Workstation configuration management is a compliance must today, but I hate doing anything just for the sake of compliance. After all, we’re in business to do business - not just be compliant.
Group Policy is a great place to start with configuration management. Group Policy allows you to automate 80% of the configuration tasks that need to be managed on endpoints with a fraction of the effort it would take to manage endpoints individually. But the remaining 20% can’t be ignored and can easily eat up all the time you save with Group Policy.
Those remaining areas of configuration management that Group Policy can’t handle are important because, with any compliance requirement, my goal is to achieve compliance as efficiently as possible and hopefully glean some business and/or security value as well.
Configuration management for workstations offers all forms of value: compliance, business and security. To begin with, workstation configuration management is receiving more and more scrutiny from compliance regulations. We are seeing more and more compliance mandates that target the desktop specifically, such as the Federal Desktop Core Configuration and the Office of Management and Budget M-06-16 mandate.
Moreover, workstations are the initial infection host for today’s threats, and the first step in protecting workstations is ensuring that their configuration is secure and that their attack surface has been reduced as much as possible.
So as you can see, workstation configuration management is a great place to start to lower your risk against today’s biggest threats and make progress on compliance issues.
In this webinar I will stand up for Group Policy as the “right” way to configure the bulk of workstation security settings. But for endpoint configuration management to be secure, efficient and compliant, Group Policy is only part of the answer.
I will discuss the need for status visibility and reporting, so that you can verify and demonstrate compliance to the auditors and regulators.
In addition, there are many areas that Group Policy does not address; I’ll provide multiple examples of commands and configuration tweaks commonly required to secure endpoints for which there’s no corresponding setting within Group Policy. We will take a look at workarounds for handling these unsupported areas of configuration management. For example, we will discuss startup and logon scripts and ways to build logic into these scripts so that you can gauge their coverage across your many endpoints and their success or failure.
Another issue is the fact that workstation configuration is different from server configuration because the vectors, risks and usage scenarios are different. Most servers simply run services, and little happens on the desktop, with little to no contact with the Internet. Servers are for the most part touched by the more skilled and security-savvy hands of administrators. The focus with servers is on incoming connections. Workstations, on the other hand, are the opposite. Workstations interact with less skilled, less security-aware end users. Workstations constantly come into contact with content from the Internet, and instead of running background service processes they are executing interactive programs in a desktop session with applications that communicate with both the Internet and internal resources. So the number of risk vectors and security settings is much higher than for typical internal servers.
I will cover all of these issues and more to help you gain compliance while also reaping business and security value. Lumension is the sponsor, and I think you will benefit from learning how their endpoint security solution builds on Group Policy to provide visibility and support for areas not handled by Group Policy. Please join me for this real training for free (TM) event.