This post summarizes hardening guides, security baselines, guidelines or standards for Windows 10.
List of Windows 10 Hardening Guides
This section summarizes some guides, guidelines, recommendations or baselines to harden Windows 10 endpoints:
- Microsoft Security Baselines
- CIS Benchmarks guides for Windows OS
- NIST Windows 10 STIG Checklist
- CCN-STIC guides for Windows OS
Microsoft Security Baselines
Microsoft Baselines are included in the Microsoft Security Compliance Toolkit (SCT). SCT replaced Security Compliance Manager (SCM).
To learn more about Microsoft and its security baselines, check this link.
To download Microsoft Security Compliance Toolkit (SCT):
aka.ms/sctdownload
After clicking on Download, check the file that corresponds to the Windows baseline you want to download (e.g. “Windows 10 version 21H2 Security Baseline.zip”). There are other files that do not correspond to Microsoft Baselines.
This zip file includes:
- GPO backups
- GPO reports
- Excel spreadsheets
- WMI filters
- Scripts to apply the settings to local policy
Some hints for using the baseline zip file:
- GPO Reports
  - GP Reports are located in the “GP Reports” folder of the zip file
  - They are HTML files describing the GPO templates available in this Windows 10 Security Baseline and the modifications each one applies
- Excel spreadsheets
  - Excel spreadsheets are located in the “Documentation” folder of the zip file
  - There is a large Excel file with the details of every configuration setting that is part of the baseline
- Policy Analyzer rules
  - The .PolicyRules file with the baseline GPOs is located in the “Documentation” folder of the zip file
  - A .PolicyRules file holds a set of GPO folders in a single file
  - Use the Policy Analyzer tool to compare the baseline GPOs with your own GPOs
- GPO backups
  - GPO backups are located in the “GPOs” folder of the zip file
  - GPO backups can be imported directly into Active Directory Group Policy along with corresponding WMI filters to apply policies to the correct machines.
  - The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv).
  - To take the place of SCM’s offline GPO-editing abilities, consider standing up an otherwise non-functional domain controller, importing Group Policy (.ADMX) templates as needed.
  - Right-click on a blank GPO and select “Import Settings…”. Select the “GPOs” folder and follow the wizard instructions.
- Scripts
  - Scripts are located in the “Scripts” folder of the zip file
  - They consist of .ps1 files that can be run from PowerShell
  - They are used to apply the configuration
- Templates
  - Templates are located in the “Templates” folder of the zip file
  - It includes Administrative Template files, with extensions .admx (language-neutral) and .adml (language-specific).
  - Import .admx files to the Central Store
  - Import .adml files to the corresponding language subfolder in the Central Store
- WMI Filters
  - WMI filters are located in the “WMI Filters” folder of the zip file
  - Some security baselines may have no WMI filters
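A way to review the GPO backups and stage the templates described above, as an added example that is not part of the original post or of the Microsoft package. The folder names come from the post; the function names, the `bkupInfo.xml` manifest layout, the language-named `.adml` subfolders and the sample paths are assumptions.

```powershell
# Added example, not from the baseline package. Folder names come from the post;
# function names and the layout details noted below are assumptions.

function Get-BaselineGpoBackup {
    # Read-only: list GPO backups so they can be reviewed before "Import Settings...".
    param([Parameter(Mandatory)][string]$BaselineRoot)    # folder the zip was extracted to
    Get-ChildItem -LiteralPath (Join-Path $BaselineRoot 'GPOs') -Directory | ForEach-Object {
        # Assumption: each backup is a {GUID} folder with a bkupInfo.xml manifest.
        $manifest = Join-Path $_.FullName 'bkupInfo.xml'
        if (Test-Path -LiteralPath $manifest) {
            $xml  = [xml](Get-Content -LiteralPath $manifest -Raw)
            $node = $xml.SelectSingleNode("//*[local-name()='GPODisplayName']")
            [pscustomobject]@{ BackupId = $_.Name; DisplayName = $node.InnerText }
        }
    }
}

function Copy-BaselineTemplate {
    # Stage .admx in the Central Store root and .adml in the matching language subfolder.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BaselineRoot,
        [Parameter(Mandatory)][string]$CentralStore       # your PolicyDefinitions folder
    )
    $files = Get-ChildItem -LiteralPath (Join-Path $BaselineRoot 'Templates') -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' }
    foreach ($file in $files) {
        $dest = $CentralStore
        if ($file.Extension -eq '.adml') {
            # Assumption: .adml files sit in a folder named after their language (e.g. en-US).
            $lang = $file.Directory.Name
            if ($lang -notmatch '^[A-Za-z]{2,3}-[A-Za-z0-9]{2,4}$') {
                Write-Warning "Skipping $($file.FullName): no language folder"
                continue
            }
            $dest = Join-Path $CentralStore $lang
        }
        if ($PSCmdlet.ShouldProcess((Join-Path $dest $file.Name), 'Copy template')) {
            New-Item -ItemType Directory -Path $dest -Force | Out-Null
            Copy-Item -LiteralPath $file.FullName -Destination $dest
        }
    }
}

# Dry run (constructed paths): shows what would be copied without writing anything.
# Copy-BaselineTemplate -BaselineRoot 'C:\Baselines\Win10-21H2' -CentralStore 'C:\Staging\PolicyDefinitions' -WhatIf
```

Run it with `-WhatIf` first: `Copy-Item` overwrites files of the same name, so a dry run shows whether existing templates in the Central Store would be replaced.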
Useful SCT tools:
- Policy Analyzer
  - Policy Analyzer is a lightweight utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies and can highlight the differences between versions or sets of Group Policies. It can also compare one or more GPOs against local effective state. You can export all its findings to a Microsoft Excel spreadsheet.
  - To compare GPOs or to export to Excel, take a look at Policy Analyzer, which has much richer abilities in both areas than SCM had. Policy Analyzer saves its data in XML files with a .PolicyRules file extension.
  - You can get more info about how to use Policy Analyzer in this post
- LGPO.exe
  - LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. It can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files and Policy Analyzer “.PolicyRules” XML files.
  - The more functional LGPO.exe replaces the LocalGPO.wsf tool that shipped with SCM. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCM’s .cab files are no longer supported.
  - More info about how to use LGPO.exe can be found here.
More info about SCT baselines and their transition from SCM can be found here and here.
Alongside the Windows 10 baselines, you may want to check other related Microsoft baselines available in SCT:
- Microsoft 365 Apps for Enterprise
- Microsoft Edge
- Windows Update
There is a Microsoft Security Baselines official community and an official blog.
CIS Benchmarks
CIS (Center for Internet Security) is a non-profit organization promoting protection against cyber threats. It is based in New York, USA.
There are CIS Benchmarks on different topics, including OS. You can find them on this link.
CIS Benchmarks relevant to Windows desktop can be found on this link.
NIST features CIS Benchmarks on its website.
NIST Windows 10 STIG Checklist
NIST Windows 10 STIG (Security Technical Implementation Guide) Checklist is a tool created to improve the security of USA Department of Defense (DoD) information systems. Nevertheless, it can be used in other organizations. It has been developed by the Defense Information Systems Agency.
As of August 2022, its latest version is Version 2, Release 4 (latest update on 8-Jun-2022). It can be downloaded from this link.
CCN-STIC Guides
CCN (National Cryptologic Center, from the Spanish Centro Criptológico Nacional) is a public organization of Spain, dependent on the CNI (National Intelligence Center, from the Spanish Centro Nacional de Inteligencia), the Spanish official intelligence agency.
CCN publishes a set of guides, referred to as CCN-STIC (from the Spanish Seguridad de las Tecnologías de Información y Comunicaciones), with guidelines and recommendations related to cybersecurity. They are oriented towards public administrations of Spain and their collaborating citizens or organizations.
CCN-STIC guides are grouped in series. The existing series are listed on this link.
The 500 guide series is related to Windows environments, and can be found on this link.
Guides relevant to Windows desktop:
- CCN-STIC-522A Windows 7 (domain client)
- CCN-STIC-522B Windows 7 (independent client)
- CCN-STIC-559A Windows 10 (domain member client) group contains:
  - CCN-STIC-559A Windows 10 Security (domain member client)
  - CCN-STIC-599A18 Windows 10 Enterprise LTSB Security (domain member client)
    - 599A18
    - 599A18 ENS – Annex A
    - 599A18 ENS – Annex A – Preconfigured Device
    - 599A18 ENS – Annex A – Scripts
    - 599A18 ENS – Annex B [restricted to registered users]
    - 599A18 ENS – Annex B – Scripts [restricted to registered users]
    - 599A18 ENS – Annex B – Preconfigured Device [restricted to registered users]
  - CCN-STIC-599A19 “Windows 10 Enterprise (domain member client)”
- CCN-STIC-599B Windows 10 (independent client) group contains:
  - CCN-STIC-559B Windows 10 Security (independent client)
  - CCN-STIC-599B18 Windows 10 Security (independent client)
  - CCN-STIC-599B19 “Windows 10 Secure Settings (independent client)”
A different annex applies depending on the scenario:
- CCN-STIC-599A18
  - A: Pro/Enterprise in ENS
  - B: LTSC in classified networks
- CCN-STIC-599A19
  - A: LTSC in ENS
  - B: LTSC in classified networks
  - C: Pro/Enterprise in ENS
  - D: Pro/Enterprise in classified networks