Module 8: Endpoint Hardening
This directory defines the technical security baselines for standard client workstations (Tier 2 endpoints) operating in isolated, air-gapped domains.
To prevent initial access and lateral movement, the following discrete technical hardening controls must be implemented:
Technical Hardening Controls
Harden Network and Name Resolution: Disables Link-Local Multicast Name Resolution (LLMNR), NetBIOS over TCP/IP, and mDNS, and secures TCP/IP parameters to prevent local credential harvesting and protocol exploits.
Configure User Account Control (UAC) Policies: Enforces maximum UAC security behavior, requiring credential entry on the secure desktop for administrators and automatically denying elevation prompts for standard users.
Disable AutoPlay and AutoRun: Turns off AutoPlay and AutoRun features across all drive types to prevent automatic execution of files and payloads from external media.
Block Removable Storage: Blocks read and write access to USB drives and other removable media classes to mitigate data leakage and malware propagation.
Restrict Remote Desktop (RDP) Access: Blocks incoming RDP connections to standard workstations by default, or restricts allowed connection sources to authorized administrative subnets with Network Level Authentication (NLA) enabled.
Restrict Local Administrators Group: Locks down local workstation administrative privileges, removing standard domain users and enforcing administrative segregation using LAPS.
Windows Defender Antivirus Baseline and Exploit Guard: Configures Windows Defender Antivirus, enabling real-time scanning and behavioral monitoring, preventing local exclusion modifications, enforcing Attack Surface Reduction (ASR) rules, activating Tamper Protection, and enabling AppContainer sandbox isolation.
WSUS Client Configuration: Enforces update client registry baselines to ensure workstations pull OS patches and security signatures exclusively from the local, offline WSUS server.
Enable Secure Boot: Mandates hardware-rooted platform integrity checks, preventing bootkits, rootkits, and unauthorized bootloader modifications.
Enable VBS and Credential Guard: Activates Virtualization-Based Security (VBS) and Credential Guard to protect password hashes and Kerberos tickets in an isolated virtual container, mitigating LSASS dumping.
Configure Windows Defender Application Control: Deploys application control baselines to enforce code integrity policies, restricting the system to run only signed, authorized binaries and scripts.
Enable BitLocker and Network Unlock: Enforces full disk encryption with TPM and enables secure Network Unlock capabilities for standard client workstations.
UEFI Firmware Security Hardening: Enforces password protection, disables Compatibility Support Module (CSM)/Legacy Boot, locks boot order, and configures secure firmware update policies.
Hardware Virtualization and DMA Protection: Enables CPU virtualization (VT-x/AMD-V) and IOMMU (VT-d/AMD-Vi) to provide the hardware-rooted platform integrity required for VBS and Kernel DMA Protection.
Disable Windows Platform Binary Table (WPBT): Disables execution of binaries supplied by the Windows Platform Binary Table (WPBT) ACPI firmware table to mitigate boot-level security bypasses.
Configure User Rights Assignments: Restricts critical user rights assignments (URAs) such as debugging programs, token impersonation, and local logon permissions on standard client endpoints.
Harden DMA and Physical Security: Mitigates physical access threat vectors by disabling standby sleep states (S1-S3), disabling external DMA device enumeration while the system is locked, blocking legacy SBP-2 device classes, and denying write access to removable drives without BitLocker protection.
Configure Account Policies: Enforces local and domain-wide account settings, including account lockout thresholds, lockout observation windows, smart card removal actions, and disabling reversible password encryption.
Configure User Profile Restrictions: Locks down user profile registry settings (HKCU) to disable toast notifications on the lock screen and block third-party application suggestions.