This article is a template for you to copy and modify to fit your business needs. The security baseline described here is for a business.
This document describes the baseline security posture of business workstations. A workstation is a desktop computer, a laptop or a similar device. A workstation is not a smart phone or a tablet computer. For each section below, there is a second paragraph with an explanation and/or an example of why the policy applies.
Operating system version
The business should decide which versions of the operating system are accepted for installation. The version should be one that the intended staff member is trained to operate. The choice should also consider the operating system's ability to comply with the requirements of this document.
A staff member should not be asked to use software they’re not trained to use. The result could be misuse or no use of the system. It’s often smart to wait until staff have experienced the use of a given operating system outside of work (such as at home) and have therefore trained themselves to use the software sufficiently well.
System software updates
The operating system must be configured to check for, download and install security updates immediately. Other updates, including bug fixes and feature updates, should be configured to install one week after the release date to ensure adequate time for vendor testing and re-distribution. If an update server is available on the business network, it should be the source of workstation operating system updates.
All modern operating systems have in-built software update systems. Use them to apply security updates as soon as they are released by vendors. This helps prevent zero-day (and other) attacks.
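As an added example (not part of the policy template above), the following PowerShell function checks a Windows workstation's Windows Update policy against this section. It assumes the standard Windows Update policy registry keys and takes the business update server (WSUS) address from the caller; the server address shown is a placeholder.

```powershell
# Added example (not part of the policy template): audit a Windows workstation's
# Windows Update policy against the baseline above. Run in an elevated PowerShell.
# Assumptions: the registry paths are the standard Windows Update policy keys and
# the caller passes the WSUS address when the business runs an update server.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (policy not set)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-UpdateBaseline {
    param([string]$ExpectedWsusServer)   # placeholder address, e.g. 'http://wsus.example.internal:8530'

    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    $findings = @()

    # Automatic updates must be on, with automatic download and scheduled install
    $noAuto  = Get-PolicyValue $au 'NoAutoUpdate'
    $options = Get-PolicyValue $au 'AUOptions'
    if ($noAuto -eq 1)  { $findings += 'Automatic updates are disabled (NoAutoUpdate=1)' }
    if ($options -ne 4) { $findings += "AUOptions is '$options'; baseline expects 4 (auto download and schedule install)" }

    # If the business runs an update server, workstations must use it as their source
    if ($ExpectedWsusServer) {
        $server  = Get-PolicyValue $wu 'WUServer'
        $useWsus = Get-PolicyValue $au 'UseWUServer'
        if ($useWsus -ne 1 -or $server -ne $ExpectedWsusServer) {
            $findings += "Update source is '$server' (UseWUServer=$useWsus); expected $ExpectedWsusServer"
        }
    }

    # Windows defers "quality updates" as a class, and that class includes security
    # fixes, so a client-side deferral would also delay security updates. Keep it at 0
    # and enforce the one-week hold for other updates on the update server instead.
    $deferDays = Get-PolicyValue $wu 'DeferQualityUpdatesPeriodInDays'
    if ($deferDays -gt 0) { $findings += "Quality updates deferred $deferDays days; this also delays security updates" }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-UpdateBaseline -ExpectedWsusServer 'http://wsus.example.internal:8530' | Format-List
```

The one-week delay for non-security updates is best applied as an approval delay on the update server, since the client-side quality-update deferral cannot separate security fixes from other fixes.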
Third party software updates
Software not included in system updates should be configured individually to automatically check for, download and install updates without delay. Examples of such software include Java, Adobe Acrobat, web browsers and device drivers.
Third-party software is often not covered by the system's own update mechanism. These applications are also common routes by which attackers gain access to local and remote systems.
Management of user permissions must be controlled by the central authentication service. Users should be granted the least permissions possible for them to complete their work. Staff should not be able to log into workstations using local credentials.
Granting users more access than they need can result in system changes that will lower the security level of the workstation and take it out of compliance with this policy document.
Network data storage
Workstations should be configured to access network based data storage locations to allow staff to store and share information.
Users must have access to a personal storage area where only they have access and a departmental storage area where they can share information with other similarly responsible staff.
Workstations should not have backups configured. All workstation backups should be disabled.
Backups to portable devices are a security risk as those devices can be taken off-site by staff, cleaners or trespassers. Backing up workstations to the network can unexpectedly increase disk space usage and cause outages. If backups are required for workstations, ensure there are sufficient resources to accommodate them.
Documents should be stored on network storage locations and not on the local disks. Staff should be trained to use the network storage locations. Office applications should be configured to store documents on network storage locations by default.
By storing documents on the network, the business can be sure all information created by staff is included in backups.
All workstations that leave the business office must have disk-level encryption enabled. The password for system initiation should be sufficiently difficult to guess.
To the business, a lost workstation is a matter of procurement and inconvenience. It should not be a matter of security, either in terms of loss of business information (because the data is backed up on the network storage servers) or of unauthorised exposure of business data (because the disk is encrypted and therefore only accessible to authorised users).
Portable data storage devices
Portable storage devices such as USB disks must be blocked. Optical disks can be used, but only for reading and not for writing. This helps prevent confidential data from leaving the business computer systems.
Exceptions can be made if white-listing software is installed controlling which USB storage devices are usable by which staff. By preventing unidentified (non-white-listed) USB disks, business computer systems are further protected from malware.
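As an added example (not part of the policy template), this PowerShell check verifies the two requirements above on a Windows workstation: USB disks blocked (either the USB storage driver disabled or a Removable Storage Access deny policy set, the latter being the state a whitelisting product typically manages exceptions against) and optical media readable but not writable. The device-class GUIDs are the ones Microsoft documents for the Removable Storage Access policy; confirm them against your own Group Policy reference before relying on this.

```powershell
# Added example (not part of the policy template): check that USB mass storage is
# blocked and that optical media are read-only. Assumes the Windows "Removable
# Storage Access" policy keys; the device-class GUIDs are the ones documented for
# that policy (Removable Disks, CD and DVD). Run in an elevated PowerShell.

$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$CdAndDvd       = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-DenyFlag {
    param([string]$ClassGuid, [string]$Flag)   # Flag is Deny_Read or Deny_Write
    $item = Get-ItemProperty -Path "$PolicyRoot\$ClassGuid" -Name $Flag -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }           # an unset policy means access is allowed
    return [int]$item.$Flag
}

function Test-RemovableStorageBaseline {
    $findings = @()

    # Either the USB mass-storage driver is disabled outright (Start=4) ...
    $usbstor = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    $driverDisabled = ($usbstor -and $usbstor.Start -eq 4)
    # ... or removable disks are denied by policy (the state a whitelisting product grants exceptions from)
    $diskDenied = (Get-DenyFlag $RemovableDisks 'Deny_Read') -eq 1 -and (Get-DenyFlag $RemovableDisks 'Deny_Write') -eq 1
    if (-not ($driverDisabled -or $diskDenied)) {
        $findings += 'USB disks are usable: USBSTOR is enabled and no Removable Disks deny policy is set'
    }

    # Optical media: reading allowed, writing denied
    if ((Get-DenyFlag $CdAndDvd 'Deny_Read') -eq 1)  { $findings += 'CD/DVD reading is denied; baseline allows reading' }
    if ((Get-DenyFlag $CdAndDvd 'Deny_Write') -ne 1) { $findings += 'CD/DVD writing is allowed; baseline requires Deny_Write=1' }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-RemovableStorageBaseline | Format-List
```

Where a USB whitelisting product is installed, the deny policy stays in place and the product's own allow list is the record of which devices are permitted for which staff; this check only confirms the default is "deny".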
Internet access must be controlled by the use of a proxy. The proxy must be used while the workstation is inside the business office.
Modern web browsers can be configured to detect and use proxy servers via DNS, or can be configured through enforced policies (such as Group Policies). Proxies go a long way towards blocking unacceptable files, performing antivirus scans on inbound files and controlling who can access what and when.
Antivirus software should be installed with capabilities to identify, report back to a central server, block and remove malware including spyware and crypto-ware. Antivirus software should be configured to update automatically and run daily full-disk scans inclusive of all local disks. Network locations should be excluded from disk scans.
The actual time of the daily scan can be chosen and does not have to happen on boot/login. Scheduling for lunch time or afternoon may help staff work more optimally.
All modern operating systems come with host-based firewalls enabled by default. A choice has to be made to use either the operating system's built-in firewall or the antivirus product's firewall (if installed). Choose the option that reports violations and is centrally configurable.
Host-based firewalls protect individual workstations from threats on the local network. If one workstation becomes infected with malware, the malware is less able to achieve its goal when the other systems are protected at the network level by their own host-based firewalls.
Workstations with wireless network capabilities should be permitted to move about the office but staff should be discouraged from doing work while connected to the network via a wireless network. The workstation should be configured to join only the approved business wireless network and not rogue or other wireless networks.
Wireless networks are less stable than physical networks. Operating systems can be configured to join wireless networks without administrative permissions. If this is the case, a workstation could be joined to a malicious wireless network, or to a wireless network created by staff who have attached their own access point to the business network.
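As an added example (not part of the policy template), the following PowerShell audit covers the endpoint controls from the disk encryption, proxy, antivirus, host firewall and wireless sections above on a Windows workstation. It assumes BitLocker for disk encryption, Microsoft Defender as the antivirus product, the built-in Windows firewall, the text layout of `netsh wlan show filters`, and an approved wireless network name supplied by the caller ('CorpWiFi' is a placeholder).

```powershell
# Added example, not part of the policy template: audit the endpoint controls from
# the sections above (disk encryption, proxy, antivirus, host firewall, wireless)
# on a Windows workstation running Microsoft Defender. Assumptions: BitLocker for
# disk encryption, the built-in firewall, the 'netsh wlan show filters' text format,
# and an approved SSID passed by the caller ('CorpWiFi' is a placeholder). Run elevated.

function Test-EncryptionBaseline {
    # Portable workstations must have the system disk encrypted
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ("$($vol.ProtectionStatus)" -ne 'On') { return @("BitLocker protection is $($vol.ProtectionStatus) on $env:SystemDrive") }
    return @()
}

function Test-ProxyBaseline {
    # Per-user browser proxy: either a fixed proxy or an auto-config (PAC) URL must be set
    $s = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($s.ProxyEnable -ne 1 -and -not $s.AutoConfigURL) { return @('No proxy or PAC URL configured for this user') }
    return @()
}

function Test-AntivirusBaseline {
    $p = Get-MpPreference
    $findings = @()
    # Daily full scan; the hour is left to the business (lunch time is suggested above)
    if ($p.ScanScheduleDay -ne 0) { $findings += "Scan day is $($p.ScanScheduleDay); baseline wants 0 (every day)" }
    if ($p.ScanParameters -ne 2)  { $findings += "Scan type is $($p.ScanParameters); baseline wants 2 (full scan)" }
    # Network locations stay out of the full scan
    if (-not $p.DisableScanningMappedNetworkDrivesForFullScan) { $findings += 'Full scans include mapped network drives' }
    # Signatures update automatically: 0 means the Defender default check, otherwise an interval in hours
    if ($p.SignatureUpdateInterval -gt 24) { $findings += "Signature update interval is $($p.SignatureUpdateInterval) h" }
    return $findings
}

function Test-FirewallBaseline {
    $findings = @()
    foreach ($fw in Get-NetFirewallProfile) {
        if ("$($fw.Enabled)" -ne 'True') { $findings += "Firewall profile $($fw.Name) is disabled" }
        # Violations must be reportable: blocked connections are logged for central collection
        if ("$($fw.LogBlocked)" -ne 'True') { $findings += "Profile $($fw.Name) does not log blocked connections" }
    }
    return $findings
}

function Test-WirelessBaseline {
    param([string]$ApprovedSsid)
    # netsh lists the allow and block filters; the approved SSID must be allowed and all
    # other infrastructure networks blocked (assumes the 'netsh wlan show filters' text layout)
    $filters  = (netsh wlan show filters) -join "`n"
    $findings = @()
    if ($filters -notmatch [regex]::Escape("`"$ApprovedSsid`"")) { $findings += "Approved SSID $ApprovedSsid is not on the allow list" }
    if ($filters -notmatch '(?i)(block|deny) ?all') { $findings += 'Other wireless networks are not blocked (no denyall filter)' }
    return $findings
}

function Set-WirelessAllowList {
    param([string]$ApprovedSsid)
    # Remediation: allow only the approved network and block every other infrastructure network
    netsh wlan add filter permission=allow ssid="$ApprovedSsid" networktype=infrastructure | Out-Null
    netsh wlan add filter permission=denyall networktype=infrastructure | Out-Null
}

# @(...) forces each result to an array so empty and single-item results count correctly
$report = [ordered]@{
    Encryption = @(Test-EncryptionBaseline)
    Proxy      = @(Test-ProxyBaseline)
    Antivirus  = @(Test-AntivirusBaseline)
    Firewall   = @(Test-FirewallBaseline)
    Wireless   = @(Test-WirelessBaseline -ApprovedSsid 'CorpWiFi')
}
foreach ($area in $report.Keys) {
    $status = if ($report[$area].Count -eq 0) { 'compliant' } else { 'NON-COMPLIANT' }
    "$area : $status"
    $report[$area] | ForEach-Object { "    - $_" }
}
```

Run the audit as the logged-on user for the proxy check (it reads the per-user setting) and elevated for the rest. `Set-WirelessAllowList` is the matching remediation for the wireless finding; in a managed fleet the same two filters are better delivered through Group Policy so that staff cannot remove them.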