Endpoint Protection Standard (EPS) — Guidance
Future revision: This page is under review and will be revised in the near future.
This page helps NC State IT groups comply with security requirements per NC State University Rule 08.00.18 — Endpoint Protection Standard (EPS). All NC State IT groups are responsible for complying with all requirements stated in the EPS rule per their areas of responsibility.
This page provides the following context and guidance for each security requirement:
- Impact
- References
- Best Practices for Windows, macOS, and Linux endpoints. Note that, except for Approved CMSs, Best Practices for Linux endpoints will be published in the future.
NOTE: Please read and understand the EPS Rule before continuing.
[oit-panel header="Approved CMSs" headertype="h2" type="collapsible" openclosed="closed" border="border"]
Impact
NC State requires an inventory of all endpoints to verify that all resources and data are protected consistently against ongoing threats and risks. An approved Configuration Management System (CMS) gives the university the ability to respond to threats, vulnerabilities, and attacks efficiently and in a timely manner.
References
- Approved CMSs
- IT Exception Request Form (to request CMS approval)
- NC State OIT Security Home Page
- NIST Resources for Higher Ed
- NIST Cyber Security Framework
- Higher Education and National Security: The Targeting of Sensitive, Proprietary, and Classified Information on Campuses of Higher Education
- Cyber Criminals Target Higher Ed
Best Practices
Windows
Join all endpoints to WolfTech AD; domain-joined endpoints are managed by System Center Configuration Manager (SCCM) automatically. All supported OSs have a default security baseline enabled in WolfTech AD.
- See Windows Security Baselines for details.
macOS
Enroll all macOS endpoints in NC State’s implementation of Jamf Pro, the approved Configuration Management System (CMS). Jamf Pro includes automatic daily inventory updates.
- Enroll your Apple endpoints in Jamf Pro.
- For details, see Jamf Pro for NC State.
Linux
[/oit-panel]
[oit-panel header="Antivirus and Anti-Malware" headertype="h2" type="collapsible" openclosed="closed" border="border"]
Impact
The university must take proactive measures to protect its resources (including data and users) from known vulnerabilities. Therefore, NC State requires an antivirus and anti-malware solution to provide prevention, detection and effective responses to ongoing threats and attacks.
References
- Guide to Malware Incident Prevention and Handling for Desktops and Laptops
- REG 08.00.10 – Antivirus Software Requirements
- NC State Antivirus Resources
Best Practices
Windows
- Install System Center Endpoint Protection (SCEP) for automatic antivirus and anti-malware protection.
- Join all endpoints to WolfTech AD, which has the SCCM agent installed automatically and activates SCEP by default. See NC State Microsoft Endpoint Protection for details.
- The Microsoft-recommended antivirus exclusions are configured by default. See Microsoft Windows Defender for details.
macOS
Install DetectX Swift and make sure Apple's built-in protections are enabled: XProtect, System Integrity Protection (SIP), and Gatekeeper.
- See DetectX Setup In Jamf Pro for details.
Linux
Future; see EPS — Phases of Implementation for details.
[/oit-panel]
[oit-panel header="Authentication" headertype="h2" type="collapsible" openclosed="closed" border="border"]
Impact
Requiring an ID and one or more additional factors for endpoint logins protects against unauthorized access to university data. Requiring periodic reauthentication protects against unauthorized use of unattended endpoints.
References
- NC State Password Standard
- System Access Request (SAR) Overview
- System Access Removal Procedure
- Two-Factor Authentication (2FA) at NC State
- A Framework for Multi-mode Authentication: Overview and Implementation Guide
- Shibboleth at NC State
Best Practices
Windows
Join all endpoints to WolfTech AD; domain-joined endpoints require authentication at login by default, and all domain authentication is logged on the domain controllers.
macOS
Deploy a computer-level configuration profile that disables automatic login (the Login Options setting).
- See Jamf Pro Policy Cheat Sheet to set up this profile in the approved CMS.
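The macOS settings this page asks you to keep enabled (XProtect, SIP and Gatekeeper in the Antivirus and Anti-Malware panel, and automatic login disabled here) can be reported into the Jamf Pro inventory with a script-type extension attribute, so a smart group can flag Macs that drift. The script below is an added example and is not NC State OIT or Jamf code. It assumes the output formats of csrutil(8), spctl(8) and defaults(1) on recent macOS releases, the XProtect bundle locations used since macOS 10.15, and a made-up attribute name; the parsing functions take command output as arguments so they can be exercised on any host with constructed strings.

```shell
#!/bin/bash
# Jamf Pro extension attribute (assumed name: "EPS macOS Protection Status").
# Added example, not NC State OIT or Jamf code. Reports SIP, Gatekeeper,
# XProtect and automatic-login state as a single <result> string.

# ---- Parsing functions: take command output as $1, so they run anywhere -----

# `csrutil status` prints "System Integrity Protection status: enabled." or
# "... disabled."; a custom configuration prints "unknown (Custom Configuration)".
parse_sip_status() {
    case "$1" in
        *"status: enabled"*)  echo "enabled" ;;
        *"status: disabled"*) echo "disabled" ;;
        *)                    echo "unknown" ;;
    esac
}

# `spctl --status` prints "assessments enabled" or "assessments disabled".
parse_gatekeeper_status() {
    case "$1" in
        *"assessments enabled"*)  echo "enabled" ;;
        *"assessments disabled"*) echo "disabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# `defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser`
# prints the account name when automatic login is on; when it is off the key
# is absent, defaults exits non-zero and stdout is empty.
parse_autologin() {
    local user
    user=$(printf '%s' "$1" | tr -d '[:space:]')
    if [ -n "$user" ]; then
        echo "enabled:$user"
    else
        echo "disabled"
    fi
}

# Single verdict stored in the attribute: any disabled protection, an enabled
# automatic login, or an unreadable XProtect version is non-compliant.
overall_verdict() {
    local sip="$1" gk="$2" al="$3" xp="$4"
    if [ "$sip" = "enabled" ] && [ "$gk" = "enabled" ] \
       && [ "$al" = "disabled" ] && [ -n "$xp" ] && [ "$xp" != "unknown" ]; then
        echo "compliant"
    else
        echo "non-compliant"
    fi
}

# ---- Collection on a real macOS host ----------------------------------------

# XProtect.bundle lives under /Library/Apple since macOS 10.15 (assumption:
# both paths are checked so older releases still report a version).
xprotect_version() {
    local p
    for p in /Library/Apple/System/Library/CoreServices/XProtect.bundle \
             /System/Library/CoreServices/XProtect.bundle; do
        if [ -f "$p/Contents/Info.plist" ]; then
            defaults read "$p/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null && return
        fi
    done
    echo "unknown"
}

# Emit the Jamf <result> line. On a non-macOS host the tools do not exist, so
# report "unknown" rather than a misleading verdict.
report() {
    if [ "$(uname)" != "Darwin" ]; then
        echo "<result>unknown: not macOS</result>"
        return
    fi
    local sip gk al xp
    sip=$(parse_sip_status "$(csrutil status 2>/dev/null)")
    gk=$(parse_gatekeeper_status "$(spctl --status 2>/dev/null)")
    al=$(parse_autologin "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)")
    xp=$(xprotect_version)
    echo "<result>$(overall_verdict "$sip" "$gk" "$al" "$xp") sip=$sip gatekeeper=$gk autologin=$al xprotect=$xp</result>"
}

report
```

Add the script as an extension attribute of type "Script" in Jamf Pro; the `<result>` value then appears in each computer's inventory record after the daily inventory update, and a smart group keyed on a value beginning with "non-compliant" gives you the remediation scope. SIP in a custom configuration is deliberately reported as "unknown" so it is not counted as compliant.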
Linux
Future; see EPS — Phases of Implementation for details.
[/oit-panel]
[oit-panel header="Sensitive Information Identification & Remediation (SIIR)" headertype="h2" type="collapsible" openclosed="closed" border="border"]
Impact
Scanning university resources for sensitive data reduces the risk of disclosures that could harm the university.
References
Best Practices
Windows
- Join all endpoints to WolfTech AD, which has Spirion installed by default.
- Develop and follow a business process to automate scanning and alerts.
macOS
Develop and follow a business process to install Spirion.
- See Jamf Pro Policy Cheat Sheet to create a policy to install the latest version of Spirion Identity Finder available from the Jamf Pro packages distribution.
Linux
Future; see EPS — Phases of Implementation for details.
[/oit-panel]
[oit-panel header="Software Inventory" headertype="h2" type="collapsible" openclosed="closed" border="border"]
Impact
Maintaining a software inventory is critical to mitigating an identified risk or threat and is therefore required for effective and timely patching.
References
Best Practices
Windows
Join all endpoints to WolfTech AD to have SCCM collect a hardware and software inventory by default.
macOS
Enroll your Apple endpoints with Jamf Pro. Jamf Pro includes automatic daily inventory updates.
Linux
Future; see EPS — Phases of Implementation for details.
[/oit-panel]
[oit-panel header="Future Guidance" headertype="h2" type="collapsible" openclosed="closed" border="border"]
Guidance for the following EPS security controls will be documented in the future. See EPS — Phases of Implementation for details.
- Least Privilege Access
- Encrypted Network Communication
- Host-based Firewall
- Full Disk Encryption (with university key escrow)
- Web Reputation Filtering
- File Integrity Monitoring
- Application Control
[/oit-panel]