Don’t overlook the importance of making sure your workstations are as secure as possible. Here is a list of the top things to consider when deploying workstations.
Keep a list of all workstations, just like the server list, that includes who the workstation was issued to and when its lease is up or it’s reached the end of its depreciation schedule. Don’t forget those service tags!
Track where your workstations are by making sure that the record of each user’s issued hardware is kept up-to-date.
It’s very helpful when looking at logs if a workstation is named for the user who has it. That makes it much easier to track down when something looks strange in the logs.
You’ll probably assign IP addresses using DHCP, but you will want to make sure your scopes are correct and use a GPO to assign any internal DNS zones that should be searched when resolving flat names.
Since your users are logged on and running programs on your workstations, and accessing the Internet, they are at much higher risk than servers, so patching is even more important. Make sure all workstations are fully up-to-date before they are deployed, update your master image frequently, and ensure that all workstations are being updated by your patch management system.
Here’s how to handle workstation antivirus: 100% coverage of all workstations; workstations check a central server for updates at least every six hours, and can download them from the vendor when they cannot reach your central server. All workstations report status to the central server, and you can push updates when needed - Easy.
Consider using a host intrusion prevention or personal firewall product to provide more defense for your workstations, especially when they are laptops that frequently connect outside the corporate network.
Like servers, pick one remote access method and stick to it, banning all others. The more ways to get into a workstation, the more ways an attacker can attempt to exploit the machine. Ensure that only authorized users can access the workstation remotely, and that they must use their unique credential, instead of some common admin/password combination.
Consider deploying power saving settings through GPO to help extend the life of your hardware, and save on the utility bill. Make sure that you have Wake-On-LAN compatible network cards so you can deploy patches after hours if necessary.
All workstations should be domain joined so you can centrally administer them with unique credentials.
Use a script to create random passwords, and store them securely where they can be retrieved in an emergency.
Set appropriate memberships in either local administrators or power users for each workstation.
Organize your workstations in Organizational Units and manage them with Group Policy as much as possible to ensure consistent management and configuration.
Validate that each workstation reports to your antivirus, patch management and any other consoles before you turn it over to the user, and then audit frequently to ensure all workstations report.
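One way to run that audit is to cross-check the workstation list against exports from each console. This is an added example, not part of the original article; the CSV layouts, hostnames and the seven-day patch threshold are assumptions, and the six-hour antivirus update interval from the list is reused here as the staleness limit.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data; hostnames, column names and export layout are assumptions.
INVENTORY = """hostname,issued_to
WS-JSMITH,jsmith
WS-ALEE,alee
WS-MKHAN,mkhan
WS-TNGUYEN,tnguyen
"""
AV_CONSOLE = """hostname,last_checkin
ws-jsmith,2024-05-06T08:10:00
WS-ALEE,2024-05-05T21:00:00
WS-MKHAN,2024-05-06T07:30:00
WS-UNKNOWN,2024-05-06T08:00:00
"""
PATCH_CONSOLE = """hostname,last_checkin
WS-JSMITH,2024-05-05T22:00:00
WS-ALEE,2024-05-06T06:00:00
WS-MKHAN,2024-04-20T09:00:00
"""

def load_checkins(text):
    """Map upper-cased hostname -> last check-in time from a console CSV export."""
    return {r["hostname"].strip().upper(): datetime.fromisoformat(r["last_checkin"])
            for r in csv.DictReader(io.StringIO(text))}

def audit(inventory_csv, consoles, now):
    """consoles: {name: (csv_text, max_age)}. Returns sorted (host, console, problem)."""
    inventory = {r["hostname"].strip().upper() for r in csv.DictReader(io.StringIO(inventory_csv))}
    findings = []
    for name, (text, max_age) in consoles.items():
        seen = load_checkins(text)
        for host in inventory:
            if host not in seen:
                findings.append((host, name, "not reporting"))
            elif now - seen[host] > max_age:
                findings.append((host, name, "stale"))
        # A host a console knows about but the inventory does not is an untracked machine.
        findings += [(h, name, "not in inventory") for h in seen.keys() - inventory]
    return sorted(findings)

NOW = datetime(2024, 5, 6, 9, 0)  # fixed "current time" so the sample output is repeatable
CONSOLES = {"antivirus": (AV_CONSOLE, timedelta(hours=6)),  # six-hour interval from the list
            "patch": (PATCH_CONSOLE, timedelta(days=7))}     # assumed patch check-in limit
if __name__ == "__main__":
    for host, console, problem in audit(INVENTORY, CONSOLES, NOW):
        print(f"{host:12} {console:10} {problem}")
```

Hostnames are compared case-insensitively because console exports often differ in case from the inventory list.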
You probably won’t perform regular full backups of your workstations, but consider folder redirection or Internet based backups to protect critical user data.
There is no excuse for letting any laptop or portable drive out of the physical confines of the office without encryption in place to protect confidential data. Whether you use BitLocker, TrueCrypt, or hardware encryption, make it mandatory that all drives are encrypted.
Perform regular vulnerability scans of a random sample of your workstations to help ensure your workstations are up to date.
These server deployment tips will go a long way in helping you secure your servers against all threats. Good luck in your continued fight to protect your company’s network from attack!