I love it when a tech speaker lays out an overwhelming topic so clearly that it starts to feel approachable. That’s how I felt during a recent IT Pro Today webinar with Orin Thomas on security configuration management for Windows endpoints in the enterprise.
I’ve gone through Orin’s webinar and pulled out many of the items into a checklist that you can use as a starting point. It’s obviously not a complete checklist. That’s why I’m calling it a “starter kit.”
You can use it to see how your company stacks up on these essential items. Then you can address any shortcomings and work toward building a comprehensive checklist that helps make your organization more secure.
These items apply to all Windows 10 endpoints across the entire organization.
You can check this box if every endpoint is managed. This is often done with software such as Microsoft System Center Configuration Manager (ConfigMgr) and Intune. However, many effective solutions are available.
You can check this box if every endpoint in your organization is monitored (ideally at least daily) for compliance with company endpoint configuration policy. Deviations must be tracked and corrected quickly.
These items apply to every endpoint individually: the “per-machine” checklist. As you go through it, you may recognize a need for policies you haven’t thought of before.
Check this if the system is running Device Guard. You can also check it if your company policy does not require this system to run Device Guard.
Device Guard uses hardware-based code integrity checking, virtualization, and other security techniques to ensure the integrity of the operating system. Unless there are specific reasons to allow exceptions, such as compatibility, every company should require Device Guard on all systems.
Check this if the system is running Credential Guard. You can also check it if your company policy does not require this system to run Credential Guard.
Credential Guard mitigates credential-theft attacks that attempt to gain access to credentials stored in memory or in caches. Unless there are specific reasons to allow exceptions, such as compatibility, every company should require Credential Guard on all systems.
Check this if the system is running Application Guard. You can also check it if your company policy does not require this system to run Application Guard.
If you use Microsoft Edge (or IE), Application Guard lets IT define trusted and untrusted resources. When a user browses to an untrusted resource, the session runs in an isolated Hyper-V container to protect the host. This works for websites, cloud resources, and internal networks. However, most companies allow non-Microsoft browsers, which Application Guard does not protect.
Check this if the system is running Application Control. You can also check it if your company policy does not require this system to run Application Control.
Application Control restricts which applications, code, scripts, and MSIs can run. It also restricts PowerShell by forcing it into Constrained Language Mode.
Check this if the system’s Exploit Guard settings are in line with company policy.
Exploit Guard is a collection of features that prevent exploits in browsing and applications and provide attack surface reduction, network protection, and controlled folder access. Most apply system-wide, but some can be customized per application. Your company should have a policy defined for each of these settings, both for the system and for each application.
Check this if your company has a policy for Attack Surface Reduction and the endpoint complies with it. Below are some suggestions provided by Orin. A full list, however, is really up to you!
Check this box if you have ensured that:
Check this box if all hard disks, SSDs, and other forms of storage are encrypted. This prevents scenarios where someone removes the storage and reads it elsewhere. Microsoft provides BitLocker; many third-party options are available as well.
Check this box if all unneeded services are disabled per company policy. Windows ships with services that most companies do not need and do not want running. This check covers both pre-existing out-of-box (OOBE) services and rogue services.
Check this box if a system’s local accounts are in line with your company’s policy on which local accounts and groups should exist and which privileges each should have. Solutions like Microsoft’s Local Administrator Password Solution (LAPS) can help.
Check this box if the local firewall blocks outbound traffic by default and whitelists only explicit exceptions.
Check this box if all applications are hardened per company policy. Few applications are hardened in their default configuration. For example, in Microsoft Office you should allow only trusted macros to run and block browser extensions. Hardening is typically a combination of common sense and vendor guidelines.
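As an added example (mine, not Orin’s or the webinar’s), here is a read-only PowerShell audit that turns the per-machine items above (Device Guard, Credential Guard, Application Guard, Application Control, Exploit Guard, BitLocker, services, local accounts, firewall) into a pass/fail table for one Windows 10 endpoint. The two policy lists at the top are constructed placeholders for your own policy, and the script only reports; it changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only compliance audit of a local Windows 10 endpoint.
# Policy values below are constructed placeholders; replace them with your actual policy.
$Policy = @{
    DisallowedServices = @('RemoteRegistry', 'Fax', 'XblAuthManager')   # services that must be Disabled
    AllowedAdmins      = @("$env:COMPUTERNAME\Administrator")           # only these may be local admins
}
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Item, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Item = $Item; Compliant = $Pass; Detail = $Detail })
}

# Device Guard / Credential Guard / Application Control: Win32_DeviceGuard lists the VBS services
# actually running (1 = Credential Guard, 2 = HVCI) and the code integrity policy state (2 = Enforced).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
Add-Check 'Credential Guard running'            ($dg.SecurityServicesRunning -contains 1) "Running: $($dg.SecurityServicesRunning -join ',')"
Add-Check 'HVCI (memory integrity) running'      ($dg.SecurityServicesRunning -contains 2) "VBS status: $($dg.VirtualizationBasedSecurityStatus)"
Add-Check 'Application Control policy enforced'  ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2) "Status: $($dg.CodeIntegrityPolicyEnforcementStatus)"

# Application Guard is an optional Windows feature.
$ag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
Add-Check 'Application Guard enabled' ($ag.State -eq 'Enabled') "State: $($ag.State)"

# Exploit Guard pieces are Defender preferences; value 1 means Block for network protection, CFA and ASR rules.
$mp = Get-MpPreference
Add-Check 'Network protection in block mode'   ($mp.EnableNetworkProtection -eq 1) "Value: $($mp.EnableNetworkProtection)"
Add-Check 'Controlled folder access enabled'   ($mp.EnableControlledFolderAccess -eq 1) "Value: $($mp.EnableControlledFolderAccess)"
Add-Check 'At least one ASR rule in block mode' ($mp.AttackSurfaceReductionRules_Actions -contains 1) "Rules configured: $($mp.AttackSurfaceReductionRules_Ids.Count)"

# BitLocker: every volume must report ProtectionStatus = On, not merely "encrypted but suspended".
$unprotected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' }
Add-Check 'All volumes BitLocker-protected' ($unprotected.Count -eq 0) "Unprotected: $($unprotected.MountPoint -join ',')"

# Services: disallowed services must be Disabled (a stopped-but-Manual service can be restarted).
$badSvc = Get-Service -Name $Policy.DisallowedServices -ErrorAction SilentlyContinue |
          Where-Object { $_.StartType -ne 'Disabled' }
Add-Check 'Disallowed services disabled' ($badSvc.Count -eq 0) "Not disabled: $($badSvc.Name -join ',')"

# Local accounts: the Administrators group may contain only policy-approved members.
$extraAdmins = Get-LocalGroupMember -Group Administrators | Where-Object { $Policy.AllowedAdmins -notcontains $_.Name }
Add-Check 'Local Administrators per policy' ($extraAdmins.Count -eq 0) "Unexpected: $($extraAdmins.Name -join ',')"

# Firewall: each profile must be on and default to blocking outbound; exceptions are explicit rules.
$fwOpen = Get-NetFirewallProfile | Where-Object { -not $_.Enabled -or $_.DefaultOutboundAction -ne 'Block' }
Add-Check 'Outbound default-block on all profiles' ($fwOpen.Count -eq 0) "Open profiles: $($fwOpen.Name -join ',')"

$results | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell 5.1 session; the rows with Compliant = False are the boxes you cannot yet check, and the same table feeds naturally into the daily compliance monitoring described earlier.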
Check this box if all of the latest security patches for Windows have been applied.
Check this box if all applications are updated to the current security patching level.
Check this box if firmware on all systems is up to date.
Check this box if authentication best practices are set up per company policy.
Like so much in security, it’s a deep topic. Orin suggests the following things to consider:
Check this item if your browsers are hardened. Specific hardening will depend on your browsers and environment. As an example, here are some things you might harden in Microsoft Edge.
In all likelihood, you were not able to check most of these items. If you were, please tweet me (@itsystemsman) about it!
This blog merely scratches the surface of what your organization needs to put in a complete endpoint security checklist. However, it’s an important list of basics that should be covered if they’re not already.
If you’d like to get a lot more detailed information from Orin on endpoint security, you can view the full webinar on demand: SecOps Strategies for the Windows Endpoint.