= Need advice on securing network =


Hello fellow Redditors. Please give me any and all frank advice.

I have been given a new challenge, new role, new environment. And after some recent "malicious activity on the part of bad actors," security is paramount.

**What is**

So they have a small virtual data center, hosted offsite. Business App server, AD and DFS file server, Citrix infrastructure, some Citrix desktop servers. Users log in to the Citrix desktops, run their M365 and business apps, do their work. The colo hosts take care of regular backups, EP protection, help with admin tasks, etc.

Users have MS365 accounts for email and applications. Most data is still on the FS, but some of it has started to move up to Teams/SP/OneDrive. There is no link between the colo AD and the MS365 accounts.

Desktops at the various offices are a hot mess. They are mostly Windows 10, but there is no AD. They are essentially set up as terminals, with everyone logging in to the Citrix setup via Chrome. AV is a combination of Trend (most) and Windows Defender.

**What happened**

The bad guys came in, messed about, caused some downtime. I was called in at that point. Working with the hosts, we were able to restore machines and data from backups, get back up and running, lessons learned.

**What we have done**

In the time since, we have made up for previous poor practices. Servers were all patched to current. Passwords were forced to change, ongoing. 2FA is being rolled out to all users as quickly as we can manage. The number of admin type of accounts was greatly reduced. IPS on the firewall. Aggressive protection policies. Ideally, we are doing everything reasonable to secure "the data center."

**What we need to do**

Once we have secured a perimeter around the colo DC (100% 2FA), I desperately want to secure the desktops. We have no infrastructure for onsite DCs, nor a site to site WAN. I need advice here.

Can I use existing MS365 accounts as a kind of "AD in the cloud?" I know that we can use MS accounts to log in to a Windows 10 pc - join it to our MS365 domain for lack of a better term - but I have no idea what that gives us? What kind of control, visibility? Policies?

Is there a more robust resource for this (Azure AD?), and if so, pros and cons? Cost?

Suggestions on wrangling these various cats (PCs) most quickly, effectively? Would like the ability to remove, monitor, force some basic policies, add/remove/enforce software and settings from a console?

Suggestions on an AV package. Half of what I read says Defender is fine. The other half seems to disagree and insist we need something third party. I'm pretty sure there is not a "Defender Console" available?

Given the general situation, what would anyone, everyone recommend? Thanks for the constructive feedback!

I'm assuming these MS365 accounts are all in the same tenant and you have an Azure AD that you are already managing?

This thread may help with some of your questions: https://www.reddit.com/r/Office365/comments/jjf8j9/azure_ad_microsoft_intune_to_replace_onprem_ad/

But basically what you want to be looking at is Intune. This can apply policies (like GPOs) to your fleet from the portal.

Defender is fine for an AV, but Microsoft Defender for Endpoint (aka ATP) is what you want for the extra layers of security.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection
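Before enrolling a fleet of unmanaged Windows 10 PCs into Azure AD/Intune and Defender for Endpoint, it helps to know where each box actually stands: is it joined to anything, is it MDM-enrolled, which AV engines are registered, and is Defender's real-time and tamper protection on. The script below is an added example written for this thread, not code from the commenter or from Microsoft; it only reads state and uses the built-in `dsregcmd` tool, the Security Center WMI class and the Defender PowerShell module. The output file name is an assumption.

```powershell
# Added example: per-PC inventory of identity join state and AV posture,
# intended to be run locally (elevated) on each Windows 10 desktop before
# an Azure AD / Intune / Defender for Endpoint rollout. Read-only.

function Get-JoinState {
    # dsregcmd /status prints "Key : Value" lines; pick out the ones we care about.
    $raw = & dsregcmd.exe /status 2>$null
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|MdmUrl)\s*:\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    [pscustomobject]@{
        AzureAdJoined   = ($state['AzureAdJoined']   -eq 'YES')
        DomainJoined    = ($state['DomainJoined']    -eq 'YES')
        WorkplaceJoined = ($state['WorkplaceJoined'] -eq 'YES')
        # MdmUrl is only populated once the device is enrolled in an MDM (e.g. Intune).
        MdmEnrolled     = -not [string]::IsNullOrWhiteSpace($state['MdmUrl'])
    }
}

function Get-AvPosture {
    # Security Center lists every registered AV product (Trend, Defender, ...),
    # which is how you find out which PCs still carry a third-party engine.
    $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $names = ($products | ForEach-Object { $_.displayName }) -join '; '

    # Defender's own view of itself; the Defender module ships with Windows 10.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RegisteredAv       = $names
        DefenderRealTime   = [bool]$mp.RealTimeProtectionEnabled
        DefenderTamperProt = [bool]$mp.IsTamperProtected
        SignatureAgeDays   = $mp.AntivirusSignatureAge
    }
}

function Get-Findings {
    param($Join, $Av)
    # Translate raw state into the gaps a rollout has to close.
    $findings = @()
    if (-not ($Join.AzureAdJoined -or $Join.DomainJoined)) { $findings += 'Not joined to any directory' }
    if (-not $Join.MdmEnrolled)                              { $findings += 'Not MDM (Intune) enrolled' }
    if (-not $Av.DefenderRealTime)                           { $findings += 'Defender real-time protection off' }
    if (-not $Av.DefenderTamperProt)                         { $findings += 'Defender tamper protection off' }
    if ($Av.SignatureAgeDays -gt 7)                          { $findings += "AV signatures $($Av.SignatureAgeDays) days old" }
    if ($Av.RegisteredAv -match 'Trend')                     { $findings += 'Third-party AV (Trend) still registered' }
    return $findings
}

$join = Get-JoinState
$av   = Get-AvPosture
$report = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Join      = $join
    AV        = $av
    Findings  = (Get-Findings -Join $join -Av $av)
    Collected = (Get-Date).ToString('s')
}

$report | ConvertTo-Json -Depth 3
# Assumed collection point: drop one JSON file per PC where you can gather them.
$report | ConvertTo-Json -Depth 3 | Set-Content -Path "$env:TEMP\$($env:COMPUTERNAME)-posture.json"
```

Run it once per desktop (a scheduled task or a USB-carried script is enough for an unmanaged fleet) and collect the JSON files; the `Findings` list tells you which machines need joining, enrolling, or cleanup of the leftover third-party AV before Defender for Endpoint onboarding.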

Do you know how the breach occurred? Figuring that out should be part of securing the environment. Check the CISA Alert (AA20-275A) Potential for China Cyber Response to Heightened U.S.–China Tensions for specific Citrix vulnerabilities being used by state-sponsored and other malicious actors as an example of learning how something happened to take steps to prevent it.

What is your budget in general for this exercise?
