
MSP CYBERSECURITY CHECKLIST

More Cyber Attacks are Targeting MSPs

Cyber attacks targeting MSPs are on the rise. This checklist will help you confirm you’re protecting yourself and your customers by reducing your attack surface and improving your ability to prevent, detect, and respond to attacks.

NOTE: These recommendations obviously aren’t comprehensive. Depending on your specifics (size, infrastructure, etc.), some may not be appropriate for your business. Security isn’t one-size-fits-all. What may be critical for some may be overkill for others. Do what’s practical, take a layered approach, and remember: when implementing new controls it’s always a good idea to test them first to avoid unintended disruption.
Restrict Access Across Your Network

“The earth isn’t flat and your network shouldn’t be either.”
CATHERINE PITT, VP INFORMATION SECURITY OFFICER AT PEARSON

Many of today’s attacks are designed to land and expand throughout victims’ networks. To prevent that you need to establish barriers between your users and assets.

- Actively inventory all network assets* and classify them by risk.
  Resource: Walkthrough
  (* NinjaRMM’s discovery wizard combs your network so you don’t have to. Get real-time monitoring data and identify new devices automatically.)
- Use unique, long passwords combining upper- and lower-case letters, numbers, and symbols (password managers are our friends)
- Enable multi-factor authentication whenever possible
- Refrain from using default usernames (admin, administrator, default, user, etc.)
- Adhere to the principle of least privilege by limiting privileges to the minimum required to perform necessary functions
- Create buffers between different tiers of privileged access (for example, the accounts that administer domain controllers never log on to workstations, so a compromised workstation can’t hand over those credentials)
  Resource: Walkthrough
- Avoid the use of admin accounts for non-admin functions
- Apply “least privilege” to service accounts for specific applications
  Resources: Tips to avoid service account misuse; walkthrough of using Group Managed Service Accounts
- Use unique local admin passwords, so one dumped local admin hash doesn’t open every other machine
  Resource: Microsoft’s Local Administrator Password Solution (LAPS)
- Remove end users from the local Administrators group
  Resource: Walkthrough
- Audit systems for inactive user accounts
- Block lateral movement between workstations
  Resource: Walkthrough
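The three audit items above (inactive accounts, end users in the local Administrators group, unique local admin passwords via LAPS) can be checked in one pass. The script below is an added example, not part of the NinjaRMM checklist; it assumes the ActiveDirectory RSAT module on the machine running it, WinRM access to the targets, and that the hostnames and the approved-admin allow-list are placeholders you replace with your own.

```powershell
# Added example (not from the NinjaRMM checklist): audit inactive domain accounts, unapproved
# members of the local Administrators group, and computers with no LAPS-managed password.
# Assumes the ActiveDirectory RSAT module and WinRM to the targets. Hostnames and the
# allow-list below are placeholders.
#Requires -Modules ActiveDirectory

$InactiveDays   = 90
$Targets        = @('WS-001', 'WS-002')                                      # assumed hostnames
$ApprovedAdmins = @('Administrator', 'Domain Admins', 'Workstation Admins')  # assumed allow-list (no domain/host prefix)
$ReportOnly     = $true                                                      # $false actually removes members

# 1. Enabled domain accounts with no logon in the last $InactiveDays days.
#    LastLogonDate replicates only every 14 days by default, so treat it as approximate.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, SamAccountName, LastLogonDate
"`n== Inactive but still enabled accounts =="
$stale | Format-Table -AutoSize

# 2. Members of the local Administrators group on each target that are not on the allow-list.
$findings = Invoke-Command -ComputerName $Targets -ScriptBlock {
    param($Approved, $ReportOnly)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $short = $_.Name.Split('\')[-1]                   # "CORP\jsmith" -> "jsmith"
        if ($Approved -notcontains $short) {
            if (-not $ReportOnly) { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $_.Name
                Type     = $_.ObjectClass                 # User or Group
                Source   = $_.PrincipalSource             # Local, ActiveDirectory, AzureAD
                Removed  = -not $ReportOnly
            }
        }
    }
} -ArgumentList $ApprovedAdmins, $ReportOnly
"`n== Unapproved local Administrators members =="
$findings | Format-Table Computer, Member, Type, Source, Removed -AutoSize

# 3. Enabled computers whose LAPS password has never been set (no expiration timestamp), which
#    usually means a shared or unmanaged local admin password. Legacy LAPS stores the timestamp in
#    ms-Mcs-AdmPwdExpirationTime; Windows LAPS (2023+) uses msLAPS-PasswordExpirationTime.
#    The query fails if the schema extension for the chosen attribute is not installed.
$lapsAttr = 'ms-Mcs-AdmPwdExpirationTime'
"`n== Computers with no LAPS password set =="
Get-ADComputer -Filter 'Enabled -eq $true' -Properties $lapsAttr |
    Where-Object { -not $_.$lapsAttr } |
    Select-Object Name, DistinguishedName |
    Format-Table -AutoSize
```

Run it in report-only mode first and review the findings; the removal step cannot remove the built-in Administrator account and will happily remove an RMM or backup service account you forgot to put on the allow-list.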

Securing Remote Management Tools

Not only are remote access capabilities critical to your business, there are also few things an attacker would love to hijack more.

- Restrict access to remote management tools and accounts
- Use strong, unique passwords and multi-factor authentication
- Limit what remote accounts have access to
- Don’t log into workstations with domain administrator accounts
- Keep remote management software up-to-date
- Enable centralized logging/monitoring and alerting for remote access sessions

Securing Remote Desktop (RDP/RDS)

Securing RDP may be basic security 101, but failure to do so continues to be one of the leading causes of compromise.

- Don’t expose RDP (or any internal resources) to the Internet unless absolutely necessary
- Use port scanners to identify RDP (and other ports and services) exposed to the Internet
  Resources: ShieldsUP, Nmap, Shodan
- Identify systems that have been compromised with RDP backdoors
  Resources: Tools available here or here
- Disable RDP on machines that don’t need it
- Remove local admin account access to RDP and create a restricted user group in the Group Policy Management Console instead
  Resource: Walkthrough
- Implement an account lockout policy to prevent successful brute-force attacks. Keep the threshold moderate: a very low threshold combined with a long lockout lets an attacker lock out legitimate users on purpose
  Resource: Microsoft recommendations
- Log off disconnected and idle sessions
- Restrict RDP access using firewalls, RD Gateways, and/or VPNs
  Resources: How to restrict RDP access to whitelisted IP addresses; more info on RD Gateways
- Leave Network Level Authentication (NLA) enabled, so a client must authenticate before a session is created
  Resource: How to check your Group Policy settings to confirm NLA is enabled
- Change the default listening port (TCP 3389). This only cuts down on opportunistic scanner noise; it is not a substitute for the restrictions above
  Resource: Walkthrough
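Most of the RDP items above are registry values, firewall rule scopes and lockout settings on each host, so they can be checked and enforced with one script. The example below is added here and is not from the checklist; run it elevated on a single host, and treat the allowed source range, the port, and the lockout and session-limit values as assumptions to adjust before flipping `$Enforce` to `$true`.

```powershell
# Added example (not from the checklist): report and, optionally, enforce the RDP hardening items
# on one host. Run elevated. The allowed source range, the port and the lockout/time-limit values
# are assumptions.
$AllowedSources = @('10.0.10.0/24')   # assumed: RD Gateway, VPN pool or management subnet
$NewPort        = 3389                # anything else also needs client, gateway and firewall changes
$Enforce        = $false              # $false = report only

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# --- Report the current state ---
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
[pscustomobject]@{
    RdpEnabled    = (Get-ItemProperty $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    NlaRequired   = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication -eq 1
    ListeningPort = (Get-ItemProperty $tcp -Name PortNumber).PortNumber
    FirewallScope = ($rules | Get-NetFirewallAddressFilter | ForEach-Object RemoteAddress | Sort-Object -Unique) -join ','
    Lockout       = ((net accounts) -match 'Lockout') -join ' | '
} | Format-List
# From outside the network, confirm nothing answers:  nmap -Pn -p 3389 <your public range>

if (-not $Enforce) { return }

# --- Enforce ---
# 1. Require Network Level Authentication: the client must authenticate before a session (and the
#    logon screen) is created, which removes most pre-authentication RDP attack surface.
Set-ItemProperty $tcp -Name UserAuthentication -Value 1 -Type DWord

# 2. Scope the built-in Remote Desktop rules to approved sources. Anything else is dropped by the
#    firewall before it reaches the RDP listener.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress $AllowedSources

# 3. Account lockout: 10 bad attempts lock the account for 15 minutes; the counter resets after 15 minutes.
#    A tiny threshold with a long duration lets an attacker lock users out, so keep it moderate.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# 4. Log off (not just disconnect) sessions: disconnected after 1 h, idle after 4 h. Values are milliseconds.
New-Item $pol -Force | Out-Null
Set-ItemProperty $pol -Name MaxDisconnectionTime -Value (1 * 60 * 60 * 1000) -Type DWord
Set-ItemProperty $pol -Name MaxIdleTime          -Value (4 * 60 * 60 * 1000) -Type DWord
Set-ItemProperty $pol -Name fResetBroken         -Value 1 -Type DWord   # end the session when the limit is reached

# 5. Optional: move the listener off 3389. This reduces opportunistic scanner noise only; it is not access control.
if ($NewPort -ne 3389) {
    Set-ItemProperty $tcp -Name PortNumber -Value $NewPort -Type DWord
    New-NetFirewallRule -DisplayName "RDP on TCP $NewPort" -Direction Inbound -Protocol TCP -LocalPort $NewPort `
        -RemoteAddress $AllowedSources -Action Allow | Out-Null
    Restart-Service TermService -Force   # drops current RDP sessions; do this from the console or in a maintenance window
}
```

The report section is safe to run through your RMM across every host; diff `FirewallScope` against the list you expect and you have the "restrict RDP access" item as a recurring check rather than a one-off.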

Protect your Users & Endpoints

“Show me a malicious email and I’ll show you a user who will click.”
ANCIENT INFOSEC PROVERB

The vast majority of attacks target the most vulnerable part of your network: your users. Here are best practices for protecting them and securing their devices.

- Use antivirus (AV) software that utilizes machine-learning and/or behavioral analysis in addition to or in place of signature matching
- Keep endpoint systems and software up-to-date by automating patch management*
  (* NinjaRMM: Simplify patching for Windows and over 120 third-party vendors. See why NinjaRMM is rated #1 for patch management.)
- Develop a standard operating procedure for auditing your firewall policies
- Utilize DNS filtering to protect against known malicious websites
- Utilize a spam filtering service for active email protection
- Set up DMARC, SPF, and DKIM to protect your domain from being spoofed
  Resources: Walkthrough; free DMARC monitoring and reporting tool
- Provide security awareness training to employees to help them spot malicious emails and websites
  Resources: Overview of classic warning signs; collection of real examples
- Utilize a reliable backup solution with multiple restore points as well as offsite replication, keeping at least one copy offline or immutable so ransomware that reaches the backup server can’t encrypt it too
- Test recovering from backups regularly
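Publishing SPF, DKIM and DMARC is only half the item; the records also have to say something a receiver will act on (`-all`, `p=reject`, a DKIM key that is still present). The function below is an added example, not from the checklist, that pulls the three record types for a domain and flags the weak settings. It needs only `Resolve-DnsName`. The domain and the DKIM selector names are placeholders: selectors are chosen by whoever signs your mail (the two defaults below are Microsoft 365’s), so pass your own.

```powershell
# Added example (not from the checklist): check a domain's SPF, DKIM and DMARC records and flag
# settings that leave the domain spoofable. Uses Resolve-DnsName (DnsClient module, Windows 8/2012+).
# example.com and the selector names are placeholders.
function Test-MailAuthRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]] $DkimSelectors = @('selector1', 'selector2')   # assumed: Microsoft 365 defaults
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # TXT lookup returning one string per record (multi-part TXT records are joined back together).
    function Get-Txt([string] $Name) {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
    }

    # --- SPF: exactly one v=spf1 record, ending in -all (or at least ~all), within the 10-lookup limit ---
    $spf = @(Get-Txt $Domain | Where-Object { $_ -match '^v=spf1\b' })
    switch ($spf.Count) {
        0 { $findings.Add('SPF: no record published') }
        1 {
            $rec = $spf[0]
            if ($rec -match '[+]?all\s*$' -and $rec -notmatch '[-~?]all\s*$') { $findings.Add('SPF: ends in +all, which authorizes every sender') }
            elseif ($rec -match '\?all\s*$') { $findings.Add('SPF: ?all (neutral) gives receivers no reason to reject spoofed mail') }
            elseif ($rec -match '~all\s*$')  { $findings.Add('SPF: ~all (softfail); acceptable with DMARC enforced, otherwise prefer -all') }
            # Rough count of mechanisms that cost a DNS lookup (ignores +/- qualifier prefixes).
            $lookups = ([regex]::Matches($rec, '(?i)(?:^|\s)(?:include:|a\b|a:|mx\b|mx:|ptr\b|ptr:|exists:|redirect=)')).Count
            if ($lookups -gt 10) { $findings.Add("SPF: $lookups lookup mechanisms exceeds the limit of 10 (permerror)") }
        }
        default { $findings.Add("SPF: $($spf.Count) v=spf1 records; receivers treat this as permerror") }
    }

    # --- DMARC: published, enforcing, reporting somewhere, applied to 100% of mail and to subdomains ---
    $dmarc = @(Get-Txt "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' })
    $tags = @{}
    if ($dmarc.Count -eq 0) {
        $findings.Add('DMARC: no record; SPF/DKIM results are never enforced against the visible From domain')
    } else {
        foreach ($pair in ($dmarc[0] -split ';')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
        }
        if ($tags['p'] -eq 'none')  { $findings.Add('DMARC: p=none only monitors; spoofed mail is still delivered') }
        if (-not $tags['rua'])      { $findings.Add('DMARC: no rua= address, so you receive no aggregate reports') }
        if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings.Add("DMARC: pct=$($tags['pct']) leaves part of the mail stream unenforced") }
        if ($tags['sp'] -eq 'none') { $findings.Add('DMARC: sp=none leaves subdomains unenforced') }
    }

    # --- DKIM: at least one selector with a public key published (an empty p= means the key was revoked) ---
    $dkimFound = @()
    foreach ($sel in $DkimSelectors) {
        $key = @(Get-Txt "$sel._domainkey.$Domain" | Where-Object { $_ -match 'p=' })
        if ($key.Count -gt 0 -and $key[0] -notmatch 'p=\s*(;|$)') { $dkimFound += $sel }
    }
    if ($dkimFound.Count -eq 0) { $findings.Add("DKIM: no usable key at selectors $($DkimSelectors -join ', ')") }

    [pscustomobject]@{
        Domain        = $Domain
        Spf           = $spf -join ' || '
        Dmarc         = $dmarc -join ' || '
        DkimSelectors = $dkimFound -join ','
        Findings      = $findings
    }
}

Test-MailAuthRecords -Domain 'example.com' | Format-List
```

An empty `Findings` list is the target state. Run it against every customer domain you manage mail for, not just your own; a customer domain with `p=none` is the one an attacker will use to impersonate you to them.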

Windows System Hardening

Many of today’s attacks attempt to abuse built-in tools and functionality. This tactic of “living off the land” helps them bypass defenses and evade detection by blending in with legitimate admin activity. Here are steps you can take to mitigate the threat:

- Guard against credential dumping by limiting or disabling credential caching
  Resources: Walkthrough for Windows 10 and Server 2016; walkthrough for older systems
- Disable or restrict PowerShell with Constrained Language Mode and AppLocker
  Resource: Walkthrough
- Restrict the launch of script files
  Resources: Walkthrough for Windows 10; walkthrough for older systems
- Use AppLocker to restrict applications
  Resource: AppLocker design guide
- Block “Living-off-the-Land” binaries (LOLbins) or restrict them from making outbound requests
  Resources: List of LOLbins (start with certutil, mshta, and regsvr32); walkthrough for using Windows Firewall to restrict programs from making outbound requests
- Utilize the Windows Firewall to block malicious remote access and lateral movement
  Resource: Walkthrough
- Restrict or monitor Windows Management Instrumentation (WMI)
  Resources: Examples of defensive WMI event subscriptions; walkthrough for setting a fixed port for WMI (and blocking it if remote WMI isn’t necessary)
- Use the highest User Account Control (UAC) enforcement levels whenever feasible (including enabling Admin Approval Mode for the built-in Administrator account)
  Resources: Walkthrough for Windows 10; walkthrough for older systems
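The hardening items above, together with the “block lateral movement between workstations” item from the Restrict Access section, come down to a handful of registry values and firewall rules per workstation. The script below is an added example rather than anything from the checklist or its linked walkthroughs; run it elevated on a pilot group first. The workstation subnet, the management hosts and the LOLbin list are assumptions, and several of the settings only take effect after a reboot or sign-out.

```powershell
# Added example (not from the checklist): apply the Windows hardening items and the
# workstation-to-workstation lateral-movement block on one workstation. Run elevated; pilot first.
# The subnet, management hosts and LOLbin list below are assumptions.
$WorkstationSubnet = '10.0.20.0/24'                # assumed: peer workstations that should never talk to each other
$MgmtHosts         = @('10.0.10.5', '10.0.10.6')   # assumed: RMM / jump hosts, outside the workstation subnet
$LolBins           = @('certutil.exe', 'mshta.exe', 'regsvr32.exe', 'bitsadmin.exe', 'wscript.exe', 'cscript.exe')

# 1. Credential caching: keep at most one cached domain logon so a dumped SAM/SECURITY hive yields little.
#    Use 0 on machines that never leave the network. (CachedLogonsCount is a REG_SZ holding a number.)
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name CachedLogonsCount -Value '1' -Type String

# 2. Lateral movement: block inbound SMB, RDP and WinRM from peer workstations, allow the management hosts.
#    Block rules win over allow rules when both match, so $MgmtHosts must lie outside $WorkstationSubnet.
$ports = @{ SMB = 445; RDP = 3389; WinRM = 5985; WinRMS = 5986 }
foreach ($svc in $ports.Keys) {
    New-NetFirewallRule -DisplayName "Block $svc from peer workstations" -Direction Inbound -Protocol TCP `
        -LocalPort $ports[$svc] -RemoteAddress $WorkstationSubnet -Action Block -Profile Domain, Private | Out-Null
    New-NetFirewallRule -DisplayName "Allow $svc from management hosts" -Direction Inbound -Protocol TCP `
        -LocalPort $ports[$svc] -RemoteAddress $MgmtHosts -Action Allow -Profile Domain, Private | Out-Null
}
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 3. LOLbins: deny the common download cradles any network access. An outbound block is low-risk compared
#    with blocking execution outright with AppLocker, which is stronger but needs more testing.
foreach ($bin in $LolBins) {
    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $env:WINDIR "$dir\$bin"
        if (Test-Path $path) {
            New-NetFirewallRule -DisplayName "Block outbound $bin ($dir)" -Direction Outbound -Program $path -Action Block | Out-Null
        }
    }
}

# 4. Script files: make the double-click handler for script types open Notepad instead of the Windows Script
#    Host, defeating the usual "invoice.pdf.js" email lure. AppLocker script rules (and the Constrained Language
#    Mode they impose on PowerShell when enforced) are the stronger version of this control.
foreach ($ext in '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta') {
    $progId = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue).'(default)'
    if ($progId) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
        New-Item $cmdKey -Force | Out-Null
        Set-ItemProperty $cmdKey -Name '(default)' -Value "`"$env:WINDIR\notepad.exe`" `"%1`""
    }
}

# 5. WMI: run the WMI service in its own process on fixed TCP port 24158 so remote WMI can be filtered, then
#    allow that port from management hosts only (everything else hits the default inbound block).
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
winmgmt /standalonehost | Out-Null
Restart-Service winmgmt -Force
New-NetFirewallRule -DisplayName 'Allow WMI (TCP 24158) from management hosts' -Direction Inbound -Protocol TCP `
    -LocalPort 24158 -RemoteAddress $MgmtHosts -Action Allow | Out-Null

# 6. UAC at its strictest: admins are prompted for credentials on the secure desktop, standard users are
#    prompted for admin credentials, and the built-in Administrator runs in Admin Approval Mode as well.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty $uac -Name EnableLUA                  -Value 1 -Type DWord
Set-ItemProperty $uac -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord   # 1 = credentials on the secure desktop
Set-ItemProperty $uac -Name ConsentPromptBehaviorUser  -Value 1 -Type DWord   # 1 = credentials on the secure desktop (0 = auto-deny)
Set-ItemProperty $uac -Name PromptOnSecureDesktop      -Value 1 -Type DWord
Set-ItemProperty $uac -Name FilterAdministratorToken   -Value 1 -Type DWord   # Admin Approval Mode for built-in Administrator
```

Step 2 is the one most likely to break something you rely on (screen sharing between staff, peer-to-peer patch caching); keep an eye on the firewall log for dropped packets from the workstation subnet during the pilot, and add a narrowly scoped allow rule rather than removing the block.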
Securing Microsoft Office

Malicious Office documents continue to be one of the most popular and successful delivery vehicles for malware. The key to mitigating that threat is to disable or restrict the following features:

- Disable or restrict macros
  Resources: Walkthrough for Office 2016; Group Policy Administrative Template files (ADMX/ADML)
- Disable or restrict Object Linking and Embedding (OLE)
  Resources: Walkthrough for blocking activation of OLE packages via registry changes; walkthrough for blocking activation of OLE / COM components in Office 365 via registry change; walkthrough for disabling data connections and automatic update of Workbook Links via the Trust Center
- Disable Dynamic Data Exchange (DDE)
  Resources: Walkthrough for disabling Dynamic Data Exchange Server Lookup / Launch via registry changes; walkthrough for disabling via the Trust Center
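All three Office items are registry values, which makes them easy to apply and, more importantly, easy to verify across a fleet. The script below is an added example and not from the checklist or its linked walkthroughs. It targets the current user on Office 2016/2019/365; the `16.0` path is an assumption (Office 2013 is `15.0`, 2010 is `14.0`). For a fleet, push the same values through Group Policy with the ADMX templates the checklist links to.

```powershell
# Added example (not from the checklist): set the macro, OLE and DDE restrictions for the current user on
# Office 2016/2019/365. The 16.0 path is an assumption. The HKCU\Software\Policies keys are the ones the
# Group Policy templates write and cannot be changed back by the user in the Trust Center.
$Version = '16.0'

foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
    $user   = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
    New-Item $policy -Force | Out-Null
    New-Item $user   -Force | Out-Null

    # Macros: 4 = disable all without notification. 3 = allow only digitally signed; 2 = disable with
    # notification (the default, which still lets a persuaded user click "Enable Content").
    Set-ItemProperty $policy -Name VBAWarnings -Value 4 -Type DWord
    # Even where macros are permitted, block them in files carrying the Mark-of-the-Web (downloads, attachments).
    Set-ItemProperty $policy -Name blockcontentexecutionfrominternet -Value 1 -Type DWord

    # OLE/Packager objects: 2 = do not allow activation (1 = prompt, the default; 0 = activate silently).
    Set-ItemProperty $user -Name PackagerPrompt -Value 2 -Type DWord
}

# DDE, using the registry values from Microsoft advisory ADV170021.
# Word: AllowDDE 0 = disable DDE entirely (1 = only to already-running programs, 2 = fully enabled), and do not
# auto-update linked fields (the DDEAUTO trick) when a document or an Outlook message opens.
Set-ItemProperty "HKCU:\Software\Microsoft\Office\$Version\Word\Security" -Name AllowDDE -Value 0 -Type DWord
foreach ($opt in 'Word\Options', 'Word\Options\WordMail') {
    $key = "HKCU:\Software\Microsoft\Office\$Version\$opt"
    New-Item $key -Force | Out-Null
    Set-ItemProperty $key -Name DontUpdateLinks -Value 1 -Type DWord
}
# Excel: turn off DDE server lookup and launch, and disable automatic workbook-link updates (2 = disabled).
$xl = "HKCU:\Software\Microsoft\Office\$Version\Excel\Security"
Set-ItemProperty $xl -Name DisableDDEServerLookup -Value 1 -Type DWord
Set-ItemProperty $xl -Name DisableDDEServerLaunch -Value 1 -Type DWord
Set-ItemProperty $xl -Name WorkbookLinkWarnings   -Value 2 -Type DWord

# Read everything back so the result can be reported by an RMM script check.
foreach ($app in 'Word', 'Excel') {
    Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security" |
        Select-Object @{n='App'; e={ $app }}, VBAWarnings, blockcontentexecutionfrominternet
    Get-ItemProperty "HKCU:\Software\Microsoft\Office\$Version\$app\Security" |
        Select-Object @{n='App'; e={ $app }}, PackagerPrompt, AllowDDE, DisableDDEServerLookup, DisableDDEServerLaunch, WorkbookLinkWarnings
}
```

Macro value 4 will break customers who genuinely run macro-driven workbooks; for them, 3 (signed macros only) with an internal signing certificate is the workable middle ground, and `blockcontentexecutionfrominternet` still stops the emailed ones.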
Detect & Respond to Security Incidents

“67% of SMBs suffered a cyber attack in 2018 at an average cost of $383,365 per attack.”
2018 STATE OF CYBERSECURITY IN SMALL & MEDIUM SIZE BUSINESSES REPORT

It’s not enough to work on preventing attacks. You also need to have the right capabilities and policies in place to identify, contain, investigate, and remediate compromises quickly.

NOTE: There are basic things you can do here, but the advanced end of the spectrum often involves utilizing complex tools, combing through logs, and providing 24/7 monitoring/response capabilities. Depending on your expertise, bandwidth, and requirements, you may need to consider outsourcing.

Monitoring

Real-time monitoring and alerting is key to identifying potential security incidents as quickly as possible. The trick is balancing visibility with prioritization and noise reduction. Otherwise, you risk suffering alert fatigue and feeling like you’re drinking from a firehose.

- Establish a network performance baseline so you can identify anomalies
- Use your RMM and/or SIEM to configure centralized network and endpoint monitoring*
  (* NinjaRMM: 360-degree monitoring, no setup required. Gain deep, actionable visibility across your entire network. Track changes. Set alerts. Monitor a host of real-time data. All within a crisp, intuitive UI.)
- Create standard monitoring and alert settings* you can apply across workstations, servers, etc.
- Prioritize alerts by establishing classifications* based on severity (critical, high, low) and create notification policies for each
- Develop standard operating procedures for addressing the most critical and most common alerts
- Reduce noise by eliminating alerts that lack severity and aren’t actionable
- Monitor key Windows Event IDs* that could indicate malicious activity
  Resources: Lists here and here
  (* NinjaRMM: No more guessing when it comes to creating alerts. Forget having to memorize Event IDs. Out-of-box alert templates make it easy to ensure you’re getting notified of critical events.)
- Consider utilizing an endpoint detection and response (EDR) solution
- Enable and configure the right system logs to assist in your own or outsourced digital forensics and incident response (DFIR)
  Resource: Cheat sheets for Windows
- Store logs in a central, isolated location
- Determine if you need to outsource management of all or some of the above to a managed detection and response (MDR) provider
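Two of the items above, enabling the right logs and monitoring key Event IDs, are worth seeing end to end: the audit settings that make the events exist, then queries that turn them into something you would actually alert on. The script below is an added example, not part of the checklist or the linked cheat sheets. The event IDs are standard Windows values; the 24-hour window, the 20-failure brute-force threshold and the LOLbin command-line pattern are assumptions to tune for your environment.

```powershell
# Added example (not from the checklist): enable the Windows logs DFIR needs, then pull high-signal
# Security/System events from the last 24 hours. Event IDs are standard; the window, threshold and
# pattern are assumptions. Run elevated; on a fleet, run the query half through your RMM.

# --- 1. Make sure the events exist at all ---
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Security Group Management" /success:enable | Out-Null
auditpol /set /subcategory:"User Account Management" /success:enable | Out-Null
auditpol /set /subcategory:"Other Object Access Events" /success:enable | Out-Null   # scheduled task events (4698)
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item $auditKey -Force | Out-Null
Set-ItemProperty $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord   # command line inside 4688
$psLog = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item $psLog -Force | Out-Null
Set-ItemProperty $psLog -Name EnableScriptBlockLogging -Value 1 -Type DWord                  # 4104 in PowerShell/Operational
wevtutil sl Security /ms:268435456      # 256 MB so the evidence is still there when you need it

# --- 2. Helpers ---
$since = (Get-Date).AddHours(-24)
function Get-EventData($Event) {        # the <Data Name="X">value</Data> pairs of an event as a hashtable
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}
function Get-Events($Log, $Ids) {
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = [int[]]$Ids; StartTime = $since } -ErrorAction SilentlyContinue
}

# --- 3. Events that are almost always worth a ticket ---
$watch = @{
    1102 = 'Security log cleared'
    4720 = 'User account created'
    4732 = 'Member added to a local group (Administrators?)'
    4728 = 'Member added to a global group'
    4740 = 'Account locked out'
    4698 = 'Scheduled task created'
    4648 = 'Logon with explicit credentials (runas / lateral movement)'
}
"`n== Watched Security events =="
Get-Events 'Security' $watch.Keys |
    Select-Object TimeCreated, Id, @{n='What'; e={ $watch[$_.Id] }}, @{n='Detail'; e={ ($_.Message -split "`r?`n")[0] }} |
    Format-Table -AutoSize
"`n== New services installed (System 7045) =="
Get-Events 'System' 7045 | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Service = $d.ServiceName; Image = $d.ImagePath; Account = $d.AccountName }
} | Format-Table -AutoSize

# --- 4. Brute force / password spraying: bursts of failed logons (4625) from one source address ---
"`n== Sources with 20+ failed logons =="
Get-Events 'Security' 4625 | ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Source = $d.IpAddress; Account = $d.TargetUserName; LogonType = $d.LogonType }
    } |
    Group-Object Source | Where-Object Count -ge 20 |
    Select-Object @{n='Source'; e={ $_.Name }}, Count,
                  @{n='Accounts'; e={ ($_.Group.Account | Sort-Object -Unique | Select-Object -First 10) -join ',' }} |
    Format-Table -AutoSize

# --- 5. Living off the land: process creations (4688) whose command line looks like a download cradle ---
$lolPattern = '(?i)certutil.*-urlcache|mshta\s+\S*http|regsvr32.*(scrobj|/i:http)|bitsadmin.*transfer|powershell.*(-enc|downloadstring|iex)'
"`n== Suspicious process creations (4688) =="
Get-Events 'Security' 4688 | ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Parent = $d.ParentProcessName; User = $d.SubjectUserName; CommandLine = $d.CommandLine }
    } |
    Where-Object { $_.CommandLine -match $lolPattern } |
    Format-Table -Wrap
```

Sections 3 to 5 are the shape of the alert rules you would put in the RMM or SIEM: a flat list of IDs that are rare enough to page on, a count-over-time rule for the noisy ID, and a pattern match on the field that only exists because section 1 turned it on. Ship the raw events to the central, isolated log store as well; once an attacker has local admin, 1102 may be the last event you get from that host.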

Creating an Incident Response Plan

When a security incident does occur you need to be able to act quickly under pressure. That takes clear guidelines and effective planning.

- Define what constitutes a security incident
- Establish roles, responsibilities, and procedures for responding to incidents, including disaster recovery
- Identify escalation options should an incident require more extensive/expert response and recovery than you can provide
- Have a plan for communicating internally, with customers, authorities, and the public (if necessary)
- Understand compliance requirements regarding incident disclosure and reporting
  Resources: HIPAA Breach Notification Rule; GDPR data breach notifications FAQ
- Run fire drills

Get More Done Confidently and Securely with NinjaRMM

Find out how NinjaRMM makes it easier for MSPs to protect themselves and their customers with:

- Deep visibility across your entire network from a single pane of glass
- 360-degree monitoring and real-time alerting
- Secure remote access for disruption-free management and remediation
- Automated patch management
- Detailed asset inventory and compliance reporting
- Seamless backup and endpoint security integration

LEARN MORE

Contact Us Today
(888) 542-8339 | [email protected] | www.ninjarmm.com
