Different Recommendations to Choose From
One of the most important requirements for organizations that wish to use Microsoft Intune is the security baseline of the device. In the UK, the National Cyber Security Centre (NCSC), is a government entity that provides recommendations to help companies gain status such as the Cyber Essentials Plus certification.
However, I was tasked recently by a client with ensuring Windows desktops are secured using benchmarks provided by the Center for Internet Security (CIS) – an independent, non-profit organization based in the United States.
Many customers ask about the differences between the guidance provided by NCSC, CIS, and Microsoft’s pre-configured security baselines for Intune. In this article, I explain the guidance from each organization, while providing a gap analysis between the baselines.
To begin with, the CIS Microsoft Intune for Windows 10 Release 2004 Benchmark was released on May 18, 2021. The first thought many will have, is that this latest CIS benchmark is for an OS that is now out of support as of December 14, 2021. Although many aspects of this benchmark are still relevant to later versions of Windows 10 (it was last updated in May of 2021), there have been no updates to reflect versions past 2004 or Windows 11.
It should be noted that the benchmark is a little difficult to access. The first step is to fill out a form, and after a couple of hours (in my case) you will receive an email with a list of different CIS Benchmarks. The benchmarks themselves come in PDF format, and the document for Windows 10 and Intune is over one thousand pages. Within the document there are Policy Definitions that provide IT admins options for configuring Intune to various levels of security. The options are:
- Level 1 (L1) – Corporate/Enterprise Environment (general use)
- Level 1 (L1) + BitLocker (BL)
- Level 1 (L1) + Next Generation Windows Security (NG)
- Level 1 (L1) + BitLocker (BL) + Next Generation Windows Security (NG)
- Level 2 (L2) – High Security/Sensitive Data Environment (limited functionality)
- Level 2 (L2) + BitLocker (BL)
- Level 2 (L2) + Next Generation Windows Security (NG)
- Level 2 (L2) + BitLocker (BL) + Next Generation Windows Security (NG)
- BitLocker (BL) – optional add-on for when BitLocker is deployed
- Next Generation Windows Security (NG) – optional add-on for use in the newest hardware and configuration environments
In terms of the recommendations, the benchmark is highly informative. Each recommendation typically contains the following information:
- Profile Applicability
- CIS Controls
However, the implementation of the CIS benchmark is painful. Very painful. For the purposes of this article, I created three Microsoft 365 tenants with Office 365 E5 licenses and configured a benchmark on each tenant. Completing just Level 1 with BitLocker of the CIS benchmark took a couple of evenings to finish, so my opinion could be clouded by the fact that working with these recommendations requires a substantial time commitment.
CIS Policy Highlights and Lowlights
The positives of implementing the CIS Microsoft Intune for Windows 10 benchmarks:
- Extremely thorough investigation with details, providing admins with the exact reasons why to apply each listed setting.
- The Level 2 + BitLocker + Next Generation Windows Security, specifically, is a very thorough baseline. It’s intended for highly secure locations such as government facilities, or for extremely sensitive/secret departments.
The negatives of implementing the CIS Microsoft Intune for Windows 10 benchmarks are:
- It takes an exceptionally long time to implement the baseline with no importable JSON or PowerShell scripts to ease the implementation.
- You potentially run into the instance of laptops being “overprotected,” which could influence user productivity if Level 2 protection is enabled.
- By CIS’ own admission, Level 2 protection “may negatively inhibit the utility or performance of the technology and limit the ability of remote management/access.”
- The latest guidance is for Windows 10 2004, which is now out of support.
- If there are any future changes (minor or major) to the CIS benchmark, it could possibly make things more difficult to update, especially if you need to scan another 1000-page document.
The National Cyber Security Centre supports UK organizations by being a single point of contact for security issues that affect SMEs, large organizations, and government agencies. Like the Center for Internet Security (CIS), they provide guidance for configuring Windows 10 for Intune and their Intune guide is available online.
The guidance on GitHub suggests that the NCSC’s guidance may be better suited to government or medium/large organizations, but I would suggest that even small businesses consider implementing these policies.
Following the same process for the CIS benchmark policies, I created another demo tenant, applied the NCSC policies, and found that the task of implementing the policies was a painless exercise. In the past, I have found that the NCSC policies caused many conflicts with other policies which resulted in failures, but this time, all the policies succeeded without the need to update anything. Figure 1 shows a summary of the NCSC policies assigned to a Windows 10 device:
As with the CIS benchmark part of this article, the Microsoft Secure Score for Device on this tenant is a lofty 82.04%, which I think is a great score. Microsoft recommends only twenty-two additional improvement actions which would take the score to 100%, as shown in Figure 2:
Therefore, if you are looking for a secure baseline with optimal ease of us – the NCSC policies are near to perfect. More importantly, for organizations where it’s essential to get to a near 100% Secure Score rating, the NCSC policies are a great starting point.
NCSC Policy Highlights and Lowlights
The positives of implementing the NCSC’s guidance for Windows 10:
- Relatively simple to implement; it took around 15-20 minutes to import each baseline then assign a group for distribution.
- Companies who abide by this guidance could achieve the Cyber Essentials Plus certification.
- Obtaining a high Secure Score rating for Devices
The negatives of implementing the NCSC’s guidance for Windows 10:
- As with the CIS benchmarks, the NCSC guidance was last tested on Windows 10 2004 – again, an out of support Operating System.
- The BitLocker encryption policy is 128-bit, and not 256-bit.
Microsoft Intune Security Baselines
Microsoft provides the following Security Baselines ‘out of the box‘:
- Security Baseline for Windows 10 and later.
- Microsoft Defender for Endpoint Baseline.
- Microsoft Edge Baseline.
- Windows 365 Baseline.
These policies are easily applied to devices by going to the Security Baselines section in Endpoint Manager (Figure 3). The best aspect of Microsoft baselines is that Microsoft regularly updates them, and those updates are easily applied to user devices. When an update is available, it’s as simple as clicking on the profile name then Change Version (Figure 3):
The Microsoft security baselines are also very secure with a Secure Score rating of 83.65%, with only seventeen improvement areas to address manually (Figure 4):
Microsoft Intune Security Baseline Policy Highlights and Lowlights
The positives of implementing the Microsoft Security Baseline’s guidance for Windows 10:
- Amazingly simple to implement across all devices in an organization.
- An easy update function which enables comparison of new and old baselines to give IT administrators the ability to see what will change before updating the baselines.
- A high Secure Score rating for Devices.
The negatives of implementing the Microsoft Security Baseline’s guidance:
- The BitLocker encryption policy is 128-bit and not 256-bit.
128-Bit vs 256-Bit Disk Encryption
While looking through all the baselines, it is apparent that baselines recommend 128-bit disk encryption over 256-bit encryption which has me a little surprised. In conversation with NCSC’s research team in April 2021, NCSC said that 128-bit was the recommendation based on “public and internal research.”
However, the team also said that it isn’t an issue to change to 256-bit encryption if that need exists. Personally, I prefer that any organization that I work with uses 256-bit encryption as default; but in my opinion, although 128-bit is “secure enough,” using 256-bit ensures that any future requirements with encryption are satisfied without any need for migration.
Implementing CIS benchmarks can be a cumbersome, time-consuming experience working with Intune. With no JSONs available to import into Intune as there are for the NCSC policies, I cannot stress how much of a difficult and laborious a task it is to implement even just level 1 of these policies. Is the CIS benchmark secure? Yes, but I highly recommend that small or medium-sized businesses without a large infosec team should look at the other two alternatives.
Both the Microsoft Security Baselines and NCSC guidelines are almost equally secure and enable device protection for users to be able to do their day-to-day jobs without an overly locked-down experience. I have had organizations that have been penetration tested using both baselines and passed. But as alluded to earlier, I recommend Microsoft Security Baselines for organizations as they have an easy upgrade path for future versions of Windows.