Initial Network Security Checklist for IS Security Reference

The Network Security Checklist below was created with input from at least a dozen technology consultants and security experts from Experts Exchange. It is not intended to validate a network as secure; it is an INITIAL checklist to start from, covering many areas and items that consultants and admins often forget to check and set, including business, user accounts, service accounts, file security, passwords, users, administrators, network, computers, firewall / router, email security, remote access, monitoring, devices and backups. The questions and items below may not be appropriate or applicable to every organization, because each organization's risk profile is different.

Content Summary

Business
User Accounts
Service Accounts
File Security
Passwords
Users
Administrators
Network
Computers (Workstations & Servers)
Firewall / Router
Email Security
Remote Access
Monitoring
Devices
Backups
Additional Resources
Source

Business

1. Is there a plan in place for what to do in the event of a breach?

2. Is there a procedure to address breaches that expose customer data?

User Accounts

1. Do usernames match email addresses?

2. Are policies and procedures in place to close user accounts immediately upon employee termination, including any remote access permitted?

3. Are users running as local administrators on their computers?

4. Do users have the ability to install software (using separate dedicated admin accounts)?

5. Are logon hours defined for users without 24×7 access requirements?

6. Is folder redirection in use to ensure data does not reside on less secure workstations/devices?

7. For users with local admin rights, does the account used grant access to many systems or just the user’s regular computer?

  • Is there an identical account on all systems or all systems the user uses?
  • Is there a domain account that’s been assigned to multiple systems as an administrator?

Service Accounts

1. Are service accounts denied interactive logon?

2. Are service accounts in privileged groups like Domain Admins?

  • It may be necessary for a service account to have admin rights, but does it need Domain Admin rights or just the local Administrators group?
  • Is it possible to adjust user rights so the service account no longer requires Administrator rights?

3. Active Directory User Account Properties:

  • Are service accounts explicitly denied remote access (AD Dial-in tab)?
  • Is the service account limited to logon to only the computers it needs to? (AD Users and Computers, User Properties, Account tab, Log On To… button).
  • Is the “Account is sensitive and cannot be delegated” checkbox checked?
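The Active Directory properties asked about in items 2 and 3 can be audited in bulk. The following is an added example, not part of the Experts Exchange checklist: it decodes the relevant userAccountControl bits, checks privileged group membership, the "Log On To..." restriction and the Dial-in setting, and runs offline on the constructed sample objects at the bottom. In a domain, pipe real accounts in as shown in the header comment. Item 1 (denying interactive logon) is a user-rights assignment in Group Policy ("Deny log on locally"), not an attribute of the account object, so it is not covered here. The svc_* names, example.local and all attribute values are assumptions.

```powershell
# Added example, not part of the Experts Exchange checklist: audit service
# accounts against the Service Accounts items. Runs offline on the constructed
# sample objects at the bottom; in a domain, pipe real accounts in (assumed usage):
#   Get-ADUser -Filter 'Description -like "*service*"' `
#       -Properties userAccountControl, memberOf, logonWorkstations, msNPAllowDialin |
#       Test-ServiceAccount
# The svc_* names, example.local and all attribute values below are assumptions.

# userAccountControl bit flags (ADS_USER_FLAG_ENUM); only the ones checked here
$UAC = @{
    PASSWD_NOTREQD         = 0x20
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"
    DONT_REQ_PREAUTH       = 0x400000
}

function Test-ServiceAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        # Membership in any of these needs an explicit justification (item 2)
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
            'Schema Admins', 'Administrators', 'Backup Operators', 'Account Operators')
    )
    process {
        $uac = [int]$Account.userAccountControl
        $findings = [System.Collections.Generic.List[string]]::new()

        # Item 3, third bullet: NOT_DELEGATED stops a compromised front-end server
        # from reusing this account's Kerberos ticket against other services
        if (-not ($uac -band $UAC.NOT_DELEGATED)) {
            $findings.Add('delegation not blocked ("sensitive and cannot be delegated" unchecked)')
        }
        if ($uac -band $UAC.TRUSTED_FOR_DELEGATION) { $findings.Add('trusted for unconstrained delegation') }
        if ($uac -band $UAC.DONT_REQ_PREAUTH)       { $findings.Add('Kerberos pre-authentication not required') }
        if ($uac -band $UAC.PASSWD_NOTREQD)         { $findings.Add('password not required') }

        # Item 2: memberOf holds distinguished names, so compare on the CN only
        foreach ($dn in @($Account.memberOf | Where-Object { $_ })) {
            $cn = (($dn -split ',')[0] -replace '^CN=', '')
            if ($PrivilegedGroups -contains $cn) { $findings.Add("member of $cn") }
        }

        # Item 3, second bullet: "Log On To..." is stored in logonWorkstations;
        # an empty value means the account may log on to every computer
        if ([string]::IsNullOrWhiteSpace($Account.logonWorkstations)) {
            $findings.Add('not restricted to specific computers (logonWorkstations empty)')
        }

        # Item 3, first bullet: Dial-in tab. $false = explicitly denied;
        # $null leaves the decision to NPS policy, $true allows access
        if ($Account.msNPAllowDialin -ne $false) {
            $findings.Add('remote access not explicitly denied (msNPAllowDialin)')
        }

        [pscustomobject]@{
            SamAccountName = $Account.sAMAccountName
            Pass           = ($findings.Count -eq 0)
            Findings       = $findings -join '; '
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output (assumed values)
$sample = @(
    [pscustomobject]@{
        sAMAccountName     = 'svc_backup'
        userAccountControl = $UAC.DONT_EXPIRE_PASSWORD -bor $UAC.NOT_DELEGATED
        memberOf           = @('CN=Backup Service,OU=Groups,DC=example,DC=local')
        logonWorkstations  = 'BACKUP01,FILE01'
        msNPAllowDialin    = $false
    },
    [pscustomobject]@{
        sAMAccountName     = 'svc_sql'
        userAccountControl = $UAC.DONT_EXPIRE_PASSWORD
        memberOf           = @('CN=Domain Admins,CN=Users,DC=example,DC=local')
        logonWorkstations  = $null
        msNPAllowDialin    = $null
    }
)
$sample | Test-ServiceAccount | Format-List
```

With the sample data, svc_backup passes and svc_sql is reported with four findings (delegation not blocked, member of Domain Admins, unrestricted logon workstations, remote access not denied). The function deliberately reads memberOf rather than trusting a naming convention, because the group a service account sits in is what an attacker gets, not what its name suggests.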

File Security

1. Are permissions on group shares configured so that end users can alter them (i.e., Full Control granted rather than Modify)?

2. Is user access controlled via Groups or by assigning individual users?

3. Is auditing enabled for highly sensitive files?

4. Is File Classification used to protect sensitive information?

Passwords

1. What kind of password policy exists?

  • What is the minimum password length?
  • What is the change frequency?
  • Are there complexity requirements?

2. Are users observed to have passwords written down in obvious places?

3. Is multi-factor authentication used in-house?

4. Password change frequency should be set relative to complexity and minimum length: a long, complex password or passphrase does not need to be rotated as often as a short, simple one.

Users

1. Are users provided with at least annual training to recognize threats such as social engineering attempts?

2. Are users provided with training regarding security best practices and why they should follow them?

Administrators

1. How many admin accounts are there, relative to the number of users in the environment?

2. Is the default Administrator account disabled and renamed?

3. Do any Domain Admin accounts have “admin” in their name?

4. Do all individuals requiring admin access have their own separate admin accounts? This includes all owners, administrators, consultants, and vendors.

5. Do all individuals who have admin rights routinely operate as non-privileged users?

6. Do administrators routinely ask for/know end-user passwords?

7. How often are admin account passwords changed?

8. Are all scripts developed by administrators documented as to their authors?

9. Do scripts include clear-text passwords in their body?

10. Are Domain Admin accounts used to log on to workstations or member servers (rather than only domain controllers)?

11. Have all important groups been verified for appropriate membership, including (but not necessarily limited to):

  • Domain Admins
  • Backup Operators
  • Enterprise Admins
  • Schema Admins
  • Group Policy Creator Owners
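Reviewing the groups listed in item 11 by hand misses members that arrive through nested groups. The following is an added example, not part of the checklist: it flattens nested membership with cycle protection, then flags the things items 1, 2, 3 and 11 ask about (the built-in Administrator by its RID 500 rather than by name, "admin" in Domain Admin account names, members present only through nesting, and the count of distinct privileged accounts). It runs offline on the constructed membership map at the bottom; in a domain the map would be built from direct membership as shown in the header comment. All group names, account names and SIDs are made up.

```powershell
# Added example, not part of the checklist: review the privileged groups,
# flattening nested groups so that an account that reaches Domain Admins
# through "Tier0 Ops" -> "Helpdesk" is not missed. Runs offline on the
# constructed membership map below; in a domain, build the map from direct
# membership (assumed usage, nesting is resolved by Expand-GroupMembers):
#   $map[$g] = @((Get-ADGroupMember -Identity $g).Name)
# and $users from Get-ADUser -Properties SID, Enabled. Names and SIDs are made up.

$PrivilegedGroups = 'Domain Admins', 'Backup Operators', 'Enterprise Admins',
                    'Schema Admins', 'Group Policy Creator Owners'

function Expand-GroupMembers {
    # Returns the distinct non-group members of $Group, recursing into nested
    # groups and guarding against membership cycles (A contains B contains A)
    param(
        [string]$Group,
        [hashtable]$Map,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    foreach ($m in @($Map[$Group] | Where-Object { $_ })) {
        if ($Map.ContainsKey($m)) {
            # nested group: only descend the first time we meet it
            if ($Seen.Add($m)) { Expand-GroupMembers -Group $m -Map $Map -Seen $Seen }
        } elseif ($Seen.Add($m)) {
            $m
        }
    }
}

function Get-PrivilegedGroupReport {
    param([hashtable]$Map, [hashtable]$Users, [string[]]$Groups = $PrivilegedGroups)
    foreach ($g in $Groups) {
        foreach ($member in Expand-GroupMembers -Group $g -Map $Map) {
            $u = $Users[$member]
            $flags = [System.Collections.Generic.List[string]]::new()
            # Item 2: the built-in Administrator always has RID 500, whatever it is called
            if ($u.Sid -match '-500$') {
                if ($member -eq 'Administrator') { $flags.Add('built-in Administrator not renamed') }
                if ($u.Enabled) { $flags.Add('built-in Administrator (RID 500) still enabled') }
            }
            # Item 3: names that advertise the privilege level
            if ($g -eq 'Domain Admins' -and $member -match 'admin') { $flags.Add('"admin" in account name') }
            # Item 11: a member that arrived through a nested group rather than directly
            if ($Map[$g] -notcontains $member) { $flags.Add('nested membership, not a direct member') }
            [pscustomobject]@{
                Group   = $g
                Member  = $member
                Enabled = $u.Enabled
                Flags   = $flags -join '; '
            }
        }
    }
}

# Constructed sample (assumed): group -> direct members, with a nested group and a cycle
$map = @{
    'Domain Admins'               = @('Administrator', 'jsmith-da', 'Tier0 Ops')
    'Enterprise Admins'           = @('Administrator')
    'Schema Admins'               = @()
    'Backup Operators'            = @('svc_backup')
    'Group Policy Creator Owners' = @('Administrator')
    'Tier0 Ops'                   = @('mjones-da', 'Helpdesk')   # nested under Domain Admins
    'Helpdesk'                    = @('hd-admin', 'Tier0 Ops')   # cycle back to Tier0 Ops
}
$users = @{
    'Administrator' = @{ Sid = 'S-1-5-21-1000-2000-3000-500';  Enabled = $true }
    'jsmith-da'     = @{ Sid = 'S-1-5-21-1000-2000-3000-1104'; Enabled = $true }
    'mjones-da'     = @{ Sid = 'S-1-5-21-1000-2000-3000-1105'; Enabled = $true }
    'hd-admin'      = @{ Sid = 'S-1-5-21-1000-2000-3000-1210'; Enabled = $true }
    'svc_backup'    = @{ Sid = 'S-1-5-21-1000-2000-3000-1300'; Enabled = $true }
}

$report = Get-PrivilegedGroupReport -Map $map -Users $users
$report | Format-Table -AutoSize
# Item 1: how many distinct accounts hold any of these memberships
$distinct = @($report.Member | Sort-Object -Unique).Count
"Distinct privileged accounts: $distinct of $($users.Count) sampled users"
```

On the sample data the report shows hd-admin as an effective Domain Admin even though the Helpdesk group is never listed in Domain Admins directly, which is the kind of finding a manual review of the group's member tab does not surface. The cycle between Tier0 Ops and Helpdesk terminates because a nested group is only descended the first time it is seen.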

Network

1. Are VLANs used to segregate wifi, servers, printers, workstations, VoIP?

2. Is Wifi in use?

3. Is the Wifi firmware up-to-date?

4. Is the Wifi password protected?

  • Is a common pre-shared key used, or are users individually authenticated (802.1X)?
  • How often is the key changed?
  • Is the SSID named something that identifies which network it belongs to?

5. Guest Wifi

  • Is the Guest Wifi also the company Wifi?
  • Is the Guest Wifi on a Separate network?
  • Does the Guest Wifi have a separate public IP?

6. Are managed network switches in use?

7. Are unused network ports disabled?

8. Is a Proxy Server used/properly configured?

9. Is the network and all related systems and processes properly documented?

10. Is the documentation maintained/up-to-date?

Computers (Workstations & Servers)

1. Are systems patched regularly and up-to-date?

2. Are third-party utility programs up to date? For example, Java, Acrobat, Flash, etc.

3. Are the hard drives encrypted – both Servers and Workstations?

4. Is there a policy automatically locking workstations that remain idle too long?

5. Is there a policy that hides the last signed-in username on the logon screen?

6. Is there a host-based software firewall (Windows Firewall or the firewall bundled with the antivirus product)?

7. Is there an antivirus program installed and up-to-date?

8. Computer naming – are high-value systems named something identifying?

9. Are computers and network equipment labeled appropriately?

10. Are local accounts kept to a minimum and administrative access granted to specific domain-based accounts (for domain environments)?

Firewall / Router

1. Is the rule base deny by default or allow by default?

2. Is the device Business Class or Home Class?

3. If business class, does the device support UTM capabilities, such as antivirus, web filtering, and spam filtering?

4. Are there expired/unneeded rules still in place?

5. Are you geo-blocking where appropriate?

Email Security

1. Is spam filtering used?

2. Is the spam filtering provided by a third-party service?

3. Is the spam filtering done in-house?

4. Is the spam filter updated regularly?

5. Has the spam filter been tweaked/configured to provide the maximum protection or are default settings in use?

6. Is the SPF record set up and correct?

7. Is the DMARC record set up and correct?

8. Has the domain been checked using resources such as MXToolbox.com?
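"Correct" in items 6 and 7 is more than "exists". The following is an added example, not part of the checklist or of any MXToolbox tool: it applies the checks a reviewer makes on SPF and DMARC records (single SPF record, a terminal all mechanism that is not +all or ?all, the 10-lookup limit from RFC 7208, and for DMARC a v=DMARC1 first tag, an enforcing p=, rua= reporting, pct= and sp=). It runs offline on the constructed records at the bottom; the header comment shows the assumed way to fetch live records with Resolve-DnsName. example.com, example.net and the addresses in the records are assumptions.

```powershell
# Added example, not part of the checklist: reviewer checks for SPF and DMARC.
# Runs offline on the constructed records at the bottom. For a live domain
# (assumed usage, Windows DNS client; TXT records come back in 255-byte chunks):
#   $apexTxt = Resolve-DnsName -Name $domain -Type TXT | ForEach-Object { $_.Strings -join '' }
#   $dmarc   = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT).Strings -join ''
# example.com, example.net and every host/address below are assumptions.

function Test-SpfRecord {
    param([string[]]$TxtRecords)   # every TXT record at the domain apex
    $findings = [System.Collections.Generic.List[string]]::new()
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) {
        $findings.Add('no SPF record')
    } else {
        if ($spf.Count -gt 1) { $findings.Add("$($spf.Count) SPF records; RFC 7208 treats that as permerror") }
        $terms = @($spf[0] -split '\s+' | Select-Object -Skip 1)
        # The final "all" decides what happens to every sender not listed
        $all = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
        if (-not $all)                  { $findings.Add('no terminal all mechanism; unlisted senders get a neutral result') }
        elseif ($all -match '^\+?all$') { $findings.Add('+all: every sender passes, the record authorises nothing') }
        elseif ($all -eq '?all')        { $findings.Add('?all: neutral, gives receivers nothing to act on') }
        # RFC 7208 section 4.6.4: at most 10 terms that need DNS lookups
        $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=' }).Count
        if ($lookups -gt 10) { $findings.Add("$lookups DNS-lookup terms, limit is 10 (permerror)") }
        if ($terms -match '^[+\-~?]?ptr') { $findings.Add('ptr mechanism is deprecated by RFC 7208') }
    }
    [pscustomobject]@{ Type = 'SPF'; Record = $spf[0]; Pass = ($findings.Count -eq 0); Findings = $findings -join '; ' }
}

function Test-DmarcRecord {
    param([string]$TxtRecord)      # the TXT record at _dmarc.<domain>
    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $TxtRecord -or $TxtRecord -notmatch '^v=DMARC1\s*;') {
        $findings.Add('no DMARC record, or v=DMARC1 is not the first tag')
    } else {
        # Tags are "name=value" pairs separated by semicolons
        $tags = @{}
        foreach ($pair in ($TxtRecord -split ';')) {
            if ($pair -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
        }
        if (-not $tags.ContainsKey('p'))   { $findings.Add('p= tag missing; receivers ignore the record') }
        elseif ($tags['p'] -eq 'none')     { $findings.Add('p=none: monitoring only, spoofed mail is still delivered') }
        if (-not $tags.ContainsKey('rua')) { $findings.Add('no rua= address, so aggregate reports are never seen') }
        if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
            $findings.Add("pct=$($tags['pct']): policy applied to only part of the mail")
        }
        if ($tags['sp'] -eq 'none' -and $tags['p'] -ne 'none') { $findings.Add('sp=none: subdomains exempt from the policy') }
    }
    [pscustomobject]@{ Type = 'DMARC'; Record = $TxtRecord; Pass = ($findings.Count -eq 0); Findings = $findings -join '; ' }
}

# Constructed records (assumed): two TXT records at the apex, one DMARC record
$apexTxt = @(
    'v=spf1 include:_spf.example.net ip4:203.0.113.10 mx ~all',
    'v=spf1 a -all'      # second SPF record left behind by a mail migration
)
$dmarc = 'v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com'
Test-SpfRecord -TxtRecords $apexTxt
Test-DmarcRecord -TxtRecord $dmarc
```

On the sample data SPF fails for having two records (receivers return permerror and apply no policy at all, so the domain is worse off than with one permissive record), and DMARC fails only on p=none. A ~all softfail is accepted here because it is the normal state while DMARC reports are being collected; once the reports show all legitimate sources aligned, the record should move to -all and the DMARC policy to quarantine or reject.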

Remote Access

1. Is remote access provided?

2. Is VPN used?

  • Is it a full tunnel?
  • Is it DirectAccess?
  • Is workstation health enforced?

3. Are ports open/redirected for services other than VPN (such as RDP, VNC, or other third-party remote access programs that don’t register with a central server?)

4. Is multi-factor authentication used with remote access?

5. Are web services that provide remote access (such as Remote Desktop Gateway) using valid TLS (SSL) certificates?

6. Is RDP configured to prohibit redirection of resources as a rule (do not redirect printers, drives) except for users that explicitly require such redirection?

7. Is RDP set to require Network Level Authentication?

8. Are user IPs whitelisted to limit remote access rights where possible?
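The host-level questions in the Computers section (items 3 to 7) and the RDP questions in this section (items 6 and 7) map to specific registry values and cmdlets on a Windows machine. The following is an added example, not part of the checklist: a read-only baseline check to run in an elevated PowerShell on the workstation or server under review, covering the machine inactivity limit, hiding the last signed-in user, firewall profiles, Defender status and signature age, BitLocker on the system drive, Network Level Authentication and drive/printer redirection policy. The 900-second idle limit and 3-day signature age are assumed thresholds, not values from the checklist.

```powershell
# Added example, not part of the checklist: read the host settings behind
# Computers items 3-7 and Remote Access items 6-7 on a Windows host. Run in an
# elevated PowerShell on the machine under review; it only reads. The 900 s idle
# limit and 3-day signature age are assumed thresholds.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means "not configured", which the caller treats as a fail
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-HostBaseline {
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $tsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $rows   = [System.Collections.Generic.List[object]]::new()
    function Add-Row([string]$Item, $Value, [bool]$Pass) {
        $rows.Add([pscustomobject]@{ Item = $Item; Value = $Value; Pass = $Pass })
    }

    # Computers 4: "Interactive logon: Machine inactivity limit"; 0 or absent = never locks
    $idle = Get-RegValue $sysPol 'InactivityTimeoutSecs'
    Add-Row 'Idle lock timeout (s)' $idle ($null -ne $idle -and $idle -gt 0 -and $idle -le 900)

    # Computers 5: "Interactive logon: Don't display last signed-in"
    $hide = Get-RegValue $sysPol 'DontDisplayLastUserName'
    Add-Row 'Last username hidden' $hide ($hide -eq 1)

    # Computers 6: Windows Firewall on for the Domain, Private and Public profiles
    $off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' } | ForEach-Object Name)
    Add-Row 'Firewall profiles disabled' ($off -join ', ') ($off.Count -eq 0)

    # Computers 7: Microsoft Defender status; a third-party product puts Defender in
    # passive mode and needs its own console checked instead
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        Add-Row 'AV enabled / signature age (days)' "$($mp.AntivirusEnabled) / $($mp.AntivirusSignatureAge)" `
            ($mp.AntivirusEnabled -and $mp.AntivirusSignatureAge -le 3)
    } catch { Add-Row 'AV status' 'Get-MpComputerStatus unavailable' $false }

    # Computers 3: BitLocker protecting the system drive
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        Add-Row 'BitLocker on system drive' "$($bl.ProtectionStatus)" ("$($bl.ProtectionStatus)" -eq 'On')
    } catch { Add-Row 'BitLocker on system drive' 'BitLocker module unavailable' $false }

    # Remote Access 7: Network Level Authentication; a policy value overrides the listener's own
    $nla = Get-RegValue $tsPol 'UserAuthentication'
    if ($null -eq $nla) { $nla = Get-RegValue $rdpTcp 'UserAuthentication' }
    Add-Row 'RDP requires NLA' $nla ($nla -eq 1)

    # Remote Access 6: drive (fDisableCdm) and printer (fDisableCpm) redirection disabled by policy
    foreach ($name in 'fDisableCdm', 'fDisableCpm') {
        $v = Get-RegValue $tsPol $name
        Add-Row "RDP policy $name" $v ($v -eq 1)
    }
    $rows
}

Test-HostBaseline | Format-Table -AutoSize
```

A missing registry value is reported as a fail rather than skipped, because "not configured" is the state the checklist is trying to catch. For the users who genuinely need drive or printer redirection (item 6), the per-user exception belongs in a separate GPO scoped to that group, not in a relaxed default.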

Monitoring

1. Is there centralized logging?

2. Is there centralized alerting?

3. Is there an Intrusion Detection System / SIEM Solution (log correlation) in place?

4. Are the logs reviewed regularly?

Devices

1. Are device passwords changed from their defaults at setup (including Wifi access points, network switches, and out-of-band management controllers such as iLO/DRAC)?

2. Are devices configured to accept only encrypted (TLS) management connections wherever possible?

3. Are there procedures for devices with storage (such as copiers) to be certifiably wiped upon decommission?

4. Are printers appropriately monitored and in a physically secure area where only authorized users have access?

Backups

1. Are backups encrypted?

2. Are backups physically secured?

3. Is Volume Shadow Copy / an equivalent enabled? (Shadow copies help with quick restores but are not a substitute for backups; malware running with admin rights can delete them.)

4. Are there off-site backups?

  • Are the offsite backups transferred securely?
  • Are the offsite backups physically secured?

Additional Resources

Microsoft Local Administrator Password Solution (LAPS)
KnowBe4 – User training service. Includes tools that allow you to test your users, such as a free phishing test
Open Source SIEM Solutions

Source

Experts Exchange: Network Security Checklist