I go into 10 to 20+ major orgs per year for various reasons in the cybersecurity field. For the larger organisations (think companies as big as Microsoft), the standard build would include:
1) Bios lock of some sorts
2) BitLocker startup key mandatory on first boot - the user must set up a personal PIN. The OS will not even launch if the PIN is not entered correctly.
3) BitLocker full disk encryption
4) Group policy "displaybootmenu" set to no - disables safe mode etc. Also no bootable options from CD/USB/Network.
5) Location tracking of some sorts.
6) No local administrator accounts or other default / generic user accounts. All login is over AD. Privileged user accounts are accessible only via a toolset e.g. cyberark, and must be checked-in and checked-out with a ticket raised. All privileged sessions are recorded and data stored in the vault for audit purposes.
7) WiFi selection preference if a corp network SSID is in range. E.g. some users try to use mobile hotspots (especially in US with unlimited mobile data) to avoid corporate filtering. The device will auto connect to corp SSID whenever in range... This was largely implemented to ensure corp policies + mandatory patching could be applied.
8) Two factor authentication to login to the OS, either fingerprint or an app texting a token in addition to your password (increasing since Win 10 built in this functionality).
9) Increasing use of Windows 10 Windows Information Protection (WIP) / other DLP techs to transparently encrypt business vs personal data.
10) Application whitelisting (often via Device Guard), to enable only X applications to launch. Non-trusted applications require a ServiceNow ticket to be raised, with a manager's approval and business justification attached, and a periodic recertification is required (e.g. after 30 days the user will need to re-request to use the app).
11) USB disabled - increasingly common. Some orgs provide Bluetooth mice, keyboards etc. only, rendering USB useless. Where USB devices are required, flash memory (e.g. memory sticks, external HDDs) is disabled per group policy. A business justification can be presented, but again periodic recertification is required.
12) Unnecessary apps + services disabled
13) No CD/Disk drive and no ability to use external drive via USB
14) Baselining: measuring a standard user's data throughput, times online (e.g. 9am to 6pm), website usage etc., and flagging where throughput is high. E.g. a 1Gb data transmission to a fileshare site such as Dropbox would raise an incident ticket; likewise logging in at 1AM may raise an incident ticket to be investigated by a line manager. Suspicious website usage, e.g. browsing job sites combined with emails containing swear words and buzzwords such as "HR", may raise a flag as a potential disgruntled employee who is a "possible malicious threat actor."
More and more common are "thin clients" or entirely locked down end user laptops, with no functionality other than opening a Citrix VDI instance on boot-up. From here a user will connect, utilising an AD credential and a two-factor authentication token, into a VDI instance, from where they access corp resources. Data copying between Citrix and the base OS is disabled. For accessing email from home, the webmail facility is increasingly disabled, with email access only over the Citrix instance.
BYOD is increasingly common, although in major organisations this is effectively "use any machine to access our Citrix VDI" - hence the user ends up on a corp imaged Windows Box of some sorts, and their BYOD is effectively a "thin client" type scenario. No data will ever reside locally on the BYOD.
Overall, in large organisations it really is a case of Big Brother watching. Industry standards such as NIST-CSF are increasingly pushing organisations to invest more and more, as the board sets a risk appetite of "risk averse" and the organisation begins huge investment to reach a 3 / 4 on the NIST-CSF maturity scale.
I work for a major consulting firm, and we have had the vast majority of the above since around 2014. Booting from CD/USB/Ethernet, entering a boot menu, entering the BIOS, and a BitLocker PIN to unlock the hard drive at all have been mandated since 2015. When I press the power button on my work laptop I am greeted with this:
https://www.howtogeek.com/262720/how-to-enable-a-pre...
Enter the PW wrong 3 times and you are locked out, and a service desk call is required, alongside some "proof" you are a genuine user. Often HR verification or a manager is needed to approve that you are in fact locked out. Once you type in the BitLocker PIN, it is all Secure Boot etc., so you can only go into the standard OS.
Without knowledge of the PIN, or the ability of the service desk to unlock the device, you can do literally nothing. There is not a single key that will do anything.
Edited by ukhardy07 (Fri 11-Jan-19 01:19:22)
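Item 14 of the post describes baselining: flagging off-hours logins and large transfers to file-share sites against a normal-usage profile. As an added illustration that is not the poster's code nor any vendor's product logic, the Python below runs two such checks over a constructed telemetry sample. The log field layout, the 9am-6pm window, the 1 GB per-user-per-day threshold and the watch-list of file-share domains are all assumptions chosen to match the numbers the post gives; a real deployment would take them from the organisation's own baseline.

```python
"""Baseline-deviation checks over constructed endpoint telemetry.

Added example, not from the forum post. Thresholds, the log field layout
and the watch-list of file-share domains are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

BUSINESS_HOURS = (time(9, 0), time(18, 0))             # assumed 9am-6pm baseline
TRANSFER_LIMIT_BYTES = 1_000_000_000                    # assumed 1 GB per user per day
FILESHARE_DOMAINS = ("dropbox.com", "wetransfer.com")  # assumed watch-list

# Constructed sample telemetry, one event per line: timestamp|user|event|target|bytes
SAMPLE_LOG = """\
2019-01-10T09:15:00|alice|login|workstation-01|0
2019-01-10T10:02:00|alice|upload|www.dropbox.com|700000000
2019-01-10T11:40:00|alice|upload|dl.dropbox.com|500000000
2019-01-10T01:07:00|bob|login|workstation-02|0
2019-01-10T14:30:00|carol|upload|sharepoint.corp.example|5000000000
2019-01-10T15:10:00|dave|upload|dropbox.com|4000
"""


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    detail: str


def parse_line(line):
    """Split one pipe-delimited event into typed fields."""
    ts, user, event, target, nbytes = line.split("|")
    return datetime.fromisoformat(ts), user, event, target, int(nbytes)


def is_fileshare(host):
    """True if host is a watch-listed domain or a subdomain of one (suffix match on labels)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FILESHARE_DOMAINS)


def off_hours(ts):
    """True when the event time falls outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() <= end)


def run_baseline_checks(log_text):
    """Return alerts for off-hours logins and per-user daily external transfers over the limit."""
    alerts = []
    external_bytes = defaultdict(int)  # (user, day) -> bytes sent to watch-listed hosts
    for raw in log_text.strip().splitlines():
        ts, user, event, target, nbytes = parse_line(raw)
        if event == "login" and off_hours(ts):
            alerts.append(Alert(user, "off_hours_login", f"login at {ts.isoformat()}"))
        elif event == "upload" and is_fileshare(target):
            # Aggregate per day so several sub-threshold uploads still trip the rule.
            external_bytes[(user, ts.date())] += nbytes
    for (user, day), total in external_bytes.items():
        if total > TRANSFER_LIMIT_BYTES:
            alerts.append(Alert(user, "large_external_transfer", f"{total} bytes on {day}"))
    return sorted(alerts, key=lambda a: (a.user, a.rule))


if __name__ == "__main__":
    for alert in run_baseline_checks(SAMPLE_LOG):
        print(alert)
```

On the sample, alice is flagged because her two uploads to Dropbox subdomains sum to 1.2 GB for the day, bob is flagged for a 01:07 login, and carol's 5 GB to an internal SharePoint host is not flagged because the rule only counts watch-listed external domains; splitting a transfer into smaller chunks does not evade the check because it aggregates per user per day.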