5.5 Workstations & Endpoints

Configuration Standards:
- a. Disable Windows Management Instrumentation (WMI), PowerShell, and Secure Shell (SSH) on workstations. SSH may be temporarily enabled by a DTC technician for troubleshooting and disabled upon task completion.
- b. Enable SSH on servers for secure remote management.
- Incident Response Integration:
  - c. Deploy Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) agents across all compute resources.
  - d. Ensure continuous monitoring and analysis of endpoint activities to detect and respond to potential threats.
  - e. Facilitate collaboration between EDR/MDR solutions and the Security Operations Center (SOC) to coordinate rapid incident response and remediation effortsVPN Clients
• VPN Clients and Roaming Content Filtering

o. g. Deploy appropriate VPN clients or DNS roaming agents on laptops to filter content and protect users from malicious activity.
User Lockout Policy:
- h. Trigger a 5-minute lockout period after 10 failed login attempts.
Screen Lock Policy:
- i. Activate screen lock after 12 hours of inactivity.
Software Maintenance:
- j. Deploy operating system patches according to the schedule. See Technical Controls
- k. Install drivers according to the schedule. See Technical Controls
- l. Deploy essential third-party applications according to the schedule. See Technical Controls
- m. Install Line of Business (LOB) applications according to the schedule. See Technical Controls.
Application Allowlist Blocklist:
- n. DTC does not enforce application allowlisting or blocklisting unless ~~consulted~~explicitly ~~with!~~consulted. ~~Any applications~~Applications deployed by the client isare the ~~responsibility~~client's ofresponsibility. ~~the~~However, ~~client.~~we Weare ~~can~~happy ~~work~~to ~~together though~~collaborate and take appropriate action ~~to resolve these situations~~ if the client ~~has~~provides a documented allowlist and ~~blocklist.~~blocklist
- o. Microsoft Co-Pilot is disabled by default on all Windows Endpoints.

Technical Controls:

Control ID	Description	Tools/Methods
a	Disable WMI, PowerShell, and SSH on workstations; enable SSH temporarily for troubleshooting.	NinjaOne RMM, Microsoft Windows PowerShell, SOP
b	Enable SSH on servers for secure remote management.	NinjaOne RMM
c	Deploy Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) agents across all compute resources.	NinjaRMM, Blackpoint SNAP Agent
d	Ensure continuous monitoring and analysis of endpoint activities to detect and respond to potential threats.	Blackpoint SNAP Agent
e	Facilitate collaboration between EDR/MDR solutions and the Security Operations Center (SOC) to coordinate rapid incident response and remediation efforts.	Blackpiont SNAP Agent
f	Deploy relevant VPN Clients for clients remote access.	ZeroTier, Cloudflare WARP
g	Deploy relevant VPN Clients or DNS Roaming Agents on laptops to filter content and protect the user from triggering malicious activity.	DNSFilter Roaming Agent
h	Implement a 5-minute lockout after 10 failed login attempts.	NinjaOne RMM
I	Activate screen lock after 12 hours of inactivity.	NinjaOne RMM
j	Deploy operating system patches as per schedule.	NinjaOne RMM, Windows OS Patching
k	Install drivers according to the deployment schedule.	NinjaOne RMM, Windows Driver Patching
l	Deploy essential third-party applications per schedule.	NinjaOne RMM, WIndows 3rd Party Patching
m	Install Line of Business (LOB) applications as scheduled.	NinjaOne RMM, Client Specific SOP
n	Application Allowlist blocklist	N/A
o	Microsoft Windows Co-Pilot is disabled by default on all Windows Endpoints	NinjaOne RMM