System Hardening Best Practices
The following best practices are suggested as a security baseline for production systems:
- 1. Configure the system with a static IP address and a dedicated VLAN, separated from the Guests and Employees VLANs
- 2. Activate Microsoft Windows Defender
- 3. Enable Mago Room Kiosk Mode
- 4. Disconnect the keyboard and mouse
- 5. Manage and control the room from the Mago Cloud Management Console
- 6.
- 7.
Follow this guide for setting the appropriate security policy:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-locally
Disable Internet Connection Sharing (ICS) Service
Disable the following Remote Services
- Remote Desktop Configuration
- Remote Desktop Services
- Remote Desktop Services UserMode Port Redirector
- Remote Registry
Configure manual startup
Configure manual start-up for these services:
- Remote Procedure Call (RPC) Locator
- Windows Error Reporting Service
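The service settings above (ICS, the Remote Services, and the manual start-up services) can be audited with a short script. This is an added example, not part of the original guide or Mago's tooling; the short service names are the standard Windows names for the display names listed above, and the function name and `-Fix` switch are hypothetical.

```powershell
# Added example: audit (and optionally enforce) the service startup baseline above.
# Keys are Windows short service names; confirm them with Get-Service on your build.
$Baseline = [ordered]@{
    SharedAccess   = 'Disabled'  # Internet Connection Sharing (ICS)
    SessionEnv     = 'Disabled'  # Remote Desktop Configuration
    TermService    = 'Disabled'  # Remote Desktop Services
    UmRdpService   = 'Disabled'  # Remote Desktop Services UserMode Port Redirector
    RemoteRegistry = 'Disabled'  # Remote Registry
    RpcLocator     = 'Manual'    # Remote Procedure Call (RPC) Locator
    WerSvc         = 'Manual'    # Windows Error Reporting Service
}

function Test-ServiceBaseline {
    param(
        [System.Collections.IDictionary]$Expected = $Baseline,
        [switch]$Fix   # hypothetical switch: apply the baseline where it differs
    )
    foreach ($name in $Expected.Keys) {
        $want = $Expected[$name]
        $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Not every Windows build ships every service; report it and move on.
            [pscustomobject]@{ Service = $name; Expected = $want
                               Actual = 'NotInstalled'; Compliant = $true }
            continue
        }
        $actual = [string]$svc.StartType
        if ($Fix -and $actual -ne $want) {
            Set-Service -Name $name -StartupType $want
            # A disabled service that is still running stays reachable until stopped.
            if ($want -eq 'Disabled' -and $svc.Status -eq 'Running') {
                Stop-Service -Name $name -Force
            }
            $actual = [string](Get-Service -Name $name).StartType
        }
        [pscustomobject]@{ Service = $name; Expected = $want
                           Actual = $actual; Compliant = ($actual -eq $want) }
    }
}

# Read-only audit; every row should show Compliant = True on a hardened room system.
Test-ServiceBaseline | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; `Test-ServiceBaseline -Fix` changes startup types and stops running services that the baseline disables.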
Disable all accounts that do not meet system or application objectives.
Deny autorun and access to removable media devices
- Set the default behavior for AutoRun: Enabled
- All Removable Storage classes: Deny all access: Enabled
- CD and DVD: Deny read access: Enabled
- CD and DVD: Deny write access: Enabled
- Removable Disks: Deny read access: Enabled
- Removable Disks: Deny write access: Enabled
- WPD Devices: Deny read access: Enabled
- WPD Devices: Deny write access: Enabled
Restrict Users to Store Data in Local Drive, Desktop, Document, Downloads etc.: https://docs.microsoft.com/en-us/answers/questions/129425/restrict-users-to-store-data-in-local-drive-deskto.html
Mago Advanced Settings
- Enable Kiosk Mode
- Create and apply an automatic Mago Room Update policy from the Mago Cloud Management Console (admin.mago.io)