Endpoint Hardening Checklist: 25 Steps to Secure Every Device in Your Fleet

Published March 22, 2026 - 21 min read

A financial services firm with 340 employees discovered during a routine penetration test that an attacker could move from a compromised marketing laptop to the payroll system in under four minutes. The path was straightforward: the laptop ran with local administrator privileges, had Remote Desktop Protocol enabled for convenience, stored cached domain credentials, and had no application control to prevent the attacker from running exploitation tools. Every one of these weaknesses existed because the device was deployed with default settings and never hardened.

Endpoint hardening is the systematic process of reducing the attack surface on every device in your fleet - laptops, desktops, servers, tablets, and phones - by disabling unnecessary features, applying secure configurations, enforcing encryption, restricting privileges, and deploying monitoring. The Center for Internet Security reports that organizations implementing CIS Benchmark hardening configurations experience 80 percent fewer successful attacks on hardened systems compared to devices running default configurations.

This checklist covers 25 specific, actionable hardening steps organized by category. Each step includes what to do, why it matters, and how to verify it is done. The checklist is designed for IT teams at companies with 50 to 500 endpoints, using a mix of Windows, macOS, and mobile devices.

Operating System Hardening (Steps 1-7)

Step 1: Disable Unnecessary Services and Features

Every operating system ships with services enabled that most business environments do not need. Each running service is a potential attack vector - code that processes input, listens on network ports, or operates with elevated privileges. On Windows, common services to disable include Print Spooler on machines that do not print, Windows Fax and Scan, Xbox services on enterprise devices, Remote Registry, and Windows Media Player network sharing. On macOS, disable AirDrop on managed devices, screen sharing if not needed, and remote login unless explicitly required.

How to implement: Use Group Policy (Windows), configuration profiles via MDM (macOS), or your endpoint management tool to create a baseline policy that disables unnecessary services across all managed devices. Document which services are disabled and why, so that troubleshooting in the future does not involve re-enabling services without understanding the security implication.

How to verify: Run a service inventory scan monthly. Compare running services against your approved baseline. Investigate any service running that is not on the approved list.
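The following is an added example (not code from the article) of the monthly verification described above: it compares the services running on the device against an approved baseline and reports drift. The two lists are constructed samples; replace them with the baseline you documented for your own environment.

```powershell
# Added example: service baseline drift check for Step 1.
# $ApprovedRunning and $MustBeDisabled are constructed sample lists, not a
# recommendation for every fleet; substitute your documented baseline.
$ApprovedRunning = @(
    'BFE', 'Dhcp', 'Dnscache', 'EventLog', 'LanmanWorkstation', 'MpsSvc',
    'Schedule', 'WinDefend', 'Winmgmt', 'wuauserv'
)
# Service names for the items the article calls out as commonly unnecessary.
$MustBeDisabled = @('Spooler', 'Fax', 'RemoteRegistry', 'XblAuthManager', 'XblGameSave', 'WMPNetworkSvc')

function Get-ServiceDrift {
    param([string[]]$Approved, [string[]]$ShouldBeDisabled)
    $running = Get-Service | Where-Object Status -eq 'Running'
    # Anything running that is not on the approved list must be investigated.
    $unexpected = $running | Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, DisplayName, StartType
    # "Disabled" means StartType Disabled and not currently running.
    $notDisabled = Get-Service -Name $ShouldBeDisabled -ErrorAction SilentlyContinue |
        Where-Object { $_.StartType -ne 'Disabled' -or $_.Status -eq 'Running' } |
        Select-Object Name, Status, StartType
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Scanned           = Get-Date
        UnexpectedRunning = @($unexpected)
        NotDisabled       = @($notDisabled)
        Compliant         = (@($unexpected).Count -eq 0 -and @($notDisabled).Count -eq 0)
    }
}

$report = Get-ServiceDrift -Approved $ApprovedRunning -ShouldBeDisabled $MustBeDisabled
$report.UnexpectedRunning | Format-Table -AutoSize
$report.NotDisabled | Format-Table -AutoSize
# Keep the result for the monthly review; a report with Compliant = False is a ticket.
$report | ConvertTo-Json -Depth 4 | Set-Content "$env:TEMP\service-drift-$($env:COMPUTERNAME).json"
```

Run it from your endpoint management tool as a scheduled script and collect the JSON centrally; a device whose report lists any unexpected running service or any "must be disabled" service that is still enabled is the one to investigate first.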

Step 2: Enable and Configure Host Firewall

Every endpoint should run a host-based firewall with a default-deny inbound policy. The host firewall is your last line of defense when network-level controls fail or when the device is outside your corporate network - which, in a remote-work environment, is most of the time.

Configure the firewall to block all inbound connections by default, allow only specific required inbound rules (such as RDP from your IT management subnet only, or file sharing within defined network ranges), allow outbound connections by default but log them for visibility, and create separate profiles for domain, private, and public networks with progressively restrictive rules.

On Windows, use Windows Defender Firewall with Advanced Security configured through Group Policy. On macOS, use the application firewall supplemented with packet filter (pf) rules deployed through your MDM.
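As an added example (not code from the article), this PowerShell applies the Windows configuration described above: default-deny inbound on all three profiles, logging on, and the single scoped RDP exception. The management subnet 10.10.50.0/24 is a constructed placeholder. Run it elevated; in production deploy the equivalent through Group Policy so a local change cannot undo it.

```powershell
# Added example: host firewall baseline for Step 2 (Windows Defender Firewall).
# 10.10.50.0/24 is a constructed placeholder for the IT management subnet.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogAllowed True -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# The public profile gets no RDP rule at all; only domain and private carry the scoped exception.
New-NetFirewallRule -DisplayName 'Allow RDP from IT management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress '10.10.50.0/24' -Profile Domain, Private `
    -Action Allow -Enabled True

# Verification: every profile must be enabled with Block as its default inbound action.
function Test-DefaultDenyInbound {
    $bad = Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
    if ($bad) {
        $bad | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
        return $false
    }
    return $true
}
Test-DefaultDenyInbound
```

Because outbound stays allowed, the log file is what gives you visibility; forward it with your log collector rather than leaving it on the device.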

Step 3: Enforce Automatic Updates

Unpatched vulnerabilities remain the most exploited attack vector in endpoint compromises. The average time from vulnerability disclosure to active exploitation has dropped to 15 days, while the average time to patch in enterprises remains 60 to 150 days. This gap is where most breaches occur.

Configure automatic updates for operating system patches with a maximum 48-hour delay for critical security updates and a 14-day window for non-critical updates. Use Windows Update for Business or WSUS on Windows, and Software Update policies via MDM on macOS. Establish a testing process for updates that have caused compatibility issues in the past - maintain a test group of 5 to 10 devices that receive updates 24 hours before the general population.

Zero-day exploits get the headlines, but the majority of successful endpoint compromises exploit vulnerabilities that had patches available for weeks or months. Patching speed is the single highest-impact security improvement most organizations can make. If you can only do one thing on this checklist, do this one.

Step 4: Remove Local Administrator Privileges

When users run with local administrator privileges, any malware they inadvertently execute also runs with those privileges. A standard-user malware infection can damage the user's files and data. An admin-level malware infection can modify the operating system, install persistent backdoors, disable security tools, access credentials for other systems, and spread to other machines on the network.

Remove local administrator rights from all standard user accounts. Use a privilege elevation tool - Microsoft LAPS (Local Administrator Password Solution) for managing the local admin password, and a privilege management solution like CyberArk EPM, BeyondTrust, or the built-in Windows UAC with a managed elevation process - for the rare occasions when users need to perform administrative tasks.

Expect pushback from users who are accustomed to installing their own software. Address this by providing a curated self-service software catalog through your endpoint management tool, where approved applications can be installed without administrator privileges.

Step 5: Configure Account Lockout Policies

Account lockout policies prevent brute-force attacks against local accounts. Configure lockout after 5 failed attempts with a 30-minute lockout duration and a 30-minute reset counter. These settings stop automated password guessing while minimizing impact on users who genuinely mistype their password.

For domain accounts, configure the same policies through Active Directory Group Policy. Monitor lockout events centrally - a spike in lockout events for a single account or across multiple accounts can indicate an active attack.
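To show the kind of central monitoring the text calls for, here is an added example (not code from the article) that summarizes account lockout events (event ID 4740 in the Security log of a domain controller, or of a workstation for local accounts) over the last hour. The two thresholds are assumptions to tune for your environment.

```powershell
# Added example: lockout spike detection for Step 5.
# Thresholds are assumptions; tune them after observing a normal week.
function Get-LockoutSpikes {
    param(
        [int]$Hours = 1,
        [int]$PerAccountThreshold = 3,   # one account locked repeatedly: targeted guessing
        [int]$TotalThreshold = 10        # many accounts locked: password spraying
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $d['TargetUserName']
            Source  = $d['TargetDomainName']   # for 4740 this field carries the caller computer name
        }
    }
    $repeat = $rows | Group-Object Account | Where-Object Count -ge $PerAccountThreshold
    [pscustomobject]@{
        Window         = "$Hours h"
        TotalLockouts  = @($rows).Count
        SprayIndicator = (@($rows).Count -ge $TotalThreshold)
        RepeatAccounts = @($repeat | Select-Object Name, Count)
        BySource       = @($rows | Group-Object Source | Select-Object Name, Count)
    }
}
Get-LockoutSpikes -Hours 1 | Format-List
```

The same grouping logic belongs in your SIEM once the events are forwarded; grouping by source computer is what distinguishes one user who forgot a password from a single machine locking out many accounts.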

Step 6: Disable Legacy Authentication Protocols

Older authentication protocols transmit credentials in ways that can be intercepted or replayed. Disable the following on all endpoints: NTLM v1 (use NTLMv2 only as a minimum, Kerberos preferred), WDigest authentication (stores plaintext credentials in memory on older Windows versions), LM hashes (weak password hashing algorithm), and CredSSP (unless needed for specific RDP configurations with an explicit exception). On Windows, enforce these through Group Policy under Security Settings. Verify by running credential extraction tools during your penetration test - if the tester can extract cleartext credentials from memory, WDigest or similar legacy protocols are still enabled.
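An added example (not code from the article) that reads the registry values behind the Group Policy settings named above and reports which legacy protocols are still permitted. CredSSP is governed by its own policy and is not covered here. The expected values are the standard hardened settings: LmCompatibilityLevel 5 sends NTLMv2 only and refuses LM and NTLM; NoLMHash 1 stops LM hash storage; WDigest UseLogonCredential 0 stops cleartext credentials being kept in LSASS memory.

```powershell
# Added example: legacy authentication settings check for Step 6.
$Checks = @(
    @{ Name = 'LM/NTLMv1 refused (LmCompatibilityLevel = 5)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Name = 'LM hash storage disabled (NoLMHash = 1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'; Expected = 1 },
    @{ Name = 'WDigest cleartext caching off (UseLogonCredential = 0)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Expected = 0 }
)

function Test-LegacyAuthSettings {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        # A missing value counts as a fail: on Windows 7 / 2008 R2 the WDigest default was 1,
        # and on newer builds an explicit 0 is what the baseline should enforce anyway.
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Pass     = ($actual -eq $c.Expected)
        }
    }
}
Test-LegacyAuthSettings -Checks $Checks | Format-Table -AutoSize
```

Any row with Pass = False means the corresponding Group Policy setting is not applied to that device; the penetration-test observation described above (cleartext credentials recoverable from memory) is what you will see when the WDigest row fails.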

Step 7: Enable Secure Boot and UEFI Protection

Secure Boot verifies that the operating system boot loader is signed by a trusted authority before execution, preventing bootkits and rootkits that modify the boot process. UEFI (Unified Extensible Firmware Interface) replaces the older BIOS with a more secure firmware interface that supports Secure Boot and measured boot sequences.

Verify that Secure Boot is enabled on all endpoints that support it - virtually all enterprise hardware manufactured after 2015 supports Secure Boot. On Windows, check via System Information (msinfo32) or through your endpoint management tool. Set a BIOS/UEFI password on all devices to prevent unauthorized changes to firmware settings.

Encryption and Data Protection (Steps 8-10)

Step 8: Enable Full Disk Encryption

Full disk encryption protects data at rest when a device is lost, stolen, or physically accessed by an unauthorized person. Without disk encryption, an attacker with physical access to a device can boot from an external drive and read all data on the internal disk, including cached credentials, email databases, and documents.

On Windows, enable BitLocker with TPM (Trusted Platform Module) and a PIN or startup key. Configure BitLocker recovery keys to be stored in Active Directory or your endpoint management tool - not given to end users, who will lose them. On macOS, enable FileVault 2 and escrow recovery keys to your MDM solution. On Linux, use LUKS (Linux Unified Key Setup) with TPM binding where supported.

Verify encryption status through your endpoint management tool. Any device that reports as unencrypted should be flagged for immediate remediation. For compliance purposes, maintain a dashboard showing encryption status across your entire fleet.
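The following added example (not code from the article) serves both Step 7 and Step 8: it reports Secure Boot state and the BitLocker posture of every volume on a Windows device, flagging an operating system volume that is not protected by TPM plus PIN. It requires an elevated session and the BitLocker PowerShell module that ships with Windows. Whether the recovery password has actually been escrowed to Active Directory or your MDM is a separate check against that system.

```powershell
# Added example: Secure Boot and BitLocker posture report for Steps 7 and 8.
function Get-BootAndDiskPosture {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as not enabled.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    $vols = foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # Only the OS volume must use TPM+PIN; data volumes unlock automatically once the OS is up.
        $osOk = ($v.VolumeType -ne 'OperatingSystem') -or ($types -contains 'TpmPin')
        [pscustomobject]@{
            Volume              = $v.MountPoint
            Type                = $v.VolumeType
            Status              = $v.VolumeStatus
            Protection          = $v.ProtectionStatus
            Protectors          = ($types -join ',')
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            Compliant           = ($v.VolumeStatus -eq 'FullyEncrypted' -and
                                   $v.ProtectionStatus -eq 'On' -and $osOk)
        }
    }
    $nonCompliant = @($vols | Where-Object { -not $_.Compliant })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SecureBoot   = [bool]$secureBoot
        Volumes      = @($vols)
        Compliant    = ([bool]$secureBoot -and $nonCompliant.Count -eq 0)
    }
}

$posture = Get-BootAndDiskPosture
$posture | Select-Object ComputerName, SecureBoot, Compliant | Format-List
$posture.Volumes | Format-Table -AutoSize
```

A fleet-wide run of this script is the raw material for the encryption dashboard described above; "EncryptionInProgress" or "Off" protection on any volume is the immediate-remediation case.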

Step 9: Enable Encryption for Removable Media

If your organization allows removable media (see Step 15 for restriction options), enforce encryption on all data written to USB drives. On Windows, BitLocker To Go can encrypt removable drives and require a password for access on other machines. Configure this through Group Policy to apply automatically when a user writes to a removable drive.

This control prevents data loss when USB drives are left in conference rooms, lost in transit, or stolen. An encrypted USB drive is a minor inconvenience to replace. An unencrypted USB drive containing customer data is a breach notification event.

Step 10: Configure Data Loss Prevention on Endpoints

Endpoint DLP monitors and controls the transfer of sensitive data - credit card numbers, social security numbers, healthcare records, proprietary code - through email attachments, file uploads, clipboard operations, screen sharing, and removable media. Deploy endpoint DLP rules that detect sensitive data patterns leaving the device through any channel, block unauthorized transfers and log attempted violations, allow approved transfer methods (such as uploading to sanctioned cloud storage) while blocking unsanctioned alternatives, and alert the security team when high-severity patterns are detected.

Microsoft Purview DLP (included with Microsoft 365 E5), Symantec DLP, and Digital Guardian are common enterprise DLP solutions. Start with monitoring mode for 30 days before enabling blocking, to identify false positives and tune policies before they disrupt workflows.

Application Control and Software Management (Steps 11-14)

Step 11: Implement Application Allowlisting

Application allowlisting permits only approved applications to execute on the endpoint. Every other executable - including malware, unauthorized tools, and unapproved software - is blocked by default. This is one of the most effective hardening controls available, and one of the most disruptive to implement incorrectly.

On Windows, use Windows Defender Application Control (WDAC) or AppLocker. WDAC is more robust but more complex to configure. AppLocker is simpler and sufficient for most environments. On macOS, use system extensions and MDM-managed app restrictions.

Start by running in audit mode for two to four weeks to identify all applications currently in use. Build your allowlist from this inventory, review it with department heads to confirm no business-critical applications are missing, then switch to enforcement mode. Maintain a process for users to request new applications, with IT review and approval before adding to the allowlist.
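Here is an added example (not code from the article) of the AppLocker rollout just described: build a policy from the executables currently installed, deploy it in audit mode, and then read the audit events that show what enforcement would have blocked. The directory list and output path are assumptions. Run it elevated; the Application Identity service (AppIDSvc) must be running for AppLocker to evaluate rules, and scanning C:\Windows takes a while.

```powershell
# Added example: AppLocker audit-mode baseline for Step 11.
$Dirs       = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'   # assumption
$PolicyPath = 'C:\ProgramData\AppLocker\baseline-audit.xml'                 # assumption

# Inventory executables; directories that deny access are skipped rather than aborting.
$fileInfo = foreach ($d in $Dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe -ErrorAction SilentlyContinue
}

# Publisher rules survive vendor updates; hash rules cover unsigned files.
$xml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
# The generated collections are NotConfigured; switch them to audit so nothing is blocked yet.
$xml = $xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
if ($xml -notmatch 'EnforcementMode="AuditOnly"') { throw 'Audit mode not set; inspect the generated XML' }

New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
Set-Content -Path $PolicyPath -Value $xml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyPath      # local policy; add -Ldap to target a GPO instead

# After the audit window: event 8003 means "allowed, but would have been blocked in enforce mode".
function Get-AppLockerAuditHits {
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
        Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}
Get-AppLockerAuditHits -Days 14 | Format-Table -AutoSize
```

The grouped 8003 list is what you review with department heads: each path either gets a rule added before you flip the collections to Enabled, or is confirmed as something that should indeed be blocked.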

Step 12: Automate Third-Party Application Patching

Operating system patches receive attention, but third-party applications are often neglected. Adobe Reader, Google Chrome, Mozilla Firefox, Java, Zoom, and Microsoft Office are among the most frequently exploited applications, and they update on their own schedules independent of OS patching.

Deploy a third-party patch management solution - Automox, ManageEngine, Ivanti, or the patching capabilities built into your endpoint management platform. Configure automatic patching for browsers and their extensions (critical - browsers are the primary attack surface for web-based threats), PDF readers, video conferencing applications, productivity suites, and any internet-facing application. Track patching compliance weekly. Target 95 percent of critical patches deployed within 72 hours of release.

Step 13: Remove Unauthorized and End-of-Life Software

Conduct a quarterly software audit to identify unauthorized software (installed without IT approval), end-of-life software (no longer receiving security updates from the vendor), and duplicate software (two applications serving the same purpose, indicating consolidation opportunity). Unauthorized software introduces unknown risk. End-of-life software introduces known, unpatched risk. Both should be removed.

Common end-of-life software found on enterprise endpoints in 2026 includes older versions of Java (anything below Java 21), Adobe Flash (which reached end of life in 2020 but persists on some machines), older Office versions (2016 and earlier), and Internet Explorer (deprecated but still present on many Windows installations).
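An added example (not code from the article) of the quarterly audit: it enumerates installed software from the Uninstall registry keys (64-bit, 32-bit and per-user views) and flags the end-of-life products the article lists. The match rules are constructed for this example and should be extended with your own list; Internet Explorer is a Windows feature rather than an installed program, so it is checked separately.

```powershell
# Added example: installed-software inventory and end-of-life check for Step 13.
$EolRules = @(
    @{ Product = 'Java below 21'
       Match   = { param($n, $v) $n -match '^Java(\s|\()' -and $n -notmatch 'Auto Updater' -and
                                 $v -match '^(\d+)' -and [int]$Matches[1] -lt 21 } },
    @{ Product = 'Adobe Flash Player'
       Match   = { param($n, $v) $n -match 'Adobe Flash Player' } },
    @{ Product = 'Office 2016 or earlier'
       Match   = { param($n, $v) $n -match '^Microsoft Office .*\b20(0\d|1[0-6])\b' } }
)

function Get-InstalledSoftware {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Find-EolSoftware {
    param([object[]]$Inventory, [hashtable[]]$Rules)
    foreach ($app in $Inventory) {
        foreach ($r in $Rules) {
            if (& $r.Match $app.DisplayName ([string]$app.DisplayVersion)) {
                [pscustomobject]@{
                    Finding = $r.Product; Name = $app.DisplayName
                    Version = $app.DisplayVersion; Publisher = $app.Publisher
                }
            }
        }
    }
}

$inventory = Get-InstalledSoftware
$inventory | Export-Csv "$env:TEMP\software-inventory.csv" -NoTypeInformation   # evidence for the audit
Find-EolSoftware -Inventory $inventory -Rules $EolRules | Format-Table -AutoSize

# Internet Explorer: a Windows optional feature, not an Uninstall entry (needs an elevated session).
$ie = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction SilentlyContinue
if ($ie -and $ie.State -eq 'Enabled') { 'Finding: Internet Explorer 11 feature is still enabled' }
```

Comparing the exported CSV against the previous quarter's file also surfaces the "unauthorized software" category: anything new that never went through IT approval.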

Step 14: Restrict Script Execution

PowerShell, VBScript, Windows Script Host, and other scripting engines are powerful tools for IT administration - and powerful tools for attackers. Living-off-the-land attacks use built-in scripting capabilities to download payloads, move laterally, and exfiltrate data without deploying traditional malware.

Configure PowerShell to run in Constrained Language Mode for standard users (allowing only basic operations while blocking access to .NET classes and COM objects used in attacks), disable Windows Script Host for users who do not need it, enable PowerShell script block logging and module logging to capture all script execution for forensic analysis, and require script signing for any scripts that run in production.
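As an added example (not code from the article), this script sets the policy-backed registry values for script block logging and module logging, disables Windows Script Host machine-wide, requires signed scripts, and reports the state including the language mode of the current session. Constrained Language Mode itself is enforced by AppLocker or WDAC (Step 11) rather than by this script. Run elevated; deploy the same values through Group Policy in production.

```powershell
# Added example: PowerShell and script host hardening for Step 14.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: every script block that runs is recorded as event 4104.
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging for all modules (the '*' value under ModuleNames).
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Disable Windows Script Host (wscript.exe / cscript.exe) for users who do not need it.
New-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name Enabled -Value 0 -Type DWord

# Execution policy is not a security boundary, but AllSigned plus logging means an unsigned
# script either fails or leaves a 4104 record behind.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

function Test-PowerShellHardening {
    $sbl = (Get-ItemProperty "$psPolicy\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $mod = (Get-ItemProperty "$psPolicy\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging
    $wsh = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        ScriptBlockLogging = ($sbl -eq 1)
        ModuleLogging      = ($mod -eq 1)
        WshDisabled        = ($wsh -eq 0)
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode   # ConstrainedLanguage when AppLocker/WDAC applies
    }
}
Test-PowerShellHardening | Format-List

# The last few 4104 events show what actually executed; Properties[2] is the script block text.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 |
    Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Properties[2].Value } }
```

The 4104 events are the forensic record the text mentions; forward the Microsoft-Windows-PowerShell/Operational log alongside the Security log so the record survives if the endpoint is wiped.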

Peripheral and Hardware Controls (Steps 15-17)

Step 15: Restrict USB and Removable Media

USB devices are a vector for both data theft and malware delivery. The Stuxnet worm, one of the most sophisticated cyberweapons ever deployed, spread primarily through USB drives. More commonly, employees lose USB drives containing sensitive data, or plug in found USB drives out of curiosity.

Implement one of these policies based on your risk tolerance:

Policy Level | Configuration | Best For
Block all USB storage | Disable USB mass storage device class via GPO or MDM | High-security environments, regulated industries
Allow approved devices only | Whitelist specific USB device IDs, block all others | Most enterprises - balances security with usability
Allow with encryption | Allow USB storage but enforce BitLocker To Go encryption | Organizations where USB is operationally necessary

Regardless of which policy you choose, configure USB device connection events to be logged centrally. This provides an audit trail for investigations and compliance evidence.
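The following added example (not code from the article) serves Step 9 and Step 15 together. It applies one of the three policy levels from the table through the registry values that back the corresponding Group Policy settings, and reads the Kernel-PnP log that records USB storage connections for central collection. The approved device ID is a constructed placeholder. Run it elevated; in production push the same settings through GPO or MDM so a local administrator cannot revert them.

```powershell
# Added example: USB storage policy levels and connection audit for Steps 9 and 15.
function Set-UsbStoragePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('BlockAll', 'ApprovedOnly', 'EncryptedOnly')][string]$Level,
        [string[]]$ApprovedDeviceIds = @()
    )
    $restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $fve      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    switch ($Level) {
        'BlockAll' {
            # Disable the USB mass-storage driver (Start = 4): no USB disk will mount.
            Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord
        }
        'ApprovedOnly' {
            # "Prevent installation of devices not described by other policy settings" plus
            # "Allow installation of devices that match any of these device IDs".
            # DenyUnspecified applies to every new device, so allow the HID setup classes
            # (and any others your fleet needs: monitors, printers, docks) or new peripherals will not install.
            $hidClasses = '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}',   # HIDClass
                          '{4d36e96b-e325-11ce-bfc1-08002be10318}',   # Keyboard
                          '{4d36e96f-e325-11ce-bfc1-08002be10318}'    # Mouse
            New-Item "$restrict\AllowDeviceIDs" -Force | Out-Null
            New-Item "$restrict\AllowDeviceClasses" -Force | Out-Null
            Set-ItemProperty $restrict -Name DenyUnspecified    -Value 1 -Type DWord
            Set-ItemProperty $restrict -Name AllowDeviceIDs     -Value 1 -Type DWord
            Set-ItemProperty $restrict -Name AllowDeviceClasses -Value 1 -Type DWord
            $i = 1; foreach ($id in $ApprovedDeviceIds) { Set-ItemProperty "$restrict\AllowDeviceIDs" -Name $i -Value $id; $i++ }
            $i = 1; foreach ($c in $hidClasses)         { Set-ItemProperty "$restrict\AllowDeviceClasses" -Name $i -Value $c; $i++ }
        }
        'EncryptedOnly' {
            # "Deny write access to removable drives not protected by BitLocker" (BitLocker To Go).
            New-Item $fve -Force | Out-Null
            Set-ItemProperty $fve -Name RDVDenyWriteAccess -Value 1 -Type DWord
        }
    }
}

function Get-UsbStorageConnections {
    param([int]$Days = 7)
    # Kernel-PnP events 400 (device configured) and 410 (device started); USBSTOR instances are USB disks.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Kernel-PnP/Configuration'; Id = 400, 410; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'USBSTOR\\' } |
        Select-Object TimeCreated, Id, @{ n = 'Device'; e = { ($_.Message -split '\r?\n')[0] } }
}

# Dry run with a constructed device ID; remove -WhatIf to apply the policy.
Set-UsbStoragePolicy -Level ApprovedOnly -ApprovedDeviceIds 'USBSTOR\DiskExampleVendorExampleModel0001' -WhatIf
Get-UsbStorageConnections -Days 7 | Format-Table -AutoSize
```

Forward the Kernel-PnP log with Windows Event Forwarding or your agent so the connection trail exists centrally; that is the audit evidence the text refers to, and it remains useful even under the Block-all policy because a connect attempt still shows up.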

Step 16: Disable Unused Hardware Interfaces

Bluetooth, infrared, NFC, and other wireless interfaces that are not required for business operations should be disabled by policy. Each wireless interface is a potential attack surface - Bluetooth vulnerabilities such as BlueBorne and BLESA have allowed remote code execution without user interaction. Disable Bluetooth on devices that do not use Bluetooth peripherals. If Bluetooth is required (for keyboards, mice, or headsets), enforce pairing restrictions to prevent unauthorized device connections.

Step 17: Configure BIOS/UEFI Passwords and Boot Order

Set a BIOS/UEFI administrator password on all devices to prevent unauthorized changes to firmware settings. Configure the boot order to boot from the internal drive only - disable boot from USB, CD/DVD, and network (PXE) boot except on devices where IT staff need these capabilities for reimaging. This prevents an attacker with physical access from booting the device from an external drive to bypass operating system security controls.

Browser and Web Security (Steps 18-19)

Step 18: Harden Browser Configuration

The web browser is the application employees use most frequently and the primary attack surface for web-based threats. Harden browser configuration by disabling automatic password saving in the browser (use a dedicated password manager instead), blocking or restricting browser extensions to an approved list, enabling safe browsing and phishing protection features, disabling third-party cookies and cross-site tracking, configuring automatic updates for the browser and all extensions, disabling WebRTC (which can leak internal IP addresses through VPN connections), and blocking downloads of known dangerous file types (.exe, .scr, .bat, .cmd, .vbs, .js) unless explicitly overridden.

Deploy these configurations through Group Policy (Chrome and Edge both support ADMX policy templates), MDM profiles, or your endpoint management tool. Standardize on one or two browsers across your organization to reduce the configuration management burden.
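An added example (not code from the article) of the settings above as Chrome policy values, written to the machine policy registry hive that the Chrome ADMX templates map to. Edge uses the same layout under HKLM:\SOFTWARE\Policies\Microsoft\Edge with mostly identical policy names. The extension ID in the allowlist is a constructed placeholder.

```powershell
# Added example: Chrome hardening policies for Step 18 (local registry; use GPO in production).
$chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ApprovedExtensions = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')   # constructed 32-character extension ID placeholder
New-Item $chrome -Force | Out-Null

$scalars = @{
    PasswordManagerEnabled      = 0        # no browser-saved passwords; use the managed password manager
    SafeBrowsingProtectionLevel = 2        # 1 = standard, 2 = enhanced protection
    BlockThirdPartyCookies      = 1
    DownloadRestrictions        = 1        # block downloads Safe Browsing classifies as dangerous
    WebRtcIPHandling            = 'disable_non_proxied_udp'   # keep local addresses out of ICE candidates
}
foreach ($k in $scalars.Keys) {
    $type = if ($scalars[$k] -is [string]) { 'String' } else { 'DWord' }
    Set-ItemProperty -Path $chrome -Name $k -Value $scalars[$k] -Type $type
}

# Extensions: block everything ('*'), then allow only the approved IDs.
New-Item "$chrome\ExtensionInstallBlocklist" -Force | Out-Null
Set-ItemProperty "$chrome\ExtensionInstallBlocklist" -Name 1 -Value '*'
New-Item "$chrome\ExtensionInstallAllowlist" -Force | Out-Null
$i = 1; foreach ($id in $ApprovedExtensions) { Set-ItemProperty "$chrome\ExtensionInstallAllowlist" -Name $i -Value $id; $i++ }

# Keep the browser itself updating (Google Update policy: 1 = always allow updates).
New-Item 'HKLM:\SOFTWARE\Policies\Google\Update' -Force | Out-Null
Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Google\Update' -Name UpdateDefault -Value 1 -Type DWord

# Read back what was written; chrome://policy on the device should show the same values.
function Get-ChromePolicyState {
    $p = Get-ItemProperty $chrome
    [pscustomobject]@{
        PasswordSavingOff        = ($p.PasswordManagerEnabled -eq 0)
        EnhancedSafeBrowsing     = ($p.SafeBrowsingProtectionLevel -eq 2)
        ThirdPartyCookiesBlocked = ($p.BlockThirdPartyCookies -eq 1)
        WebRtcRestricted         = ($p.WebRtcIPHandling -eq 'disable_non_proxied_udp')
        ExtensionsRestricted     = ((Get-ItemProperty "$chrome\ExtensionInstallBlocklist").'1' -eq '*')
    }
}
Get-ChromePolicyState
```

The blocklist-then-allowlist order matters: with only the '*' blocklist entry, users cannot install anything; the allowlist is what re-admits the approved extensions.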

Step 19: Deploy DNS-Level Content Filtering

DNS-level filtering blocks connections to known malicious domains, phishing sites, command-and-control servers, and inappropriate content categories before the connection is established. This works at the network layer below the browser, catching threats from any application that makes DNS queries - not just web browsers.

Deploy a DNS filtering agent on all endpoints that points to your filtering service (Cisco Umbrella, Cloudflare Gateway, DNSFilter, or similar). Configure the agent to persist across network changes so that filtering applies whether the device is on the corporate network, at home, or on public Wi-Fi. Block categories including malware, phishing, newly registered domains (commonly used for short-lived attack campaigns), and cryptomining.

Logging, Monitoring, and Detection (Steps 20-22)

Step 20: Deploy Endpoint Detection and Response

EDR (Endpoint Detection and Response) is the modern replacement for traditional antivirus. While antivirus relies primarily on signature matching to detect known malware, EDR continuously monitors endpoint behavior - process creation, file system changes, network connections, registry modifications, and memory operations - and uses behavioral analysis and machine learning to detect suspicious activity that signature-based detection misses.

Select an EDR solution based on your environment: Microsoft Defender for Endpoint (strong choice for Microsoft-heavy environments, included with Microsoft 365 E5), CrowdStrike Falcon (consistently top-ranked in independent testing, cloud-native), SentinelOne (strong autonomous response capabilities), or Carbon Black (VMware integration, on-premises option available). Deploy the EDR agent to every endpoint, including servers. Configure alert policies to escalate high-severity detections to your security team or SOC within minutes, not hours.

Step 21: Enable Comprehensive Audit Logging

Configure endpoint audit logging to capture security-relevant events. On Windows, enable audit policies for logon events (success and failure), account management (user creation, deletion, privilege changes), object access (sensitive file and registry access), policy changes, and process creation with command line logging. On macOS, enable the audit subsystem (auditd) and configure it to capture authentication events, process execution, and file access to sensitive directories.

Forward all audit logs to a central log management system (SIEM, syslog server, or cloud-based log analytics). Endpoint logs that remain only on the endpoint are useless for detection - if an attacker compromises the endpoint, they can delete the local logs. Centralized log collection ensures that evidence persists even if the endpoint is compromised or destroyed.

Step 22: Configure Automated Alerting

Raw logs without alerting are an audit checkbox, not a security control. Configure automated alerts for failed login attempts exceeding a threshold (potential brute force), new local administrator account creation, a security tool being disabled or uninstalled, connections to known command-and-control domains, large data transfers to external destinations, execution of scripts from unusual directories (such as temp folders or user downloads), and changes to boot configuration or firmware settings.

Route high-severity alerts to your security team through a channel that demands attention - SMS, phone call, or pager duty integration. Low and medium alerts can go to email or a ticket queue for review during business hours. Tune alert thresholds over the first 30 days to eliminate false positives that cause alert fatigue.
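The following added example (not code from the article) serves Step 21 and Step 22: it enables process-creation auditing with command lines, then runs two of the alert rules listed above against the local Security log - scripts launched from temp or download folders (event 4688) and additions to the local Administrators group (event 4732). In production the same queries run in the SIEM against forwarded logs; the script host list and directory pattern are assumptions. Run elevated.

```powershell
# Added example: audit policy plus two detection rules for Steps 21 and 22.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Security Group Management" /success:enable | Out-Null
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
# Without this value, 4688 carries only the image path, not the command line.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item $auditKey -Force | Out-Null
Set-ItemProperty $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# Flatten an event's EventData into a name -> value hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($item in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $d
}

function Get-ScriptsFromUnusualDirs {
    param([int]$Hours = 24)
    $hosts      = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe'   # assumption
    $suspectDir = '\\(Temp|Downloads)\\'                                                              # assumption
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        if (-not $d['NewProcessName']) { continue }
        $exe = (Split-Path $d['NewProcessName'] -Leaf).ToLower()
        if ($hosts -contains $exe -and $d['CommandLine'] -match $suspectDir) {
            [pscustomobject]@{
                Time = $e.TimeCreated; Rule = 'ScriptFromUnusualDir'
                User = $d['SubjectUserName']; Detail = $d['CommandLine']
            }
        }
    }
}

function Get-NewLocalAdmins {
    param([int]$Hours = 24)
    # 4732 = member added to a security-enabled local group; S-1-5-32-544 is the Administrators group.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        if ($d['TargetSid'] -eq 'S-1-5-32-544') {
            [pscustomobject]@{
                Time = $e.TimeCreated; Rule = 'NewLocalAdmin'
                User = $d['SubjectUserName']; Detail = "added $($d['MemberSid']) to $($d['TargetUserName'])"
            }
        }
    }
}

# Anything returned here is a high-severity alert for the routing described above.
$alerts = @(Get-ScriptsFromUnusualDirs -Hours 24) + @(Get-NewLocalAdmins -Hours 24)
$alerts | Sort-Object Time | Format-Table -AutoSize
```

The remaining rules in the list above follow the same shape: failed logons are event 4625 grouped by account against a threshold, and a security tool being stopped shows up as a service state change for the agent's service name.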

Mobile Device Management (Steps 23-24)

Step 23: Enroll All Mobile Devices in MDM

Every mobile device that accesses corporate data - whether company-owned or personal (BYOD) - should be enrolled in a mobile device management solution. MDM provides the ability to enforce security policies, deploy and manage applications, remotely wipe corporate data if the device is lost or the employee leaves, and maintain an inventory of devices accessing your environment.

For company-owned devices, use full device management that controls the entire device. For BYOD, use a work profile (Android) or managed container (iOS) that separates corporate data from personal data and applies security policies only to the corporate partition. Leading MDM solutions include Microsoft Intune, VMware Workspace ONE, Jamf (macOS and iOS), and Google Endpoint Management.

Minimum MDM policy requirements: enforce device PIN or biometric lock with minimum 6-digit PIN, require device encryption (enabled by default on modern iOS and Android), enforce OS version minimums (block devices running end-of-life operating systems), enable remote wipe capability, and block access from jailbroken or rooted devices.

Step 24: Enforce Mobile Application Management

Mobile application management (MAM) controls how corporate data moves between applications on the device. Without MAM, an employee can copy sensitive data from a corporate email into a personal notes app, save attachments to an unmanaged cloud storage service, or share corporate documents through consumer messaging apps.

Configure MAM policies to prevent copy and paste from corporate apps to personal apps, require corporate apps to use managed storage (OneDrive for Business, corporate SharePoint) rather than personal cloud storage, block screenshots within corporate applications on managed devices, and encrypt corporate app data at rest on the device. These policies apply to the corporate data container without affecting the user's personal apps and data, which is essential for BYOD acceptance.

Compliance and Ongoing Maintenance (Step 25)

Step 25: Map Hardening Controls to Compliance Frameworks

If your organization is subject to compliance requirements, map each hardening control in this checklist to the relevant compliance framework requirements. This serves two purposes: it ensures your hardening program satisfies compliance obligations, and it provides auditors with clear evidence of control implementation.

Hardening Control | SOC 2 | HIPAA | PCI DSS | CIS Controls
Disk encryption | CC6.1, CC6.7 | 164.312(a)(2)(iv) | 3.4 | 3.6
Auto patching | CC7.1 | 164.312(a)(2)(i) | 6.3 | 7.1
Least privilege | CC6.1, CC6.3 | 164.312(a)(1) | 7.1 | 5.4
EDR deployment | CC7.2 | 164.312(b) | 5.2 | 10.1
Audit logging | CC7.2, CC7.3 | 164.312(b) | 10.2 | 8.2
USB restriction | CC6.4 | 164.310(d)(1) | 9.2 | 10.3
Mobile MDM | CC6.1 | 164.312(d) | N/A | 1.1

Conduct a quarterly compliance review where you verify each control is still in place, review exceptions for continued justification, update documentation to reflect any changes, and generate evidence reports for upcoming audits. Automation is essential for this step at scale - endpoint compliance scanning tools can continuously verify that hardening configurations have not drifted from the baseline and flag any devices that have fallen out of compliance.

Implementation Priority: Where to Start

Implementing all 25 controls simultaneously is unrealistic for most IT teams. Prioritize by impact and effort:
