
Ensuring the security of your systems is paramount. However, the task can seem daunting and often expensive. For nonprofit organizations, balancing tight budgets with robust security measures can be challenging. Luckily, there are simple, cost-effective ways to harden your systems using nothing more than scripting or Group Policy. Any internal IT team or managed IT services provider should be able to apply them for little to no additional cost. Here’s a list of easy-to-implement strategies to bolster your security:

1. Disable Unnecessary Services

Why it matters: Every running service is code an attacker can talk to. Unused services can be exploited to gain unauthorized access or escalate privileges within your network. Telnet, RDP, SNMP, and SMBv1 are frequent targets because they are outdated, send credentials or data in the clear, or have well-known vulnerabilities.

Examples:

  • Telnet: Rarely used and highly insecure; it sends credentials in clear text.
  • RDP: Disable if not needed; exposed RDP is a common entry point for brute-force and ransomware attacks. Where it is needed, restrict it to known source addresses and require Network Level Authentication.
  • SNMP: Disable, or if it is in use, replace the default community strings and restrict which hosts may query it.
  • SMBv1: Outdated and vulnerable to attacks like WannaCry, which spread through the EternalBlue SMBv1 flaw (MS17-010).

How to do it: Use Group Policy to set the startup type of unwanted services to Disabled across all machines (Computer Configuration > Policies > Windows Settings > Security Settings > System Services). SMBv1 is a Windows feature rather than a service, so remove it with Disable-WindowsOptionalFeature or the SMB cmdlets. Before disabling anything, check the documentation and look for dependencies (print servers, old NAS devices and multifunction printers are the usual SMBv1 stragglers), and stage the change on a pilot group of machines before rolling it out with scripts for bulk changes.
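As an added example (this script is not from the original post and was written for this edit), the following PowerShell audits one Windows machine for the four items above and, with -Apply, disables them. It assumes Windows 10/11 or Server 2016 or later and an elevated session; the feature, service and registry names are the standard Windows ones (on Server you can also use Get-WindowsFeature FS-SMB1 for SMBv1).

```powershell
# Added example (not from the original post): audit and optionally disable the
# legacy services/features named above on the local Windows machine.
# Assumes Windows 10/11 or Server 2016+ and an elevated PowerShell session.
# Run without -Apply to report only; add -Apply to make the changes.
param([switch]$Apply)

$findings = @()

# SMBv1: check both the installed feature and the server-side protocol switch
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
if (($smb1Feature -and $smb1Feature.State -ne 'Disabled') -or $smb1Server) {
    $findings += 'SMBv1 is enabled'
    if ($Apply) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Telnet client is an optional feature on modern Windows (the server is no longer shipped)
$telnet = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient -ErrorAction SilentlyContinue
if ($telnet -and $telnet.State -eq 'Enabled') {
    $findings += 'Telnet client is installed'
    if ($Apply) { Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart | Out-Null }
}

# SNMP service, if it is present at all
$snmp = Get-Service -Name SNMP -ErrorAction SilentlyContinue
if ($snmp -and $snmp.StartType -ne 'Disabled') {
    $findings += "SNMP service is $($snmp.Status), start type $($snmp.StartType)"
    if ($Apply) {
        Stop-Service -Name SNMP -Force
        Set-Service -Name SNMP -StartupType Disabled
    }
}

# RDP: fDenyTSConnections = 0 means inbound Remote Desktop is accepted
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0) {
    $findings += 'RDP connections are allowed'
    if ($Apply) {
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
        # Also close the firewall rules so nothing reaches the listener
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}

if ($findings.Count -eq 0) { 'No legacy services found.' } else { $findings }
```

Run it first without -Apply on a few representative machines; the findings list tells you what the bulk change will touch before you push it through Group Policy or a remote script.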

2. Enforce Strong Password Policies

Why it matters: Weak passwords are an open invitation for breaches through methods like brute force attacks. Enforcing strong password policies reduces the likelihood of unauthorized access.

Examples:

  • Password length: Minimum of 15 characters.
  • Complexity: Require a mix of uppercase, lowercase, numbers, and special characters.
  • Expiration: Set passwords to expire every 365 days.
  • History: Prevent the reuse of the last 5 passwords.

How to do it: In Group Policy Management Console, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. Set the parameters as per your policy requirements. Note that for domain accounts only the policy linked at the domain root (by default the Default Domain Policy) takes effect; the same settings in a GPO linked to an OU only govern local accounts on those machines. If administrators need stricter rules than everyone else, use a Fine-Grained Password Policy rather than a second GPO.

Bonus: Consider using a password filtering solution to block certain words or character combinations. ‘Password123456!’ satisfies a 15-character length and complexity rule yet is one of the first guesses an attacker will try.

3. Enable Firewall and Antivirus Protection

Why it matters: Firewalls and antivirus software are your first line of defense against malicious attacks. They help block unauthorized access and detect malware.

Examples:

  • Windows Firewall: Ensure it is enabled and configured to block inbound connections by default.
  • Antivirus software: Verify that it is installed, updated, and actively scanning.

How to do it: Use Group Policy to enforce firewall settings (Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security), turning the firewall on for all three profiles and setting the inbound default to Block. For antivirus, ensure that the software is part of the standard deployment for all machines and use scripts or the management console to check regularly that real-time protection is on, signatures are current, and scans are actually completing.
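An added example (not from the original post) that checks both items on a single machine. It assumes Windows 10/11 or Server 2016 or later with the built-in Microsoft Defender Antivirus engine and an elevated session; third-party antivirus products expose their own tooling instead of the Defender cmdlets. The thresholds for signature age and scan age are choices made for this example.

```powershell
# Added example (not from the original post): enforce block-inbound-by-default on
# all firewall profiles and report Microsoft Defender Antivirus health.
# Assumes built-in Defender and an elevated session. -Apply fixes what it finds.
param([switch]$Apply)

# --- Firewall: every profile on, inbound blocked unless a rule allows it ---
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
    "{0,-8} Enabled={1,-5} Inbound={2,-8} {3}" -f $p.Name, $p.Enabled, $p.DefaultInboundAction, $(if ($ok) { 'OK' } else { 'FIX' })
}
if ($Apply) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True
}

# --- Antivirus: engine running, real-time protection on, signatures fresh ---
$mp = Get-MpComputerStatus
$signatureAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
$issues = @()
if (-not $mp.AntivirusEnabled)          { $issues += 'Antivirus engine disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $issues += 'Real-time protection off' }
if ($signatureAge.TotalDays -gt 3)      { $issues += "Signatures are $([int]$signatureAge.TotalDays) days old" }
if ($mp.QuickScanAge -gt 7)             { $issues += "Last quick scan was $($mp.QuickScanAge) days ago" }

if ($issues) {
    $issues
    if ($Apply) {
        Update-MpSignature
        Set-MpPreference -DisableRealtimeMonitoring $false
        Start-MpScan -ScanType QuickScan
    }
} else {
    'Defender status: OK'
}
```

Scheduling this to run daily and forward its output (or run it remotely with Invoke-Command across the fleet) gives you the "installed, updated, and actively scanning" check without buying anything.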

4. Implement Account Lockout Policies

Why it matters: Limiting the number of failed login attempts helps to thwart brute force attacks by locking accounts after several failed attempts.

Examples:

  • Lockout threshold: 5 failed attempts.
  • Lockout duration: 30 minutes.
  • Reset account lockout counter: After 15 minutes.

How to do it: Configure these settings in Group Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy. Adjust thresholds and durations based on your organization’s security policy. Windows requires the reset window to be no longer than the lockout duration (unless the duration is 0), so change the two together. As with the password policy, the settings that govern domain accounts are the ones linked at the domain root.

Bonus: Password spraying tries one or two common passwords against many accounts, stays under the lockout threshold, and waits out the reset window before trying again. Lengthening the reset window, or setting the lockout duration to 0 so that a locked account stays locked until an administrator unlocks it, makes spraying far more likely to trip lockouts. The cost is more manual unlocks and a bigger denial-of-service surface (anyone who knows your usernames can lock people out on purpose), so weigh it against your help-desk capacity.
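Sections 2 and 4 set values in the same policy object, so one added example (not from the original post) covers both: it compares the domain’s default password and lockout policy with the targets listed above and, with -Apply, sets them. It assumes the ActiveDirectory RSAT module and a session with rights to change the default domain policy; the target values are the ones from this article.

```powershell
# Added example (not from the original post): compare the domain's default
# password and lockout policy with the targets above and optionally apply them.
# Assumes the ActiveDirectory RSAT module and Domain Admin rights.
# Run without -Apply to report drift only.
param([switch]$Apply)
Import-Module ActiveDirectory

# Target values from the article (hashtable keys match the cmdlet's parameter names)
$target = @{
    MinPasswordLength        = 15
    ComplexityEnabled        = $true
    MaxPasswordAge           = New-TimeSpan -Days 365
    PasswordHistoryCount     = 5
    LockoutThreshold         = 5
    LockoutDuration          = New-TimeSpan -Minutes 30
    LockoutObservationWindow = New-TimeSpan -Minutes 15
}

# Windows rejects an observation window longer than the lockout duration
if ($target.LockoutObservationWindow -gt $target.LockoutDuration) {
    throw 'LockoutObservationWindow must not exceed LockoutDuration'
}

$domain  = (Get-ADDomain).DNSRoot
$current = Get-ADDefaultDomainPasswordPolicy -Identity $domain

$drift = foreach ($name in $target.Keys) {
    if ($current.$name -ne $target[$name]) {
        [pscustomobject]@{ Setting = $name; Current = $current.$name; Target = $target[$name] }
    }
}

if (-not $drift) {
    "Default domain password policy for $domain already matches the target."
} else {
    $drift | Format-Table -AutoSize
    if ($Apply) {
        # Splatting passes every target value as the matching parameter
        Set-ADDefaultDomainPasswordPolicy -Identity $domain @target
        "Applied to $domain. For stricter rules on admin accounts, create a"
        "fine-grained password policy (New-ADFineGrainedPasswordPolicy) instead."
    }
}
```

Because the script reports drift before changing anything, it doubles as a quarterly check that nobody has quietly relaxed the policy.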

5. Regular Software Updates and Patching

Why it matters: Unpatched software is a common entry point for attackers looking to exploit known vulnerabilities. Regular updates and patches close these security gaps.

Examples:

  • Operating systems: Check for and apply Windows updates at least weekly, so that monthly Patch Tuesday releases and any out-of-band fixes land within days rather than months.
  • Third-party software: Regularly update applications like browsers, PDF readers, and other frequently used tools.

How to do it: Use centralized patch management tools that can automate updates across the organization. Windows Update settings can be enforced with Group Policy, and WSUS is included with Windows Server at no extra licence cost; third-party applications usually need a separate tool or their own auto-update turned on.

6. Restrict Administrative Privileges

Why it matters: Limiting administrative privileges reduces the risk of a compromised account causing widespread damage. Only essential personnel should have administrative access.

Examples:

  • Principle of least privilege: Only grant administrative rights to those who absolutely need them.
  • Regular audits: Review administrative accounts quarterly.

How to do it: Use Group Policy to control who is in the local Administrators group (Restricted Groups, or the Local Users and Groups preference) rather than letting membership drift machine by machine. Give administrators a separate account for administrative work that is never used for email or browsing, and use LAPS so the built-in local Administrator password is unique on every machine. Regularly review and adjust permissions through audits and maintain an updated list of all administrative accounts.
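An added example (not from the original post) for the quarterly review: it expands the privileged Active Directory groups, compares the members with an approved list, and flags stale accounts. It assumes the ActiveDirectory RSAT module; the approved list and its account names are constructed placeholders to replace with your own.

```powershell
# Added example (not from the original post): quarterly audit of privileged AD
# groups against an approved list, so unexpected or stale members stand out.
# Assumes the ActiveDirectory RSAT module. The approved list is a constructed
# placeholder; keep your real one under change control.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Constructed approved membership by SamAccountName
$approved = @{
    'Domain Admins'     = @('adm.jsmith', 'adm.mlee')
    'Enterprise Admins' = @()
    'Schema Admins'     = @()
    'Administrators'    = @('adm.jsmith')
}

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $user = Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate, Enabled, PasswordLastSet
        [pscustomobject]@{
            Group      = $group
            Account    = $user.SamAccountName
            Approved   = $approved[$group] -contains $user.SamAccountName
            Enabled    = $user.Enabled
            LastLogon  = $user.LastLogonDate
            PwdLastSet = $user.PasswordLastSet
            # A privileged account nobody has used for 90 days is a liability, not an asset
            Stale      = (-not $user.LastLogonDate) -or ($user.LastLogonDate -lt (Get-Date).AddDays(-90))
        }
    }
}

$report | Sort-Object Group, Account | Format-Table -AutoSize

# Anything unapproved or stale goes to the review file for removal or sign-off
$report | Where-Object { -not $_.Approved -or $_.Stale } |
    Export-Csv -Path "PrivilegedAccountReview-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

The CSV is the artifact to keep: a dated record of who held administrative rights and what was decided about each exception.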

7. Audit and Monitor System Logs

Why it matters: Monitoring system logs helps detect and respond to suspicious activities quickly. Logs can provide critical insights into security events.

Examples:

  • Log retention: Retain logs for at least 90 days. The default Security log size is too small to hold that on a busy machine, so raise it through Group Policy or forward events off the box.
  • Critical event alerts: Set up alerts for events such as multiple failed login attempts, changes to security settings, and new user account creation or additions to privileged groups.

How to do it: First make sure the events are generated at all: enable the relevant subcategories under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration (logon, account management, security group management, audit policy change). Then implement centralized logging (Windows Event Forwarding is built in and free; a SIEM if the budget allows) and set up alerts for critical events. Automate log analysis to identify suspicious activities quickly.
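An added example (not from the original post) of the kind of automated analysis meant here, run over a single machine’s Security log. It assumes the audit subcategories above are enabled and an elevated session that can read the Security log; the alert thresholds are choices made for this example. The event IDs are the standard Windows ones: 4625 failed logon, 4719 audit policy changed, 4720 user account created, and 4728/4732/4756 member added to a global/local/universal security group.

```powershell
# Added example (not from the original post): daily triage of the local Security
# log for the event types listed above. Assumes auditing is enabled and an
# elevated session. Thresholds are example values.
param([int]$Hours = 24, [int]$FailedLogonThreshold = 10, [int]$SprayAccountThreshold = 5)

$since = (Get-Date).AddHours(-$Hours)
$ids   = 4625, 4719, 4720, 4728, 4732, 4756
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue

# Pull the named EventData fields out of an event's XML into a hashtable
function Get-EventFields($event) {
    $x = [xml]$event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Failed logons: many failures on one account looks like brute force; a few
# failures each across many accounts from one source looks like spraying
$failed = $events | Where-Object Id -eq 4625 | ForEach-Object {
    $d = Get-EventFields $_
    [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; Source = $d.IpAddress; Status = $d.Status }
}
"Failed logons in the last $Hours h: $($failed.Count)"

$failed | Group-Object Account | Where-Object Count -ge $FailedLogonThreshold |
    ForEach-Object { "  ALERT brute force?  account {0,-25} {1} failures" -f $_.Name, $_.Count }

$failed | Group-Object Source | ForEach-Object {
    $accounts = ($_.Group.Account | Sort-Object -Unique).Count
    if ($accounts -ge $SprayAccountThreshold) {
        "  ALERT spray?  source {0} tried {1} accounts ({2} failures)" -f $_.Name, $accounts, $_.Count
    }
}

# Configuration and account changes are rare enough to list in full
$events | Where-Object Id -ne 4625 | ForEach-Object {
    $d = Get-EventFields $_
    $what = switch ($_.Id) {
        4719    { 'Audit policy changed' }
        4720    { "User created: $($d.TargetUserName)" }
        default { "Added $($d.MemberName) to group $($d.TargetUserName)" }
    }
    "  {0:u}  {1}  by {2}  {3}" -f $_.TimeCreated, $_.Id, $d.SubjectUserName, $what
}
```

Pointed at a collector instead of the local log (change LogName to ForwardedEvents), the same script covers every forwarding machine in one run.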

8. Disable USB and Removable Media

Why it matters: Disabling USB ports and removable media helps reduce the risk of data leakage and malware infections. Unauthorized devices can be a security risk.

Examples:

  • USB storage devices: Disable or restrict usage.
  • CD/DVD drives: Disable if not needed.

How to do it: Use Group Policy under Computer Configuration > Administrative Templates > System > Removable Storage Access (‘All Removable Storage classes: Deny all access’, or the per-class deny read/write settings) to block removable disks and CD/DVD drives. If you also want to stop the device drivers from installing in the first place, use the Device Installation Restrictions under System > Device Installation. Where a few users genuinely need USB storage, scope an exception through a separate OU or a security-filtered GPO rather than loosening the rule for everyone.

9. Configure Secure Remote Access

Why it matters: Ensuring secure remote access is crucial to protect against unauthorized use, especially in the era of remote work. Secure remote access reduces the risk of data breaches.

Examples:

  • Encrypted solution: Enforce the use of a VPN or a secure third-party remote access tool; never expose RDP or SMB directly to the internet.
  • Multi-factor authentication (MFA): Require MFA for all remote access.

How to do it: Use scripts or management tools to enforce VPN usage for remote connections, and keep RDP and file shares reachable only from inside the VPN. Implement MFA using solutions like Azure MFA or third-party tools to add an extra layer of security.

10. Enable BitLocker or Disk Encryption

Why it matters: Disk encryption protects your data in case of physical theft of devices. It ensures that data remains inaccessible without proper authorization.

Examples:

  • BitLocker: Enable on all Windows devices.
  • Recovery keys: Store securely and manage properly.

How to do it: Use Group Policy to enable BitLocker and configure encryption settings under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. Under Operating System Drives, enable ‘Choose how BitLocker-protected operating system drives can be recovered’ with ‘Save BitLocker recovery information to AD DS’ and ‘Do not enable BitLocker until recovery information is stored to AD DS’, so a machine cannot be encrypted without its recovery key being escrowed first. Ensure recovery keys are stored securely in Active Directory or another secure location, and test that a help-desk technician can actually retrieve one before you need it.
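An added example (not from the original post) that reports BitLocker status on one machine and makes sure every volume has a recovery password escrowed in Active Directory. It assumes a domain-joined Windows 10/11 client with a TPM, an elevated session, and the Group Policy above permitting AD DS backup; XTS-AES 256 is a choice made for this example.

```powershell
# Added example (not from the original post): check BitLocker on every volume,
# add and escrow a recovery password where one is missing, and encrypt the OS
# drive with a TPM protector if it is still clear. Assumes a domain-joined
# machine with a TPM and an elevated session. -Apply makes the changes.
param([switch]$Apply)
Import-Module BitLocker

foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    "{0}  Status={1}  Protection={2}  {3}% encrypted" -f $mp, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

    # 1. Every volume needs a recovery password protector for the help desk
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        '  No recovery password protector'
        if ($Apply) {
            Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
            $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }
    }

    # 2. Escrow each recovery password to the computer object in AD DS
    foreach ($p in $rp) {
        if ($Apply) {
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId
            "  Escrowed recovery password $($p.KeyProtectorId) to AD DS"
        } else {
            "  Recovery password protector $($p.KeyProtectorId) present (use -Apply to escrow)"
        }
    }

    # 3. Encrypt the OS drive if it is still in the clear (after escrow, so the
    #    GPO that blocks encryption until the key is backed up is satisfied)
    if ($vol.VolumeType -eq 'OperatingSystem' -and $vol.VolumeStatus -eq 'FullyDecrypted') {
        '  OS drive is not encrypted'
        if ($Apply) {
            Enable-BitLocker -MountPoint $mp -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest
            '  Encryption started; it continues in the background'
        }
    }
}
```

Run without -Apply across the fleet to get the list of machines that are unencrypted or whose keys were never escrowed; those are the laptops whose loss would actually cost you data.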

11. Disable NTLM Authentication

Why it matters: NTLM is a legacy challenge-response protocol. Its password hashes can be replayed in pass-the-hash attacks, its authentication exchanges can be relayed to other hosts (NTLM relay), and it offers no mutual authentication. Kerberos avoids these weaknesses, so moving to it reduces the risk.

Examples:

  • NTLM: Disable and enforce the use of Kerberos. At a minimum, refuse LM and NTLMv1 immediately; audit remaining NTLMv2 use before blocking it.

How to do it: Use Group Policy to configure the settings under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Set ‘Network security: LAN Manager authentication level’ to ‘Send NTLMv2 response only. Refuse LM & NTLM’ first. Then turn on the ‘Network security: Restrict NTLM’ audit settings and watch the NTLM Operational event log (events 8001 to 8004) for a few weeks; every entry is a client, server or application that still depends on NTLM. Only once that list is empty or explicitly exempted should you set the Restrict NTLM policies to ‘Deny all’. Ensure all systems and applications are compatible with Kerberos before disabling NTLM.
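An added example (not from the original post) of that audit step on one machine: with -EnableAudit it writes the registry values that the ‘LAN Manager authentication level’ and ‘Restrict NTLM’ policies set, then it summarises the NTLM Operational log. It assumes Windows 10/11 or Server 2016 or later and an elevated session. Because the event text (not the field names) is what Microsoft documents consistently, the script de-duplicates on the message, which contains the user, the target or workstation, and the process.

```powershell
# Added example (not from the original post): enable NTLM auditing locally and
# summarize who still uses NTLM, so you know what breaks before restricting it.
# Assumes Windows 10/11 or Server 2016+ and an elevated session.
param([switch]$EnableAudit, [int]$Days = 7)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

if ($EnableAudit) {
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    # AuditReceivingNTLMTraffic 2 = audit incoming NTLM for all accounts
    Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    # RestrictSendingNTLMTraffic 1 = audit (not block) outgoing NTLM to remote servers
    Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    'NTLM auditing enabled; events are written to Microsoft-Windows-NTLM/Operational.'
}

$kind = @{
    8001 = 'outgoing NTLM (this machine as client)'
    8002 = 'incoming NTLM (this machine as server)'
    8003 = 'NTLM authentication in the domain (logged on domain controllers)'
    8004 = 'NTLM blocked or audited by domain policy (logged on domain controllers)'
}

$log = 'Microsoft-Windows-NTLM/Operational'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue

if (-not $events) {
    "No NTLM events in $log for the last $Days days (is auditing on?)"
    return
}

"NTLM use on $env:COMPUTERNAME in the last $Days days"
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    $id = [int]$_.Name
    "`n{0} events with Id {1}: {2}" -f $_.Count, $id, $kind[$id]
    # Identical messages collapse, so each line is one client/user/process combination
    $_.Group | Group-Object Message | Sort-Object Count -Descending | Select-Object -First 10 |
        ForEach-Object { "  x{0,-5} {1}" -f $_.Count, ($_.Name -replace '\s+', ' ') }
}
# Everything listed above must move to Kerberos, or be explicitly exempted,
# before the Restrict NTLM policies are set to "Deny all".
```

Run it on file servers and domain controllers as well as clients; the server-side (8002) entries are the ones that reveal printers, NAS boxes and old applications that will stop working the day NTLM is denied.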

12. Disable mDNS (Multicast DNS)

Why it matters: mDNS is an unauthenticated, link-local name-resolution protocol. Like LLMNR, it lets any host on the LAN answer ‘who is X?’ queries, so an attacker running a poisoner such as Responder can answer for mistyped or non-existent names, capture NTLMv2 challenge-responses for offline cracking, or relay them to other hosts. It also advertises hosts and services, which helps reconnaissance. Disabling it removes one of the easiest footholds for lateral movement on a flat network.

Examples:

  • mDNS services: Disable on all devices.

How to do it: Windows 10 and 11 have a built-in mDNS responder inside the DNS Client (Dnscache) service; set the DWORD value EnableMDNS to 0 under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters (deploy it with a Group Policy Preferences registry item) and reboot. Remove or disable the Apple Bonjour service where some application installed it. Some printers, conferencing and casting devices depend on mDNS for discovery; if you have them, keep mDNS on a dedicated segment rather than the whole network.

13. Disable IPv6, WPAD (Web Proxy Auto-Discovery) and LLMNR (Link-Local Multicast Name Resolution)

Why it matters: IPv6, WPAD, and LLMNR each let an unauthenticated host on the local network influence where Windows sends its traffic, which is the basis for man-in-the-middle attacks: attackers intercept traffic, redirect it to malicious servers, or capture and relay the credentials that come with it.

Examples:

  • IPv6: Windows enables IPv6 and prefers it over IPv4, and clients ask for DHCPv6 configuration even on networks where nobody has deployed IPv6. An attacker can answer as a rogue DHCPv6 server, hand out their own address as the DNS server, and intercept or relay authentication (the mitm6 technique).
  • WPAD: Disable automatic proxy detection; otherwise whoever can answer for the name ‘wpad’ (via DNS, LLMNR or mDNS) can push a malicious proxy configuration to every browser.
  • LLMNR: Disable it; it lets any LAN host answer name queries and harvest or relay NTLM credentials.

How to do it: Use Group Policy to disable these protocols. For WPAD, uncheck ‘Automatically detect settings’ in the LAN proxy settings (Internet Options > Connections), disable the WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc), and make sure nobody can register the name ‘wpad’ in your DNS (Windows DNS Server’s global query block list blocks it by default, so leave that in place). For LLMNR, enable ‘Turn off multicast name resolution’ under Computer Configuration > Policies > Administrative Templates > Network > DNS Client. For IPv6, the behaviour is controlled by the DisabledComponents registry value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, which you can deploy with a Group Policy Preferences registry item; on networks with no IPv6, also block DHCPv6 in Windows Firewall, since that is what the rogue-server attack needs. Microsoft does not recommend turning IPv6 off completely (several Windows components assume it exists), so preferring IPv4 (0x20) and disabling IPv6 only on interfaces that do not require it is safer than the full 0xFF.
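Sections 12 and 13 all come down to a handful of registry values and one firewall rule, so one added example (not from the original post) covers both: it audits and, with -Apply, sets them on the local machine, and also disables NetBIOS over TCP/IP, the third name-resolution protocol the same poisoning tools abuse. It assumes Windows 10/11 or Server 2016 or later and an elevated session; the firewall rule name is a choice made for this example. In a domain, deploy the same values with Group Policy (LLMNR has a native policy setting; the others fit a Group Policy Preferences registry item).

```powershell
# Added example (not from the original post): audit and optionally set the
# registry values behind the LLMNR, mDNS, WPAD and IPv6 hardening above, block
# DHCPv6, and disable NetBIOS over TCP/IP. Assumes an elevated session on
# Windows 10/11 or Server 2016+. -Apply makes the changes; reboot afterwards.
param([switch]$Apply)

# Constructed list of targets: registry path, value name, desired DWORD, reason
$targets = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'EnableMulticast'; Value = 0
       Why  = 'LLMNR off (policy "Turn off multicast name resolution")' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
       Name = 'EnableMDNS'; Value = 0
       Why  = 'built-in mDNS responder off' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
       Name = 'DisabledComponents'; Value = 0x20
       Why  = 'prefer IPv4 over IPv6 (0xFF would disable IPv6 entirely, which Microsoft advises against)' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
       Name = 'Start'; Value = 4
       Why  = 'WinHTTP Web Proxy Auto-Discovery service disabled (no WPAD lookups)' }
)

foreach ($t in $targets) {
    $current = (Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
    $state = if ($current -eq $t.Value) { 'OK ' } else { 'FIX' }
    "{0} {1}\{2} = {3}  ({4})" -f $state, $t.Path, $t.Name, ($current -as [string]), $t.Why
    if ($Apply -and $current -ne $t.Value) {
        if (-not (Test-Path $t.Path)) { New-Item -Path $t.Path -Force | Out-Null }
        Set-ItemProperty -Path $t.Path -Name $t.Name -Value $t.Value -Type DWord
    }
}

# NetBIOS over TCP/IP is a per-interface setting: TcpipNetbiosOptions 2 = disabled
$nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $state = if ($nic.TcpipNetbiosOptions -eq 2) { 'OK ' } else { 'FIX' }
    "{0} NetBIOS on {1}: option {2}" -f $state, $nic.Description, $nic.TcpipNetbiosOptions
    if ($Apply -and $nic.TcpipNetbiosOptions -ne 2) {
        Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }
}

# The rogue DHCPv6 server is the actual attack: on a network with no IPv6,
# stop clients from soliciting DHCPv6 at all (servers listen on UDP 547)
$rule = Get-NetFirewallRule -DisplayName 'Block DHCPv6 client' -ErrorAction SilentlyContinue
"{0} firewall rule blocking outbound DHCPv6 (UDP 547)" -f $(if ($rule) { 'OK ' } else { 'FIX' })
if ($Apply -and -not $rule) {
    New-NetFirewallRule -DisplayName 'Block DHCPv6 client' -Direction Outbound -Protocol UDP `
        -RemotePort 547 -Action Block -Profile Any | Out-Null
}

if ($Apply) { 'Changes applied; reboot for the DNS client and IPv6 settings to take effect.' }
```

Leave the DHCPv6 rule out on any segment where you really do run IPv6, and test the WinHTTP change against applications that rely on a corporate proxy before pushing it fleet-wide.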

By implementing these straightforward measures, your nonprofit can significantly enhance its security posture without breaking the bank. Start with these low-hanging fruits and build a solid foundation for your cybersecurity strategy. Remember, proactive steps today can prevent major headaches tomorrow. Stay secure!

For more tips on improving your organization’s cybersecurity, contact our team or stay tuned to our blog at Connect Cause.

–www.ConnectCause.com–
