Keeping a high security posture on enterprise workstations is one of the strongest methods to secure and shield your data and intellectual property against modern attacks.

Attackers strive to gain access to workstations, typically through phishing, which then gives them the opportunity to deploy malware. They will then try to escalate their privileges through numerous techniques, such as exploiting an unpatched workstation (which leaves the machine in an unhealthy state), misconfigured services from third-party applications, DLL hijacking and more.

By standardizing and hardening the workstations with a security baseline through policies, configurations and smart decisions, we can keep the endpoints secure and the attackers at bay.

The intention of this blog post is to describe the minimal required technical configurations that will help to protect against known modern attacks from organized crime, nation-state sponsored groups and other advanced persistent threats.

Based on knowledge and on what I actually see at our clients, compromising a workstation with its typical “out of the box” configuration would be a breeze for any non-sophisticated attacker, and from there it could be a painless journey to escalate their privileges, continue their lateral movement and compromise your entire infrastructure.

By deviating from the following recommendations, you will implicitly accept a decrease in your workstation security, thus making it significantly easier for an attacker to compromise it.

Keeping and maintaining a secure and healthy workstation is a layered approach. This blog post explains multiple ways to achieve an acceptable security posture, including Group Policies, hardware hardening and security software implementation combined with configuration.

Hardening and configuration can, and will, be done in different focus areas, involving:

Every modern workstation client comes with a feature-rich UEFI implementation, which allows settings to be enabled or disabled that could leave the workstation in an unhealthy and less secure state.

By possessing and maintaining a UEFI security baseline, shielded and protected with an administrative password, we can ensure that all the necessary UEFI settings are in place, which allows us to take advantage of features such as Secure Boot and VBS (Virtualization-based Security).

All unnecessary features and settings in the UEFI should be disabled, and at minimum:
Enforce an administrative password upon booting into UEFI or “boot options”.

A UEFI baseline could be standardized and deployed with different techniques and models, depending on hardware. If Lenovo hardware is being utilized, one approach could be a simple PowerShell script, or fancier tools such as the Lenovo Think BIOS Config Tool.

When users travel, their organization’s confidential data travels with them. Wherever confidential data is stored, it must be protected against unauthorized access. BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen or inappropriately decommissioned computers.

BitLocker provides encryption for full drives, operating system drives and portable drives. BitLocker provides the most protection when used together with a TPM chip version 1.2 or later. The TPM chip works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

The operating system disk should be encrypted with BitLocker XTS-AES 128-bit at minimum and should be protected by the recovery key stored in the TPM chip and in Active Directory. Unlocking the BitLocker drive should be done with the TPM chip and a start-up PIN. By utilizing a start-up PIN, data on the encrypted volume cannot be accessed without entering the PIN. Using TPM-only validation does not require any interaction with the user to unlock and provide access to the drive: if the TPM validation succeeds, the user sign-in experience is the same as a standard logon, which is why implementing a BitLocker start-up PIN should be highly considered when encrypting the workstation drives.
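As an added example that is not part of the original post (and not an official Microsoft script), here is a PowerShell check for the BitLocker baseline described in this post, assuming an elevated session on a domain-joined Windows 10/11 client and using only the built-in BitLocker module cmdlets; the function names are my own.

```powershell
#Requires -RunAsAdministrator
Import-Module BitLocker
# Audits the OS volume against the baseline in this post: XTS-AES 128 or stronger,
# TPM + start-up PIN for unlock, and a recovery password escrowed in Active Directory.
function Test-OsVolumeBaseline {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $findings = @()

    # 1. Cipher: anything other than XTS-AES 128/256 (AES-CBC, or no encryption) fails.
    if ($vol.EncryptionMethod -notin @('XtsAes128', 'XtsAes256')) {
        $findings += "Encryption method is '$($vol.EncryptionMethod)'; expected XtsAes128 or XtsAes256"
    }

    # 2. Unlock: a TPM-only protector boots straight to the logon screen, so the
    #    baseline requires a protector that combines the TPM with a start-up PIN.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
        $findings += "No TPM+PIN protector present (found: $($types -join ', '))"
    }
    if ($types -contains 'Tpm') {
        $findings += "A TPM-only protector is still present; remove it once TPM+PIN is in place"
    }

    # 3. Recovery: a recovery password must exist, otherwise nothing can be escrowed in AD.
    if ($types -notcontains 'RecoveryPassword') {
        $findings += "No recovery password protector; nothing can be backed up to Active Directory"
    }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}
# Escrows every recovery password protector of the volume in AD DS (requires the
# "Store BitLocker recovery information in AD DS" policy to be applied to the client).
function Backup-RecoveryPasswordToAd {
    param([string]$MountPoint = $env:SystemDrive)
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId }
}

$result = Test-OsVolumeBaseline
$result.Findings | ForEach-Object { Write-Warning $_ }
if ($result.Compliant) { Backup-RecoveryPasswordToAd }
```

To bring a fresh machine onto the baseline in the first place, `Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes128 -TpmAndPinProtector -Pin (Read-Host 'Start-up PIN' -AsSecureString)` creates the TPM+PIN protector, and `Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector` adds the recovery password that the script above escrows.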