"harden" a windows workstation



  • Came across this requirement in an audit:

    Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
    Do your workstations use a secure build? Have they been hardened to reduce their vulnerability to attacks prior to use? Provide documentation related to procedures or guidelines/checklists used as a baseline secure build configuration.

    I'm thinking it's patched up to date, firewall is on, there are no extra services running, user is not admin, and UAC is on. What else has anyone done to "harden" them?



  • AV and AM software.

    Firewall configuration changes to meet the business needs (the default often doesn't pass these kinds of audits).



  • @DustinB3403 thanks, forgot to put AV on the list. I also forgot that Third Wall does a bunch of things I didn't list:

    local admin account renamed, disallowed Microsoft accounts, disabled Windows 10 keylogger, disabled exe from running in %appdata%, disabled office macros from internet, ransomware monitor, and alert on excessive logon failures.



  • @mike-davis said in "harden" a windows workstation:

    Came across this requirement in an audit:

    Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
    Do your workstations use a secure build? Have they been hardened to reduce their vulnerability to attacks prior to use? Provide documentation related to procedures or guidelines/checklists used as a baseline secure build configuration.

    I'm thinking it's patched up to date, firewall is on, there are no extra services running, user is not admin, and UAC is on. What else has anyone done to "harden" them?

    AV on and up to date. Maybe collecting logs somewhere?



  • There are also the Starter GPOs in Group Policy that have configurations for secure setups for each Windows version.



  • I ended up pushing Third Wall http://www.third-wall.com/ out to the computers because it does a bunch of that stuff and is integrated into ConnectWise. I already had to have ConnectWise running on those boxes to pull logs and send alerts so it made sense. The other thing that Third Wall did was give me a report for the auditors.



  • It specifically mentions CM, so how about managing the state of the computer so that you know if it is no longer in compliance?



  • In addition to the typical layers, I have set the software restriction policy with a default deny policy, then allowed accordingly.
    Like in:
    http://mechbgon.com/srp/



  • @spiral said in "harden" a windows workstation:

    In addition to the typical layers, I have set the software restriction policy with a default deny policy, then allowed accordingly.
    Like in:
    http://mechbgon.com/srp/

    We call that "application whitelisting".



  • @spiral I have one client where I set that up, but only for things that want to run out of appdata. It's still a pain.



  • Disable Legacy Protocol Versions such as SMBv1 if possible.



  • Change default Administrator Username. Implement LAPS to randomize passwords.



  • You can use some SCAP tools to give you ideas of good hardening rules.
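
Added example, not part of any post in this thread: a PowerShell drift check covering the settings the posters list (firewall, UAC, SMBv1, AV, renamed built-in admin, local admin membership), with a CSV an auditor can be handed. It assumes Microsoft Defender is the AV, an elevated session, a hypothetical `$AllowedAdmins` allow-list, and a constructed 3-day signature-age threshold.

```powershell
# Baseline drift check for the hardening items named in this thread.
# Run from an elevated PowerShell session on Windows 10/11.
# Assumption: Microsoft Defender is the installed AV (Get-MpComputerStatus).
$AllowedAdmins = @("$env:COMPUTERNAME\LocalAdm")   # hypothetical allow-list, constructed value
$MaxSigAgeDays = 3                                 # constructed threshold, set per your policy

function New-Check($Name, $Expected, $Actual) {
    # Compare as strings so booleans, enums and integers are handled uniformly
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Check     = $Name
        Expected  = "$Expected"
        Actual    = "$Actual"
        Compliant = ("$Expected" -eq "$Actual")
    }
}

$results = @()

# Firewall must be enabled on every profile (Domain, Private, Public)
foreach ($p in Get-NetFirewallProfile) {
    $results += New-Check "Firewall profile $($p.Name)" $true $p.Enabled
}

# UAC: EnableLUA = 1 means User Account Control is on
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$results += New-Check 'UAC (EnableLUA)' 1 $uac.EnableLUA

# Legacy protocol: the SMBv1 server side should be disabled
$smb = Get-SmbServerConfiguration
$results += New-Check 'SMBv1 server protocol' $false $smb.EnableSMB1Protocol

# AV on and up to date
$mp = Get-MpComputerStatus
$results += New-Check 'Defender real-time protection' $true $mp.RealTimeProtectionEnabled
$results += New-Check "Defender signatures <= $MaxSigAgeDays days" $true ($mp.AntivirusSignatureAge -le $MaxSigAgeDays)

# Built-in Administrator (RID 500) should not keep its default name
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$results += New-Check 'Built-in admin renamed' $true ($builtin.Name -ne 'Administrator')

# Anyone in the local Administrators group who is not on the allow-list
$extra = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.Name -notin $AllowedAdmins -and $_.SID.Value -notlike '*-500' }
$results += New-Check 'Unexpected local admins' '' ($extra.Name -join ', ')

# Console view plus a per-machine CSV for the audit file
$results | Format-Table -AutoSize
$results | Export-Csv "$env:TEMP\baseline-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Scheduling this and alerting on any row where `Compliant` is false addresses the "track, report on, correct" wording of the audit requirement.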

