Priority hardening – do these first

NOTE: Any device that exposes a file share, including the hidden administrative shares, counts as a File Share Service for the purposes of this guide.

  • Ensure systems are current and patched in a timely manner
    • Especially file servers and Domain Controllers (prioritize these first)
  • Ensure the transport is properly protected and encrypted
    • Disable SMBv1
    • Disable SMBv2 where possible; where it cannot be disabled, document and track the residual risk
    • Enable SMBv3.1.1 or higher, with signing and encryption applied, to protect the confidentiality and integrity of data in transit
      • This should be enforced on all file shares except SYSVOL
      • SYSVOL is the share that distributes the policies which configure encryption, so clients must still be able to read it before those policies apply
      • On SYSVOL, signing is required and encryption is preferred
  • Ensure all systems have active, up-to-date anti-virus
    • Use next-generation endpoint protection where possible
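The SMB transport items above, as an added PowerShell example that is not part of the original guide: it snapshots the current state, disables SMBv1 (and audits any client still trying it), requires signing everywhere, pins the dialect floor to 3.1.1 where the OS allows it, and applies encryption server-wide on a file server but per share on a Domain Controller so that the policy shares stay reachable. The -Role switch, the SYSVOL/NETLOGON exclusion list and the Smb2DialectMin handling are this example's own assumptions (dialect pinning is only available on Windows Server 2025 / Windows 11 24H2 and later); everything else uses the standard SmbShare and DISM cmdlets on Windows Server 2016 or later.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide. Audits and enforces the SMB transport
# settings on a Windows file server or domain controller.
# Assumptions: Windows Server 2016+ with the SmbShare and DISM modules; the -Role
# switch and the exclusion list are this example's conventions, not the guide's.

function Get-SmbTransportState {
    # Snapshot of the settings the guide cares about, for a before/after comparison.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled       = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        Smb2And3Enabled   = $cfg.EnableSMB2Protocol      # one switch controls SMB2 and SMB3 together
        SigningRequired   = $cfg.RequireSecuritySignature
        ServerWideEncrypt = $cfg.EncryptData
        RejectUnencrypted = $cfg.RejectUnencryptedAccess
        Smb1AccessAudited = $cfg.AuditSmb1Access
    }
}

function Set-SmbTransportHardening {
    param(
        [Parameter(Mandatory)] [ValidateSet('FileServer', 'DomainController')] [string] $Role,
        # Shares clients must reach before any encryption policy is applied; signing
        # remains mandatory for them. Assumption: SYSVOL and NETLOGON.
        [string[]] $NoForcedEncryption = @('SYSVOL', 'NETLOGON')
    )

    # Disable SMBv1 at the protocol level, remove the component, and log any legacy
    # client that still tries it (event 3000 in Microsoft-Windows-SMBServer/Audit).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -AuditSmb1Access $true -Confirm:$false
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # Signing is the floor for every share, SYSVOL included.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Confirm:$false

    # EnableSMB2Protocol cannot turn off SMBv2 without also turning off SMBv3. Hosts
    # that support dialect pinning can set a 3.1.1 floor; on older hosts the parameter
    # is absent and the remaining SMBv2 exposure is what the guide says to document.
    if ((Get-Command Set-SmbServerConfiguration).Parameters.ContainsKey('Smb2DialectMin')) {
        Set-SmbServerConfiguration -Smb2DialectMin SMB311 -Confirm:$false
    } else {
        Write-Warning 'No Smb2DialectMin on this OS: SMBv2 stays negotiable; record it as tracked risk.'
    }

    if ($Role -eq 'FileServer') {
        # Server-wide encryption also covers the hidden admin shares, which the service
        # recreates on start and which are therefore not reliably covered per share.
        Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Confirm:$false
    } else {
        # On a DC keep the policy shares reachable; encrypt every ordinary share individually.
        Get-SmbShare | Where-Object { -not $_.Special -and $_.Name -notin $NoForcedEncryption } |
            ForEach-Object { Set-SmbShare -Name $_.Name -EncryptData $true -Force }
    }
}

function Get-SmbSessionFinding {
    # Server-side view of live sessions: any session below 3.1.1, unsigned, or
    # unencrypted on a non-policy share is a finding to chase down at the client.
    Get-SmbSession |
        Where-Object { $_.Dialect -lt 3.11 -or -not $_.Signed } |
        Select-Object ClientComputerName, ClientUserName, Dialect, Signed, Encrypted
}

# Usage:
Get-SmbTransportState
Set-SmbTransportHardening -Role FileServer       # or -Role DomainController
Get-SmbTransportState
Get-SmbSessionFinding
```

Run the state snapshot before and after so the change is recorded; the session check is the evidence that the configuration is actually being negotiated, since a `RequireSecuritySignature` of `$true` on the server only helps once the clients stop showing up unsigned.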

Hardening

  • Domain Controllers (Authentication Zone) and File Share Services (Internal Server Zone) are designed for trusted clients.
    • Only allow clients that meet a high security bar, e.g. managed clients
    • These zones SHOULD never be used by, or be accessible to, BYOD devices.
  • Harden your systems (by default they are insecure)
    • Leverage CIS Security Baselines (non-Windows) and the Microsoft Security Toolkit (for Windows, which already includes the CIS Security Benchmarks)
    • Disable unnecessary services and applications where possible
      • The more services enabled, the more work there is to secure the system.
  • Use unique local administrator accounts
    • WARNING: once a machine is compromised, so are the credentials on it from every account that has logged into the device. Unique local administrator credentials prevent the local administrator account from being used for lateral movement to the surrounding systems.
    • Preferably, use Privileged Identity Management to ensure a unique local credential on each device.
  • Configure Domain Controller host firewalls to prevent internet access.
    • Usually these systems have no valid need for direct internet access.
    • Update servers that do have internet connectivity can pull the necessary updates, instead of allowing Domain Controllers internet access.
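The Hardening items above (service reduction, unique local administrator credentials, and the Domain Controller outbound firewall) as one added PowerShell example that is not part of the original guide. The internal address ranges, the update server address and ports, the service list, and the computer names are placeholders for your own site; the local-admin check assumes Windows LAPS is the Privileged Identity Management product in use and that the caller has read access to the LAPS attributes.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide. Applies the DC host-firewall and
# service-reduction items and checks local-admin uniqueness through Windows LAPS.
# Assumptions: ranges, update server, service names and computer names are
# placeholders; Windows LAPS is installed and the caller may read its attributes.

function Set-DcOutboundRestriction {
    param(
        [string[]] $InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
        [string]   $UpdateServer   = '10.0.0.50',          # placeholder: WSUS host that does have internet
        [string[]] $UpdatePorts    = @('8530', '8531'),
        [string[]] $ExtraAllowed   = @()                    # e.g. external DNS forwarders or NTP, if any
    )
    # Default-deny outbound, then allow only what a DC needs: the internal networks
    # (replication, DNS, Kerberos to peers) and the patch source. Block rules win over
    # allow rules in Windows Firewall, so the policy is expressed as a default action
    # plus explicit allows rather than a broad block rule.
    New-NetFirewallRule -DisplayName 'DC-Out-Internal' -Direction Outbound -Action Allow `
        -RemoteAddress $InternalRanges -Profile Domain -ErrorAction Stop | Out-Null
    New-NetFirewallRule -DisplayName 'DC-Out-Updates' -Direction Outbound -Action Allow `
        -Protocol TCP -RemoteAddress $UpdateServer -RemotePort $UpdatePorts -Profile Domain | Out-Null
    if ($ExtraAllowed.Count -gt 0) {
        New-NetFirewallRule -DisplayName 'DC-Out-Extra' -Direction Outbound -Action Allow `
            -RemoteAddress $ExtraAllowed -Profile Domain | Out-Null
    }
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
}

function Get-DcOutboundState {
    # Verification: every profile should report Block, and the allow rules should exist.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
    Get-NetFirewallRule -DisplayName 'DC-Out-*' | Select-Object DisplayName, Direction, Action, Enabled
}

function Disable-UnneededService {
    # Assumption: the print spooler has no business on a DC; extend the list per role.
    param([string[]] $Names = @('Spooler'))
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $n -Force }
        Set-Service -Name $n -StartupType Disabled
    }
}

function Test-LocalAdminUniqueness {
    # Windows LAPS stores one rotating password per computer object. A computer with
    # no LAPS entry is still running whatever shared local-admin credential was imaged
    # onto it, which is exactly the lateral-movement path the guide warns about.
    param([Parameter(Mandatory)] [string[]] $Computers)
    foreach ($c in $Computers) {
        $entry = Get-LapsADPassword -Identity $c -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer = $c
            Managed  = [bool] $entry
            Expires  = if ($entry) { $entry.ExpirationTimestamp } else { $null }
        }
    }
}

# Usage (placeholder names):
Disable-UnneededService
Set-DcOutboundRestriction -UpdateServer '10.0.0.50'
Get-DcOutboundState
Test-LocalAdminUniqueness -Computers @('WS-001', 'WS-002', 'SRV-FILE01') |
    Where-Object { -not $_.Managed }
```

Apply the firewall change through Group Policy on the Domain Controllers OU rather than by hand once it has been tested on one DC, and keep the `$ExtraAllowed` list deliberately short: each address on it is an internet path the guide says a Domain Controller should not normally have.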

See the CISA MS-ISAC Ransomware Guide 2020 for more hardening pointers.