This guidance is applicable to devices running Enterprise versions of Windows 7 and Windows 8, acting as client operating systems, which include BitLocker Drive Encryption, AppLocker and Windows VPN features.

This guidance was developed following testing performed on a logo compliant device running Windows 7 SP1 and Windows 8.0 respectively. The guidance for Windows 7 and Windows 8 is broadly similar, and so is combined for simplicity. Where differences do exist, they have been highlighted accordingly. This guidance is not applicable to Windows 8 RT.

1. Usage Scenario

Windows devices will be used remotely over any network bearer, including Ethernet, Wi-Fi and 3G, to connect back to the enterprise over a VPN. This enables a variety of remote working approaches such as

  • accessing OFFICIAL email;

  • creating, editing, reviewing and commenting on OFFICIAL documents;

  • accessing the OFFICIAL intranet resources, the internet and other web-resources.

To support these scenarios, the following architectural choices are recommended:

  • All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic, and to benefit from enterprise protective monitoring solutions.

  • Arbitrary third-party application installation by users is not permitted on the device. Applications should be authorised by an administrator and deployed via a trusted mechanism.

2. Summary of Platform Security

This platform has been assessed against each of the twelve security recommendations, and that assessment is shown in the table below. Explanatory text indicates that there is something related to that recommendation that the risk owners should be aware of. Rows marked [!] represent a more significant risk. See How the Platform Can Best Satisfy the Security Recommendations for more details about how each of the security recommendations is met.

Recommendation Rationale
1. Assured data-in-transit protection There are three types of VPN:
- IPsec
- L2TP
- Direct Access

The L2TP and IPsec VPNs can be disabled by the user and do not initiate automatically at boot.

The Windows 8 IPsec VPN has been independently evaluated against the VPN Security Requirements. Neither AuthIP component of Direct Access, nor Windows 7 VPNs, have been independently assured to Foundation Grade.

In Windows 7 the VPNs do not support some of the mandatory requirements expected from an assured VPN.

2. Assured data-at-rest protection BitLocker has not been independently assured to Foundation Grade.
3. Authentication
4. Secure boot (Windows 7) Secure boot is not supported on this platform.
4. Secure boot (Windows 8) Secure boot is met on the platform on a correctly configured platform deployed on supported hardware.
5. Platform integrity and application sandboxing
6. Application whitelisting
7. Malicious code detection and prevention
8. Security policy enforcement
9. External interface protection
10. Device update policy (Windows 7)
10. Device update policy (Windows 8) The enterprise cannot force the user to update Windows 8 Store applications, if used.
11. Event collection for enterprise analysis
12. Incident response

2.1 Significant Risks

The following significant risks have been identified:

  • Only the Windows 8 IPsec VPNs have been independently evaluated. The other VPNs, including the AuthIP component of Direct Access, have not been independently assured to Foundation Grade, and for Windows 7 the VPNs do not support some of the mandatory requirements expected from assured VPNs. Without assurance in the VPNs there is a risk that data transiting from the device could be compromised. In addition, for two of the VPNs (L2TP and IPsec) they do not initiate automatically at boot and there is potential for the user to disconnect the VPN at any time.

  • BitLocker has not been independently assured to Foundation Grade. However, CESG has previously assessed that BitLocker is suitable for protecting information protectively marked RESTRICTED.
  • For Windows Store Applications, there is a reliance on the user performing application updates as there are no centrally controlled methods that allow enterprises to force updates to those applications. This may result in applications becoming outdated and exploitable by an attacker who could compromise data.

  • Many Windows devices have external interfaces which permit Direct Memory Access (DMA) from connected peripherals. This presents an opportunity for a local attacker to exfiltrate keys and data.

3. How the Platform Can Best Satisfy the Security Recommendations

This section details the platform security mechanisms which best address each of the security recommendations.

3.1 Assured data-in-transit protection

Use the native IPsec VPN client on Windows 8. On Windows 7, use the native IPsec VPN client until a Foundation Grade VPN client is available for this platform.

3.2 Assured data-at-rest protection

Use BitLocker to provide full volume encryption. CESG recommend the use of a complex password of at least 9 characters in length, or of at least 6 characters in length when used in conjunction with a second factor.

3.3 Authentication

The user authenticates to the device by decrypting the disk at boot time.

The user then has a secondary password to authenticate themselves to the platform at boot and unlock time. This password also derives a key which encrypts certificates and other credentials, giving access to enterprise services.

3.4 Secure boot

On Windows 8 this requirement is met by the platform on a correctly configured platform deployed on supported hardware.

On Windows 7 there is no secure boot capability; an EFI/BIOS password can make it more difficult for an attacker to modify the boot process. With physical access, the boot process can still be compromised.

3.5 Platform integrity and application sandboxing

This requirement is met by the platform without additional configuration.

3.6 Application whitelisting

An enterprise configuration can be applied to provide software restriction policies (using AppLocker) which prevent the device from allowing any applications except those explicitly allowed.

For Windows 8, the Windows 8 Store feature can be disabled to prevent users adding arbitrary applications.

3.7 Malicious code detection and prevention

Several third-party anti-malware products exist which attempt to detect malicious code for this platform. An Windows Application catalog (on Windows 8) can be used which should only contain vetted apps. In addition, the Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to prevent malicious code from running. Content-based attacks can be filtered by scanning capabilities in the enterprise.

3.8 Security policy enforcement

Settings applied through Group Policy cannot be modified by the user.

3.9 External interface protection

Interfaces can be configured using group policy. Direct Memory Access (DMA) is possible from peripherals connected to some external interfaces including FireWire, eSATA, and Thunderbolt. With Windows 8 connected standby devices, part of the hardware compliance mitigates DMA attacks by disallowing these interfaces.

3.10 Device update policy

WSUS is used to enforce updates of the core platform and any windows applications. This can also be used to update third-party applications.

For Windows 8, the enterprise cannot control when the Windows Store applications are updated. These updates rely on user interaction.

3.11 Event collection for enterprise analysis

Event collection can be carried out using Windows Event Forwarding for central event log collection.

3.12 Incident response

Windows 7 and Windows 8 do not natively support remote wipe, however the combination of BitLocker drive encryption and enterprise revocation of user credentials are appropriate for managing this security recommendation.

4. Network Architecture

All remote or mobile working scenarios should use a typical remote access architecture based on the Walled Garden Architectural Pattern. The following network diagram describes the recommended architecture for this platform.

Windows 7/8 network diagram
Recommended network architecture for Windows 7/8 deployments

5. Deployment Process

The following steps should be followed to prepare the enterprise infrastructure for hosting a deployment of these devices:

  1. Procure, deploy and configure network components, including an approved IPsec VPN Gateway.

  2. Configure Windows Server Update Services (WSUS) to follow Microsoft’s best practices for security.

  3. Create Group Policies for users and groups in accordance with the settings later in this chapter.

  4. Deploy a default-deny AppLocker ruleset using Group Policy following guidance in enterprise consideration.

  5. Create Event Forwarding Subscriptions and configure Group Policy to forward at least Application, System and Security logs that have a level of Critical Error or Warning to an event management system.

6. Provisioning Steps

The following steps should be followed to provision each end user device onto the enterprise network to prepare it for distribution to end users:

  1. Configure the BIOS to disable unused hardware interfaces, enable Secure Boot (Windows 8 only), check the boot order to prioritise internal storage and set a password to prevent changes.

  2. Deploy the most recent version of EMET (4.0 at the time of writing) and configure it using Group Policy to implement Microsoft’s Maximum security settings profile.

7. Configuration Settings

The listed configurations below should be applied through Group Policy Management in addition to these standard Microsoft baselines that are distributed via the SCM tool:

  • Win8 Computer Security Compliance 1.0

  • Win8 User Security Compliance 1.0

  • IE10 Computer Security Compliance 1.0

  • IE10 User Security Compliance 1.0

Group Policy Value(s)
Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Require domain users to elevate when setting a network’s location Enabled
Computer Configuration > Policies > Administrative Templates > Network > Network Isolation > Proxy definitions are authoritative Enabled
Computer Configuration > Policies > Administrative Templates > Network > Network Isolation > Subnet definitions are authoritative Enabled
Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections Enabled
Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Protect all network connections Enabled
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security Enabled

Firewall state: On
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules Enabled

General > Action: Block the connection

Programs and Services > Programs > Application Packages: Apply to all programs and application packages

Programs and Services > Programs > Services: Apply to all programs and services

Advanced > Profiles: Domain, Private, Public

Advanced > Allow edge traversal: False
Computer Configuration > Policies > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon Enabled
Computer Configuration > Policies > Administrative Templates > System > Logon > Turn off picture password sign-in Enabled
Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings > Allow standby states (S1-S3) when sleeping (on battery) Disabled
Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings > Allow standby states (S1-S3) when sleeping (plugged in) Disabled
Computer Configuration > Policies > Administrative Templates > Windows Components > AutoPlay Policies > Disallow Autoplay for non-volume devices Enabled
Computer Configuration > Policies > Administrative Templates > Windows Components > AutoPlay Policies > Turn off Autoplay Enabled

Turn off Autoplay on: All Drives
Computer Configuration > Policies > Administrative Templates > Windows Components > Credential User Interface > Do not display the password reveal button Enabled
Computer Configuration > Policies > Administrative Templates > Windows Components > Portable Operating System > Windows To Go Default Startup Options Disabled
Computer Configuration > Policies > Administrative Templates > Windows Components > Tablet PC > Input Panel > Turn off password security in Input Panel Enabled

Turn off password security in Input Panel: High
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Configure Microsoft Active Protection Service Reporting Disabled
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Turn off Windows Defender Disabled
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting Enabled
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer > Always install with elevated privileges Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Disable changing Automatic Configuration settings Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Do not allow users to enable or disable add-ons Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Prevent bypassing SmartScreen Filter warnings Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Prevent changing proxy settings Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Prevent managing SmartScreen Filter Enabled

Select SmartScreen Filter Mode: On
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Prevent ignoring certificate errors Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page > Turn off encryption support Enabled

Secure Protocol combinations: Use SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Turn on certificate address mismatch warning Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > [All Zones] > Allow font downloads Disabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > [All Zones] > Scripting of Java applets Disabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > [All Zones] > Turn on Cross-Site Scripting (XSS) Filter Enabled

Turn on Cross-Site Scripting (XSS) Filter: Enable
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > [All Zones] > Turn on SmartScreen Filter scan Enabled

Use SmartScreen Filter: Enable
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Features > Do not display the reveal password button Enabled
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Toolbars > Turn off Developer Tools Enabled
Preferences > Windows Settings > Registry > Replace > HKLM\Software\Microsoft\Windows\CurrentVersion\ policies\system\SafeModeBlockNonAdmins 1
Computer Configuration > Policies > Administrative Templates > Turn off the Store application Enabled
Computer Configuration > Policies > Windows Settings > Application Control Policies > Appx Rules > Enforce rules of this type True

Deny Everyone All signed packaged apps
Exception: windows.immersivecontrolpanel, version 6.2.0.0 from Microsoft Corporation
Computer Configuration > Policies > Windows Settings > Application Control Policies > Dll Rules > Enforce rules of this type True

Allow Everyone: All DLLs located in the Program Files folder

Allow Everyone: All DLLs located in the Windows folder
Exception: %SYSTEM32%\catroot2\*
Exception: %SYSTEM32%\com\*
Exception: %SYSTEM32%\dmp\*
Exception: %SYSTEM32%\FxsTmp\*
Exception: %SYSTEM32%\powershell\*
Exception: %SYSTEM32%\Spool\*
Exception: %SYSTEM32%\Tasks\*
Exception: %SYSTEM32%\Tasks\Microsoft\Windows\*
Exception: %SYSTEM32%\Tasks\Microsoft\Windows\WCM\*
Exception: %WINDIR%\debug\*
Exception: %WINDIR%\debug\wia\*
Exception: %WINDIR%\pchealth\*
Exception: %WINDIR%\registration\*
Exception: %WINDIR%\tasks\*
Exception: %WINDIR%\temp\*
Exception: %WINDIR%\tracing\*

Allow Administrators: All DLLs
Computer Configuration > Policies > Windows Settings > Application Control Policies > Executable Rules > Enforce rules of this type True Allow Everyone: All files located in the Program Files folder

Allow Everyone: All files located in the Windows folder
Exception: %SYSTEM32%\catroot2\*
Exception: %SYSTEM32%\com\*
Exception: %SYSTEM32%\dmp\*
Exception: %SYSTEM32%\FxsTmp\*
Exception: %SYSTEM32%\powershell\*
Exception: %SYSTEM32%\Spool\*
Exception: %SYSTEM32%\Tasks\*
Exception: %SYSTEM32%\Tasks\Microsoft\Windows\*
Exception: %SYSTEM32%\Tasks\Microsoft\Windows\WCM\*
Exception: %WINDIR%\debug\*
Exception: %WINDIR%\debug\wia\*
Exception: %WINDIR%\pchealth\*
Exception: %WINDIR%\registration\*
Exception: %WINDIR%\tasks\*
Exception: %WINDIR%\temp\*
Exception: %WINDIR%\tracing\*
Exception: cscript.exe 5.8.0.0-* from Microsoft Corporation
Exception: wscript.exe 5.8.0.0-* from Microsoft Corporation
Exception: cmd.exe 6.2.0.0-* from Microsoft Corporation
Exception: ftp.exe 6.2.0.0-* from Microsoft Corporation
Exception: net.exe 6.2.0.0-* from Microsoft Corporation
Exception: net1.exe 6.2.0.0-* from Microsoft Corporation
Exception: netsh.exe 6.2.0.0-* from Microsoft Corporation
Exception: powershell.exe 6.2.0.0-* from Microsoft Corporation
Exception: powershell_ise.exe 6.2.0.0-* from Microsoft Corporation
Exception: reg.exe 6.2.0.0-* from Microsoft Corporation
Exception: regedit.exe 6.2.0.0-* from Microsoft Corporation
Exception: regedt32.exe 6.2.0.0-* from Microsoft Corporation
Exception: regini.exe 6.2.0.0-* from Microsoft Corporation

Allow Administrators: All DLLs
Computer Configuration > Policies > Windows Settings > Application Control Policies > Windows Installer Rules > Enforce rules of this type True

Allow Administrators: All Windows Installer files
Computer Configuration > Policies > Script Rules > Application Control Policies > Appx Rules > Enforce rules of this type True

Allow Administrators: All Scripts
CN=System > CN=Password Settings Container > CN=Granular Password Settings Users Precedence: 2

Enforce minimum password length: 9 characters

Enforce password history: 8

Password must meet complexity requirements: Enabled

Enforce maximum password age: 90 days

Enforce lockout policy: 5 attempts

Account will be locked out: Until an administrator manually unlocks the account

Directly Applies To: Domain Users
CN=System > CN=Password Settings Container > CN=Granular Password Settings Administrators Precedence: 1

Enforce minimum password length: 14 characters

Enforce password history: 24

Password must meet complexity requirements: Enabled

Enforce maximum password age: 42 days

Enforce lockout policy: 5 attempts

Account will be locked out: Until an administrator manually unlocks the account

Directly Applies To: Domain Admins

Protect from accidental deletion: Enabled

8. Enterprise Considerations

The following points are in addition to the common enterprise considerations and contain specific issues for Windows 7 and 8 deployments.

8.1 Secure Boot

The Windows 8 Secure Boot process alerts a user when an attempt to subvert the security controls has taken place. It is important that users know how to identify and respond to this alert.

8.2 Application Whitelisting

When configuring additional application whitelists for a Windows device, it is important that the following conditions are considered:

  • Users should not be allowed to run programs from areas where they are permitted to write files;

  • Care should be taken to ensure that application updates do not conflict with whitelisting rules;

  • Applications should be reviewed before being approved in the enterprise to ensure they don’t undermine application whitelisting. This is especially important for scripting languages which have their own execution environment.

8.3 Windows Live Accounts

Users should not enable personal, non-enterprise Microsoft ID (Live ID) accounts on the device as this may allow data to leak through Microsoft cloud services backup and application storage.

8.4 Third-party Application Updates

Windows Server Update Service (WSUS) can be used to deploy and update Microsoft products but cannot keep third-party products up to date unless they have a package in enterprise system management service.

Help us improve GOV.UK

Please don't include any personal or financial information, for example your National Insurance or credit card numbers.