This guidance is applicable to devices running Enterprise versions of Windows 8.1, acting as client operating systems, which include BitLocker Drive Encryption, AppLocker and Windows VPN features. This guidance was developed following testing performed on a Windows Hardware Certified device running Windows 8.1 Enterprise. This guidance is not applicable to Windows 8.1 RT or Windows To Go.

Windows 8.1 devices will be used remotely over any network bearer, including Ethernet, Wi-Fi and 3G, to connect back to the enterprise over a VPN. This enables a variety of remote working approaches such as:

- creating, editing, reviewing and commenting on OFFICIAL documents
- accessing the OFFICIAL intranet resources, the Internet and other web resources

To support these scenarios, the following architectural choices are recommended:

- All data should be routed over a secure enterprise VPN to ensure the Confidentiality and Integrity of the traffic, and to benefit from enterprise protective monitoring solutions.
- Arbitrary third party application installation by users is not permitted on the device. Applications should be authorised by an administrator and deployed via a trusted mechanism.
- Most users should use accounts with no administrative privileges. Users that require administrative privileges should use a separate unprivileged account for email and web browsing. It is recommended that local administrator accounts have a unique strong password per device.

This platform has been assessed against each of the 12 security recommendations, and that assessment is shown in the table below. Explanatory text indicates that there is something related to that recommendation that the risk owners should be aware of. Rows marked with a warning icon represent a more significant risk. See How the platform can best satisfy the security recommendations for more details about how each of the security recommendations is met.

- Secure boot: On supported and correctly configured hardware Windows 8.1 can support Secure boot.
- Platform integrity and application sandboxing
- Malicious code detection and prevention
- Event collection for enterprise analysis

How the platform can best satisfy the security recommendations

This section details the platform security mechanisms which best address each of the security recommendations.

Use DirectAccess or the native IKEv2 IPsec VPN configured as per the Windows VPN Security Procedures. If using DirectAccess, use the CPA customisation guide (available via CESG enquiries) to configure the client. If using the native IKEv2 IPsec VPN, use the Windows Firewall to block outbound connections when the VPN is not active. The L2TP and IPsec VPNs do not initiate automatically at boot and there is potential for the user to disconnect the VPN at any time. An example firewall profile is provided in the Configuration Settings section which demonstrates how to mitigate this behaviour.
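The outbound-blocking Windows Firewall configuration that the VPN recommendation calls for, written out as an added PowerShell example; this is not the guidance's own Configuration Settings profile. It assumes the native IKEv2 client (whose tunnel adapter has interface type RemoteAccess), a gateway configured by IP address ($VpnGateway is a placeholder), and enterprise DNS that is reached through the tunnel:

```powershell
# Added example, not the CESG guidance's own configuration: block all outbound
# traffic on non-domain networks unless it leaves through the IKEv2 IPsec VPN,
# so that a device that has not yet connected the VPN, or a user who has
# disconnected it, cannot send enterprise data in the clear.
# Run in an elevated PowerShell on Windows 8.1 (the NetSecurity cmdlets ship
# with Windows 8 and later).

$VpnGateway = '203.0.113.10'    # placeholder (TEST-NET-3 address), not a real gateway
$RuleGroup  = 'EUD VPN enforcement'

# 1. Default-deny outbound on the Public and Private profiles. Windows normally
#    assigns the Domain profile only when a domain controller is reachable,
#    which on a remote device means once the tunnel is up, so that profile
#    keeps its default of allowing outbound traffic.
Set-NetFirewallProfile -Profile Public, Private -DefaultOutboundAction Block

# Remove earlier copies of these rules so the script can be re-run safely.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 2. Allow only what is needed to bring the tunnel up.
#    IKEv2 negotiates on UDP 500 and moves to UDP 4500 behind NAT; ESP
#    (IP protocol 50) carries the encrypted payload when no NAT is in the path.
New-NetFirewallRule -DisplayName 'VPN: IKEv2 to gateway' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Profile Public, Private `
    -Protocol UDP -RemotePort 500, 4500 -RemoteAddress $VpnGateway

New-NetFirewallRule -DisplayName 'VPN: ESP to gateway' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Profile Public, Private `
    -Protocol 50 -RemoteAddress $VpnGateway

#    DHCP, so the device can still obtain a local address on home or hotel Wi-Fi.
New-NetFirewallRule -DisplayName 'VPN: DHCP client' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Profile Public, Private `
    -Protocol UDP -LocalPort 68 -RemotePort 67

# 3. Everything else may leave only via the VPN tunnel adapter. Scoping the
#    rule by interface type makes it apply whichever profile Windows assigns
#    to the tunnel.
New-NetFirewallRule -DisplayName 'VPN: allow all via tunnel' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Profile Any -InterfaceType RemoteAccess

# 4. Verify: both profiles should report Block for outbound traffic and the
#    rule group should list the four rules above.
Get-NetFirewallProfile -Profile Public, Private |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Group $RuleGroup |
    Select-Object DisplayName, Direction, Action, Enabled
```

In an enterprise deployment these settings belong in a Group Policy object (Windows Firewall with Advanced Security under Computer Configuration) rather than a per-device script, so that a local administrator cannot simply undo them. If the VPN connection names the gateway by hostname instead of address, an outbound DNS rule to the local resolver is also needed before the tunnel can be established. A quick check of the result is to disconnect the VPN on a Wi-Fi network and confirm that a web browser can no longer reach anything, while reconnecting the VPN restores access.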