In this emerging age of cloud computing, it's easy to remain focused on the server side of the security equation. However, with crafty cyber criminals running rampant and the continued rise of APTs (advanced peristent threats), securing end-user systems remains critical. Hackers and other troublemakers have a variety of ways by which to turn a PC a perfect access point for wreaking havoc, be it via an outsider exploiting an unpatched vulnerability or an insider taking advantage of unncecessarily elevated privileges to swipe valuable information.
For an IT admin, it can be easy to overlook a critical step in making PCs, workstations, and laptops safe. Using this checklist as a guide should prove helpful in tackling the task.
- Are strong password policies used (at least 10 character minimums, maximum of 90-day changes, forced complexity, and so on)?
- Is a password-protected screensaver enabled with a reasonable inactivity timeout set?
- Are weak password hashes and weak authentication protocols, such as LAN Manager and NTLM Version 1.0, disabled?
- Are secure file and folder permissions used?
- Does the end-user log on with a least-privilege account when not performing admin-level tasks?
- Are group memberships set to least privilege?
- Is unnecessary software removed?
- Is unnecessary autorun software prevented from autostarting?
- Are unneeded services/daemons stopped or removed?
- Are insecure programs (for example, TFTP) removed?
- Is the browser securely configured?
- Is all software -- including the OS and all applications -- fully patched?
- Is up-to-date antimalware (antivirus, host-based firewall, antispam, and more) installed?
- If firewall is used, are rules appropriately set (that is, deny by default, allow by exception)?
- If wireless is used, are strong wireless protocols such as WPA2, EAP-TLS, and so on enforced?
- If using cloud-based email, is it connected using HTTPS?