@kmontenegro
Last active March 7, 2018 11:49
Endpoint Thresholds

Securing endpoints is hard. Between user account management, patch management, and secure physical access, there are so many things that can go wrong.

Below are some potential baseline considerations for endpoint protection of Windows machines:

  1. Make sure the machine is part of a patch management routine.
  2. Use the Microsoft Security Baseline recommendations and, where possible, apply them by Group Policy Object (GPO).
  3. Always grant least privilege to your users. If an application requires local admin rights, work with the vendor to identify how that window of elevated rights can be restricted.
  4. Enable application control. This not only helps keep your patch surface small, it also helps identify what the machine's purpose is and what the corresponding threat vectors are. See whether AppLocker or the application whitelisting in Device Guard helps you establish a baseline posture and practice.
  5. PowerShell is great, but does it need to be installed on all machines? Can you run it only in "Constrained Language" mode?
  6. Tighten up macro security in Microsoft Office documents. You can do this through a GPO whereby a user has to intentionally take a document out of "protected" mode.
  7. Use DNS to your advantage: be it OpenDNS or other providers, there are more and more ways to prevent malicious traffic from reaching your endpoints. These small steps can help protect your endpoints from malicious activity such as ransomware.
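A read-only PowerShell audit that checks a workstation against items 1, 3, 4, 5, 6 and 7 of the list above, added here as an example; it is not part of the original gist. It assumes Office 2016 or later registry paths (`16.0`), and the approved-administrator list and approved-resolver list are placeholders to replace with your own (the OpenDNS addresses stand in for whichever filtering provider you use). Item 2 has no single observable setting, so it is not checked.

```powershell
#Requires -Version 5.1
# Read-only endpoint baseline audit (added example; not part of the original gist).
# Reports PASS/WARN/FAIL per area without changing any setting.
# Assumptions: Office 2016+ registry paths (16.0); the approved-admin and
# approved-resolver lists below are placeholders to replace with your own.
param(
    [int]$MaxPatchAgeDays        = 30,
    [string[]]$ApprovedAdmins    = @('Administrator', 'Domain Admins'),
    [string[]]$ApprovedResolvers = @('208.67.222.222', '208.67.220.220')  # OpenDNS, as an example
)

$script:findings = @()
function Add-Finding([string]$Area, [string]$Status, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Area = $Area; Status = $Status; Detail = $Detail }
}

# 1. Patch management: is the newest installed hotfix recent enough?
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    Add-Finding 'Patching' 'FAIL' 'No hotfix install dates recorded'
} else {
    $age    = ((Get-Date) - $latest.InstalledOn).Days
    $status = if ($age -gt $MaxPatchAgeDays) { 'FAIL' } else { 'PASS' }
    Add-Finding 'Patching' $status "Newest hotfix $($latest.HotFixID) is $age days old"
}

# 3. Least privilege: members of local Administrators outside the approved list.
$extraAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { ($_.Name -split '\\')[-1] -notin $ApprovedAdmins })
if ($extraAdmins.Count -gt 0) {
    Add-Finding 'Local admins' 'WARN' ('Unexpected members: ' + ($extraAdmins.Name -join ', '))
} else {
    Add-Finding 'Local admins' 'PASS' 'Only approved members in Administrators'
}

# 4. Application control: AppLocker collections in enforce mode, or WDAC (Device Guard)
#    enforcing user-mode code integrity (0 = off, 1 = audit, 2 = enforced).
$enforcedCollections = @()
try {
    $enforcedCollections = @((Get-AppLockerPolicy -Effective).RuleCollections |
        Where-Object { $_.EnforcementMode -eq 'Enabled' })
} catch { }   # AppLocker module missing on this SKU
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$wdacEnforced = ($null -ne $dg) -and ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
if ($enforcedCollections.Count -gt 0 -or $wdacEnforced) {
    Add-Finding 'App control' 'PASS' "AppLocker enforced collections: $($enforcedCollections.Count); WDAC enforced: $wdacEnforced"
} else {
    Add-Finding 'App control' 'FAIL' 'Neither AppLocker nor WDAC is enforcing a policy'
}

# 5. PowerShell: language mode of this session (ConstrainedLanguage is the target).
$mode   = $ExecutionContext.SessionState.LanguageMode
$status = if ($mode -eq 'ConstrainedLanguage') { 'PASS' } else { 'WARN' }
Add-Finding 'PowerShell' $status "Language mode: $mode"

# 6. Office macros: values the GPO writes (VBAWarnings 2 = disable with notification,
#    3 = disable except digitally signed, 4 = disable all; BlockContentExecutionFromInternet 1 = block).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"   # assumes Office 16.0
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba = $p.VBAWarnings; $net = $p.BlockContentExecutionFromInternet
    $status = if ($vba -ge 3 -and $net -eq 1) { 'PASS' } elseif ($vba -ge 2) { 'WARN' } else { 'FAIL' }
    Add-Finding "Office macros ($app)" $status "VBAWarnings=$vba BlockContentExecutionFromInternet=$net"
}

# 7. DNS: configured IPv4 resolvers that are not the approved (filtering) ones.
$resolvers  = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique)
$unapproved = @($resolvers | Where-Object { $_ -notin $ApprovedResolvers })
if ($unapproved.Count -gt 0) {
    Add-Finding 'DNS' 'WARN' ('Resolvers outside approved list: ' + ($unapproved -join ', '))
} else {
    Add-Finding 'DNS' 'PASS' ('Resolvers: ' + ($resolvers -join ', '))
}

$script:findings | Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell 5.1 session on the endpoint itself. On a domain-joined machine the resolvers are normally the domain controllers, which forward to the filtering provider, so put the DC addresses in `-ApprovedResolvers` rather than the provider's; and because the Office checks read `HKCU`, run them as the user whose policy you want to verify.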