Slashdot Mirror


Microsoft Publishes SECCON Framework For Securing Windows 10 (zdnet.com)

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: the last two docs are empty and don't include any info just yet.]

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

34 comments

  1. Why be SECCON when Linux comes FIRST by Anonymous Coward · · Score: 0

    If you want proprietary and proprietary games, you deserve security problems.

    1. Re:Why be SECCON when Linux comes FIRST by Anonymous Coward · · Score: 1

      Linux has exactly the same problem: out of the box it is woefully insecure by default and requires good configuration for most use cases.

  2. only has three lines by Anonymous Coward · · Score: 1


    1. Reformat!
    2. Install linux!
    3. Partaaaay!

    1. Re: only has three lines by Anonymous Coward · · Score: 0

      My penguin furry suit is ready! Let's go!

    2. Re: only has three lines by Anonymous Coward · · Score: 0

      Sir, please step away from the anal probe.

  3. Black hole news is way more by Anonymous Coward · · Score: 0

    practical

  4. Does it say how to shut off reporting? by WoodstockJeff · · Score: 5, Insightful

    Most of us would want to make sure it disables all the user-tracking stuff.

    Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...

    1. Re:Does it say how to shut off reporting? by Sir_Eptishous · · Score: 2

      Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...

      Windows 10 Pro is the new Windows Home.

      --
      We play the game with the bravery of being out of range
    2. Re:Does it say how to shut off reporting? by Anonymous Coward · · Score: 0

      Stick to Windows PE and add the security on top of that. There is an ISO out there where Win10 Enterprise PE is set up with Firefox, Chrome, VLC and many useful utilities. I've managed to copy it to a hard drive (dual boot) and get it to boot up, but the settings revert with each boot back to the original configuration. It's a bit like a kiosk computer at the library.

    3. Re:Does it say how to shut off reporting? by dissy · · Score: 2

      Most of us would want to make sure it disables all the user-tracking stuff.
      Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...

      Only Enterprise, IoT, and Education editions (also Server 2016) can have their telemetry setting set to zero, the lowest amount of data to send back.

      Despite being given the ID 0, even this is not fully disabled as one might assume.
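An added example, not from the thread: a PowerShell check that reports which diagnostic-data level is actually configured on a box and whether the installed edition is one that honours level 0 at all. The two registry locations are the documented Group Policy and Settings-app locations for `AllowTelemetry`; the list of level-0-capable EditionID values is taken from the comment above and is an assumption, and the level names (Security/Basic/Enhanced/Full) are the ones in use as of the 1809 era.

```powershell
# Added example, not part of the Slashdot thread.
# Reports the configured Windows 10 diagnostic-data (telemetry) level and
# whether this edition can honour level 0 ("Security") at all.

function Get-DiagnosticDataLevel {
    $levelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

    # Documented locations: the Group Policy value takes precedence over the
    # value written by the Settings app when both are present.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'

    # Assumption (from the comment above): only these EditionID values honour 0.
    # Everything else silently treats 0 as Basic (1).
    $levelZeroEditions = @('Enterprise', 'EnterpriseS', 'IoTEnterprise',
                           'Education', 'ServerStandard', 'ServerDatacenter')

    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $policy  = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $local   = (Get-ItemProperty -Path $localKey  -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry

    if     ($null -ne $policy) { $effective = [int]$policy; $source = 'GroupPolicy' }
    elseif ($null -ne $local)  { $effective = [int]$local;  $source = 'Settings'    }
    else                       { $effective = $null;        $source = 'NotConfigured (OS default applies)' }

    $canHonourZero = $levelZeroEditions -contains $edition
    $note = ''
    if ($effective -eq 0 -and -not $canHonourZero) {
        $note = "Level 0 requested but edition '$edition' will send Basic (1) data anyway"
    }

    [pscustomobject]@{
        Edition           = $edition
        Source            = $source
        EffectiveLevel    = if ($null -ne $effective) { "$effective ($($levelNames[$effective]))" } else { 'unset' }
        EditionHonoursZero = $canHonourZero
        Note              = $note
    }
}

Get-DiagnosticDataLevel | Format-List
```

Run it in an elevated PowerShell on each image before trusting what the Settings page tells you; a Pro box with a Group Policy value of 0 will report the mismatch in the Note field rather than look "fully off". Even on an edition that honours 0, the comment's point stands: level 0 still transmits a minimum set of data, so the check only tells you the configured floor, not that nothing leaves the machine.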

    4. Re:Does it say how to shut off reporting? by dwywit · · Score: 1

      Go to task scheduler, identify the various jobs that deal with user data telemetry, and set them to "disabled". The OS will continue to collect data, but it will never be sent.

      Re-assess the status of those jobs after updates, or write your own script to check and re-set the jobs every 5 minutes.

      One thing I've never explored, though - where does the OS store that data pending its journey to Microsoft? You could have another scheduled job clearing (or better, poisoning) that data every few minutes.

      --
      They sentenced me to twenty years of boredom
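An added example, not from the thread, of the scheduled-task approach the comment above describes: enumerate the tasks under the task-scheduler folders that are commonly associated with diagnostic data collection, disable any that are still enabled, and optionally register the check itself as a task that re-runs every five minutes so that it survives an update re-enabling them. The folder paths and the name filter are assumptions about which tasks are telemetry-related; nothing here stops other collection paths, and it needs an elevated shell.

```powershell
# Added example, not part of the Slashdot thread.
# Disable the scheduled tasks commonly associated with diagnostic-data upload
# and re-check them periodically so an update re-enabling them gets undone.

# Assumption: these task-scheduler folders hold the collection/upload tasks.
$TelemetryTaskPaths = @(
    '\Microsoft\Windows\Customer Experience Improvement Program\',
    '\Microsoft\Windows\Application Experience\',
    '\Microsoft\Windows\DiskDiagnostic\'
)

# Assumption: within those folders, only names matching this pattern matter
# (the DiskDiagnostic folder also holds a user-facing "Resolver" task we keep).
$TelemetryTaskNamePattern = 'Appraiser|Consolidator|Ceip|DataCollector|ProgramDataUpdater|StartupAppTask'

function Get-TelemetryTask {
    foreach ($path in $TelemetryTaskPaths) {
        Get-ScheduledTask -TaskPath $path -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -match $TelemetryTaskNamePattern }
    }
}

function Disable-TelemetryTask {
    param([switch]$DryRun)
    foreach ($task in Get-TelemetryTask) {
        $full = "$($task.TaskPath)$($task.TaskName)"
        if ($task.State -eq 'Disabled') {
            "[ok]      $full"
            continue
        }
        if ($DryRun) {
            "[would]   $full"
        } else {
            $task | Disable-ScheduledTask | Out-Null
            "[disabled] $full"
        }
    }
}

# Register this same script as a task that re-runs every 5 minutes as SYSTEM,
# so tasks re-enabled by an update are turned off again without manual review.
function Register-TelemetryTaskWatcher {
    param([string]$ScriptPath)
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
               -RepetitionInterval (New-TimeSpan -Minutes 5)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName 'Disable-TelemetryTasks' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
}

# Dry run first to see what would change, then apply.
Disable-TelemetryTask -DryRun
Disable-TelemetryTask
# Register-TelemetryTaskWatcher -ScriptPath 'C:\Admin\Disable-TelemetryTasks.ps1'
```

Run the dry-run output past someone who knows the image before applying it: the Application Experience folder also holds compatibility tasks that some sites rely on for app-compat shims, and, as the reply below notes, scheduled tasks are only one of several upload paths, so this controls when data is sent by those tasks, not whether the OS collects it.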
    5. Re:Does it say how to shut off reporting? by dissy · · Score: 1

      Go to task scheduler, identify the various jobs that deal with user data telemetry, and set them to "disabled". The OS will continue to collect data, but it will never be sent.

      Sadly they have the telemetry tendrils very deep and plentiful into the system.
      Scheduled tasks are not the only processes that submit the stored data.
      There are even functions in "service host" to both send data and undo tampering with other telemetry processes. Simply disabling svchost would rightly fuck most everything on the system.

      There are lists of hosts you can block in an external firewall, but naturally Microsoft doubled up duty for those hosts, so that may break other things.
      Also don't forget that Win 10 now can fall back to peer-to-peer as well, so it can get updates and relay diagnostic info through other Win 10 systems on the LAN that do have access to those MS hosts.

      One thing I've never explored, though - where does the OS store that data pending its journey to Microsoft? You could have another scheduled job clearing (or better, poisoning) that data every few minutes.

      It's littered around in many places. Event logs, system folders, the windows data store, applications individual logs, etc.

      Here's a tool from MS that will gather all those locations up in one view, similar to how event viewer does for the normal logs:
      https://docs.microsoft.com/en-us/windows/privacy/diagnostic-data-viewer-overview

      At the very least go check out that first screen shot. See the list of telemetry sources on the left? See the size of that scroll bar? It's fucking disgusting.

      I've been using a modified version of this for a few years:
      https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/block-telemetry.ps1

      Some of the domains in there that it blocks are commented with other functions that break by blocking it.

      From personal experience:

      You'll need to set up an NTP and SNTP server and manually point Windows to it. Clock drift can break various forms of encryption.

      Windows will be convinced you have no internet connection anymore, and I've had a few programs check that status and refuse to even try (spotify, nvidia experience, and a couple games)

      Make sure you don't have any programs installed from the MS store you want to keep, they won't be able to validate their licenses. Even free ones.
      Hope you didn't upgrade from home to pro or from pre-10 to 10 using an online license :P

      All Microsoft AV software will stop updating, so you'll want to be sure to have something from a 3rd party. 10 gets annoying with the notifications with nothing installed/active.

      Some things that break but are likely considered a good thing:
      Windows updates, Bing and all integrated searches (Start menu search included), Cortana, Skype, iTunes, and newer versions of Office (2016 and 365 have issues, but 2010 continues to work fine; haven't tried others)

      Good luck

    6. Re:Does it say how to shut off reporting? by dwywit · · Score: 1

      Thanks! I'll go exploring -rubs hands with glee-

      --
      They sentenced me to twenty years of boredom
    7. Re:Does it say how to shut off reporting? by DeVilla · · Score: 1

      That makes you gleeful? You Windows users really are sadists.

  5. Step One by ArhcAngel · · Score: 1

    Disconnect PC from any network or other connectivity protocol.

    This was an actual requirement for security certification for the NT 3.51 OS

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:Step One by Anonymous Coward · · Score: 0

      You also had to remove the monitor and keyboard and keep the machine in a locked room since the electrical impulses could be detected remotely and direct physical access allows for a myriad of hardware attacks.

      Ultimately, any operating system that has a central admin role (i.e. root in *nix, Administrator in win(x)), will have poor security

      sudo, sudoers and the sudo log are just band-aids on the issue in *nixes and can be circumvented with a privilege escalation attack

      As far as 'real' security goes, Multics is the only publicly acknowledged system that has functionally demonstrated security at the OS level, and likely could not be run on any current 'commodity' hardware.

    2. Re:Step One by F.Ultra · · Score: 1

      If you have a privilege escalation bug it does not matter which OS you run, including Multics.

    3. Re:Step One by thereddaikon · · Score: 1

      Well any single user OS wouldn't have any privilege escalation exploits because the only user has full access anyways. Just think of all of the old 8bit micros, you power it on and had full access, even low level hardware control. *taps forehead* can't have escalation bugs if there's nothing to escalate.

    4. Re:Step One by Anonymous Coward · · Score: 0

      Ignorance is bliss to the ignorant...

      In a system like any of the *nixes, root can change time stamps, update log files, simply change anything that could possibly trace what was done to the operating system.

      In Multics, if the OS is writing a log file (Ring 0), no other user (and you cannot escalate to OS) can change that log file.
      Here are the five security principles of Multics:
      1. the default situation should be lack of access
      2. there should be regular audits that maintain current authority
      3. the design should be open and collaboration should be supported by peer review
      4. it should incorporate the principle of least privilege
      5. there should be ease of use so that the user doesn't have to think about the underlying design

      In addition they put "Address Descriptors" into the memory management system, which effectively eliminated the chance of infringing on another process's memory

      The sad thing (soooo saaaad) is that Microsoft, Linux and all of the Unixes have ignored, or intentionally broken, these simple principles, i.e. MSoft running the UI with full system privileges because it makes it faster.

  6. My Own "FrameWork" by Anonymous Coward · · Score: 2, Interesting

    1. Run inside a virtual machine; it gets limited network access
    2. limit the network access even further on the router - it gets no updates
    3. limit the internal network access even further, it sees nothing on the LAN, it only sees a network share, and that only contains the files it needs to see.
    4. limit the hardware it can see, windows actually performs nicely on simple hardware, the more complex the hardware, the more crashes
    5. a pi-hole further limits what gets to the machine
    6. exfiltration of data is limited on the router

  7. Does it say how to kill telemetry? by gweihir · · Score: 5, Insightful

    No? Then it is not a security guide or rather one that is worthless...

    (I assume it does not. In good /. tradition, I have not looked at the documents...)

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Does it say how to kill telemetry? by thegarbz · · Score: 2

      No? Then it is not a security guide or rather one that is worthless...

      (I assume it does not. In good /. tradition, I have not looked at the documents...)

      In the usual tradition, those who have not looked end up being wrong. If you would have looked you'd see that it applies to enterprise only which already has telemetry disabled.

    2. Re:Does it say how to kill telemetry? by gweihir · · Score: 1

      Ah, so even more worthless...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Does it say how to kill telemetry? by thegarbz · · Score: 1

      Ah, so even more worthless...

      Yeah except to the 10s of millions of machines it affects.

    4. Re:Does it say how to kill telemetry? by DeVilla · · Score: 1

      And with a little bit of internet searching, you'd see that even at telemetry level "zero" windows 10 enterprise (and a few other variants of windows 10 that offer telemetry level zero) still sends telemetry data back to Microsoft. In other words, even in windows 10 enterprise, you can't completely disable telemetry.

  8. Headline: Fox to provide henhouse security by Anonymous Coward · · Score: 0

    Next, lets have the inmates run the asylum!

  9. Does it 'secure' against Miscreant-o-soft itself? by Rick+Schumann · · Score: 2

    'Microsoft' and 'security' in the same sentence? AAAHahahahahaha, that's hilarious, my sides, they're exploding, I'm laughing so hard!
    The only 'security' I'd want if I had to use Windows anymore (and I don't; Ubuntu master-race, here) is securing it against Microsoft intrusion into my computer that I bought and paid for. Bugger off Microsoft.

  10. Windows is a mess. Period by Anonymous Coward · · Score: 0

    Ever waited for 10 or more minutes on the Welcome or Logout screens?

    I did. An its freaking annoying.

    1. Re:Windows is a mess. Period by Anonymous Coward · · Score: 0

      I just pull the plug when that happens.

  11. .....ABOUT TIME! by Anonymous Coward · · Score: 1

    A couple months ago I was asked to use the "Windows 10 security baseline" to determine the security of our v1809 image before we rolled it out.... The baseline turned out to be a vague spreadsheet full of random registry key changes and a GPO policy that you're supposed to import. It was hard to believe that the closest thing MS had to an official security framework for their own OS was a half-assed spreadsheet and a policy!

    At least now we have official configuration frameworks to compare our workstations against. If every OS had an in-depth security framework the world would be a *slightly* safer place.

  12. Re:Does it 'secure' against Miscreant-o-soft itsel by Wolfrider · · Score: 1

    --Yep. "Windows security" is kind of like "Military intelligence"... Especially if you're on the front lines. Fully patched Win boxes are still prone to probably hundreds of different exploits, not the least being social hacks and encryption malware.

    https://thehackernews.com/2018...

    --And don't forget the 0-day hax, 3rd-party software vulns, and shared DLL libraries that have been around since the 90's and never code-audited. Last but not least, they now have to worry about the WSL layer as a possible attack vector.

    / there's a reason I've been a Linux guy for a LONG time now
    // and an extra slashy for OSX/iMac being my primary desktop these days

    --
    .
    == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  13. Re:Does it 'secure' against Miscreant-o-soft itsel by Rick+Schumann · · Score: 1

    I have to admit that after 20 years of dealing with Windows to the point where it was child's play, I have to struggle a little with non-routine tasks and problems with Ubuntu, but I know it's worth it in the long run, and so far I've been able to solve 99% of anything that comes up. COM-port problems with WINE are still kicking my ass though, as are COM-port problems in general.

  14. Re:Does it 'secure' against Miscreant-o-soft itsel by Anonymous Coward · · Score: 0

    Fully patched Win boxes are still prone to probably hundreds of different exploits, not the least being social hacks and encryption malware.

    Keep in mind "security policy" is not the same thing as "the state of your security"

    "Security policy" are the way you *want* it to behave. Actual security is how well it does that.

    An exploit, by definition, is code working in an unintended way and not following the security policy.
    If it was intended, it wouldn't be an exploit but instead be a back door.

    The types of things here, being security policy, are for example what defines a complex password, how often to force a password change, and how many previous passwords to keep stored to prevent reuse.

    Separate from that would be an exploit allowing one to bypass the authentication system completely.
    This isn't a fault in the policy itself, it is a fault in the software not enforcing the policy as stated.

    Since what Microsoft is offering here is only policies, it would of course have no effect whatsoever on the software properly enforcing them, so details like you provide are fairly off topic.
    Only really their track record of so poorly enforcing your policy would be relevant.

    In fact these same policies could be applied to any OS. I can tell Linux you must use a 16 character minimum password just as well as Windows.
    That's the extent of a security policy's scope.
    Stating "16 char minimum password" wouldn't raise the likelihood of a Linux exploit, nor patch a Linux exploit, any more than in Windows. That's a different subject matter altogether.

    So yes, the only relevant part of bringing up exploits would be akin to trusting Linux developers more than Windows developers to write code that does what it says it will do.
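An added example, not from the thread, of the distinction the comment above draws between the policy you want and the state you have: export the local security policy with `secedit`, pull out the password and lockout settings, and compare them against a baseline. The baseline values are assumptions (the 16-character minimum comes from the comment; the rest are placeholders to edit), and the output describes only what the OS says it enforces, which is exactly the scope the comment says a policy has.

```powershell
# Added example, not part of the Slashdot thread.
# Compare the local account/password policy actually in force on this machine
# with a baseline. Needs an elevated shell because secedit reads the SAM policy.

function Get-LocalPasswordPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    # The .inf is a plain "Name = Value" file; keep only the settings we compare.
    $wanted = 'MinimumPasswordLength|PasswordComplexity|PasswordHistorySize|' +
              'MaximumPasswordAge|MinimumPasswordAge|LockoutBadCount|ClearTextPassword'
    foreach ($line in Get-Content $cfg) {
        if ($line -match "^($wanted)\s*=\s*(-?\d+)") {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

# Assumed baseline: edit to match your own standard. 'min' means the actual
# value must be at least this; 'max' means at most; 'eq' means exactly.
$Baseline = @(
    @{ Name = 'MinimumPasswordLength'; Rule = 'min'; Value = 16 }
    @{ Name = 'PasswordComplexity';    Rule = 'eq';  Value = 1  }
    @{ Name = 'PasswordHistorySize';   Rule = 'min'; Value = 24 }
    @{ Name = 'MaximumPasswordAge';    Rule = 'max'; Value = 365 }
    @{ Name = 'LockoutBadCount';       Rule = 'max'; Value = 10 }
    @{ Name = 'ClearTextPassword';     Rule = 'eq';  Value = 0  }
)

function Compare-PasswordPolicy {
    param([hashtable]$Actual, [array]$Baseline)
    foreach ($b in $Baseline) {
        $have = $Actual[$b.Name]
        $ok = if ($null -eq $have) { $false }
              elseif ($b.Rule -eq 'min') { $have -ge $b.Value }
              elseif ($b.Rule -eq 'max') { $have -le $b.Value -and $have -ne -1 }  # -1 = never expires
              else { $have -eq $b.Value }
        [pscustomobject]@{
            Setting  = $b.Name
            Expected = "$($b.Rule) $($b.Value)"
            Actual   = if ($null -eq $have) { 'not set' } else { $have }
            Status   = if ($ok) { 'PASS' } else { 'FAIL' }
        }
    }
}

$result = Compare-PasswordPolicy -Actual (Get-LocalPasswordPolicy) -Baseline $Baseline
$result | Format-Table -AutoSize
if ($result.Status -contains 'FAIL') { Write-Warning 'Local policy drifts from baseline' }
```

This is the kind of check that a SECCON-style template makes easy to repeat across images. It says nothing about whether LSASS enforces the rule correctly under attack, which is the comment's point: a passing table is a statement about configuration, not about the absence of exploits.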