
Workstation Security Standard

Knowledge Base Article outlining Workstation Endpoint Security Hardening Standard.

Mac

Casper Management Framework

  • Agent installed at first image (Casper Imaging used to deploy new machines)
  • LaunchAgent installed at first image to verify Casper enrollment, and re-enroll as needed
  • Regular policy check-in set to every hour
  • Full inventory update run daily

Antivirus

  • Sophos installed on all Macs at first image (set to auto update)
  • Smart group in Casper to look for Macs without Sophos or needing repair
    • Product version
    • Primary update server
    • ParentAddress router configuration
  • Policy in Casper to re-install Sophos as needed

Encryption

  • FileVault 2 installed on all Macs at first image
  • Smart group in Casper to look for Macs without encryption
    • Boot drive encryption check
    • Provides encryption status (not encrypted, encrypting, pending encryption, decrypted, encrypted)
  • Policy in Casper to force encryption as needed

Password Configuration

  • All Macs are bound to AD
  • Passwords and PINs used to authenticate to any network, compute, storage, or cloud service
    • Passwords must be at least 12 characters long
    • Passwords must consist of at least three of the following: upper case letters, lower case letters, numbers and special characters
    • PINs must be at least 4 numbers long
    • Passwords must be changed every 90 days

Session Timeout/Lock

  • Auto-login not enabled
  • Login screen restricted by FileVault 2
  • ScreenSaver & wake from sleep force lock
  • ScreenSaver set to engage at 15 minutes
  • Local accounts only – no guest access

Windows

LanDesk Management Framework

  • Agent installed at first image
  • Inventory policy check-in set to once a day and on IP change
  • Distribution and Patch policy set to check in when the user logs in (once per login), when the IP changes, and every 2 hours thereafter

Antivirus

  • Sophos installed on all PCs at first image (set to auto update)
  • LanDesk software distribution policy set for deployment to any system detected not running Sophos

Encryption

  • BitLocker (MBAM 2.5) configured at time of deployment

Password Configuration

  • All PCs are bound to AD
  • Passwords and PINs used to authenticate to any network, compute, storage, or cloud service
    • Passwords must be at least 12 characters long
    • Passwords must consist of at least three of the following: upper case letters, lower case letters, numbers and special characters
    • PINs must be at least 4 numbers long
    • Passwords must be changed every 90 days

Session Timeout/Lock

  • Controlled by Group Policy
  • Screensaver set to engage at 15 minutes

 
