A security configuration framework for Windows 10 unveiled by Microsoft this week defines five different levels of discrete prescriptive security configurations.
Having customers define this aspect of their security until now has resulted in a huge number of configurations, and Microsoft is now looking to simplify the process while still providing customers with flexibility.
The new security configuration framework, Microsoft Principal Program Manager Chris Jackson says, should allow customers to balance security, productivity, and user experience by meeting many of the common device scenarios observed in the enterprise today.
Jackson also points out that the secure score in Microsoft Defender ATP provides enough information for one company to trust software from another when necessary, which eventually leads to industry cooperation.
“Through the top recommendations, we suggest a prioritized list for securing your devices, with a relative ranking of the overall impact to your security posture. We are also exploring ways to provide useful comparisons using this framework,” he notes.
Through the secure score, customers receive recommendations for securing their endpoint devices (among other things). Context-aware, the recommendations are driven by the existing configuration and the threats impacting the environment.
One issue that remains, however, is related to new Windows 10 deployments, where guidance from the Microsoft Defender ATP Secure Score isn’t available yet. This is what the newly introduced security configuration framework aims to resolve, Jackson points out.
Microsoft focused on grouping recommendations into coherent and discrete groups, so that customers could easily figure out where they stand in terms of defensive posture.
The 5 discrete levels of security configuration in the initial draft mimic the DEFCON levels used to determine alert state by the United States Armed Forces, with lower numbers indicating a higher degree of security hardening.
Enterprise security is the minimum-security configuration for an enterprise device, with straightforward recommendations that are designed to be deployable within 30 days.
Enterprise high security is recommended for devices where users access sensitive or confidential information, and might impact app compatibility (will often go through an audit-configure-enforce workflow). Recommendations are accessible to most organizations and deployable within 90 days.
Enterprise VIP security is recommended for devices in organizations likely to be targeted by well-funded and sophisticated adversaries. Recommendations can be complex, can often go beyond 90 days, and are meant for larger or more sophisticated security teams.
DevOps workstation is recommend for developers and testers, who may be targeted in both supply chain and credential theft attacks that aim at disrupting critical business functions. This guidance is still under development.
Administrator workstation is recommended for individuals who face the highest risk, through data theft, data alteration, or service disruption. The guidance hasn’t been finalized yet.
“We are releasing this draft version to gather additional feedback from organizations looking to organize their device security hardening program,” Jackson says, adding that Microsoft is expecting feedback to find ways to improve the framework.