Hardening a single Windows PC for CMMC

[Image: a stylized laptop with a turtle-shell cover, a metaphor for a hardened Windows PC for CMMC]

Government contractors that handle (store, process, or transmit) Controlled Unclassified Information (CUI) must implement the National Institute of Standards and Technology (NIST) 800-171 standard to protect that CUI.  NIST 800-171 includes dozens of technical configuration requirements for IT components, such as workstations, that handle CUI.  Contractors in the Defense Industrial Base (DIB) that handle CUI face the additional Cybersecurity Maturity Model Certification (CMMC) Level 2 requirements, under which a third party must assess the implementation of NIST 800-171.  That assessment includes verification of those technical configurations.  Micro businesses in the DIB that only handle CUI on a workstation or two will find CMMC compliance very costly if they opt for managed security solutions.  This post describes Totem Tech’s approach to securely configuring (aka “hardening”) a single Windows PC to meet the technical requirements in NIST 800-171, which will help the organization pass the scrutiny of a CMMC Level 2 assessment.  With some intermediate-level Windows administration skill, a micro business owner can follow our guidance and adequately secure his/her Windows PC to handle CUI.  And what’s more, at less than $1000 per year, our approach won’t break the bank.  

We discuss the approach at a high-level in this post, but you can download a detailed hardening guide at the bottom of the post.  The downloadable guide breaks down the potential costs of configuring a laptop according to our recommendations.

General principles behind hardening a Windows workstation

While modern Windows operating systems include many security features “out of the box”, they aren’t by default configured according to many tenets of cybersecurity, including, but not limited to:

  • Least privilege — only provide a user the least amount of privilege needed to do their job
  • Least function — install the minimum set of applications necessary to do the job
  • Encryption for data confidentiality and integrity — ensure the secrecy of data and protect it from harmful modification
  • Allow-by-exception (allowlisting) — ensure only applications that are needed for the job are allowed to run
  • Multifactor authentication — ensure a user is required to input more than just a password to get access to the system
  • Security monitoring — “hunt” for anomalous activity that may indicate adversarial compromise

One has to make some configuration changes and/or install additional security-focused applications to ensure a Windows PC abides by all those tenets.  

Configuration changes include modifications to the Windows registry, for example to set logon warning banners, and to local security policies, for example to set password and lockout policies.  

Security-focused applications include event log collection, aggregation, review, and analysis tools, as well as application allowlisting tools.

However, to “harden” a Windows PC to meet the “adequate security” requirement for CUI established in NIST 800-171, many configuration changes must be applied, and several security-focused applications should be installed.  Let’s explore in more detail how we approach that hardening.

Totem Tech's approach to Windows PC hardening for CMMC

Our high-level approach to hardening a Windows PC so it will adequately protect CUI and pass inspection under a CMMC Level 2 assessment is shown in the following toggle sections.  Note that at the bottom of this post you can download a hardening guide that explains each task in more detail, provides links to useful sites and security application downloads, and highlights potential costs.  

Microsoft really wants you to set up a Windows PC using a Microsoft email account, but you don’t have to.  Setting it up without one will help prevent CUI from “spilling” into the M365 cloud services.  

By default, the first account you set up in a new Windows OS has administrative privileges.  However, several NIST 800-171 controls require you to perform “day-to-day” work as a non-administrative user, so you’ll need to set up a separate account for that.  This accords with the principle of Least Privilege.
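One way to create that separate day-to-day account and confirm that only the dedicated administrator account holds admin rights. This is an added example, not code from the original post or from Totem Tech; the account name is a placeholder, and it assumes you run it from an elevated PowerShell session on the PC being hardened.

```powershell
# Added example (not from the original post): create a non-administrative
# day-to-day account and confirm it is NOT in the local Administrators group.
# The user name is a placeholder; choose your own.
#Requires -RunAsAdministrator

$DailyUser = 'cui-user'

# Prompt for the password rather than embedding it in the script
$Password = Read-Host -AsSecureString "Password for $DailyUser"

if (-not (Get-LocalUser -Name $DailyUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $DailyUser -Password $Password `
        -FullName 'Day-to-day CUI user' `
        -Description 'Non-privileged account for daily work' | Out-Null
}

# Standard accounts belong only to the local 'Users' group
Add-LocalGroupMember -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue

# Group member names come back as COMPUTER\user, so match on the trailing part
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
function Test-IsLocalAdmin([string]$Name) {
    [bool]($admins -match ('\\' + [regex]::Escape($Name) + '$'))
}

# If the new account somehow landed in Administrators, take it back out
if (Test-IsLocalAdmin $DailyUser) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
}

# Report every enabled local account and whether it is an administrator;
# only the account you reserve for privileged work should show IsAdmin = True
Get-LocalUser | Where-Object Enabled | ForEach-Object {
    [pscustomobject]@{ Account = $_.Name; IsAdmin = (Test-IsLocalAdmin $_.Name) }
} | Format-Table -AutoSize
```

After this, log out and do your daily work as the new account; keep the original administrative account only for installing software and the rest of the hardening tasks.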

When you’re finished with the rest of the hardening tasks outlined below, turn on Windows MFA unlock so that you’re forced to provide multiple factors of authentication when you log into the PC. 

Microsoft Windows operating systems come pre-installed with a bunch of software and applications that you probably don’t need to do your job (unless part of your job is to play Xbox games on your laptop…).  Since NIST 800-171 requires all software to be patched, getting rid of unnecessary software makes your patching job easier.  But more importantly, in accordance with the principle of Least Function, overabundant software and application loadouts are a playground for exploitative adversaries.  We want to make their job as hard as possible, so get rid of the playground.

Once you have all unnecessary software uninstalled, only install the absolute minimum software applications you need to do your job. Think about it this way: the more bells and whistles you put on the laptop, the harder it is to manage; when you only need a minivan to do the job, don’t drive an 18-wheeler.  As an example: use the default Windows Edge browser if you can get away with it; avoid installing Chrome or Firefox.  
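Removing the preinstalled Store apps by hand is tedious, so here is the same task scripted, followed by an inventory of what remains (which is the list you then have to keep patched). This is an added example rather than the post's own procedure; the package names are real Windows Store package identities, but the list is illustrative and you should review it against your own needs before running it.

```powershell
# Added example (not from the original post): remove preinstalled Store apps
# that have no place on a CUI workstation, then inventory what is left.
# The package list is illustrative; trim or extend it for your own needs.
#Requires -RunAsAdministrator

$Unneeded = @(
    'Microsoft.XboxApp', 'Microsoft.XboxGameOverlay', 'Microsoft.XboxGamingOverlay',
    'Microsoft.XboxIdentityProvider', 'Microsoft.Xbox.TCUI', 'Microsoft.XboxSpeechToTextOverlay',
    'Microsoft.ZuneMusic', 'Microsoft.ZuneVideo', 'Microsoft.BingNews', 'Microsoft.BingWeather',
    'Microsoft.GetHelp', 'Microsoft.Getstarted', 'Microsoft.MicrosoftSolitaireCollection',
    'Microsoft.People', 'Microsoft.SkypeApp'
)

foreach ($name in $Unneeded) {
    # Remove the app from every existing user profile...
    Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue |
        Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue

    # ...and stop it being provisioned into accounts created later,
    # such as the day-to-day user account
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq $name |
        Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue | Out-Null
}

# Inventory: remaining Store apps (frameworks excluded) ...
Get-AppxPackage -AllUsers | Where-Object { -not $_.IsFramework } |
    Select-Object Name, Version | Sort-Object Name | Format-Table -AutoSize

# ... and classic installed programs, read from the Uninstall registry keys
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName | Format-Table -AutoSize
```

Save the inventory output with your system documentation; every entry on it is software you are responsible for patching.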

You’ll need to ensure data at rest (stored) on your PC is encrypted.  The same is true for any removable media / portable storage devices you use to store or back up data, such as USB flash drives or portable hard drives.  Since we’re talking backup, you’ll want to buy a separate drive to back up your PC’s data to, or maybe even to be the primary storage location of CUI data.

Kindly enough, Microsoft includes a nice drive encryption tool in the Windows operating system: BitLocker.  You’ll want to engage BitLocker on all drives on your PC, including removable ones.   
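Turning on BitLocker for both the operating system drive and the removable backup drive, then checking that every volume reports protection on, looks like this in PowerShell. This is an added example, not code from the post or from Totem Tech; the drive letters are assumptions, and it assumes the PC has a TPM (the usual case on a business laptop).

```powershell
# Added example (not from the original post): enable BitLocker on the OS drive
# (TPM protector plus recovery password) and on a removable backup drive
# (password protector), then verify every volume. Drive letters are assumptions.
#Requires -RunAsAdministrator

$OsDrive     = 'C:'
$BackupDrive = 'E:'   # the separate backup drive discussed above, if plugged in

# Operating system drive: start encryption with a recovery password, then add
# the TPM protector so the drive unlocks transparently on a healthy boot.
# Record the recovery password somewhere OTHER than this PC.
$os = Get-BitLockerVolume -MountPoint $OsDrive
if ($os.ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint $OsDrive -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null
}

# Removable drive (BitLocker To Go): password protector plus a recovery password
if (Test-Path "$BackupDrive\") {
    $rm = Get-BitLockerVolume -MountPoint $BackupDrive
    if ($rm.ProtectionStatus -ne 'On') {
        $pw = Read-Host -AsSecureString "BitLocker password for $BackupDrive"
        Enable-BitLocker -MountPoint $BackupDrive -PasswordProtector -Password $pw | Out-Null
        Add-BitLockerKeyProtector -MountPoint $BackupDrive -RecoveryPasswordProtector | Out-Null
    }
}

# Show the recovery passwords once so they can be written down off-device
foreach ($vol in Get-BitLockerVolume) {
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        '{0}  {1}  {2}' -f $vol.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
    }
}

# Compliance check: every fixed and removable volume should show
# VolumeStatus FullyEncrypted (once encryption finishes) and ProtectionStatus On
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, EncryptionMethod, VolumeStatus,
                  EncryptionPercentage, ProtectionStatus |
    Format-Table -AutoSize
```

Encryption of a large drive runs in the background; re-run the final check later and do not consider the task done until every volume reports FullyEncrypted with protection On.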

As we mentioned above, although Windows has several default security configurations “under the hood”, it can be (and according to NIST 800-171 must be) made much more secure by adding and tweaking some configurations. 

We recommend applying the Microsoft Windows Security Baseline, and then editing the Local Security Policy to establish password and account lockout policies in accordance with NIST 800-171.  Then edit the Windows registry to configure a logon warning banner. 

Lastly, ensure the Windows User Account Control (UAC) is configured to its strictest setting, to force you to use the administrator account to perform privileged actions.
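The password and lockout policy, the logon warning banner, and the UAC setting from the three paragraphs above can all be set from one elevated PowerShell session. This is an added example, not the post's own procedure; the numeric policy values are assumptions (NIST 800-171 does not prescribe specific numbers), the banner wording is a placeholder to replace with your organization's approved text, and it assumes you have already applied the Microsoft Security Baseline with Microsoft's LGPO tool.

```powershell
# Added example (not from the original post): account policies, logon banner,
# and strictest UAC. Numeric values are assumptions; banner text is a placeholder.
#Requires -RunAsAdministrator

# --- Password and account-lockout policy (Local Security Policy > Account Policies) ---
net accounts /minpwlen:14 /maxpwage:365 /minpwage:1 /uniquepw:24 `
             /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Password complexity and "store passwords using reversible encryption" are not
# reachable through 'net accounts'; apply them with a SECEDIT template
$inf = Join-Path $env:TEMP 'pwpolicy.inf'
$sdb = Join-Path $env:TEMP 'pwpolicy.sdb'
@'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db $sdb /cfg $inf /areas SECURITYPOLICY | Out-Null
Remove-Item $inf, $sdb -ErrorAction SilentlyContinue

# --- Logon warning banner, shown before the credential prompt ---
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sys -Name LegalNoticeCaption -Value 'Authorized Use Only'
Set-ItemProperty -Path $sys -Name LegalNoticeText -Value @'
This system processes Controlled Unclassified Information (CUI). Use is restricted to
authorized personnel and is monitored. By continuing you consent to that monitoring.
'@

# --- UAC at its strictest ("Always notify" on the UAC slider) ---
Set-ItemProperty -Path $sys -Name EnableLUA                  -Value 1 -Type DWord
Set-ItemProperty -Path $sys -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord  # admins: prompt on the secure desktop
Set-ItemProperty -Path $sys -Name ConsentPromptBehaviorUser  -Value 1 -Type DWord  # standard users: must enter admin credentials
Set-ItemProperty -Path $sys -Name PromptOnSecureDesktop      -Value 1 -Type DWord

# --- Read back what was applied ---
net accounts
Get-ItemProperty -Path $sys -Name LegalNoticeCaption, EnableLUA,
    ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop
```

With ConsentPromptBehaviorUser set to 1, any privileged action attempted from the day-to-day account produces a secure-desktop prompt for the administrator account's credentials, which is exactly the "use the administrator account for privileged actions" behaviour described above.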

Windows comes installed with the Windows Defender endpoint protection application, but unless you plan on using M365 Defender and Intune subscription services to really beef it up (which you probably don’t want to mess with) you’ll need to supplement with some third-party tools.  A nice aspect of Defender is the built-in firewall, so no matter what supplemental applications you install, make sure the Defender firewall is operating in its default state, blocking all inbound connections.
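A quick way to confirm the Defender firewall is still in that default state, and to see which inbound exceptions exist, since third-party installers often add allow rules silently. This is an added example, not code from the post or from Totem Tech; it assumes an elevated session and makes no change unless a profile has drifted from the default.

```powershell
# Added example (not from the original post): verify every firewall profile is
# enabled and blocks inbound by default, correct any drift, and list the
# enabled inbound ALLOW rules that form exceptions to "block all inbound".
#Requires -RunAsAdministrator

$profiles = Get-NetFirewallProfile
$profiles | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# Restore the expected state wherever it has drifted
$profiles | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' } |
    ForEach-Object {
        Set-NetFirewallProfile -Name $_.Name -Enabled True `
            -DefaultInboundAction Block -DefaultOutboundAction Allow
        Write-Warning "Firewall profile '$($_.Name)' was not in its default state; corrected."
    }

# Every enabled inbound allow rule is a hole in the default block. Windows ships
# a number of its own (Core Networking, etc.); anything tied to a third-party
# program is what you want to look at and justify or disable.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $program = ($_ | Get-NetFirewallApplicationFilter).Program
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Profile = $_.Profile
        Program = $program
    }
} | Sort-Object Program, Rule | Format-Table -AutoSize
```

Re-run this after installing each supplemental security tool; if the installer added an inbound allow rule you did not expect, disable it with Disable-NetFirewallRule and note the decision in your documentation.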

As an affordable additional endpoint protection suite of tools, we recommend PC Matic Pro for SMB.  PC Matic includes additional malware protection, vulnerability scanning, and application allowlisting features all-in-one. 

NIST 800-171 has a whole set of requirements (the “Audit and Accountability” family) that require you to monitor the Windows operating system and applications for adversarial activity.  This monitoring is tricky to do yourself without outsourcing to a Managed Security Service Provider (MSSP) that has a Security Operations team.  But we’ve found a nice solution in ManageEngine’s EventLog Analyzer, which can be installed on and monitor a single workstation.  Make a plan to check the tool for alerts at least once a day.  Also, so that you can accurately trace adversarial activities, be sure to set the Windows Network Time Protocol (NTP) time server to time.nist.gov as an authoritative time source for event log timestamps.
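Pointing the Windows Time service at time.nist.gov and confirming the sync, plus a check that the logon-related audit subcategories are actually producing the events a log analyzer needs, can be done as follows. This is an added example rather than the post's own steps; the audit subcategories chosen are an assumption (the Security Baseline normally turns these on, so this mostly verifies), and it assumes the PC can reach time.nist.gov on UDP port 123.

```powershell
# Added example (not from the original post): authoritative time source for
# event log timestamps, plus a check of key audit subcategories.
#Requires -RunAsAdministrator

# --- Windows Time service: time.nist.gov as the sole peer, client mode (0x8) ---
Set-Service -Name w32time -StartupType Automatic
Start-Service -Name w32time
w32tm /config /manualpeerlist:"time.nist.gov,0x8" /syncfromflags:manual /reliable:no /update | Out-Null
Restart-Service -Name w32time
w32tm /resync /nowait | Out-Null
Start-Sleep -Seconds 5

# Verify: Source should read time.nist.gov and the reported offset should be small
w32tm /query /source
w32tm /query /status

# --- Audit policy: make sure the events worth analyzing are being generated ---
# Subcategory list is an assumption; adjust to your own monitoring plan
$subcategories = @('Logon', 'Logoff', 'Account Lockout', 'Special Logon',
                   'Process Creation', 'User Account Management',
                   'Security Group Management', 'Audit Policy Change')

foreach ($sc in $subcategories) {
    $line = (auditpol /get /subcategory:"$sc" /r | ConvertFrom-Csv)
    if ($line.'Inclusion Setting' -notmatch 'Success and Failure') {
        Write-Warning "Audit subcategory '$sc' is '$($line.'Inclusion Setting')'; enabling Success and Failure."
        auditpol /set /subcategory:"$sc" /success:enable /failure:enable | Out-Null
    }
}

# Final readout of the full audit policy for your records
auditpol /get /category:*
```

Once both halves report cleanly, the timestamps in the Security log are traceable to an authoritative source and the log contains the logon, lockout and process events that EventLog Analyzer's alerting depends on.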

As an additional resource to monitor the PC for adversarial activity, apply for and install the NSA’s free PDNS filter.  While not explicitly required by NIST 800-171 or CMMC, PDNS will block your hardened PC’s access to known malicious websites. 

Lastly, install a free script blocker in your browser, such as uBlock Origin or NoScript, to help block unwanted code from executing as you visit websites. 

Wrapping Up

There you have an overview of how we approach hardening a Windows PC for handling CUI.  We must note that we’ve only outlined here what we do for the technical hardening of a PC; we haven’t addressed any organizational policies or business processes behind maintaining or re-configuring the PC down the road.  Your organization will not pass a CMMC Level 2 assessment just by following this guide.  So don’t mistake this post for a blueprint for a NIST 800-171 organizational cybersecurity program or System Security Plan (SSP).  If you’d like to learn more about building such a cybersecurity program to meet the CMMC requirements, we suggest you participate in one of our CMMC Readiness Workshops.  

For more detail with specific instructions on some of the tasks and cost breakdown, download the free guide from the form below.  If you feel like you don’t have the technical chops to follow the guide, no worries, contact us and we can help walk you through it or even do it for you. 

Good Hunting!

–Adam

Download our free Hardening a PC for CMMC guide
