01
Why Your IT Foundation Matters
Most businesses build IT reactively: adding tools as needs arise, fixing problems after they occur. Businesses that stay secure as they grow do the opposite: they build a foundation designed to be secure from the start.
This checklist covers the core setup that De4sec implements for every new client. Done correctly, it takes 2-5 days for a business of 1-20 staff.
A properly configured IT environment costs less than one hour of downtime from a ransomware event.
02
Identity & Access Management
Microsoft 365 Setup
☐ Create tenant with custom domain, not @outlook.com
☐ Assign licences by role; not everyone needs E3
☐ Configure tenant region, timezone, and compliance settings
Multi-Factor Authentication
☐ Enable MFA for every user, no exceptions
☐ Use Microsoft Authenticator app, not SMS where possible
☐ Disable legacy auth protocols (SMTP Auth, IMAP, POP3 where not required)
☐ Create a break-glass admin account for emergencies
Conditional Access
☐ Require MFA for all cloud app access
☐ Block legacy authentication protocols
☐ Require compliant device for sensitive data access
☐ Flag logins from unexpected countries
Admin Separation
☐ Dedicated admin accounts separate from daily-use accounts
☐ Admin accounts have no mailbox and are never used for browsing
☐ Apply Privileged Identity Management (PIM) for Just-in-Time admin access
03
Device & Endpoint Security
Microsoft Intune
☐ Enrol all Windows and macOS devices
☐ Configure compliance policies: encryption, OS version, screen lock
☐ Deploy Microsoft Defender for Endpoint baseline
☐ Create device groups for ring-based update rollout
Encryption
☐ Enable BitLocker (Windows) via Intune policy
☐ Enable FileVault (macOS) via Intune
☐ Confirm keys are escrowed to Entra ID, not just local
Endpoint Protection Baseline
☐ Defender real-time protection enabled on all devices
☐ Tamper protection enabled
☐ Cloud-delivered protection and auto-sample submission enabled
☐ Attack surface reduction rules configured
☐ Web content filtering applied
Wi-Fi
☐ Separate SSIDs for business, guest, and IoT/POS
☐ Business Wi-Fi on WPA3 or WPA2-Enterprise
☐ Guest Wi-Fi isolated from business network
☐ Default router admin credentials changed
Segmentation
☐ VLAN separation for POS/payment systems
☐ Firewall rules: deny by default, allow by exception
☐ Unused ports and services disabled
Email Authentication
☐ SPF record published
☐ DKIM configured and signing all outbound email
☐ DMARC at p=quarantine minimum, reporting to monitored mailbox
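One way to verify the SPF and DMARC items above once the records are published, shown as an added example that is not De4sec's own tooling. The function names, the placeholder domain example.com and the sample records are constructed for illustration; in practice the input would be the TXT records returned by a DNS lookup.

```python
# Added example: offline audit of SPF and DMARC TXT records (sample data is constructed).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_tags(record):
    """Split a DMARC record ("k=v; k=v") into a dict with lowercase keys."""
    pairs = (part.partition("=") for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, _, value in pairs}

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    tags, findings = parse_tags(dmarc[0]), []
    policy = tags.get("p", "").lower()
    if POLICY_RANK.get(policy, -1) < POLICY_RANK["quarantine"]:
        findings.append(f"p={policy or 'missing'} is below p=quarantine")
    # sp= overrides p= for subdomains, so a weak sp= undoes a strong p=.
    if "sp" in tags and POLICY_RANK.get(tags["sp"].lower(), -1) < POLICY_RANK["quarantine"]:
        findings.append(f"sp={tags['sp']} leaves subdomains below quarantine")
    # pct below 100 applies the policy to only a sample of failing mail.
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} enforces the policy on only part of the mail")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("no rua=mailto: address, so aggregate reports go nowhere")
    return findings

def audit_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.strip().lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # RFC 7208: more than one v=spf1 record is a permanent error.
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()
    if "+all" in terms or "all" in terms:
        return ["SPF passes every sender (+all)"]
    if not {"-all", "~all"} & set(terms) and not any(t.startswith("redirect=") for t in terms):
        return ["SPF has no -all or ~all, so unlisted senders get a neutral result"]
    return []

# Constructed sample records for the placeholder domain example.com.
WEAK_DMARC = ["v=DMARC1; p=none; pct=50"]
GOOD_DMARC = ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"]
GOOD_SPF = ["v=spf1 include:spf.protection.outlook.com -all"]

if __name__ == "__main__":
    print("weak DMARC:", audit_dmarc(WEAK_DMARC))
    print("good DMARC:", audit_dmarc(GOOD_DMARC) or "meets the checklist")
    print("good SPF:", audit_spf(GOOD_SPF) or "meets the checklist")
```

The check only confirms that a `rua` address exists; whether that mailbox is actually monitored still has to be confirmed by hand.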
05
Backup & Disaster Recovery
The most common finding in our assessments: backups that have never been tested.
Backup Scope
☐ Microsoft 365 mailboxes (requires third-party tool)
☐ SharePoint and OneDrive content
☐ On-premise servers and NAS
☐ Critical application databases
Backup Configuration
☐ Daily automated backups
☐ 30-day minimum retention (90 days preferred)
☐ Offsite or separate cloud region copy
☐ Immutable or ransomware-protected storage
Recovery Testing
☐ Test restore within 30 days of initial setup
☐ Quarterly restore tests; document results
☐ Document RTO and RPO for business
Microsoft 365 Monitoring
☐ Unified audit log enabled
☐ Sign-in monitoring: alert on impossible travel
☐ Microsoft Secure Score above 60% for SMB baseline
☐ Defender alerts reviewed weekly
Endpoint Monitoring
☐ Intune device compliance reports reviewed
☐ Patch compliance report monthly, target 95%+
☐ Defender incidents reviewed and resolved
Incident Response Contacts
☐ Who to call if incident occurs, documented
☐ What to do in first 30 minutes if ransomware suspected
☐ Printed copy kept off-site