I love it when a tech speaker lays out an overwhelming topic so clearly that it starts to feel approachable. That’s how I felt during a recent ITPro Today webinar with Orin Thomas on security configuration management for Windows endpoints in the enterprise.

I’ve gone through Orin’s webinar and pulled out many of the items into a checklist that you can use as a starting point. It’s obviously not a complete checklist. That’s why I’m calling it a “starter kit.”

You can use it to see how your company stacks up on these essential items. Then you can take steps to address any shortcomings and toward building a comprehensive checklist to help make your organization more secure.

Organization-Wide Checklist

These items apply to all Windows 10 endpoints across the entire organization.

□ Managing All Systems

You can check this box if every endpoint is managed. This is often done with software such as Microsoft System Center Configuration Manager (ConfigMgr) and Intune. However, many effective solutions are available.

□ Monitoring and Correcting Configuration Drift Regularly

You can check this box if every endpoint in your organization is monitored (ideally, at least daily) for compliance with company endpoint configuration policy. Deviations must be tracked and corrected quickly.

Per-Windows 10 System Security Checklist

These items apply to every endpoint individually; think of it as the “per-machine” checklist. As you go through it, you may recognize a need for policies you haven’t thought of before.

□ Device Guard Enabled

Check this if the system is running Device Guard. You can also check it if your company policy does not require this system to run Device Guard.

Device Guard uses hardware-based code integrity checking, virtualization and other security techniques to ensure the integrity of the operating system. Unless there are specific reasons to allow exceptions, such as compatibility, every company should require Device Guard on all systems.

□ Credential Guard Enabled

Check this if the system is running Credential Guard. You can also check it if your company policy does not require this system to run Credential Guard.

Credential Guard mitigates credential-theft attacks that attempt to gain access to credentials stored in memory or caches. Unless there are specific reasons to allow exceptions, such as compatibility, every company should require Credential Guard on all systems.
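The two boxes above can be verified from the endpoint itself. As an added example (not from the webinar or this post), the PowerShell below queries the Win32_DeviceGuard class and distinguishes a service that is merely configured from one that is running, which is the difference between configuration drift and a machine that needs a reboot or lacks hardware prerequisites. It assumes Windows 10 with the DeviceGuard WMI namespace present, and that policy requires both services unless an exception is approved.

```powershell
# Added example: runtime evidence for the Device Guard and Credential Guard boxes.
function Get-VbsStatus {
    # Win32_DeviceGuard lives in its own namespace and reports configured vs. running services.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
        VbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # Service codes in both lists: 1 = Credential Guard, 2 = HVCI (Device Guard code integrity)
        Configured   = @($dg.SecurityServicesConfigured)
        Running      = @($dg.SecurityServicesRunning)
    }
}

# Assumed company policy: both services must be running on every endpoint.
$services = @(
    @{ Name = 'Credential Guard';                   Code = 1 }
    @{ Name = 'HVCI (Device Guard code integrity)'; Code = 2 }
)

$status = Get-VbsStatus
$gaps = @()
if (-not $status.VbsRunning) { $gaps += 'Virtualization-based security is not running' }

foreach ($svc in $services) {
    $isConfigured = $status.Configured -contains $svc.Code
    $isRunning    = $status.Running    -contains $svc.Code
    if ($isRunning) { continue }
    if ($isConfigured) {
        # Configured but not running usually means a pending reboot or missing hardware support.
        $gaps += "$($svc.Name) is configured but not running (reboot or hardware prerequisites?)"
    } else {
        # Not configured at all is configuration drift from policy.
        $gaps += "$($svc.Name) is not configured (configuration drift)"
    }
}

if ($gaps.Count -eq 0) {
    Write-Output "$($status.ComputerName): Device Guard and Credential Guard boxes can be checked."
} else {
    $gaps | ForEach-Object { Write-Warning $_ }
}
```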

□ Application Guard Enabled

Check this if the system is running Application Guard. You can also check it if your company policy does not require this system to run Application Guard.

If you use Microsoft Edge (or Internet Explorer), Application Guard lets IT define trusted and untrusted resources. When a user browses to an untrusted resource, the session is virtualized in an isolated Hyper-V container to protect the host. This works for websites, cloud resources and internal networks. However, most companies allow non-Microsoft browsers, which Application Guard does not protect.

□ Application Control Enabled

Check this if the system is running Application Control. You can also check it if your company policy does not require this system to run Application Control.

Application Control restricts what applications, code, scripts and MSIs can run. It also restricts PowerShell (Constrained Language Mode).

□ Exploit Guard Enabled

Check this if the system’s Exploit Guard settings are in line with company policy.

Exploit Guard is a collection of features that prevent exploits around browsing, applications, attack surface reduction, network protection and folder access. Most apply system-wide, but some can be customized for individual applications. Your company should have a policy defined for each of these settings, both for the system and for each application.

□ Attack Surface Reduction Applied

Check this if your company has a policy for Attack Surface Reduction and the endpoint complies with it. Below are some suggestions provided by Orin; the full list, however, is up to you!

Block executable content from email client and webmail

Block Office applications from creating child processes

Block Office applications from creating executable content

Block Office applications from injecting code into other processes

Block JavaScript and VBScript from launching downloaded executable content

Block execution of potentially obfuscated scripts

Block Win32 API calls from Office macros
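As an added example (not from the post or the webinar), the script below audits an endpoint’s Defender ASR configuration against the seven rules listed above, treating Block mode as the policy target and reporting Audit, Warn, Disabled or missing rules as gaps. The GUIDs are the documented Defender ASR rule identifiers; confirm them against Microsoft’s current ASR reference before adopting the script.

```powershell
# Added example: compare configured ASR rules with the rules the checklist suggests.
# Rule GUIDs from Microsoft's ASR documentation (verify against the current reference).
$RequiredAsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript and VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

# Action codes as Defender reports them: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrCompliance {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    # Build a GUID -> action map; GUIDs are compared case-insensitively.
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToUpper()] = [int]$actions[$i] }

    foreach ($guid in $RequiredAsrRules.Keys) {
        $action = if ($configured.ContainsKey($guid)) { $configured[$guid] } else { $null }
        $name   = if ($null -ne $action) { $ActionNames[$action] } else { 'Not configured' }
        [pscustomobject]@{
            Rule      = $RequiredAsrRules[$guid]
            Guid      = $guid
            Action    = $name
            Compliant = ($action -eq 1)   # assumed policy: Block mode required
        }
    }
}

$report  = Get-AsrCompliance
$report | Format-Table Rule, Action, Compliant -AutoSize
$missing = @($report | Where-Object { -not $_.Compliant })
if ($missing.Count -eq 0) { Write-Output 'ASR box can be checked.' }
else { Write-Warning "$($missing.Count) of $($RequiredAsrRules.Count) required ASR rules are not in Block mode." }
```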

□ Pre-boot Environment Locked Down

Check this box if you have ensured that:

No one can modify BIOS/UEFI settings without a password.

The device will not boot via PXE or from USB without authorization.

□ Storage Protected from Offline Attack

Check this box if all hard disks, SSDs and other forms of storage are encrypted. This prevents scenarios where someone removes the storage and accesses it elsewhere. Microsoft provides BitLocker; many third-party options are available as well.

□ Unneeded Services Disabled

Check this box if all unneeded services are disabled per company policy. Windows ships with services that most companies do not need and do not want running. This check covers both the services present out of the box (OOBE) and rogue services.

□ Local Accounts Locked Down

Check this box if a system’s local accounts are in line with your company’s policy on which local accounts and groups should exist and which privileges each should have. Solutions like Microsoft’s Local Administrator Password Solution (LAPS) can help.

□ Windows Firewall Secured

Check this box if the local firewall blocks outbound traffic by default and allows only whitelisted exceptions.
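As an added example (not from the post or the webinar) covering the storage and firewall boxes above, this PowerShell reports BitLocker protection per volume, the default outbound action per firewall profile, and the number of outbound allow rules, since that whitelist is what configuration-drift monitoring should track. It assumes an elevated session with the BitLocker and NetSecurity modules available.

```powershell
# Added example: evidence for "Storage Protected from Offline Attack" and "Windows Firewall Secured".
function Get-VolumeEncryptionStatus {
    # Get-BitLockerVolume returns one object per volume; ProtectionStatus 'On' means keys are active.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            VolumeType = $_.VolumeType
            Method     = $_.EncryptionMethod
            Compliant  = ($_.ProtectionStatus -eq 'On' -and $_.VolumeStatus -eq 'FullyEncrypted')
        }
    }
}

function Get-FirewallPosture {
    # Checklist policy: every profile enabled and default outbound action Block,
    # so that allowed traffic comes only from explicit (whitelisted) rules.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = ($_.Enabled -eq 'True')
            DefaultOutbound = [string]$_.DefaultOutboundAction
            Compliant       = ($_.Enabled -eq 'True' -and $_.DefaultOutboundAction -eq 'Block')
        }
    }
}

$volumes  = Get-VolumeEncryptionStatus
$profiles = Get-FirewallPosture
$volumes  | Format-Table -AutoSize
$profiles | Format-Table -AutoSize

# The enabled outbound allow rules are the whitelist; diff this set over time to catch drift.
$allowRules = @(Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True)
Write-Output "Outbound allow (whitelist) rules to review: $($allowRules.Count)"

if (@($volumes | Where-Object { -not $_.Compliant }).Count -eq 0) { Write-Output 'Storage box can be checked.' }
else { Write-Warning 'One or more volumes are not fully encrypted with protection on.' }
if (@($profiles | Where-Object { -not $_.Compliant }).Count -eq 0) { Write-Output 'Firewall box can be checked.' }
else { Write-Warning 'One or more firewall profiles are disabled or allow outbound traffic by default.' }
```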

□ Applications Hardened

Check this box if all applications are hardened per company policy. Few applications are hardened in their default configuration. For example, for Microsoft Office you should allow only trusted macros to run and block browser extensions. Hardening is typically a combination of common sense and vendor guidelines.

□ Windows Fully Updated

Check this box if all of the latest security patches for Windows have been applied.

□ Applications Fully Updated

Check this box if all applications are updated to the current security patching level.

□ Firmware Fully Updated

Check this box if firmware on all systems is up to date.

□ Secure Authentication Used

Check this box if authentication best practices are set up per company policy.

Like so much in security, it’s a deep topic. Orin suggests the following as things to consider:

Picture password sign-on disabled

PIN sign-on disabled

Password policies set to something like:

10 characters minimum

90 days maximum age

Credential caching group policies set so that:

Only one previous logon is stored in the cache for use when a DC isn’t available

Passwords for network authentication are not stored

Biometric or two-factor authentication used

Authentication allowed only during authorized hours

Device recently inspected for keyloggers

IPsec implemented on local networks
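As an added example (not from the post or the webinar), the script below reads the effective local password policy and the two credential-caching settings from the list above and compares them against the example values given there (10 characters, 90 days, one cached logon). It assumes an elevated PowerShell session on a Windows 10 workstation; the registry value names are the standard ones behind the corresponding security policy settings.

```powershell
# Added example: compare password and credential-caching settings with the example policy above.
function Get-LocalPasswordPolicy {
    # 'net accounts' prints the effective local policy as "Label:   value" lines (add /domain for the DC's).
    $text   = (net accounts) -join "`n"
    $minLen = if ($text -match 'Minimum password length:\s+(\d+)') { [int]$Matches[1] } else { $null }
    $maxAge = if ($text -match 'Maximum password age \(days\):\s+(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{ MinimumLength = $minLen; MaximumAgeDays = $maxAge }   # MaximumAgeDays may be 'Unlimited'
}

function Get-CredentialCachingPolicy {
    # "Interactive logon: Number of previous logons to cache" (REG_SZ; Windows default is 10 when absent).
    $cached = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    # "Network access: Do not allow storage of passwords and credentials for network authentication" (1 = on).
    $noStore = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    [pscustomobject]@{
        CachedLogons          = if ($null -ne $cached) { [int]$cached } else { 10 }
        NetworkCredsNotStored = ($noStore -eq 1)
    }
}

$pw = Get-LocalPasswordPolicy
$cc = Get-CredentialCachingPolicy
$findings = @()
if ($null -eq $pw.MinimumLength -or $pw.MinimumLength -lt 10) {
    $findings += "Minimum password length is $($pw.MinimumLength); example policy is 10"
}
if ($pw.MaximumAgeDays -eq 'Unlimited' -or $null -eq $pw.MaximumAgeDays -or [int]$pw.MaximumAgeDays -gt 90) {
    $findings += "Maximum password age is $($pw.MaximumAgeDays); example policy is 90 days"
}
if ($cc.CachedLogons -gt 1) { $findings += "CachedLogonsCount is $($cc.CachedLogons); example policy is 1" }
if (-not $cc.NetworkCredsNotStored) { $findings += 'Storage of network authentication credentials is still allowed' }

if ($findings.Count -eq 0) { Write-Output 'Password and credential-caching settings match the example policy.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```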

□ Browsers Hardened

Check this item if your browsers are hardened. The specific hardening will depend on your browsers and environment. As an example, here are some things you might harden in Microsoft Edge.

Configure Edge …

Disable Flash

Disable Developer Tools

Enable Do Not Track

Enable Pop Up Blocker

Enable Windows Defender SmartScreen

Prevent users and apps from accessing dangerous websites

How Many Items Did You Check?

In all likelihood, you were not able to check most of these items. If you were, please tweet me (@itsystemsman) about it!

This blog post merely scratches the surface of what your organization needs to put in a complete endpoint security checklist. However, it’s an important list of basics that should be covered if they aren’t already.

If you’d like to get a lot more detailed information from Orin on endpoint security, you can view the full webinar on demand: SecOps Strategies for the Windows Endpoint.