GSO Recommendations

macOS Firewall and Gatekeeper

macOS FileVault Encryption

Windows Firewall Configuration

Windows Defender Protection

Windows Local Admin Control: Privilege Escalation and Credential Reuse Risk

Windows LAPS Configuration: Local Administrator Password Reuse Risk

Windows Attack Surface Reduction: Macro, Script and Credential Theft Protection

Windows BitLocker Encryption: Lost or Stolen Device Data Exposure

Set Anonymous Link Expiration in SharePoint: Long-Lived External Sharing Risk

Require Token Binding Protection: Token Theft and Replay Protection

Disable Persistent Browser Sessions: Long-Lived Session Exposure Risk

Require MFA to Register Security Information: MFA Reset and Registration Abuse Risk

Block High-Risk Users: Active Identity Compromise Protection

Block High-Risk Sign-Ins: Compromised Sign-In Protection

Require MFA for Azure Management: Cloud Control Plane Protection

Require MFA for Administrators: Privileged Account Takeover Protection

Enable Admin Approval for App Consent: Safer App Access Review

Disable User OAuth App Consent: Unreviewed Third-Party App Access Risk

Disable Legacy Authentication: Older Sign-In Methods Bypassing Modern Protection

Disable Device Code Flow: Device Code Phishing Protection

Phishing URL Clicked

Transport Rule Changed

Mailbox Audit Bypass

User Created and Made Admin

OAuth Phishing via First-Party Microsoft Apps

New Federated Domain Added

Excessive Authentication Failures

Session Hijack via Unusual IP Change

PST Export & eDiscovery Abuse

Power Automate Flow Created: Automation Abuse & Data Exfiltration Risk

Files Shared Externally: Data Exposure via Anonymous Links & Guest Access

Anomalous Delete Sequence: Ransomware Preparation & Data Destruction Risk

Suspicious Inbox Rules: Mail Hiding, Deletion & Persistence Risk

Mailbox Delegation Risk: Unauthorised Access & Impersonation Exposure

Inactive Guest Users: Forgotten External Access Risk

Guest Users with Risky Access: External Identity Exposure Risk

Break-Glass Accounts: Emergency Access Without Monitoring or Guardrails

Legacy Authentication Exposure: Older Protocols Bypassing Modern Sign-In Protection

Unprotected Admin Portals: Privileged Access Without Strong Controls

Conditional Access Exclusions: Intended Exceptions Creating Long-Term Bypass Risk

Conditional Access MFA Bypass Paths: Users Can Access Without Expected MFA

Intune Policy Coverage Gaps: Device Configuration & Compliance Blind Spots

Devices Overview: Unmanaged & Stale Device Exposure Risk

Open Defender Incidents: Active Threat Investigation & Response Risk

Dormant Apps: Forgotten Application Access & Credential Exposure Risk

Apps with Admin Roles: Privileged Service Principal Abuse Risk

Apps with Risky Permissions: OAuth Data Access & Persistence Risk

Risky Inbox Forwarding Rules: Data Exfiltration & Post-Compromise Persistence

Dormant Users: Stale Account Access & Persistence Risk

Users with Risky MFA Settings: Account Compromise & Lateral Movement Risk

Admins with Risky MFA Settings: Privileged Account Takeover Risk

External Email Forwarding Rules: Data Exfiltration & Persistence Risk