Enterprise Endpoint Security Guide

📋 In This Guide

1. Endpoint Security Maturity Model
2. Antivirus & EDR Selection
3. Windows Hardening Baseline
4. Linux Server Hardening
5. Patch Management Automation
6. BitLocker & Full Disk Encryption
7. Application Control & USB Policy
8. EDR Alerting & Response Playbook

Endpoints — laptops, desktops, and servers — are the most frequently compromised entry points in enterprise networks. According to industry threat intelligence, over 70% of successful breaches originate at an endpoint: a phishing email opened on a laptop, an unpatched vulnerability exploited on a server, or malware introduced via an uncontrolled USB drive.

Endpoint security is not a single product — it is a layered strategy combining hardened OS configuration, automated patching, encryption, application control, and continuous detection and response. This guide walks through building that layered defense systematically, from the foundational baseline up to active threat response.

1 Endpoint Security Maturity Model

Before deploying tools, assess where your organization currently sits on the endpoint security maturity scale. This determines the right starting point and prioritization — organizations at Level 1 should not jump to Level 4 tooling before the foundational controls are in place.

Maturity Levels

Level 1 — Basic 25% coverage

Antivirus installed, Windows Defender enabled, manual patching when remembered. No centralized management. Most organizations start here.

Level 2 — Managed 50% coverage

Centralized AV management, WSUS/patch server deployed, Group Policy enforced, BitLocker on laptops, basic logging enabled.

Level 3 — Hardened 75% coverage

EDR deployed, application whitelisting, USB control policies, CIS benchmarks applied, automated patch compliance reporting, SIEM log forwarding.

Level 4 — Proactive 90%+ coverage

Threat hunting, automated EDR response playbooks, Zero Trust device trust posture, privileged access workstations (PAW), hardware attestation (TPM), continuous compliance scoring.

✅ Start Here: If you are currently at Level 1 — prioritize in this exact order: (1) Enable and centrally manage Windows Defender via Intune or Group Policy, (2) Deploy WSUS or a cloud patch solution and enforce weekly patching, (3) Enable BitLocker on all laptops. These three steps alone eliminate the majority of endpoint risk at minimal cost. Add EDR and application control once the baseline is solid.

2 Antivirus & EDR Selection

Traditional antivirus relies on signature matching — it only detects known malware. Endpoint Detection and Response (EDR) adds behavioral analysis, process monitoring, memory scanning, and threat hunting capabilities — detecting attacks that bypass signatures entirely. Modern enterprise environments need EDR, not just AV.

EDR Platform Comparison

Platform	Best For	Key Strength	India Pricing	Management
Microsoft Defender for Endpoint P2	Microsoft 365 environments	Native OS integration, no agent overhead, included in M365 E5	₹450–₹600/user/month (M365 E5)	Microsoft Intune / Defender Portal
CrowdStrike Falcon	Enterprise, large scale	Industry-leading threat intelligence, lightweight agent	₹1,200–₹2,000/endpoint/year	Cloud-based Falcon console
SentinelOne Singularity	Automated response focus	Autonomous AI response — quarantine and rollback without analyst	₹800–₹1,400/endpoint/year	Cloud-based S1 console
Sophos Intercept X	SMB to mid-market	Deep learning AV + EDR, strong ransomware rollback	₹600–₹900/endpoint/year	Sophos Central (cloud)
FortiEDR	Fortinet ecosystem	Tight integration with FortiGate and FortiSIEM	₹700–₹1,100/endpoint/year	FortiEDR Cloud or on-prem
Windows Defender (built-in)	Budget-constrained orgs	Free, good detection rates, centrally managed via GPO/Intune	Free	GPO, Intune, or SCCM

✅ Pro Tip: For organizations already using Microsoft 365 Business Premium or E3/E5 — Microsoft Defender for Endpoint is included at no extra cost and delivers genuine EDR capabilities. Before purchasing a third-party EDR, check your existing Microsoft licensing — many organizations are unknowingly paying for duplicate protection when Defender for Endpoint P1 or P2 is already included in their Microsoft 365 subscription tier.

3 Windows Hardening Baseline

Windows out-of-the-box is configured for maximum compatibility, not maximum security. Applying a hardening baseline — either CIS Benchmark Level 1 or Microsoft Security Baseline — significantly reduces the attack surface without impacting day-to-day usability.

Critical Group Policy Hardening Settings

# Apply via Group Policy Management Console (GPMC)
# Or via PowerShell with LGPO tool for standalone machines

# ── Account Policy ──────────────────────────────────────
Computer Config → Windows Settings → Security Settings → Account Policy

  Password Policy:
    Minimum password length:           14 characters
    Password complexity:               Enabled
    Password history:                  24 passwords remembered
    Maximum password age:              90 days
    Minimum password age:              1 day

  Account Lockout Policy:
    Account lockout threshold:         5 invalid attempts
    Account lockout duration:          15 minutes
    Reset account lockout counter:     15 minutes

# ── Local Policies ───────────────────────────────────────
  Audit Policy — enable ALL of these:
    Audit account logon events:        Success, Failure
    Audit account management:          Success, Failure
    Audit logon events:                Success, Failure
    Audit object access:               Failure
    Audit policy change:               Success, Failure
    Audit privilege use:               Failure
    Audit process tracking:            No auditing (too noisy for most)
    Audit system events:               Success, Failure

  User Rights Assignment:
    Deny log on locally:               Add Guest account
    Deny log on through RDP:           Add Guest account
    Allow log on through RDP:          Remove "Everyone" — add specific group only

# ── Security Options ──────────────────────────────────────
  Interactive logon — Do not display last user name:   Enabled
  Network access — Do not allow anonymous enumeration: Enabled (both settings)
  Network security — LAN Manager auth level:           Send NTLMv2 only, refuse LM & NTLM
  UAC — Behavior of elevation prompt (admins):         Prompt for credentials on secure desktop
  UAC — Run all administrators in Admin Approval Mode: Enabled

Windows Defender Configuration via PowerShell

# Run as Administrator on each endpoint (or deploy via GPO/Intune)

# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Enable cloud-delivered protection (highest detection rate)
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

# Enable network protection (blocks malicious URLs at kernel level)
Set-MpPreference -EnableNetworkProtection Enabled

# Enable controlled folder access (ransomware protection)
Set-MpPreference -EnableControlledFolderAccess Enabled

# Set scan schedule (daily at 2 AM)
Set-MpPreference -ScanScheduleDay Everyday
Set-MpPreference -ScanScheduleTime 120

# Enable tamper protection (prevents disabling Defender)
# Note: Must be set via Intune or Defender portal — not PowerShell
# Intune: Endpoint Security → Antivirus → Windows Security Experience
#         → Tamper Protection: Enabled

# Verify settings
Get-MpPreference | Select-Object -Property *Protection*, *Monitoring*

⚠️ Warning: Enabling Controlled Folder Access (ransomware protection) will initially block legitimate applications from writing to protected folders — including some line-of-business apps, backup agents, and scripts. Before enforcing it organization-wide, run it in audit mode first: Set-MpPreference -EnableControlledFolderAccess AuditMode. Review the audit logs for 1–2 weeks, add allowed applications, then switch to Enabled mode.

4 Linux Server Hardening

Linux servers are increasingly targeted — attackers know that many organizations apply rigorous endpoint security to Windows desktops but leave Linux servers with default configurations. The CIS Benchmark for Ubuntu/RHEL provides a comprehensive, auditable hardening baseline.

Ubuntu Server Hardening Checklist

# ── SSH Hardening (/etc/ssh/sshd_config) ───────────────
PermitRootLogin no                  # Never allow root SSH login
PasswordAuthentication no           # Key-based auth only
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers deploy sysadmin          # Whitelist specific users only
Protocol 2
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256

# Apply changes
sudo systemctl restart sshd

# ── UFW Firewall ─────────────────────────────────────────
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from 10.10.0.0/24 to any port 22    # SSH — internal only
sudo ufw allow 443/tcp                             # HTTPS if web server
sudo ufw enable
sudo ufw status verbose

# ── Automatic Security Updates ───────────────────────────
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
# Edit /etc/apt/apt.conf.d/50unattended-upgrades:
# Unattended-Upgrade::Automatic-Reboot "false";
# Unattended-Upgrade::Mail "sysadmin@enterweb.in";

# ── Disable Unused Services ───────────────────────────────
sudo systemctl disable avahi-daemon cups bluetooth
sudo systemctl stop avahi-daemon cups bluetooth

# ── Kernel Hardening (/etc/sysctl.d/99-hardening.conf) ───
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.disable_ipv6 = 1           # If IPv6 not used
kernel.randomize_va_space = 2                # ASLR — full randomization
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

sudo sysctl --system     # Apply without reboot

Linux Audit & Intrusion Detection

auditd: Linux kernel audit framework — logs file access, privilege escalation, and command execution. Install: sudo apt install auditd audispd-plugins
AIDE (Advanced Intrusion Detection Environment): File integrity monitoring — creates a baseline hash database and alerts on unauthorized file changes. Critical for server OS files
Fail2ban: Automatically bans IPs with repeated failed SSH/web login attempts — blocks brute-force attacks. Install: sudo apt install fail2ban
Lynis: Security auditing tool — scans system configuration against CIS benchmarks and generates a hardening score with specific recommendations
ClamAV: Open-source antivirus for Linux — run weekly scans on file servers and mail servers to detect malware in user-uploaded files

5 Patch Management Automation

Unpatched vulnerabilities are the leading cause of successful ransomware attacks. The average time from vulnerability disclosure to active exploitation is now under 14 days — meaning organizations that patch monthly are exposed for up to 30 days after a critical vulnerability is published.

Patch Management Architecture

Inventory: Know every endpoint — deploy an agent-based inventory tool. No patching strategy works without a complete, accurate asset list
Classification: Triage patches by severity — Critical (CVSS 9+) must be deployed within 72 hours, High (7–8.9) within 7 days, Medium within 30 days
Test ring: Deploy patches to a pilot group of 5–10% of devices first — catch breaking changes before organization-wide rollout
Production ring: Deploy to remaining devices in waves — 25% on Day 3, 50% on Day 5, remaining 25% on Day 7
Compliance reporting: Generate weekly patch compliance report — flag any device more than 30 days behind on critical patches
Exception management: Document and track all patch exceptions — legacy systems that cannot be patched must have compensating controls (network isolation, enhanced monitoring)

Windows WSUS + PowerShell Patch Compliance Check

# Check Windows Update compliance on a single machine (PowerShell)
$UpdateSession = New-Object -ComObject Microsoft.Update.Session
$Searcher = $UpdateSession.CreateUpdateSearcher()
$Results = $Searcher.Search("IsInstalled=0 and Type='Software'")

Write-Host "Missing Updates: $($Results.Updates.Count)"
$Results.Updates | ForEach-Object {
    [PSCustomObject]@{
        Title    = $_.Title
        Severity = $_.MsrcSeverity
        Size     = [math]::Round($_.MaxDownloadSize / 1MB, 2)
    }
} | Sort-Object Severity | Format-Table -AutoSize

# Run against multiple machines via Invoke-Command:
$Computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
Invoke-Command -ComputerName $Computers -ScriptBlock {
    $US = New-Object -ComObject Microsoft.Update.Session
    $SR = $US.CreateUpdateSearcher()
    $R = $SR.Search("IsInstalled=0")
    [PSCustomObject]@{
        Computer       = $env:COMPUTERNAME
        MissingUpdates = $R.Updates.Count
        CriticalCount  = ($R.Updates | Where-Object {$_.MsrcSeverity -eq "Critical"}).Count
    }
} | Export-Csv -Path "patch-compliance-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation

✅ Pro Tip: Use Microsoft Intune (cloud) or SCCM (on-premises) for enterprise patch management rather than relying on WSUS alone. Intune provides real-time patch compliance dashboards, deployment rings, and automatic remediation — and it manages both domain-joined and Azure AD-joined devices including remote laptops that never connect to the office network. WSUS only works when devices are on the corporate network or VPN.

6 BitLocker & Full Disk Encryption

Full disk encryption ensures that a stolen or lost laptop is worthless to an attacker — all data is cryptographically inaccessible without the encryption key. BitLocker on Windows and LUKS on Linux are the standard enterprise solutions for this control.

BitLocker Deployment via Group Policy

# Group Policy Path:
# Computer Config → Admin Templates → Windows Components → BitLocker Drive Encryption

# Operating System Drives:
  Require additional authentication at startup:         Enabled
    - Allow BitLocker without compatible TPM:           Disabled (require TPM)
    - Configure TPM startup:                            Do not allow TPM
    - Configure TPM startup PIN:                        Require startup PIN with TPM
    - Configure TPM startup key:                        Do not allow startup key with TPM
    - Configure TPM startup key and PIN:                Do not allow startup key and PIN

  Choose drive encryption method and cipher strength:   Enabled
    - OS drives:   XTS-AES 256-bit
    - Fixed drives: XTS-AES 256-bit
    - Removable:    AES-CBC 128-bit (compatibility)

  Choose how BitLocker-protected OS drives can be recovered:
    Allow data recovery agent:                          Enabled
    Save BitLocker recovery info to AD DS:              Enabled
    Do not enable BitLocker until recovery info stored: Enabled ← Critical

# PowerShell — Enable BitLocker with TPM + PIN
$SecurePin = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" `
  -EncryptionMethod XtsAes256 `
  -TpmAndPinProtector `
  -Pin $SecurePin

# Backup recovery key to Active Directory
Backup-BitLockerKeyProtector -MountPoint "C:" `
  -KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[0].KeyProtectorId

# Check status
Get-BitLockerVolume -MountPoint "C:" | Select-Object MountPoint, EncryptionPercentage, VolumeStatus

🚨 Critical: Never enable BitLocker without first configuring recovery key backup to Active Directory or Azure AD — and set the policy to "Do not enable BitLocker until recovery information is stored." If a user forgets their PIN and the recovery key is not backed up, the device data is permanently inaccessible — there is no bypass, no Microsoft support call that can recover it. Test the recovery process on at least 3 devices before deploying organization-wide.

7 Application Control & USB Policy

Application control (whitelisting) prevents unauthorized software from executing — blocking malware, pirated software, and shadow IT applications. USB device control prevents data exfiltration and malware introduction via physical media.

Windows Defender Application Control (WDAC)

# Create a WDAC policy — allow only Microsoft-signed + specific app publishers
# Step 1: Generate a base policy from the current system's installed apps
New-CIPolicy -Level Publisher `
  -FilePath "C:\Policies\BasePolicy.xml" `
  -UserPEs `
  -MultiplePolicyFormat

# Step 2: Convert to binary format
ConvertFrom-CIPolicy -XmlFilePath "C:\Policies\BasePolicy.xml" `
  -BinaryFilePath "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"

# Step 3: Enable audit mode FIRST — logs blocked apps without enforcing
# Edit BasePolicy.xml — change  to include:
# Enabled:Audit Mode

# Step 4: After 2 weeks of audit review, switch to enforce mode:
# Remove the Audit Mode option from XML, recompile and deploy

# Deploy via GPO:
# Computer Config → Admin Templates → System → Device Guard
# → Deploy Windows Defender Application Control: Enabled
# → Point to policy file path on SYSVOL share

USB Device Control via Group Policy

# Block ALL removable storage (most secure)
# Computer Config → Admin Templates → System → Removable Storage Access

  All Removable Storage classes — Deny all access:     Enabled

# OR — More granular: allow specific approved USB devices only
# Requires Intune or third-party DLP tool for device ID whitelisting

# Block USB via Registry (for standalone machines):
reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f
# Value 4 = disabled, Value 3 = enabled (manual)

# Allow read-only (users can read USB but not write/copy to it):
# Computer Config → Admin Templates → System → Removable Storage Access
  Removable Disks — Deny write access:                 Enabled
  Removable Disks — Allow read access:                 Enabled

⚠️ Warning: A blanket USB block will create immediate helpdesk tickets from users who use USB drives for legitimate purposes — presentations, file transfers with clients, peripheral devices. Before deploying, survey your user base for legitimate USB use cases, create an exception process for approved devices, and communicate the policy change with at least 2 weeks notice. A USB policy that gets bypassed or disabled due to user pressure provides no security benefit.

8 EDR Alerting & Response Playbook

An EDR tool generates alerts — but alerts without a response process are just noise. Every organization deploying EDR needs a documented response playbook defining who does what when an alert fires, how severity is classified, and what the containment and investigation steps are.

Alert Severity Classification

Severity	Example Triggers	Response Time	First Action
🔴 Critical	Ransomware detected, lateral movement, credential dumping (Mimikatz), C2 callback	Immediate — <15 min	Isolate endpoint from network immediately
🟡 High	Malware blocked, suspicious PowerShell, privilege escalation attempt	<1 hour	Investigate process tree, check for persistence
🟢 Medium	PUA detected, suspicious script, unusual network connection	<4 hours	Review alert context, check user activity
⚪ Low	Known tool flagged, false positive likely, policy violation	Next business day	Log, review in weekly batch, tune detection rule

Incident Response Playbook — Ransomware Detected

Isolate immediately: In EDR console → select affected device → Network Isolation (keeps EDR connection active but blocks all other traffic). Do NOT manually disconnect network cable — keeps forensic connection alive
Preserve evidence: Take a memory dump and disk image before any remediation — required for forensics and insurance claims
Identify patient zero: Review EDR process tree — find the initial execution vector (email attachment, browser download, RDP, USB)
Check lateral movement: Review authentication logs for the 24 hours before detection — look for unusual logins from the affected machine to other systems
Check for persistence: Review scheduled tasks, registry run keys, startup folders, and installed services created in the same timeframe
Scope the blast radius: Identify all systems the compromised user account authenticated to — they may also be compromised
Notify stakeholders: Inform IT management, CISO, and legal — if customer data is involved, activate the data breach notification process
Remediate: Reset affected user credentials, revoke active sessions, wipe and reimage the endpoint from known-good image, restore data from pre-incident backup
Post-incident review: Document timeline, root cause, and control gaps — update detection rules and security awareness training content

✅ Pro Tip: Run a tabletop incident response exercise every 6 months — gather your IT team, present a realistic ransomware or data breach scenario, and walk through the playbook without actually executing it. Tabletop exercises consistently reveal gaps in the playbook (missing contacts, unclear ownership, unavailable tools) that are discovered and fixed in a low-pressure environment rather than discovered during an actual incident at 2 AM on a Sunday.

Need Help Hardening Your Endpoints?

EnterWeb IT Firm deploys and manages enterprise endpoint security programs — from Windows hardening baselines and EDR deployment to patch management automation and incident response playbook development. We assess your current maturity and build a prioritized roadmap to Level 3 and beyond.

Schedule Free Security Assessment View Cybersecurity Services