diff --git a/windows/security/threat-protection/windows-seccon-framework/TOC.md b/windows/security/threat-protection/windows-seccon-framework/TOC.md index 6038ad503b..8a4ce81dac 100644 --- a/windows/security/threat-protection/windows-seccon-framework/TOC.md +++ b/windows/security/threat-protection/windows-seccon-framework/TOC.md @@ -4,11 +4,11 @@ ### [Security Compliance Toolkit](security-compliance-toolkit-10.md) ### [Get support](get-support-for-security-baselines.md) ## [Windows SECCON framework](windows-security-configuration-framework.md) -### [SECCON 1 enterprise administrator security](seccon-1-enterprise-administrator-security.md) -### [SECCON 2 enterprise dev/ops security](seccon-2-enterprise-devops-security.md) -### [SECCON 3 enterprise VIP security](seccon-3-enterprise-vip-security.md) -### [SECCON 4 enterprise high security](seccon-4-enterprise-high-security.md) -### [SECCON 5 enterprise security](seccon-5-enterprise-security.md) +### [SECCON 5 Enterprise Security](seccon-5-enterprise-security.md) +### [SECCON 4 Enterprise High Security](seccon-4-enterprise-high-security.md) +### [SECCON 3 Enterprise VIP Security](seccon-3-enterprise-vip-security.md) +### [SECCON 2 Enterprise Dev/Ops Workstation](seccon-2-enterprise-devops-security.md) +### [SECCON 1 Enterprise Administrator Workstation](seccon-1-enterprise-administrator-security.md) ##Windows Security Blog Posts ### [Sticking with Well-Known and Proven Solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) ### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md index ed958a060d..dbb8dd85f1 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md 
+++ b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md 
@@ -25,25 +25,6 @@ ms.date: 04/05/2018 SECCON 5 is the minimum security configuration for an enterprise device. Microsoft recommends the following configuration for SECCON 5 devices. -## Behaviors - -The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. - -| Feature | Config | Description | -|---------|-------------------|-------------| -| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. | - -## Controls - -The controls enabled in SECCON 5 enforce a reasonable security level while minimizing the impact to users and applications. - -| Feature | Config | Description | -|-----------------------------------|-------------------------------------|--------------------| -| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. 
| -| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. | -| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). 
| -| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | - ## Policies The policies in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. 
@@ -242,4 +223,24 @@ Download and install the [Microsoft Local Admin Password Solution](https://www.m | Services | Xbox Game Monitoring | Disabled | Monitors Xbox games currently being played | | Services | Xbox Live Auth Manager | Disabled | Provides authentication and authorization services for interactive with Xbox Live | | Services | Xbox Live Game Save | Disabled | Syncs save data for Xbox live save enabled games | -| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API \ No newline at end of file +| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API | + +## Controls + +The controls enabled in SECCON 5 enforce a reasonable security level while minimizing the impact to users and applications. + +| Feature | Config | Description | +|-----------------------------------|-------------------------------------|--------------------| +| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. | +| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. 
Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. | +| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | +| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. 
If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | + +## Behaviors + +The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. + +| Feature | Config | Description | +|---------|-------------------|-------------| +| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. | + diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md index 06fc71b69e..c245933403 100644 --- a/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md 
@@ -31,10 +31,17 @@ While appropriate for organizations with very high security needs such as those They can’t justify the investment in that very high level of security with an ROI. Assuch, Microsoft is introducing a new taxonomy for Security Configurations for Windows 10: The SECCON Baselines. -The SECCON Baselines organize devices into one of 5 distinct security configurations: +The SECCON Baselines organize devices into one of 5 distinct security configurations. ![SECON Framework](./../images/seccon-framework.png) +- [SECCON 5 Enterprise Security](seccon-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this SecCon level are generally straightforward and are designed to be deployable within 30 days. +- [SECCON 4 Enterprise High Security](seccon-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this SecCon level are generally accessible to most organizations and are designed to be deployable within 90 days. +- [SECCON 3 Enterprise VIP Security](seccon-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this SecCon level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days. 
+- [SECCON 2 DevOps Workstation](seccon-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. SecCon 2 guidance is coming soon! +- [SECCON 1 Administrator Workstation](seccon-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. SecCon 1 guidance is coming soon! + + The SECCON Baselines divide configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices (SECCON 5, 4, and 3). Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec). @@ -44,7 +51,7 @@ SECCON 5 should be considered the minimum baseline for an enterprise device, and ## Security Control Classification -The recommendations are grouped into three categories: +The recommendations are grouped into three categories. ![Security Control Classifications](./../images/security-control-classification.png) @@ -52,7 +59,7 @@ The recommendations are grouped into three categories: ## Security Control Deployment Methodologies The way Microsoft recommends implementing these controls depends on the -auditability of the control–there are two primary methodologies: +auditability of the control–there are two primary methodologies. ![Security Control Deployment methodologies](./../images/security-control-deployment-methodologies.png)
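Review bot: in the TOC.md hunk, the renamed entries "SECCON 2 Enterprise Dev/Ops Workstation" and "SECCON 1 Enterprise Administrator Workstation" do not match the titles this same patch gives those levels in windows-security-configuration-framework.md ("SECCON 2 DevOps Workstation" and "SECCON 1 Administrator Workstation"); pick one form and use it in both files, and ideally in the page titles of the two target files as well. The unchanged context line `##Windows Security Blog Posts` immediately below the hunk is missing the space after `##`, so it does not render as a heading; since this block is being edited anyway, fix it here.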
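Review bot: the first seccon-5-enterprise-security.md hunk (`@@ -25,25 +25,6 @@`) reads on its own as a deletion of the Behaviors and Controls sections, including the Windows Defender Credential Guard and Application Guard recommendations, and only the later hunk (`@@ -242,4 +223,24 @@`) shows they are re-added after the Policies table. The PR description should state that this is a reorder (Policies first, then Controls, then Behaviors) with no change to the recommendations, so that a reviewer or a reader of the history does not take it for a removal of those controls.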
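Review bot: since the Controls table is re-typed in the `@@ -242,4 +223,24 @@` hunk, fix the text defects it carries over rather than moving them verbatim: in the Windows Defender ATP EDR row, "EDR helps security analysts , and aggregates alerts" has a stray space before the comma and no object for "helps", and "into an an entity" doubles "an"; in the Credential Guard row, "Keberos TGT" should be "Kerberos TGT". The hunk does correctly terminate the "Xbox Live Networking Service" row with a closing `|` and a newline at end of file, which the old file lacked. The final `+` line, however, adds an empty line after the Behaviors table, leaving a trailing blank line at end of file; drop it.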
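Review bot: the five bullets added in the `@@ -31,10 +31,17 @@` hunk of windows-security-configuration-framework.md mix "SECCON" in the link text with "SecCon" in the sentences ("Recommendations for this SecCon level", "SecCon 2 guidance is coming soon!"); the rest of the page uses "SECCON", so normalize. The SECCON 2 and SECCON 1 bullets link to seccon-2-enterprise-devops-security.md and seccon-1-enterprise-administrator-security.md while saying guidance is coming soon; confirm those files exist in this branch (the TOC hunk links to the same paths), otherwise both the TOC and these bullets will 404. Two blank `+` lines are inserted before "The SECCON Baselines divide configuration"; one is enough. The unchanged context in the same hunk carries "Assuch" (should be "As such") and the image alt text "SECON Framework" (should be "SECCON"); fix both while this paragraph is touched.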
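Review bot: in the `@@ -52,7 +59,7 @@` hunk the changed line keeps the unspaced en-dash in "auditability of the control–there are two primary methodologies."; since the trailing colon is already being replaced with a period because the image now sits between the sentence and the list, split it into two sentences or use a comma so the dash does not read as a joined word.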