Pablo Gallardo's Blog
My professional web log about IT, Cybersecurity & Project Management

Windows 10 Security

This post summarizes some tools, courses, certifications and hardening guides related to Windows 10.

As Windows 10 and 11 are very similar, this post applies to both operating systems.

Windows 10 Security Tools

There are different security tools and functionalities available for Windows 10:

  • General Security: Microsoft Defender for Endpoint, Windows Defender Security Center
  • Security Analysis: Microsoft Security Compliance Toolkit (SCT)
  • Antimalware: Windows Defender Antimalware, Windows Defender Exploit Guard, Windows Defender Advanced Threat Protection (ATP, since renamed Microsoft Defender for Endpoint)
  • Antiphishing: Windows Defender SmartScreen
  • Encryption: BitLocker
  • Firewall: Windows Defender Firewall
  • Apps: AppLocker, Windows Defender Application Control
  • Network: IPSec, DNSSEC, VPN
  • Credential protection: Windows Defender Credential Guard
  • Browser-based threats: Windows Defender Application Guard
  • Data Loss Prevention: Windows Information Protection
  • Group Policy
  • PKI
  • PowerShell
  • Virtualization
  • Update: Windows Update
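Most of the protections in this list can be checked from one elevated PowerShell session. The script below is an added example, not code from the original post: it uses the in-box Defender, BitLocker and NetSecurity modules plus the Win32_DeviceGuard WMI class, and reads the SmartScreen policy value from the registry. The function name and the pass/fail thresholds (inbound default action Block, Credential Guard and HVCI both running, at least one AppLocker rule) are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): one-shot posture check for the
# built-in Windows 10/11 protections listed above. Uses the in-box Defender,
# BitLocker and NetSecurity modules plus the DeviceGuard WMI class; run elevated.

function Get-Win10SecurityPosture {
    $rows = [System.Collections.Generic.List[object]]::new()
    function Add-Row([string]$Feature, [bool]$Ok, [string]$Detail = '') {
        $rows.Add([pscustomobject]@{ Feature = $Feature; OK = $Ok; Detail = $Detail })
    }

    # Antimalware: Microsoft Defender real-time protection and tamper protection
    $mp = Get-MpComputerStatus
    Add-Row 'Defender real-time protection' $mp.RealTimeProtectionEnabled "Signatures $($mp.AntivirusSignatureVersion)"
    Add-Row 'Defender tamper protection'    $mp.IsTamperProtected

    # Exploit Guard: Attack Surface Reduction rules (action 1 = block, 2 = audit)
    $pref = Get-MpPreference
    $asr  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    Add-Row 'ASR rules configured' ($asr.Count -gt 0) "$($asr.Count) rule(s)"

    # Antiphishing: SmartScreen for apps and files as enforced by policy (1 = on)
    $ss = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name EnableSmartScreen -ErrorAction SilentlyContinue
    Add-Row 'SmartScreen enforced by policy' ($ss.EnableSmartScreen -eq 1) $(if ($ss) { "EnableSmartScreen=$($ss.EnableSmartScreen)" } else { 'not set by policy' })

    # Encryption: BitLocker on the OS volume
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Row 'BitLocker on OS volume' ($bl.ProtectionStatus -eq 'On') "$($bl.EncryptionMethod), $($bl.EncryptionPercentage)% encrypted"

    # Firewall: every profile enabled, inbound blocked by default
    foreach ($p in Get-NetFirewallProfile) {
        Add-Row "Firewall profile $($p.Name)" ($p.Enabled -eq 'True' -and $p.DefaultInboundAction -eq 'Block') "inbound default $($p.DefaultInboundAction)"
    }

    # Credential protection / VBS: SecurityServicesRunning 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    Add-Row 'Credential Guard running'        ([int[]]$dg.SecurityServicesRunning -contains 1)
    Add-Row 'HVCI (memory integrity) running' ([int[]]$dg.SecurityServicesRunning -contains 2)

    # Apps: does the effective AppLocker policy carry any rules at all?
    [xml]$al = Get-AppLockerPolicy -Effective -Xml
    $collections = @($al.AppLockerPolicy.RuleCollection | Where-Object { $_.ChildNodes.Count -gt 0 })
    Add-Row 'AppLocker rules present' ($collections.Count -gt 0) "$($collections.Count) non-empty collection(s)"

    $rows
}

Get-Win10SecurityPosture | Format-Table -AutoSize
```

Pipe the function into Export-Csv to keep a per-host record, and treat any row with OK = False as a finding to reconcile against the baseline you have chosen (see the hardening guides below). Windows Defender Application Control and Application Guard are not covered here because their state lives in policy files and optional features rather than in a single cmdlet.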

Windows 10 Security Training

There are few courses dedicated exclusively to Windows desktop security; often only part of a more general Windows course covers it:

Windows 10 Security Certifications

Certifications directly related to Windows Desktop Security:

Other, less directly related certifications:

Windows 10 Hardening Guides

This section summarizes some guides, guidelines, recommendations and baselines for hardening Windows 10 endpoints.

  • Microsoft Security Baselines
  • CIS Benchmarks guides for Windows OS
  • NIST Windows 10 STIG Checklist
  • CCN-STIC guides for Windows OS

 

Microsoft Security Baselines

Microsoft Security Baselines are distributed through the Microsoft Security Compliance Toolkit (SCT), which replaced the older Security Compliance Manager (SCM).

To learn more about Microsoft and its security baselines, check this link.

To download Microsoft Security Compliance Toolkit (SCT):
aka.ms/sctdownload

After clicking on Download, check the file that corresponds to the Windows baseline you want to download (e.g. “Windows 10 version 21H2 Security Baseline.zip”). There are other files that do not correspond to Microsoft Baselines.

This zip file includes:

  • GPO backups
  • GPO reports
  • Excel spreadsheets
  • WMI filters
  • Scripts to apply the settings to local policy

Some hints for using the baseline zip file:

  • GPO Reports
    • GP reports are located in the “GP Reports” folder of the zip file
    • They are HTML files listing each GPO included in this Windows 10 Security Baseline and the settings it modifies
  • Excel spreadsheets
    • Excel spreadsheets are located in folder “Documentation” of zip file
    • There is a large Excel file with all the details of every configuration part of the baseline
  • Policy Analyzer rules
    • .PolicyRules file with baseline GPO is located in folder “Documentation” of zip file
    • A .PolicyRules file bundles the settings of one or more GPO backup folders into a single XML file
    • Use tool Policy Analyzer to compare baseline GPO with your own GPO
  • GPO backups
    • GPO backups in folder “GPOs” of zip file
    • GPO backups can be imported directly into Active Directory Group Policy along with corresponding WMI filters to apply policies to the correct machines.
    • The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv).
    • To replace SCM’s offline GPO-editing abilities, consider standing up an otherwise unused domain controller and importing Administrative Template (.admx) files into it as needed.
    • Right-click on a blank GPO and select “Import Settings…”. Select the “GPOs” folder and follow Wizard instructions.
  • Scripts
    • Scripts are located in folder “Scripts” of zip file
    • They are .ps1 files, run from an elevated PowerShell
    • They apply the baseline settings to local policy (they rely on LGPO.exe, so it must be available to them)
  • Templates
    • Templates are located in folder “Templates” of zip file
    • It includes Administrative Template files, of extension .admx (language-neutral) and .adml (language-specific).
    • Copy the .admx files to the Central Store (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions)
    • Copy each .adml file to the matching language subfolder of the Central Store (e.g. en-US)
  • WMI Filters
    • WMI filters are located in folder “WMI Filters” of zip file
    • There may be no WMI filters on some security baselines

Useful SCT tools:

  • Policy Analyzer
    • Policy Analyzer is a lightweight utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies and can highlight the differences between versions or sets of Group Policies. It can also compare one or more GPOs against local effective state. You can export all its findings to a Microsoft Excel spreadsheet.
    • To compare GPOs or to export to Excel, take a look at Policy Analyzer, which has much richer abilities in both areas than SCM had. Policy Analyzer saves its data in XML files with a .PolicyRules file extension.
    • You can get more info about how to use Policy Analyzer on this post
  • LGPO.exe
    • LGPO.exe is a command-line utility designed to help automate management of Local Group Policy. It can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted “LGPO text” files and Policy Analyzer “.PolicyRules” XML files.
    • The more capable LGPO.exe replaces the LocalGPO.wsf tool that shipped with SCM. LGPO also supports its own LGPO text file format as a text-based analog of the binary Registry.pol format. For more information, see the LGPO documentation. Keep in mind that SCM’s .cab files are no longer supported.
    • More info about how to use LGPO.exe can be found here.
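The zip-file hints above and the LGPO.exe description together describe one procedure: back up local policy, import the baseline GPO backups, then check what actually landed. The script below is an added example, not SCT code and not from the original post. It assumes the baseline zip has been extracted to the placeholder path in $Baseline, that LGPO.exe from the SCT download sits at $Lgpo, and that the GPO backups use the standard layout (GPOs\{GUID}\DomainSysvol\GPO\Machine\registry.pol). The LGPO switches used (/b with /n to back up, /g to import a GPO backup, /parse /m to dump a Registry.pol as LGPO text) are the documented ones; check LGPO.exe /? for your version.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of SCT or the original post. Assumes the baseline zip
# is extracted to $Baseline and LGPO.exe (from the SCT download) is at $Lgpo;
# both paths are placeholders. Folder layout GPOs\{GUID}\DomainSysvol\GPO\
# Machine\registry.pol is the one Windows GPO backups use.
param(
    [string]$Baseline  = 'C:\SCT\Windows 10 version 21H2 Security Baseline',  # assumed
    [string]$Lgpo      = 'C:\SCT\LGPO\LGPO.exe',                             # assumed
    [string]$BackupDir = "C:\SCT\LocalPolicy-$(Get-Date -Format yyyyMMdd-HHmm)"
)

# 1. Back up the current local policy first; restore later with LGPO.exe /g <backup GPO folder>
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& $Lgpo /b $BackupDir /n 'Local policy before baseline'

# 2. Import every GPO backup shipped with the baseline into local policy
$gpoRoot = Join-Path $Baseline 'GPOs'
Get-ChildItem -Path $gpoRoot -Directory | ForEach-Object {
    Write-Host "Importing $($_.Name)"
    & $Lgpo /g $_.FullName
}

# 3. Drift check: parse each machine registry.pol to LGPO text and compare DWORD
#    values with the live registry. LGPO text records are four lines (scope,
#    key, value name, TYPE:data) separated by blank lines; ';' lines are comments.
function Get-RegistryPolicyDrift([string]$LgpoExe, [string]$GpoBackupRoot) {
    $drift = [System.Collections.Generic.List[object]]::new()
    $pols  = Get-ChildItem -Path $GpoBackupRoot -Recurse -Filter registry.pol |
             Where-Object { $_.FullName -like '*\Machine\registry.pol' }
    foreach ($pol in $pols) {
        $block = @()
        # trailing '' forces the last record to be flushed
        foreach ($line in @(& $LgpoExe /parse /m $pol.FullName) + '') {
            if ($line -match '^;') { continue }
            if ($line.Trim()) { $block += $line.Trim(); continue }
            # value names starting with '*' are delete/clear directives, not settings
            if ($block.Count -eq 4 -and $block[0] -eq 'Computer' -and
                -not $block[2].StartsWith('*') -and $block[3] -match '^DWORD:(\d+)$') {
                $expected = [int]$Matches[1]
                $actual   = (Get-ItemProperty -Path "HKLM:\$($block[1])" -Name $block[2] -ErrorAction SilentlyContinue).($block[2])
                if ($actual -ne $expected) {
                    $drift.Add([pscustomobject]@{
                        Gpo      = $pol.Directory.Parent.Parent.Parent.Name
                        Key      = $block[1]
                        Value    = $block[2]
                        Expected = $expected
                        Actual   = $actual
                    })
                }
            }
            $block = @()
        }
    }
    $drift
}

Get-RegistryPolicyDrift -LgpoExe $Lgpo -GpoBackupRoot $gpoRoot | Format-Table -AutoSize
```

Two caveats. The baseline’s GPO set includes account and password policy, which on a standalone machine is applied to local accounts, so review the GPOs folder before importing everything. And the drift check only covers registry-backed policy; settings that come from security templates (.inf) or the Advanced Audit CSV must be verified with secedit /export and auditpol /get /category:* respectively, or with Policy Analyzer’s comparison against local effective state.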

More info about SCT baselines and its transition from SCM can be found here and here.

Alongside with Windows 10 baselines, you may check other related Microsoft baselines available on SCT:

  • Microsoft 365 Apps for Enterprise
  • Microsoft Edge
  • Windows Update

There is a Microsoft Security Baselines official community and an official blog.

CIS Benchmarks

CIS (Center for Internet Security) is a non-profit organization promoting protection against cyber threats. It is based in New York, USA.

There are CIS Benchmarks on different topics, including OS. You can find them on this link.

CIS Benchmarks relevant to Windows desktop can be found on this link.

NIST features CIS Benchmarks on its website.

NIST Windows 10 STIG Checklist

The Windows 10 STIG (Security Technical Implementation Guide) is a configuration standard developed by the Defense Information Systems Agency (DISA) to secure US Department of Defense (DoD) information systems. NIST lists it as a checklist in its National Checklist Program, and it can be used by any organization.

As of August 2022, its latest version is Version 2, Release 4 (released 8-Jun-2022). It can be downloaded from this link.

CCN-STIC Guides

CCN (National Cryptologic Center, from the Spanish Centro Criptológico Nacional) is a public body of Spain, dependent on the CNI (National Intelligence Center, from the Spanish Centro Nacional de Inteligencia), the official Spanish intelligence agency.

CCN publishes a set of guides, referred to as CCN-STIC (from the Spanish Seguridad de las Tecnologías de Información y Comunicaciones), with guidelines and recommendations on cybersecurity. They are oriented towards Spanish public administrations and the citizens and organizations that work with them.

CCN-STIC guides are grouped in series. The existing series are listed on this link.

The 500 series covers Windows environments and can be found on this link.

Guides relevant to Windows desktop:

 

A different annex applies depending on scenario:

  • CCN-STIC-599A18
    • A: Pro/Enterprise in ENS
    • B: LTSC in classified networks
  • CCN-STIC-599A19
    • A: LTSC in ENS
    • B: LTSC in classified networks
    • C: Pro/Enterprise in ENS
    • D: Pro/Enterprise in classified networks

Basics

Windows 10 editions (in ascending order of cost, customization and functionality):

  • Home
  • Professional (Pro)
  • Enterprise
  • Others (like Education, etc.)

Update Channels:

  • Windows Insider.
  • Semi-Annual Channel (Targeted), formerly known as Current Branch (CB). Devices receive a new version as soon as it has been validated through the Windows Insider program. These updates can still be deferred by policy.
  • Semi-Annual Channel, formerly known as Current Branch for Business (CBB). Devices receive the same builds about four months after the Targeted channel; it is technically identical to Semi-Annual (Targeted), just delayed.
  • LTSC, formerly known as Long-Term Servicing Branch (LTSB): long servicing lifetime (10 years for releases up to LTSC 2019, 5 years for LTSC 2021) with no feature updates.

If you need to ascertain your update channel, check this link.

Types of updates:

  • Quality Updates
  • Feature Updates
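To tell which edition, channel and update level a machine is on without relying on the link above, the registry already holds the answer. The function below is an added example, not from the original post. It assumes that LTSC editions carry an EditionID containing “EnterpriseS”, that the Windows Update policy values exist only when Group Policy or MDM set them, that the BranchReadinessLevel codes are the ones documented for the Windows 10 1709-era policy (16 = Semi-Annual Channel (Targeted), 32 = Semi-Annual Channel), and that EnablePreviewBuilds under the WindowsSelfHost key marks Insider enrollment; treat those last two as assumptions to verify on your build.

```powershell
# Added example (not from the original post): derive edition, servicing channel
# and update level from the registry. Assumptions: LTSC EditionIDs contain
# "EnterpriseS"; WindowsUpdate policy values exist only when set by GPO/MDM;
# BranchReadinessLevel 16/32 = Semi-Annual (Targeted)/Semi-Annual (1709-era
# documentation); EnablePreviewBuilds=1 under WindowsSelfHost marks Insider.
function Get-WindowsServicingInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $ih = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WindowsSelfHost\Applicability' -ErrorAction SilentlyContinue

    $channel =
        if ($cv.EditionID -match 'EnterpriseS')      { 'LTSC (no feature updates)' }
        elseif ($ih.EnablePreviewBuilds -eq 1)       { 'Windows Insider' }
        elseif ($wu.BranchReadinessLevel -eq 32)     { 'Semi-Annual Channel (policy)' }
        elseif ($wu.BranchReadinessLevel -eq 16)     { 'Semi-Annual Channel (Targeted) (policy)' }
        else                                         { 'Semi-Annual (no channel policy set)' }

    # Feature update level = DisplayVersion (ReleaseId on builds before 20H2);
    # quality update level = build number plus UBR (update build revision)
    $feature = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    $recent  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
               Select-Object -First 3 | ForEach-Object { "$($_.HotFixID) $($_.Description) ($($_.InstalledOn.ToShortDateString()))" }

    [pscustomobject]@{
        Edition            = $cv.EditionID
        Channel            = $channel
        FeatureUpdate      = $feature
        QualityUpdateLevel = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        FeatureDeferDays   = $wu.DeferFeatureUpdatesPeriodInDays
        QualityDeferDays   = $wu.DeferQualityUpdatesPeriodInDays
        RecentHotfixes     = $recent -join '; '
    }
}

Get-WindowsServicingInfo | Format-List
```

The UBR value is the quickest way to confirm that the latest quality update is actually installed: compare it with the build revision quoted in the Windows release health page for your feature version.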

You might also be interested in…


pmgallardo

About pmgallardo

I studied Computer Science at University of Salamanca. Since then, I have been working first as developer and then as SAP consultant. This blog is about problems I dealt with when using computers, and more important, the solutions I found. Whenever I am on an issue and suddenly I have a flash that leads me to a solution, I document my discoveries in a post.

