Guidance

EUD Security Guidance: Windows 10

Created:  06 Mar 2017
Updated:  06 Mar 2017
Secure configuration for devices running Windows 10 1607 “Anniversary Edition”

About this guidance 

This guidance has been updated for the 1607 “Anniversary Edition” of Windows 10 Enterprise, building on the previous ALPHA guidance. It has also been tested on the latest Windows Insider Preview Build (Creators Update).

Testing was performed on a Windows Hardware Certified device, running Windows 10 Enterprise, Current Branch. The hardware was a Dell XPS 13, managed with Active Directory on Server 2016. This guidance is not applicable to Windows devices managed via an MDM or Windows To Go.

It's important to remember that this guidance has been conceived as a way to satisfy the 12 End User Device Security Principles. As such, it consists of recommendations and should not be seen as a set of mandatory instructions requiring no further thought.

Risk owners and administrators should agree a configuration which balances business requirements, usability and security.

Risk owners’ summary

We recommend the following architectural choices for Windows 10:

  • All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic, and to allow the devices and data on them to be protected by enterprise protective monitoring solutions.
  • Arbitrary third party application installation by users is not permitted on the device. Applications should be authorised by an administrator and deployed via a trusted mechanism.
  • Most users should have accounts with no administrative privileges. Users that require administrative privileges should use a separate unprivileged account for email and web browsing. It is recommended that local administrator accounts have a unique strong password per device.

When configured in this way, risk owners should be aware of the following technical risks associated with this platform:

Associated security principle

Explanation of risks

Secure boot

Windows 10 can support secure boot, but is dependent on supported and correctly configured hardware

 

Administrators’ deployment guide

Overview

To meet the principles outlined in the End User Devices Security Framework, several recommendations are given in the table below.

Security principle

Explanation

Assured data-in-transit protection

Use the new Windows 10 Built-In VPN Client configured as per the CPA customisation guide (available via NCSC Enquiries).

Configure the built-in Windows firewall to block outbound connections when the VPN is not active. An example firewall profile is provided in the Firewall configuration section.

Use certificates for user or machine credentials. It is recommended that Windows Key Attestation or Windows Hello for Business is used to bind these credential to the device’s hardware.

Alternatively, use DirectAccess or the legacy IKEv2 IPsec clients configured as per the CPA customisation guide or a third party, correctly configured, CPA Foundation grade VPN app which makes use of the UWP (Universal Windows Platform) VPN plug-in platform.

Assured data-at-rest protection

Use one of the following configurations to provide full volume encryption:

  • BitLocker with a TPM and PIN configured in alignment with the BitLocker configuration settings.
  • An independently assured CPA Foundation Grade, Data at Rest encryption product that supports UEFI and Windows Secure Boot, configured in alignment with the security procedures for that product.

If using BitLocker, deploy the configuration settings before encryption is started.

BitLocker is not Foundation Grade certified. However, NCSC has determined that the level of protection it provides is equivalent to Foundation Grade when configured as per this guidance.

“Device Encryption” introduced for Connected Standby devices in Windows 10 does not allow the use of a passphrase to unlock the disk and so does not support some of the mandatory requirements expected from assured disk encryption products. BitLocker, or an evaluated third party product, should be used instead.

Authentication

The user implicitly authenticates to the device by decrypting BitLocker on boot.

The user then has a secondary credential to use when authenticating to the platform after boot and when unlocking the device. A good user experience will be achieved by enabling Windows Hello and allowing the user to log in with a PIN code. For both Windows Hello and traditional passwords, the credential derives a key which protects other credentials that give access to corporate services.

In an enterprise environment, the user will also be issued with an Active Directory credential which will be required when they use a device for the first time. This credential will be best protected if Credential Guard is enabled, the user is a member of the Protected Users group on the domain and that domain is running 2016 Functional Domain Level.

Windows Hello also permits biometric unlock of devices but the strength of its security is difficult to measure. In cases where there is a business requirement to use biometric authentication, and the risks of doing so are understood, biometric authentication can be enabled.

Accounts with administrative privileges should only be present on End User Devices used to perform administrative functions and should take advantage of the Restricted Admin feature of Remote Desktop Connections. User accounts with administrative privileges should have a strong password and ideally a second factor to authenticate them to the platform at logon and unlock time. The credentials will be best protected if the administrative user is a member of the Protected Users group on the domain, and have Authentication Policy Silos applied.

Microsoft provides guidance on the use of administrative workstationsdelegation of privilege and other good administrative practices.

Secure boot

On Windows 10, this requirement is met on a correctly configured platform deployed on Hardware Compatibility Program.

A UEFI password can make it more difficult for an attacker to modify the boot process. With physical access, the boot process can still be compromised.

Platform integrity and application sandboxing

No configuration is required.

Application whitelisting

An enterprise configuration can be applied to implement application control using AppLocker. A recommended sample configuration that only allows Administrator-installed applications to run is provided below.

Device Guard can also be used to reinforce application control rules. As it is more complex to configure and maintain, it is not currently recommended for most deployments.

AppLocker can be used to restrict which pre-installed Windows Apps are available to users, and if the public Windows Store is enabled it can control which applications a user can install.

Malicious code detection and prevention

Windows 10 includes Windows Defender and Windows SmartScreen that attempt to detect malicious code for this platform. Cloud sample submission can be disabled. Alternatively, third party anti-malware products are available. If using a third party product, those that implement the Anti-Malware Scan Interface (AMSI) should be preferred to improve compatibility with future Feature Updates.

The Early Launch Anti-Malware (ELAM) driver provides signature checking for known bad drivers on ELAM compliant systems that are configured to use Secure Boot.

Windows Store for Business or a Company Store can be used to distribute user-installable universal apps. Such stores should only contain vetted apps. If the public Windows Store is enabled, AppLocker can be used to control which applications a user is able to install. Content-based attacks can be filtered by scanning capabilities in the enterprise.

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) should be used to help prevent vulnerabilities in older software from being successfully exploited.

Security policy enforcement

Settings applied through Group Policy cannot be modified by unprivileged users.

It is possible to manage Windows 10 using MDM policies, however, only a subset of the configurations implemented below as Group Policy are currently available. While it is therefore not currently recommended, if you choose to use an MDM, pick one that uses the built-in Windows MDM management client, instead of one that requires extra software to be installed on the device.

External interface protection

Interfaces can be configured using group policy. USB removable media can be blocked through Group Policy if required. Direct Memory Access (DMA) is possible from peripherals connected to some external interfaces including FireWire and Thunderbolt unless disabled through group policy as detailed below, or in the UEFI/BIOS. With Windows 10 Connected Standby devices, part of the hardware compliance mitigates DMA attacks by disallowing these interfaces.

Device updates

Windows Update can automatically download and install updates. If the Windows Store is enabled, it should be configured to automatically update Windows Store apps.

Some devices will allow the UEFI firmware to be updated automatically via Windows Update. Devices that do not implement this will require updates via another mechanism whenever a new firmware is released.

Windows Update for Business or Windows Server Update Services (WSUS) can optionally be used to monitor and enforce updates of the core platform, system firmware and any Windows applications.

Event collection

Event collection can be carried out using Windows Event Forwarding for central event log collection.

Incident response

The combination of BitLocker drive encryption and enterprise revocation of user credentials are appropriate for managing this security recommendation.

 

Recommended network architecture

All remote or mobile working scenarios should consider using a typical remote access architecture based on the Walled Garden Architectural Pattern. The following network diagram describes the recommended architecture for this platform. The remote device will need  Active Directory access in order to authenticate and retrieve group policy.

Windows 10 architecture

Figure 1: Recommended walled garden network architecture for Windows 10 deployments

Alternatively, consider a reduced presentation layer that allows direct access from the VPN gateway to internal services via the internal firewall. This is the same architecture proposed for use in the DirectAcess CPA Customisation Guide. The inner firewall should be used to restrict access where possible. The risk of allowing more direct access to the core network can be reduced by binding the authentication certificate to the end user device, ensuring that it is only possible for legitimate devices to connect.

Windows 10 DirectAccess

Figure 2: DirectAccess architecture for Remote Access

Preparation for deployment

The steps below should be followed to prepare your organisational infrastructure to host a deployment of these devices:

  1. Procure, deploy and configure network components, including an approved IPsec VPN Gateway.
  2. Configure the Microsoft Deployment Toolkit to deploy your organisation's standard desktop build, using a clean Windows 10 Enterprise image. For larger deployments, include credential management tools such as LAPS and MBAM.
  3. Create Group Policies for user and computer groups in accordance with the settings later in this section, ensuring that the Microsoft Baseline settings have the lowest precedence when being deployed.
  4. Deploy an AppLocker rule set using Group Policy following guidance in Application Whitelisting. A sample configuration which allows only applications installed by an Administrator to run, is outlined in the Group Policy settings below.
  5. Create Event Forwarding Subscriptions and configure Group Policy to forward at least AppLocker, Application, System and Security logs that have a level of Critical Error or Warning, to an event management system as per NSA guidance.
  6. Configure user groups according to the principle of least privilege. Where available, configure these users to be in the Protected Users group and apply Restricted Admin and Authentication Policy Silos to privileged users.

 

Device provisioning steps

The steps below should be followed to provision each end user device onto your organisation’s network, preparing it for distribution to end users:

  1. Update the system firmware to the latest version available from the vendor. This may be called a UEFI or BIOS update.
  2. Configure the system firmware to boot in UEFI mode, enable TPM, Secure Boot and virtualisation extensions. Disable unused hardware interfaces, check the boot order to prioritise internal storage and set a password to prevent changes. Most of these settings will be pre-configured on a Windows Hardware Compatibility Program device.
  3. Install a clean version of Windows from a known good source.
  4. Deploy the most recent version of EMET (5.52 at the time of writing) and configure it using Group Policy configuration given below.

 

Recommended policies and settings

This section details important security policy settings which are recommended for a Windows 10 deployment. Other settings (e.g. server address) should be chosen according to the relevant network configuration.

Remember, any guidance points given here are recommendations - they are not mandatory. Risk owners and administrators should agree a configuration which balances business requirements, usability and the security of the platform. 

Settings not listed in this section are either not applicable to this mode or should be chosen according to your organisational policy and requirements.

Microsoft baselines

The configuration below builds on the enterprise baselines distributed by Microsoft with the Security Compliance Manager tool. It has been tested to work with the Windows 10 version 1607 baseline configurations.

You should use the following Microsoft baseline GPO settings:

  • Windows 10 (1607) BitLocker (C)
  • Windows 10 (1607) Credential Guard
  • Windows 10 (1607) Computer Security Baseline (C)
  • Windows 10 (1607) Windows Defender (C)
  • Windows 10 (1607) User Security Baseline (U)
  • Internet Explorer 11 - User* 
  • Internet Explorer 11 - Computer* 

These should be used in combination with the custom NCSC GPO settings described throughout this document. For easy configuration, the full set of NCSC GPO settings are also available in a zip file. 

* Security baselines for web browsers are not needed if Internet Explorer is removed from the provisioned Enterprise image. The suggested Internet Explorer 11 baselines are used to attempt to mitigate some of the risks of using IE11 that are mitigated by default in more modern web browsers. 

The US Information Assurance Directorate publishes a sample EMET configuration that mitigates common attack vectors including those that exploit weaknesses in Office and AppLocker.

User account hardening

Group Policy

Value(s)

Computer Configuration > Administrative Templates > Network > Network Connections > Require domain users to elevate when setting a network’s location

Enabled

Computer Configuration > Administrative Templates > Windows Components > Credential User Interface > Do not display the password reveal button

Enabled

Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage

Enabled

Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync

Enabled

Allow users to turn syncing on: Disabled

Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana

Disabled

Computer Configuration > Administrative Templates > Windows Components > Search > Don’t search the web or display web results in Search

Enabled

Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

Enabled

User Configuration > Administrative Templates > Control Panel > Personalization > Screen saver timeout

600 seconds

Computer Configuration > Administrative Templates > System > Logon > Turn off picture password sign-in

Enabled

Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > Use a hardware security device

Enabled

 

Authentication policy

Your organisation should have a consistent authentication policy which applies to all users and devices capable of accessing its data. You can use our published password guidance to help inform any password policy.

An administrator should configure the relevant on-device settings in line with your authentication policy.

For further guidance on authentication policies, see the NCSC EUD Authentication guidance.

Windows 10 Enterprise implements a number of relevant settings as Fine Grained Password Policies that should be configured on the Domain Controller.

Group Policy

Value(s)

CN=System > CN=Password Settings Container > CN=Granular Password Settings Users

Precedence: 2

Enforce minimum password length

Enforce lockout policy

Account will be locked out: Until an administrator manually unlocks the account

Directly Applies To: Domain Users

CN=System > CN=Password Settings Container > CN=Granular Password Settings Administrators

Precedence: 1

Enforce minimum password length

Password must meet complexity requirements

Enforce lockout policy

Account will be locked out: Until an administrator manually unlocks the account

Directly Applies To: Domain Admins

Protect from accidental deletion: Enabled

Active Directory

A user’s Active Directory password will normally only be used when enrolling against a device for the first time. It is not backed by a second factor or by hardware-backed anti-hammer, even when Credential Guard is deployed. Different requirements can be set for different account types using Fine Grained Password Policies. If the Active Directory password is only used for device enrolment, it needs to be easy to type in but does not need to be memorable.

Windows Hello and Hardware Strengthening

The user should log in to a device or unlock it using Windows Hello or Windows Hello for Business (previously known as Microsoft Passport). This is a new type of user credential that is tied to the physical device using a PIN or biometric. When run on Windows 10 Certified devices, it provides hardware-backed anti-hammer. Windows Hello should only be enabled on devices that use a hardware security device.

Users can choose to set a PIN after they have logged on to the device for the first time. A number of group policies can be used to configure the PIN requirements including:

Group Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business

Use Windows Hello for Business

PIN Complexity > Maximum PIN length

PIN Complexity > Minimum PIN length

PIN Complexity > Require digits

PIN Complexity > Require lowercase letters

PIN Complexity > Require special characters

PIN Complexity > Require uppercase characters

Once a PIN is set, if the device has the right sensors the user can also enrol a biometric to unlock it. The strength of the security of the different types of biometric sensor is difficult to measure. If the risks of enabling biometrics are understood and accepted, biometric authentication can be enabled.

Group Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business

Use Biometrics

Organisations that are not using Windows Hello for Business still have the option to set a “Convenience PIN” (formerly known as “Windows Hello PIN”). By default, in the Anniversary (1607) release any domain joined client will have this option disabled, any client with this option already enabled before updating will still have the option to sign in with the Convenience PIN. To enable:

Group Policy

Value(s)

Computer Configuration > Administrative Templates > System > Logon > Turn on convenience PIN sign-in

Enabled

The configuration provided in this guidance enables Virtual Secure Mode and Credential Guard on supported devices. Biometrics should not be used unless these features are installed and enabled. Biometrics are enabled by default on Windows 10, so group policy should be used to disable biometrics if they are not being used. For more information see Microsoft’s paper on credential guard.

System hardening

Group Policy

Value(s)

Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS > Send file samples when further analysis is required

Disabled

Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry

Enabled:

0 - Security

Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting

Enabled

Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Prevent installation of devices that match these device IDs

Enabled: PCI\CC_0C0A

Also apply to matching devices that are already installed: Disabled

Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Prevent installation of drivers matching these device setup classes

Enabled:

d48179be-ec20-11d1-b6b8-00c04fa372a7

7ebefbc0-3200-11d2-b4c2-00a0C9697d07

c06ff265-ae09-48f0-812c-16753d7cba83

d48179be-ec20-11d1-b6b8-00c04fa372a7

6bdd1fc1-810f-11d0-bec7-08002be2092f

Also apply to matching devices that are already installed: Disabled

Computer Configuration > Preferences > Windows Settings > Registry > Replace > HKLM\SYSTEM\CurrentControlSet\Control\PnP\Pci (DWORD) DisableExternalDMAUnderLock = 1

Computer Configuration > Administrative Templates > Windows Components > Store > Turn off Automatic Download and Install of updates

Disabled

Computer Configuration > Administrative Templates > Windows Components > App runtime > Block launching Windows Store apps with Windows Runtime API access from hosted content.

Enabled

Computer Configuration > Administrative Templates > Network > Network Isolation > Proxy definitions are authoritative

Enabled

Computer Configuration > Administrative Templates > Network > Network Isolation > Subnet definitions are authoritative

Enabled

Computer Configuration > Administrative Templates > Windows Components > Portable Operating System > Windows To Go Default Startup Options

Disabled

Computer Configuration > Preferences > Windows Settings > Registry > Replace > HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\

(DWORD) SafeModeBlockNonAdmins = 1

Group Policy can be used to limit user access to removable media such as USB mass storage devices, if required by organisational policy. The settings can be found in Computer Configuration > Administrative Templates > System > Removable Storage Access.

Group Policy can also be used to fully whitelist all devices or device classes which are allowed to be installed. In this way you could allow, for example, basic peripherals such as mice, keyboards, monitors and network cards, but refuse the connection and installation of other devices. It is important to whitelist enough classes of device to allow a successful boot on a variety of hardware.

Details on how to enable whitelisting of specific devices can be found on MSDN.

Windows Defender configuration

If using Windows Defender, configure it to enable cloud-backed protections while limiting its ability to send sensitive data for analysis.

Group Policy

Value(s)

Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS > Configure the ‘Block at First Sight’ feature

Enabled

Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS > Join Microsoft MAPS

Enabled: Advanced

Computer Configuration > Administrative Templates > Windows Components > Windows Defender > MAPS > Send file samples when further analysis is required

Enabled: Send safe samples automatically

Computer Configuration > Administrative Templates > Windows Components > Windows Defender > Real-time Protection > Turn off real-time protection

Disabled

AppLocker configuration

This example set of AppLocker rules implements the principle outlined in Enterprise Considerations below. It can be modified to allow the user to install and run apps from either an enterprise software center or the Windows Store.

Scripting languages such as Visual Basic Scripting and should be disabled unless they are specifically needed. The Australian Cyber Security Center describe how to secure Powershell in the enterprise if it is to be used.

Group Policy

Value(s)

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > Executable Rules

Configured: True Enforce Rules

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules

Allow Everyone: All files located in the Program Files folder

 

Allow Everyone: All files located in the Windows folder - with exceptions

Exception: %SYSTEM32%\com\dmp\*

Exception: %SYSTEM32%\FxsTmp\*

Exception: %SYSTEM32%\Spool\drivers\color\*

Exception: %SYSTEM32%\Spool\PRINTERS\*

Exception: %SYSTEM32%\Spool\SERVERS\*

Exception: %SYSTEM32%\Tasks\*

Exception: %SYSTEM32%\PresentationHost.exe

Exception: %SYSTEM32%\microsoft\crypto\rsa\machinekeys\*

Exception: %SYSTEM32%\mshta.exe

Exception: %SYSTEM32%\wbem\WMIC.exe

Exception: %SYSTEM32%\cipher.exe

Exception: %WINDIR%\tasks\*

Exception: %WINDIR%\temp\*

Exception: %WINDIR%\tracing\*

Exception: %WINDIR%\registration\crmlog\*

Exception: %WINDIR%\servicing\packages\*

Exception: %WINDIR%\servicing\sessions\*

Exception: %Microsoft.NET%\Framework64\v2.0.50727\IEExec.exe

Exception: %Microsoft.NET%\Framework64\v2.0.50727\InstallUtil.exe

 

Allow Administrators: All files

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > Windows Installer Rules

Configured: True Enforce Rules

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Windows Installer Rules

Allow Administrators: All Windows Installer files

 

Allow Everyone: %WINDIR%\Installer\*

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > Script Rules

Configured: True Enforce Rules

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Script Rules > Enforce rules of this type

Allow Everyone: All Scripts located in the Program Files folder

 

Allow Everyone: All Scripts located in the Windows folder - with exceptions

Exception: %SYSTEM32%\com\dmp\*

Exception: %SYSTEM32%\FxsTmp\*

Exception: %SYSTEM32%\Spool\drivers\color\*

Exception: %SYSTEM32%\Spool\PRINTERS\*

Exception: %SYSTEM32%\Spool\SERVERS\*

Exception: %SYSTEM32%\Tasks\*

Exception: %WINDIR%\registration\crmlog\*

Exception: %WINDIR%\tasks\*

Exception: %WINDIR%\temp\*

Exception: %WINDIR%\tracing\*

Exception: %WINDIR%\servicing\packages\*

Exception: %WINDIR%\servicing\sessions\*

Exception: %SYSTEM32%\microsoft\crypto\rsa\machinekeys\*

 

Allow Administrators: All scripts

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > DLL Rules

Configured: True Enforce Rules

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > DLL Rules

Allow Everyone: All DLLs located in the Program Files folder

 

Allow Everyone: All DLLs located in the Windows folder - with exceptions

Exception: %SYSTEM32%\com\dmp\*

Exception: %SYSTEM32%\FxsTmp\*

Exception: %SYSTEM32%\Spool\drivers\color\*

Exception: %SYSTEM32%\Spool\PRINTERS\*

Exception: %SYSTEM32%\Spool\SERVERS\*

Exception: %SYSTEM32%\Tasks\*

Exception: %SYSTEM32%\microsoft\crypto\rsa\machinekeys\*

Exception: %WINDIR%\registration\crmlog\*

Exception: %WINDIR%\tasks\*

Exception: %WINDIR%\temp\*

Exception: %WINDIR%\tracing\*

Exception: %WINDIR%\servicing\packages\*

Exception: %WINDIR%\servicing\sessions\*

 

Allow Administrators: All DLLs

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > Packaged app Rules

Configured: True Enforce Rules

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged app rules

Allow Everyone: All signed packaged apps

Exception: Microsoft.Getstarted

Exception: Microsoft.MicrosoftOfficeHub

Exception: Microsoft.SkypeApp

Exception: Microsoft.WindowsFeedback

BitLocker configuration

The following settings should be configured to use full volume encryption in TPM and PIN mode.

Group Policy

Value(s)

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Enforce drive encryption type on operating system drives

Enabled

Select the encryption type: Full encryption

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup

Enabled

Allow BitLocker without a compatible TPM (Requires a password or startup key on a USB flash drive): Unticked

Configure TPM startup: Do not allow TPM

Configure TPM startup PIN: Allow startup PIN with TPM

Configure TPM startup key: Do not allow startup key with TPM

Confgure TPM startup key and PIN: Allow startup key and PIN with TPM

The BitLocker PIN should be in line with your organisation’s password policy. NCSC has published password guidance to inform this. Please contact us if you need help devising an appropriate password policy. Deployments that include fixed-location workstations may prefer to use BitLocker Network Unlock as an alternative to a PIN.

Users can change the PIN after they have logged on to the device for the first time. A number of group policies can be used to configure the PIN requirements including:

Group Policy > Computer Configuration > Administrative Templates > Windows Components > Operating System Drives

Allow enhanced PINs for startup

Configure minimum PIN length for startup

Configure use of passwords for operating system drives

 

EMET configuration

Group Policy

Value(s)

Computer Configuration > Administrative Templates > Windows Components > EMET > Default Action and Mitigation Settings

Enabled

Deep Hooks: Enabled

Anti Detours: Enabled

Banned Functions: Enabled

Exploit Action: Stop Program

Computer Configuration > Administrative Templates > Windows Components > EMET > System DEP

Enabled

DEP Setting: Always On 

Group Policy should be used to apply EMET to Enterprise applications which render untrusted data, such as those which are Internet facing. The required settings can be found in Computer Configuration > Administrative Templates > Windows Components > EMET > Application Configuration.

Windows 10 now receives regular patches and feature updates. The security features that were initially part of EMET are making their way into Windows 10 by default. With this in mind, Microsoft recently announced end-of-life for EMET and therefore will be stopping support by the end of July 2018 (see Microsoft’s blog). As with all unsupported software, after this date EMET should be removed. Until then, it is recommended to continue deploying EMET. We believe EMET will continue to add value until around the end of 2017, after which, organisations should begin migrating away from it. Once end-of-life has been reached, this guidance will be updated to reflect the changing recommendation.

Firewall configuration

This firewall configuration is used to enforce the use of an always-on VPN.

You may also need to add rules to allow your VPN client to make outbound connections when the device is in either a public or private profile. Sample rules are provided with the CPA configuration guide.

If you need to add firewall exceptions to allow for remote management, they should only be applied to the Domain profile.

Group Policy

Value(s)

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Domain Profile

Firewall State : On (Recommended)

Inbound connections : Block (default)

Outbound connections : Allow (default)

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Domain Profile > Settings > Customize > Apply local firewall rules

No

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Private Profile

Firewall State : On (Recommended)

Inbound connections : Block (default)

Outbound connections : Block

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Private Profile > Settings > Customize > Apply local firewall rules

No

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Public Profile

Firewall State : On (Recommended)

Inbound connections : Block (default)

Outbound connections : Block

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Public Profile > Settings > Customize > Apply local firewall rules

No

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules

Enabled

 

Allow outbound DHCP

General > Action: Allow the connection

Programs and Services > Programs > This Program > %SystemRoot%\system32\svchost.exe

Allow Programs and Services > Service > Apply to this service > DHCP Client (Dhcp)

Advanced > Profiles: Private, Public

Protocols and Ports > Local port: UDP 68

Protocols and Ports > Remote port: UDP 67

 

Allow outbound DNS

General > Action: Allow the connection

Programs and Services > Programs > This Program > %SystemRoot%\system32\svchost.exe

Allow Programs and Services > Service > Apply to this service > DNS Client (Dnscache)

Advanced > Profiles: Private, Public

Protocols and Ports > Remote port: TCP 53, UDP 53

 

Allow outbound Kerberos

General > Action: Allow the connection

Programs and Services > Programs > This Program > %SystemRoot%\system32\lsass.exe

Advanced > Profiles: Private, Public

Protocols and Ports > Remote port: All TCP and UDP ports

 

Allow outbound LDAP

General > Action: Allow the connection

Programs and Services > Programs > This Program > All programs that meet the specified conditions

Advanced > Profiles: Private, Public

Protocols and Ports > Remote port: TCP 389, UDP 389

 

Allow outbound NCSI Probe

General > Action: Allow the connection

Programs and Services > Programs > This Program > %SystemRoot%\system32\svchost.exe

Allow Programs and Services > Service > Apply to this service > Network Location Awareness (NlaSvc)

Advanced > Profiles: Private, Public

Protocols and Ports > Remote port: TCP 80

 

VPN configuration

The deployed VPN should be configured according to NCSC's IPsec Guidance. If using either the Windows 10 Built-In VPN Client, the legacy IKEv2 IPsec VPN client or the DirectAccess client, they should be configured using the CPA customisation guides which are available via NCSC enquiries.

These configurations differ slightly from that of other End User Devices (which follow the PRIME profile) as the profile is not completely supported by Windows 10. A secondary VPN server or configuration may therefore need to be configured to run in parallel if other devices are being deployed.

The recommended IPsec cipher suite profile for protecting information is called PRIME and requires a PKI infrastructure configured to support Elliptic Curve cryptography. A non-authoritative summary is provided in the table below: 

IKEv2

Selection

Encryption AES with 128-bit keys in GCM-128 mode
Pseudo-Random Function

HMAC-SHA-256 (RFC4868)

Diffie-Hellman Group Group 19 256-bit random ECP (RFC5903)
Authentication X.509 certificates with ECDSA signatures (256-bit) on the P-256 curve and SHA-256 (RFC4945 and RFC4055)

ESP

Selection

Encryption AES with 128-bit keys in CBC mode (RFC3602)
Integrity SHA-256 (RFC4846)

If you are using a third-party VPN client, you should prefer one that has been built on top of the Windows 10 UWP VPN plug-in platform. These will likely integrate better into the platform and be more reliable, as the Windows platform is regularly updated.

Enterprise considerations

The following points are in addition to the common enterprise considerations and contain specific issues for Windows 10 deployments.

Windows 10 feature updates

The Windows 10 servicing model upgrades the platform every 6 or so months. These are sometimes called “feature updates”.  Only currently supported releases will receive security patches.

The NCSC recommends that the best balance between usability and reliability will be met by Current Branch for Business servicing. Enterprises can run a pilot with a subset of their users and devices on the Current Branch and Insider builds to allow them to identify compatibility issues in advance of the majority of users receiving the same feature updates.

When choosing third party products that alter the behaviour of the platform (such as VPN clients, anti-malware tools, management agents and auditing tools), it is important to consider that these may also need to be updated to remain compatible with newer versions of Windows 10. Products are more likely to be supported on future versions of Windows 10 if they use legitimate API’s such as the Anti-Malware Scan Interface and the Windows Runtime API for VPN’s.

This guidance may be updated in the future to cover significant new features in Windows 10 if they can improve the usability of the platform, while best addressing each of the security recommendations. The Windows 10 Long Term Servicing Branch is designed for devices that never change, such as medical equipment and components in industrial control systems. It should not be deployed on OFFICIAL End User Devices that are used to browse the web or use enterprise productivity software.

Device selection

Windows 10 can run on a wide variety of device types with a wide variety of internal hardware. Many of the newer Windows security mitigations require the device to have specific hardware components and for them to be turned on.

Even if you are not deploying these mitigations at the moment, you should seek to buy a Windows Hardware Compatibility Program device that support TPM 2.0, UEFI v2.3.1 or higher and have a processor with virtualisation extensions.

The NCSC recommends devices that support InstantGo. Devices that are InstantGo certified will not have ports that allow DMA access and will have TPM 2.0 or later. InstantGo will maintain network connectivity when your screen is off in standby mode and will automatically have device encryption enabled.

If you are using Windows Hello with biometric authentication, you will need to buy special hardware, see Microsoft's blog for more information. 

Device firmware

You should ensure that devices are configured to boot from UEFI with Secure Boot enabled when initially installing Windows 10 – even if you choose to not configure some of the features that require it. This will make future version upgrades and adoption of those features easier at a later date.

The Windows 10 Secure Boot process (on supported and correctly configured hardware) alerts a user when an attempt to subvert the security controls has taken place. It is important that users know how to identify and respond to this alert.

Firmware updates can be automated via Windows Update and you should prefer devices that support this. If your OEM (original equipment manufacturer) is not choosing to use that mechanism, you will need to periodically check with them to see what the most recent version of the firmware is and how to deploy it across an enterprise

Application whitelisting

When configuring additional application whitelists for a Windows device, it is important that the following conditions are considered:

  • Users should not be allowed to run programs from areas where they are permitted to write files.
  • Care should be taken to ensure that application updates do not conflict with whitelisting rules.
  • Applications should be reviewed before being approved enterprise-wide, to ensure they don’t undermine application whitelisting. This is especially important for scripting languages which have their own execution environment.

The suggested AppLocker configuration in this guidance will implement those rules if using software that adheres to the requirements of Microsoft’s Desktop App Certification Program. If the rules do need to be customised, follow Microsoft's Design Guide to minimise the impact to the operation of the enterprise.

Universal applications

The configuration given above prevents users from accessing the Windows Store to install applications, but an organisation can still host its own store to distribute in-house applications to their employees if required. This can be implemented either using the Windows Store for Business in the cloud, or via a Company Store app deployed to devices.

If the Windows Store is enabled, users should explicitly use their corporate Microsoft ID to sign into the Store app rather than associating their work device with their personal Microsoft ID. AppLocker can be configured to only allow installation of apps that are on an enterprise-configured “allow” list. The Windows Store can be configured to automatically update any installed Universal applications. The same mechanism can also be used to remove Universal Apps that come with Windows – ones that the user is not allowed to run will be disallowed and removed from the Start menu.

Desktop applications

Enterprise software that handles data downloaded from the Internet needs additional protections.

Application sandboxing and content rendering controls should be considered essential. For applications such as Microsoft Office, or Adobe Acrobat, the use of their enterprise security controls should be considered. These security controls aim to help protect the end user when processing these potentially malicious files.

As well as providing a trusted platform to run enterprise web apps, modern web browsers have to process a wide variety of rich content from the Internet – some of which must be considered untrustworthy. You should consider the security controls available when choosing a web browser. If choosing a Microsoft browser, Edge should be preferred, with Internet Explorer only being used for specific website compatibility. If it is feasible, remove Internet Explorer from the installed image.

The update mechanisms built into Windows can be used to deploy and update Microsoft products but cannot keep third party products up to date. Where available, the auto-update mechanism built into third party products should be use to install updates – where this is not available it will be necessary to deploy updates using an enterprise system management service.

Cloud integration

Windows 10 devices do not need to be associated with a Microsoft ID to operate as required within an enterprise. Users should not enable personal, non-enterprise Microsoft ID (Live ID) accounts on the device, as this may allow data to leak through Microsoft cloud services backup and application storage.

However, organisations wishing to use cloud based services such as OneDrive can use the NCSC Cloud Security Guidance to help them understand both the benefits and risks of using online services. 

Was this guidance helpful?

We need your feedback to improve this content.

Yes No