Coming up with a good network security checklist can be challenging. The list below was created with input from not less than a dozen technology consultants and security experts.
Disclaimer: I’m not a Certified Information Systems Security Professional (CISSP). This checklist is not intended to validate a network as secure. It is intended to be an INITIAL checklist to start from. It covers many areas/items that consultants and admins often forget to check and set or may have at one time side-stepped due to assurances or beliefs that they were only doing so temporarily. Even if you can check off every aspect of this list in the affirmative, you should consult a declared security professional to ensure you are as secure as is appropriate/required for your organization.
Security is a balance between ease of use and protection from threats. Threats can be malicious or non-malicious. Obvious malicious threats include hackers and viruses while obvious non-malicious threats can include hardware failures and natural disasters.
When implementing a security policy, it’s important to understand that your organization needs to limit access in order to secure the data your company uses. Data such as credit card numbers, financial information, health information, and other sensitive data needs to be protected lest your company have an unfortunate public relations mess at best and an extinction level event at worst. Small businesses often have a familial feel and don’t see the need to protect shared data from any member of the staff. This is a potentially costly mistake. Even data that is not ordinarily sensitive needs to be protected. Such data, if open and unprotected, could be subject to malicious software attacks such as ransomware. By limiting the users who have access to data, you limit the potential disruption in the event of a breach.
The questions/items below may not be appropriate or applicable to all organizations for a variety of reasons. The risk profile for every organization is different. Though it's possible some items below will simply not apply to your organization, the vast majority should. In general, the average business is not being specifically and directly attacked to gain specific information. However, the average internet-connected business is under constant attack through scripts and malicious software attack vectors (infected websites, email, etc.).
If your organization is of a kind that has sensitive data, such as information about high-profile individuals, highly valuable trade secrets, or information on publicly traded companies that is not publicly known, for example, it could be specifically targeted. In that case you need to be even more conscious of social engineering attacks. Such attacks can include “cleaning staff” that install keyloggers on machines or go through discarded printouts or documents left out on desks. They can include people attempting to trick your staff into giving up passwords or sending documents to unauthorized individuals. Though social engineering efforts may be more targeted at companies with valuable intellectual property, all organizations need to be aware of the tactic – often in recent years, companies get calls or emails impersonating clients or staff and directing company employees to issue payments immediately to prevent a big opportunity from being missed. Once payments are complete it can be extremely difficult, if not impossible, to recover the funds.
- Is there a plan in place for what to do in the event of a breach?
- Is there a procedure to address breaches that expose customer data?
- Do usernames match email addresses?
- Are policies and procedures in place to close user accounts immediately upon employee termination, including any remote access permitted?
- Are users running as local administrators on their computers?
- Do users have the ability to install software (using separate dedicated admin accounts)?
- Are logon hours defined for users without 24x7 access requirements?
- Is folder redirection in use to ensure data does not reside on less secure workstations/devices?
- For users with local admin rights, does the account used grant access to many systems or just the user’s regular computer?
- Is there an identical account on all systems or all systems the user uses?
- Is there a domain account that’s been assigned to multiple systems as an administrator?
- Are service accounts denied interactive logon?
- Are service accounts in privileged groups like Domain Admins?
- It may be necessary for a service account to have admin rights, but does it need Domain Admin rights or just the local Administrators group?
- Is it possible to adjust user rights so the service account no longer requires Administrator rights?
- Active Directory User Account Properties:
  - Are service accounts explicitly denied remote access (AD Dial-in tab)?
  - Is the service account limited to logging on only to the computers it needs? (AD Users and Computers, User Properties, Account tab, Log On To… button)
  - Is the “Account is sensitive and cannot be delegated” checkbox checked?
- Are permissions configured to allow end users to alter them for group shares? (Full access?)
- Is user access controlled via Groups or by assigning individual users?
- Is auditing enabled for highly sensitive files?
- Is File Classification used to protect sensitive information?
- What kind of password policy exists?
  - What is the minimum password length?
  - What is the change frequency?
  - Are there complexity requirements?
- Are users observed to have passwords written down in obvious places?
- Is multi-factor authentication used in-house?
Password change frequency is related to the password complexity and minimum length.
- Are users provided with at least annual training to recognize threats such as social engineering attempts?
- Are users provided with training regarding security best practices and why they should follow them?
- How many admin accounts are there (relative to the number of users in the environment)?
- Is the default Administrator account disabled and renamed?
- Do any Domain Admin accounts have “admin” in their name?
- Do all individuals requiring admin access have their own separate admin accounts? This includes all owners, administrators, consultants, and vendors.
- Do all individuals who have admin rights routinely operate as non-privileged users?
- Do administrators routinely ask for/know end-user passwords?
- How often are admin account passwords changed?
- Are all scripts developed by administrators documented as to their authors?
- Do scripts include clear-text passwords in their body?
- Are Domain Admins logging in to local computers?
- Have all important groups been verified for appropriate membership, including (but not necessarily limited to):
  - Domain Admins
  - Backup Operators
  - Enterprise Admins
  - Schema Admins
  - Group Policy Creator Owners
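The service-account properties and the privileged-group review above can be reported on in one pass. This is an added example, not part of the original checklist; it needs the RSAT ActiveDirectory module, and it assumes service accounts are identifiable by a "svc-" naming prefix or by having a Service Principal Name registered (both are assumptions, adjust to your environment).

```powershell
# Added example (not from the original checklist). Requires the RSAT
# ActiveDirectory module and a domain-joined account allowed to read AD.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Backup Operators', 'Group Policy Creator Owners'
$ServicePrefix = 'svc-'   # assumed naming convention for service accounts

# 1. Membership of every privileged group, expanded recursively so that
#    accounts reached through nested groups are also listed.
$Privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Type = $_.objectClass } }
}
$Privileged | Sort-Object Group, Member | Format-Table -AutoSize

# 2. Hardening attributes of each service account. The Dial-in tab maps to
#    msNPAllowDialin (FALSE = explicitly denied), "Log On To..." maps to
#    LogonWorkstations, and the "sensitive and cannot be delegated" checkbox
#    maps to AccountNotDelegated. "Deny interactive logon" is a Group Policy
#    user right, not an AD attribute, so it has to be checked in the GPO.
$ServiceAccounts = Get-ADUser -Filter "SamAccountName -like '$ServicePrefix*' -or ServicePrincipalName -like '*'" `
    -Properties AccountNotDelegated, LogonWorkstations, msNPAllowDialin

$report = foreach ($acct in $ServiceAccounts) {
    $findings = @()
    if (-not $acct.AccountNotDelegated)   { $findings += 'delegation not blocked' }
    if (-not $acct.LogonWorkstations)     { $findings += 'may log on to any computer' }
    if ($acct.msNPAllowDialin -ne $false) { $findings += 'remote access not explicitly denied' }
    $groups = @($Privileged | Where-Object Member -eq $acct.SamAccountName).Group | Sort-Object -Unique
    if ($groups) { $findings += "in privileged group(s): $($groups -join ', ')" }
    [pscustomobject]@{ Account = $acct.SamAccountName; Findings = ($findings -join '; ') }
}
# Only accounts with at least one finding are shown
$report | Where-Object Findings | Format-Table -AutoSize
```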
- Are VLANs used to segregate wifi, servers, printers, workstations, VoIP?
- Is Wifi in use?
  - Is the Wifi firmware up-to-date?
  - Is the Wifi password protected?
    - Common key?
    - User authenticated?
    - How often is the key changed?
  - Is the SSID named something that identifies which network it belongs to?
- Guest Wifi:
  - Is the Guest Wifi also the company Wifi?
  - Is the Guest Wifi on a separate network?
  - Does the Guest Wifi have a separate public IP?
- Are managed network switches in use?
- Are unused network ports disabled?
- Is a Proxy Server used/properly configured?
- Is the network and all related systems and processes properly documented?
- Is the documentation maintained/up-to-date?
Computers (Workstations & Servers):
- Are systems patched regularly and up-to-date?
- Are third-party utility programs up to date? For example, Java, Acrobat, Flash, etc.
- Are the hard drives encrypted – both Servers and Workstations?
- Is there a policy automatically locking workstations that remain idle too long?
- Is there a policy removing the default username from the logon screen?
- Is there a software firewall (Windows Firewall or an antivirus firewall)?
- Is there an antivirus program installed and up-to-date?
- Computer naming - are high-value systems named something identifying?
- Are computers and network equipment labeled appropriately?
- Are local accounts kept to a minimum and administrative access granted to specific domain-based accounts (for domain environments)?
- Deny by default or Allow by default?
- Is the device Business Class or Home Class?
- If Business, Does the device support UTM capabilities, such as Antivirus, Web Filtering, and Spam Filtering?
- Are there expired/unneeded rules still in place?
- Are you geo-blocking where appropriate?
- Is spam filtering used?
  - Is the filtering provided by a third-party service?
  - Is the filtering done in-house?
- Is the spam filter updated regularly?
- Has the spam filter been tweaked/configured to provide the maximum protection or are default settings in use?
- Is the SPF record set up and correct?
- Is the DMARC record set up and correct?
- Has the domain been checked using resources such as MXToolbox.com?
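A quick local check of the SPF and DMARC items above, as an added example that is not part of the original checklist. It uses Resolve-DnsName (Windows 8/2012 or later) and applies the RFC 7208 limit of ten DNS-querying terms; example.com is a placeholder for the domain being checked.

```powershell
# Added example (not from the original checklist): sanity-check SPF and DMARC.
function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $result = [ordered]@{ Domain = $Domain }

    # SPF is a TXT record at the domain apex; multi-string records are joined first
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { -join $_.Strings })
    $spf = @($txt | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0)     { $result.SPF = 'MISSING' }
    elseif ($spf.Count -gt 1) { $result.SPF = 'INVALID: more than one SPF record' }
    else {
        $terms = $spf[0] -split '\s+'
        # Terms that cost a DNS query; RFC 7208 allows at most 10 per evaluation
        $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a(\b|:)|mx(\b|:)|ptr|exists:|redirect=)' }).Count
        $all = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' })[-1]
        if     ($all -eq '-all') { $result.SPF = 'OK: -all (hard fail)' }
        elseif ($all -eq '~all') { $result.SPF = 'OK: ~all (soft fail)' }
        elseif ($all)            { $result.SPF = "WEAK: '$all' lets unlisted senders pass" }
        else                     { $result.SPF = 'WEAK: no all mechanism, unlisted senders are Neutral' }
        if ($lookups -gt 10) { $result.SPF += "; INVALID: $lookups DNS lookups (limit 10)" }
    }

    # DMARC lives at _dmarc.<domain>; tags are ';'-separated key=value pairs
    $dmarc = @(Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
               ForEach-Object { -join $_.Strings } | Where-Object { $_ -match '^v=DMARC1' })
    if ($dmarc.Count -eq 0) { $result.DMARC = 'MISSING' }
    else {
        $tags = @{}
        foreach ($pair in ($dmarc[0] -split ';')) {
            if ($pair -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
        }
        $p = $tags['p']
        if     ($p -eq 'reject')     { $result.DMARC = 'OK: p=reject' }
        elseif ($p -eq 'quarantine') { $result.DMARC = 'OK: p=quarantine' }
        elseif ($p -eq 'none')       { $result.DMARC = 'WEAK: p=none only monitors, it does not block spoofing' }
        else                         { $result.DMARC = 'INVALID: required p= tag missing' }
        if (-not $tags['rua']) { $result.DMARC += '; no rua= address, so no aggregate reports' }
    }
    [pscustomobject]$result
}

# Placeholder domain; replace with the domain being checked
Test-MailAuthRecords -Domain 'example.com'
```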
- Is remote access provided?
- Is VPN used?
  - Is it a full tunnel?
  - Is it DirectAccess?
- Is workstation health enforced?
- Are ports open/redirected for services other than VPN (such as RDP, VNC, or other third-party remote access programs that don’t register with a central server)?
- Is multi-factor authentication used with remote access?
- Are any web services providing remote access (such as Remote Desktop Gateway) using valid SSL certificates?
- Is RDP configured to prohibit redirection of resources as a rule (do not redirect printers, drives) except for users that explicitly require such redirection?
- Is RDP set to require Network Level Authentication?
- Are user IPs whitelisted to limit remote access rights where possible?
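The two RDP items above (no resource redirection by default, NLA required) can be read back from the host's effective settings. This is an added example, not from the original checklist; it reads the standard Terminal Services registry values and the policy values that exist only when a GPO or local policy has set them, so run it elevated on the server being checked.

```powershell
# Added example (not from the original checklist): report the local RDP
# hardening state. Registry paths are the standard Terminal Services ones.
function Get-RdpHardeningState {
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Returns the DWORD, or $null when the value has not been set
    function Read-Dword($Path, $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $enabled  = Read-Dword $tsRoot 'fDenyTSConnections'  # 0 = RDP enabled
    $nla      = Read-Dword $rdpTcp 'UserAuthentication'  # 1 = NLA required
    $secLayer = Read-Dword $rdpTcp 'SecurityLayer'       # 2 = TLS required
    # Policy-set values: 1 = that redirection type is disabled for all sessions
    $noDrives   = Read-Dword $policy 'fDisableCdm'
    $noPrinters = Read-Dword $policy 'fDisableCpm'
    $noClip     = Read-Dword $policy 'fDisableClip'

    [pscustomobject]@{
        RdpEnabled           = ($enabled -eq 0)
        NlaRequired          = ($nla -eq 1)
        TlsRequired          = ($secLayer -eq 2)
        DriveRedirectOff     = ($noDrives -eq 1)
        PrinterRedirectOff   = ($noPrinters -eq 1)
        ClipboardRedirectOff = ($noClip -eq 1)
    }
}

$state = Get-RdpHardeningState
$state
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication'
}
if ($state.RdpEnabled -and -not ($state.DriveRedirectOff -and $state.PrinterRedirectOff)) {
    Write-Warning 'Drive or printer redirection is not disabled by policy; exceptions should be per user, not the default'
}
```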
- Is there centralized logging?
- Is there centralized alerting?
- Is there an Intrusion Detection System / SIEM Solution (log correlation) in place?
- Are the logs reviewed regularly?
- Are device passwords changed from their defaults upon setup (including Wifi access points, network switches, iLO/DRAC/etc. devices)?
- Are devices configured to only accept SSL connections wherever possible?
- Are there procedures for devices with storage (such as copiers) to be certifiably wiped upon decommission?
- Are printers appropriately monitored and in a physically secure area where only authorized users have access?
- Are backups encrypted?
- Are backups physically secured?
- Is Volume Shadow Copy / Equivalent enabled?
- Are there off-site backups?
- Are the offsite backups transferred securely?
- Are the offsite backups physically secured?
I'd like to thank CISSP Michael Schenck, the members of the Long Island Windows Administrator's Group, the members of the Long Island Linux User Group - Security and Infrastructure Special Interest Group, and the members of the New York Small Business Server/New York Small Business Specialists User Group who contributed to the creation of this list.