German Federal Office for Information Security (German BSI) security recommendations for Windows 10

- Diesen Artikel auf Deutsch lesen. -
Advertisements

The German Federal Office for Information Security (BSI) has published new documents on Microsoft Windows 10 and how to secure it. I looked at the BSI security recommendations for Windows 10 before I wanted to report on them. The background to this is that in the past, publications in this direction were sometimes more than outdated when they were published or they were very superficial.

6d4d6cacf5494d54a682f050936bcc80 German Federal Office for Information Security (German BSI) security recommendations for Windows 10 3

This time it is surprisingly different. Also, this time most of the documents are written in English and only the summaries are in German. This is an advantage in the context of mostly international IT projects. But it will also have ensured that the BSI was able to get international feedback in advance and was not only dependent on German experts.

Selection of versions for the security recommendations for Windows 10

The BSI also focuses on the versions that form the basis for the Windows Server LTSC (i.e. Windows Server 2016 or Windows Server 2019) and the corresponding Windows 10 LTSC versions (also 2016 or 2019). The functional scope of the LTSC versions is limited for server and client. Microsoft does this in order not to have to support insufficiently tested components according to the software lifecyle of 10 or 7 years.

Many settings and functions that are explained and configured in the section for Windows 10 1607 are still valid today. Even if some of them have been slightly modified.

Overview of the topics

The Windows 10 1607 Topics

The Windows 10 1809 Topics

As can be seen from the list (source: BSI, BSI – Studien – SiSyPHuS Win10: Study on system structure, logging, hardening and security functions in Windows 10 (bund.de)), we can expect a few more topics.

Group Policy Objects

The BSI has also made group policy objects available for download as templates for hardening. These have been defined for 3 usage scenarios:

  • Domain member with normal protection requirements
  • Domain member with high protection requirements
  • Individual computer (workgroup) with normal protection requirements

These can also be implemented as a local GPO with the Microsoft tool LGPO.exe, without the need for a domain. The implementation instructions are available.

Technical detail and explanations

This time I was pleasantly surprised by the technical detail and the explanations. Despite the demanding topics, they are easy to understand and include explanatory diagrams.

Screenshot: TPM Communication Interfaces - Workpackage5_TPM-Nutzung_V1_1.pdf (BSI)
Screenshot: TPM Communication Interfaces – Workpackage5_TPM-Nutzung_V1_1.pdf (BSI)

The documents I have seen so far all go down to the necessary depths of the technical functions. For beginners, however, this is difficult fare, and they should definitely take a look at the Microsoft overview pages on the topics beforehand to get a basic feel for it.

Additional recommendations for more security for Windows 10

For those who would like to make their systems a little more secure, I also recommend taking a look at the following articles of mine:

Advertisements

Leave a comment