
Workstation Security Policy Best Practices


Some might say that workstations are a necessary evil. Users with varying degrees of technical and security aptitude use them around the clock, communicating with the world and taking care of business. Because workstations are an indispensable part of business, they come with a substantial security burden, especially for your information technology staff.

In the workstation security policy, you will define rules intended to reduce the risk of data loss/exposure through workstations.

Often, information security best practices are used synonymously with “Oh, that’s just common sense.” But remember that in security - and perhaps life in general - there’s no such thing as common sense. Spell out these best practices clearly and with as much detail as possible.

Define “workstation”

At a high level, a workstation is a device - be it personal or company-owned - that contains company data. This includes desktops and laptops, as well as mobile devices.

Require centralized management

As a general rule, to secure your network, you need to know what’s on it. A centralized management tool lets you inventory your workstations and standardize their configuration remotely. That way, when you learn of a new configuration setting that would further harden or secure your environment, you can push it to every machine within minutes. In Microsoft environments, Group Policy is the standard tool for defining user, security, and networking policies at the machine level.

Require an operating system baseline

Ensure that workstation operating systems are no more than one generation older than the current release. Otherwise, you risk systems falling out of support or, perhaps worse, no longer receiving critical security patches from the vendor. Microsoft maintains an up-to-date lifecycle document that is worth keeping in your browser bookmarks, and Apple provides similar documentation.

Require workstation encryption

As defined in your encryption policy, data should be encrypted at rest. A program such as BitLocker will provide full disk encryption for Windows systems, and FileVault can be used in the same way on Macs.

Require that workstations are locked when not in use

A strong password policy helps prevent workstations from being compromised, but that policy is of little help if employees don’t lock their workstations when they leave their desks. In case someone forgets to lock the workstation manually, sysadmins can enforce a technical control that does it automatically after a period of idle time. A password-protected screen saver (or a basic screen lock) is an effective access control to enforce on workstations as well as on other information systems, such as network servers.
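The idle-lock control described above is something you can verify and enforce per machine rather than trust to habit. The following PowerShell script is an added example, not code from the original article: it audits the machine inactivity limit and the per-user screen saver policy values (the same registry values the corresponding Group Policy settings write), reports drift, and optionally remediates. The 15-minute threshold is an assumption; set it to whatever your policy states.

```powershell
# Added example (not from the original article): audit the idle-lock controls a
# workstation policy relies on, and optionally remediate them.
# Assumptions: run elevated on Windows 10/11. InactivityTimeoutSecs is the value
# behind the "Interactive logon: Machine inactivity limit" security option; the
# three Desktop values are written by the Screen Saver settings under
# User Configuration > Administrative Templates > Control Panel > Personalization.

param(
    [int]$MaxIdleSeconds = 900,   # assumed policy: lock after 15 minutes of inactivity
    [switch]$Remediate            # set the values instead of only reporting
)

$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$userPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent so "unset" shows up explicitly in the report.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Machine-wide inactivity limit: applies to every interactive session on the box.
$inactivity = Get-PolicyValue $machinePolicy 'InactivityTimeoutSecs'
$findings.Add([pscustomobject]@{
    Control   = 'Machine inactivity limit (seconds)'
    Current   = $inactivity
    Expected  = "1..$MaxIdleSeconds"
    Compliant = ($null -ne $inactivity -and $inactivity -gt 0 -and $inactivity -le $MaxIdleSeconds)
})

# 2. Per-user screen saver policy for the profile running the script.
foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
    $value = Get-PolicyValue $userPolicy $name
    if ($name -eq 'ScreenSaveTimeOut') {
        $expected = "1..$MaxIdleSeconds"
        $ok = ($null -ne $value -and [int]$value -gt 0 -and [int]$value -le $MaxIdleSeconds)
    } else {
        $expected = '1'   # REG_SZ "1": screen saver on / password required on resume
        $ok = ("$value" -eq '1')
    }
    $findings.Add([pscustomobject]@{
        Control = "Screen saver policy: $name"; Current = $value; Expected = $expected; Compliant = $ok
    })
}

$findings | Format-Table -AutoSize

$nonCompliant = @($findings | Where-Object { -not $_.Compliant })
if ($Remediate -and $nonCompliant.Count -gt 0) {
    # Domain Group Policy overwrites these values on its next refresh, which is the
    # intended behaviour: GPO stays the source of truth, this is a local backstop.
    foreach ($path in $machinePolicy, $userPolicy) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    Set-ItemProperty -Path $machinePolicy -Name 'InactivityTimeoutSecs' -Value $MaxIdleSeconds -Type DWord
    Set-ItemProperty -Path $userPolicy -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $userPolicy -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $userPolicy -Name 'ScreenSaveTimeOut'   -Value "$MaxIdleSeconds" -Type String
    Write-Host "Idle-lock controls set to $MaxIdleSeconds seconds; re-run without -Remediate to verify."
}
```

Run it without `-Remediate` from a scheduled task or your endpoint management tool to collect findings, and treat an unset value as a failure rather than a pass: a missing policy value means the user can disable the screen saver themselves.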

Define that workstations must be used for authorized business purposes only

With all the hours they clock on their workstations, it’s natural for employees to treat company devices like personal property. They might play games, use services that stream music and movies, or start running applications used to store and share personal files. Your workstation security policy should remind users that company property is to be used only for work-related purposes and that all activities and data stored on the device can be monitored, changed, or deleted at any time. Some organizations even choose to limit wireless network access so that workstations can only be joined to access points that use encryption.

Loss or destruction of devices should be reported immediately

In the event of a workstation or any other company asset being lost or stolen, users need clear instructions and a contact person/department so the incident can be reported and handled correctly. You may wish to include verbiage that reminds users how time-sensitive the handling of such issues can be. For instance, a statement such as “Please report missing devices as soon as possible so IT can attempt to wipe the device. This will also help us protect the company’s data, integrity, and reputation.”

Require laptops and desktop devices to have the latest version of antivirus software that has been approved by IT

If you’re running a centralized antivirus solution, ensure that part of your standard operating procedures includes doing a scheduled check to make sure all endpoints have AV, and that it is adequately updated on a regular basis. Most commercial solutions also let you run a report that highlights any machines missing protection or current virus definitions.
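The scheduled check described above, together with the OS baseline and disk encryption requirements from the earlier sections, can be collected in one fleet report. The following PowerShell script is an added example and not code from the article or from any vendor: it assumes Windows workstations reachable over WinRM, an account with local administrator rights on them, Microsoft Defender as the antivirus, and a list of approved OS builds that you maintain. The computer names, approved builds, and the three-day signature age limit are constructed placeholders.

```powershell
# Added example (not the article's code): scheduled workstation compliance report
# covering OS baseline, BitLocker on the system drive, and Defender AV status.
# Assumptions: WinRM enabled on targets, local admin rights, Microsoft Defender.
param(
    [string[]]$ComputerName = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02'),   # constructed names
    [string[]]$ApprovedBuilds = @('10.0.19045', '10.0.22631'),       # constructed baseline list
    [int]$MaxSignatureAgeDays = 3,                                   # assumed policy threshold
    [string]$CsvPath = "$env:TEMP\workstation-compliance.csv"
)

# Runs on each workstation; returns raw facts only, the policy decision happens centrally.
$collector = {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $av  = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }
    $bde = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $null }
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OsVersion        = $os.Version
        OsCaption        = $os.Caption
        SystemDriveProt  = if ($bde) { "$($bde.ProtectionStatus)" } else { 'Unknown' }
        AvInstalled      = [bool]$av
        RealTimeOn       = if ($av) { [bool]$av.RealTimeProtectionEnabled } else { $false }
        SignatureAgeDays = if ($av) { [int]$av.AntivirusSignatureAge } else { $null }
    }
}

$results = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock $collector -ErrorAction SilentlyContinue)

$report = [System.Collections.Generic.List[object]]::new()
foreach ($r in $results) {
    $report.Add([pscustomobject]@{
        Computer     = $r.Computer
        OsVersion    = $r.OsVersion
        BaselineOk   = ($r.OsVersion -in $ApprovedBuilds)
        EncryptionOk = ($r.SystemDriveProt -eq 'On')
        AvOk         = ($r.AvInstalled -and $r.RealTimeOn -and
                        $null -ne $r.SignatureAgeDays -and $r.SignatureAgeDays -le $MaxSignatureAgeDays)
        SigAgeDays   = $r.SignatureAgeDays
        Note         = ''
    })
}

# A workstation that did not answer is a finding, not a pass: it may be unmanaged,
# offline for weeks, or have WinRM disabled, and none of those are "compliant".
$answered = @($results | ForEach-Object { $_.PSComputerName })
foreach ($missing in ($ComputerName | Where-Object { $_ -notin $answered })) {
    $report.Add([pscustomobject]@{
        Computer = $missing; OsVersion = $null; BaselineOk = $false; EncryptionOk = $false
        AvOk = $false; SigAgeDays = $null; Note = 'No response over WinRM'
    })
}

$report | Export-Csv -Path $CsvPath -NoTypeInformation
$failures = @($report | Where-Object { -not ($_.BaselineOk -and $_.EncryptionOk -and $_.AvOk) })
$failures | Format-Table -AutoSize
Write-Host ("{0} of {1} workstations out of policy; full report: {2}" -f $failures.Count, $report.Count, $CsvPath)
```

Keeping the collector to raw facts and making the pass/fail decision centrally means the thresholds live in one place, so tightening the policy (say, a two-day signature limit) is a parameter change rather than a fleet-wide script update.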

Require endpoints to have their operating system patched monthly

A fundamental part of good workstation security is to keep machines patched with security updates and fixes from the manufacturer. In a Windows environment, Microsoft provides guidance for leveraging Group Policy to configure workstations for automatic updates. Be aware that depending on the configuration you enforce, users may have the option to defer patches for extended periods of time, which may inadvertently cause violations of the workstation security policy.
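The deferral caveat above is easy to miss because a machine with automatic updates enabled by policy can still be paused by a user from the Settings app. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the Windows Update policy values that Group Policy writes, the user-initiated pause marker, and the age of the newest installed hotfix, and flags anything that would let a workstation drift past a monthly patch window. The deferral and patch-age thresholds are constructed values.

```powershell
# Added example (not from the original article): audit Windows Update policy on a
# workstation and flag deferral or pause settings that undermine monthly patching.
# Assumptions: run elevated on a Windows 10/11 workstation; thresholds are assumed.
param(
    [int]$MaxQualityDeferDays = 7,   # assumed: quality (security) updates may be deferred at most a week
    [int]$MaxPatchAgeDays     = 35   # assumed: newest hotfix must be no older than one patch cycle plus slack
)

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"
$uxState  = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'   # where the Settings app records a user pause

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$noAutoUpdate = Get-RegValue $auPolicy 'NoAutoUpdate'                    # 1 = automatic updates disabled
$auOptions    = Get-RegValue $auPolicy 'AUOptions'                       # 4 = auto download and schedule install
$deferQuality = Get-RegValue $wuPolicy 'DeferQualityUpdatesPeriodInDays'
$pausePolicy  = Get-RegValue $wuPolicy 'PauseQualityUpdatesStartTime'    # admin-side pause via policy
$pauseUxLock  = Get-RegValue $wuPolicy 'SetDisablePauseUXAccess'         # 1 = user cannot pause from Settings
$pauseExpiry  = Get-RegValue $uxState  'PauseUpdatesExpiryTime'          # present while a user pause is active

# Newest successfully installed hotfix; entries without a date are ignored.
$lastHotfix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge   = if ($lastHotfix) { (New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days } else { $null }

$findings = @(
    [pscustomobject]@{ Control = 'Automatic updates enabled (NoAutoUpdate != 1)'
                       Value = $noAutoUpdate; Compliant = ($noAutoUpdate -ne 1) }
    [pscustomobject]@{ Control = 'Auto download and scheduled install (AUOptions = 4)'
                       Value = $auOptions;    Compliant = ($auOptions -eq 4) }
    [pscustomobject]@{ Control = "Quality update deferral <= $MaxQualityDeferDays days"
                       Value = $deferQuality; Compliant = ($null -eq $deferQuality -or $deferQuality -le $MaxQualityDeferDays) }
    [pscustomobject]@{ Control = 'Quality updates not paused by policy'
                       Value = $pausePolicy;  Compliant = [string]::IsNullOrEmpty($pausePolicy) }
    [pscustomobject]@{ Control = 'Pause option removed from Settings app'
                       Value = $pauseUxLock;  Compliant = ($pauseUxLock -eq 1) }
    [pscustomobject]@{ Control = 'No active user-initiated pause'
                       Value = $pauseExpiry;  Compliant = [string]::IsNullOrEmpty($pauseExpiry) }
    [pscustomobject]@{ Control = "Newest hotfix installed within $MaxPatchAgeDays days"
                       Value = $patchAge;     Compliant = ($null -ne $patchAge -and $patchAge -le $MaxPatchAgeDays) }
)

$findings | Format-Table -AutoSize
# Non-zero exit code so a scheduled task or RMM tool can alert on drift.
$failed = @($findings | Where-Object { -not $_.Compliant }).Count
exit ([int]($failed -gt 0))
```

The last check is the one that matters most: registry settings describe intent, while the age of the newest installed hotfix shows whether patches are actually landing on the machine.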

Require third-party applications (Adobe, Java, browsers, etc.) on endpoints to be patched monthly

Keeping third-party applications up to date is also part of a healthy workstation configuration. However, you cannot simply follow a “patch everything” approach as you might with operating system updates. You need a solid understanding of the applications on your network and of any versions that must stay static. For example, certain web-based applications may rely on a particular version of Java, and if you patch workstations to the latest version, the web application may break for users.
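One way to keep the "patch everything except the pinned versions" rule honest is to inventory installed applications and compare them against a small policy table. The following PowerShell script is an added example, not code from the article: it reads the Uninstall registry keys that installers populate, applies a minimum version to applications that must stay current and an exact pinned version to the one a line-of-business system depends on, and reports drift in both directions. The application names and version numbers in the policy table are constructed placeholders, not real release numbers.

```powershell
# Added example (not from the original article): third-party application version
# audit against a policy table with both "at least" and "exactly" rules.
# Assumption: applications register under the standard Uninstall keys. The names
# and versions in $policy are constructed placeholders.
$policy = @(
    @{ Match = 'Google Chrome';   MinVersion = '120.0.0.0'; Pinned = $null }
    @{ Match = 'Mozilla Firefox'; MinVersion = '115.0';     Pinned = $null }
    @{ Match = 'Java 8 Update';   MinVersion = $null;       Pinned = '8.0.3510.10' }  # constructed pin for a legacy web app
)

# 64-bit, 32-bit (WOW6432Node) and per-user installs all register separately.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion } |
    Select-Object DisplayName, DisplayVersion

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # Keep only the leading dotted-numeric part so "1.2.3 (x64)" or "1.2.3-beta" still compare;
    # [version] needs at least two components, hence the {1,3} on the dotted groups.
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') { [version]$Matches[1] } else { $null }
}

$report = foreach ($rule in $policy) {
    $hits = @($installed | Where-Object { $_.DisplayName -like "*$($rule.Match)*" })
    if ($hits.Count -eq 0) {
        [pscustomobject]@{ App = $rule.Match; Installed = '-'; Status = 'Not installed' }
        continue
    }
    foreach ($app in $hits) {
        $v = ConvertTo-ComparableVersion $app.DisplayVersion
        $status =
            if ($null -eq $v)      { 'Unparseable version' }
            elseif ($rule.Pinned)  {
                # A pinned app is out of policy when it is either behind OR ahead of the pin.
                if ($v -eq [version]$rule.Pinned) { 'OK (pinned)' } else { "DRIFT from pinned $($rule.Pinned)" }
            }
            elseif ($v -lt [version]$rule.MinVersion) { "OUT OF DATE (minimum $($rule.MinVersion))" }
            else                   { 'OK' }
        [pscustomobject]@{ App = $app.DisplayName; Installed = $app.DisplayVersion; Status = $status }
    }
}

$report | Sort-Object Status | Format-Table -AutoSize
```

Treating a pinned application that has been upgraded as drift is deliberate: a helpful user or an auto-updater that moves Java forward breaks the dependent web application just as surely as a missed patch creates exposure, and both belong in the same report.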

Deploy physical safeguards

Technical safeguards are essential for workstations that reside in your office spaces, but if you have employees who work from home most of the time, controlling physical access to their workstations becomes a significant concern as well. Consider providing employees with cable locks for workstations to deter physical theft. You might also want to offer privacy screen filters for monitors, which are especially crucial for HIPAA security. Finally, protect workstations from loss of data, power drops, and surges by using power strips, surge protectors, and battery backup systems.

Reinforce workstation controls with policies

Make sure that any physical or technical controls are reinforced with the appropriate complementary policies, such as an acceptable use policy and a portable workstation encryption policy. Without this framework in place, it’s difficult to take disciplinary action against employees who fail to comply with your policies. Employees need some freedom and flexibility in the way they use workstations to get work done.

However, at the end of the day, workstations are a company asset that store and transmit incredibly valuable and sensitive information. Create a clear and concise workstation security policy to ensure workstations are used as safely, securely, and productively as possible.


About the Author

Brian, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security in short, 7-minute chunks.
