Mitigation strategies for securing server environments

IT konsult backuper, It konsult säkerhet, IT konsult syspeace, IT konsult återstartsplaner, It konsult Active Directory

This is a good start for mitigation planning for various attack scenarios.

I did not compile this list myself and the original can be found here . I might add a few thing in here but is very good strat indeed. Well done

Den här listan är en väldigt bra början för att planera och förhindra olika typer av attacker och hantera säkerhetsaspekter från olika synvinklar.

För hjälp med frågor som dessa, kontakta mig gärna här


backup / restore , Disaster Recovery, IT säkerhet, molntjänster och Syspeace mitigation strategies


Mitigation strategies summary

Relative security effectiveness ratingMitigation strategyPotential user resistanceUpfront cost (staff, equipment, technical complexity)Ongoing maintenance cost (mainly staff)
Mitigation strategies to prevent malware delivery and execution
EssentialApplication whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.MediumHighMedium
EssentialPatch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.LowHighHigh
EssentialConfigure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.MediumMediumMedium
EssentialUser application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.MediumMediumMedium
ExcellentAutomated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes.LowHighMedium
ExcellentEmail content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros.MediumMediumMedium
ExcellentWeb content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains.MediumMediumMedium
ExcellentDeny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections.MediumMediumLow
ExcellentOperating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).LowLowLow
Very goodServer application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive or high-availability) data.LowMediumMedium
Very goodOperating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD.MediumMediumLow
Very goodAntivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers.LowLowLow
Very goodControl removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices.HighHighMedium
Very goodBlock spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain.LowLowLow
GoodUser education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services.MediumHighMedium
LimitedAntivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers.LowLowLow
LimitedTLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted.LowLowLow
Mitigation strategies to limit the extent of cyber security incidents
EssentialRestrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.MediumHighMedium
EssentialPatch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.LowMediumMedium
EssentialMulti-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository.MediumHighMedium
ExcellentDisable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials.LowMediumLow
ExcellentNetwork segmentation. Deny network traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties.LowHighMedium
ExcellentProtect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases.MediumMediumLow
Very goodNon-persistent virtualised sandboxed environment, denying access to important (sensitive or high-availability) data, for risky activities e.g. web browsing, and viewing untrusted Microsoft Office and PDF files.MediumMediumMedium
Very goodSoftware-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic.LowMediumMedium
Very goodSoftware-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default.MediumMediumMedium
Very goodOutbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns.MediumMediumMedium
Mitigation strategies to detect cyber security incidents and respond
ExcellentContinuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity.LowVery
Very goodHost-based intrusion detection/prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence.LowMediumMedium
Very goodEndpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry-level option.LowMediumMedium
Very goodHunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise.LowVery
LimitedNetwork-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.LowHighMedium
LimitedCapture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis.LowHighMedium
Mitigation strategies to recover data and system availability
EssentialDaily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.LowHighHigh
Very goodBusiness continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover.LowHighMedium
Very goodSystem recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts.LowHighMedium
Mitigation strategy specific to preventing malicious insiders
Very goodPersonnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties.HighHighHigh



For questions or help within these areas, please feel free to contact me here