Original Issuance Date: February 17, 2022

Effective Date: February 17, 2023

1.     Purpose of Procedures

The purpose of this procedure is to provide a formal structure for the deployment and management of endpoint protection systems and controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.

2.     Responsible UW System Officer

Associate Vice President for Information Security

3.     Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions.

4.     Procedures

A. Standards

I. Endpoint Malware Protection Requirements

  1. All file systems must be scanned periodically for malware. Anti-malware software must be actively running in a mode which automatically takes corrective action when possible and must not be capable of being disabled temporarily or permanently by end users.
  2. All endpoint protection software must be actively managed, including ensuring that the endpoint protection software is periodically updated to the latest version and that associated definition files are updated within 24 hours of release.
  3. Any endpoint which has been found to be actively infected with malicious and/or unauthorized software which cannot be neutralized by the endpoint’s malware protection software must be isolated from the rest of the network until appropriately triaged.

II. Operating Systems

Endpoints with Operating Systems that have reached end-of-life support shall not be permitted to connect to the UW’s networks. Special-purpose endpoints that cannot be updated to supported Operating Systems may be permitted by the institutional IS Designee to connect to the UW’s networks if sufficient controls are implemented to segregate the system(s) from the rest of the network.

III. Principle of Least Privilege

End user and/or Administrator access on endpoints must be implemented in accordance with the principle of least privilege. Administrator access on workstations shall only be provided to end users that need such access to perform their job functions.

IV. Unattended Endpoints

  1. Endpoints must activate a screen lock after 15 minutes of inactivity. Special-purpose endpoints designed for controlling laboratory instrumentation, endpoints designated for public access, or digital signage are exempt from screen lock if sufficient controls are in place to prevent unauthorized access.

V. Endpoint Configuration Items

To the extent possible, all endpoints must:

  1. Have their host firewall enabled.
  2. Have remote access protocols such as RDP and SSH disabled by default. Protocols may be enabled as needed if sufficient controls are in place to prevent unauthorized access.
  3. Have macros disabled by default within all installed software applications and/or productivity suites. Macros may be enabled for trusted documents as needed.

5.     Related Documents

Regent Policy Document 25-3, Acceptable Use of Information Technology Resources
Regent Policy Document 25-5, Information Technology: Information Security

UW System Information Security Program

UW System Administrative Policy 1000, Information Security: General Terms and Definitions
UW System Administrative Policy 1036, Information Security: Endpoint Protection Policy

6.     History

First approved: February 17, 2022