Educause Security Discussion mailing list archives

Re: Windows 10 Security Profile


From: Eric Lukens <eric.lukens () UNI EDU>
Date: Fri, 11 Mar 2016 08:48:23 -0600

We're actually in the process of determining our hardening standards for
Windows 10 right now.

I'd have a look through the CIS hardening guide for Windows 10 (
https://benchmarks.cisecurity.org/downloads/browse/index.cfm?category=benchmarks.os.windows.10)
and the Microsoft SCM guide (
http://blogs.technet.com/b/secguide/archive/2016/01/22/security-baseline-for-windows-10-v1511-quot-threshold-2-quot-final.aspx).
You'll find they differ on a lot of the "cloud" stuff, but both have the
SmartScreen filter enabled. The Microsoft one has done away with almost all
settings that are otherwise the default--so it isn't a full guide of "these
are all the settings that should be in place" but rather a list of settings
that increase the security of the default system at the expense of some
functionality. The CIS guide includes a lot of the settings that had been
in previous guides--even if they are now the default. Virtually no guide
includes all "bad" settings since there are a lot of places in Group Policy
where you could seriously compromise your security. I think CIS was very
cautious in balancing the privacy/data loss potential against the benefits
of certain features, so most "fun" features like Cortana are disabled. On
the flip side, I think the Microsoft guide lets too many invasive features
remain. I think it might be wise to start using Windows 10 as suggested by
CIS and perhaps begin enabling some of the features after you are more
certain of their impact.

The SmartScreen filter is a basic reputation-based anti-malware where known
good are allowed to run, known bad are blocked, and unknown are either
blocked or allowed depending on your policies--remember this applies not
only to IE but to all downloads from all browsers. There are few places
where I think the privacy concerns of SmartScreen would outweigh the
security benefits. I do know the SmartScreen filter on Win 8.1 has
successfully blocked a number of things that would have otherwise led to
infections for us. Most of the malware tries to bypass the filter now by
exploiting a browser plugin and loading its code via it.

Anyway, we require the hardening standards to be used on all machines and
then the policy can be "softened" where needed if justified, documented,
and approved. We wrote in our guide that certain settings could be softened
without needing approval, just because we knew of common scenarios where a
setting would need to be changed.

If anyone has questions about specific settings and what our thoughts on
that setting are, feel free to ask me; it is one of the projects I'm
working on right now.

-Eric

On Thu, Mar 10, 2016 at 5:29 PM, Brad Judy <brad.judy () cu edu> wrote:

I'd be cautious disabling the SmartScreen filter. While it does give
browsing info to MS, it's also an important security feature for blocking
phishing/malware sites. It also isn't new/unique to Windows 10; it's part
of IE in other versions of Windows and I think built into the OS for
Windows 8 as well.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu




From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
Homer Manila <homer () american edu>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, March 10, 2016 at 4:14 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Windows 10 Security Profile

All,

We are in the middle of designing a Windows 10 image for the first time
and are considering turning the following privacy-related settings/features
off:

   - Wifi Sense
   - Advertising ID
   - SmartScreen Filter
   - Location information (or "Let websites provide locally relevant
   content")
   - Speech, Inking and Typing
   - Send MS info about how I write
   - Feedback and Diagnostics (or at least set Diagnostic and usage data
   to Basic)


Are other institutions turning off any other privacy settings than these,
or do you think any of these settings are overblown as a privacy issue? We
expect Cortana to be a big draw in Windows 10 for our users and are hesitant
to turn off any feature that would make it less useful (location settings,
or any of the Getting To Know Me settings). Additionally, SmartScreen
Filter seems like it could be a nice security feature to have in the Apps
store and Edge.


http://lifehacker.com/what-windows-10s-privacy-nightmare-settings-actually-1722267229
http://www.zdnet.com/article/how-to-secure-windows-10-the-paranoids-guide/

Thanks for any feedback!

--Homer Manila, CISSP, GCWN
Information Security Engineer
American University
Office of Information Technology
202-885-2209

AU IT will never ask for your password via e-mail.
Don't share your password with anyone!




-- 

Eric C. Lukens
IT Security Compliance & Policy Analyst
ITS-Information Security
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/

"Security is a process, not a product."  Bruce Schneier
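To turn the thread's "harden everything, then soften only with documented approval" model into something auditable, here is an added PowerShell check (not from any of the posters, nor from the CIS or Microsoft baselines) that reads the Group Policy-backed registry values for several of the settings Homer listed and reports PASS, FAIL, or EXCEPTION per setting. The registry paths and value names are my assumptions about Windows 10 v1511; verify them against whichever benchmark you adopt before relying on the results.

```powershell
# Added example, not from the thread or from CIS/Microsoft.
# Each entry: the setting as discussed above, the policy registry location
# (assumed, verify against your chosen baseline), and the expected value.
# A missing value means the policy is NOT enforced, even if the Windows
# default happens to match, so it is reported as FAIL.
$Baseline = @(
  @{ Name = 'SmartScreen enabled for Explorer/downloads'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
     Value = 'EnableSmartScreen'; Expected = 1; Compare = 'eq' },
  @{ Name = 'Advertising ID disabled'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
     Value = 'DisabledByGroupPolicy'; Expected = 1; Compare = 'eq' },
  @{ Name = 'Wi-Fi Sense hotspot sharing off'
     Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting'
     Value = 'value'; Expected = 0; Compare = 'eq' },
  @{ Name = 'Diagnostic and usage data at Basic (1) or lower'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
     Value = 'AllowTelemetry'; Expected = 1; Compare = 'le' }
)

function Test-HardeningBaseline {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Baseline,
        # Names of settings that were "softened" with documented approval.
        [string[]] $ApprovedExceptions = @()
    )
    foreach ($s in $Baseline) {
        $actual = $null
        $item = Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($s.Value) }

        $ok = if ($null -eq $actual) { $false }
              elseif ($s.Compare -eq 'le') { $actual -le $s.Expected }
              else { $actual -eq $s.Expected }

        $status = if ($ok) { 'PASS' }
                  elseif ($ApprovedExceptions -contains $s.Name) { 'EXCEPTION' }
                  else { 'FAIL' }

        [pscustomobject]@{
            Setting  = $s.Name
            Expected = "$($s.Compare) $($s.Expected)"
            Actual   = $actual
            Status   = $status
        }
    }
}

# Example run: Wi-Fi Sense was approved as a documented exception for a lab.
Test-HardeningBaseline -Baseline $Baseline `
    -ApprovedExceptions @('Wi-Fi Sense hotspot sharing off') | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; any FAIL row is a setting that is neither enforced by policy nor covered by an approved exception.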

