Ransomware: Infrastructure

Even with well-trained users, technical controls are essential. Assume a threat actor will eventually gain initial access — your infrastructure must limit lateral movement, protect privileged credentials, and ensure recovery is possible without paying a ransom. Your reference architecture should be designed with these critical items in mind.

External Firewalls

Your perimeter firewall is the first line of defense. Modern next-generation firewalls (NGFW) provide intrusion detection/prevention, application-layer filtering, and threat intelligence feeds that block known malicious IPs and domains.

Key practices: disable unused ports and protocols, require VPN for all remote access, implement geo-blocking if your business doesn’t operate internationally, and audit firewall rules quarterly to remove stale exceptions. Default-deny policies should be standard — only explicitly permitted traffic passes.

Internal Firewalls

Network segmentation limits an attacker’s ability to move laterally after initial compromise. Separate your network into zones by function and trust level: user workstations, servers, management interfaces, IoT devices, and guest networks should not have unrestricted communication.

Microsegmentation takes this further by controlling traffic between individual workloads. Zero Trust principles apply here — no implicit trust based on network location. East-west traffic (server to server) should be inspected and restricted, not just north-south (in/out of the network). For instance, a database server should only allow access to its database from the specific server where the associated application is hosted.
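The two rule-hygiene practices above (quarterly review for stale and expired exceptions, default-deny as the final rule) and the east-west example (the database accepts connections only from its application server) can be checked mechanically once the rule base is exported. The script below is an added example for this article, not tooling from any firewall vendor: the rule fields, the RFC 1918 / RFC 5737 addresses and the 90-day staleness threshold are constructed assumptions.

```python
"""Audit a firewall rule set for stale exceptions, a missing default-deny and
over-permissive east-west rules.

Added example for this article, not a vendor's tool. Rule fields, addresses
and the 90-day threshold are constructed assumptions; export your own rule
base into this shape to run the same checks."""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    port: Optional[int]       # None means any port
    action: str               # "allow" or "deny"
    last_hit: Optional[date]  # last time the rule matched traffic (None: never)
    expires: Optional[date]   # expiry date of a temporary exception

STALE_AFTER = timedelta(days=90)   # assumption: an unused allow rule this old is a stale exception

def _contained(cidr: str, within: str) -> bool:
    """True when every address in `cidr` lies inside `within` ("any" contains everything)."""
    if within == "any":
        return True
    if cidr == "any":
        return False
    return ip_network(cidr, strict=False).subnet_of(ip_network(within, strict=False))

def audit_rules(rules: list[Rule], today: date) -> list[tuple[str, str]]:
    """Return (rule name, issue) pairs for the quarterly rule review."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any" and r.port is None:
            findings.append((r.name, "permits any source to any destination on any port"))
        if r.last_hit is None or today - r.last_hit > STALE_AFTER:
            findings.append((r.name, "stale: no hits in 90 days"))
        if r.expires is not None and r.expires < today:
            findings.append((r.name, "expired exception"))
    return findings

def has_default_deny(rules: list[Rule]) -> bool:
    """Default-deny means the final rule drops everything not explicitly permitted."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "deny" and last.src == "any" and last.dst == "any" and last.port is None

def check_east_west(rules: list[Rule], service_host: str, service_port: int,
                    allowed_sources: list[str]) -> list[str]:
    """Names of allow rules reaching service_host:service_port from outside allowed_sources."""
    violations = []
    for r in rules:
        if r.action != "allow" or (r.port is not None and r.port != service_port):
            continue
        if not _contained(service_host, r.dst):
            continue  # rule does not cover the service host at all
        if not any(_contained(r.src, ok) for ok in allowed_sources):
            violations.append(r.name)
    return violations

# Constructed rule base in evaluation order; the last rule is the default.
RULES = [
    Rule("vendor-rdp-exception", "203.0.113.0/24", "10.0.2.0/24", 3389, "allow",
         last_hit=date(2023, 11, 2), expires=date(2024, 1, 31)),
    Rule("app-to-db", "10.0.2.10/32", "10.0.3.20/32", 5432, "allow",
         last_hit=date(2024, 5, 30), expires=None),
    Rule("workstations-to-db", "10.0.1.0/24", "10.0.3.20/32", 5432, "allow",
         last_hit=date(2024, 5, 29), expires=None),
    Rule("legacy-any", "any", "any", None, "allow", last_hit=None, expires=None),
    Rule("default-deny", "any", "any", None, "deny", last_hit=date(2024, 5, 30), expires=None),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for name, issue in audit_rules(RULES, TODAY):
        print(f"{name}: {issue}")
    print("default deny present:", has_default_deny(RULES))
    print("east-west violations for 10.0.3.20:5432:",
          check_east_west(RULES, "10.0.3.20", 5432, ["10.0.2.10/32"]))
```

The east-west check is the one worth running continuously: a new `allow` toward the database segment from anywhere other than the application server is exactly the rule an attacker (or a hurried admin) adds to move laterally.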

Admin Authentication

Compromised administrative credentials are the keys to the kingdom. Attackers specifically target domain admins, backup operators, and service accounts with elevated privileges.

Mitigations: use dedicated admin accounts separate from daily-use accounts, enforce phishing-resistant Multi-Factor Authentication (hardware tokens or FIDO2) for all privileged access, implement Privileged Access Management (PAM) with just-in-time elevation, and monitor for anomalous admin account usage. Admin workstations should be hardened and isolated from general network traffic.
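The monitoring item above becomes concrete once the three rules are written down as detections: privileged accounts are dedicated accounts, they log on interactively only from hardened admin workstations, and only inside an approved just-in-time window. The script below is an added example for this article, not a SIEM vendor's rule set; the event format, account and host names, group names, the `adm-`/`svc-` naming convention and the JIT approval table are all constructed.

```python
"""Flag anomalous privileged-account activity in authentication events.

Added example for this article, not a product's rule set. Event format,
account/host/group names, the naming convention and the JIT approvals are
constructed assumptions."""
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
ADMIN_WORKSTATIONS = {"PAW-01", "PAW-02"}   # hardened, isolated admin hosts
ADMIN_PREFIXES = ("adm-", "svc-")           # assumption: dedicated admin/service account naming

# Constructed account directory: account -> group memberships
ACCOUNTS = {
    "adm-jsmith": {"Domain Admins"},
    "jsmith": {"Domain Users"},
    "adm-nkhan": {"Domain Admins"},
    "svc-backup": {"Backup Operators"},
    "mlee": {"Domain Users", "Domain Admins"},   # daily-use account holding admin rights
}

# Constructed JIT approvals: account -> (window start, window end)
JIT_WINDOWS = {
    "adm-jsmith": (datetime(2024, 6, 3, 9, 0), datetime(2024, 6, 3, 11, 0)),
}

# Constructed logon events: time|account|source_host|logon_type
EVENTS = """\
2024-06-03T09:15:00|adm-jsmith|PAW-01|interactive
2024-06-03T12:30:00|adm-jsmith|PAW-01|interactive
2024-06-03T10:02:00|adm-nkhan|WS-FINANCE-07|interactive
2024-06-03T10:05:00|jsmith|WS-IT-03|interactive
2024-06-03T02:00:00|svc-backup|BACKUP-01|service
2024-06-03T14:40:00|svc-backup|WS-HR-12|interactive
"""

def is_privileged(account: str) -> bool:
    return bool(ACCOUNTS.get(account, set()) & PRIVILEGED_GROUPS)

def non_dedicated_admins(accounts: dict) -> list[str]:
    """Accounts holding privileged group membership that are not dedicated admin accounts."""
    return sorted(a for a, groups in accounts.items()
                  if groups & PRIVILEGED_GROUPS and not a.startswith(ADMIN_PREFIXES))

def detect(events_text: str) -> list[tuple[str, str, str]]:
    """Return (time, account, reason) for each suspicious privileged interactive logon."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, account, host, logon_type = line.split("|")
        if not is_privileged(account) or logon_type != "interactive":
            continue
        when = datetime.fromisoformat(ts)
        if host not in ADMIN_WORKSTATIONS:
            findings.append((ts, account, f"privileged interactive logon from non-admin host {host}"))
        window = JIT_WINDOWS.get(account)
        if window is None or not (window[0] <= when <= window[1]):
            findings.append((ts, account, "privileged logon outside an approved JIT elevation window"))
    return findings

if __name__ == "__main__":
    print("privileged accounts that are not dedicated:", non_dedicated_admins(ACCOUNTS))
    for ts, account, reason in detect(EVENTS):
        print(ts, account, reason)
```

Note that the service account's scheduled logon on the backup server produces nothing, while the same account used interactively on an HR workstation produces two findings; interactive use of a service account is a classic precursor to backup destruction.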

User Access and Authentication

DNS filtering, web proxies, and browser isolation can block known malicious sites and limit exposure. Keep browsers and operating systems updated — most drive-by exploits target outdated software.

Email defenses should include gateway filtering, DMARC/DKIM/SPF authentication, attachment sandboxing, and a clear process for reporting suspicious messages. Make reporting easy and never punish users for false positives.
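SPF and DMARC are only as strong as the records actually published, and weak settings (`p=none`, `+all`, partial `pct`) are common. The checker below is an added example for this article, not a mail vendor's tool; the sample records are constructed, and the checks follow the tag and mechanism semantics of RFC 7208 (SPF) and RFC 7489 (DMARC). DKIM is a per-message signature verified by the gateway, so it has no static record check here.

```python
"""Check published SPF and DMARC records for settings that weaken sender
authentication.

Added example for this article. Sample records are constructed; checks follow
RFC 7208 (SPF) and RFC 7489 (DMARC)."""
import re

DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list[str]:
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none: failing mail is still delivered (monitoring only)")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports show no legitimate failures")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains are unprotected")
    pct = tags.get("pct", "100")          # default is 100 when the tag is absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected")
    return findings

def spf_findings(record: str) -> list[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in DNS_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow; list addresses explicitly")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: every sender passes SPF, which defeats the record")
    elif all_qualifier == "?":
        findings.append("?all: neutral, unlisted senders are not rejected")
    elif all_qualifier == "~":
        findings.append("~all: softfail only; use -all once every legitimate sender is listed")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying mechanisms: receivers return permerror above 10")
    return findings

# Constructed records for the example
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_STRONG = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
SPF_WEAK = "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net ptr +all"
SPF_STRONG = "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, rec, fn in [("DMARC", DMARC_WEAK, dmarc_findings), ("SPF", SPF_WEAK, spf_findings)]:
        print(label, rec)
        for f in fn(rec):
            print("  -", f)
```

In practice you would feed the checker the TXT records returned for `_dmarc.<domain>` and for the domain itself; the records above are inline so the example runs offline.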

Where possible, enforce phishing-resistant Multi-Factor Authentication (hardware tokens or FIDO2). SMS-based MFA is vulnerable to SIM swapping and interception. App-based authenticators or hardware tokens are significantly more resistant to phishing.

End Devices

Workstations, laptops, and mobile devices are the most common entry points. Endpoint Detection and Response (EDR) solutions provide visibility and automated response capabilities beyond traditional antivirus.

Additional controls: application whitelisting to prevent unauthorized executables, disabling unnecessary services (particularly RDP and SMBv1), enforced patch management with short deployment windows, and device compliance checks before granting network access. Require device encryption and remote wipe capability for mobile devices.

Personal Devices and BYOD

Network segmentation is critical. If employees connect personal devices to corporate networks or access company data (email, file shares, and other internal tools) from personal phones and laptops, those devices become part of your attack surface. Unmanaged devices may lack current patches, run no endpoint protection, or be shared with family members.

  • Devices enrolled in Mobile Device Management (MDM) with enforced policies — device encryption, current OS, approved endpoint protection — can be permitted on a corporate mobile VLAN with access to internal resources.
  • Devices without MDM enrollment should be restricted to the guest network with internet access only and no connectivity to internal systems including email.

This creates a clear boundary: if you want corporate access from a personal device, you accept corporate control. If you don’t want MDM on your personal phone, you can still get Wi-Fi for company-permitted personal use.

Snapshots

Storage-level snapshots provide rapid recovery points but are only useful if attackers can’t delete or encrypt them. Immutable snapshots — configured so they cannot be modified or removed for a defined retention period — are essential.

Snapshot management should be out-of-band: the credentials and interface used to manage snapshots should be completely separate from your production Active Directory. If an attacker compromises your domain, they should not automatically gain access to your snapshot infrastructure. Test restoration regularly.

Backups

Backups are your last line of defense, but ransomware operators know this and target backup infrastructure first. The 3-2-1 rule is foundational: three copies of data, on two different media types, with one copy offsite. Some recommend going further with a 3-2-1-1-0 model, which adds the requirements of an offline copy and regular restore testing.

Critical additions: at least one backup copy must be immutable (WORM — Write Once Read Many) or air-gapped (physically disconnected), and backup system credentials must not be tied to production AD. Restoration must be tested regularly, because an untested backup is not a reliable backup. Document your recovery procedures and practice them.
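The 3-2-1-1-0 checks and the credential-separation rule above lend themselves to an inventory check that runs alongside restore testing. The script below is an added example for this article, not any backup product's tooling; the inventory fields, the sample copies, the production domain name and the restored sample data are constructed. The "0" is implemented as the article describes restore testing: data read back from a copy must match the digest recorded when the backup was taken.

```python
"""Check a backup inventory against 3-2-1-1-0 and verify restores.

Added example for this article, not a backup product's tooling. Inventory
fields, sample copies, domain name and sample data are constructed."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str         # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable: bool    # WORM / retention lock: cannot be changed or deleted during retention
    offline: bool      # air-gapped: not reachable from the production network
    auth_domain: str   # identity realm whose credentials manage this copy

PRODUCTION_DOMAIN = "corp.example.com"   # constructed production AD domain

def inventory_findings(copies: list[BackupCopy]) -> list[str]:
    """3 copies, 2 media, 1 offsite, 1 immutable-or-offline, and no copy managed from production AD."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies on one media type; need 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable or c.offline for c in copies):
        findings.append("no immutable or offline copy; an attacker holding backup credentials can destroy every copy")
    for c in copies:
        if c.auth_domain == PRODUCTION_DOMAIN:
            findings.append(f"{c.name}: managed with production directory credentials")
    return findings

def verify_restore(restored: bytes, recorded_sha256: str) -> bool:
    """The '0': restored data must match the digest recorded at backup time."""
    return hashlib.sha256(restored).hexdigest() == recorded_sha256

def restore_findings(restores: dict[str, tuple[bytes, str]]) -> list[str]:
    """restores maps copy name -> (bytes read back from that copy, digest from the backup catalog)."""
    return [f"{name}: restore verification failed (hash mismatch)"
            for name, (data, digest) in restores.items() if not verify_restore(data, digest)]

# Constructed inventory and restore-test data
COPIES = [
    BackupCopy("primary-disk", "disk", offsite=False, immutable=False, offline=False,
               auth_domain=PRODUCTION_DOMAIN),
    BackupCopy("cloud-object-lock", "object-storage", offsite=True, immutable=True, offline=False,
               auth_domain="backup-vault.local"),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=False, offline=True,
               auth_domain="backup-vault.local"),
]
ORIGINAL = b"payroll-2024-05.csv (constructed sample content)"
RECORDED_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()   # stored in the backup catalog at backup time
RESTORES = {
    "primary-disk": (ORIGINAL, RECORDED_SHA256),
    "tape-vault": (ORIGINAL[:-1] + b"?", RECORDED_SHA256),   # simulated media error on read-back
}

if __name__ == "__main__":
    for f in inventory_findings(COPIES) + restore_findings(RESTORES):
        print(f)
```

With the sample inventory the only structural finding is the domain-joined primary backup server, which is the common real-world gap: the copy that is fastest to restore from is also the one a domain compromise reaches first.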