Check out this lively discussion between Dave Kawula, Cristal Kawula, and John O’Neil Sr. where they share essential hacks every System Administrator should know. From how to increase the efficiency of your enterprise infrastructure to automation capabilities within the systems you use.

You’ll be able to gain:

  • Actionable tips and tricks you can bring into your workplace – and make yourself the next Satya Nadella (of our organization – you can’t have it all)
  • Real-life examples of how these MVPs hacked their way to success
  • A few good quips from the speakers and a chance to ask them hard-hitting questions

With 17 MVP awards split between the three – this is a no holds barred opportunity to get to the root of success.

Dave Kawula, Cristal Kawula, John O’Neill Sr.

Dave Kawula, Cristal Kawula, and John O'Neil Sr., three of the best and most knowledgeable Microsoft MVPs, recently collaborated to offer a webinar outlining seven things sysadmins can do to safeguard and keep an eye on the systems they're responsible for. There is a ton of value in this for any sysadmin, so if you have the time, I strongly advise that you watch the entire thing. However, if you're short on time, take the next best action and review these salient elements from that presentation.

1. Have an offline, immutable backup

Attacks from ransomware like Kaseya are on the rise, and businesses that believed they were well-protected are learning otherwise. Kaseya was a particularly terrible one because it simultaneously affected thousands of enterprises and attacked backup targets as well as recovery servers in addition to production systems.

Companies are in a difficult situation when it comes to paying the ransom since, in certain situations, they can't legally do so because doing so would violate anti-terrorism legislation, but they also can't afford to pay because the value of their data is far more than the ransom. (The EU, for example, demonstrates that.)

Make that a triple bind as many businesses believe they cannot afford to put in place the strong defenses that would lessen the likelihood of being hit in the first place.

This brings us to the first piece of advice: having online backups is insufficient because more recent ransomware can also look for and damage online backups, like Kaseya did. You must create backups that are:

  1. Offline, making it more difficult for ransomware to access them
  2. Immutable, making it impossible for the malware to alter the backup
  3. Regular. Set your on-premise backup plan in accordance with how much drift the firm can tolerate in the event of a complete restore

2. Test the speed of restoration before a conflict

Even if a business does pay the ransom in response to a ransomware assault, nothing will immediately return to normal after the payment.

Following an attack, one organization experienced downtime of more than 20 days. That's more than 20 days during which no money was made—basically, money was lost.

The virus managed to access the cloud backups, rendering them unusable. They had on-premise backups, but they were only four months old and their sysadmins had turned on deduplication on their backup appliance.

Nobody ever timed how long a complete recovery and restore would take, and one of their principal restores of the only VM that had the majority of the data they needed took more than 81 hours.

Lesson learned: Deduplication can have a detrimental influence on restoration speeds even though it is great for storage efficiency.

Try a test if you're unsure of the optimal trade-off for your circumstances. Are 81 hours sufficient to restore a backup? What time would be acceptable if not? Set up your backup appliances appropriately.

3. Preventing Alert Overload

Every sysadmin is probably familiar with this scenario: it’s Patch Tuesday and you neglected to put your servers in maintenance mode—is undoubtedly familiar to every sysadmin.

Your phone suddenly starts exploding with several alerts from all over the place in the middle of the night. Receiving alerts from your servers is obviously useful, but occasionally the sheer number of warnings can seem absurd.

Ironically, receiving a high amount of messages can make it easier for you to overlook crucial ones because you become overwhelmed and perceive them all as white noise.

It's crucial to understand that, even while you do want to automate the collection and correlation of alerting, automation is not really the purpose when using Microsoft 365 Defender.

In the end, all of that is done so that us professionals—people with knowledge and training—can rapidly assess the information being offered and choose whether or not to act. The objective is to automate so that the information we do receive is timely and completely connected, not so that we can stop worrying about things.

You can filter that noise with the help of some fantastic Microsoft solutions. Take a look at Azure Sentinel's features, for instance. You can automate wisely with Sentinel, a scalable, cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) system.

4. Purchase AD Connect 2

Here's one for businesses that are set up in a hybrid manner, like Hybrid AD Joined. It's critical that everyone updates to AD Connect 2, which Microsoft just released.

Although you most likely have auto-update for AD Connect enabled, this major version upgrade is not covered by the functionality of auto-upgrade. This one must be completed manually.

And it's crucial to do this since AD Connect depends on SQL Server components, and the components included in 1-point versions are outdated and about to stop receiving maintenance. With the 2.0 release, you receive the 2019 parts. That alone is a compelling argument for completing it as quickly as possible.

Obviously, if you avoid using those outdated, soon-to-be EOL devices, your security will increase.

An added tip: Microsoft has created a superb Office 365 lab kit that covers practically all aspects of contemporary desktops. It is a thorough lab guide that will bring you through a variety of features and scenarios as you set up Endpoint Manager (Intune) and Autopilot.

5. Consider using the Defender 365 Security Suite

These days, Advanced Persistent Threat Protection is a system administrator's best buddy. Traditional antivirus programs are simply insufficient to fend off the malware of today. To help you fight against a threat landscape that is constantly changing, you need sophisticated solutions.

If you don't already have it, you should consider purchasing Advanced Persistent Threat Protection for your servers, endpoints, primary network infrastructure, and cloud providers. In the Microsoft universe, it is currently known as Defender 365 Security Suite.

Launch a project straight away to analyze it. It frequently has the ability to completely halt ransomware attacks. This solution accomplishes what we discussed before with the logs—it gathers information from several sources and combines it into a single alert that empowers IT professionals to take action.

Our firms are better prepared and protected when it comes to anything security-related the faster and more informed we can be.

The best part is that there might not be any additional fees. You might already own it because Microsoft includes a sizable piece of all of it as part of the E5 license bundle. If you have an E3 license, compare the benefits it offers to E5 and do the math; E5 may end up being a better overall value.

6. Enable Cellular Port Protection

As the use of two-factor authentication increases, it's critical to be able to safeguard the second factor, which is frequently the user's smartphone.

Many individuals are unaware that stealing someone's phone number is one technique to potentially obtain personal information.

Although it may seem strange, how many individuals actually include their phone numbers at the bottom of every email they send? That is equivalent to making your phone number widely known. It's not difficult to call your cell phone company to set up a new phone and port your number to it once someone has hacked your account.

People have successfully avoided the MFA by using this technique.

Call your carrier and request that they apply port protection to the phones you control if you want to avoid this. With port protection, a password would need to be provided over the phone in order to change the phone to which a number is assigned.

7. Everyone is a Security Professional

Do you view yourself as a security expert?

Not all system administrators take this role; many of them claim to only handle day-to-day administration and not security policy creation. But that attitude needs to change given the current environment.

Whether you work as a Level 1 help desk representative or the CIO, you have a part to play in security. Help desk specialists are frequently on the front lines when it comes to reducing the threat profile across all devices and enhancing an organization's security.

They should have the power to rectify problems when they come across suspicious software or an administrative account being used on an endpoint, for example, while providing support to a user on their computer.

Teach all sysadmins to be alert for situations when security can be tightened without sacrificing functionality, such as when unnecessary services are activated, end user accounts have access rights they don't require, or server administrator accounts are being utilized for regular daily tasks.


The threat environment of today is severe, especially in terms of ransomware attacks. This article offered seven suggestions that every M365 system administrator can take to reduce the vulnerability of the systems they oversee to attacks and spare the business a lot of time, money, and hassle. Investing in a platform management suite like CoreView is an additional option to strengthen security. Visit to learn more about CoreView and to receive a free security examination.

Ready to Conquer Microsoft 365?

Request a Demo