Infographic CISO’s Checklist: 5 Attack Surfaces to Prioritise Now

By Insight Editor / 7 Dec 2023 / Topics: Backup & recovery, Networking

With cyberthreats coming from all angles, it can be tricky to know how to prioritise your efforts. Based on the attack surfaces we’re seeing take the most heat from hackers, this checklist can help.

Accessibility note: The infographic is transcribed below the graphic.

Secure your business with an all-angles approach. Insight’s end-to-end expertise in cybersecurity can help.

Infographic text included for screen readers:

There isn’t one way to secure all environments — but based on the attack surface trends we’re seeing, this immediate-action checklist can help you cover your most important bases.

1. Multifactor Authentication (MFA)

  • Disable any SMS-based MFA and require the organization to use a multifactor application (like Authenticator or Authy) or a physical security device. (Identity Management)
  • Revoke all security tokens and force MFA if you are able. This will require everyone to log back in using the new MFA requirement. (Incident Response)

2. Authentication & authorization systems

  • Ensure all teammates responsible for creating or changing Active Directory accounts have a multifaceted verification process to confirm the authenticity of the contact — and are retrained on these procedures on a regular basis. (Identity Management)
  • Use Privileged Identity Management for all global admins and elevated accounts. If available, use Just in Time (JIT) access. (Separation of Duties/Least Privilege)
  • Confirm Active Directory is patched to the latest level and consider increasing the frequency of regular patching. (Vulnerability Management)
  • Ensure all third-party tools connecting to or federating with Active Directory are patched to the latest version. (Vulnerability Management)
  • Restrict accounts used for federation across Active Directory to the minimum amount of required permissions. (Least Privilege)
  • Confirm logging and alerting are enabled for all Active Directory activity, including federation and operational changes at the domain level. (Monitoring)
  • Turn off and block legacy authentication methods, i.e. New Technology LAN Manager (NTLM). (Vulnerability Management)
  • Consider tools like Defender for Identity to help surface lateral movements and malicious activities. (Monitoring)

3. Hypervisor security

  • Disable administrative access over SSH for all your hypervisor hosts. (Vulnerability Management)
  • Ensure that local administrative accounts on hypervisor hosts are disabled or severely restricted. The passwords should be unique per host. (Privileged Identity Management/Password Management)
  • Validate that any shared authentication for management of your hypervisors is restricted to the minimum level of access required. (Least Privilege)
  • Confirm that MFA is applied to access any administrative function in your hypervisor. (Identity Management)
  • Ensure you have logging and alerting enabled for all administrative activity on the hypervisor. (Monitoring)

4. Backup infrastructure

  • Ensure your backup platform storage is completely immutable via a vaulting mechanism. (Business Continuity/Disaster Recovery)
  • Disable all noncritical administrative access to the backup infrastructure. (Privileged Identity Management)
  • Check that MFA is required to access administrative functions. (Privileged Identity Management)

5. Continuity planning

  • Have an incident response team on standby in the event of an incident. In some instances, time of compromise to complete loss of platforms occurs in under two hours. (Incident Response)
  • Check to make sure your organization’s business continuity plan is up to date and practiced on a regular basis. (Business Continuity/Disaster Recovery)
  • Consider executing a tabletop activity to test adding multiple system failures to the continuity plan — taking the above recommendations into account. (Security Assessments & Testing)

We’re here to help.

Remember: It’s better to invest in preventing fires than it is to constantly be fighting them. As your teams work on that prevention, Insight can assist in discussions around strategy as well as deeper, more specific recommendations.
