The Windows 10 operating system was released about 15 months ago and is being used increasingly for both private and business purposes. Initial enthusiasm for Windows 10 was muted and has not increased much since the launch. The graphical interface (e.g. the Start menu and the Action Center), the forced updates, the integration of cloud services, and the logging of user behavior have all caused annoyance. Scant attention was paid to improving security functions and settings. Some of these functions were even withheld from enterprise customers, such as Credential and Device Guard.

Microsoft’s standard settings form a solid basis but need to be revised in order to ensure a secure operating system. Based on the CIS Microsoft Windows 10 Benchmarks, I have created a checklist that can be used to harden Windows 10 in both the private and business domain. The hardening checklist can be used for all Windows versions, but the GroupPolicyEditor is not integrated into Windows 10 Home; adjustments have to be carried out directly in the registry.

Basic principles

To protect against unauthorized physical access, the hard drive should be encrypted. The integrated BitLocker function can be used for this. Ideally, Bitlocker should be used in combination with SecureBoot. This links the hard drive to the individual system’s hardware.

The integrated Windows Defender solution can be used as anti-virus software. Windows Defender offers adequate protection against known malware and has not been found to have any serious weaknesses. In a Security Research of Anti-Virus Software project, Travis Ormandy, researcher in Google’s Project Zero, found that, unlike competitor products, Windows Defender did not have any critical vulnerabilities that impaired the security of the operating system.

In 2009, Microsoft published the Enhanced Mitigation Experience Toolkit (EMET), which can be used as a Defense in Depth measure against the exploitation of vulnerabilities. EMET includes measures against known exploits such as heap spraying, and Return Oriented Programming. Support for EMET will stop at the end of July 2018, as Microsoft has integrated the majority of the functions into Windows 10. According to an analysis, by Will Dormann, this is not yet the case with the current version of Windows 10. EMET should therefore continue to be operated on a correctly hardened system.

In Windows 10, the properties of Windows Update were altered. After a certain amount of time, Windows updates are installed automatically and the system is re-started. This has not been popular with users and has led to the recommendation to deactivate the Windows update processes. Installing Windows updates promptly is key to maintaining the system’s security and the process should not be deactivated under any circumstances. This year, there have been at least three privilege escalation vulnerabilities (MS16-032, MS16-111, and MS16-124), for which functioning exploits were published within a few days of the patch being released.

Security and privacy

The use of NT LAN Manager (NTLM) is also a security-related topic for Windows 10. If an attacker can capture the NTLM challenge response process, such as by manipulating the network traffic, they can use this to work out the user’s password. An eight-digit password can be worked out in just a few hours. NTLM should now only be used in version 2 (NTLMv2); all other versions (NTLMv1 and LM) should be rejected. Ideally, NTLM should be completely deactivated or restricted to specific IP addresses.

A new security function blocks untrustworthy fonts (truetype fonts) but is not active in the default settings. This function should therefore be activated. A few vulnerabilities were found in Windows which enable a privilege escalation up to kernel level of the operating system when a font is opened or viewed. It is now possible to deactivate the support for untrustworthy fonts in order to mitigate the vulnerability.

Windows 10 comes with a range of functions which, in the default settings, have a negative impact on the user’s privacy. For example, user behavior can be analyzed by capturing telemetry data. What’s more, cloud functions are active in the default settings which users may not want to utilize at all. These include the storage function OneDrive and the speech recognition software Cortana. Most of these issues can be managed using group policies and deactivated if required. It is therefore possible to switch off the logging and transmission of error messages to Microsoft, reduce the capturing of telemetry data to a minimum (it can only be switched off completely in the Enterprise version), and deactivate cloud applications such as OneDrive or Cortana.

Auditing and logs

Security-related events must be logged and assessed on a hardened system. To do this, the default settings need to be extended. In order to detect an attempted attack or the misuse of access data at an early stage, failed login attempts should be logged. Strengthening the log settings, however, only helps if the integrity of the logs is assured and they have been recorded properly. The maximum size of the event log should therefore be expanded in order to ensure that no entries can be lost by being overwritten. In addition, access rights should be restricted to administrators.

Full checklist

The full checklist with all settings can be downloaded in text format. The settings should be seen as security recommendations; before accepting them, check carefully whether they will affect the operation of your infrastructure or impair the usability of key functions. A balance should be struck between security and usability. Considering your system’s security settings leads to a better understanding of the system and your requirements, which in turn improves the security of the overall system.

About the Author

Michael Schneider has been in IT since 2000. Since 2010 he is focused on information security. He is an expert at penetration testing, hardening and the detection of vulnerabilities in operating systems. He is well-known for a variety of tools written in PowerShell to find, exploit, and mitigate weaknesses. (ORCID 0000-0003-0772-9761)

Links

• https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_10_Enterprise_RTM_Release_1507_Benchmark_v1.0.0.pdf
• https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/
• https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=owner%3Ataviso%40google.com
• https://en.wikipedia.org/wiki/Privilege_escalation
• https://en.wikipedia.org/wiki/Return-oriented_programming
• https://github.com/0×6d69636b/windows_hardening/
• https://googleprojectzero.blogspot.com
• https://insights.sei.cmu.edu/author/will-dormann/
• https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html
• https://technet.microsoft.com/en-us/security/jj653751
• https://twitter.com/taviso
• https://vuldb.com/?id.81278
• https://vuldb.com/?id.91564
• https://vuldb.com/?id.92593
• https://wikipedia.org/wiki/Heap_spraying