Slashdot Mirror


Microsoft Publishes SECCON Framework For Securing Windows 10 (zdnet.com)

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: last two docs are empty and don't include any info just yet].

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

7 of 34 comments

  1. Does it say how to shut off reporting? by WoodstockJeff · · Score: 5, Insightful

    Most of us would want to make sure it disables all the user-tracking stuff.

    Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...

    1. Re:Does it say how to shut off reporting? by Sir_Eptishous · · Score: 2

      Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...

      Windows 10 Pro is the new Windows Home.

      --
      We play the game with the bravery of being out of range
    2. Re:Does it say how to shut off reporting? by dissy · · Score: 2

      Most of us would want to make sure it disables all the user-tracking stuff.
      Of course, a lot of the settings I saw can only be set if you have the Enterprise version of Windows, so home and pro users are stuck...

      Only Enterprise, IoT, and Education editions (also Server 2016) can have their telemetry setting set to zero, the lowest amount of data to send back.

      Despite being given the ID 0, even this is not fully disabled as one might assume.

  2. My Own "FrameWork" by Anonymous Coward · · Score: 2, Interesting

    1. Run inside a virtual machine, it gets limited network access
    2. limit the network access even further on the router - it gets no updates
    3. limit the internal network access even further, it sees nothing on the LAN, it only sees a network share, and that only contains the files it needs to see.
    4. limit the hardware it can see, Windows actually performs nicely on simple hardware, the more complex the hardware, the more crashes
    5. a pi-hole further limits what gets to the machine
    6. exfiltration of data is limited on the router

  3. Does it say how to kill telemetry? by gweihir · · Score: 5, Insightful

    No? Then it is not a security guide or rather one that is worthless...

    (I assume it does not. In good /. tradition, I have not looked at the documents...)

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Does it say how to kill telemetry? by thegarbz · · Score: 2

      No? Then it is not a security guide or rather one that is worthless...

      (I assume it does not. In good /. tradition, I have not looked at the documents...)

      In the usual tradition, those who have not looked end up being wrong. If you would have looked you'd see that it applies to enterprise only which already has telemetry disabled.

  4. Does it 'secure' against Miscreant-o-soft itself? by Rick+Schumann · · Score: 2

    'Microsoft' and 'security' in the same sentence? AAAHahahahahaha, that's hilarious, my sides, they're exploding, I'm laughing so hard!
    The only 'security' I'd want if I had to use Windows anymore (and I don't; Ubuntu master-race, here) is securing it against Microsoft intrusion into my computer that I bought and paid for. Bugger off Microsoft.