
5.5 Workstations & Endpoints



  • Configuration Standards:

    • a. Disable Windows Management Instrumentation (WMI), PowerShell, and Secure Shell (SSH) on workstations. SSH may be temporarily enabled by a DTC technician for troubleshooting and disabled upon task completion.

    • b. Disable PowerShell Remoting on servers.

    • c. Enable SSH on servers for secure remote management.

  • Security Agents:

    • d. Deploy Managed Detection and Response (MDR) or Endpoint Detection and Response (EDR) agents.

    • e. Install VPN clients where applicable.

    • f. Deploy DNS content filtering agents on laptops.

  • User Lockout Policy:

    • g. Trigger a 5-minute lockout period after 10 failed login attempts.

  • Screen Lock Policy:

    • h. Activate screen lock after 12 hours of inactivity.

  • Software Maintenance:

    • i. Deploy operating system patches according to the [Patch Schedule Link].

    • j. Install drivers as per the [Driver Schedule Link].

    • k. Deploy essential third-party applications following the [Essential Apps Schedule Link].

    • l. Install Line of Business (LOB) applications according to the [LOB Apps Schedule Link].

Technical Controls:

| Control ID | Description | Tools/Methods |
|---|---|---|
| a | Disable WMI, PowerShell, and SSH on workstations; enable SSH temporarily for troubleshooting. | Group Policy Objects (GPO); Configuration Management Tools; Manual enable/disable procedures. |
| b | Disable PowerShell Remoting on servers. | GPO; PowerShell scripts; Configuration Management Tools. |
| c | Enable SSH on servers for secure remote management. | SSH server configuration; GPO; Configuration Management Tools. |
| d | Deploy MDR/EDR agents on endpoints. | MDR/EDR solutions (e.g., Microsoft Defender for Endpoint, CrowdStrike); Deployment scripts. |
| e | Install VPN clients where applicable. | VPN solutions (e.g., Cisco AnyConnect, OpenVPN); Deployment scripts; Configuration policies. |
| f | Deploy DNS content filtering agents on laptops. | DNS filtering solutions (e.g., Cisco Umbrella, OpenDNS); Deployment scripts; Configuration policies. |
| g | Implement a 5-minute lockout after 10 failed login attempts. | Account lockout policies configured via GPO; Security baseline policies. |
| h | Activate screen lock after 12 hours of inactivity. | Screen saver timeout policies configured via GPO; Configuration Management Tools. |
| i | Deploy operating system patches as per schedule. | Windows Server Update Services (WSUS); Patch management tools (e.g., SCCM); Automated deployment scripts. |
| j | Install drivers according to the deployment schedule. | Driver management tools; Deployment scripts; Configuration Management Tools. |
| k | Deploy essential third-party applications per schedule. | Software deployment tools (e.g., SCCM, Intune); Deployment scripts; Application catalogs. |
| l | Install Line of Business (LOB) applications as scheduled. | Software deployment tools; Deployment scripts; Configuration Management Tools. |