Qualys Blog

www.qualys.com
Shounak Itraj

Top 5 New Settings in Security Compliance Manager for Windows 10

Most organizations enforce system configuration policies to reduce the chance of misconfiguration and improve their overall security posture. For Microsoft Windows systems, many organizations rely on guidance from Microsoft Security Compliance Manager (SCM) for proper configuration. For organizations deploying Windows 10, this Top 5 list helps you understand and implement the new settings introduced in SCM for Windows 10.

As an engineer on the Qualys Policy Compliance product team, I routinely compare compliance benchmarks, and have compiled this list based on my work. If you are already familiar with previous versions of Windows, this blog post can help you quickly adopt the new changes.

Controls (represented by Control IDs or CIDs) are the building blocks of the policies in Qualys Policy Compliance used to measure and report compliance for a set of hosts. For each of the Top 5 in this article, we include the CID that allows you to build policies to measure and report compliance for that new setting.

Microsoft Edge Browser

The first four of the Top 5 New Settings are for the Edge browser, which Microsoft launched with Windows 10.

1) Disable Password Manager (Qualys CID – 10383)

The path to the setting is: Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge.

This setting lets you decide whether users can save their passwords locally using Password Manager. Enabling the setting, or not configuring it, lets your users use Password Manager. Disabling this setting stops users from using Password Manager.

Disable Password Manager (screenshot)

  • Microsoft recommends disabling this setting.
  • Default: Not Configured
  • Recommended: Disabled

2) Disable the SmartScreen Filter (Qualys CID – 10385)

The path to this setting is: Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge

This setting lets you decide whether to enable the SmartScreen filter. The SmartScreen filter displays warning messages to help protect your users from phishing scams and malicious software.

Disable the SmartScreen Filter (screenshot)

Enabling this setting, or not configuring it, turns on the SmartScreen filter; disabling this setting turns off the SmartScreen filter.

  • Microsoft recommends enabling this setting.
  • Default: Not Configured
  • Recommended: Enabled

3) Prohibit SmartScreen Filter Warning Overrides (Qualys CID – 10379)

The path to this setting is: Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge

This setting lets you decide whether the users can override the SmartScreen filter warnings about potentially malicious websites.

Prohibit SmartScreen Filter Warning Overrides (screenshot)

Enabling this setting stops users from ignoring the SmartScreen filter warnings and blocks them from going to the site. Disabling or not configuring this setting lets users ignore the SmartScreen filter warnings about potentially malicious websites and lets them continue to the site.

  • Microsoft recommends enabling this setting.
  • Default: Not Configured
  • Recommended: Enabled

4) Prohibit SmartScreen Filter Warning Overrides for Unverified Files (Qualys CID – 10380)

The path to this setting is: Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge

This setting lets you decide whether the users can override the SmartScreen filter warnings about downloading unverified files.

Prohibit SmartScreen Filter Warning Overrides for Unverified Files (screenshot)

Enabling this setting stops users from ignoring the SmartScreen filter warnings and blocks them from downloading unverified files. Disabling or not configuring this setting lets users ignore the SmartScreen filter warnings about unverified files and lets them continue the download.

  • Microsoft recommends enabling this setting.
  • Default: Not Configured
  • Recommended: Enabled

4-½) Additional Edge Settings

In addition to the critical new SCM settings for the Microsoft Edge browser on Windows 10 above, organizations should also review the settings below:

  • Configure corporate Home pages: This setting lets you configure your corporate Home pages for domain-joined devices.
  • Turn off InPrivate browsing: This setting lets you decide whether users can browse using InPrivate website browsing.
  • Configure Cookies: This setting lets you configure how your company deals with cookies. Enabling this setting lets you choose one of:
    • Allow all cookies (default)
    • Block only 3rd-party cookies
    • Block all cookies
  • Allow employees to send Do Not Track headers: This setting lets you decide whether users can send Do Not Track headers to websites that request tracking info.
  • Send all intranet sites to Internet Explorer 11: This setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.

Virtualization-Based Security with Credential Guard

The last of the Top 5 New Settings is for Virtualization-based Security with Credential Guard.

Credential Guard is another new feature Microsoft introduced in Windows 10: a virtualization-based feature designed to protect against credential theft. Previous Windows versions relied on the Local Security Authority process (“LSASS.EXE”) to hold credential material in memory. With Windows 10 and Credential Guard, that material is isolated in a protected environment backed by Hyper-V, an approach known as “virtualization-based security”. Credential Guard blocks access by untrusted programs even if they have full administrative access to the operating system.

Microsoft’s definition of Credential Guard:

Credential Guard is the ability to store derived credentials (i.e. NTLM hashes and Kerberos tickets) and the process that manages them (i.e. Local Security Authority Subsystem Service (LSASS)) in a secured isolated container which uses Hyper-V and virtualization based security (VBS) for additional protections.

5) Enable Virtualization-Based Security with Credential Guard

Virtualization-based security can be enabled via Group Policy or the Registry, and Credential Guard should then be configured on top of it. It is also recommended to deploy a Code Integrity Policy.

Using Group Policy: The path of the setting is Computer Configuration\Administrative Templates\System\Device Guard.

This setting specifies whether virtualization-based security is enabled.

Enable Virtualization-Based Security with Credential Guard (screenshot)

Virtualization-based security uses the Windows hypervisor to provide support for security services. It requires Secure Boot, and can optionally be enabled with DMA protection. DMA protection requires hardware support and will only be enabled on correctly configured devices. This setting also enables virtualization-based protection of Kernel Mode Code Integrity: when it is enabled, kernel-mode memory protections are enforced and the Code Integrity validation path is protected by the virtualization-based security feature.

Using the Registry: You can also enable Credential Guard security using the Registry.

  1. Open Registry Editor (using command regedit)
  2. Enable virtualization-based security:
    1. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
    2. Add a new DWORD value named EnableVirtualizationBasedSecurity. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. (Qualys CID – 10472)
    3. Add a new DWORD value named RequirePlatformSecurityFeatures. Set the value of this registry setting to 1 to use Secure Boot only or set it to 3 to use Secure Boot and DMA protection. (Qualys CID – 10475)
  3. Enable Credential Guard:
    1. Go to HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
    2. Add a new DWORD value named LsaCfgFlags. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. (Qualys CID – 10473)
  4. Close Registry Editor

Credential Guard Configuration: This setting lets you turn on Credential Guard with virtualization-based security to help protect credentials. The options are:

  • The “Disabled” option turns off Credential Guard remotely if it was previously turned on with “Enable without lock” option.
  • The “Enable with UEFI lock” option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to “Disabled” as well as remove security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
  • The “Enable without lock” option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).
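The following PowerShell audit script is an added example, not part of the Qualys post or product: it reads the registry values behind the four Edge settings and the three DeviceGuard values listed in the Registry procedure above, reports PASS/FAIL per Qualys CID, and then checks whether VBS and Credential Guard are actually running. The DeviceGuard keys and values are those given above; the Edge key and value names (under HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge) are assumed from the Edge (legacy) ADMX templates and should be verified against your own ADMX version.

```powershell
# Added audit script (not from the Qualys post). The Edge key and value names are
# assumed from the Edge (legacy) ADMX: Group Policy writes them under
# HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge. The DeviceGuard values are as listed above.
$checks = @(
    @{ CID = 10383; Setting = 'Disable Password Manager'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
       Value = 'FormSuggest Passwords'; Expected = @('no') },
    @{ CID = 10385; Setting = 'SmartScreen Filter enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
       Value = 'EnabledV9'; Expected = @(1) },
    @{ CID = 10379; Setting = 'Prohibit SmartScreen overrides (sites)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
       Value = 'PreventOverride'; Expected = @(1) },
    @{ CID = 10380; Setting = 'Prohibit SmartScreen overrides (unverified files)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
       Value = 'PreventOverrideAppRepUnknown'; Expected = @(1) },
    @{ CID = 10472; Setting = 'Virtualization-based security enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
       Value = 'EnableVirtualizationBasedSecurity'; Expected = @(1) },
    @{ CID = 10475; Setting = 'Secure Boot (1) or Secure Boot + DMA protection (3)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
       Value = 'RequirePlatformSecurityFeatures'; Expected = @(1, 3) },
    @{ CID = 10473; Setting = 'Credential Guard with UEFI lock (1) or without lock (2)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
       Value = 'LsaCfgFlags'; Expected = @(1, 2) }
)

foreach ($c in $checks) {
    # A missing key or value means "Not Configured", which is the non-compliant
    # default for every setting on this list, so it is reported as FAIL.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $pass   = ($null -ne $actual) -and ($actual -in $c.Expected)
    $status = if ($pass) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        CID     = $c.CID
        Setting = $c.Setting
        Actual  = $actual
        Status  = $status
    }
}

# Configured is not the same as running: VBS and Credential Guard also need Secure Boot
# and hardware support, so confirm the live state from the Win32_DeviceGuard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VBSRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = enabled and running
    CredentialGuardRunning = (1 -in $dg.SecurityServicesRunning)            # 1 = Credential Guard
}
```

Run it in an elevated PowerShell session on the Windows 10 host being audited; a FAIL for CID 10475 or 10473 alongside VBSRunning = False usually points at missing Secure Boot or hardware support rather than at the policy itself.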

Code Integrity Policy: This policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on it; with the policy deployed, Windows restricts what can run in both kernel mode and on the Windows desktop.

Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible.

More information: Credential Guard Security.
