- Patch the operating system on all PCs and Servers. Windows security updates should be applied and Windows Update should be set to download and install automatically. [Preventative]
- Update Microsoft Office with all available updates. Set Windows Update to also update any other Microsoft products. [Preventative]
- Update all web browsers. The preferred browser is 64-bit Google Chrome Enterprise, as it is fairly secure by default and includes its own sandboxed Flash player and PDF viewer. [Preventative]
- Update Adobe Flash to the most current version, or remove it if using Chrome as advised above. Update Adobe Reader to the most current version, or remove it if using Google Chrome. [Preventative]
- Remove Java. If you must run Java, update to the most current version, but seriously consider removing Java. [Preventative]
- Raise the level of User Account Control (UAC) to the highest level – requiring an Admin account to install or modify the system. [Preventative]
- Users must not be Local Admin on their PC. [Preventative]
- Enable Windows Firewall on all PCs and servers. Only enable ports and applications, both inbound and outbound, as required (at a minimum, block inbound by default). [Preventative]
- Implement a backup solution for all user data. Restore must be tested periodically. Ideally, versioning or offline snapshots should be enabled to protect against ransomware. [Preventative]
- All mobile devices should be updated to the latest version of the OS and device passcodes must be set (at least 6 digits). [Preventative]
Bonus Items
- Install antivirus / anti-malware software on PCs and servers. Any IPS / IDS functionality would be good to apply. Solution should be set to update signatures automatically. [Preventative / Detective]
- BitLocker hard drive encryption should be enabled and enforced via GPO. [Preventative]
- Application whitelisting using AppLocker with trusted publishers or hashes of known good applications. [Preventative]
- Install Sysmon on all PCs and servers. Configure it to log process creation, command line execution parameters, and optionally network events. [Detective]
- Turn on Windows Event logging for critical events (see SANS, Detecting Security Incidents Windows Event Logs). [Detective]
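
The following PowerShell script is an added example, not part of the original checklist. It audits several of the items above on the local machine (UAC level, local Administrators membership, firewall defaults, BitLocker, Sysmon). It assumes an elevated session, and its pass criteria are assumptions to adjust to local policy.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of several checklist items on the local machine.
# Pass criteria are this example's assumptions; adjust them to local policy.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Item, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail })
}

# UAC: "Always notify" is ConsentPromptBehaviorAdmin 2 (1 = prompt for credentials)
# with the prompt shown on the secure desktop.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacOk = ($uac.EnableLUA -eq 1) -and ($uac.ConsentPromptBehaviorAdmin -in 1, 2) -and
         ($uac.PromptOnSecureDesktop -eq 1)
Add-Check 'UAC at highest level' $uacOk "ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"

# Local Administrators (well-known SID S-1-5-32-544): flag any user account
# other than the built-in Administrator (RID 500).
$extra = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' })
Add-Check 'No users in local Administrators' ($extra.Count -eq 0) ($extra.Name -join ', ')

# Firewall: every profile enabled and blocking inbound by default (effective policy).
foreach ($p in (Get-NetFirewallProfile -PolicyStore ActiveStore)) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
    Add-Check "Firewall profile $($p.Name)" $ok "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# BitLocker: protection must be on for the system drive. The cmdlet is absent
# on editions without BitLocker, which is reported as a failure here.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
Add-Check 'BitLocker on system drive' ($bl.ProtectionStatus -eq 'On') "VolumeStatus=$($bl.VolumeStatus)"

# Sysmon: the service is named after the installer binary, by default
# Sysmon or Sysmon64. A renamed binary will not be found by this check.
$sysmon = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' }
Add-Check 'Sysmon service running' ([bool]$sysmon) ($sysmon.Name -join ', ')

$results | Format-Table -AutoSize -Wrap
```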