5.5 Workstations & Endpoints
5.5 Workstations & Endpoints
-
Configuration Standards:
-
a. Disable Windows Management Instrumentation (WMI), PowerShell, and Secure Shell (SSH) on workstations. SSH may be temporarily enabled by a DTC technician for troubleshooting and disabled upon task completion.
-
b. Disable PowerShell Remoting on servers.
-
c. Enable SSH on servers for secure remote management.
-
-
Security Agents:
-
d. Deploy Managed Detection and Response (MDR) or Endpoint Detection and Response (EDR) agents.
-
e. Install VPN clients where applicable.
-
f. Deploy DNS content filtering agents on laptops.
-
-
User Lockout Policy:
-
g. Trigger a 5-minute lockout period after 10 failed login attempts.
-
-
Screen Lock Policy:
-
h. Activate screen lock after 12 hours of inactivity.
-
-
Software Maintenance:
-
i. Deploy operating system patches according to the [Patch Schedule Link].
-
j. Install drivers as per the [Driver Schedule Link].
-
k. Deploy essential third-party applications following the [Essential Apps Schedule Link].
-
l. Install Line of Business (LOB) applications according to the [LOB Apps Schedule Link].
-
Technical Controls:
| Control ID | Description | Tools/Methods |
|---|---|---|
| a | Disable WMI, PowerShell, and SSH on workstations; enable SSH temporarily for troubleshooting. | |
| b | Disable PowerShell Remoting on servers. | |
| c | Enable SSH on servers for secure remote management. | |
| d | Deploy MDR/EDR agents on endpoints. | |
| e | Install VPN clients where applicable. | |
| f | Deploy DNS content filtering agents on laptops. | |
| g | Implement a 5-minute lockout after 10 failed login attempts. | |
| h | Activate screen lock after 12 hours of inactivity. | |
| i | Deploy operating system patches as per schedule. | |
| j | Install drivers according to the deployment schedule. | |
| k | Deploy essential third-party applications per schedule. | |
| l | Install Line of Business (LOB) applications as scheduled. |