Table of Contents:
- Why Endpoint Hardening is Important:
- What Device Hardening Includes:
- Automate Endpoint Hardening:
- Adding a Custom Script to NinjaOne:
- Five Ways to Automate Device Hardening:
- Resources
- Glossary

Why Endpoint Hardening is Important:
At its core, endpoint (i.e., device) hardening is the overarching concept of reinforcing security at the device level. Because securing your endpoints is fundamental to every other security action you take, the investment you make in it will have larger ROI than almost anything else. If you don’t do it well, every other solution and step you take will have to be better, work harder, and have fewer gaps.
Unfortunately, according to Microsoft’s 2022 Digital Defense Report, many organizations aren’t taking the basic steps needed to support comprehensive endpoint hardening. Below are a few examples of key issues that have been negatively impacting cyber resiliency:

While advanced security measures are important, it’s critical to remember that the fundamentals still need work. In the same report, Microsoft found that basic security "hygiene" protects against 98% of attacks. By implementing good security practices, you can start building up those layers of security and give bad actors fewer opportunities to attack.
The chart below highlights the technical cybersecurity recommendations of major English-speaking governments for small and medium-sized businesses. Investments here (many of which are device hardening recommendations) provide the greatest value.

What Device Hardening Includes:
Device hardening includes any changes you’d make to a device that helps improve the device’s security.
Here are a few examples:
Account Access Protection
- Enable and enforce MFA.
- Remove extraneous accounts.
- Change default administrator accounts.
- Enforce least privilege access across user accounts.
- Block end-users from installing apps.
- Enforce strong passwords.
Device Configuration
- Enable secure boot.
- Disable USB.
- Encrypt disks.
- Block net calls from applications (notepad, wscript, cscript, etc.).
- Reduce port exposure.
- Enable and expand logging.
- Disable insecure protocols like SMBv1, Telnet, and HTTP.
- Password-protect BIOS/UEFI.
Software Management
- Remove potentially malicious apps.
- Remove unsupported software.
- Deploy antivirus / EDR.
- Deploy password management solutions.
- Enable firewall.
- Remove old executables.
- Prevent end users from installing apps.
Auditing
- Audit device hardening.
Note that this is not an exhaustive list, but a starting point for organizations looking for next steps in their endpoint hardening process. Not every device hardening activity will be applicable to every environment and many need to be adapted to your own environment. When improving endpoint security, remember that baselines are constantly changing, so security approaches should always be evaluated and refreshed on a regular basis.
It’s also important to note that there are a number of critical actions you can take to bolster your organization’s security that are not part of endpoint hardening, including:
- Identity and access management.
- Advanced security solutions (SIEM, advanced AV, etc.).
- Security awareness training for end users.
- Network strategy.
- Cloud application security.
- Mobile threat defense.
All of these actions are crucial to ensuring security, but don’t specifically target security at the device level.
Automate Endpoint Hardening:
Before we get into some examples of how organizations can use NinjaOne to strengthen and simplify their approach to endpoint hardening, let’s talk a little more about automation.
In general, IT automation:
- Reduces the potential for human error.
- Reduces the time investment in manual tasks.
- Reduces costs.
- Standardizes device management and service delivery.
- Improves IT employee satisfaction.
- Improves the end-user experience.
- Helps to support compliance.
By taking advantage of the benefits of automation, the endpoint hardening process becomes much simpler, more efficient, and cheaper in the long run. Additionally, since processes are set to run automatically, organizations can more quickly limit exposure to any potential vulnerabilities. The less time a device is exposed, the better off it’ll be.
Within NinjaOne, there are various mechanisms that help organizations easily execute an automated IT workflow. In the next section, we’ll be demonstrating five examples of how organizations can utilize NinjaOne’s automation tools to improve device security, including:
- Scheduled automations — When you want to take action against devices in a policy at a specific time(s).
- Scheduled tasks — When you want to take action against devices in a group at a specific time(s).
- Script result conditions — When you want to regularly check information on a device and take action based on the returned results.
- Condition triggered script — When you want to respond immediately to a state change on a device.
- Custom field triggered script — When you need information NinjaOne doesn’t collect by default or for multi-step / complex automations.
Related Documentation:
- Policies: Scheduled Automations
- Scheduled Tasks
- Policies: Condition Configuration
- Custom Fields and Documentation: CLI and Scripting
Adding a Custom Script to NinjaOne:
Because so many automations need to be customized to individual environments, custom scripts are critical to automation in NinjaOne. As such, it’s important to know how to add new scripts to your Automation Library within the NinjaOne platform. To add a new script, you have a few different options. You can either:
- Add a new script using the script editor.
- Import a new script using the template library.
- Import a new script from your computer.
For those looking for help with custom scripts, the Script Share folder in our Dojo (our NinjaOne customer community) is full of scripts uploaded by fellow NinjaOne users.
Click here for more scripting/automation documentation.
Five Ways to Automate Device Hardening:
This list of methods is not exhaustive, but a good snapshot of what you can do within the NinjaOne console to help automate and support endpoint hardening.
Deploy Device Security Configurations on Device Setup
In this example we’ll use the scheduled tasks mechanism to automate outside of policies.
When setting up new devices, you can use tools that are automatically built into recent versions of Windows to improve device security. In this example, we’re using BitLocker, which is included on every Windows 10 and 11 workstation. With NinjaOne, you can natively track the status of BitLocker, find devices that have BitLocker disabled, and re-enable it using a custom script.
(If you do not already have the script to enable BitLocker added to your console, use the instructions in our Automation Library article to add the script to your library. For this demonstration, we used this community PowerShell script. NinjaOne recommends naming it "Enable BitLocker" to easily find it during the scheduling process.)
In the NinjaOne console, open the Devices tab on the left-hand side and use the Additional Filters + option to sort by BitLocker Status. For detailed instruction, please see Device Search Grid.
After filtering your desired endpoints, you can create a dynamic group with those that have BitLocker disabled. For detailed instruction, please see Search and Grouping.
Once your dynamic group is created, it will always show up-to-date information. As you enable BitLocker on these devices, the devices will fall out of this group. As you onboard new endpoints that don’t have BitLocker enabled, they’ll automatically show up in this group. Remember the name of the group you’ve created because we’ll be searching for it in a minute.
You’ll likely want to add some automated remediation to this process; to do that, please refer to our Scheduled Tasks article.
Once you have the "Enable BitLocker" script added to your library, you'll be able to search for it when adding scripts/automations to the scheduled task. This is what the available script list looks like:

With the task schedule set and automation selected, go to Targets and add a new target on the right side. You can choose from organization, device, or group. In this case, we’ll select Group and search for the "BitLocker Disabled" dynamic group that was created earlier.

Other examples of using dynamic groups with scheduled automations include disabling mass storage devices, setting UAC, etc. Within the Template Library in the NinjaOne console, you’ll find a number of ready-to-go automation templates.
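As an added example (not the community "Enable BitLocker" script linked above), this PowerShell does what a scheduled task against the "BitLocker Disabled" group would run: it enables BitLocker with a TPM protector, adds a recovery password, and escrows that password to a Secure custom field so it does not live only on the device. The `Ninja-Property-Set` cmdlet and the field name `bitlockerRecoveryKey` are assumptions for this example.

```powershell
# Added example, not NinjaOne's own script. Assumes the NinjaOne agent's
# Ninja-Property-Set cmdlet is available and that a Secure custom field named
# bitlockerRecoveryKey exists (both assumed; adjust to your environment).
$mount     = $env:SystemDrive          # OS drive, usually "C:"
$fieldName = 'bitlockerRecoveryKey'

# Refuse to proceed without a usable TPM rather than fall back to a weaker protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Output 'TPM not present or not ready; not enabling BitLocker without a TPM protector.'
    exit 1
}

$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Add the recovery password first so an escrowable key exists before encryption starts.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest | Out-Null
    Write-Output "BitLocker enabled on $mount; encryption continues in the background."
} elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    # Already encrypted but with no recovery password: add one so it can be escrowed.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
}

# Escrow every recovery password (there may be more than one) as "ID=password" lines.
$vol = Get-BitLockerVolume -MountPoint $mount
$escrow = ($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "$($_.KeyProtectorId)=$($_.RecoveryPassword)" }) -join "`n"
Ninja-Property-Set $fieldName $escrow

# Status line for the activity log; the recovery password itself is never printed.
Write-Output ("{0}: {1}, protection {2}, {3}% encrypted" -f $mount, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage)
```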

Enable Device Firewalls and Block Outbound Connections
In this example we’ll use custom fields and policy conditions to detect a device state and trigger an automation.
To check on the status of the device firewall in NinjaOne, we’ll focus on the custom field and scheduled automations mechanisms. Custom fields can be used in a variety of ways; in this particular method, it will store the output of a PowerShell script.
To add a new custom field, please refer to Custom Fields: Device Role Fields.
Create a new custom field labeled "Firewall Status" with "Text" as the Field Type. After you click Create, additional configuration options display, giving you the option to change technician access levels, script read and write capabilities, API read and write capabilities, a label, and additional text.
Set the Scripts Permissions to "Read/Write" and click Save. You may want the Technician field set to "Read Only":

Now, navigate to a policy that you would like to add this custom field to. (If you’re unfamiliar with policy setup, check out the NinjaOne policy efficiency webinar or the NinjaOne Dojo article.)
Use the scheduled automation instructions to add the automation in the policy. If you have not yet added a custom script for checking your firewall status, please follow the instructions to add a new script. Click Save to add the scheduled script to your policy.
Next, open the Conditions tab and add a new condition. When selecting a condition, choose "Custom Fields" from the dropdown.

Two different options display under the Condition dropdown. Click Add next to "Custom field value must meet all conditions" to generate two new dropdowns.
In the first dropdown, select the "Firewall Status" custom field you created. In the second dropdown, select "contains". Below those two dropdowns, type "false" in the text field (meaning the firewall is disabled).

Click Apply, and then click Add to the right of "Automations" in the Condition modal. Search for and select the "Set-WindowsFirewall" to apply to the condition.
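As an added example (not a NinjaOne-provided script), the following PowerShell is the kind of "check firewall status" script the scheduled automation above would run: it writes a per-profile status string to the custom field, so the condition's "contains false" match fires when any profile is disabled, and with `-Remediate` it also does what the Set-WindowsFirewall step does. The `Ninja-Property-Set` cmdlet and the field name `firewallStatus` are assumptions.

```powershell
# Added example, not NinjaOne's own script. Assumes the NinjaOne agent's
# Ninja-Property-Set cmdlet is available and that firewallStatus is the machine
# name of the "Firewall Status" custom field created in this guide (both assumed).
param(
    [switch]$Remediate     # when set, also enable any disabled profile
)

$fieldName = 'firewallStatus'

function Get-FirewallStatusString {
    # Produces e.g. "Domain:True Private:True Public:False".
    # Enabled is a GpoBoolean (True/False/NotConfigured); compare by name, not truthiness.
    (Get-NetFirewallProfile -Profile Domain, Private, Public |
        ForEach-Object { "$($_.Name):$($_.Enabled)" }) -join ' '
}

$profiles = Get-NetFirewallProfile -Profile Domain, Private, Public
$disabled = @($profiles | Where-Object { $_.Enabled -ne 'True' })

if ($Remediate -and $disabled.Count -gt 0) {
    # Turn the disabled profiles on with a default-deny inbound posture.
    Set-NetFirewallProfile -Profile ($disabled.Name) -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

# Re-read after any remediation so the custom field reflects the current state.
$status = Get-FirewallStatusString
Write-Output $status
Ninja-Property-Set $fieldName $status

# Non-zero exit marks drift in the activity log when running in check-only mode.
if ($disabled.Count -gt 0 -and -not $Remediate) { exit 1 }
```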

To enhance firewall protection, you can also add a custom script to block outbound network communications.
Within that custom script, add the applications you want to block from reaching the internet. For example, it’s unlikely that Windows Calculator or Notepad will need internet access (but they can be abused as attack vectors), so you can add them to the application list within the custom script itself. For this example, we used this Block Outbound NetConns for win32 PowerShell script. (This is not an official NinjaOne script, so please test extensively before using!)

Once added to the Automation Library, you can add it to the same Check Firewall condition that you added the Set-WindowsFirewall script to.
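As an added example (not the community Block Outbound NetConns script referenced above), this PowerShell creates per-program outbound block rules for built-in binaries that have no business making network calls, and is safe to re-run from a scheduled automation because each rule is keyed by a fixed display name. The application list and the rule-name prefix are assumptions; edit them for your environment.

```powershell
# Added example, not NinjaOne's own script. The program list and rule prefix are
# assumptions; the rule names make re-runs idempotent.
$apps = @(
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\System32\calc.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\SysWOW64\wscript.exe",   # 32-bit copies need their own rules
    "$env:SystemRoot\SysWOW64\cscript.exe"
)
$rulePrefix = 'Hardening - Block Outbound - '
$created = 0

foreach ($path in $apps) {
    $name = $rulePrefix + (Split-Path $path -Leaf) + ' (' + (Split-Path (Split-Path $path) -Leaf) + ')'
    if (-not (Test-Path $path)) {
        Write-Output "Skipping $path (not present on this device)"
        continue
    }
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Output "Rule already exists: $name"
        continue
    }
    # Block all outbound traffic for this executable on every network profile.
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Program $path -Profile Any -Enabled True | Out-Null
    $created++
    Write-Output "Created: $name"
}

# Summary of what is in place, suitable for the activity log or a custom field.
Get-NetFirewallRule -DisplayName "$rulePrefix*" |
    Select-Object DisplayName, Enabled, Action |
    Format-Table -AutoSize
Write-Output "$created new rule(s) created."
```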

Enable, Expand, and Parse Logs
In this example we’ll trigger an automation on device setup to change a device configuration.
Device configuration is only as good as the information that you’re getting from it, which is where event logs come in. Logs help you understand what’s happening on the device and certain logs may need to be expanded so you can get an accurate view of the health and security of your environment.
Before we take any additional steps, you’ll want to add a new custom script to your library specifically for expanding those event logs. You can use our Script Share folder or other community-provided scripts for this purpose. **Disclaimer — NinjaOne does not verify or test the scripts posted in these articles. We recommend testing all custom scripts on a small set of devices prior to running them on a broad scale.**
Once you have your custom Expand Event Logging script added to the Automation Library, return to your chosen policy page and open the Scheduled Automations tab.
This example uses the "Run Once Immediately" cadence, running on all of the devices within your chosen policy. The "Run Once Immediately" schedule runs when devices are online, when offline devices come back online, and on any new online device that joins the policy.

Once you’ve chosen your preferred schedule, add your Expand Event Logging custom script on the right side. From there, you can apply this scheduled script and it will run immediately.
In addition to expanding logs, monitoring the Windows event log for signs of privilege escalation is another way to add a layer of endpoint security.
Add a new condition from the Conditions tab within the policy and choose "Windows Event" to add a source and specific Event IDs that you want to monitor.
Once any of the Event IDs trigger, you’ll be alerted to any changes for a particular user and be able to take action. There is no specific remediation in this guide, but you do have the option to add remediation into the automation steps using custom fields.
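As an added example (not a Script Share script), this PowerShell is one way to build the "Expand Event Logging" automation above: it enlarges the Security log, turns on the audit subcategories that produce the account- and privilege-related events a "Windows Event" condition would watch for, and includes process command lines in 4688 events. The 1 GB size is an assumption; run elevated.

```powershell
# Added example, not NinjaOne's own script. Log size is an assumption; tune it to
# disk space and retention needs. Requires an elevated (SYSTEM or admin) run.
$securityLogMaxBytes = 1GB

# 1. Expand the Security log. /rt:false keeps circular overwrite; the larger size
#    is what buys retention without risking a full log that stops recording.
wevtutil sl Security "/ms:$securityLogMaxBytes" /rt:false

# 2. Enable success and failure auditing for subcategories that reveal privilege changes.
$subcategories = @(
    'Security Group Management',   # 4728/4732: member added to a privileged group
    'User Account Management',     # 4720/4722/4738: accounts created or modified
    'Special Logon',               # 4672: logon holding admin-equivalent privileges
    'Process Creation'             # 4688: new process started
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 3. Record the full command line in 4688 events (Audit Process Creation policy).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 4. Report the resulting configuration so the run can be verified in the activity log.
$log = Get-WinEvent -ListLog Security
Write-Output ("Security log: {0:N0} MB max, mode {1}" -f ($log.MaximumSizeInBytes / 1MB), $log.LogMode)
foreach ($cat in 'Account Management', 'Logon/Logoff', 'Detailed Tracking') {
    auditpol /get /category:"$cat"
}
```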

Create a Local Admin Account and Automate Password Rotation
In this example we’ll trigger an automation on device setup, then run a regular automation to change an admin password. There is built-in functionality in Windows that you can take advantage of in NinjaOne to help with password rotation and protection. Create a custom script for this purpose and add it to a scheduled automation in your chosen policy, and then set it to run on your desired schedule.
For this, go back to your Global Custom Fields menu (Administration > Devices) and add a new field. In this new field, label it the same name that you set in the password rotation custom script (i.e., "localAdminPassword" by default) and select the "Secure" field type from the dropdown.
A "secure" custom field is specifically built for securely handling credentials — it is not visible in plain text, requires MFA to view, and is fully encrypted. There is also auditing to see who has access to the "secure" custom field that’s been added.
Once you click Create, you’ll see additional dropdown fields. Set the Automations dropdown to "Write Only" and the Technician dropdown to "Read Only": the script creates a service account, generates a random alphanumeric string as its password, and writes that password into the "secure" custom field, so only the automation needs write access.
This means that you don’t have standardized passwords across the board and can go into the individual device to see the localAdminPassword under the Custom Fields tab on the device dashboard (image 24).
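As an added example (not the community password-rotation script this section refers to), this PowerShell creates the local admin account if it is missing, rotates its password from a cryptographic random source on every run, and writes the new password only to the Secure custom field. The `Ninja-Property-Set` cmdlet and the account name are assumptions; the field name is the default named in this guide.

```powershell
# Added example, not NinjaOne's own script. Assumes the NinjaOne agent's
# Ninja-Property-Set cmdlet is available; the account name is an assumption.
$accountName = 'svc-localadmin'
$fieldName   = 'localAdminPassword'   # Secure custom field, Automations = Write Only
$length      = 24

function New-RandomPassword {
    param([int]$Length = 24)
    # Unambiguous alphanumerics plus a few symbols, drawn from a cryptographic RNG
    # (not Get-Random, which is not suitable for secrets).
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#%^&*-_'
    $bytes = New-Object byte[] ($Length * 4)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        # 32 random bits per character; modulo bias is negligible for this alphabet size.
        $n = [System.BitConverter]::ToUInt32($bytes, $i * 4)
        $alphabet[$n % $alphabet.Length]
    }
    -join $chars
}

$plain  = New-RandomPassword -Length $length
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

if (-not (Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $accountName -Password $secure -PasswordNeverExpires `
        -AccountNeverExpires -Description 'Managed local admin (rotated by NinjaOne)' | Out-Null
    # Add by well-known SID so this works on localized Windows builds too.
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $accountName
    Write-Output "Created $accountName and added it to Administrators."
} else {
    Set-LocalUser -Name $accountName -Password $secure
    Write-Output "Rotated password for $accountName."
}

# The plaintext goes only into the Secure field; it is never written to script output.
Ninja-Property-Set $fieldName $plain
Remove-Variable plain, secure
```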

Detect and Remove Potentially Malicious Software
In this example, we’ll use a policy condition to detect a state change (software installed) and trigger an automation to remediate the issue.
You can use NinjaOne’s automation tools to easily detect and remove malicious or unwanted software from endpoints. Before you create the software detection condition, you’ll need to add an Uninstall Application custom script to the NinjaOne Automation Library. You can use our Script Share folder or other community-provided scripts for this purpose. **Disclaimer — NinjaOne does not verify or test the scripts posted in these articles. We recommend testing all custom scripts on a small set of devices prior to running them on a broad scale.**
Once you’ve added that custom script, go back into the policy that you want to update and open the Conditions tab. Add a new condition and choose "Software" from the Condition dropdown. Select "Exists" from the resulting Presence dropdown and enter the name of the software that you’d like to detect into the Names field.
If you add asterisks around the software name, it will pull in anything that uses that name in the software title—not just exact matches.

Click Apply and then add the automation on the right side of the Condition configuration modal.
To ensure you’re fully remediating your issues, test and confirm that this PowerShell script or uninstaller will successfully remove the application before deploying fully.
Resources
Endpoint hardening is essential, and with proper automation it can be easy to implement and maintain. If you’ve been looking for a tool to help you automate your IT workflow, get access to a free NinjaOne trial here:
https://www.ninjaone.com/freetrialform/
We’ve also put together a list of a few security frameworks you can use when securing your network and devices:
- NIST Guide to General Server Security
- CIS Benchmarks for Microsoft Windows Desktop
- MITRE ATT&CK Security Knowledge Base
Glossary
See below for definitions of the acronyms used throughout this article. For more definitions, please see NinjaOne Terminology.
| Term | Definition |
|---|---|
| API | Application programming interface |
| AV | Antivirus |
| BIOS | Basic input/output system |
| EDR | Endpoint detection and response |
| HTTP | Hypertext transfer protocol |
| MFA | Multi-factor authentication |
| SIEM | Security information and event management |
| SMBv1 | Server message block (v1) |
| Telnet | Teletype network |
| UAC | User account control |
| UEFI | Unified extensible firmware interface |
| USB | Universal serial bus |