
The Security Baseline Every MSP Should Run on Day One of Client Onboarding

Most MSPs onboard new clients without a standardized security assessment. Here is the Day One security baseline checklist that protects you and your client from inherited risk.

Nuronus Team | May 7, 2026 | 10 min read

You Are Inheriting Every Security Problem the Last IT Provider Left Behind

Every time you onboard a new MSP client, you are taking ownership of an environment you did not build. That environment has users with weak passwords, admin accounts that should have been disabled years ago, unpatched systems, and security configurations that range from "mostly fine" to "actively dangerous."

Most MSPs onboard clients by deploying their RMM agent, setting up monitoring, and moving on. The security assessment happens later, if it happens at all. By then you have already taken responsibility for an environment you do not fully understand.

This is how MSPs get burned. A client gets breached in the first 90 days, and the finger points at you because you are now the IT provider. The breach was caused by a problem that existed before you showed up, but nobody documented the state of things when you took over.

The fix is a standardized Day One security baseline that you run for every new client before you do anything else. Here is what it should include.


The Day One Security Baseline Checklist

1. Identity and Access Audit

This is the single most important thing to check on Day One. Most breaches start with a valid credential rather than an exploit, and most of those credentials were exposed by poor access hygiene: no MFA, stale accounts nobody owns, and more admins than anyone can name.

What to check:

  • **All user accounts:** Get a full list of every account in Active Directory, Microsoft 365, or Google Workspace. Compare it against the client's actual employee roster. Look for accounts that do not match any current employee.
  • **Admin accounts:** Identify every account with administrative privileges. There should be very few. If you find 10 admin accounts for a 20 person company, that is a problem.
  • **MFA status:** Check which accounts have MFA registered and enforced, and which do not. Every interactive account should have MFA, admins first. The only defensible exceptions are documented break-glass accounts, and those need long random passwords stored offline and alerting on any sign-in.
  • **Dormant accounts:** Flag any enabled account that has not signed in within the last 45 days, and treat accounts with no sign-in on record the same way. These are attack surface you can eliminate immediately. Caveat: in Active Directory, lastLogonTimestamp is replicated lazily and can lag by up to 14 days, so confirm against the sign-in logs before disabling anything.
  • **Shared accounts:** Identify any accounts being shared between multiple people. Each person should have their own credentials.
  • **Service accounts:** Document any service accounts, what they are used for, and whether they have excessive permissions.
  • **Former employee accounts:** Cross-reference with HR. Any account belonging to someone who no longer works there should be disabled immediately.

What to document: Screenshot of admin account list, MFA adoption percentage, dormant account count, and any shared or orphaned accounts found.
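The roster cross-check, dormancy test and admin/MFA checks above can be scripted once you have an account export. The block below is an added example, not code from this post or from Nuronus. It runs offline on a constructed sample export whose fields (UPN, enabled flag, last sign-in, directory roles held, MFA registration) are assumed to mirror what you would pull from Entra ID or Active Directory, and it produces the admin list, MFA adoption percentage, dormant count and orphaned-account list that the "what to document" line asks for. The HR roster and the service-account list are assumptions a real run would take from the client.

```python
from datetime import datetime, timedelta, timezone

# Reference time for the audit and the dormancy threshold from the checklist.
NOW = datetime(2026, 5, 7, tzinfo=timezone.utc)
DORMANT_DAYS = 45

# Constructed sample export (not real tenant data). The field names are an
# assumption: UPN, enabled flag, last interactive sign-in, roles, MFA state.
ACCOUNTS = [
    {"upn": "alice@example.com", "enabled": True, "last_sign_in": "2026-05-06T08:12:00Z",
     "roles": ["Global Administrator"], "mfa_registered": True},
    {"upn": "bob@example.com", "enabled": True, "last_sign_in": "2026-04-30T17:40:00Z",
     "roles": [], "mfa_registered": True},
    {"upn": "carol@example.com", "enabled": True, "last_sign_in": "2026-01-15T09:05:00Z",
     "roles": [], "mfa_registered": False},
    {"upn": "dave@example.com", "enabled": True, "last_sign_in": "2025-11-02T11:30:00Z",
     "roles": ["Exchange Administrator"], "mfa_registered": False},
    {"upn": "reception@example.com", "enabled": True, "last_sign_in": "2026-05-05T07:55:00Z",
     "roles": [], "mfa_registered": True},
    {"upn": "svc-backup@example.com", "enabled": True, "last_sign_in": None,
     "roles": [], "mfa_registered": False},
    {"upn": "erin@example.com", "enabled": False, "last_sign_in": "2024-08-20T10:00:00Z",
     "roles": [], "mfa_registered": False},
]

# Current employees from HR, and accounts the client confirms are service accounts
# (both constructed for this example).
HR_ROSTER = {"alice@example.com", "bob@example.com", "carol@example.com"}
SERVICE_ACCOUNTS = {"svc-backup@example.com"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; None means no sign-in on record."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_identities(accounts, roster, service_accounts, now=NOW, dormant_days=DORMANT_DAYS):
    """Return (findings, summary) for the Day One identity checks.

    Disabled accounts are skipped: they are already off the attack surface.
    Service accounts are excluded from the dormancy and roster checks (they
    rarely sign in interactively) and listed separately for permission review.
    Caveat: AD lastLogonTimestamp can lag replication by up to 14 days, so a
    'dormant' hit is a lead to confirm against sign-in logs, not a verdict.
    """
    cutoff = now - timedelta(days=dormant_days)
    findings = []
    enabled_humans = []
    for acct in accounts:
        upn = acct["upn"]
        if not acct["enabled"]:
            continue
        if upn in service_accounts:
            findings.append(("service_account_review", upn))
            continue
        enabled_humans.append(acct)
        last = parse_ts(acct["last_sign_in"])
        is_dormant = last is None or last < cutoff
        if upn not in roster:
            # Not a current employee: either an ex-staff account nobody
            # disabled, or a shared login such as a front-desk mailbox.
            findings.append(("orphaned_or_shared", upn))
        if is_dormant:
            findings.append(("dormant", upn))
        if acct["roles"]:
            if not acct["mfa_registered"]:
                findings.append(("admin_without_mfa", upn))
            if is_dormant:
                findings.append(("dormant_admin", upn))
    with_mfa = sum(1 for a in enabled_humans if a["mfa_registered"])
    summary = {
        "enabled_accounts": len(enabled_humans),
        "admin_accounts": [a["upn"] for a in enabled_humans if a["roles"]],
        "mfa_adoption_pct": round(100 * with_mfa / len(enabled_humans), 1) if enabled_humans else 0.0,
        "dormant_count": sum(1 for kind, _ in findings if kind == "dormant"),
        "orphaned_or_shared": [upn for kind, upn in findings if kind == "orphaned_or_shared"],
    }
    return findings, summary


if __name__ == "__main__":
    found, report = audit_identities(ACCOUNTS, HR_ROSTER, SERVICE_ACCOUNTS)
    for kind, upn in found:
        print(f"{kind:24} {upn}")
    print(report)
```

On the sample data the script reports two admins, 60% MFA adoption, two dormant accounts, and two accounts that match no employee (one of them a dormant Exchange admin with no MFA, which is exactly the finding you want on paper before you touch anything).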

2. Endpoint Security Assessment

What to check:

  • **Antivirus/EDR coverage:** Is there endpoint protection on every device? What product? Is it current? Is tamper protection enabled?
  • **Operating system versions:** Are all devices running supported operating systems? Flag any Windows 10 machines (out of support since October 2025 unless enrolled in Extended Security Updates), any Server 2012/2012 R2 (out of support since October 2023) or Server 2016 (extended support ends January 2027) instances, and any macOS version that is no longer receiving security updates (Apple generally patches only the current release and the two before it).
  • **Patch status:** When was the last time patches were applied? Are there critical patches outstanding? How many days behind is the average device?
  • **Encryption:** Is disk encryption (BitLocker or FileVault) enabled on every endpoint? Is it enforced or optional?
  • **Device inventory:** Count every device. Laptops, desktops, servers, mobile devices. Compare against what the client thinks they have. There are always surprises.

What to document: Device count, OS version distribution, patch compliance percentage, encryption coverage, and EDR deployment status.

3. Email Security Review

What to check:

  • **SPF, DKIM, DMARC records:** Are they configured? Is DMARC set to enforce (quarantine or reject) or just monitoring (none)?
  • **Mail flow rules:** Review both tenant-level transport rules and per-mailbox inbox rules. Look for rules that forward or redirect copies of email to external addresses, especially ones with a throwaway name (a single period or letter) that also delete the original. That is the classic footprint of a previous business email compromise.
  • **External forwarding:** Is auto-forwarding to external domains allowed at the tenant level? In Exchange Online this is governed by the outbound spam filter policy; in Google Workspace, by the Gmail forwarding controls in the admin console.
  • **Spam filtering:** What is in place? Default Exchange Online Protection, or an additional layer like Defender for Office 365?
  • **Phishing simulation history:** Has anyone ever run a phishing simulation? What were the click rates?

What to document: DMARC policy status, any suspicious mail flow rules found, external forwarding configuration, and spam filter product in use.
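The DNS and forwarding checks above can be graded mechanically. The block below is an added example, not code from this post or from Nuronus. It grades SPF and DMARC records passed in as strings (constructed records here, so no live DNS lookups) and flags forwarding rules that leave the client's own domains, using a constructed rule list normalised from inbox and transport rules into one shape. The domain list, rule fields and traffic-light colours are assumptions for illustration; the SPF lookup limit of 10 and the DMARC tag names are from the RFCs.

```python
import re

# Domains the client owns; anything else counts as external. Constructed.
INTERNAL_DOMAINS = {"example.com"}

# Constructed TXT records, as a resolver would hand them back (no live DNS).
SPF_TXT = "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all"
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"

# Constructed forwarding rules: per-mailbox inbox rules and tenant-level
# transport rules, normalised to the same (assumed) shape.
FORWARDING_RULES = [
    {"scope": "mailbox", "owner": "cfo@example.com", "name": ".",
     "forward_to": ["cfo.archive@gmail.com"], "delete_after": True},
    {"scope": "mailbox", "owner": "alice@example.com", "name": "Vendor invoices",
     "forward_to": ["ap@example.com"], "delete_after": False},
    {"scope": "tenant", "owner": None, "name": "Copy to legal",
     "forward_to": ["legal-hold@example.com"], "delete_after": False},
]

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TOKEN = re.compile(r"[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)


def assess_spf(txt):
    """Grade an SPF record by its 'all' qualifier and its DNS-lookup count."""
    tokens = txt.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return {"present": False, "status": "red", "qualifier": None,
                "lookups": 0, "detail": "no SPF record"}
    qualifier = None
    for tok in tokens[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", tok, re.I)
        if m:
            qualifier = m.group(1) or "+"
    lookups = sum(1 for tok in tokens[1:] if LOOKUP_TOKEN.match(tok))
    status, detail = {
        "-": ("green", "hard fail (-all)"),
        "~": ("yellow", "softfail (~all): spoofed mail is marked, not rejected"),
        "?": ("yellow", "neutral (?all): SPF makes no statement"),
        "+": ("red", "+all authorises any sender on earth"),
    }.get(qualifier, ("yellow", "no 'all' mechanism: implicit neutral"))
    if lookups > 10:
        status, detail = "red", f"{lookups} DNS lookups exceeds the limit of 10 (permerror)"
    return {"present": True, "status": status, "qualifier": qualifier,
            "lookups": lookups, "detail": detail}


def assess_dmarc(txt):
    """Grade a DMARC record: enforcing vs monitoring, pct coverage, reporting."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return {"present": False, "status": "red", "policy": None, "detail": "no DMARC record"}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if policy in ("quarantine", "reject") and pct == 100:
        status, detail = "green", f"enforcing (p={policy})"
    elif policy in ("quarantine", "reject"):
        status, detail = "yellow", f"p={policy} applies to only pct={pct}% of mail"
    elif policy == "none":
        status, detail = "yellow", "monitoring only (p=none): nothing is quarantined or rejected"
    else:
        status, detail = "red", "invalid or missing p= tag"
    if "rua" not in tags:
        detail += "; no rua= address, so nobody receives aggregate reports"
    return {"present": True, "status": status, "policy": policy, "pct": pct,
            "subdomain_policy": tags.get("sp", policy).lower(), "detail": detail}


def external_forwards(rules, internal_domains):
    """Flag any rule that sends mail outside the client's own domains."""
    flagged = []
    for rule in rules:
        external = [addr for addr in rule["forward_to"]
                    if addr.rsplit("@", 1)[-1].lower() not in internal_domains]
        if external:
            # Forward-and-delete under a throwaway name is the classic
            # business email compromise footprint; surface it explicitly.
            flagged.append({"scope": rule["scope"], "owner": rule["owner"], "name": rule["name"],
                            "external": external, "deletes_copy": rule["delete_after"]})
    return flagged


if __name__ == "__main__":
    print(assess_spf(SPF_TXT))
    print(assess_dmarc(DMARC_TXT))
    for hit in external_forwards(FORWARDING_RULES, INTERNAL_DOMAINS):
        print("external forward:", hit)
```

On the sample records this grades SPF yellow (softfail), DMARC yellow (p=none, monitoring only) and surfaces one external forward: the CFO's mailbox silently copying mail to a Gmail address and deleting the original, which belongs in the report as a red finding and a prompt to check the sign-in logs for that mailbox.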

4. Network and Firewall Review

What to check:

  • **Firewall rules:** Review the ruleset. Look for overly permissive rules (any-any), rules that have been in place for years with no documentation, and ports that should not be open to the internet.
  • **Remote access:** How are people connecting remotely? VPN, RDP, RMM? Is RDP exposed directly to the internet? (If yes, this is a critical finding.)
  • **Network segmentation:** Is the guest WiFi on the same network as the production environment? Are IoT devices segregated?
  • **DNS filtering:** Is there any DNS-level filtering in place to block known malicious domains?

What to document: Open ports, remote access methods, segmentation status, and any critical findings like exposed RDP.
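The ruleset review above is the same handful of questions asked of every rule, which makes it worth scripting. The block below is an added example, not code from this post or from Nuronus. It triages a constructed, vendor-neutral ruleset (the field names are an assumption; a real run would map them from the firewall's export) and flags inbound any-any rules, high-risk services such as RDP open to any source, unrestricted egress, and undocumented rules that have not changed in two years. The list of high-risk ports and the two-year threshold are assumptions for illustration.

```python
from datetime import date

TODAY = date(2026, 5, 7)
STALE_AFTER_DAYS = 730  # undocumented rules older than this get flagged (assumed threshold)

# Services that should never be reachable from the internet. Assumed list.
HIGH_RISK_INBOUND = {3389: "RDP", 445: "SMB", 23: "Telnet", 21: "FTP", 5900: "VNC", 1433: "MSSQL"}

# Constructed ruleset in a vendor-neutral shape (not a real firewall export).
RULES = [
    {"id": 1, "dir": "inbound", "src": "any", "dst": "10.0.0.10", "proto": "tcp",
     "ports": [3389], "action": "allow", "comment": "", "created": date(2019, 3, 4)},
    {"id": 2, "dir": "inbound", "src": "any", "dst": "any", "proto": "any",
     "ports": ["any"], "action": "allow", "comment": "temp for vendor", "created": date(2021, 8, 12)},
    {"id": 3, "dir": "inbound", "src": "203.0.113.0/24", "dst": "10.0.0.20", "proto": "tcp",
     "ports": [443], "action": "allow", "comment": "Customer portal, ticket 4412", "created": date(2025, 2, 1)},
    {"id": 4, "dir": "inbound", "src": "any", "dst": "10.0.0.30", "proto": "tcp",
     "ports": [443], "action": "allow", "comment": "", "created": date(2018, 6, 30)},
    {"id": 5, "dir": "outbound", "src": "10.0.0.0/24", "dst": "any", "proto": "any",
     "ports": ["any"], "action": "allow", "comment": "default egress", "created": date(2018, 6, 30)},
    {"id": 6, "dir": "inbound", "src": "any", "dst": "any", "proto": "any",
     "ports": ["any"], "action": "deny", "comment": "cleanup", "created": date(2018, 6, 30)},
]


def triage_rules(rules, today=TODAY):
    """Return findings as dicts {rule, severity, issue, detail}, most severe first."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules are not exposure
        from_any = r["src"] == "any"
        all_ports = "any" in r["ports"]
        if r["dir"] == "inbound" and from_any and r["dst"] == "any" and all_ports:
            findings.append({"rule": r["id"], "severity": "red", "issue": "any_any",
                             "detail": "inbound allow any->any on all ports"})
        elif r["dir"] == "inbound" and from_any:
            for port in r["ports"]:
                if port in HIGH_RISK_INBOUND:
                    findings.append({"rule": r["id"], "severity": "red", "issue": "exposed_service",
                                     "detail": f"{HIGH_RISK_INBOUND[port]} ({r['proto']}/{port}) open to the internet"})
        if r["dir"] == "outbound" and r["dst"] == "any" and all_ports:
            findings.append({"rule": r["id"], "severity": "yellow", "issue": "unrestricted_egress",
                             "detail": "all outbound traffic permitted; C2 and exfiltration are unfiltered"})
        age = (today - r["created"]).days
        if not r["comment"].strip() and age > STALE_AFTER_DAYS:
            findings.append({"rule": r["id"], "severity": "yellow", "issue": "undocumented_stale",
                             "detail": f"no description, unchanged for {age} days"})
    order = {"red": 0, "yellow": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["rule"]))


def internet_exposed_ports(rules):
    """Ports reachable from any source via inbound allow rules (for the report)."""
    exposed = set()
    for r in rules:
        if r["action"] == "allow" and r["dir"] == "inbound" and r["src"] == "any":
            exposed.update(r["ports"])
    return exposed


if __name__ == "__main__":
    for f in triage_rules(RULES):
        print(f"[{f['severity']:6}] rule {f['rule']}: {f['issue']} - {f['detail']}")
    print("internet-exposed ports:", internet_exposed_ports(RULES))
```

On the sample ruleset this produces two red findings (RDP open to the internet on rule 1, and the any-any "temp for vendor" rule that was never removed) and three yellows, which is the shape of most inherited firewalls: one or two critical exposures buried among years of undocumented rules.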

5. Backup and Recovery Validation

What to check:

  • **Backup solution:** What is backing up data? Is it running? When was the last successful backup?
  • **Recovery testing:** Has anyone ever tested a restore? When? What was restored?
  • **Offsite/immutable copies:** Are backups stored offsite, and is at least one copy immutable so that ransomware, or an attacker holding the backup administrator's credentials, cannot encrypt or delete it?
  • **RPO and RTO:** What is the expected Recovery Point Objective and Recovery Time Objective? Does the current backup solution actually meet those targets?
  • **Backup scope:** Is everything critical being backed up? Servers, cloud data (M365 mailboxes, SharePoint, OneDrive), databases?

What to document: Backup product, last successful backup date, last tested restore date, offsite/immutable status, and any gaps in backup scope.

6. Compliance Quick Scan

What to check:

  • **Regulatory requirements:** What industry is the client in? Healthcare (HIPAA), anyone handling card payments (PCI DSS), defense contracting (CMMC), or a business whose customers demand a SOC 2 report? Do they know which requirements actually apply to them?
  • **Existing policies:** Do they have written security policies? Incident response plan? Acceptable use policy? Data classification policy?
  • **Previous audits:** Have they been audited before? Were there findings? Were they remediated?
  • **Cyber insurance:** Do they have a cyber insurance policy? When does it renew? What controls does the carrier require?

What to document: Applicable compliance frameworks, existing policy documents, previous audit findings, and cyber insurance status.


How to Run This in Under 2 Hours

This sounds like a lot, but with the right tools most of it can be done in a single session:

Hour 1: Identity and email (automated)

Connect to Microsoft 365 or Google Workspace. Pull the user list, MFA status, admin accounts, and dormant accounts automatically. Check DMARC/SPF/DKIM with an online tool. Review mail flow rules in the admin center.

Hour 2: Endpoints, network, and backup (semi-automated)

Deploy your RMM agent to get device inventory, OS versions, and patch status. Check the firewall remotely. Verify backup status in whatever backup product they use. Run the compliance quick scan as a conversation with the client contact.

Deliverable: Day Zero Baseline Report

Compile everything into a one-page summary with a traffic light system:

  • **Green:** Control is in place and functioning
  • **Yellow:** Control exists but has gaps
  • **Red:** Control is missing or critically deficient

This report serves three purposes:

1. **Protects you legally.** It documents the state of things when you took over. Any problems that existed before you are clearly recorded.

2. **Sells remediation work.** Every red and yellow item is a project you can quote. Most new clients need $5,000 to $15,000 in remediation work to reach baseline.

3. **Sets the relationship tone.** You are not just "the IT guy." You are a security-first MSP that takes things seriously.


The Remediation Revenue Opportunity

The Day One baseline is not just a protective measure. It is a revenue generator.

| Finding | Typical Remediation | Revenue |
|---|---|---|
| MFA deployment across all accounts | 2-4 hours per client | $300-$600 |
| Disable dormant/orphaned accounts | 1-2 hours | $150-$300 |
| Deploy EDR to uncovered endpoints | Per-device deployment | $500-$2,000 |
| Patch remediation (critical backlog) | 4-8 hours | $600-$1,200 |
| Enable BitLocker/FileVault across all devices | 2-4 hours | $300-$600 |
| DMARC configuration (monitoring to enforcement) | 2-3 hours | $300-$450 |
| Firewall rule cleanup and documentation | 4-8 hours | $600-$1,200 |
| Backup gap remediation | Varies by scope | $500-$3,000 |
| Policy document creation (IR plan, AUP) | 4-8 hours per policy | $600-$1,200 each |

Average Day One remediation per client: $5,000 to $15,000

This is project revenue on top of your monthly managed services agreement. Most clients expect some initial work when switching IT providers. They are already budgeting for it. If you do not scope it, you end up doing it for free as part of "onboarding."


What Happens When You Skip the Baseline

Every MSP has a horror story about this. You onboard a client, skip the thorough assessment because you are busy, and three weeks later something breaks or gets breached. Now you are dealing with:

  • **An incident you did not cause but own.** You are the IT provider now. The client does not care that the problem predates you.
  • **No documentation of the inherited state.** You cannot prove the problem existed before you took over.
  • **Remediation work you are doing for free.** Because you did not scope it upfront, you are eating the cost of fixing problems that should have been quoted as a project.
  • **A damaged client relationship.** The client expected things to get better when they switched to you. Instead, things broke.

The Day One baseline takes 2 hours. Skipping it can cost you hundreds of hours and a client relationship.


Making It Repeatable

The key to scaling this is standardization. Every new client gets the same baseline, run the same way, with the same deliverable:

1. **Create a template.** Build a standard Day Zero Baseline Report template that your techs fill in for every new client. Same sections, same format, every time.

2. **Automate what you can.** Connect to M365 and pull identity data automatically. Use your RMM for endpoint inventory and patch status. The less manual work, the more consistent the results.

3. **Set expectations in the sales process.** Tell prospects during the sales cycle that your onboarding includes a comprehensive security baseline. This differentiates you from competitors who just deploy an agent and call it done.

4. **Quote remediation before you start.** Use the baseline findings to scope and quote remediation work. Get approval and payment before you start fixing things.


Key Takeaways

1. **Run the baseline before you change anything.** Document the state of things on Day One so you have a record of what you inherited. Deploying your RMM agent to collect inventory is part of the baseline; remediation is not.

2. **Check identity first.** MFA status, dormant accounts, admin sprawl. This is where most breaches start and it takes 15 minutes with the right tools.

3. **Every finding is a billable project.** The baseline pays for itself through remediation revenue.

4. **Standardize the process.** Same checklist, same template, every client. Your techs should be able to run this without thinking.

5. **Set the tone early.** A thorough Day One assessment tells the client you take security seriously. That sets the foundation for selling compliance and security services later.

The MSPs who run a proper Day One baseline close more remediation projects, have fewer inherited incidents, and build stronger client relationships from the start.


*Want to automate your Day One security baseline? Start your free trial of Nuronus — connect Microsoft 365, run an automated security assessment, and get MFA status, dormant accounts, admin privileges, and compliance gaps across all your clients in minutes.*


