Skip to main content

5.2 Compute Resources

5.2 Compute Resources

  • Role-Based Access Control (RBAC):

    • a. DTC retains and manages credentials for Built-In Administrator, Domain Administrator, and dtcadminaccounts.

    • b. DTC creates unique administrator accounts for client-designated decision-makers, granting local or full administrative privileges as specified.

    • c. Decision-makers are permitted to retain access to Domain Administrator credentials.

    • d. Upon termination of services, all compute resource credentials managed by DTC are released to the client.

  • Server Console and Shell Protections:
    • Remote Desktop Protocol (RDP):

      • e. Configured to accept connections only from:

        • The server itself (localhost).

        • Directly attached non-public networks.

        • Designated management networks, if they exist.

    • PowerShell Remoting:

      • f. Configured to accept connections only from:

        • The server itself (localhost).

        • Directly attached non-public networks.

        • Designated management networks, if they exist.

    • Windows Management Instrumentation (WMI):
      • g. Enabled to facilitate system management and monitoring.

    • Windows Firewall:

      • h. Disabled by default; configurable based on client requirements.

    • Server Message Block (SMB) 1.0:

      • i. Disabled unless explicitly required by specific applications to mitigate security vulnerabilities.

    • Secure Shell (SSH):

      • j. Enabled to provide secure remote access and management.

    • Network Tunnel Agent:

      • k. May be deployed for DTC management purposes or to facilitate client remote network access.

  • Administrator Account Credentials Rotation:

    • l. Credentials for both the built-in Administrator and dtcadmin accounts are automatically rotated under the following conditions:

      • At system boot.

      • Upon user sign-in.

      • On a weekly basis.

    • m. These credentials are randomized with a minimum length of 16 characters to enhance security.

  • Data Protections:

    • n. All data protections for local data volumes and directly attached data volumes adhere to the policies outlined in section 5.3 Storage. This ensures consistent application of encryption, media disposal, backup encryption, and immutability standards across all storage mediums.

  • Incident Response Integration:

    • o. Deploy Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) agents across all compute resources.​

    • p. Ensure continuous monitoring and analysis of endpoint activities to detect and respond to potential threats.​

    • q. Facilitate collaboration between EDR/MDR solutions and the Security Operations Center (SOC) to coordinate rapid incident response and remediation efforts.​

Technical Controls:

Control ID Description Tools/Methods
a Retain and manage credentials for Built-In Administrator, Domain Administrator, and dtcadmin accounts. NinjaRMM, IT Glue
b Create unique administrator accounts for client-designated decision-makers with specified administrative privileges. Active Directory, Entra ID, Google Workspace
c Permit decision-makers to retain access to Domain Administrator credentials. Active Directory, IT Glue
d Release all compute resource credentials managed by DTC to the client upon termination of services. Microsoft 365 Mail Encryption, IT Glue, 1Password
e Configure Remote Desktop Protocol (RDP) to accept connections only from the server itself, directly attached non-public networks, and designated management networks. NinjaRMM, Microsoft Windows Group Policy
f Configure PowerShell Remoting to accept connections only from the server itself, directly attached non-public networks, and designated management networks. NinjaRMM, Microsoft Windows Group Policy
g Enable Windows Management Instrumentation (WMI) for system management and monitoring. NinjaRMM, Microsoft Windows Group Policy
h Disable Windows Firewall by default; configurable based on client requirements. NinjaRMM, Microsoft Windows Group Policy
i Disable SMB 1.0 unless required by specific applications to mitigate security risks. NinjaRMM, Microsoft Windows Group Policy
j Enable SSH to facilitate secure remote access and management. Microsoft Windows OpenSSH Server & Client, NinjaRMM, Microsoft Windows Group Policy
k Deploy network tunnel agents for DTC management or client remote access as needed. NinjaRMM, Windows or Linux Server, DTC Probe Appliance, Cloudflared, ZeroTier
l Credentials for both the built-in Administrator and dtcadmin accounts are automatically rotated NinjaRMM
m These credentials are randomized with a minimum length of 16 characters to enhance security. NinjaRMM
n All data protections for local data volumes and directly attached data volumes adhere to the policies outlined in section 5.3 Storage. This ensures consistent application of encryption, media disposal, backup encryption, and immutability standards across all storage mediums. NinjaRMM
o

Deploy Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) agents across all compute resources.​

 NinjaRMM, Blackpoint SNAP Agent
p

Ensure continuous monitoring and analysis of endpoint activities to detect and respond to potential threats.​

 Blackpoint SNAP Agent
q

Facilitate collaboration between EDR/MDR solutions and the Security Operations Center (SOC) to coordinate rapid incident response and remediation efforts.​

 Blackpoint SNAP Agent

No comments to display

Back to top