Having secure endpoints is one of the biggest challenges for any organization, but there are tools available that can help secure those endpoints as well as the company/customer data on those physical devices. With the pandemic-assisted shift to a more mobile work environment, plus the prospect of a bad actor grabbing a laptop and using it to access proprietary information, it’s important to set up a standard process for endpoint security in an organization.
ITPro Today spoke to Ulf Lundh, a system deployment, security and related infrastructure IT specialist. He currently works for a local municipality in Sweden – which is equivalent to a typical county government here in the U.S. – and manages approximately 3,500 IT systems. His background and experience spans identity and device management using Microsoft tools such as Active Directory (AD), System Center Configuration Manager (SCCM), Microsoft Intune, and Microsoft Endpoint Manager (MEM). Currently, he directly supports all aspects of security, policy and usability for more than 3,500 endpoints, including Windows 10, Windows Server, Android and iOS mobile devices.
The focus of our discussion was to identify a handful of steps that organizations can use to ensure they have secure endpoints. While these steps focus on using Microsoft Endpoint Manager (MEM), any equivalent endpoint security software or service will have similar options available.
Step One: Map Out Physical Security Measures
Depending on the level of risk associated with the theft of an endpoint device, physical security may rely on locked doors or code/card-based entry access points. Locking down desktop/laptops using a device such as a Kensington cable lock would also prevent the easy pilfering of a device in case those physical barriers are breached.
Step Two: Deploy Encryption
Most modern enterprise desktops and laptops ship with a Trusted Platform Module (TPM), a dedicated security chip that acts as a hardware key store. The TPM does not encrypt the drive itself; that is done by the operating system's full-disk encryption, which on Windows is BitLocker. BitLocker encrypts the volume with a key that is sealed inside the TPM and released only when the measured boot state (firmware, boot loader and boot configuration) matches the values recorded when the drive was protected, optionally combined with a PIN the user types at start-up. If the encrypted drive is removed and mounted in another machine, the TPM holding the key is not there, so the data is unreadable without the escrowed recovery key. In daily use the process is transparent and has minimal impact on the user experience. One caveat a practitioner should keep in mind: in TPM-only mode the volume is unlocked automatically whenever the device boots normally, so a stolen laptop that is powered on or asleep is protected only by the Windows sign-in screen. Requiring a BitLocker PIN at start-up, and shutting down rather than sleeping unattended laptops, closes that gap.
Windows 10 devices without a TPM can still be protected with BitLocker. The "Require additional authentication at startup" Group Policy setting, with "Allow BitLocker without a compatible TPM" checked, lets the operating system drive be unlocked with a start-up password or a USB start-up key supplied at boot in place of a TPM-sealed key. This adds one step to start-up, but once the operating system drive is unlocked, BitLocker's auto-unlock option can open any additional fixed data drives automatically so the user is not prompted again.
BitLocker can be mandated centrally: through Group Policy for Active Directory-joined devices, or through an Intune disk encryption policy (Endpoint security > Disk encryption in the MEM admin center) for devices enrolled in MEM. Whichever route is used, configure recovery keys to be escrowed to Active Directory or Azure AD, because a TPM replacement, a firmware update or a forgotten start-up PIN will eventually require one.
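As an added example (not from the article or from Lundh's environment), the following PowerShell audits the TPM and BitLocker state of the operating system drive and, if the drive is unprotected, enables BitLocker with a TPM protector (or a start-up password on a TPM-less device), adds a recovery password and escrows it to Azure AD. It uses the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 10 and assumes the device is Azure AD-joined; an on-premises AD-joined device would use Backup-BitLockerKeyProtector instead. The function names are my own.

```powershell
# Added example, not code from the article. Run in an elevated PowerShell session on Windows 10.
#Requires -RunAsAdministrator

function Get-EndpointEncryptionState {
    # Summarise TPM readiness and BitLocker state for the OS volume.
    $tpm = Get-Tpm
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        VolumeStatus     = $os.VolumeStatus       # FullyEncrypted / FullyDecrypted / EncryptionInProgress
        ProtectionStatus = $os.ProtectionStatus   # Off means the volume key is exposed even if encrypted
        Protectors       = ($os.KeyProtector | ForEach-Object KeyProtectorType) -join ','
    }
}

function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Use on a device without a usable TPM. The "Allow BitLocker without a compatible TPM"
        # policy must already be in place; the user is then asked for this password at every boot.
        [switch]$NoTpm
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { return $vol }   # already protected, nothing to do

    if ($NoTpm) {
        $pw = Read-Host -AsSecureString 'Startup password'
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
            -PasswordProtector -Password $pw
    } else {
        # Key sealed to the TPM; released only when the measured boot state matches.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
    }

    # Always add a recovery password so an admin can unlock the volume after a TPM or
    # firmware change, then escrow it instead of leaving the only copy on the device.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # Azure AD-joined device (assumption for this example). On-prem AD: Backup-BitLockerKeyProtector.
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: report first, then protect the OS drive if it is not already protected.
Get-EndpointEncryptionState
Enable-OsDriveBitLocker
```

The check on ProtectionStatus matters more than VolumeStatus: a drive can be fully encrypted with protection suspended (for example during a firmware update), at which point the key is stored in the clear and the disk is no better off than an unencrypted one until protection is resumed.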
Step Three: Be Sure There’s a Device Lock Policy
Another control that helps secure endpoints is a mandated inactivity timeout: after a set period without input the system locks itself and requires the user's credentials to resume. This setting, which can be enforced through MEM, needs to balance security against user convenience, especially where users must retype complex passwords to get back in.
Lundh also recommended user training and awareness on keyboard shortcuts for locking a device when stepping away from the desk. For example, users can press WINDOWS + L, or press CTRL + ALT + DELETE and then select Lock.
Another aspect of this approach is to allow and encourage biometric sign-in. Windows Hello on Windows 10 supports facial and fingerprint recognition, and many modern devices include one or both sensors. The biometric template never leaves the device: it is stored encrypted locally and is used only to unlock a credential bound to that device, so a copy of the template is useless without the matching face or fingerprint presented to that same machine.
Requiring a PIN, which Windows Hello mandates as a fallback whenever facial or fingerprint biometrics are enabled, is another way to restrict device access to authorized users. As Lundh pointed out, we have been using PINs at cash-dispensing ATMs for quite some time, and although anything can eventually be broken, a 4-to-6-digit PIN offers enough complexity to be a viable option for users. Unlike a password, a Windows Hello PIN is bound to the specific device and, on TPM-equipped hardware, protected by the TPM's throttling of repeated guesses, so it cannot be phished and replayed from another machine. Any of these Windows Hello options improves the user experience tremendously while enabling more secure endpoints.
The simplicity of logging in using facial or fingerprint recognition could encourage users to lock their devices when stepping away from their desk because it will be easy to log back into them. (Besides, they’re already used to the measures from the security on their mobile phones.) Admins could also then institute shorter automatic locking of devices since it will be simpler for the user to log back in afterwards. This maintains a good balance of endpoint security and user convenience.
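As an added example (not from the article), the following PowerShell shows the two settings this step depends on, the machine inactivity limit and a Windows Hello for Business PIN policy, applied to a stand-alone or test device by writing the registry values that the corresponding Group Policy settings map to. On MEM-managed devices the same settings would be delivered through a configuration profile rather than a script; the registry paths are the policy locations I am assuming from those Group Policy settings, and the function names are my own.

```powershell
# Added example, not code from the article. Run elevated on a Windows 10 device.
#Requires -RunAsAdministrator

# Backing location of the security option "Interactive logon: Machine inactivity limit".
$SystemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Backing location of the "Windows Hello for Business" administrative templates (assumed here).
$HelloPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Set-InactivityLockPolicy {
    # Seconds of idle time before the lock screen appears. The policy range is 0 (never lock,
    # which we refuse) up to 599940 seconds.
    param([ValidateRange(60, 599940)][int]$TimeoutSeconds = 600)
    if (-not (Test-Path $SystemPolicy)) { New-Item -Path $SystemPolicy -Force | Out-Null }
    New-ItemProperty -Path $SystemPolicy -Name InactivityTimeoutSecs -PropertyType DWord `
        -Value $TimeoutSeconds -Force | Out-Null
    (Get-ItemProperty -Path $SystemPolicy -Name InactivityTimeoutSecs).InactivityTimeoutSecs
}

function Set-HelloPinPolicy {
    # Enable Windows Hello for Business and require a minimum PIN length (policy range 4 to 127).
    param([ValidateRange(4, 127)][int]$MinimumLength = 6)
    $complexity = Join-Path $HelloPolicy 'PINComplexity'
    if (-not (Test-Path $complexity)) { New-Item -Path $complexity -Force | Out-Null }
    # "Use Windows Hello for Business" = Enabled
    New-ItemProperty -Path $HelloPolicy -Name UsePassportForWork -PropertyType DWord -Value 1 -Force | Out-Null
    # "Minimum PIN length"
    New-ItemProperty -Path $complexity -Name MinimumPINLength -PropertyType DWord `
        -Value $MinimumLength -Force | Out-Null
    (Get-ItemProperty -Path $complexity -Name MinimumPINLength).MinimumPINLength
}

function Get-LockPolicyReport {
    # Read back what is currently enforced so the state can be compared against the baseline.
    $complexity = Join-Path $HelloPolicy 'PINComplexity'
    [pscustomobject]@{
        InactivityTimeoutSecs = (Get-ItemProperty -Path $SystemPolicy -Name InactivityTimeoutSecs `
                                    -ErrorAction SilentlyContinue).InactivityTimeoutSecs
        HelloForBusiness      = (Get-ItemProperty -Path $HelloPolicy -Name UsePassportForWork `
                                    -ErrorAction SilentlyContinue).UsePassportForWork -eq 1
        MinimumPinLength      = (Get-ItemProperty -Path $complexity -Name MinimumPINLength `
                                    -ErrorAction SilentlyContinue).MinimumPINLength
    }
}

# Usage: lock after 10 minutes idle and require at least a 6-character Hello PIN.
Set-InactivityLockPolicy -TimeoutSeconds 600 | Out-Null
Set-HelloPinPolicy -MinimumLength 6 | Out-Null
Get-LockPolicyReport
```

Once Windows Hello is in place, the timeout can be shortened without much complaint, which is the trade-off the paragraph above describes: the cost of each extra lock event drops from retyping a long password to a glance at the camera or a short PIN.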
Step Four: Enable Two-Factor Authentication (2FA)
Enabling the use of two-factor authentication (2FA) to access Active Directory- or Azure Active Directory-based accounts is a simple step to add an extra layer of identity security in an organization. Lundh recommends beginning with text-based 2FA because it is easier for most users to understand and access.
For users with accounts that have access to more sensitive company/user data or users with privileged access to systems and services, implementing app-based 2FA or hardware-based security keys is the right approach for additional security protections.
Step Five: Sweat These Small Things
Other areas that can help secure endpoints in an organization of almost any size might be considered small in nature but add up quickly when looking at a company’s overall cybersecurity profile. These include, but are not limited to:
- Prohibit local administrator rights on user devices, and do not provision shared local admin accounts. A local administrator can disable the device's protections and read every profile and cached credential on that device, which makes such accounts the first target once a machine is compromised.
- Set user policies to the most restrictive options by default, but wherever possible give users convenient sign-in options such as a Windows Hello PIN, facial recognition or fingerprint alongside their password.
- Establish a policy for the maximum number of log-in attempts using any method to unlock the device. This can be adjusted to a temporary or permanent lock out based on the user and device.
- Modern mobile devices are more secure in many ways because their storage is encrypted by default, but managing them through a system like MEM adds oversight and the ability to remotely wipe a lost or stolen device quickly.
- Plan and get all devices registered in a remote management tool to begin increasing that endpoint security profile. Have a plan for when it’s necessary to shut down and wipe devices via remote management.
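As an added example (not from the article), the following PowerShell checks the three items from this list that can be verified on a device: unexpected members of the local Administrators group, the account lockout threshold, and whether the device is enrolled in MDM. It uses the built-in LocalAccounts cmdlets, net.exe and dsregcmd; the allow-list of expected administrators and the dsregcmd field names (AzureAdJoined, MdmUrl) are assumptions for this example, and the function names are my own.

```powershell
# Added example, not code from the article. Run elevated on a Windows 10 device.
#Requires -RunAsAdministrator

function Get-UnexpectedLocalAdmins {
    param(
        # Accounts allowed to stay in the local Administrators group (assumed allow-list).
        # On Azure AD-joined devices the "Global administrator" and "Azure AD joined device
        # local administrator" roles appear as raw SIDs (S-1-12-1-...) and should be added here.
        [string[]]$Allowed = @("$env:COMPUTERNAME\Administrator")
    )
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -notin $Allowed } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Set-LockoutPolicy {
    # Local account lockout: lock after $Threshold failed attempts for $DurationMinutes.
    # On a domain-joined device the domain policy overrides these values.
    param([int]$Threshold = 10, [int]$DurationMinutes = 15, [int]$WindowMinutes = 15)
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes | Out-Null
    (net accounts) -match 'Lockout'   # echo the resulting policy lines
}

function Get-DsregValue([string[]]$Lines, [string]$Key) {
    # Pull "Key : value" out of dsregcmd /status output.
    foreach ($l in $Lines) {
        if ($l -match "^\s*$Key\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-MdmEnrollmentState {
    $lines = dsregcmd /status
    $mdm   = Get-DsregValue $lines 'MdmUrl'
    [pscustomobject]@{
        AzureAdJoined = (Get-DsregValue $lines 'AzureAdJoined') -eq 'YES'
        MdmUrl        = $mdm
        Enrolled      = -not [string]::IsNullOrWhiteSpace($mdm)   # no MDM URL means no remote wipe
    }
}

# Usage: one report an admin can read or ship to a central log.
[pscustomobject]@{
    UnexpectedAdmins = (Get-UnexpectedLocalAdmins | ForEach-Object Name) -join ', '
    Lockout          = (Set-LockoutPolicy -Threshold 10) -join '; '
    Enrollment       = Get-MdmEnrollmentState
}
```

A device that shows Enrolled = False here cannot be wiped remotely, so the plan for lost or stolen hardware in the last bullet only covers devices for which this check passes.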