Mitigation Measures

SHAMOOL-01

Best practices for mitigation

  • System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.
  • Maintain strong passwords and ensure password policy rules are enforced and admin password values are changed periodically.
  • Disable credential caching for all desktop devices, with particular importance on critical systems such as servers, and restrict the number of cached credentials for all portable devices.
  • Configure all standard user accounts to prevent the execution and installation of any unknown or unauthorized software.
  • Restrict account privileges only to services required for nominal daily duties and enforce the concept of separation of duties.
  • Disable web and email capabilities on administrative accounts, because compromise of admin accounts is one vector that allows malicious activity to become truly persistent in a network environment.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Ensure all network operating systems, web browsers, and other related network hardware and software remain updated with all current patches and fixes.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • Consider prohibiting hosts within the production environment or DMZ from sharing an Active Directory enterprise with hosts on other networks. Each environment should have separate forests within Active Directory, with no trust relationships allowed between the forests if at all possible. If necessary, the trust relationships should be one-way with the low integrity environment trusting the higher integrity environment.
  • Maintain a good back-up strategy.
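As an added example (not part of the original bulletin), the following read-only PowerShell audit checks a single Windows host against several of the items above: the cached credential count, whether RDP is enabled, the File and Printer Sharing firewall group, Security log capacity, and recent RDP logons (Security event 4624, logon type 10). The 7-day window and 1 GB log-size threshold are assumptions; run it in an elevated session.

```powershell
# Added example: read-only audit of a Windows host against several items in the list above.
# Requires an elevated PowerShell session; it reports findings and changes nothing.

$findings = @()

# Credential caching: Winlogon CachedLogonsCount (default 10 when the value is absent). 0 disables caching.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # value absent means the Windows default applies
if ([int]$cached -gt 0) { $findings += "Cached logons allowed: $cached (set to 0 on servers and critical hosts)" }

# RDP exposure: fDenyTSConnections = 1 means Remote Desktop is disabled
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($rdpDenied -ne 1) { $findings += 'RDP is enabled; disable it on critical devices where possible' }

# File and Printer Sharing: enabled inbound rules in the built-in firewall rule group
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
       Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($fps) { $findings += "File and Printer Sharing: $(@($fps).Count) inbound firewall rule(s) enabled" }

# Log retention: the bulletin asks for 90 days; a small Security log rolls over long before that (1 GB threshold is an assumption)
$sec = Get-WinEvent -ListLog Security
if ($sec.MaximumSizeInBytes -lt 1GB) {
    $findings += "Security log max size is $([math]::Round($sec.MaximumSizeInBytes / 1MB)) MB; enlarge it or forward logs to keep 90 days"
}

# RDP logons in the last 7 days: Security event 4624 with LogonType 10 (RemoteInteractive)
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $d = ([xml]$e.ToXml()).Event.EventData.Data          # EventData fields as Name/#text pairs
    $logonType = ($d | Where-Object Name -eq 'LogonType').'#text'
    if ($logonType -ne '10') { continue }
    $user = ($d | Where-Object Name -eq 'TargetUserName').'#text'
    $src  = ($d | Where-Object Name -eq 'IpAddress').'#text'
    Write-Output ("RDP logon {0} user={1} from={2}" -f $e.TimeCreated, $user, $src)
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'No findings for the checked items' }
```

The RDP logon lines are the ones to review regularly against expected administrator activity; forward them to a central log store so the 90-day retention does not depend on the host's own log size.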