While initial fixes are crucial for strengthening defenses, you must apply them regularly.

A new report, Proactive Preparation and Hardening to Protect Against Destructive Attacks, provides extensive guidance on cybersecurity. Written by experts, it helps organizations prepare for, contain, eradicate, and recover from threats.

The report provides hundreds of tips for securing Windows systems, including command-line strings, group policy tweaks, and signs of compromise.

Although the report’s breadth is overwhelming, its detailed guidance is invaluable. It serves as a blueprint for IT and security managers, whether for large corporations or small businesses.

Active Directory hardening and backups

Organizations should verify that backups, including system state backups, are available for domain controllers and critical assets. The report provides commands to initiate and verify these backups and explains how to protect them against unauthorized access or modification. The report also has loads of suggestions on malware “tells” that security managers can look for, such as unauthorized users accessing backup media or shadow copies being deleted (a common event that precedes a ransomware attack).

Network segmentation

Organizations should have both physical and logical separation between IT domains and operational technology processes and controls. This means using separate AD forests, network segments, and IP protocols to prevent bridging between domains. A common sign of potential compromise is a failed login attempt across domains, which indicates that an attacker may be attempting to reuse credentials to move around your infrastructure.

Disable administrative access wherever possible

Audit and limit administrative access as a security measure. Many organizations have too many accounts with excessive permissions. The report recommends modifying registry keys, stopping certain service accounts, and using group policies to control access. It also provides commands to track, secure, and prevent abuse of privileged accounts.
RDP hardening

As we wrote about earlier this year, the Remote Desktop Protocol (RDP) can be a major way for attackers to enter your networks. Organizations should periodically scan their public IP address ranges to ensure that no system exposes ports 445 (SMB) or 3389 (RDP) to the Internet. The link above has other suggestions for locking down RDP, and the report also has additional proactive measures, such as requiring Network Level Authentication through group policy and using RDP’s Restricted Admin mode.
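A local audit of the RDP settings just mentioned, as an added example that is not code from the report or from Avast: it reads the documented Terminal Services and LSA registry values and reports whether TCP 445 or 3389 is listening on the host. It assumes that a Group Policy value, when present, overrides the local WinStations value, and that an absent DisableRestrictedAdmin value means Restricted Admin mode is off (the default on current Windows versions).

```powershell
# Added example (not from the report or Avast): audit local RDP hardening state.
# Run in an elevated PowerShell session on the Windows host being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RdpHardening {
    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $tsLocal  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp   = "$tsLocal\WinStations\RDP-Tcp"
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Assumption: the Group Policy value, if set, wins over the local WinStations value.
    $nlaPolicy = Get-RegValue -Path $tsPolicy -Name 'UserAuthentication'
    $nlaLocal  = Get-RegValue -Path $rdpTcp   -Name 'UserAuthentication'
    $nla       = if ($null -ne $nlaPolicy) { $nlaPolicy } else { $nlaLocal }

    # fDenyTSConnections = 1 means RDP is switched off entirely.
    $rdpDenied = Get-RegValue -Path $tsLocal -Name 'fDenyTSConnections'
    # DisableRestrictedAdmin = 0 enables Restricted Admin mode; assumption: absent = off.
    $raDisabled = Get-RegValue -Path $lsa -Name 'DisableRestrictedAdmin'

    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in @(445, 3389) } |
        Select-Object -ExpandProperty LocalPort -Unique

    $findings = @()
    if ($rdpDenied -ne 1 -and $nla -ne 1) {
        $findings += 'RDP is enabled but Network Level Authentication is not required'
    }
    if ($null -eq $raDisabled -or $raDisabled -ne 0) {
        $findings += 'Restricted Admin mode is not enabled (DisableRestrictedAdmin should be 0)'
    }
    foreach ($p in $listeners) {
        $findings += "TCP port $p is listening; confirm it is not reachable from the Internet"
    }

    [PSCustomObject]@{
        RdpEnabled             = ($rdpDenied -ne 1)
        NlaRequired            = ($nla -eq 1)
        RestrictedAdminEnabled = ($raDisabled -eq 0)
        ListeningPorts         = @($listeners)
        Findings               = $findings
    }
}

Test-RdpHardening | Format-List
```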

We suggest reading through the full report to explore the full collection of tips and research that it contains. Before you get overwhelmed, though, you should realize that the report makes one thing clear: after you’ve implemented these “hardening” activities, you need to re-check the changes and look for possibly compromised systems on a regular basis.

Many organizations don’t have regular follow-ups to confirm that changes to their network infrastructure, or the securing of former employees’ accounts, were actually completed. While it’s certainly wise to make the initial fixes to strengthen your defenses, these actions need to be repeated on a regular basis.

Published with permission from Avast Business