<\/p>\n\n\n\n
Business Process<\/strong> Data<\/strong> Identity<\/strong> <\/p>\n\n\n\n
Assets<\/strong>
Internal IP’s
External IP’s
Network Devices – Switches \\ Routers \\ AP’s
Storage Devices
Hypervisor Versions<\/p>\n\n\n\n
New User and Leaver Guide
Password Management Tool
Vulnerability Management
Change Management
Monitor HaveIBeenPwned
Ransomware Readiness Assesment
SOC Assesment
Compromise Assessment<\/p>\n\n\n\n
DLP?
Review Permissions and Changes?
SAN? Storage Snapshots?
Blobs Public?
Security recommendations for Blob storage – Azure Storage | Microsoft Learn<\/a><\/p>\n\n\n\n
MFA?
Admin Count? https:\/\/pariswells.com\/blog\/research\/powershell-for-fixing-admincount-variable-for-users-who-have-left-privledged-roles-onprem<\/a>
Logging Level in Azure AD ( Default 30 days )
Logging Level in AD
Domain Admin Group
Azure AD Identity Review Reports for Guest Access
Defender for Identity ( if Licensed )
Separate Domain Admin Accounts
Stale Computer Accounts<\/a> ( Not Disabled )
Stale User Accounts <\/a>( Not Disabled )
Protected Users?
SSO SAML for Apps
Password Policies ( https:\/\/activedirectorypro.com\/how-to-configure-a-domain-password-policy\/<\/a> )
Password Strength ( https:\/\/evotec.xyz\/strengthening-password-security-in-active-directory-a-powershell-powered-approach\/<\/a> )
Password Crack https:\/\/bluewantingred.com\/post\/ad-password-audit-in-kali\/<\/a>
Lockout Policies ! ( https:\/\/activedirectorypro.com\/account-lockout-policy\/ )
AD \\ Azure Active Directory password protection ( Banned Password List for Company Name )
AADconnect Version
Managed Service Account
dcdiag
Risky Sign in behaviour Alerting
Canary Files ( Honey Tokens ) https:\/\/canarytokens.org\/generate
Device Compliance (assuming Microsoft Endpoint Manager (Intune) is in play) ( Intune Best Prac<\/a> )
Privileged Identity Management (PIM)
Accounts set to Not Expire – get-aduser -filter * -properties Name, PasswordNeverExpires | where {$_.passwordNeverExpires -eq “true” } | Select-Object DistinguishedName,Name,Enabled
Break Glass Account
https:\/\/www.michev.info\/blog\/post\/5608\/azure-ad-previews-step-up-authentication-for-admins-via-protected-actions
<\/a>https:\/\/github.com\/ClaudioMerola\/ADxRay<\/a> – Health Check<\/p>\n\n\n\n
Enable Self Service Password Reset<\/a>
Servers<\/strong>
Backup? Monitoring \\ Restores \\ Item Level \\ Notifications 321 Rule
Business RPO and RTO Sign off
LAPS?
Hypervisor Versions
Ilo? Versons
AV? EDR?
ADCS?– https:\/\/github.com\/GhostPack\/Certify \\ https:\/\/github.com\/ly4k\/Certipy
Warranty?
DR?
Internet Information Services (IIS) Securing Best Prac
<\/a>Monitoring Useage?
Licensing
RDS Rate Limiting<\/a>?
Radius Lockouts? RADIUS Based Authentication: Enabling Account Lock-Out – Intrust IT (intrust-it.com)<\/a>
GPOs and Best Prac
TLS 1.0\\1.1 ( CVE-2014-3566 (POODLE) )
Diffie-Hellman prime is less than 2048 bits
mDNS \\ Netbios
WPAD
IPV6
Patching
HTTP Header – https:\/\/securityheaders.com\/<\/a>
Expired SSL Certs \\ https:\/\/www.ssllabs.com\/ssltest\/<\/a>
Good Size SSL Cert ( 2048 + )<\/p>\n\n\n\n