Microsoft Publishes SECCON Framework For Securing Windows 10 (zdnet.com)

← Back to Stories (view on slashdot.org)

Microsoft Publishes SECCON Framework For Securing Windows 10 (zdnet.com)

Posted by msmash on Friday April 12, 2019 @03:30AM from the how-about-that dept.

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is are five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: last two docs are empty and don't include any info just yet].

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

22 of 34 comments (clear)

Min score:

Reason:

Sort:

only has three lines by Anonymous Coward · 2019-04-12 04:37 · Score: 1

1. Reformat! 2. Install linux! 3. Partaaaay!
Does it say how to shut off reporting? by WoodstockJeff · 2019-04-12 04:41 · Score: 5, Insightful

Most of us would want to make sure it disables all the user-tracking stuff.
Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...
1. Re:Does it say how to shut off reporting? by Sir_Eptishous · 2019-04-12 04:57 · Score: 2
  
  Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...
  Windows 10 Pro is the new Windows Home.
  
  --
  We play the game with the bravery of being out of range
2. Re:Does it say how to shut off reporting? by dissy · 2019-04-12 08:36 · Score: 2
  
  Most of us would want to make sure it disables all the user-tracking stuff.
  Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...
  Only Enterprise, IoT, and Education editions (also Server 2016) can have their telemetry setting set to zero, the lowest amount of data to send back.
  Despite being given the ID 0, even this is not fully disabled as one might assume.
3. Re:Does it say how to shut off reporting? by dwywit · 2019-04-12 09:53 · Score: 1
  
  Go to task scheduler, identify the various jobs that deal with user data telemetry, and set them to "disabled". The OS will continue to collect data, but it will never be sent.
  Re-assess the status of those jobs after updates, or write your own script to check and re-set the jobs every 5 minutes.
  One thing I've never explored, though - where does the OS store that data pending its journey to Microsoft? You could have another scheduled job clearing (or better, poisoning) that data every few minutes.
  
  --
  They sentenced me to twenty years of boredom
4. Re:Does it say how to shut off reporting? by dissy · 2019-04-12 19:57 · Score: 1
  
  Go to task scheduler, identify the various jobs that deal with user data telemetry, and set them to "disabled". The OS will continue to collect data, but it will never be sent.
  Sadly they have the telemetry tendrils very deep and plentiful into the system.
  Scheduled tasks are not the only processes that submit the stored data.
  There are even functions in "service host" to both send data and undo tampering with other telemetry processes. Simply disabling svchost would rightly fuck most everything on the system.
  There are lists of hosts you can block in an external firewall, but naturally Microsoft doubled up duty for those hosts, so that may break other things.
  Also don't forget that Win 10 now can fall back to peer-to-peer as well, so it can get updates and relay diagnostic info through other Win 10 systems on the LAN that do have access to those MS hosts.
  
  One thing I've never explored, though - where does the OS store that data pending its journey to Microsoft? You could have another scheduled job clearing (or better, poisoning) that data every few minutes.
  It's littered around in many places. Event logs, system folders, the windows data store, applications individual logs, etc.
  Here's a tool from MS that will gather all those locations up in one view, similar to how event viewer does for the normal logs:
  https://docs.microsoft.com/en-us/windows/privacy/diagnostic-data-viewer-overview
  At the very least go check out that first screen shot. See the list of telemetry sources on the left? See the size of that scroll bar? It's fucking disgusting.
  I've been using a modified version of this for a few years:
  https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/block-telemetry.ps1
  Some of the domains in there that it blocks are commented with other functions that break by blocking it.
  From personal experience:
  You'll need to setup an NTP and SNTP server and manually point windows to it. Clock drift can break various forms of encryption.
  Windows will be convinced you have no internet connection anymore, and I've had a few programs check that status and refuse to even try (spotify, nvidia experience, and a couple games)
  Make sure you don't have any programs installed from the MS store you want to keep, they won't be able to validate their licenses. Even free ones.
  Hope you didn't upgrade from home to pro or from pre-10 to 10 using an online license :P
  All Microsoft AV software will stop updating, so you'll want to be sure to have something from a 3rd party. 10 gets annoying with the notifications with nothing installed/active.
  Some things that break but are likely considered a good thing:
  Windows updates, bing and all integrated searches (start menu search included), contra, skype, itunes, and newer versions of office (2016 and 365 have issues, but 2010 continues to work fine, haven't tried others)
  Good luck
5. Re:Does it say how to shut off reporting? by dwywit · 2019-04-12 20:32 · Score: 1
  
  Thanks! I'll go exploring -rubs hands with glee-
  
  --
  They sentenced me to twenty years of boredom
6. Re:Does it say how to shut off reporting? by DeVilla · 2019-04-16 05:43 · Score: 1
  
  That makes you gleeful? You Windows users really are sadists.
Step One by ArhcAngel · 2019-04-12 04:50 · Score: 1

Disconnect PC from any network or other connectivity protocol.

This was an actual requirement for security certification for the NT 3.51 OS

--
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
1. Re:Step One by F.Ultra · 2019-04-12 05:19 · Score: 1
  
  If you have a privilege escalation bug it does not matter which OS you run, including Multics.
2. Re:Step One by thereddaikon · 2019-04-12 07:18 · Score: 1
  
  Well any single user OS wouldn't have any privilege escalation exploits because the only user has full access anyways. Just think of all of the old 8bit micros, you power it on and had full access, even low level hardware control. *taps forehead* can't have escalation bugs if there's nothing to escalate.
My Own "FrameWork" by Anonymous Coward · 2019-04-12 04:51 · Score: 2, Interesting

1. Run inside a virtual machine, it get's limited network access
2. limit the network access even further on the router - it gets no updates
3. limit the internal network access even further, it sees nothing on the LAN, it only sees a network share, and that only contains the files it needs to see.
4. limit the hardware it can see, windows actually performs nicely on simple hardware, the more complex the hardware, the more crashes
5. a pi-hole further limits what gets to the machine
6. exfiltration of data is limited on the router
Doe it say how to kill telemetry? by gweihir · 2019-04-12 04:53 · Score: 5, Insightful

No? Then it is not a security guide or rather one that is worthless...
(I assume it does not. In good /. tradition, I have not looked at the documents...)

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
1. Re:Doe it say how to kill telemetry? by thegarbz · 2019-04-12 06:44 · Score: 2
  
  No? Then it is not a security guide or rather one that is worthless...
  (I assume it does not. In good /. tradition, I have not looked at the documents...)
  In the usual tradition, those who have not looked end up being wrong. If you would have looked you'd see that it applies to enterprise only which already has telemetry disabled.
2. Re:Doe it say how to kill telemetry? by gweihir · 2019-04-12 12:24 · Score: 1
  
  Ah, so even more worthless...
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
3. Re:Doe it say how to kill telemetry? by thegarbz · 2019-04-12 20:39 · Score: 1
  
  Ah, so even more worthless...
  Yeah except to the 10s of millions of machines it affects.
4. Re:Doe it say how to kill telemetry? by DeVilla · 2019-04-16 05:51 · Score: 1
  
  And with a little bit of internet searching, you'd see that even at telemetry level "zero" windows 10 enterprise (and a few other variants of windows 10 that offer telemetry level zero) still sends telemetry data back to Microsoft. In other words, even in windows 10 enterprise, you can't completely disable telemetry.
Does it 'secure' against Miscreant-o-soft itself? by Rick+Schumann · 2019-04-12 05:12 · Score: 2

'Microsoft' and 'security' in the same sentence? AAAHahahahahaha, that's hilarious, my sides, they're exploding, I'm laughing so hard!
The only 'security' I'd want if I had to use Windows anymore (and I don't; Ubuntu master-race, here) is securing it against Microsoft intrusion into my computer that I bought and paid for. Bugger off Microsoft.
.....ABOUT TIME! by Anonymous Coward · 2019-04-12 06:04 · Score: 1

A couple months ago I was asked to use the "Windows 10 security baseline" to determine the security of our v1809 image before we rolled it out.... The baseline turned out to be a vague spreadsheet full of random registry key changes and a GPO policy that you're supposed to import. It was hard to believe that the closest thing MS had to an official security framework for their own OS was a half-assed spreadsheet and a policy!
At least now we have official configuration frameworks to compare our workstations against. If every OS had an in-depth security framework the world would be a *slightly* safer place.
Re:Does it 'secure' against Miscreant-o-soft itsel by Wolfrider · 2019-04-12 06:10 · Score: 1

--Yep. "Windows security" is kind of like "Military intelligence"... Especially if you're on the front lines. Fully patched Win boxes are still prone to probably hundreds of different exploits, not the least being social hacks and encryption malware.
https://thehackernews.com/2018...
--And don't forget the 0-day hax, 3rd-party software vulns, and shared DLL libraries that have been around since the 90's and never code-audited. Last but not least, they now have to worry about the WSL layer as a possible attack vector.
/ there's a reason I've been a Linux guy for a LONG time now
// and an extra slashy for OSX/iMac being my primary desktop these days

--
.
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
Re:Does it 'secure' against Miscreant-o-soft itsel by Rick+Schumann · 2019-04-12 07:44 · Score: 1

I have to admit that after 20 years of dealing with Windows to the point where it was childs' play I have to struggle a little with non-routine tasks and problems with Ubuntu but I know it's worth it in the long run and so far I've been able to solve 99% of anything that comes up. Com-port problems with WINE are still kicking my ass though, as are com-port problems in general.
Re:Why be SECCON when Linux comes FIRST by Anonymous Coward · 2019-04-12 11:48 · Score: 1

Linux has exactly the same problem, out of the box it is woefully insecure by default and requires good configuration for most use cases.