Simple checklists for basic security controls. They don't replace a pentest, but they help with basic hygiene.
Active Directory - Basics
- SMB signing enabled on all systems
- LLMNR and NetBIOS name resolution (NBT-NS) disabled
- LAPS implemented for local admin accounts
- Kerberos delegation properly configured
- Tiering model for admin accounts
Web Applications - Basics
- HTTPS everywhere (redirect HTTP to HTTPS and set HSTS; a redirect alone is not enough)
- Security headers (CSP, X-Frame-Options, etc.)
- Proper session handling
- Rate limiting on authentication endpoints
- Server-side input validation
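A small audit for the HTTPS/HSTS and security-header items above, added here as an example and not part of the original checklist. The minimum HSTS max-age threshold and the two sample header sets are assumptions constructed for the example; in practice pass it the headers of a real response.

```python
import re

# Added example (not from the checklist). Minimum HSTS max-age accepted
# here is an assumption: roughly six months, in seconds.
MIN_HSTS_MAX_AGE = 15552000


def audit_headers(headers):
    """Return a list of findings for a response's headers; [] means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # HSTS: a redirect from HTTP alone leaves the first request open to downgrade.
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    if hsts is None:
        findings.append("HSTS missing")
    elif not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age missing or too short")

    # CSP: present, and not weakened by unsafe-inline / unsafe-eval.
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows unsafe-inline/unsafe-eval")

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp.lower():
        findings.append("no framing protection (X-Frame-Options / frame-ancestors)")

    return findings


# Constructed sample responses: one weak, one hardened.
WEAK = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or ["OK"])
```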
Cloud - Basics
- MFA for all admin accounts
- Least privilege principle for IAM roles
- No publicly accessible S3/Blob buckets
- Audit logs enabled
- Regular access rights review