Netier Master Baseline Framework

Document ID: NET-FW-MBF-001

Version: 1.0

Effective Date: 2026-03-26

Next Review: 2026-09-26

Owner: Netier — GRC / Security Operations

Classification: Internal

Document Relationship

This document (Master Baseline Framework) defines the strategic framework — what Netier aims to achieve, which frameworks apply, and at what tier. For prescriptive configuration details (exact settings, policies, and deployment instructions per technology), see the companion Netier Technical Configuration Framework.

1. Executive Summary & Strategy

This document serves as the overarching Technical and Operational Baseline for Netier. It establishes a unified "Gold Standard" based on the Australian Signals Directorate (ASD) Information Security Manual (ISM) and Essential Eight (E8) Maturity Level 3.

From this peak standard, configurations are scaled into productised tiers (Essential, Professional, Enterprise) to provide clients with a secure-by-design baseline and a clear pathway to higher regulatory compliance. This framework governs all evidence gathering and tooling deployments (e.g., Netier Compliance Engine (planned — ISM scanner operational), NinjaOne).

2. Master Compliance & Framework Mapping

All technical controls and operational policies detailed in this baseline trace back to the following regulatory and security frameworks:

3. Technical Baselines & Configurations

3.1 Identity & Access Management (M365, Entra ID, Active Directory)

* Global Block: Block Legacy Authentication globally.

* Geo-Fencing: Block all non-AU logins (exceptions via strict PIM approval).

* MFA Enforcement: Phishing-resistant MFA (FIDO2/Windows Hello) mandatory for all user access.

* Device Trust: Require devices to be marked as 'Compliant' in Intune for corporate data access.

* Implement Privileged Identity Management (PIM) with Just-In-Time (JIT) access for all Global/Exchange/SharePoint admins.

* Strict Tier 0/1/2 administrative isolation for on-premise Active Directory.

* Deploy Windows Local Administrator Password Solution (LAPS) to all endpoints and servers.

3.2 Endpoint & Server Security

3.3 Network Perimeter (Firewalls, Switches, Wireless)

3.4 Email Security, Web Posture & Deliverability

* Enforce DMARC at p=reject for all managed domains.

* Strict SPF and DKIM alignment configuration.

* Inbound Advanced Threat Protection (ATP) and AI-driven phishing filtering.

* Enforce Cloudflare Web Application Firewall (WAF) in strict block mode for public assets.

* Mandatory TLS 1.2+ (TLS 1.3 preferred) for all web traffic.

* Continuous monitoring of web performance (PageSpeed) and network latency (Speedtest) to ensure Operational Level Agreements (OLAs) are met.

4. Operational Policies & Governing Plans

The technical controls above are orchestrated and maintained through the following foundational plans. (Note: Automated gathering of evidence for these plans will be integrated into the Netier Compliance Engine toolchain — planned; external ISM scanner operational, full evidence automation in development).

4.1 Incident Response Plan (IRP)

4.2 Business Continuity Plan (BCP)

4.3 Disaster Recovery Plan (DRP)

4.4 Supply Chain Management (SCM)

5. Standard Operating Procedures (SOPs)

Each technical baseline and operational plan is supported by detailed, step-by-step SOPs that engineers follow during deployment and maintenance. SOPs are maintained in the SOPs/ directory.

| TCF Section | Baseline | Implementing SOP | Document ID |

|-------------|----------|-----------------|-------------|

| 1.0 Infrastructure & Compute | Endpoint & Server Baseline | SOP: Infrastructure & Compute | NET-SOP-INFRA-001 |

| 2.0 Identity & Cloud Workspaces | M365 & Entra ID Baseline | SOP: Identity, CA & Cloud Security | NET-SOP-IDM-001 |

| 3.0 Endpoint Protection & Control | Endpoint & Server Baseline | SOP: Endpoint Protection | NET-SOP-EP-001 |

| 4.0 Vulnerability Management | Endpoint & Server Baseline | SOP: Vulnerability Management | NET-SOP-VULN-001 |

| 5.0 Security Awareness & Training | Operational Plans Baseline | SOP: Security Awareness | NET-SOP-SAT-001 |

| 6.0 Endpoint Management (MDM) | M365 & Entra ID Baseline | SOP: Endpoint Management MDM | NET-SOP-MDM-001 |

| 7.0 Networking & Perimeter | Network Perimeter Baseline | SOP: Networking & Perimeter | NET-SOP-NET-001 |

| 8.0 Backup & Disaster Recovery | Operational Plans Baseline | SOP: Backup & DR | NET-SOP-BDR-001 |

| 9.0 Remote Monitoring & Management | Endpoint & Server Baseline | SOP: RMM / NinjaOne | NET-SOP-RMM-001 |

| 10.0 Knowledge Management | Operational Plans Baseline | SOP: Knowledge Management | NET-SOP-KM-001 |

Netier Technical Configuration Framework

Purpose: This document serves as the master index and prescriptive configuration guide for every technology in the Netier MSP stack. It dictates the exact settings, policies, and configurations required to meet the Netier "Gold Standard" (ISM/Essential Eight ML3) and defines how those settings scale down across the Essential, Professional, and Enterprise deployment tiers.

>

Relationship to Master Baseline: The Netier Master Baseline Framework defines the strategic framework and compliance mapping. This document provides the prescriptive, technology-specific configurations that implement that strategy.

Document ID: NET-FW-TCF-001

Version: 1.0

Effective Date: 2026-03-26

Next Review: 2026-09-26

Owner: Netier — GRC / Security Operations

Classification: Internal

1.0 Infrastructure & Compute

Implementing SOP: NET-SOP-INFRA-001

1.1 Windows Server (On-Premise & IaaS)

* Critical/High: Installed within 48 hours of release.

* Standard: Installed weekly.

1.2 Hypervisors (VMware / Hyper-V)

2.0 Identity & Cloud Workspaces

Implementing SOP: NET-SOP-IDM-001

2.1 Microsoft 365 & Entra ID

Enterprise Tier*: Phishing-resistant MFA (FIDO2/Windows Hello) enforced.

* Block legacy authentication protocols (POP3, IMAP, SMTP).

* Require MFA for administrative roles.

* Block sign-ins from high-risk locations/anonymous IPs.

* Require compliant or hybrid-joined devices for access to SharePoint/OneDrive (Professional/Enterprise tiers).

2.2 Defender for Office 365

* SPF hard fail (-all).

* DKIM signing enabled for all primary and alias domains.

* DMARC policy set to p=reject or p=quarantine.

3.0 Endpoint Protection & Control

Implementing SOP: NET-SOP-EP-001

3.1 Application Whitelisting (ThreatLocker / AppLocker / WDAC)

Primary tool: ThreatLocker (deployed on all managed endpoints). Where ThreatLocker is not deployed (e.g., air-gapped environments, client policy restrictions), use AppLocker (Windows Pro/Enterprise) or WDAC (Windows Defender Application Control) as the application control mechanism. The same default-deny policy intent applies regardless of tooling.

* PowerShell, Command Prompt, and cscript.exe restricted from interacting with network shares and downloading executables from the internet.

* Office applications restricted from spawning child processes (e.g., PowerShell).

3.2 Endpoint Detection and Response (Sophos MDR / Defender for Endpoint)

4.0 Vulnerability Management

Implementing SOP: NET-SOP-VULN-001

4.1 Tenable Nessus / ConnectSecure

* External perimeters: Weekly authenticated scans.

* Internal networks: Monthly authenticated scans.

5.0 Security Awareness & Training

Implementing SOP: NET-SOP-SAT-001

5.1 uSecure (or equivalent)

6.0 Endpoint Management (MDM / UEM)

Implementing SOP: NET-SOP-MDM-001

6.1 Microsoft Intune

6.1.1 Windows 10/11

* Minimum OS version enforced.

* BitLocker enforced (256-bit AES).

* Antivirus active and up to date.

* Firewall enabled.

* Implement CIS Windows 10/11 Benchmarks (Level 1 minimum).

* Auto-lock screen after 15 minutes of inactivity.

* Disable consumer features (Xbox app, consumer OneDrive).

6.1.2 macOS

* Minimum OS version enforced.

* FileVault enforced.

* System Integrity Protection (SIP) enabled.

* Gatekeeper enabled.

* Implement CIS Apple macOS Benchmarks.

* Require password immediately after sleep or screen saver begins.

6.1.3 iOS / iPadOS

* Jailbreak detection enforced.

* Minimum OS version enforced.

* Enforce 6-digit alphanumeric passcode.

* Prevent unmanaged apps from reading managed contacts/data.

* Disable Siri while locked.

6.1.4 Android

* Root detection enforced.

* Minimum OS version enforced.

* Google Play Protect enabled.

* Android Enterprise (Work Profile) mandatory for BYOD.

* Enforce complex PIN.

* Block screen capture within the Work Profile.

* Block copy/paste from Work Profile to personal profile.

6.1.5 Linux (Ubuntu / RHEL)

* Minimum kernel version.

* Disk encryption (LUKS) enforced.

* SSH root login disabled.

* sudo access restricted and logged.

* Automated security updates (e.g., unattended-upgrades) configured for critical patches.

7.0 Networking & Perimeter

Implementing SOP: NET-SOP-NET-001

7.1 Firewalls (WatchGuard / Fortinet)

* IKEv2 or SSL VPN enforced (PPTP/L2TP blocked).

* MFA enforced for all VPN authentications via RADIUS/SAML integration.

7.2 DNS Security (Cloudflare / Cisco Umbrella)

8.0 Backup & Disaster Recovery

Implementing SOP: NET-SOP-BDR-001

8.1 Data Backup (Veeam / AFI.ai / Dropsuite)

8.2 AFI.ai (Cloud Workspace Backup)

9.0 Remote Monitoring & Management (RMM)

Implementing SOP: NET-SOP-RMM-001

9.1 NinjaOne

* OS and third-party application patching driven by SLA (aligned with Essential Eight).

* Automated pre-deployment reboot and post-deployment verification.

* Offline alerts for critical infrastructure (Servers, Firewalls, Switches).

* Disk space, CPU, and Memory utilization thresholds.

* Security service state monitoring (e.g., EDR/Antivirus service stopped).

10.0 Knowledge Management & Documentation

Implementing SOP: NET-SOP-KM-001

10.1 Confluence

* Segregated spaces for Internal SOPs, Client Documentation, and Compliance Frameworks.

* Strict Permission Schemes applied per space (e.g., restricted access for sensitive client credentials or security configurations).

M365 & Entra ID Security Baseline

Document ID: NET-BL-M365-001

Version: 1.0

Effective Date: 2026-03-26

Next Review: 2026-09-26

Owner: Netier — GRC / Security Operations

Classification: Internal

1. Overview

This document defines the strict configuration standards for Microsoft 365 and Entra ID environments managed by Netier. It aligns with the ASD ISM, Essential Eight (E8) ML3, and CIS Controls.

2. Entra ID (Azure AD) Configuration

2.1 Authentication & MFA (E8 ML3)

2.2 Conditional Access (CA) Policies

The following CA policies are mandatory:

2.3 Privileged Identity Management (PIM)

2.4 Break Glass (Emergency Access) Accounts

3. Microsoft Intune Configuration

* BitLocker encryption mandatory.

* Antivirus/EDR active and up to date.

* OS version within N-1 of current release.

* Device is active (check-in within last 30 days).

* Deploy CIS/ASD ISM hardened Windows 11 baselines.

* Disable LLMNR and NetBIOS.

* Disable SMBv1.

* Configure LAPS for local administrator management.

3.1 Application Control (E8 ML3)

4. Microsoft Defender for Office 365

Endpoint & Server Security Baseline

Document ID: NET-BL-EP-001

Version: 1.0

Effective Date: 2026-03-26

Next Review: 2026-09-26

Owner: Netier — GRC / Security Operations

Classification: Internal

1. Overview

This document dictates the security controls for all Windows Server, Active Directory, and endpoint environments managed by Netier, directly mapping to Essential Eight (E8) ML3, ASD ISM, and ISO 27001.

2. Active Directory (On-Premises / Hybrid)

3. Application Control (E8 ML3)

4. Vulnerability & Patch Management (NinjaOne SLA)

* Critical/High: Deployed within 48 hours of release.

* Standard: Deployed within 14 days.

5. Endpoint Detection & Response (EDR)

* Tamper protection enabled.

* Cloud-delivered protection enabled.

* Automated investigation and remediation enabled (Full/Active mode).

* Block executable files from running unless they meet prevalence, age, or trusted list criteria.

* Block credential stealing from the Windows local security authority subsystem (LSASS).

* Block Office applications from creating executable content.

* Block untrusted and unsigned processes that run from USB.

6. Protocol & Authentication Hardening

Network Perimeter & Infrastructure Baseline

Document ID: NET-BL-NET-001

Version: 1.0

Effective Date: 2026-03-26

Next Review: 2026-09-26

Owner: Netier — GRC / Security Operations

Classification: Internal

1. Overview

This standard details the physical and virtual network perimeter security configurations for Netier managed clients, aligning with NIST CSF, ASD ISM, and PCIDSS.

2. Firewall & Gateway Configuration

3. Network Segmentation (Micro-segmentation)

Networks must be segregated into distinct VLANs with strict inter-VLAN routing controls:

4. Network Access Control (NAC)

5. Network Device Management

6. Remote Access

Email Security, Web Posture & Deliverability Baseline

Document ID: NET-BL-EMAIL-001

Version: 1.0

Effective Date: 2026-03-26

Next Review: 2026-09-26

Owner: Netier — GRC / Security Operations

Classification: Internal

1. Overview

This baseline covers external-facing assets, focusing on email authentication, deliverability, and web application security. It integrates controls across Cloudflare, Valimail, PowerDMARC, Sendmarc, Postmaster, and performance metrics (Speedtest/PageSpeed), aligning with ISM, CIS, and Privacy Act requirements.

2. Email Authentication & Deliverability

Netier mandates a strict email authentication framework to prevent spoofing and ensure high deliverability rates.

2.1 Sender Policy Framework (SPF)

2.2 DomainKeys Identified Mail (DKIM)

2.3 Domain-based Message Authentication, Reporting, and Conformance (DMARC)

2.4 Inbound Email Protection (Microsoft Defender for Office 365)

3. Web Posture & Security (Cloudflare)

All public-facing web applications and sites must be protected via Cloudflare (or equivalent Enterprise WAF).

3.1 Web Application Firewall (WAF)

3.2 Encryption & Transport

3.3 Performance Metrics (OLAs)

Performance is considered a security/availability metric.

Operational Policies & Governing Plans

Document ID: NET-BL-OPS-001

Version: 1.0

Effective Date: 2026-03-26

Next Review: 2026-09-26

Owner: Netier — GRC / Security Operations

Classification: Internal

1. Overview

This document outlines the required structure and mandates for Netier's core operational policies. These policies govern the technical baselines and provide the administrative controls required for ISO 27001, SOCI Act, DISP, and SOC II.

2. Incident Response Plan (IRP)

* ACSC (ASD): Critical cyber security incidents affecting national infrastructure (SOCI) or defence (DISP) must be reported to the ACSC within 12 hours of becoming aware (s30CD). Other significant incidents within 72 hours (s30CE).

* OAIC: Notifiable Data Breaches (NDB) under the Privacy Act must be reported within 72 hours of confirmation.

3. Business Continuity Plan (BCP)

* MTPD: Maximum Tolerable Period of Disruption (defined per service tier).

* RTO/RPO: Recovery Time Objective and Recovery Point Objective.

4. Disaster Recovery Plan (DRP)

* Immutable, offline, or offsite backups are mandatory.

* Backups must be protected from domain/tenant compromise (separate authentication plane).

* Backups must be encrypted at rest (AES-256) and in transit, with encryption keys managed securely and separately from the primary infrastructure.

* Enterprise Tier: Quarterly full restoration tests.

* Professional Tier: Bi-annual restoration tests.

* Essential Tier: Annual restoration tests.

5. Supply Chain Management (SCM)

SOP: Infrastructure & Compute Hardening

Document ID: NET-SOP-INFRA-001
Version: 1.0
Effective Date: 2026-03-26
Next Review: 2026-09-26
Owner: Netier — Security & Cloud Engineering
Classification: Internal
TCF Section: 1.0
Review Cycle: Quarterly or after vendor portal/product changes

Table of Contents

Windows Server 2022 Hardening

Prerequisites

Step-by-Step Instructions

1. Apply CIS Level 1 Baseline via GPO

- Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy:

- Minimum password length: 14 characters

- Password complexity: Enabled

- Minimum password age: 1 day

- Maximum password age: 365 days (or per client policy)

- Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy:

- Audit logon events: Success, Failure

- Audit account logon events: Success, Failure

- Audit object access: Failure

- Audit policy change: Success, Failure

- Audit privilege use: Failure

- Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment:

- Deny access to this computer from the network: Local account and member of Administrators group (for workstations)

- Deny log on through Remote Desktop Services: Guests, Local account (standard users per RDP section below)

# Import CIS GPO backup (run on DC or GPMC workstation)
Import-GPO -BackupGpoName "CIS-WS2022-L1-Baseline" -Path "C:\CIS-Benchmarks\GPOBackup" -TargetName "CIS-WS2022-L1-Baseline" -CreateIfNeeded

Link to Servers OU
New-GPLink -Name "CIS-WS2022-L1-Baseline" -Target "OU=Servers,DC=contoso,DC=local" -LinkEnabled Yes

Force GP update on remote server
Invoke-GPUpdate -Computer "SERVER01" -Force -RandomDelayInMinutes 0

2. Enable Credential Guard

   # Check VBS readiness

   Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object -Property AvailableSecurityProperties, VirtualizationBasedSecurityStatus, SecurityServicesRunning
   

- AvailableSecurityProperties must include 1 (Hypervisor support) and 3 (Secure Boot).

- If VBS is not running, enable in BIOS: Intel VT-x/AMD-V, Secure Boot, TPM 2.0.

- Navigate to Computer Configuration > Policies > Administrative Templates > System > Device Guard.

- Turn On Virtualization Based Security: Enabled

- Select Platform Security Level: Secure Boot and DMA Protection

- Credential Guard Configuration: Enabled with UEFI lock

- Secure Launch Configuration: Enabled

- Navigate to Microsoft Intune admin center > Endpoint security > Account protection.

- Create profile: Windows 10/11 and later > Account protection.

- Set Credential Guard: Enable with UEFI lock.

- Assign to the appropriate device group.

# Enable Credential Guard via registry (reboot required)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v LsaCfgFlags /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v RequirePlatformSecurityFeatures /t REG_DWORD /d 3 /f

Verify after reboot
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object SecurityServicesRunning
Should return "1" (Credential Guard) or "1, 2" (Credential Guard + HVCI)

3. Enable LSA Protection (RunAsPPL)

- Computer Configuration > Policies > Administrative Templates > System > Local Security Authority

- Configure LSASS to run as a protected process: Enabled (Enabled with UEFI Lock)

# Enable LSA Protection
reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v RunAsPPL /t REG_DWORD /d 2 /f

Verify LSA Protection is active (after reboot)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name RunAsPPL
Value of 2 = Enabled with UEFI lock; Value of 1 = Enabled without UEFI lock

Verification Checks

Rollback

   reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v LsaCfgFlags /t REG_DWORD /d 0 /f

   reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 0 /f
   

   # Download from Microsoft, run with -Disable flag

   .\DG_Readiness_Tool_v3.6.ps1 -Disable -CG
   

Local Administrator Password Solution (LAPS)

Prerequisites

Step-by-Step Instructions

1. Configure LAPS via GPO (On-Premises AD)

   Import-Module LAPS

   Update-LapsADSchema
   Set-LapsADComputerSelfPermission -Identity "OU=Servers,DC=contoso,DC=local"
   

- Computer Configuration > Policies > Administrative Templates > System > LAPS

- Configure password backup directory: Enabled > Active Directory (or Azure Active Directory for cloud-only)

- Password Settings:

- Password complexity: Large letters + small letters + numbers + specials

- Password length: 24 characters

- Password age (days): 14

- Post-authentication actions:

- Grace period (hours): 1 (forces reset within 1 hour of password use)

- Actions: Reset password and logoff managed account

- Name of administrator account to manage: Leave default (built-in Administrator RID 500) or specify custom local admin name

2. Configure LAPS via Intune (Entra ID)

- Backup Directory: Backup the password to Azure AD only (or both for hybrid)

- Password Age Days: 14

- Administrator Account Name: leave blank for built-in RID 500

- Password Complexity: Large + small letters + numbers + special characters

- Password Length: 24

- Post Authentication Actions: Reset password and logoff the managed account

- Post Authentication Reset Delay (hours): 1

3. Retrieving LAPS Passwords

# On-premises AD - retrieve LAPS password
Get-LapsADPassword -Identity "SERVER01" -AsPlainText

Entra ID - retrieve via Microsoft Graph
Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All"
Get-LapsAADPassword -DeviceIds "device-object-id" -IncludePasswords -AsPlainText

4. Post-Use Password Reset (Mandatory Within 1 Hour)

After any use of a LAPS-managed credential, the post-authentication action will trigger automatically. To force immediate rotation:

# Force immediate LAPS password rotation
Reset-LapsPassword -Identity "SERVER01"

Invoke via Intune for cloud-managed devices
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceLocalCredentials/{id}/rotateLocalAdminPassword"

Verification Checks

Rollback

   $password = ConvertTo-SecureString "TempP@ssw0rd!" -AsPlainText -Force

   Set-LocalUser -Name "Administrator" -Password $password
   

Hypervisor Management Security

Prerequisites

Step-by-Step Instructions

1. Restrict Management VLAN Access

- Allow: Management VLAN (e.g., 10.0.10.0/24) to vCenter TCP/443, ESXi TCP/443, Hyper-V TCP/5985-5986 (WinRM)

- Deny: All other VLANs to management interfaces

config firewall policy
    edit 100
        set srcintf "VLAN_MGMT"
        set dstintf "VLAN_HYPERVISOR"
        set srcaddr "Mgmt-Admins"
        set dstaddr "vCenter-Server" "ESXi-Hosts"
        set action accept
        set service "HTTPS"
        set logtraffic all
    next
end

2. AD-Integrated MFA for vCenter

- Install Duo Authentication Proxy on a management server.

- Configure vCenter to use the Duo RADIUS proxy as secondary authentication.

- Test MFA prompt on vCenter login.

3. AD-Integrated MFA for Hyper-V Manager

- Navigate to Entra admin center > Protection > Conditional Access > Policies > New policy.

- Name: Require MFA for Hyper-V Administration.

- Assignments > Users: Select the Hyper-V Admins group.

- Assignments > Target resources > Cloud apps: Windows Remote Management (WinRM) or apply to All cloud apps scoped to admin users.

- Conditions > Client apps: Browser, Mobile apps and desktop clients.

- Grant > Require multifactor authentication.

4. VM Tools Auto-Update (VMware)

# Connect to vCenter
Connect-VIServer -Server vcenter.contoso.local

Enable auto-upgrade on all VMs
Get-VM | ForEach-Object {
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.tools = New-Object VMware.Vim.ToolsConfigInfo
    $spec.tools.toolsUpgradePolicy = "upgradeAtPowerCycle"
    $_.ExtensionData.ReconfigVM($spec)
}

Verify
Get-VM | Select-Object Name, @{N='ToolsUpgradePolicy';E={$_.ExtensionData.Config.Tools.ToolsUpgradePolicy}}

Verification Checks

Rollback

RDP Restrictions

Prerequisites

Step-by-Step Instructions

1. Enforce Network Level Authentication (NLA)

- Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security

- Require use of specific security layer for remote (RDP) connections: Enabled > SSL

- Require user authentication for remote connections by using Network Level Authentication: Enabled

- Set client connection encryption level: High

# Enable NLA via registry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SecurityLayer" -Value 2
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "MinEncryptionLevel" -Value 3

2. Disable RDP for Standard Users

- Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

- Deny log on through Remote Desktop Services: Add Domain Users group (or the broadest standard user group).

- Allow log on through Remote Desktop Services: Add only Remote Desktop Admins (a dedicated AD security group for authorized RDP users) and Domain Admins.

# Verify who can RDP
(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication").UserAuthentication
Check Remote Desktop Users group membership
Get-LocalGroupMember -Group "Remote Desktop Users"

3. Restrict RDP Source Subnets (Jumphost/VPN Only)

- Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall > Inbound Rules

- Modify the built-in Remote Desktop - User Mode (TCP-In) rule:

- Scope tab > Remote IP address: Only these IP addresses

- Add the jumphost IP(s) and VPN subnet(s):

- Jumphost: e.g., 10.0.10.50

- VPN subnet: e.g., 10.0.200.0/24

# Restrict RDP to specific subnets via Windows Firewall
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -RemoteAddress @("10.0.10.50", "10.0.200.0/24") -Enabled True

Verify the rule
Get-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" | Get-NetFirewallAddressFilter

4. Configure RDP Session Timeouts

In the RDP-Hardening GPO:

- Set time limit for disconnected sessions: Enabled > 1 hour

- Set time limit for active but idle sessions: Enabled > 30 minutes

- End session when time limits are reached: Enabled

Verification Checks

Rollback

   Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -RemoteAddress Any

   

SMB Hardening

Prerequisites

Step-by-Step Instructions

1. Disable SMBv1

   # Enable SMBv1 auditing

   Set-SmbServerConfiguration -AuditSmb1Access $true -Force

   # Check audit logs for SMBv1 connections
   Get-WinEvent -LogName "Microsoft-Windows-SMBServer/Audit" | Where-Object { $_.Id -eq 3000 } | Format-Table TimeCreated, Message -AutoSize
   

   # Disable SMBv1 server

   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

   # Remove SMBv1 feature entirely
   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
   # Or via DISM
   dism /online /Disable-Feature /FeatureName:SMB1Protocol
   

- Computer Configuration > Policies > Administrative Templates > Network > Lanman Server

- Create a registry preference: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 = 0 (DWORD)

2. Enforce SMB Signing

- Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

- Microsoft network server: Digitally sign communications (always): Enabled

- Microsoft network client: Digitally sign communications (always): Enabled

- Microsoft network server: Digitally sign communications (if client agrees): Enabled

- Microsoft network client: Digitally sign communications (if server agrees): Enabled

# Enforce SMB signing on server side
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

Enforce SMB signing on client side
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

Enable SMB encryption (recommended where supported)
Set-SmbServerConfiguration -EncryptData $true -Force

Verify configuration
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, RequireSecuritySignature, EncryptData
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature

3. Additional SMB Hardening

# Disable SMB guest fallback (prevents NTLM relay to guest shares)
Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force

Restrict anonymous access to named pipes and shares
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RestrictNullSessAccess" -Value 1

Verification Checks

Rollback

   Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

   Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force
   

   Set-SmbServerConfiguration -RequireSecuritySignature $false -Force

   Set-SmbClientConfiguration -RequireSecuritySignature $false -Force
   

Backup Integration

Prerequisites

Step-by-Step Instructions

1. Configure Veeam Daily Image Backup

- Name: [ClientCode]-DailyImage-Servers

- Virtual Machines: Add all production VMs from vCenter/Hyper-V inventory.

- Storage: Select the hardened (immutable) repository.

- Retention: 14 daily restore points, 4 weekly, 12 monthly (adjust per client contract).

- Enable inline deduplication and compression: Yes (Optimal).

- Guest Processing: Enable application-aware processing (VSS) for SQL, Exchange, AD.

- Schedule: Daily at 20:00 (or client-specified maintenance window).

- Enable immutability: Set to 7 days minimum on the hardened repository.

2. Configure Immutable Storage

# On the Linux repository server (Ubuntu 22.04)
Veeam configures immutability via XFS reflink + chattr +i
Verify immutability is working:
sudo lsattr /mnt/veeam-repo/backups/
Files should show 'i' attribute (immutable)

# Connect to Veeam
Connect-VBRServer -Server "veeam.contoso.local"

Check repository immutability settings
Get-VBRBackupRepository | Select-Object Name, Type, @{N='Immutable';E={$_.GetImmutabilitySettings().Enabled}}, @{N='ImmutableDays';E={$_.GetImmutabilitySettings().Period}}

Check last backup job status
Get-VBRBackupSession | Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-1)} | Select-Object JobName, Result, CreationTime, EndTime

3. Backup Monitoring and Alerting

- Add condition: Windows Event Log > Log: Application, Source: Veeam, Event ID: 0 (job completion), Level: Error/Warning.

- Action: Create ticket in ConnectWise Manage via integration.

- Veeam Console > Options > Notifications > Email Notifications

- SMTP server, recipient: alerts@netier.com.au

- Notify on: Failure and Warning (not Success, to reduce noise).

Verification Checks

Rollback

Master Verification Checklist

Windows Server Hardening

LAPS

Hypervisor Management

RDP

SMB

Backup

Document History

Standard Operating Procedures: Identity, Conditional Access & Cloud Workspace Security

Document ID: NET-SOP-IDM-001
Version: 1.1
Effective Date: 2026-03-26
Next Review: 2026-09-26
Owner: Netier — Security & Cloud Engineering
Classification: Internal
TCF Section: 2.0
Review Cycle: Quarterly or after any Microsoft portal change
Applies to: All Netier-managed Microsoft 365 / Entra ID tenants

Table of Contents

- Block Legacy Authentication

- Block Non-AU Logins (Geo-Fencing)

- Require Compliant Device

- Require MFA for All Users

- Sign-in Risk Policy

- User Risk Policy

Break Glass Accounts

Break glass accounts must be created BEFORE any Conditional Access policies are deployed. These accounts provide emergency access if CA policies, MFA, or PIM malfunction.

Prerequisites

Step-by-Step Instructions

- Username: BreakGlass1@

- Display Name: Break Glass 1 — DO NOT DELETE

- No group memberships at creation

- Assign the Global Administrator role directly (not via PIM)

- Sign in as the break glass account at https://mysignins.microsoft.com

- Navigate to Security info > + Add sign-in method > Security key

- Follow the on-screen prompts to register the FIDO2 key

- Store each key in its designated safe (BG1 = on-site, BG2 = off-site)

- Navigate to Entra Admin Center > Identity > Monitoring & health > Diagnostic settings > + Add diagnostic setting.

- Export SignInLogs to a Log Analytics workspace.

- Create an alert rule: Azure Monitor > Alerts > + Create alert rule.

- Condition: SigninLogs | where UserPrincipalName in ("BreakGlass1@...", "BreakGlass2@...") | where ResultType == 0

- Action group: email Netier SOC distribution list

- Severity: Sev 0 (Critical)

# Requires Microsoft.Graph module
Connect-MgGraph -Scopes "User.ReadWrite.All","RoleManagement.ReadWrite.Directory"

$passwordProfile = @{
    # Generate a cryptographically secure 30-character password
    Password = -join ((48..57) + (65..90) + (97..122) + (33,35,36,37,38,42,64) |
        Get-Random -Count 30 | ForEach-Object { [char]$_ })
    # IMPORTANT: Record this password immediately in a sealed envelope for the physical safe.
    # Do NOT use GUIDs or predictable patterns for break glass credentials.
    ForceChangePasswordNextSignIn = $false
}

foreach ($i in 1..2) {
    $user = New-MgUser 

        -DisplayName "Break Glass $i - DO NOT DELETE" 
        -UserPrincipalName "BreakGlass$i@<tenantdomain>" 

        -PasswordProfile $passwordProfile 
        -AccountEnabled 

        -MailNickname "BreakGlass$i"

    # Assign Global Admin role (Graph SDK v2+)
    $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id 
        -RoleDefinitionId $roleDefinition.Id -DirectoryScopeId "/"
}

Verification Checks

Rollback

If a break glass account is compromised:

Conditional Access Policies

Exclusion Group Setup

Before creating individual policies, create a single exclusion group for break glass accounts:

Block Legacy Authentication

Legacy authentication protocols (POP3, IMAP, SMTP AUTH, Exchange ActiveSync basic auth) bypass MFA and are the most common vector for password spray attacks. This policy blocks them globally with no exceptions.

Prerequisites

Step-by-Step Instructions

- Users: Include > All users

- Users: Exclude > Select users and groups > SG-CA-BreakGlass-Exclusions

- Target resources: Include > All cloud apps

- Client apps > Configure: Yes

- Select: Exchange ActiveSync clients and Other clients

- Deselect: Browser, Mobile apps and desktop clients

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
    DisplayName = "BLOCK - Legacy Authentication"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Users = @{
            IncludeUsers = @("All")
            ExcludeGroups = @("<BreakGlass-Group-Id>")
        }
        Applications = @{
            IncludeApplications = @("All")
        }
        ClientAppTypes = @("exchangeActiveSync", "other")
    }
    GrantControls = @{
        Operator = "OR"
        BuiltInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Verification Checks

Rollback

Block Non-AU Logins (Geo-Fencing)

This policy blocks all sign-ins originating from outside Australia. Exceptions for travel or offshore workers require PIM approval and an IP whitelist entry.

Prerequisites

Step-by-Step Instructions

- Navigate to Entra Admin Center > Protection > Conditional Access > Named locations > + Countries location.

- Name: Allowed Countries — Australia

- Select: Australia

- Determine location by: IP address (recommended for accuracy)

- Click Create

- Navigate to Entra Admin Center > Protection > Conditional Access > Policies > + New policy.

- Name: BLOCK — Non-AU Sign-ins

- Assignments:

- Users: Include > All users

- Users: Exclude > SG-CA-BreakGlass-Exclusions

- Target resources: Include > All cloud apps

- Conditions:

- Locations > Configure: Yes

- Include: Any location

- Exclude: Selected locations > Allowed Countries — Australia

- Access controls > Grant: Select Block access

- Enable policy: Report-only (switch to On after 7-day monitoring)

- Click Create

- User raises a ticket requesting temporary access from a specific country

- A PIM-eligible admin activates their role (see PIM section)

- Create a new named location for the traveller's IP range or country

- Create a time-limited exclusion (or use a dedicated security group for travellers)

- Set a calendar reminder to remove the exception on the return date

- Document the exception in the ticket

# Create named location
$locationParams = @{
    "@odata.type" = "#microsoft.graph.countryNamedLocation"
    DisplayName = "Allowed Countries - Australia"
    CountriesAndRegions = @("AU")
    IncludeUnknownCountriesAndRegions = $false
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationParams

Create policy
$policyParams = @{
    DisplayName = "BLOCK - Non-AU Sign-ins"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Users = @{
            IncludeUsers = @("All")
            ExcludeGroups = @("<BreakGlass-Group-Id>")
        }
        Applications = @{
            IncludeApplications = @("All")
        }
        Locations = @{
            IncludeLocations = @("All")
            ExcludeLocations = @($location.Id)
        }
    }
    GrantControls = @{
        Operator = "OR"
        BuiltInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policyParams

Verification Checks

Rollback

Require Compliant Device

Access to SharePoint Online, Exchange Online, and Microsoft Teams requires the device to be enrolled in Intune and marked as Compliant. This prevents data access from unmanaged personal devices.

Prerequisites

Step-by-Step Instructions

- Users: Include > All users

- Users: Exclude > SG-CA-BreakGlass-Exclusions

- Target resources: Include > Select apps:

- Office 365 Exchange Online

- Office 365 SharePoint Online (this covers OneDrive as well)

- Microsoft Teams

- Client apps > Configure: Yes

- Select: Browser, Mobile apps and desktop clients

- Select Require device to be marked as compliant

- For multiple controls: Require all the selected controls

$policyParams = @{
    DisplayName = "REQUIRE - Compliant Device for M365 Workloads"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Users = @{
            IncludeUsers = @("All")
            ExcludeGroups = @("<BreakGlass-Group-Id>")
        }
        Applications = @{
            IncludeApplications = @(
                "00000002-0000-0ff1-ce00-000000000000",  # Exchange Online
                "00000003-0000-0ff1-ce00-000000000000",  # SharePoint Online
                "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"   # Teams (NOTE: Exchange Online and SharePoint Online targets already cover
                # most Teams data access via backend APIs. This explicit Teams app ID
                # covers Teams-specific features like chat, calls, and meetings that
                # don't route through EXO/SPO. Alternative: replace all three with
                # the Office 365 meta-app: IncludeApplications = @("Office365"))
            )
        }
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{
        Operator = "OR"
        BuiltInControls = @("compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policyParams

Verification Checks

Rollback

Require MFA for All Users

All users must authenticate with phishing-resistant MFA (FIDO2 security keys or Windows Hello for Business). This replaces legacy MFA per-user settings and Security Defaults.

Prerequisites

Step-by-Step Instructions

- Navigate to Entra Admin Center > Protection > Authentication methods > Policies.

- FIDO2 security key: Enable > Target: All users (or a pilot group initially)

- Windows Hello for Business: Enable > Target: All users

- Microsoft Authenticator: Enable (as fallback during transition, plan to disable push/OTP once FIDO2/WHfB adoption is complete)

- Navigate to Entra Admin Center > Protection > Conditional Access > Policies > + New policy.

- Name: REQUIRE — MFA for All Users (Phishing-Resistant)

- Assignments:

- Users: Include > All users

- Users: Exclude > SG-CA-BreakGlass-Exclusions

- Target resources: Include > All cloud apps

- Conditions: Leave all at Not configured (applies to all conditions)

- Access controls > Grant:

- Select Require authentication strength

- Choose Phishing-resistant MFA (built-in strength that includes FIDO2 and Windows Hello)

- Enable policy: Report-only (switch to On after 7-day monitoring)

- Click Create

- Direct users to https://mysignins.microsoft.com to register their security keys

- For Windows Hello, ensure devices are joined or registered to Entra ID and WHfB policy is deployed via Intune

$policyParams = @{
    DisplayName = "REQUIRE - MFA for All Users (Phishing-Resistant)"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Users = @{
            IncludeUsers = @("All")
            ExcludeGroups = @("<BreakGlass-Group-Id>")
        }
        Applications = @{
            IncludeApplications = @("All")
        }
    }
    GrantControls = @{
        Operator = "OR"
        AuthenticationStrength = @{
            Id = "00000000-0000-0000-0000-000000000004"  # Phishing-resistant MFA
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policyParams

Verification Checks

Handling Service Accounts and App Registrations

Service accounts, app registrations, and headless integrations cannot perform interactive MFA. Each must be handled explicitly — never silently excluded.

Maintain a Service Account Register (spreadsheet or CW Configuration) with:

Audit requirement: ISO 27001 A.5.18 and ISM-1833 require documented justification for every access exception. An undocumented exclusion is a nonconformity.

Phased Deployment (Critical — Prevents User Lockout)

Do NOT enforce phishing-resistant MFA immediately. Users need time to register FIDO2 keys or Windows Hello. Enforcing before registration is complete will lock out all users without phishing-resistant credentials.

- Change from Require multifactor authentication to Require authentication strength > Phishing-resistant MFA.

Rollback

Sign-in Risk Policy

Uses Entra ID Protection to evaluate sign-in risk in real time. High-risk sign-ins are blocked. Medium-risk sign-ins require MFA re-authentication.

Prerequisites

Step-by-Step Instructions

- Users: Include > All users

- Users: Exclude > SG-CA-BreakGlass-Exclusions

- Target resources: Include > All cloud apps

- Sign-in risk > Configure: Yes

- Risk level: Select High

- Navigate to Entra Admin Center > Protection > Conditional Access > Policies > + New policy.

- Name: RISK — MFA for Medium Sign-in Risk

- Assignments: Same as above (All users, exclude break glass)

- Conditions:

- Sign-in risk > Configure: Yes

- Risk level: Select Medium

- Access controls > Grant: Select Require authentication strength > Phishing-resistant MFA

- Session controls: Set Sign-in frequency to Every time

- Enable policy: Report-only

- Click Create.

# High risk - Block
$highRiskParams = @{
    DisplayName = "RISK - Block High Sign-in Risk"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Users = @{
            IncludeUsers = @("All")
            ExcludeGroups = @("<BreakGlass-Group-Id>")
        }
        Applications = @{ IncludeApplications = @("All") }
        SignInRiskLevels = @("high")
    }
    GrantControls = @{
        Operator = "OR"
        BuiltInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $highRiskParams

Medium risk - Require MFA
$medRiskParams = @{
    DisplayName = "RISK - MFA for Medium Sign-in Risk"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Users = @{
            IncludeUsers = @("All")
            ExcludeGroups = @("<BreakGlass-Group-Id>")
        }
        Applications = @{ IncludeApplications = @("All") }
        SignInRiskLevels = @("medium")
    }
    GrantControls = @{
        Operator = "OR"
        AuthenticationStrength = @{
            Id = "00000000-0000-0000-0000-000000000004"
        }
    }
    SessionControls = @{
        SignInFrequency = @{
            Value = $null
            Type = $null
            IsEnabled = $true
            AuthenticationType = "primaryAndSecondaryAuthentication"
            FrequencyInterval = "everyTime"
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $medRiskParams

Verification Checks

Rollback

User Risk Policy

Requires users flagged as high risk (leaked credentials, impossible travel patterns) to perform a secure password change.

Prerequisites

Step-by-Step Instructions

- Users: Include > All users

- Users: Exclude > SG-CA-BreakGlass-Exclusions

- Target resources: Include > All cloud apps

- User risk > Configure: Yes

- Risk level: Select High

- Select Require authentication strength > Phishing-resistant MFA

- AND select Require password change

- For multiple controls: Require all the selected controls

- Set Sign-in frequency to Every time.

- This forces re-authentication on every sign-in, which triggers the password change requirement for existing sessions (not just new sign-ins). Without this, a compromised user's existing refresh token remains valid.

- Navigate to Entra Admin Center > Protection > Password reset > Properties.

- Self-service password reset enabled: All

- Authentication methods: require at least 2 methods

- Ensure writeback is configured if hybrid (Entra Connect > Password writeback enabled)

$userRiskParams = @{
    DisplayName = "RISK - Require Password Change for High User Risk"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Users = @{
            IncludeUsers = @("All")
            ExcludeGroups = @("<BreakGlass-Group-Id>")
        }
        Applications = @{ IncludeApplications = @("All") }
        UserRiskLevels = @("high")
    }
    GrantControls = @{
        Operator = "AND"
        BuiltInControls = @("passwordChange")
        AuthenticationStrength = @{
            Id = "00000000-0000-0000-0000-000000000004"
        }
    }
    SessionControls = @{
        SignInFrequency = @{
            Value = $null
            Type = $null
            IsEnabled = $true
            AuthenticationType = "primaryAndSecondaryAuthentication"
            FrequencyInterval = "everyTime"
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskParams

Verification Checks

Rollback

Privileged Identity Management (PIM)

PIM eliminates standing privileged access. Admins must activate their roles on-demand (just-in-time) with MFA, a justification, and (for Global Admin) peer approval.

Prerequisites

Step-by-Step Instructions

Create Dedicated Admin Accounts

- Navigate to Entra Admin Center > Identity > Users > + New user

- Username: adm-@

- No M365 productivity licences (no Exchange mailbox, no Teams, no OneDrive)

- Assign only Entra ID P2 licence

Configure PIM Role Settings

- Maximum activation duration: 4 hours (adjust per client policy)

- On activation, require: Azure MFA

- Require justification on activation: Yes

- Require ticket information on activation: Yes

- Require approval to activate: Yes

- Select approver(s): Add designated senior engineers or client IT leadership

- Allow permanent eligible assignment: No

- Expire eligible assignments after: 12 months (forces annual re-certification)

- Send notifications when members are assigned as eligible: All admins

- Send notifications when members are activated: All admins + designated SOC mailbox

- Require approval to activate: No (peer approval not required for these roles per baseline)

- All other settings remain the same (MFA, justification, ticketing)

Assign Eligible Roles

Remove Standing Access

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$roleDefinitionId = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'").Id
$principalId = (Get-MgUser -Filter "userPrincipalName eq 'adm-thouston@<tenantdomain>'").Id

$params = @{
    Action = "adminAssign"
    RoleDefinitionId = $roleDefinitionId
    PrincipalId = $principalId
    DirectoryScopeId = "/"
    ScheduleInfo = @{
        StartDateTime = (Get-Date)
        Expiration = @{
            Type = "afterDuration"
            Duration = "P365D"
        }
    }
    Justification = "Initial PIM eligible assignment per Netier baseline"
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params

Verification Checks

Rollback

Local Access — LAPS

Windows Local Administrator Password Solution (LAPS) ensures every endpoint and server has a unique, automatically rotated local admin password stored securely in Entra ID.

Prerequisites

Step-by-Step Instructions

Enable LAPS in Entra ID

Configure LAPS via Intune

- Backup directory: Azure AD only (for cloud-native) or Active Directory (for hybrid)

- Password age (days): 14

- Administrator account name: Leave default (built-in Administrator) or specify a custom local admin account name

- Password complexity: Large letters + small letters + numbers + special characters

- Password length: 20 characters

- Post-authentication actions: Reset password

- Post-authentication delay (hours): 1 (reset password 1 hour after use)

Configure LAPS Permissions

Retrieving a LAPS Password

# Retrieve LAPS password
Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All"
Get-MgDirectoryDeviceLocalCredential -DeviceId "<device-object-id>" -Property "credentials" |
    Select-Object -ExpandProperty Credentials

Note: Password auto-rotates after post-authentication delay

Verification Checks

Rollback

Intune Device Compliance Policy

These compliance policies define the minimum security posture required for a device to be marked "Compliant" in Entra ID (which the Conditional Access policy above relies on).

Prerequisites

Step-by-Step Instructions

Device Health:

- Require BitLocker: Require

- Require Secure Boot to be enabled on the device: Require

- Require code integrity: Require

Device Properties:

- Minimum OS version: Set to N-1 (e.g., if current is 10.0.26100, set minimum to 10.0.22631 for Windows 11 23H2 or equivalent)

System Security:

- Require a password to unlock mobile devices: Require

- Encryption of data storage on device: Require

- Firewall: Require

- Antivirus: Require

- Antispyware: Require

- Microsoft Defender Antimalware: Require

- Microsoft Defender Antimalware minimum version: Current or N-1

- Microsoft Defender for Endpoint — Require the device to be at or under the machine risk score: Clear (medium or low recommended)

Microsoft Defender for Endpoint:

- Require the device to be at or under the machine risk score: Medium (blocks high-risk devices)

- Mark device noncompliant: Immediately (0 days)

- Send email to end user: 1 day after noncompliance

- Remotely lock the device: 7 days (optional, discuss with client)

- Retire the noncompliant device: 30 days (matches check-in requirement)

- Navigate to Intune Admin Center > Devices > Compliance > Compliance policy settings.

- Mark devices with no compliance policy assigned as: Not compliant

- Compliance status validity period (days): 30

Verification Checks

Rollback

Application Control (Intune)

Application control prevents unauthorised executables and scripts from running. This section covers AppLocker/WDAC via Intune and Office macro restrictions.

Prerequisites

Step-by-Step Instructions

WDAC via Intune (Recommended for New Deployments)

# On a clean reference machine with all approved apps installed
New-CIPolicy -Level Publisher -FilePath "C:\Policies\BasePolicy.xml" 

    -UserPEs -MultiplePolicyFormat -Fallback Hash

Add the Windows default policy as a base
$defaultPolicy = "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml"
Merge-CIPolicy -PolicyPaths "C:\Policies\BasePolicy.xml", $defaultPolicy 
    -OutputFilePath "C:\Policies\MergedPolicy.xml"

Set policy to Audit mode first
Set-RuleOption -FilePath "C:\Policies\MergedPolicy.xml" -Option 3  # Audit Mode

Convert to binary
ConvertFrom-CIPolicy -XmlFilePath "C:\Policies\MergedPolicy.xml" 

    -BinaryFilePath "C:\Policies\MergedPolicy.bin"

- Check Event Viewer: Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational

- Set each path explicitly (e.g., \\fileserver\approved-macros\)

Connect-ExchangeOnline

Create strict anti-phishing policy
New-AntiPhishPolicy -Name "Netier Baseline - Anti-Phishing Strict" 
    -PhishThresholdLevel 3 

    -EnableMailboxIntelligence $true 
    -EnableMailboxIntelligenceProtection $true 

    -EnableSpoofIntelligence $true 
    -EnableFirstContactSafetyTips $true 

    -EnableSimilarUsersSafetyTips $true 
    -EnableSimilarDomainsSafetyTips $true 

    -EnableUnusualCharactersSafetyTips $true 
    -MailboxIntelligenceProtectionAction Quarantine 

    -TargetedUserProtectionAction Quarantine 
    -TargetedDomainProtectionAction Quarantine 

    -AuthenticationFailAction Quarantine

Create the rule to apply it
New-AntiPhishRule -Name "Netier Baseline - Anti-Phishing Strict" 
    -AntiPhishPolicy "Netier Baseline - Anti-Phishing Strict" 

    -RecipientDomainIs (Get-AcceptedDomain).DomainName

Set-HostedOutboundSpamFilterPolicy -Identity "Default" 
    -RecipientLimitExternalPerHour 500 

    -RecipientLimitInternalPerHour 1000 
    -RecipientLimitPerDay 1000 

    -ActionWhenThresholdReached BlockUserForToday 
    -AutoForwardingMode Automatic 

    -BccSuspiciousOutboundMail $true 
    -BccSuspiciousOutboundAdditionalRecipients "soc@netier.com.au" 

    -NotifyOutboundSpam $true 
    -NotifyOutboundSpamRecipients "soc@netier.com.au"

Verification Checks

Rollback

Master Verification Checklist

Use this checklist after completing all SOPs above. Every item should be verified for each tenant onboarded to the Netier baseline.

Break Glass & Emergency Access

Conditional Access Policies (7 policies total)

Privileged Identity Management

LAPS

Intune Device Compliance

Application Control

Defender for Office 365

Document History

SOP: Endpoint Protection & Control

Document ID: NET-SOP-EP-001
Version: 1.0
Effective Date: 2026-03-26
Next Review: 2026-09-26
Owner: Netier — Security & Cloud Engineering
Classification: Internal
TCF Section: 3.0
Review Cycle: Quarterly or after vendor portal/product changes

Table of Contents

ThreatLocker Deployment & Configuration

Prerequisites

Step-by-Step Instructions

1. Deploy ThreatLocker Agent

- Navigate to NinjaOne > Administration > Library > Scripts.

- Create a PowerShell script for deployment:

# ThreatLocker silent install (replace GROUP_KEY with client org key from portal)
$installerUrl = "https://api.threatlocker.com/updates/installers/threatlockerstubx64.exe"
$installPath = "C:\Temp\ThreatLockerInstall.exe"

New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
Invoke-WebRequest -Uri $installerUrl -OutFile $installPath
Start-Process -FilePath $installPath -ArgumentList "/quiet GROUPKEY=YOUR-GROUP-KEY-HERE" -Wait -NoNewWindow

Verify installation
Get-Service -Name "ThreatLockerService" | Select-Object Name, Status, StartType

2. Configure Learning Mode (Pre-Production)

3. Configure Default-Deny Application Control

After learning mode completes:

- Publisher certificate: Is the publisher trusted? (e.g., Microsoft, Adobe, vendor-specific)

- Path: Is the application in a sanctioned directory? (e.g., C:\Program Files\, C:\Windows\System32\)

- Hash: For unsigned applications, verify the hash matches a known-good version.

- Publisher certificate: Best for vendor software that updates frequently (e.g., Publisher: Microsoft Corporation, Product: *)

- Path rule: For applications in controlled directories (e.g., C:\Program Files\AppName\*)

- Hash rule: For unsigned or one-off executables (most restrictive, breaks on updates)

- ThreatLocker Portal > Organizations > [Client Org] > Settings > Application Control Mode: Secured

4. Configure Ringfencing

- Network Access: Deny access to file shares (SMB TCP/445) and internet downloads (HTTP/HTTPS TCP/80,443) unless explicitly approved.

- File Access: Deny write access to \\\ (UNC paths / network shares).

- Interaction: Deny interaction with explorer.exe launching these processes from email attachments or browser downloads.

- Child Process: Deny spawning of cmd.exe, powershell.exe, pwsh.exe, cscript.exe, wscript.exe, mshta.exe, regsvr32.exe, rundll32.exe.

- Network Access: Allow only required ports (e.g., TCP/443 for SharePoint/OneDrive). Deny direct SMB access to non-sanctioned shares.

- Registry: Deny write access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and other persistence keys.

5. Configure Elevation Control

- Default: Deny all elevation requests.

- Time-bound approvals: Enable Request Elevation for end users.

- Maximum elevation duration: 4 hours.

- Require technician approval: Yes (approval via ThreatLocker portal or email).

- Audit all elevation events: Yes (logged in Unified Audit).

- Pre-approved elevations: Create policies for known applications that require admin rights (e.g., printer installers, approved vendor setup tools).

- Set expiry: 30 days (forces re-evaluation).

- ThreatLocker Portal > Organizations > [Client Org] > Settings > Notifications

- Send elevation requests to: helpdesk@netier.com.au

Verification Checks

Rollback

   # Requires the uninstall password from ThreatLocker portal

   & "C:\Program Files\ThreatLocker\ThreatLockerStub.exe" /uninstall /quiet /password "UNINSTALL-PASSWORD"
   

Sophos MDR Onboarding & Configuration

Prerequisites

Step-by-Step Instructions

1. Deploy Sophos Endpoint Agent

# Sophos Central thin installer deployment
Replace URL with the tenant-specific download link from Sophos Central
$sophosInstallerUrl = "https://central.sophos.com/api/download/SophosSetup.exe"
$installPath = "C:\Temp\SophosSetup.exe"

New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
Invoke-WebRequest -Uri $sophosInstallerUrl -OutFile $installPath
Start-Process -FilePath $installPath -ArgumentList "--quiet" -Wait -NoNewWindow

Verify Sophos services are running
Get-Service -Name "Sophos*" | Select-Object Name, Status
Expected: Sophos Endpoint Defense Service, Sophos File Scanner Service, Sophos MCS Agent, etc.

2. Enable Tamper Protection

# Check Sophos tamper protection status via registry
Get-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\SAVService\TamperProtection" -Name "Enabled" -ErrorAction SilentlyContinue
Or check via Sophos CLI (if available)
& "C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -status

3. Configure Centrally Managed Scan Exclusions

- Allowed exclusion types: Specific file paths, process names, or file extensions for known vendor requirements.

- Example legitimate exclusions:

- SQL Server data files: C:\Program Files\Microsoft SQL Server\MSSQL\MSSQL\DATA\.mdf

- Line-of-business app: C:\Program Files\VendorApp\engine.exe (process exclusion)

- Prohibited exclusion patterns:

- No wildcard exclusions for user profile directories (e.g., never exclude C:\Users\\Downloads\)

- No blanket folder exclusions for C:\Temp\ or %APPDATA%\

- No file extension exclusions for executable types (.exe, .dll, .ps1, .bat, .js)

- Reason for exclusion

- Vendor KB article or support ticket reference

- Review date (maximum 6 months)

4. Configure Web Control

- Block: Malicious sites (default), Phishing sites (default), Spam URLs, Anonymizer/proxy sites, Hacking sites

- Block: Unrated/uncategorized websites

- Warn: Sites with low reputation score

- Allow: Business-critical categories as identified by client

5. Configure Device Control (USB)

- Removable Storage (USB drives): Block (or Read Only if the client requires USB read access)

- Optical Drives (CD/DVD): Block (or Read Only)

- Wireless Devices (Bluetooth file transfer): Block

- Modems/Mobile broadband: Block

- Exceptions: Add specific approved USB device IDs (e.g., hardware tokens, encrypted USB drives by serial number):

- Navigate to Exceptions > Add Exception > Enter vendor ID + product ID or serial number.

- Set to Allow with Full Access.

# Test USB block - insert a USB drive and check Event Viewer
Get-WinEvent -LogName "Application" -FilterXPath "*[System[Provider[@Name='Sophos Device Control']]]" -MaxEvents 5 | Format-Table TimeCreated, Message -AutoSize

Verification Checks

Rollback

- Sophos Central > Devices > [Device] > Actions > Turn off Tamper Protection

- This generates a one-time password valid for 4 hours.

   # Must disable tamper protection first via Sophos Central

   & "C:\Program Files\Sophos\Sophos Endpoint Agent\SophosUninstall.exe" --quiet
   

Microsoft Defender for Endpoint -- ASR Rules

Prerequisites

Step-by-Step Instructions

1. Deploy ASR Rules via Intune

- Exclude approved RMM tools (e.g., NinjaOne agent path) from the PSExec/WMI rule if they use WMI for management.

- Exclude approved automation scripts from the obfuscated scripts rule if they trigger false positives.

- Document every exclusion with justification.

2. Deploy ASR Rules via GPO

- Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction

- Configure Attack Surface Reduction rules: Enabled

- Click Show and add each rule GUID with value 1 (Block) or 6 (Warn) or 2 (Audit):

BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 1
D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 1
3B576869-A4EC-4529-8536-B80A7769E899 = 1
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 1
D3E037E1-3EB8-44C8-A917-57927947596D = 1
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 1
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 1
01443614-CD74-433A-B99E-2ECDC07BFC25 = 1
9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 = 1
B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 = 1
D1E49AAC-8F56-4280-B9BA-993A6D77406C = 1
C1DB55AB-C21A-4637-BB3F-A12568109D35 = 1
7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C = 1
E6DB77E5-3DF2-4CF1-B95A-636979351E5B = 1

# Enable all ASR rules in Block mode
$rules = @(
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550",  # Block executable content from email
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A",  # Block Office child processes
    "3B576869-A4EC-4529-8536-B80A7769E899",  # Block Office executable content creation
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84",  # Block Office code injection
    "D3E037E1-3EB8-44C8-A917-57927947596D",  # Block JS/VBS launching executables
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC",  # Block obfuscated scripts
    "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B",  # Block Win32 API from Office macros
    "01443614-CD74-433A-B99E-2ECDC07BFC25",  # Block low-prevalence executables
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2",  # Block LSASS credential stealing
    "B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4",  # Block untrusted USB processes
    "D1E49AAC-8F56-4280-B9BA-993A6D77406C",  # Block PSExec/WMI process creation
    "C1DB55AB-C21A-4637-BB3F-A12568109D35",  # Advanced ransomware protection
    "7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C",  # Block Adobe Reader child processes
    "E6DB77E5-3DF2-4CF1-B95A-636979351E5B"   # Block WMI persistence
)

Set all rules to Block (1) -- use 2 for Audit during testing
$actions = @(1,1,1,1,1,1,1,1,1,1,1,1,1,1)
Set-MpPreference -AttackSurfaceReductionRules_Ids $rules -AttackSurfaceReductionRules_Actions $actions

Verify ASR rules are applied
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
Action values: 0=Disabled, 1=Block, 2=Audit, 6=Warn

3. Monitor ASR Events

# Query ASR audit/block events from Windows Event Log
Event ID 1121 = ASR rule blocked, Event ID 1122 = ASR rule audited
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" -FilterXPath "*[System[EventID=1121 or EventID=1122]]" -MaxEvents 50 | Format-Table TimeCreated, Id, Message -AutoSize

Query via Microsoft 365 Defender Advanced Hunting (in M365 Security portal)
Navigate to: security.microsoft.com > Hunting > Advanced Hunting
KQL query:
DeviceEvents
| where ActionType startswith "Asr"
| where Timestamp > ago(7d)
| summarize count() by ActionType, DeviceName
| order by count_ desc

4. Add ASR Exclusions (When Required)

# Add per-rule exclusion (example: exclude RMM agent from PSExec/WMI rule)
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\ProgramData\NinjaRMMAgent\ninjarmm-cli.exe"

Verify exclusions
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions

Verification Checks

Rollback

   # Switch LSASS rule to Audit (value 2) for investigation

   Set-MpPreference -AttackSurfaceReductionRules_Ids "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2" -AttackSurfaceReductionRules_Actions 2
   

   Set-MpPreference -AttackSurfaceReductionRules_Ids "RULE-GUID-HERE" -AttackSurfaceReductionRules_Actions 0

   

Application Control Policy Validation (Annual Review)

Prerequisites

Step-by-Step Instructions

1. ThreatLocker Annual Ruleset Review

- Is the application still in use? Cross-reference with software inventory from NinjaOne or ConnectWise Automate.

- Is the publisher certificate still valid? Check expiry dates on certificate-based rules.

- Are there hash-only rules that could be upgraded to certificate rules? (reduces maintenance burden)

- Are there overly broad path rules? (e.g., C:\Users\\ -- these should be tightened)

- Are there entries for applications that have been decommissioned? Remove them.

2. Sophos Exclusion Review

- Is the exclusion still required? Contact the vendor or check KB articles for current requirements.

- Is the exclusion scoped appropriately? Tighten if possible (e.g., change folder exclusion to process exclusion).

- Are there any wildcard exclusions for user directories? Remove immediately unless there is exceptional documented justification with compensating controls.

3. Defender ASR Exclusion Review

   # Review ASR exclusions across all managed devices (via M365 Defender Advanced Hunting)

   # DeviceEvents
   # | where ActionType == "AsrRuleExclusionApplied"
   # | where Timestamp > ago(90d)
   # | summarize count() by FileName, FolderPath
   # | order by count_ desc
   

4. Document and Close Review

Verification Checks

Rollback

Master Verification Checklist

ThreatLocker

Sophos MDR

Defender for Endpoint ASR

Annual Review

Document History

SOP: Vulnerability Management

Document ID: NET-SOP-VULN-001
Version: 1.0
Effective Date: 2026-03-26
Next Review: 2026-09-26
Owner: Netier — Security & Cloud Engineering
Classification: Internal
TCF Section: 4.0
Review Cycle: Quarterly or after vendor portal/product changes

Table of Contents

Scanner Deployment & Configuration

Prerequisites

Step-by-Step Instructions

1. Deploy Tenable Nessus Scanner

# Silent install
Start-Process -FilePath "Nessus-10.x.x-x64.msi" -ArgumentList "/qn ADDLOCAL=ALL" -Wait

Start Nessus service
Start-Service -Name "Tenable Nessus"

Access web UI at https://localhost:8834
Complete initial setup: register license, create admin account, download plugins

# Ubuntu/Debian
sudo dpkg -i Nessus-10.x.x-ubuntu1404_amd64.deb
sudo systemctl start nessusd
sudo systemctl enable nessusd

Access web UI at https://<scanner-ip>:8834

- Register with activation code from Tenable license.

- Wait for plugin compilation (can take 30-60 minutes on first run).

- Navigate to Settings > Advanced and configure:

- Max simultaneous hosts per scan: 30 (adjust based on network capacity)

- Max simultaneous checks per host: 5

- Network timeout: 10 seconds

2. Deploy ConnectSecure Scanner

- Download the probe installer for the client environment.

- Install on a dedicated VM or the same scanner appliance.

# ConnectSecure probe installation (replace with actual download link from portal)
$probeUrl = "https://deployment.connectsecure.com/probe/ConnectSecureProbe-Setup.exe"
$installPath = "C:\Temp\CSProbeSetup.exe"

New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
Invoke-WebRequest -Uri $probeUrl -OutFile $installPath
Start-Process -FilePath $installPath -ArgumentList "/S /COMPANY_ID=YOUR-COMPANY-ID /COMPANY_KEY=YOUR-KEY" -Wait

Verify probe is running
Get-Service -Name "ConnectSecure*" | Select-Object Name, Status

- Navigate to ConnectSecure Portal > Assets > Scan Targets > Add Targets.

- Add all client subnets (e.g., 10.0.0.0/24, 10.0.10.0/24, 192.168.1.0/24).

3. Network Configuration

Ensure the following firewall rules are in place:

Verification Checks

Rollback

Credentialed Scan Configuration

Prerequisites

Step-by-Step Instructions

1. Create Windows Scan Service Account

# Create AD service account for vulnerability scanning
New-ADUser -Name "svc-vulnscan" 

    -SamAccountName "svc-vulnscan" 
    -UserPrincipalName "svc-vulnscan@contoso.local" 

    -Path "OU=Service Accounts,DC=contoso,DC=local" 
    -AccountPassword (ConvertTo-SecureString "GENERATE-STRONG-PASSWORD" -AsPlainText -Force) 

    -Enabled $true 
    -PasswordNeverExpires $true 

    -CannotChangePassword $true 
    -Description "Vulnerability scanner service account - Nessus/ConnectSecure"

Add to local Administrators on all targets via GPO Restricted Groups
OR add to Domain Admins (less preferred, broader than needed)
Add-ADGroupMember -Identity "Domain Admins" -Members "svc-vulnscan"

- Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups

- Add group: Administrators

- Members of this group: Add CONTOSO\svc-vulnscan

2. Configure Windows Targets for Credentialed Scanning

# Enable WinRM for credentialed scanning (if using WinRM-based scans)
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "SCANNER-IP" -Force

Enable Remote Registry (required for Nessus credentialed scans)
Set-Service -Name "RemoteRegistry" -StartupType Automatic
Start-Service -Name "RemoteRegistry"

Configure Windows Firewall for WMI (required for Nessus)
These rules may already exist but ensure they are enabled
Enable-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)"
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

For non-domain environments, disable UAC remote restrictions for local admin
(Only if scan account is a local admin, not a domain admin)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1 -Type DWord

3. Configure Nessus Credential Sets

- Authentication method: Password

- Username: CONTOSO\svc-vulnscan

- Password: (retrieve from Bitwarden)

- SMB Signing: Required

- Authentication method: SSH key

- Username: svc-vulnscan

- Private key file: Upload the SSH private key

- Elevate privileges with: sudo

- Community string: (retrieve from Bitwarden, per-client)

- Version: SNMPv3 preferred (with auth and encryption)

4. Configure ConnectSecure Credential Sets

- Type: Windows/Domain

- Domain: contoso.local

- Username: svc-vulnscan

- Password: (retrieve from Bitwarden)

5. Validate Credentialed Scanning

Run a test scan against a single representative target and verify:

# After scan completes, check for "Credentialed checks: yes" in scan results
In Nessus: open scan results > click a host > look for Plugin 19506 "Nessus Scan Information"
The output should contain:
  Credentialed checks : yes
  Patch management checks : (details)

In ConnectSecure, check the scan results for the target and verify the asset shows full software inventory (only possible with authenticated scanning).

Verification Checks

Rollback

Scan Scheduling

Prerequisites

Step-by-Step Instructions

1. Weekly External Authenticated Scans

- Name: [ClientCode]-External-Weekly

- Targets: Client's external IP addresses and hostnames (e.g., 203.0.113.10, mail.contoso.com, vpn.contoso.com)

- Scanner: Select the external-facing scanner (or Tenable.io cloud scanner)

- Policy:

- Discovery > Host Discovery: Ping host, TCP scan (common ports + client-specific ports)

- Assessment > General: Enable Thorough tests and Web application tests (for external web services)

- Credentials: Add any external service credentials (web app logins, SMTP auth, etc.)

- Schedule: Weekly, every Sunday at 02:00 AEST

- Email Notifications: Send on completion to security@netier.com.au

- Navigate to Scans > External Scans > Schedule.

- Add external targets.

- Schedule: Weekly, Sunday 02:00 AEST.

2. Monthly Internal Authenticated Scans

- Name: [ClientCode]-Internal-Monthly

- Targets: All internal subnets (e.g., 10.0.0.0/24, 10.0.10.0/24, 10.0.20.0/24)

- Scanner: Internal scanner appliance

- Policy:

- Discovery > Host Discovery: Ping host, ARP (if on same subnet), TCP/UDP scan

- Assessment > General: Enable Thorough tests

- Assessment > Brute Force: Disabled (do not brute force client credentials)

- Compliance: Enable CIS benchmarks for Windows Server 2022, Windows 11 if compliance scanning is required

- Credentials: Windows domain credentials + SSH credentials (as configured above)

- Schedule: Monthly, first Saturday at 20:00 AEST

- Max scan duration: 24 hours (kill scan after this to avoid running into business hours)

- Email Notifications: Send on completion to security@netier.com.au

- Navigate to Scans > Internal Scans > Schedule.

- Add all internal target ranges.

- Schedule: Monthly, 1st Saturday 20:00 AEST.

3. Ad-Hoc Scans (Post-Patch / Emergency)

For critical vulnerability verification or post-patch validation:

# Nessus CLI - launch an ad-hoc scan (example using Nessus API)
$nessusUrl = "https://scanner-ip:8834"
$headers = @{ "X-ApiKeys" = "accessKey=YOUR_ACCESS_KEY;secretKey=YOUR_SECRET_KEY" }

Get scan ID for the internal scan template
$scans = Invoke-RestMethod -Uri "$nessusUrl/scans" -Headers $headers -Method Get
$scanId = ($scans.scans | Where-Object { $_.name -eq "[ClientCode]-Internal-Monthly" }).id

Launch the scan immediately
Invoke-RestMethod -Uri "$nessusUrl/scans/$scanId/launch" -Headers $headers -Method Post

Verification Checks

Rollback

   Invoke-RestMethod -Uri "$nessusUrl/scans/$scanId/stop" -Headers $headers -Method Post

   

CVSS-to-Priority Mapping & Ticket Workflow

Prerequisites

Step-by-Step Instructions

1. Priority Mapping Table

All vulnerabilities discovered by scanning are mapped to ConnectWise Manage ticket priorities using the following CVSS v3.1 base score ranges:

2. Configure ConnectWise Manage Workflow Rule (WF-006)

- Trigger: Ticket created on board Security - Vulnerabilities

- Conditions and Actions:

- If ticket summary contains [CRITICAL] or CVSS:9. or CVSS:10.: Set Priority to P1 - Critical, set SLA to 48 hours.

- If ticket summary contains [HIGH] or CVSS:7. or CVSS:8.: Set Priority to P2 - High, set SLA to 14 days.

- If ticket summary contains [MEDIUM] or CVSS:4. or CVSS:5. or CVSS:6.: Set Priority to P3 - Medium, set SLA to 30 days.

- If ticket summary contains [LOW] or CVSS:0. or CVSS:1. or CVSS:2. or CVSS:3.: Set Priority to P4 - Low, set SLA to 90 days.

- Additional Action: Send email notification to security@netier.com.au for all P1 tickets.

3. Configure Automated Ticket Creation

- API URL: https://api-na.myconnectwise.net/v4_6_release/apis/3.0

- Company ID: (Netier's CW company ID)

- Public Key / Private Key: (retrieve from Bitwarden: "ConnectWise Manage API - ConnectSecure")

- Board: Security - Vulnerabilities

- Ticket Prefix: [ClientCode]-VULN

- Auto-create tickets: Enabled for CVSS >= 4.0 (suppress P4/Low to avoid ticket flood; review low-severity in monthly reports)

- Deduplication: Enabled (do not create duplicate tickets for the same CVE on the same host)

# PowerShell script to export Nessus scan results and create CW tickets
Run after each scheduled scan completes

param(
    [string]$NessusUrl = "https://scanner-ip:8834",
    [string]$ScanId,
    [string]$CWApiUrl = "https://api-na.myconnectwise.net/v4_6_release/apis/3.0",
    [string]$CWCompanyId = "netier",
    [float]$MinCVSS = 4.0
)

Get scan results from Nessus API
$headers = @{ "X-ApiKeys" = "accessKey=$env:NESSUS_ACCESS_KEY;secretKey=$env:NESSUS_SECRET_KEY" }
$results = Invoke-RestMethod -Uri "$NessusUrl/scans/$ScanId" -Headers $headers -Method Get

foreach ($hostEntry in $results.hosts) {
    $hostDetails = Invoke-RestMethod -Uri "$NessusUrl/scans/$ScanId/hosts/$($hostEntry.host_id)" -Headers $headers
    foreach ($vuln in $hostDetails.vulnerabilities) {
        if ($vuln.severity -ge 2) {  # Medium and above
            $pluginDetails = Invoke-RestMethod -Uri "$NessusUrl/scans/$ScanId/hosts/$($hostEntry.host_id)/plugins/$($vuln.plugin_id)" -Headers $headers
            $cvss = $pluginDetails.info.plugindescription.pluginattributes.risk_information.cvss3_base_score

            if ([float]$cvss -ge $MinCVSS) {
                $severity = if ([float]$cvss -ge 9.0) { "[CRITICAL]" }
                    elseif ([float]$cvss -ge 7.0) { "[HIGH]" }
                    elseif ([float]$cvss -ge 4.0) { "[MEDIUM]" }
                    else { "[LOW]" }

                $cveList = $pluginDetails.info.plugindescription.pluginattributes.cve -join ", "
                $solution = $pluginDetails.info.plugindescription.pluginattributes.solution

                # Create ConnectWise ticket body
                $ticketBody = @{
                    summary = "$severity $($vuln.plugin_name) on $($hostEntry.hostname) (CVSS:$cvss)"
                    board = @{ name = "Security - Vulnerabilities" }
                    company = @{ identifier = $CWCompanyId }
                    initialDescription = @"
Vulnerability: $($vuln.plugin_name)
CVE: $cveList
Host: $($hostEntry.hostname)
CVSS v3.1 Base Score: $cvss
Nessus Plugin ID: $($vuln.plugin_id)

Solution:
$solution

Detected by: Nessus scheduled scan
Scan Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm')
"@
                } | ConvertTo-Json -Depth 4

                # POST to ConnectWise Manage API
                $cwAuthString = "$($CWCompanyId)+$env:CW_PUBLIC_KEY:$env:CW_PRIVATE_KEY"

                $cwAuthBytes = [System.Text.Encoding]::ASCII.GetBytes($cwAuthString)
                $cwAuthBase64 = [System.Convert]::ToBase64String($cwAuthBytes)
                $cwHeaders = @{
                    "Authorization" = "Basic $cwAuthBase64"
                    "Content-Type"  = "application/json"
                    "clientId"      = $env:CW_CLIENT_ID
                }

                try {
                    Invoke-RestMethod -Uri "$CWApiUrl/service/tickets" -Method Post -Body $ticketBody -Headers $cwHeaders
                    Write-Host "Ticket created: $severity $($vuln.plugin_name) on $($hostEntry.hostname)"
                } catch {
                    Write-Warning "Failed to create ticket for $($vuln.plugin_name) on $($hostEntry.hostname): $_"
                }
            }
        }
    }
}

# Download current CISA KEV catalog
$kevUrl = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
$kevData = Invoke-RestMethod -Uri $kevUrl -Method Get
$kevCVEs = $kevData.vulnerabilities | ForEach-Object { $_.cveID }

Write-Host "CISA KEV catalog loaded: $($kevCVEs.Count) known exploited vulnerabilities"

Import CVEs from latest scan export (CSV from Nessus or ConnectSecure)
$scanExportPath = "C:\VulnScans\Latest\scan_results.csv"
$scanResults = Import-Csv -Path $scanExportPath
$scanCVEs = $scanResults | Where-Object { $_.CVE -ne "" } | Select-Object -ExpandProperty CVE -Unique

Cross-reference
$kevMatches = $scanCVEs | Where-Object { $_ -in $kevCVEs }

if ($kevMatches.Count -gt 0) {
    Write-Host "n=== ALERT: $($kevMatches.Count) CISA KEV vulnerabilities found ===" -ForegroundColor Red
    foreach ($cve in $kevMatches) {
        $kevDetail = $kevData.vulnerabilities | Where-Object { $_.cveID -eq $cve }
        Write-Host "n  CVE: $cve" -ForegroundColor Yellow

        Write-Host "  Vulnerability: $($kevDetail.vulnerabilityName)"
        Write-Host "  Vendor/Product: $($kevDetail.vendorProject) / $($kevDetail.product)"
        Write-Host "  CISA Due Date: $($kevDetail.dueDate)"
        Write-Host "  Required Action: $($kevDetail.requiredAction)"
        Write-Host "  >>> AUTO-ESCALATING TO P1 <<<" -ForegroundColor Red

        # Find and escalate matching CW tickets
        # (integrate with CW API to update existing tickets to P1)
    }

    # Export KEV matches to log
    $logPath = "C:\VulnScans\Logs\KEV-Matches-$(Get-Date -Format 'yyyy-MM-dd').csv"
    $kevMatches | ForEach-Object {
        $detail = $kevData.vulnerabilities | Where-Object { $_.cveID -eq $_ }
        [PSCustomObject]@{
            CVE            = $_
            Vulnerability  = $detail.vulnerabilityName
            VendorProduct  = "$($detail.vendorProject) / $($detail.product)"
            CISADueDate    = $detail.dueDate
            RequiredAction = $detail.requiredAction
            DetectedDate   = Get-Date -Format 'yyyy-MM-dd'
        }
    } | Export-Csv -Path $logPath -NoTypeInformation
    Write-Host "nKEV match log saved to: $logPath"
} else {
    Write-Host "nNo CISA KEV matches found in scan results." -ForegroundColor Green

}

   CISA KEV ESCALATION: This vulnerability (CVE-XXXX-XXXX) is listed in the CISA Known Exploited

   Vulnerabilities catalog. Per SOP NET-SOP-VULN-001, this has been auto-escalated to P1 with a
   48-hour remediation SLA. Original CVSS score: X.X.
   Required Action: [from KEV catalog]
   CISA Due Date: [from KEV catalog]
   

# Send KEV alert email via SMTP
$smtpParams = @{
    From       = "vulnscan@netier.com.au"
    To         = "security@netier.com.au"
    Subject    = "URGENT: CISA KEV Vulnerability Detected - $($kevMatches.Count) match(es)"
    Body       = "The following CISA KEV vulnerabilities were detected in the latest scan for [ClientCode]:nn$($kevMatches -join "n")nnImmediate P1 remediation required per SOP NET-SOP-VULN-001."
    SmtpServer = "smtp.netier.com.au"
    Port       = 587
    UseSsl     = $true
    Credential = $smtpCredential
}
Send-MailMessage @smtpParams

3. Weekly KEV Catalog Sync

Schedule a Windows Task Scheduler job to download the latest KEV catalog and re-check all open vulnerability tickets:

# Create scheduled task for weekly KEV sync
Script location: C:\Scripts\Invoke-KEVCrossReference.ps1

$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\Invoke-KEVCrossReference.ps1"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At "06:00"
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -DontStopOnIdleEnd
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest

Register-ScheduledTask -TaskName "KEV-Weekly-CrossReference" -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Description "Weekly CISA KEV cross-reference against open vulnerability tickets"

Verification Checks

Rollback

   Disable-ScheduledTask -TaskName "KEV-Weekly-CrossReference"

   

Remediation Workflow

Prerequisites

Step-by-Step Instructions

1. Workflow Overview

SCAN --> TICKET CREATED (auto) --> ASSIGN TECHNICIAN --> REMEDIATE --> RE-SCAN --> CONFIRM FIXED --> CLOSE TICKET

Detailed workflow:

2. Triage Process

For each new vulnerability ticket:

- Review the Nessus/ConnectSecure plugin output for the specific host.

- Check if the vulnerable software version matches what is installed (credentialed scan confirmation).

- If false positive: add note to ticket with justification, set status to Closed - False Positive, and add the plugin to the scanner's false positive suppression list.

- Is the vulnerable service exposed externally? (If yes, treat as higher urgency)

- Is there a public exploit available? (Check Exploit-DB, Metasploit modules)

- Is it in the CISA KEV catalog? (If yes, auto-P1 per above section)

- Patch available: Schedule patching via NinjaOne or WSUS.

- No patch available: Implement compensating controls (e.g., disable service, restrict network access, apply WAF rule).

- Configuration issue: Implement hardening per CIS benchmark or vendor guidance.

3. Remediation Implementation

- NinjaOne > Administration > Policies > [Client Policy] > Patching > Approve the specific KB.

- Or: NinjaOne > Devices > [Device] > Patching > Install the specific update.

# Install specific Windows update on a remote server
Invoke-Command -ComputerName "SERVER01" -ScriptBlock {
    # Use PSWindowsUpdate module for simplified patch management
    Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers
    Import-Module PSWindowsUpdate

    # Search for specific KB
    $update = Get-WindowsUpdate -KBArticleID "KB5034441"

    if ($update) {
        Write-Host "Installing $($update.Title)..."
        Install-WindowsUpdate -KBArticleID "KB5034441" -AcceptAll -AutoReboot -Verbose
    } else {
        Write-Host "KB5034441 not applicable or already installed."
    }
}

# Example 1: Disable weak TLS versions (TLS 1.0 / 1.1)
$protocols = @("TLS 1.0", "TLS 1.1")
foreach ($protocol in $protocols) {
    $serverPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server"
    $clientPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client"

    New-Item -Path $serverPath -Force | Out-Null
    Set-ItemProperty -Path $serverPath -Name "Enabled" -Value 0 -Type DWord
    Set-ItemProperty -Path $serverPath -Name "DisabledByDefault" -Value 1 -Type DWord

    New-Item -Path $clientPath -Force | Out-Null
    Set-ItemProperty -Path $clientPath -Name "Enabled" -Value 0 -Type DWord
    Set-ItemProperty -Path $clientPath -Name "DisabledByDefault" -Value 1 -Type DWord
}
Write-Host "TLS 1.0 and 1.1 disabled. Reboot required."

Example 2: Disable weak cipher suites
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA"
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

Verify active TLS versions and cipher suites
[Net.ServicePointManager]::SecurityProtocol
Get-TlsCipherSuite | Select-Object Name, Protocols | Format-Table -AutoSize

# Example 3: Remediate open SMB null session
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RestrictNullSessAccess" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name "RestrictAnonymous" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name "RestrictAnonymousSAM" -Value 1

4. Re-Scan and Confirmation

After remediation is applied:

- In Nessus: create an ad-hoc scan targeting only the remediated host(s) with the same credentials.

- In ConnectSecure: trigger a manual scan for the specific asset from Assets > [Host] > Scan Now.

- Open the re-scan results and confirm the specific plugin/CVE is absent.

- If the vulnerability persists, investigate: Was the patch applied correctly? Does it require a reboot? Is there a different instance of the vulnerable software?

- Add the re-scan results as evidence (screenshot or exported PDF).

- Add internal note with: remediation action taken, date applied, re-scan date, and confirmation of resolution.

- Set ticket status to Closed - Resolved.

# Quick validation: check if a specific KB is installed
Get-HotFix -Id "KB5034441" -ComputerName "SERVER01" -ErrorAction SilentlyContinue
If no result, the patch is NOT installed

Validate TLS configuration post-remediation
Invoke-Command -ComputerName "SERVER01" -ScriptBlock {
    $tls10 = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -ErrorAction SilentlyContinue
    $tls11 = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "Enabled" -ErrorAction SilentlyContinue
    Write-Host "TLS 1.0 Enabled: $($tls10.Enabled) (should be 0)"
    Write-Host "TLS 1.1 Enabled: $($tls11.Enabled) (should be 0)"
}

Verification Checks

Rollback

   # Uninstall specific Windows update

   wusa /uninstall /kb:5034441 /quiet /norestart
   # Or via PowerShell
   Remove-WindowsUpdate -KBArticleID "KB5034441" -NoRestart
   

Evidence Collection for Compliance Reporting

Prerequisites

Step-by-Step Instructions

1. Monthly Vulnerability Report Generation

After the monthly internal scan completes:

- Navigate to Nessus > Scans > [Monthly Scan] > Report.

- Export as PDF with format: Executive Summary.

- This includes: total vulnerabilities by severity, trend comparison, top 10 vulnerabilities, and remediation progress.

- Navigate to ConnectSecure Portal > Reports > Vulnerability Report.

- Select the client organization and the most recent scan.

- Export as PDF.

- Navigate to ConnectWise Manage > Reports > Service Board Report.

- Filter: Board = Security - Vulnerabilities, Date range = last 30 days.

- Include: Ticket ID, Summary, Priority, Status, Created Date, Closed Date, SLA Compliance.

- Export as PDF or Excel.

2. Quarterly Compliance Evidence Pack

Compile the following evidence for quarterly compliance reviews:

3. Store Evidence

- Path: [Client SharePoint] > Shared Documents > IT Security > Vulnerability Management > [YYYY-QX]

- Example: Contoso SharePoint > IT Security > Vulnerability Management > 2026-Q1

- [ClientCode]_VulnScan_External_[YYYY-MM-DD].pdf

- [ClientCode]_VulnScan_Internal_[YYYY-MM-DD].pdf

- [ClientCode]_Remediation_SLA_Report_[YYYY-QX].pdf

- [ClientCode]_KEV_CrossRef_Log_[YYYY-MM-DD].txt

4. Annual Vulnerability Management Review

Once per year (aligned with the annual compliance cycle):

- Total vulnerabilities discovered vs. remediated

- Average time-to-remediate by priority

- SLA compliance rate (target: 95%+)

- Number of CISA KEV matches and remediation times

- Recurring vulnerabilities (same CVE appearing in multiple scans)

- Are scan schedules adequate?

- Are credentials working for all targets?

- Are any systems consistently unscanned?

- Is the CVSS-to-priority mapping appropriate?

Verification Checks

Rollback

Master Verification Checklist

Scanner Deployment

Credentialed Scanning

Scan Scheduling

CVSS-to-Priority Mapping

CISA KEV

Remediation Workflow

Evidence & Reporting

Document History

SOP: Security Awareness & Training

Document ID: NET-SOP-SAT-001
Version: 1.0
Effective Date: 2026-03-26
Next Review: 2026-09-26
Owner: Netier — Security & Cloud Engineering
Classification: Internal
TCF Section: 5.0
Review Cycle: Quarterly or after vendor portal/product changes

Table of Contents

1. uSecure Platform Setup & Client Tenant Onboarding

Prerequisites

Step-by-Step Instructions

- Navigate to Company > Settings > Directory Sync.

- Select Microsoft 365 / Azure AD.

- Click Authorise and sign in with the client's Global Admin or a delegated admin account with User.Read.All and Directory.Read.All Graph permissions.

- Map the required attributes: Display Name, Email, Department, Job Title.

- Set sync frequency to Daily at 02:00 AEST.

- Click Save & Test Sync. Verify the user count matches expectations.

- Navigate to Company > Users > Import.

- Download the CSV template and populate with: First Name, Last Name, Email, Department, Job Title.

- Upload the CSV and confirm the import preview.

- Navigate to Company > Settings > Notifications.

- Set the sender display name to the client's IT contact or IT Security .

- Set the reply-to address to the Netier service desk: support@netier.com.au.

- Enable notification types: Course Assignment, Course Reminder (3-day and 7-day), Simulation Sent, Policy Acknowledgement Due.

- Navigate to Company > Settings > Phishing Report Button.

- Copy the add-in manifest URL.

- In the Microsoft 365 Admin Centre (https://admin.microsoft.com) for the client tenant, go to Settings > Integrated apps > Upload custom apps.

- Paste the manifest URL and deploy to All Users or a targeted security group.

Verification Checks

Rollback

2. Baseline Security Assessment

Prerequisites

Step-by-Step Instructions

- Target: All Users (or the specific security group if a phased rollout was agreed).

- Start Date: the client's onboarding kickoff date (must be within Week 1).

- Deadline: 10 business days from start date.

- Reminders: Enable at Day 3 and Day 7.

- Navigate to Assess > Reports > Baseline.

- Check daily during the assessment window.

- If completion is below 50% at Day 5, escalate to the client primary contact via email requesting they send an internal reminder.

- Navigate to Assess > Reports > Baseline > Export.

- Download as PDF and CSV.

- Save the PDF to the client's compliance folder in SharePoint: Clients/{ClientName}/Compliance/Security Awareness/Baseline Assessment - {YYYY-MM}.pdf.

Verification Checks

Rollback

3. Monthly Automated Phishing Simulation Campaigns

Prerequisites

- IPs: Refer to https://help.usecure.io for the current IP list

- Domains: simulations.usecure.io, *.usecure.io

- Microsoft 365: Advanced Delivery policy configured for phishing simulation (Security & Compliance Centre > Email & Collaboration > Policies > Advanced Delivery > Phishing Simulation tab)

Step-by-Step Instructions

- Campaign Name: {ClientName} - Monthly Phish - {YYYY-MM} (e.g., Acme Corp - Monthly Phish - 2026-04).

- Target: All Users.

- Template Selection: Select Randomised (uSecure will assign a random template to each user from the enabled template pool). This prevents users from warning each other about identical emails.

- Template Pool: Enable at least 8 templates from the following categories, rotating quarterly:

- Credential Harvesting (e.g., "Microsoft 365 Password Expiry", "SharePoint Document Shared")

- Malicious Attachment (e.g., "Invoice Attached", "Delivery Notification")

- Link-Based (e.g., "IT Support Ticket Update", "Company Policy Update")

- Executive Impersonation (e.g., "CEO Urgent Request", "CFO Wire Transfer")

- Landing Page: Use the Netier-branded education landing page (select "Netier - Phishing Education" from the landing page library).

- Send Window: Randomised over 5 business days starting the first Monday of the month.

- Tracking Duration: 7 days from last send.

- Navigate to Simulate > Reports > Campaign Report.

- Review key metrics: Click Rate, Credential Submission Rate, Report Rate, Open Rate.

- Netier benchmark targets:

- Click Rate: below 15% (green), 15-25% (amber), above 25% (red)

- Report Rate: above 30% (green), 15-30% (amber), below 15% (red)

Verification Checks

Rollback

4. Quarterly Core Training Modules

Prerequisites

Step-by-Step Instructions

Q1 (January): Data Handling & Classification

- Module: "Handling Sensitive Data"

- Module: "Data Classification and Labelling"

- Module: "Clean Desk and Clear Screen"

Q2 (April): Password Hygiene & Authentication

- Module: "Password Best Practices"

- Module: "Multi-Factor Authentication"

- Module: "Credential Theft Awareness"

Q3 (July): Social Engineering & Phishing

- Module: "Identifying Phishing Emails"

- Module: "Social Engineering Tactics"

- Module: "Business Email Compromise"

Q4 (October): Physical Security & Incident Reporting

- Module: "Physical Security Awareness"

- Module: "Reporting Security Incidents"

- Module: "Removable Media and USB Security"

- Target: All Users (or departmental groups if client has role-specific training requirements).

- Start Date: First Monday of the quarter month.

- Deadline: 20 business days from start date.

- Reminders: Enable at Day 5, Day 10, and Day 15.

- Completion Certificate: Enabled (users receive a PDF certificate on completion).

- Check weekly via Train > Reports > Course Completion.

- At Day 10, send a reminder to the client primary contact listing users below 50% completion.

- At Day 15, escalate non-completions to the client's HR or management contact if previously agreed.

- Export the completion report as PDF and CSV.

- Save to: Clients/{ClientName}/Compliance/Security Awareness/Training Reports/Quarterly Training - {YYYY-QX}.pdf.

- Users who did not complete the assigned training are flagged and added to a ConnectWise ticket for client follow-up (see Section 5).

Verification Checks

Rollback

5. Auto-Enrollment Remedial Training & ConnectWise Integration

Prerequisites

Step-by-Step Instructions

- Navigate to the client company, then go to Settings > Automation Rules.

- Click + New Rule.

- Rule 1 — Phishing Failure Remediation:

- Trigger: User clicks a phishing simulation link OR submits credentials on a simulation landing page.

- Action: Auto-enroll user in "Identifying Phishing Emails" remedial course.

- Deadline: 10 business days from enrollment.

- Reminders: Day 3 and Day 7.

- Rule 2 — Repeat Offender Escalation:

- Trigger: User fails 2 or more phishing simulations within a rolling 90-day window.

- Action: Auto-enroll in "Advanced Phishing Defence" course AND trigger ConnectWise ticket.

- Deadline: 10 business days.

- Rule 3 — Training Non-Completion:

- Trigger: User does not complete assigned quarterly training by the deadline.

- Action: Auto-enroll in the same training course with a 5-business-day extension AND trigger ConnectWise ticket.

- Click Save for each rule.

- Navigate to Admin > Integrations > ConnectWise Manage.

- Enter the ConnectWise Manage API URL: https://au.myconnectwise.net/v4_6_release/apis/3.0.

- Enter the API Public Key and Private Key (retrieve from Netier credential vault — search "uSecure ConnectWise API").

- Set the Company ID to netier.

- Map ticket fields:

- Board: Service Desk

- Type: Security Awareness

- Subtype: Remediation Required

- Priority: Medium (escalate to High for repeat offenders)

- Status: New

- Set the Workflow ID to WF-010.

- Click Test Connection to verify, then Save.

- The ticket summary follows the format: [SAT Remediation] {UserName} - {TriggerReason} - {ClientName}.

- The ticket body includes: user details, trigger event, assigned remedial course, and deadline.

- The Netier service desk triages the ticket and confirms the client's designated contact has been notified.

- Once the user completes the remedial training, uSecure updates the ticket status to Completed via the API.

- After each monthly phishing campaign, check Settings > Automation Rules > Execution Log for the client.

- Confirm that users who clicked/submitted credentials have been auto-enrolled.

- Spot-check 2-3 users to ensure ConnectWise tickets were created for repeat offenders.

Verification Checks

Rollback

6. CyberCred Security Champions Program

Prerequisites

Step-by-Step Instructions

| Activity | Points Awarded | Frequency Cap |

|----------|---------------|---------------|

| Complete a training module | 10 per module | No cap |

| Pass a phishing simulation (no click) | 15 per campaign | Monthly |

| Report a suspicious email via Outlook button | 5 per report | 3 per day max |

| Report a real phishing email (verified by SOC) | 25 per report | No cap |

| Attend a security briefing / lunch-and-learn | 20 per event | Quarterly |

| Complete the quarterly training set on time | 30 bonus | Quarterly |

| Pass baseline assessment with score above 80% | 50 bonus | One-time |

| Refer a colleague to complete overdue training | 5 per referral | No cap |

- Bronze: 50 points — Digital badge + mention in company newsletter

- Silver: 150 points — Digital badge + small gift card ($10 value)

- Gold: 300 points — Digital badge + branded merchandise pack

- Platinum: 500 points — Digital badge + premium gift card ($50 value) + Security Champion certificate

- Diamond: 1,000 points — Digital badge + premium gift ($100 value) + Security Champion of the Year nomination + featured on cyber.netier.team Hall of Fame

- Navigate to Program Settings > Leaderboard.

- Enable Company Leaderboard (shows top 10 users within the client company).

- Enable Department Leaderboard (if client has departments mapped).

- Set leaderboard refresh frequency: Real-time.

- Enable Monthly Leaderboard Email to all participants (sent on the 1st of each month).

- Leaderboard is publicly visible at: https://cyber.netier.team/{client-slug}/leaderboard.

- Navigate to Program Settings > Integrations > uSecure.

- Enter the uSecure API key for the client tenant (retrieve from uSecure > Company > Settings > API).

- Enable event sync for: Training Completion, Simulation Result, Email Report.

- Click Test Sync and verify a recent event is pulled through.

- Navigate to Program Settings > Communications.

- Customise the launch email template with client branding.

- Schedule the launch email for the agreed program start date.

- Include: program overview, how points are earned, reward tiers, link to leaderboard.

- Review the leaderboard and verify points are accruing correctly.

- Process reward redemptions for users who reach a new tier:

- Navigate to Rewards > Pending Redemptions.

- Confirm the user's tier eligibility.

- Dispatch the reward (digital badges are automatic; physical rewards are coordinated via Netier operations).

- At the end of each quarter, generate a CyberCred summary report:

- Navigate to Reports > Quarterly Summary.

- Export as PDF and include in the client's quarterly service review pack.

Verification Checks

Rollback

7. Reporting & Compliance Evidence Extraction

Prerequisites

Step-by-Step Instructions

- Log in to uSecure Partner Portal.

- Navigate to the client company.

- Export the following reports:

- Phishing Campaign Report (Simulate > Reports > Latest Campaign): PDF and CSV.

- Training Completion Report (Train > Reports > All Courses): PDF showing completion rates for the current quarter.

- User Risk Score Report (Assess > Reports > Risk Scores): PDF showing current risk posture per user.

- Save all exports to: Clients/{ClientName}/Compliance/Security Awareness/Monthly Evidence/{YYYY-MM}/.

- Export all monthly evidence for the quarter.

- Additionally export:

- Quarterly Training Summary (Train > Reports > Quarterly Summary): aggregate completion, pass rates, remediation counts.

- Phishing Trend Report (Simulate > Reports > Trend Analysis): click rate and report rate trends over the quarter.

- CyberCred Quarterly Summary (from cyber.netier.team > Reports > Quarterly Summary).

- Remedial Training Report (Train > Reports > Remedial Courses): list of users who were auto-enrolled, completion status.

- Compile into a single compliance evidence pack PDF.

- Save to: Clients/{ClientName}/Compliance/Security Awareness/Quarterly Evidence/{YYYY-QX}/.

| Evidence Item | ISO 27001 A.6.3 | ISM-0264 | ISM-1784 | IS18 PR4 |

|---------------|-----------------|----------|----------|----------|

| Baseline assessment results | Yes | Yes | - | Yes |

| Monthly phishing simulation reports | Yes | Yes | Yes | Yes |

| Quarterly training completion reports | Yes | Yes | Yes | Yes |

| Remedial training enrollment evidence | Yes | Yes | Yes | - |

| CyberCred participation summary | Yes | - | Yes | - |

| User risk score trend | Yes | Yes | Yes | Yes |

- Export the annual summary from uSecure: Reports > Annual Summary.

- Include year-over-year trend data for: click rates, report rates, training completion, risk scores.

- Include CyberCred annual participation and tier achievements.

- Present findings and recommendations in the client's annual security review meeting.

- Save to: Clients/{ClientName}/Compliance/Security Awareness/Annual Review/{YYYY}/.

Verification Checks

Rollback

8. Master Verification Checklist

uSecure Platform Setup & Client Tenant Onboarding

Baseline Security Assessment

Monthly Automated Phishing Simulation Campaigns

Quarterly Core Training Modules

Auto-Enrollment Remedial Training & ConnectWise Integration

CyberCred Security Champions Program

Reporting & Compliance Evidence Extraction

9. Document History

SOP: Endpoint Management (MDM/UEM)

Document ID: NET-SOP-MDM-001
Version: 1.0
Effective Date: 2026-03-26
Next Review: 2026-09-26
Owner: Netier — Security & Cloud Engineering
Classification: Internal
TCF Section: 6.0
Review Cycle: Quarterly or after vendor portal/product changes

Table of Contents

1. Windows 10/11 Endpoint Hardening

Prerequisites

Step-by-Step Instructions

- Navigate to Devices > Enrollment > Windows > Windows Autopilot > Devices.

- Import hardware hashes via CSV (obtained from OEM or Get-WindowsAutopilotInfo script).

- Create an Autopilot deployment profile: Devices > Enrollment > Windows > Windows Autopilot > Deployment Profiles > + Create Profile > Windows PC.

- Settings: User-driven mode, Entra ID joined, skip privacy settings, skip EULA, hide change account options.

- Assign the profile to the Autopilot device group.

Account Policies:

- Password minimum length: 14 characters

- Password complexity: Enabled

- Account lockout threshold: 5 failed attempts

- Account lockout duration: 15 minutes

- Reset account lockout counter after: 15 minutes

Local Policies — Security Options:

- Interactive logon: Machine inactivity limit: 900 seconds (15 minutes)

- Network access: Do not allow anonymous enumeration of SAM accounts: Enabled

- Network security: LAN Manager authentication level: Send NTLMv2 response only, refuse LM & NTLM

Windows Firewall:

- Domain Profile: Firewall state ON, inbound connections BLOCK, outbound connections ALLOW

- Private Profile: Firewall state ON, inbound connections BLOCK, outbound connections ALLOW

- Public Profile: Firewall state ON, inbound connections BLOCK, outbound connections ALLOW

Audit Policies:

- Audit logon events: Success and Failure

- Audit account logon events: Success and Failure

- Audit object access: Failure

- Audit policy change: Success

Additional Hardening:

- Disable consumer experience features (Settings Catalog > Experience > Allow Windows Consumer Features: Block)

- Disable Cortana above lock screen

- Disable Windows Store for Business

- Block Microsoft accounts: Users can't add or log on with Microsoft accounts

# Connect to Microsoft Graph with Intune permissions
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

Export existing CIS baseline for review
$profiles = Get-MgDeviceManagementDeviceConfiguration -Filter "displayName eq 'CIS-W11-L1-Baseline-ClientName'"
$profiles | Select-Object DisplayName, Id, LastModifiedDateTime

Verify profile assignment status
$profileId = $profiles[0].Id
$assignments = Get-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $profileId
$assignments | Format-Table Target, Id

- Require device encryption: Yes

- Encryption method for OS drive: XTS-AES 256-bit

- Encryption method for fixed data drives: XTS-AES 256-bit

- Encryption method for removable data drives: AES-CBC 256-bit

- Startup authentication: Require TPM + PIN (6-digit minimum)

- Recovery key rotation: Enabled (rotate after key is used)

- Store recovery key in Entra ID: Required before enabling BitLocker

- Hide recovery key prompt on initial encryption: Yes

- Compatible TPM startup: Required

# Verify BitLocker status on a specific device
Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'DEVICE-NAME'" |
    Select-Object DeviceName, IsEncrypted, ComplianceState

Bulk check BitLocker compliance
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All |
    Select-Object DeviceName, IsEncrypted, ComplianceState |
    Where-Object { $_.IsEncrypted -eq $false } |
    Export-Csv -Path "C:\Temp\Unencrypted-Devices.csv" -NoTypeInformation

- Feature update deferral period: 14 days

- Quality update deferral period: 2 days

- Auto-restart before deadline (days): 3

- Deadline for feature updates: 7 days after deferral

- Deadline for quality updates: 2 days after deferral

- Maintenance window start: 02:00

- Maintenance window end: 06:00

- Allow user to restart before deadline: Yes

- Disable pause on Windows Update: Yes

- Navigate to Devices > Windows > Feature Updates > + Create.

- Target version: Current supported version minus one (e.g., if 24H2 is current, target 24H2 after 14-day deferral).

- Assign to the same device group.

- Search for "Max Inactivity Time Lock" under Device Lock.

- Set to 15 minutes.

Verification Checks

Rollback

2. macOS Endpoint Hardening

Prerequisites

Step-by-Step Instructions

- Enable FileVault: Yes

- Personal recovery key rotation (months): 6

- Escrow location description: Your recovery key is stored securely by Netier IT. Contact support@netier.com.au if needed.

- Number of times allowed to bypass: 0 (enforce immediately)

- Store recovery key in Intune: Yes

System Integrity Protection (SIP):

- SIP is enabled by default on macOS. Intune cannot disable it, but add a compliance check (see Section 2.3 Compliance Policy below).

Gatekeeper:

- Allow identified developers: Yes

- Enable Gatekeeper: Yes (Settings Catalog > System Policy Control > Enable Assessment: true)

Screen Lock:

- Require password after sleep or screen saver: Immediately (0 seconds)

- Maximum inactivity before screen saver: 5 minutes (300 seconds)

- Minimum password length: 14 characters

- Password complexity: Alphanumeric with symbols

Firewall:

- Enable firewall: Yes

- Enable stealth mode: Yes

- Block all incoming connections: No (allow signed apps)

Additional Hardening:

- Disable automatic login

- Disable Bluetooth sharing

- Disable Internet sharing

- Disable remote Apple events

- Show Wi-Fi status in menu bar: Yes

- Require system integrity protection: Yes

- Require FileVault: Yes

- Minimum OS version: (set to current major version minus one)

- Require device lock password: Yes

- Mark device noncompliant: Immediately

- Send email to user: After 1 day

- Retire device: After 30 days (requires Security Lead approval before action triggers)

- Install macOS updates: Install immediately after the deferral period

- Deferral period: 14 days for major updates, 2 days for security updates

- Schedule type: Update at next check-in after deferral

#!/bin/bash
macOS Compliance Quick Check — run on endpoint or via Intune shell script deployment

echo "=== macOS Security Compliance Check ==="
echo "Hostname: $(hostname)"
echo "macOS Version: $(sw_vers -productVersion)"
echo ""

FileVault Status
fv_status=$(fdesetup status)
echo "FileVault: $fv_status"

SIP Status
sip_status=$(csrutil status)
echo "SIP: $sip_status"

Gatekeeper Status
gk_status=$(spctl --status)
echo "Gatekeeper: $gk_status"

Firewall Status
fw_status=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)
echo "Firewall: $fw_status"

Screen Lock
screensaver_idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo "Not set")
echo "Screensaver Idle Time: ${screensaver_idle}s"

ask_for_password=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || echo "Not set")
echo "Require Password After Screensaver: $ask_for_password (1 = Yes)"

echo ""
echo "=== Check Complete ==="

Verification Checks

Rollback

3. iOS/iPadOS Device Management

Prerequisites

Step-by-Step Instructions

- Navigate to Devices > Enrollment > Apple > Enrollment Program Tokens > {Token} > Profiles > + Create Profile > iOS/iPadOS.

- Lock enrollment profile: Yes. Supervised mode: Yes.

- Skip Setup Assistant panes: Location Services, Restore, Apple ID, Terms, Siri, Diagnostics, Display Tone, Privacy, Onboarding.

- Assign to device serial numbers in ABM.

- Navigate to Devices > Enrollment > Apple > Enrollment Types.

- Configure User Enrollment with Company Portal app.

- This creates a managed partition on the device without wiping personal data.

Passcode:

- Require passcode: Yes

- Passcode type: Alphanumeric

- Minimum passcode length: 6 characters

- Maximum minutes of inactivity before screen locks: 5

- Passcode expiration (days): 90

- Number of previous passcodes to prevent reuse: 5

- Maximum passcode attempts before wipe: 10

Jailbreak Detection:

- Block jailbroken/rooted devices: Yes (set via compliance policy — see 3.3)

Data Protection:

- Prevent unmanaged apps from reading managed contacts: Yes

- Prevent unmanaged apps from reading managed documents: Yes

- Treat AirDrop as an unmanaged destination: Yes

- Block copy/paste between managed and unmanaged apps: Yes (corporate-owned) / No (BYOD — data separation handled by App Protection Policy)

Siri:

- Block Siri while device is locked: Yes

- Block Siri dictation: No (allow when unlocked)

iCloud:

- Block iCloud backup of managed apps: Yes

- Block iCloud document sync for managed apps: Yes

- Block iCloud Keychain sync: No (personal use — BYOD) / Yes (corporate-owned)

Additional:

- Block screen capture in managed apps: Yes (corporate-owned)

- Block untrusted TLS certificates: Yes

- Force encrypted backups: Yes

- Block removing apps: Yes (supervised devices only)

- Jailbroken devices: Block

- Require device passcode: Yes

- Minimum OS version: (current major version minus one, e.g., iOS 18.0 if iOS 19 is current)

- Maximum OS version: not configured

- Require device lock: Yes

- Mark noncompliant: Immediately

- Send push notification: After 1 day

- Remotely lock device: After 7 days (jailbreak detection only)

- Send org data to other apps: Policy managed apps only

- Receive data from other apps: Policy managed apps only

- Save copies of org data: Block

- Allow user to save copies to selected services: OneDrive for Business, SharePoint only

- Cut, copy, paste between apps: Policy managed apps with paste in

- Screen capture: Block

- Encrypt org data: Require

- PIN for access: Require (4-digit minimum, allow biometric)

- Recheck access requirements after (minutes): 30

- Max PIN attempts: 5 (action: reset PIN)

- Offline grace period: 720 minutes (action: block access)

- Jailbroken/rooted devices: Block access

- Min OS version: current minus one (action: warn)

Verification Checks

Rollback

4. Android Enterprise Device Management

Prerequisites

Step-by-Step Instructions

Work Profile Settings:

- Copy/paste between work and personal profiles: Block

- Screen capture in work profile: Block

- Contact sharing from work to personal profile: Block (caller ID allowed)

- Allow widgets from work profile apps: No

- Default app permissions: Prompt

Password (Work Profile):

- Require password: Yes

- Password type: Complex (requires letter, number, symbol)

- Minimum password length: 6

- Maximum minutes of inactivity before work profile locks: 5

- Number of failed sign-ins before wiping work profile: 10

- Password expiration (days): 90

- Prevent reuse of previous passwords: 5

Root Detection:

- Rooted devices: Block (configured via compliance policy — see 4.5)

Google Play Protect:

- Require Google Play Protect verification: Yes

- SafetyNet device attestation: Check basic integrity and certified devices

- Factory reset: Block (prevent user-initiated factory reset)

- Camera: Allow (block if client requires it)

- USB file transfer: Block

- External media: Block

- NFC: Block (if not business-required)

- Screen capture: Block globally

- Add personal accounts: Block

- Rooted devices: Block

- Minimum OS version: (current major minus one, e.g., Android 14 if Android 15 is current)

- Require device lock: Yes

- Google Play Protect: Require SafetyNet attestation (basic integrity + certified)

- Require Google Play Services: Yes

- Up to date security patch: Within 30 days

- Mark noncompliant: Immediately

- Send notification: After 1 day

- Retire device (wipe work profile): After 14 days for root detection

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

List all Android devices and their compliance state
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Android'" -All |
    Select-Object DeviceName, UserDisplayName, ComplianceState,
                  IsEncrypted, AndroidSecurityPatchLevel, OsVersion |
    Export-Csv -Path "C:\Temp\Android-Compliance-Report.csv" -NoTypeInformation

Find rooted/non-compliant devices
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Android' and complianceState eq 'noncompliant'" -All |
    Select-Object DeviceName, UserDisplayName, ComplianceState |
    Format-Table -AutoSize

Verification Checks

Rollback

5. Linux (Ubuntu/RHEL) Endpoint Hardening

Prerequisites

Step-by-Step Instructions

   # Ubuntu

   curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > /tmp/microsoft.gpg
   sudo install -o root -g root -m 644 /tmp/microsoft.gpg /usr/share/keyrings/microsoft-archive-keyring.gpg
   echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/ubuntu/22.04/prod jammy main" | sudo tee /etc/apt/sources.list.d/microsoft-prod.list
   sudo apt update && sudo apt install -y intune-portal

   # RHEL 8+
   sudo dnf install -y https://packages.microsoft.com/config/rhel/8/packages-microsoft-prod.rpm
   sudo dnf install -y intune-portal
   

LUKS encryption must be configured at OS install time or via manual partition encryption. Intune can enforce a compliance check for encryption but cannot enable LUKS remotely.

   # Check LUKS encryption status

   sudo cryptsetup luksDump /dev/sda3  # adjust partition as needed
   lsblk -f | grep -i luks
   

- Navigate to Devices > Compliance > + Create Policy > Linux.

- Name: Linux-Compliance-{ClientName}.

- Require encryption: Yes.

- Assign to the Linux device group.

   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%Y%m%d)

   sudo tee /etc/ssh/sshd_config.d/99-netier-hardening.conf << 'SSHEOF'
   # Netier SSH Hardening — NET-SOP-MDM-001
   PermitRootLogin no
   PasswordAuthentication no
   PubkeyAuthentication yes
   MaxAuthTries 3
   LoginGraceTime 60
   X11Forwarding no
   AllowTcpForwarding no
   PermitEmptyPasswords no
   ClientAliveInterval 300
   ClientAliveCountMax 2
   Protocol 2
   SSHEOF

   sudo systemctl restart sshd
   sudo systemctl status sshd
   

   ssh root@localhost  # Should be denied

   sudo sshd -T | grep -i permitrootlogin  # Should show "no"
   

   sudo tee /etc/sudoers.d/99-netier-logging << 'SUDOEOF'

   # Netier sudo logging — NET-SOP-MDM-001
   Defaults log_output
   Defaults!/usr/bin/sudoreplay !log_output
   Defaults logfile="/var/log/sudo.log"
   Defaults timestamp_timeout=5
   SUDOEOF

   sudo chmod 0440 /etc/sudoers.d/99-netier-logging
   sudo visudo -c  # Validate syntax
   

   # List current sudo users

   getent group sudo   # Ubuntu
   getent group wheel   # RHEL

   # Remove unnecessary users from sudo group (replace USERNAME)
   # sudo deluser USERNAME sudo   # Ubuntu
   # sudo gpasswd -d USERNAME wheel   # RHEL
   

   sudo apt install -y unattended-upgrades

   sudo dpkg-reconfigure -plow unattended-upgrades  # Select "Yes"

   # Configure to only auto-install security updates
   sudo tee /etc/apt/apt.conf.d/50unattended-upgrades << 'UUEOF'
   Unattended-Upgrade::Allowed-Origins {
       "${distro_id}:${distro_codename}-security";
   };
   Unattended-Upgrade::AutoFixInterruptedDpkg "true";
   Unattended-Upgrade::Remove-Unused-Dependencies "true";
   Unattended-Upgrade::Automatic-Reboot "false";
   Unattended-Upgrade::Mail "support@netier.com.au";
   UUEOF

   sudo systemctl enable --now unattended-upgrades
   

   sudo dnf install -y dnf-automatic


   sudo tee /etc/dnf/automatic.conf << 'DNFEOF'
   [commands]
   upgrade_type = security
   apply_updates = yes
   random_sleep = 3600

   [emitters]
   emit_via = email
   email_from = root@$(hostname -f)
   email_to = support@netier.com.au
   DNFEOF

   sudo systemctl enable --now dnf-automatic.timer
   

   # Ubuntu

   sudo unattended-upgrade --dry-run --debug

   # RHEL
   sudo dnf check-update --security
   systemctl status dnf-automatic.timer
   

Verification Checks

Rollback

6. Master Verification Checklist

Windows 10/11

macOS

iOS/iPadOS

Android Enterprise

Linux (Ubuntu/RHEL)

7. Document History

SOP: Networking & Perimeter

Document ID: NET-SOP-NET-001
Version: 1.0
Effective Date: 2026-03-26
Next Review: 2026-09-26
Owner: Netier — Security & Cloud Engineering
Classification: Internal
TCF Section: 7.0
Review Cycle: Quarterly or after vendor portal/product changes

Table of Contents

1. Firewall Initial Hardening (WatchGuard / Fortinet)

Prerequisites

Step-by-Step Instructions

- Set the admin passphrase (minimum 16 characters, stored in Netier credential vault under {ClientName} - WatchGuard Admin).

- Set the status passphrase (read-only access, different from admin).

- Configure the WAN interface with the client's ISP-provided IP / DHCP / PPPoE settings.

- Configure the LAN (Trusted) interface with the client's internal gateway IP.

- Navigate to Administration > Devices > + Add Device.

- Enter the serial number and activation key from the licence.

- Enable cloud management if the client has opted for WatchGuard Cloud-managed deployment.

- Navigate to Firewall > Firewall Policies.

- Confirm the implicit Deny rule exists at the bottom of the policy list (it is present by default — do NOT delete it).

- Delete or disable any pre-configured "Outgoing" allow-all rules from the factory default configuration.

- Create explicit allow rules for required traffic only:

- Outbound HTTPS (TCP 443): Trusted to Any-External

- Outbound HTTP (TCP 80): Trusted to Any-External (if required; prefer HTTPS-only where possible)

- Outbound DNS (UDP/TCP 53): Trusted to DNS filter IPs only (see Section 5)

- Outbound NTP (UDP 123): Firebox to trusted NTP servers (e.g., time.cloudflare.com, time.google.com)

- All other outbound traffic: Denied by the implicit deny rule.

- All inbound traffic: Denied unless a specific NAT/port-forward rule is required (document justification for each).

- Navigate to System > Management Access.

- Set Management IP Restrictions to allow only:

- Netier office public IP(s)

- Netier Tailscale IP range (100.64.0.0/10) if VPN-based management is used

- Disable management access from the WAN interface entirely.

- Enable HTTPS management on the Trusted interface only (port 8080 or custom).

- Disable HTTP management (force HTTPS).

- Navigate to System > Global Settings.

- Set idle timeout: 15 minutes.

- Enable login banner: Authorised access only. All activity is monitored and logged.

- Navigate to System > Logging.

- Configure log server: WatchGuard Cloud (preferred) or a local syslog server.

- Log level: Information (minimum) for all policies.

- Enable traffic logging for all Deny rules.

- Enable diagnostic logging for VPN, authentication, and system events.

- Set the admin password (minimum 16 characters, stored in Netier credential vault).

- Navigate to System > Settings and set:

- Hostname: {ClientName}-FW01

- Timezone: Australia/Sydney (or appropriate client timezone)

- Idle timeout: 15 minutes

- Login banner: Authorised access only. All activity is monitored and logged.

- Navigate to Network > Interfaces.

- Configure WAN1: ISP-provided settings.

- Configure LAN (port1 or aggregate): client internal gateway IP.

- Disable unused interfaces: Navigate to each unused interface and set Administrative Access to None.

- Navigate to Policy & Objects > Firewall Policy.

- Verify the implicit deny rule at the bottom of the policy table (ID 0, action Deny, logging enabled).

- Remove any factory-default allow-all policies.

- Create explicit allow policies (same pattern as WatchGuard above).

- Enable logging on all policies: set Log Allowed Traffic to "All Sessions" and Log Violation Traffic to enabled on the implicit deny.

# FortiGate CLI — accessed via SSH or console
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
    set admin-https-redirect enable
    set admin-http-redirect enable
    set timezone 67
    set hostname "{ClientName}-FW01"
    set admintimeout 15
    set pre-login-banner enable
    set pre-login-banner-message "Authorised access only. All activity is monitored and logged."
end

Restrict management access to Netier IPs only
config system interface
    edit "wan1"
        set allowaccess ping
        # No HTTPS/SSH on WAN — management via LAN or VPN only
    next
    edit "lan"
        set allowaccess ping https ssh
        set trust-ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    next
end

Create Netier management address group
config firewall address
    edit "Netier-Mgmt-IPs"
        set type iprange
        set start-ip {NETIER_PUBLIC_IP_START}
        set end-ip {NETIER_PUBLIC_IP_END}
    next
end

config system admin
    edit "admin"
        set trusthost1 {NETIER_PUBLIC_IP}/32
        set trusthost2 100.64.0.0/10
    next
end

- Check current firmware: System > Firmware.

- Policy: Maintain N-1 stable release (e.g., if 7.6.x is latest stable, run 7.4.x latest patch or 7.6.x minus one minor).

- Critical CVE patches: Apply within 48 hours of vendor advisory.

- Non-critical firmware upgrades: Apply within 30 days during a scheduled maintenance window.

- Always back up the configuration before upgrading firmware.

Verification Checks

Rollback

2. IPS/IDS Configuration

Prerequisites

Step-by-Step Instructions

- High severity signatures: Action = Block (Drop and Log)

- Critical severity signatures: Action = Block (Drop and Log)

- Medium severity signatures: Action = Block (Drop and Log)

- Low severity signatures: Action = Alarm (Log Only)

- Informational signatures: Action = Alarm (Log Only)

- Navigate to System > Subscription Services > Signature Updates.

- Set update frequency: Every 1 hour.

- Navigate to Security Services > Intrusion Prevention > Exceptions.

- Add the specific signature ID with a justification note.

- Exceptions must be reviewed quarterly and removed if the false positive no longer occurs.

- Critical severity: Action = Block

- High severity: Action = Block

- Medium severity: Action = Block

- Low severity: Action = Monitor (Log Only)

- Informational: Action = Monitor (Log Only)

- Navigate to Policy & Objects > Firewall Policy.

- Edit each policy and under Security Profiles, enable IPS and select the Netier-IPS-Sensor-{ClientName} profile.

config ips sensor
    edit "Netier-IPS-Sensor"
        config entries
            edit 1
                set status enable
                set log enable
                set severity critical high
                set action block
            next
            edit 2
                set status enable
                set log enable
                set severity medium
                set action block
            next
            edit 3
                set status enable
                set log enable
                set severity low info
                set action pass
                set log-packet enable
            next
        end
    next
end

- Navigate to System > FortiGuard > Update.

- Verify IPS definitions are updating (check last update timestamp).

- Set update schedule: Push-based (real-time from FortiGuard) or scheduled hourly.

Verification Checks

Rollback

3. VPN Configuration

Prerequisites

Step-by-Step Instructions

- PPTP: Do NOT configure any PPTP VPN tunnels. If legacy PPTP tunnels exist, migrate users to IKEv2 or SSL VPN and delete the PPTP configuration.

- L2TP without IPsec: Do NOT configure L2TP without IPsec encryption. If L2TP/IPsec is in use, migrate to IKEv2 (preferred) or SSL VPN.

- IKEv2/IPsec (preferred for site-to-site and client VPN): Strong encryption, native OS client support, best performance.

- SSL VPN (alternative for client VPN when IKEv2 is not feasible): Firewalled to specific portal URL on port 443.

- Authentication: Certificate-based (preferred) or EAP with RADIUS

- Encryption: AES-256-GCM

- Hash: SHA-384 or SHA-256

- DH Group: 20 (NIST P-384) or 21 (NIST P-521)

- SA Lifetime: 28800 seconds (8 hours)

- Encryption: AES-256-GCM

- SA Lifetime: 3600 seconds (1 hour)

- Perfect Forward Secrecy: Enabled (DH Group 20)

- Navigate to Authentication > Servers > RADIUS.

- Add the RADIUS server (NPS with Azure MFA extension):

- IP: (NPS server internal IP)

- Port: 1812

- Shared secret: (stored in Netier credential vault under {ClientName} - RADIUS Shared Secret)

- Timeout: 60 seconds (to allow for MFA prompt)

- Navigate to Authentication > Authentication Policy.

- Add the RADIUS server to the authentication chain for VPN users.

- Navigate to Authentication > Users and Groups.

- Create a group VPN-Users and add authorised users.

- Map this group to the IKEv2 VPN configuration.

- Under the IKEv2 settings, define the allowed resources (client internal subnets only).

- Do NOT route all internet traffic through the VPN unless the client specifically requires it for compliance.

- Windows: Use the native IKEv2 VPN client (Settings > Network & Internet > VPN > Add VPN).

- macOS/iOS: Use the native IKEv2 VPN client (System Settings > VPN > Add VPN Configuration).

- Distribute VPN configuration via Intune VPN profile for managed devices.

- Listen on port: 443 (or 10443 if port 443 is used for other services)

- Listen on interface: WAN1

- Restrict access: Enable Source IP restriction to known countries (AU at minimum; add others per client travel requirements)

- Server certificate: Valid publicly trusted certificate (Let's Encrypt or purchased CA cert)

- Idle disconnect timeout: 300 seconds (5 minutes)

- Authentication: SAML (preferred for Entra ID integration)

- In the Entra ID portal (https://entra.microsoft.com), navigate to Enterprise Applications > + New Application > FortiGate SSL VPN (from the gallery).

- Configure SAML SSO:

- Identifier (Entity ID): https://{firewall-fqdn}/remote/saml/metadata

- Reply URL: https://{firewall-fqdn}/remote/saml/login

- Sign-on URL: https://{firewall-fqdn}/remote/saml/login

- Download the Federation Metadata XML.

- On the FortiGate, navigate to User & Authentication > Single Sign-On > + Create New.

- Upload the Federation Metadata XML from Entra ID.

- Map the Entra ID groups to FortiGate user groups for VPN access.

- Navigate to Policy & Objects > Firewall Policy.

- Source: SSL VPN tunnel interface, VPN user group.

- Destination: Internal subnets (specific resources, not "all").

- Service: Only required services (e.g., RDP, HTTPS, SMB).

- Enable logging: All sessions.

config vpn ssl settings
    set status enable
    set servercert "{CERT_NAME}"
    set tunnel-ip-pools "SSL-VPN-Pool"
    set port 443
    set source-interface "wan1"
    set source-address "Geo-AU"
    set idle-timeout 300
    set auth-timeout 28800
    set dtls-tunnel enable
    set ssl-min-proto-ver tls1-2
end

config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set web-mode disable
        set split-tunneling enable
        set split-tunneling-routing-address "{CLIENT_INTERNAL_SUBNETS}"
        set ip-pools "SSL-VPN-Pool"
    next
end

Verification Checks

Rollback

4. VLAN Design & Segmentation

Prerequisites

Step-by-Step Instructions

Apply the following VLAN design for all new client deployments. Adjust VLAN IDs and subnets per the client's IP addressing plan.

Management VLAN (10):

- Allowed FROM: Netier management IPs only (via VPN or Netier office IPs)

- Allowed TO: All VLANs (for device management)

- Blocked FROM: All other VLANs

Server VLAN (20):

- Allowed FROM: Client VLAN (30) for specific services only (e.g., TCP 443, 445, 3389 to specific server IPs)

- Allowed TO: Internet for updates (via proxy/filtered DNS)

- Blocked FROM: Guest (50), IoT (60)

Client VLAN (30):

- Allowed TO: Server VLAN (20) for specific services

- Allowed TO: Internet (via DNS filter and web proxy)

- Blocked TO: Management (10), Voice (40) unless SIP client needed, Guest (50), IoT (60)

Voice VLAN (40):

- Allowed TO: SIP provider external IPs and ports (SIP TCP/UDP 5060-5061, RTP UDP 10000-20000)

- Allowed TO: Voice gateway / PBX in Server VLAN (if on-prem)

- Blocked TO: All other VLANs and general internet

Guest VLAN (50):

- Allowed TO: Internet only (HTTPS TCP 443, HTTP TCP 80, DNS UDP 53 to filtered DNS)

- Blocked TO: All internal VLANs (complete isolation)

- Rate limited: Per-client bandwidth cap (e.g., 10 Mbps down / 5 Mbps up)

- Captive portal: Enabled (acceptance of Acceptable Use Policy)

IoT VLAN (60):

- Allowed TO: Specific whitelisted outbound destinations only (e.g., cloud management portals for printers, cameras):

- Printer cloud: vendor-specific domains

- Camera NVR: Server VLAN NVR IP only

- Building management: vendor cloud portals

- Blocked TO: All internal VLANs except explicitly whitelisted

- Blocked FROM: Internet inbound (no port forwarding to IoT devices)

- All other outbound traffic: Denied

! Create VLANs
vlan 10
 name Management
vlan 20
 name Server
vlan 30
 name Client
vlan 40
 name Voice
vlan 50
 name Guest
vlan 60
 name IoT

! Trunk port to firewall
interface GigabitEthernet0/1
 description Trunk to Firewall
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50,60
 switchport trunk native vlan 999
 spanning-tree portfast trunk

! Access port for client workstation
interface GigabitEthernet0/10
 description Client Workstation
 switchport mode access
 switchport access vlan 30
 switchport voice vlan 40
 spanning-tree portfast
 spanning-tree bpduguard enable

! Access port for IoT device (printer)
interface GigabitEthernet0/20
 description IoT - Printer
 switchport mode access
 switchport access vlan 60
 spanning-tree portfast
 spanning-tree bpduguard enable

! Disable unused ports
interface range GigabitEthernet0/40 - 48
 shutdown
 switchport access vlan 999
 description UNUSED - DISABLED

Verification Checks

Rollback

5. DNS Filtering

Prerequisites

Step-by-Step Instructions

- Source IP: Client's public WAN IP (for IP-based identification).

- DNS-over-HTTPS endpoint: Note the unique DoH URL for this location.

- Assigned DNS IPs: Note the Cloudflare Gateway resolver IPs assigned to this location.

- Policy Name: Netier-Standard-Block-{ClientName}.

- Rule 1: Security Threats

- Selector: Security Categories

- Value: Malware, Botnet Command & Control, Phishing, Spyware, Cryptomining, DGA Domains, Newly Seen Domains

- Action: Block

- Rule 2: Content Filtering (adjust per client policy)

- Selector: Content Categories

- Value: Adult Content, Gambling, Weapons, Drugs, Questionable Content

- Action: Block

- Rule 3: Allow All Other

- Action: Allow (implicit — Cloudflare allows by default)

- Navigate to Settings > Network > Activity Logging.

- Enable DNS logging.

- Set retention: 90 days (minimum per TCF requirement).

- On the firewall DHCP server (or Windows DHCP if applicable):

- Primary DNS: Cloudflare Gateway IP 1 (from the location setup)

- Secondary DNS: Cloudflare Gateway IP 2

- Apply to all DHCP scopes: Client VLAN (30), Voice VLAN (40), Guest VLAN (50), IoT VLAN (60).

- Server VLAN (20) and Management VLAN (10): Set DNS to the Cloudflare Gateway IPs in static network configurations.

- Name: Netier-Standard-{ClientName}.

- Security Settings:

- Block: Malware, Command & Control Callbacks, Phishing, Cryptomining, Newly Seen Domains

- Content Categories:

- Block: Adult, Gambling, Weapons, Hate/Discrimination, Drugs (adjust per client)

- Application Settings:

- Block or monitor specific SaaS applications per client policy

- Navigate to Admin > Log Management.

- Enable full DNS logging.

- Set retention to 90 days.

- Configure S3 export if the client requires longer retention.

- Primary DNS: 208.67.222.222

- Secondary DNS: 208.67.220.220

- Or use the site-specific Umbrella Virtual Appliance IPs if deployed.

- Source: All internal VLANs

- Destination: Any (NOT the approved DNS filter IPs)

- Service: DNS (UDP/TCP 53)

- Action: Deny (with logging)

- Source: All internal VLANs

- Destination: Approved DNS filter IPs only

- Service: DNS (UDP/TCP 53)

- Action: Allow

- Block outbound TCP 443 to known public DoH providers (e.g., 8.8.8.8, 1.1.1.1 — unless using Cloudflare Gateway DoH directly).

- On managed endpoints, configure the browser via Intune to use the approved DoH resolver or disable DoH.

Verification Checks

Rollback

6. Configuration Backup & Change Management

Prerequisites

Step-by-Step Instructions

- Enter the device IP address (use the Management VLAN IP).

- Set the connection protocol: SSH (preferred) or HTTPS API.

- Enter the backup service account credentials (stored in Netier credential vault under {ClientName} - Network Backup Account).

- Set the device type (auto-detect or manual: WatchGuard, FortiGate, Cisco IOS, etc.).

- Frequency: Daily at 01:00 AEST.

- Retention: 90 days (minimum per TCF requirement).

- On-change backup: Enable (triggers an immediate backup when a configuration change is detected).

- Navigate to Settings > Notifications.

- Enable alerts for: Backup Failure, Configuration Change Detected, Device Unreachable.

- Send to: noc@netier.com.au and the Netier Microsoft Teams "Network Alerts" channel webhook.

- Navigate to Devices > {Device} > Backups.

- Confirm a backup entry exists with status "Success".

- Click on the backup to view the configuration content (verify it is a complete config, not a partial or error).

- Navigate to Admin > Backup Settings.

- Confirm retention is set to at least 90 days.

- Confirm SNMP credentials and SSH credentials are configured for all device types.

- Click on the device, navigate to Configuration.

- View the current configuration and diff against previous versions.

   sudo vim /etc/oxidized/router.db

   # Format: hostname:model:username:password
   # Example:
   # 10.0.10.1:fortigate:backup-svc:PASSWORD
   # 10.0.10.2:ios:backup-svc:PASSWORD
   

   sudo vim /etc/oxidized/config

   

Key settings:

   interval: 86400  # Backup every 24 hours (seconds)

   use_syslog: true
   log: /var/log/oxidized/oxidized.log
   input:
     default: ssh
     ssh:
       secure: true
   output:
     default: git
     git:
       single_repo: true
       repo: /var/lib/oxidized/configs.git