Question

One of the most useful tools you will use in your role as an Information Security professional is a hardening checklist. Essentially, it is a document that serves as a guide to configuring a desktop/system security. Please develop this guide for a Windows 10 desktop environment. The hardening checklist will take the form of a table or chart that lists how the Windows 10 desktop should be hardened. This will be the culmination of everything you have learned in terms of operating systems, security controls and various strategies that can be employed. Essentially, this document will summarize everything you know about securing a system in an easy-to-follow checklist. You should try to provide a short and quick one-sentence description of each setting or task that you are recommending in the checklist.

Explanation / Answer

Hardening checklist for Windows 10:

One of the more important Enterprise hardening capabilities comes as a byproduct of Microsoft's incremental approach to new features. For those needing a hardened environment, pushing out frequent new features would spawn an almost continuous effort to test, adjust and approve each new hardened release. To address this, Microsoft has introduced the Long Term Servicing Branch (LTSB). The LTSB will be a stable release, relatively speaking, with only critical fixes being applied. Each such branch will be maintained for Microsoft’s entire five-year support period.

While the details are not fully known yet, we are told that users will be able to easily move from an LTSB to the Current Branch and back, as well as to a later LTSB. As now, administrators will be able to control the deployment of non-feature updates with Windows Server Update Services (WSUS). The Windows 10 "free" users, on the other hand, will no longer be able to control which updates they receive.

Windows 10 includes a number of additional features that will be of interest to corporate security officers, including:

Multifactor authentication

The ability to use multifactor authentication for PC access is incorporated into Windows 10 at the OS level. It will support either a biometric device or a PIN sent to a mobile device. This will be useful for corporate environments, particularly in securing lost laptops.

Data loss prevention (DLP)

As I discussed in "Closing the data floodgates," DLP automates the process of monitoring for and masking the transmission or exposure of protected data such as Social Security numbers. This is normally complicated to implement and manage, but Microsoft is trying to simplify the process by incorporating some DLP features directly into Windows 10, via its Enterprise Data Protection functionality. This facility includes the ability to recognize and transparently encrypt corporate versus personal data, some remote device wiping capabilities, and audit reports.

Application control

Prior Windows versions allowed users to install untrusted applications, after a strongly worded warning. Windows 10 has the ability to disallow any untrusted applications, known as Device Guard. This will give security administrators better automated control over users running potentially harmful applications.

Phishing protection

Windows 10 provides some inherent protection from certain phishing attacks by placing the user access token, which allows continued user access after initial authentication, in a secure container. This will eliminate certain classes of attacks, such as Pass the Hash and Pass the Ticket.

If you are tempted to cede protection of your corporate security to Windows 10 and relax, you may be a bit premature, however. There are some well-publicized privacy exposures in Windows 10 that will take some work to control. These include Windows 10 sharing your Wi-Fi information automatically with people in your address list, tracking your location, and sending your browsing history to Microsoft so it can "help" you. Security managers will want to make sure these privacy holes are plugged as they deploy new workstations.

Harden Windows 10 - A Security Guide gives detailed instructions on how to secure Windows 10 machines and prevent them from being compromised. We will harden the system to eliminate lots of attack surface and impede attackers. Vulnerable services and unnecessary networking protocols will be disabled. Layers of security will be added to protect our system, private documents, browsers and other applications. Firewall rules, ACLs and Software Restriction Policy are some of the settings we will set up. Then, continuing the security process, we will set up patch monitoring to notify us of insecure applications which require patching. Then we will set up event monitoring to monitor admin account use and all unusual events. And we will set up baselines so that we can regularly compare against the current running system to ensure it has not been modified. And finally, we want to monitor the current threat landscape and be able to react to emerging security threats in time. Good security consists of deter, deny, delay and detection. Hardening covers the first 3. We will cover all 4 in this guide.

In today's environment, criminals attack vulnerable PCs to gain access to personal data for ID theft purposes, to steal your credit card data and to conduct business espionage. So any PC is game for intrusion, and it is not an elaborate thing: attacking a PC only requires a few minutes.

The Windows 10 Hardening Guide is below and all of the hardening steps are contained in this document. There is an optional Configuration Pack which automates some of the configuration steps and also provides the ACLs to partition away hacker friendly admin command line tools. Some settings can only be reached with the Configuration Pack. Performing all the steps manually takes 3-4 hours and the Configuration Pack saves time by letting you import certain configs.


Importance of Testing

It is important to note that after hardening a system, one has to test to see if the applications that you run still run as expected. The ideal candidate for this project is a user with no need for communications among PCs in the LAN. That is because the more network ports you open, the less secure you become.

Testing was done on Windows 10 Pro 64 bit and Windows 10 64 bit machines.

After hardening, all control panel items are tested working, with the following exceptions:

Before you begin

If your system has already been compromised, the best course of action is to re-install Windows, because there is no telling what backdoors and botnet clients have been installed on your system. You cannot fight back at someone who already has administrator control of your system. You can implement something and they will just disable it. Your best chance of survival is to re-install Windows and then harden it to prevent further attacks from happening.

For details of the Automated Configuration files, see the Automated Configuration section near the bottom of this document. They will also be mentioned where applicable in each section throughout the document.
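
The baseline step described above (record a known-good state after hardening, then regularly compare the running system against it) can be sketched in PowerShell. This is an added example, not part of the original answer or of the guide it quotes; the baseline path and the four categories recorded are assumptions.

```powershell
# Added example: record security-relevant state after hardening, then diff later runs against it.
# The baseline location and the categories below are assumptions, not taken from the guide.
param(
    [string]$BaselinePath = "$env:ProgramData\HardeningBaseline\baseline.txt",
    [switch]$Capture   # write a new baseline instead of comparing
)

function Get-SystemSnapshot {
    $lines = @()
    # Services and their start mode: a disabled service that gets re-enabled shows up as drift.
    $lines += Get-Service | ForEach-Object { "service|$($_.Name)|$($_.StartType)" }
    # Members of the built-in Administrators group (well-known SID, works on localized systems).
    $lines += Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { "admin|$($_.Name)|$($_.PrincipalSource)" }
    # Listening TCP ports. Dynamically assigned RPC ports can differ after a reboot
    # and may need to be filtered out to keep the report quiet.
    $lines += Get-NetTCPConnection -State Listen |
        ForEach-Object { "listen|$($_.LocalAddress)|$($_.LocalPort)" }
    # Firewall state per profile (Domain, Private, Public).
    $lines += Get-NetFirewallProfile |
        ForEach-Object { "firewall|$($_.Name)|enabled=$($_.Enabled);inbound=$($_.DefaultInboundAction)" }
    $lines | Sort-Object -Unique
}

$current = Get-SystemSnapshot

if ($Capture) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written: $($current.Count) entries"
    return
}

if (-not (Test-Path $BaselinePath)) { throw "No baseline at $BaselinePath; run with -Capture first." }
$baseline = Get-Content -Path $BaselinePath

# '=>' marks entries present now but absent from the baseline; '<=' marks the reverse.
$drift = Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
    ForEach-Object {
        [pscustomobject]@{
            Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            Entry  = $_.InputObject
        }
    }

if ($drift) { $drift | Sort-Object Entry | Format-Table -AutoSize; exit 1 }
Write-Output "No drift from baseline."
```

Run it once with `-Capture` from an elevated prompt right after hardening, then schedule it without the switch. Because someone with administrator control can alter anything stored on the machine, keep a copy of the baseline file off the system and compare against that copy.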