|
|
I. Migrate To Modern Operating Systems.
a) Migrate all workstations and servers off of Windows 2000, XP, Vista, NT and 2003 effective immediately to Windows 8 or Windows 2012 Server.
b) Consider migration of Windows 2008 to Windows 2012 when possible.
c) Consider migration from Windows 7 to Windows 8.1 when possible.
II. Border Security Protection
a) Use a Firewall in front of all computing resources. When possible, avoid directly attaching any computer to the Internet with a publicly facing IP address.
b) Consider setting up a De-Militarized Zone (DMZ) in front of your private network to properly isolate internal assets from assets at the border gateway (ie: mail servers, web servers, etc).
III. Secure Passwords
a) Always use at least 12-16 character passwords with a 4-6 month rotation cycle.
b) Never set a user account so the password does not expire except the in the case of a service account.
IV. User Accounts
a) Do not mix Administrator and Non-Administrator level account levels. Setup a separate account for administration and only use that account for administration purposes. Never enable or use email from an administrator account.
b) Do not mix service accounts and user accounts. Service accounts should be exclusively used for software processes.
V. WiFi
a) Always use WPA-PSK wherever possible.
b) Limit WiFi access point range by turning down the radio power whenever possible to prevent over penetration into nei**oring structures/offices.
c) Consider RADIUS for WiFi authentication whenever possible. This allows the WiFi to authenticate users individually to a Windows Active Directory Domain Controller.
VI. Mobile Device Security
a) Implement encryption such as Bitlocker on all mobile devices such as Laptops running Windows.
VII. Advanced Mitigation Strategies
a) Enable Application Whitelisting.
b) Enable Microsoft’s Enhance Mitigation Toolkit (EMET).
http://support.microsoft.com/kb/2458544
c) Enable ASLR and DEP on all assets. |
|
