Best Practices for Workstation Domain Compliance

Workstation Domain computers and devices provide local computing resources and often provide initial access into your organization’s shared resources. It is important to maintain a secure Workstation Domain for the security of the locally stored information as well as to keep other domains secure. Allowing Workstation Domain components to be insecure increases the vulnerability of the other domains you access from workstations. There are many strategies for keeping the Workstation Domain secure. Each organization should customize its Workstation Domain policies, procedures, and guidelines for its specific set of requirements. Here are general guidelines and best practices to attain and maintain compliance with norms in various industries within the Workstation Domain:

  • Require unique user accounts for each person. Do not allow multiple people to use the same user account.

    • Require user accounts to be domain accounts centrally managed versus using local machine accounts.

    • Limit user account privileges such as limiting who is an administrator on the workstation.

  • Require strong passwords and train users on the importance of keeping passwords private. Require users to change passwords at a specified interval, such as every 90 days.

  • If one person performs duties of several roles, create a unique user account for each role.

  • If using DAC, assign object permissions for all shared objects to grant access only to necessary subjects.

  • If using MAC, establish simple standards for assigning security classifications to objects.

  • Create a backup schedule that minimizes the amount of work that would be lost if a disaster destroyed the computer just before the next backup.

  • Document procedures for labeling, transporting, storing, and reusing backup media.

  • Document the steps necessary to restore your system from a backup after data loss.

  • Test your recovery procedure at least every six months.

  • Test the power outage operation of your UPS at least monthly.

  • Conduct informal monthly audits that include creating monthly baselines.

  • Check for anti-malware software and signature database updates daily.

  • Scan for operating system and application updates at least weekly.

  • Audit users, groups, and access permissions/data classification at least quarterly.

  • Require full disk encryption for laptops and removable media.

  • Ensure machine images are updated with the current workstation security configurations.

  • Automatically back up data from the workstation.

  • Lock the workstation screen after a set number of minutes of idle time.

  • Secure the workstation BIOS with a password.

  • Disable guest accounts.

  • Disable a user account after a set number of invalid login attempts.

  • Ensure workstation security patches are applied on a timely basis, including malware detection signatures for virus scanning software.
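Several of the items above (password change interval, strong passwords, lockout after invalid logins, disabled guest account) can be checked mechanically during the monthly audit by comparing an exported local security policy against the baseline. The following script is an added example, not code from the book; it assumes the policy was exported with `secedit /export /cfg <file>` on a Windows workstation, whose INF output places these values under a `[System Access]` section, and the minimum password length of 8 and lockout ceiling of 10 are assumed thresholds that the text does not specify (the 90-day maximum password age is from the list above). The sample export is constructed inline so the check runs offline.

```python
"""Audit a workstation's exported local security policy against baseline thresholds."""
import configparser

# Constructed sample of a `secedit /export` file, deliberately non-compliant:
# passwords expire after 180 days, no lockout, guest account enabled.
NONCOMPLIANT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 180
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
EnableGuestAccount = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample that satisfies every rule below.
COMPLIANT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# (setting name, requirement text, predicate on the integer value)
# Thresholds marked "assumed" are not stated in the source text.
RULES = [
    ("MaximumPasswordAge", "passwords must expire within 90 days", lambda v: 1 <= v <= 90),
    ("PasswordComplexity", "password complexity must be enforced", lambda v: v == 1),
    ("MinimumPasswordLength", "minimum length of 8 (assumed)", lambda v: v >= 8),
    ("LockoutBadCount", "lock after 1-10 bad logons (upper bound assumed)", lambda v: 1 <= v <= 10),
    ("EnableGuestAccount", "guest account must be disabled", lambda v: v == 0),
]


def parse_export(text):
    """Return the [System Access] section as a dict, converting numeric values to int."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the setting names in their original case
    cp.read_string(text)
    settings = {}
    for key, raw in cp["System Access"].items():
        value = raw.strip().strip('"')
        try:
            settings[key] = int(value)
        except ValueError:
            settings[key] = value  # e.g. NewGuestName is a string, not a number
    return settings


def audit(text):
    """Return a list of (setting, message) findings; an empty list means compliant."""
    settings = parse_export(text)
    findings = []
    for key, requirement, ok in RULES:
        if key not in settings:
            findings.append((key, f"missing from export; requires: {requirement}"))
        elif not isinstance(settings[key], int) or not ok(settings[key]):
            findings.append((key, f"value {settings[key]!r} fails: {requirement}"))
    return findings


if __name__ == "__main__":
    for name, text in (("non-compliant sample", NONCOMPLIANT_EXPORT),
                       ("compliant sample", COMPLIANT_EXPORT)):
        results = audit(text)
        print(f"{name}: {len(results)} finding(s)")
        for setting, message in results:
            print(f"  {setting}: {message}")
```

Keeping each rule as a small predicate makes it easy to add a site-specific threshold, and recording the findings rather than a pass/fail flag gives the auditor the evidence to file with the monthly baseline.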

Although this list of best practices is not exhaustive, it is a good foundation to keep Workstation Domain computers and devices secure.
