
5.5 Workstations & Endpoints



  • Configuration Standards:

    • a. Disable Windows Management Instrumentation (WMI), PowerShell, and Secure Shell (SSH) on workstations. SSH may be temporarily enabled by a DTC technician for troubleshooting and disabled upon task completion.

    • b. Disable PowerShell Remoting on servers.

    • c. Enable SSH on servers for secure remote management.

  • Security Agents:

    • d. Deploy Managed Detection and Response (MDR) or Endpoint Detection and Response (EDR) agents.

    • e. Install VPN clients where applicable.

    • f. Deploy DNS content filtering agents on laptops.

  • User Lockout Policy:

    • g. Trigger a 5-minute lockout period after 10 failed login attempts.

  • Screen Lock Policy:

    • h. Activate screen lock after 12 hours of inactivity.

  • Software Maintenance:

    • i. Deploy operating system patches according to the schedule. See Technical Controls.

    • j. Install drivers according to the schedule. See Technical Controls.

    • k. Deploy essential third-party applications according to the schedule. See Technical Controls.

    • l. Install Line of Business (LOB) applications according to the schedule. See Technical Controls.

  • Application Allowlist/Blocklist:
    • DTC does not enforce application allowlisting or blocklisting unless consulted. Any applications deployed by the client are the responsibility of the client. However, if the client has a documented allowlist and blocklist, we can work together and take action to resolve these situations.

Technical Controls:

| Control ID | Description | Tools/Methods |
|---|---|---|
| a | Disable WMI, PowerShell, and SSH on workstations; enable SSH temporarily for troubleshooting. | DTC's NinjaOne RMM, Microsoft Windows PowerShell, Internet Access, SOP |
| b | Disable PowerShell Remoting on servers. | DTC's NinjaOne RMM, Internet Access |
| c | Enable SSH on servers for secure remote management. | DTC's NinjaOne RMM, Internet Access |
| d | Deploy MDR/EDR agents on endpoints. | DTC's NinjaOne RMM, Blackpoint SNAP Agent, Internet Access |
| e | Install VPN clients where applicable. | DTC's NinjaOne RMM, Cloudflare WARP, ZeroTier, Internet Access |
| f | Deploy DNS content filtering agents on laptops. | DTC's NinjaOne RMM, DNSFilter Roaming Agent, Internet Access |
| g | Implement a 5-minute lockout after 10 failed login attempts. | DTC's NinjaOne RMM, Internet Access |
| h | Activate screen lock after 12 hours of inactivity. | DTC's NinjaOne RMM, Internet Access |
| i | Deploy operating system patches as per schedule. | DTC's NinjaOne RMM, Internet Access, SOP |
| j | Install drivers according to the deployment schedule. | DTC's NinjaOne RMM, Internet Access, SOP |
| k | Deploy essential third-party applications per schedule. | DTC's NinjaOne RMM, Internet Access, SOP |
| l | Install Line of Business (LOB) applications as scheduled. | DTC's NinjaOne RMM, Internet Access, SOP |
| j. | Application Allowlist/Blocklist | N/A |