Network Security Checklist: A Comprehensive Guide

How secure your network is directly affects the safety of your business operations. Especially in today’s economic climate, a single day offline to address a security incident can make all the difference to your profit margins. Don’t wait until the worst has happened; make sure your company network is secure now.

The following checklist combines configurations, policies and procedures that, at a base level, will enhance the security of any corporate network. It is the minimum starting point a corporation should work from, especially if it is the subject of an investigation into a malicious network intrusion. If your company doesn’t have its own IT department, a reputable IT service provider like Network Security Group can ensure each item below is checked off with ease.

Network Storage and Backups

  • The network should be in a physically secured room or facility.
  • The network servers and other devices should be housed in an environmentally controlled room or facility.
  • The network should have the infrastructure in place to support continuous operation through power outages or, at a minimum, to power the equipment down gracefully.
  • The company should issue a complete set of policies and procedures to all employees, and have them acknowledge receipt with an executed signature page retained by the company.
  • All employees should store their data on file servers rather than locally on their workstations. Workstations are typically not backed up, so if a workstation hard drive crashes or is encrypted by ransomware, all of the data on it can be lost.
  • The network should have local backups performed for all servers at least once per day, preferably four times per day.
  • The network should have all server backups moved offsite automatically to an appropriately secured facility that enables restoration of the backups in a timely manner.

Firewall, DMZ, VPN and VLAN Configurations

  • The network should have a firewall that is securely configured, and its rules should be examined by an independent third party to verify that there are no unintentional security flaws in the configuration.
  • At a minimum, the network design should identify an external network, a DMZ, and the secure portions of the network.
  • All publicly accessible servers should be placed in the DMZ. The DMZ is designed to house publicly available servers, such as a web server. You purchased and installed the firewall to keep people out of your secure network; if you place the web server inside that network, you are letting the world into it. For added security, web servers are placed in the DMZ and not inside the secure network.
  • The firewall should deny any traffic coming from the DMZ to the secure portions of the network.
  • The email server should be configured to accept incoming email from only one IP address, which should be an email processing center that cleans all messages before sending them to employees within the corporation’s network. If you don’t lock this down, anyone can attempt to reach your email server and try to attack it. Locking the server down to accept email only from the one provider with whom you have a business relationship enhances your security.
  • All incoming email should be sent to an online provider to be checked for viruses, malware and spam. This ensures that only clean email reaches your server, so you don’t have to worry about infected messages inside your network.
  • The firewall should be configured so that it cannot be managed from an external IP address. Administrators should connect by VPN and manage the firewall from an internal workstation rather than open the management port to the outside. If the management port is opened on the outside of the firewall, it can be attacked by anyone.
  • No unauthenticated connection should be allowed inbound to the secure portions of the network.
  • All authenticated inbound connections to the secure portions of the network should be established through an authenticated VPN. When you work remotely using Remote Desktop, it should be through an established VPN, which is an encrypted tunnel between your computer and your company’s firewall. This is the only way to enhance the security of your network and keep confidential information secure as it travels across the Internet.
  • All authenticated inbound connections to the secure portions of the network should be limited and based on need.
  • Network and administrative servers should be on their own VLAN. The only way to protect the servers from ransomware and other attacks, which are often caused by employees, is to segment resources so that an infection can’t spread rapidly throughout the network.
  • Employee workstations should be on their own VLAN.
  • Management workstations should be on their own VLAN.
  • Servers should be locked down and access granted based on need.
  • File shares should be locked down to the appropriate users or groups of users and provided based on need.
  • Remote Desktop should be turned off on all servers. If Remote Desktop is left on and a hacker gains access to the network, they can use it to move throughout the network or VLAN, going from server to server.
  • All servers should have User Account Control (UAC) enabled, unless there are compelling reasons to have it disabled. UAC stops an application from starting and prompts the user to approve or cancel it. This can prevent malware from infecting your server if you accidentally click on a malware-infected file.
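
As an added example (not code from the article or from Network Security Group), the following PowerShell audits a simplified firewall rule export against the DMZ, mail, VPN and management items above. The rule table, the zone names and the addresses are constructed assumptions: 203.0.113.10 stands in for the mail-cleaning provider, 10.1.0.25 for the DMZ mail server and port 8443 for the firewall’s own admin interface. A real audit would Import-Csv an export from the firewall vendor and map its columns onto the same fields.

```powershell
# Added example: audit a firewall rule table against the checklist's
# segmentation rules. The CSV below is constructed sample data.
$rules = @'
Id,SrcZone,SrcAddr,DstZone,DstAddr,Port,Action
1,External,any,DMZ,10.1.0.10,443,Allow
2,External,any,DMZ,10.1.0.10,80,Allow
3,External,203.0.113.10,DMZ,10.1.0.25,25,Allow
4,External,any,DMZ,10.1.0.25,25,Allow
5,DMZ,any,Secure,any,445,Allow
6,External,any,Firewall,10.0.0.1,8443,Allow
7,External,any,Firewall,10.0.0.1,1194,Allow
8,Secure,any,any,any,any,Allow
'@ | ConvertFrom-Csv

function Test-SegmentationPolicy {
    param(
        [Parameter(Mandatory)] $Rules,
        [string]$MailProviderAddr = '203.0.113.10',  # assumed mail-cleaning provider
        [string]$MailServerAddr   = '10.1.0.25',     # assumed mail server in the DMZ
        [string]$MgmtPort         = '8443'           # assumed firewall admin port
    )
    $findings = @()
    foreach ($r in $Rules) {
        if ($r.Action -ne 'Allow') { continue }

        # Checklist: deny everything from the DMZ into the secure network.
        if ($r.SrcZone -eq 'DMZ' -and $r.DstZone -eq 'Secure') {
            $findings += "Rule $($r.Id): DMZ -> Secure allowed on port $($r.Port)"
        }
        # Checklist: only an authenticated VPN may enter the secure network from outside.
        if ($r.SrcZone -eq 'External' -and $r.DstZone -eq 'Secure') {
            $findings += "Rule $($r.Id): External -> Secure allowed; inbound access must terminate on the VPN"
        }
        # Checklist: the mail server accepts SMTP from the cleaning provider only.
        if ($r.DstAddr -eq $MailServerAddr -and $r.Port -eq '25' -and $r.SrcAddr -ne $MailProviderAddr) {
            $findings += "Rule $($r.Id): SMTP to mail server allowed from $($r.SrcAddr); expected $MailProviderAddr only"
        }
        # Checklist: the firewall's management interface is not reachable from outside.
        if ($r.SrcZone -eq 'External' -and $r.DstZone -eq 'Firewall' -and $r.Port -eq $MgmtPort) {
            $findings += "Rule $($r.Id): firewall management port $MgmtPort exposed to External"
        }
    }
    return $findings
}

$findings = @(Test-SegmentationPolicy -Rules $rules)
if ($findings.Count -eq 0) {
    'No segmentation violations found.'
} else {
    $findings | ForEach-Object { "VIOLATION: $_" }
}
```

Against the sample table this reports rules 4, 5 and 6 (SMTP open to any source, DMZ reaching the secure network, and the admin port exposed) and accepts rules 3 and 7 (SMTP from the provider only, and the VPN listener on the firewall), which is exactly the split the checklist calls for.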

How Employees Should Use The Network

  • No extracurricular web browsing or personal email access should be performed from a server. Viruses, malware and ransomware can infect a computer simply through web browsing; you don’t want to expose servers to that type of risk.
  • The default administrator’s account should be given a long, complex password, which is recorded and stored in a safe location. The default administrator’s account should only be used in emergencies as it cannot be locked out due to exceeding the number of password attempts. 
  • Administrators should be issued their own administrative login, set to lock out after three failed attempts.
  • Administrators should also be provided a regular user account that does not have administrative privileges. 
  • Administrators should use this regular account for all tasks that do not include administrative privileges to limit the risks of network infection. 
  • All workstations should have Remote Desktop turned off unless an employee uses it to work remotely. Again, this privilege should be issued on an as needed basis.
  • All workstations should have Windows Defender turned on, unless there are compelling reasons to have it disabled. Windows Defender may be disabled by antivirus software as it often conflicts with the application.
  • All workstations should have Windows Firewall turned on, unless there are compelling reasons to have it disabled. Similar to Windows Defender, Windows Firewall often conflicts with other antivirus software. 
  • All workstations should have antivirus installed, unless there are particular circumstances where it is not needed.
  • All workstations should have User Account Control (UAC) enabled, unless there are compelling reasons to have it disabled.
  • All antivirus applications should be set to automatically update their virus signatures as frequently as possible. Antivirus software updates protect against the latest threats. If you don’t update the software frequently, you may not have the most advanced protection and subject your computer and network to an infection.
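
The workstation and server items above (Remote Desktop off, UAC on, Windows Firewall on, Windows Defender on with current signatures, and lockout after three attempts) can be verified on a Windows host with the script below. It is an added example, not code from the article or from Network Security Group; it reads Windows’ own settings and only assumes the checklist’s thresholds (three attempts, signatures no more than a day old) and English-language output from `net accounts` for the lockout line. Run it in an elevated PowerShell session.

```powershell
# Added example: audit a Windows host against the checklist's
# workstation/server items and return one true/false per item.
function Get-HostHardeningReport {
    param(
        [int]$MaxLockoutThreshold = 3,   # checklist: lock out after three attempts
        [int]$MaxSignatureAgeDays = 1    # assumption: Defender signatures updated at least daily
    )
    $report = [ordered]@{}

    # Remote Desktop: fDenyTSConnections = 1 means RDP is turned off.
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    $report['RemoteDesktopOff'] = ($rdp.fDenyTSConnections -eq 1)

    # User Account Control: EnableLUA = 1 means UAC is enabled.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA
    $report['UacEnabled'] = ($uac.EnableLUA -eq 1)

    # Windows Firewall: every profile (Domain, Private, Public) should be on.
    $profiles = Get-NetFirewallProfile
    $report['FirewallAllProfilesOn'] = -not ($profiles | Where-Object { -not $_.Enabled })

    # Windows Defender: real-time protection on and signatures recent.
    $mp = Get-MpComputerStatus
    $report['DefenderRealTimeOn'] = [bool]$mp.RealTimeProtectionEnabled
    $report['SignaturesFresh']    = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)

    # Account lockout threshold from the effective policy ('net accounts' output,
    # English locale assumed). 'Never' means lockout is disabled.
    $threshold = [int]::MaxValue
    foreach ($line in (net accounts)) {
        if ($line -match 'Lockout threshold:\s+(\S+)') {
            $threshold = if ($Matches[1] -eq 'Never') { [int]::MaxValue } else { [int]$Matches[1] }
        }
    }
    $report['LockoutThresholdOk'] = ($threshold -ge 1 -and $threshold -le $MaxLockoutThreshold)

    return [pscustomobject]$report
}

$result = Get-HostHardeningReport
$result | Format-List
if ($result.PSObject.Properties.Value -contains $false) {
    Write-Warning 'One or more checklist items failed on this host.'
}
```

The Remote Desktop check is the same on servers and workstations, so the script covers the server item earlier in this checklist as well; for the workstations that legitimately need Remote Desktop for remote work, expect that single item to report false and record the exception rather than silencing the check.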

Knowledge is Your Company’s Best Form of Digital Defense

After you address all the items above, it’s important to keep maintaining your network security. The best way to protect your network is to equip the people using it with the right knowledge. Employees should receive refresher awareness training covering malware in email attachments, phishing emails, email scams, online scams, phone scams and a network security overview. Network Security Group can conduct this kind of training at your office as part of the outsourced IT support we provide to small businesses. We truly believe that addressing the human factor of cyber security is indispensable, and we will perform these workshops on a quarterly basis if necessary!

To learn more about the outsourced IT services we provide to corporations across New Jersey, please visit our website at: https://www.nsgi.com/it_outsourcing_company_nj/

*This article includes excerpts from “Pocket Guide for Investigating Ransomware and Network Intrusions”, written by John Lucich, the Founder and CEO of Network Security Group, Inc. and eForensix.
