Need help getting started? If yes, then use this TitanHQ Network Security Checklist. This checklist gives you tips and tricks for effective network security and guides you on assessing, configuring, installing, and maintaining your environment. Need more time to read the guide now? Enter your details here, and we'll email you a copy so that you can read it later.
Here's a short list of the security and compliance policies every company with more than two employees should have to help secure their network:
Acceptable Use Policy
Internet Access Policy
Email and Communications Policy
Network Security Policy
Remote Access Policy
Data is a valuable commodity that can be quickly sold or traded in any business environment, and an organization's servers store most of its most valuable data. Here are some tips for securing your servers against common threats aimed at stealing that data. The first step is to create a server deployment checklist and ensure everything below is on it. Then, before deploying a server to production, ensure that it complies 100% with the following standards. Servers that follow common security and provisioning standards reduce the risk of a data breach and are easier for administrators to manage.
Audit your environment and create documentation that lists every server, its specifications, and its purpose within the network environment. The server list details all the servers on your network, including name, purpose, IP address, date of provisioning, date of deployment to production, service tag (if physical), rack location or default host, operating system, and responsible person. Any additional information necessary for maintenance should also be included.
Document the person responsible for maintaining the server. The person or team responsible for the server should know what the server is for. They are responsible for ensuring it is kept updated and can investigate any anomalies associated with that server.
Naming conventions may seem strange to tie to security, but quickly identifying a server is critical when you spot anomalies and potential unauthorized traffic. During incident response, every second counts, so having a naming convention helps administrators more quickly identify servers and locate them within the network. In addition, it's crucial in large environments where servers can be found in different geolocations.
Perform quality assurance on all network configurations. Ensure that all network configurations are done correctly, including static IP address assignments, DNS servers, WINS servers, whether or not to register a particular interface, binding order, and disabling services on DMZ, OOB (out-of-band) management, or backup networks.
All servers should be assigned static IP addresses, and data must be maintained in your IP Address Management tool, even if this means it's documented on an Excel spreadsheet. When strange traffic is detected, it's vital to have an updated and authoritative reference for each IP address on your network.
Every server deployment must be fully patched once the operating system is installed. The server should then be added to your patch management application so that future updates are applied automatically.
All servers must run antivirus software and report status updates to your central management console. In addition, scan exceptions must be documented on your server list so that if malware is found on the network, the excluded directories can be manually checked.
If you use host intrusion prevention, you must ensure it is configured according to compliance standards and business productivity requirements. Reports should provide analytics and information to identify anomalies that should be investigated. In addition, software firewalls must be configured to permit authorized traffic across the network environment but reject unauthorized traffic. Legitimate traffic might include remote access, logging and monitoring, web hosting, and other business services.
Pick one remote access solution, and stick with it. For Windows servers, RDP (Remote Desktop Protocol) is commonly used, and SSH (Secure Shell) is typical for Linux and other systems. A single standard is easier for the security team to monitor and protects the environment from misconfigured third-party remote access services. In addition, remote services should be available only to high-privileged users and must be monitored for unauthorized access.
Ensure all servers are connected to a UPS (Uninterruptible Power Supply). A UPS keeps servers and other critical network resources from downtime during an electrical brownout or blackout, which would interrupt services and could cause reboot failures. Data centers use power generators to avoid power-based downtime, but they could be too expensive for small businesses. At worst, a UPS allows administrators to gracefully power down equipment during long-term power outages, reducing the chance of data corruption and faults.
For Windows-based services, all servers and workstations should be joined to a domain where Active Directory (AD) controls permissions and network resource access. Non-Windows servers and workstations in a Windows environment should be authenticated using LDAP (Lightweight Directory Access Protocol). LDAP connects users to Active Directory so that the Windows domain controller manages permissions on non-Windows devices.
Rename the local administrator account on local workstations and servers, and make sure you set and document a strong, complex password of at least ten characters. Use a password vault to store passwords instead of keeping them documented in plaintext files or on paper. The vault's master password should also be strong and complex, but it's easier to remember one complex password than a separate one for every server.
Instead of assigning permissions individually to each user, create groups for similar departments and users and assign users to these groups. Setting group permissions makes it easier to manage user permissions, and it limits accidental privilege escalation if credentials are stolen and an account is compromised.
Active Directory uses an Organizational Unit (OU) to assign servers and network resources into logical groups. It's used to manage permissions across departments within the network environment. They should be used in large environments to ensure servers and network resources across critical departments do not share sensitive data with unauthorized users. It's one step in managing security across departments within the internal network.
Central analytics dashboards display reports to stakeholders and administrators so that the network environment can be monitored. All servers and network resources should send data to centralized reporting dashboards for manual review and investigations into anomalous behaviors.
If a server doesn't need to run a particular service, disable it. It saves the organization on power expenses and reduces the network environment's attack surface.
If you use SNMP (Simple Network Management Protocol), configure community strings, and restrict management access to known authorized systems.
Backup agents, logging agents, management agents, and any other third-party installations used to manage your network must be deployed, configured, and tested before a server integrates into the production environment.
Backups are critical components in disaster recovery, business continuity, and compliance. Use a backup system to ensure you do not suffer from data loss after a cybersecurity incident or server failure.
Included in backup automation, use a system that checks for data corruption. Occasionally, restore backups to a test environment to ensure that backups are valid should you need them for disaster recovery.
When a server is ready for deployment to production, scan it for vulnerabilities before deployment. A vulnerability scan will find misconfigurations, outdated software, operating system bugs, and common application vulnerabilities. After the initial vulnerability scan, add it to regular scans in the future, which should be done for all servers, software, and infrastructure on the network.
Someone other than the person who built the server should spot-check it to be sure all testing and scans were performed before it's deployed to production. By "signing" it, the secondary user verifies that the server meets the organization's security policies and standards requirements. Having a secondary administrator sign off on server requirements adds another layer of security to ensure the initial build didn't miss any software installations or security configurations.
Protect your business from ever-rising security threats with TitanHQ Leading Cybersecurity Platform. Book a call with a security expert to learn how we can help your business. Talk to a Security Expert Today
User workstation configurations and permissions are also crucial to the security of your entire network environment. Unfortunately, most workstation manufacturers ship machines with basic operating system configurations and additional unnecessary software installed. As a result, administrators must manually review, configure, and set up workstations for corporate users. Here is a list of tips to ensure that a workstation meets business standards and security requirements.
Keep a list of all workstations, just like the server list, that includes who the workstation was issued to and when its lease is up or it's reached the end of its depreciation schedule. Tag workstations with a name that follows your naming convention so that they can be located if necessary.
Log the user assigned to the workstation so that it can be tracked to an office location. In addition, workstations occasionally need updates and maintenance, so auditing and logging the assigned user makes it easier to contact that user before any work is done to the workstation.
Workstations should follow the same naming convention as servers. The workstation should be named for its location or the group it belongs to. Every organization has its rules for naming conventions, but they should be consistent for every workstation on the network for easy identification and location.
Most administrators assign IP addresses using DHCP (Dynamic Host Configuration Protocol), so review the DHCP scope to ensure that servers and workstations get appropriate assignments. Next, use a GPO (Group Policy Object) to categorize and assign IP addresses to critical workstations and network resources in the DMZ (Demilitarized Zone).
Any workstations with access to the Internet are at a higher risk of threats than internal servers disconnected from Internet activity. Workstations should be automatically patched using a patch management system, especially for applications responsible for the machine's security. The operating system, antivirus software, installed applications, and firmware should be updated with the latest vendor patches. Patch all software on the workstation before sending it to the assigned user.
All workstations should have an antivirus installed and continually updated when the vendor releases patches. Users should not have permission to disable antivirus, and vulnerability scans should send alerts when a workstation is out of compliance with antivirus requirements.
Consider using a host intrusion prevention or personal firewall product on the workstation to provide more defense against host-based threats, especially for mobile devices used on public Wi-Fi and private networks.
Like servers, pick one remote access method and make it a standard requirement for any remote control. Ban all other applications to avoid vulnerabilities and misconfigurations when administrators are unaware that the application is being used on workstations. Ensure only authorized users can access the workstation remotely and require remote users to use their network credentials instead of shared credentials.
Consider deploying power-saving settings using a Group Policy Object (GPO) to help extend the life of your hardware. Power savings for a single workstation might seem small, but power-saving settings can save thousands in power consumption costs in large network environments. In addition, use Wake-on-LAN configurations to provide remote availability when the workstation is powered down.
All Windows workstations should be joined to a domain so that every workstation is controlled using Windows Active Directory. Non-Windows workstations should be authenticated using LDAP.
Initial user passwords should be randomly created and must be at least eight characters, including complexity standards with special characters. During the user's initial authentication on the network, users must change their password, but they must also use the same complexity and length rules. Do not allow reuse of passwords, and users must change their passwords every 60 or 90 days.
Users with local administrator permissions should be set using groups and group policies. In addition, local administrator accounts should be renamed, and passwords should be complex, with at least ten characters.
Organize your workstations in Organizational Units and manage them with Active Directory Group Policies as much as possible to ensure consistent management and configuration.
Validate that each workstation sends logs to a central patch management system to ensure all software has the latest patches and updates. The primary dashboard system also provides reports on workstation use and can be used to detect abnormal behavior.
Users should store critical data in a network directory so that backup systems can include user-generated data when they take a snapshot of business data. Workstations can be imaged if they need to be restored after hardware failure. Images restore all data and applications so that administrators do not manually install software during disaster recovery of a workstation.
Local data encryption protects from data loss when a mobile device or workstation is lost or stolen. Whether you use BitLocker, TrueCrypt, or hardware encryption, make drive encryption mandatory.
Perform regular vulnerability scans of a random sample of your workstations to help ensure your workstations are up to date.
Corporate network infrastructure is easy to overlook but critical to secure and maintain. The following checklist is a set of recommendations for all network equipment and platform-specific recommendations.
Maintain a network hardware list similar to your server list. The list should include the device name, type, location, serial number, service tag, and responsible party.
Have a standard configuration for every type of device to help maintain consistency and easier management. Consistent configurations avoid misconfigurations that can lead to vulnerable devices and potential compromise.
Assign static IP addresses to all management interfaces, add A records to DNS, and track everything in an IP Address Management (IPAM) solution.
Network hardware runs an operating system too, and it must be patched in the same way standard workstation and server operating systems are automatically patched. Keep network resource firmware patched and always install security updates as soon as possible.
Use the most secure remote access method your platform offers. For most hardware, the most secure protocol is SSH version 2. Disable telnet and SSH 1, and set strong passwords on both the remote and local -- serial or console -- connections.
Use a password vault and management system that requires unique credentials for every network device. The remote management solution should also monitor access and restrict remote control to only authorized users.
If administrators use SNMP, change default community strings and set authorized management stations. If SNMP is not necessary, disable it to reduce your attack surface.
Ensure that administrators install an automated backup system that takes regular backups of network configurations whenever administrators make a change. Restore configurations to a test environment occasionally to ensure that backups are valid and uncorrupted.
Include all network resources in your regular vulnerability scans to detect misconfigurations or outdated firmware so that these issues can be remediated immediately.
Use VLANs to segregate traffic types so critical data is unavailable on the open network. VLANs segregate networks into logical groups, and every workstation, server, management tool, and backup should be on a VLAN to contain traffic.
Set port restrictions so users cannot run promiscuous mode devices or connect hubs or unmanaged switches without prior authorization.
Ports that are not assigned to specific devices should be disabled, or they should be set to a default guest network that cannot access the internal network. For example, this configuration prevents external devices from connecting to your internal network from empty offices or unused cubicles.
Firewalls should be configured to block unauthorized traffic and allow traffic that should flow for legitimate services. The following configurations help with firewall setups.
1) Explicit Permits, implicit deny
'Deny All' should be the default response on all access lists - inbound and outbound.
2) Logging and alerts
Log all violations and promptly investigate alerts.
Use only secure routing protocols that use authentication and accept updates from known peers along the network perimeter.
Vulnerability scanning should be done weekly, and it should be performed automatically. Configure your vulnerability scanning application to scan all internal and external address spaces weekly. Here are a few more tips for vulnerability scanning.
Validate any differences from one week to the next against your change control procedures to ensure no one has enabled an unapproved service or connected a rogue host.
Perform monthly internal scans to help ensure that no rogue or unmanaged devices are on the network. In addition, run scans to ensure the infrastructure is updated on the latest security patches.
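The week-to-week comparison described above, as an added example that is not part of the TitanHQ checklist: two scan snapshots (host to open services) are diffed, and any newly exposed host or service that has no matching change-control record is reported for investigation. The snapshots, the `APPROVED_CHANGES` records and the `(host, port/proto)` key format are constructed sample data; a real scanner export would be mapped into the same shape.

```python
"""Week-over-week vulnerability scan diff checked against change control.

Added example (not part of the TitanHQ checklist). The scan snapshots and
the change-control records are constructed; only the host -> open service
mapping of a scan is modelled here.
"""
from dataclasses import dataclass, field

# Constructed snapshot from last week: host -> {port/proto: service}
LAST_WEEK = {
    "10.0.1.10": {"22/tcp": "ssh", "443/tcp": "https"},
    "10.0.1.11": {"3389/tcp": "ms-wbt-server"},
    "10.0.2.5": {"161/udp": "snmp"},
}

# Constructed snapshot from this week
THIS_WEEK = {
    "10.0.1.10": {"22/tcp": "ssh", "443/tcp": "https", "8080/tcp": "http-proxy"},
    "10.0.1.11": {"3389/tcp": "ms-wbt-server"},
    "10.0.1.12": {"22/tcp": "ssh"},          # host not seen last week
    # 10.0.2.5 no longer answers (decommissioned or offline)
}

# Constructed change-control records approved this week as (host, port/proto).
# A record with port "*" approves every service on a newly provisioned host.
APPROVED_CHANGES = {
    ("10.0.1.10", "8080/tcp"),   # ticket: reverse proxy rollout
}


@dataclass
class ScanDiff:
    new_hosts: list = field(default_factory=list)
    removed_hosts: list = field(default_factory=list)
    new_services: list = field(default_factory=list)      # (host, port, service)
    removed_services: list = field(default_factory=list)  # (host, port, service)
    unapproved: list = field(default_factory=list)        # new services with no change record


def diff_scans(previous, current, approved):
    """Compare two scan snapshots and flag exposures that no change record covers."""
    d = ScanDiff()
    prev_hosts, cur_hosts = set(previous), set(current)
    d.new_hosts = sorted(cur_hosts - prev_hosts)
    d.removed_hosts = sorted(prev_hosts - cur_hosts)
    for host in sorted(cur_hosts):
        before = previous.get(host, {})
        after = current[host]
        for port in sorted(set(after) - set(before)):
            d.new_services.append((host, port, after[port]))
        for port in sorted(set(before) - set(after)):
            d.removed_services.append((host, port, before[port]))
    # Anything newly exposed must match an approved change; otherwise it is a finding
    for host, port, service in d.new_services:
        if (host, port) not in approved and (host, "*") not in approved:
            d.unapproved.append((host, port, service))
    return d


def report(d):
    """Render the findings an administrator should validate against change control."""
    lines = []
    for h in d.new_hosts:
        lines.append(f"NEW HOST     {h}")
    for h in d.removed_hosts:
        lines.append(f"GONE HOST    {h}")
    for h, p, s in d.unapproved:
        lines.append(f"UNAPPROVED   {h} {p} ({s}) - no change record; investigate")
    return lines


if __name__ == "__main__":
    print("\n".join(report(diff_scans(LAST_WEEK, THIS_WEEK, APPROVED_CHANGES))))
```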
Backup policies are critical for compliance and disaster recovery. Every organization should have a backup policy and management systems to ensure every resource is included. Here are a few tips for your backup policy.
Ensure you establish a tape rotation that tracks the location, purpose, and age of all backup tape cartridges. Never repurpose tapes that were used to back up highly sensitive data for less secure storage.
When a tape has reached its end of life, destroy it to ensure no data can be recovered.
Use a reputable courier service that offers secure storage for offsite tape storage.
Even reputable courier services lose tapes occasionally. Therefore, ensure that any tape transported offsite -- whether through a service or by an employee -- is encrypted to protect data against accidental data loss.
Backup tapes contain all data, and members of the Backup Operators group can bypass file-level security in Windows so that they can back up everything. Therefore, secure physical access to tapes and restrict membership in the Backup Operators group just as you do for the Domain Admins group.
Backups are worthless if they cannot be restored. Therefore, verify your backups at least once a month by performing test restores to ensure your data is not corrupted.
7. Remote Access
Set up and maintain an approved method for remote access and grant permissions to any user who can connect remotely. For example, ensure that users can only use a company-approved process for remote access and that others are disabled.
Consider using a two-factor authentication system such as tokens, smart cards, certificates, or SMS solutions to secure remote access further.
Perform regular reviews of your remote access audit logs and spot-check with users if you see any unusual patterns, including authentication in the middle of the night or during the day when the user is already in the office.
Set strong account lockout policies and investigate any accounts that are locked out to ensure attackers cannot use your remote access method to break into your network.
If you perform split tunnelling, enforce internal name resolution only to protect users further when they use insecure networks.
Protect your traveling users on insecure wireless networks by tunnelling all their traffic through the VPN instead of enabling split tunnelling.
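The audit log review and lockout checks described in this section, as an added example that is not from the TitanHQ checklist: the script parses VPN authentication records, flags successful logins outside business hours, flags remote logins from a user who is already in the office according to badge records, and flags accounts hitting the lockout threshold. The log lines, the badge records, the `user=`/`result=`/`src=` field names and the 07:00 to 19:00 business-hours window are constructed assumptions to adapt to your gateway's format and policy.

```python
"""Remote access audit log review: off-hours logins, remote logins while the
user is already in the office, and lockout patterns.

Added example, not part of the TitanHQ checklist. Log lines, office presence
records and field names are constructed; map them to your VPN gateway's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)        # assumption: 07:00-19:00 local is a normal login time
LOCKOUT_THRESHOLD = 5           # assumption: 5 failures within LOCKOUT_WINDOW locks the account
LOCKOUT_WINDOW = timedelta(minutes=15)

# Constructed VPN gateway log: ISO timestamp, host, event, key=value fields
VPN_LOG = """\
2024-03-04T02:13:45 vpn-gw auth user=jsmith result=SUCCESS src=203.0.113.8
2024-03-04T08:58:02 vpn-gw auth user=akhan result=SUCCESS src=198.51.100.23
2024-03-04T10:15:30 vpn-gw auth user=akhan result=SUCCESS src=198.51.100.23
2024-03-04T11:00:00 vpn-gw auth user=bwong result=FAILURE src=192.0.2.77
2024-03-04T11:00:20 vpn-gw auth user=bwong result=FAILURE src=192.0.2.77
2024-03-04T11:00:41 vpn-gw auth user=bwong result=FAILURE src=192.0.2.77
2024-03-04T11:01:05 vpn-gw auth user=bwong result=FAILURE src=192.0.2.77
2024-03-04T11:01:33 vpn-gw auth user=bwong result=FAILURE src=192.0.2.77
2024-03-04T14:30:00 vpn-gw auth user=jsmith result=SUCCESS src=203.0.113.8
"""

# Constructed badge-in/badge-out intervals per user (in-office presence)
OFFICE_PRESENCE = {
    "akhan": [("2024-03-04T09:30:00", "2024-03-04T17:45:00")],
    "jsmith": [],   # travelling this day, so remote logins are expected
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed auth line, with the timestamp parsed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # skip unrelated or malformed lines
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def in_office(user, ts, presence):
    """True if a badge interval for the user covers the login time."""
    for start, end in presence.get(user, []):
        if datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end):
            return True
    return False


def review(events, presence):
    """Return (category, user, timestamp, source) findings to spot-check with users."""
    findings = []
    failures = defaultdict(list)   # user -> failure timestamps inside the sliding window
    for ev in events:
        if ev["result"] == "SUCCESS":
            if not BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]:
                findings.append(("OFF_HOURS", ev["user"], ev["ts"], ev["src"]))
            if in_office(ev["user"], ev["ts"], presence):
                findings.append(("REMOTE_WHILE_IN_OFFICE", ev["user"], ev["ts"], ev["src"]))
        elif ev["result"] == "FAILURE":
            recent = [t for t in failures[ev["user"]] if ev["ts"] - t <= LOCKOUT_WINDOW]
            recent.append(ev["ts"])
            failures[ev["user"]] = recent
            if len(recent) == LOCKOUT_THRESHOLD:   # report once, when the threshold is hit
                findings.append(("LOCKOUT", ev["user"], ev["ts"], ev["src"]))
    return findings


if __name__ == "__main__":
    for cat, user, ts, src in review(parse_log(VPN_LOG), OFFICE_PRESENCE):
        print(f"{cat:24} {user:8} {ts.isoformat()} from {src}")
```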
8. Wireless Networking
If you support wireless networks in your business environment, you should configure them to protect data. Protection and restrictions should be set on any guest networks also. Here are a few tips to keep user data safe.
Use an SSID (Service Set Identifier) that cannot be easily associated with your company, and do not broadcast the business SSID. Of course, both are only somewhat effective against someone seriously interested in your wireless network, but they do keep you off the radar of the casual war driver.
Use the most robust encryption cipher possible, preferably WPA3 Enterprise. Never use WEP. If you have barcode readers or other legacy devices that can only use WEP, set up a dedicated SSID for only those devices and use a firewall so that they can only connect to the central software over the required port.
Use 802.1x to authenticate your wireless network so only approved devices can connect.
Use your wireless network to establish a guest network for visiting customers, vendors, and any other user without authorized internal network permissions. Do not permit connectivity from the guest network to the internal network, but allow authorized users to use the guest network to connect to the Internet.
Create a "Bring Your Own Device" policy for user devices, even if that policy is to prohibit users from bringing their laptops and tablets into the office. Be clear on the permissible use of data and applications on personal devices, and require VPN for remote network access on personal devices.
Use a multi-layered protection approach to email security. For example, don't rely on your mail server's filtering capabilities alone. Instead, add a dedicated third-party solution to filter your mail and help protect users and business data.
Deploy an email filtering solution that can filter both inbound and outbound messages to protect customer data.
Ensure that your edge devices reject directory harvest attempts.
Deploy mail filtering software that protects users from the full range of email threats, including malware, phishing, and spam.
Configure on-the-go (OtG) protection to protect remote users. Protect your users when they are not in the office with third-party OtG solutions that can help filter traffic on their laptops and identify when they are in the office and need to use the office filtering solution.
Deploy web content filters for internet security from web-based threats. Use internet web content filters to protect your users and business from malicious websites. For example, ransomware is one of the most devastating types of cyber-attacks, but web content filters stop users from downloading malicious executables that install threats on the environment.
Require encryption across all internet access. For example, reject website access when the site is connected over HTTP and not HTTPS.
Scan all web activity for malware, including file downloads, streaming media, or scripts on web pages.
Protect your business-critical applications by deploying bandwidth restrictions on user devices and non-critical resources. Bandwidth restrictions ensure that internet-based non-critical traffic doesn't adversely impact company functions.
Block outbound traffic that could be used to bypass internet monitoring and filtering.
File shares available on the network should be secured and monitored for unauthorized access. Users can share files on the network, but administrators should implement safeguards to protect data from malware and from external and internal threats. Here are a few tips.
Default group permissions are usually a little too permissive. Remove the Everyone group from legacy shares and the Authenticated Users group from new shares. Manually set more restrictive permissions, allowing access to only the "domain users" group.
The "least privilege" principle is a strategy that limits user permissions to only the data necessary for a user to perform their job function. For example, the default permission should be read only unless users need permission to update data. "Full control" should only be granted to admins.
Never assign permissions to individual users. Instead, create user groups, transfer users to these groups, and then assign permissions to individual groups. It's easier to track and manage permissions and limits mistakes on data access.
Prefer allowing access explicitly over blocking it. For example, a "Deny Access" permission blocks specific users but leaves everyone else permitted. Instead, keep the default of denying all users and configure permitted access for particular users and groups.
Always automate log aggregation and correlation to avoid manually reviewing servers. Manually reviewing a few servers might be feasible, but it leads to oversights and mistakes in large environments with dozens of servers. Instead, use a central log aggregation and analytics tool to collect server logs and provide insights on the environment in one location.
Use a central form of time management within your organization for all systems, including workstations, servers, and network resources. For example, NTP (Network Time Protocol) can keep all systems in sync, making correlating logs much easier since the timestamps will align.
Getting started with security policies, workflows, standards, and compliance requirements is difficult, especially for small to midsize businesses without in-house staff. Managed service providers can help, but your IT staff still needs guidance with choosing a consultant team and building on-premises and cloud resources. This network security checklist should help get you started, but always use the right resources to manage your environment.
A network security checklist is a list of questions relating to security issues. It is a great way to check whether your business has the right security in place to protect itself against a variety of online attacks.
A network hardening checklist is a procedure used to make sure an organisation has the right security measures in place so that employees can work on their laptops without being vulnerable to attacks. This can include requiring strong passwords that are changed regularly, and making sure any updates are installed automatically to keep systems up to date.
Some examples of best practices for network security include provisioning servers with anti-virus and backups for employees' machines to keep them secure. Another example would be an email system that filters inbound and outbound emails to protect users from malicious messages. You can read this page for the complete checklist of network security best practices.
Advanced spam protection service protects your business by blocking spam, viruses, malware, ransomware and links to malicious websites from your emails. This is included with SpamTitan.
TitanHQ provides this free network security checklist to get you started with configuring your environment. It guides network administrators or business owners looking for general data security and privacy information. It's also an excellent guide for compliance, including PCI-DSS, HIPAA, FINRA, and many others. In addition, an MSP can help build a strategy around your business requirements and will ensure that your cybersecurity infrastructure is configured correctly.
Building a plan for effective cybersecurity infrastructure can take time for businesses struggling with risk management. TitanHQ provides you with our own network security best practices checklist to help get you started and guide you in the right direction. However, a managed service provider (MSP) can help with additional strategies. Use our guide to create general policies and get help from an MSP to build deployment and management strategies.
Both individuals and businesses should have a cybersecurity strategy, but companies must take additional steps to protect data. Businesses are responsible for consumer data and must follow compliance regulations. By complying, companies can avoid millions in penalties after a data breach for failing to put the right policies and infrastructure in place. TitanHQ's network security guidelines checklist offers businesses professional advice for securing data and meeting compliance.
Every network environment contains at least one workstation or server. A computer network checklist protects data stored on computers. A network security checklist covers every resource in a business environment, but a computer network checklist focuses more on individual workstations, servers, laptops, and personal devices. It should be included in your network security policies and strategies, but there should be other checklists that you use to create network cybersecurity infrastructure.
A good IT infrastructure security checklist considers every aspect of your network environment and guides the steps necessary to protect data. You might still need help creating policies and strategies for deploying security infrastructure. Still, a managed service provider (MSP) or security consultant can provide more details on what you specifically need for your business environment. A risk assessment might also be necessary to determine gaps in your current cybersecurity strategies.
A security checklist guides methods and best practices for protecting data and business continuity. It covers security best practices for network resources, workstations, servers, employee-consumer interactions, personal devices containing business data, incident response, and logging and monitoring. In addition, compliance regulations require businesses to review their IT infrastructure, set up policies and cybersecurity resources, and continually monitor for anomalous behavior.
To ensure that business operations staff and stakeholders recognize all critical cybersecurity best practices, a network review checklist covers several aspects of infrastructure configurations and guides administrators to perform a risk assessment on their environment. A network review and risk assessment should be done by a professional. Still, the TitanHQ network security checklist is a good starting point for small and midsize businesses to build effective cybersecurity infrastructure.
No. A security policy includes clear, comprehensive plans, rules, and best practices for interacting with company assets in a secure way. Checklists provide security professionals with an easy way to verify compliance with policy. The organization is still responsible for crafting a policy that meets its security needs.
Some industries are required to conform to compliance standards by law – finance and healthcare are two important examples. Other industries can voluntarily demonstrate compliance to regulatory standards like the NIST Cybersecurity Framework and SOC2 Type II Certification. Take time to understand and identify the right regulatory standards for your organization.
TitanHQ can provide you with a template for creating your own network security checklist and hardening your network against threats. Enter your details here to find out more. However, no template can provide you with a complete guarantee of protection against every threat. These documents are just a starting point for achieving operational security excellence.
The cybersecurity threat landscape is constantly evolving. Even the most comprehensive security checklists can miss things. That’s why it’s important to periodically review your security practices and proactively search for new and emerging threats. When you identify new threats to your security profile, you must update your security checklist accordingly.
Your security checklist is an internal document that should be accessible to key stakeholders in your organization. Creating an Excel spreadsheet helps make the checklist easier for employees, partners, and security professionals to work with. Large, complex organizations may need to use a more sophisticated solution than Excel, however.
TitanHQ can provide you with a comprehensive example of a network security checklist. Simply enter your details here to receive one in your email inbox. However, remember that every organization is unique. There is no one-size-fits-all solution to network security, so you may have to customize the template to fit your security needs.
As a general rule, organizations should review their security practices and technical configurations once per year. Organizations in high-risk industries like finance, healthcare, and government should audit their security practices more frequently, and consider investing in comprehensive third-party auditing from reputable compliance partners.
Yes! User error is an important factor contributing to overall security risk. Organizations with highly trained, security-conscious employees are less likely to fall victim to phishing attacks, credential-based attacks, and other high-impact threats. Every position in your organization is also a cybersecurity position.
Security information and event management (SIEM) platforms enable analysts to automate the collection and normalization of log data. Organizations equipped with SIEM technology can quickly detect unauthorized activity reported through log data. This reduces the manual workload of operational security personnel, freeing them to spend more time on high-impact strategic tasks.
Voluntary cybersecurity frameworks from reputable organizations offer the best starting point for hardening network devices. The NIST cybersecurity framework provides a robust set of standards for hardening network devices against a wide range of threats. However, each organization has a unique security profile and must adapt these standards accordingly.
Yes! Regularly testing your security tech stack should be an important part of your best practices checklist. Only organizations that commit to continuously improving their security posture can reliably address complex threats and zero-day vulnerabilities. Continuous testing and improvement is a major part of advanced compliance standards, as well.