
    "harden" a windows workstation

    • Mike Davis

      Came across this requirement in an audit:

      Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
      Do your workstations use a secure build? Have they been hardened to reduce their vulnerability to attacks prior to use? Provide documentation related to procedures or guidelines/checklists used as a baseline secure build configuration.

      I'm thinking it's patched up to date, firewall is on, there are no extra services running, user is not admin, and UAC is on. What else has anyone done to "harden" them?

      • DustinB3403

        AV and AM software.

        Firewall configuration changes to meet the business needs (the default often doesn't pass these kinds of audits).

        • Mike Davis

          @DustinB3403 thanks, forgot to put AV on the list. I also forgot that Third Wall does a bunch of things I didn't list:

          local admin account renamed, disallowed Microsoft accounts, disabled Windows 10 keylogger, disabled exe from running in %appdata%, disabled office macros from internet, ransomware monitor, and alert on excessive logon failures.

          • scottalanmiller @Mike Davis

            @mike-davis said in "harden" a windows workstation:

            Came across this requirement in an audit:

            Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
            Do your workstations use a secure build? Have they been hardened to reduce their vulnerability to attacks prior to use? Provide documentation related to procedures or guidelines/checklists used as a baseline secure build configuration.

            I'm thinking it's patched up to date, firewall is on, there are no extra services running, user is not admin, and UAC is on. What else has anyone done to "harden" them?

            AV on and up to date. Maybe collecting logs somewhere?

            • momurda

              There are also the Starter GPOs in Group Policy that have configurations for secure setups for each Windows version.

              • Mike Davis

                I ended up pushing Third Wall http://www.third-wall.com/ out to the computers because it does a bunch of that stuff and is integrated into ConnectWise. I already had to have ConnectWise running on those boxes to pull logs and send alerts, so it made sense. The other thing that Third Wall did was give me a report for the auditors.

                • flaxking

                  It specially mentions CM, so how about managing the state of the computer so that you know if it is no longer in compliance?

                  • Spiral

                    In addition to the typical layers, I have set the software restriction policy with a default deny policy, then allowed accordingly.
                    Like in:
                    http://mechbgon.com/srp/

                    • scottalanmiller @Spiral

                      @spiral said in "harden" a windows workstation:

                      In addition to the typical layers, I have set the software restriction policy with a default deny policy, then allowed accordingly.
                      Like in:
                      http://mechbgon.com/srp/

                      We call that "application whitelisting".

                      • Mike Davis @Spiral

                        @spiral I have one client where I set that up, but only for things that want to run out of appdata. It's still a pain.

                        • ChadBrindley

                          Disable Legacy Protocol Versions such as SMBv1 if possible.

                          • ChadBrindley

                            Change default Administrator Username. Implement LAPS to randomize passwords.

                            • stacksofplates

                              You can use some SCAP tools to give you ideas of good hardening rules.

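The checks named across this thread (firewall, UAC, SMBv1, renamed built-in Administrator, local admin membership, AV, patch age) gathered into one read-only PowerShell audit, so that drift from the baseline can be tracked and reported as the audit requirement and flaxking's reply ask. This is an added example, not code from any poster or from Third Wall; it assumes an elevated prompt on Windows 10/11 with Microsoft Defender as the AV, and the function name and both thresholds are made up for illustration.

```powershell
# Added example: read-only baseline check. Run elevated on Windows 10/11.
# Both thresholds are assumptions; set them to match your own policy.
function Test-WorkstationBaseline {
    param([int]$MaxSignatureAgeDays = 7, [int]$MaxPatchAgeDays = 35)
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check($Name, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Compliant = [bool]$Pass; Detail = "$Detail" })
    }

    # Firewall must be enabled on the Domain, Private and Public profiles.
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    Add-Check 'Firewall on for all profiles' ($off.Count -eq 0) "disabled: $($off.Name -join ', ')"

    # UAC: EnableLUA = 1 means Admin Approval Mode is active.
    $lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    Add-Check 'UAC enabled' ($lua -eq 1) "EnableLUA=$lua"

    # SMBv1 server side should be off.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Add-Check 'SMBv1 server disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"

    # Built-in Administrator is identified by RID 500, whatever it is called.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    Add-Check 'Built-in admin renamed' ($builtin.Name -ne 'Administrator') "name=$($builtin.Name), enabled=$($builtin.Enabled)"

    # Day-to-day user accounts should not be in BUILTIN\Administrators (S-1-5-32-544).
    $extra = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' })
    Add-Check 'No extra users in Administrators' ($extra.Count -eq 0) ($extra.Name -join ', ')

    # Microsoft Defender status; a third-party AV needs its own check here.
    $mp = Get-MpComputerStatus
    $avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
            ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    Add-Check 'Defender on, signatures current' $avOk "signature age=$($mp.AntivirusSignatureAge)d"

    # Get-HotFix does not list every update type, so treat this as a coarse signal.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($last) { ((Get-Date) - $last.InstalledOn).Days } else { $null }
    Add-Check 'Recently patched' ($null -ne $age -and $age -le $MaxPatchAgeDays) "last=$($last.HotFixID), $age days ago"

    $results
}

# Table for a quick look; pipe to Export-Csv instead to keep a dated record for auditors.
Test-WorkstationBaseline | Format-Table -AutoSize -Wrap
```

On machines protected by a non-Microsoft AV product, the Defender row will report non-compliant and should be replaced with that vendor's own status query.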