How to Secure a Business Network, Servers and Endpoints
While keeping your finances safe, and brand intact
This is the only upside of these cyberattacks. However, WannaCry and NotPetya aren't the starting point of cyber threats, they're just the latest evolution. Ransomware has been the biggest threat to businesses for the past two to three years, and the conditions are set for it to remain so for the foreseeable future.
But ransomware is just the tip of the spear when it comes to cyber threats; there are many more, such as phishing, whaling and data leakage. This short checklist of security measures will help you protect your business network, including your servers and endpoints.
1. Provide cybersecurity training to employees
Cybersecurity training for employees is now a must for every business. Too many users skip basic security practices such as choosing strong passwords and updating their software, and too many cannot recognize a phishing email when it lands in their inbox.
To help your employees get up to speed with the best Internet security practices, we recommend you check out our educational resources. To put things into perspective, nearly 41% of company data leaks happen because negligent or untrained employees fall even for simple phishing emails.
2. Make sure your servers run an antivirus program
Running an antivirus program on your server is a security-savvy decision. Without one, you run the risk of having an infection spread from your file or terminal server all the way to your endpoints.
An antivirus on your servers also helps to limit and mitigate the damage of an infection that starts on one of your endpoints, for example ransomware on a workstation that begins encrypting a mapped file share.
When you're out looking for an antivirus for your servers, evaluate candidates on their performance impact as well as their detection quality: a scanner that makes a file or database server crawl will end up with scan exclusions so broad that it protects nothing.
3. Use Microsoft's Enhanced Mitigation Experience Toolkit (EMET for short)
Microsoft's EMET is a free tool that hardens Windows by applying exploit mitigations to selected programs (or system-wide), so that the common techniques used to exploit memory-corruption bugs fail even while the underlying vulnerability is still unpatched.
For instance, EMET will:
- Enforce Data Execution Prevention (DEP). Memory pages that hold data, such as the stack and the heap, are marked non-executable, so shellcode that an exploit has injected there cannot run.
- Pin SSL/TLS certificates. Certificate trust pinning helps detect man-in-the-middle attacks that rely on a fraudulently issued but otherwise valid certificate from the public key infrastructure.
- Apply Structured Exception Handler Overwrite Protection (SEHOP). This blocks the classic technique of turning a stack buffer overflow into code execution by overwriting an exception handler pointer.
This is just a short sample of what EMET can do; its feature list (mandatory ASLR, ROP mitigations, export address filtering and more) is much more extensive and warrants an article of its own. One caveat: Microsoft has since retired EMET, and on Windows 10 (version 1709 and later) and Windows Server 2019 the same mitigations are built in as Exploit Protection, so new deployments should configure that instead.
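As an added example that is not part of the original article, the following PowerShell applies the mitigations the three bullets above describe using Exploit Protection, the built-in successor to EMET on Windows 10 1709+ and Windows Server 2019+. The target process name and the export path are assumptions for illustration; run it from an elevated prompt.

```powershell
# Added example (not from the original article): apply the EMET-style
# mitigations described above with Exploit Protection (Windows 10 1709+,
# Windows Server 2019+). The process name and export path are assumptions.

$target     = 'notepad.exe'             # assumed example process; use your real application
$exportPath = 'C:\Temp\mitigations.xml' # assumed path for exporting the resulting policy

# 1. Inspect the system-wide defaults before changing anything.
Get-ProcessMitigation -System

# 2. Enable DEP and SEHOP (the two mitigations named in the text) plus
#    mandatory ASLR for this process. ForceRelocateImages can break old
#    programs not built with /DYNAMICBASE, so test before rolling it out.
#    EMET's certificate pinning has no Exploit Protection equivalent; handle
#    that at the TLS layer (HSTS, certificate pinning in the application).
Set-ProcessMitigation -Name $target -Enable DEP,SEHOP,ForceRelocateImages,BottomUp,HighEntropy

# 3. Verify: the per-process settings should now report these mitigations as ON.
Get-ProcessMitigation -Name $target

# 4. Export the policy so it can be deployed to other machines with
#    Set-ProcessMitigation -PolicyFilePath, Group Policy, or Intune.
Get-ProcessMitigation -RegistryConfigFilePath $exportPath
```

Apply the exported policy on a test machine first and run the application through its normal workload; mitigations that abort a process on a false positive are visible in the Event Viewer under Applications and Services Logs, Microsoft, Windows, Security-Mitigations.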
4. Track user log on / log off activity on your business network
Knowing when a user logs on to or off their work accounts or devices helps you pinpoint the start of an infection and reconstruct how it spread. It is also a preventive control, since you can spot users with risky habits, such as logging on from unmanaged devices or at odd hours, before they cause an incident.
Unfortunately, logon tracking can be hit-and-miss regardless of the method you use. The approach that usually gives the best results is a script in your logon process that records each session to a central location. Here's a short tutorial on how to set up the script. Remember, too, that Windows already writes every logon, logoff and failed attempt to the Security event log (events 4624, 4634 and 4625) once audit policy is enabled; forwarding those events to a central collector is the most reliable source, because a logon script can be skipped or killed.
Another thing you can do to see where an infection starts and how it spreads is to track file access. Dedicated programs keep track of who accesses a file, when, and what they do with it. Here's one list of such programs plus another one.
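The following script is an added example, not code from the original article or its linked tutorial. It reads the Security event log with Get-WinEvent, builds a first-seen/last-seen logon timeline per user (the "where did it start" question above), and flags failed-logon bursts per source address. The look-back window and the failure threshold are assumptions; it needs audit policy for logon events enabled and an elevated prompt.

```powershell
# Added example (not from the original article): logon timeline and
# brute-force burst detection from the Windows Security event log.
# Requires "Audit Logon" enabled and an elevated prompt.
# HoursBack and FailureThreshold are assumed values for illustration.
param(
    [int]$HoursBack        = 24,  # assumed look-back window
    [int]$FailureThreshold = 20   # assumed: this many 4625s from one source is suspicious
)

$since  = (Get-Date).AddHours(-$HoursBack)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4625   # successful logon, logoff, failed logon
    StartTime = $since
} -ErrorAction SilentlyContinue

# Extract a named field from an event's EventData XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        User      = Get-EventField $e 'TargetUserName'
        Domain    = Get-EventField $e 'TargetDomainName'
        LogonType = Get-EventField $e 'LogonType'   # 2 = console, 3 = network, 10 = RDP
        Source    = Get-EventField $e 'IpAddress'   # absent on 4634, so $null there
    }
}

# Drop machine accounts (name ends in $) and system noise so the timeline is about people.
$human = $rows | Where-Object { $_.User -notmatch '\$$' -and $_.User -notin 'SYSTEM', 'ANONYMOUS LOGON' }

# 1. First and last successful logon per user: the place to start when an
#    infection is first noticed on a host.
$human | Where-Object Id -eq 4624 |
    Group-Object User |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{ User = $_.Name; First = $sorted[0].Time; Last = $sorted[-1].Time; Logons = $_.Count }
    } | Sort-Object First | Format-Table -AutoSize

# 2. Failed-logon bursts per source address: the signature of a brute-force
#    attempt against RDP or SMB.
$human | Where-Object Id -eq 4625 |
    Group-Object Source |
    Where-Object { $_.Count -ge $FailureThreshold } |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it on the host where the infection was first noticed and then on the file server; the user whose first logon on the server precedes the first encrypted file is usually the patient zero. A single workstation's log only shows what that machine saw, which is the argument for forwarding events centrally.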
5. Always keep your servers updated
Like any other hardware and software, servers need to be updated promptly with the latest security patches (and, where appropriate, feature updates). Those patches can make all the difference between a clean server and a hacked one.
There's a reason why every cybersecurity expert's first advice is to update your software: it works, and it keeps you safe from malware built to exploit known vulnerabilities. WannaCry spread through a Windows SMB flaw that Microsoft had patched two months before the outbreak; every machine it hit was one that had not installed the update.
6. Don’t do web browsing from the server side
This includes any other activity that is not part of the server's job. Use the server strictly for its intended role, whether that is serving files, running a database or managing the company's endpoints.
The less interaction a server has with the web, the fewer chances there are for a cybersecurity threat to compromise it: a browser on a server is an Internet-facing parser of untrusted content running next to your most valuable data.
Of course, in some cases you need a browser on the server in order to reach another system's web management console. If so, restrict that browser to the internal console URLs rather than the open Internet.
7. Don’t keep multiple server services on the same hardware
In order to cut costs, you might be tempted to run two or more of your server services (such as SQL Server and the file server role) on the same hardware.
From a performance perspective, this isn't always optimal. For the best performance results, it's best to keep each server separated on its own hardware.
From a cybersecurity perspective, running all your server services on one operating system instance means an infection of one service can reach all the others and the data they hold, unless you separate them with virtualization.
For example, on the same hardware you can run two virtual machines, one hosting the file server and the other SQL Server. If ransomware hits the file-server VM, it is confined to that VM's disks and does not encrypt the SQL VM or the host.
In essence, the infection is trapped in the virtual machine, which you can roll back to a snapshot or rebuild from backup at any moment, losing at most the data on it; the hardware and the SQL server stay safe. Two caveats apply: the VMs still share a network and usually the same Active Directory, so an attacker who has obtained credentials (rather than merely planted a piece of malware) can still move between them, and the hypervisor host itself must be patched and locked down, since compromising it exposes every VM on it.
For the strongest separation, run each server service on its own hardware (SQL Server on machine A, the file server on machine B, and so on) and, on top of that, host each service in its own virtual machine, so that rebuilding after an incident is a matter of restoring an image.
8. Keep separate users and passwords for the admin’s laptop and the servers
This way, if a malicious hacker manages to compromise the login credentials to the admin's laptop, they won't be able to reuse them to access the servers themselves. Better still, give the administrator a separate, non-privileged account for day-to-day work on the laptop and use the server admin account only on the servers, so that the laptop (the machine that reads email and browses the web) never holds cached server credentials.
This is an important security tip, since many Internet users simply reuse the same password and login for whatever new account they create. Cybercriminals know this and exploit it in creative ways.
For instance, they might brute-force or dictionary-attack a forum or website they know the sysadmin uses (it could be for work, such as Stack Overflow, or for personal use, such as gaming forums). If the forum has weak security, the cybercriminal will then try that username and password against all of the sysadmin's other accounts.
Mitigate brute force attacks
Additionally, it's key to avoid using default usernames (not to mention passwords!), especially when it comes to administering critical services. That means your administrator's username should never be "admin" or "administrator": that's the first option attackers test in a brute force attack, which is a common way to compromise endpoints and manually infect them with ransomware. Renaming the built-in Administrator account slows down only the laziest attackers, however, because the account keeps its well-known security identifier ending in -500, which enumeration tools can look up regardless of the name; pair the rename with disabling remote use of the built-in account and with the lockout settings below.
Another security layer against brute force attacks is to set an account lockout duration in Group Policy:
More than a few unsuccessful password submissions during an attempt to log on to a computer might represent an attacker’s attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track logon attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached.
Combine that with an account lockout threshold:
The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until it is reset by an administrator or until the number of minutes specified by the Account lockout duration policy setting expires.
By combining the two settings you blunt online brute force attacks against a single account, though not password spraying, where the attacker tries one or two common passwords against many accounts and stays under the threshold. Note also that lockout cuts both ways: an attacker who knows your usernames can lock everyone out on purpose, so keep the duration short (15 minutes is the usual compromise) rather than requiring an administrator to unlock accounts, and reset the counter after a similar window.
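As an added example that is not part of the original article, the following PowerShell applies the lockout threshold and duration described above, both for a domain (Set-ADDefaultDomainPasswordPolicy from the ActiveDirectory RSAT module) and for a standalone server (net accounts), and then handles the default-username point. The domain name, the new administrator name and the numeric values are assumptions; run it elevated.

```powershell
# Added example (not from the original article): account lockout policy and
# built-in Administrator rename. Domain, new name and thresholds are assumed.
# Run elevated; the AD cmdlets need the ActiveDirectory RSAT module.

$domain       = 'corp.example.com'  # assumed domain
$newAdminName = 'svc-localadm-7f2'  # assumed non-obvious name for the built-in account

# --- Domain-joined machines: set the policy once at the domain level. ---
# Threshold 10, lock for 15 minutes, reset the counter after 15 minutes.
# A short duration limits the damage of an attacker locking accounts on
# purpose; a permanent lockout (duration 0) turns that into a denial of service.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# --- Standalone server or local accounts: the same three settings via net accounts. ---
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# --- The built-in Administrator: rename it, knowing the rename is cosmetic. ---
# Its SID always ends in -500, so attackers can still find it by RID. Rename
# it, then make sure it is not the account used for remote administration.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin -and $builtin.Name -ne $newAdminName) {
    Rename-LocalUser -Name $builtin.Name -NewName $newAdminName
}

# Demonstrate the caveat: the renamed account is still trivially located by RID.
Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } | Select-Object Name, SID, Enabled
```

The last line is the check a practitioner wants: whatever the account is now called, the query finds it. That is why the rename is a speed bump and the lockout policy plus a separate, named administrative account are the real controls.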
9. Keep up-to-date and frequent backups
42% of businesses struck by ransomware do not recover all of their information. This includes companies that end up paying the ransom in order to get their data back.
The only way you can be sure to recover your data is by backing it up regularly. Every company is different: some need to back up weekly, others daily or several times a day. What matters is that you find the right frequency for your company and stick to it. Two further points decide whether the backup survives an attack: keep at least one copy somewhere the infected machine cannot write to (offline media, or a copy with versioning or immutability), because ransomware encrypts any mapped backup share it can reach, and test restores regularly, since an untested backup is a hope rather than a control.
10. Use a good Exchange email filter
If you're running email through a Microsoft Exchange server, tune the server-side filters to block spam and other unwanted email from untrusted sources. Filtering at the server means the messages never reach the inboxes on your endpoints, where users might accidentally click on them.
Here’s an in-depth guide from Microsoft on how you can set up an Exchange email filter.
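As an added example that is not from the original article or Microsoft's guide, here is a baseline set of server-side filters in the Exchange Management Shell for on-premises Exchange with the anti-spam agents installed. The SCL thresholds, quarantine mailbox, blocked domain and rule names are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): server-side mail filtering
# in the Exchange Management Shell (on-premises Exchange, anti-spam agents
# installed). Thresholds, mailbox, domain and rule names are assumptions.

# 1. Content filter: act on the Spam Confidence Level (0-9) assigned to each
#    message. Delete obvious spam, reject likely spam, quarantine the grey zone
#    so a human can release false positives.
Set-ContentFilterConfig -Enabled $true `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
    -QuarantineMailbox 'spamquarantine@example.com'   # assumed mailbox

# 2. Sender filter: block domains seen in phishing campaigns against you, and
#    messages with a blank sender, which legitimate mail does not use.
Set-SenderFilterConfig -Enabled $true `
    -BlankSenderBlockingEnabled $true `
    -BlockedDomainsAndSubdomains 'example-phish.test'   # assumed domain

# 3. Transport rules: refuse executable attachments, and separately refuse
#    script-file extensions, which ransomware droppers commonly arrive as.
New-TransportRule -Name 'Block executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

New-TransportRule -Name 'Block script attachments' `
    -AttachmentExtensionMatchesWords 'js', 'jse', 'vbs', 'vbe', 'wsf', 'hta', 'scr' `
    -RejectMessageReasonText 'Script attachments are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 4. Verify the result.
Get-ContentFilterConfig | Select-Object Enabled, SCL*
Get-SenderFilterConfig  | Select-Object Enabled, BlankSenderBlockingEnabled, BlockedDomainsAndSubdomains
Get-TransportRule       | Select-Object Name, State, Priority
```

Start with the quarantine threshold on the permissive side and review the quarantine mailbox for a couple of weeks before tightening it; rejecting legitimate mail is the fastest way to get a filter switched off.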
11. Run antivirus on all of your endpoints
Most cyber attacks against businesses target the endpoint, not the server, because employees are not as careful with their online activity as sysadmins are.
Targeting endpoints instead of the server is statistically much more likely to succeed. In some cases it takes only one infected PC to infect the rest of the network. So instead of targeting one particular user, the malicious hacker blankets the whole employee base; if just 1 in 100 bites, that's something they can work with.
We’ve written an in-depth article to help you find out which is the best antivirus for your needs, which we recommend you check out.
12. Change your default RDP (Remote Desktop Protocol) port
One of the easiest procedures that will save you trouble later is to change the default Remote Desktop Protocol port used by Windows.
Windows listens for RDP on TCP port 3389 by default. If you leave that port open to the Internet, you are exposed to constant port scanning: cybercriminals use a multitude of tools to find exposed endpoints so they can target them with attacks of all sorts.
Once they see the default RDP port open, nothing stops them from running scripts to brute-force their way in. Moving the port to an unused, uncommon number takes you out of the cheapest mass scans, but treat it as a speed bump rather than a fix: full-range scanners find the service anyway, and the protocol handshake identifies it as RDP whatever the port. The real protection is not exposing RDP to the Internet at all (reach it through a VPN or a gateway), requiring Network Level Authentication, and restricting the firewall rule to known management addresses. If you've never changed the port before, you can use this full guide provided by Microsoft to get it done.
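As an added example that is not part of the original article or Microsoft's guide, the following PowerShell makes the same registry change the guide describes and adds the two controls that actually matter: Network Level Authentication and a firewall rule limited to a management subnet. The port number and subnet are assumptions; run it elevated, and make sure you have another way into the machine before the service restarts.

```powershell
# Added example (not from the original article): move RDP off 3389, require
# Network Level Authentication, and restrict the firewall rule to a management
# subnet. Port and subnet are assumptions; run elevated and keep an
# out-of-band way in, since the restart drops existing RDP sessions.

$newPort    = 33890             # assumed new port (any free high port)
$mgmtSubnet = '10.20.30.0/24'   # assumed management network allowed to connect
$rdpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Change the listening port (the same registry value the Microsoft guide edits).
Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value $newPort -Type DWord

# 2. Require NLA so a client must authenticate before it gets a logon screen;
#    this removes most of the pre-authentication attack surface of the service.
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Firewall: allow the new port only from the management subnet, and disable
#    the built-in Remote Desktop rules that still open 3389 to everyone.
New-NetFirewallRule -DisplayName "RDP (custom port $newPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $newPort -RemoteAddress $mgmtSubnet -Action Allow
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 4. Apply and verify: the service should now listen on the new port only.
Restart-Service -Name TermService -Force
Get-NetTCPConnection -State Listen -LocalPort $newPort | Select-Object LocalAddress, LocalPort
```

After the restart, connect with mstsc using host:33890 (or whatever port you chose) from an address inside the management subnet; a connection attempt from outside it should time out at the firewall rather than reach the logon prompt.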
13. You need to be proactive to survive in the malware economy
Antivirus programs have difficulty catching the latest kinds of malware (what we refer to as second generation malware), because malware authors have become adept at evasion: obfuscation and packing, exploiting vulnerabilities in memory instead of dropping a recognizable file, and similar techniques.
For this reason, a business should consider other security layers that close the gaps antivirus leaves.
One particularly effective layer is traffic filtering. A traffic filter inspects the traffic between your PCs and the Internet in both directions: inbound, it blocks connections to known malicious domains and stops malware downloads before they reach the PC; outbound, it spots and blocks suspicious connections such as malware calling home to its command-and-control server or data being quietly exfiltrated, keeping your files safe and your information private.
Keeping a company safe on the Internet can be a daunting task. But by following certain steps and procedures, you can cut a lot of cybersecurity risks coming your way.
Although it would be easier for everybody, security companies and businesses alike, there is no single solution that solves every problem. Security is a process, and I think the service model is the best way to deal with it: from security audits to training sessions for employees to anticipating future attacks from threat intelligence, it is a complex model, but it works for enterprises as well as for small companies that can become collateral victims of attackers who target larger ones.