Endpoint hardening (best practices)
Endpoint hardening: If you were to tell the average person that you were going to be performing this task for your organization, they'd probably ask if you were a blacksmith. However, in this case, we're going to talk about creating defenses for our systems instead of offenses.
Endpoints are everywhere now: mobiles, laptops, toasters, the list goes on and on. Because these endpoints almost always have their own independent web connections, we need to make sure that they are locked down as much as possible to prevent them from being remotely damaged or being used as a staging ground for attacks into our network. Endpoint hardening is essentially turning off and/or blocking as much as possible on the device without affecting required functions.
Learn Network Security Fundamentals
There are a number of things we can do right off the bat that are part of standard practices, but in the context of endpoint hardening, they deserve a refresher.
Hardening the software
We can start off with Strong Password Requirements and/or Two-Factor Authentication (2FA). While the specifics for strong passwords can vary from organization to organization, the simplest implementation is using a passphrase instead of strictly a password — more along the lines of a favorite song lyric, a movie quote, a passage from your favorite book and so on. Then combine this with upper and lowercase characters, numbers and symbols.
Once you have this passphrase, it will need to be regularly changed so that if it does become compromised, it is only valid for so long. 2FA significantly improves even a basic password because it also requires that the user have something on them in addition to something that they know. For mobile devices, having a strong PIN is just as important, as it is still one of the best defenses against someone just grabbing it and immediately having access.
What we can also do when it comes to passwords is disable the built-in local Administrator account, and change the username to something else. This will prevent a significant number of utilities that attempt to gain access to this user account simply by brute force.
In addition to locking down the local Admin account, please make sure that the user that has been assigned the device does not run regularly as a local admin themselves. It defeats the purpose if the user can just run everything without restrictions on their own account anyway.
Regularly update all available programs. This means more than just Microsoft Windows and Office, as vulnerabilities in programs like Adobe Acrobat Reader that just sit in the background can be just as critical as issues in Windows itself.
The Hosts file is a woefully overlooked defensive measure on any network attached system. Acting as a first check in most DNS lookups, if a known bad address is placed into this file with an IP address of 127.0.0.1 (home), it can quickly prevent a number of attack vectors by just stopping the programs from being able to phone home. Some antivirus/anti-malware programs specifically lock the hosts file to prevent tampering with this file, so if you are going to use another piece of software or a reputable blocklist to populate the file, you may need to temporarily disable this before reactivating the protections.
This brings us to two pillars of computer security — antivirus/anti-malware and firewalls. Most AV applications designed for large organizations can update multiple times per day, which is tremendously useful if there is a large threat in the wild. Firewalls also can help filter traffic on unusual ports as part of their standard policies and all incoming traffic unless it is explicitly allowed. In addition to this, however, they can also block all outgoing traffic by default if you so choose and then only allow what is specifically permitted.
Hardening the hardware
There are a considerable number of utilities that allow users to attempt to bypass restrictions via a bootable USB stick. This can be prevented via the use of Windows Security Settings and BIOS/UEFI settings by simply disabling the use of USB ports. An important thing to remember for BIOS is that users can still attempt to try to remove this setting, so be sure to password-protect BIOS/UEFI to continue to have these restrictions remain.
We mentioned encrypted traffic before, but full disk encryption is critical now as a defense against offline attacks on endpoints. Without encryption, it is possible to remove a hard disk from a laptop, plug it in to another system and then just read the contents of the drive with a similar concept available for mobile devices. While you may not necessarily get the same experience as the regular user, it's still possible to access the raw data. When the disk is encrypted however, access to the data is severely limited.
Finally, when we have all of these changes in place, we need a method to be able to audit our endpoints to make sure that the settings remain as we expect them to be. Depending on the device, the owner and how critical security is to our organization, we could have regular device check-ins scheduled from every few days down to every 30 minutes at a time if our solution supports it.
In case of failed check-ins or a compromise in the lockdown settings, organizations will have to figure out how they want to handle a possible dilemma: do they want reporting only so that they can investigate further as to how someone broke the standards? Do they need it to be immediately fixed in order to make sure there are no further threats? Do they want to trigger an automatic wipe of the device? Or perhaps a combination — an immediate report, an attempted fix and a remediation check after the fact?
Learn Network Security Fundamentals
Endpoint hardening is extremely important in an age where more and more users are working remotely and potentially have access to company data from any location around the clock. By helping to make sure that the devices they are accessing that data on are more secure, we can better protect our users, our organizations and ourselves from data theft.
Sources
- Systems Hardening, BeyondTrust
- Endpoint Hardening - Why It is Essential for Cyber Security, Automox
- Simplifying Endpoint Hardening, Defense & Response, Dark Reading
- 2020 Endpoint Hardening Checklist - Top 8, Automox
- How to choose a secure password, Norton
- Acrobat Reader: Security Vulnerabilities, CVE Details
- Block all outbound traffic in Windows Firewall, ghacks.net
- Managing secure locations for a device, IBM
Network Security Fundamentals
Learn the fundamentals of networking and how to secure your networks with seven hands-on courses. What you'll learn:- Models and protocols
- Networking best practices
- Wireless and mobile security
- Network security tools
- And more
In this Series
- Endpoint hardening (best practices)
- What is zero trust architecture (ZTA)? Pillars of zero trust and trends for 2024
- A deep dive into network security protocols: Safeguarding digital infrastructure 2024
- Asset mapping and detection: How to implement the nuts and bolts
- The Pentagon goes all-in on Zero Trust
- How to configure a network firewall: Walkthrough
- 4 network utilities every security pro should know: Video walkthrough
- How to use Nmap and other network scanners
- Security engineers: The top 13 cybersecurity tools you should know
- Converting a PCAP into Zeek logs and investigating the data
- Using Zeek for network analysis and detections
- Suricata: What is it and how can we use it
- Intrusion detection software best practices
- What is intrusion detection?
- How to use Wireshark for protocol analysis: Video walkthrough
- 9 best practices for network security
- Securing voice communications
- Introduction to SIEM (security information and event management)
- VPNs and remote access technologies
- Cellular Networks and Mobile Security
- Secure network protocols
- Network security (101)
- IDS/IPS overview
- Exploiting built-in network protocols for DDoS attacks
- Firewall types and architecture
- Wireless attacks and mitigation
- Wireless network overview
- Open source IDS: Snort or Suricata? [updated 2021]
- PCAP analysis basics with Wireshark [updated 2021]
- What is a firewall: An overview
- NSA report: Indicators of compromise on personal networks
- Securing the home office: Printer security risks (and mitigations)
- Email security
- Data integrity and backups
- Cost of non-compliance: 8 largest data breach fines and penalties
- How to find weak passwords in your organization’s Active Directory
- Monitoring business communication tools like Slack for data infiltration risks
- Firewalls and IDS/IPS
- IPv4 and IPv6 overview
- The OSI model and TCP/IP model
- Wireless Networks and Security
- Networking fundamentals (for network security professionals)
- How your home network can be hacked and how to prevent it
- Network design: Firewall, IDS/IPS
- Work-from-home network traffic spikes: Are your employees vulnerable?
- RTS threshold configuration for improved wireless network performance [updated 2020]
- Web server protection: Web server security monitoring
- Web server security: Active defense
- Web server security: Infrastructure components
- Web server protection: Web application firewalls for web server protection
- Web server security: Command line-fu for web server protection
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
