Field Security Hardening
This reference provides verification criteria for security configurations on field-deployed equipment. Use it during field site establishment, periodic security reviews, and pre-deployment preparation to confirm equipment meets minimum security requirements before deployment to field locations.
Prerequisites
Before using this checklist, confirm the following conditions:
| Requirement | Detail |
|---|---|
| Device inventory | Complete list of devices to be hardened with serial numbers and assigned users |
| MDM enrollment | Devices enrolled in mobile device management or alternative management confirmed |
| Baseline policies | Organisation security policies reviewed and applicable requirements identified |
| Administrative access | Credentials and permissions to configure all device types |
| Verification tools | Access to management consoles, command-line tools, and testing equipment |
Device Hardening: Windows
Windows devices deployed to field locations require configurations that protect against physical theft, malware infection, and unauthorised access while maintaining usability on constrained networks.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| BitLocker full disk encryption | manage-bde -status in elevated command prompt | Protection Status: On, Encryption Method: XTS-AES 256 | Screenshot of status output |
| BitLocker recovery key backup | Check Entra ID or on-premises AD for recovery key | Recovery key present and matches device ID | Recovery key ID confirmation |
| Local administrator password | Attempt login with default/common passwords | Login fails; LAPS configured or unique password set | LAPS policy confirmation |
| Firewall enabled | netsh advfirewall show allprofiles | State: ON for all profiles (Domain, Private, Public) | Screenshot of firewall status |
| Automatic updates | Settings > Windows Update > Advanced options | Updates download automatically; restart within 7 days | Screenshot of update settings |
| Antimalware active | Windows Security > Virus & threat protection | Real-time protection: On, Definitions updated within 7 days | Screenshot of protection status |
| Screen lock timeout | Settings > Accounts > Sign-in options | Require sign-in: When PC wakes from sleep; Screen timeout: 5 minutes or less | Screenshot of lock settings |
| USB storage restriction | Attempt to mount USB storage device | Blocked by policy or requires explicit authorisation | Policy configuration export |
| Remote Desktop disabled | Settings > System > Remote Desktop | Remote Desktop: Off (unless explicitly required) | Screenshot of RDP settings |
| Guest account disabled | net user guest in command prompt | Account active: No | Command output screenshot |
| Secure Boot enabled | msinfo32 > System Summary | Secure Boot State: On | System information screenshot |
| TPM present and active | tpm.msc or Device Manager | TPM ready for use, version 2.0 | TPM management console screenshot |
Offline environments
Windows Update verification assumes network connectivity. For extended offline deployments, document the last update date and establish a maximum offline period (60 days recommended) before mandatory reconnection for updates.
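As an added example (not part of this reference), the following Python evaluates captured output of manage-bde -status, netsh advfirewall show allprofiles and net user guest against the pass criteria in the Windows table above, so the evidence record can be produced from the command output rather than from a screenshot. The sample outputs are constructed; the field layouts follow those tools' real output.

```python
import re

# Constructed sample output of "manage-bde -status" (trimmed; not from a real device).
SAMPLE_BDE = """Volume C: [Windows]
[OS Volume]
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
"""
# Constructed sample output of "netsh advfirewall show allprofiles" (trimmed);
# the Public profile is deliberately OFF to show a failing item.
SAMPLE_FW = """Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
"""
# Constructed sample output of "net user guest" (trimmed).
SAMPLE_GUEST = """User name                    Guest
Account active               No
"""

def _field(text, name):
    """Value of a 'Name:   value' or 'Name   value' line; '' if absent."""
    m = re.search(rf"^\s*{re.escape(name)}:?\s+(.+?)\s*$", text, re.M)
    return m.group(1) if m else ""

def check_bitlocker(text):
    """Pass criteria: Protection Status On AND Encryption Method XTS-AES 256."""
    status, method = _field(text, "Protection Status"), _field(text, "Encryption Method")
    ok = status.split()[-1:] == ["On"] and method == "XTS-AES 256"
    return ok, f"status={status!r}, method={method!r}"

def check_firewall(text):
    """Pass criteria: State ON for the Domain, Private and Public profiles."""
    states = dict(re.findall(r"(\w+) Profile Settings:\s*\n-+\n\s*State\s+(\w+)", text))
    failing = sorted(p for p in ("Domain", "Private", "Public")
                     if states.get(p, "MISSING").upper() != "ON")
    return not failing, f"profiles not ON: {failing or 'none'}"

def check_guest(text):
    """Pass criteria: Account active No."""
    active = _field(text, "Account active")
    return active == "No", f"Account active={active!r}"

def evaluate(bde_out, fw_out, guest_out):
    """Map each checklist item to (passed, detail) for the evidence record."""
    return {
        "BitLocker full disk encryption": check_bitlocker(bde_out),
        "Firewall enabled": check_firewall(fw_out),
        "Guest account disabled": check_guest(guest_out),
    }

if __name__ == "__main__":
    for item, (passed, detail) in evaluate(SAMPLE_BDE, SAMPLE_FW, SAMPLE_GUEST).items():
        print(f"{'PASS' if passed else 'FAIL'}  {item}: {detail}")
```

On a real device, capture each command's output to a file from an elevated prompt and pass the file contents to the matching check; the detail string is what goes in the evidence column.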
Device Hardening: macOS
macOS devices require FileVault encryption and system integrity protections that function independently of network connectivity.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| FileVault encryption | System Settings > Privacy & Security > FileVault | FileVault is turned on | Screenshot of FileVault status |
| FileVault recovery key | Check MDM or organisational key escrow | Recovery key escrowed and retrievable | Key escrow confirmation |
| Firewall enabled | System Settings > Network > Firewall | Firewall: On | Screenshot of firewall settings |
| Automatic updates | System Settings > General > Software Update | Automatic updates enabled, Install Security Responses: On | Screenshot of update settings |
| Screen lock | System Settings > Lock Screen | Require password: Immediately after sleep or screen saver | Screenshot of lock settings |
| Gatekeeper enabled | spctl --status in Terminal | assessments enabled | Terminal output screenshot |
| SIP enabled | csrutil status in Terminal | System Integrity Protection status: enabled | Terminal output screenshot |
| Remote Login disabled | System Settings > General > Sharing | Remote Login: Off (unless explicitly required) | Screenshot of sharing settings |
| Guest user disabled | System Settings > Users & Groups | Guest User: Off | Screenshot of user settings |
| Secure Boot | Apple Silicon: always enabled; Intel: nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy | Full Security or %02 | Boot security confirmation |
Device Hardening: iOS and iPadOS
Mobile Apple devices require MDM enrollment for remote management capability and supervised mode for full security control in field environments.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| MDM enrollment | Settings > General > VPN & Device Management | Organisation MDM profile present and verified | Screenshot of management profile |
| Supervised mode | Settings > General > About | Device marked as supervised (for organisation-owned devices) | Screenshot showing supervision |
| Passcode configured | Attempt device unlock | 6-digit numeric minimum; alphanumeric for sensitive data access | Policy configuration |
| Passcode complexity | MDM compliance check | Minimum 6 characters; no simple sequences (123456, 111111) | MDM compliance report |
| Auto-lock | Settings > Display & Brightness > Auto-Lock | 2 minutes or less | Screenshot of auto-lock setting |
| Data protection | Secure Enclave presence confirmed via MDM | Hardware encryption enabled (all devices post-2013) | MDM device inventory |
| USB Restricted Mode | Settings > Face ID/Touch ID & Passcode | USB Accessories: Off (require unlock for USB after 1 hour) | Screenshot of USB setting |
| Find My enabled | Settings > [Name] > Find My | Find My iPhone: On, Send Last Location: On | Screenshot of Find My settings |
| Automatic updates | Settings > General > Software Update > Automatic Updates | All automatic update options enabled | Screenshot of update settings |
| App installation | MDM policy check | Apps install from App Store or MDM only; no sideloading | MDM policy configuration |
| iCloud backup | For sensitive deployments: Settings > [Name] > iCloud > iCloud Backup | Off (use local encrypted backup or MDM backup) | Screenshot of backup setting |
Device Hardening: Android
Android device security depends heavily on manufacturer and version. These criteria apply to Android 12 and later on devices receiving security updates.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| MDM enrollment | Settings > Security > Device admin apps | Organisation MDM enrolled and active | Screenshot of device admin |
| Encryption | Settings > Security > Encryption | Device encrypted (automatic on Android 10+) | Screenshot of encryption status |
| Screen lock | Settings > Security > Screen lock | PIN (6+ digits), password, or biometric with PIN backup | Screenshot of lock type |
| Lock timeout | Settings > Security > Screen lock > Advanced | 1 minute or less | Screenshot of timeout setting |
| Unknown sources | Settings > Security > Install unknown apps | All apps set to “Not allowed” | Screenshot of install permissions |
| Google Play Protect | Google Play Store > Profile > Play Protect | Scan apps with Play Protect: On | Screenshot of Play Protect status |
| Security patch level | Settings > About phone > Android security patch level | Within 90 days of current date | Screenshot showing patch date |
| Developer options | Settings > System > Developer options | Disabled or hidden | Attempt to access developer options |
| USB debugging | Developer options (if accessible) | Off | Screenshot if accessible |
| Find My Device | Settings > Security > Find My Device | On | Screenshot of Find My Device |
| Work profile | For BYOD: Settings > Accounts | Work profile present and separate from personal | Screenshot of profile separation |
Android fragmentation
Security patch availability varies by manufacturer. Samsung devices typically receive monthly patches for 4 years; Google Pixel devices receive 5 years. Other manufacturers vary. Document device-specific support windows.
Network Configuration
Field network equipment requires hardening that accounts for physical access risks and untrusted network environments.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| Default credentials changed | Attempt login with manufacturer defaults | Default username/password rejected | Successful login with organisational credentials |
| Administrative interface | Check interface binding | Admin interface bound to LAN only; WAN access disabled | Router configuration export |
| HTTPS for administration | Browser connection to admin interface | Certificate valid; HTTP redirects to HTTPS; no certificate warnings | Browser security indicator |
| Firmware version | Check administration interface | Version current or within one release; no known critical vulnerabilities | Screenshot of firmware version |
| WiFi encryption | Wireless security settings | WPA3 or WPA2-AES; WPA/WEP disabled | Wireless configuration export |
| WiFi password strength | Review configured password | Minimum 12 characters; not organisation name or location | Password policy documentation |
| Guest network isolation | Network configuration | Guest network on separate VLAN; no access to internal resources | Network topology documentation |
| UPnP disabled | Router security settings | Universal Plug and Play: Disabled | Router configuration screenshot |
| Remote management disabled | Router WAN settings | Remote administration: Disabled | Router configuration screenshot |
| DNS configuration | Network settings > DNS | Organisational DNS or trusted resolver (not ISP default) | DNS configuration screenshot |
| Firewall rules | Router firewall configuration | Inbound: deny all except required services; Outbound: allow established | Firewall rule export |
| DHCP range | DHCP settings | Range appropriate to expected devices; not excessive | DHCP configuration screenshot |
| Logging enabled | Router logging settings | Security events logged; log retention 30+ days | Logging configuration screenshot |
Satellite and Connectivity Equipment
VSAT terminals and mobile connectivity equipment require specific hardening due to their role as network perimeter devices.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| Modem admin credentials | Attempt login with defaults | Default credentials rejected | Successful login with unique credentials |
| Modem firmware | Check modem administration interface | Current version; no known vulnerabilities | Firmware version screenshot |
| Modem interface access | Check interface binding | Administration accessible from LAN only | Configuration export |
| Encryption enabled | Satellite provider configuration | Link encryption active (provider-dependent) | Provider configuration confirmation |
| Traffic monitoring | Review modem statistics | Baseline traffic established; anomaly detection possible | Baseline documentation |
| Physical security | Physical inspection | Equipment in locked enclosure; cables secured; tamper indicators present | Photograph of installation |
| Backup connectivity | Test failover | Secondary connection (cellular, alternate satellite) available and tested | Failover test record |
| Data caps configured | Provider portal or modem | Usage alerts at 75% and 90% of allocation | Alert configuration screenshot |
Authentication Requirements
Authentication configurations must balance security with field usability, particularly for shared devices and intermittent connectivity scenarios.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| MFA enabled | Identity provider configuration | All users require MFA for cloud services | IdP policy configuration |
| MFA method | Review user MFA registrations | Hardware key or authenticator app; SMS only as backup | User registration report |
| Offline authentication | Test authentication without connectivity | Cached credentials function for configured period (96 hours maximum) | Test result documentation |
| Password policy | Identity provider password settings | Minimum 12 characters; complexity requirements enabled | Password policy configuration |
| Account lockout | Identity provider security settings | Lockout after 10 failed attempts; 30-minute lockout duration | Lockout policy configuration |
| Session timeout | Application and IdP settings | Idle timeout: 8 hours maximum; absolute timeout: 12 hours | Session policy configuration |
| Service accounts | Review service account inventory | Documented purpose; password rotated within 90 days; no interactive login | Service account register |
| Shared device mode | For shared tablets/kiosks | Session data cleared on logout; automatic logout after 30 minutes idle | Shared device configuration |
| Local accounts | Device local account audit | Minimum local accounts; documented purpose; unique passwords | Local account inventory |
| Emergency access | Break-glass account verification | Emergency accounts exist; credentials secured; access logged | Emergency account documentation |
Encryption Requirements
Data at rest and in transit requires encryption appropriate to the classification of information processed in field locations.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| Disk encryption | See device-specific sections above | Full disk encryption enabled on all devices | Device inventory with encryption status |
| Removable media encryption | Attempt to use unencrypted USB | Blocked by policy or automatically encrypted | Policy verification |
| Database encryption | Database configuration review | Transparent Data Encryption or equivalent enabled | Database configuration |
| Backup encryption | Backup system configuration | Backups encrypted at rest; encryption keys secured separately | Backup configuration |
| Email encryption | Mail client configuration | TLS required for transmission; S/MIME or PGP available for sensitive content | Mail configuration |
| VPN encryption | VPN configuration | AES-256 or ChaCha20; no deprecated ciphers (DES, 3DES, RC4) | VPN configuration export |
| TLS version | SSL Labs test or nmap --script ssl-enum-ciphers | TLS 1.2 minimum; TLS 1.3 preferred; no SSL 3.0, TLS 1.0, TLS 1.1 | Test results |
| Certificate validity | Certificate inspection | Valid certificate; expiry more than 30 days; trusted CA | Certificate details |
| Key length | Certificate and VPN configuration review | RSA 2048-bit minimum; ECDSA P-256 minimum | Configuration documentation |
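As an added example (not part of this reference), the following Python parses output of the nmap ssl-enum-ciphers script named in the TLS version item and applies that item's pass criteria together with the deprecated-cipher criteria (DES, 3DES, RC4) from the VPN encryption item. The scan output is constructed, not from a real host, and deliberately offers TLS 1.0 with weak ciphers so the checks fail.

```python
import re

# Constructed sample of "nmap --script ssl-enum-ciphers -p 443 <host>" output (not a real scan);
# it deliberately offers TLS 1.0 with 3DES and RC4 so that the checks below fail.
SAMPLE_NMAP = """PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # must not be offered
DEPRECATED_CIPHERS = ("DES", "3DES", "RC4")                      # from the VPN encryption item

def parse_ssl_enum(text):
    """Return {protocol: [cipher names]} from ssl-enum-ciphers script output."""
    offered, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").rstrip()          # drop nmap's "| " / "|_" prefixes
        proto = re.fullmatch(r"(SSLv\d|TLSv1\.\d):", body)
        if proto:
            current = proto.group(1)
            offered[current] = []
        elif current and body.startswith("TLS_"):  # cipher line: first token is the name
            offered[current].append(body.split()[0])
    return offered

def evaluate_tls(text):
    """Apply the TLS version and deprecated-cipher pass criteria to one scan."""
    offered = parse_ssl_enum(text)
    findings = [f"{p} offered (must be disabled)"
                for p in sorted(offered) if p in FORBIDDEN_PROTOCOLS]
    if "TLSv1.2" not in offered and "TLSv1.3" not in offered:
        findings.append("neither TLS 1.2 nor TLS 1.3 offered")
    for proto, ciphers in offered.items():
        findings += [f"{proto}: deprecated cipher {c}" for c in ciphers
                     if any(bad in c for bad in DEPRECATED_CIPHERS)]
    warnings = [] if "TLSv1.3" in offered else ["TLS 1.3 not offered (preferred)"]
    return {"pass": not findings, "findings": findings, "warnings": warnings}

if __name__ == "__main__":
    report = evaluate_tls(SAMPLE_NMAP)
    print("PASS" if report["pass"] else "FAIL")
    for line in report["findings"] + report["warnings"]:
        print(" -", line)
```

Certificate validity and key length still need the certificate inspection described in their own rows; this check covers only protocol versions and cipher names.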
Physical Security
Physical security controls compensate for the reduced environmental security of field locations compared to office environments.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| Cable locks | Physical inspection | Laptops secured with cable locks when unattended in office | Photograph of secured devices |
| Lockable storage | Physical inspection | Secure cabinet or safe available for devices overnight | Photograph of storage |
| Asset labels | Physical inspection | All devices labelled with asset tag and contact information | Photograph of labelled device |
| Screen privacy | Physical inspection in working environment | Privacy filters applied where shoulder-surfing risk exists | Photograph or inventory |
| Server/network cabinet | Physical inspection | Network equipment in locked cabinet; key control documented | Photograph; key register |
| Visitor access | Procedure review | Visitors escorted; no unaccompanied access to IT equipment | Access procedure documentation |
| Device checkout | Procedure review | Portable equipment signed out; return tracked | Checkout register |
| Working away guidance | User acknowledgment | Staff briefed on secure device handling during travel | Training record |
| Tamper evidence | Physical inspection | Tamper-evident seals on critical equipment where appropriate | Photograph of seals |
| Disposal procedure | Procedure review | Secure disposal process documented; certificates retained | Disposal procedure; certificates |
Data Handling
Field locations process sensitive data under conditions requiring specific handling controls to maintain confidentiality and comply with data protection requirements.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| Data classification | Spot check of stored files | Files stored according to classification; no restricted data on unapproved devices | File location audit |
| Local data minimisation | Device storage review | Only data required for current operations stored locally | Storage audit |
| Sync configuration | Application sync settings | Selective sync enabled; large archives excluded from field devices | Sync configuration |
| Cloud storage access | Access control review | Access limited to required folders; no organisation-wide access from field | Access control audit |
| Print controls | Printer configuration | Secure print enabled where available; print logs retained | Printer configuration |
| Screen sharing | Application settings | Screen sharing requires authentication; disabled when not in use | Application configuration |
| Clipboard controls | MDM or endpoint policy | Clipboard blocked between managed and unmanaged applications | Policy configuration |
| Data retention | Storage audit | Temporary files cleared; data deleted per retention schedule | Retention audit |
| Backup restoration | Test restore | Field backups restorable; tested within 90 days | Restore test record |
Communication Security
Field communications traverse untrusted networks and may be subject to surveillance, requiring encryption and authentication for all organisational communications.
| Item | Verification method | Pass criteria | Evidence |
|---|---|---|---|
| VPN configuration | VPN client settings | Always-on VPN or VPN required before accessing organisational resources | VPN policy configuration |
| VPN authentication | VPN configuration | Certificate-based or MFA; no username/password only | VPN authentication settings |
| Messaging encryption | Application settings | End-to-end encryption enabled for sensitive communications | Application configuration |
| Voice encryption | Test call with encryption indicator | Encrypted calls possible; users trained on verification | Test call screenshot |
| Email security | Mail headers inspection | SPF, DKIM, DMARC passing on sent mail; TLS on transmission | Header analysis |
| Video conferencing | Platform settings | Meetings require authentication; waiting room enabled; recording controls | Platform configuration |
| File transfer | Transfer method review | SFTP, HTTPS, or encrypted platform; no unencrypted FTP | Transfer audit |
| Public WiFi | User guidance and technical control | Users avoid public WiFi or VPN enforced on untrusted networks | Policy acknowledgment; VPN config |
| Bluetooth | Device settings | Bluetooth off when not in use; no discoverable mode | Spot check of devices |
Exit Criteria
A device or field site passes security hardening verification when all applicable items in relevant sections meet pass criteria. Document exceptions using the exception handling process below.
Pass thresholds:
| Category | Required pass rate |
|---|---|
| Device hardening (per platform) | 100% of applicable items |
| Network configuration | 100% of applicable items |
| Authentication | 100% of items |
| Encryption | 100% of items |
| Physical security | 90% of items; exceptions documented |
| Data handling | 100% of items |
| Communication security | 100% of items |
Items marked as not applicable require documented justification explaining why the control does not apply to the specific deployment context.
Exception Handling
Security controls that cannot be implemented require formal exception approval before deployment.
Exception requirements:
| Element | Requirement |
|---|---|
| Approval authority | IT security lead for 90-day exceptions; IT director for longer |
| Documentation | Exception form with control, reason, compensating controls, review date |
| Compensating controls | Alternative controls that mitigate the risk |
| Maximum duration | 180 days; then re-evaluate or implement permanent compensating control |
| Review | Exceptions reviewed quarterly |
Exception register location: Document exceptions in the organisational risk register with a link to the detailed exception form.
Non-exceptionable items: The following items cannot be excepted under any circumstances:
- Full disk encryption on devices storing personal data
- MFA for cloud service access (offline caching is not an exception)
- VPN encryption strength (AES-256 or equivalent)
- Administrative credential changes from defaults