Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.

• Remove unnecessary write permissions on sensitive files and directories.
• Use file ownership and groups to control access for specific roles. Example (Windows): Right-click the shared folder.
• Properties.
• Security tab.
• Adjust permissions for NTFS ACLs.

• Disable anonymous access to shared folders.
• Enforce NTFS permissions for shared folders on Windows. Example: Set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access. On Linux, apply: chmod 750 /etc/sensitive.conf `chown root:admin /etc/sensitive.

• Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.

• Enable auditing to track permission changes or unauthorized access attempts.
• Use auditd (Linux) or Event Viewer (Windows) to log activities.

• Configure permissions to prevent unauthorized writes to directories like C:\ProgramData\Microsoft\Windows\Start Menu. Example: Restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.
• On Windows, use icacls to modify permissions: icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F.
• On Linux, monitor permissions using tools like lsattr or auditd.

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

• Implement RBAC and least privilege principles to allocate permissions securely.
• Use tools like Active Directory Group Policies to enforce access restrictions.

• Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
• Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

• Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

• Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

• Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

• Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

• CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

• Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

• Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

• sudo configuration, SELinux, AppArmor.

• Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse.

• Minimum password length (e.g., 12+ characters).
• Password complexity requirements.
• Password history (e.g., disallow last 24 passwords).
• Account lockout duration and thresholds.

• Use pam_pwquality to enforce complexity and length requirements.
• Implement pam_tally2 or pam_faillock for account lockouts.
• Use pwunconv to disable password reuse.

• Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.

• Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.

• Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.

• Group Policy Management Console (GPMC): Enforce password policies.
• Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.

• PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
• Lynis: Audit password policies and system configurations.

• Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
• Have I Been Pwned API: Prevent the use of breached passwords.
• NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled.

• Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
• Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

• Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
• Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

• Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
• Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

• Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
• Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

• Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
• Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.