Endpoint Protection Standard (EPS) — Guidance

This page helps NC State IT groups comply with security requirements per NC State University Rule 08.00.18 — Endpoint Protection Standard (EPS). All NC State IT groups are responsible for complying with all requirements stated in the EPS rule per their areas of responsibility.

This page provides the following context and guidance for each security requirement:

  • Impact
  • References
  • Best Practices for Windows, macOS, and Linux endpoints. Please note that with the exception of Approved CMSs, Best Practices for Linux endpoints will be available in the future.

NOTE:  Please read and understand the EPS Rule before continuing.

Impact

NC State requires an inventory of all endpoints to verify that all resources and data are protected consistently from ongoing threats and risks. An approved Configuration Management System (CMS) provides the university with the ability to respond to ongoing threats, vulnerabilities, and attacks in an efficient and timely manner.

References

Best Practices

Windows

Join all endpoints to WolfTech AD to benefit from System Center Configuration Manager (SCCM) automatically. All supported OSs have a default security baseline enabled in WolfTech AD.

macOS

Enroll all macOS endpoints in NC State’s implementation of Jamf Pro, the approved Configuration Management System (CMS). Jamf Pro includes automatic daily inventory updates.

Linux

Impact

The university must take proactive measures to protect its resources (including data and users) from known vulnerabilities. Therefore, NC State requires an antivirus and anti-malware solution to provide prevention, detection and effective responses to ongoing threats and attacks.

References

Best Practices

Windows

  • Install System Center Endpoint Protection (SCEP) for automatic antivirus and anti-malware protection.
  • Join all endpoints to WolfTech AD, which has the SCCM agent installed automatically and activates SCEP by default. See NC State Microsoft Endpoint Protection for details.
  • The recommended default exceptions from Microsoft are included by default. See Microsoft Windows Defender for details.

macOS

Install DetectX Swift and make sure Apple’s built-in security features XProtect, SIP, and Gatekeeper are enabled.

Linux

Future; see EPS — Phases of Implementation for details.

Impact

Requiring an ID and one or more additional factors for endpoint logins protects against unauthorized access to university data. Requiring periodic reauthentication protects against unauthorized use of unattended endpoints.

References

Best Practices

Windows

Join all endpoints to WolfTech AD to benefit from the requirement to authenticate by default. All domain authentication is logged on the domain controllers.

macOS

Install a computer-level Computer Configuration Profile that disables automatic login from Login Options.
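The following script is an added example, not part of the EPS rule or NC State tooling. It audits three of the macOS settings named in this guidance: SIP, Gatekeeper, and automatic login. It assumes the stock macOS commands `csrutil`, `spctl`, and `defaults`; XProtect is not covered, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit macOS settings named in the EPS guidance.
# Each check_* function takes raw command output as $1, so the parsing
# can be exercised with constructed samples on any platform.

check_sip() {            # $1: output of `csrutil status`
    # Only a plain "enabled." passes; custom or partial configurations fail.
    case "$1" in
        *"System Integrity Protection status: enabled."*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

check_gatekeeper() {     # $1: output of `spctl --status`
    case "$1" in
        *"assessments enabled"*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

check_autologin() {      # $1: value of the loginwindow autoLoginUser key
    # The key is absent (empty output) when automatic login is off.
    if [ -z "$1" ]; then echo PASS; else echo FAIL; fi
}

audit_mac() {
    # The real commands exist only on macOS; skip cleanly elsewhere.
    [ "$(uname -s)" = "Darwin" ] || { echo "SKIP: not macOS"; return 0; }
    echo "SIP:        $(check_sip "$(csrutil status 2>&1)")"
    echo "Gatekeeper: $(check_gatekeeper "$(spctl --status 2>&1)")"
    echo "Auto-login: $(check_autologin "$(defaults read \
        /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)")"
}

audit_mac
```

A FAIL line means the endpoint does not meet the setting described above and should be remediated through its Jamf Pro configuration profile.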

Linux

Future; see EPS — Phases of Implementation for details.

Impact

Scanning university resources for sensitive data can reduce the disclosure of data that could negatively impact and damage the university.

References

Best Practices

Windows

  • Join all endpoints to WolfTech AD, which has Spirion installed by default.
  • Develop and follow a business process to automate scanning and alerts.

macOS

Develop and follow a business process to install Spirion.

  • See Jamf Pro Policy Cheat Sheet to create a policy to install the latest version of Spirion Identity Finder available from the Jamf Pro packages distribution.

Linux

Future; see EPS — Phases of Implementation for details.

Impact

Maintaining a software inventory is critical when mitigating an identified risk or threat and, therefore, is required for effective and timely patching.

References

Best Practices

Windows

Join all endpoints to WolfTech AD to have SCCM collect a hardware and software inventory by default.

macOS

Enroll your Apple endpoints with Jamf Pro. Jamf Pro includes automatic daily inventory updates.

Linux

Future; see EPS — Phases of Implementation for details.

Guidance for the following EPS security controls will be documented in the future. See EPS — Phases of Implementation for details.

  • Least Privilege Access
  • Encrypted Network Communication
  • Host-based Firewall
  • Full Disk Encryption (with university key escrow)
  • Web Reputation Filtering
  • File Integrity Monitoring
  • Application Control