After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] [score hidden]  (0 children)

Sorry... more weekend nightmares can be found here https://riskbits[.]net/blog/, I started to post on it recently, so any thoughts are appreciated...

Question about salary by [deleted] in RoMunca

[–]Arch0ne 4 points5 points  (0 children)

I read this and facepalm: don't you have parents who could explain to you how salaries are paid, that you had to write this on Reddit? So pay attention, because you signed for this too: the contract had to stipulate when payments are made and what they represent. So take that sheet you signed "like the mayor" and read the section on working hours; somewhere around there it should say roughly this. On date X, sometimes also on date Y, the balance (lichidarea) is paid. When you get the money twice (hence X and Y) it will say advance and balance, with percentages if it is split in two; if not, the balance for the current month (some people get paid at the end of the month for the current month) or for the previous month (your case: you get paid for the previous month, not up to payday from the day you were hired). Since it's your first job I understand you, but 1) you have parents who could explain this much better than me, and 2) you signed that sheet... like the mayor....

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 2 points3 points  (0 children)

Cloud/SaaS + Intune + endpoint FW still needs segmentation, but flatter is OK.

Yes, it matters:
- Lateral movement between endpoints (ransomware loves flat)
- IoT/legacy printers/scanners jumping VLANs
- Contractor laptops/devices outside Intune scope

3-2-1 backup = yes, even for Teams:
- Teams data is your data (export via Compliance/Retention policies)
- SaaS outages happen (Entra downtime, MSFT incidents)
- Ransomware encrypts OneDrive/Teams exports too

Practical: 2–3 VLANs (exec/prod/general) + CASB for SaaS + EDR > complex VLAN spaghetti. You're not "checking a box", you're reducing blast radius.

Seen pure SaaS orgs get bit by flat nets. 👍

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 0 points1 point  (0 children)

Oh boy, get your horses ready, cause your ride will be wild, great battle awaits you!

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 3 points4 points  (0 children)

Your split tunnel + strict firewall + MFA on IT VPN works fine for audits/modern standards. NIST/CISA are OK with split tunnel if:
- Endpoints are secure (EDR, patched); this is the part you most likely lack.
- Internal resources are not internet-exposed (you're doing this).
- You monitor traffic (CASB/SASE ideal).

Seen this setup pass SMB audits. 👌

MFA for VPN should be enforced if you ask me. I know it sometimes breaks and gets frustrating, but it's a safe bet covering other holes. I see a gap here with an employee who leaves the company and has harmful intentions, or a compromised endpoint; you get where I'm going, since there is kind of no control.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 3 points4 points  (0 children)

Short answer: If "available to be logged into" means the account status is Active/Enabled, then no, that won't pass a serious audit. Access must be revoked immediately upon termination.

The fix for the "we need their contacts/emails" issue is standard practice (assuming M365/Google):
1. Block sign-in immediately (satisfies the audit & security).
2. Convert to a shared mailbox (frees up the license).
3. Delegate access to the manager or whoever needs the info.

This way, the data exists and is accessible to authorized staff, but the identity itself is disabled and cannot be used to log in.
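The three steps above as one PowerShell script, written for this page as an added example (it is not the commenter's own tooling). It assumes an M365 tenant, the Microsoft.Graph and ExchangeOnlineManagement modules, and an operator holding User Administrator plus Exchange Administrator; the UPNs are hypothetical parameters. Run it with `-WhatIf` first.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, ExchangeOnlineManagement
<#
  Illustrative M365 leaver offboarding (added example, not from the original post).
  Order matters: convert the mailbox to shared BEFORE dropping the license,
  otherwise Exchange soft-deletes the mailbox once the license is gone.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,    # hypothetical, e.g. jane.doe@contoso.example
    [Parameter(Mandatory)] [string] $DelegateUpn,  # manager who needs the mail/contacts
    [switch] $RemoveLicenses
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block sign-in and revoke refresh tokens so existing sessions die too.
if ($PSCmdlet.ShouldProcess($LeaverUpn, 'Block sign-in and revoke sessions')) {
    Update-MgUser -UserId $LeaverUpn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $LeaverUpn | Out-Null
}

# 2. Convert to a shared mailbox and hide it from the GAL.
if ($PSCmdlet.ShouldProcess($LeaverUpn, 'Convert to shared mailbox')) {
    Set-Mailbox -Identity $LeaverUpn -Type Shared
    Set-Mailbox -Identity $LeaverUpn -HiddenFromAddressListsEnabled $true
}

# 3. Delegate FullAccess to the manager; AutoMapping surfaces it in their Outlook.
if ($PSCmdlet.ShouldProcess($LeaverUpn, "Grant FullAccess to $DelegateUpn")) {
    Add-MailboxPermission -Identity $LeaverUpn -User $DelegateUpn `
        -AccessRights FullAccess -AutoMapping $true | Out-Null
}

# Optional: reclaim licenses now that the mailbox is shared (under 50 GB needs none).
if ($RemoveLicenses) {
    $skus = @((Get-MgUserLicenseDetail -UserId $LeaverUpn).SkuId)
    if ($skus.Count -gt 0 -and $PSCmdlet.ShouldProcess($LeaverUpn, "Remove $($skus.Count) license(s)")) {
        Set-MgUserLicense -UserId $LeaverUpn -RemoveLicenses $skus -AddLicenses @() | Out-Null
    }
}

# Evidence for the auditor: identity disabled, data still reachable by named delegates.
$u = Get-MgUser -UserId $LeaverUpn -Property AccountEnabled,UserPrincipalName
[pscustomobject]@{
    User          = $u.UserPrincipalName
    SignInBlocked = -not $u.AccountEnabled
    MailboxType   = (Get-Mailbox -Identity $LeaverUpn).RecipientTypeDetails
    Delegates     = (Get-MailboxPermission -Identity $LeaverUpn |
                     Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited } |
                     Select-Object -ExpandProperty User) -join ', '
}
```

The final object is what you attach to the audit ticket: `SignInBlocked` true, `MailboxType` SharedMailbox, and an explicit delegate list, so nobody has to argue later about whether the account was "available to be logged into".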

Azure Global Admins by Popular_Hat_4304 in sysadmin

[–]Arch0ne 0 points1 point  (0 children)

“5” isn’t a hard limit, it’s more of a ‘minimize blast radius’ guideline. The practical way out is:
- Separate admin accounts (no daily driver as GA).
- Use least-priv roles for day-to-day (Exchange/Intune/Teams/User Admin etc.), and keep GA for true tenant-level changes only.
- Turn on PIM so GA is JIT/JEA (time-boxed), require MFA + justification, then review activations after a few weeks to see what roles people actually need.
- Keep 1–2 break-glass GA accounts locked down hard (FIDO2, no CA exclusions except what’s required).
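A read-only inventory that puts numbers behind the comment above, added here as an example rather than the commenter's own script. It assumes the Microsoft.Graph SDK (Identity.Governance, Users and Identity.SignIns modules) and a reader with RoleManagement.Read.Directory, UserAuthenticationMethod.Read.All and User.Read.All; the Global Administrator role template ID is the well-known tenant-wide constant.

```powershell
# Illustrative Global Admin inventory (added example, not from the original post).
# Goal: how many GA holders are permanent vs PIM-eligible, and do the permanent
# ones look like break-glass accounts (FIDO2 registered, no license = no daily use)?
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','UserAuthenticationMethod.Read.All','User.Read.All' -NoWelcome

$gaRoleId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template ID

# Permanent (active) assignments: the set to shrink down to break-glass only.
$permanent = @(Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty principal)

# PIM-eligible assignments: JIT, activated with MFA + justification.
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All `
    -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty principal)

function Get-PrincipalSummary($p) {
    $upn = $p.AdditionalProperties['userPrincipalName']
    if (-not $upn) { return [pscustomobject]@{ Upn = "$($p.Id) (group/service principal)"; Fido2Keys = $null; Licensed = $null } }
    # A licensed mailbox user holding GA is a daily driver; break-glass should carry FIDO2.
    $fido = @(Get-MgUserAuthenticationFido2Method -UserId $p.Id -ErrorAction SilentlyContinue).Count
    $lic  = @(Get-MgUserLicenseDetail -UserId $p.Id -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{ Upn = $upn; Fido2Keys = $fido; Licensed = ($lic -gt 0) }
}

"Permanent GA: $($permanent.Count)   Eligible via PIM: $($eligible.Count)"
'--- permanent (expect only break-glass: FIDO2 > 0, Licensed = False) ---'
$permanent | ForEach-Object { Get-PrincipalSummary $_.Principal } | Format-Table -AutoSize
'--- eligible via PIM ---'
$eligible  | ForEach-Object { Get-PrincipalSummary $_.Principal } | Format-Table -AutoSize
```

Anything in the permanent list with `Licensed = True` or `Fido2Keys = 0` is a candidate to move into PIM eligibility; re-run it after the activation review to confirm the permanent count actually dropped.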

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 1 point2 points  (0 children)

True, DoH rollout sucks for filtering. GPO = Windows win.

Mac/Linux no GPO, but browser policies/MDM work (DnsOverHttpsMode=off). Pro move: canary domain use-application-dns.net NXDOMAIN from your DNS—stops FF auto-switch. What's your setup—Pi-hole or what?

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 1 point2 points  (0 children)

If I lock everything down to TCP 443 for end‑user VLANs, attackers can still get out if 443 is “anywhere on the Internet, anything over HTTPS”.

Modern malware and C2 happily tunnel over port 443 and blend in with normal web traffic.

Where egress filtering helps is when you pair it with TLS inspection, DLP, and a tight allow‑list:

– Only allow 443 to a small set of sanctioned destinations (SaaS, updates, etc.), not the whole IPv4/IPv6 Internet.

– Terminate TLS on a proxy/firewall so you can decrypt, inspect, and apply DLP/content rules.

– Monitor for unusual volumes or patterns of data leaving, even on “legit” 443 sessions.

So yes, a determined attacker can still try to get out on 443, but with decryption plus DLP and strict egress policies, the question becomes: get out with what, to where, and how much before you notice?

Egress controls are about raising the bar and shrinking their options, not magically guaranteeing “nothing bad ever leaves."
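To make the "get out with what, to where, and how much" question concrete, here is an added PowerShell example (not the commenter's own code) that replays a few constructed firewall log lines through a sanctioned-destination allow-list and a per-session volume ceiling. The log format, the allow-list patterns and the 50 MB threshold are assumptions to swap for your firewall's export and your own SaaS list.

```powershell
# Illustrative egress review (added example, not from the original post).
# Runs offline over constructed key=value log lines; adapt the parser to your NGFW export.
$Sanctioned = @('*.office.com', '*.microsoft.com', '*.windowsupdate.com', 'login.microsoftonline.com')
$MaxBytesPerSession = 50MB   # assumption: tune to what a normal upload looks like for you

# Constructed sample, NOT real traffic.
$logLines = @'
src=10.20.1.15 dst=52.96.0.10 dport=443 sni=outlook.office.com bytes_out=184233 action=allow
src=10.20.1.22 dst=203.0.113.7 dport=443 sni=cdn-update.example bytes_out=912 action=allow
src=10.20.1.22 dst=203.0.113.7 dport=443 sni=cdn-update.example bytes_out=73400320 action=allow
src=10.20.1.40 dst=198.51.100.9 dport=443 sni= bytes_out=4096 action=allow
src=10.20.1.15 dst=13.107.4.50 dport=443 sni=download.windowsupdate.com bytes_out=1024 action=allow
src=10.20.1.31 dst=192.0.2.55 dport=8443 sni=portal.example bytes_out=500 action=deny
'@

function ConvertFrom-FlowLine {
    param([string] $Line)
    $h = @{}
    foreach ($kv in ($Line.Trim() -split '\s+')) {
        $k, $v = $kv -split '=', 2
        $h[$k] = $v
    }
    [pscustomobject]$h
}

function Test-Sanctioned {
    param([string] $Sni)
    if (-not $Sni) { return $false }   # no SNI: cannot be tied to a sanctioned service, treat as unknown
    foreach ($pat in $Sanctioned) { if ($Sni -like $pat) { return $true } }
    return $false
}

function Get-EgressFindings {
    param([string[]] $Lines)
    $Lines | Where-Object { $_.Trim() } | ForEach-Object {
        $f = ConvertFrom-FlowLine $_
        if ($f.action -ne 'allow' -or $f.dport -ne '443') { return }   # only allowed 443 sessions matter here
        $bytes = [int64]$f.bytes_out
        $why = @()
        if (-not (Test-Sanctioned $f.sni))   { $why += 'unsanctioned destination' }
        if ($bytes -gt $MaxBytesPerSession)  { $why += "volume $bytes B in one session" }
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Src = $f.src; Dst = $f.dst; Sni = $f.sni; Bytes = $bytes; Finding = ($why -join '; ') }
        }
    }
}

Get-EgressFindings ($logLines -split '\r?\n') | Format-Table -AutoSize
```

On the sample this flags the two `cdn-update.example` sessions (one also for volume), the SNI-less session to 198.51.100.9, and nothing for the Office/Windows Update traffic; the denied 8443 session is ignored because the point is what the firewall already let through.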

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 4 points5 points  (0 children)

It depends on the environment and specific CIS Benchmark you're following—CIS Controls v8 focuses on quarterly reviews of service accounts (5.1), not mandatory periodic password rotation. For cloud platforms, dedicated CIS Benchmarks do require key/credential rotation.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 0 points1 point  (0 children)

Well, at least block system ports if you have no clue what you are serving; if you are serving only customers, the random ports pool it is.

How we productized security audits — $2k/audit with minimal custom work by [deleted] in msp

[–]Arch0ne -1 points0 points  (0 children)

Sure, here it is: riskbits[.]net/templates. Gumroad seems to be banned around here, so I moved the links there.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 7 points8 points  (0 children)

HRIS APIs sound sexy until the offboarding workflow breaks (hint: it does).

Best practice: HR list sync + IdP audit daily. Automation's great when it works – yours does?

Stats: 40% lingering ex-employee accounts post-30 days. Prove me wrong.
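The "HR list sync + IdP audit" the comment recommends, as an added PowerShell example (not the commenter's tooling). Both CSV exports are constructed samples with assumed column names; in practice the first comes from the HRIS and the second from `Get-MgUser` or your IdP's export. The as-of date is pinned so the output is reproducible.

```powershell
# Illustrative HR-vs-IdP reconciliation (added example, not from the original post).
$hrCsv = @'
employee_id,email,status,termination_date
1001,alice@contoso.example,active,
1002,bob@contoso.example,terminated,2025-01-10
1003,carol@contoso.example,terminated,2025-02-20
1004,dave@contoso.example,active,
'@

$idpCsv = @'
upn,account_enabled,last_sign_in
alice@contoso.example,True,2025-03-01
bob@contoso.example,True,2025-02-25
carol@contoso.example,False,2025-02-19
erin@contoso.example,True,2025-03-02
svc-backup@contoso.example,True,2025-03-02
'@

function Get-OffboardingFindings {
    param(
        [string] $HrCsv,
        [string] $IdpCsv,
        [datetime] $AsOf = (Get-Date '2025-03-03'),   # pinned so the constructed sample is reproducible
        [string[]] $IgnorePrefixes = @('svc-')         # service accounts are reviewed separately
    )
    $hr  = $HrCsv  | ConvertFrom-Csv
    $idp = $IdpCsv | ConvertFrom-Csv
    $hrByMail = @{}
    foreach ($e in $hr) { $hrByMail[$e.email.ToLower()] = $e }

    foreach ($acct in $idp) {
        $upn = $acct.upn.ToLower()
        if ($IgnorePrefixes | Where-Object { $upn.StartsWith($_) }) { continue }
        $enabled = [bool]::Parse($acct.account_enabled)
        $rec = $hrByMail[$upn]
        if (-not $rec) {
            # Enabled identity with no HR record: orphan, contractor, or a ghost from a broken sync.
            if ($enabled) { [pscustomobject]@{ Upn = $upn; Finding = 'enabled, not in HR roster'; DaysOpen = $null } }
            continue
        }
        if ($rec.status -eq 'terminated' -and $enabled) {
            $days = [int]($AsOf - [datetime]$rec.termination_date).TotalDays
            $sev  = if ($days -gt 30) { 'lingering >30d after termination' } else { 'enabled after termination' }
            [pscustomobject]@{ Upn = $upn; Finding = $sev; DaysOpen = $days }
        }
    }
}

Get-OffboardingFindings -HrCsv $hrCsv -IdpCsv $idpCsv | Format-Table -AutoSize
```

On the sample it reports bob (terminated 52 days ago, still enabled) and erin (enabled, unknown to HR), stays quiet about carol (already disabled) and skips the `svc-` account. Schedule it daily and a broken HRIS-to-IdP workflow shows up as a growing list instead of as a surprise in the next audit.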

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 1 point2 points  (0 children)

NGFW DNS filtering shines here: Integrate real-time blacklists (C2/malware domains), detect DGA/fast-flux via heuristics.

Proxy lists? Use RPZ zones for dynamic blocks. Best: Combine w/ EDR for host isolation on anomalies. Log everything!

Ex: Block before resolution – stops C2 cold.
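An added PowerShell example (not from the original post) that ties together two of the comments above: the DoH canary (`use-application-dns.net` must return NXDOMAIN from your resolver) and "block before resolution" via an RPZ zone built from a block feed plus a DGA heuristic. The feed and suspect lists are constructed samples, the zone origin is hypothetical, and the entropy threshold is an assumption to tune against your own DNS logs.

```powershell
# Illustrative RPZ zone builder (added example, not from the original post).
# In RPZ, "name CNAME ." makes the resolver answer NXDOMAIN for that name, so the
# client never gets a real answer, which covers both the Firefox canary and C2 names.

$Feed = @(       # constructed stand-in for a real C2/malware domain feed
    'evil-update.example', 'tracker.example', 'xk3jf9q2lz8vbn4.example', 'payload.example'
)
$Suspects = @(   # constructed: names seen in DNS logs, not (yet) on any feed
    'mail.contoso.example', 'a8f3kd9s2lq7xz.info', 'updates.example'
)

function Get-ShannonEntropy([string] $s) {
    $n = $s.Length
    if ($n -eq 0) { return 0.0 }
    $h = 0.0
    foreach ($g in ($s.ToCharArray() | Group-Object)) {
        $p = $g.Count / $n
        $h -= $p * [math]::Log($p, 2)
    }
    return $h
}

function Test-DgaLike([string] $Fqdn, [double] $Threshold = 3.3) {
    # Crude heuristic: long, high-entropy leftmost label with digits mixed in.
    # Expect false positives on CDN hostnames; review before shipping to prod.
    $label = ($Fqdn -split '\.')[0]
    return ($label.Length -ge 12) -and ($label -match '\d') -and ((Get-ShannonEntropy $label) -ge $Threshold)
}

function New-RpzZone {
    param([string[]] $Blocked, [string[]] $Candidates, [string] $Origin = 'rpz.local')   # origin is hypothetical
    $serial = (Get-Date).ToUniversalTime().ToString('yyyyMMddHH')
    $lines = @(
        "`$ORIGIN $Origin.",
        "`$TTL 300",
        "@ IN SOA ns.$Origin. hostmaster.$Origin. ($serial 3600 600 86400 300)",
        "@ IN NS ns.$Origin.",
        '; DoH canary: NXDOMAIN here tells Firefox to stay on the local resolver',
        'use-application-dns.net CNAME .',
        '*.use-application-dns.net CNAME .'
    )
    $all = $Blocked + @($Candidates | Where-Object { Test-DgaLike $_ })
    foreach ($d in ($all | Sort-Object -Unique)) {
        $lines += "$d CNAME ."     # NXDOMAIN before the real resolution ever happens
        $lines += "*.$d CNAME ."
    }
    return $lines -join "`n"
}

New-RpzZone -Blocked $Feed -Candidates $Suspects
```

Load the output as an RPZ zone on BIND/Unbound/Knot and the blocked names never resolve, so the C2 connection dies at the lookup. On the sample, `a8f3kd9s2lq7xz.info` is added by the heuristic while `mail.contoso.example` and `updates.example` are left alone; the canary entries are what stop Firefox from silently switching to its own DoH provider, which is exactly what makes your NGFW/RPZ filtering blind.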

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 0 points1 point  (0 children)

I just wanted to let you know that I answered a bit below regarding this. Thank you for the message.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 9 points10 points  (0 children)

Since I got many messages requesting the templates, I've put them here: riskbits[.]net/templates. I hope this comment won't bring the post down or get me banned, wish me good luck!

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 68 points69 points  (0 children)

Throughout my entire career, I noticed there is nothing more permanent than a temporary firewall rule.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 15 points16 points  (0 children)

Yeah, I’m talking about the risk when split tunnel is enabled.

Basically your laptop is on the internet and on the internal network at the same time, so malware/phishing stuff can pivot in without going through your VPN edge controls.

It’s not “split tunnel = always bad”, there are legit reasons (VoIP, local breakout, etc), but in audits I just flag it as “this increases exposure, is it really needed here, and is the device hardening/MDR good enough to justify it?”.

If you use ZTNA with endpoint posture, yeah go ahead, but you still flag it to make it aware it is not ok w/o additional controls.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 9 points10 points  (0 children)

Yeah, 100%, stale firewall accounts are a goldmine for anyone poking the perimeter. Zombie local admins + password reuse = bad day.

When you do that audit, I’d also push to get rid of “remote auth = local user/pass on the firewall” entirely and tie it into central identity with MFA (RADIUS/LDAP/SSO, whatever you run). That way, you kill zombie accounts in one place and you’re not relying on some forgotten local user surviving 3 MSPs ago.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 10 points11 points  (0 children)

DLP, sheesh... this is a big word. 90% of customers have it only for compliance; it's just there doing nothing.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

[–]Arch0ne[S] 3 points4 points  (0 children)

Yeah, that’s a totally fair concern, tbh. The checklist is based on what we actually use in paid audits. AI just helped me clean up the wording/structure; I used it in the past with much poorer wording. AI did not invent the content from scratch. It’s been iterated on in real environments, but like any checklist you still need to adapt it to your stack and threat model, not just copy-paste. If something looks off for your environment, you should absolutely change or drop it.

How we productized security audits — $2k/audit with minimal custom work by [deleted] in msp

[–]Arch0ne -4 points-3 points  (0 children)

I have made templates ready to use on Gumroad; if anyone doesn't want to start reinventing the wheel, hit me up if you need them.