Workstation Security Standard

Mar 30, 2025

Knowledge Base article outlining the Workstation Endpoint Security Hardening Standard.

Mac

Casper Management Framework

  • Agent installed at first image (Casper Imaging used to deploy new machines)
  • LaunchAgent installed at first image to verify Casper enrollment, and re-enroll as needed
  • Regular policy check-in set to every hour
  • Full inventory update run daily

Antivirus

  • Sophos installed on all Macs at first image (set to auto update)
  • Smart group in Casper to look for Macs without Sophos or needing repair
    • Product version
    • Primary update server
    • ParentAddress router configuration
  • Policy in Casper to re-install Sophos as needed

Encryption

  • FileVault 2 installed on all Macs at first image
  • Smart group in Casper to look for Macs without encryption
    • Boot drive encryption check
    • Provides encryption status (not encrypted, encrypting, pending encryption, decrypted, encrypted)
  • Policy in Casper to force encryption as needed

Password Configuration

  • All Macs are bound to AD
  • Passwords and PINs used to authenticate to any network, compute, storage, or cloud service
    • Passwords must be at least 12 characters long
    • Passwords must consist of at least three of the following: upper case letters, lower case letters, numbers and special characters
    • PINs must be at least 4 numbers long
    • Passwords must be changed every 90 days

Session Timeout/Lock

  • Auto-login not enabled
  • Login screen restricted by FileVault 2
  • ScreenSaver & wake from sleep force lock
  • ScreenSaver set to engage at 15 minutes
  • Local accounts only – no guest access

Windows

LanDesk Management Framework

  • Agent installed at first image
  • Inventory policy check-in set to once a day and on IP change
  • Distribution and Patch policy set to check in when the user logs in (once per login), when the IP changes, and every 2 hours thereafter

Antivirus

  • Sophos installed on all PCs at first image (set to auto update)
  • LanDesk software distribution policy set for deployment to any system detected not running Sophos

Encryption

  • BitLocker (MBAM 2.5) configured at time of deployment

Password Configuration

  • All PCs are bound to AD
  • Passwords and PINs used to authenticate to any network, compute, storage, or cloud service
    • Passwords must be at least 12 characters long
    • Passwords must consist of at least three of the following: upper case letters, lower case letters, numbers and special characters
    • PINs must be at least 4 numbers long
    • Passwords must be changed every 90 days

Session Timeout/Lock

  • Controlled by Group Policy
  • Screensaver set to engage at 15 minutes
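
One way to audit an inventory export against the Mac and Windows settings listed above. This is an added example, not part of the original article or of Casper or LanDesk. The record field names are hypothetical and the sample fleet is constructed.

```python
from datetime import datetime, timedelta, timezone

SCREENSAVER_MAX_SECONDS = 15 * 60        # screensaver engages at 15 minutes
INVENTORY_MAX_AGE = timedelta(days=1)    # inventory is updated daily
PASSWORD_MAX_AGE = timedelta(days=90)    # passwords change every 90 days

def audit(rec, now):
    """Return findings for one inventory record; all field names are hypothetical."""
    findings = []
    if now - rec["last_inventory"] > INVENTORY_MAX_AGE:
        findings.append("inventory: stale, values below may be outdated")
    if not rec.get("sophos_installed", False):
        findings.append("antivirus: Sophos missing")
    # Only a finished encryption counts; "encrypting" and "pending encryption" do not.
    status = rec.get("encryption_status", "unknown")
    if status != "encrypted":
        findings.append(f"encryption: boot drive is {status}")
    if not rec.get("ad_bound", False):
        findings.append("password: not bound to AD")
    if now - rec["password_last_set"] > PASSWORD_MAX_AGE:
        findings.append("password: older than 90 days")
    idle = rec.get("screensaver_idle_seconds", 0)  # 0 is treated here as "never"
    if idle <= 0 or idle > SCREENSAVER_MAX_SECONDS:
        findings.append("session: screensaver does not engage within 15 minutes")
    if rec["platform"] == "mac":  # items listed only in the Mac section
        if rec.get("auto_login", True):
            findings.append("session: auto-login enabled")
        if rec.get("guest_enabled", True):
            findings.append("session: guest access enabled")
        if not rec.get("lock_on_wake", False):
            findings.append("session: no lock on wake")
    return findings

# Constructed sample records, not real inventory data.
NOW = datetime(2025, 3, 30, 12, 0, tzinfo=timezone.utc)
FLEET = [
    {"name": "mac-01", "platform": "mac", "last_inventory": NOW - timedelta(hours=3),
     "sophos_installed": True, "encryption_status": "encrypted", "ad_bound": True,
     "password_last_set": NOW - timedelta(days=30), "screensaver_idle_seconds": 900,
     "auto_login": False, "guest_enabled": False, "lock_on_wake": True},
    {"name": "mac-02", "platform": "mac", "last_inventory": NOW - timedelta(days=4),
     "sophos_installed": True, "encryption_status": "encrypting", "ad_bound": True,
     "password_last_set": NOW - timedelta(days=120), "screensaver_idle_seconds": 0,
     "auto_login": False, "guest_enabled": True, "lock_on_wake": True},
    {"name": "pc-01", "platform": "windows", "last_inventory": NOW - timedelta(hours=20),
     "sophos_installed": False, "encryption_status": "encrypted", "ad_bound": True,
     "password_last_set": NOW - timedelta(days=89), "screensaver_idle_seconds": 1800},
]

if __name__ == "__main__":
    print({r["name"]: audit(r, NOW) for r in FLEET})
```

Missing Mac session fields default to non-compliant, so a record that omits them is flagged rather than passed.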

 
