Recently I received a couple of questions regarding proper corporate security for a small business and a couple of friends. It made me decide to make a write up of some advice to create a certain level and form of security, with minimal investment and low maintenance. And at the same time, realize a reasonable level of security that fits SOHO (Small Offices / Home Offices).

This write up is aimed at system administrators or similar knowledge.
For the firewall rules, I only looked at the basic rules, to make the examples less complex.

Be aware this is not a definitive guide. And there is more then this list to create a proper environment, that is safe and manageable. But it can give you a head start for your network or for your customers.

One can achieve security with a combination of security measures and sanitation.
– Perimeter (firewall)
– Device management
– Maintenance

Perimeter (firewall)

First of all, your firewall is the most important factor to create a secure network.
A couple of ground rules:

  • Always make sure it’s still supported and up to date.
    Regularly check this!
  • Limit outgoing DNS to your upstream DNS service provider.
    • For example with OpenDNS:
      Allow: from 192.168.1.* to 208.67.222.123, 208.67.220.123, TCP port 53
      Block: from * to *, TCP port 53
    • Or if you have your own local DNS service running, limit it to that server:
      Allow: from 192.168.1.10 to 208.67.222.123, 208.67.220.123, TCP port 53
      Block: from * to *, TCP port 53
  • Take a look at limiting the following ports in the same manner:
    • Port 19/UDP – Debugging
    • Port 25/TCP – SMTP
    • Port 68/UDP – DHCP
    • Port 123/UDP – NTP
    • Port 135/TCP – NetBIOS
    • Port 139/TCP – NetBIOS
    • Port 445/TCP – NetBIOS
    • Port 465/TCP – SMTP
    • Port 520/UDP – RIPv1
    • Port 587/TCP – SMTP
    • Port 1900/UDP – Universal Plug and Play (UPnP)
    • Port 2525/TCP – SMTP
    • Port 3479/TCP TWRPC protocol (remote management)
    • Port 7547/TCP CPE WAN Management Protocol (CWMP)
    • Port 61001/TCP Internet Protocol Detail Record (IPDR)
  • SMTP ports to your mail service provider.
    TCP Port 25, 587, 465, and 2525
    For Office 365:
    https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
  • If you can, buy a better firewall with malware scanning.
    For example:
    • Fortigate ATP Bundle
    • Cisco Meraki MX series + Advanced malware protection
    • Sophos SG serie with TotalProtect

Network design

  • For growing companies, design a bigger subnet to start with
    Lots of times, growing companies need to revert to complex multiple subnets design, because they started with a limited subnet. My advice: Start with a bigger subnet than you need to. And if you want to use VLAN’s (yes, you want to do this!), you can easily line up the VLAN’s with your subnet. For example:
    • 10.00.10.0/22 for VLAN 10
    • 10.12.34.0/22 for VLAN 1234
    • etc
  • If you are using web-facing services or servers, put them in a proper double firewalled DMZ.
    More then once, I see that the concept of a DMZ is not used like it could be. A different subnet is used and it’s not shielded well enough from the local network. The whole idea behind a DMZ is the notion that the service inside the DMZ could be compromised. That happens… So you want to secure your network for such events.
    See this example, with both a regular LAN network and a separate DMZ:
    In the image 3 separate firewalls are displayed, this can be configured into a single firewall.
Proper DMZ example

In this example, there are 3 firewalls:

Firewall 1:
Regular LAN network, nothing special
See previous advise regarding firewall rules

Firewall 2:
Entry firewall for the DMZ, internet site facing.
Only allows HTTP and HTTPS traffic to the web server.
Allow: from *, TCP port 80,443 to 10.02.10.20, TCP port 80, 443
Block: from * to *

Firewall 3:
Exit firewall for the DMZ, LAN facing.
Only allows a database connection and perhaps and RDP connection to a management server.
Limited on IP and port, for example:
Allow: from 10.02.10.20, TCP port * to 10.01.01.50, TCP port 1434
Block: from * to *

Now, should the web server get compromised, letting a hacker get full control over it.
It is still very limited in what it can do. It can now only talk over a certain port to the database server.

  • Configure DHCP:
    • Set DNS service to OpenDNS
      https://www.opendns.com/home-internet-security/
    • Time service:
      pool.ntp.org
      Or country specific, in this case The Netherlands:
      nl.pool.ntp.org

Device management

Just a few tips:

  • Patch regularly and check it.
    For Windows, push a GPO and configure it locally, to always install the latest Windows updates.
  • Prevent local admin access, or use a different accounts especially for those jobs
  • Install proper antivirus software with a management solution.
    Take a look at Sophos or Sophos home, I’m really positive about them.
  • Patch third party apps regularly.
    Run Ninite or chocolatey daily. Or take a look at the Ninite Pro offering.
  • If you have a Office 365 subscription, manage them with InTune!
  • Take a subscription for your users for a password management tool, such as 1password.
  • If you are using Windows servers, regularly run the best practice analyzer:
    https://docs.microsoft.com/en-us/windows-server/administration/server-manager/run-best-practices-analyzer-scans-and-manage-scan-results

Cloud Services

  • If you use Office 365, make sure it’s scanned for viruses, including phishing links.
  • Limit applications
  • Enable basic security configuration including MFA (and disable legacy authentication)
  • Use a different admin account then your regular account
  • Configure Microsoft best practices, take a regular look at the secure score.