From 73286ba6c14ca42ac8e52af8912c44043baa8acf Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 9 Apr 2019 12:39:35 -0700 Subject: [PATCH] filled in topic node --- ...con-1-enterprise-administrator-security.md | 27 -- .../seccon-5-enterprise-security.md | 244 ------------------ ...indows-security-configuration-framework.md | 64 ----- .../TOC.md | 24 +- .../windows-security-compliance.md | 11 +- 5 files changed, 20 insertions(+), 350 deletions(-) delete mode 100644 windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md delete mode 100644 windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md delete mode 100644 windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md deleted file mode 100644 index bf1890abdf..0000000000 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -title: SECCON 1 enterprise administrator security -description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization -keywords: virtualization, security, malware -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.author: appcompatguy -author: appcompatguy -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/05/2018 ---- - -# Level 1 security configuration for enterprise administrators - -**Applies to** - -- Windows 10 - - -Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption. -SECCON 1 guidance to help protect devices used by administrators is coming soon! - - diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md deleted file mode 100644 index a29c50f1fc..0000000000 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md +++ /dev/null 
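Review bot: deleting seccon-1-enterprise-administrator-security.md drops a page that carried a title, description and front matter but no guidance beyond the line `-SECCON 1 guidance to help protect devices used by administrators is coming soon!`, so removing the stub is reasonable, but the diffstat shows `TOC.md | 24 +-`, so confirm that hunk also removes the SECCON 1 entry (and the link target in windows-security-compliance.md) so the tree has no dangling link, and add a redirect if the page was already published at that path. The subject line "filled in topic node" does not mention any deletion; the commit body should say that the SECCON 1 and SECCON 5 pages are being removed and why.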
@@ -1,244 +0,0 @@ ---- -title: SECCON 5 Enterprise Security -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization -keywords: virtualization, security, malware -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.author: appcompatguy -author: appcompatguy -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/05/2018 ---- - -# Level 5 security configuration for enterprise security - -**Applies to** - -- Windows 10 - -SECCON 5 is the minimum security configuration for an enterprise device. -Microsoft recommends the following configuration for SECCON 5 devices. - -## Policies - -The policies in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. -Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls. 
- -### Security Template Policies - -| Feature | Policy Setting | Policy Value | Description | -|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. | -| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. | -| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. | -| Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. | -| Security Options | Accounts: Guest account status | Disabled | Determines if the Guest account is enabled or disabled. | -| Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. | -| Security Options | Domain member: Maximum machine account password age | 30 | Determines how often a domain member will attempt to change its computer account password | -| Security Options | Domain member: require strong (Windows 2000 or later) session key | Enabled | Determines whether 128-bit key strength is required for encrypted secure channel data | -| Security Options | Interactive logon: Machine inactivity limit | 900 | The number of seconds of inactivity before the session is locked | -| Security Options | User Account Control: Admin approval mode for the built-in administrator | Enabled | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation | -| Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. 
| -| Security Options | User Account Control: Detect application installations and prompt for elevation | Enabled | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. | -| Security Options | User Account Control: Run all Administrators in admin approval mode | Enabled | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. | -| Security Options | User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. | -| User Rights Assignments | Access Credential Manager as a trusted caller | No One (blank) | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. | -| User Rights Assignments | Act as part of the operating system | No One (blank) | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. 
| -| User Rights Assignments | Allow log on locally | Administrators; Users | Determines which users can log on to the computer | -| User Rights Assignments | Back up files and directories | Administrators | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system | -| User Rights Assignments | Create a pagefile | Administrators | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file | -| User Rights Assignments | Create a token object | No One (blank) | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. | -| User Rights Assignments | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions. | -| User Rights Assignments | Create permanent shared objects | No One (blank) | Determines which accounts can be used by processes to create a directory object using the object manager | -| User Rights Assignments | Create symbolic links | Administrators | Determines if the user can create a symbolic link from the computer he is logged on to | -| User Rights Assignments | Debug programs | Administrators | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. 
| -| User Rights Assignments | Deny access to this computer from the network | Guests; NT AUTHORITY\\Local Account | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. | -| User Rights Assignments | Deny log on locally | Guests | Determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. | -| User Rights Assignments | Deny log on through Remote Desktop Services | Guests; NT AUTHORITY\\Local Account | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client | -| User Rights Assignments | Force shutdown from a remote system | Administrators | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. | -| User Rights Assignments | Increase scheduling priority | Administrators | Determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| User Rights Assignments | Load and unload device drivers | Administrators | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| User Rights Assignments | Manage auditing and security log | Administrators | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. 
| -| User Rights Assignments | Modify firmware environment variables | Administrators | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. | -| User Rights Assignments | Restore files and directories | Administrators | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object | -| User Rights Assignments | Take ownership of files or other objects | Administrators | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads | - -### Advanced Audit Policies - -| Feature | Policy Setting | Policy Value | Description | -|--------------------|---------------------------------------|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Account Logon | Audit Credential Validation | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials. | -| Account Management | Audit Security Group Management | Success | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type. 
| -| Account Management | Audit User Account Management | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials | -| Detailed Tracking | Audit PNP Activity | Success | Audit when plug and play detects an external device | -| Detailed Tracking | Audit Process Creation | Success | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited | -| Logon/ Logoff | Audit Account Lockout | Failure | Audit events generated by a failed attempt to log on to an account that is locked out | -| Logon/ Logoff | Audit Group Membership | Success | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. 
| -| Logon/ Logoff | Audit Logon | Success and Failure | Audit events generated by user account logon attempts on the computer | -| Logon/ Logoff | Audit Other Logon / Logoff Events | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account | -| Logon/ Logoff | Audit Special Logon | Success | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network) | -| Object Access | Audit Detailed File Share | Failure | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed | -| Object Access | Audit File Share | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder | -| Object Access | Audit Other Object Access Events | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects | -| Object Access | Audit Removable Storage | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. 
| -| Policy Change | Audit Audit Policy Change | Success | Audit changes in the security audit policy settings | -| Policy Change | Audit Authentication Policy Change | Success | Audit events generated by changes to the authentication policy | -| Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. | -| Policy Change | Audit Other Policy Change Events | Failure | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications | -| Privilege Use | Audit Sensitive Privilege Use | Success and Failure | Audit events generated when sensitive privileges (user rights) are used | -| System | Audit Other System Events | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations. | -| System | Audit Security State Change | Success | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. 
| -| System | Audit Security System Extension | Success | Audit events related to security system extensions or services | -| System | Audit System Integrity | Success and Failure | Audit events that violate the integrity of the security subsystem | - -### Windows Defender Firewall Policies - -| Feature | Policy Setting | Policy Value | Description | -|----------------------------|---------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a domain connection | -| Domain Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a domain connection | -| Domain Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a domain connection | -| Domain Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile | -| Domain Profile / State | Firewall State | On | Enables the firewall when connected to the domain profile | -| Domain Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile | -| Private Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a private connection | -| Private Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a private connection | -| Private Profile / Logging | Size limit | 16384 | Sets the firewall log file size for a private connection | -| Private Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile 
| -| Private Profile / State | Firewall state | On | Enables the firewall when connected to the private profile | -| Private Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile | -| Public Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a public connection | -| Public Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a public connection | -| Public Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a public connection | -| Public Profile / Settings | Apply local connection security rules | No | Ensures local connection rules will not be merged with Group Policy settings in the domain | -| Public Profile / Settings | Apply local firewall rules | No | Users cannot create new firewall rules | -| Public Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile | -| Public Profile / State | Firewall state | On | Enables the firewall when connected to the public profile | -| Public Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile | - -### Computer Policies - -| Feature | Policy Setting | Policy Value | Description | 
-|---------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Network / Lanman Workstation | Enable insecure guest logons | Disabled | Determines if the SMB client will allow insecure guest logons to an SMB server | -| System / Device Guard | Turn on Virtualization Based Security | Enabled: SecureBoot and DMA Protection | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. | -| System / Early Launch Antimalware | Boot-Start Driver Initialization Policy | Enabled: Good, Unknown and bad but critical | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. 
| -| System / Power Management / Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep | -| System / Power Management / Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep | -| System / Remote Procedure Call | Restrict Unauthenticated RPC clients | Enabled: Authenticated | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. | -| Windows Components / App runtime | Allow Microsoft accounts to be optional | Enabled | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. | -| Windows Components / AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled | Disallows AutoPlay for MTP devices like cameras or phones. | -| Windows Components / AutoPlay Policies | Set the default behavior for AutoRun | Enabled: Do not execute any autorun commands | Sets the default behavior for Autorun commands. | -| Windows Components / AutoPlay Policies | Turn off Autoplay | Enabled: All Drives | Allows you to turn off the Autoplay feature. | -| Windows Components / Biometrics / Facial Features | Configure enhanced anti-spoofing | Enabled | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication | -| Windows Components / BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10) | Enabled: XTA-AES-256 for operating system drives and fixed drives and AES-CBC-256 for removable drives | Allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. 
| -| Windows Components / BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows | -| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup | Enabled | Allows you to configure whether enhanced startup PINs are used with BitLocker | -| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow Secure Boot for integrity validation | Enabled | Allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. | -| Windows Components / Event Log Service / Application | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. | -| Windows Components / Event Log Service / Security | Specify the maximum log file size (KB) | Enabled: 196608 | Specifies the maximum size of the log file in kilobytes. | -| Windows Components / Event Log Service / System | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. | -| Windows Components / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software | -| Windows Components / Windows Defender SmartScreen / Explorer | Configure Windows Defender SmartScreen | Warn and prevent bypass | Allows you to turn Windows Defender SmartScreen on or off | -| Windows Components / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. 
| -| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | Enabled | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites | -| Windows Components / Windows Installer | Allow user control over installs | Disabled | Permits users to change installation options that typically are available only to system administrators | -| Windows Components / Windows Installer | Always install with elevated privileges | Disabled | Directs Windows Installer to use elevated permissions when it installs any program on the system | -| Windows Components / Windows Logon Options | Sign-in last interactive user automatically after a system-initiated restart | Disabled | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system | -| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network | -| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. 
| - -### Windows Defender Antivirus Policies - -| Feature | Policy Setting | Policy Value | Description | -|------------------------------------------------------------------------|-----------------------------------------------------------|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Windows Components / Windows Defender Antivirus | Turn off Windows Defender Antivirus | Disabled | Turns off Windows Defender Antivirus | -| Windows Components / Windows Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Audit | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. | -| Windows Components / Windows Defender Antivirus / MAPS | Join Microsoft MAPS | Enabled: Advanced MAPS | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. | -| Windows Components / Windows Defender Antivirus / MAPS | Send file samples when further analysis is required | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set | -| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection | Disabled | Turns off real-time protection prompts for known malware detection | -| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring | Enabled | Allows you to configure behavior monitoring. 
| -| Windows Components / Windows Defender Antivirus / Scan | Scan removable drives | Enabled | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. | -| Windows Components / Windows Defender Antivirus / Scan | Specify the interval to run quick scans per day | 24 | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). | -| Windows Components / Windows Defender Antivirus / Scan | Turn on e-mail scanning | Enabled | Allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments | - -### User Policies - -| Feature | Policy Setting | Policy Value | Description | -|----------------------------------------|-------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. 
| -| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers | - -### IE Computer Policies - -| Feature | Policy Setting | Policy Value | Description | -|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Windows Components / Internet Explorer | Prevent managing SmartScreen Filter | Enabled: On | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. | -| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for server certificate revocation | Enabled | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. 
| -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Java permissions | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. 
| -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. 
| -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable | | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | -| Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | Enabled: No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. | - -### LAPS - -Download and install the [Microsoft Local Admin Password Solution](https://www.microsoft.com/download/details.aspx?id=46899). 
- -| Feature | Policy Setting | Policy Value | Description | -|---------|----------------------------------------|--------------|-------------------------------| -| LAPS | Enable local admin password management | Enabled | Activates LAPS for the device | - -### Custom Policies - -| Feature | Policy Setting | Policy Value | Description | -|-----------------------------------------------------------------------|-----------------------------------------------------------|--------------|---------------------------------------------------------------------------------------| -| Computer Configuration / Administrative Templates / MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Filters the user account token for built-in administrator accounts for network logons | - -### Services - -| Feature | Policy Setting | Policy Value | Description | -|----------------|-----------------------------------|--------------|-----------------------------------------------------------------------------------| -| Scheduled Task | XblGameSaveTask | Disabled | Syncs save data for Xbox Live save-enabled games | -| Services | Xbox Accessory Management Service | Disabled | Manages connected Xbox accessories | -| Services | Xbox Game Monitoring | Disabled | Monitors Xbox games currently being played | -| Services | Xbox Live Auth Manager | Disabled | Provides authentication and authorization services for interactive with Xbox Live | -| Services | Xbox Live Game Save | Disabled | Syncs save data for Xbox live save enabled games | -| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API | - -## Controls - -The controls enabled in SECCON 5 enforce a reasonable security level while minimizing the impact to users and applications. 
- -| Feature | Config | Description | -|-----------------------------------|-------------------------------------|--------------------| -| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. | -| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. 
| -| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | -| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). 
| - -## Behaviors - -The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. - -| Feature | Config | Description | -|---------|-------------------|-------------| -| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. | - diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md deleted file mode 100644 index 5ec7880a83..0000000000 --- a/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Windows Security Configuration Framework -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization -keywords: virtualization, security, malware -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.author: appcompatguy -author: appcompatguy -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/05/2018 ---- - -# Introducing the Security Configuration Framework - -**Applies to** - -- Windows 10 - -Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult. -It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns. - -Because of this, with each release of Windows, Microsoft publishes [Windows Security Baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. -However, many organizations have discovered that this baseline sets a very high bar. -While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite. -They can’t justify the investment in that very high level of security with an ROI. -Assuch, Microsoft is introducing a new taxonomy for Security Configurations for Windows 10: The SECCON Baselines. - -The SECCON Baselines organize devices into one of 5 distinct security configurations. 
- -![SECON Framework](./../images/seccon-framework.png) - -- [SECCON 5 Enterprise Security](seccon-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this SecCon level are generally straightforward and are designed to be deployable within 30 days. -- [SECCON 4 Enterprise High Security](seccon-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this SecCon level are generally accessible to most organizations and are designed to be deployable within 90 days. -- [SECCON 3 Enterprise VIP Security](seccon-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this SecCon level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days. -- [SECCON 2 DevOps Workstation](seccon-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. SecCon 2 guidance is coming soon! 
-- [SECCON 1 Administrator Workstation](seccon-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. SecCon 1 guidance is coming soon! - - -The SECCON Baselines divide configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices -(SECCON 5, 4, and 3). -Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec). - -Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that SECCON level. -SECCON 5 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite. - -## Security Control Classification - -The recommendations are grouped into three categories. - -![Security Control Classifications](./../images/security-control-classification.png) - - -## Security Control Deployment Methodologies - -The way Microsoft recommends implementing these controls depends on the -auditability of the control–there are two primary methodologies. - -![Security Control Deployment methodologies](./../images/security-control-deployment-methodologies.png) - - diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md index e994f2c0ff..d305b00ebe 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md 
@@ -1,17 +1,17 @@ -# [Windows security compliance](windows-security-compliance.md) +# [Windows security guidance for enterprises](windows-security-compliance.md) ## [Windows security baselines](windows-security-baselines.md) ### [Security Compliance Toolkit](security-compliance-toolkit-10.md) ### [Get support](get-support-for-security-baselines.md) -## [Windows SECCON framework](windows-security-configuration-framework.md) -### [Level 5 Enterprise Security](level-5-enterprise-security.md) -### [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) -### [Level 3 Enterprise VIP Security](level-3-enterprise-vip-security.md) -### [Level 2 Enterprise Dev/Ops Workstation](level-2-enterprise-devops-security.md) -### [Level 1 Enterprise Administrator Workstation](level-1-enterprise-administrator-security.md) -##Windows Security Blog Posts -### [Sticking with Well-Known and Proven Solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) -### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) -### [Configuring Account Lockout](windows-security-blog/configuring-account-lockout.md) -### [Blocking Remote Use of Local Accounts](windows-security-blog/blocking-remote-use-of-local-accounts.md) +## [Windows security configuration framework](windows-security-configuration-framework.md) +### [Level 5 enterprise security](level-5-enterprise-security.md) +### [Level 4 enterprise high security](level-4-enterprise-high-security.md) +### [Level 3 enterprise VIP security](level-3-enterprise-vip-security.md) +### [Level 2 enterprise dev/ops workstation](level-2-enterprise-devops-security.md) +### [Level 1 enterprise administrator aorkstation](level-1-enterprise-administrator-security.md) +##Windows security articles +### [Sticking with well-known and proven solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) +### [Why we’re not recommending "FIPS Mode" 
anymore](windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) +### [Configuring account lockout](windows-security-blog/configuring-account-lockout.md) +### [Blocking remote use of local accounts](windows-security-blog/blocking-remote-use-of-local-accounts.md) ### [Dropping the “Untrusted Font Blocking” setting](windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md index 3c0522fd4b..aaf62986eb 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md @@ -1,6 +1,6 @@ --- title: Windows security guidance for enterprises -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +description: This article describes how to use Windows security baselines in your organization keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -19,5 +19,10 @@ ms.date: 04/05/2018 **Applies to** - Windows 10 -- Windows Server 2016 -- Office 2016 + +The topics in this section provide security configuration guidelines for enterprises. You can use these guidelines to deploy security configuration settings and to ensure that user and device settings comply with enterprise policies. + +| Capability | Description | +|------------|-------------| +| [Windows security baselines](windows-security-baselines.md) | Microsoft-recommended configuration settings and their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. | +| [Windows security configuration framework](windows-security-configuration-framework.md) | Five distinct security configurations for more granular control over productivity devices and privileged access workstations. |
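Review bot: If the SECCON 5 policy tables removed in the first hunk are meant to reappear as level-5-enterprise-security.md (the TOC hunk in this same patch still links that name), carry them over with the defects in the removed text fixed rather than copied: in the Controls table the EDR row breaks off mid-sentence ("EDR helps security analysts , and aggregates alerts") and has "an an entity", the Credential Guard row misspells "Keberos TGT", and in IE Computer Policies the row "Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable" has an empty description cell. The Services table also reads "authorization services for interactive with Xbox Live" where "interacting" is meant.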
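Review bot: The deleted windows-seccon-framework/windows-security-configuration-framework.md links its level pages as seccon-5-enterprise-security.md through seccon-1-enterprise-administrator-security.md, while the TOC hunk in this patch links level-5-enterprise-security.md through level-1-enterprise-administrator-security.md under windows-security-configuration-framework/; confirm the replacement page in the new directory uses the level-*.md names and that its image paths (./../images/seccon-framework.png, ./../images/security-control-classification.png, ./../images/security-control-deployment-methodologies.png) still resolve from the new location. If the text is moved rather than rewritten, also fix "Assuch", the "SECON Framework" alt text, the agreement error in "Microsoft's current guidance on Privileged Access Workstations are part of", and the two differently worded links that both point to http://aka.ms/privsec.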
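Review bot: Typo in the added Level 1 entry of the TOC.md hunk: "+### [Level 1 enterprise administrator aorkstation]" should read "workstation". The "+##Windows security articles" line keeps the old line's missing space after "##", so it will not render as a heading; use "## Windows security articles". The file also still ends with "\ No newline at end of file", worth fixing while it is being touched. Separately, this patch deletes the SECCON 5 and framework pages without adding any level-*.md file, so the Level 5 through Level 1 links in this TOC dangle unless those files already exist in windows-security-configuration-framework/.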
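Review bot: The new "+description:" line in the windows-security-compliance.md frontmatter hunk narrows the page to "how to use Windows security baselines", but the body added later in this patch introduces two capabilities, the baselines and the security configuration framework; a description covering both (for example "This article describes Windows security baselines and the security configuration framework for enterprises") would match the page. The unchanged context line "keywords: virtualization, security, malware" also no longer fits a page about configuration guidance.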
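Review bot: Removing "- Windows Server 2016" and "- Office 2016" from the Applies to list narrows this page to Windows 10, yet the table it now introduces still links Windows security baselines, which the removed lines indicate also covered Server 2016 and Office 2016; either keep those entries or add a sentence saying the baselines page covers additional products. In the added table, the framework row promises "more granular control over productivity devices and privileged access workstations", while the framework page deleted in this patch states that its guidance focuses on productivity devices (SECCON 5, 4, and 3) and that the administrator and dev/ops levels are "coming soon"; tone the row down or confirm the new framework page actually covers both.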