The environment:
Windows 10+, VMware 8u2, SentinelOne, Fortigate Fw 7.0.15, Unsecured VPN tunnels to biz partners<\/p>\n\n\n\n
The Good:
+Cove backup w Cloud really good. Attackers will wipe local backup repo. Caveat; when restoring we had problems with the Virtual Disaster Recovery, it would recover disks but many of the files were “In Use” & unreadable. Instead VDR the Boot drive, Install the recovery software, create a new (thin provisioned) disk in VmWare and do a “Files & Folders” restore to the new disk. The files we restored were larger than the drive they were backed up on, we had some NAS devices grafted into the NTFS tree.
+SentinelOne; didn’t find malware on any PCs. made an alert about lateral movement
+Tailscale unaffected, doesn’t require ports open from internet
+FreeMyIp.com dynamic DNS makes great poor-mans MFA<\/p>\n\n\n\n
<\/p>\n\n\n\n
Needs Improvement: Backup\/Restore: Blue Team;
+Upgrade VmWare vCenter to 8u3 latest build
+enable AV on all VPN connectors and -limit their scope. Off for short term.
+Wazuh server deploy Script not OVA. install agent on workstations. Use a DNS name.
+Remove all users from local admin, make domain group, add users temporarily for self-service +U
+Deploy HoneyPot OpenCanary<\/a>, how 2 setup email alerts? TPot-ce, can’t login
+Logon script; Winget Upgrade –all (doesn’t run as a user with authority)
+Mgt interfaces unreachable from workstations. Router ACL’s configured VLan 1,111,121
+Vuln Scanner, gvm https:\/\/www.youtube.com\/watch?v=egiJ9A7oq3U<\/a>
+NiNite installer makes it difficult to upgrade or uninstall software. 2 versions of VLC a 32bit+64bit
+Tailscale+Terminal Server. OR RdWeb + Dyn dns from freeMyIp.com
++use Unifi to eject all the cellphones from the Corp network. Make them use the Guest network
+netbios <\/a>Disable via Group Policy Powershell script, audit w NirSoft <\/a>util
…Automate Windows updates via Group Policy 1\/w. Verify no sleep
…Windows firewall servers p135, 3389 only from servers+mgt vlan.
…SMB1 Disable via Group Policy. audit w nmap –script smb-protocols.nse
-Windows firewall forced ON in group policy, allow server + mgt networks. Breaks scan to local share.
-Stronger password policy, expires yearly, reminder notes go in wallet. Start w exp 999d
…Harden servers, disable unused services \/ tcp ports. Run IISCrypto <\/a>+Best Practices(breaks SentinelOne?)
-DB config uses IP, change to DNS name
-arpwatch \/ DHCP log alert on new MAC addresses seen. Wazuh? Unifi<\/a>ClientCheck
-Segment departments from each other, new edge switches vlans up 1 level
-Document the network OR buy Unifi switches
-Reboot Workstations nightly \/ have PCs BIOS power-on every morn 1h b4 work start, do updates etc.<\/p>\n\n\n\n
+TrueNas Storage Snapshots daily +U +T +V
+Extra backups to external drives that power off daily. -auto, sync changes
-Extra backups at a driveable offsite location
-UPS shutdown automation, easy install via Home Assistant<\/p>\n\n\n\n
-Verify you get alerts for creating a new account on server, workstation. not just in the Wazuh console
+NMAP scan all servers for open tcp port. Question everything. monitor required services<\/p>\n\n\n\n