deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

added link to rings method

Browse Source
This commit is contained in:
Justin Hall 2019-04-08 12:02:43 -07:00
parent 5ab744e076
commit fb3ed08be9
3 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md
View File

@ -41,7 +41,7 @@ organizations.
The controls enforced in SECCON 3 implement complex security configuration and controls.
They are likely to have a higher impact to users or to applications,
enforcing a level of security commensurate with the risks facing the most targeted organizations.
Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and the rings methodology for those that do
Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do
not.
| Feature Set | Feature | Description |
@ -52,7 +52,7 @@ not.
## Policies
The policies enforced in SECCON 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using the rings methodology.
The policies enforced in SECCON 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).
### Security Template Policies

6
windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md
View File

@ -45,12 +45,12 @@ configuration than SECCON 5. While they may have a slightly higher impact to
users or to applications, they enforce a level of security more commensurate
with the risks facing users with access to sensitive information. Microsoft
recommends using the Audit/Enforce methodology for controls with an Audit mode,
and the rings methodology for those that do not, with a moderate timeline that
and t[the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that
is anticipated to be slightly longer than the process in SECCON 5.
| Feature Set | Feature | Description |
|-------------------------------------------------------------|-------------------------------------------------------|----------------|
| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls: <br>- Control flow guard (CFG)<br>- Data Execution Protection (DEP)<br>- Mandatory ASLR<br>- Bottom-Up ASLR<br>- High-entropy ASLR<br>- Validate Exception Chains (SEHOP)<br>- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using the Rings methodology. |
| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls: <br>- Control flow guard (CFG)<br>- Data Execution Protection (DEP)<br>- Mandatory ASLR<br>- Bottom-Up ASLR<br>- High-entropy ASLR<br>- Validate Exception Chains (SEHOP)<br>- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and Enforce Attack Surface Reduction Rules:<br>- Block executable content from email client and webmail<br>- Block all Office applications from creating child processes<br>- Block Office applications from creating executable content<br>- Block Office applications from injecting code into other processes<br>- Block JavaScript or VBScript from launching downloaded executable content<br>- Block execution of potentially obfuscated scripts<br>- Block Win32 API calls from Office macro<br>- Block executable files from running unless they meet a prevalence, age, or trusted list criterion<br>- Use advanced protection against ransomware<br>- Block credential stealing from the Windows local security authority subsystem (lsass.exe)<br>- Block process creations originating from PSExec and WMI commands<br>- Block untrusted and unsigned processes that run from USB<br>- Block Office communication applications from creating child processes<br>- Block Adobe Reader from creating child processes<br>| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):<br>1) Audit enable the controls in audit mode, and gather audit data in a centralized location<br>2) Review review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure<br>3) Enforce Deploy the configuration of any exemptions and convert the control to enforce mode |
| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. |
@ -60,7 +60,7 @@ The policies enforced in SECCON 4 implement more controls and a more sophisticat
configuration than SECCON 5. While they may have a slightly higher impact to
users or to applications, they enforce a level of security more commensurate
with the risks facing users with access to sensitive information. Microsoft
recommends using the rings methodology for these security configurations and
recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and
controls, with a moderate timeline that is anticipated to be slightly longer
than the process in SECCON 5.

7
windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md
View File

@ -22,6 +22,9 @@ ms.date: 04/05/2018
- Windows Server 2016
- Office 2016
SECCON 5 is the minimum security configuration for an enterprise device.
Microsoft recommends the following configuration for SECCON 5 devices.
## Behaviors
The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications.
@ -38,8 +41,8 @@ The controls enabled in SECCON 5 enforce a reasonable security level while minim
|-----------------------------------|-------------------------------------|--------------------|
| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. |
| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. |
| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using the rings methodology. |
| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using the rings methodology. |
| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
## Policies