
    "harden" a windows workstation

      scottalanmiller @Mike Davis

      @mike-davis said in "harden" a windows workstation:

      Came across this requirement in an audit:

      Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
      Do your workstations use a secure build? Have they been hardened to reduce their vulnerability to attacks prior to use? Provide documentation related to procedures or guidelines/checklists used as a baseline secure build configuration.

      I'm thinking it's patched up to date, firewall is on, there are no extra services running, user is not admin, and UAC is on. What else has anyone done to "harden" them?

      AV on and up to date. Maybe collecting logs somewhere?

        momurda

        There are also the Starter GPOs in Group Policy that have configurations for secure setups for each Windows version.

          Mike Davis

          I ended up pushing Third Wall http://www.third-wall.com/ out to the computers because it does a bunch of that stuff and is integrated into ConnectWise. I already had to have ConnectWise running on those boxes to pull logs and send alerts, so it made sense. The other thing that Third Wall did was give me a report for the auditors.

            flaxking

            It specifically mentions CM, so how about managing the state of the computer so that you know if it is no longer in compliance?

              Spiral

              In addition to the typical layers, I have set the software restriction policy with a default deny policy, then allowed accordingly.
              Like in:
              http://mechbgon.com/srp/

                scottalanmiller @Spiral

                @spiral said in "harden" a windows workstation:

                In addition to the typical layers, I have set the software restriction policy with a default deny policy, then allowed accordingly.
                Like in:
                http://mechbgon.com/srp/

                We call that "application whitelisting".

                  Mike Davis @Spiral

                  @spiral I have one client where I set that up, but only for things that want to run out of appdata. It's still a pain.

                    ChadBrindley

                    Disable Legacy Protocol Versions such as SMBv1 if possible.

                      ChadBrindley

                      Change default Administrator Username. Implement LAPS to randomize passwords.

                        stacksofplates

                        You can use some SCAP tools to give you ideas of good hardening rules.

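
One way to act on the thread's suggestion of knowing when a machine is no longer in compliance: an added example, not code from any poster, that checks several baseline items named in the thread (firewall, UAC, SMBv1, AV, local admins, renamed Administrator). It assumes Windows PowerShell 5.1 run elevated and Microsoft Defender as the AV; the signature-age threshold and the allowed Administrators members are illustrative choices.

```powershell
# Added example (not from the thread): report drift from baseline items named above.
# Run from an elevated PowerShell session on the workstation being checked.
# Assumptions: Microsoft Defender is the AV product; $MaxSignatureAgeDays and the
# allowed Administrators members (RIDs 500 and 512) are illustrative choices.
$MaxSignatureAgeDays = 3

function Get-BaselineDrift {
    $checks = [ordered]@{}

    # Firewall on: no profile (Domain, Private, Public) may be disabled.
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    $checks['Firewall enabled on all profiles'] = ($off.Count -eq 0)

    # UAC on: EnableLUA = 1 in the system policy key.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA
    $checks['UAC enabled'] = ($uac.EnableLUA -eq 1)

    # Legacy protocol: the SMB server must not accept SMBv1.
    $checks['SMBv1 server disabled'] = -not (Get-SmbServerConfiguration).EnableSMB1Protocol

    # AV on and up to date (Defender only).
    $mp = Get-MpComputerStatus
    $checks['AV enabled'] = [bool]$mp.AntivirusEnabled
    $checks['AV signatures current'] = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)

    # User is not admin: flag Administrators members other than the built-in
    # account (RID 500) and Domain Admins (RID 512).
    $extra = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -notmatch '-(500|512)$' })
    $checks['No unexpected local admins'] = ($extra.Count -eq 0)

    # Built-in Administrator (RID 500) renamed from its default.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }
    $checks['Built-in Administrator renamed'] = ($builtin.Name -ne 'Administrator')

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Compliant = $checks[$name] }
    }
}

$report = @(Get-BaselineDrift)
$report | Format-Table -AutoSize
# A non-zero exit code lets a scheduler or RMM agent alert on drift.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Saved as a script and run on a schedule, the table doubles as evidence for an auditor and the exit code as the drift signal.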