Want to ensure your network and organization are secure against internal and external threats?
Internal and external attacks cause significant harm and upheaval to an organization. From insider threats to social engineering to email-borne threats, organizations must apply measures to protect their networks. However, as networks have become fuzzy at the edges, with cloud computing changing our working habits and expanding to incorporate myriad devices and apps, securing the network has become challenging. These challenges are reflected in the statistics:
- There was a 72% increase in data breaches between 2021 and 2023.
- A staggering 94% of organizations experience email security incidents.
- In 2023, 349,221,481 people were impacted by data breaches.
- Over the last five years, 76% of organizations have suffered from insider threats. However, less than 30% have the right tools to prevent it.
- 90% of MSPs have been victims of a successful cyberattack, and 82% have experienced increased attacks targeting their clients.
Securing your network is tough. However, TitanHQ has developed a toolkit to get you started. Our Network Security Checklist gives you tips and tricks for effective network security and guides you on assessing, configuring, installing, and maintaining your network environment.
1. Policies and Security Rules
Let’s begin with policies. Here's a short list of the security and compliance policies every company with more than two employees should develop and deploy to help secure their network, communications, and users:
- Acceptable Use Policy
- Internet Access Policy
- Email and Communications Policy
- Workplace security policies, including identity and access policies
- Network Security Policy
- Remote Access Policy
- BYOD Policy
- Encryption Policy
- Privacy Policy
2. Steps for Provisioning Servers
Data is a valuable commodity that can be quickly sold or traded. Because an organization's servers typically store most of its most valuable data, they are a prime target for attackers. To harden your network against these attacks, TitanHQ has provided some tips for securing your servers against common data threats.
The first step is to create a server deployment checklist and ensure the recommendations are on the list. Then, before deploying a server to production, ensure that each server you deploy complies 100% with the recommended standards. Ensuring that your servers follow common security and provisioning standards will reduce the risks of data breaches and make it easier for administrators to manage.
Server List
Audit your environment and create documentation that lists every server, its specifications, and its purpose within the network. Keep it as a quick reference that is easily updated as your environment changes, new servers are added, and old ones are retired. The server list should record, for each server, its name, purpose, IP address, date of provisioning, date of deployment to production, service tag (if physical), rack location or default host, operating system, and responsible person, plus any additional information needed for maintenance.
Responsible Party Per Server
Document the person responsible for maintaining the server. The person or team responsible for the server should know what the server is for. They are responsible for ensuring it is kept updated and can investigate any anomalies associated with that server.
Naming Convention
Naming conventions may seem unrelated to security, but quickly identifying a server is critical when you spot anomalies or potentially unauthorized traffic. During incident response, every second counts, so a consistent naming convention helps administrators identify servers and locate them within the network more quickly. It is especially important in large environments where servers are spread across different geolocations.
Network Configurations
Perform quality assurance on all network configurations. Ensure that every setting is correct, including static IP address assignments, DNS servers, WINS servers (if still in use), whether a particular interface registers in DNS, binding order, and which services are turned off on DMZ, OOB (out-of-band) management, or backup networks.
IPAM (IP Address Management)
All servers should be assigned static IP addresses, and the assignments must be maintained in your IP Address Management (IPAM) tool, even if that is only a spreadsheet. When strange traffic is detected, it's vital to have an up-to-date, authoritative reference for every IP address on your network.
Patching
Once the operating system is installed, every server deployment must be fully patched. The server should then be added to the patch management application so that future updates are applied automatically.
Antivirus
All servers must run antivirus software that reports status to your central management console. Any scan exclusions (directories or files the scanner skips) must be documented on your server list so that, if malware is found on the network, those excluded paths can be checked manually.
Host Intrusion Prevention and Firewall Deployment
If you use host intrusion prevention, you must ensure it is configured according to compliance standards and business productivity requirements. Reports should provide analytics and information to identify anomalies that should be investigated. In addition, software firewalls must be configured to permit authorized traffic across the network environment but reject unauthorized traffic. Legitimate traffic might include remote access, logging and monitoring, web hosting, and other business services.
Remote Access
Pick one remote access solution and stick with it. For Windows servers, RDP (Remote Desktop Protocol) is commonly used, and SSH (Secure Shell) is typical for Linux and other Unix-like systems. Setting a standard makes security management more efficient and protects the environment from misconfigured third-party remote access services. Remote administration services should be reachable only by authorized administrators, ideally from a dedicated management network, and must be monitored for unauthorized access.
UPS and Power-Saving
Ensure all servers are connected to a UPS (Uninterruptible Power Supply). A UPS keeps servers and other critical network resources from downtime during an electrical brownout or blackout, which will interrupt services and could cause reboot failures. Data centers use power generators to avoid power-based downtime, but they could be too expensive for small businesses. At worst, a UPS allows administrators to gracefully power down equipment during long-term power outages, reducing the chance of data corruption and bugs.
Importantly, test the UPS regularly, including its batteries, so that it actually works when power is lost.
Domain Joined
For Windows-based environments, all servers and workstations should be joined to a domain where Active Directory (AD) controls permissions and network resource access. Non-Windows servers and workstations in a Windows environment should authenticate using LDAP (Lightweight Directory Access Protocol). LDAP connects users to Active Directory so that the domain controller manages permissions on non-Windows devices as well.
Rename the Administrator Account, Reset the Account's Password, and Enforce MFA
Rename the local administrator account on workstations and servers, and set and document a complex, unique password of at least 12 characters (the same minimum the user password policy below requires; longer is better for privileged accounts). Use a password vault to store passwords instead of keeping them in plaintext files or on paper. The vault itself must be protected by a strong master password, but it is easier to remember one complex password than a different one for every server.
Use multi-factor authentication (MFA) to strengthen an administrator's access control to network resources. MFA could be an auto-generated app code or biometric if supported. Multi-factor authentication reduces risk, but it is not a complete answer. MFA should be used in combination with least privilege permissions.
Assign Local Group Memberships and Least Privilege Permissions
Least privilege access is a fundamental policy to apply across your network: every user, service, and device gets only the permissions its task requires, for only as long as it requires them. NIST describes the goal of identity and access management the same way, as ensuring "the right people and things have the right access to the right resources at the right time."
Use policies to grant administrators least-privilege permissions. Granting privileges on a need-to-know basis reduces the risk of accidental or malicious unauthorized access to network resources. Role-based access control (RBAC) and attribute-based access control (ABAC) models should be used to enforce least privilege. These authorization policies enforce access on a need-to-know basis and allow more granular administration rights. Assigning permissions to groups rather than to individuals also makes user permissions easier to manage and limits what a single stolen credential can reach.
Manage OU with Appropriate Policies
Using Active Directory, you can use Organizational Units (OUs) to group servers and network resources into logical groups and apply Group Policy to each group. OUs are the basis for managing security across departments within the internal network: in large environments, use OUs so that servers and resources belonging to critical departments are governed by their own policies and do not share sensitive data with unauthorized users.
Reporting Data to Management Consoles
Central analytics dashboards display reports to stakeholders and administrators so that the network environment can be monitored. All servers and network resources should be configured to send data to centralized reporting dashboards for manual review and investigations into anomalous behaviors.
Disable Unnecessary Services
Disable any service a server does not need to run. Every listening service that is not required, documented, and monitored enlarges the server's attack surface (and costs power and patching effort for no benefit).
Configuring SNMP
If you use SNMP (Simple Network Management Protocol), change the default community strings, prefer SNMPv3 with authentication and encryption where the platform supports it, and restrict management access to known, authorized systems.
Installed Agents
Agents can be misconfigured and add security vulnerabilities. Backup agents, logging agents, management agents, and any other third-party installations used to manage your network must be deployed, configured, and tested before a server integrates into the production environment.
Backups
Backups are critical components in disaster recovery, business continuity, and compliance. Use a backup system to ensure you do not suffer from data loss after a cybersecurity incident or server failure.
Restoring Data
An important aspect of backup automation is using a system that checks for data corruption. Test your backup restoration process in a test environment to ensure backups are correctly recovered in a disaster.
Vulnerability Scans
The 2019 Capital One breach demonstrated the impact of poorly configured network resources. Over 100 million customers were affected after a former cloud-provider engineer used scanning tools to find and exploit a misconfiguration in the company's cloud environment that exposed its cloud-based data stores.
When a server is ready for deployment into production, perform a full vulnerability scan checking for security issues before accepting the build for deployment. A vulnerability scan will scan the attack surface of a network, finding misconfigurations, outdated software, operating system bugs, and common application vulnerabilities. The scan results can be used to generate reports that help an organization mitigate security issues. The actions include patching, updating software, reconfiguring agents and other systems, or implementing specific security measures. After the initial vulnerability scan, regular scans must be carried out. These scans should be done for all servers, software, and infrastructure on the network.
Sanity Checks on Servers
Someone other than the person who built the server should spot-check it to be sure all testing and scans were performed before it's deployed to production. By "signing" it, the secondary user verifies that the server meets the organization's security policies and standards requirements. Having a secondary administrator sign off on server requirements adds another layer of security to ensure the initial build didn't miss any software installations or security configurations.
3. Deploying Workstations
User workstation configurations and permissions are critical to security across your network. Unfortunately, most workstation manufacturers ship machines with default operating system configurations, often with unnecessary software pre-installed. Any third-party component or application can add vulnerabilities that attackers can use to gain unauthorized access to data or systems; a default password in a pre-installed app is a typical example. To mitigate the risks of poorly configured and default settings, administrators must review, configure, and set up workstations for corporate users before they are issued. Use the CVE (Common Vulnerabilities and Exposures) database to keep up to date with significant workstation vulnerabilities.
Here is a list of tips to ensure that a workstation meets business standards and security requirements.
Audit Workstations and Keep a List
Visibility is critical to oversight of security vulnerabilities. Audit your network devices and maintain a list of all workstations. Like the server list, it should record whom each workstation was issued to and when its lease is up or it reaches the end of its depreciation schedule. Tag workstations with a name that follows your naming convention so that they can be located when necessary.
Assign a User to a Workstation.
Log the user assigned to the workstation so that it can be tracked to an office location. Auditing and logging the user assigned to a workstation will make managing updates and patches easier. IT support can contact the user before any work is done to the workstation, warning them of any changes that may affect their work schedule.
Naming Conventions
Workstations should follow the same naming convention as servers for consistency. They should be named for their location or the group they belong to. Every organization has its rules for naming conventions, but they should be consistent for every workstation on the network for easy identification and location.
Network Configuration
Most administrators assign IP addresses using DHCP (Dynamic Host Configuration Protocol), so review the DHCP scopes to ensure that servers and workstations receive appropriate assignments. Give critical workstations and network resources, such as hosts in the DMZ (Demilitarized Zone), DHCP reservations or static addresses so their addresses are predictable and recorded in IPAM, and use Group Policy Objects (GPOs) to enforce their network settings.
Read more: “Best Firewall Security Zone Segmentation for Optimal Network Security.”
Patching
Any workstation with access to the Internet is at higher risk than an internal server isolated from Internet activity. For example, CACTUS ransomware operators have gained initial access by exploiting vulnerable Virtual Private Network (VPN) appliances and, in later campaigns, publicly known vulnerabilities (tracked as CVEs) in the Windows version of the Qlik Sense business analytics platform. Once inside the network, they use built-in tools such as PowerShell to find workstations, enumerate user accounts, and ping remote endpoints.
Workstations should be automatically patched using a patch management system, especially for applications responsible for the machine's security. The operating system, antivirus software, installed applications, and firmware should be updated with the latest vendor patches. Patch all software on the workstation before sending it to the assigned user.
Install Antivirus
All workstations should have antivirus installed and kept updated as the vendor releases signature and engine updates. Users should not have permission to turn off antivirus, and compliance checks should alert when a workstation falls out of compliance with antivirus requirements. Endpoint anti-malware is the last line of defense against email-borne malware and against malware delivered through compromised cloud-based apps.
Read more: “What are Advanced Malware Threats?”
Host Intrusion Prevention and Firewalls
Consider using a host intrusion prevention or personal firewall product on the workstation to provide more defense against host-based threats, especially for mobile devices used on public Wi-Fi and private networks. Personal firewalls enforce policies to control network traffic and communications.
Remote Access Privileges
In 2023, 72% of global respondents were very or somewhat concerned about the security risks of remote employees. In the same way that server access is secured, choose a single remote access method as the standard for any remote control software. Ban all other remote control applications to avoid vulnerabilities and misconfigurations and to ensure administrators can manage what is used on workstations. Ensure only authorized users can access a workstation remotely, and require remote users to use their own network credentials instead of shared credentials. Enforce the principle of least privilege based on RBAC and ABAC.
Power Saving Configurations
Consider deploying power-saving settings using a Group Policy Object (GPO) to help extend the life of your hardware. While power savings for a single workstation might seem small, added up, they can save thousands in power consumption costs in large network environments.
Domain Joined
All Windows workstations should be assigned and joined to a domain so that every workstation is controlled using Windows Active Directory. Non-Windows workstations should be managed using LDAP.
Archive
If regulations like FINRA and HIPAA cover your company, you must use an email and data archive service. An email archive automatically captures any inbound and outbound emails across your network. The repository is designed to save communications securely for a specific number of years as directed by the regulations. The archive is searchable, and emails can be retrieved as needed.
Read more on email archiving.
Use Best Practices for User Access Control
Enforce the use of best practices based on your access policy. These best practices should include the following:
- Require strong passwords: passwords should be at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and special characters. Do not allow previously used passwords to be reused at password changes.
- Use a password manager.
- Enforce MFA: require users to present an additional authentication factor, such as a one-time code.
- Limit session lifetime and do not allow "remember me" options.
- Change default passwords immediately.
- Implement "just in time" (JIT) access: users receive elevated privileges only when needed and only for a limited time.
Assign Local Group Memberships and Permissions
Google research has found that 86% of breaches involve stolen credentials. Granular privilege and access permissions should be assigned using rules based on RBAC and ABAC. By enforcing the least privilege using these access policies, you mitigate the risks associated with unauthorized access.
Use an OU with Appropriate Policies
Organize your workstations in Organizational Units and manage them with Active Directory Group Policies to ensure consistent management and configuration.
Reporting Data to Management Consoles
Validate that each workstation reports to the central management and patch consoles so that you can confirm all software has the latest patches and updates. The primary dashboard also provides reports on workstation use and can be used to detect abnormal behavior.
Backups and Disaster Recovery
Users should store critical data in a network directory so that backup systems can include user-generated data when they take a snapshot of business data. Workstations can be imaged if they need to be restored after hardware failure. Images restore all data and applications so that administrators do not manually install software during workstation disaster recovery.
Local Data Encryption
Local data encryption protects against data loss when a mobile device or workstation is lost or stolen. Whether you use BitLocker, FileVault, LUKS, or hardware (self-encrypting drive) encryption, make full-disk encryption mandatory and escrow the recovery keys centrally. (TrueCrypt is discontinued and should no longer be used.) For data leaving the workstation, for example in email or uploads to external servers and clients, apply Data Leak Prevention (DLP) controls through a DLP solution.
Read more: “What is Data Leak Prevention (DLP)?”
Vulnerability Scans
Perform regular vulnerability scans of your workstations, at minimum a random sample each cycle, to help ensure they are up to date.
4. Network Equipment
Corporate network infrastructure is easy to overlook but critical to secure and maintain. The following checklist includes recommendations for all network equipment and platform-specific suggestions.
Audit Network Hardware and Document it in a List
Maintain a network hardware list like your server list. The list should include the device name, type, location, serial number, service tag, and responsible party.
Network Configurations
Having a standard configuration for every type of device helps maintain consistency and facilitates management. Consistent configurations avoid misconfigurations that can lead to vulnerable devices and potential compromise.
IPAM (IP Address Management)
Assign static IP addresses to all management interfaces, add A (address) records to DNS, and track everything in an IP Address Management (IPAM) solution.
Patching
Network hardware must be patched with the same discipline as workstations and server operating systems. Develop a patch strategy that covers your network hardware. Keep firmware current and install security updates quickly. Test each firmware update on a lab or spare device before rolling it out to production.
Remote Access
Use the most secure remote access method your platform offers. For most hardware, that is SSH (Secure Shell) version 2. SSH is a cryptographic network protocol that creates an encrypted, authenticated channel over an untrusted network, so the communication between an administrator and a network device cannot be read or altered in transit. This defeats Man in the Middle (MITM) attacks, provided administrators verify the device's host key rather than blindly accepting it.
When enabling SSH version 2, also disable telnet and SSH version 1, enforce robust password policies, and where possible enable MFA on both remote and local (serial or console) connections.
Unique Credentials
Use a password vault and management system that requires unique credentials for every network device. The remote management solution should also monitor access and restrict remote control to only authorized users. Again, work towards the least privilege principle and use robust authentication options.
SNMP Configurations
If administrators use SNMP (Simple Network Management Protocol), change the default community strings, restrict polling to authorized management stations with an access list, and prefer SNMPv3 with authentication and encryption where the device supports it. If SNMP is not needed, disable it to reduce your attack surface.
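The SSH, telnet, and SNMP checks above (and the server SNMP advice in section 2) are easy to verify mechanically against a device's exported running configuration. The script below is an added example written for this article, not TitanHQ code or any vendor's tool; it parses a constructed Cisco IOS-style config with simple line matching and reports each deviation. It assumes the IOS syntax shown in the sample, treats a vty line with no "transport input" statement as permitting telnet (the conservative assumption, since older IOS defaults allowed every protocol), and only understands the "snmp-server community NAME [RO|RW] [acl]" form.

```python
"""Audit a Cisco IOS-style running config for the remote-access and SNMP
settings discussed above.  Constructed sample configs; line-oriented
parsing written for this article, not a vendor tool."""

import re

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample: still allows telnet, SSH v1, and the 'public' string.
SAMPLE_CONFIG = """\
hostname dmz-sw01
ip ssh version 1
snmp-server community public RO
snmp-server community n3tMon RW 10
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
line con 0
 login local
"""

# Constructed sample after remediation: SSH v2 only, RO SNMP behind ACL 10.
HARDENED_CONFIG = """\
hostname dmz-sw01
ip ssh version 2
snmp-server community Q7xmon RO 10
line vty 0 15
 transport input ssh
 login local
"""


def audit_config(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    ssh_version = None
    vty_blocks = []          # [header, set_of_transports_or_None]
    current = None           # the 'line ...' block being parsed
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip ssh version (\d)", line)
        if m:
            ssh_version = int(m.group(1))
        elif line.startswith("line "):
            current = [line, None]
            if line.startswith("line vty"):
                vty_blocks.append(current)
        elif line.startswith("transport input") and current is not None:
            current[1] = set(line.split()[2:])
        elif line.startswith("snmp-server community"):
            parts = line.split()
            community = parts[2]
            mode = parts[3].upper() if len(parts) > 3 else "RO"
            has_acl = len(parts) > 4   # assumption: 5th token is the ACL
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"SNMP: default community string '{community}' is configured")
            if not has_acl:
                findings.append(f"SNMP: community '{community}' has no access-list restricting management stations")
            if mode == "RW":
                findings.append(f"SNMP: community '{community}' is read-write; prefer read-only or SNMPv3")
    if ssh_version != 2:
        findings.append("SSH: 'ip ssh version 2' is not set (device may still accept SSH v1)")
    for header, transports in vty_blocks:
        if transports is None:
            findings.append(f"{header}: no 'transport input' set; telnet allowed by default")
        elif transports & {"telnet", "all"}:
            findings.append(f"{header}: telnet permitted (transport input {' '.join(sorted(transports))})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_config(cfg) or ["clean"]:
            print(" ", f)
```

Run it against a nightly export of each device's configuration and treat any non-empty result as a ticket; the same loop extends naturally to checks such as "no ip http server" or missing login banners.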
Backups and Disaster Recovery
Disasters happen, so backups are essential to get your company back up and running quickly. Ensure that administrators install an automated backup system that takes regular backups of network configurations whenever administrators make a change. Restore configurations to a test environment occasionally to ensure that backups are valid and uncorrupted.
Vulnerability Scans
Include all network resources in your regular vulnerability scans to detect misconfigurations or outdated firmware so that these issues can be remediated immediately.
Use Switches to Configure VLANs (Virtual LANs)
Use VLANs to segregate traffic types so critical data is unavailable on the open network. VLANs segregate networks into logical groups, and every workstation, server, management tool, and backup should be on a VLAN to contain traffic.
Promiscuous Devices and Hubs
A network card in promiscuous mode captures all traffic on its segment, not just traffic addressed to it, and hubs or unmanaged switches give such a card far more to capture. Configure port security on your switches (for example, limiting the MAC addresses allowed per port and requiring 802.1X) so users cannot run sniffing devices or connect hubs or unmanaged switches without prior authorization.
Disable Ports
Ports not assigned to specific devices should be disabled or set to a default guest network that cannot access the internal network. This configuration prevents external devices from connecting to your internal network from empty offices or unused cubicles.
Firewalls
Firewalls should be configured to block unauthorized traffic and allow only the traffic that legitimate services need. The following principles help with firewall setups.
- Explicit permits, implicit deny: 'Deny All' should be the default response on all access lists, inbound and outbound, with specific permit rules added only for approved services.
- Logging and alerts: log all violations and promptly investigate alerts.
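To make "explicit permits, implicit deny" concrete, here is an added example written for this article (not TitanHQ code and not any firewall vendor's engine): a first-match rule evaluator over a constructed policy. Rule order matters, anything that matches no permit rule falls through to the implicit deny, and every deny, explicit or implicit, is written to a log list that a SOC would review. The addresses, rules, and sample packets are all constructed.

```python
"""First-match firewall policy evaluation with implicit deny and
violation logging.  Policy and packets are constructed for this article."""

import ipaddress
from dataclasses import dataclass


def _in_net(addr, cidr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    direction: str   # "in" (toward the protected network) or "out"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    proto: str       # "tcp", "udp" or "any"
    dport: int = 0   # 0 = any destination port
    note: str = ""

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and _in_net(pkt.src, self.src)
                and _in_net(pkt.dst, self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (0, pkt.dport))


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


# Constructed policy: explicit permits only; everything else falls through.
POLICY = [
    Rule("permit", "in",  "any",           "192.0.2.10/32", "tcp", 443, "public web server"),
    Rule("permit", "out", "10.10.0.0/16",  "any",           "tcp", 443, "users browse HTTPS"),
    Rule("permit", "out", "10.10.1.10/32", "any",           "udp", 53,  "DC forwards DNS"),
    Rule("deny",   "out", "10.10.0.0/16",  "any",           "tcp", 445, "never leak SMB"),
]


def evaluate(policy, pkt, log):
    """Return 'permit' or 'deny'; every deny (explicit or implicit) is logged."""
    for idx, rule in enumerate(policy):
        if rule.matches(pkt):
            if rule.action == "deny":
                log.append(f"DENY rule#{idx} ({rule.note}): {pkt}")
            return rule.action
    log.append(f"DENY implicit (no matching rule): {pkt}")
    return "deny"


def run_samples():
    """Evaluate constructed traffic; returns (decisions, violation log)."""
    log = []
    samples = [
        Packet("in",  "203.0.113.5", "192.0.2.10",   "tcp", 443),  # web traffic: permit
        Packet("in",  "203.0.113.5", "192.0.2.10",   "tcp", 22),   # SSH from Internet: implicit deny
        Packet("out", "10.10.2.50",  "198.51.100.9", "tcp", 445),  # SMB egress: explicit deny
        Packet("out", "10.10.2.50",  "198.51.100.9", "tcp", 443),  # browsing: permit
        Packet("out", "10.10.2.50",  "198.51.100.9", "udp", 53),   # workstation doing its own DNS: implicit deny
    ]
    decisions = [evaluate(POLICY, p, log) for p in samples]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_samples()
    print(decisions)
    print("\n".join(log))
```

Note that the explicit SMB deny is redundant with the implicit deny; it exists so that the log entry names the policy intent ("never leak SMB") rather than a generic fall-through, which is what an analyst wants to see when triaging.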
Routers and Routing Protocol
Use only routing protocols that support authentication, enable it, and accept routing updates only from known peers, especially along the network perimeter.
5. Vulnerability Scanning
Vulnerability scanning is an essential strategy to identify weaknesses in your network. As cybercriminals continually add new tactics and techniques to their portfolio of attacks and vectors, review your scanning coverage weekly. Resources like the MITRE ATT&CK® knowledge base document the techniques adversaries use, including how they scan for vulnerable services, which helps you prioritize what your own scans should look for.
If possible, vulnerability scans should be performed automatically. Various tools exist to help you achieve this. Configure your vulnerability scanning application to scan all internal and external address spaces weekly. Here are a few more tips for vulnerability scanning.
Differences Compared Weekly
Validate any differences from one week to the next against your change control procedures to ensure no one has enabled an unapproved service or connected a rogue host.
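The weekly comparison above only works if there is an authoritative inventory to compare against, which is why section 2 insists on IPAM. Below is an added example written for this article (not TitanHQ code): it parses two weeks of constructed scan output, joins them with a constructed IPAM export and a set of change-control approvals, and reports rogue hosts (seen on the wire but not in IPAM), unapproved new services on known hosts, and hosts that have vanished. The "ip port/proto open" line format is an assumption; adapt the regex to your scanner's export.

```python
"""Diff two weekly port scans against the IPAM inventory and approved
changes.  All data below is constructed for this article."""

import re

# Constructed IPAM export: IP address -> hostname (the authoritative list).
IPAM = {
    "10.10.1.10": "srv-dc01",
    "10.10.1.20": "srv-web01",
    "10.10.2.50": "ws-fin-017",
    "10.10.2.51": "ws-fin-018",
}

# Constructed scan output, one "ip port/proto open" line per open port.
LAST_WEEK = """\
10.10.1.10 53/tcp open
10.10.1.10 88/tcp open
10.10.1.10 389/tcp open
10.10.1.20 443/tcp open
10.10.2.50 3389/tcp open
10.10.2.51 3389/tcp open
"""

THIS_WEEK = """\
10.10.1.10 53/tcp open
10.10.1.10 88/tcp open
10.10.1.10 389/tcp open
10.10.1.10 3389/tcp open
10.10.1.20 443/tcp open
10.10.1.20 8080/tcp open
10.10.2.50 3389/tcp open
10.10.2.77 22/tcp open
10.10.2.77 80/tcp open
"""

# Constructed change-control approvals: (ip, port) pairs allowed this week.
APPROVED_CHANGES = {("10.10.1.20", 8080)}

SCAN_LINE = re.compile(r"^(\S+) (\d+)/(tcp|udp) open$")


def parse_scan(text):
    """Return {ip: set(open ports)}; lines that do not match are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            hosts.setdefault(m.group(1), set()).add(int(m.group(2)))
    return hosts


def diff_scans(ipam, previous, current, approved=frozenset()):
    """Report changes between two scans relative to the inventory."""
    report = {"rogue_hosts": [], "new_services": [],
              "missing_hosts": [], "closed_services": []}
    for ip, ports in sorted(current.items()):
        if ip not in ipam:                       # on the wire, not in IPAM
            report["rogue_hosts"].append((ip, sorted(ports)))
            continue
        for port in sorted(ports - previous.get(ip, set())):
            if (ip, port) not in approved:       # new listener, no ticket
                report["new_services"].append((ipam[ip], ip, port))
    for ip, ports in sorted(previous.items()):
        name = ipam.get(ip, "not in IPAM")
        if ip not in current:
            report["missing_hosts"].append((name, ip))
        else:
            for port in sorted(ports - current[ip]):
                report["closed_services"].append((name, ip, port))
    return report


def weekly_report():
    return diff_scans(IPAM, parse_scan(LAST_WEEK), parse_scan(THIS_WEEK), APPROVED_CHANGES)


if __name__ == "__main__":
    for category, items in weekly_report().items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

In the constructed data the approved 8080 listener on srv-web01 is silent, while RDP newly listening on the domain controller and an unknown host at 10.10.2.77 both surface for investigation; a host disappearing (ws-fin-018) is worth a look too, since it may simply be powered off or may have been re-addressed outside IPAM.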
Schedule Internal Scans Monthly
Perform a full internal scan at least monthly to ensure that no rogue or unmanaged devices are on the network and that the infrastructure has the latest security patches.
6. Backups
Backup policies are critical for compliance and disaster recovery. A recent survey by Sophos found that 94% of organizations have experienced a ransomware attack in which cybercriminals attempted to access backups. Therefore, backups themselves must be secure. Every organization should have a backup policy and management systems to ensure every resource is included and the backup is held securely. Here are a few tips for your backup policy.
Establish a Tape Rotation
Establish a tape rotation policy that tracks each backup tape's location, purpose, and age. Record whether a tape is new or has been repurposed, and do not reuse tapes that held highly sensitive data for other purposes without sanitizing them first.
Have Two Copies
The backup policy should keep at least two copies of the original data. For example, if the source data is on-premises, one copy should remain on-premises for rapid recovery, and the other should be stored remotely. Remote storage is typically a cloud repository designed to handle backup volumes.
Destroy Old Tapes
When a tape has reached its end of life, destroy it to ensure no data can be recovered.
Secure Offsite Storage
Use a service that provides secure offsite data storage.
Encryption
Even reputable backup services can lose tapes. Therefore, ensure that any tape transported offsite, whether by a service or by an employee, is encrypted so that a lost tape does not become a data breach.
Restrict Access to Tapes to a Backup Operator's Group
Assign responsibility, authority, and accountability for executing the backup and recovery policy. Backup tapes contain all data, and members of the Windows Backup Operators group can bypass file-level security to back up everything. Therefore, secure physical access to tapes and restrict membership of the Backup Operators group just as tightly as the Domain Admins group.
Validate Backup File Integrity
Backups are worthless if they cannot be restored. Therefore, verify your backups at least once a month by performing test restores to ensure your data is not corrupted.
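Test restores catch corruption, but they are monthly; an integrity manifest lets you check every backup set on every run and, with a keyed MAC rather than a plain hash, an attacker who tampers with the backups (the Sophos finding above) cannot simply regenerate the manifest. The following is an added example written for this article, not TitanHQ or any backup product's code. It builds an HMAC-SHA256 manifest over a constructed backup tree in a temporary directory, verifies it, then simulates bit-rot, a deleted file, and a planted file. It assumes the MAC key and the manifest are stored somewhere the backup media cannot reach.

```python
"""HMAC-SHA256 integrity manifest for a backup set.  The backup tree,
key, and tampering below are constructed in a temp dir for this article."""

import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_mac(path, key):
    """Keyed digest of a file, streamed so large backup images fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root, key):
    """Return {relative posix path: hex mac} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_mac(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, key, manifest):
    """Return sorted (problem, path) tuples; empty means the set is intact."""
    root = Path(root)
    problems = []
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            problems.append(("missing", rel))
        elif not hmac.compare_digest(file_mac(path, key), expected):
            problems.append(("modified", rel))
    for p in root.rglob("*"):
        if p.is_file() and p.relative_to(root).as_posix() not in manifest:
            problems.append(("unexpected", p.relative_to(root).as_posix()))
    return sorted(problems)


def demo():
    """Build, verify, tamper, re-verify; returns the observed results."""
    key = os.urandom(32)        # assumption: kept off the backup media
    with tempfile.TemporaryDirectory() as root:
        root_path = Path(root)
        (root_path / "db").mkdir()
        (root_path / "db" / "accounts.db").write_bytes(b"constructed backup payload " * 100)
        (root_path / "config.tar").write_bytes(b"constructed config archive")

        manifest = build_manifest(root, key)     # store this alongside the key
        clean = verify_manifest(root, key, manifest)

        # Simulate silent corruption, a deleted archive, and a planted file.
        with open(root_path / "db" / "accounts.db", "r+b") as f:
            f.seek(10)
            f.write(b"X")
        (root_path / "config.tar").unlink()
        (root_path / "ransom_note.txt").write_bytes(b"constructed junk")
        after = verify_manifest(root, key, manifest)
    return {"entries": len(manifest), "clean": clean, "after": after}


if __name__ == "__main__":
    print(demo())
```

Verification runs as part of the backup job and again before any restore; a non-empty result blocks the restore from that set and pages the backup operator.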
7. Remote Access
Remote work has become part of the work environment, either as permanent remote employees or by using hybrid work environments. Almost half of employees have continued to work remotely post-pandemic. A remote access policy is essential for security and productivity. Policies should encompass:
Approved Methods of Access
Set up and maintain an approved method for remote access and grant remote access explicitly to each user who needs it. Ensure that users can only connect through the company-approved method and that all others are disabled.
Apply Least Privilege Permissions
Enforce the principle of least privilege and use risk-based authentication to ensure remote employees have the right level of permission from wherever they sign in.
Multi-Factor Authentication (MFA)
Consider using a multi-factor authentication (2FA/MFA) system such as tokens, smart cards, or certificates to secure remote access further. SMS codes are better than nothing but are the weakest option, since they can be phished or intercepted through SIM swapping. Logins based on FIDO2/WebAuthn security keys (the successor to FIDO U2F) resist phishing and are increasingly gaining traction.
Regular Reviews
Perform regular reviews of your remote access audit logs and spot-check with users if you see any unusual patterns, including authentication in the middle of the night or during the day when the user is already in the office.
Other Areas to Consider
Set strong account lockout policies and investigate any locked-out accounts to ensure attackers cannot use your remote access method to break into your network.
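The log review and lockout checks above can be scripted so that the spot-check list is produced for you. Here is an added example written for this article (not TitanHQ code): it parses constructed VPN authentication log lines, joins them with constructed badge-reader data, and flags successful logins outside business hours, remote logins while the user is badged into the office, and accounts with a burst of failures that should have tripped the lockout policy. The log format, the 07:00 to 19:00 window, and the five-failures-in-ten-minutes threshold are assumptions to adjust for your environment.

```python
"""Review VPN authentication logs for the patterns discussed above.
Log lines, badge data, and thresholds are constructed for this article."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Constructed VPN log (assumed format; timestamps in local time).
VPN_LOG = """\
2024-05-06T02:14:09 vpn01 auth user=jsmith result=success src=203.0.113.45
2024-05-06T09:02:11 vpn01 auth user=amalik result=success src=198.51.100.8
2024-05-06T10:15:30 vpn01 auth user=cdoe result=success src=203.0.113.77
2024-05-06T11:00:01 vpn01 auth user=rlee result=failure src=192.0.2.10
2024-05-06T11:00:07 vpn01 auth user=rlee result=failure src=192.0.2.10
2024-05-06T11:00:14 vpn01 auth user=rlee result=failure src=192.0.2.10
2024-05-06T11:00:20 vpn01 auth user=rlee result=failure src=192.0.2.10
2024-05-06T11:00:27 vpn01 auth user=rlee result=failure src=192.0.2.10
"""

# Constructed badge-reader data: user -> (badge in, badge out).
BADGE_EVENTS = {
    "cdoe": (datetime(2024, 5, 6, 8, 45), datetime(2024, 5, 6, 17, 30)),
}

BUSINESS_HOURS = (7, 19)            # assumption: successes outside 07:00-19:00 are unusual
FAIL_THRESHOLD = 5                  # assumption: mirrors the lockout policy
FAIL_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Return a list of event dicts with a parsed 'ts' datetime."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def review(events, badge_events):
    """Return (finding_type, user, timestamp) tuples worth a spot-check."""
    findings = []
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
                findings.append(("off_hours", ev["user"], ev["ts"].isoformat()))
            badge = badge_events.get(ev["user"])
            if badge and badge[0] <= ev["ts"] <= badge[1]:
                findings.append(("remote_while_in_office", ev["user"], ev["ts"].isoformat()))
        else:
            failures[ev["user"]].append(ev["ts"])
    # Burst of failures inside the window: the lockout policy should have fired.
    for user, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= FAIL_WINDOW:
                j += 1
            if j - i >= FAIL_THRESHOLD:
                findings.append(("lockout_candidate", user, times[i].isoformat()))
                break
    return findings


def run_review():
    return review(parse_log(VPN_LOG), BADGE_EVENTS)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

In the constructed data jsmith's 02:14 login and cdoe's login while badged in both go on the call list, and rlee's five failures in 26 seconds either show the lockout policy working (confirm the account locked) or that it is not configured on the VPN.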
If you perform split tunneling, enforce internal name resolution only to protect users further when they use insecure networks.
Protect your traveling users on insecure wireless networks by tunneling all their traffic through the VPN instead of enabling split tunneling.
8. Wireless Networking
Wireless networks in your business environment must be securely configured to protect data. Protection and restrictions should also be set on any guest networks. Here are a few tips to keep user data safe.
Wireless SSID
Obfuscate your SSID (Service Set Identifier) so it cannot easily be associated with your company, and do not broadcast the business SSID. Neither measure stops someone seriously interested in your wireless network, since the SSID still appears in client probe and association frames, but it does keep you off the radar of the casual war driver.
Read more: “Managing Wi-Fi Security at the DNS level.”
Encryption
Use the most robust encryption standard possible for the task. The current recognized standard for Wi-Fi security is WPA3™, which protects traffic with the Advanced Encryption Standard (AES) (AES-CCMP, with AES-GCMP-256 in WPA3-Enterprise 192-bit mode) and replaces WPA2's offline-crackable pre-shared key handshake with SAE. If you have barcode readers or other legacy devices that can only use WEP, put them on a dedicated SSID, treat that network as untrusted, and use a firewall to allow only the required port through to the central software.
Read about NIST’s AES encryption standard.
Authentication
An 802.1X network uses a RADIUS server as an authentication server. User credentials are verified, and access rights are granted at varying levels of access to the network. 802.1X networks use credentials or certificates and do not rely on a single network password. EAP-TLS is regarded as the most secure authentication protocol for 802.1X networks.
Guest Network
Use your wireless network to establish a guest network for visiting customers, vendors, and any other user without authorized internal network permissions. Do not permit connectivity from the guest network to the internal network but allow authorized users to use the guest network to connect to the Internet.
BYOD (Bring Your Own Device) Policies
Create a "Bring Your Own Device" policy for user devices, even if that policy is to prohibit users from bringing their laptops and tablets into the office. Be clear on the permissible use of data and applications on personal devices and require VPN for remote network access on personal devices.
9. Email
Email continues to be the top attack vector used by cybercriminals. Social engineering and phishing often rely on email to carry malicious content into the heart of an enterprise. Email phishing can be complex and multi-stage, especially with highly targeted attack types such as spear-phishing. Some tips to prevent email from being used to attack your network resources include the following:
Use Multiple Layers of Protection
Email attacks are often complex, use emerging threats, and are augmented with social engineering tactics. To counteract these threats, use a multi-layered approach to email security. For example, start with the basic, built-in filtering of your mail server (such as Office 365) and augment it with a dedicated third-party solution that uses advanced email filtering technologies such as AI and Natural Language Processing (NLP). Technologies like AI can identify patterns and predict emerging threats and zero-day attacks.
Deploy an email filtering solution that can filter both inbound and outbound messages to protect customer data.
Ensure that your edge devices reject directory harvest attempts.
Deploy mail filtering software that protects users from the full range of email threats, including malware, phishing, and spam.
Read more about how PhishTitan uses layers of protection to prevent email-borne attacks.
Read more: “Phishing Attack Examples and how to Prevent Them.”
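The layered approach described above, as an added example that is not TitanHQ's code or any product's filtering engine. Four independent layers (sender authentication results, attachment type, link inspection, and a simple content check for urgency language and display-name spoofing) each return findings, and the verdict is taken from the combination, so a message that passes one layer can still be caught by another. The internal domain, the blocked extensions, the phrase list and the two sample messages are all constructed for the example.

```python
"""Layered email filtering (added example; not TitanHQ's or any product's code).

Each layer inspects a message independently and returns a list of
findings; the verdict is derived from the combined findings, so a
message that slips past one layer can still be caught by another.
Policy values and messages below are constructed for the example."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                       # assumed company domain
BLOCKED_EXTENSIONS = {".exe", ".js", ".scr", ".vbs", ".bat"}
URGENCY_PHRASES = ("urgent", "verify your account", "password will expire", "wire transfer")


@dataclass
class Message:
    sender: str                     # envelope sender address
    subject: str
    body: str                       # HTML body
    headers: dict = field(default_factory=dict)
    attachments: list = field(default_factory=list)


def _host(url):
    """Hostname of a URL, or "" when the URL is malformed."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def layer_authentication(msg):
    """Layer 1: sender authentication results recorded by the receiving MTA."""
    auth = msg.headers.get("Authentication-Results", "")
    return [f for f, ok in (("spf-fail", "spf=pass"), ("dkim-fail", "dkim=pass")) if ok not in auth]


def layer_attachments(msg):
    """Layer 2: executable attachment types are blocked outright."""
    return ["blocked-attachment:" + name for name in msg.attachments
            if any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)]


def layer_links(msg):
    """Layer 3: plain-HTTP links, and links whose visible text names a different host."""
    findings = []
    for href, text in re.findall(r'<a href="([^"]+)">([^<]+)</a>', msg.body):
        host = _host(href)
        if href.lower().startswith("http://"):
            findings.append("plain-http-link:" + host)
        shown = _host(text if "://" in text else "https://" + text)
        if "." in shown and shown != host:
            findings.append("mismatched-link:" + shown + "->" + host)
    return findings


def layer_content(msg):
    """Layer 4: urgency language, and a display name that claims the internal domain."""
    findings = []
    text = (msg.subject + " " + msg.body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency-language:" + ",".join(hits))
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if INTERNAL_DOMAIN in msg.headers.get("From", "").lower() and sender_domain != INTERNAL_DOMAIN:
        findings.append("display-name-spoof:" + sender_domain)
    return findings


LAYERS = (layer_authentication, layer_attachments, layer_links, layer_content)
HARD_BLOCK = ("blocked-attachment", "display-name-spoof")


def classify(msg):
    """Combine all layers: any hard finding, or two or more soft findings, quarantines."""
    findings = [f for layer in LAYERS for f in layer(msg)]
    if any(f.startswith(HARD_BLOCK) for f in findings) or len(findings) >= 2:
        return "quarantine", findings
    return ("flag" if findings else "deliver"), findings


# Constructed messages: a credential-phishing attempt and a legitimate partner mail.
PHISH = Message(
    sender="helpdesk@example-support.net",
    subject="URGENT: password will expire today",
    body='Please <a href="http://login.example-com.net/reset">www.example.com</a> to verify your account.',
    headers={"From": "IT Helpdesk <helpdesk@example.com>",
             "Authentication-Results": "spf=fail; dkim=none"},
)
LEGIT = Message(
    sender="alice@partner.example.org",
    subject="Q3 invoice attached",
    body='Invoice is at <a href="https://portal.partner.example.org/inv/42">portal.partner.example.org</a>.',
    headers={"From": "Alice <alice@partner.example.org>",
             "Authentication-Results": "spf=pass; dkim=pass"},
    attachments=["invoice-q3.pdf"],
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, *classify(msg))
```

The point of the combination rule is that no single layer has to be perfect: the sample phishing message would be quarantined by the display-name check alone, but it also accumulates authentication, link and content findings, any two of which would quarantine it if the others were missing.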
10. Internet Access
Configure on-the-go (OtG) protection for remote users. Third-party OtG solutions filter traffic on users' laptops when they are outside the office and detect when they are back on the office network, where the office filtering solution takes over.
Deploy web content filters to protect against web-based threats. Web content filters protect your users and business from malicious websites. For example, ransomware is one of the most devastating types of cyber-attack, and web content filters stop users from downloading the malicious executables that install it on the environment.
Read about TitanHQ’s On-the-Go roaming agents.
Encryption
Use encryption to protect data across all internet access points. For example, reject website access when the site is served over HTTP rather than HTTPS. Use encryption at rest and in transit; TLS 1.3 is the current standard for protecting data in transit. TLS should also be enabled for email to prevent man-in-the-middle (MitM) attacks on mail in transit.
Malware Scanning
Scan all web activity for malware, including file downloads, streaming media, and scripts on web pages. Malware scanners should be AI-powered so that they can identify emerging threats, including those that arrive over email. Email filters must use multiple layers of protection to cast a wide net over the many forms of malware and the methods used to evade detection.
DNS Filtering
There were almost one million phishing websites online in Q1 2024. Phishing attacks often link to spoof sites to harvest credentials, steal other data, or install malware. A DNS filter can help stop users from navigating to these spoof websites. DNS filtering can also be applied on a per-device basis, for example, by applying filtering policies to Chromebook users in the education sector. DNS filters effectively break the phishing cycle.
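Per-device DNS filtering as described above, written as an added example rather than TitanHQ's product code. Each device maps to a policy group, each group blocks a set of categories, and a lookup walks up the domain hierarchy so that a listed parent domain covers its subdomains. It goes one step beyond the text by also flagging labels within edit distance 1 of a protected brand name as lookalikes, the kind of spoof site the paragraph warns about. The category list, policy names, device names, brand label and sinkhole address are all constructed.

```python
"""Per-device DNS filtering policy (added example; not TitanHQ's product code).

Every device belongs to a policy group, every group blocks a set of
categories, and a small constructed category list maps domains to
categories. Lookups walk up the domain hierarchy, so a block on
"example-phish.test" also covers "login.example-phish.test", and
labels within a small edit distance of a protected brand name are
flagged as lookalikes. All names below are constructed."""

DOMAIN_CATEGORIES = {                    # stand-in for a threat/category feed
    "example-phish.test": "phishing",
    "games.example.test": "gaming",
    "updates.vendor.example": "software",
}
POLICIES = {                             # categories blocked per policy group
    "corporate": {"phishing", "malware", "lookalike"},
    "education-chromebook": {"phishing", "malware", "lookalike", "gaming", "adult"},
}
DEVICE_POLICY = {                        # device identifier -> policy group
    "laptop-hr-01": "corporate",
    "chromebook-class-3a": "education-chromebook",
}
DEFAULT_POLICY = "corporate"             # unknown devices get the corporate policy
PROTECTED_BRANDS = {"examplecorp"}       # assumed company brand label
SINKHOLE = "0.0.0.0"                     # answer returned for blocked names


def _edit_distance(a, b):
    """Levenshtein distance, used by the lookalike heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def categorize(domain):
    """Category of the closest listed (parent) domain, a brand lookalike, or None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):                    # exact name first, then each parent
        cat = DOMAIN_CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    for label in labels:                            # e.g. "examp1ecorp" vs "examplecorp"
        for brand in PROTECTED_BRANDS:
            if label != brand and _edit_distance(label, brand) <= 1:
                return "lookalike"
    return None


def resolve_decision(device, domain):
    """Return (action, policy, category) for one query; the tuple doubles as the log record."""
    policy = DEVICE_POLICY.get(device, DEFAULT_POLICY)
    category = categorize(domain)
    action = "block" if category in POLICIES[policy] else "allow"
    return action, policy, category


def answer(device, domain, upstream_ip):
    """Address to hand back: the sinkhole for blocked names, the real answer otherwise."""
    return SINKHOLE if resolve_decision(device, domain)[0] == "block" else upstream_ip


if __name__ == "__main__":
    for dev, name in (("laptop-hr-01", "games.example.test"),
                      ("chromebook-class-3a", "games.example.test"),
                      ("printer-7", "login.example-phish.test"),
                      ("laptop-hr-01", "examp1ecorp.test")):
        print(dev, name, *resolve_decision(dev, name))
```

The same query gets different answers depending on the device: a corporate laptop may reach the gaming site while the classroom Chromebook is sinkholed, which is the per-device policy the paragraph refers to. The lookalike check is deliberately narrow (one edit from the brand label) so that it stays useful without a human review queue.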
Bandwidth Restrictions
Protect your business-critical applications by deploying bandwidth restrictions on user devices and non-critical resources. Bandwidth restrictions ensure that internet-based non-critical traffic doesn't adversely impact company functions.
Port Blocking
Block outbound traffic that could be used to bypass internet monitoring and filtering.
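An egress policy that combines the HTTPS-only rule from the Encryption item with the port-blocking rule above, as an added example that is not TitanHQ code. It evaluates each outbound connection the way a filtering proxy or egress firewall would: plain HTTP is rejected, DNS is only allowed to the internal filtering resolver so that the DNS filter cannot be bypassed by pointing a device at an outside resolver, and other destinations must be on a port allowlist. The address ranges, resolver address, allowed ports and sample connections are constructed.

```python
"""Outbound connection policy for user devices (added example; not TitanHQ code).

Evaluates a proposed outbound connection the way an egress firewall or
filtering proxy would: plain HTTP is rejected in favour of HTTPS, DNS
must go to the internal filtering resolver so the DNS filter cannot be
bypassed, and only allowlisted destination ports are permitted.
Addresses, ports and the sample connections are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # assumed corporate ranges
FILTERING_RESOLVER = ipaddress.ip_address("10.0.0.53")        # assumed internal DNS filter
ALLOWED_PORTS = {443: "HTTPS", 993: "IMAPS", 587: "SMTP submission (STARTTLS)"}
DNS_PORTS = {53, 853}                                         # plain DNS and DNS-over-TLS


@dataclass(frozen=True)
class Connection:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    scheme: Optional[str] = None      # "http"/"https" for web requests seen by the proxy


def evaluate(conn):
    """Return ("allow" | "deny", reason) for one connection attempt."""
    ip = ipaddress.ip_address(conn.dst_ip)
    if conn.dst_port in DNS_PORTS:                 # checked first: applies to internal hosts too
        if ip == FILTERING_RESOLVER:
            return "allow", "DNS via filtering resolver"
        return "deny", "DNS must use the filtering resolver"
    if any(ip in net for net in INTERNAL_NETS):
        return "allow", "internal destination"
    if conn.scheme == "http" or conn.dst_port == 80:
        return "deny", "plain HTTP rejected; HTTPS required"
    if conn.dst_port in ALLOWED_PORTS:
        return "allow", ALLOWED_PORTS[conn.dst_port]
    return "deny", f"port {conn.dst_port}/{conn.proto} not in egress allowlist"


def denied(connections):
    """Filter a batch and return log-style records for the denied attempts."""
    records = []
    for c in connections:
        action, reason = evaluate(c)
        if action == "deny":
            records.append(f"DENY {c.dst_ip}:{c.dst_port}/{c.proto} ({reason})")
    return records


SAMPLE = [                                            # constructed connection attempts
    Connection("203.0.113.10", 443, scheme="https"),  # normal web traffic
    Connection("203.0.113.10", 80, scheme="http"),    # plain HTTP
    Connection("198.51.100.1", 53, proto="udp"),      # DNS to an outside resolver
    Connection("10.0.0.53", 53, proto="udp"),         # DNS to the filtering resolver
    Connection("10.20.1.5", 445),                     # internal file share
    Connection("203.0.113.44", 8080),                 # unlisted port to the Internet
]

if __name__ == "__main__":
    for line in denied(SAMPLE):
        print(line)
```

Port rules cannot see inside TLS, so DNS carried over HTTPS on port 443 still reaches the filtering proxy, which is why the DNS filter and the web filter are listed as separate layers in this checklist rather than one replacing the other.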
11. File Shares
File shares available on the network should be secured and monitored for unauthorized access. Users can share files on the network, but administrators should implement safeguards to protect data from malware and from external and internal threats. Here are a few tips.
Least Privilege Principle
The "least privilege" principle is a strategy that limits user permissions to only the data necessary for a user to perform their job function. For example, the default permission should be set to "read only" unless users need permission to update data. "Full control" should only be granted to admins, and even then, control can be granular by applying rules that dynamically change permissions based on attributes like geographic location (ABAC).
Remove the Everyone and Authenticated User Groups
Default group permissions can be overprovisioned and open security gaps. Remove the "Everyone" group from legacy shares and the "Authenticated Users" group from new shares. Apply tighter, least-privilege permissions, allowing access only to the "Domain Users" group. Depending on your identity management system, permission changes can be made manually or using automation tools.
Groups
Avoid assigning permissions on an individual basis. Instead, create user groups based on roles and assign users to these groups. Permissions can then be set using RBAC. It's easier to track and manage permissions and limit mistakes on data access.
Use Delegated Authorization of Access Rights
Prefer explicitly allowing user permissions over explicitly blocking them. For example, a "Deny Access" permission blocks specific users while leaving everyone else able to access the resource. Instead, leave the default as deny-all and configure permitted access on a role or group basis using authorization models like RBAC and ABAC.
Delegation of access rights can help alleviate IT overhead. Delegation is governed by authorization models such as RBAC and allows an organization to redistribute authority. With a 53% increase in cyber threats targeting Microsoft Office in 2023, enforcing access controls requires an organization to make use of its teams and apply authorization-led delegation models.
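The four file-share rules in this section (least privilege, no "Everyone" or "Authenticated Users", permissions via role groups, allow rather than deny), applied as an audit over an ACL export. This is an added example, not TitanHQ code; the ACL entries are constructed rather than exported from a real file server, and the role-group naming prefix and admin group name are assumptions. The `recommended_acl` helper builds the least-privilege form the text describes, and the audit returns no findings for it.

```python
"""File share ACL audit against the checklist rules (added example; not
TitanHQ code, and the ACL entries are constructed rather than exported
from a real file server).

Rules checked:
  * "Everyone" / "Authenticated Users" must not be granted on a share
  * no explicit Deny entries: rely on default-deny plus explicit Allow
  * rights go to role groups (naming convention assumed), not individuals
  * "FullControl" only for the admin group; everyone else Read or Modify"""
from dataclasses import dataclass

ADMIN_GROUP = "DOMAIN\\G-Share-Admins"    # assumed admin group
BROAD_GROUPS = {"Everyone", "Authenticated Users"}
ROLE_GROUP_PREFIX = "DOMAIN\\G-"          # assumed naming convention for role groups


@dataclass(frozen=True)
class Ace:
    share: str
    principal: str       # group or account the entry applies to
    kind: str            # "Allow" or "Deny"
    rights: str          # "Read", "Modify" or "FullControl"


def is_role_group(principal):
    return principal.startswith(ROLE_GROUP_PREFIX)


def audit(aces):
    """Return (share, rule, principal) for every entry that breaks a rule."""
    findings = []
    for ace in aces:
        p = ace.principal
        if p in BROAD_GROUPS:
            findings.append((ace.share, "broad-group", p))
        elif ace.kind == "Deny":
            findings.append((ace.share, "explicit-deny", p))
        elif not is_role_group(p):
            findings.append((ace.share, "individual-account", p))
        if ace.rights == "FullControl" and p != ADMIN_GROUP:
            findings.append((ace.share, "excessive-rights", p))
    return findings


def recommended_acl(share, reader_groups, writer_groups=()):
    """Least-privilege ACL: admins FullControl, readers Read, writers Modify, nothing else."""
    acl = [Ace(share, ADMIN_GROUP, "Allow", "FullControl")]
    acl += [Ace(share, g, "Allow", "Read") for g in reader_groups]
    acl += [Ace(share, g, "Allow", "Modify") for g in writer_groups]
    return acl


SAMPLE_ACL = [                                                          # constructed export
    Ace("\\\\fs01\\Finance", "Everyone", "Allow", "Read"),               # legacy broad grant
    Ace("\\\\fs01\\Finance", "DOMAIN\\G-Finance", "Allow", "Modify"),
    Ace("\\\\fs01\\Finance", "DOMAIN\\jsmith", "Allow", "FullControl"),  # individual, too much
    Ace("\\\\fs01\\Finance", "DOMAIN\\contractor1", "Deny", "Read"),     # deny-based control
    Ace("\\\\fs01\\Finance", ADMIN_GROUP, "Allow", "FullControl"),
    Ace("\\\\fs01\\HR", "Authenticated Users", "Allow", "Read"),         # broad grant on a new share
    Ace("\\\\fs01\\HR", "DOMAIN\\G-HR", "Allow", "Modify"),
]

if __name__ == "__main__":
    for share, rule, principal in audit(SAMPLE_ACL):
        print(f"{share}: {rule} -> {principal}")
```

The explicit Deny on the contractor account is reported even though it looks restrictive: once the broad "Everyone" grant is removed, the Deny entry does nothing, and while the grant exists it is the only thing keeping one person out of data that every other account can read.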
12. Log Aggregation and Correlation
Always automate log aggregation and correlation to avoid manually reviewing servers. Manually reviewing a few servers might be feasible, but it leads to oversights and mistakes in large environments with dozens of servers. Instead, a log and analytics tool can be used to collect server logs and provide insights into environments in a central location.
13. Time
Use a central form of time management within your organization for all systems, including workstations, servers, and network resources. For example, NTP (Network Time Protocol) can keep all systems in sync, making correlating logs much easier since the timestamps will align.
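Items 12 and 13 together, as an added example that is not TitanHQ code: a small collector that parses log lines from several hosts, normalizes every timestamp to UTC, orders them, and then correlates failed logins from one source address across hosts. The hosts in the constructed sample report in three different time zones; read at face value the entries look hours apart, but normalized they fall within fifteen seconds. The conversion only yields correct correlation when the hosts' clocks agree, which is what the central NTP source provides.

```python
"""Central log collection with timestamp normalization (added example; not
TitanHQ code, and the log lines are constructed).

Hosts reporting in different time zones make correlation guesswork, so
the collector converts every timestamp to UTC before sorting, then
looks for one source address failing logins on several hosts within a
short window. The conversion only helps if the hosts' clocks agree,
which is what NTP provides."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format: "<host> <ISO-8601 timestamp> <EVENT> src=<ip> [user=<name>]"
LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\S+) (?P<event>\w+) src=(?P<src>\S+)(?: user=(?P<user>\S+))?$")

RAW_LOGS = [   # constructed: three hosts, three time zones, one probing source
    "web01 2024-05-01T10:00:05+02:00 LOGIN_FAIL src=198.51.100.7 user=admin",
    "web01 2024-05-01T10:00:09+02:00 LOGIN_FAIL src=198.51.100.7 user=root",
    "db01 2024-05-01T08:00:12Z LOGIN_FAIL src=198.51.100.7 user=sa",
    "mail01 2024-05-01T04:00:20-04:00 LOGIN_FAIL src=198.51.100.7 user=postmaster",
    "web01 2024-05-01T10:30:00+02:00 LOGIN_OK src=203.0.113.5 user=alice",
    "db01 2024-05-01T09:10:00Z LOGIN_FAIL src=203.0.113.9 user=bob",
]


def parse_line(line):
    """Parse one line; timestamps are normalized to UTC (a trailing Z is accepted)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"host": m["host"], "ts": ts, "event": m["event"], "src": m["src"], "user": m["user"]}


def aggregate(lines):
    """Collect all hosts' lines into one UTC-ordered event list."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    return events


def correlate_failed_logins(events, window=timedelta(seconds=60), min_hosts=3):
    """Alert when one source fails logins on >= min_hosts distinct hosts within window."""
    by_src = defaultdict(list)
    for e in events:                       # events are already time-ordered
        if e["event"] == "LOGIN_FAIL":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):        # sliding window over this source's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": sorted(hosts),
                               "first": evs[start]["ts"], "last": evs[end]["ts"]})
                break                      # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in correlate_failed_logins(aggregate(RAW_LOGS)):
        print(f"{a['src']} failed logins on {a['hosts']} between {a['first']} and {a['last']}")
```

Shrinking the window to ten seconds produces no alert from the same data, which illustrates the other half of item 13: if one host's clock drifted by even that much, the same source would fall outside the window and the correlation would be missed.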
Getting started with security policies, workflows, standards, and compliance requirements is challenging, especially for small to midsize businesses without in-house staff. Managed service providers (MSPs) can help, but your IT staff still needs guidance with choosing a consultant team and building on-premises and cloud resources. This network security checklist should help get you started, but always keep informed about the right resources to manage your environment.
Get Started With TitanHQ
Need help getting started? If yes, then use this TitanHQ Network Security Checklist. This checklist gives you tips and tricks for effective network security and guides you on assessing, configuring, installing, and maintaining your virtual environment.
Get started with TitanHQ's best-in-class cybersecurity solutions to protect your business.
Frequently Asked Questions (FAQs)
What is a Network Security Checklist?
A network security checklist is a list of questions relating to security issues. It is a great way to check whether your business has the right security in place to protect itself against a variety of online attacks.
What is a Network Hardening Checklist?
A network hardening checklist is a procedure used to make sure an organization has the right security measures in place so that employees can work on their laptops without being vulnerable to attacks. Timely updates, installed automatically, are essential to keep systems up to date.
What are Best Practices for Access Control to Network Resources?
The enforcement of robust password policies is an essential requirement. However, wherever possible, MFA should be deployed. Authorization models such as role-based and attribute-based access control (RBAC and ABAC) should be used to apply granular and dynamic permissions. These permissions should reflect the principle of least privilege, your access policies should be regularly tested and updated as required, and de-provisioning of employees should be performed quickly as they leave or change roles.
What are the Best Practices for Network Security?
Some examples of best practices in network security include provisioning servers with anti-virus and backups for employees' machines to keep them secure, and deploying an email system that filters inbound and outbound email to protect users from malicious messages. Read our checklist above for the complete list of network security best practices.
What is Advanced Spam Protection Service?
An advanced spam protection service protects your business by blocking spam, viruses, malware, ransomware, and links to malicious websites in your emails. This is included with SpamTitan.
Where Can I Find a Free Network Security Checklist?
TitanHQ provides this free network security checklist to get you started with configuring your environment. This checklist is for network administrators or business owners looking for general data security and privacy information. It's also an excellent guide for compliance with PCI-DSS, HIPAA, FINRA, and many others. In addition, an MSP can help build a strategy around your business requirements to configure your cybersecurity infrastructure correctly.
Can I Get a Network Security Best Practices Checklist?
Building a plan for effective cybersecurity infrastructure can take time for businesses struggling with risk management. TitanHQ provides you with our own network security best practices checklist to help get you started and guide you in the right direction. However, a managed service provider (MSP) can help with additional strategies. Use our guide to create general policies and get help from an MSP to build deployment and management strategies.
What is a Business Network Security Checklist?
Both individuals and businesses should have a cybersecurity strategy, but companies must take additional steps to protect data. Businesses are responsible for consumer data and must follow compliance regulations. With compliance, companies could avoid millions in violations after a data breach for failure to put the right policies and infrastructure in place. TitanHQ’s network security guidelines checklist offers businesses professional advice for securing data and compliance.
Should I Use a Computer Network Checklist?
Every network environment contains at least one workstation or server. A computer network checklist protects data stored on computers. A network security checklist covers every resource in a business environment, but a computer network checklist focuses more on individual workstations, servers, laptops, and personal devices. It should be included in your network security policies and strategies, but there should be other checklists that you use to create network cybersecurity infrastructure.
What is a Good IT Infrastructure Security Checklist?
A good IT infrastructure security checklist considers every aspect of your network environment and guides the steps necessary to protect data. You might still need help creating policies and strategies for deploying security infrastructure. Still, a managed service provider (MSP) or security consultant can provide more details on what you specifically need for your business environment. A risk assessment might also be necessary to determine gaps in your current cybersecurity strategies.
What is a Security Checklist?
A security checklist guides methods and best practices for protecting data and business continuity. It covers security best practices for network resources, workstations, servers, employee-consumer interactions, personal devices containing business data, incident response, and logging and monitoring. In addition, compliance regulations require businesses to review their IT infrastructure, set up policies and cybersecurity resources, and continually monitor for anomalous behavior.
What is a Network Review Checklist?
To ensure that business operations staff and stakeholders recognize all critical cybersecurity best practices, a network review checklist covers several aspects of infrastructure configurations and guides administrators to perform a risk assessment on their environment. A professional should conduct a network review and risk assessment. However, the TitanHQ network security checklist is a good starting point for small and midsize businesses to build effective cybersecurity infrastructure.
Is the Security Checklist the Same as a Cybersecurity Policy?
No. A security policy includes clear, comprehensive plans, rules, and best practices for interacting with company assets in a secure way. Checklists provide security professionals with an easy way to verify compliance with policy. The organization is still responsible for crafting a policy that meets its security needs.
What Security Compliance Standards Should my System Security Checklist Conform To?
Some industries are required to conform to compliance standards by law – finance and healthcare are two important examples. Other industries can voluntarily demonstrate compliance with regulatory standards like the NIST Cybersecurity Framework and SOC2 Type II Certification. Take time to understand and identify the right regulatory standards for your organization.
Where can I Find a Comprehensive Network Hardening Guide for my Organization to Follow?
TitanHQ can provide you with a template for creating your own network security checklist and hardening your network against threats. Enter your details here to find out more. However, no template can provide you with a complete guarantee of protection against every threat. These documents are just a starting point for achieving operational security excellence.
What if my Internet Security Checklist Overlooks an Important Threat, Vulnerability, or Risk?
The cybersecurity threat landscape is constantly evolving. Even the most comprehensive security checklists can miss things. That’s why it’s important to periodically review your security practices and proactively search for new and emerging threats. When you identify new threats to your security profile, you must update your security checklist accordingly.
Why Should I Create an Information Security Checklist in Excel Format?
Your security checklist is an internal document that should be accessible to key stakeholders in your organization. Creating an Excel spreadsheet helps make the checklist easier for employees, partners, and security professionals to work with. Large, complex organizations may need to use a more sophisticated solution than Excel, however.
Where Can I Find a Template for my Cyber Security Checklist in XLS Format?
TitanHQ can provide you with a comprehensive example of a network security checklist. Simply enter your details here to receive one in your email inbox. However, remember that every organization is unique. There is no one-size-fits-all solution to network security, so you may have to customize the template to fit your security needs.
How Often Should I Update my Security Best Practices Checklist?
As a rule, organizations should review their security practices and technical configurations once per year. Organizations in high-risk industries like finance, healthcare, and government should audit their security practices more frequently, and consider investing in comprehensive third-party auditing from reputable compliance partners.
Should my IT Security Best Practices Checklist Include User Awareness Education?
Yes! User error is an important factor contributing to overall security risk. Organizations with highly trained, security-conscious employees are less likely to fall victim to phishing attacks, credential-based attacks, and other high-impact threats. Every position in your organization is also a cybersecurity position. SafeTitan provides comprehensive security awareness training.
What is the Best Way to Add Log Monitoring Analysis to my Information Security Checklist?
Security information and event management (SIEM) platforms enable analysts to automate the collection and normalization of log data. Organizations equipped with SIEM technology can quickly detect unauthorized activity reported through log data. This reduces the manual workload of operational security personnel, freeing them to spend more time on high-impact strategic tasks.
Where Can I Find Examples of Hardening Standards for Network Devices?
Voluntary cybersecurity frameworks from reputable organizations offer the best starting point for hardening network devices. The NIST cybersecurity framework (CSF) provides a robust set of standards for hardening network devices against a wide range of threats. However, each organization has a unique security profile and must adapt these standards accordingly.
Should Testing Network Firewall Security Be Part of my Checklist?
Yes! Regularly testing your security tech stack should be an important part of your best practices checklist. Only organizations that commit to continuously improving their security posture can reliably address complex threats and zero-day vulnerabilities. Continuous testing and improvement are a major part of advanced compliance standards, as well.