Educause Security Discussion mailing list archives
Re: Windows 10 Security Profile
From: Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Date: Fri, 11 Mar 2016 17:27:35 +0000
We are in the process of defining the privacy and security settings. We rely on CIS Win 10 and MS SCM, but we had to start with a common foundation. This is what we have so far. We are working on automating these settings via GPO. It would be great if the community adds/corrects to the list.

| Policy Name | Policy Location | Notes |
|---|---|---|
| Access Calendar | Settings > Privacy > Calendar | Recommended off |
| Access Contacts | Settings > Privacy > Contacts | Recommended off |
| Accounts: Block Microsoft Accounts | Windows Settings > Security Settings > Local Policies > Security Options | Check "Define this policy setting" and choose "Users can't add or log on with Microsoft Accounts" |
| Allow Cortana | Administrative Templates > Windows Components > Search | Set to Disabled |
| Allow indexing of encrypted files | Computer Configuration > Administrative Templates > Windows Components > Search | If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). |
| Allow input personalization | Administrative Templates > Control Panel > Regional and Language Options | Set to Disabled. This disables the use of Cortana, collection of speech and handwriting patterns, typing history, contacts, and calendar information. |
| Allow Telemetry | Administrative Templates > Windows Components > Data Collection and Preview Builds | Set policy to Enabled and set Options to "0 - Off [Enterprise Only]" |
| Apps that can access calendar | Settings > Privacy > Calendar | Recommended off |
| Apps that can control radios | Settings > Privacy > Radios | Recommended to keep radios off until needed (specific apps) |
| Apps that can read or send messages | Settings > Privacy > Messaging | Recommended off |
| BitLocker Drive Encryption | Control Panel > System and Security > BitLocker Drive Encryption | DO NOT use BitLocker. [ORG NAME REPLACED] use ORG NAME centralized encryption via PRODUCT X (specific for us). When device encryption is on, Windows automatically encrypts the drive Windows is installed on and generates a recovery key. The BitLocker recovery key for your device is automatically backed up online in your Microsoft OneDrive account. |
| Camera | Settings > Privacy > Camera | Keep off by default until needed and select specific apps like Skype. |
| Configure SmartScreen | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | Set the SmartScreenEnabled String Value. RequireAdmin = Get administrator approval before running an unrecognized app from the internet. Prompt = Warn before running an unrecognized app, but don't require administrator approval. |
| Disable IPv6 | https://support.microsoft.com/en-us/kb/929852 | Disable using the Microsoft EasyFix or manually via the provided registry settings (specific to us) |
| Disable Radios | Settings > Privacy > Radios | Recommended to keep radios off until needed |
| Disable Windows Error Reporting | Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting | This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. |
| Do not send a Windows error report when a generic driver is installed on a device | Computer Configuration > Administrative Templates > System > Device Installation | Windows has a feature that sends "generic-driver-installed" reports through the Windows Error Reporting infrastructure. |
| DownloadMode | Preferences > Windows Settings > Registry | This registry policy preference will disable peer-to-peer update sharing and should be created with the name "DownloadMode" as a "Replace" action, in the HKEY_LOCAL_MACHINE hive, at the "SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" key. The value type is "REG_DWORD", and the value data is "0". On the Common tab, the setting "Remove this item when it is no longer applied" should be checked. |
| Edge browser | Advanced Settings; Privacy and Services | Recommended settings: Advanced Settings > Use Adobe Flash "Off" by default. Privacy and services > Offer to save passwords "Off"; Save form entries "Off"; Send "Do Not Track" requests "On"; Have Cortana assist me in Microsoft Edge "Off"; Let sites save protected media licenses on my device "Off" |
| Feedback and Diagnostics | Settings > Privacy > Feedback & diagnostics | Set feedback frequency to never and use the following commands from an elevated command prompt (run as admin) to remove sending Microsoft feedback and diagnostic information: `sc delete DiagTrack`; `sc delete dmwappushservice`; `echo "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl` |
| Getting to Know you | Settings > Privacy > Speech, inking, & typing | Recommended off. Windows and Cortana can get to know your voice and writing to make better suggestions for you. We'll collect info like contacts, recent calendar events, speech and handwriting patterns, and typing history. |
| Improve typing | Settings > Privacy > General; HKEY_CURRENT_USER\SOFTWARE\Microsoft\Input\TIPC | Recommended value is disabled. Value name: 0 (disable the option). Send Microsoft info about how I write to help us improve typing and writing in the future. |
| Join Microsoft MAPS | Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS | Microsoft MAPS is the online community that helps you choose how to respond to potential threats. You can choose to send basic or additional information about detected software. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. |
| Let apps access my name, picture, and other account info | Settings > Privacy > Account info | Keep off by default |
| Locally relevant content | Settings > Privacy > General; HKEY_CURRENT_USER\Control Panel\International\User Profile | Value name: HttpAcceptLanguageOptOut. Value data: 1 (disable the option). Recommended value is disabled. If you speak a language other than English, this feature could be useful, but feel free to turn it off if you'd rather sites not know what language your system uses. |
| Location history | Settings > Privacy > Location | Recommended to turn location off. When location is on, the location obtained to meet the needs of your apps and services will be stored for a limited time on the device. Apps that have access to these stored locations will appear |
| Microphone | Settings > Privacy > Microphone | Keep off by default until needed and select specific apps like Skype. |
| Other wireless devices that share info | Settings > Privacy > Other devices | |
| Prevent Music CD and DVD Media Information Retrieval | User Configuration > Administrative Templates > Windows Components > Windows Media Player | This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. |
| Prevent Music File Media Information Retrieval | User Configuration > Administrative Templates > Windows Components > Windows Media Player | This policy setting allows you to prevent media information for music files from being retrieved from the Internet. |
| Prevent participation in the Customer Experience Improvement Program | Computer Configuration > Administrative Templates > Windows Components > Internet Explorer | This policy setting prevents the user from participating in the Customer Experience Improvement Program. |
| Prevent Windows Media DRM Internet Access | Computer Configuration > Administrative Templates > Windows Components > Windows Media Digital Rights Management | When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. |
| Read or send messages | Settings > Privacy > Messaging | Recommended off |
| Send file samples when further analysis is required | Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS | This policy setting configures the behaviour of sample submission when opt-in for MAPS telemetry is set. |
| Set what information is shared in Search | Computer Configuration > Administrative Templates > Windows Components > Search | This policy setting allows you to control what information is shared with Bing in Search. |
| Sync Your Settings | Computer Configuration > Administrative Templates > Windows Components | Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. |
| Turn off Application Telemetry | Administrative Templates > Windows Components > Application Compatibility | Set to Enabled |
| Turn off Inventory Collector | Computer Configuration > Administrative Templates > Windows Components > Application Compatibility | The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. |
| Turn off picture password sign-in | Administrative Templates > System > Logon | Set to Enabled |
| Turn off the Advertising ID | Administrative Templates > System > User Profiles | Set to Enabled. This is recommended to protect user privacy. This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. |
| Turn off Windows Customer Experience Improvement Program | Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings | The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. |
| Turn off Windows Error Reporting | Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings | Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. |
| Turn on PIN sign-in | Administrative Templates > System > Logon | Set as desired. If PINs are allowed, they must comply with [ORG NAME REPLACED] minimum password requirements. Another option is to disable PIN sign-in entirely. |
| Turn on PIN sign-in Options: Use digits; Use lowercase letters; Maximum PIN Length; Minimum PIN Length; Use special characters; Use uppercase letters | Administrative Templates > Windows Components > Microsoft Passport for Work > PIN complexity | All passwords, including device PINs, must comply with [ORG NAME REPLACED] minimum password requirements. Another option is to disable PIN sign-in entirely. |
| Updates | Settings > Update & Security | Recommended settings: Updates from more than one place "Off" |
| Use Microsoft Passport for Work | Administrative Templates > Windows Components > Microsoft Passport for Work | Set as desired. This functionality is used with biometrics and PINs as long as we have the capability and support to use these technologies. Else, disable it. |
| WiFi Sense | Settings > Network & Internet | Recommended settings: Connect to suggested open hotspots "Off"; Connect to networks shared by contacts "Off" |
| Windows Defender | Settings > Update & Security > Windows Defender | Recommended settings: Cloud based protection "Off"; Sample submission "Off" |

Vel Pavlov | Sr. IT Security Analyst
M.Sc., CISSP, C|EH, C)PTE, Security+, CNA, MPCS, ITIL, A+

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Homer Manila
Sent: Thursday, March 10, 2016 6:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows 10 Security Profile

All,

We are in the middle of designing a Windows 10 image for the first time and are considering turning the following privacy-related settings/features off:
* Wifi Sense
* Advertising ID
* SmartScreen Filter
* Location information (or "Let websites provide locally relevant content")
* Speech, Inking and Typing
* Send MS info about how I write
* Feedback and Diagnostics (or at least set Diagnostic and usage data to Basic)

Are other institutions turning off any other privacy settings than these, or think any of these settings are overblown as a privacy issue? We expect Cortana to be a big draw in Windows 10 for our users and are hesitant in turning off any feature that would make it less useful (location settings, or any of the Getting To Know me settings). Additionally, SmartScreen Filter seems it could be a nice security feature to have in the Apps store and Edge.

http://lifehacker.com/what-windows-10s-privacy-nightmare-settings-actually-1722267229
http://www.zdnet.com/article/how-to-secure-windows-10-the-paranoids-guide/

Thanks for any feedback!

--Homer Manila, CISSP, GCWN
Information Security Engineer
American University
Office of Information Technology
202-885-2209
AU IT will never ask for your password via e-mail. Don't share your password with anyone!
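Added example, not part of the thread: a PowerShell drift check for the registry-backed rows of the list above (SmartScreenEnabled, DownloadMode, HttpAcceptLanguageOptOut), so a GPO or imaging run can be verified rather than trusted. The TIPC value name `Enabled` and the `AllowTelemetry` policy key under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection` are assumptions from the documented Windows locations, not values given in the post; `-Apply` needs an elevated session for the HKLM entries.

```powershell
# Audit (and optionally enforce) the registry settings from the Win 10 list.
# Assumed, not from the post: TIPC value name "Enabled"; AllowTelemetry policy key.
[CmdletBinding()]
param([switch]$Apply)

$Baseline = @(
    @{ Name='SmartScreen: RequireAdmin'; Type='String'; Data='RequireAdmin'
       Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'; Value='SmartScreenEnabled' },
    @{ Name='DownloadMode: no peer-to-peer updates'; Type='DWord'; Data=0
       Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'; Value='DownloadMode' },
    @{ Name='Locally relevant content: opt out'; Type='DWord'; Data=1
       Path='HKCU:\Control Panel\International\User Profile'; Value='HttpAcceptLanguageOptOut' },
    @{ Name='Improve typing: off (assumed value name)'; Type='DWord'; Data=0
       Path='HKCU:\SOFTWARE\Microsoft\Input\TIPC'; Value='Enabled' },
    @{ Name='Telemetry: 0 - Off (assumed policy key)'; Type='DWord'; Data=0
       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Value='AllowTelemetry' }
)

function Test-BaselineItem($Item) {
    # Missing key or value is reported as drift, not silently treated as compliant.
    $current = (Get-ItemProperty -Path $Item.Path -Name $Item.Value -ErrorAction SilentlyContinue).($Item.Value)
    [pscustomobject]@{
        Setting   = $Item.Name
        Expected  = $Item.Data
        Current   = if ($null -eq $current) { '<missing>' } else { $current }
        Compliant = ($null -ne $current) -and ("$current" -eq "$($Item.Data)")
    }
}

function Set-BaselineItem($Item) {
    if (-not (Test-Path $Item.Path)) { New-Item -Path $Item.Path -Force | Out-Null }
    New-ItemProperty -Path $Item.Path -Name $Item.Value -Value $Item.Data `
                     -PropertyType $Item.Type -Force | Out-Null
}

$report = foreach ($item in $Baseline) {
    $result = Test-BaselineItem $item
    if ($Apply -and -not $result.Compliant) {
        Set-BaselineItem $item
        $result = Test-BaselineItem $item   # re-read so the report shows the post-change state
    }
    $result
}

$report | Format-Table -AutoSize
# Non-zero exit lets an SCCM compliance item or a CI job flag drifted machines.
if ($report.Compliant -contains $false) { exit 1 }
```

Run without `-Apply` on a freshly imaged machine to confirm the GPO actually landed; a `<missing>` row usually means the GPO preference never applied or the key name differs in that build.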
Current thread:
- Windows 10 Security Profile Homer Manila (Mar 10)
- Re: Windows 10 Security Profile Barton, Robert W. (Mar 10)
- Re: Windows 10 Security Profile Brad Judy (Mar 10)
- Re: Windows 10 Security Profile Eric Lukens (Mar 11)
- Re: Windows 10 Security Profile randy (Mar 11)
- Re: Windows 10 Security Profile Eric Lukens (Mar 11)
- Re: Windows 10 Security Profile Velislav K Pavlov (Mar 11)