Mimicking the DEFCON levels, Microsoft has unveiled the “SECCON Framework”, a generic Windows 10 Security Configuration Framework. The framework helps standardize the basic security settings that should be applied to Windows 10 systems. It consists of a series of guides that help secure a range of Windows 10 configurations in diverse environments.
Windows 10 Security Configuration Framework or SECCON Framework
Chris Jackson, Principal Program Manager at Microsoft, said:
We sat down and asked ourselves this question: if we didn’t know anything at all about your environment, what security policies and security controls would we suggest you implement first?
The result is what Microsoft has named the SECCON framework. Ranging from an “Administrator workstation” at level 1 up to “Enterprise security” at level 5, the Windows 10 security configuration framework is Microsoft’s effort to simplify and standardize security configuration on Windows 10. It isn’t a universal solution, but rather a simplified configuration that enterprise users can apply to many common device configurations and scenarios.
The five levels in Windows 10 security configuration framework
Microsoft defines the Windows 10 security configuration framework for enterprises in 5 levels based on “Common Device Scenarios”: Enterprise Security, Enterprise High Security, Enterprise VIP Security, DevOps Workstation, and Administrator Workstation, Levels 5 to 1 respectively.
Here, lower numbers indicate a higher degree of security hardening. The 5 levels in the Windows 10 Security Configuration Framework are:
- Level 5: Enterprise Security
- Level 4: Enterprise High Security
- Level 3: Enterprise VIP Security
- Level 2: DevOps workstation
- Level 1: Administrator Workstation
Let’s briefly explain each of these security levels:
1] Level 5 – Enterprise Security:
Enterprise Security, or Level 5, is the minimum security configuration for an enterprise device. This level contains recommendations that are generally straightforward and designed to be deployed within 30 days. Read more about this level in the Microsoft Docs.
2] Level 4 – Enterprise High Security:
This configuration is recommended for devices where users need to access confidential or sensitive information. Some of these controls can impact app compatibility and therefore often go through an audit-configure-enforce workflow. According to Microsoft, the recommendations for Level 2 are accessible to administrators, and the configurations can be deployed within 90 days. Read more about this level in the Microsoft Docs.
3] Level 3 – Enterprise VIP Security:
This level is aimed specifically at devices run by organizations with a larger or more sophisticated security team, or at specific users or groups who are at unusually high risk. An organization that is likely to be targeted by well-funded and sophisticated adversaries should pursue this configuration. Deploying this set of configurations can be complex and often takes more than 90 days. Read more about this level in the Microsoft Docs.
4] Level 2 – DevOps workstation:
Microsoft recommends this configuration for developers and testers, who are an attractive target because they work on systems holding high-value data or running critical business functions. This level is still under development, and Microsoft will make an announcement as soon as it is ready. Read more about this level in the Microsoft Docs.
5] Level 1 – Administrator Workstation:
Administrator Workstation, or Level 1 in the Windows 10 Security Configuration Framework (SECCON), is designed for administrators who “face the highest risk, through data theft, data alteration, or service disruption.” Like Level 4, this level is also under development, and Microsoft will make an announcement as soon as it is ready. Read more about this level in the Microsoft Docs.
Security Control Classification
Owing to the risk levels associated with each device type, the Windows 10 security configuration framework is more restrictive in the lower levels. Recommendations for each level are divided into 3 categories:
- Policies: These recommend configuring certain security policies on devices, such as a minimum password length, password complexity requirements, disabling guest accounts, certain firewall rules, or limiting certain rights to specific user groups.
- Controls: This group recommends the use of specific security features or applications. For example, Level 5 controls advise configuring Windows Defender features such as Application Guard or Credential Guard and making Microsoft Edge the default browser.
- Behaviors: This group defines security processes such as installing security updates within a specific period after release, or removing as many users as possible from the administrators group.
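The three categories above are easier to reason about when you can see how a device actually measures up against them. The following read-only audit script is an added example, not code from Microsoft or from the SECCON draft: it checks one or two settings from each category (Policies: password length and complexity, Guest account, firewall profiles; Controls: Credential Guard and Application Guard; Behaviors: Administrators group membership and patch age) and reports pass/fail per check. The thresholds ($MinPasswordLength, $MaxPatchAgeDays, $MaxLocalAdmins) are illustrative assumptions, not values taken from the framework; run it in an elevated PowerShell session.

```powershell
# Added example (not Microsoft's code): read-only audit mapped to the SECCON
# "Policies", "Controls" and "Behaviors" categories. Thresholds below are
# assumptions for illustration only, not values from the SECCON draft.
$MinPasswordLength = 14   # assumed
$MaxPatchAgeDays   = 30   # assumed
$MaxLocalAdmins    = 2    # assumed: user accounts allowed in local Administrators

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Category, [string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Helper: pull an integer value out of the secedit-exported security template.
function Get-SecPolValue {
    param([string[]]$Lines, [string]$Name)
    $line = $Lines | Where-Object { $_ -match "^$Name\s*=\s*(\d+)" } | Select-Object -First 1
    if ($line -and $line -match '=\s*(\d+)') { return [int]$Matches[1] }
    return $null
}

# --- Policies: password length / complexity (local security policy export) ---
$template = Join-Path $env:TEMP 'seccon-audit.inf'
secedit /export /cfg $template /quiet | Out-Null
$secPolicy = Get-Content $template
Remove-Item $template -ErrorAction SilentlyContinue

$minLen     = Get-SecPolValue -Lines $secPolicy -Name 'MinimumPasswordLength'
$complexity = Get-SecPolValue -Lines $secPolicy -Name 'PasswordComplexity'
Add-Finding 'Policies' 'Minimum password length' ($minLen -ge $MinPasswordLength) "configured=$minLen required>=$MinPasswordLength"
Add-Finding 'Policies' 'Password complexity'     ($complexity -eq 1)               "PasswordComplexity=$complexity"

# --- Policies: Guest account disabled ---
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Finding 'Policies' 'Guest account disabled' (-not $guest -or -not $guest.Enabled) "Enabled=$($guest.Enabled)"

# --- Policies: firewall enabled on every profile ---
$profilesOff = Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name
Add-Finding 'Policies' 'Firewall on all profiles' (-not $profilesOff) "disabled profiles: $($profilesOff -join ', ')"

# --- Controls: Credential Guard running (SecurityServicesRunning contains 1) ---
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
Add-Finding 'Controls' 'Credential Guard running' $credGuard "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"

# --- Controls: Windows Defender Application Guard feature enabled ---
$wdag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
Add-Finding 'Controls' 'Application Guard enabled' ($wdag.State -eq 'Enabled') "State=$($wdag.State)"

# --- Behaviors: keep the local Administrators group small ---
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$adminUsers = @($admins | Where-Object ObjectClass -eq 'User')
Add-Finding 'Behaviors' 'Local admin user count' ($adminUsers.Count -le $MaxLocalAdmins) ($adminUsers.Name -join ', ')

# --- Behaviors: a security update installed within the expected window ---
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }
Add-Finding 'Behaviors' 'Recent update installed' ($null -ne $ageDays -and $ageDays -le $MaxPatchAgeDays) "latest=$($latest.HotFixID) ageDays=$ageDays"

# Report: one row per check; a failing row points at the category to work on first.
$findings | Format-Table Category, Check, Pass, Detail -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host "Checks failed: $failed of $($findings.Count)"
```

The script only reads state and never changes anything, which matches the "audit" stage of the audit-configure-enforce workflow the article mentions; feed the failing rows into your configuration tooling rather than remediating inline. Note that secedit /export, Get-LocalGroupMember and Get-WindowsOptionalFeature all need an elevated session, and the Credential Guard check relies on the documented meaning of value 1 in SecurityServicesRunning.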
Microsoft says this is a draft version and that it is gathering feedback from organizations looking to implement a device security tightening program. You can read the draft here.