Workstation Security Checklist for Windows and Linux 2026
A practical, comprehensive security checklist for hardening company workstations running Windows 11 and Linux, with NIS2 alignment notes for each section.
Why Workstation Security Remains the Weakest Link
In 2026, the vast majority of business intrusions begin with a compromised workstation: a phishing e-mail opened, a reused password, an unencrypted device left unattended. Yet basic protection measures remain insufficiently applied across Belgian SMEs.
This checklist covers the essential points for both Windows 11 and Linux. It is designed to be used by your IT lead or directly by your team members. Each section indicates its relevance to the NIS2 directive for companies within its scope.
Tick each item. An unticked item is an identified risk.
1. Operating System Hardening
Windows 11
- BitLocker enabled on the system drive (Pro/Enterprise: Control Panel → BitLocker Drive Encryption; Home: Settings → Privacy & security → Device encryption); confirm with `manage-bde -status`, and make sure the recovery key is escrowed (Entra ID/AD, or printed and stored offline) rather than left on the encrypted disk
- BitLocker pre-boot authentication (TPM + PIN) enabled so the disk does not unlock before a PIN is entered, and a Windows sign-in password of at least 12 characters
- Windows Hello configured for biometric authentication (fingerprint or facial recognition)
- Automatic updates enabled: Windows Update configured to install security patches within 24 hours of release (no deferral; set active hours so restarts do not interrupt work)
- Windows Defender Firewall enabled and verified for all network profiles (domain, private, public)
- Microsoft Defender Antivirus active with signature database up to date (`Get-MpComputerStatus` shows `AntivirusEnabled` true and a recent `AntivirusSignatureLastUpdated`)
- Ransomware protection (Controlled Folder Access) enabled in Windows Security; roll it out in audit mode first, since it blocks unknown applications from writing to protected folders
- UAC (User Account Control) set to the maximum level ("Always notify")
- Telemetry minimised: diagnostic data set to "Required diagnostic data" only
- Secure Boot enabled in UEFI (`Confirm-SecureBootUEFI` in an elevated PowerShell returns True; msinfo32 shows "Secure Boot State: On") and TPM 2.0 present
Linux (Ubuntu / Debian / Fedora)
- LUKS encryption enabled on the system partition (configured at installation time)
- Automatic updates: `unattended-upgrades` installed and configured on Debian/Ubuntu (`dnf-automatic` on Fedora), with security updates applied without manual approval
- UFW firewall enabled: `ufw enable` with a default-deny incoming policy and only the rules you actually need (`firewalld` on Fedora)
- ClamAV installed for periodic scans (even on Linux, for shared files that may reach Windows users)
- Secure Boot enabled where the hardware supports it (`mokutil --sb-state`)
- AppArmor / SELinux active (Ubuntu uses AppArmor by default, Fedora uses SELinux in enforcing mode; verify with `aa-status` or `getenforce` that it has not been disabled)
- System logs active: `systemd-journald` or `rsyslog` configured with persistent storage and archived off the workstation
NIS2 alignment: Article 21 of NIS2 requires security measures for networks and information systems proportionate to the risk. Disk encryption and automatic updates are baseline expected measures.
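The Linux items above can be verified in one pass. The script below is an added example, not part of the original checklist: each `check_*` function takes the output of a command or the content of a file as a string, so it can be exercised with constructed input, and `run_audit` feeds it the live system. Paths, command names and expected strings are the Debian/Ubuntu defaults and are assumptions for other distributions (Fedora: `dnf-automatic`, `firewalld`, `getenforce`).

```shell
#!/bin/sh
# Audit of the Linux hardening items (added example). Run as root: ufw and
# mokutil need privileges. Constructed input can be passed to each check_*
# function directly, which is how the functions are tested.

# LUKS: "lsblk -rno NAME,TYPE" lists a TYPE of "crypt" for an active dm-crypt mapping.
check_luks() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit found ? 0 : 1 }'
}

# unattended-upgrades: both periodic steps must be "1" in /etc/apt/apt.conf.d/20auto-upgrades.
check_unattended_upgrades() {
    printf '%s\n' "$1" | grep -q 'APT::Periodic::Update-Package-Lists "1";' &&
    printf '%s\n' "$1" | grep -q 'APT::Periodic::Unattended-Upgrade "1";'
}

# UFW: "ufw status verbose" must say active and deny (or reject) incoming by default.
check_ufw() {
    printf '%s\n' "$1" | grep -q '^Status: active' &&
    printf '%s\n' "$1" | grep -Eq '^Default: (deny|reject) \(incoming\)'
}

# AppArmor: the kernel exposes /sys/module/apparmor/parameters/enabled as "Y".
check_apparmor() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "Y" ]
}

# Secure Boot: "mokutil --sb-state" prints "SecureBoot enabled" on a UEFI system.
check_secure_boot() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled'
}

# Persistent journal: Storage=persistent in journald.conf, or the default
# Storage=auto together with an existing /var/log/journal directory.
check_journal() {   # $1 = journald.conf content, $2 = "yes" if /var/log/journal exists
    storage=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1)
    case "${storage:-auto}" in
        persistent) return 0 ;;
        auto)       [ "$2" = "yes" ] ;;
        *)          return 1 ;;
    esac
}

report() {   # $1 = label, remaining args = check function and its input
    label=$1; shift
    if "$@"; then printf 'PASS  %s\n' "$label"; else printf 'FAIL  %s\n' "$label"; fi
}

run_audit() {
    report "LUKS full-disk encryption"   check_luks "$(lsblk -rno NAME,TYPE 2>/dev/null)"
    report "unattended-upgrades enabled" check_unattended_upgrades "$(cat /etc/apt/apt.conf.d/20auto-upgrades 2>/dev/null)"
    report "ufw active, default deny in" check_ufw "$(ufw status verbose 2>/dev/null)"
    report "AppArmor enabled"            check_apparmor "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)"
    report "Secure Boot enabled"         check_secure_boot "$(mokutil --sb-state 2>/dev/null)"
    if [ -d /var/log/journal ]; then jdir=yes; else jdir=no; fi
    report "journald persistent storage" check_journal "$(cat /etc/systemd/journald.conf 2>/dev/null)" "$jdir"
}

# Usage: sudo sh ws-audit.sh --run   (without the flag the file only defines the functions)
if [ "${1:-}" = "--run" ]; then run_audit; fi
```

A FAIL line maps directly to an unticked box in the list above. The checks read state rather than configuration intent on purpose: a `ufw` rule file that was never enabled, or a `Storage=auto` journal with no `/var/log/journal` directory, both look configured and are not.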
2. Account Security
- Local administrator account disabled for daily use: users work with a standard account and elevate privileges only when necessary
- MFA (multi-factor authentication) enabled on all professional accounts: e-mail, VPN, cloud portals, SaaS tools
- Password manager deployed: Bitwarden (open source, self-hostable), KeePassXC, or equivalent. No passwords stored in plain text files or notes
- Unique passwords for every service (verifiable via a password manager audit)
- Passwords of at least 16 characters for privileged accounts
- Quarterly review of active accounts, plus an offboarding step that removes a departing employee's access within 24 hours (the quarterly review is a safety net, not the control that catches a leaver)
- Service accounts documented, with credentials rotated on a schedule and only the permissions the service actually needs
- SSO (Single Sign-On) in use if you operate Active Directory or an identity provider — reduces the password surface area
NIS2 alignment: NIS2 explicitly cites access control policies and multi-factor authentication as required measures.
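The first, sixth and seventh items above ask which accounts can elevate and which accounts still exist; on a Linux workstation both answers are in `/etc/passwd` and `/etc/group`. The script below is an added example, not from the original page: it lists every account that is effectively root (UID 0, or a member of the `sudo`, `wheel` or `admin` groups, the group names being an assumption for Debian/Ubuntu and Fedora) and every account with an interactive shell, which is the list to reconcile against HR records each quarter.

```shell
#!/bin/sh
# Privileged-account and login-capable-account inventory (added example).
# Both functions take file content as a string so they can be run on a
# constructed passwd/group pair; run_report reads the live files.

# Accounts that are root or can become root via sudo/wheel/admin membership.
privileged_accounts() {   # $1 = /etc/passwd content, $2 = /etc/group content
    uid0=$(printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }')
    members=$(printf '%s\n' "$2" | awk -F: '
        $1 == "sudo" || $1 == "wheel" || $1 == "admin" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }')
    printf '%s\n%s\n' "$uid0" "$members" | sed '/^$/d' | sort -u
}

# Accounts whose login shell is interactive (not nologin/false): every one of
# these is a person who can log in and should appear in your staff records.
interactive_accounts() {   # $1 = /etc/passwd content
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

run_report() {
    printf '== Accounts with root privilege (any not in your documentation is a finding) ==\n'
    privileged_accounts "$(cat /etc/passwd)" "$(cat /etc/group)"
    printf '\n== Login-capable accounts (reconcile with HR each quarter) ==\n'
    interactive_accounts "$(cat /etc/passwd)"
}

# Usage: sh account-inventory.sh --run
if [ "${1:-}" = "--run" ]; then run_report; fi
```

A second UID 0 entry, or a service account that has a real shell, is exactly the kind of drift the quarterly review exists to catch; the report makes it visible without depending on `sudo -l` per user.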
3. Browser Security
- uBlock Origin installed on all browsers (blocks adverts, trackers, and malicious sources)
- HTTPS-only mode enabled (Firefox → Settings → Privacy & Security → HTTPS-Only Mode; Chrome → Settings → Privacy and security → Security → "Always use secure connections")
- Passwords are not saved in the browser: function disabled, password manager used instead
- Browser extensions audited: only necessary and trusted extensions installed
- Browser updated automatically (Chrome, Firefox, and Edge update themselves by default — verify this is not blocked)
- Separate professional browser profile from personal profile (Chrome Profiles, Firefox Profiles)
- DNS over HTTPS configured in the browser (Firefox: Settings → Privacy & Security → DNS over HTTPS, set to the strictest level with Quad9 or Cloudflare as provider; older releases keep the setting under Network Settings)
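On managed Linux workstations these browser settings should be enforced rather than left to each user's Settings dialog. The script below is an added example, not from the original page: it writes a Firefox enterprise policy file that locks DNS over HTTPS to Quad9, disables the built-in password manager, blocks all extensions except a force-installed uBlock Origin, and locks HTTPS-Only Mode through the `Preferences` policy. The policy keys are those of current Firefox ESR and the uBlock Origin add-on ID and install URL are the public ones on addons.mozilla.org; the target directory is a parameter (Debian/Ubuntu read `/etc/firefox/policies/policies.json`, other builds read `distribution/policies.json` under the install directory, both assumptions for your package).

```shell
#!/bin/sh
# Firefox enterprise policy for the browser checklist items (added example).
# write_firefox_policy generates policies.json into a directory of your choice;
# policy_value reads a scalar back without needing jq.

write_firefox_policy() {   # $1 = directory that will hold policies.json
    mkdir -p "$1"
    cat > "$1/policies.json" <<'EOF'
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ProviderURL": "https://dns.quad9.net/dns-query",
      "Locked": true
    },
    "PasswordManagerEnabled": false,
    "DisableAppUpdate": false,
    "ExtensionSettings": {
      "*": { "installation_mode": "blocked" },
      "uBlock0@raymondhill.net": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
      }
    },
    "Preferences": {
      "dom.security.https_only_mode": { "Value": true, "Status": "locked" }
    }
  }
}
EOF
}

# Returns the scalar value of the first occurrence of "<key>": <value> in the file.
policy_value() {   # $1 = path to policies.json, $2 = key name
    sed -n "s/^[[:space:]]*\"$2\": *\([^,]*\),\{0,1\}\$/\1/p" "$1" | head -n 1
}

# Usage: sudo sh firefox-policy.sh /etc/firefox/policies
if [ -n "${1:-}" ]; then
    write_firefox_policy "$1"
    printf 'wrote %s/policies.json (DoH provider %s)\n' "$1" "$(policy_value "$1/policies.json" ProviderURL)"
fi
```

`"DisableAppUpdate": false` is stated explicitly so that nobody later "hardens" the file by flipping it; the update item above depends on it staying false. The `"*": blocked` entry means users cannot add any extension themselves, so extend `ExtensionSettings` with your own allowlist before deploying. After deployment, `about:policies` in Firefox shows which entries were accepted.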
4. E-mail Security
- Phishing awareness training completed by all staff within the last 12 months (simulation recommended)
- Opening unexpected attachments is treated with suspicion — documented verification procedure in place
- Office macros disabled by default and enabled only on explicit request for internally signed files
- SPF, DKIM, and DMARC configured on your mail domain (check the published records with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`, or with a tester such as mail-tester.com); the DMARC policy should be `p=quarantine` or `p=reject`, since `p=none` only reports and blocks nothing
- Anti-spam and anti-malware active at the mail server level (Exchange Online Protection, Rspamd, or equivalent)
- Links in e-mails are verified before clicking (hover to preview, use a URL checker if in doubt)
- Encryption of sensitive e-mails: S/MIME or PGP for confidential communications
NIS2 alignment: Security incident management and user awareness training are explicit NIS2 obligations. Phishing is the number one attack vector.
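Whether SPF, DKIM and DMARC are "configured" is a question of what the records say, not just whether they exist. The script below is an added example, not from the original page: the `*_verdict` functions take raw TXT record text (as `dig +short` prints it, one quoted record per line) and apply the checks a mail admin would: exactly one `v=spf1` record ending in `-all` or `~all`, a DMARC policy of `reject` or `quarantine`, and a DKIM key whose `p=` is not empty (an empty `p=` is how a key is revoked). `check_domain` runs them against live DNS; the domain and selector are arguments and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Mail-domain authentication check (added example). Each *_verdict function
# takes record text, prints a one-line verdict, and returns 0 (ok) or 1.

# SPF: one v=spf1 record, and the terminal "all" must be -all or ~all;
# "+all" or "?all" tells receivers to accept mail from any source.
spf_verdict() {   # $1 = TXT records of the domain, one per line
    n=$(printf '%s\n' "$1" | grep -c '^"*v=spf1' || true)
    [ "$n" -eq 1 ] || { echo "spf: $n v=spf1 records (need exactly 1)"; return 1; }
    rec=$(printf '%s\n' "$1" | grep '^"*v=spf1' | tr -d '"')
    case "$rec" in
        *" -all") echo "spf: ok (hard fail)"; return 0 ;;
        *" ~all") echo "spf: ok (soft fail)"; return 0 ;;
        *)        echo "spf: permissive or missing all mechanism: $rec"; return 1 ;;
    esac
}

# DMARC: _dmarc.<domain> must carry v=DMARC1 and p=quarantine or p=reject.
dmarc_verdict() {   # $1 = TXT record of _dmarc.<domain>
    rec=$(printf '%s\n' "$1" | tr -d '"' | grep '^v=DMARC1' | head -n 1)
    [ -n "$rec" ] || { echo "dmarc: no record"; return 1; }
    policy=$(printf '%s\n' "$rec" | sed -n 's/.*;[[:space:]]*p=\([a-z]*\).*/\1/p')
    case "$policy" in
        reject|quarantine) echo "dmarc: ok (p=$policy)"; return 0 ;;
        none) echo "dmarc: p=none only monitors; spoofed mail is still delivered"; return 1 ;;
        *)    echo "dmarc: no p= tag in record"; return 1 ;;
    esac
}

# DKIM: <selector>._domainkey.<domain> should carry v=DKIM1 (recommended by
# RFC 6376) and must carry a non-empty p= public key. Long keys are published
# as several quoted strings; dropping quotes and spaces joins them again.
dkim_verdict() {   # $1 = TXT record of the selector
    rec=$(printf '%s\n' "$1" | tr -d '" ')
    printf '%s\n' "$rec" | grep -q 'v=DKIM1' || { echo "dkim: no v=DKIM1 record"; return 1; }
    key=$(printf ';%s\n' "$rec" | sed -n 's/.*;p=\([^;]*\).*/\1/p')
    [ -n "$key" ] || { echo "dkim: empty p= (key revoked or never published)"; return 1; }
    echo "dkim: ok (key ${#key} base64 chars)"
}

check_domain() {   # $1 = mail domain, $2 = DKIM selector used by your sender
    spf_verdict   "$(dig +short TXT "$1")"
    dmarc_verdict "$(dig +short TXT "_dmarc.$1")"
    dkim_verdict  "$(dig +short TXT "$2._domainkey.$1")"
}

# Usage: sh mailcheck.sh example.com selector1
if [ $# -eq 2 ]; then check_domain "$1" "$2"; fi
```

Two `v=spf1` records is a common mistake after a second mail provider is added and it makes SPF evaluate as a permanent error at receivers, which is why the count is checked before the content.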
5. Network Security
- Professional VPN mandatory for all remote work (self-hosted WireGuard or OpenVPN, or a European professional service)
- Public WiFi is never used without an active VPN — policy documented and signed by all staff
- Corporate WiFi network separated from the guest network and IoT devices
- WPA3 used on corporate WiFi access points (WPA2 minimum where WPA3 is unavailable)
- DNS over HTTPS or another encrypted DNS transport configured at router or workstation level (Quad9 recommended: privacy-respecting, does not log client IP addresses)
- Network segmentation: production servers on a separate VLAN from workstations
- Network connection logging: your firewall records anomalous outbound connections
6. Backups
- 3-2-1 rule applied: 3 copies of data, on 2 different media types, with 1 copy offsite
- Automated daily backup of critical data (documents, databases, configurations)
- Backups encrypted before offsite transmission (Restic, Borg Backup, or Duplicati)
- Restore tested at least once per quarter — an untested backup is not a backup
- Offline or immutable backup available (to withstand ransomware that encrypts network shares)
- Retention period documented: how long do you keep backups? (30 days minimum recommended)
- Named backup owner recorded in your internal documentation
NIS2 alignment: Business continuity and disaster recovery management are explicit NIS2 obligations. A tested backup policy is the foundation.
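The items above describe one job: encrypt, ship offsite, prune to the retention policy, and prove a restore works. The script below is an added example, not from the original page, built on restic, one of the tools the checklist names. The repository URL, password file and source paths are placeholders to replace. `compare_trees` is the part that makes "restore tested" a measurable statement: it compares every file under the original directory with the restored copy byte for byte and reports anything missing or different.

```shell
#!/bin/sh
# restic backup job with retention and a restore test (added example).
# All three values below are assumptions for your environment.
REPO=${RESTIC_REPOSITORY:-sftp:backup@offsite.example.net:/srv/restic/ws01}
PASSFILE=${RESTIC_PASSWORD_FILE:-/etc/restic/password}
SOURCES=${BACKUP_SOURCES:-/home /etc}   # space-separated, split on purpose below

backup_run() {
    # Encrypted, deduplicated snapshot of the sources (restic encrypts client-side,
    # so the offsite copy never sees plaintext).
    restic -r "$REPO" --password-file "$PASSFILE" backup $SOURCES --exclude-caches
    # Retention: 30 daily, 8 weekly, 12 monthly snapshots, then reclaim space.
    restic -r "$REPO" --password-file "$PASSFILE" forget \
        --keep-daily 30 --keep-weekly 8 --keep-monthly 12 --prune
    # Structural check plus a 5 % sample of actual pack data read back.
    restic -r "$REPO" --password-file "$PASSFILE" check --read-data-subset=5%
}

# Compare every regular file under $1 with its counterpart under $2.
# Prints "missing: <file>" or "differs: <file>" lines and returns 1 on any mismatch.
compare_trees() {   # $1 = original directory, $2 = restored directory
    missing=$( (cd "$1" && find . -type f) | while IFS= read -r f; do
        if [ ! -f "$2/$f" ]; then printf 'missing: %s\n' "$f"
        elif ! cmp -s "$1/$f" "$2/$f"; then printf 'differs: %s\n' "$f"
        fi
    done )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Restore one backed-up path from the latest snapshot into a scratch directory
# and compare it with the live directory. Run this right after a backup, or on
# a directory that does not change, otherwise legitimate edits show as "differs".
restore_test() {   # $1 = absolute path that is part of the backup, e.g. /etc
    scratch=$(mktemp -d)
    restic -r "$REPO" --password-file "$PASSFILE" restore latest --include "$1" --target "$scratch"
    # restic recreates the full path below --target, so /etc lands in $scratch/etc
    compare_trees "$1" "$scratch$1"
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# Usage: sh backup.sh backup        (daily, from cron or a systemd timer)
#        sh backup.sh verify /etc   (quarterly restore test; non-zero exit = failed)
case "${1:-}" in
    backup) backup_run ;;
    verify) restore_test "${2:-/etc}" ;;
esac
```

Schedule `verify` as its own timer and alert on a non-zero exit; a restore test that only a human remembers to run is the one that gets skipped. The restic password file is the single point of failure for every copy, so keep it with the recovery material, not only on the workstation it protects.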
Summary by Priority Level
| Priority | Actions | Impact |
|---|---|---|
| Critical | Disk encryption, MFA, automatic updates, password manager | Blocks the most common attacks |
| High | Non-admin daily account, firewall, uBlock Origin, VPN when travelling | Drastically reduces the attack surface |
| Important | Phishing training, macros disabled, tested backups | Limits damage if an incident occurs |
| Good practice | DNS over HTTPS, network segmentation, extension audit | Additional hardening |
This checklist covers the essentials. It does not replace a full cybersecurity audit, but when applied in its entirety it eliminates the vast majority of common attack vectors targeting SMEs.