This gist focuses on (relatively) free and (relatively) easy things organizations can do to better protect their networks without buying yet another black box with blinking lights.
Got some ideas of your own that should be on this list? Please leave a comment below!
Microsoft has a great paper on the topic that gives some nice high level recommendations:
- Use a unique password per site
- Enable complexity
- Use some mechanism to ban people from picking known bad/leaked/breached passwords (more on that below)
- Turn on 2FA everywhere you can
The Local Administrator Password Solution (LAPS) from Microsoft will manage and randomize your workstation local admin passwords. I've got a full step-by-step write-up on LAPS here
Per Microsoft's password guidance, you should use some mechanism to stop people from using weak/leaked/breached passwords in your environment. Troy Hunt’s Pwned Passwords project is a great tool for this. And I've got a write-up on using the PwnedPasswordsDLL to implement Pwned Passwords for free. Alternatively you could use a commercial solution like SafePass.me.
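To show what a Pwned Passwords check actually does under the hood, here is an added example (not from the original gist, and not the PwnedPasswordsDLL code) of the k-anonymity range lookup: only the first five hex characters of the candidate password's SHA-1 leave the machine, and the returned `SUFFIX:COUNT` list is matched locally. The sample response body is constructed for this example; the suffix for "password" is its real SHA-1 tail, but the counts are made up, and the `live_fetch` helper is only needed if you want to query the real API.

```python
import hashlib
from typing import Callable

# Constructed sample of what a range query for prefix 5BAA6 might return.
# The first suffix is the real SHA-1 tail of "password"; the count and the
# other lines (including a padding entry with count 0) are made up here.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FFF:2\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:0\r\n"  # padding row, ignored
    ),
}

def sha1_upper(password: str) -> str:
    """Hex SHA-1 digest in the upper-case form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding rows (count 0) are dropped."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in breach data, via k-anonymity:
    only the 5-char hash prefix is sent; the suffix is matched locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS call, served from the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")

def live_fetch(prefix: str) -> str:
    """Real call to https://api.pwnedpasswords.com/range/<prefix> (network)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-unique-example"):
        print(pw, "->", breach_count(pw, offline_fetch))
```

A password filter would reject any candidate whose count is above zero; swapping `offline_fetch` for `live_fetch` turns this into a real check.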
Whenever I need to show/explain this I load up this how-to which is a great resource.
I think this talk by byt3bl33d3r gives a great explanation and demonstration of how a network where SMB signing isn't required can be easily abused to rain shells around the network. I wrote a gist based on his talk here with step-by-step instructions to follow in your own environment.
I'm still floored when I see organizations patching boxes by hand. There are many good tools out there that don't break the bank. I reviewed some as part of a patching solutions bake-off.
Using a password manager will help you generate long/gnarly passwords - unique per site! - and not have to remember them. Personally I use 1Password but am very fond of LastPass and Dashlane as well. Also, don't write down passwords!
You should turn on multi-factor authentication on every site/service that supports it. A good list of the sites that support it is here.
If you don't need IPv6 in your environment, you may want to disable it. Tools like mitm6 make it easier for an attacker to take over your domain just by abusing IPv6 traffic. You can read more about the narrative of the attack here and see a video of this attack in action here.
Around 29 minutes into this Black Hills Information Security podcast episode they talk about some insecure Group Policy Preferences that attackers abuse as an easy win.
You can do this pretty easily in GSuite or O365.
Additionally, consider another rule to stop display name spoofing (h/t to Rob on Slack!)
If you're hosted with a major provider like O365/GSuite, this should already be in place. But if not there are many good ones out there I've used in the past, like Securence and Barracuda.
Don't have your users run as local admins! If you need a strong case for the value of removing local admin rights, read through this Avecto Vulnerabilities Report for some great stats, like:
The ever-popular report makes the compelling case for least privilege, finding that of the 235 Critical vulnerabilities reported in 2017, 80% would be mitigated by removing local admin rights from users.
Train your users regularly - via computer-based training or in person. And don't shame/blame people into it, or give them a hard time if they click a phish from one of your tests. Make it positive and fun.