Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices.
"We sat down and asked ourselves this question: if we didn't know anything at all about your environment, what security policies and security controls would we suggest you implement first?," said Chris Jackson, Principal Program Manager at Microsoft.
The end result was what Microsoft has named the SECCON framework, which organizes Windows 10 devices into one of five distinct security configurations.
"Mimicking the DEFCON levels used to determine alert state by the United States Armed Forces, lower numbers indicate a higher degree of security hardening," Jackson said.
The five possible Windows 10 SECCON security configuration levels are:
Microsoft describes these five security levels as follows:
Enterprise security: We recommend this configuration as the minimum-security configuration for an enterprise device. Recommendations for this security configuration level are generally straightforward and are designed to be deployable within 30 days.
Enterprise high security: We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compatibility, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
Enterprise VIP security: We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (for example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this security configuration level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
DevOps workstation: We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and credential theft attacks that attempt to gain access to servers and systems containing high-value data or where critical business functions could be disrupted. We are still developing this guidance, and will make another announcement as soon as it is ready.
Administrator workstation: Administrators (particularly of identity or security systems) face the highest risk, through data theft, data alteration, or service disruption. We are still developing this guidance, and will make another announcement as soon as it is ready.
For each of these Windows 10 device security levels, Microsoft has published a list of configurations --containing recommended Windows policy settings and values.
Microsoft says the SECCON framework was put together by taking inspiration from the per-device Security Score top recommendations that Microsoft Defender ATP (the commercial version of Windows Defender) shows to its customers.
Feedback from a select group of pilot customers, experts from Microsoft's engineering team, and the Microsoft sales teams also helped shape the SECCON framework.
Windows 10 May 2019 Update: The new features that matter most