Security Best Practices by BGD e-GOV CIRT

Password Policy best practices

• Create a strong, complex and long password.
• Use multi-factor authentication for login where possible.
• Avoid save password in browser.

Generic best practices

Backup best practices

• Keep regular verified and labeled backup following 3-2-1 backup rule.
• Encrypt Backup Data.
• Perform regular tests by restoring backup periodically.

Active Directory best practices

• Limit the use of Domain Admins and other Privileged Groups.
• Secure the domain administrator account.
• Disable the local administrator account (on all computers)
• Limit local administrative access for all domain users in end devices.
• Enable audit policy settings with group policy to monitor malicious activities.
• Monitor Active Directory events to detect compromise and abnormal behavior.
• Find and remove unused user and computer accounts.

Email Server best practices

• Keep email servers up to date.
• Limit administrative access to internal users.
• Deploy multi-factor authentication for users.
• Harden the OS hosting email server.
• Harden the email application.
• Monitor email servers to detect abnormal activities.
• Deploy host-based firewalls.
• Use SSL certificates when dealing with external services.
• Configure email server to protect your domain against spoofing, spam, email forgery and other attacks.

Network & Security Devices Best Practices

• Place your network and security devices in proper order based on your environment.
• Keep network and security devices OS and relevant security patch up to date.
• Use certificate based SSH authentication.
• Restrict administrative port from untrusted network.
• Ensure Network and security devices hardening for secure access control complying AAA.
• Make sure security devices policy is complying with organization strategy.
• Network and security devices session and system log need to be preserved in separate repository.
• Ensure Periodic backup of configuration and security policy.