Windows Endpoint Hardening / Security Baseline Enforcement
planned
Mayer Kahan
I’d like to see Huntress ESPM expand into Windows endpoint hardening checks and remediation/enforcement.
The idea is to help MSPs baseline and harden devices against common attack paths by validating security best practices such as:
- Secure Boot status
- TPM 2.0 status
- SMBv1 enabled/disabled status
- Local Security Authority protection / LSASS protected process
- Virtualization-based Security
- HVCI / Memory Integrity / Core Isolation
- Credential Guard
- Firmware protection
- Memory access protection / Kernel DMA protection
- Microsoft Vulnerable Driver Blocklist
- UAC best-practice configuration
Individually, these settings are not a huge deal but together they create meaningful endpoint defense. They also give MSPs a much clearer way to identify endpoints that are technically “protected” by EDR but still poorly hardened at the Windows security configuration layer.
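As an added illustration of what such a baseline check could look like (this is example code written for this page, not Huntress ESPM code or anything the requester posted), the PowerShell below reads the state of most of the settings listed above and reports PASS/FAIL per check. It assumes Windows 10/11, an elevated session, and the Microsoft-documented CIM classes and registry locations named in the comments; the pass thresholds follow common CIS guidance. Kernel DMA protection is deliberately left out because it has no simple documented cmdlet (it is shown in msinfo32), and the script only reads state, it changes nothing.

```powershell
# Added example: read-only Windows hardening baseline check (not Huntress or vendor code).
# Assumes Windows 10/11 and an elevated PowerShell session.

function Get-RegValue {
    # Returns a registry value or $null when the key/value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Name; Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
}

function Test-EndpointBaseline {
    $results = @()

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS or unsupported platforms.
    try {
        $sb = Confirm-SecureBootUEFI
        $results += New-Check 'Secure Boot' $sb "Confirm-SecureBootUEFI=$sb"
    } catch {
        $results += New-Check 'Secure Boot' $false "Not UEFI or unsupported: $($_.Exception.Message)"
    }

    # TPM 2.0: Win32_Tpm.SpecVersion starts with the spec version, e.g. "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmDetail = if ($tpm) { "SpecVersion=$($tpm.SpecVersion) Enabled=$($tpm.IsEnabled_InitialValue)" } else { 'No TPM found' }
    $results += New-Check 'TPM 2.0' ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*') $tpmDetail

    # SMBv1 server: must be disabled. A failed query is reported as FAIL rather than PASS.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $results += New-Check 'SMBv1 disabled' ($null -ne $smb -and -not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"

    # LSA protection: RunAsPPL = 1 or 2 makes LSASS a protected process.
    $ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    $results += New-Check 'LSA protection (RunAsPPL)' ($null -ne $ppl -and $ppl -ge 1) "RunAsPPL=$(if ($null -eq $ppl) { 'not set' } else { $ppl })"

    # VBS / Credential Guard / HVCI / System Guard via Win32_DeviceGuard.
    # VirtualizationBasedSecurityStatus: 0 off, 1 enabled but not running, 2 running.
    # SecurityServicesRunning: 1 Credential Guard, 2 HVCI, 3 System Guard Secure Launch.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning)
    $svcDetail = "SecurityServicesRunning=$($running -join ',')"
    $results += New-Check 'Virtualization-based Security' ($dg.VirtualizationBasedSecurityStatus -eq 2) "VirtualizationBasedSecurityStatus=$($dg.VirtualizationBasedSecurityStatus) (2=running)"
    $results += New-Check 'Credential Guard' ($running -contains 1) "$svcDetail (1=Credential Guard)"
    $results += New-Check 'HVCI / Memory Integrity' ($running -contains 2) "$svcDetail (2=HVCI)"
    $results += New-Check 'Firmware protection (System Guard)' ($running -contains 3) "$svcDetail (3=Secure Launch)"

    # Microsoft Vulnerable Driver Blocklist: explicit value 1 under CI\Config.
    # An absent value means the OS build default applies, which this check does not assume.
    $vdb = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' 'VulnerableDriverBlocklistEnable'
    $results += New-Check 'Vulnerable Driver Blocklist' ($vdb -eq 1) "VulnerableDriverBlocklistEnable=$(if ($null -eq $vdb) { 'not set' } else { $vdb })"

    # UAC: EnableLUA=1, admin prompt on the secure desktop (ConsentPromptBehaviorAdmin 1 or 2),
    # PromptOnSecureDesktop=1. These are the values CIS-style baselines expect.
    $uacPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua     = Get-RegValue $uacPath 'EnableLUA'
    $consent = Get-RegValue $uacPath 'ConsentPromptBehaviorAdmin'
    $secure  = Get-RegValue $uacPath 'PromptOnSecureDesktop'
    $uacOk = ($lua -eq 1) -and ($consent -in 1, 2) -and ($secure -eq 1)
    $results += New-Check 'UAC configuration' $uacOk "EnableLUA=$lua ConsentPromptBehaviorAdmin=$consent PromptOnSecureDesktop=$secure"

    return $results
}

# Usage: print the table and summarise how many checks failed.
$baseline = Test-EndpointBaseline
$baseline | Format-Table -AutoSize
$failed = @($baseline | Where-Object Status -eq 'FAIL').Count
Write-Host "$failed of $($baseline.Count) hardening checks failed."
```

Each check carries its raw value in the Detail column so a reviewer can see why something failed rather than just that it did, which is the distinction the request draws between "EDR says protected" and "actually hardened". A FAIL on VBS-dependent items (Credential Guard, HVCI) on hardware without virtualization support is expected and would be one of the "impact" cases a remediation feature would need to flag before enforcing.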
Chris Bisnett
marked this post as planned
This is absolutely something we're going to add. The goal is to include the hardening that will satisfy security frameworks like CIS Benchmarks and Essential Eight.
In addition to identifying which settings need to be enabled, we're also going to try and identify any potential impact of enabling the settings so it's clear where you may cause user interruptions.
Jon Sale
This would be fantastic, especially if we could also choose specific hardening based on business needs, for example medical/HIPAA.