{"id":6571,"date":"2023-01-23T06:33:29","date_gmt":"2023-01-23T06:33:29","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=6571"},"modified":"2026-05-21T05:41:40","modified_gmt":"2026-05-21T05:41:40","slug":"health-check","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/health-check","title":{"rendered":"Security Best Practice \\ Health Check"},"content":{"rendered":"\n

<\/p>\n\n\n\n


Assets<\/strong>
Internal IP’s
External IP’s
Network Devices – Switches \\ Routers \\ AP’s
Storage Devices
Hypervisor Versions<\/p>\n\n\n\n

Business Process<\/strong>
New User and Leaver Guide
Password Management Tool
Vulnerability Management
Change Management
Monitor HaveIBeenPwned
Ransomware Readiness Assesment
SOC Assesment
Compromise Assessment<\/p>\n\n\n\n

Data<\/strong>
DLP?
Review Permissions and Changes?
SAN? Storage Snapshots?
Blobs Public?
Security recommendations for Blob storage – Azure Storage | Microsoft Learn<\/a><\/p>\n\n\n\n

Identity<\/strong>
MFA?
Admin Count? https:\/\/pariswells.com\/blog\/research\/powershell-for-fixing-admincount-variable-for-users-who-have-left-privledged-roles-onprem<\/a>
Logging Level in Azure AD ( Default 30 days )
Logging Level in AD
Logging Level Onprem ( Enable Event Logs )
Logging Level DNS Not on by default
Domain Admin Group
Azure AD Identity Review Reports for Guest Access
Defender for Identity ( if Licensed )
Separate Domain Admin Accounts
Stale Computer Accounts<\/a> ( Not Disabled )
Stale User Accounts <\/a>( Not Disabled )
Protected Users?
SSO SAML for Apps
Password Policies ( https:\/\/activedirectorypro.com\/how-to-configure-a-domain-password-policy\/<\/a> )
Password Strength ( https:\/\/evotec.xyz\/strengthening-password-security-in-active-directory-a-powershell-powered-approach\/<\/a> )
Password Crack https:\/\/bluewantingred.com\/post\/ad-password-audit-in-kali\/<\/a>
Lockout Policies ! ( https:\/\/activedirectorypro.com\/account-lockout-policy\/ )
AD \\ Azure Active Directory password protection ( Banned Password List for Company Name )
AADconnect Version
Managed Service Account
dcdiag
Risky Sign in behaviour Alerting
Canary Files ( Honey Tokens ) https:\/\/canarytokens.org\/generate
Device Compliance (assuming Microsoft Endpoint Manager (Intune) is in play) ( Intune Best Prac<\/a> )
Privileged Identity Management (PIM)
Accounts set to Not Expire – get-aduser -filter * -properties Name, PasswordNeverExpires | where {$_.passwordNeverExpires -eq “true” } | Select-Object DistinguishedName,Name,Enabled
Break Glass Account
https:\/\/www.michev.info\/blog\/post\/5608\/azure-ad-previews-step-up-authentication-for-admins-via-protected-actions
<\/a>https:\/\/github.com\/ClaudioMerola\/ADxRay<\/a> – Health Check<\/p>\n\n\n\n

<\/p>\n\n\n\n


Enable Self Service Password Reset<\/a>


Servers<\/strong>
Backup? Monitoring \\ Restores \\ Item Level \\ Notifications 321 Rule
Business RPO and RTO Sign off
LAPS?
Hypervisor Versions
Ilo? Versons
AV? EDR?
ADCS?– https:\/\/github.com\/GhostPack\/Certify \\ https:\/\/github.com\/ly4k\/Certipy
Warranty?
DR?
Internet Information Services (IIS) Securing Best Prac
<\/a>Monitoring Useage?
Licensing
RDS Rate Limiting<\/a>?
Radius Lockouts? RADIUS Based Authentication: Enabling Account Lock-Out – Intrust IT (intrust-it.com)<\/a>
GPOs and Best Prac
TLS 1.0\\1.1 ( CVE-2014-3566 (POODLE) )
Diffie-Hellman prime is less than 2048 bits
mDNS \\ Netbios
WPAD
IPV6
Patching
HTTP Header – https:\/\/securityheaders.com\/<\/a>
Expired SSL Certs \\ https:\/\/www.ssllabs.com\/ssltest\/<\/a>
Good Size SSL Cert ( 2048 + )<\/p>\n\n\n\n

Crack Access on PC -> https:\/\/dannyda.com\/2023\/05\/24\/some-microsoft-windows-system-network-information-and-password-gathering-methods\/<\/a><\/p>\n\n\n\n

Windows Updates?<\/p>\n\n\n\n


Network<\/strong>
Backup?
Make and Model of Network Devices ( AP’s \\ Switches Routers ) \\ Firmware Up To Date?
HA Hardware and Internet
Remote Access 2fa?
Least Privilege?
VLANS?
Web Filtering?
DDOS?
IPS?
Wireless Auth Radius? IDS \\ IPS?
Firewall Rules
Internet Usage
Web browsers do not process web advertisements from the internet.
Physical Access Control on Switches ( NAC )
Ports open ?
DNSSEC is not configured ?
VPN Encryption Length
<\/p>\n\n\n\n

Physical<\/strong><\/p>\n\n\n\n

Unsecured Networking & Server Equipment
Shared PIN Access Code
DefaultApplicationCredentials
Password Reuse on Shared User Accounts
Excessive Close Time on Main Entry Door
Guest Wireless Network Without Intra\u0002Segmentation<\/p>\n\n\n\n


Email<\/strong>
365 See Best Prac
Backup? 321 Rule
SPF\\DKIM\\Dmarc
SPAM Filter
Archive
Office Version

Workstations<\/strong>
AV? EDR?
Powershell in Constraint Language Model
Disable CMD for Admins
AppLocker
Third Party App Updates \\ Drivers \\ Browser ( Chrome )
Intune Updates for Windows Drivers?
Office Updates ( config.microsoft.com )
Bitlocker?
OneDrive?
Silverlight Installed?
Shadow IT? Cloud Apps<\/p>\n\n\n\n

<\/p>\n\n\n\n

Moibile<\/strong>
MAM?
Block enrollment and access for other devices<\/em>
Enable web-only access<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

AssetsInternal IP’sExternal IP’sNetwork Devices – Switches \\ Routers \\ AP’sStorage DevicesHypervisor Versions Business ProcessNew User and Leaver Guide Password Management ToolVulnerability ManagementChange ManagementMonitor HaveIBeenPwnedRansomware Readiness AssesmentSOC AssesmentCompromise […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4189,1889],"class_list":["post-6571","post","type-post","status-publish","format-standard","hentry","category-research","tag-prac","tag-security"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t