Endpoint Security

Public workspace security

Description: Shared workspace endpoints are physically protected against tampering with or removal of the hardware.
Specification: Public and/or shared workspaces are periodically reimaged and do not have autologon. Browsers on public...

Screen lock

Description: When a workstation is left unattended, the session/screen is locked automatically after a maximum of 15 minutes and the user is prompted for re-authentication.
Specification: Centrally managed via AD policy.

Memory protection

Description: Endpoints have appropriate protections to prevent attacks on memory.
Specification: Endpoint OS needs to have Address Space Layout Randomization (ASLR) enabled. Endpoint OS needs to use executable-space protection, preferably...

Local privileged accounts

Description: Regular end-users do not have continuous privileged access to endpoints, including but not limited to the ability to modify organisationally managed system settings, change environment variables, directly modify...

Anti-Malware protection

Description: Regular end-users do not have continuous privileged access to endpoints, including but not limited to the ability to modify organisationally managed system settings, change environment variables, directly modify...

Scripts and Executables

Description: Unless necessary for executing job responsibilities, by default user endpoints do not allow the execution of scripts and executables. If the function necessitates this access, it will be documented...