- Azure for Architects
- Ritesh Modi
- 294 words
- 2021-07-02 13:17:17
Reducing the attack surface area
NSGs and firewalls control which requests are allowed to reach the environment, but the environment itself should also not be overly exposed. The surface area of a system should be exactly what its functionality requires: every port, service, account, or feature that is enabled without an intended use, or that is enabled but not adequately secured, is a potential entry point. Hardening each host so that only the required surface remains makes it markedly harder for an attacker to break into the system.
Some of the areas that should be configured include the following:
- Remove all unnecessary users and groups from the operating system.
- Identify group membership for all users.
- Implement group policies using directory services.
- Block script execution unless it is signed by trusted authorities.
- Log and audit all activities.
- Install anti-malware and anti-virus software, schedule scans, and update definitions frequently.
- Disable or shut down services that are not required.
- Lock down the filesystem so only authorized access is allowed.
- Lock down changes to the registry.
- Configure the host firewall according to the requirements of the workload, allowing only the ports and source addresses the server's role needs.
- Set the PowerShell execution policy to Restricted or RemoteSigned. Note that the execution policy guards against accidentally running untrusted scripts; it is not a security boundary, and an attacker who already has a shell can bypass it.
- Keep Internet Explorer Enhanced Security Configuration (IE ESC) enabled on servers.
- Restrict the ability to create new users and groups.
- Remove direct internet access from servers and place jump servers in front of RDP.
- Prohibit RDP to servers over the internet. Instead, connect through a site-to-site VPN, point-to-site VPN, or ExpressRoute and RDP into remote machines from within the network.
- Regularly deploy all security updates.
- Run the Security Compliance Manager tool against the environment and implement its recommendations.
- Actively monitor the environment using Azure Security Center and the Operations Management Suite (OMS).
- Deploy network virtual appliances (NVAs) to route traffic through internal proxies and reverse proxies.
- All sensitive data, such as configuration, connection strings, and credentials, should be encrypted.
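The list above is a checklist, not a script, so here is an added example (it is not from the book and not Microsoft's tooling) of how an architect would turn several of those items into a repeatable audit for a Windows Server VM: execution policy, unwanted local accounts, the Administrators group, unneeded services, the scope of the inbound RDP firewall rules, Defender status, logon auditing, IE ESC, and patch age. Run it elevated. Without `-Apply` it only reports; with `-Apply` it enforces. The jump-server subnet, the service names, and the account names are assumptions for illustration and should be replaced with the values for your environment.

```powershell
<#
  Added example, not from the book. Audits (or, with -Apply, enforces) a subset of the
  hardening items on a Windows Server host. The defaults below are assumed values.
#>
[CmdletBinding()]
param(
    [switch]$Apply,
    [string]$JumpHostSubnet = '10.10.0.0/24',                                  # assumed jump-server subnet
    [string[]]$UnneededServices = @('Spooler', 'RemoteRegistry', 'XblAuthManager'), # assumed for this role
    [string[]]$UnwantedLocalUsers = @('Guest', 'DefaultAccount')                # assumed; built-ins are disabled, not removed
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. PowerShell execution policy at machine scope should be Restricted or RemoteSigned.
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($policy -in 'Restricted', 'RemoteSigned', 'AllSigned') { Add-Finding 'ExecutionPolicy' 'OK' $policy }
elseif ($Apply) { Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force; Add-Finding 'ExecutionPolicy' 'FIXED' "$policy -> RemoteSigned" }
else { Add-Finding 'ExecutionPolicy' 'FAIL' $policy }

# 2. Unnecessary local users: built-in accounts cannot be deleted, so disable them.
foreach ($name in $UnwantedLocalUsers) {
    $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if (-not $u) { Add-Finding "LocalUser:$name" 'OK' 'absent'; continue }
    if (-not $u.Enabled) { Add-Finding "LocalUser:$name" 'OK' 'disabled'; continue }
    if ($Apply) { Disable-LocalUser -Name $name; Add-Finding "LocalUser:$name" 'FIXED' 'disabled' }
    else { Add-Finding "LocalUser:$name" 'FAIL' 'enabled' }
}

# 3. Record who holds local admin so group membership can be reviewed.
$admins = (Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name) -join ', '
Add-Finding 'Administrators' 'INFO' $admins

# 4. Services the role does not need: stop and set to Disabled.
foreach ($svc in $UnneededServices) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { continue }
    if ($s.StartType -eq 'Disabled') { Add-Finding "Service:$svc" 'OK' 'disabled'; continue }
    if ($Apply) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
        Add-Finding "Service:$svc" 'FIXED' 'stopped and disabled'
    } else { Add-Finding "Service:$svc" 'FAIL' "$($s.Status), StartType=$($s.StartType)" }
}

# 5. Inbound RDP rules must be scoped to the jump-server subnet, never 'Any'.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True
$openToAny = $rdpRules | Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
if (-not $openToAny) { Add-Finding 'RDP scope' 'OK' 'inbound 3389 not open to Any' }
elseif ($Apply) { $rdpRules | Set-NetFirewallRule -RemoteAddress $JumpHostSubnet; Add-Finding 'RDP scope' 'FIXED' "limited to $JumpHostSubnet" }
else { Add-Finding 'RDP scope' 'FAIL' 'inbound RDP accepts any source address' }

# 6. Defender: real-time protection on and signatures no older than a day.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $ageDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    if ($mp.RealTimeProtectionEnabled -and $ageDays -le 1) { Add-Finding 'Defender' 'OK' "signatures $ageDays day(s) old" }
    elseif ($Apply) { Set-MpPreference -DisableRealtimeMonitoring $false; Update-MpSignature; Add-Finding 'Defender' 'FIXED' 'real-time on, signatures updated' }
    else { Add-Finding 'Defender' 'FAIL' "RealTime=$($mp.RealTimeProtectionEnabled), signatures $ageDays day(s) old" }
}

# 7. Audit logon success and failure so RDP attempts are logged.
$logon = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
if ($logon.'Inclusion Setting' -eq 'Success and Failure') { Add-Finding 'Audit:Logon' 'OK' 'Success and Failure' }
elseif ($Apply) { auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null; Add-Finding 'Audit:Logon' 'FIXED' 'Success and Failure' }
else { Add-Finding 'Audit:Logon' 'FAIL' "$($logon.'Inclusion Setting')" }

# 8. IE Enhanced Security Configuration for administrators (IsInstalled = 1 means enabled).
$ieEsc = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$escOn = (Get-ItemProperty -Path $ieEsc -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
if ($escOn -eq 1) { Add-Finding 'IE ESC (admins)' 'OK' 'enabled' }
elseif ($Apply) { Set-ItemProperty -Path $ieEsc -Name IsInstalled -Value 1; Add-Finding 'IE ESC (admins)' 'FIXED' 'enabled' }
else { Add-Finding 'IE ESC (admins)' 'FAIL' 'disabled' }

# 9. Patch age: report the most recently installed hotfix for the update-cadence check.
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) { Add-Finding 'Patching' 'INFO' "last hotfix $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())" }

$findings | Format-Table -AutoSize
# Non-zero exit lets a deployment pipeline refuse to promote a VM that still fails a check.
if ($findings.Status -contains 'FAIL') { exit 1 } else { exit 0 }
```

Two points on the design. First, the host firewall scoping in step 5 is defense in depth, not a substitute for the NSG on the subnet: the NSG should already deny TCP/3389 from the Internet service tag, and the host rule only limits what is reachable if that outer layer is misconfigured. Second, the script deliberately reports before it changes anything; running it in audit mode across a fleet and feeding the findings into Security Center or Log Analytics gives you the "actively monitor" item on the list, while `-Apply` is reserved for image build or a controlled change window.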