I love it when a tech speaker lays out an overwhelming topic so clearly that it starts to feel approachable. That’s how I felt during a recent IT Pro Today webinar with Orin Thomas on security configuration management for Windows endpoints in the enterprise.
I’ve gone through Orin’s webinar and pulled out many of the items into a checklist that you can use as a starting point. It’s obviously not a complete checklist. That’s why I’m calling it a “starter kit.”
You can use it to see how your company stacks up on these essential items. Then you can take steps to address any shortcomings, and take steps toward building a comprehensive checklist to help make your organization more secure.
These items apply to all Windows 10 endpoints the entire organization.
□ Managing All Systems
You can check this box if every endpoint is managed. This is often done with software such as Microsoft System Center Configuration Manager (ConfigMgr) and Intune. However, many effective solutions are available.
□ Monitoring and Correcting Configuration Drift Regularly
You can check this box if every endpoint in your organization is monitored (ideally at least daily) for compliance with company endpoint configuration policy. Deviations must be tracked and corrected quickly.
Per-Windows 10 System Security Checklist
These items apply to every endpoint individually. The “per-machine” checklist. As you go through it, you may recognize a need for policies you haven’t thought of before.
□ Device Guard Enabled
Check this if the system is running Device Guard. You can also check it if your company policy does not require this system to run Device Guard.
Device Guard uses hardware-based code integrity checking, virtualization, and other security techniques to ensure the integrity of the operating system. Unless there are specific reasons to allow exceptions such as compatibility, every company should require use of Device Guard on all systems.
□ Credential Guard Enabled
Check this if the system is running Credential Guard. You can also check it if your company policy does not require this system to run Credential Guard.
Credential guard mitigates credential-theft attacks which attempt to gain access to credentials stored in memory or caches. Unless there are specific reasons to allow exceptions such as compatibility, every company should require use of Credential Guard on all systems.
□ Application Guard Enabled
Check this if the system is running Application Guard. You can also check it if your company policy does not require this system to run Application Guard.
If using Microsoft Edge (or IE), Application Guard can allow IT to define trusted or untrusted resources. When browsing to untrusted resources, the session is virtualized (isolated Hyper-V container) to protect the host. This works for websites, cloud resources, and internal networks. However, most companies allow non-Microsoft browsers, which are not secured by Application Guard.
□ Application Control Enabled
Check this if the system is running Application Control. You can also check it if your company policy does not require this system to run Application Control.
Application Control restricts what applications, code, scripts, and MSIs can run. It also restricts PowerShell (Constrained Language Mode).
□ Exploit Guard Enabled
Check this if the system’s Exploit Guard settings are in line with company policy.
Exploit Guard is a collection of features to prevent exploits around browsing, applications, attack surface reduction, network protection, and folder access. Most apply system-wide, but some can be customized for different applications. Your company should have a policy defined for each of these settings for the system and for each application.
□ Attack Surface Reduction Applied
Check this if your company has a policy for Attack Surface Reduction and the endpoint complies with it. Below are some suggestions provided by Orin. A full list, however, is really up to you!
- Block executable content from email client and webmail
- Block Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block execution of potentially obfuscated scripts
- Block Win 32 API calls from Office macros
□ Pre-boot Environment Locked Down
Check this box is you have ensured that:
- No one can modify BIOS/UEFI settings without a password
- The device will not boot via PXE or from USB without authorization
□ Storage Protected from Offline Attack
Check this box if all hard disks, SSD, and other form of storage are encrypted. This prevents scenarios where people remove storage and access it elsewhere. Microsoft provides BitLocker. Many third-party options are available as well.
□ Unneeded Services Disabled
Check this box if all unneeded services are disabled per company policy. Windows ships with services that most companies do not need and do not want running. This is both a check for pre-existing services (OOBE), and rogue services.
□ Local Accounts Locked Down
Check this box if a system’s local accounts are in line your company’s policy of what local accounts and groups should exist as well as which ones should have which privileges. Solutions like Microsoft’s Local Administrator Password Solution (LAPS) can help.
□ Windows Firewall Secured
Check this box if the local firewall blocks outbound traffic by default and whitelists exceptions.
□ Applications Hardened
Check this box if all applications are hardened per company policy. Few applications are hardened in their default configuration. For example, for Microsoft Office you should only allow trusted macros to run, and block browser extensions. Harding is typically a combination of common sense and vendor guidelines.
□ Windows Fully Updated
Check this box if all of the latest security patches for Windows have been applied.
□ Applications Fully Updated
Check this box if all applications are updated to the current security patching level.
□ Firmware Fully Updated
Check this box if firmware on all systems is up to date.
□ Secure Authentication Used
Check this box if authentication best practices are set up per company policy.
Like so much in security, it’s a deep topic. Orin suggests as things to consider:
- Picture password policy sign on disabled
- PIN sign on disabled
- Password policies set to something like:
- 10 Chars minimum
- 90 days maximum age
- Credential caching group policies set:
- Only one previous logon stored in cache where DC isn’t available
- Passwords for network authentication are not stored
- Biometric or two-factor authentication used
- Authentication allowed only during authorized hours
- Device recently inspected for keyloggers
- IPSec implemented on local networks
□ Browsers Hardened
Check this item if your browsers are hardened. Specific hardening will depend on your browsers and environment. As an example, here are some things you might harden with Microsoft Edge.
- Configure Edge …
- Disable Flash
- Disable Developer Tools
- Enable Do Not Track
- Enable Pop Up Blocker
- Enable Windows Defender Smart Screen
- Prevent users and apps from accessing dangerous websites
How Many Items Did You Check?
In all likelyhood, you were not able to check most of this items. If you were, please tweet me (@itsystemsman) about it!
This blog merely scratches the surface of what your organization needs to put in a complete endpoint security checklist. However, it’s an important list of basics that should be covered if they’re not already.
If you’d like to get a lot more detailed information from Orin on endpoint security, you can view the full webinar on demand: SecOps Strategies for the Windows Endpoint.