
Complete basic cybersecurity hygiene tasks

After you have completed the steps to Get started with ActZero’s Managed Detection & Response services, there are a few basic security hygiene tasks that, when complete, establish a foundation upon which to build your organization’s cybersecurity posture.

The following tasks address common cybersecurity vulnerabilities. Complete each of these tasks to introduce a basic level of security hygiene in your network infrastructure.

Apply all patches and updates

Attackers can potentially access your network through endpoints that use out-of-date or insecure software. Secure the endpoints in your network – servers, desktop computers, tablets, laptops, etc. – by ensuring that the software and operating systems of each are up-to-date.

  1. Use Microsoft’s instructions for Configuring Windows Update for Business to organize the devices in your network infrastructure and define when and how to automatically update devices with software patches and updates.
  2. Use Microsoft’s instructions to set deadlines for updates and restarts to occur every week on the devices in your network.

Configure host-based firewalls

Set policies on host-based firewalls in your network to protect the devices in your organization from unwanted network traffic. These policies should reasonably restrict the inbound and outbound traffic to each device.

Use Microsoft’s instructions for Windows Firewall service to manage group policies with advanced security.

  • Apply policies to disable unnecessary applications on workstations.
  • Apply policies to control IP-specific inbound or outbound services.
  • Restrict the deployment of any administrative programs to a subset of reserved, management IP addresses.

Apply full disk encryption

Protect your digital assets by applying full disk encryption to all the devices in your network. Disk encryption turns readable information into unreadable, encrypted code. Should an attacker gain access to an asset, disk encryption helps to prevent them from reading or using its content.

Use Microsoft’s Windows BitLocker Drive Encryption service instructions for group policy settings to apply full disk encryption on all devices in your network.

Set up password management

Once upon a time, it was not unusual to see system login credentials written on a Post-it note attached to a computer monitor. This old practice and other weak password management systems are an open door for attackers. Set up a proper system to securely store and manage access to the login credentials for users to gain access to devices and systems in your network.

  1. Download and install Microsoft’s Local Administrator Password Solution (LAPS). This tool stores login credentials in Active Directory (AD), where only legitimate users can access the credentials or request their reset.
  2. Use LAPS to apply reasonable restrictions to all accounts and groups. With some restrictions in place, should an attacker compromise one account, they will not have access to more than a few systems in your network.
  3. Ensure that users in your organization do not share administrator account credentials for systems.

Apply password policies for domain users

Configure and enforce password policies to limit an attacker’s ability to gain access to a user’s account via a brute force or credential stuffing attack.

  1. Use Microsoft’s Password Policy to configure password policy settings via the Group Policy Management Console.
  2. Use Microsoft’s Enforce password history instructions to set users’ password history to greater than five. This ensures that users cannot reuse the same passwords often.
  3. Use Microsoft’s Maximum password age instructions to set the maximum password age to fewer than 90 days.
  4. Apply an Account Lockout Policy that includes an account lockout threshold of fewer than five attempts, and an account lockout duration that is greater than five minutes.
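
To confirm that the effective domain policy meets the four thresholds above, the following PowerShell check can be used. It is an added example, not ActZero's or Microsoft's code: Test-PasswordHygiene is a hypothetical helper name and the sample policy object is constructed so the script runs without a domain. It also flags values of zero, which Active Directory treats as "never expire" and "never lock out".

```powershell
# Added example: audit a domain password policy against this page's thresholds.
# Test-PasswordHygiene is a hypothetical helper name, not a built-in cmdlet.
function Test-PasswordHygiene {
    param([Parameter(Mandatory)] $Policy)

    $maxAgeDays  = $Policy.MaxPasswordAge.TotalDays
    $lockMinutes = $Policy.LockoutDuration.TotalMinutes

    [pscustomobject]@{
        Check  = 'Password history greater than 5'
        Actual = $Policy.PasswordHistoryCount
        Pass   = ($Policy.PasswordHistoryCount -gt 5)
    }
    [pscustomobject]@{
        # A maximum age of zero means passwords never expire, so it fails.
        Check  = 'Maximum password age fewer than 90 days'
        Actual = "$maxAgeDays days"
        Pass   = (($maxAgeDays -gt 0) -and ($maxAgeDays -lt 90))
    }
    [pscustomobject]@{
        # A threshold of zero means accounts are never locked out, so it fails.
        Check  = 'Lockout threshold fewer than 5 attempts'
        Actual = $Policy.LockoutThreshold
        Pass   = (($Policy.LockoutThreshold -gt 0) -and ($Policy.LockoutThreshold -lt 5))
    }
    [pscustomobject]@{
        Check  = 'Lockout duration greater than 5 minutes'
        Actual = "$lockMinutes minutes"
        Pass   = ($lockMinutes -gt 5)
    }
}

# Constructed sample policy (not real data): lockout is disabled here.
$sample = [pscustomobject]@{
    PasswordHistoryCount = 24
    MaxPasswordAge       = (New-TimeSpan -Days 60)
    LockoutThreshold     = 0
    LockoutDuration      = (New-TimeSpan -Minutes 30)
}
Test-PasswordHygiene -Policy $sample | Format-Table -AutoSize

# On a domain-joined host with the ActiveDirectory module installed:
# Test-PasswordHygiene -Policy (Get-ADDefaultDomainPasswordPolicy)
```

Get-ADDefaultDomainPasswordPolicy reports only the default domain policy; fine-grained password policies that apply to specific users or groups are listed separately by Get-ADFineGrainedPasswordPolicy.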
