Educause Security Discussion mailing list archives
Re: Windows 10 Security Profile
From: randy <marchany () VT EDU>
Date: Fri, 11 Mar 2016 09:52:51 -0500
We set up a page on our www site with recommended Windows 10 Privacy Settings. It was based on some of the early discussion about what the Windows 10 privacy defaults were. The page is at http://security.vt.edu/resources_and_information/win10privacy.html.

-Randy Marchany
VA Tech IT Security Office and Lab

On Fri, Mar 11, 2016 at 9:48 AM, Eric Lukens <eric.lukens () uni edu> wrote:

We're actually in the process of determining our hardening standards for Windows 10 right now. I'd have a look through the CIS hardening guide for Windows 10 (https://benchmarks.cisecurity.org/downloads/browse/index.cfm?category=benchmarks.os.windows.10) and the Microsoft SCM guide (http://blogs.technet.com/b/secguide/archive/2016/01/22/security-baseline-for-windows-10-v1511-quot-threshold-2-quot-final.aspx). You'll find they differ on a lot of the "cloud" stuff, but both have the SmartScreen filter enabled. The Microsoft one has done away with almost all settings that are otherwise the default, so it isn't a full guide of "these are all the settings that should be in place" but rather a list of settings that increase the security of the default system at the expense of some functionality. The CIS guide includes a lot of the settings that had been in previous guides, even if they are now the default. Virtually no guide includes all "bad" settings since there are a lot of places in Group Policy where you could seriously compromise your security.

I think CIS was very cautious in balancing the privacy/data loss potential against the benefits of certain features, so most "fun" features like Cortana are disabled. On the flip side, I think the Microsoft guide lets too many invasive features remain. I think it might be wise to start using Windows 10 as suggested by CIS and perhaps begin enabling some of the features after you are more certain of their impact.

The SmartScreen filter is a basic reputation-based anti-malware where known good are allowed to run, known bad are blocked, and unknown are either blocked or allowed depending on your policies. Remember this applies not only to IE but to all downloads from all browsers. There are few places where I think the privacy concerns of SmartScreen would outweigh the security benefits. I do know the SmartScreen filter on Win 8.1 has successfully blocked a number of things that would have otherwise led to infections for us. Most of the malware tries to bypass the filter now by exploiting a browser plugin and loading their code via it.

Anyway, we require the hardening standards to be used on all machines and then the policy can be "softened" where needed if justified, documented, and approved. We wrote in our guide that certain settings could be softened without needing approval, just because we knew of common scenarios where a setting would need to be changed. If anyone has questions about specific settings and what our thoughts on that setting are, feel free to ask me; it is one of the projects I'm working on right now.

-Eric

On Thu, Mar 10, 2016 at 5:29 PM, Brad Judy <brad.judy () cu edu> wrote:

I'd be cautious disabling the SmartScreen filter. While it does give browsing info to MS, it's also an important security feature for blocking phishing/malware sites. It also isn't new/unique to Windows 10; it's part of IE in other versions of Windows and I think built into the OS for Windows 8 as well.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Homer Manila <homer () american edu>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, March 10, 2016 at 4:14 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Windows 10 Security Profile

All,

We are in the middle of designing a Windows 10 image for the first time and are considering turning the following privacy-related settings/features off:

- Wifi Sense
- Advertising ID
- SmartScreen Filter
- Location information (or "Let websites provide locally relevant content")
- Speech, Inking and Typing
- Send MS info about how I write
- Feedback and Diagnostics (or at least set Diagnostic and usage data to Basic)

Are other institutions turning off any other privacy settings than these, or think any of these settings are overblown as a privacy issue? We expect Cortana to be a big draw in Windows 10 for our users and are hesitant in turning off any feature that would make it less useful (location settings, or any of the Getting To Know Me settings). Additionally, SmartScreen Filter seems it could be a nice security feature to have in the Apps store and Edge.

http://lifehacker.com/what-windows-10s-privacy-nightmare-settings-actually-1722267229
http://www.zdnet.com/article/how-to-secure-windows-10-the-paranoids-guide/

Thanks for any feedback!

--Homer Manila, CISSP, GCWN
Information Security Engineer
American University
Office of Information Technology
202-885-2209
AU IT will never ask for your password via e-mail. Don't share your password with anyone!

--
Eric C. Lukens
IT Security Compliance & Policy Analyst
ITS-Information Security
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/
"Security is a process, not a product." Bruce Schneier
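A read-only audit script for the settings the thread goes back and forth on (the privacy items in Homer's list, plus SmartScreen, which Brad and Eric argue should stay on) is added below as an illustration. It is not from any of the posters or from the CIS or Microsoft baselines; the registry paths and value names are my assumptions drawn from the Windows 10 Group Policy templates and common hardening guides, so verify each one against the benchmark you adopt before treating a result as authoritative. It only reads the registry and prints a table; it changes nothing.

```powershell
# Audit-only check of Windows 10 privacy settings versus the SmartScreen filter.
# Registry locations below are assumptions (from the Win10 ADMX set and common
# hardening guides), not taken from the thread or from a specific benchmark.
# Run in an elevated PowerShell session on the workstation being reviewed.

$checks = @(
    @{ Name  = 'SmartScreen (Explorer/OS policy)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'EnableSmartScreen'
       Want  = 'Enabled (1)'
       Pass  = { param($v) $v -eq 1 } },
    @{ Name  = 'SmartScreen (per-machine, non-policy)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
       Value = 'SmartScreenEnabled'
       Want  = 'anything but "Off"'
       Pass  = { param($v) $v -ne 'Off' } },
    @{ Name  = 'Advertising ID (per-user)'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo'
       Value = 'Enabled'
       Want  = 'Disabled (0)'
       Pass  = { param($v) $v -eq 0 } },
    @{ Name  = 'Diagnostic and usage data'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Value = 'AllowTelemetry'
       Want  = 'Basic (1) or lower'
       Pass  = { param($v) ($null -ne $v) -and ($v -le 1) } },
    @{ Name  = 'Location'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
       Value = 'DisableLocation'
       Want  = 'Disabled (1)'
       Pass  = { param($v) $v -eq 1 } },
    @{ Name  = 'Speech, inking and typing (implicit text collection)'
       Path  = 'HKCU:\Software\Microsoft\InputPersonalization'
       Value = 'RestrictImplicitTextCollection'
       Want  = 'Restricted (1)'
       Pass  = { param($v) $v -eq 1 } },
    @{ Name  = 'Wi-Fi Sense auto-connect (assumed key)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
       Value = 'AutoConnectAllowedOEM'
       Want  = 'Disabled (0)'
       Pass  = { param($v) $v -eq 0 } }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, meaning the OS default applies
    # (for SmartScreen and Advertising ID the default is "on").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Value
    $status = if ($null -eq $actual)      { 'NOT CONFIGURED (default applies)' }
              elseif (& $c.Pass $actual)  { 'OK' }
              else                        { 'REVIEW' }
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Want
        Actual   = if ($null -eq $actual) { '<absent>' } else { $actual }
        Status   = $status
    }
}

$report | Format-Table -AutoSize
```

"NOT CONFIGURED" is reported separately from a failing value on purpose: an absent policy value means the build inherits the Windows default, which is what you want for SmartScreen but not for the Advertising ID, so the row has to be read against the Expected column rather than treated as a pass or fail on its own. Per-user keys (HKCU) reflect only the account running the script; for an image review, check them under a freshly provisioned test account or push the corresponding HKLM policy values instead.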
Current thread:
- Windows 10 Security Profile Homer Manila (Mar 10)
- Re: Windows 10 Security Profile Barton, Robert W. (Mar 10)
- Re: Windows 10 Security Profile Brad Judy (Mar 10)
- Re: Windows 10 Security Profile Eric Lukens (Mar 11)
- Re: Windows 10 Security Profile randy (Mar 11)
- Re: Windows 10 Security Profile Eric Lukens (Mar 11)
- Re: Windows 10 Security Profile Velislav K Pavlov (Mar 11)