Endpoint hardening (best practices)
Endpoint hardening: If you were to tell the average person that you were going to be performing this task for your organization, they’d probably ask if you were a blacksmith. However, in this case, we’re going to talk about creating defenses for our systems instead of offenses.
Endpoints are everywhere now: mobiles, laptops, toasters, the list goes on and on. Because these endpoints almost always have their own independent web connections, we need to make sure that they are locked down as much as possible to prevent them from being remotely damaged or being used as a staging ground for attacks into our network. Endpoint hardening is essentially turning off and/or blocking as much as possible on the device without affecting required functions.
There are a number of things we can do right off the bat that are part of standard practices, but in the context of endpoint hardening, they deserve a refresher.
Hardening the software
We can start off with Strong Password Requirements and/or Two-Factor Authentication (2FA). While the specifics for strong passwords can vary from organization to organization, the simplest implementation is using a passphrase instead of strictly a password — more along the lines of a favorite song lyric, a movie quote, a passage from your favorite book and so on. Then combine this with upper and lowercase characters, numbers and symbols.
Once you have this passphrase, it will need to be regularly changed so that if it does become compromised, it is only valid for so long. 2FA significantly improves even a basic password because it also requires that the user have something on them in addition to something that they know. For mobile devices, having a strong PIN is just as important, as it is still one of the best defenses against someone just grabbing it and immediately having access.
What we can also do when it comes to passwords is disable the built-in local Administrator account, and change the username to something else. This will prevent a significant number of utilities that attempt to gain access to this user account simply by brute force.
In addition to locking down the local Admin account, please make sure that the user that has been assigned the device does not run regularly as a local admin themselves. It defeats the purpose if the user can just run everything without restrictions on their own account anyway.
Regularly update all available programs. This means more than just Microsoft Windows and Office, as vulnerabilities in programs like Adobe Acrobat Reader that just sit in the background can be just as critical as issues in Windows itself.
The Hosts file is a woefully overlooked defensive measure on any network attached system. Acting as a first check in most DNS lookups, if a known bad address is placed into this file with an IP address of 127.0.0.1 (home), it can quickly prevent a number of attack vectors by just stopping the programs from being able to phone home. Some antivirus/anti-malware programs specifically lock the hosts file to prevent tampering with this file, so if you are going to use another piece of software or a reputable blocklist to populate the file, you may need to temporarily disable this before reactivating the protections.
This brings us to two pillars of computer security — antivirus/anti-malware and firewalls. Most AV applications designed for large organizations can update multiple times per day, which is tremendously useful if there is a large threat in the wild. Firewalls also can help filter traffic on unusual ports as part of their standard policies and all incoming traffic unless it is explicitly allowed. In addition to this, however, they can also block all outgoing traffic by default if you so choose and then only allow what is specifically permitted.
Hardening the hardware
There are a considerable number of utilities that allow users to attempt to bypass restrictions via a bootable USB stick. This can be prevented via the use of Windows Security Settings and BIOS/UEFI settings by simply disabling the use of USB ports. An important thing to remember for BIOS is that users can still attempt to try to remove this setting, so be sure to password-protect BIOS/UEFI to continue to have these restrictions remain.
We mentioned encrypted traffic before, but full disk encryption is critical now as a defense against offline attacks on endpoints. Without encryption, it is possible to remove a hard disk from a laptop, plug it in to another system and then just read the contents of the drive with a similar concept available for mobile devices. While you may not necessarily get the same experience as the regular user, it’s still possible to access the raw data. When the disk is encrypted however, access to the data is severely limited.
Finally, when we have all of these changes in place, we need a method to be able to audit our endpoints to make sure that the settings remain as we expect them to be. Depending on the device, the owner and how critical security is to our organization, we could have regular device check-ins scheduled from every few days down to every 30 minutes at a time if our solution supports it.
In case of failed check-ins or a compromise in the lockdown settings, organizations will have to figure out how they want to handle a possible dilemma: do they want reporting only so that they can investigate further as to how someone broke the standards? Do they need it to be immediately fixed in order to make sure there are no further threats? Do they want to trigger an automatic wipe of the device? Or perhaps a combination — an immediate report, an attempted fix and a remediation check after the fact?
Endpoint hardening is extremely important in an age where more and more users are working remotely and potentially have access to company data from any location around the clock. By helping to make sure that the devices they are accessing that data on are more secure, we can better protect our users, our organizations and ourselves from data theft.
- Systems Hardening, BeyondTrust
- Endpoint Hardening – Why It is Essential for Cyber Security, Automox
- Simplifying Endpoint Hardening, Defense & Response, Dark Reading
- 2020 Endpoint Hardening Checklist – Top 8, Automox
- How to choose a secure password, Norton
- Acrobat Reader: Security Vulnerabilities, CVE Details
- Block all outbound traffic in Windows Firewall, ghacks.net
- Managing secure locations for a device, IBM