Intel Unite Solution - Enterprise Deployment Guide

Intel Unite® Solution Enterprise Deployment Guide v3.1.7
9  OS and PC Security Controls 
9.1.1  Minimum Security Standards (MSS) 
It is recommended that all devices running the Intel Unite application meet your organization's default
MSS, have an agent installed for patching, and run an antivirus / IPS / IDS and other
necessary controls as per the MSS specification (the McAfee suite for anti-malware, IPS, and IDS was tested for
compatibility).
9.1.2  Machine Hardening 
The machine's Unified Extensible Firmware Interface (UEFI) could be locked to boot the Windows boot loader
only (so that booting from a USB disk / DVD will not work), the Execute Disable Bit could be enabled, Intel® Trusted
Execution Technology could be enabled, and the settings can be locked with a password.
Windows OS Hardening: As a baseline, the system is running with non-elevated user rights. It is also 
recommended to remove unused software from the OS including unnecessary pre-installed software and 
Windows components (PowerShell, Print and Document services, Windows location provider, XPS services). 
GUI subsystem lock: Since the system uses only a non-touch screen, without a keyboard or mouse, it is
harder to break out of the GUI subsystem. To limit what an attacker can do by attaching a HID device (USB
keyboard/mouse), it is recommended to programmatically block Alt+Tab, Ctrl+Shift+Esc, and the Charms
bar.
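One way to block these key combinations programmatically, shown as an added example that is not part of the Intel guide or the Intel Unite software: a Windows low-level keyboard hook (WH_KEYBOARD_LL) that swallows Alt+Tab, Ctrl+Shift+Esc, and the Windows keys. It assumes that the keyboard route to the Charms bar is Win+C, so blocking the Windows keys covers it; the function name should_block is hypothetical.

```c
/* Added example: kiosk key filter. Not Intel Unite code. */
#include <stdbool.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Virtual-key codes from winuser.h, repeated so the filter logic builds off Windows. */
#define VK_TAB    0x09
#define VK_ESCAPE 0x1B
#define VK_LWIN   0x5B
#define VK_RWIN   0x5C
#endif

/* Returns true when the keystroke must be swallowed.
   Assumption: blocking the Windows keys covers Win+C (Charms bar). */
bool should_block(unsigned vk, bool alt, bool ctrl, bool shift)
{
    if (vk == VK_LWIN || vk == VK_RWIN) return true;    /* Charms bar, Start */
    if (vk == VK_TAB && alt) return true;               /* Alt+Tab */
    if (vk == VK_ESCAPE && ctrl && shift) return true;  /* Ctrl+Shift+Esc */
    return false;
}

#ifdef _WIN32
static LRESULT CALLBACK ll_keyboard_proc(int code, WPARAM wp, LPARAM lp)
{
    if (code == HC_ACTION) {
        const KBDLLHOOKSTRUCT *k = (const KBDLLHOOKSTRUCT *)lp;
        bool alt   = (k->flags & LLKHF_ALTDOWN) != 0;
        bool ctrl  = (GetAsyncKeyState(VK_CONTROL) & 0x8000) != 0;
        bool shift = (GetAsyncKeyState(VK_SHIFT) & 0x8000) != 0;
        if (should_block(k->vkCode, alt, ctrl, shift))
            return 1;  /* non-zero: the event is not passed on */
    }
    return CallNextHookEx(NULL, code, wp, lp);
}

int main(void)
{
    HHOOK hook = SetWindowsHookEx(WH_KEYBOARD_LL, ll_keyboard_proc,
                                  GetModuleHandle(NULL), 0);
    if (!hook) return 1;
    MSG msg;  /* the hook is serviced by this thread's message loop */
    while (GetMessage(&msg, NULL, 0, 0) > 0) { TranslateMessage(&msg); DispatchMessage(&msg); }
    UnhookWindowsHookEx(hook);
    return 0;
}
#endif
```

A low-level hook never sees Ctrl+Alt+Del, and it only filters while the hooking process is running, so the process should be started with the kiosk session and restarted if it exits.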
9.1.3  Other security controls 
It is recommended to lock each machine's user account to its specific machine account in Active Directory. If the
deployment includes a high number of units, user accounts can be locked per designated floor of a
specific building.
Machine ownership: It is recommended that each machine have an identified owner. If the machine goes
offline for an extended period, the identified owner will be notified.
Beyond the security mechanisms provided by the Intel vPro platform and the Intel Unite software itself, it is
recommended to harden the Microsoft* Windows* OS per Microsoft's guidelines for machine hardening. For
reference, consult the Microsoft Security Compliance Manager* (SCM) at the following link:
https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
Note: The link provides a wizard-based hardening tool, including hardening best known
methods and relevant documentation.










