Quarterly Network Security Review
Identity & Access Review
Pull the conditional access policy export and confirm legacy authentication is blocked org-wide. Confirm that policies scoped to 'All users' exclude only the break-glass accounts; exclusion creep is the most common drift between quarters.
Run the Entra ID auth methods report against the Tier 0 / Tier 1 admin groups (Global Admin, Privileged Role Admin, Domain Admin equivalents). Service accounts and break-glass accounts are intentional exceptions; document them. Any human admin without phishing-resistant MFA (FIDO2, Windows Hello, certificate) is a finding.
Open a P1 ticket per affected admin: enroll FIDO2 key or migrate to Windows Hello, revoke active sessions, and confirm enrollment in the auth methods report before closing. Do not proceed with the rest of the review until Tier 0 is clean.
Use Entra ID Access Reviews (or manual export) on Domain Admins, Enterprise Admins, Global Administrators, and any custom roles with delegated admin rights. Each member must be re-attested by a named approver — no rubber-stamping. Members not attested in 7 days get removed.
Pull the lastSignInDateTime report from Entra ID and AD lastLogonTimestamp. Cross-reference HR's active employee list — terminations that didn't trigger offboarding land here. Disable (do not delete) and tag the account with the date for audit retention.
Check the Entra ID sign-in logs filtered on legacy auth protocols (IMAP, POP, SMTP AUTH, MAPI, EWS basic). Any successful legacy sign-ins bypass MFA entirely and are the most common preventable breach vector. Block at the conditional access layer, not just at the mailbox.
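Triage helper for the legacy-auth check above, added here as an example and not part of the original checklist. It assumes the sign-in log export follows the Graph signIns shape (userPrincipalName, clientAppUsed, createdDateTime, status.errorCode); the sample records and the set of legacy clientAppUsed values are assumptions for this example.

```python
"""Triage an Entra ID sign-in log export for successful legacy-auth sign-ins.

Assumptions: records follow the Graph signIns export shape; the sample
records below are constructed for this example, not real tenant data.
"""
from collections import defaultdict

# clientAppUsed values treated as legacy (non-modern) authentication.
# Assumed working set for the review; extend it if the tenant shows others.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "MAPI Over HTTP",
    "Exchange Web Services", "Exchange ActiveSync", "Other clients",
    "Outlook Anywhere (RPC over HTTP)",
}

SAMPLE_SIGNINS = [  # constructed sample
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "createdDateTime": "2024-03-01T08:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "createdDateTime": "2024-03-02T09:10:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "createdDateTime": "2024-03-03T09:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Authenticated SMTP",
     "createdDateTime": "2024-03-04T10:00:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "createdDateTime": "2024-03-05T11:00:00Z", "status": {"errorCode": 0}},
]


def successful_legacy_signins(records):
    """Return {upn: {"protocols": set, "count": n, "last_seen": ts}} for
    sign-ins that used a legacy protocol AND succeeded (errorCode 0).
    Failed legacy attempts are noise here; a success is the finding,
    because it means MFA was never evaluated."""
    findings = defaultdict(lambda: {"protocols": set(), "count": 0, "last_seen": ""})
    for r in records:
        if r.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        if r.get("status", {}).get("errorCode", 1) != 0:
            continue
        f = findings[r["userPrincipalName"]]
        f["protocols"].add(r["clientAppUsed"])
        f["count"] += 1
        f["last_seen"] = max(f["last_seen"], r["createdDateTime"])
    return dict(findings)


if __name__ == "__main__":
    for upn, f in sorted(successful_legacy_signins(SAMPLE_SIGNINS).items()):
        print(f"{upn}: {f['count']} legacy sign-in(s) via {sorted(f['protocols'])}, last {f['last_seen']}")
```

Each user in the output is a conditional-access finding to fix at the policy layer; a service account that shows up here needs its own ticket to move off basic auth rather than an exception.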
Firewall & Network Segmentation
Export rules from FortiGate / Palo Alto / Meraki MX. Flag any rule with source 'any' and destination 'any', overly broad service objects, or rules with hit count zero over the last quarter (candidates for removal). Document the business justification on every retained permit rule.
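Rule-review script for the export step above, added as an example and not code from any of the named vendors. It assumes the export has been normalised to a CSV with the columns name,action,src,dst,service,hits; the sample ruleset is constructed.

```python
"""Review a firewall rule export for the conditions the checklist calls out:
any/any rules, overly broad service objects, and permit rules with zero hits
over the review period.

Assumptions: vendor export normalised to CSV (name,action,src,dst,service,hits);
the sample below is constructed for this example, not a real ruleset.
"""
import csv
import io

SAMPLE_EXPORT = """name,action,src,dst,service,hits
allow-web-out,permit,corp-lan,any,HTTPS,48213
legacy-vendor,permit,any,any,any,917
old-ftp-in,permit,any,dmz-ftp,FTP,0
block-guest-corp,deny,guest-vlan,corp-lan,any,0
mgmt-to-fw,permit,it-admin-net,fw-mgmt,SSH;HTTPS,3311
broad-dmz,permit,dmz,corp-lan,TCP/1-65535,12
"""


def is_broad_service(service):
    """'any'/'all' or an explicit full port range counts as a broad service object."""
    if service.lower() in {"any", "all"}:
        return True
    # catch objects like TCP/1-65535 that are 'any' in disguise
    return service.upper().startswith(("TCP/1-65535", "UDP/1-65535"))


def review_rules(export_text):
    """Return a list of (rule name, finding) tuples.
    Deny rules with zero hits are not flagged: a deny that never fires is expected."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name, action = row["name"], row["action"].lower()
        if row["src"].lower() == "any" and row["dst"].lower() == "any":
            findings.append((name, "source any -> destination any"))
        if action == "permit" and is_broad_service(row["service"]):
            findings.append((name, f"broad service object: {row['service']}"))
        if action == "permit" and int(row["hits"]) == 0:
            findings.append((name, "zero hits this quarter: removal candidate"))
    return findings


if __name__ == "__main__":
    for rule, why in review_rules(SAMPLE_EXPORT):
        print(f"{rule}: {why}")
```

Every rule left unflagged still needs its business justification recorded; the script only shortlists what to remove or narrow.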
Walk the network diagram against switch configs. Verify guest, IoT, voice, and corporate VLANs cannot route to one another except through documented firewall rules. Flat networks expand PCI scope and ransomware blast radius — this is where segmentation drift hides.
Pull the most recent Nessus or Qualys external scan. Any open port without a corresponding firewall justification gets closed or filtered. Pay attention to RDP (3389), SMB (445), and management interfaces exposed externally — these are top ransomware entry points.
Check vendor advisories for FortiGate, Palo Alto, Cisco ASA / Meraki, SonicWall. Apply within the maintenance window with a documented rollback plan. Edge device CVEs are routinely exploited within days of disclosure — quarterly is the floor, not the ceiling.
Detection & Response Posture
Reconcile CrowdStrike / SentinelOne / Defender for Endpoint console against the asset inventory in your RMM and Intune. Servers without an EDR agent are the most common gap — Linux file servers and ESXi hosts especially. Open a ticket per uncovered device.
Confirm threat-intel feeds and signature definitions on the IPS, EDR, and email gateway are current. Auto-update doesn't mean auto-verified — a feed that silently failed two weeks ago is invisible until you check.
Most SOC 2 / PCI / HIPAA programs require an external pen test annually. Check the engagement schedule against the current date — if the next test falls in this quarter, flag it now to give the vendor lead time and the team scope-prep room.
Reach out to the contracted pen test vendor with the current scope: in-scope IP ranges, web apps, social-engineering rules of engagement, blackout windows. Confirm the rules of engagement document is signed before the test starts, not after.
Walk the IR team through a scripted scenario — encrypted file shares discovered Monday morning, backup vendor portal also impacted. Confirm playbook contacts are current (legal, cyber insurance, FBI field office) and the immutable backup chain is reachable from a clean environment.
Pull SEV1 / SEV2 tickets from ServiceNow / Jira / ConnectWise for the last 90 days. Group by root cause — phishing clicks, exposed services, misconfigured permissions. Repeat themes drive next quarter's awareness training and detection-engineering backlog.
Encryption & Key Management
Run an SSL Labs (or internal equivalent) scan against the external-facing hostname list. TLS 1.0/1.1 and weak cipher suites still slip in via legacy load balancers and forgotten subdomains. Cert expiration dates in the next 60 days get renewal tickets opened today.
Pull the BitLocker recovery key inventory from Intune / Entra ID. Every encrypted endpoint must have its recovery key escrowed; a TPM-locked laptop with no escrowed key is a brick during recovery. FileVault PRK escrow on the macOS fleet gets the same treatment.
Use CyberArk / BeyondTrust / Delinea to rotate non-managed service account passwords on the quarterly schedule. Coordinate with the application owners — service accounts hardcoded in legacy app configs will break on rotation if not refreshed first. Document any exceptions with a remediation date.
Check Veeam / Datto / Rubrik for the 3-2-1 chain: at least one immutable copy (object-lock on S3, hardened repository, or air-gapped tape), kept in a separate trust boundary from production. A backup writable from production is a backup ransomware will encrypt alongside the source.
Logging & SIEM Health
For Sentinel / Splunk / QRadar, confirm last-event timestamps for domain controllers, firewalls, EDR, M365 audit, identity provider, and DNS. A source that stopped sending two weeks ago is the SIEM equivalent of a tree falling unwitnessed in a forest.
Per source: file a P1 with the agent / connector owner, document the gap window in the audit log, and note compliance impact (SOC 2 CC7, HIPAA audit controls, PCI 10.x). Do not close the quarterly review until ingestion is restored or the gap is formally accepted by the security owner.
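Ingestion-gap check covering the two items above (last-event timestamps per source, then the gap window to record per silent source), added as an example and not code from Sentinel, Splunk or QRadar. It assumes the last-event timestamps have been exported as ISO 8601 strings; the 24-hour silence threshold and the sample data are assumptions for this example.

```python
"""Flag SIEM log sources that have gone silent and compute the gap window to
record in the audit log.

Assumptions: last-event timestamps per source exported as ISO 8601 strings
(constructed sample below); a source is silent when its last event is older
than MAX_SILENCE_HOURS. Expected sources are the ones the checklist names.
"""
from datetime import datetime, timedelta, timezone

MAX_SILENCE_HOURS = 24  # assumed threshold; tune per source volume

EXPECTED_SOURCES = {
    "domain-controllers", "firewalls", "edr", "m365-audit",
    "identity-provider", "dns",
}

SAMPLE_LAST_EVENT = {  # constructed sample, not real SIEM data
    "domain-controllers": "2024-03-31T23:58:00Z",
    "firewalls": "2024-03-31T23:59:30Z",
    "edr": "2024-03-17T04:12:00Z",  # silent for two weeks
    "m365-audit": "2024-03-31T22:40:00Z",
    "identity-provider": "2024-03-31T23:50:00Z",
    # "dns" missing entirely: connector never reported
}


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def silent_sources(last_event, now, max_silence_hours=MAX_SILENCE_HOURS):
    """Return {source: {"last_seen": ts or None, "gap_hours": float or None}}
    for every expected source that is missing or older than the threshold."""
    threshold = timedelta(hours=max_silence_hours)
    gaps = {}
    for src in sorted(EXPECTED_SOURCES):
        ts = last_event.get(src)
        if ts is None:
            gaps[src] = {"last_seen": None, "gap_hours": None}
            continue
        age = now - parse_ts(ts)
        if age > threshold:
            gaps[src] = {"last_seen": ts, "gap_hours": round(age.total_seconds() / 3600, 1)}
    return gaps


if __name__ == "__main__":
    review_time = datetime(2024, 4, 1, 0, 0, tzinfo=timezone.utc)
    for src, g in silent_sources(SAMPLE_LAST_EVENT, review_time).items():
        if g["last_seen"] is None:
            print(f"{src}: no events received; open P1 with connector owner")
        else:
            print(f"{src}: silent since {g['last_seen']} ({g['gap_hours']} h gap); open P1, record gap window")
```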
Pull rule-trigger metrics for the last 90 days. Rules firing more than ~20 times per week without a real incident drive analyst fatigue and missed real alerts. Tune thresholds, add suppression for known-benign sources, or retire rules with documented justification.
Trigger a synthetic SEV1 alert and confirm the page lands on the current on-call rotation in PagerDuty / Opsgenie. Verify escalation policy walks to the secondary if the primary doesn't ack within the SLA. Stale rotations and disabled phone numbers are common silent failures.
Compile findings, remediation tickets opened, exceptions accepted, and metric trends quarter-over-quarter. Share with the IT director and security stakeholders; archive in IT Glue / Hudu / Confluence for the next SOC 2 evidence pull.
