Automating Desktop Hardening Requirements

By Zach DeMeyer. Posted January 29, 2020.

Hardening systems can be a fairly straightforward task, but performing the process manually can be a pain for IT admins. That’s why organizations concerned about new requirements should look for solutions to automate desktop hardening.

But before we talk about finding the right solution, let’s discuss what needs to be solved in the first place.

What is Desktop Hardening?

Desktop hardening is the practice of reducing the number of attack vectors that can affect an individual system. Often, IT admins harden their system fleets by deploying patches to each system’s kernel, the bridge between the application and hardware levels of a computer. Other examples of desktop hardening include installing firewall and antivirus software, debloating or uninstalling unused software, encrypting data whenever and wherever possible, and more.

In practice, IT admins need to exercise several forms of desktop hardening to ensure the best results. Each step adds up, taking an admin anywhere from hours to weeks to manually harden each individual system in their organization. Since desktop hardening is an extensive time commitment, it sparks the need for an automation solution.

Example: Major Telecom Desktop Hardening Requirements

The following high-level overview will help major telecom partners and resellers contextualize new hardening requirements and start planning how to address their automation solution needs. Once you’ve established baselines for your evaluation, we recommend looking to specific policy and command executions for granular detail about each requirement. 

Access Control

First and foremost for any desktop hardening endeavor is access control. IT admins need to ensure that only the right people are accessing critical company resources. Technically, access control falls outside the scope of traditional desktop hardening, but when considered as a holistic way to increase endpoint security, the practice makes a lot of sense. Additionally, this requirement is standard across most compliance regulations, so organizations should always consider some form of access control to secure their systems.

A good way to start is to enforce strong password policies, ensuring that end users are creating credentials that are difficult to compromise, and taking extra care to avoid weak or reused passwords that might be used in a credential stuffing attack. Piggybacking on this concept, multi-factor authentication (MFA) is one of the most secure ways to safeguard identities and make sure that a user is who they say they are.

Authorize Access

Authorizing access is another key facet of the desktop hardening requirements. Admins need to meticulously manage which users have access to what resources — akin to the principle of least privilege applied to user management.

By controlling who has access to a resource, IT admins can limit the amount of overall contact with said resource, especially if it pertains to critical company data. That way, in the case of an external breach or insider attack, a set of credentials is only as good as the resources it has access to, curbing the amount of havoc the attacker can wreak. This even goes as deep as restricting resource access to a business’s hours of operation, an especially important practice for organizations with Point of Sale (POS) systems.

Audit Actions

With steps in place to make sure the right people have access to the right things, admins then need a solution to monitor their environment to check for other vulnerabilities. By auditing system activities, IT organizations can keep minute-by-minute tabs on their users’ actions.

Among the most important aspects to audit, admins need to have insights into user account updates, especially password changes. Additionally, admins must audit to see what software a system has installed, including when the software was downloaded and where it was downloaded from.

If an anomaly is spotted in any of these aspects, IT organizations can make educated decisions about how to address the problem. This can range anywhere from suspending a user to even quarantining the system itself to ensure security. As such, auditing is critical to compliance regulations beyond the new hardening requirements. 

Threat Protection

Protecting the endpoints themselves shifts from the more holistic, identity-centric hardening approach to the hardware-focused definition. There are a number of steps that admins must take to protect their system fleets from threats. These range from checking whether a system has up-to-date patches to investing in firewall and antivirus software, and everything in between.

Although many of these seem straightforward, the challenge for IT admins is deploying each individual facet. Without the proper tooling, some systems may fall through the cracks, exposing an organization to attacks.

Information Protection

The last of the hardening requirements pertains to protecting data stored on a system and ensuring that said data cannot be compromised in any way, digitally or physically. As such, encryption, such as protecting data at rest through full disk encryption (FDE), is crucial. As with threat protection, IT admins need a way to automate encryption in as many places as possible.

Beyond encryption, other security measures such as setting screen lock times are important to keep bad actors from interfacing directly with an unattended system. A major part of this practice involves creating a security training regimen for end users. That way, in any situation where information might be at risk, such as a phishing attempt, employees are prepared to recognize threats.
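
The following Python example is added here and is not part of the original post or any JumpCloud tooling: it evaluates a constructed fleet inventory against the threat-protection and information-protection controls named above, and fails closed when a system does not report a field, so that silent systems do not fall through the cracks. The field names, thresholds, and hostnames are assumptions made for illustration.

```python
from datetime import date

# Assumed baseline thresholds (illustrative, not from any published requirement).
MAX_PATCH_AGE_DAYS = 30
MAX_SCREEN_LOCK_SECONDS = 600

# Constructed inventory, shaped like rows a fleet query tool might return.
INVENTORY = [
    {"host": "pos-01", "last_patch": "2020-01-20", "firewall": True,
     "antivirus": True, "fde": True, "screen_lock_s": 300},
    {"host": "lt-014", "last_patch": "2019-10-02", "firewall": True,
     "antivirus": True, "fde": False, "screen_lock_s": 900},
    # Agent stopped reporting most fields: must not pass by default.
    {"host": "ws-207", "last_patch": "2020-01-15", "firewall": True},
]

def _patched(s, today):
    age = (today - date.fromisoformat(s["last_patch"])).days
    return 0 <= age <= MAX_PATCH_AGE_DAYS

# Each control is a predicate over one inventory row (hypothetical field names).
CONTROLS = {
    "patches_current": _patched,
    "firewall_enabled": lambda s, today: s["firewall"] is True,
    "antivirus_installed": lambda s, today: s["antivirus"] is True,
    "full_disk_encryption": lambda s, today: s["fde"] is True,
    "screen_lock": lambda s, today: 0 < s["screen_lock_s"] <= MAX_SCREEN_LOCK_SECONDS,
}

def evaluate(system, today):
    """Return the controls a system fails; missing or malformed data fails closed."""
    failed = []
    for name, check in CONTROLS.items():
        try:
            ok = check(system, today)
        except (KeyError, TypeError, ValueError):
            ok = False  # an unreported field counts as non-compliant
        if not ok:
            failed.append(name)
    return failed

def fleet_report(inventory, today):
    """Map each non-compliant host to its list of failed controls."""
    report = {}
    for s in inventory:
        failed = evaluate(s, today)
        if failed:
            report[s["host"]] = failed
    return report

if __name__ == "__main__":
    for host, failed in fleet_report(INVENTORY, date(2020, 1, 29)).items():
        print(host, "->", ", ".join(failed))
```
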

Automating Desktop Hardening with JumpCloud

With all of these requirements in mind, finding the right solution to automate these needs may seem daunting. Thankfully, JumpCloud® Directory-as-a-Service® covers many of these desktop hardening requirements from a single cloud solution.

What is JumpCloud?

JumpCloud is the first cloud directory service, unifying identity and access management in one tool and providing user access to virtually all modern IT resources with a single set of credentials. As such, JumpCloud is a key tool for meeting hardening requirements, as well as many industry compliance regulations.

With JumpCloud, IT admins can tightly control what resources their users can access and how they access them. This includes enforcing strong password requirements, MFA, VLAN tagging for network access, and more.

IT organizations can leverage JumpCloud Policies to enforce security settings at scale across Windows®, Mac®, and Linux® system fleets. Some Policies include screen lock, FDE, system update/patch controls, and many more, all configurable from the cloud.

Additionally, admins can use JumpCloud’s premium System Insights feature to query system fleets for information on operating system, most recent patches, browser versions, battery life, storage capacity, and much more. Armed with this info, admins can make informed decisions about which systems need direct hardening efforts and which ones are operating below peak efficiency.

Learn More

Interested in automating desktop hardening requirements for your organization? Contact us; we’d be happy to talk about how JumpCloud can fill your needs.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.