The top-10 mistakes made when configuring enterprise IT systems

Errors in configuring IT infrastructure are a regular occurrence at large organizations — even given the most mature and competent IT and cybersecurity departments. This is evident from the weekly news of hacks on major, well-established companies, as well as the results of security audits — although these are rarely made public. The problem has also been acknowledged by U.S. regulators such as CISA and the NSA. In their new paper with recommendations prepared by both their “red” and “blue” teams after numerous audits and incident responses, they note that configuration errors highlight systemic weaknesses in large organizations — including companies with mature information security. However, the document asserts that network security teams can neutralize or mitigate these weaknesses with sufficient funding, training, and staffing. Let’s take a look at the mistakes that experts consider the most dangerous.

1 Default application configuration

Any device or application — be it a printer, mail or file server, or video conferencing system — typically has a login mechanism with default access credentials that people can forget to disable. The default settings of these devices may be very simple (e.g., admin1234, or just 1234) and thus not very secure, but often no one changes them. A typical example is a printer that has privileged network access for easy printing, along with a web-based control panel with default login credentials. Another common occurrence is Windows servers with enabled older versions of SMB or other retro protocols. Default settings and templates of Active Directory Certificate Services are also very dangerous, allowing unprivileged users to get a server certificate, elevate privileges to administrative levels, or authenticate themselves by obtaining a Kerberos TGT.

Recommended security measures:

• Implement a mandatory procedure before starting to operate any IT system: disable default accounts (such as “admin” or “guest”) or at least change their passwords.
• Enforce the use of strong passwords of 15 or more random characters.
• Apply secure settings on devices or services, following the manufacturer’s instructions for hardening and/or relevant general guidelines — such as DISA STIG.
• Implement secure ADCS configuration: disable web enrollment if possible, disable NTLM on ADCS servers, and disable subject alternative name (SAN) for UPN mapping.
• Review default permissions in ADCS templates, remove the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag from templates, and remove FullControl, WriteDacl, and Write properties from low-privilege users.
• Enable supervisor validation of any requested certificates.

2 Incorrect management of user and admin privileges

In any large network, you’ll often find excessive privileges granted to regular users (originally assigned for some temporary purpose and then never revoked), extended privileges for service accounts (applications and services), and highest privileges for administrators (who often work in this privileged mode all the time). Attackers deliberately seek out and exploit these accounts, for they make it faster and easier to take over the network.

Recommended security measures:

• Enforce the principle of least privilege.
• Implement an identity management system that includes logging the issuance and use of permissions. This makes it easier to detect unauthorized use of access rights.
• Use this system to minimize the number of administrative accounts, and reduce the overall number of accounts (by merging them properly).
• Regularly audit accounts, disable inactive ones, and remove excessive privileges.
• Restrict privileged accounts from performing mundane activities such as browsing the web and accessing email.
• Grant elevated privileges only for the duration of required tasks — even to administrators.
• Whenever possible, run services and daemons with limited privileges and access rights.

3 Insufficient internal network monitoring

Many organizations only monitor traffic coming from external hosts and selected servers, while internal network monitoring is limited to endpoint events. This makes it difficult to detect attacks and investigate incidents in a timely manner.

Recommended security measures:

• Analyze the normal daily activity of applications and services to be able to identify anomalies in access and usage. For example, administrators should regularly review access and permission lists for key services and remove suspicious or outdated accounts.
• Analyze the organization’s daily network traffic to be able to identify anomalies within it.
• Implement a SIEM system to collect and analyze telemetry from various sources, including EDR and IDS systems, network logs, and others.

4 Lack of network segmentation

Networks with different purposes and levels of importance often lack isolation from one another. Common issues include complete interconnection of networks containing classified and unclassified information, as well as IT and OT networks. In most cases, either segmentation is completely non-existent, or it’s implemented but some engineers decide it’s too inconvenient and create tunnels between networks at will (or even connect isolated networks to the internet). As a result, IT and information security department heads think that the networks are segmented when in fact they’re not.

Recommended security measures:

• Implement network segmentation if not already in place. This can involve both physical and logical (VLAN) segmentation. It’s important to ensure that infrastructure network devices have up-to-date and properly configured access control lists (ACLs) to prevent unauthorized devices from connecting to administrative, industrial, and confidential networks. We also recommend using demilitarized zones (DMZs) to reduce the accessibility of internal IT systems from the internet.
• Implement next-generation firewalls (NGFW) capable of stateful inspection and deep packet inspection, taking into account the originating application. The firewall should reject traffic differing from the standard traffic allowed within the network. Application-based traffic filtering isn’t solely based on network ports, and significantly reduces attackers’ opportunities to maliciously exploit network protocols.

5 Poor patch management culture

A systematic problem is the slow and incomplete application of patches and updates to hardware and software systems. The situation is exacerbated by the fact that many organizations, for various reasons, continue to operate hopelessly outdated systems (such as Windows XP, SAP R/3, and so on) that haven’t received any updates in a long time.

Recommended security measures:

• Systematize the patch management process, prioritizing remediation of known exploitable vulnerabilities and critical vulnerabilities.
• Automate updates as much as possible using software vendors’ auto-update systems, or — even better — by having a centralized patch management system.
• Update not only software but also hardware firmware and computer BIOS/UEFI.
• Analyze outdated systems used in the business and, if possible, plan for their retirement. If this isn’t possible, implement compensatory measures such as network isolation for legacy systems.

6 Possibility of bypassing access control

Environment and application settings often allow attacks like “pass-the-hash” and “kerberoasting” to access target resources without knowing the password.

Recommended security measures:

• Minimize the use of identical credentials across different systems to prevent attackers spreading through the network. Monitor non-standard and unsuccessful login attempts.
• Implement patch management (see point 5).
• Implement measures against PtH attacks: apply the KB2871997 updates, impose UAC restrictions on local accounts after network login, and prohibit domain users from joining the local administrators’ group on computers.
• Restrict direct communication among regular computers. They need to interact through servers.
• Use privileged accounts only on systems that require these privileges. Consider using dedicated computers for privileged administrator access.

7 Weak or misconfigured multi-factor authentication methods

A common mistake is configuring access where authentication is performed only by a smart card, but hashes for long-unused passwords are still considered valid. If hash expiration policies are not configured, attackers can operate from old accounts using the techniques mentioned in point 6.

Another common issue is MFA methods vulnerable to phishing, such as SMS codes. Attackers can obtain codes through various means — from social engineering and MFA bombing to SS7 telecom network attacks or illegitimate SIM card duplication.

Recommended security measures:

• Disable outdated authentication methods like NTLM.
• Use group policies or Windows Hello for Business settings to regularly randomize hashes for accounts accessed through smart cards.
• Consider transitioning to open authentication standards based on cloud infrastructures.
• Switch to MFA systems that are resistant to phishing.

8 Insufficient restriction of access to network folders and services

In corporate networks, it’s common to find network folders that can be accessed without authentication, or administrative repositories accessible to regular users. These often contain files with admin passwords or other sensitive information in plaintext.

Recommended security measures:

• All repositories and services should only allow access to authenticated and authorized users.
• Critical resources should be configured according to the principle of least privilege.
• Files and folders should have strict settings limiting unauthorized manipulations — especially folders containing confidential information such as keys.
• Ensure that attackers can’t modify access control lists (ACLs) at will, which would essentially override all the above measures.
• In Windows group policies, disable “anonymous enumeration of SAM accounts and share”.

9 Poor quality passwords and password policies

Many organizations allow users to have short and simple passwords. As a result, up to 80% of employee passwords can be quickly cracked using tools like Hashcat.

Recommended security measures:

• Set recommended complexity criteria for all passwords.
• Evaluate whether users can use password managers, and which ones.
• Prohibit the use of identical local administrator passwords on different computers.
• Implement high-complexity criteria for administrative passwords and passphrases on certificates/private keys.
• Implement a process and automated system to search for passwords stored in plaintext or an easily extractable format (saved passwords in browsers).

10 Lack of restrictions on code execution

Few organizations enable the “list of allowed applications” mode — where only approved applications can be run on company computers. Allowing the execution of untrusted files enables attackers to deploy various malware, escalate privileges using vulnerable drivers, and so on.

Recommended security measures:

• Enable settings that prevent the execution of applications from untrusted sources.
• Better yet, use allowlisting (also known as default deny), permitting the running of applications only from a fixed list of approved ones. Ensure that the tool implementing this policy checks digital signatures and other key file attributes rather than just focusing on names.
• Block known vulnerable applications (especially drivers) from running.
• Limit the ability to run scripting languages (such as PowerShell), check logs for the execution of approved scripts, and disallow the execution of scripting languages not used in the company’s IT systems.
• Regularly review host and perimeter security systems to ensure they’re effectively filtering spam and blocking malware from being run.