// CYBERSECURITY By Amanjot Singh September 14, 2025 8 min read

6 endpoint practices that block ransomware.

Not 50. Six. Each one materially reduces ransomware risk. None of them are exotic. All of them are skipped by most SMBs.

The ransomware-prevention guides on the internet are too long. They are written to demonstrate thoroughness, not to be implemented. Here are the six practices that, in our experience, actually move the needle.

1. MFA on everything

Email, remote access, admin accounts, backup-system access, vendor portals. For admins, use phishing-resistant MFA: a FIDO2 security key or a passkey. A push or TOTP authenticator app is far better than a password alone, but a real-time phishing proxy can relay it, so it does not count as phishing-resistant. The Sophos 2025 Active Adversary Report attributes 41% of root causes to compromised credentials. Microsoft's public telemetry shows MFA blocks over 99% of automated credential attacks. Cheapest, highest-impact control. The check is simple: list every account that can reach email, VPN, remote-management tooling or the backup console without a second factor. The list should be empty.

2. EDR on every endpoint

Not antivirus. EDR, meaning behavioural detection. The 56% of attacks that "logged in instead of breaking in" give signature-based AV nothing to match: a valid credential, then built-in Windows tools. EDR watches what processes do (credential dumping, shadow-copy deletion, mass file renames, unusual remote sessions) and can isolate the host while someone looks. Turn tamper protection on, because disabling the EDR agent is an early step in most intrusions, and alert on agents that go silent. Add MDR for 24/7 monitoring if you do not have on-call staff to act on alerts; an alert nobody answers at 02:00 is the same as no alert.

3. Patch on a documented cadence

Windows updates within 14 days of Patch Tuesday. Critical CVEs on internet-facing systems (VPN and firewall appliances, mail gateways, remote-access tools) the same week. Third-party software (Chrome, Adobe, Java where relevant) on the same cadence. Firmware on edge devices counts too: the Sophos 2025 case studies include a customer breached three times in 14 months via a VPN with 14-year-old firmware. Patches existed; nobody applied them.
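To make "within 14 days of Patch Tuesday" something you can actually measure, here is an added example (ours for this article, not 4UIT's onboarding tooling) that works out the most recent Patch Tuesday, the deadline the cadence implies, and whether the endpoint it runs on has installed anything since. The 14-day grace period is the figure from the text; everything else is queried live from the machine.

```powershell
# Added example: is this Windows endpoint inside the 14-day patch window?
# Assumes the cadence from the post (Patch Tuesday + 14 days). Run in PowerShell 5.1 or later.

function Get-PatchTuesday {
    # Most recent second Tuesday on or before $Date (defaults to now).
    param([datetime]$Date = (Get-Date))
    $first = Get-Date -Year $Date.Year -Month $Date.Month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    # Days from the 1st to the first Tuesday, then one more week for the second Tuesday.
    $toTuesday = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $second = $first.AddDays($toTuesday + 7)
    if ($second -gt $Date) {
        # This month's Patch Tuesday has not happened yet, so last month's is the current one.
        return Get-PatchTuesday -Date $first.AddDays(-1)
    }
    return $second
}

function Test-PatchCadence {
    param(
        [int]$GraceDays = 14,          # the post's cadence for most systems
        [datetime]$Now = (Get-Date)
    )
    $patchTuesday = Get-PatchTuesday -Date $Now
    $deadline     = $patchTuesday.AddDays($GraceDays)

    # Get-HotFix reads Win32_QuickFixEngineering. It lists cumulative and security updates but
    # not every update type (no Defender definitions, no Store apps), so treat it as a floor,
    # not as proof that the machine is fully current.
    $last = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $installedOn = if ($last) { [datetime]$last.InstalledOn } else { $null }
    $isCurrent   = [bool]($installedOn -and ($installedOn -ge $patchTuesday))

    if ($isCurrent)              { $status = 'Current' }
    elseif ($Now -le $deadline)  { $status = 'PendingWithinWindow' }
    else                         { $status = 'OVERDUE' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PatchTuesday    = $patchTuesday.ToString('yyyy-MM-dd')
        Deadline        = $deadline.ToString('yyyy-MM-dd')
        LastHotFix      = if ($last) { $last.HotFixID } else { 'none' }
        LastInstalledOn = if ($installedOn) { $installedOn.ToString('yyyy-MM-dd') } else { 'unknown' }
        Status          = $status
    }
}

Test-PatchCadence | Format-List
```

Run it across the fleet from your RMM and you get a per-machine OVERDUE list rather than a feeling that patching is "mostly fine". For the internet-facing same-week rule, the equivalent check lives on the appliance, not in Windows; there is no substitute for reading the vendor's advisory feed.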

4. Remove local admin rights

Standard-user accounts for daily work; a separate admin account (with MFA) for elevation. Ransomware running as a standard user can still encrypt the files that user can write, but without admin it cannot disable EDR, delete volume shadow copies, dump credentials or push itself to other machines, and that is what turns one infected laptop into a domain-wide event. It also stops the casual install of trojanised software. Operationally: use Windows LAPS so every machine has a unique, automatically rotated local-admin password; one captured password should not open every endpoint.

5. Disable unneeded services

RDP exposed to the internet: disable it, or put it behind a VPN with MFA and require Network Level Authentication. SMBv1: disabled. PowerShell: do not rely on execution policy, which is a convenience setting, not a security boundary (any user can pass -ExecutionPolicy Bypass); instead remove the PowerShell 2.0 engine, turn on script block logging, and use Constrained Language Mode where your allowlisting tooling (AppLocker or WDAC) supports it. Office macros from internet-sourced files: Microsoft now blocks them by default; enforce the block by policy so a user cannot unblock the file and run it anyway. Each of these has been the proximate cause of major SMB ransomware events in the last 24 months.
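Items 4 and 5 are all things a Group Policy can set and then quietly drift away from. Below is an added example, written for this article rather than taken from 4UIT's onboarding, that audits one endpoint read-only against both items. The registry paths are the documented policy locations; the Windows LAPS key and the approved-admin list are assumptions you should adjust for your environment.

```powershell
# Added example (not 4UIT's own tooling): read-only audit of items 4 and 5 on a single
# Windows 10/11 endpoint. Run from an elevated PowerShell 5.1+ session on the machine itself.
# $ApprovedAdmins is an assumed allow-list; the LAPS key path is an assumption (see comment).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-OptionalFeatureState {
    param([string]$FeatureName)
    try { "$((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction Stop).State)" }
    catch { 'Unknown' }
}

function New-Check {
    param([string]$Check, [string]$Expected, $Actual, [bool]$Pass)
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = "$Actual"; Pass = $Pass }
}

function Test-EndpointHardening {
    param([string[]]$ApprovedAdmins = @('Administrator', 'Domain Admins'))   # assumption
    $results = @()

    # Item 4: anyone in local Administrators beyond the approved list is a finding.
    try {
        $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object { ($_.Name -split '\\')[-1] })
    } catch { $members = @('<query failed>') }
    $extra = @($members | Where-Object { $_ -notin $ApprovedAdmins })
    $results += New-Check 'Local Administrators membership' ($ApprovedAdmins -join ', ') ($members -join ', ') ($extra.Count -eq 0)

    # Item 4: Windows LAPS. BackupDirectory 1 = Entra ID, 2 = Active Directory. This is where the
    # LAPS policy lands via GPO/CSP in our experience; confirm the path in your own tenant/domain.
    $laps = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' 'BackupDirectory'
    $results += New-Check 'Windows LAPS backup directory' '1 or 2' $laps ($laps -in 1, 2)

    # Item 5: SMBv1 should be off both as a server setting and as an optional feature.
    $smb1     = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $smb1Feat = Get-OptionalFeatureState 'SMB1Protocol'
    $results += New-Check 'SMBv1 server protocol' 'False' $smb1 (-not $smb1)
    $results += New-Check 'SMB1Protocol optional feature' 'Disabled' $smb1Feat ($smb1Feat -eq 'Disabled')

    # Item 5: RDP either disabled, or enabled with Network Level Authentication. Whether the port
    # is reachable from the internet is a perimeter question this host-side check cannot answer.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpDisabled = (Get-RegValue $ts 'fDenyTSConnections') -eq 1
    $nla         = (Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1
    $results += New-Check 'RDP disabled or NLA required' 'True' "disabled=$rdpDisabled nla=$nla" ($rdpDisabled -or $nla)

    # Item 5: PowerShell. Remove the v2 engine (no script block logging, no AMSI) and log script
    # blocks. Execution policy is deliberately not checked: it is not a security boundary.
    $psv2 = Get-OptionalFeatureState 'MicrosoftWindowsPowerShellV2Root'
    $results += New-Check 'PowerShell v2 engine' 'Disabled' $psv2 ($psv2 -eq 'Disabled')
    $sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    $results += New-Check 'Script block logging' '1' $sbl ($sbl -eq 1)

    # Item 5: macros from internet-sourced files blocked by policy. This is a per-user (HKCU)
    # policy, so the result reflects whichever account runs the audit, not every user on the box.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $v = Get-RegValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" 'blockcontentexecutionfrominternet'
        $results += New-Check "$app macros from internet blocked by policy" '1' $v ($v -eq 1)
    }
    return $results
}

Test-EndpointHardening | Format-Table -AutoSize
```

A failed check is a drifted policy, a machine that never got the GPO, or an admin who "temporarily" re-enabled something. All three are worth knowing about before an attacker finds them.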

6. Backups the attacker cannot reach

Immutable, air-gapped, or both. Object-lock cloud storage, configured so the backup credentials themselves cannot shorten the retention. Backup credentials separate from production credentials: the backup console must not accept a domain login, and the backup service account must not be a domain admin. Restore-tested monthly, into a clean location, against a checksum taken at backup time, because a backup that exists is not the same as a backup that restores. Without immutable backup, an attacker with domain admin finds and destroys your backups before encrypting; that is a standard step in the playbook, not an edge case.
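"Restore-tested monthly" needs something to test against. The following added example (ours for this post, not 4UIT's procedure, and independent of any backup product) records a SHA-256 manifest of the protected tree at backup time and later compares a restored copy against it, reporting files that are missing or whose contents changed. The sample files are constructed inline so it runs offline; point -Root at real data and keep the manifest alongside the immutable copy.

```powershell
# Added example (not 4UIT's own process): product-agnostic restore drill using a hash manifest.
# Sample data below is constructed for the demo. Windows PowerShell 5.1 or later.

function New-BackupManifest {
    # Taken at backup time: relative path, size and SHA-256 of every file under $Root.
    param([string]$Root, [string]$ManifestPath)
    $rows = @(Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Root.Length).TrimStart('\', '/')
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    })
    $rows | Export-Csv -Path $ManifestPath -NoTypeInformation
    return $rows.Count
}

function Test-Restore {
    # Run at drill time against a restore into a clean directory, never over production.
    param([string]$RestoredRoot, [string]$ManifestPath)
    $expected = @(Import-Csv -Path $ManifestPath)
    $missing = @(); $corrupt = @()
    foreach ($row in $expected) {
        $path = Join-Path $RestoredRoot $row.RelativePath
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $missing += $row.RelativePath; continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $row.SHA256) { $corrupt += $row.RelativePath }
    }
    [pscustomobject]@{
        Expected = $expected.Count
        Missing  = $missing
        Corrupt  = $corrupt
        Pass     = ($missing.Count -eq 0 -and $corrupt.Count -eq 0)
    }
}

# --- constructed demo data: a tiny "production" tree, a manifest, and a deliberately bad restore ---
$work     = Join-Path ([IO.Path]::GetTempPath()) ('restore-drill-' + [guid]::NewGuid())
$source   = Join-Path $work 'source'
$restored = Join-Path $work 'restored'
$manifest = Join-Path $work 'manifest.csv'
New-Item -ItemType Directory -Path (Join-Path $source 'finance') -Force | Out-Null
Set-Content -Path (Join-Path $source 'finance\ledger.csv') -Value 'id,amount', '1,100'
Set-Content -Path (Join-Path $source 'readme.txt') -Value 'constructed sample'

$fileCount = New-BackupManifest -Root $source -ManifestPath $manifest
Copy-Item -Path $source -Destination $restored -Recurse

# Simulate a restore that looks fine at a glance: one file silently altered, one file missing.
Set-Content -Path (Join-Path $restored 'readme.txt') -Value 'tampered'
Remove-Item -Path (Join-Path $restored 'finance\ledger.csv')

$result = Test-Restore -RestoredRoot $restored -ManifestPath $manifest
"Manifest covered $fileCount files"
$result | Format-List
Remove-Item -Path $work -Recurse -Force
```

In the demo the drill fails with one missing and one corrupt file, which is exactly what a monthly test exists to surface. The manifest is only trustworthy if it is stored where an attacker with domain admin cannot rewrite it, so it belongs with the immutable copy, not on the file server it describes.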

What we do not include in the six

Application allowlisting (operationally heavy for typical SMBs). Network segmentation (high-value but harder to retrofit). Decoy/honeypot tooling (specialised). USB-device control (depends on threat model). All of these are valuable in the right context — but the six above carry most of the protection for most SMBs.

What 4UIT builds

The standard onboarding checklist deploys all six within 60 days: MFA enforced, Sophos Intercept X EDR on every endpoint, Windows Update for Business with documented cadence, local admin removed (LAPS managing the residual), services hardened by Group Policy, immutable backup with monthly restore drill. Customers who deploy this rarely see ransomware progress past initial access.

More on our EDR/XDR offering or talk to us.

Sources: Sophos 2025 Active Adversary Report.

// Frequently asked questions

What is the single most effective ransomware control?

MFA on every privileged account, including remote access. Per Sophos' 2025 Active Adversary Report, compromised credentials caused 41% of analysed cases. Microsoft's public telemetry has consistently shown MFA blocks over 99% of automated credential attacks.

Should we remove local admin rights?

Yes. Ransomware running as a standard user can encrypt that user's files, but it needs admin to disable EDR, delete shadow copies, harvest credentials and spread. Standard-user-by-default with a separate admin account for elevation cuts the impact of a single user click dramatically.

Do we need EDR if we have MFA and patching?

Yes. MFA stops credential abuse; patching closes known holes; EDR detects what gets through anyway. They are complementary, not alternatives.

How often should Windows be patched?

Microsoft releases patches on the second Tuesday of each month (Patch Tuesday). Out-of-band patches arrive for critical issues. We apply within 14 days of release for most systems, same-week for critical CVEs on internet-facing systems.

What is application allowlisting?

A control that only permits known-approved executables to run; everything else is blocked by default. Strong protection against ransomware payloads but operationally heavy. Suitable for high-risk environments (healthcare clinical workstations, finance) more than typical office use.
