DokuWiki

Site Tools

Trace: workstation_configuration
guides:workstation_configuration

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
guides:workstation_configuration [2019/01/17 01:23] administratorguides:workstation_configuration [2025/10/23 20:58] (current) 216.9.23.34
Line 2: Line 2:
  
  
-Once you have acquired your ERDS and/or G2G workstation, a variety of tasks must be performed to prepare the workstation to be used with CeRTNA’s ERDS and/or G2G platform. These tasks include:+Once you have acquired your ERDS and/or G2G workstation and/or created your ERDS and/or G2G Virtual Machine, a variety of tasks must be performed to prepare the workstation to be used with CeRTNA’s ERDS and/or G2G platform.
  
 +These tasks include:
  
 {{tablelayout?colwidth="250px,350px"&rowsFixed=1&rowsVisible=10&float=center}} {{tablelayout?colwidth="250px,350px"&rowsFixed=1&rowsVisible=10&float=center}}
 ^ Task ^ Description ^ ^ Task ^ Description ^
-| Physically Secure The Workstation | Certified ERDS workstations must be physically secured. Per CeRTNA’s HW / SW, CeRTNA recommends using a locking workstation security cabinet that can be secured to a wall or floor. \\ . \\ G2G workstations are not required to be kept in a locking security cabinet, however, many CeRTNA clients do secure their G2G workstations as well. | +| Physically Secure The Workstation \\ (Standalone workstations only.) | Certified ERDS workstations must be physically secured. Per CeRTNA’s HW / SW, CeRTNA recommends using a locking workstation security cabinet that can be secured to a wall or floor. \\ . \\ G2G workstations are not required to be kept in a locking security cabinet, however, many CeRTNA clients do secure their G2G workstations as well. \\ . \\ Notes regarding Virtual Machine (VM) installation are provided further down in this document. | 
-| Workstation Configuration | ERDS workstations need to pass a system security audit in order to be certified for transmitting ERDS transactions. This document provides recommendations on how to configure a variety of operating system components on your local workstations, including Windows Update settings, Local Security Policy settings, and Anti-Virus/Malware Protection settings. \\ . \\ G2G workstations are not subject to a system security audit, however CeRTNA recommends applying the same settings to your G2G workstation as recommended for your ERDS workstation. \\ . \\ Additional workstation configuration details are provided later in this document. | +| Workstation Configuration | ERDS workstations and/or Virtual Machines need to pass a system security audit in order to be certified for transmitting ERDS transactions. This document provides recommendations on how to configure a variety of operating system components on your local workstations, including Windows Update settings, Local Security Policy settings, and Anti-Virus/Malware Protection settings. \\ . \\ G2G workstations are not subject to a system security audit, however CeRTNA recommends applying the same settings to your G2G workstation as recommended for your ERDS workstation. \\ . \\ Additional workstation configuration details are provided later in this document. | 
-| Network / Firewall Configuration | Per regulations, certified ERDS workstations are expected to be secured for the ‘sole use’ purpose of electronic recording activity. CeRTNA’s ERDS infrastructure is accessible over the Internet, as such, workstations must restrict access to only domains that are required to facilitate the functionality provided in the APEX client. A list of the domains that are used by APEX are listed further down in this document. \\ . \\ Additional network configuration details are provided provided later in this document. | +| Network / Firewall Configuration | Per regulations, certified ERDS workstations and/or Virtual Machines are expected to be secured for the ‘sole use’ purpose of electronic recording activity. CeRTNA’s ERDS infrastructure is accessible over the Internet, as such, workstations must restrict access to only domains that are required to facilitate the functionality provided in the APEX client. A list of the domains that are used by APEX are listed further down in this document. \\ . \\ Additional network configuration details are provided provided later in this document. | 
-| Software Installation | There is a limited amount of software that needs to be installed. Currently these include: \\ . \\ - SafeNet Authentication Client (SAC) \\ - APEX \\ - Microsoft Baseline Security Analyzer (MBSA) \\ . \\ APEX is CeRTNA’s client application software that is used to interact with the CeRTNA ERDS & G2G platforms. \\ . \\ The SafeNet Authentication Client (SAC) contains USB token drivers and APEX uses the token drivers to access the token based PKI certificates that are used for authentication, digital signatures, and encryption/decryption functions. \\ . \\ The Microsoft Baseline Security Analyzer (MBSA) is a tool produced by Microsoft that analyzes your workstation configuration to determine its level of security. It checks a variety of conditions, for example, are any Windows Updates missing, is the firewall on, do any users have non-expiring passwords, etc. \\ . \\ Additional software installation details are provided later in this document. | +| Software Installation | There is a limited amount of software that needs to be installed. Currently these include: \\ . \\ - SafeNet Authentication Client (SAC) \\ - APEX \\ . \\ APEX is CeRTNA’s client application software that is used to interact with the CeRTNA ERDS & G2G platforms. \\ . \\ The SafeNet Authentication Client (SAC) contains USB token drivers and APEX uses the token drivers to access the token based PKI certificates that are used for authentication, digital signatures, and encryption/decryption functions. \\ . \\ Additional software installation details are provided later in this document. | 
-Generate MBSA Report An MBSA report is required for the intial installation of both the ERDS & G2G workstations and an updated MBSA report for both the ERDS & G2G workstations must be submitted to CeRTNA annually. |+Certificate Installation The CeRTNA Root CA certificate needs to be installed to support out Private Key Infrastructure  |
  
  
 === Workstation Configuration === === Workstation Configuration ===
 +
 +You will need to determine if your users are going to login to the ERDS or G2G workstation or VM's using a domain login account or a local login account. If you choose to use a local user account you will need to create the user accounts using Windows Computer Management feature which is accessible via the Windows Control Panel/Administrative Tools in Windows 10 or the Control Panel/Window Tools in Windows 11. 
 +
 +You will also need to determine whether your organization is going to manage the various security settings for the workstation or VM using Group Policy or Local Security Policy or a combination of both. CeRTNA does not have strict rules on which method you use. We have customers that use both methods effectively.
  
 Once your workstation is installed, complete the following tasks: Once your workstation is installed, complete the following tasks:
  
-  * Create individual user accounts (non-admin) for the users that are or will be authorized to use the CeRTNA ERDS workstation. 
   * Disable the local Guest account.   * Disable the local Guest account.
-  * Ensure the anti-virus/anti-malware software is installed. Note: Windows Defender is built into the Windows 10 operating system+  * Rename the local Administrator user account. 
 +  * Ensure the anti-virus/anti-malware software is installed. Note: Windows Defender is built into the Windows 10 and Windows 11 operating systems. 
 +  * Ensure that a local Windows Firewall is running on the ERDS/G2G workstation. Some 3rd party antivirus solutions override the built-in Windows Firewall and this is acceptable as long as the firewall is enabled and protecting the computer. 
 + 
 + 
 +== Install the CeRTNA Root CA certificate == 
 + 
 +INstallation instructions can be found at LINK
  
  
Line 32: Line 43:
  
  
-Anti-virus/Anti-malware software must be installed on your ERDS & G2G workstations. Microsoft has 2 product offerings to protect your workstation Microsoft Security Essentials (Windows 7) and Windows Defender (Windows 10). Your organization may be using an alternative 3rd party software product, for example, Symantec Endpoint Protection, McAfee Anti-Virus, AVG Anti-Virus, Trend Micro Anti-Virus, or any of the other myriad of commercial anti-virus products available. CeRTNA accepts your organizations solution for anti-virus/anti-malware protection, however, you must be able to show a security auditor that the anti-virus/anti-malware software is active and show that both quick and/or full scans are being completed on a regular basis.+Anti-virus/Anti-malware software must be installed on your ERDS & G2G workstations. Windows 10 and Windows 11 both include Windows Defender. Your organization may be using an alternative 3rd party software product, for example, Symantec Endpoint Protection, McAfee Anti-Virus, AVG Anti-Virus, Trend Micro Anti-Virus, or any of the other myriad of commercial anti-virus products available. CeRTNA accepts your organizations solution for anti-virus/anti-malware protection, however, you must be able to show a security auditor that the anti-virus/anti-malware software is active and show that both quick and/or full scans are being completed on a regular basis.
  
  
Line 41: Line 52:
  
  
-As per regulations, the ERDS & G2G workstations are required to for the 'sole-use' function of electronic recording. To that end, CeRTNA requires that the sites that the ERDS & G2G workstations can access are restricted. There are different ways that this can be accomplished including:+As per regulations, the ERDS & G2G workstations are required to be for the 'sole-use' function of electronic recording. To that end, CeRTNA requires that the sites accessible by the ERDS & G2G workstations are restricted. There are different ways that this can be accomplished including:
  
   * Via organizational firewall rules.   * Via organizational firewall rules.
Line 50: Line 61:
  
  
-{{page>[:guides:network_settings&noheader&noindent&nofooter&nouser&nodate&noeditbtn&nopermalink]}}+{{page>[:guides:firewall_settings&noheader&noindent&nofooter&nouser&nodate&noeditbtn&nopermalink]}}
  
  
Line 66: Line 77:
  
 {{page>[:guides:apex_installation_guide&noheader&noindent&nofooter&nouser&nodate&noeditbtn&nopermalink]}} {{page>[:guides:apex_installation_guide&noheader&noindent&nofooter&nouser&nodate&noeditbtn&nopermalink]}}
- 
- 
-== Microsoft Baseline Security Analyzer Installation == 
- 
- 
-{{page>[:guides:mbsa_installation&noheader&noindent&nofooter&nouser&nodate&noeditbtn&nopermalink]}} 
- 
- 
- 
  
  
guides/workstation_configuration.1547688191.txt.gz · Last modified: by administrator