One of the most vulnerable parts of your infrastructure is the desktop and laptop computers that your end users use. These devices can be responsible for bringing in viruses or malware or causing your organization to lose sensitive data that can subject your organization to all sorts of headaches. In this guide, I’ll cover the practices I use when securing end user desktop and laptop systems.

Even in the age of BYOD (Bring Your Own Device) and things such as the Windows Store in Windows 8+ that give end users more control over their devices, maintaining some level of control over the endpoints that your organization owns is still important for security reasons. Following are some of the things I do as best practices when securing an organization’s desktop and laptop systems.

Be transparent to the end user

If you’re implementing any of the technologies in this article for the first time, I highly encourage you to communicate the changes to your end users and make sure they know how the changes will impact them. Letting them know about the changes and how they will benefit the organization will go a long way toward gaining acceptance.

You should also strive to keep the changes as unobtrusive to the end user as possible. You want users to know the changes are there, but the changes shouldn’t be so drastic that they impact the performance of the users’ computers and their ability to get their work done. The worst thing you can do is implement a security change that users circumvent because the change prevents them from doing their job.

Inventory management and MDM

You can’t secure what you don’t know about. Running a product such as System Center Configuration Manager, LANDesk, Altiris, or some other systems management platform not only lets you inventory all of your assets but also gives you the ability to manage other aspects of your endpoints, such as software updates, antivirus, and firewalls. If a device walks away, either through loss or theft, having access to its model and serial number can be helpful to law enforcement and insurance companies if you insure your devices.

For your mobile devices, a Mobile Device Management (MDM) solution is a must for maintaining those devices that are on the go and not regularly connected to the corporate network. Products such as Microsoft’s Intune are a great option for managing those systems and can also integrate with SCCM.
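The inventory products named above collect the model and serial number for you. As an added example, not from the article, the following PowerShell pulls the same fields with Get-CimInstance so you can verify what your inventory tool recorded for a device, or cover a machine it has not picked up yet. The host list is a constructed placeholder; remote queries assume WinRM is enabled on the targets.

```powershell
# Added example (not from the article): collect the identifying fields an
# inventory system records, so a lost or stolen device can be described to
# law enforcement or an insurer. Runs locally or against remote hosts via WinRM.
function Get-EndpointInventory {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($name in $ComputerName) {
        try {
            $cs   = Get-CimInstance -ClassName Win32_ComputerSystem   -ComputerName $name -ErrorAction Stop
            $bios = Get-CimInstance -ClassName Win32_BIOS             -ComputerName $name -ErrorAction Stop
            $os   = Get-CimInstance -ClassName Win32_OperatingSystem  -ComputerName $name -ErrorAction Stop
            [pscustomobject]@{
                ComputerName = $name
                Manufacturer = $cs.Manufacturer
                Model        = $cs.Model
                SerialNumber = $bios.SerialNumber      # service tag on most vendors
                OSVersion    = $os.Version
                LastBoot     = $os.LastBootUpTime
                Collected    = Get-Date
            }
        }
        catch {
            # Unreachable hosts are still worth recording: a device that never
            # checks in is exactly the one you want to ask questions about.
            [pscustomobject]@{ ComputerName = $name; Error = $_.Exception.Message; Collected = Get-Date }
        }
    }
}

# Constructed host list for illustration; replace with an AD or SCCM export.
$hosts = @($env:COMPUTERNAME)
Get-EndpointInventory -ComputerName $hosts |
    Export-Csv -Path "$env:TEMP\endpoint-inventory.csv" -NoTypeInformation
```

Diff the CSV against what the management platform reports; any serial number present in one list and absent from the other is a device you do not fully control.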

Antivirus/Antimalware

This is really a no-brainer, right? Sure, Windows 8 and 10 come with Windows Defender built into the OS, but are end users going to call their IT person or the Help Desk every time they get a notice on their computer that the antivirus application has performed an action? My experience is that most end users won’t until it impacts their ability to work.

I highly recommend using an antivirus/antimalware product that allows you to manage the application on the endpoint rather than something like the built-in Windows Defender that doesn’t send feedback to IT.

Enterprise antivirus applications check in (usually through an agent) with a central server that IT can use to control the configuration, control updates, and monitor the solution. And, it’s really nice to set up email alerts for system infections. Who wants to have to run a report on a system every day when you can just have it emailed to you?
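As an added example, not from the article, here is the kind of check-in an enterprise agent performs, written against the built-in Defender cmdlets so it can be run centrally (Invoke-Command, or a scheduled task that writes to a share) and emailed to IT. The signature-age threshold and mail settings are assumed placeholders.

```powershell
# Added example (not from the article): a Defender health check that reports the
# things an AV console would show, plus recent detections, and mails IT on trouble.
# Requires the Defender PowerShell module (Windows 8.1/2012 R2 and later).
function Test-AntivirusHealth {
    param(
        [int]$MaxSignatureAgeDays  = 3,   # assumed policy value, adjust to taste
        [int]$DetectionLookbackDays = 7
    )
    $status   = Get-MpComputerStatus
    $problems = @()

    if (-not $status.AMServiceEnabled)          { $problems += 'antimalware service not running' }
    if (-not $status.RealTimeProtectionEnabled) { $problems += 'real-time protection disabled' }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $problems += "signatures are $($status.AntivirusSignatureAge) days old"
    }

    # Actions the engine took recently: this is what you want emailed to IT
    # rather than discovered when the user finally calls the Help Desk.
    $since      = (Get-Date).AddDays(-$DetectionLookbackDays)
    $detections = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -gt $since } |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess,
                      @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Healthy       = ($problems.Count -eq 0)
        Problems      = ($problems -join '; ')
        LastSignature = $status.AntivirusSignatureLastUpdated
        Detections    = $detections
    }
}

$report = Test-AntivirusHealth
$report | Format-List

# Alerting: SMTP server and addresses are placeholders for your environment.
if (-not $report.Healthy -or $report.Detections) {
    $body = ($report | Format-List | Out-String)
    Send-MailMessage -SmtpServer 'smtp.example.invalid' -From 'av-alerts@example.invalid' `
        -To 'helpdesk@example.invalid' -Subject "AV alert on $($report.ComputerName)" -Body $body
}
```

A managed product gives you this for free in its console; the value of the script is showing what "feedback to IT" should contain: service state, signature age, and every action the engine took, not just the ones the user noticed.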

Firewall

Another no-brainer. Personally, I’m a fan of the built-in firewall in Windows 7+. It handles both inbound and outbound filtering and supported IPv6 before most of the third-party products out there did. Using the built-in firewall also gives you the benefit of being able to control it through either Group Policy or System Center Configuration Manager.
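The following is an added example, not from the article, that audits the three Windows Firewall profiles against a simple baseline (enabled, inbound blocked by default, blocked connections logged) and enforces it with the NetSecurity cmdlets. On domain machines the same settings belong in Group Policy or a Configuration Manager baseline; the script is for checking a single endpoint, and the baseline itself is an assumed policy.

```powershell
# Added example (not from the article): audit and enforce a minimal Windows
# Firewall baseline on one endpoint. Requires the NetSecurity module
# (Windows 8/2012 and later) and an elevated prompt for the Set- step.
function Test-FirewallBaseline {
    Get-NetFirewallProfile | ForEach-Object {
        $enabled = ($_.Enabled -eq 'True')          # GpoBoolean: True/False/NotConfigured
        [pscustomobject]@{
            Profile              = $_.Name
            Enabled              = $enabled
            DefaultInboundAction = $_.DefaultInboundAction
            LogBlocked           = ($_.LogBlocked -eq 'True')
            Compliant            = $enabled -and ($_.DefaultInboundAction -ne 'Allow')
        }
    }
}

function Set-FirewallBaseline {
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

# Which inbound allow rules are live on untrusted networks? Anything listed here
# is reachable from a coffee-shop Wi-Fi and deserves a second look.
function Get-PublicInboundAllowRule {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { $_.Profile -match 'Public|Any' } |
        Select-Object DisplayName, Profile, Group
}

Test-FirewallBaseline | Format-Table -AutoSize
if (Test-FirewallBaseline | Where-Object { -not $_.Compliant }) {
    Set-FirewallBaseline
    Test-FirewallBaseline | Format-Table -AutoSize
}
Get-PublicInboundAllowRule | Format-Table -AutoSize
```

The outbound default stays Allow here because an outbound-block policy is the kind of drastic change from the "Be transparent" section that users will work around unless every business application has been enumerated first.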

Disk encryption

Disk encryption is no longer just for mobile devices. Encrypting the hard drives of your endpoints is a must now. Even if you’re using technologies such as Folder Redirection to keep data off computers, sensitive data can still end up in Offline Files, temp directories, and other non-standard locations for data storage, such as folders in the user’s profile.

[Figure: File Explorer showing a BitLocker encrypted OS disk, data disk, and removable drive]

What if your users don’t have access to sensitive data? You should still seriously consider encrypting all devices regardless of form factor, even if the device is stationary and physically locked down. An attacker or malicious employee can use an offline attack to reset the local Administrator password and access the computer with that local Administrator account. Once the system has been compromised, it can be used to steal the credentials of anyone logging in to the computer and for all sorts of other malicious activity if it is connected to your corporate network.
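As an added example, not from the article, the script below audits every fixed volume's BitLocker state and, where the OS drive is unprotected and a ready TPM exists, turns it on with a recovery password escrowed to Active Directory first. It requires the BitLocker module and an elevated prompt, and the AD backup assumes the "Store BitLocker recovery information in Active Directory Domain Services" policy is already applied.

```powershell
# Added example (not from the article): BitLocker compliance check and remediation
# for the OS drive. Requires the BitLocker module (Windows 8/2012 and later).
function Test-BitLockerCompliance {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                VolumeType       = $_.VolumeType
                VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
                ProtectionStatus = $_.ProtectionStatus    # On, Off (suspended), Unknown
                Protectors       = ($_.KeyProtector.KeyProtectorType -join ', ')
                # Only "fully encrypted with protection on" defeats the offline
                # password-reset attack; an in-progress or suspended volume does not.
                Compliant        = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
            }
        }
}

function Enable-OsDriveBitLocker {
    $drive = $env:SystemDrive
    $os    = Get-BitLockerVolume -MountPoint $drive
    if ($os.ProtectionStatus -eq 'On') { return "$drive already protected" }

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM not present or not ready; provision it before enabling BitLocker'
    }

    # 1. Recovery password first, escrowed to AD before encryption starts, so a
    #    locked-out user (or a replaced motherboard) can always be recovered.
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId

    # 2. TPM protector and encryption. XtsAes256 needs Windows 10 1511 or later;
    #    use Aes256 on older builds.
    Enable-BitLocker -MountPoint $drive -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest
    "$drive encryption started; protection turns on when it completes"
}

Test-BitLockerCompliance | Format-Table -AutoSize
```

Run the audit on a schedule: a volume that shows ProtectionStatus Off because someone ran manage-bde -protectors -disable for a firmware update and never re-enabled it is the most common way an "encrypted" fleet quietly stops being one.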

Application whitelisting/blacklisting

One of my favorite new features that was included in Windows 7 when it was released is AppLocker. AppLocker is an application control service that allows IT to whitelist (allow) and/or blacklist (deny) executables, scripts, Windows Installers (MSI files), Windows Store/Universal apps (in Windows 8+), and even DLL files from running on endpoints.

With AppLocker (or other third-party solutions), you can allow only selected software to run based on criteria such as file location, digital signature, or file hash. Even if you set a policy that allows all software to run by default, you can still blacklist/block applications that your users shouldn’t be using with the same location, digital signature, or file hash settings.

[Figure: AppLocker blocking an unauthorized application from running (program is blocked by group policy)]

Windows and third-party updates

Even if you’ve locked down a computer to the point of being barely usable (which I don’t recommend), missing updates can still allow an attacker to compromise the computer. Smaller organizations can simply use Windows Update to automatically update systems. Larger organizations can use Windows Server Update Services (WSUS) or systems management products such as System Center Configuration Manager for pushing out updates for Windows, Office, and other Microsoft products.

Third-party updates are just as important as (if not more important than!) Windows and Office updates. Adobe Flash and Oracle Java both have a bad track record when it comes to security and usually need to be patched as soon as the updates are released to the public. Configuration Manager is capable of publishing third-party updates using the System Center Updates Publisher or via plugins from third-party vendors.
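As an added example, not from the article, the script below asks the Windows Update Agent which updates it considers missing (it answers from WSUS or the Configuration Manager software update point if the client is pointed there, otherwise from Microsoft Update) and lists the installed versions of the third-party products the text singles out, so you can see at a glance what is behind. The product name patterns are assumptions.

```powershell
# Added example (not from the article): report missing Windows updates via the
# Windows Update Agent COM API, and installed versions of selected third-party
# products from the Uninstall registry keys (both 64- and 32-bit views).
function Get-MissingWindowsUpdate {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: applicable and not installed; IsHidden=0: not hidden by an admin
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = (@($u.KBArticleIDs) -join ', ')
            Severity = $u.MsrcSeverity      # empty for non-security updates
            Category = (@($u.Categories | ForEach-Object { $_.Name }) -join ', ')
        }
    }
}

function Get-ThirdPartyVersion {
    # Assumed patterns; extend with whatever else your environment runs.
    param([string[]]$NamePattern = @('Java', 'Adobe Flash'))
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            $n = $_.DisplayName
            $n -and ($NamePattern | Where-Object { $n -like "*$_*" })
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

Get-MissingWindowsUpdate | Sort-Object Severity -Descending | Format-Table -AutoSize
Get-ThirdPartyVersion    | Format-Table -AutoSize
```

Multiple Java entries in the second list is a common finding: old Java runtimes are frequently left installed beside the new one, and the vulnerable version is still on disk even though the machine "has the update".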

Enhanced Mitigation Experience Toolkit (EMET)

Last, but certainly not least, is the Enhanced Mitigation Experience Toolkit. EMET is a utility from Microsoft that helps prevent an attacker or malicious user from exploiting vulnerabilities in applications.

EMET can enable Windows features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and other enhanced security features for applications whose vendor or programmer didn’t build them to opt in to those protections. This acts as an additional safety net for applications that may have unknown security issues, or known security issues that, for whatever reason, can’t be patched.

Conclusion

I hope this best practices guide can serve as a starting point for improving the security of your organization’s desktop and laptop endpoints. If you’re getting ready to start a project or make changes to an existing solution, we’d love to hear about it in the 4sysops forums or in the comments section below!

  1. Melvin Backus 7 years ago

    Really good stuff, and we’re working towards most of it already if it isn’t in place. While not specifically tied to any of these, a new wrench in the works, particularly with BYOD, is the Windows 10 removal of the NAP agent. We actually went to great lengths to set up and configure our Windows VPN with NAP so that we could deploy VPN access to users even on their own devices and still validate that they had up-to-date AV definitions, firewalls enabled, etc. It took a while to track down all the requirements for the configuration, but we got it set up and it’s been working really well. Using CMAK allowed us to configure user machines to be NAP capable by simply deploying a preconfigured profile. With Windows 10, though, no joy. Any possible recommendations for a 3rd party tool to handle the BYOD stuff? We can use our enterprise AV to handle domain machines if needed. My research so far has been unsuccessful.

    • Author
      Kyle Beckman 7 years ago

      NAP wasn’t widely adopted which is what probably led to it being removed from Windows 10. Your best bet is probably going to be an MDM solution where you can monitor those devices for compliance.

    • Author
      Kyle Beckman 7 years ago

      The release notes for Windows Server 2016 Technical Preview 3 were made available yesterday and there’s more bad news for the NAP fans. The DHCP Server role no longer supports NAP:

  2. Joseph Moody 7 years ago

    Good article Kyle! I would also like to add that managing user permissions is a must (as in no local administrators).

    • Author
      Kyle Beckman 7 years ago

      I considered adding that, but there are so many ways to work around not having Admin rights these days. If you’re not securing the OS disk, restricting applications, or keeping 3rd party apps updated, getting Admin on the box is trivial.

  3. daven 7 years ago

    I’d like to add that web filtering and spam filtering are crucial to keeping endpoints secure. We had Websense when I got here, and it’s good but pricey. There are more affordable options. Now we use CenturyLink’s FortiGuard cloud filtering. The setup was lousy but it works well. Reporting sucks, however [Websense reporting is, once you get it down, excellent]. We use the Symantec spam filter. The setup is also lousy on that, but it works very, very well. Good filtering has cut down on A LOT of endpoint issues for me.

    I’ll also add that a lot of managed AV products have their own firewall, and I prefer to manage AV/firewall as a package. We use Kaspersky Endpoint at work and it’s very granular in what it can do for application control and hardware control. It integrates excellently with Outlook and saves me trouble calls on emails that make it through the spam filter. It has some basic web category filtering built in, and I just apply that to laptop policies so I have some extra level of protection outside the office for users.

    Kaspersky can also do patch management [Windows and 3rd party apps], disk encryption, and remote support if you get the advanced license. We love, really love Kaspersky Endpoint.

    • Author
      Kyle Beckman 7 years ago

      Spam filtering typically isn’t configured on the endpoint, so I didn’t include it. I work in a HigherEd environment where filtering is… complicated. Filtering can be helpful, but it is getting harder and harder to fully implement because of mobile devices that don’t live on the corporate LAN and BYOD devices that aren’t owned by the organization.

© 4sysops 2006 - 2022