CDE's Tips for a More Secure IT Environment
Free and low-cost cybersecurity tips to help local education agencies (LEAs) secure their information technology (IT) environments.
See Revision History for a list of updates to this web page.
Cyberattacks are getting more sophisticated and more difficult to prevent and identify. However, several free and low-cost IT security improvements can be implemented by LEAs rather quickly to disrupt the cyber kill chain.
California LEAs can subscribe to the California Department of Education’s (CDE's) it-security-tips mailing list by sending a blank email to email@example.com to receive additional cybersecurity information.
1. Require IT Staff to Use Tiered Accounts for System Administration Purposes
The tier model for partitioning administrative privileges helps to reduce elevation of privilege paths from a workstation to a server to a domain controller. The model requires IT staff to use different domain accounts for IT system administration purposes. Three tiers are described in the following example, but you could further separate out admin-level accounts if needed.
- Use an account name ending in -t0 (to denote a “tier 0” account) when performing domain administration tasks on “tier 0” servers like domain controllers or servers that require domain administrative rights. Do not log onto a non-tier 0 server or any workstation using a “tier 0” account.
- Use an account name ending in -t1 (to denote a “tier 1” account) when performing administrative tasks on “tier 1” servers such as file servers, application servers, or database servers. Do not log onto a “tier 0” server or any workstation using a “tier 1” account.
- Use an account name ending in -t2 (to denote a “tier 2” account) when performing administrative tasks on workstations. Do not log onto a server using a "tier 2" account. Furthermore, do not use a “tier 2” account as an everyday user account (e.g., web browsing, email, etc.).
The passwords for the IT staff person’s tiered accounts must be different and complex, and changed regularly.
2. Regularly Review and Limit Number of Domain Admin Accounts
By following the tier model for partitioning administrative privileges, all domain admin accounts should be a limited number of “tier 0” named accounts. Manually review the list of user accounts with domain admin privileges on a regular basis or use third-party tools to generate alerts when an account is added or deleted to/from sensitive administrative groups (e.g., domain administrators group).
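The periodic review described above can be scripted. The following PowerShell is an added example, not code from the CDE page: it lists Domain Admins membership (nested groups included), flags members that do not follow the -t0 naming convention from tip 1, and diffs the list against a saved baseline so additions and removals stand out. It assumes the RSAT ActiveDirectory module; the baseline path is a placeholder.

```powershell
# Added example (not from the CDE page): audit Domain Admins membership against
# the tier-0 naming convention from tip 1 and against a saved baseline.
# Assumes the RSAT ActiveDirectory module; the baseline path is a placeholder.
Import-Module ActiveDirectory

$BaselinePath = 'C:\SecAudit\domain-admins-baseline.txt'   # placeholder

# -Recursive flattens nested groups, so accounts hidden in sub-groups are included.
$members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName |
    Sort-Object)

if ($members.Count -eq 0) { Write-Warning 'No user members returned; check module/permissions.'; return }

# 1. Every Domain Admin should be a dedicated "-t0" account, never an everyday login.
foreach ($acct in ($members | Where-Object { $_ -notlike '*-t0' })) {
    Write-Warning "Domain Admins member '$acct' does not follow the tier-0 (-t0) naming convention."
}

# 2. Diff against the last approved baseline to catch additions and removals.
$baseline = @()
if (Test-Path $BaselinePath) { $baseline = @(Get-Content $BaselinePath | Where-Object { $_ }) }

if ($baseline.Count -eq 0) {
    Write-Output "No baseline at $BaselinePath; review the list below, then save it with:"
    Write-Output '  $members | Set-Content $BaselinePath'
} else {
    $changes = Compare-Object -ReferenceObject $baseline -DifferenceObject $members
    foreach ($c in $changes) {
        $what = if ($c.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        Write-Warning "Domain Admins $what since baseline: $($c.InputObject)"
    }
    if (-not $changes) { Write-Output 'Domain Admins membership unchanged since baseline.' }
}

# Current membership, for the manual review the tip calls for.
$members
```

Run it on a schedule from a tier-0 account and review every warning; the baseline is only re-saved after a change has been approved.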
3. Do Not Allow Local Administrative Rights on Workstations
Do not allow employees (especially IT staff) to have local administrative rights on their workstations using their everyday account. IT staff can use a “tier 2” account temporarily to provide end-user support if local administrative rights are needed.
Third-party tools can provide reports on the user accounts in the local Administrators group in each workstation/server, or a script can be used for smaller organizations.
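For the smaller-organization script mentioned above, here is an added PowerShell example (not from the CDE page) that queries the local Administrators group on every domain workstation and reports members outside an approved list. It assumes the RSAT ActiveDirectory module and PowerShell Remoting (WinRM) on the workstations; the approved-members list and the CONTOSO domain name are placeholders.

```powershell
# Added example (not from the CDE page): report local Administrators group membership
# on every domain workstation and flag members outside an approved list.
# Assumes the RSAT ActiveDirectory module and WinRM (PowerShell Remoting) on the
# workstations; the approved-members list and domain name are placeholders.
Import-Module ActiveDirectory

# Expected everywhere: the built-in account (its password randomized by LAPS, tip 4)
# and the domain group that holds the tier-2 workstation admin accounts (tip 1).
$Approved = @('Administrator', 'CONTOSO\Workstation-Admins-T2')   # placeholders

# Workstations only: exclude computers whose OS string says "Server".
$workstations = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -notlike "*Server*"' `
                               -Properties OperatingSystem |
    Select-Object -ExpandProperty Name

# Query each workstation in parallel; unreachable hosts are collected, not fatal.
$results = Invoke-Command -ComputerName $workstations -ErrorAction SilentlyContinue `
                          -ErrorVariable unreachable -ScriptBlock {
    # Note: Get-LocalGroupMember can throw on orphaned SIDs left by deleted domain accounts.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      @{ n = 'Member';   e = { $_.Name } },
                      ObjectClass, PrincipalSource
}

# Local accounts come back as "HOST\Name"; strip the host so they compare to the approved list.
$unexpected = $results | Where-Object {
    $name = $_.Member -replace ('^' + [regex]::Escape($_.Computer) + '\\'), ''
    $Approved -notcontains $name
}

$unexpected | Sort-Object Computer, Member |
    Format-Table Computer, Member, ObjectClass, PrincipalSource -AutoSize

if ($unreachable) {
    Write-Warning ("{0} workstation(s) did not respond; re-run for them later." -f $unreachable.Count)
}
# For ticketing: $unexpected | Export-Csv 'C:\SecAudit\local-admins.csv' -NoTypeInformation
```

Every row in the output is an everyday or unknown account holding local admin rights and should be removed or moved to a tier-2 account.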
4. Implement Local Administrator Password Solution (LAPS) for Windows Domain-joined Computers
Microsoft Windows LAPS sets a different, random password for the local administrator account on every computer in the domain. The password is changed on a specified interval. If needed, IT support staff can look up the administrator password in Active Directory. If there is not a common local administrator account and password on computers, the cyber attacker will have one less method to move laterally in the environment.
Note: Microsoft is working on a new version of LAPS for Windows 11-based computers.
5. Block Brute Force Attacks on Local Administrator Accounts
Starting with the October 2022 Windows cumulative update for Windows 10, a local security policy is available to enable account lockouts for the built-in local Administrator accounts. Without account lockout capabilities, the built-in local Administrator account can be subjected to unlimited brute force attacks to try to determine the password.
6. Use a Privileged Access Workstation to Access Tier 0 Servers
A privileged access workstation (PAW) is a dedicated secure workstation used exclusively for sensitive tasks such as accessing Tier 0 servers (e.g., domain controllers).
The PAW’s configuration is hardened to protect against compromise. The PAW is typically a non-domain joined workstation with limited (if any) outbound Internet access and a minimal set of additional applications. A non-local admin account should be used to log onto the PAW to keep the PAW clean. Also, do not use the PAW for day-to-day activities such as browsing the Internet and accessing email.
7. Allow RDP to Tier 0 Servers from PAWs Only
Use a host-based firewall (e.g., Windows Defender Firewall) or a network-based firewall to allow remote desktop protocol (RDP, port 3389) to Tier 0 servers (e.g., domain controllers) from PAW devices only. Do not allow RDP to Tier 0 servers from non-PAW devices.
8. Restrict RDP Usage from Workstations
Most workstations do not need to initiate a remote desktop protocol (RDP) connection to another computer on the network. To reduce lateral movement possibilities, use a host-based firewall to restrict the ability for workstations to start an RDP connection where appropriate.
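The host-based firewall rules for tips 7 and 8, as an added PowerShell example (not from the CDE page) using the Windows Defender Firewall cmdlets. It has one function per role so the Tier 0 part is applied only on Tier 0 servers and the outbound block only on workstations; the PAW IP addresses are placeholders, and in practice these rules would normally be delivered by Group Policy.

```powershell
# Added example (not from the CDE page): Windows Defender Firewall rules for tips 7 and 8,
# one function per role. PAW addresses are placeholders; in practice these rules are
# normally deployed through Group Policy rather than run by hand on each host.

function Set-Tier0RdpScope {
    # Run on each Tier 0 server (e.g. a domain controller) from its console or a PAW session,
    # since it cuts off any RDP session that did not come from a PAW.
    param([string[]]$PawAddresses)

    # Unmatched inbound traffic must be dropped, or the scoped rule below means nothing.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # Disable the built-in any-source Remote Desktop rules ...
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False

    # ... and allow TCP/3389 only from the PAW addresses.
    New-NetFirewallRule -DisplayName 'RDP - Allow from PAWs only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $PawAddresses -Action Allow -Profile Any
}

function Block-WorkstationOutboundRdp {
    # Run on workstations. Block rules take precedence over allow rules in Windows Defender
    # Firewall, so this holds even if another rule permits outbound 3389.
    New-NetFirewallRule -DisplayName 'RDP - Block outbound from workstations' `
        -Direction Outbound -Protocol TCP -RemotePort 3389 -Action Block -Profile Any
}

function Show-RdpRules {
    # Verification: list the RDP rules with the remote-address scope actually in effect.
    Get-NetFirewallRule -DisplayName 'RDP - *' | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Direction     = $_.Direction
            Action        = $_.Action
            Enabled       = $_.Enabled
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
}

# Usage (placeholder PAW IPs):
# Set-Tier0RdpScope -PawAddresses '10.10.250.11', '10.10.250.12'   # on Tier 0 servers
# Block-WorkstationOutboundRdp                                       # on workstations
# Show-RdpRules
```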
9. Use Filtered DNS Services
Typically, malware needs to contact a “command and control (C&C) server” to get instructions on how to attack the network and/or where to send exfiltrated data. If the malware uses Domain Name System (DNS) host names to specify the C&C server, malicious activity can be thwarted by using filtered DNS Services so that the IP address of the C&C server will not be provided to the malware.
Furthermore, validate that the egress firewall allows outbound DNS requests only to authorized DNS servers that filter requests.
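One way to perform that validation from an internal workstation, as an added PowerShell example (not from the CDE page): it sends a lookup directly to each authorized filtering resolver and to several public resolvers, and reports any public resolver that still answers, which means the egress rule is not effective. The resolver addresses are placeholders.

```powershell
# Added example (not from the CDE page): check from an internal workstation that DNS
# queries reach only the authorized filtering resolvers (tip 9). Resolver addresses
# are placeholders; the public resolvers listed are the kind egress filtering should block.
$AuthorizedResolvers   = @('10.10.1.53', '10.10.2.53')        # placeholder filtering DNS servers
$UnauthorizedResolvers = @('8.8.8.8', '1.1.1.1', '9.9.9.9')   # direct public resolvers

function Test-Resolver {
    param([string]$Server, [string]$Name = 'example.com')
    try {
        # -DnsOnly bypasses the local cache/hosts file so the query really leaves the host.
        $null = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -QuickTimeout -ErrorAction Stop
        return $true    # an answer came back from this resolver
    } catch {
        return $false   # timeout/refused: the path to this resolver is blocked
    }
}

$report  = @(foreach ($r in $AuthorizedResolvers) {
    [pscustomobject]@{ Resolver = $r; Authorized = $true;  Answered = (Test-Resolver $r) } })
$report += @(foreach ($r in $UnauthorizedResolvers) {
    [pscustomobject]@{ Resolver = $r; Authorized = $false; Answered = (Test-Resolver $r) } })

$report | Format-Table -AutoSize

# Expected result: every authorized resolver answers, no unauthorized resolver does.
$leaks = @($report | Where-Object { -not $_.Authorized -and $_.Answered })
$dead  = @($report | Where-Object { $_.Authorized -and -not $_.Answered })
if ($leaks) { Write-Warning "Egress DNS is not restricted: $($leaks.Resolver -join ', ') answered directly." }
if ($dead)  { Write-Warning "Authorized resolver(s) not answering: $($dead.Resolver -join ', ')." }
if (-not $leaks -and -not $dead) { Write-Output 'Egress DNS restriction verified.' }
```

Run it from several network segments, since egress rules are often applied per VLAN or per site.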
10. Require MFA for Remote Access and Cloud Apps
All employees should be required to use multifactor authentication (MFA) when remotely accessing internal network resources. In addition, MFA should be required when employees access cloud applications like Microsoft 365 services.
To combat “MFA fatigue,” consider implementing number matching for MFA applications. In October 2022, Microsoft released a security feature to their Authenticator product to help with preventing accidental approvals of MFA requests.
11. Allow Employee User Access from the United States Only
Use conditional access policies to block access by location so employees can make remote access and cloud application connections from the United States only. Grant exceptions for a limited amount of time for a specific employee given upper-level management approval.
12. Help Users Identify Email from Outside the Organization
Malicious email from outside the organization is the primary entry point for the majority of cyberattacks. You can help your users identify email originating from outside the organization by adding text to the email subject line (e.g., [EXTERNAL]) and/or adding a warning message to the body of the email.
If Microsoft Exchange is used for email purposes, there are two methods to add the external email warning.
13. Block Dangerous Email Attachment File Types
Inbound email containing file attachments that are “executable” should be blocked at the email gateway and/or within the email system. Examples of executable attachments are files with extensions such as .bat, .cmd, .exe, .iso, .jar, .lnk, .msi, .ps1, .vb, and .vbs. See the blocked attachments in Outlook list for more file extensions to consider blocking.
If you use the Microsoft Exchange Online email system, use mail flow rules to block messages with executable attachments.
In addition to blocking executable attachments, consider blocking email containing Microsoft Office file types that can contain macros. Examples of macro-capable file types are .docm, .dotm, .xlam, .xlsb, .xlsm, .xltm, .xlw, .potm, .ppsm, and .pptm. Furthermore, consider blocking (or warning users about) the Office 97-2003 file types such as .doc, .xls, and .ppt since these file types can include macros.
Microsoft OneNote files can be used by threat actors to hide dangerous file types. Consider blocking file attachments whose extensions begin with .one.
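The Exchange Online mail flow rules for tips 12 and 13, as an added PowerShell example (not from the CDE page). The extension lists come from the tips above; the rule names, priorities and disclaimer wording are this example's own, and the OneNote list expands ".one" to the common extensions that start with it (.one, .onepkg, .onetoc2). It requires the ExchangeOnlineManagement module.

```powershell
# Added example (not from the CDE page): Exchange Online mail flow rules for tips 12
# and 13. Requires the ExchangeOnlineManagement module; extension lists come from the
# tips, rule names and the disclaimer wording are this example's own.
Connect-ExchangeOnline

# Tip 12: tag mail from outside the organization in the subject and body.
New-TransportRule -Name 'External sender warning' -Priority 0 `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:#a00"><b>CAUTION:</b> This email came from outside the organization. Do not click links or open attachments unless you recognize the sender.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Tip 13: reject messages carrying executable attachment extensions (list from the tip).
$ExecutableExt = @('bat','cmd','exe','iso','jar','lnk','msi','ps1','vb','vbs')
New-TransportRule -Name 'Block executable attachments (by extension)' -Priority 1 `
    -AttachmentExtensionMatchesWords $ExecutableExt `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Executable attachments are not accepted.'

# Extension matching is defeated by renaming, so also inspect attachment content.
New-TransportRule -Name 'Block executable attachments (by content)' -Priority 2 `
    -AttachmentHasExecutableContent $true `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Executable attachments are not accepted.'

# Macro-capable Office formats and OneNote extensions: quarantine rather than reject so
# legitimate business files can be released after review.
$MacroExt = @('docm','dotm','xlam','xlsb','xlsm','xltm','xlw','potm','ppsm','pptm',
              'one','onepkg','onetoc2')
New-TransportRule -Name 'Quarantine macro-capable and OneNote attachments' -Priority 3 `
    -AttachmentExtensionMatchesWords $MacroExt `
    -Quarantine $true

# Review the resulting rule order.
Get-TransportRule | Sort-Object Priority | Select-Object Priority, Name, State
```

Test with a benign renamed file before enabling the content rule broadly, since it also catches legitimate installers users may be expecting.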
14. Block non-Port 80/443 Outbound Internet Connections
To limit data exfiltration options, use a host-based firewall, network-based firewall, or endpoint protection client product to block outbound Internet connections to non-Port 80/443 services.
15. Scan Public IP Address Range for Accessible Services and Vulnerabilities
Regularly scan your LEA’s public IP address range from outside your internal network to look for accessible services and vulnerabilities. Possible no-cost options to perform the scanning include:
16. Ensure Usage of Supported Software Versions
Once software products reach end-of-support, the software manufacturer ceases to provide security updates for its software. Ensure computers are using software that is still supported to ensure the latest security updates are available.
Important note: Windows 10 version 21H1 reached end-of-support on December 13, 2022. Also, Windows Server 2012/2012 R2 reaches end-of-support on October 10, 2023.
Use these resources to determine if software versions currently being used are still supported:
17. Have an Incident Response Plan… Test Your Backups
LEAs need to assume they will be a victim of a cyberattack. Therefore, a regularly tested incident response plan is critical. Part of the plan should require the use of system backups. Verify backups are completing successfully and stored securely. Regularly test the ability to restore systems/files from the backups.
Consider using the cyber incident response assistance and resources available through the Cybersecurity & Infrastructure Security Agency.
18. Keep Current on Cybersecurity News
Keep current on cybersecurity news by subscribing to the MS-ISAC newsletter and CISA alerts, and by following cybersecurity experts and organizations using social media. This information may lead to zero-day mitigations and indicators of compromise that can be added to your security products/services.
In addition, LEAs can subscribe to the CDE’s it-security-tips mailing list by sending a blank email to firstname.lastname@example.org.
19. Require Regular Cybersecurity Awareness Training for All Employees
One way to reduce the possibility of the initiation of a cyberattack is to train end users to identify malicious email and websites. The end users need to act like a human IT firewall. Regular cybersecurity awareness training and constant reminders about the need to be vigilant will help secure the IT environment.
The National Institute of Standards and Technology maintains a list of free and low-cost online cybersecurity learning content. Also, MS-ISAC members can obtain discounted pricing for SANS Security Awareness End User Training.
Finally, if your LEA has Microsoft 365 A5 licenses or subscribes to the Office 365 Plan 2, you have access to Microsoft’s security awareness training for employees and phishing attack simulations.
20. Review Best Practice Resources and Advisories
Here are some additional resources that can help secure your IT environment:
Active Directory Pro
Cybersecurity & Infrastructure Security Agency
Center for Internet Security
The information presented on this web page consists only of tips that LEAs should consider. They have been collected from a variety of sources deemed reliable and have been consolidated on this page for the convenience of California’s LEAs. However, each LEA should consult with its own IT experts about the advantages, disadvantages, and potential consequences before deciding to implement any of these tips. The California Department of Education is not responsible for any loss, damage, liability, or other adverse or unanticipated consequence related to or resulting from the implementation of these tips.
Revision History
- January 25, 2023
- January 23, 2023
- Added Nationwide Cybersecurity Review security program self-assessment to the Review Best Practice Resources and Advisories section.
- Added SANS Security Awareness End User Training to the Require Regular Cybersecurity Awareness Training for All Employees section.
- Added recommendation to block email attachments that start with .one (Microsoft OneNote file format) to the Block Dangerous Email Attachment File Types section.
- December 9, 2022
- December 5, 2022: Original release.