Follow the guide below for a more secure enterprise in 20 days.
Week 1
- Monday
Evaluate the "password last changed date" for all the user accounts on your domain controllers. Pay particular attention to administrative accounts because they are not subject to the standard password-change policy.
Suggested tool: Dumpsec
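A scripted way to do the Monday check, added here as an example and not part of the original article or the Dumpsec tool: it pulls PasswordLastSet for every enabled account from Active Directory, marks members of the built-in privileged groups (and anything with adminCount set), and lists accounts whose password is older than a threshold or never expires. It assumes the ActiveDirectory RSAT module; the 90-day threshold and the list of privileged groups are assumptions to adjust to your policy.

```powershell
# Added example (not from the article): report enabled accounts whose
# password is older than $MaxAgeDays or set to never expire, admins first.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$MaxAgeDays  = 90                                   # assumption: your policy
$Cutoff      = (Get-Date).AddDays(-$MaxAgeDays)
$AdminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Resolve privileged group membership recursively so nested admins are caught
$AdminNames = foreach ($g in $AdminGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}
$AdminSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@($AdminNames), [System.StringComparer]::OrdinalIgnoreCase)

# pwdLastSet is replicated, so one DC (the default) gives the same answer as all of them
$Report = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires, adminCount |
    ForEach-Object {
        [pscustomobject]@{
            Account              = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet           # $null = never set
            PasswordAgeDays      = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            PasswordNeverExpires = $_.PasswordNeverExpires
            IsAdmin              = $AdminSet.Contains($_.SamAccountName) -or ($_.adminCount -eq 1)
        }
    } |
    Where-Object { $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff -or $_.PasswordNeverExpires }

# Admins first, oldest passwords first
$Report |
    Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, PasswordLastSet |
    Format-Table Account, PasswordLastSet, PasswordAgeDays, PasswordNeverExpires, IsAdmin -AutoSize
```

Accounts flagged with PasswordNeverExpires are the ones the article warns about: the domain policy never forces them to rotate, so they only show up in a report like this.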
- Tuesday
Check the password strength of user accounts. Run a dictionary attack against the password hashes, and identify those that are easy to crack. Force password changes as necessary.
Suggested tool: Cain & Abel
- Wednesday
Make sure your antivirus definitions are up to date.
More information: Bash Bosh Blog
- Thursday
Review corporate firewall logs, and look for any unusual activity. Also, consider reviewing firewall logs for key laptop systems.
More information: "How to review a firewall log in 15 minutes or less"
- Friday
Review security logs on your domain controllers. Look for successful connections from accounts that shouldn't be in use and for failed connections that could indicate an attempt to guess a password.
More information: List of Windows security log events
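The two Friday questions, as an added example that is not from the article: it reads the Security log of one domain controller for the last day, parses the event XML, and then reports successful logons (event 4624) by accounts that should no longer be in use and accounts with many failed logons (event 4625). The DC name, the dormant-account list and the failure threshold are constructed values; it assumes rights to read the Security log remotely.

```powershell
# Added example (not from the article): summarise logons on a domain controller.
# 4624 = successful logon, 4625 = failed logon (Security log, Server 2008+).
$DC        = 'dc01.corp.example'              # assumption: your domain controller
$Since     = (Get-Date).AddDays(-1)
$Dormant   = @('svc_legacy', 'oldadmin')      # constructed: accounts that should not log on
$Threshold = 10                               # failures per account worth a look

$Events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $Since
} -ErrorAction Stop

# Flatten the EventData name/value pairs of each event into one row
$Rows = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        LogonType = $d['LogonType']        # 2 interactive, 3 network, 10 RDP ...
        SourceIp  = $d['IpAddress']
        Status    = $d['Status']           # failure reason code on 4625 only
    }
}

# 1) Successful logons from accounts that should not be in use
$Rows | Where-Object { $_.Id -eq 4624 -and $Dormant -contains $_.Account } |
    Format-Table Time, Account, LogonType, SourceIp -AutoSize

# 2) Accounts with many failures: password guessing, or a stale saved credential
$Rows | Where-Object Id -eq 4625 |
    Group-Object Account |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Sources'; e = { ($_.Group.SourceIp | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

A burst of failures from one source address against many accounts reads differently from one account failing from its usual workstation (typically a cached old password); the Sources column is there to tell them apart.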
Week 2
- Monday
Implement stronger password-creation rules on your domain controllers.
Suggested tool: Passpol
- Tuesday
Scan the internal network, and look for any unauthorized Web servers. Scan for TCP Ports 80 and 443. Shut down any Web servers that aren't approved.
Suggested tool: Superscan
- Wednesday
Read the new Microsoft security bulletins and prioritize for deployment.
More information: "Structuring patch management in seven steps"
- Thursday
Start deploying patches to your systems.
Available tools: PatchManagement.org list of vendors
- Friday
Review malware logs. If using Windows Defender, check the System Event Log for "windefend" items.
More information: Windows Defender technical overview
Week 3
- Monday
Evaluate last login dates for user accounts. Identify accounts that are still active but haven't logged in for six months or more. Disable these accounts where appropriate. (Make sure to scan all domain controllers to get accurate last login data.)
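The reason the article says to scan every domain controller is that the lastLogon attribute is not replicated: each DC only knows about the logons it handled itself. The added example below (not from the article or from Dumpsec) queries every DC, keeps the newest lastLogon per account, and lists enabled accounts with no logon in six months; accounts that have never logged on only count once they are older than the cutoff. It assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the article): enabled accounts with no logon in
# $StaleMonths months, taking the newest lastLogon across all DCs.
Import-Module ActiveDirectory

$StaleMonths = 6
$Cutoff      = (Get-Date).AddMonths(-$StaleMonths)

$DCs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$Latest  = @{}   # SamAccountName -> newest lastLogon (FILETIME ticks) seen on any DC
$Created = @{}   # SamAccountName -> whenCreated (replicated, same on every DC)

foreach ($dc in $DCs) {
    try {
        Get-ADUser -Server $dc -Filter 'Enabled -eq $true' -Properties lastLogon, whenCreated |
            ForEach-Object {
                $t = [int64]$_.lastLogon        # 0 = this DC never saw a logon
                $n = $_.SamAccountName
                if (-not $Latest.ContainsKey($n) -or $t -gt $Latest[$n]) { $Latest[$n] = $t }
                $Created[$n] = $_.whenCreated
            }
    } catch {
        Write-Warning "Could not query ${dc}: $_"   # a skipped DC means incomplete data
    }
}

$Stale = foreach ($n in $Latest.Keys) {
    $last    = if ($Latest[$n] -gt 0) { [DateTime]::FromFileTime($Latest[$n]) } else { $null }
    $isStale = if ($null -eq $last) { $Created[$n] -lt $Cutoff } else { $last -lt $Cutoff }
    if ($isStale) {
        [pscustomobject]@{ Account = $n; LastLogon = $last; Created = $Created[$n] }
    }
}

$Stale | Sort-Object LastLogon | Format-Table -AutoSize

# After review: disable rather than delete, so a still-needed account can be restored.
# $Stale | ForEach-Object { Disable-ADAccount -Identity $_.Account -WhatIf }
```

If a DC is unreachable the warning matters: an account that only ever authenticates against that DC would otherwise look idle.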
Suggested tool: Dumpsec
- Tuesday
Check the patch status of your third-party applications, such as Sun Java, Mozilla Firefox, Adobe Reader and Apple iTunes.
Available tools: PatchManagement.org list of vendors
- Wednesday
Look for dual-homed machines on the network that may be connected to two networks at the same time, bypassing the corporate firewalls or routers. Look for machines with multiple network interface cards (with different Media Access Control addresses or protocols).
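An added example for the dual-homed check (not from the article, and independent of Getmac): it collects every IP-enabled adapter from a list of hosts over WinRM, computes the IPv4 network each address belongs to, and reports machines whose adapters sit in more than one network. The hosts file is an assumption; WinRM must be enabled on the targets.

```powershell
# Added example (not from the article): find hosts whose IP-enabled adapters
# are in different IPv4 subnets, i.e. possible bridges between networks.
$Computers = Get-Content .\hosts.txt          # assumption: one hostname per line

$Adapters = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            # IPAddress and IPSubnet are parallel arrays; keep IPv4 entries only
            for ($i = 0; $i -lt $_.IPAddress.Count; $i++) {
                $ip = $_.IPAddress[$i]
                if ($ip -notmatch ':') {
                    [pscustomobject]@{
                        Computer   = $env:COMPUTERNAME
                        Adapter    = $_.Description
                        MacAddress = $_.MACAddress
                        IPAddress  = $ip
                        Subnet     = $_.IPSubnet[$i]
                        Gateway    = ($_.DefaultIPGateway -join ',')
                    }
                }
            }
        }
}

function Get-NetworkId([string]$Ip, [string]$Mask) {
    # Bitwise AND of address and mask gives the network the adapter lives in
    $ipBytes   = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $net = for ($i = 0; $i -lt 4; $i++) { $ipBytes[$i] -band $maskBytes[$i] }
    return ($net -join '.')
}

$Adapters | Group-Object Computer | Where-Object Count -gt 1 | ForEach-Object {
    $nets = $_.Group | ForEach-Object { Get-NetworkId $_.IPAddress $_.Subnet } | Sort-Object -Unique
    [pscustomobject]@{
        Computer  = $_.Name
        Adapters  = $_.Count
        Networks  = ($nets -join ' | ')
        Macs      = (($_.Group.MacAddress | Sort-Object -Unique) -join ', ')
        DualHomed = ($nets.Count -gt 1)
    }
} | Where-Object DualHomed | Format-Table -AutoSize
```

Expect VPN clients and virtual-machine host adapters to show up; the point of listing the adapter description and MAC is to separate those from a second physical card patched into another network.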
Suggested tool: Getmac (part of the operating system)
- Thursday
Examine your systems for any evidence of "autoadminlogon" data. Check to see if the user's password is listed in the registry in plain text. Disable autoadminlogon unless explicitly needed for your business.
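The registry check, as an added example that is not from the article: it reads the Winlogon key on each host, reports where AutoAdminLogon is turned on or a DefaultPassword value is present, and, when $Fix is set, turns automatic logon off and removes the stored password. The hosts file and the $Fix switch are assumptions of this script; WinRM must be enabled on the targets.

```powershell
# Added example (not from the article): find AutoAdminLogon with a plain-text
# DefaultPassword in the Winlogon key and optionally disable it.
$Computers = Get-Content .\hosts.txt     # assumption: one hostname per line
$Fix       = $false                      # set $true to remediate after review
$Key       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ArgumentList @($Key, $Fix) -ScriptBlock {
    param($Key, $Fix)
    $p       = Get-ItemProperty -Path $Key
    $enabled = ($p.AutoAdminLogon -eq '1')                        # REG_SZ "1" = on
    $hasPwd  = -not [string]::IsNullOrEmpty($p.DefaultPassword)   # password stored in clear

    $result = [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        AutoAdminLogon  = $enabled
        DefaultUserName = $p.DefaultUserName
        PasswordInClear = $hasPwd
        Remediated      = $false
    }
    if ($Fix -and ($enabled -or $hasPwd)) {
        Set-ItemProperty    -Path $Key -Name AutoAdminLogon  -Value '0'
        Remove-ItemProperty -Path $Key -Name DefaultPassword -ErrorAction SilentlyContinue
        $result.Remediated = $true
    }
    $result
} |
    Where-Object { $_.AutoAdminLogon -or $_.PasswordInClear } |
    Select-Object Computer, AutoAdminLogon, DefaultUserName, PasswordInClear, Remediated |
    Format-Table -AutoSize
```

A DefaultPassword value with AutoAdminLogon already set to 0 is still worth clearing: the password is readable by anyone who can open the key, whether or not the logon is used.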
More information: "How to turn on automatic logon in Windows XP"
- Friday
Review the local administrator group on each workstation, server and domain controller. Identify any user accounts that shouldn't be included in this group. Make sure to look at membership of global groups that may be referenced in the local group.
Suggested tool: Dumpsec
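An added example for the Friday review, not from the article or from Dumpsec: it reads the local Administrators group on each host, drops members on an approved list and the built-in local Administrator, and expands any remaining domain group so the individual users it brings in are listed next to the group they came through. It assumes WinRM on the targets, PowerShell 5.1 or later on them (for Get-LocalGroupMember), and the ActiveDirectory module where the script runs; the hosts file and the approved list are assumptions.

```powershell
# Added example (not from the article): local Administrators membership
# audit with expansion of domain groups referenced in the local group.
Import-Module ActiveDirectory

$Computers = Get-Content .\hosts.txt                             # assumption
$Approved  = @('CORP\Domain Admins', 'CORP\Workstation Admins')  # constructed allow-list

$Members = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $_.Name              # e.g. CORP\jdoe or HOST\Administrator
            ObjectClass = $_.ObjectClass       # User or Group
            Source      = $_.PrincipalSource   # Local, ActiveDirectory, ...
        }
    }
}

$Findings = foreach ($m in $Members) {
    $isApproved = $Approved -contains $m.Name
    $isBuiltIn  = ($m.Source -eq 'Local' -and $m.Name -eq "$($m.Computer)\Administrator")
    if ($isApproved -or $isBuiltIn) { continue }

    if ($m.ObjectClass -eq 'Group' -and $m.Source -eq 'ActiveDirectory') {
        # A domain group: list the users it carries into the local group
        $sam    = ($m.Name -split '\\')[-1]
        $nested = Get-ADGroupMember -Identity $sam -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty SamAccountName
        foreach ($u in $nested) {
            [pscustomobject]@{ Computer = $m.Computer; Member = $u; Via = "group $($m.Name)" }
        }
    } else {
        # A directly added user, or a local account other than Administrator
        [pscustomobject]@{ Computer = $m.Computer; Member = $m.Name; Via = 'direct' }
    }
}

$Findings | Sort-Object Computer, Member | Format-Table -AutoSize
```

Groups on the approved list are skipped without expansion, so if "Workstation Admins" has grown over the years, review its membership separately in AD.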
Week 4
- Monday
Scan the network to check on the status of the Microsoft and third-party patch deployments.
Available tools: PatchManagement.org list of vendors
- Tuesday
Scan the network, and locate unapproved instances of Microsoft SQL Server. Look for the presence of TCP Port 1433. Shut down any unapproved SQL servers.
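One sweep serves both this Tuesday and Week 2's Tuesday: the added example below (not from the article, and not Superscan) makes a timed TCP connect to ports 80, 443 and 1433 on every address in a range and reports listeners that are not on the approved-server list. The address range and the approved list are constructed values; adjust the timeout for slow links.

```powershell
# Added example (not from the article): TCP connect sweep for Web (80/443)
# and SQL Server (1433) listeners, reported against an approved list.
$Ports    = 80, 443, 1433
$Timeout  = 300                                              # ms per attempt
$Hosts    = 1..254 | ForEach-Object { "192.168.10.$_" }      # constructed range
$Approved = @{                                               # constructed: known servers
    '192.168.10.5'  = @(80, 443)
    '192.168.10.20' = @(1433)
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silent host costs only $TimeoutMs, not the OS default
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            $client.EndConnect($async)
            return $true
        }
        return $false
    } catch {
        return $false                                        # refused, unreachable, etc.
    } finally {
        $client.Close()
    }
}

$Open = foreach ($h in $Hosts) {
    foreach ($p in $Ports) {
        if (Test-TcpPort -Address $h -Port $p -TimeoutMs $Timeout) {
            [pscustomobject]@{ Host = $h; Port = $p }
        }
    }
}

$Unapproved = $Open | Where-Object {
    -not ($Approved.ContainsKey($_.Host) -and ($Approved[$_.Host] -contains $_.Port))
}

$Unapproved | Sort-Object Host, Port | Format-Table -AutoSize
```

A SQL Server instance that listens on a port other than 1433 (named instances often do) will not appear here; the article's 1433 check catches default installs, which is where unapproved servers usually are.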
Suggested tool: Superscan
- Wednesday
Review your domain controller group policy settings for the Windows Firewall. Ensure that all the firewall settings for each location are properly set.
More information: "Deploying Windows firewall settings with Group Policy"
- Thursday
Run the Microsoft Malicious Software Removal Tool on your desktop systems.
Download (32 bit)
Download (64 bit)
- Friday
Review your corporate security policies, and make sure they reflect your current needs.
More information: SANS Security Policy Project
Rinse and repeat the next month, and you'll have a more secure environment in no time!
Have some more ideas? Email them to eric@pureplaysecurity.com, and we'll publish them in a future article.
About the author: Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.
This was first published in November 2009
