Security Best Practice \ Health Check


Assets
Internal IPs
External IPs
Network Devices – Switches \ Routers \ APs
Storage Devices
Hypervisor Versions

Business Process
New User and Leaver Guide
Password Management Tool
Vulnerability Management
Change Management
Monitor HaveIBeenPwned
Ransomware Readiness Assessment
SOC Assessment
Compromise Assessment

Data
DLP?
Review Permissions and Changes?
SAN? Storage Snapshots?
Blobs Public?
Security recommendations for Blob storage – Azure Storage | Microsoft Learn

Identity
MFA?
Logging Level in Azure AD ( Default 30 days )
Logging Level in AD
Domain Admin Group
Azure AD Identity Review Reports for Guest Access
Defender for Identity ( if Licensed )
Separate Domain Admin Accounts
Stale Computer Accounts ( Not Disabled )
Stale User Accounts ( Not Disabled )
Protected Users?
SSO SAML for Apps
Password Policies ( https://activedirectorypro.com/how-to-configure-a-domain-password-policy/ )
Password Strength ( https://evotec.xyz/strengthening-password-security-in-active-directory-a-powershell-powered-approach/ )
Password Crack https://bluewantingred.com/post/ad-password-audit-in-kali/
Lockout Policies ! ( https://activedirectorypro.com/account-lockout-policy/ )
AD \ Azure Active Directory password protection ( Banned Password List for Company Name )
AADconnect Version
Managed Service Account
dcdiag
Risky Sign in behaviour Alerting
Canary Files ( Honey Tokens ) https://canarytokens.org/generate
Device Compliance (assuming Microsoft Endpoint Manager (Intune) is in play) ( Intune Best Prac )
Privileged Identity Management (PIM)
Accounts set to Not Expire – Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object DistinguishedName, Name, Enabled
Break Glass Account
https://www.michev.info/blog/post/5608/azure-ad-previews-step-up-authentication-for-admins-via-protected-actions
https://github.com/ClaudioMerola/ADxRay – Health Check


Enable Self Service Password Reset
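Added example (not part of the original checklist): one script that collects the on-prem AD evidence for several of the Identity items above in a single pass - stale user and computer accounts that are still enabled, Domain Admins membership expanded through nested groups, Domain Admins that are not also in Protected Users, and enabled accounts whose password never expires. It assumes the ActiveDirectory RSAT module, read access to the domain, a 90-day inactivity window and the Desktop output folder; all three are assumptions you can change.

```powershell
# Added example, not from the original checklist. Assumes the ActiveDirectory RSAT module and
# rights to read the domain. The 90-day window and the output path are assumptions.
Import-Module ActiveDirectory

$inactiveDays = 90
$span = New-TimeSpan -Days $inactiveDays

# Stale accounts that are still enabled (the checklist flags "Not Disabled")
$staleUsers = @(Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, SamAccountName, LastLogonDate, DistinguishedName)

$staleComputers = @(Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, LastLogonDate, DistinguishedName)

# Domain Admins membership, expanded through nested groups (user objects only)
$domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, LastLogonDate |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet, LastLogonDate)

# Domain Admins that are not also in Protected Users (the credential-hardening group)
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
$unprotectedAdmins = @($domainAdmins | Where-Object { $protected -notcontains $_.SamAccountName })

# Enabled accounts whose password never expires
$neverExpires = @(Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordNeverExpires |
    Select-Object Name, SamAccountName, DistinguishedName)

# Summary counts for the health-check report
[PSCustomObject]@{
    StaleEnabledUsers        = $staleUsers.Count
    StaleEnabledComputers    = $staleComputers.Count
    DomainAdmins             = $domainAdmins.Count
    DomainAdminsNotProtected = $unprotectedAdmins.Count
    PasswordNeverExpires     = $neverExpires.Count
} | Format-List

# Detail tables exported beside the report (folder is an assumption)
$out = "$env:USERPROFILE\Desktop\AD-HealthCheck"
New-Item -ItemType Directory -Path $out -Force | Out-Null
$staleUsers        | Export-Csv "$out\stale-users.csv" -NoTypeInformation
$staleComputers    | Export-Csv "$out\stale-computers.csv" -NoTypeInformation
$domainAdmins      | Export-Csv "$out\domain-admins.csv" -NoTypeInformation
$unprotectedAdmins | Export-Csv "$out\domain-admins-not-protected.csv" -NoTypeInformation
$neverExpires      | Export-Csv "$out\password-never-expires.csv" -NoTypeInformation
```

Run it from a workstation with RSAT installed using an account that can read the domain; nothing is modified. Review the CSVs with the account owners before disabling anything, since service accounts and cold-standby machines often show up as "stale" on a 90-day window.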


Servers
Backup? Monitoring \ Restores \ Item Level \ Notifications \ 3-2-1 Rule
Business RPO and RTO Sign off
LAPS?
Hypervisor Versions
iLO? Versions
AV? EDR?
ADCS? – https://github.com/GhostPack/Certify \ https://github.com/ly4k/Certipy
Warranty?
DR?
Internet Information Services (IIS) Securing Best Prac
Monitoring Usage?
Licensing
RDS Rate Limiting?
Radius Lockouts? RADIUS Based Authentication: Enabling Account Lock-Out – Intrust IT (intrust-it.com)
GPOs and Best Prac
TLS 1.0\1.1 ( CVE-2014-3566 (POODLE) )
Diffie-Hellman prime is less than 2048 bits
mDNS \ Netbios
WPAD
IPV6
Patching
HTTP Header – https://securityheaders.com/
Expired SSL Certs \ https://www.ssllabs.com/ssltest/
Good Size SSL Cert ( 2048 + )

Crack Access on PC -> https://dannyda.com/2023/05/24/some-microsoft-windows-system-network-information-and-password-gathering-methods/

Windows Updates?
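Added example (not part of the original checklist): a read-only check for the "TLS 1.0\1.1" and "Diffie-Hellman prime is less than 2048 bits" items above. It reads the Schannel protocol and key-exchange registry locations on the server it runs on and reports a finding where a legacy protocol is not explicitly disabled or the Diffie-Hellman minimum is not set to at least 2048 bits. It changes nothing; run it elevated on each server. An absent value means the OS default applies, which is reported as such rather than assumed.

```powershell
# Added example, not from the original checklist. Reads the Schannel registry state only.
$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dhPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

function Get-SchannelValue {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or a marker string when the key or value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set (OS default)' }
    return $item.$Name
}

$results = foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        $p = Join-Path $protoRoot "$proto\$side"
        $enabled           = Get-SchannelValue -Path $p -Name 'Enabled'
        $disabledByDefault = Get-SchannelValue -Path $p -Name 'DisabledByDefault'
        # A legacy protocol is a finding unless it is explicitly disabled (Enabled = 0);
        # "Not set" is reported as a finding so the OS default gets confirmed by hand.
        $finding = ($proto -in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') -and ($enabled -ne 0)
        [PSCustomObject]@{
            Protocol          = $proto
            Side              = $side
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            Finding           = $finding
        }
    }
}
$results | Format-Table -AutoSize

# Diffie-Hellman minimum key length; the checklist flags anything under 2048 bits
$dhServerMin = Get-SchannelValue -Path $dhPath -Name 'ServerMinKeyBitLength'
$dhClientMin = Get-SchannelValue -Path $dhPath -Name 'ClientMinKeyBitLength'
[PSCustomObject]@{
    ServerMinKeyBitLength = $dhServerMin
    ClientMinKeyBitLength = $dhClientMin
    Finding               = -not ($dhServerMin -is [int] -and $dhServerMin -ge 2048)
} | Format-List
```

The registry view tells you what policy has been applied; it does not prove what the listener actually negotiates. Pair it with an external scan of the exposed ports (the page already points at the SSL Labs test for public HTTPS endpoints) before closing the item.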


Network
Backup?
Make and Model of Network Devices ( APs \ Switches \ Routers ) \ Firmware Up To Date?
HA Hardware and Internet
Remote Access 2fa?
Least Privilege?
VLANS?
Web Filtering?
DDOS?
IPS?
Wireless Auth Radius? IDS \ IPS?
Firewall Rules
Internet Usage
Web browsers do not process web advertisements from the internet.
Physical Access Control on Switches ( NAC )
Ports open ?
DNSSEC is not configured ?
VPN Encryption Length

Physical

Unsecured Networking & Server Equipment
Shared PIN Access Code
Default Application Credentials
Password Reuse on Shared User Accounts
Excessive Close Time on Main Entry Door
Guest Wireless Network Without Intra-Segmentation


Email
365 See Best Prac
Backup? 3-2-1 Rule
SPF \ DKIM \ DMARC
SPAM Filter
Archive
Office Version
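Added example (not part of the original checklist): a DNS lookup script for the SPF \ DKIM \ DMARC item above. It resolves the public TXT records for a domain and reports whether SPF is present (and whether it ends in a hard or soft fail), what the DMARC policy is, and whether a DKIM key is published for each selector. The domain is an assumption; the default selectors selector1 and selector2 are the ones Microsoft 365 uses, which fits the "365" item in this section, and can be overridden for other mail platforms.

```powershell
# Added example, not from the original checklist. Domain and DKIM selectors are assumptions.
param(
    [string]$Domain = 'example.com',
    [string[]]$DkimSelectors = @('selector1', 'selector2')
)

function Get-TxtRecord {
    param([string]$Name)
    # Returns the joined TXT strings for a name, or an empty array if nothing resolves.
    # A CNAME chain (common for DKIM) is followed by the resolver; only TXT answers are kept.
    $r = Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue
    if ($null -eq $r) { return @() }
    return @($r | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings })
}

# SPF: there must be exactly one v=spf1 record at the apex; "-all" is hard fail, "~all" soft fail
$spf = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
$spfStatus = switch ($spf.Count) {
    0       { 'Missing' }
    1       {
        if ($spf[0] -match '-all$')     { 'Present (hard fail)' }
        elseif ($spf[0] -match '~all$') { 'Present (soft fail)' }
        else                            { 'Present (no all mechanism)' }
    }
    default { 'Invalid (multiple SPF records)' }
}

# DMARC: v=DMARC1 at _dmarc.<domain>; the p= policy should be quarantine or reject
$dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
$dmarcPolicy = if ($dmarc.Count -gt 0) {
    ([regex]::Match($dmarc[0], 'p=(\w+)')).Groups[1].Value
} else { 'Missing' }

# DKIM: a public key record per selector at <selector>._domainkey.<domain>
$dkim = foreach ($s in $DkimSelectors) {
    $rec = @(Get-TxtRecord "$s._domainkey.$Domain" | Where-Object { $_ -like '*v=DKIM1*' -or $_ -like '*p=*' })
    [PSCustomObject]@{ Selector = $s; Published = ($rec.Count -gt 0) }
}

[PSCustomObject]@{
    Domain      = $Domain
    SPF         = $spfStatus
    DMARCPolicy = $dmarcPolicy
    DKIM        = ($dkim | ForEach-Object { "$($_.Selector)=$($_.Published)" }) -join ', '
} | Format-List
```

Save it as a .ps1 and call it with -Domain for each sending domain. A DMARC policy of "none" is monitoring only; the item is not closed until the policy is quarantine or reject and the aggregate reports show the legitimate senders are aligned.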

Workstations
AV? EDR?
Third Party App Updates \ Drivers \ Browser ( Chrome )
Intune Updates for Windows Drivers?
Office Updates ( config.microsoft.com )
Bitlocker?
OneDrive?
Silverlight Installed?
Shadow IT? Cloud Apps

Mobile
MAM?
Block enrollment and access for other devices
Enable web-only access
