Skip to main content
California Department of Education Logo

CDE's Tips for a More Secure IT Environment

Free and low-cost cybersecurity tips to help local education agencies (LEAs) secure their information technology (IT) environments.

See Revision History for a list of updates to this web page.

Cyberattacks are getting more sophisticated and more difficult to prevent and identify. However, several free and low-cost IT security improvements can be implemented by LEAs rather quickly to disrupt the cyber kill chain External link opens in new window or tab..

California LEAs can subscribe to the California Department of Education’s (CDEs) it-security-tips mailing list by sending a blank email to to receive additional cybersecurity information.

1. Require IT Staff to Use Tiered Accounts for System Administration Purposes

The tier model for partitioning administrative privileges External link opens in new window or tab. helps to reduce elevation of privilege paths from a workstation to a server to a domain controller. The model requires IT staff to use different domain accounts for IT system administration purposes. Three tiers are described in the following example, but you could further separate out admin-level accounts if needed.

  • Use an account name ending in -t0 (to denote a “tier 0” account) when performing domain administration tasks on “tier 0” servers like domain controllers or servers that require domain administrative rights. Do not log onto a non-tier 0 sever or any workstation using a “tier 0” account.
  • Use an account name ending in -t1 (to denote a “tier 1” account) when performing administrative tasks on “tier 1” servers such as file servers, application servers, or database servers. Do not log onto a “tier 0” server or any workstation using a “tier 1” account.
  • Use an account name ending in -t2 (to denote a “tier 2” account) when performing administrative tasks on workstations. Do not log onto a server using a "tier 2" account. Furthermore, do not use a “tier 2” account as an everyday user account (e.g., web browsing, email, etc.).

The passwords for the IT staff person’s tiered accounts must be different and complex, and changed regularly.

2. Regularly Review and Limit Number of Domain Admin Accounts

By following the tier model for partitioning administrative privileges, all domain admin accounts should be a limited number of “tier 0” named accounts. Manually review the list of user accounts with domain admin privileges on a regular basis or use third-party tools to generate alerts when an account is added or deleted to/from sensitive administrative groups (e.g., domain administrators group). 

3. Do Not Allow Local Administrative Rights on Workstations

Do not allow employees (especially IT staff) to have local administrative rights on their workstations using their everyday account. IT staff can use a “tier 2” account temporarily to provide end-user support if local administrative rights are needed.

Third-party tools can provide reports on the user accounts in the local Administrators group in each workstation/server, or a script can be used for smaller organizations.

4. Implement Local Administrator Password Solution (LAPS) for Windows Domain-joined Computers

Microsoft Windows LAPS External link opens in new window or tab. sets a different, random password for the local administrator account on every computer in the domain. The password is changed on a specified interval. If needed, IT support staff can look up the administrator password in Active Directory. If there is not a common local administrator account and password on computers, the cyber attacker will have one less method to move laterally in the environment.

Note: Microsoft is working on a new version of LAPS External link opens in new window or tab. for Windows 11-based computers.

5. Block Brute Force Attacks on Local Administrator Accounts

Starting with the October 2022 Windows cumulative update for Windows 10, a local security policy is available to enable account lockouts for the built-in local Administrator accounts External link opens in new window or tab.. Without account lockout capabilities, the built-in local Administrator account can be subjected to unlimited brute force attacks to try to determine the password.

6. Use a Privileged Access Workstation to Access Tier 0 Servers

A privileged access workstation (PAW) is a dedicated secure workstation External link opens in new window or tab. used exclusively for sensitive tasks such as accessing Tier 0 servers (e.g., domain controllers).

The PAW’s configuration is hardened to protect against compromise. The PAW is typically a non-domain joined workstation with limited outbound Internet access (if any) and additional applications. A non-local admin account should be used to log onto the PAW to keep the PAW clean. Also, do not use the PAW for day-to-day activities such as browsing the Internet and accessing email.

7. Allow RDP to Tier 0 Servers from PAWs Only

Use a host-based firewall (e.g., Windows Defender Firewall) or a network-based firewall to allow remote desktop protocol (RDP, port 3389) to Tier 0 servers (e.g., domain controllers) from PAW devices only. Do not allow RDP to Tier 0 servers from non-PAW devices.

8. Restrict RDP Usage from Workstations

Most workstations do not need to initiate a remote desktop protocol (RDP) connection to another computer on the network. To reduce lateral movement possibilities, use a host-based firewall to restrict the ability for workstations to start an RDP connection where appropriate.

9. Use Filtered DNS Services

Typically, malware needs to contact a “command and control (C&C) server” to get instructions on how to attack the network and/or where to send exfiltrated data. If the malware uses Domain Name System (DNS) host names to specify the C&C server, malicious activity can be thwarted by using filtered DNS Services so that the IP address of the C&C server will not be provided to the malware.

If a subscription-based commercial DNS filtering service is not within budget, consider using a no cost option such as MS-ISAC MDBR (registration required) External link opens in new window or tab. or Quad9 External link opens in new window or tab. as a possible solution.

Furthermore, validate the egress firewall is allowing external DNS requests to only authorized DNS servers that can filter requests.

10. Require MFA for Remote Access and Cloud Apps

All employees should be required to use multifactor authentication (MFA) when remotely accessing internal network resources. In addition, MFA should be required when employees access cloud applications like Microsoft 365 services.

To combat “MFA fatigue External link opens in new window or tab.,” consider implementing number matching for MFA applications External link opens in new window or tab. (PDF). In October 2022, Microsoft released a security feature to their Authenticator product External link opens in new window or tab. to help with preventing accidental approvals of MFA requests.

11. Allow Employee User Access from the United States Only

Use conditional access policies to block access by location External link opens in new window or tab. so employees can make remote access and cloud application connections from the United States only. Grant exceptions for a limited amount of time for a specific employee given upper-level management approval.

12. Help Users Identify Email from Outside the Organization

Malicious email from outside the organization is the primary entry point for the majority of cyberattacks. You can help your users identify email originating from outside the organization by adding text to the email subject line (e.g. [EXTERNAL]) and/or adding a warning message to the body of the email.

If Microsoft Exchange is used for email purposes, there are two methods to add the external email warning External link opens in new window or tab..

13. Block Dangerous Email Attachment File Types

Inbound email containing file attachments that are “executable” should be blocked at the email gateway and/or within the email system. Examples of executable attachments are files with extensions such as .bat, .cmd, .exe, .iso, .jar, .lnk, .msi, .ps1, .vb, and .vbs. See the blocked attachments in OutlookExternal link opens in new window or tab. list for more file extensions to consider blocking.

If you use the Microsoft Exchange Online email system, use mail flow rules to block messages with executable attachmentsExternal link opens in new window or tab..

In addition to blocking executable attachments, consider blocking email containing Microsoft Office file typesExternal link opens in new window or tab. that can contain macros. Examples of macro-capable file types are .docm, .dotm, xlam, xlsb, .xlsm, .xltm, xlw, potm, .ppsm, and .pptm. Furthermore, consider blocking (or warning users about) the Office 97-2003 file types such as .doc, .xls, and .ppt since these file types can include macros.

Microsoft OneNote files can be used by threat actors External link opens in new window or tab. to hide dangerous file types. Consider blocking file attachments that begin with .one.

Although Microsoft released a patch in February 2023, consider blocking file attachments with type .rtf (Rich Text Format) to mitigate the CVE-2023-21716 vulnerability in Microsoft Word External link opens in new window or tab..

14. Block non-Port 80/443 Outbound Internet Connections

To limit data exfiltration options, use a host-based firewall, network-based firewall, or endpoint protection client product to block outbound Internet connections to non-Port 80/443 services.

15. Scan Public IP Address Range for Accessible Services and Vulnerabilities

Regularly scan your LEA’s public IP address range from outside your internal network to look for accessible services and vulnerabilities. Possible no-cost options to perform the scanning include:

16. Ensure Usage of Supported Software Versions

Once software products reach end-of-support, the software manufacturer ceases to provide security updates to their software. Ensure computers are using software that is still supported to ensure the latest security updates are available.

Important note: Windows 10 version 21H1 reached end-of-support on December 13, 2022. Also, Windows Server 2012/2012 R2 is out of support on October 10, 2023.

Use these resources to determine if software versions currently being used are still supported:

17. Have an Incident Response Plan… Test Your Backups

LEAs need to assume they will be a victim of a cyberattack. Therefore, a regularly tested incident response plan is critical. Part of the plan should require the use of system backups. Verify backups are completing successfully and stored securely. Regularly test the ability to restore systems/files from the backups.

Consider using the cyber incident response assistance and resources External link opens in new window or tab. available through the Cybersecurity & Infrastructure Security Agency. 

18. Keep Current on Cybersecurity News

Keep current on cybersecurity news by subscribing to the MS-ISAC newsletter External link opens in new window or tab. and CISA alerts External link opens in new window or tab., and by following cybersecurity experts and organizations using social media. This information may lead to zero-day mitigations and indicators of compromise that can be added to your security products/services.

In addition, LEAs cam subscribe to the CDE’s it-security-tips mailing list by sending a blank email to

19. Require Regular Cybersecurity Awareness Training for All Employees

One way to reduce the possibility of the initiation of a cyberattack is to train end users to identify malicious email and websites. The end users need to act like a human IT firewall. Regular cybersecurity awareness training and constant reminders about the need to be vigilant will help secure the IT environment.

The National Institute of Standards and Technology maintains a list of free and low cost online cybersecurity learning content External link opens in new window or tab.. Also, MS-ISAC members can obtain discounted pricing for SANS Security Awareness End User Training External link opens in new window or tab. .

Finally, if your LEA has Microsoft 365 A5 licenses or subscribes to the Office 365 Plan 2, you have access to Microsoft’s security awareness training for employees and phishing attack simulations External link opens in new window or tab..

20. Review Best Practice Resources and Advisories

Here are some additional resources that can help secure your IT environment:

Active Directory Pro
Cybersecurity & Infrastructure Security Agency
Center for Internet Security


The information presented on this web page are only tips that LEAs should consider. They have been collected from a variety of sources deemed reliable and have been consolidated on this page for the convenience of California’s LEAs. However, each LEA should consult with its own IT experts about the advantages, disadvantages, and potential consequences before deciding to implement any of these tips. The California Department of Education is not responsible for any loss, damage, liability, or other adverse or unanticipated consequence related to or resulting from the implementation of these tips.

Revision History

Questions:   Information Security and Privacy Office |
Last Reviewed: Thursday, March 9, 2023