Workstation Domain Policies

Workstation domain policies relate to any computing device used by an end user. Devices are often a user’s desktop or laptop computer. A workstation can be any user device that accesses data, such as a smartphone.

These devices might not be operating within a protected office or data center. Encryption is a common method used to protect workstations, laptops, and other devices. By encrypting a device’s hard drive, you protect the data, even if the device is lost or stolen. The encryption approach decrypts the data when the device validates the user’s credentials, such as a user ID and password. If the device is lost or stolen and the wrong credentials are entered, the device can then wipe out its data. If someone scans the hard drive without logging in to the device, the data remains encrypted and protected. For some devices, a signal can be sent to the device to wipe its data in the event the device is lost or stolen.

Mobile devices, by their nature, are distributed. This means policies need to address unique monitoring and patching challenges in a distributed environment. How you connect, monitor, and patch a mobile device is a different challenge than doing the same from a desktop in an office or a server in a data center. These challenges are covered in more detail in the next section.

Control Standards

Control standards for workstations establish core security requirements to harden these devices. The standards define how to manage the devices in a distributed environment, and they need to clearly communicate what responsibilities users have versus the responsibilities central administrators have. Workstation policies are often aligned to functional responsibilities.

A Malicious Code Protection standard, for example, is a central responsibility. The standard tries to keep a workstation free from viruses and other malware. The policy is a preventive and detective control. It tries to prevent an infection by installing scanning software. It also requires the user to detect and report symptoms of an infection. Examples of some control statements in this type of policy are as follows:

  • Anti-malware software must be used on all devices connected to the organization’s network. IT staff is responsible for ensuring that all devices have an approved version of anti-malware software installed. They are also responsible for ensuring a mechanism is in place to keep malware definitions current.
  • No executable software, regardless of the source, may knowingly be installed without prior IT staff approval.
  • IT staff must verify that all software is free of malicious code before installation.
  • Users must not intentionally disable anti-malware software without prior approval.
  • IT staff must scan data that will be transferred from the organization’s network to a customer. Scanning must indicate that the data is free of malicious code before the transfer may occur.

The Malicious Code Standard is a good example of a policy that protects devices. TABLE 10-1 outlines other workstation-related control standards. This is not an exhaustive list. This table depicts common control standards that focus on protecting and managing workstation devices. Notice the sheer breadth of policies required to properly secure a workstation.

TABLE 10-1 Additional Types of Workstation Domain Control Standards

| TYPE OF CONTROL STANDARD | DESCRIPTION |
|---|---|
| Access control for portable and mobile systems | Establishes restrictions for employer-owned portable and mobile workstations such as laptops and tablets |
| Acquisitions | Describes security controls for acquiring new devices. This standard might include minimum hardware requirements for security such as cryptographic co-processors. |
| Configuration management control | Defines the requirements for approving changes to a workstation. This includes configuration and patch management. |
| Device identification and authentication | Defines how the network identity of the devices will be established. |
| Session lock | Defines the requirements to prevent access to the workstation after a defined period of inactivity. The session lock remains in effect until the user reauthenticates to the workstation. |
| Software use | Describes installation of software on workstations. Also describes methods to protect the organization from unapproved software being installed. This usually includes who can install software and the process for approving new software. |
| System use notification | Describes the onscreen display of system notification messages. This is common to establish a legal notice that you are accessing a protected system. Examples of messages are: “You are accessing an organization-owned workstation.”; “System usage may be monitored and recorded, and is subject to audit.”; “Unauthorized use of the system is prohibited and subject to criminal and civil penalties.” |
| Unsuccessful logon attempts | Defines a limit on the number of consecutive invalid access attempts such as three failed logons within 10 minutes per user. Also describes actions the workstation will take when the limit is exceeded, such as locking the account. |
| Disposal | Describes the proper method of disposing of workstation assets. This includes the wiping of the hard drive and disposal of the physical machine. |
| Bring your own device (BYOD) | Defines which (if any) personal devices employees are allowed to use to store and access company data. Some companies prohibit using personal devices to access company data. When a company does allow a personal device, it’s often the individual’s own smartphone, used to access company emails. This will be discussed in more detail in the following section. |

Baseline Standards

With core policies defined, the focus then turns to how to configure the devices. Baseline standards provide the specific technology requirements for each device. IT staff use documented procedures to implement baseline standards. These per-device configurations ensure the following:

  • Secure connectivity for remote devices
  • Virus and malware protection
  • Patch management capability
  • Backup and recovery
  • Hardening of the device
  • Encryption of the hard drive as needed

This is not an exhaustive list; however, it does depict the configuration considerations for each workstation. This is especially important given the distributed nature of workstations.

You can find a variety of these baseline standards from different organizations around the world. The Center for Internet Security (CIS) offers Security Configuration Benchmarks. These benchmarks include examples for the private sector, government agencies, and educational institutions. You can download the benchmarks from http://cisecurity.org/en-us/?route=downloads.benchmarks. CIS also offers auditing tools to its members to assess compliance with these benchmarks.

The following are examples of baseline documents you may need to prepare:

  • Host hardening standards for each workstation product family, such as Microsoft Windows, UNIX, Mac OS, and smartphones
  • Virus scanner configuration standards
  • Patch management agent standards
  • Automated backup standards for workstations
  • Wireless security standards

TIP

It is important to use industry best practices when developing baseline standards. These industry best-practice standards allow you to defend to regulators the choices being made and to gain from others’ experience. It is more efficient to modify an existing standard than to create your own from scratch.

Procedures

For each baseline standard, you need a related procedure document. That does not mean every device configuration requires a unique procedure. Many of these configuration activities reuse the same procedure. The key to these procedures is to ensure that the administrators know how to access and apply the baseline configuration. If the tools and methods are substantially different, the process may be unique enough to require its own procedure.

Technical TIP

Monitoring is important whenever baseline standards are implemented. Once configuration baselines are applied, you need to ensure these controls stay in place. One way to achieve this is through monitoring software. Many packages are on the market. Some take a snapshot or signature of the baseline configuration. This monitoring software can detect when devices that are not compliant with the baseline are added to the network or when the baseline security configuration has been changed.
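The signature-based monitoring described in this tip, sketched as an added example that is not part of the original text: it signs an approved baseline, flags devices whose configuration signature differs, and lists the settings that drifted. The setting names, values, and device names are constructed assumptions based on the control standards discussed above.

```python
import hashlib
import json

# Constructed baseline: setting names and values are illustrative assumptions.
BASELINE = {
    "disk_encryption": True,
    "anti_malware_enabled": True,
    "session_lock_minutes": 15,
    "max_failed_logons": 3,
    "failed_logon_window_minutes": 10,
    "logon_banner": True,
}

def signature(config):
    """Return a SHA-256 signature over a canonical (sorted-key) JSON encoding."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def drift(baseline, observed):
    """List (setting, expected, actual) for every deviation from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, "<not in baseline>")
        actual = observed.get(key, "<missing>")
        # Compare JSON encodings so the result agrees with signature().
        if json.dumps(expected) != json.dumps(actual):
            findings.append((key, expected, actual))
    return findings

def assess(baseline, inventory):
    """Map each device to 'compliant' or to its list of drift findings."""
    approved = signature(baseline)
    report = {}
    for device, observed in inventory.items():
        # Fast path: an identical signature means an identical configuration.
        if signature(observed) == approved:
            report[device] = "compliant"
        else:
            report[device] = drift(baseline, observed)
    return report

# Constructed inventory of observed device configurations.
INVENTORY = {
    "laptop-01": dict(BASELINE),
    "laptop-02": {**BASELINE, "anti_malware_enabled": False, "session_lock_minutes": 60},
    "tablet-07": {"disk_encryption": True},  # newly added device, never baselined
}

if __name__ == "__main__":
    for device, result in assess(BASELINE, INVENTORY).items():
        print(device, result)
```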

An example of a procedure is a configuration procedure for workstations. This procedure provides the explicit settings for configuration files such as registries. This process might cover Windows, UNIX, Mac OS, and other desktop operating systems.

Guidelines

Guidelines for implementing control standards are useful to planners and managers. It’s important to understand the difference between a guideline and a standard. A guideline is a strong recommendation. A standard is a required control. A guideline recognizes that there are many acceptable ways to approach a problem, but provides one approach considered acceptable to the organization. The following guideline documents are useful when dealing with workstations:

  • Acquisition Guidelines—Recommendations for sources to acquire new workstations, such as preferred vendors.
  • Guidelines on Active Content and Mobile Code—Describe the threats to and countermeasures for active content. These include a discussion on mobile code such as JavaScript and ActiveX controls. Furthermore, they describe the security expectations for the development or use of such code.