Desktop computers and workstations are an indispensable part of enterprise operations and hold a wealth of information that organizations need to protect. Without adequate endpoint security, however, a compromised desktop or workstation becomes an entry point into the corporate network, and the resulting damage can be severe and long-lasting. Strong security controls are therefore critical not only on the centralized systems where critical data resides, but also on the endpoints that serve as entry points to an enterprise network. In this blog, we review ten best practices for desktop and workstation security.
What is desktop and workstation security?
In the workplace, desktops and workstations are computers that connect to and exchange data with a corporate network. They may hold confidential, sensitive, or protected company information, such as customer, vendor, and financial data.
To prevent data breaches arising from these endpoints, organizations implement desktop and workstation security — a component of endpoint security — which involves a set of policies, practices, and solutions that safeguard these devices from unauthorized access.
Why is desktop and workstation security important?
Given that desktop computers and workstations are common in the workplace today, they present an expansive attack surface for bad actors.
Here's a scenario to consider: if an attacker compromises a user's workstation, the attacker can impersonate that user and reach any information or application that user can access on the corporate network. Even the workstations of users without access to sensitive resources are targets. How? Attackers, particularly in advanced persistent threat (APT) campaigns, will take any device as a beachhead and pivot from it to the rest of the network. If local administrator privileges are not monitored and controlled, the attacker can escalate privileges and move laterally, resulting in a potentially catastrophic breach.
According to a study conducted by the Ponemon Institute, 68% of organizations experienced one or more attacks on an endpoint (including desktops and workstations) within a 12-month period, and the same percentage saw endpoint attacks increase from the year before. This suggests that while most cyber threats have historically arrived through the network, the trend is shifting toward endpoint-based attacks. For that reason, endpoint security, especially for desktops and workstations, cannot be overlooked in an organization's overall security program.
How to secure desktops and workstations
Below are ten best practices you should consider implementing to better secure the desktops and workstations at your organization:
(1) Centralized management
Centralized management tools allow you to update device operating systems, standardize and maintain proper device configurations throughout the usage lifecycle, and gain visibility into device status to ensure uptime and availability. This way, you can ensure that each device is properly configured, optimized, and has the latest updates and patches to address known security vulnerabilities.
(2) Data encryption
Encryption is important to every organization today because it protects confidential data by converting it into ciphertext, a form that is unreadable without the corresponding key. Encryption makes it far harder for cybercriminals or other unauthorized parties to steal and misuse the data, since only those holding the decryption key can recover the original information. On desktops and workstations this usually means full-disk encryption (for example BitLocker on Windows or FileVault on macOS), which protects data at rest on a lost or stolen device; it does not protect data on a machine that is powered on and unlocked, so it complements rather than replaces the other controls below.
(3) Antivirus and anti-spyware
All desktops and workstations should have the latest version of the antivirus and anti-spyware software approved by IT. This ensures that work devices are protected against viruses and other malicious software, including keyloggers, browser hijackers, Trojan horses, worms, rootkits, spyware, adware, botnet agents, and ransomware. Most commercial solutions offer central management, automated updates, and scheduled reports that highlight any devices missing protection or current virus signatures.
(4) Firewalls
Host firewalls should be turned on and configured correctly for all desktops and workstations, as they shield the computer from malicious or unnecessary network traffic. When a computer is connected to the Internet, it is exposed to malware and attackers, and a firewall that blocks unsolicited inbound connections by default acts as the first line of defense to stop them from reaching the system.
(5) Patch management
Patching operating systems is one of the most effective controls to prevent bad actors from gaining access to your desktops and workstations. Patches should be applied frequently to fix known vulnerabilities and improve your organization's security posture.
Similarly, you should also patch third-party applications to reduce the risk of cyberattacks and improve software functionality. However, you should not follow a blind "patch everything immediately" approach, because a patch can create problems with other applications or components on your desktops and workstations. Instead, test new patches as much as you are able, or roll them out gradually so that any issues are caught early and affect as few devices as possible.
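The checks behind items (2) through (5) can be scripted so that a management tool or technician can verify one workstation in a single pass. The following PowerShell script is an added example written for this article, not PortalGuard's or Microsoft's own code. It assumes a Windows 10/11 machine with Microsoft Defender, the BitLocker and NetSecurity PowerShell modules, and an elevated session; the signature-age and patch-age thresholds are assumed policy values, not figures from the text.

```powershell
# Added example, not PortalGuard code: audit one Windows workstation against the
# baseline items (2) disk encryption, (3) antivirus, (4) host firewall and (5) patching.
# Assumes Windows 10/11 with Microsoft Defender, the BitLocker and NetSecurity modules,
# and an elevated session. The thresholds are assumed policy values, not from the text.
#Requires -RunAsAdministrator

function Test-WorkstationBaseline {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 3,     # assumed: AV signatures older than this fail
        [int]$MaxPatchAgeDays     = 30,    # assumed: no update installed in this window fails
        [switch]$RemediateFirewall         # switch non-compliant firewall profiles to block-inbound
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # (2) Full-disk encryption: the OS volume must be fully encrypted with key protectors active.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Finding 'BitLocker on OS drive' `
        ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On') `
        "VolumeStatus=$($os.VolumeStatus) ProtectionStatus=$($os.ProtectionStatus)"

    # (3) Antivirus: real-time protection enabled and signatures recently updated.
    $mp = Get-MpComputerStatus
    Add-Finding 'Defender real-time protection' $mp.RealTimeProtectionEnabled `
        "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'Defender signature age' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
        "AntivirusSignatureAge=$($mp.AntivirusSignatureAge) days (max $MaxSignatureAgeDays)"

    # (4) Host firewall: every profile (Domain, Private, Public) enabled and dropping
    #     unsolicited inbound traffic by default. A profile left 'Allow' inbound is the weak setting.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ("$($p.Enabled)" -eq 'True' -and "$($p.DefaultInboundAction)" -eq 'Block')
        if (-not $ok -and $RemediateFirewall) {
            Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
            $ok = $true
        }
        Add-Finding "Firewall profile '$($p.Name)'" $ok `
            "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
    }

    # (5) Patching: the most recently installed update must fall inside the allowed window.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) {
        $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
        Add-Finding 'OS update recency' ($age -le $MaxPatchAgeDays) `
            "$($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString()) ($age days ago, max $MaxPatchAgeDays)"
    } else {
        Add-Finding 'OS update recency' $false 'No installed updates reported by Get-HotFix'
    }

    return $findings
}

# Run the audit, print a table, and exit non-zero so a management agent can flag the device.
$report = Test-WorkstationBaseline
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it as `.\Test-WorkstationBaseline.ps1` from an elevated prompt, or pass `-RemediateFirewall` to the function to flip any profile that allows inbound traffic by default to Block before reporting. The BitLocker and Defender cmdlets only exist where those features are present (BitLocker needs a Pro or Enterprise edition; Get-MpComputerStatus is unavailable when a third-party product has replaced Defender as the primary engine), so on such machines the affected checks error and report as failing rather than silently passing.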
(6) Physical safeguards
Although the workforce has become more distributed, with office-based, remote, and hybrid workers, organizations can still deploy physical safeguards that enable users to protect their desktops and workstations. For example, providing employees with:
- Cable locks to deter physical theft in the office, coworking spaces, and home offices
- Privacy screen filters to protect against shoulder surfing
- USB port locks to prevent unauthorized data transfer and software installations
For desktops and workstations that reside in the office, organizations can implement physical access controls, and install surge protectors and battery backup systems.
(7) Technical safeguards
Strong passwords and good password hygiene help prevent desktops and workstations from being compromised, but they are of little help if employees do not lock their devices when they walk away or leave the workplace. In this case, organizations can enforce a technical control that locks employees' devices automatically after a period of idle time. In addition, organizations can deploy a password-protected screen saver on desktops and workstations to protect unattended devices from unauthorized use and session hijacking.
Additionally, to slow down brute-force and password-spraying attempts to guess login credentials, it is good practice for organizations to define an account lockout policy that sets the number of failed login attempts allowed before the account is locked, how long the lockout lasts, and the window over which failures are counted. Set the threshold high enough that ordinary typos do not lock users out and that an attacker cannot easily abuse the policy to lock legitimate users out of their accounts, and treat lockout as a complement to multi-factor authentication rather than a substitute for it, since a patient attacker can simply stay under the threshold.
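The idle-lock and lockout controls just described can be applied to a locally managed Windows machine with the script below. It is an added example written for this article and is not PortalGuard's or Microsoft's own code; it assumes Windows 10/11, an elevated session, and a machine that is not receiving these settings from domain Group Policy (on a domain the same values would normally be pushed from the GPO rather than written locally). The timeout and lockout figures are assumed values, not numbers from the text.

```powershell
# Added example, not PortalGuard code: enforce the idle-lock and account-lockout
# controls from item (7) on a locally managed Windows 10/11 workstation.
# Assumes an elevated session; on a domain-joined machine use Group Policy instead.
# All thresholds below are assumed values, not figures from the text.
#Requires -RunAsAdministrator

$IdleLockSeconds  = 600   # assumed: lock the session after 10 minutes idle
$LockoutThreshold = 10    # assumed: failed logins before the account locks
$LockoutMinutes   = 15    # assumed: lockout duration and failure-counting window

# (a) Machine-wide idle limit ("Interactive logon: Machine inactivity limit").
#     This locks the session after inactivity regardless of per-user screen saver settings.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $sys -Name 'InactivityTimeoutSecs' -PropertyType DWord `
    -Value $IdleLockSeconds -Force | Out-Null

# (b) Password-protected screen saver for the current user, written to the policy key so
#     the user cannot turn it off. ScreenSaverIsSecure=1 is "On resume, display logon screen".
#     The policy values are REG_SZ strings, which is how Group Policy itself stores them.
$pol = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
New-ItemProperty -Path $pol -Name 'ScreenSaveActive'    -PropertyType String -Value '1' -Force | Out-Null
New-ItemProperty -Path $pol -Name 'ScreenSaverIsSecure' -PropertyType String -Value '1' -Force | Out-Null
New-ItemProperty -Path $pol -Name 'ScreenSaveTimeOut'   -PropertyType String -Value "$IdleLockSeconds" -Force | Out-Null

# (c) Local account lockout policy: threshold, duration, and the observation window over
#     which failed attempts are counted (the window must not exceed the duration).
net accounts "/lockoutthreshold:$LockoutThreshold" `
             "/lockoutduration:$LockoutMinutes" `
             "/lockoutwindow:$LockoutMinutes" | Out-Null

# Read back what was applied so the result can be reviewed or logged.
function Get-IdleAndLockoutPolicy {
    [pscustomobject]@{
        InactivityTimeoutSecs = (Get-ItemProperty -Path $sys).InactivityTimeoutSecs
        ScreenSaverIsSecure   = (Get-ItemProperty -Path $pol).ScreenSaverIsSecure
        ScreenSaveTimeOut     = (Get-ItemProperty -Path $pol).ScreenSaveTimeOut
        LockoutPolicy         = ((net accounts) -match 'Lockout') -join '; '
    }
}
Get-IdleAndLockoutPolicy
```

The per-user screen saver values take effect at the next policy refresh or logon; the machine inactivity limit applies at the next logon. If the lockout threshold is set very low, an attacker who knows a list of usernames can lock every one of them out with a handful of bad passwords per account, which is why the threshold should be generous and MFA, not lockout, is what actually stops credential misuse.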
(8) Security policies
Inappropriate use of company desktops and workstations can expose the organization to risks such as malware infections, system compromises, and data breaches. Therefore, it is necessary to create a clear and concise security policy to ensure desktops and workstations are used as safely, securely, and productively as possible. Organizations can also take disciplinary action against employees who do not comply with such policies.
(9) End-user security awareness training
Because end-users have always been a weak point in enterprise security, end-user security awareness training aims to educate users on the most common cyberattacks, how to access corporate resources in a secure way, and what IT policies are in place to prevent breaches. It is essential that organizations routinely invest time and resources to educate users on desktop and workstation best practices and put them into practice with effective policies.
Phishing attacks are the most common vector for data breaches. Learn three ways you can help your employees identify a phishing email or computer phishing attack.
(10) Device login
The first line of defense against unauthorized access to desktops and workstations is the initial login, which typically involves a username and password. When a user enters the correct credentials on the login screen, they are granted access to the device. Conversely, if an unauthorized individual obtains those credentials, they gain every access privilege the user has, compromising the organization's data and systems.
Multi-factor authentication (MFA) is one of the most important best practices that every organization should deploy to prevent unauthorized access and secure endpoint logins. MFA augments the username and password with an additional factor to verify a user's identity, such as a face scan, a fingerprint, or a one-time password sent to the user's registered phone or email. In this way, before someone can log into a workstation, they need both the login credential and the additional factor, and the chance of both being compromised at once is far lower than for a password alone.
Given that MFA provides a high level of identity assurance, organizations should enable MFA for all endpoint logins, self-service password resets, and account unlocks to prevent fraudulent takeovers. When organizations go about enforcing MFA, providing flexible authentication methods is crucial to avoid frustrating users, who may find security workarounds that can create vulnerabilities and undermine the effectiveness of MFA.
PortalGuard Desktop for Windows & MacOS
With PortalGuard Desktop, you can easily secure desktops and workstations while creating a consistent and intuitive login experience for both Windows and MacOS users with unmatched security and flexibility. With support for on-premises and cloud / IDaaS, you can deploy to fit your specific needs.
Here is what you should know about PortalGuard Desktop:
Key Features & Capabilities
Desktop Multi-Factor Authentication
- MFA driven from central security policy
- Flexibility for administrators to select and require specific security policies
- Ability to enforce MFA for users and admins with access to remote desktops
- Supports secure authentication for remote admins, local admins, and remote users
Desktop Self-Service & Enrollment
- Allows self-service password reset with multiple MFA options, including Identity-Bound Biometrics, hardware tokens, OTPs, and more
- Ease of use for employees to reset passwords directly from the login screen
- Reduces downtime for the IT team by empowering the user with the tools to complete password recovery quickly and securely on their own
Platform Solution
- PortalGuard Desktop is part of the award-winning identity and access management (IAM) platform, PortalGuard, which offers the widest range of flexible options for multi-factor authentication, single sign-on, and self-service password reset. PortalGuard is also the only IAM platform on the market offering Identity-Bound Biometric authentication methods that use a unique, centralized biometric identity to verify the person requesting access to the device, system, or application.
Learn More About PortalGuard Desktop
Interested in learning more about PortalGuard Desktop? Download the PortalGuard Desktop data sheet for a full overview, product specs, and features.
We encourage you to reach out directly if you'd like to speak to our team to discuss securing your Windows and MacOS workstations with multi-factor authentication, passwordless authentication with Identity-Bound Biometrics, or tailored authentication adapted to your work environment.