June 13, 2019

Microsoft Security Configuration Framework for Windows 10 is a Hit – WST

With Microsoft Windows 7 quickly approaching end of life, many organizations are beginning the process of moving to Windows 10. Without a current deployment, it can be difficult to create a standard deployment that meets the needs of your environment for both security and productivity. Microsoft has addressed these concerns by creating the Security Configuration Framework for Windows 10. This framework, currently in beta, was created to assist companies that are deploying or migrating to a Windows 10 environment in the enterprise. It provides five (5) levels of suggested configuration to balance the need for security and productivity based on the user’s job function. The five levels defined on the Microsoft site (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) are:

  1. Enterprise security – Minimum-security configuration for an enterprise device.  Recommendations for this security configuration level are generally straightforward and are designed to be deployable within 30 days.
  2. Enterprise high security – Configuration for devices where users access sensitive or confidential information.  Some of the controls may have an impact to app compatibility, and therefore will often go through an audit-configure-enforce workflow.  Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
  3. Enterprise VIP security – Configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (for example, one organization identified users who handle data whose theft would directly and seriously impact their stock price).  An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration.  Recommendations for this security configuration level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
  4. DevOps workstation – Microsoft recommends this configuration for developers and testers, who are an attractive target both for supply chain attacks and credential theft attacks that attempt to gain access to servers and systems containing high-value data or where critical business functions could be disrupted. We (Microsoft) are still developing this guidance and will make another announcement as soon as it is ready.
  5. Administrator workstation – Administrators (particularly of identity or security systems) face the highest risk, through data theft, data alteration, or service disruption. We (Microsoft) are still developing this guidance and will make another announcement as soon as it is ready.

If you are starting your migration process or deploying a new environment based on Microsoft Windows 10, this is a great tool to assist with your initial baseline configuration. We expect to see additional configuration and options come from this framework with additional tweaks and development.
