GDL-3000.07F: Secure Endpoints: Deployment and Configuration Guidelines

Guideline Summary

Intended Audience: University personnel responsible for deploying and maintaining endpoints 

Guideline Owner: Director of Information Security 

Introduction and Scope

University Endpoints should be deployed and configured in a secure manner. Using best practices is critical to ensuring workstations, servers, networking equipment, and Internet of Things (IoT) devices are resilient to attack from adversaries and from unintentional user mistakes.

This guideline applies to systems used to conduct University business, or that are connected to the University network. It does not apply to academic, research, and test systems in an isolated environment. 

Physical and Environmental Security 

Hardware should be physically secured in such a manner to prevent theft or tampering. Workstations, laptops, network equipment, and IoT devices should be secured with a cable or other device or placed in a locked and secured area. On-premises servers handling confidential data or that are part of an enterprise/mission critical system should be housed in the University Data Center. 

System Network Placement 

Security considerations should be used to determine a device’s location on the University network. During system builds, systems should be placed on networks that are segmented from the University’s production networks. Internet-available systems should be segmented from internal networks. Systems with confidential data should be placed on internally segmented networks with appropriate access control lists applied. 

Secure Configurations 

Windows, Mac, or Linux systems should be Active Directory domain joined, placed in the correct organizational unit (OU) and device groups, and have an asset description identifying the asset’s function (e.g., workstation for department X, lab machine for department X, or server providing X service). 

Devices should require authentication processes and mechanisms commensurate with the level of risk associated with the network segment, device, and data. See Information Technology Services (ITS) guideline GDL-3000.07B: Authentication and Access Security Controls.

Endpoint software, operating systems, and firmware should be configured with security baselines provided by a vendor or regulatory body. The baselines should include at a minimum: 

  1. Disabling unnecessary functionalities such as scripts, drivers, features, subsystems, file systems, and services.
  2. Changing default or initial passwords.
  3. Configuring secure operating system and application settings.
  4. Deploying and enabling only necessary services and software.

Security Baseline configurations should be documented, and controls should be put in place to ensure settings are not inadvertently or maliciously changed. 

System technicians and users should take reasonable precautions to keep malware and other unauthorized software off of University workstations and servers. See ITS guideline GDL-3000.07G: Endpoint Malware and Threat Protection Guidelines. 

Controls should be in place to prevent unauthorized computer connections and information flows. This includes using firewalls, encrypted remote access protocols [e.g., Secure Shell (SSH) or Remote Desktop Protocol (RDP)], and private Internet Protocol (IP) address space. 

Remote access to University devices should have the following security controls: 

  1. Access permissions should be configured at the least privilege necessary for a user to do their job.
  2. Non-console administrative access should be encrypted using current industry standard protocols and verified using an authenticated system vulnerability scan. See ITS guideline GDL-3000.07E: System Vulnerability Management Guidelines.
  3. Idle sessions should prompt for re-authentication after 30 minutes.
  4. Remote access sessions should require multi-factor authentication (MFA). 

Software Installation 

Technicians should control software installation by maintaining a list of authorized software and instructing users to recognize the presence of unauthorized software. Custodians should also periodically check for unauthorized software, remove it, and initiate enforcement or education as appropriate. Where feasible, system administrative or other access that would facilitate the installation of software on computers should be limited. 

End users should inform technicians when they need to install a new piece of software or upgrade an unmanaged existing piece of software. Also, they should only download and install software when all of the following conditions are met: 

  1. The user has notified the system administrator or help desk of the installation.
  2. The software has not been identified as malware (e.g., virus, worm, trojan, spyware, adware, or pest) by reputable anti-malware vendors or researchers.
  3. The software is a supported and patched version.
  4. The software does not compromise system security or privacy.
  5. The software does not facilitate the use of computers for inappropriate purposes (e.g., participation in distributed denial-of-service attacks, or use of University-owned computers for non-University business).
  6. Peer-to-peer (P2P) file-sharing applications may not be installed on University-owned computers unless pre-approved for a legitimate business or academic use.

System Maintenance 

Technicians should ensure all systems have a maintenance and patching window and personnel assigned to review, fix, or mitigate any vulnerabilities. For web applications, technicians should ensure there is a yearly dynamic (pen-testing) security scan. 

If software and/or hardware has an end-of-life date, technicians should create and execute a plan for replacement no later than six months prior to the end-of-life date. 

Business owners should ensure that resources to support the system, both financial and human, exist. 

Automated Configuration Management 

Systems should be managed by a configuration management system (e.g., Microsoft Configuration Manager, Microsoft Intune, Jamf, or Puppet) to ensure compliant deployment, configuration, and maintenance.

Change Management 

For any system or application change that carries substantial risk or that has enterprise or broad impact, technicians and managers should follow ITS procedure PRO-3000.07H: Change and Release Management Procedure.

Training 

System administrators should undertake ongoing training in their areas of responsibility.

FULL DOCUMENT

Intended Audience: University personnel responsible for deploying and maintaining Endpoints

Guideline Owner: Director of Information Security

1. Definitions

Endpoint

Any server, workstation, or mobile device managed by the University or connected to the University’s network.

Security Baseline

A minimum set of Security Controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection (NIST Computer Security Resource Center).

Security Control

The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information (NIST SP 800-171 Rev. 2).

System Custodian

An individual responsible for the technical management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They implement the best practices defined by the System Steward and perform operational duties.

System Steward

An individual responsible for management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They may create and enforce management and access policies. They are often referred to as Business Owners.

2. Introduction

University Endpoints should be deployed and configured in a secure manner. Using best practices is critical to ensuring workstations, servers, networking equipment, and Internet of Things (IoT) devices are resilient to attack from adversaries and from unintentional user mistakes.

3. Scope

This guideline applies to systems used to conduct University business or that are connected to the University network. It does not apply to academic, research, and test systems in an isolated environment.

4. Physical and Environmental Security

OCIO 141.10: 3

Hardware should be physically secured in such a manner to prevent theft or tampering.

  1. Workstations, laptops, network equipment, and IoT devices should be secured with a cable or other device, or placed in a locked and secured area.
  2. On-premises servers handling Category 3 or 4 data or that are part of an enterprise system and/or mission critical system should be housed in an ITS-managed data center.

5. System Network Placement

OCIO 141.10: 5.1.1(1)

Security considerations should be used to determine a device’s location on the University network.

  1. During system builds, systems should be placed on networks that are segmented from the University’s production networks.
  2. Internet-available systems should be segmented from internal networks.
  3. Systems with confidential data should be placed on internally segmented networks with appropriate access control lists applied.

6. Secure Configurations

OCIO 141.10: 5.1.1(7)

6.1 Domain Join

Servers and workstations should be Active Directory domain joined, placed in the correct organizational unit (OU) and device groups, and have an asset description identifying the asset’s function (e.g., workstation for department X, lab machine for department X, or server providing X service). This requirement is for systems with Windows, Mac, or Linux operating systems.

6.2 Authentication and Access Requirements

OCIO 141.10: 5.1.3(1)

Devices should require authentication processes and mechanisms commensurate with the level of risk associated with the network segment, device, and data. See Information Technology Services (ITS) guideline GDL-3000.07B: Authentication and Access Security Controls.

6.3 Security Baselines

OCIO 141.10: 5.1.1(2)

Endpoint software, operating systems, and firmware should be configured with Security Baselines.

  1. Device Security Baselines should be based on either a vendor-provided configuration (e.g., Microsoft or Red Hat Linux), a baseline provided by the Center for Internet Security (CIS), or a Department of Defense (DOD) Security Technical Implementation Guide (STIG). Other baselines are permitted when approved by the Information Security Office.
  2. Baselines should include:
    1. Disabling unnecessary functionalities such as scripts, drivers, features, subsystems, file systems, and services.
    2. Changing default or initial passwords.
    3. Deploying and enabling only necessary services and software.
    4. Configuring secure operating system and application settings.
    5. Configuring a password-protected screen lock for 15 minutes.
  3. Security Baseline configurations should be documented. Documentation may include the settings stored in configuration management systems.
  4. Controls should be put in place to ensure Security Baseline settings are not inadvertently or maliciously changed.
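Items 3 and 4 above ask for the baseline to be documented and for controls that catch unintended or malicious changes. The following is an added example, not code from the guideline or from any configuration management product: it records a constructed set of workstation settings as a documented baseline with a SHA-256 digest (so the record itself can be checked for tampering) and then reports drift between that record and a later snapshot. The setting names are illustrative, not any vendor's real identifiers; the 15-minute screen lock from item 2.5 is treated as an upper bound, so a shorter lock still passes.

```python
"""Security Baseline documentation and drift detection (added example).

Assumptions (not from the guideline): settings are a flat key/value
mapping of the kind a configuration management system exports, and the
documented baseline is stored as JSON next to a SHA-256 digest of it.
"""
import hashlib
import json

# Constructed sample: a documented baseline for a workstation. The keys are
# illustrative names, not real vendor setting identifiers.
DOCUMENTED_BASELINE = {
    "screen_lock_enabled": True,
    "screen_lock_timeout_minutes": 15,   # guideline 6.3 item 2.5
    "default_password_changed": True,    # guideline 6.3 item 2.2
    "telnet_service_enabled": False,     # unnecessary service disabled (2.1)
    "host_firewall_enabled": True,       # guideline 6.5 item 1
}


def canonical_json(settings: dict) -> str:
    """Serialise settings deterministically so the digest is reproducible."""
    return json.dumps(settings, sort_keys=True, separators=(",", ":"))


def document_baseline(settings: dict) -> dict:
    """Build the record a custodian stores: the settings plus their digest."""
    digest = hashlib.sha256(canonical_json(settings).encode()).hexdigest()
    return {"settings": settings, "sha256": digest}


def baseline_record_intact(record: dict) -> bool:
    """Detect tampering with the stored record itself (6.3 item 4)."""
    expected = hashlib.sha256(canonical_json(record["settings"]).encode()).hexdigest()
    return record["sha256"] == expected


def detect_drift(record: dict, current: dict) -> list[str]:
    """Compare a live settings snapshot to the documented baseline.

    Returns human-readable findings; an empty list means the snapshot
    matches. Screen-lock timeout is an upper bound: shorter is compliant.
    """
    findings: list[str] = []
    baseline = record["settings"]
    for key, expected in baseline.items():
        if key not in current:
            findings.append(f"{key}: missing from current snapshot")
            continue
        actual = current[key]
        if key == "screen_lock_timeout_minutes":
            if actual > expected:
                findings.append(f"{key}: {actual} exceeds baseline maximum {expected}")
        elif actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    # Settings present on the device but absent from the documented baseline
    # are reported too: they are unmanaged and nobody will notice them change.
    for key in sorted(current.keys() - baseline.keys()):
        findings.append(f"{key}: present but not in documented baseline")
    return findings


if __name__ == "__main__":
    record = document_baseline(DOCUMENTED_BASELINE)
    # Constructed live snapshot with two deviations from the baseline.
    live = dict(DOCUMENTED_BASELINE, screen_lock_timeout_minutes=60,
                telnet_service_enabled=True)
    for line in detect_drift(record, live):
        print("DRIFT:", line)
```

In practice the snapshot would come from the configuration management system's export or a local audit script, and the digest would be kept somewhere the endpoint itself cannot write to; the point of the separate `baseline_record_intact` check is that a drift report is only as trustworthy as the baseline it is compared against.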

6.4 Endpoint Malware and Threat Protection

OCIO 141.10: 5.7(1), 5.7(2)

System technicians and users should take reasonable precautions to keep malware and other unauthorized software off of University workstations and servers. Malware and threat protection should be deployed and enabled as detailed in ITS guideline GDL-3000.07G: Endpoint Malware and Threat Protection Guidelines.

6.5 System Networking Configuration

Controls should be in place to prevent unauthorized computer connections and information flows.

  1. Any device firewall/Internet Protocol (IP) filtering capabilities should be enabled and configured (e.g., Windows Firewall or Linux iptables).
  2. Remote access protocols [e.g., Secure Shell (SSH) or Remote Desktop Protocol (RDP)] on systems should be restricted to permitted IP addresses, ports, and users. Only secure, current encryption protocols and ciphers should be used.
  3. Network interfaces should be configured with private IP address space.

6.6 Removal of Unnecessary Services and Software

OCIO 141.10: 5.1.1(2)

To reduce attack surfaces, System Custodians should use appropriate Security Baselines, deployment methods, and maintenance processes to limit unnecessary software or services from running on systems.

6.7 System Remote Access

OCIO 141.10: 6.4(4), 6.4(6), 6.4(7)

Remote access to University devices should have the following Security Controls:

  1. Access permissions should be configured to the least privilege necessary for a user to do their job.
  2. Any non-console administrative access should be encrypted using industry standard protocols such as SSH, Virtual Private Network (VPN), RDP, or Transport Layer Security (TLS) version 1.2 or later. Acceptable encryption protocols and ciphers should be verified using an authenticated system vulnerability scan. See ITS guideline GDL-3000.07E: System Vulnerability Management Guidelines.
  3. Idle sessions should prompt for re-authentication after 30 minutes.
  4. Remote access sessions should require multi-factor authentication (MFA).
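Section 6.5 (items 2 and 3) and section 6.7 (items 2 to 4) translate into a handful of concrete OpenSSH server directives. The following is an added example, not code from the guideline or from the OpenSSH project: it parses an sshd_config and reports where the configuration falls short of those items. The directive names (ListenAddress, AllowUsers, AllowGroups, Ciphers, ClientAliveInterval, ClientAliveCountMax, AuthenticationMethods) are real OpenSSH directives; the cipher allowlist, the choice of RFC 1918 and IPv6 unique-local ranges as "private IP address space", and the sample configuration are all constructed for this example. One caveat on the 30-minute item: ClientAlive only drops connections whose client has stopped responding, so an interactive session left open by a user who is still connected needs the screen lock from 6.3 or a shell-level timeout as well; the check below is the transport-level bound.

```python
"""OpenSSH remote-access configuration check (added example).

Maps guideline items 6.5(2), 6.5(3), 6.7(2), 6.7(3) and 6.7(4) onto
sshd_config directives. Directive names are real OpenSSH directives; the
allowlist, private ranges and sample config are constructed assumptions.
"""
import ipaddress

# Constructed allowlist of current AEAD/CTR ciphers; align with your baseline.
ALLOWED_CIPHERS = {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                   "aes128-gcm@openssh.com", "aes256-ctr"}
# Assumption: "private IP address space" means RFC 1918 plus IPv6 unique-local.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
MAX_IDLE_SECONDS = 30 * 60  # guideline 6.7 item 3

# Constructed sample sshd_config with deliberate shortcomings.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
ListenAddress 172.32.1.1
ListenAddress 10.20.30.40
Ciphers aes256-gcm@openssh.com,aes128-cbc
ClientAliveInterval 900
ClientAliveCountMax 3
PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Parse 'Directive value' lines into {lowercased directive: [values]}.

    sshd uses the first value it reads for a directive, so callers take
    index 0; ListenAddress is the exception and may legitimately repeat.
    """
    config: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(parts[0].lower(), []).append(value)
    return config


def listen_host(value: str) -> str:
    """Host part of a ListenAddress value: 'addr', 'addr:port' or '[v6]:port'."""
    if value.startswith("["):
        return value[1:value.index("]")]
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host
    return value  # bare IPv4 or bare IPv6 literal


def in_private_space(host: str) -> bool:
    """True if the literal lies in one of PRIVATE_NETWORKS (ValueError if not an IP)."""
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in PRIVATE_NETWORKS)


def check_sshd_config(text: str) -> list[str]:
    """Return findings against the guideline; an empty list means none found."""
    cfg = parse_sshd_config(text)
    findings: list[str] = []
    # 6.5(2): restrict access to permitted users.
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account may attempt SSH login")
    # 6.5(3): listen only on private address space.
    for addr in cfg.get("listenaddress", []):
        try:
            private = in_private_space(listen_host(addr))
        except ValueError:
            findings.append(f"ListenAddress {addr}: not an IP literal, cannot verify")
            continue
        if not private:
            findings.append(f"ListenAddress {addr}: outside private IP address space")
    # 6.5(2)/6.7(2): only current ciphers; an unset list means the
    # version-dependent OpenSSH default, which a baseline should pin.
    if "ciphers" not in cfg:
        findings.append("Ciphers not set: accepted ciphers depend on the OpenSSH default list")
    else:
        for name in cfg["ciphers"][0].split(","):
            if name not in ALLOWED_CIPHERS:
                findings.append(f"cipher {name} is not on the approved list")
    # 6.7(3): interval * count bounds how long an unresponsive connection
    # survives (OpenSSH defaults: 0 = never checked, CountMax 3).
    interval = int(cfg.get("clientaliveinterval", ["0"])[0])
    count = int(cfg.get("clientalivecountmax", ["3"])[0])
    if interval == 0:
        findings.append("ClientAliveInterval 0: unresponsive sessions are never dropped")
    elif interval * count > MAX_IDLE_SECONDS:
        findings.append(f"dead-connection timeout {interval * count}s exceeds {MAX_IDLE_SECONDS}s")
    # 6.7(4): every accepted method chain must need more than one factor.
    methods = cfg.get("authenticationmethods")
    if not methods:
        findings.append("AuthenticationMethods not set: sshd accepts a single factor")
    else:
        for chain in methods[0].split():
            if len(chain.split(",")) < 2:
                findings.append(f"AuthenticationMethods chain '{chain}' is single-factor")
    return findings


if __name__ == "__main__":
    for finding in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
```

The sample deliberately listens on 172.32.1.1, which sits just outside 172.16.0.0/12 and is a common mistake when people assume all of 172.x is private. Run against a real file, the output is a starting point for the authenticated vulnerability scan that item 6.7(2) asks for, not a replacement for it: the scan observes what the daemon actually negotiates, while this script only reads what the file says.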

7. Software Installation

7.1 System Custodians

OCIO 141.10: 7.1(2)

System Custodians should control software installation by:

  1. Maintaining a list of authorized software.
  2. Instructing users in how to recognize the presence of unauthorized software and how to avoid installing it.
  3. Periodically checking for unauthorized software, removing it, and initiating enforcement or education as appropriate.
  4. Limiting system administrative or other access where possible that would facilitate the installation of software on computers.

7.2 End Users

End users should:

  1. Inform System Custodians when they need to install a new piece of software or upgrade an unmanaged existing piece of software. Administrative access is not needed to install all software (e.g., “plugins” or “controls”).
  2. Only download, open, execute, or install software (including “shareware,” public domain programs, software updates, or other executable files) when all of the following conditions are met:
    1. The user has notified the system administrator or help desk of the installation.
    2. The software has not been identified as malware (e.g., virus, worm, trojan, spyware, adware, or pest) by reputable anti-malware vendors or researchers.
    3. The software is a supported and patched version.
    4. The software does not compromise system security or privacy.
    5. The software does not facilitate the use of computers for inappropriate purposes (e.g., participation in distributed denial-of-service attacks or use of University-owned computers for non-University business).
    6. Peer-to-peer (P2P) file-sharing applications may not be installed on University-owned computers unless pre-approved for a legitimate business or academic use.

8. System Maintenance

OCIO 141.10: 1.5(1), 7.4

System Custodians should ensure all systems have the following:

  1. A maintenance and patching window. See ITS guideline GDL-3000.07D: System Patching Guidelines.
  2. Personnel assigned to review, fix, or mitigate any vulnerabilities.
  3. For systems with web applications, a yearly dynamic (pen-testing) security scan. For PCI-related applications, this must be done quarterly.
  4. A plan to replace or upgrade systems if the current software and/or hardware has an end-of-life date. The plan should be executed no later than six months prior to the end-of-life date.

System Stewards should ensure all systems have the financial and human resources to support the system.

9. Automated Configuration Management

OCIO 141.10: 1.5(1), 8.2(1)

Systems should be managed by a configuration management system (e.g., Microsoft Configuration Manager, Microsoft Intune, Jamf, or Puppet) to ensure compliant deployment, configuration, and maintenance.

10. Change Management

For any system or application change that carries substantial risk or that has enterprise or broad impact, technicians and managers should follow ITS procedure PRO-3000.07H: Change and Release Management Procedure.

11. Training

OCIO 141.10: 2(5)

System administrators should undertake ongoing training in their areas of responsibility.

12. Authority

  1. University policy POL-U3000.07 - Securing Information Systems

  2. Washington State Office of the Chief Information Officer (OCIO) 141.10 – Securing Information Technology Assets Standards

13. References

  1. NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

  2. OCIO 141: Securing Information Technology Assets

  3. Information Technology Services (ITS) procedure PRO-3000.07H: Change and Release Management Procedure

  4. ITS guideline GDL-3000.07G: Endpoint Malware and Threat Protection Guidelines

  5. ITS guideline GDL-3000.07D: System Patching Guidelines

  6. ITS guideline GDL-3000.07C: Data Classification Guidelines

Change Log

Revised    | Version | Author         | Approver                             | Change
07/30/2021 | 1.0     | Beth Albertson | ITS Standards & Guidelines Committee | Original Version
10/17/2022 | 2.0     | Beth Albertson | ITS Standards & Guidelines Committee | Added OCIO references in sections 7 & 9