Endpoint Management Configuration Requirements
1. Endpoint protection
1.1 GC users accessing GC systems or sensitive information use GC-owned and GC-managed endpoint devices that support applicable User and Workpoint Profiles. An endpoint includes laptops, tablets, desktops, mobile phones, servers and virtual machines that are deployed on-premises or in the cloud.
1.2 Identify GC-owned and GC-managed endpoint devices using certificate-based device authentication.
1.3 Implement access controls to prevent unauthorized devices from being granted access to GC networks, information systems, or sensitive information and data.
1.4 Encrypt data at rest through the use of cryptographic safeguards approved by the Cyber Centre, including full-disk encryption, as set out in Portable Data Storage Requirements.
1.5 Encrypt data in transit using the Cyber Centre’s approved cryptographic safeguards when communicating sensitive information over less trusted networks such as the Internet or other external networks.
1.6 Configure endpoints to use GC-approved domain name system (DNS) resolvers that conform to Domain Name System (DNS) Services Management Configuration Requirements.
1.7 Protect endpoints against both known and unknown malicious activity with appropriate host-based protections, including:
- 1.7.1 Cyber defence security services that detect and respond to anomalous behaviour, including those offered through the Cyber Centre’s host-based sensors in dynamic mode;
- 1.7.2 A host-based firewall that limits both inbound and outbound network connections to an approved set of applications and services; and
- 1.7.3 On-device reputational site-filtering and malware detection software that is configured with:
  - 1.7.3.1 Up-to-date signatures and heuristic detection capabilities to detect, isolate and defeat malicious code;
  - 1.7.3.2 Advanced threat detection, including detection of fileless malware;
  - 1.7.3.3 Engine and definition files that are checked for currency and updated at least daily; and
  - 1.7.3.4 Automatic and regular scheduled scanning that is configured for all fixed disks and removable media.
1.8 Ensure that host-based protections are tamper-resistant to prevent malware or unauthorized users from disabling or modifying security controls.
2. Endpoint hardening
2.1 Deploy standard operating environment baselines that use operating systems and applications configured with the latest releases of supported, up-to-date and tested versions of software.
2.2 Harden operating systems and applications to provide only essential capabilities in accordance with the Cyber Centre’s Top 10 IT Security Actions: Number 4 Harden Operating Systems and Applications (ITSM.10.090). This includes configurations that:
- 2.2.1 Disable all non-essential services, ports or functionality of systems, devices and applications; and
- 2.2.2 Remove or disable unnecessary accounts from systems and change passwords for default accounts.
2.3 Implement application control to restrict the execution of executables, software libraries, scripts and installers to an approved set, and configure it to generate event logs for failed execution attempts.
2.4 Implement device access control to prevent unauthorized devices from being connected.
2.5 Disable automatic execution features for removable media.
3. Endpoint management
3.1 Use a centralized endpoint management solution to:
- 3.1.1 Maintain an up-to-date inventory of endpoints, including versions and patch histories of applications, drivers, operating systems and firmware;
- 3.1.2 Apply and manage device configurations on all endpoints; and
- 3.1.3 Assess the hardware, software and specific configuration settings on each endpoint, record this data in one or more repositories, and make that information available to other systems.
3.2 Actively patch all operating systems, software applications, hardware and firmware installed on endpoint devices in accordance with the GC’s Patch Management Guidance to mitigate known software flaws and vulnerabilities.
4. Monitoring
4.1 Configure logging on endpoints, in accordance with the GC’s Event Logging Guidance, to improve the ability to detect and identify anomalous behaviours.
4.2 Forward event logs to a central logging facility for processing, storage, monitoring and analysis, protecting them from unauthorized modification and deletion using the Cyber Centre’s approved cryptographic safeguards.