SiSyPHuS Win10: Windows 10 Logging Configuration Guideline

Building on the results obtained in the preceding work packages, a configuration recommendation for logging on Windows 10 has been created which makes it possible to detect attempted attacks and unwanted actions of Windows functionalities that threaten the confidentiality, availability or integrity of the IT system. The recommendation is aimed at advanced users and administrators and is suitable for directly implementing the configuration settings of the operating system.

Important Remark: In the Introduction, the text mistakenly refers to the German language version. For the English versions of the recommendations (Logging Guideline, Hardening Guideline, GPOs for Guidelines), the system in focus was Windows 10 LTSC 2019, 64-bit, English language.

Table of Contents

1 Introduction
1.1 Executive Summary
2 General Concepts
2.1 Scope
2.2 Scope Conditions
3 General Recommended Measures
3.1 Time Synchronization
3.2 Central Collection of Logging Data
3.3 Handling of Sensitive Logging Data
4 Configuration Recommendations: System-wide Settings
4.1 Security Options
4.2 Windows Defender Firewall with Advanced Security
4.3 Administrative Templates
5 Configuration Recommendations: Audit Policies and Event Logs
5.1 Account Activity
5.2 Activity of Core System Components
5.3 Configuration Changes
5.4 Network Activity
5.5 Process Activity
5.6 Registry Activity
Appendix
Tools
Event IDs
References
Abbreviations

Summary

This document and the configuration recommendations it contains are valid for the Microsoft Windows 10 Long-Term Servicing Channel (LTSC) operating system, version 2019. The equivalent Semi-Annual Channel (SAC) version is Windows 10, version 1809. It is functionally identical to Windows 10 LTSC version 2019 in terms of both the kernel and the components included in both versions.

The configuration recommendations for logging described in the following are based on a standard use case scenario, such as using a Windows 10 system for office work. However, the recommendations may also be used as a basis for defining logging configurations for more specific use cases, such as a Windows 10 system used for administrative tasks.

The configuration recommendations are based on the analysis conducted during the project, on security best practices, and on ERNW's expertise. All recommendations are compared against both the Center for Internet Security (CIS) Benchmark for Windows 10 Enterprise (Version 1809), as a globally known and widely adopted standard, and the recommendations of the Security Baseline for Windows 10 1809 by Microsoft. Deviations from the Security Baseline or the CIS Benchmark are explained and substantiated for the affected settings.

While creating this document, decisions for specific configuration recommendations were guided by the following basic principles for increasing system security:

  • Collecting data relevant to the detection of known and widespread attack scenarios, so that it can be used in active monitoring to identify attempted and ongoing attacks.
  • Collecting data relevant for the analysis of known and widespread attack scenarios, so that it can be further evaluated in the course of forensic investigations.
  • Collecting relevant data on configuration changes of security-relevant objects and on the function of security-relevant components, so that it can be used during continuous monitoring of the security level of a system.
  • Enforcing settings to prevent modifications by the user.
  • Extending the default configuration to ensure the generation and storage of relevant logging data.
  • Considering data privacy by identifying configurations that may lead to the disclosure of sensitive data in log files.

For this document, the collection of logging data in order to monitor and ensure the operational reliability of a system was not considered. The concrete evaluation of the logged data as part of a monitoring solution is also beyond the scope of this document.

In addition, or alternatively, the configuration recommendations defined in this document can also be partially implemented using Sysmon, which allows for a very fine-grained configuration beyond the capabilities of built-in tools.

Hardening-related configuration recommendations can be found in the document “Configuration Recommendations for Windows 10 Hardening With Built-in Tools” (orig. ger.: “Konfigurationsempfehlungen zur Härtung von Windows 10 mit Bordmitteln”) of the SiSyPHuS project (work package 11).

The corresponding Group Policy objects for the recommendations regarding logging (work package 10) and hardening (work package 11) are provided as part of work package 12.