The German Federal Office for Information Security (BSI) has published new documents on Microsoft Windows 10 and how to secure it. I looked at the BSI security recommendations for Windows 10 before reporting on them. The background to this is that, in the past, publications in this direction were sometimes more than outdated when they were published, or they were very superficial.
This time it is surprisingly different. Also, this time most of the documents are written in English and only the summaries are in German. This is an advantage in the context of mostly international IT projects. But it will also have ensured that the BSI was able to get international feedback in advance and was not only dependent on German experts.
Selection of versions for the security recommendations for Windows 10
The BSI also focuses on the versions that form the basis for the Windows Server LTSC (i.e. Windows Server 2016 or Windows Server 2019) and the corresponding Windows 10 LTSC versions (also 2016 or 2019). The functional scope of the LTSC versions is limited for server and client. Microsoft does this in order not to have to support insufficiently tested components according to the software lifecycle of 10 or 7 years.
Many settings and functions that are explained and configured in the section for Windows 10 1607 are still valid today, even if some of them have been slightly modified.
Overview of the topics
The Windows 10 1607 Topics
- Analysis of Windows 10 – General OS Structure
- Telemetry Service
- TPM and “UEFI SecureBoot”
- Virtualization Based Security
- Device Guard
- PowerShell and Windows Script Host
- TPM Vulnerability CVE-2017-15361
The Windows 10 1809 Topics
- Logging Guideline
- Hardening Guideline
- GPOs for Guidelines
- Monitoring System Modifications
- Universal Windows Apps and Windows Information Protection
- Secure Boot Configuration Policy
- Telemetry Monitoring Framework
- Windows Application Compatibility Infrastructure
- Driver Management
As can be seen from the list (source: BSI, BSI – Studien – SiSyPHuS Win10: Study on system structure, logging, hardening and security functions in Windows 10 (bund.de)), we can expect a few more topics.
Group Policy Objects
The BSI has also made group policy objects available for download as templates for hardening. These have been defined for 3 usage scenarios:
- Domain member with normal protection requirements
- Domain member with high protection requirements
- Individual computer (workgroup) with normal protection requirements
These can also be implemented as a local GPO with the Microsoft tool LGPO.exe, without the need for a domain. The implementation instructions are available.
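One way to do that local import, as an added example that is not taken from the BSI implementation instructions or from this article: it assumes LGPO.exe has been downloaded and the chosen GPO backup unpacked, and the parameter names and the rollback folder are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: import a GPO backup into local policy with LGPO.exe.
# Parameter names and all paths are assumptions of this example.
param(
    [Parameter(Mandatory)] [string] $LgpoExe,        # full path to LGPO.exe
    [Parameter(Mandatory)] [string] $GpoBackupPath,  # folder holding the unpacked GPO backup(s)
    [string] $RollbackRoot = "$env:SystemDrive\LocalPolicyBackup"  # assumed location
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $LgpoExe -PathType Leaf)) {
    throw "LGPO.exe not found at $LgpoExe"
}

# A GPO backup is a {GUID} folder containing Backup.xml; refuse to run without one.
$backups = @(Get-ChildItem -LiteralPath $GpoBackupPath -Recurse -Filter 'Backup.xml' -File)
if ($backups.Count -eq 0) {
    throw "No GPO backup (Backup.xml) found under $GpoBackupPath"
}

# 1. Export the current local policy first so the previous state is preserved.
$rollbackDir = Join-Path $RollbackRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $rollbackDir -Force | Out-Null
& $LgpoExe /b $rollbackDir /n 'Local policy before hardening'
if ($LASTEXITCODE -ne 0) { throw "Backup of local policy failed (exit $LASTEXITCODE)" }

# 2. Import every GPO backup found under the given path into local policy.
& $LgpoExe /g $GpoBackupPath /v
if ($LASTEXITCODE -ne 0) { throw "Import failed (exit $LASTEXITCODE)" }

# 3. Refresh computer policy so the imported settings take effect.
gpupdate.exe /target:computer /force | Out-Null

Write-Host "Imported $($backups.Count) GPO backup(s) from $GpoBackupPath"
Write-Host "Previous local policy saved to $rollbackDir (re-import it with LGPO.exe /g)"
```

On a domain member, settings delivered by domain GPOs take precedence over local policy, so this route mainly suits the workgroup scenario or test machines.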
Technical detail and explanations
This time I was pleasantly surprised by the technical detail and the explanations. Despite the demanding topics, they are easy to understand and include explanatory diagrams.
The documents I have seen so far all go down to the necessary depths of the technical functions. For beginners, however, this is difficult fare, and they should definitely take a look at the Microsoft overview pages on the topics beforehand to get a basic feel for it.
Additional recommendations for more security for Windows 10
For those who would like to make their systems a little more secure, I also recommend taking a look at the following articles of mine:
- Local Administrator Password Solution (LAPS)
- Using and Auditing PowerShell Scripts with Microsoft Local Administrator Password Solution (LAPS)
- New version of get-GPOBackup
- Windows 10 and the Microsoft Store
- Windows WinRM over HTTPs
- List of different Group Policy Templates (Updated)
- Microsoft identified a critical vulnerability and closed it via the Microsoft Store