Guidance

End User Devices Security Guidance: Windows 7 and Windows 8

Updated 14 October 2013

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/eud-guidance

This guidance is applicable to devices running Enterprise versions of Windows 7 and Windows 8, acting as client operating systems, which include BitLocker Drive Encryption, AppLocker and Windows VPN features.

This guidance was developed following testing performed on a logo compliant device running Windows 7 SP1 and Windows 8.0 respectively. The guidance for Windows 7 and Windows 8 is broadly similar, and so is combined for simplicity. Where differences do exist, they have been highlighted accordingly. This guidance is not applicable to Windows 8 RT.

1. Usage Scenario

Windows devices will be used remotely over any network bearer, including Ethernet, Wi-Fi and 3G, to connect back to the enterprise over a VPN. This enables a variety of remote working approaches such as

  • accessing OFFICIAL email;

  • creating, editing, reviewing and commenting on OFFICIAL documents;

  • accessing the OFFICIAL intranet resources, the internet and other web-resources.

To support these scenarios, the following architectural choices are recommended:

  • All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic, and to benefit from enterprise protective monitoring solutions.

  • Arbitrary third-party application installation by users is not permitted on the device. Applications should be authorised by an administrator and deployed via a trusted mechanism.

2. Summary of Platform Security

This platform has been assessed against each of the twelve security recommendations, and that assessment is shown in the table below. Explanatory text indicates that there is something related to that recommendation that the risk owners should be aware of. Rows marked [!] represent a more significant risk. See How the Platform Can Best Satisfy the Security Recommendations for more details about how each of the security recommendations is met.

Recommendation | Rationale
1. Assured data-in-transit protection | There are three types of VPN:
  • IPsec
  • L2TP
  • Direct Access

The L2TP and IPsec VPNs can be disabled by the user and do not initiate automatically at boot.

The Windows 8 IPsec VPN has been independently evaluated against the VPN Security Requirements. Neither the AuthIP component of Direct Access nor the Windows 7 VPNs have been independently assured to Foundation Grade.

In Windows 7 the VPNs do not support some of the mandatory requirements expected from an assured VPN.

2. Assured data-at-rest protection | BitLocker has not been independently assured to Foundation Grade.
3. Authentication |
4. Secure boot (Windows 7) | Secure boot is not supported on this platform.
4. Secure boot (Windows 8) | This requirement is met on a correctly configured platform deployed on supported hardware.
5. Platform integrity and application sandboxing |
6. Application whitelisting |
7. Malicious code detection and prevention |
8. Security policy enforcement |
9. External interface protection |
10. Device update policy (Windows 7) |
10. Device update policy (Windows 8) | The enterprise cannot force the user to update Windows 8 Store applications, if used.
11. Event collection for enterprise analysis |
12. Incident response |

2.1 Significant Risks

The following significant risks have been identified:

  • Only the Windows 8 IPsec VPNs have been independently evaluated. The other VPNs, including the AuthIP component of Direct Access, have not been independently assured to Foundation Grade, and on Windows 7 the VPNs do not support some of the mandatory requirements expected of assured VPNs. Without assurance in the VPNs there is a risk that data transiting from the device could be compromised. In addition, two of the VPNs (L2TP and IPsec) do not initiate automatically at boot, and the user can disconnect the VPN at any time.

  • BitLocker has not been independently assured to Foundation Grade. However, CESG has previously assessed that BitLocker is suitable for protecting information protectively marked RESTRICTED.

  • For Windows Store Applications, there is a reliance on the user performing application updates as there are no centrally controlled methods that allow enterprises to force updates to those applications. This may result in applications becoming outdated and exploitable by an attacker who could compromise data.

  • Many Windows devices have external interfaces which permit Direct Memory Access (DMA) from connected peripherals. This presents an opportunity for a local attacker to exfiltrate keys and data.

3. How the Platform Can Best Satisfy the Security Recommendations

This section details the platform security mechanisms which best address each of the security recommendations.

3.1 Assured data-in-transit protection

Use the native IPsec VPN client on Windows 8. On Windows 7, use the native IPsec VPN client until a Foundation Grade VPN client is available for this platform.
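As an added example (not part of the CESG guidance), the following creates the native IPsec (IKEv2) VPN connection on Windows 8 with the VpnClient module, for all users of the device, with split tunnelling off so that all traffic goes through the enterprise gateway as the usage scenario requires. The gateway name is a placeholder; the example assumes the device holds a machine certificate from the enterprise CA that the gateway trusts. Windows 7 has no VpnClient module, so the equivalent there is a Connection Manager (CMAK) profile.

```powershell
# Added example, not from the CESG guidance. Windows 8 only (VpnClient module).
# Assumptions: vpn.example.gov.uk is a placeholder for the approved IPsec VPN gateway;
# the device has an enterprise-issued machine certificate for IKEv2 authentication.
$Gateway        = 'vpn.example.gov.uk'     # placeholder, replace with the approved gateway
$ConnectionName = 'Enterprise IPsec VPN'

Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $Gateway `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -AllUserConnection `
    -SplitTunneling:$false `
    -Force

# Verify that the connection really is IKEv2 and full-tunnel: with split tunnelling on,
# traffic to non-enterprise destinations would bypass protective monitoring.
$vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection
if ($vpn.TunnelType -ne 'Ikev2' -or $vpn.SplitTunneling) {
    Write-Warning "$ConnectionName is not an IKEv2 full-tunnel connection; check the configuration."
} else {
    Write-Host "$ConnectionName configured: IKEv2, machine certificate, full tunnel."
}

# The guidance notes that the IPsec VPN does not initiate at boot. A machine startup
# script can dial it (no credentials are needed with machine-certificate authentication):
#   rasdial "Enterprise IPsec VPN"
```

The `-Force` switch suppresses the confirmation prompt so the command can run from a deployment script; remove it when running interactively.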

3.2 Assured data-at-rest protection

Use BitLocker to provide full volume encryption. CESG recommend the use of a complex password of at least 9 characters in length, or of at least 6 characters in length when used in conjunction with a second factor.

3.3 Authentication

The user authenticates to the device by decrypting the disk at boot time.

The user then has a secondary password to authenticate themselves to the platform at boot and unlock time. This password also derives a key which encrypts certificates and other credentials, giving access to enterprise services.

3.4 Secure boot

On Windows 8 this requirement is met on a correctly configured platform deployed on supported hardware.

On Windows 7 there is no secure boot capability; an EFI/BIOS password can make it more difficult for an attacker to modify the boot process. With physical access, the boot process can still be compromised.

3.5 Platform integrity and application sandboxing

This requirement is met by the platform without additional configuration.

3.6 Application whitelisting

An enterprise configuration can be applied to provide software restriction policies (using AppLocker) which prevent the device from allowing any applications except those explicitly allowed.

For Windows 8, the Windows 8 Store feature can be disabled to prevent users adding arbitrary applications.

3.7 Malicious code detection and prevention

Several third-party anti-malware products exist which attempt to detect malicious code for this platform. On Windows 8, a Windows application catalog can be used which should only contain vetted apps. In addition, the Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to prevent malicious code from running. Content-based attacks can be filtered by scanning capabilities in the enterprise.

3.8 Security policy enforcement

Settings applied through Group Policy cannot be modified by the user.

3.9 External interface protection

Interfaces can be configured using group policy. Direct Memory Access (DMA) is possible from peripherals connected to some external interfaces including FireWire, eSATA, and Thunderbolt. With Windows 8 connected standby devices, part of the hardware compliance mitigates DMA attacks by disallowing these interfaces.

3.10 Device update policy

WSUS is used to enforce updates of the core platform and any Windows applications. It can also be used to update third-party applications.

For Windows 8, the enterprise cannot control when the Windows Store applications are updated. These updates rely on user interaction.

3.11 Event collection for enterprise analysis

Event collection can be carried out using Windows Event Forwarding for central event log collection.

3.12 Incident response

Windows 7 and Windows 8 do not natively support remote wipe; however, the combination of BitLocker drive encryption and enterprise revocation of user credentials is appropriate for managing this security recommendation.

4. Network Architecture

All remote or mobile working scenarios should use a typical remote access architecture based on the Walled Garden Architectural Pattern. The following network diagram describes the recommended architecture for this platform.

[Figure: Windows 7/8 network diagram. Recommended network architecture for Windows 7/8 deployments.]

5. Deployment Process

The following steps should be followed to prepare the enterprise infrastructure for hosting a deployment of these devices:

  1. Procure, deploy and configure network components, including an approved IPsec VPN Gateway.

  2. Configure Windows Server Update Services (WSUS) to follow Microsoft’s best practices for security.

  3. Create Group Policies for users and groups in accordance with the settings later in this chapter.

  4. Deploy a default-deny AppLocker ruleset using Group Policy, following the guidance in Enterprise Considerations.

  5. Create Event Forwarding Subscriptions and configure Group Policy to forward at least the Application, System and Security logs at Critical, Error or Warning level to an event management system.
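As an added example (not part of the CESG guidance), the following creates the collector-side part of step 5: a source-initiated Windows Event Forwarding subscription that accepts Application, System and Security events at Critical (Level 1), Error (Level 2) or Warning (Level 3) from domain-joined devices into the collector's ForwardedEvents log. It assumes it runs elevated on the collector; the subscription name is an example and forwarders are authorised by the Domain Computers group (SDDL alias DC).

```powershell
# Added example, not from the CESG guidance. Run elevated on the event collector.
# Assumptions: the subscription name is an example; forwarders are members of
# Domain Computers (SDDL alias DC); events are kept in the ForwardedEvents log.
$SubscriptionName = 'EUD-Critical-Error-Warning'

# XPath selecting only Critical (1), Error (2) and Warning (3) events
$LevelFilter = '*[System[(Level=1 or Level=2 or Level=3)]]'

$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Critical, Error and Warning events from end user devices</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Application"><Select Path="Application">$LevelFilter</Select></Query>
      <Query Id="1" Path="System"><Select Path="System">$LevelFilter</Select></Query>
      <Query Id="2" Path="Security"><Select Path="Security">$LevelFilter</Select></Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-GB"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

# Write the subscription definition and register it with the collector service
$XmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $XmlPath -Value $SubscriptionXml -Encoding UTF8

wecutil qc /q                  # enable and start the Windows Event Collector service
wecutil cs $XmlPath            # create the subscription from the XML above
wecutil gs $SubscriptionName   # display it to confirm the query and source ACL
```

On the devices, the matching Group Policy is Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager, with a value of the form `Server=http://collector.example.gov.uk:5985/wsman/SubscriptionManager/WEC,Refresh=60` (placeholder host), and WinRM must be enabled. Forwarding the Security log also requires the Network Service account to be able to read it, which is normally done by adding it to the Event Log Readers group.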

6. Provisioning Steps

The following steps should be followed to provision each end user device onto the enterprise network to prepare it for distribution to end users:

  1. Configure the BIOS to disable unused hardware interfaces, enable Secure Boot (Windows 8 only), check the boot order to prioritise internal storage and set a password to prevent changes.

  2. Deploy the most recent version of EMET (4.0 at the time of writing) and configure it using Group Policy to implement Microsoft’s Maximum security settings profile.

7. Configuration Settings

The listed configurations below should be applied through Group Policy Management in addition to these standard Microsoft baselines that are distributed via the SCM tool:

  • Win8 Computer Security Compliance 1.0

  • Win8 User Security Compliance 1.0

  • IE10 Computer Security Compliance 1.0

  • IE10 User Security Compliance 1.0

Group Policy | Value(s)
Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Require domain users to elevate when setting a network’s location | Enabled
Computer Configuration > Policies > Administrative Templates > Network > Network Isolation > Proxy definitions are authoritative | Enabled
Computer Configuration > Policies > Administrative Templates > Network > Network Isolation > Subnet definitions are authoritative | Enabled
Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections | Enabled
Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Protect all network connections | Enabled
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security | Enabled

Firewall state: On

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules | Enabled

General > Action: Block the connection

Programs and Services > Programs > Application Packages: Apply to all programs and application packages

Programs and Services > Programs > Services: Apply to all programs and services

Advanced > Profiles: Domain, Private, Public

Advanced > Allow edge traversal: False

Computer Configuration > Policies > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon | Enabled
Computer Configuration > Policies > Administrative Templates > System > Logon > Turn off picture password sign-in | Enabled
Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings > Allow standby states (S1-S3) when sleeping (on battery) | Disabled
Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings > Allow standby states (S1-S3) when sleeping (plugged in) | Disabled
Computer Configuration > Policies > Administrative Templates > Windows Components > AutoPlay Policies > Disallow Autoplay for non-volume devices | Enabled
Computer Configuration > Policies > Administrative Templates > Windows Components > AutoPlay Policies > Turn off Autoplay | Enabled

Turn off Autoplay on: All Drives

Computer Configuration > Policies > Administrative Templates > Windows Components > Credential User Interface > Do not display the password reveal button | Enabled
Computer Configuration > Policies > Administrative Templates > Windows Components > Portable Operating System > Windows To Go Default Startup Options | Disabled
Computer Configuration > Policies > Administrative Templates > Windows Components > Tablet PC > Input Panel > Turn off password security in Input Panel | Enabled

Turn off password security in Input Panel: High

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Configure Microsoft Active Protection Service Reporting | Disabled
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Turn off Windows Defender | Disabled
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting | Enabled
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer > Always install with elevated privileges | Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Disable changing Automatic Configuration settings | Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Do not allow users to enable or disable add-ons | Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Prevent bypassing SmartScreen Filter warnings | Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Prevent changing proxy settings | Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Prevent managing SmartScreen Filter | Enabled

Select SmartScreen Filter Mode: On

User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Prevent ignoring certificate errors | Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page > Turn off encryption support | Enabled

Secure Protocol combinations: Use SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2

User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Turn on certificate address mismatch warning | Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > [All Zones] > Allow font downloads | Disabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > [All Zones] > Scripting of Java applets | Disabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > [All Zones] > Turn on Cross-Site Scripting (XSS) Filter | Enabled

Turn on Cross-Site Scripting (XSS) Filter: Enable

User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > [All Zones] > Turn on SmartScreen Filter scan | Enabled

Use SmartScreen Filter: Enable

User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Features > Do not display the reveal password button | Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Toolbars > Turn off Developer Tools | Enabled
Preferences > Windows Settings > Registry > Replace > HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\SafeModeBlockNonAdmins | 1
Computer Configuration > Policies > Administrative Templates > Turn off the Store application | Enabled
Computer Configuration > Policies > Windows Settings > Application Control Policies > Appx Rules > Enforce rules of this type | True

Deny Everyone All signed packaged apps
Exception: windows.immersivecontrolpanel, version 6.2.0.0 from Microsoft Corporation

Computer Configuration > Policies > Windows Settings > Application Control Policies > Dll Rules > Enforce rules of this type | True

Allow Everyone: All DLLs located in the Program Files folder

Allow Everyone: All DLLs located in the Windows folder
Exception: %SYSTEM32%\catroot2\*
Exception: %SYSTEM32%\com\*
Exception: %SYSTEM32%\dmp\*
Exception: %SYSTEM32%\FxsTmp\*
Exception: %SYSTEM32%\powershell\*
Exception: %SYSTEM32%\Spool\*
Exception: %SYSTEM32%\Tasks\*
Exception: %SYSTEM32%\Tasks\Microsoft\Windows\*
Exception: %SYSTEM32%\Tasks\Microsoft\Windows\WCM\*
Exception: %WINDIR%\debug\*
Exception: %WINDIR%\debug\wia\*
Exception: %WINDIR%\pchealth\*
Exception: %WINDIR%\registration\*
Exception: %WINDIR%\tasks\*
Exception: %WINDIR%\temp\*
Exception: %WINDIR%\tracing\*

Allow Administrators: All DLLs

Computer Configuration > Policies > Windows Settings > Application Control Policies > Executable Rules > Enforce rules of this type | True

Allow Everyone: All files located in the Program Files folder

Allow Everyone: All files located in the Windows folder
Exception: %SYSTEM32%\catroot2\*
Exception: %SYSTEM32%\com\*
Exception: %SYSTEM32%\dmp\*
Exception: %SYSTEM32%\FxsTmp\*
Exception: %SYSTEM32%\powershell\*
Exception: %SYSTEM32%\Spool\*
Exception: %SYSTEM32%\Tasks\*
Exception: %SYSTEM32%\Tasks\Microsoft\Windows\*
Exception: %SYSTEM32%\Tasks\Microsoft\Windows\WCM\*
Exception: %WINDIR%\debug\*
Exception: %WINDIR%\debug\wia\*
Exception: %WINDIR%\pchealth\*
Exception: %WINDIR%\registration\*
Exception: %WINDIR%\tasks\*
Exception: %WINDIR%\temp\*
Exception: %WINDIR%\tracing\*
Exception: cscript.exe 5.8.0.0-* from Microsoft Corporation
Exception: wscript.exe 5.8.0.0-* from Microsoft Corporation
Exception: cmd.exe 6.2.0.0-* from Microsoft Corporation
Exception: ftp.exe 6.2.0.0-* from Microsoft Corporation
Exception: net.exe 6.2.0.0-* from Microsoft Corporation
Exception: net1.exe 6.2.0.0-* from Microsoft Corporation
Exception: netsh.exe 6.2.0.0-* from Microsoft Corporation
Exception: powershell.exe 6.2.0.0-* from Microsoft Corporation
Exception: powershell_ise.exe 6.2.0.0-* from Microsoft Corporation
Exception: reg.exe 6.2.0.0-* from Microsoft Corporation
Exception: regedit.exe 6.2.0.0-* from Microsoft Corporation
Exception: regedt32.exe 6.2.0.0-* from Microsoft Corporation
Exception: regini.exe 6.2.0.0-* from Microsoft Corporation

Allow Administrators: All DLLs

Computer Configuration > Policies > Windows Settings > Application Control Policies > Windows Installer Rules > Enforce rules of this type | True

Allow Administrators: All Windows Installer files

Computer Configuration > Policies > Windows Settings > Application Control Policies > Script Rules > Enforce rules of this type | True

Allow Administrators: All Scripts

CN=System > CN=Password Settings Container > CN=Granular Password Settings Users | Precedence: 2

Enforce minimum password length: 9 characters

Enforce password history: 8

Password must meet complexity requirements: Enabled

Enforce maximum password age: 90 days

Enforce lockout policy: 5 attempts

Account will be locked out: Until an administrator manually unlocks the account

Directly Applies To: Domain Users

CN=System > CN=Password Settings Container > CN=Granular Password Settings Administrators | Precedence: 1

Enforce minimum password length: 14 characters

Enforce password history: 24

Password must meet complexity requirements: Enabled

Enforce maximum password age: 42 days

Enforce lockout policy: 5 attempts

Account will be locked out: Until an administrator manually unlocks the account

Directly Applies To: Domain Admins

Protect from accidental deletion: Enabled
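As an added example (not part of the CESG guidance), the following spot-checks on a provisioned device that a sample of the settings in the table above has actually applied, by reading the registry values those policies write, the firewall profile state and the BitLocker state of the system drive. The policy-to-registry mapping is this example's own assumption and should be verified against the ADMX files for the Windows build in use; SafeModeBlockNonAdmins is the one value the guidance itself names. It assumes it runs elevated after `gpupdate /force`.

```powershell
# Added example, not from the CESG guidance. Run elevated after "gpupdate /force".
# Assumption: the registry locations below are this example's mapping of policy name to
# value; confirm them against the ADMX files for your build before relying on them.
$Expected = @(
    @{ Policy = 'Do not display the password reveal button'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI'; Name = 'DisablePasswordReveal'; Value = 1 },
    @{ Policy = 'Turn off Autoplay (All Drives)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 255 },
    @{ Policy = 'Disallow Autoplay for non-volume devices'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'; Name = 'NoAutoplayfornonVolume'; Value = 1 },
    @{ Policy = 'Disable Windows Error Reporting'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'; Name = 'Disabled'; Value = 1 },
    @{ Policy = 'Turn off the Store application'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'; Name = 'RemoveWindowsStore'; Value = 1 },
    @{ Policy = 'Always wait for the network at computer startup and logon'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'SyncForegroundPolicy'; Value = 1 },
    @{ Policy = 'SafeModeBlockNonAdmins (registry preference from the guidance)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'SafeModeBlockNonAdmins'; Value = 1 }
)

# Read one expected value and report OK only when it is present with the expected data.
function Test-RegistryPolicy($Item) {
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction Stop).($Item.Name)
    } catch { }
    $status = 'MISSING OR WRONG'
    if ($actual -eq $Item.Value) { $status = 'OK' }
    New-Object PSObject -Property @{ Check = $Item.Policy; Expected = $Item.Value; Actual = $actual; Status = $status }
}

$Results = @()
foreach ($item in $Expected) { $Results += Test-RegistryPolicy $item }

# Firewall: every profile must be on. Get-NetFirewallProfile exists on Windows 8;
# on Windows 7 fall back to netsh and read the output by hand.
if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    foreach ($p in Get-NetFirewallProfile) {
        $status = 'MISSING OR WRONG'
        if ($p.Enabled -eq 'True') { $status = 'OK' }
        $Results += New-Object PSObject -Property @{
            Check = "Firewall profile $($p.Name)"; Expected = 'On'; Actual = "$($p.Enabled)"; Status = $status }
    }
} else {
    netsh advfirewall show allprofiles state
}

# BitLocker: the system drive must be protected. Get-BitLockerVolume exists on Windows 8;
# on Windows 7 manage-bde prints the equivalent status.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    $status = 'MISSING OR WRONG'
    if ($vol.ProtectionStatus -eq 'On') { $status = 'OK' }
    $Results += New-Object PSObject -Property @{
        Check = "BitLocker on $env:SystemDrive"; Expected = 'On'
        Actual = "$($vol.ProtectionStatus) (protectors: $protectors)"; Status = $status }
} else {
    manage-bde -status $env:SystemDrive
}

$Results | Format-Table Check, Expected, Actual, Status -AutoSize
```

The protector list printed for BitLocker shows whether a second factor (a TPM plus PIN protector) is in use, which is what decides whether the 6-character or 9-character minimum from section 3.2 applies.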

8. Enterprise Considerations

The following points are in addition to the common enterprise considerations and contain specific issues for Windows 7 and 8 deployments.

8.1 Secure Boot

The Windows 8 Secure Boot process alerts a user when an attempt to subvert the security controls has taken place. It is important that users know how to identify and respond to this alert.

8.2 Application Whitelisting

When configuring additional application whitelists for a Windows device, it is important that the following conditions are considered:

  • Users should not be allowed to run programs from areas where they are permitted to write files;

  • Care should be taken to ensure that application updates do not conflict with whitelisting rules;

  • Applications should be reviewed before being approved in the enterprise to ensure they don’t undermine application whitelisting. This is especially important for scripting languages which have their own execution environment.
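As an added example (not part of the CESG guidance), the following runs two checks on the effective AppLocker policy of a provisioned device, covering both the ruleset in Configuration Settings and the first condition above. Check 1 confirms that the interpreters and administrative tools which the Executable Rules except from "Allow Everyone: All files located in the Windows folder" are denied to standard users. Check 2 goes a little beyond the table: it lists every directory under the Windows and Program Files folders that standard users can write to and that is not inside one of the excepted paths, i.e. a location where a user could both drop and run a program. It assumes it runs elevated after Group Policy has applied; the function and variable names are this example's own.

```powershell
# Added example, not from the CESG guidance. Run elevated after Group Policy has applied.
Import-Module AppLocker
$Policy = Get-AppLockerPolicy -Effective

# ---- Check 1: tools excepted from the Windows-folder rule must not be Allowed ----
$RestrictedTools = @('cscript.exe','wscript.exe','cmd.exe','ftp.exe','net.exe','net1.exe',
    'netsh.exe','powershell.exe','powershell_ise.exe','reg.exe','regedit.exe',
    'regedt32.exe','regini.exe')
$SearchDirs = @($env:SystemRoot, "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0", "$env:SystemRoot\SysWOW64")
$ToolPaths = @(foreach ($dir in $SearchDirs) {
    Get-ChildItem -Path $dir -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($RestrictedTools -contains $_.Name) } |
        ForEach-Object { $_.FullName }
})
$StillAllowed = @(Test-AppLockerPolicy -PolicyObject $Policy -Path $ToolPaths -User 'Everyone' |
    Where-Object { $_.PolicyDecision -eq 'Allowed' })
if ($StillAllowed.Count -gt 0) {
    Write-Warning ("Standard users can still run:`n" + (($StillAllowed | ForEach-Object { $_.FilePath }) -join "`n"))
} else {
    Write-Host "Check 1 passed: all $($ToolPaths.Count) restricted tools are denied to Everyone."
}

# ---- Check 2: user-writable directories must fall inside an excepted path ----
$Sys32 = "$env:SystemRoot\System32"
# Excepted paths as listed in the guidance's DLL and Executable Rules
$Excepted = @("$Sys32\catroot2", "$Sys32\com", "$Sys32\dmp", "$Sys32\FxsTmp", "$Sys32\powershell",
    "$Sys32\Spool", "$Sys32\Tasks", "$env:SystemRoot\debug", "$env:SystemRoot\pchealth",
    "$env:SystemRoot\registration", "$env:SystemRoot\tasks", "$env:SystemRoot\temp",
    "$env:SystemRoot\tracing")
$UserIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')

# True when an Allow ACE for a standard-user identity grants file creation
# (bit 2 = CreateFiles/WriteData, 0x40000000 = GenericWrite, 0x10000000 = GenericAll).
# Deny ACEs are not evaluated here, so the result errs on the side of reporting.
function Test-UserWritable([string]$Dir) {
    try { $acl = Get-Acl -Path $Dir -ErrorAction Stop } catch { return $false }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($UserIdentities -notcontains $rule.IdentityReference.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if (($rights -band 2) -or ($rights -band 0x40000000) -or ($rights -band 0x10000000)) { return $true }
    }
    return $false
}

$ScanRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$Writable = Get-ChildItem -Path $ScanRoots -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and (Test-UserWritable $_.FullName) }
$NotExcepted = @($Writable | Where-Object {
    $d = $_.FullName
    -not ($Excepted | Where-Object { $d.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
})
if ($NotExcepted.Count -gt 0) {
    Write-Warning ("User-writable directories not covered by an exception:`n" +
        (($NotExcepted | ForEach-Object { $_.FullName }) -join "`n"))
} else {
    Write-Host 'Check 2 passed: every user-writable directory under the scanned folders is excepted.'
}
```

Check 2 walks the whole Windows folder, including WinSxS, so it takes a few minutes; any directory it reports is a candidate for an additional exception in the Executable and DLL rules, or for an ACL fix.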

8.3 Windows Live Accounts

Users should not enable personal, non-enterprise Microsoft ID (Live ID) accounts on the device as this may allow data to leak through Microsoft cloud services backup and application storage.

8.4 Third-party Application Updates

Windows Server Update Service (WSUS) can be used to deploy and update Microsoft products but cannot keep third-party products up to date unless they have a package in enterprise system management service.