← Patterns / SP-001

Client Module

The Client Module is a foundational building block in the OSA pattern library. Rather than being a standalone security architecture, it encapsulates the security controls that should be applied to any client endpoint -- desktops, laptops, workstations, and similar user-facing devices. Other OSA patterns reference this module wherever a client device appears in their architecture, ensuring consistent security baselines across different deployment scenarios. Client endpoints are among the most attacked surfaces in any organisation. They are where users interact with data, authenticate to services, browse the web, open email attachments, and connect removable media. Every major breach category -- phishing, ransomware, credential theft, insider threat, data exfiltration -- either originates at or passes through the client endpoint. The controls in this module address that reality across multiple dimensions: access control, system hardening, malware protection, audit logging, cryptographic services, vulnerability management, and incident response readiness. The module covers 80 controls spanning 16 NIST 800-53 control families. Access control (AC) provides the authentication and session management foundation. Configuration management (CM) ensures endpoints are built from hardened baselines with least-functionality principles. System and information integrity (SI) addresses malware protection, patch management, and software integrity verification. Audit and accountability (AU) ensures that endpoint activity is logged, timestamped, and protected for forensic and compliance purposes. As a module rather than a pattern, the Client Module is designed for composition. It does not prescribe network architecture, perimeter controls, or server-side protections -- those are handled by the patterns that reference it. This separation of concerns allows architects to reason about client security independently while ensuring that every pattern incorporating client endpoints inherits a proven, comprehensive control set. When the Client Module is updated, all referencing patterns benefit automatically. Practitioners implementing this module should pay particular attention to the interplay between endpoint hardening (CM-02, CM-06, CM-07), malware protection (SI-03), and vulnerability management (RA-05, SI-02). These three areas form the core defensive triad for client endpoints. Without all three operating effectively, the endpoint becomes a reliable entry point for adversaries.

Release: 26.02 Authors: Aurelius, Vitruvius Updated: 2026-02-06

Assess

ATT&CK This pattern addresses 462 techniques across 13 tactics View on ATT&CK Matrix →

Click any control badge to view its details. Download SVG

Key Control Areas

Access Control and Session Management

AC-03 AC-06 AC-07 AC-11 AC-12

Access enforcement and least privilege are the first line of defence on any client endpoint. AC-03 ensures that the operating system and applications enforce authorised access based on policy. AC-06 restricts users and processes to the minimum privileges necessary, preventing lateral movement and privilege escalation after initial compromise. AC-07 locks accounts or introduces delays after repeated failed login attempts, defending against brute-force and credential-stuffing attacks. AC-11 and AC-12 handle session lock and termination, ensuring that unattended workstations do not become open doors. Implementation typically involves Group Policy or MDM-enforced screen lock timeouts, idle session termination, and role-based access control at the OS level.

Configuration Management and Hardening

CM-02 CM-06 CM-07 CM-08

These controls define the security posture of the endpoint before it ever connects to the network. CM-02 establishes a baseline configuration -- a gold image or configuration-as-code template that every client is built from. CM-06 enforces specific security settings: disabled unnecessary services, restricted registry keys, hardened browser configurations, and enforced security policies. CM-07 applies least functionality by removing or disabling software, ports, protocols, and services that are not required for the user's role. CM-08 maintains an accurate inventory of all endpoint hardware and software components, which is essential for vulnerability management and licence compliance. Without strong configuration management, every other control operates on an uncertain foundation.

Malware Protection and Software Integrity

SI-03 SI-07 SI-06 SA-06 SA-07

Malware protection on the client endpoint must be multi-layered. SI-03 mandates anti-malware capabilities with automatic signature updates, real-time scanning, and behavioural detection. SI-07 verifies the integrity of software and firmware, detecting unauthorised modifications that could indicate rootkit installation or supply chain compromise. SI-06 provides runtime verification that security functions are operating correctly. SA-06 and SA-07 control software installation, restricting what users can install and ensuring that only authorised, licensed software runs on endpoints. Modern implementations combine traditional AV with EDR (endpoint detection and response), application whitelisting, and code signing verification.

Audit Logging and Accountability

AU-02 AU-03 AU-08 AU-09 AU-11

Comprehensive audit logging on client endpoints is essential for incident investigation, compliance evidence, and threat detection. AU-02 defines which events are auditable -- logon/logoff, privilege use, file access, process execution, configuration changes, and security-relevant application events. AU-03 specifies the content of each audit record: timestamp, source, event type, user identity, outcome, and affected object. AU-08 ensures accurate timestamps synchronized via NTP, critical for correlating events across distributed systems. AU-09 protects audit logs from tampering or deletion by local users or malware. AU-11 defines retention periods aligned with organisational and regulatory requirements. Logs should be forwarded to a central SIEM in near-real-time to survive endpoint compromise.

Vulnerability and Patch Management

RA-05 SI-02 SI-05

Client endpoints accumulate vulnerabilities rapidly through operating system flaws, browser vulnerabilities, application bugs, and driver issues. RA-05 requires regular vulnerability scanning to identify missing patches and misconfigurations. SI-02 mandates timely flaw remediation -- patching operating systems, browsers, productivity suites, and third-party applications within defined SLAs based on severity. SI-05 ensures that security alerts and advisories from vendors and CERTs are monitored and acted upon. The combination of scanning, patching, and advisory monitoring creates a continuous vulnerability management cycle. Organisations should target 24-48 hours for critical patches and 14 days for high-severity patches on client endpoints.

Cryptographic Services

SC-12 SC-13 IA-07

Client endpoints handle sensitive data in transit and at rest, requiring robust cryptographic capabilities. SC-12 covers cryptographic key establishment and management, including certificate lifecycle management for TLS, S/MIME, and disk encryption keys. SC-13 mandates the use of approved cryptographic algorithms and implementations -- this means TLS 1.2+ for network communications, AES-256 for disk encryption, and FIPS-validated or equivalent cryptographic modules where required. IA-07 ensures that cryptographic modules themselves authenticate correctly. Practical implementation includes full-disk encryption (BitLocker, FileVault), certificate-based authentication, and hardware TPM integration for key storage.

Incident Response Readiness

IR-04 IR-05 IR-06 IR-07

Every client endpoint is a potential incident source, and the module must support rapid detection, containment, and investigation. IR-04 covers incident handling procedures specific to endpoint events: malware detection, unauthorised access attempts, data loss indicators, and anomalous behaviour. IR-05 provides continuous incident monitoring through EDR telemetry and SIEM integration. IR-06 defines how endpoint incidents are reported and escalated. IR-07 ensures that incident response assistance is available -- whether through internal SOC, managed detection and response (MDR), or vendor support channels. Endpoints should be capable of remote isolation for containment without requiring physical access.

When to Use

This module should be referenced by any OSA pattern that includes a client endpoint device in its architecture. It applies to corporate desktops and laptops, developer workstations, kiosk systems, shared terminals, and any user-facing computing device that processes, stores, or transmits organisational data. It is particularly relevant when building patterns for remote access, cloud computing, wireless connectivity, and any scenario where endpoints connect to organisational services.

When NOT to Use

This module is not designed for mobile devices (phones, tablets) which have fundamentally different OS architectures, management models, and threat profiles -- see the Mobile Device patterns instead. It does not cover server-class systems (see SP-002 Server Module) or network infrastructure devices. IoT and embedded devices with constrained operating systems require purpose-built control sets rather than this general-purpose client module. Thin clients and virtual desktop infrastructure (VDI) endpoints may require a subset of these controls, with server-side controls handling the remainder.

Typical Challenges

Endpoint diversity is the primary challenge: organisations typically support multiple OS versions, hardware generations, and form factors, making uniform baseline enforcement difficult. BYOD and hybrid work models blur the boundary between corporate and personal devices, complicating control enforcement. Users with legitimate needs for elevated privileges (developers, power users) resist least-functionality restrictions. Legacy applications may require insecure configurations or older runtime environments that conflict with hardening standards. Patch deployment across distributed, intermittently-connected endpoints introduces delays that leave vulnerability windows open. Audit log volumes from endpoints can overwhelm storage and SIEM capacity without careful event selection and filtering. Balancing security controls with user productivity and system performance is a constant tension -- overly aggressive malware scanning or restrictive application whitelisting can impair daily work.

Threat Resistance

The Client Module addresses the full spectrum of endpoint threats. Malware infection through phishing, drive-by downloads, and removable media is countered by SI-03 malware protection, CM-07 least functionality, and SA-06/SA-07 software restrictions. Credential theft and brute-force attacks are mitigated by AC-07 lockout, IA-02 strong authentication, and SC-13 cryptographic protections. Unauthorised data access is prevented by AC-03 access enforcement and AC-06 least privilege. Data loss through theft or loss of physical devices is addressed by SC-12/SC-13 disk encryption. Insider threats are detected through AU-02/AU-03 audit logging and SI-04 monitoring. Exploitation of unpatched vulnerabilities is reduced by RA-05 scanning and SI-02 patch management. Session hijacking and unattended access are prevented by AC-11 session lock and AC-12 session termination. Supply chain and software integrity attacks are detected by SI-07 integrity verification.

Assumptions

The organisation maintains a centralised endpoint management capability (MDM, SCCM, Intune, or equivalent) that can enforce configuration baselines and deploy patches. Network connectivity exists for log forwarding, signature updates, and remote management. Users operate with standard (non-administrative) privileges by default. The organisation has defined data classification policies that inform endpoint encryption and data handling controls. Hardware supports modern security features including TPM, Secure Boot, and virtualisation-based security where applicable.

Developing Areas

EDR evasion techniques are evolving faster than signature-based detection can adapt. Adversaries routinely use living-off-the-land binaries (LOLBins), reflective DLL injection, and direct syscalls to bypass endpoint agents, with new evasion frameworks appearing on underground markets monthly. Behavioural AI models and kernel-level telemetry are emerging as countermeasures, but the arms race between evasion and detection shows no signs of stabilising.
BYOD policy enforcement on unmanaged devices remains an unsolved architectural problem. Containerisation and app-level management (Intune App Protection, Android Enterprise) provide partial isolation, but the underlying device posture -- jailbreak status, OS patch level, presence of malware -- is only partially observable on devices the organisation does not own. Privacy-preserving device attestation APIs from Apple and Google are improving but remain inconsistent across platforms and OS versions.
Browser isolation technology is maturing as a defence against web-based threats but adoption remains below 5% of enterprises. Remote browser isolation (RBI) executes web content in disposable cloud containers, streaming only safe visual output to the endpoint, effectively eliminating drive-by downloads and browser exploit chains. However, performance overhead, rendering fidelity issues, and integration with SaaS applications that rely on local browser capabilities are limiting deployment beyond high-risk user populations.
Endpoint attestation using hardware root of trust (TPM 2.0, Apple Secure Enclave) is becoming a prerequisite for zero-trust device compliance but the ecosystem is immature. While Windows 11 mandates TPM 2.0 and macOS leverages the Secure Enclave for boot integrity, the tooling to consume attestation signals across heterogeneous fleets and integrate them into conditional access decisions is fragmented across vendors with no interoperable standard.
Post-quantum TLS deployment to endpoints is an emerging concern as NIST finalised its first post-quantum cryptographic standards (ML-KEM, ML-DSA) in 2024. Browser vendors are beginning hybrid key exchange trials (X25519Kyber768), but enterprise endpoint TLS stacks, VPN clients, and certificate infrastructure are years away from supporting post-quantum algorithms at scale. Organisations face a harvest-now-decrypt-later threat for data transmitted today over endpoints using classical cryptography.

Related Patterns

Patterns that operate within or alongside this one. Click any to view.

SP-002 Server Module SP-006 Wireless Private Network Pattern SP-007 Wireless Public Hotspot Pattern SP-008 Public Web Server Pattern SP-011 Cloud Computing Pattern SP-014 Awareness and Training Pattern SP-016 DMZ Module SP-024 iPhone Pattern SP-025 Advanced Monitoring and Detection

AC: 8AT: 3AU: 8CA: 4CM: 7CP: 5IA: 3IR: 6MA: 5MP: 1PL: 1PS: 1RA: 4SA: 7SC: 10SI: 7

AC-03 Access enforcement

AC-05 Separation Of Duties

AC-06 Least privilege

AC-07 Unsuccessful login attempts

AC-08 System use notification

AC-11 Session Lock

AC-12 Session Termination

AC-19 Session Termination

AT-02 Security Awareness

AT-03 Security Training

AT-04 Security Training Records

AU-02 Auditable Events

AU-03 Content Of Audit Records

AU-04 Audit Storage Capacity

AU-05 Response To Audit Processing Failures

AU-08 Time Stamps

AU-09 Protection Of Audit Information

AU-10 Non-Repudiation

AU-11 Audit Record Retention

CA-02 Security Assessments

CA-04 Security Certification

CA-06 Security Accreditation

CA-07 Continuous Monitoring

CM-02 Baseline Configuration

CM-03 Configuration Change Control

CM-04 Monitoring Configuration Changes

CM-05 Access Restrictions For Change

CM-06 Configuration Settings

CM-07 Least Functionality

CM-08 Information System Component Inventory

CP-03 Contingency Training

CP-04 Contingency Plan Testing And Exercises

CP-05 Contingency Plan Update

CP-09 Information System Backup

CP-10 Information System Recovery And Reconstitution

IA-02 User Identification And Authentication

IA-06 Authenticator Feedback

IA-07 Cryptographic Module Authentication

IR-02 Incident Response Training

IR-03 Incident Response Testing And Exercises

IR-04 Incident Handling

IR-05 Incident Monitoring

IR-06 Incident Reporting

IR-07 Incident Response Assistance

MA-02 Controlled Maintenance

MA-03 Maintenance Tools

MA-04 Remote Maintenance

MA-05 Maintenance Personnel

MA-06 Timely Maintenance

MP-02 Media Access

PL-04 Rules Of Behavior

PS-06 Access Agreements

RA-02 Security Categorization

RA-03 Risk Assessment

RA-04 Risk Assessment Update

RA-05 Vulnerability Scanning

SA-02 Allocation Of Resources

SA-03 Life Cycle Support

SA-04 Acquisitions

SA-05 Information System Documentation

SA-06 Software Usage Restrictions

SA-07 User Installed Software

SA-08 Security Engineering Principles

SC-03 Security Function Isolation

SC-04 Information Remnance

SC-05 Denial Of Service Protection

SC-06 Resource Priority

SC-11 Trusted Path

SC-12 Cryptographic Key Establishment And Management

SC-13 Use Of Cryptography

SC-14 Public Access Protections

SC-15 Collaborative Computing

SC-18 Mobile Code

SI-02 Flaw Remediation

SI-03 Malicious Code Protection

SI-04 Information System Monitoring Tools And Techniques

SI-05 Security Alerts And Advisories

SI-06 Security Functionality Verification

SI-07 Software And Information Integrity

SI-11 Error Handling