Client Module
Key Control Areas
- Access Control and Session Management (AC-03, AC-06, AC-07, AC-11, AC-12): Access enforcement and least privilege are the first line of defence on any client endpoint. AC-03 ensures that the operating system and applications enforce authorised access based on policy. AC-06 restricts users and processes to the minimum privileges necessary, preventing lateral movement and privilege escalation after initial compromise. AC-07 locks accounts or introduces delays after repeated failed login attempts, defending against brute-force and credential-stuffing attacks. AC-11 and AC-12 handle session lock and termination, ensuring that unattended workstations do not become open doors. Implementation typically involves Group Policy or MDM-enforced screen lock timeouts, idle session termination, and role-based access control at the OS level.
- Configuration Management and Hardening (CM-02, CM-06, CM-07, CM-08): These controls define the security posture of the endpoint before it ever connects to the network. CM-02 establishes a baseline configuration -- a gold image or configuration-as-code template that every client is built from. CM-06 enforces specific security settings: disabled unnecessary services, restricted registry keys, hardened browser configurations, and enforced security policies. CM-07 applies least functionality by removing or disabling software, ports, protocols, and services that are not required for the user's role. CM-08 maintains an accurate inventory of all endpoint hardware and software components, which is essential for vulnerability management and licence compliance. Without strong configuration management, every other control operates on an uncertain foundation.
- Malware Protection and Software Integrity (SI-03, SI-07, SI-06, SA-06, SA-07): Malware protection on the client endpoint must be multi-layered. SI-03 mandates anti-malware capabilities with automatic signature updates, real-time scanning, and behavioural detection. SI-07 verifies the integrity of software and firmware, detecting unauthorised modifications that could indicate rootkit installation or supply chain compromise. SI-06 provides runtime verification that security functions are operating correctly. SA-06 and SA-07 control software installation, restricting what users can install and ensuring that only authorised, licensed software runs on endpoints. Modern implementations combine traditional AV with EDR (endpoint detection and response), application whitelisting, and code signing verification.
- Audit Logging and Accountability (AU-02, AU-03, AU-08, AU-09, AU-11): Comprehensive audit logging on client endpoints is essential for incident investigation, compliance evidence, and threat detection. AU-02 defines which events are auditable -- logon/logoff, privilege use, file access, process execution, configuration changes, and security-relevant application events. AU-03 specifies the content of each audit record: timestamp, source, event type, user identity, outcome, and affected object. AU-08 ensures accurate timestamps synchronised via NTP, which is critical for correlating events across distributed systems. AU-09 protects audit logs from tampering or deletion by local users or malware. AU-11 defines retention periods aligned with organisational and regulatory requirements. Logs should be forwarded to a central SIEM in near real time so that they survive endpoint compromise.
- Vulnerability and Patch Management (RA-05, SI-02, SI-05): Client endpoints accumulate vulnerabilities rapidly through operating system flaws, browser vulnerabilities, application bugs, and driver issues. RA-05 requires regular vulnerability scanning to identify missing patches and misconfigurations. SI-02 mandates timely flaw remediation -- patching operating systems, browsers, productivity suites, and third-party applications within defined SLAs based on severity. SI-05 ensures that security alerts and advisories from vendors and CERTs are monitored and acted upon. The combination of scanning, patching, and advisory monitoring creates a continuous vulnerability management cycle. Organisations should target 24-48 hours for critical patches and 14 days for high-severity patches on client endpoints.
- Cryptographic Services (SC-12, SC-13, IA-07): Client endpoints handle sensitive data in transit and at rest, requiring robust cryptographic capabilities. SC-12 covers cryptographic key establishment and management, including certificate lifecycle management for TLS, S/MIME, and disk encryption keys. SC-13 mandates the use of approved cryptographic algorithms and implementations -- this means TLS 1.2+ for network communications, AES-256 for disk encryption, and FIPS-validated or equivalent cryptographic modules where required. IA-07 ensures that cryptographic modules themselves authenticate correctly. Practical implementation includes full-disk encryption (BitLocker, FileVault), certificate-based authentication, and hardware TPM integration for key storage.
- Incident Response Readiness (IR-04, IR-05, IR-06, IR-07): Every client endpoint is a potential incident source, and the module must support rapid detection, containment, and investigation. IR-04 covers incident handling procedures specific to endpoint events: malware detection, unauthorised access attempts, data loss indicators, and anomalous behaviour. IR-05 provides continuous incident monitoring through EDR telemetry and SIEM integration. IR-06 defines how endpoint incidents are reported and escalated. IR-07 ensures that incident response assistance is available -- whether through internal SOC, managed detection and response (MDR), or vendor support channels. Endpoints should be capable of remote isolation for containment without requiring physical access.
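As an added worked example (not part of the original OSA module), the AU-03 record-content and AU-08 timestamp requirements listed above can be checked mechanically where logs arrive at the collector or SIEM. The JSON field names, the 5-second skew tolerance and the sample records are assumptions constructed for illustration.

```python
"""AU-03 / AU-08 check over endpoint audit records as received by a collector:
each record must carry the content fields named in the module (timestamp, source,
event type, user identity, outcome, affected object) and agree with the NTP clock."""
import json
from datetime import datetime, timedelta, timezone

# Field names are an assumption for illustration; map them to your agent's schema.
REQUIRED_FIELDS = ("timestamp", "source", "event_type", "user", "outcome", "object")
MAX_SKEW = timedelta(seconds=5)  # assumed tolerance for NTP-synchronised endpoints

def validate_record(rec: dict, received_at: datetime) -> list:
    """Return control findings for one record; an empty list means compliant."""
    findings = [f"AU-03: missing field '{f}'" for f in REQUIRED_FIELDS if f not in rec]
    ts = rec.get("timestamp")
    if ts is None:
        return findings
    try:
        event_time = datetime.fromisoformat(ts)
    except ValueError:
        return findings + ["AU-03: timestamp not ISO-8601"]
    if event_time.tzinfo is None:  # naive timestamps cannot be correlated across hosts
        return findings + ["AU-08: timestamp has no timezone"]
    skew = abs(received_at - event_time)
    if skew > MAX_SKEW:
        findings.append(f"AU-08: clock skew {skew} exceeds {MAX_SKEW}")
    return findings

def validate_stream(lines, received_at):
    """Validate each JSON line; returns {line_no: findings} for non-compliant records."""
    report = {}
    for n, line in enumerate(lines, 1):
        try:
            findings = validate_record(json.loads(line), received_at)
        except (json.JSONDecodeError, AttributeError):  # not JSON, or not an object
            findings = ["malformed record"]
        if findings:
            report[n] = findings
    return report

# Constructed sample: three records as a collector might receive them.
SAMPLE_LINES = [
    '{"timestamp":"2024-05-01T10:00:00+00:00","source":"WS-0421","event_type":"logon",'
    '"user":"jdoe","outcome":"success","object":"console"}',
    '{"timestamp":"2024-05-01T09:40:00+00:00","source":"WS-0422","event_type":"process_start",'
    '"user":"jdoe","outcome":"success","object":"powershell.exe"}',
    '{"timestamp":"2024-05-01T10:00:01","source":"WS-0423","event_type":"file_access","outcome":"denied"}',
]
COLLECTOR_TIME = datetime(2024, 5, 1, 10, 0, 2, tzinfo=timezone.utc)
```

Running `validate_stream(SAMPLE_LINES, COLLECTOR_TIME)` flags the second record for clock drift and the third for missing identity and object fields plus a timezone-less timestamp; the first passes.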
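A second added example, again not from the original module: an SI-02 flaw-remediation SLA check over RA-05 scan findings, using the targets stated above (the 48-hour upper bound for critical, 14 days for high). The Finding schema, hostnames and advisory identifiers are constructed placeholders; severities the module gives no target for are left untracked.

```python
"""SI-02 remediation-SLA check over vulnerability-scan findings (RA-05).
Targets follow the module text: critical within 24-48 hours (48 h is the hard
deadline here), high within 14 days. Other severities carry no target."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SLA = {"critical": timedelta(hours=48), "high": timedelta(days=14)}  # from the page

@dataclass(frozen=True)
class Finding:
    endpoint: str
    advisory: str         # vendor/CERT advisory identifier (placeholders below)
    severity: str
    first_seen: datetime  # when RA-05 scanning first reported it on this endpoint
    remediated: Optional[datetime] = None  # None while the flaw is still open

def deadline(f: Finding) -> Optional[datetime]:
    """Remediation deadline, or None when no SLA applies to this severity."""
    window = SLA.get(f.severity.lower())
    return f.first_seen + window if window else None

def is_overdue(f: Finding, now: datetime) -> bool:
    """True when the finding is still open past its deadline, or was closed late."""
    due = deadline(f)
    if due is None:
        return False
    closed = f.remediated if f.remediated is not None else now
    return closed > due

def sla_report(findings, now):
    """Group overdue advisories by endpoint so owners can be chased in one pass."""
    overdue = {}
    for f in findings:
        if is_overdue(f, now):
            overdue.setdefault(f.endpoint, []).append(f.advisory)
    return overdue

# Constructed sample scan results; hostnames and advisory IDs are placeholders.
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("WS-0101", "ADV-EXAMPLE-1", "critical", NOW - timedelta(hours=30)),
    Finding("WS-0101", "ADV-EXAMPLE-2", "critical", NOW - timedelta(hours=72)),
    Finding("WS-0102", "ADV-EXAMPLE-3", "high", NOW - timedelta(days=20),
            remediated=NOW - timedelta(days=1)),
    Finding("WS-0103", "ADV-EXAMPLE-4", "high", NOW - timedelta(days=3)),
    Finding("WS-0104", "ADV-EXAMPLE-5", "medium", NOW - timedelta(days=60)),
]
```

`sla_report(SAMPLE, NOW)` reports WS-0101 for the critical flaw open for 72 hours and WS-0102 for a high flaw that was patched, but six days after its deadline; late closures matter for compliance evidence even though the endpoint is no longer exposed.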
When to Use
This module should be referenced by any OSA pattern that includes a client endpoint device in its architecture. It applies to corporate desktops and laptops, developer workstations, kiosk systems, shared terminals, and any user-facing computing device that processes, stores, or transmits organisational data. It is particularly relevant when building patterns for remote access, cloud computing, wireless connectivity, and any scenario where endpoints connect to organisational services.
When NOT to Use
This module is not designed for mobile devices (phones, tablets), which have fundamentally different OS architectures, management models, and threat profiles -- see the Mobile Device patterns instead. It does not cover server-class systems (see SP-002 Server Module) or network infrastructure devices. IoT and embedded devices with constrained operating systems require purpose-built control sets rather than this general-purpose client module. Thin clients and virtual desktop infrastructure (VDI) endpoints may require a subset of these controls, with server-side controls handling the remainder.
Typical Challenges
Endpoint diversity is the primary challenge: organisations typically support multiple OS versions, hardware generations, and form factors, making uniform baseline enforcement difficult. BYOD and hybrid work models blur the boundary between corporate and personal devices, complicating control enforcement. Users with legitimate needs for elevated privileges (developers, power users) resist least-functionality restrictions. Legacy applications may require insecure configurations or older runtime environments that conflict with hardening standards. Patch deployment across distributed, intermittently connected endpoints introduces delays that leave vulnerability windows open. Audit log volumes from endpoints can overwhelm storage and SIEM capacity without careful event selection and filtering. Balancing security controls with user productivity and system performance is a constant tension -- overly aggressive malware scanning or restrictive application whitelisting can impair daily work.
Threat Resistance
The Client Module addresses the full spectrum of endpoint threats. Malware infection through phishing, drive-by downloads, and removable media is countered by SI-03 malware protection, CM-07 least functionality, and SA-06/SA-07 software restrictions. Credential theft and brute-force attacks are mitigated by AC-07 lockout, IA-02 strong authentication, and SC-13 cryptographic protections. Unauthorised data access is prevented by AC-03 access enforcement and AC-06 least privilege. Data loss through theft or loss of physical devices is addressed by SC-12/SC-13 disk encryption. Insider threats are detected through AU-02/AU-03 audit logging and SI-04 monitoring. Exploitation of unpatched vulnerabilities is reduced by RA-05 scanning and SI-02 patch management. Session hijacking and unattended access are prevented by AC-11 session lock and AC-12 session termination. Supply chain and software integrity attacks are detected by SI-07 integrity verification.
Assumptions
The organisation maintains a centralised endpoint management capability (MDM, SCCM, Intune, or equivalent) that can enforce configuration baselines and deploy patches. Network connectivity exists for log forwarding, signature updates, and remote management. Users operate with standard (non-administrative) privileges by default. The organisation has defined data classification policies that inform endpoint encryption and data handling controls. Hardware supports modern security features including TPM, Secure Boot, and virtualisation-based security where applicable.
Developing Areas
- EDR evasion techniques are evolving faster than signature-based detection can adapt. Adversaries routinely use living-off-the-land binaries (LOLBins), reflective DLL injection, and direct syscalls to bypass endpoint agents, with new evasion frameworks appearing on underground markets monthly. Behavioural AI models and kernel-level telemetry are emerging as countermeasures, but the arms race between evasion and detection shows no signs of stabilising.
- BYOD policy enforcement on unmanaged devices remains an unsolved architectural problem. Containerisation and app-level management (Intune App Protection, Android Enterprise) provide partial isolation, but the underlying device posture -- jailbreak status, OS patch level, presence of malware -- is only partially observable on devices the organisation does not own. Privacy-preserving device attestation APIs from Apple and Google are improving but remain inconsistent across platforms and OS versions.
- Browser isolation technology is maturing as a defence against web-based threats but adoption remains below 5% of enterprises. Remote browser isolation (RBI) executes web content in disposable cloud containers, streaming only safe visual output to the endpoint, effectively eliminating drive-by downloads and browser exploit chains. However, performance overhead, rendering fidelity issues, and integration with SaaS applications that rely on local browser capabilities are limiting deployment beyond high-risk user populations.
- Endpoint attestation using hardware root of trust (TPM 2.0, Apple Secure Enclave) is becoming a prerequisite for zero-trust device compliance but the ecosystem is immature. While Windows 11 mandates TPM 2.0 and macOS leverages the Secure Enclave for boot integrity, the tooling to consume attestation signals across heterogeneous fleets and integrate them into conditional access decisions is fragmented across vendors with no interoperable standard.
- Post-quantum TLS deployment to endpoints is an emerging concern as NIST finalised its first post-quantum cryptographic standards (ML-KEM, ML-DSA) in 2024. Browser vendors are beginning hybrid key exchange trials (X25519Kyber768), but enterprise endpoint TLS stacks, VPN clients, and certificate infrastructure are years away from supporting post-quantum algorithms at scale. Organisations face a harvest-now-decrypt-later threat for data transmitted today over endpoints using classical cryptography.