Microsoft Publishes SECCON Framework For Securing Windows 10

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is are five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: last two docs are empty and don't include any info just yet].

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

Re:

[Anonymous Coward]

Linux has exactly the same problem, out of the box it is woefully insecure by default and requires good configuration for most use cases.

only has three lines

[Anonymous Coward]

1. Reformat!
2. Install linux!
3. Partaaaay!

Does it say how to shut off reporting?

[WoodstockJeff]

Most of us would want to make sure it disables all the user-tracking stuff.

Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...

Re:

[Sir_Eptishous]

Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...

Windows 10 Pro is the new Windows Home.

Re:

[dissy]

Most of us would want to make sure it disables all the user-tracking stuff.
Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...

Only Enterprise, IoT, and Education editions (also Server 2016) can have their telemetry setting set to zero, the lowest amount of data to send back.

Despite being given the ID 0, even this is not fully disabled as one might assume.

Re:

[dwywit]

Go to task scheduler, identify the various jobs that deal with user data telemetry, and set them to "disabled". The OS will continue to collect data, but it will never be sent.

Re-assess the status of those jobs after updates, or write your own script to check and re-set the jobs every 5 minutes.

One thing I've never explored, though - where does the OS store that data pending its journey to Microsoft? You could have another scheduled job clearing (or better, poisoning) that data every few minutes.

Re:

[dissy]

Go to task scheduler, identify the various jobs that deal with user data telemetry, and set them to "disabled". The OS will continue to collect data, but it will never be sent.

Sadly they have the telemetry tendrils very deep and plentiful into the system.
Scheduled tasks are not the only processes that submit the stored data.
There are even functions in "service host" to both send data and undo tampering with other telemetry processes. Simply disabling svchost would rightly fuck most everything on the system.

There are lists of hosts you can block in an external firewall, but naturally Microsoft doubled up duty for those hosts, so that may break other things.
Also don't forget that

Re:

[dwywit]

Thanks! I'll go exploring -rubs hands with glee-

Re:

[DeVilla]

That makes you gleeful? You Windows users really are sadists.

Step One

[ArhcAngel]

Disconnect PC from any network or other connectivity protocol.

This was an actual requirement for security certification for the NT 3.51 OS

Re:

[F.Ultra]

If you have a privilege escalation bug it does not matter which OS you run, including Multics.

Re:

[thereddaikon]

Well any single user OS wouldn't have any privilege escalation exploits because the only user has full access anyways. Just think of all of the old 8bit micros, you power it on and had full access, even low level hardware control. *taps forehead* can't have escalation bugs if there's nothing to escalate.

My Own "FrameWork"

[Anonymous Coward]

1. Run inside a virtual machine, it get's limited network access
2. limit the network access even further on the router - it gets no updates
3. limit the internal network access even further, it sees nothing on the LAN, it only sees a network share, and that only contains the files it needs to see.
4. limit the hardware it can see, windows actually performs nicely on simple hardware, the more complex the hardware, the more crashes
5. a pi-hole further limits what gets to the machine
6. exfiltration of data is li

Doe it say how to kill telemetry?

[gweihir]

No? Then it is not a security guide or rather one that is worthless...

(I assume it does not. In good /. tradition, I have not looked at the documents...)

Re:

[thegarbz]

No? Then it is not a security guide or rather one that is worthless...

(I assume it does not. In good /. tradition, I have not looked at the documents...)

In the usual tradition, those who have not looked end up being wrong. If you would have looked you'd see that it applies to enterprise only which already has telemetry disabled.

Re:

[gweihir]

Ah, so even more worthless...

Re:

[thegarbz]

Ah, so even more worthless...

Yeah except to the 10s of millions of machines it affects.

Re:

[DeVilla]

And with a little bit of internet searching, you'd see that even at telemetry level "zero" windows 10 enterprise (and a few other variants of windows 10 that offer telemetry level zero) still sends telemetry data back to Microsoft. In other words, even in windows 10 enterprise, you can't completely disable telemetry.

Does it 'secure' against Miscreant-o-soft itself?

[Rick Schumann]

'Microsoft' and 'security' in the same sentence? AAAHahahahahaha, that's hilarious, my sides, they're exploding, I'm laughing so hard!
The only 'security' I'd want if I had to use Windows anymore (and I don't; Ubuntu master-race, here) is securing it against Microsoft intrusion into my computer that I bought and paid for. Bugger off Microsoft.

Re:

[Wolfrider]

--Yep. "Windows security" is kind of like "Military intelligence"... Especially if you're on the front lines. Fully patched Win boxes are still prone to probably hundreds of different exploits, not the least being social hacks and encryption malware.

https://thehackernews.com/2018... [thehackernews.com]

--And don't forget the 0-day hax, 3rd-party software vulns, and shared DLL libraries that have been around since the 90's and never code-audited. Last but not least, they now have to worry about the WSL layer as a possible atta

Re:

[Rick Schumann]

I have to admit that after 20 years of dealing with Windows to the point where it was childs' play I have to struggle a little with non-routine tasks and problems with Ubuntu but I know it's worth it in the long run and so far I've been able to solve 99% of anything that comes up. Com-port problems with WINE are still kicking my ass though, as are com-port problems in general.

.....ABOUT TIME!

[Anonymous Coward]

A couple months ago I was asked to use the "Windows 10 security baseline" [microsoft.com] to determine the security of our v1809 image before we rolled it out.... The baseline turned out to be a vague spreadsheet full of random registry key changes and a GPO policy that you're supposed to import. It was hard to believe that the closest thing MS had to an official security framework for their own OS was a half-assed spreadsheet and a policy!

At least now we have official configuration frameworks to compare our workstations