It's time to start locking down Windows 10 with reasonable desktop security standards as the OS becomes more common in the enterprise.
Windows 10 is relatively secure out of the box, but Microsoft can only do so much to provide IT with the security measures it needs. As a result, it's up to IT to ensure that it is taking full advantage of the Windows 10 security settings available to it and properly implementing and managing them.
Windows 10 endpoints will never truly be 100% secure or compliant, but organizations can get pretty close if IT doesn't overlook the details.
Find the weak spots
It pays to figure out where Windows 10 is vulnerable. IT can use tools such as Rapid7's Nexpose and Nessus Vulnerability Scanner to run vulnerability scans. The scans can uncover shortcomings in Windows 10 security settings, such as weak passwords, missing patches for both Windows and third-party software, unprotected network shares and third-party software IT may not know about or support.
Run the scans both with and without user authentication -- preferably with domain administrator or local administrator credentials. Vulnerability scanners can even uncover rogue or misconfigured Windows 10-based systems that might not belong on certain network segments. A network analyzer that monitors and tracks specific endpoints can also provide insight into what the OS, applications and end users are doing. Look for technical security vulnerabilities that point to gaps in security standards and policies, and fine-tune those standards and policies accordingly.
Become friends with Security Compliance Manager
A solid next step is to look at the actual Windows 10 configurations. Many people are unaware of Microsoft's Security Compliance Manager (SCM). SCM is a great resource for establishing Windows 10 security settings baselines. There are also similar security hardening resources from the Center for Internet Security and the Defense Information Systems Agency.
Better base configurations combined with better visibility and control let IT professionals develop and evolve Windows 10 desktop security standards. They can also help them ensure that users adhere to security policies.
What else should IT be on the lookout for?
To identify even more potential Windows 10 security settings issues, IT should turn to an in-house or third-party security team to do a formal security assessment. The assessment provides a broader view of what's happening at the desktop level by looking at the organization's usage patterns, network management and monitoring, and so on. IT can then assess any operations-related gaps that often introduce risks.
Some common areas of weakness in Windows 10 security settings in this context include:
- workflows involving cloud applications;
- homegrown client/server applications;
- third-party software, including what IT permits users to do in terms of handling or saving corporate information within this software;
- cloud access security brokers;
- backups and retention; and
- standard Windows logs that IT can manage with Group Policy Objects (GPOs), as well as more niche areas involving both local and network-based malware protection.
IT can also run into trouble if it does not use security information and event management to get an overview of all the data sources and trends in an organization, or web content filtering to prevent threats.
Additional opportunities for improving Windows 10 security settings include:
- standardizing on one web browser;
- adopting data loss prevention strategies;
- using unified endpoint management to secure users' devices;
- ensuring full-disk encryption -- a feature IT should enable on all computers;
- implementing enterprise-grade malware protection that minimizes the risk of infection and the associated consequences; and
- supporting privacy management -- something that not only affects users but can protect the organization as well. Check out what Spybot Anti-Beacon can disable in terms of Windows 10 privacy settings.
Keep in mind that certain additional Windows 10 security settings are not available without Windows Server 2016. Security features such as importable GPOs and custom ADMX files are all exclusive to the latest Windows 10 security.
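As a complement to a full vulnerability scan and a published baseline, IT can spot-check a single endpoint for several of the items named above: full-disk encryption, malware protection, patch age, open network shares, local accounts without a password and Security log size. The PowerShell script below is an added example, not code from this article or from Microsoft; its thresholds are constructed placeholders rather than values from any published baseline, and it assumes an elevated session on an English-language Windows 10 build.

```powershell
#Requires -RunAsAdministrator
# Added example: local spot check of settings this article names.
# Thresholds are constructed placeholders, NOT Microsoft, CIS or DISA values.
$Baseline = @{ MaxPatchAgeDays = 35; MinSecurityLogBytes = 192MB }

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" })
}

# Full-disk encryption: BitLocker protection must be On for the OS volume.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Check 'Full-disk encryption' ($vol.ProtectionStatus -eq 'On') "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
} catch { Add-Check 'Full-disk encryption' $false $_.Exception.Message }

# Malware protection: Defender only; a third-party product needs its own check.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Check 'Malware protection' $mp.RealTimeProtectionEnabled "signature age $($mp.AntivirusSignatureAge) day(s)"
} catch { Add-Check 'Malware protection' $false 'Defender status unavailable' }

# Patches: age of the newest Windows hotfix (third-party software is not covered).
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age  = if ($last) { ((Get-Date) - $last.InstalledOn).Days } else { $null }
Add-Check 'Windows patches' ($null -ne $age -and $age -le $Baseline.MaxPatchAgeDays) "last hotfix $($last.HotFixID), $age day(s) ago"

# Network shares: flag non-administrative shares that allow Everyone or anonymous access.
# Account names are localized; these are the English forms (assumption).
$open = Get-SmbShare -Special $false | ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.AccountName -in 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON' }
Add-Check 'Network shares' (-not $open) (($open.Name | Sort-Object -Unique) -join ', ')

# Weak passwords: enabled local accounts that are allowed to have no password.
$noPw = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
Add-Check 'Local accounts require a password' (-not $noPw) ($noPw.Name -join ', ')

# Windows logs: Security log large enough to retain useful history.
$log = Get-WinEvent -ListLog Security
Add-Check 'Security event log size' ($log.MaximumSizeInBytes -ge $Baseline.MinSecurityLogBytes) "$([int]($log.MaximumSizeInBytes / 1MB)) MB, mode $($log.LogMode)"

$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit for management tooling
```

A failed check here is a prompt to look at the GPO or management policy that should have set the value, not a replacement for the scanner and baseline tools discussed earlier.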