// Controls Desk
The Controls Desk.
One control per page. Each one drawn from regulator and framework guidance — NCSC, NIST, CIS, CISA, ACSC, ISO, MITRE — and pinned to the named incidents in the catalogue the control would have changed the outcome of. Sorted by ease against impact, with the quick wins first. Vendor-neutral by policy.
- Phishing-resistant MFA on every privileged account
  Hardware keys or platform authenticators on admin, cloud-root, HR-system, CRM and customer-data accounts. SMS one-time codes do not count as MFA against a serious adversary.
- Quarterly tested backup restores, with the recovery clock measured
  Backups exist at most large organisations. Tested restores do not. The single difference between a six-day outage and a six-hour outage is whether the runbook has actually been run.
- Disable LLMNR, NetBIOS-NS and mDNS on Windows networks
  Three legacy name-resolution protocols on Windows let any attacker on the LAN poison hostname lookups and harvest hashes from any user who mistypes a server name. Disable them.
- Block Office macros from any document originating outside the organisation
  VBA macros in inbound Office documents have been the preferred ransomware delivery vehicle for a decade. Microsoft now blocks them by default. Reverse the default at your peril.
- Set DMARC to p=reject, with DKIM and SPF aligned
  A reject-policy DMARC record stops attackers spoofing your domain to your suppliers, customers and staff. The configuration is free and the regulators are unanimous.
- Protective DNS — block command-and-control and known-bad domains at the resolver
  Almost every modern intrusion phones home over DNS. A protective resolver that blocks known-bad domains breaks the chain after initial access, often before the operator notices.
- Patch internet-facing services within 14 days of disclosure
  Every system that answers an unsolicited connection from the internet is patched inside fourteen days of vendor disclosure. The clock starts at disclosure, not at the next scheduled change window.
- Workload-based segmentation so a single intrusion can't spread laterally
  A flat workload network is one bad day from a NotPetya. Workload-level policy enforcement — identity-aware, application-aware — is the single biggest blast-radius limit in the catalogue.
- Active Directory tier-0 hardening — protected accounts, no SPNs on privileged users, monitored sensitive groups
  AD remains the highest-blast-radius identity tier in most enterprises. A small set of hardening configurations turns the most reliable lateral-movement playbooks into observable, blockable failures.
- Application allowlisting on high-value endpoints
  On a server, on a privileged-access workstation, on a SCADA controller, the answer to 'what should run here' is finite, knowable and short. Allowlist it. Block everything else.
- Centralised log collection with bulk-export anomaly alerting
  The most common dwell-time signal in the catalogue is a bulk-query or bulk-export pattern that nobody alerted on. Collect the logs, retain them, and alert on those patterns while they are happening.
- Maintain a critical-third-party register, with exit plans for each
  Most large breaches start at a vendor you wouldn't have called critical. Maintain a register of who can hurt you, what data they hold, and how you survive when they fail.
- Just-in-time privilege elevation, not standing admin
  Standing admin rights on a privileged account give the attacker the same window the legitimate admin has. Just-in-time elevation collapses that window to minutes.
- Privileged Access Workstations for tier-0 administration
  Domain admins and cloud-tenant root holders should not be checking email and administering the directory from the same laptop. Separate the device, separate the trust tier.