
User Education exercises
Vulnerability Scanner
WSUS
