SiSyPHuS Win10: Windows 10 Hardening Guideline

Building on the results obtained in the work packages 2 to 10 a configuration recommendation for the hardening of Windows 10 has been created which covers the following use cases: “normal protection needs domain member” (orig. ger.: “normaler Schutzbedarf Domänenmitglied”, ND), “increased protection needs domain member” (orig. ger.: “hoher Schutzbedarf Domänenmitglied”, HD) and “normal protection needs standalone computer” (orig. ger.: “normaler Schutzbedarf Einzelrechner”, NE).

The recommendation is aimed at advanced users and administrators and is suitable for directly implementing the configuration settings of the operating system.

Important Remark: In the Introduction, the text mistakenly refers to the German language version. For the English versions of the recommendations (Logging Guideline, Hardening Guideline, GPOs for Guidelines), the system in focus was Windows 10 LTSC 2019 64bit, English language.

Table of Contents

1 Introduction
1.1 Executive Summary
2 General Concepts
2.1 Scope
2.2 Scope Conditions
2.3 Definition of the Use Cases
2.4 Impact on Functionalities of the Operating System
3 General Recommendations
3.1 Acquisition of Hardware and Software Through Secure Sources
3.2 Separation of Standard User Accounts and Administrative Accounts
3.3 Implementation of Secure Password Policies
3.4 Secure Password Storage
3.5 No Password Reuse
3.6 Regular Updating of Firmware, Operating System, and Installed Applications
3.7 Installation of Only Necessary Applications and Operating System Components
3.8 Use of Hard Disk Encryption
4 Configuration Recommendations
5 Additional Configuration Recommendations
5.1 (HD) Windows Defender Application Control
5.2 (HD, ND, NE) Virtualization Based Security
5.3 (HD, ND, NE) Trusted Platform Module
5.4 (HD, ND, NE) Windows-Telemetry
5.5 PowerShell and Windows Script Host
5.6 (HD, ND, NE) Firmware
Appendix
Tools Used
Reference Documentation
Abbreviations

Summary

This document and the configuration recommendations it contains are valid for the Microsoft Windows 10 Long Term Servicing Channel (LTSC) operating system, version 2019. The equivalent Semi-Annual Channel (SAC) version is Windows 10, version 1809, which is functionally identical to Windows 10 LTSC 2019 with respect to the kernel and to those components that are included in both versions.
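Because the recommendations are scoped to LTSC 2019 and its SAC equivalent 1809, it is worth confirming that a target machine actually matches that scope before any of the settings or Group Policy objects are applied. The following PowerShell check is an added example and is not part of the guideline; it assumes that both releases report build number 17763 and that the SAC release identifies itself with ReleaseId 1809 and the LTSC release with EditionID EnterpriseS, values read from the standard CurrentVersion registry key.

```powershell
# Added example: verify that the local system is within the scope of the guideline
# (Windows 10 LTSC 2019 or Windows 10 SAC version 1809). Assumption: both releases
# share build 17763; LTSC reports EditionID "EnterpriseS", SAC reports ReleaseId "1809".

function Test-SiSyPHuSScope {
    [CmdletBinding()]
    param(
        # Registry key that carries the version information on every Windows 10 install
        [string]$VersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    )

    $v = Get-ItemProperty -Path $VersionKey

    # Build 17763 is shared by LTSC 2019 and SAC 1809 (assumption stated in the lead-in)
    $buildMatches = ($v.CurrentBuild -eq '17763')

    # Distinguish the two supported channels for reporting purposes
    $isLtsc = ($v.EditionID -eq 'EnterpriseS')
    $isSac1809 = ($v.ReleaseId -eq '1809')

    [PSCustomObject]@{
        ProductName  = $v.ProductName
        CurrentBuild = $v.CurrentBuild
        ReleaseId    = $v.ReleaseId
        EditionID    = $v.EditionID
        Channel      = if ($isLtsc) { 'LTSC' } elseif ($isSac1809) { 'SAC' } else { 'Unknown' }
        InScope      = ($buildMatches -and ($isLtsc -or $isSac1809))
    }
}

# Usage: stop a deployment script early if the host is outside the documented scope
$scope = Test-SiSyPHuSScope
$scope | Format-List

if (-not $scope.InScope) {
    Write-Warning "Host is $($scope.ProductName) build $($scope.CurrentBuild); the SiSyPHuS recommendations were validated for LTSC 2019 / SAC 1809 only."
    exit 1
}
```

The check reads only the registry and changes nothing, so it can be placed at the start of any script that imports the work package 12 Group Policy objects; a host that reports a different build should be tested separately rather than assumed to behave like the validated releases.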

The configuration recommendations are based on the analysis conducted during the project, on security best practices, as well as on expertise by ERNW. All recommendations are both compared against the Center for Internet Security (CIS) Benchmark for Windows 10 Enterprise (Version 1809) as a globally known and widely adopted standard and the recommendations of the Security Baseline for Windows 10 1809 by Microsoft. Deviations from the Security Baseline or the CIS Benchmark are explained and substantiated for the affected settings.

The configuration recommendations for logging described in the following are based on a standard use case scenario, such as using a Windows 10 system for office work. However, the recommendations may also be used as a basis for defining logging configurations for more specific use cases, such as a Windows 10 system used for administrative tasks.

While creating this document, decisions for specific hardening recommendations were led by the following basic principles for increasing system security:

  • Preventing known and widespread attack scenarios that, based on current knowledge, are being actively exploited or have a high probability of being exploited.
  • Reducing the attack surface by disabling unneeded (or outdated) functions and components.
  • Improving data protection by disabling functions and components that rely on cloud services.
  • Improving data protection by preventing unnecessary communication to the vendor as far as possible.
  • Minimizing key security and privacy decisions as well as choices by the user.
  • Enforcing reasonable default settings to prevent modifications by the user.

It is important to note that the recommended hardening settings should not be adopted in a production environment without extensive preliminary testing, as some settings may involve general or, depending on the use case, very specific functional limitations. Furthermore, the recommendations in this document do not cover all configuration parameters of the operating system, but only those that are relevant to improving its security and that fulfill the aforementioned basic principles. The same applies to setting recommendations not adopted from the CIS Benchmark, as some of these settings go beyond the scope of this document.

Logging related configuration recommendations can be found in the document “Configuration Recommendations for Windows 10 Logging” (orig. ger.: “Empfehlung zur Konfiguration der Protokollierung in Windows 10”) of the SiSyPHuS project (work package 10).

The corresponding Group Policy objects for the recommendations regarding logging (work package 10) and hardening (work package 11) are provided as part of work package 12.