Domain Security Recommendations

These come from 7minsec, Brian Johnson makes an entertaining podcast which is unusual in the normally dry security space. Highly recommend. I love podcasts as i can listen while I do other less productive things like drive or try to get to sleep…. or watch CSI for the 4th time because it’s my wife’s turn to choose…. not that I’m bitter…

disable users adding pcs to the domain
smb signing
strong unique passwords + LAPS
run ping castle
disable insecure protocols; netbios, llmnr, mdns, smbv1
power up sql, find sql servers, stored procedures,
turn off print sharing, esp on DCs, ping castle scanners print spool

take local admin away from everyone
Pre-filter email (yes they are all a pain)
Use GPO to auto-install the chrome extension Ublock Origin see here