Alternate format: Microsoft Windows 7 Enterprise Edition hardening configuration guidance (ITSB-110) (PDF, 58 KB)
1 Purpose
This document provides guidance for deploying Microsoft Windows 7 Enterprise Edition operating system (OS) (i.e., Windows 7) in a manner that will best prevent compromise of Government of Canada (GC) IT assets and infrastructures in a generic internet-facing Protected B environment. It is intended for use by information system practitioners, security practitioners, and security assessment and authorization authorities who are collectively responsible for departmental networking risk management.
2 Impact
Many GC departments have deployed, or are in the process of deploying, Windows 7 as their primary OS. However, sub-optimal configurations of these newer OSs still present a number of security risks, leaving organizations’ IT assets and infrastructure susceptible to compromise.
2.1 Considerations
Implementing one of the configuration guides recommended below, without further considering the design and security requirements of the complete departmental enterprise architecture, will not provide the required level of security assurance for a Protected B environment. As part of the risk management activities, continuous monitoring is required to ensure the effectiveness of any implemented security controls.
Before selecting the most appropriate configuration strategy for the specific environment, it is recommended that departments review their respective Threat and Risk Assessment (TRA) that takes into account departmental operational, business and security needs as well as the organization’s security posture.
3 Mitigation Strategies
Select and implement a Windows 7 baseline configuration as proposed by one of several reputable standards organizations. CSE has identified three standards organizations that have developed and published appropriate guides. These organizations and their respective configuration guides are listed below:
- Center for Internet Security (CIS) - Microsoft Windows 7 Benchmark.
- National Institute of Standards and Technology (NIST) - United States Government Configuration Baseline Windows 7.
- Defense Information Systems Agency (DISA) - Windows 7 Security Technical Implementation Guide (STIG).
Each organization provides prescriptive guidance for establishing a secure configuration posture for Windows 7. By applying one of these three guidance options, and by giving due consideration to their TRA, departments will be able to risk manage Windows 7 for use in their Protected B environment.
4 Implementation
After selecting a baseline configuration, departments should further tailor the Windows 7 hardening configuration to counter any specific vulnerabilities or threats identified in the TRA of their IT networks. The TRA findings may indicate the need to apply additional settings or to alter some of the recommended settings.
4.1 Windows 7 Security Features and Tools
To further satisfy a risk mitigation strategy, there are additional security features and tools that are either native to Windows 7 or available as a free download from Microsoft. The following Windows 7 security features are recommended in this bulletin:
- BitLocker is a Cryptographic Module Validation Program (CMVP)-validated full-disk encryption feature that provides the capability to protect data at rest in the Windows 7 environment from offline attacks or malicious boots from another OS. To encrypt GC data, BitLocker must be configured in Federal Information Processing Standards (FIPS) mode. The encryption of any GC information using CMVP modules outside of FIPS mode is not recommended by CSE;
- Enhanced Mitigation Experience Toolkit (EMET) is a utility that can prevent the exploitation of vulnerabilities in software found on legacy and third-party applications. The mitigation techniques employed include data execution prevention, structured exception handler overwrite protection, and anti-return oriented programming;
- AppLocker is an extension of Microsoft’s earlier Software Restriction Policy feature that provides flexible definition options for application whitelisting;
- Microsoft’s Security Compliance Manager (SCM) is a tool that can be used to create a security baseline of registry settings for a given Windows OS. SCM does not deploy the baseline, but it can export the baseline to a Group Policy format for deployment across the domain.
- Microsoft’s Desired Configuration Manager (DCM) is a feature that can be used to assess the compliance of a Windows host against a desired baseline (imported from SCM). Compliance verification can include OS version, application configuration, updates, and other security settings.
- Microsoft Office Isolated Conversion Environment (MOICE) is a feature added to the Microsoft Office Compatibility Pack to more securely open Word, Excel, and PowerPoint binary files included as attachments in e-mails.
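The BitLocker item above requires FIPS mode for GC data. The following PowerShell audit is an added example, not part of the original bulletin or any Microsoft tool; it reads the Windows FIPS policy value and the BitLocker WMI provider on a Windows 7 host, and the function names are hypothetical. It assumes an elevated PowerShell 2.0 or later session.

```powershell
# Added example: audit the "BitLocker in FIPS mode" requirement on one host.
# Function names are illustrative; run from an elevated prompt.

function Get-FipsPolicyState {
    # "System cryptography: Use FIPS compliant algorithms" security option
    # (registry location used by Windows Vista and later).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $prop = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($prop -ne $null -and $prop.Enabled -eq 1)
}

function Get-BitLockerVolumeState {
    # Win32_EncryptableVolume is the BitLocker WMI class; Windows 7 has no
    # Get-BitLockerVolume cmdlet, so WMI is queried directly.
    $ns   = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $vols = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                          -ErrorAction SilentlyContinue
    foreach ($v in $vols) {
        $conv = $v.GetConversionStatus()
        New-Object PSObject -Property @{
            Drive            = $v.DriveLetter
            ProtectionOn     = ($v.ProtectionStatus -eq 1)   # 1 = protection on
            FullyEncrypted   = ($conv.ConversionStatus -eq 1) # 1 = fully encrypted
            PercentEncrypted = $conv.EncryptionPercentage
        }
    }
}

function Test-BitLockerFipsCompliance {
    $fips    = Get-FipsPolicyState
    $volumes = @(Get-BitLockerVolumeState)
    if ($volumes.Count -eq 0) {
        Write-Warning 'No BitLocker-capable volumes reported (not elevated, or feature absent).'
    }
    foreach ($vol in $volumes) {
        # A volume passes only if the FIPS policy is on AND the volume is
        # fully encrypted with protection enabled (not suspended).
        $ok = $fips -and $vol.ProtectionOn -and $vol.FullyEncrypted
        New-Object PSObject -Property @{
            Drive       = $vol.Drive
            FipsPolicy  = $fips
            Protected   = $vol.ProtectionOn
            Encrypted   = $vol.FullyEncrypted
            Compliant   = $ok
        }
    }
}

Test-BitLockerFipsCompliance | Format-Table Drive, FipsPolicy, Protected, Encrypted, Compliant -AutoSize
```

A volume reported with `Protected` false but `Encrypted` true typically has BitLocker suspended, which leaves the key exposed on disk and should be treated as non-compliant.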
4.2 Consequences of Deploying Default OS Configuration
Deploying Windows 7 with an updated configuration provides the opportunity to leverage a robust suite of features that will improve the security posture of the GC. However, deploying Windows 7 in its default (out-of-the-box) configuration could lead to the compromise of department IT assets.
5 Summary
Risk managing Windows 7 in a Protected B environment will require executing a comprehensive TRA and selecting a mitigation strategy that implements continuous monitoring as a component. Using one of the aforementioned CSE-recommended Windows 7 configuration guides, and additional security features and tools, will provide departments with a baseline from which to build a tailored security solution.
Implementing a solution that will reduce the risk to an acceptable level requires consideration of the design and security requirements of the complete departmental enterprise architecture.
6 Contacts and Assistance
ITS Client Services
Telephone: 613-991-7654
E-mail: itsclientservices@cse-cst.gc.ca
© Her Majesty the Queen in Right of Canada, as represented by the Minister of the Communications Security Establishment, 2014.