Educause Security Discussion mailing list archives

Re: Windows 10 Security Profile


From: Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Date: Fri, 11 Mar 2016 17:27:35 +0000

We are in the process of defining the privacy and security settings. We rely on CIS Win 10 and MS SCM, but we had to 
start with a common foundation. This is what we have so far. We are working on automating these settings via GPO. It 
would be great if the community adds to or corrects the list.
Access Calendar
    Location: Settings > Privacy > Calendar
    Notes: Recommended off

Access Contacts
    Location: Settings > Privacy > Contacts
    Notes: Recommended off

Accounts: Block Microsoft Accounts
    Location: Windows Settings > Security Settings > Local Policies > Security Options
    Notes: Check "Define this policy setting" and choose "Users can't add or log on with Microsoft Accounts"

Allow Cortana
    Location: Administrative Templates > Windows Components > Search
    Notes: Set to Disabled

Allow indexing of encrypted files
    Location: Computer Configuration > Administrative Templates > Windows Components > Search
    Notes: If you enable this policy setting, indexing will attempt to decrypt and index the content (access 
    restrictions will still apply).

Allow input personalization
    Location: Administrative Templates > Control Panel > Regional and Language Options
    Notes: Set to Disabled. This disables the use of Cortana, collection of speech and handwriting patterns, typing 
    history, contacts, and calendar information.

Allow Telemetry
    Location: Administrative Templates > Windows Components > Data Collection and Preview Builds
    Notes: Set policy to Enabled and set Options to "0 - Off [Enterprise Only]"

Apps that can access calendar
    Location: Settings > Privacy > Calendar
    Notes: Recommended off

Apps that can control radios
    Location: Settings > Privacy > Radios
    Notes: Recommended to keep radios off until needed (specific apps)

Apps that can read or send messages
    Location: Settings > Privacy > Messaging
    Notes: Recommended off

BitLocker Drive Encryption
    Location: Control Panel > System and Security > BitLocker Drive Encryption
    Notes: DO NOT use BitLocker. [ORG NAME REPLACED] use ORG NAME centralized encryption via PRODUCT X (specific for 
    us). When device encryption is on, Windows automatically encrypts the drive Windows is installed on and generates a 
    recovery key. The BitLocker recovery key for your device is automatically backed up online in your Microsoft 
    OneDrive account.

Camera
    Location: Settings > Privacy > Camera
    Notes: Keep off by default until needed and select specific apps like Skype.

Configure SmartScreen
    Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    Notes: Set the SmartScreenEnabled String Value:
    RequireAdmin = Get administrator approval before running an unrecognized app from the internet
    Prompt = Warn before running an unrecognized app, but don't require administrator approval

Disable IPv6
    Location: https://support.microsoft.com/en-us/kb/929852
    Notes: Disable using the Microsoft EasyFix or manually via the provided registry settings (specific to us)

Disable Radios
    Location: Settings > Privacy > Radios
    Notes: Recommended to keep radios off until needed

Disable Windows Error Reporting
    Location: Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting
    Notes: This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either 
    Microsoft or internal servers within your organization when software unexpectedly stops working or fails.

Do not send a Windows error report when a generic driver is installed on a device
    Location: Computer Configuration > Administrative Templates > System > Device Installation
    Notes: Windows has a feature that sends "generic-driver-installed" reports through the Windows Error Reporting 
    infrastructure.

DownloadMode
    Location: Preferences > Windows Settings > Registry
    Notes: This registry policy preference will disable peer-to-peer update sharing and should be created with the name 
    "DownloadMode" as a "Replace" action, in the HKEY_LOCAL_MACHINE hive, at the 
    "SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" key. The value type is "REG_DWORD", and the 
    value data is "0". On the Common tab, the setting "Remove this item when it is no longer applied" should be checked.

Edge browser
    Location: Advanced Settings; Privacy and Services
    Notes: Recommended settings:
    Advanced Settings > Use Adobe Flash "Off" by default
    Privacy and services >
    * Offer to save passwords "Off"
    * Save form entries "Off"
    * Send "Do Not Track" requests "On"
    * Have Cortana assist me in Microsoft Edge "Off"
    * Let sites save protected media licenses on my device "Off"

Feedback and Diagnostics
    Location: Settings > Privacy > Feedback & diagnostics
    Notes: Set feedback frequency to never and use the following commands from an elevated command prompt (run as 
    admin) to remove sending Microsoft feedback and diagnostic information:
        sc delete DiagTrack
        sc delete dmwappushservice
        echo "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl

Getting to Know you
    Location: Settings > Privacy > Speech, inking, & typing
    Notes: Recommended off. "Windows and Cortana can get to know your voice and writing to make better suggestions for 
    you. We'll collect info like contacts, recent calendar events, speech and handwriting patterns, and typing history."

Improve typing
    Location: Settings > Privacy > General; HKEY_CURRENT_USER\SOFTWARE\Microsoft\Input\TIPC
    Notes: Recommended value is disabled. Value name: 0 (disable the option).
    "Send Microsoft info about how I write to help us improve typing and writing in the future."

Join Microsoft MAPS
    Location: Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS
    Notes: Microsoft MAPS is the online community that helps you choose how to respond to potential threats. You can 
    choose to send basic or additional information about detected software. This information can include things like 
    the location of detected items on your computer if harmful software was removed. The information will be 
    automatically collected and sent

Let apps access my name, picture, and other account info
    Location: Settings > Privacy > Account info
    Notes: Keep off by default

Locally relevant content
    Location: Settings > Privacy > General; HKEY_CURRENT_USER\Control Panel\International\User Profile
    Value name: HttpAcceptLanguageOptOut
    Value data: 1 (disable the option)
    Notes: Recommended value is disabled. If you speak a language other than English, this feature could be useful, but 
    feel free to turn it off if you'd rather sites not know what language your system uses.

Location history
    Location: Settings > Privacy > Location
    Notes: Recommended to turn location off. When location is on, the location obtained to meet the needs of your apps 
    and services will be stored for a limited time on the device. Apps that have access to these stored locations will 
    appear

Microphone
    Location: Settings > Privacy > Microphone
    Notes: Keep off by default until needed and select specific apps like Skype.

Other wireless devices that share info
    Location: Settings > Privacy > Other devices
    Notes: (none)

Prevent Music CD and DVD Media Information Retrieval
    Location: User Configuration > Administrative Templates > Windows Components > Windows Media Player
    Notes: This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the 
    Internet.

Prevent Music File Media Information Retrieval
    Location: User Configuration > Administrative Templates > Windows Components > Windows Media Player
    Notes: This policy setting allows you to prevent media information for music files from being retrieved from the 
    Internet.

Prevent participation in the Customer Experience Improvement Program
    Location: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer
    Notes: This policy setting prevents the user from participating in the Customer Experience Improvement Program.

Prevent Windows Media DRM Internet Access
    Location: Computer Configuration > Administrative Templates > Windows Components > Windows Media Digital Rights 
    Management
    Notes: When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license 
    acquisition and security upgrades.

Read or send messages
    Location: Settings > Privacy > Messaging
    Notes: Recommended off

Send file samples when further analysis is required
    Location: Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS
    Notes: This policy setting configures the behaviour of sample submission when opt-in for MAPS telemetry is set.

Set what information is shared in Search
    Location: Computer Configuration > Administrative Templates > Windows Components > Search
    Notes: This policy setting allows you to control what information is shared with Bing in Search.

Sync Your Settings
    Location: Computer Configuration > Administrative Templates > Windows Components
    Notes: Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the 
    "sync your settings" page in PC Settings.

Turn off Application Telemetry
    Location: Administrative Templates > Windows Components > Application Compatibility
    Notes: Set to Enabled

Turn off Inventory Collector
    Location: Computer Configuration > Administrative Templates > Windows Components > Application Compatibility
    Notes: The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the 
    information to Microsoft. This information is used to help diagnose compatibility problems.

Turn off picture password sign-in
    Location: Administrative Templates > System > Logon
    Notes: Set to Enabled

Turn off the Advertising ID
    Location: Administrative Templates > System > User Profiles
    Notes: Set to Enabled. This is recommended to protect user privacy. This policy setting turns off the advertising 
    ID, preventing apps from using the ID for experiences across apps.

Turn off Windows Customer Experience Improvement Program
    Location: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet 
    Communication settings
    Notes: The Windows Customer Experience Improvement Program collects information about your hardware configuration 
    and how you use our software and services to identify trends and usage patterns.

Turn off Windows Error Reporting
    Location: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet 
    Communication settings
    Notes: Error Reporting is used to report information about a system or application that has failed or has stopped 
    responding and is used to improve the quality of the product.

Turn on PIN sign-in
    Location: Administrative Templates > System > Logon
    Notes: Set as desired. If PINs are allowed, they must comply with [ORG NAME REPLACED] minimum password 
    requirements. Another option is to disable PIN sign-in entirely.

Turn on PIN sign-in Options
    * Use digits
    * Use lowercase letters
    * Maximum PIN Length
    * Minimum PIN Length
    * Use special characters
    * Use uppercase letters
    Location: Administrative Templates > Windows Components > Microsoft Passport for Work > PIN complexity
    Notes: All passwords, including device PINs, must comply with [ORG NAME REPLACED] minimum password requirements. 
    Another option is to disable PIN sign-in entirely.

Updates
    Location: Settings > Update & Security
    Notes: Recommended settings:
    Updates from more than one place "Off"

Use Microsoft Passport for Work
    Location: Administrative Templates > Windows Components > Microsoft Passport for Work
    Notes: Set as desired. This functionality is used with biometrics and PINs as long as we have the capability and 
    support to use these technologies. Else, disable it.

WiFi Sense
    Location: Settings > Network & Internet
    Notes: Recommended settings:
    Connect to suggested open hotspots "Off"
    Connect to networks shared by contacts "Off"

Windows Defender
    Location: Settings > Update & Security > Windows Defender
    Notes: Recommended settings:
    Cloud based protection "Off"
    Sample submission "Off"


Vel Pavlov | Sr. IT Security Analyst
M.Sc., CISSP, C|EH, C)PTE, Security+,
CNA, MPCS, ITIL, A+
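
An added audit script (not from the post, CIS or Microsoft) that checks a Windows 10 host against the registry-backed items in the list above and reports drift, so a baseline applied by GPO can be verified on the endpoint. The DownloadMode, SmartScreenEnabled and HttpAcceptLanguageOptOut entries and the two services come from the post; the AllowTelemetry and NoConnectedUser policy values are assumed to be the registry values behind the "Allow Telemetry" and "Accounts: Block Microsoft Accounts" settings and should be confirmed against your own GPO results.

```powershell
# Added example: audit registry-backed settings from the list and report drift. Run from an elevated PowerShell prompt.
$Baseline = @(
    # From the post: Delivery Optimization peer-to-peer update sharing off
    @{ Name = 'DownloadMode'; Expected = 0; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config' }
    # From the post: SmartScreen requires admin approval for unrecognized apps
    @{ Name = 'SmartScreenEnabled'; Expected = 'RequireAdmin'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' }
    # From the post: "Locally relevant content" opt-out (per-user key, so this checks the current user)
    @{ Name = 'HttpAcceptLanguageOptOut'; Expected = 1; Path = 'HKCU:\Control Panel\International\User Profile' }
    # Assumed: policy value written by "Allow Telemetry" = "0 - Off [Enterprise Only]"
    @{ Name = 'AllowTelemetry'; Expected = 0; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' }
    # Assumed: policy value written by "Accounts: Block Microsoft Accounts" (3 = can't add or log on)
    @{ Name = 'NoConnectedUser'; Expected = 3; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' }
)

function Test-RegistryBaseline {
    param([array]$Items)
    foreach ($item in $Items) {
        $actual = $null
        try { $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction Stop).($item.Name) }
        catch { }   # missing key or value: reported as non-compliant below
        $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
        [pscustomobject]@{
            Setting   = $item.Name
            Expected  = $item.Expected
            Actual    = $shown
            Compliant = ($null -ne $actual -and "$actual" -eq "$($item.Expected)")
        }
    }
}

function Test-TelemetryServices {
    # The post deletes DiagTrack and dmwappushservice; report whether either still exists and is running.
    foreach ($svc in 'DiagTrack', 'dmwappushservice') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $shown = if ($null -eq $s) { 'absent' } else { "$($s.Status) ($($s.StartType))" }
        [pscustomobject]@{
            Setting   = "service: $svc"
            Expected  = 'absent or Stopped'
            Actual    = $shown
            Compliant = ($null -eq $s -or $s.Status -eq 'Stopped')
        }
    }
}

$results = @(Test-RegistryBaseline -Items $Baseline) + @(Test-TelemetryServices)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }   # non-zero exit for a scheduled compliance check
```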


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Homer 
Manila
Sent: Thursday, March 10, 2016 6:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows 10 Security Profile

All,

We are in the middle of designing a Windows 10 image for the first time and are considering turning the following 
privacy-related settings/features off:

  *   Wifi Sense
  *   Advertising ID
  *   SmartScreen Filter
  *   Location information (or "Let websites provide locally relevant content")
  *   Speech, Inking and Typing
  *   Send MS info about how I write
  *   Feedback and Diagnostics (or at least set Diagnostic and usage data to Basic)

Are other institutions turning off any other privacy settings than these, or do you think any of these settings are 
overblown as a privacy issue?  We expect Cortana to be a big draw in Windows 10 for our users and are hesitant to turn 
off any feature that would make it less useful (location settings, or any of the Getting To Know me settings). 
Additionally, SmartScreen Filter seems like it could be a nice security feature to have in the Apps store and Edge.

http://lifehacker.com/what-windows-10s-privacy-nightmare-settings-actually-1722267229
http://www.zdnet.com/article/how-to-secure-windows-10-the-paranoids-guide/

Thanks for any feedback!

--Homer Manila, CISSP, GCWN
Information Security Engineer
American University
Office of Information Technology
202-885-2209

AU IT will never ask for your password via e-mail.
Don't share your password with anyone!
