CDE's Tips for a More Secure IT Environment

See Revision History for a list of updates to this web page.

Cyberattacks are getting more sophisticated and more difficult to prevent and identify. However, several free and low-cost IT security improvements can be implemented by LEAs rather quickly to disrupt the cyber kill chain .

California LEAs can subscribe to the California Department of Education’s (CDEs) it-security-tips mailing list by sending a blank email to join-it-security-tips@mlist.cde.ca.gov to receive additional cybersecurity information.

1. Require IT Staff to Use Tiered Accounts for System Administration Purposes

The tier model for partitioning administrative privileges  helps to reduce elevation of privilege paths from a workstation to a server to a domain controller. The model requires IT staff to use different domain accounts for IT system administration purposes. Three tiers are described in the following example, but you could further separate out admin-level accounts if needed.

• Use an account name ending in -t0 (to denote a “tier 0” account) when performing domain administration tasks on “tier 0” servers like domain controllers or servers that require domain administrative rights. Do not log onto a non-tier 0 sever or any workstation using a “tier 0” account.
• Use an account name ending in -t1 (to denote a “tier 1” account) when performing administrative tasks on “tier 1” servers such as file servers, application servers, or database servers. Do not log onto a “tier 0” server or any workstation using a “tier 1” account.
• Use an account name ending in -t2 (to denote a “tier 2” account) when performing administrative tasks on workstations. Do not log onto a server using a "tier 2" account. Furthermore, do not use a “tier 2” account as an everyday user account (e.g., web browsing, email, etc.).

The passwords for the IT staff person’s tiered accounts must be different and complex, and changed regularly.

2. Regularly Review and Limit Number of Domain Admin Accounts

By following the tier model for partitioning administrative privileges, all domain admin accounts should be a limited number of “tier 0” named accounts. Manually review the list of user accounts with domain admin privileges on a regular basis or use third-party tools to generate alerts when an account is added or deleted to/from sensitive administrative groups (e.g., domain administrators group). 

3. Do Not Allow Local Administrative Rights on Workstations

Do not allow employees (especially IT staff) to have local administrative rights on their workstations using their everyday account. IT staff can use a “tier 2” account temporarily to provide end-user support if local administrative rights are needed.

Third-party tools can provide reports on the user accounts in the local Administrators group in each workstation/server, or a script can be used for smaller organizations.

4. Implement Local Administrator Password Solution (LAPS) for Windows Domain-joined Computers

Microsoft Windows LAPS sets a different, random password for the local administrator account on every computer in the domain. The password is changed at a specified interval. If needed, IT support staff can look up the administrator password in Active Directory. If there is not a common local administrator account and password on computers, the cyber attacker will have one less method to move laterally in the environment.

Note: Microsoft is working on a new version of LAPS for Windows 11-based computers.

5. Block Brute Force Attacks on Local Administrator Accounts

Starting with the October 2022 Windows cumulative update for Windows 10, a local security policy is available to enable account lockouts for the built-in local Administrator accounts . Without account lockout capabilities, the built-in local Administrator account can be subjected to unlimited brute force attacks to try to determine the password.

6. Use a Privileged Access Workstation to Access Tier 0 Servers

A privileged access workstation (PAW) is a dedicated secure workstation used exclusively for sensitive tasks such as accessing Tier 0 servers (e.g., domain controllers).

The PAW’s configuration is hardened to protect against compromise. The PAW is typically a non-domain joined workstation with limited outbound Internet access (if any) and additional applications. A non-local admin account should be used to log onto the PAW to keep the PAW clean. Also, do not use the PAW for day-to-day activities such as browsing the Internet and accessing email.

7. Allow RDP to Tier 0 Servers from PAWs Only

Use a host-based firewall (e.g., Windows Defender Firewall) or a network-based firewall to allow remote desktop protocol (RDP, port 3389) to Tier 0 servers (e.g., domain controllers) from PAW devices only. Do not allow RDP to Tier 0 servers from non-PAW devices.

8. Restrict RDP Usage from Workstations

Most workstations do not need to initiate a remote desktop protocol (RDP) connection to another computer on the network. To reduce lateral movement possibilities, use a host-based firewall to restrict the ability for workstations to start an RDP connection where appropriate.

9. Use Filtered DNS Services

Typically, malware needs to contact a “command and control (C&C) server” to get instructions on how to attack the network and/or where to send exfiltrated data. If the malware uses Domain Name System (DNS) host names to specify the C&C server, malicious activity can be thwarted by using filtered DNS Services so that the IP address of the C&C server will not be provided to the malware.

If a subscription-based commercial DNS filtering service is not within budget, consider using a no cost option such as MS-ISAC MDBR (registration required) or Quad9 as a possible solution.

Furthermore, validate the egress firewall is allowing external DNS requests to only authorized DNS servers that can filter requests.

10. Require MFA for Remote Access and Cloud Apps

All employees should be required to use multifactor authentication (MFA) when remotely accessing internal network resources. In addition, MFA should be required when employees access cloud applications like Microsoft 365 services.

To combat “MFA fatigue ,” consider implementing number matching for MFA applications (PDF). In October 2022, Microsoft released a security feature to their Authenticator product  to help with preventing accidental approvals of MFA requests.

11. Allow Employee User Access from the United States Only

Use conditional access policies to block access by location  so employees can make remote access and cloud application connections from the United States only. Grant exceptions for a limited amount of time for a specific employee given upper-level management approval.

12. Help Users Identify Email from Outside the Organization

Malicious email from outside the organization is the primary entry point for the majority of cyberattacks. You can help your users identify email originating from outside the organization by adding text to the email subject line (e.g. [EXTERNAL]) and/or adding a warning message to the body of the email.

If Microsoft Exchange is used for email purposes, there are two methods to add the external email warning .

13. Block Dangerous Email Attachment File Types

Inbound email containing file attachments that are “executable” should be blocked at the email gateway and/or within the email system. Examples of executable attachments are files with extensions such as .bat, .cmd, .exe, .iso, .jar, .lnk, .msi, .ps1, .vb, and .vbs. See the blocked attachments in Outlook list for more file extensions to consider blocking.

If you use the Microsoft Exchange Online email system, use mail flow rules to block messages with executable attachments.

In addition to blocking executable attachments, consider blocking email containing Microsoft Office file types that can contain macros. Examples of macro-capable file types are .docm, .dotm, xlam, xlsb, .xlsm, .xltm, xlw, potm, .ppsm, and .pptm. Furthermore, consider blocking (or warning users about) the Office 97-2003 file types such as .doc, .xls, and .ppt since these file types can include macros.

Microsoft OneNote files can be used by threat actors to hide dangerous file types. Consider blocking file attachments that begin with .one.

Although Microsoft released a patch in February 2023, consider blocking file attachments with type .rtf (Rich Text Format) to mitigate the CVE-2023-21716 vulnerability in Microsoft Word .

14. Block non-Port 80/443 Outbound Internet Connections

To limit data exfiltration options, use a host-based firewall, network-based firewall, or endpoint protection client product to block outbound Internet connections to non-Port 80/443 services.

15. Scan Public IP Address Range for Accessible Services and Vulnerabilities

Regularly scan your LEA’s public IP address range from outside your internal network to look for accessible services and vulnerabilities. Possible no-cost options to perform the scanning include:

• Nmap (“Network Mapper”) - open-source utility for network discovery and security auditing.
• Cybersecurity and Infrastructure Security Agency (CISA) Cyber Hygiene Services - weekly scheduled vulnerability scans with associated reports.

16. Ensure Usage of Supported Software Versions

Once software products reach end-of-support, the software manufacturer ceases to provide security updates to their software. Ensure computers are using software that is still supported to ensure the latest security updates are available.

Important note: Windows Server 2012/2012 R2 reached end-of-support on October 10, 2023.

Use these resources to determine if software versions currently being used are still supported:

• Windows 10 release information
• Windows Server release information
• Windows Server End of Support: Key Dates
• How to Block Windows 11 Update in Windows 10
• Apple security updates
• Adobe products and technical support periods

17. Have an Incident Response Plan… Test Your Backups

LEAs need to assume they will be a victim of a cyberattack. Therefore, a regularly tested incident response plan is critical. Part of the plan should require the use of system backups. Verify backups are completed successfully and stored securely. Regularly test the ability to restore systems/files from the backups.

Consider using the cyber incident response assistance and resources  available through the Cybersecurity & Infrastructure Security Agency. 

18. Keep Current on Cybersecurity News

Keep current on cybersecurity news by subscribing to the MS-ISAC newsletter  and CISA alerts , and by following cybersecurity experts and organizations using social media. This information may lead to zero-day mitigations and indicators of compromise that can be added to your security products/services.

In addition, LEAs cam subscribe to the CDE’s it-security-tips mailing list by sending a blank email to join-it-security-tips@mlist.cde.ca.gov.

19. Require Regular Cybersecurity Awareness Training for All Employees

One way to reduce the possibility of the initiation of a cyberattack is to train end users to identify malicious email and websites. The end users need to act like a human IT firewall. Regular cybersecurity awareness training and constant reminders about the need to be vigilant will help secure the IT environment.

The National Institute of Standards and Technology maintains a list of free and low cost online cybersecurity learning content . Also, MS-ISAC members can obtain discounted pricing for SANS Security Awareness End User Training .

Finally, if your LEA has Microsoft 365 A5 licenses or subscribes to the Office 365 Plan 2, you have access to Microsoft’s security awareness training for employees and phishing attack simulations .

20. Review Best Practice Resources and Advisories

Here are some additional resources that can help secure your IT environment:

Active Directory Pro

• Top 25 Active Directory Security Best Practices

Center for Internet Security (CIS)

• Nationwide Cybersecurity Review security program self-assessment
• CIS Critical Security Controls - prioritized set of actions
• The Cost of Cyber Defense: CIS Controls Implementation Group 1

Cybersecurity & Infrastructure Security Agency (CISA)

• How Can I Protect Against Ransomware?
• Current security issues, vulnerabilities, and exploits
• Phishing Infographic (PDF)
• Partnering to Safeguard K-12 Organizations from Cybersecurity Threats
• CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks
• Phishing Guidance: Stopping the Attack Cycle at Phase One

Microsoft

• Best Practices for Securing Active Directory
• Securing Domain Controllers Against Attack
• How to prevent lateral movement attacks using Microsoft 365 Defender

U.S. Department of Education

• Cybersecurity Resources for K-12 Districts and Higher Education Institutions

21. Report Cyberattacks

California Education Code 35265 – 35267 requires school districts, county offices of education, and charter schools to report cyberattacks impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center (Cal-CSIC) within the Governor’s Office of Emergency Services. The Cal-CSIC Reporting Cyberattacks flyer (PDF) provides guidance on how to report cyberattacks.

Disclaimer

The information presented on this web page are only tips that LEAs should consider. They have been collected from a variety of sources deemed reliable and have been consolidated on this page for the convenience of California’s LEAs. However, each LEA should consult with its own IT experts about the advantages, disadvantages, and potential consequences before deciding to implement any of these tips. The California Department of Education is not responsible for any loss, damage, liability, or other adverse or unanticipated consequence related to or resulting from the implementation of these tips.

Revision History

• January 2, 2024
  • Added CIS Critical Security Controls and The Cost of Cyber Defense: CIS Controls Implementation Group 1 to the Review Best Practice Resources and Advisories section.
• October 19, 2023
  • Added Phishing Guidance: Stopping the Attack Cycle at Phase One to the Review Best Practice Resources and Advisories section.
• August 30, 2023
  • Added Cal-CSIC Reporting Cyberattacks flyer (PDF) to the Report Cyberattacks section.
  • Added Cybersecurity Resources for K-12 Districts and Higher Education Institutions to the Review Best Practice Resources and Advisories section.
• March 8, 2023
  • Added recommendation to block email attachments with type .rtf (Rich Text Format) to the Block Dangerous Email Attachment File Types section.
  • Added CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks to the Review Best Practice Resources and Advisories section.
• January 25, 2023
  • Added Partnering to Safeguard K-12 Organizations from Cybersecurity Threats to the Review Best Practice Resources and Advisories section.
• January 23, 2023
  • Added Nationwide Cybersecurity Review security program self-assessment  to the Review Best Practice Resources and Advisories section.
  • Added SANS Security Awareness End User Training   to the Require Regular Cybersecurity Awareness Training for All Employees section.
  • Added recommendation to block email attachments that start with .one (Microsoft OneNote file format) to the Block Dangerous Email Attachment File Types section.
• December 9, 2022
  • Added Phishing Infographic (PDF) to the Review Best Practice Resources and Advisories section.
  • Corrected "Office 97-2013 file types" to "Office 97-2003 file types" in the Block Dangerous Email Attachment File Types section.
• December 5, 2022: Original release.