Microsoft published a generic “security configuration framework” to help standardize the basic security settings systems administrators should be applying for Windows 10 systems.
“In the past, we left defining the security configuration for Windows 10 as a task for every customer to sort out. As a result, we aw as many different configurations as we saw customers,” Microsoft’s principal program manager Chris Jackson wrote on the Microsoft Security blog.
While setting the baseline would simplify security configuration for IT administrators, Microsoft was careful to note that these prescriptive configurations should be a starting point. Administrators should still tweak the settings to fit the security, productivity, and user experience requirements for their environments.
The framework defines five different levels of security configurations for “common device scenarios” seen in enterprises: Enterprise Security, Enterprise High Security, Enterprise VIP Security, DevOps Workstation, and Administrator Workstation. The levels mimic the DEFCON levels used by the United States Armed Forces, with lower numbers indicating a higher degree of security hardening.
Level 5, or Enterprise Security is the minimum-security configuration for an enterprise device. The recommendations are generally straightforward and designed so that administrators can deploy this configuration within 30 days.
Level 4, or Enterprise High Security is recommended for devices where users access sensitive or confidential information. This configuration may impact app compatibility, and “therefore will often go through an audit-configure-enforce workflow,” Microsoft said. Administrators would be able to deploy this set of configurations within 90 days.
Level 3, or Enterprise VIP Security is recommended for devices in organizations with a large or sophisticated security team, or for select groups within an organization identified as being “uniquely high risk.” This can mean users who handle data that are so sensitive that if stolen, would directly impact the company’s stock price. Organizations or groups concerned about well-funded and sophisticated adversaries should be looking at this configuration level. Deploying this set of configurations can be complex, and can take more than 90 days.
At the moment, Level 2, or DevOps Workstation, and Level 1, Administrator Workstation, recommendations are still under development. Microsoft considers the framework still in draft version and said it is expecting feedback to improve the recommendations in the framework.
Level 2, or DevOps Workstation is recommended for developers and testers as they are usually on systems containing high-value data or running critical business functions. Attackers can target these systems in supply chain attacks or credential theft attacks.
Level 1, or Administrator Workstation is designed for administrators who “face the highest risk, through data theft, data alteration, or service disruption.”
“If you’re an organization that’s already looking to Windows security baselines to provide advanced levels of security, then level 3 incorporates these baselines as the foundation,” Jackson said. “If you’re earlier in your journey, then you should find level 5 a great starting point and can then balance the enhanced security of higher levels against your application readiness and risk tolerance.”
The framework addresses a chicken-and-egg problem administrators currently face with Windows 10 deployments. The Microsoft Defender ATP Secure Score is a context-aware score that takes into account existing configurations and actual threats impacting the corporate environment. Administrators can use the score to tweak the security configuration in a way that best fits their circumstances. However, administrators who want to configure as many security features as possible as part of a brand-new Windows 10 deployment can’t reference the Microsoft Defender ATP Secure Score because the score hasn’t been generated yet.
The secure score “represents our best recommendations for securing your endpoint devices (among other things),” Jackson said. The security framework guides administrators with general recommendations right from the start, even before there is a chance to learn from the organization’s unique circumstances.
Security professionals have plenty of security assessments and guidance on what needs to be done, but it is a challenge to know which task is the most important thing to do, Jackson said. The framework should be used to identify priorities, and also to give enterprises a basis of comparison with likeminded organizations.
“We sat down and asked ourselves this question: if we didn’t know anything at all about your environment, what security policies and security controls would we suggest you implement first?” Jackson said.