As a security consultant, I see companies of all sizes breached at an alarming rate. I see the true consequence go beyond system damage or downtime. I see larger consequences—including loss of confidence and damaged trust. To prevent this, I help organizations defeat intrusions and enhance the probability of detection.
Most cyberattacks are not complex or coordinated. Many simply exploit compromised passwords, faulty configurations, or obscure settings. Using these, attackers access a network and—once inside—escalate their own privileges. Defeating such exploits before someone finds them can improve your security posture dramatically. Below are low-cost, low-impact security controls that reduce the risk to your company's valuable reputation.
Exploiting compromised passwords or other user credentials is the most common way attackers penetrate commercial networks. Setting tougher access controls is the first line of defense.
- Separate domain administrator accounts from personal accounts. An administrator’s personal PC is subject to hacking, phishing, malware, and other threats.
- Separate your password policy. Setting stricter password policies, enforcing them, and requiring frequent changes helps ensure secure access.
- Ensure domain administrators only log in to domain controllers. When an administrator logs in, their password is often exposed on that machine. Having them log in only where required helps limit access.
- Delegate administrative controls to appropriate groups. Limiting administrator access to a specific area helps mitigate the effects of a breach or other compromise.
- Disable cached credentials. Remote access leads to credentials stored or cached on external devices. For devices that never leave your physical environment, set the cache to zero.
Policy exploits, faulty controls, and mismanaged network settings are the second most common means of attack. Review your network settings to greatly reduce vulnerability.
- Deploy Microsoft Security Compliance Manager. This tool helps users establish baseline security controls for all systems that they can add to, relax, or modify as needed.
- Disable Null Sessions. Null sessions allow unauthorized intruders who have already achieved entry to guess passwords in an attempt to gain further access to your systems.
- Disable Link-Local Multicast Name Resolution (LLMNR). This protocol allows an attacker to obtain your authentication credentials. Because the attack is passive, it is likely to avoid detection.
- Set Simple Network Management Protocol (SNMP) to "Require and Enable." The "Require and Enable" setting requires authentication of any user issuing system commands.
- Do not store passwords in Group Policy Preferences. Passwords in SYSVOL are accessible to any authenticated user. Consider an alternate solution for changing local administrator passwords.
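As an added example (not part of the original post), the read-only PowerShell audit below checks several of the settings above on the local host: cached credentials, null-session restrictions, LLMNR, and passwords in Group Policy Preferences. The registry locations are the standard Windows ones for these policies; the expected values and the SYSVOL path derived from `USERDNSDOMAIN` are my assumptions for this script.

```powershell
# Added example: read-only audit of several controls discussed above.
# Run in an elevated PowerShell session on a domain-joined Windows host.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the policy has never been set
}

# Each check: description, registry location, and the value the hardening guidance expects.
$checks = @(
    @{ Control = 'Cached credentials disabled (CachedLogonsCount = 0)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'CachedLogonsCount'; Expected = '0' },
    @{ Control = 'Null sessions restricted (RestrictAnonymous = 1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Expected = 1 },
    @{ Control = 'Anonymous SAM enumeration blocked (RestrictAnonymousSAM = 1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM'; Expected = 1 },
    @{ Control = 'LLMNR disabled (EnableMulticast = 0)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'EnableMulticast'; Expected = 0 }
)

foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    # A missing value is reported as FAIL because the secure setting is not enforced.
    $status = if ("$actual" -eq "$($c.Expected)") { 'PASS' } else { 'FAIL' }
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    "{0,-4} {1} (current: {2})" -f $status, $c.Control, $shown
}

# Group Policy Preference XML files in SYSVOL must not carry a 'cpassword' attribute.
if ($env:USERDNSDOMAIN) {
    $sysvol = "\\$($env:USERDNSDOMAIN)\SYSVOL\$($env:USERDNSDOMAIN)\Policies"
    $hits = Get-ChildItem -Path $sysvol -Recurse -Include *.xml -ErrorAction SilentlyContinue |
            Select-String -Pattern 'cpassword' -SimpleMatch
    if ($hits) {
        'FAIL Passwords found in Group Policy Preferences:'
        $hits | ForEach-Object { "     $($_.Path)" }
    } else { 'PASS No cpassword attributes found in SYSVOL' }
} else { 'SKIP Not domain-joined; SYSVOL check not performed' }
```

The script only reads settings and reports PASS/FAIL per control; remediation is still done through Group Policy or the Security Compliance Manager baselines.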
Additional steps I recommend to secure against attack include disabling interactive logon for service accounts, using managed service accounts, using NT LAN Manager (NTLM), and disabling both the command shell and PowerShell. I have seen firsthand how these quick, simple steps can strengthen a client’s security posture and help them defeat many common forms of intrusion.
I have based these insights on experience helping organizations of all sizes located all over the world to detect, defend, and defeat security breaches since 2006. This experience ranges from ethical hacking and vulnerability assessments to comprehensive managed security services programs, incident response, and forensic analysis.