The SMB Security Audit Checklist (What Actually Matters)

I've done security audits for SMBs for over a decade. Most "audit checklists" out there are either enterprise-focused overkill or generic compliance fluff that misses the stuff that actually gets you breached.

This is the checklist I actually use. It focuses on the 20% of controls that prevent 80% of breaches.

The 80/20 of SMB Security

Let's be honest: most SMBs don't have the budget or staff for a 200-point security assessment. You need to focus on what matters. Here's the reality:

80% of breaches come from phishing, unpatched systems, or weak/stolen credentials
90% of ransomware enters through email or exposed RDP
Most attackers are opportunistic — they go for easy targets, not hard ones

So your audit should focus on closing those easy attack paths first.

1. Network Perimeter

This is where most breaches start. Your internet-facing attack surface needs to be locked down.

Firewall Configuration

Review all inbound rules — can you justify every open port?
Look for "any/any" rules (red flag)
Check for rules older than 2 years that might be stale
Verify default deny is in place for inbound traffic
Review outbound rules — most companies don't filter egress (they should)

Remote Access

RDP exposed to internet? Fix this immediately. This is ransomware bait.
VPN configuration — is MFA required?
Split tunneling — is it enabled? Should it be?
Check for shadow IT remote access tools (TeamViewer, AnyDesk on user machines)

DNS & Web Filtering

DNS filtering in place? (Cloudflare Gateway, Cisco Umbrella, etc.)
Known malware domains blocked?
DNS query logging enabled?

2. Identity & Access Management

Compromised credentials are involved in most breaches. This section is critical.

Admin Accounts

List all Domain Admin accounts — who has them and why?
Are admins using separate admin accounts (not their daily driver)?
When was the last admin password rotation?
Are there service accounts with Domain Admin? (common finding)

MFA Coverage

Email — MFA enabled?
VPN — MFA required?
Cloud admin portals (M365, Azure, AWS) — MFA enforced?
RDP (if used internally) — MFA or network restrictions?

Offboarding

Get a list of terminated employees from HR
Cross-reference with Active Directory — any accounts still enabled?
Check cloud services separately (they're often missed)

3. Endpoint Security

Antivirus/EDR

AV/EDR installed on 100% of endpoints? Or are there gaps?
Definitions current?
Exclusions reviewed? (attackers love hiding in excluded folders)

Patching

OS patch compliance — what percentage are current?
Third-party apps (Adobe, Java, browsers) — often forgotten
Critical CVEs from the last 90 days — are they patched?

Local Admin Rights

Who has local admin on their workstation?
Do they actually need it?
Is LAPS (Local Admin Password Solution) deployed?

4. Backup & Recovery

Backups are your last line of defense against ransomware. They need to work.

3-2-1 rule: 3 copies, 2 different media, 1 offsite
Immutable/air-gapped backup: Do you have one? Ransomware encrypts connected backups.
Last restore test: When? If never, it doesn't count as a backup.
RTO/RPO: Does the business know how long recovery takes?
Backup account security: Separate credentials? Not domain-joined?

5. The Stuff People Always Miss

These are findings I see on almost every audit:

Egress Filtering

Most companies filter what comes IN but not what goes OUT. If malware can't call home, it can't do much damage. Block unnecessary outbound ports.

Network Segmentation

Flat networks are an attacker's dream. If someone compromises a workstation, can they reach the domain controller? The backup server? They shouldn't be able to.

Service Account Hygiene

Service accounts with passwords like "CompanyName2019!" and Domain Admin rights. I see this constantly. Audit them.

DNS Logging

Most companies don't log DNS queries. This is a goldmine for detecting compromise. Turn it on.

Physical Security

Server room unlocked? USB ports enabled on public kiosks? Visitor sign-in logs? Often overlooked.

Common Findings (Every. Single. Time.)

After hundreds of audits, these show up more often than not:

Service accounts with Domain Admin + weak passwords
No egress filtering on the firewall
Backups exist but have never been tested
Former employees with active accounts
"Temporary" firewall rules that are 5 years old
RDP exposed to the internet (still!)
No MFA on VPN
Local admin rights for everyone

Making It Actionable

An audit is useless if it doesn't lead to action. For each finding:

Severity: Critical / High / Medium / Low
Effort: Quick win / Project / Major initiative
Owner: Who's responsible for fixing it?
Deadline: When will it be done?

Start with Critical + Quick Win items. You'll get the most security improvement for the least effort.

Want the Full Checklist?

I've packaged my complete audit checklist into a ready-to-use Excel template with scoring, prioritization, and a professional report format.

Get the Template →

Final Thoughts

Security audits don't have to be complicated. Focus on the basics that actually prevent breaches:

Lock down your perimeter (especially RDP)
Enforce MFA everywhere
Patch your systems
Test your backups
Clean up admin access

Do these well, and you'll be more secure than 90% of SMBs out there.

Questions? Find me on u/Arch0ne or Ionut-Robert Sandu.