Preparing for the fire before it starts, or our list of general IT security principles
Having analysed the consequences of the WannaCry and Petya viruses, and how they affected our customers, we present here the conclusions and advice we can offer the community. Most of these tips apply to Windows system administrators, since Windows systems are the ones these viruses hit.
1. Servers:
The Active Directory forest and domain functional level must be at least Windows Server 2012 R2, and accounts with administrative rights (at a minimum) must be placed in the Protected Users group. Members of this group are authenticated only with Kerberos (no NTLM, no RC4/DES keys), cannot be delegated, and their credentials are not cached in LSASS, so mimikatz cannot dump their passwords or hashes from a compromised machine. Service accounts and users who need cached (offline) logon do not belong in the group, because those things stop working for its members.
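The following is an added example, not code from the original article: it checks the functional-level prerequisite, collects the members of the tier-0 admin groups, skips anything that looks like a service account, and adds the rest to Protected Users in `-WhatIf` mode so the change can be reviewed before it is applied. The exclusion list (`krbtgt`, `svc_backup`) is a placeholder; the ActiveDirectory RSAT module and rights to change group membership are assumed.

```powershell
# Added example (not from the original article): move privileged accounts into
# the AD "Protected Users" group after checking the prerequisites.
# Assumes the RSAT ActiveDirectory module and rights to change group membership.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator

# The group is created by a 2012 R2 (or newer) PDC emulator, and the full set of
# protections applies only at domain functional level 2012 R2 or higher.
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows2012R2Domain first."
}
Write-Host "PDC emulator $($pdc.HostName) runs $($pdc.OperatingSystem)"

# Candidates: every user that is (directly or via nesting) a member of a tier-0 group.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Property DistinguishedName -Unique

# Assumed names: accounts that must never go into Protected Users. Members lose
# NTLM, RC4/DES Kerberos, delegation and cached logon, which breaks service accounts.
$exclusions = @('krbtgt', 'svc_backup')

foreach ($member in $privileged) {
    if ($exclusions -contains $member.SamAccountName) { continue }

    $acct = Get-ADUser -Identity $member.DistinguishedName -Properties ServicePrincipalNames
    if ($acct.ServicePrincipalNames) {
        # An account with SPNs is a service account; Kerberos-only + no delegation will break it.
        Write-Warning "$($acct.SamAccountName) has SPNs (service account); not adding."
        continue
    }
    if ($acct.Enabled -eq $false) { continue }

    # Dry run: remove -WhatIf once the list has been reviewed.
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct -WhatIf
}

# Verify the resulting membership.
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName, objectClass
```

Test with one admin account first: its logon must still work from a domain-joined machine, and `klist` should show only AES-encrypted tickets. Laptop users who need to log on without network access must stay out of the group.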
Access to shared files must go through a system with versioning or snapshot support, for example SharePoint + OneDrive Pro, so that encrypted files can be rolled back to an earlier version.
On hypervisors (and for the guests, where the hypervisor supports it), UEFI with Secure Boot must be enabled: a ransomware boot loader cannot start in place of the native OS.
Mail server settings must reject executable attachments and archives the gateway cannot open for inspection (password-protected ones, for example). As an extreme measure, force all mail to be rendered as plain text, which removes clickable links from the message body.
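As an added example (not part of the original article), the attachment rules above expressed as Exchange transport rules for an Exchange 2013+ or Exchange Online management shell. The rule names, reject texts and the extension list are assumptions to adapt; the cmdlet and its parameters are the standard ones.

```powershell
# Added example, not from the original article: transport rules that reject
# inbound mail carrying executable content, archives the filter cannot open,
# and script files. Assumes an Exchange 2013+ / Exchange Online management shell.

# 1. Executable content is detected by file type, not by the file name alone, so a
#    renamed .exe is still caught. Separate rules are needed because the
#    conditions inside one rule are combined with AND.
New-TransportRule -Name 'Reject executable attachments' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 2. Password-protected archives cannot be scanned, so treat them as hostile.
New-TransportRule -Name 'Reject unscannable archives' `
    -FromScope NotInOrganization `
    -AttachmentIsPasswordProtected $true `
    -RejectMessageReasonText 'Password-protected archives are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 3. Script and shortcut types that run on double-click but are not flagged as
#    executable content (assumed list; extend it for your environment).
New-TransportRule -Name 'Reject script attachments' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'js','jse','vbs','vbe','wsf','wsh','hta','ps1','scr','bat','cmd','lnk' `
    -RejectMessageReasonText 'Script attachments are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Review what was created and in which order it is evaluated.
Get-TransportRule | Where-Object Name -like 'Reject*' | Format-List Name, State, Priority
```

The rules reject at SMTP time with a 5.7.1 status, so the sender gets a bounce instead of the message silently disappearing; check the message-tracking log for a day before switching from `-RejectMessageReasonText` to a quarantine action if legitimate senders are hit.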
Updates must be installed regularly, at least once every two weeks: routine updating of the servers' OS, drivers and firmware. This is one of the most important points of information security and will seriously strengthen your defences. Keep a written update plan that records the date of the last run and the person responsible.
Move the backup system outside the current environment and set up replication to the backup site. A backup target that production hosts can write to is encrypted along with everything else, so it must not be reachable as a writable share from the machines it protects, and restores must be tested.
2. Workstations:
Client computers should run Windows 10 LTSB. LTSB has fewer potentially dangerous components (no Store or bundled apps) and, in theory, does not track the user, although it still does not hurt to disable telemetry.
Enable UEFI and Secure Boot. As on the servers, a ransomware boot loader cannot run in place of the native OS. Petya reboots the machine and does its encryption from its own boot code; these two settings stop that code from starting. They do not stop a running process with admin rights from overwriting the boot sectors, which is one more reason to have backups. There is a good chance future ransomware will use the same strategy.
Updates must be installed automatically, not only for the operating system itself but for all applications, especially Office. Whether through WSUS or directly from Microsoft's servers does not matter. This item needs no comment: servers are updated manually under a controlled process so that work is not interrupted, but workstations must update automatically.
System administrators must not work on workstations with domain administrator rights: use a separate, unprivileged account for daily work and the admin account only where it is needed.
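The patching items for servers and workstations above come down to two checks: how old the last installed update is, and whether automatic updates (WSUS or Microsoft Update) are actually configured. This added example, not from the original article, collects both over WinRM for a list of hosts and writes the exceptions to a CSV for the person responsible. Host names, the 14-day threshold (the article's "at least once every two weeks") and the output path are assumptions.

```powershell
# Added example (not from the original article): audit patch age and
# Windows Update policy across hosts. Assumes WinRM is enabled and the caller
# has admin rights on the targets. Host names below are assumed.
$targets    = @('srv-dc01', 'srv-file01', 'ws-0123')
$maxAgeDays = 14

$report = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au    = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $wu    = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue

    # Newest hotfix that has an install date (some entries have none).
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        LastHotFix    = $last.HotFixID
        InstalledOn   = $last.InstalledOn
        AgeDays       = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { $null }
        # AUOptions 4 = auto download and install on schedule; 2/3 = notify only
        AUOptions     = $au.AUOptions
        NoAutoUpdate  = $au.NoAutoUpdate          # 1 = automatic updates disabled by policy
        WsusServer    = $wu.WUServer               # empty = updates come from Microsoft directly
        PendingReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
}

$report | Sort-Object AgeDays -Descending |
    Format-Table Host, LastHotFix, InstalledOn, AgeDays, AUOptions, NoAutoUpdate, WsusServer, PendingReboot -AutoSize

# Exceptions: too old, no install date at all, or automatic updates switched off.
$report | Where-Object { $null -eq $_.InstalledOn -or $_.AgeDays -gt $maxAgeDays -or $_.NoAutoUpdate -eq 1 } |
    Export-Csv -Path .\patch-exceptions.csv -NoTypeInformation

# Hosts that did not answer are exceptions too: a machine nobody can reach is a machine nobody patches.
$unreachable | ForEach-Object { Write-Warning "Unreachable: $($_.TargetObject)" }
```

`Get-HotFix` only knows about Windows updates; the Office and other application updates the workstation item calls for have to be checked separately (for click-to-run Office, by comparing the installed version with the current release).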
3. General:
Separate the working environment from Internet browsing, and separate the company's areas/departments into isolated environments, for example as described here.
Separate the infrastructure into VLANs and filter the traffic between them. Blocking specific ports stops the malware from spreading across the network: in Petya's case, TCP 135 (RPC endpoint mapper, used by WMI), 139 and 445 (SMB).
Avoid server applications that require network access to shared folders. Business software such as 1C should run in client-server mode on SQL Server rather than from a file share.
On workstations and servers, configure the host firewall to block outbound connections for all applications except the ones that are required. Details on how and why are in the article.
Disable SMBv1 on servers and workstations, and SMBv2 where possible. In Windows, turning off SMBv2 also turns off SMBv3, and domain members need it for SYSVOL, Group Policy and file shares, so in practice this is only an option for hosts that neither serve nor use shares.
Specialised and rarely used programs, such as M.E.Doc or Internet banking clients (especially Java-based ones), should run on a separate virtual machine with a tightly configured firewall.
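The three host-level items above (blocking the SMB/RPC ports used for lateral movement, an outbound allow list, and retiring SMBv1) fit into one hardening script. The following is an added example, not code from the original article. It relies on the fact that Windows Firewall evaluates explicit block rules before allow rules, so the way to restrict SMB/RPC to a management subnet is a scoped allow rule on top of the default inbound block, not a block rule plus an allow rule. The subnet, infrastructure addresses, WSUS host and browser path are assumptions; run it elevated on a test machine first.

```powershell
# Added example (not from the original article): host firewall and SMB
# hardening for a workstation or member server. Run elevated. Addresses and
# paths below are assumptions for illustration.
$mgmtSubnet = '10.10.250.0/24'                 # assumed: admins and monitoring
$infraHosts = @('10.10.1.10', '10.10.1.11', '10.10.1.30')   # assumed: DCs, file server
$wsusHost   = '10.10.1.20'                     # assumed
$browser    = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # assumed

# 1. Before removing SMBv1, find out who still uses it. Run on file servers for
#    a few days and read Microsoft-Windows-SMBServer/Audit (event 3000).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 2. Disable SMBv1 server and client. SMBv2/3 stays on: domain members need it.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue  # Win10 / 2016+
# Windows Server 2012 R2 / 2008 R2 (no optional feature): registry + service
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# 3. Inbound: default block, drop the broad built-in allows for SMB and WMI,
#    then allow TCP 135/139/445 only from the management subnet.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
foreach ($group in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue | Disable-NetFirewallRule
}
New-NetFirewallRule -DisplayName 'Allow SMB/RPC from management subnet only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 135, 139, 445 `
    -RemoteAddress $mgmtSubnet -Profile Any

# 4. Outbound: log what gets dropped, then default deny with an allow list.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Domain services (DNS, Kerberos, LDAP, SMB to DCs and the file server).
New-NetFirewallRule -DisplayName 'Out: infrastructure hosts' `
    -Direction Outbound -Action Allow -RemoteAddress $infraHosts -Profile Any
# WSUS on its default ports.
New-NetFirewallRule -DisplayName 'Out: WSUS' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 8530, 8531 -RemoteAddress $wsusHost -Profile Any
# Per-application allow: the browser may reach the Internet, nothing else may.
New-NetFirewallRule -DisplayName 'Out: browser' `
    -Direction Outbound -Action Allow -Program $browser -Profile Any

# 5. Verify.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction, Enabled
```

The built-in "Core Networking" rules stay enabled, so DHCP, DNS and ICMPv6 keep working under the outbound block. Review `pfirewall.log` for a few days before rolling the outbound policy out by GPO: every blocked destination that a legitimate application needs becomes one more scoped allow rule, not a reason to turn the default back to allow. On a machine that merely needs to be reachable by admins, a successful `Test-NetConnection -ComputerName <host> -Port 445` from inside `$mgmtSubnet` and a failed one from anywhere else is the acceptance test.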
Do not rely on antivirus: it creates a false sense of security. Look at the latest viruses and how the leading vendors reacted to them; even the standard Windows Defender was among the first to be updated.
Encourage your IT staff to obtain professional technical certifications, and choose an outsourcer whose certifications are valid for the areas you need.
Hold seminars and other events to raise the level of IT awareness and IT culture among all employees, always with real examples and their consequences.
We will be glad to discuss comments and additions in the comments.