1. Disable or rename the built-in Administrator account
1a. Create an alternate service account
1b. Discover where the account is being used (search computer names, scheduled tasks, services)
1c. Reconfigure existing services and scheduled tasks to use the alternative service account
2. Audit members of Domain Admins and Enterprise Admins
2a. Create a report with these columns: username, name, lastLoginDC, lastLoginComputernames, created, isActive, lastChanged, lockedOut, passwordLastChanged, passwordNeverExpires, isServiceAccount, emailAddress
2b. Contact each domain admin user to mitigate
2c. Coordinate with SysAdmins and Helpdesk to reconfigure scheduled tasks, services, printers, and other devices with complex passwords
3. Audit user accounts to enforce password complexity
3a. Create a report of user accounts that do not pass the standardized complexity requirements
3b. Coordinate with SysAdmins and Helpdesk to contact each user to mitigate weak passwords
4. Implement security monitoring tools
4a. Deploy Tenable.io
4b. Coordinate with SysAdmins to resolve ‘high risk’ vulnerabilities per system scan reports
4c. Review security reports and mitigation progress periodically
5. …
6. …
7. …
8. …
9. …
10. …
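The report in step 2a, as an added example that is not part of the original post: it walks Domain Admins and Enterprise Admins recursively and fills the listed columns from AD attributes. It assumes the RSAT ActiveDirectory module, read rights to the domain, and a placeholder output path; the isActive and isServiceAccount columns use heuristics (a 90-day logon window and the presence of SPNs) that are this example's assumptions, and lastLoginComputernames is left out because it needs logon event logs rather than AD.

```powershell
# Added example, not the original post's script.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins')
$reportPath = 'C:\Scripts\Audits\privilegedUsersAudit.csv'   # placeholder path
$staleDays = 90                                               # assumed window for isActive

# lastLogon is not replicated, so the newest value must be gathered from every DC.
$domainControllers = (Get-ADDomainController -Filter *).HostName

function Get-LatestLogon {
    param([string]$SamAccountName)
    $newest = [datetime]::FromFileTime(0); $newestDc = $null
    foreach ($dc in $domainControllers) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon
            $t = [datetime]::FromFileTime([int64]$u.lastLogon)
            if ($t -gt $newest) { $newest = $t; $newestDc = $dc }
        } catch { Write-Warning "Could not query $dc for $SamAccountName" }
    }
    [pscustomobject]@{ LastLogon = $newest; LastLogonDC = $newestDc }
}

$rows = foreach ($group in $privilegedGroups) {
    # -Recursive resolves nested group membership, which is where unexpected admins hide.
    $members = Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties Name,whenCreated,whenChanged,Enabled,LockedOut,PasswordLastSet,PasswordNeverExpires,EmailAddress,ServicePrincipalName,LastLogonDate
        $logon = Get-LatestLogon -SamAccountName $u.SamAccountName
        [pscustomobject]@{
            group                = $group
            username             = $u.SamAccountName
            name                 = $u.Name
            lastLoginDC          = $logon.LastLogonDC
            lastLogin            = $logon.LastLogon
            created              = $u.whenCreated
            isActive             = $u.Enabled -and ($u.LastLogonDate -gt (Get-Date).AddDays(-$staleDays))
            lastChanged          = $u.whenChanged
            lockedOut            = $u.LockedOut
            passwordLastChanged  = $u.PasswordLastSet
            passwordNeverExpires = $u.PasswordNeverExpires
            # Heuristic (assumption): an account carrying SPNs is treated as a service account.
            isServiceAccount     = ($u.ServicePrincipalName.Count -gt 0)
            emailAddress         = $u.EmailAddress
        }
    }
}
$null = New-Item -ItemType Directory -Path (Split-Path $reportPath -Parent) -Force
$rows | Sort-Object group, username | Export-Csv -Path $reportPath -NoTypeInformation
```

Rows where passwordNeverExpires is true or isActive is false are the first candidates for step 2b.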
# Sample script to collect active user accounts with PasswordNeverExpires set to True
$usersAuditReport='C:\Scripts\Audits\usersAuditReport.csv'
# One entry per domain: a DC to query and an account with read rights on it.
# The password value is a placeholder; supply it via Get-Credential or a secret store rather than leaving it in the script.
$domainObjects=@(
    @{domain='intranet';dc='dc02-intranet.kimconnect.com';username='intranet\domainadmin';password='SOMECOMPLEXPASSWORD'}
)
# Runs on the DC: enabled accounts whose password never expires, with the attributes needed for the report
$command={
    $filter='PasswordNeverExpires -eq "True" -and Enabled -eq "True"'
    $matchedUsers=Get-ADUser -Filter $filter -Properties SamAccountName,GivenName,sn,EmailAddress,created,modified,PasswordLastSet,LockedOut,PasswordNeverExpires,LastLogon
    return $matchedUsers
}
$results=@()
foreach ($domainObject in $domainObjects){
    $adminUsername=$domainObject.username
    $adminPassword=$domainObject.password
    $encryptedPassword=$(ConvertTo-SecureString $adminPassword -AsPlainText -Force)
    $adminCredential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminUsername,$encryptedPassword
    $session=new-pssession -computername $domainObject.dc -credential $adminCredential
    if($session.State -eq 'Opened'){
        # Strip the remoting metadata so only AD attributes reach the CSV
        $result=invoke-command -session $session -scriptblock $command|select * -ExcludeProperty PSComputerName,RunspaceId,PSShowComputerName,ObjectClass,ObjectGUID,SID
        $results+=$result
        remove-pssession $session
    }else{
        write-warning "Unable to connect to $($domainObject.domain)"
    }
}
# Make sure the output folder exists, then write the report
$null=mkdir (split-path $usersAuditReport -parent) -force
$results|Export-Csv -Path $usersAuditReport -NoTypeInformation