Revisiting the WS Security Baseline: Part 1

Topic

New Reply

	TOP STORY Revisiting the WS Security Baseline: Part 1
	By Susan Bradley Regular Windows Secrets readers know that we cover PC and Internet security almost every week. But many Windows users never get the message. Keeping your digital life has gotten far more complex. Here are some tips for computing in the year 2014.

---

The full text of this column is posted at http://windowssecrets.com/top-story/revisiting-the-ws-security-baseline-part-1/ (opens in a new window/tab).

Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.[/td]

[/tr][/tbl]

Reply | Quote

Replies

As usual, a very good article 🙂 I just wanted to mention another free tool to protect from ransomware (including CryptoLocker, CryptoDefense and others). SurfRight offering “HitmanPro.Alert”includes “CryptoGuard” which simply stops unauthorized encryption of your files. It’s important to distinguish between HitmanPro.Alert and HitmanPro. The former is free, the latter isn’t.

Personally, I think it’s a more elegant solution than CryptoPrevent (which I recommended in response to your original post about CryptoLocker). It should be noted that HitmanPro.Alert does not remove the infection – it will just stop files being encrypted (which of course is the main consideration here). On finding an issue, it will prompt you to purchase HitmanPro to do the removal – but it’s not necessary, as Malwarebytes AntiMalware Free will remove the infection.

Reply | Quote

Tools like EMET appear to be possible bloat ware, possibly severely degrading your computer experience more than helping. The Pros and Cons of these tools must be considered, tested, and reported in articles such as this from WS. To simply recommend software is not enough. Tell us the ‘Secrets’ Windows Secrets Newsletter.

Reply | Quote

I would welcome a more detailed article revisiting the whole question of backups in the light of current threats.

I started (in the days of DOS) using “xcopy /s/e/m” daily with a monthly run after resetting all attribs – and knew what was going on!
Then I moved to dragging data folders onto a CD icon once a week.
I moved a few years ago to a NAS which was meant to be backing up on the fly (fit and forget) – and was never really sure what it was doing.
I tried using SyncToy with the NAS but it would regularly choke on “files in use” or “path too long”
Post Cryptolock and other ransomware I have moved to a weekly USB harddrive backup (that can then be disconnected and moved to another place) – but again I am not really confident what the software (WD Smartware) is really doing. So I take system images using the Win7 Backup/Restore built-in application every month.

It’s not ideal and could be better. I am prepared to pay for software – if I can understand what it is doing and feel confident that it is doing it. Too much software nowadays is both clever-proof and/or idiot-proof; I’m somewhere in between!

I think I want:
1) Regular system images – to go off-site, but they take time so cannot be done too frequently.
2) Frequent “data” backups – to a medium that can then be disconnected (ideally with ability to check individual files)
3) Off-site media to be encrypted – which is why I am using WD external harddrives
Then if the worst happens, I restore from a system image and then copy over each subsequent data back-up in order.
I have a gut feel that the Win 7 backup Control Panel applet provides all I need. So why do so many people advocate applications like Acronis?

I have twice “lost” a hard disk, fortunately back in the xcopy days. Restoration (from multiple floppy disks) took a few hours, but was complete and certain. And putting a floppy disk in the drive each night to take the daily incremental backup (to go home) was quick, easy and dependable. Which is the way it should be.

Reply | Quote

Like user dsf, I too create a system image every month using just the Windows 7 Backup & Restore function. And I agree that there is no need for a third-party tool. But there’s one other step I do: Go into the WindowsImageBackup folder and suffix the recently created image folder name with the date and optional label. For example, my machine is named EARTH so I would rename the newly created EARTH subfolder to something like EARTH-20140704_BeforeDeviceDriverUpdates. When you need to restore an image when booting up from the system repair disk, you will see these names.

Another reason for renaming the system image folder is that if you don’t, I think the next system image will not do a fresh complete image but overwrite the existing one with just differential changes. I don’t trust Windows to apply/restore these differentials properly in an emergency. It’s better to keep things simple and only restore single complete images.

I have restored my computer’s system image several times this way without a hitch.

Reply | Quote

I would welcome a more detailed article revisiting the whole question of backups in the light of current threats.

I have a gut feel that the Win 7 backup Control Panel applet provides all I need. So why do so many people advocate applications like Acronis?

I have twice “lost” a hard disk, fortunately back in the xcopy days. Restoration (from multiple floppy disks) took a few hours, but was complete and certain. And putting a floppy disk in the drive each night to take the daily incremental backup (to go home) was quick, easy and dependable. Which is the way it should be.

Because in the case of a full recovery, Acronis gives more options and in particular I’m speaking both for Win7 as well as Windows 8. 8 and it’s ‘file history’ and it’s ‘restore to image’ doesn’t get you back to right where you were before the oopsie. Acronis is way better.

Reply | Quote

Tools like EMET appear to be possible bloat ware, possibly severely degrading your computer experience more than helping. The Pros and Cons of these tools must be considered, tested, and reported in articles such as this from WS. To simply recommend software is not enough. Tell us the ‘Secrets’ Windows Secrets Newsletter.

EMET does not impact performance of Windows. It can block unsafe actions, which may interfere with poorly designed programs, and users may get confused and enter the wrong settings. Barring these events however, EMET does not impact system performance the way some Antivirus Suites which try to be all things to all people have a reputation for doing.

-- rc primak

Reply | Quote

Tools like EMET appear to be possible bloat ware, possibly severely degrading your computer experience more than helping. The Pros and Cons of these tools must be considered, tested, and reported in articles such as this from WS. To simply recommend software is not enough. Tell us the ‘Secrets’ Windows Secrets Newsletter.

EMET is definitely not bloatware but will get a more fleshed out detail report in an upcoming article. I only had so much room this go around so it was devoted to the checklist.

Reply | Quote

I wish to THANK “Rui Ribeiro Windows Secrets Lounge Administrator” for solving my issues with getting into this part of the forum.

Also wanted to inform Susan Bradley that there are many features available on the web for keeping you as safe as possible. #1.WinPatrol PLUS by Bill Pytlovany of BillPStudios that is a very small program and will monitor your complete system and notify you if any thing is added or changed without your authority. #2. Password Maker (addon for Mozilla FireFox) v1.7.8 and is very secure and easy to use with many features to-boot. #4. If you are using the x86 (32bit) software for your O/S then this will not work for you. That said, “if you are running 64bit O/S Windows Seven, Eight, or Eight point one then you may do as I have done since getting my very first 64 bit O/S as Win7 without SP1, it had not been dispatched at that time, after about two (2) months SP1 was available and installed by me. I run Microsoft’s Windows FireWall; Security Client; EMET; Key Scrambler; SuperAntiSpyware: MBAM Pro; Spybot Search & Destroy; WinPatrol PLUS; Avast! Anti Virus and a few other all up to date, latest versions, all at the same time. Have even done scans with them all at the same time with out any hang ups, DO NOT DO THIS WITH 32BIT (x86) O/S as it will lock-up your system.”

Also wanted to note: I had the Avast! AntiVirus software Pro test with FireWall and had their firewall setup along with Microsoft’s FireWall and they did not conflict just worked together and that was only for a MONTH or so and then went back to the FREE version. Being retired and with little funds to pay for all of the different payed versions except for a very few as noted in my above informaion.

I think that will be enough for now . .

"Infinite CREATOR" cast "Loving Light" upon thee
TIA, CU L8R, 'd' "LoneWanderer"
"Only you can control your future." Dr. Seuss
NOT a leader,
NOT a BLIND follower,
Join US and LIVE this LIFE as ONE!
Original author Unknown

Reply | Quote

“Microsoft’s Windows FireWall; Security Client; EMET; Key Scrambler; SuperAntiSpyware: MBAM Pro; Spybot Search & Destroy; WinPatrol PLUS; Avast! Anti Virus and a few other all up to date, latest versions”

I think that’s a bit much honestly. You have five similar programs?

Reply | Quote

One last point if I may? This is not reference to what this section is about, just my opinion and hopefully will not cause any ‘spot fires.’

What I post is my opinion ONLY, not suggesting any one else do the same. As we all know ‘opinions are like discharge points of nourishments’ and do not smell sweet. That said, we are all masters of our own systems and any post is done to let another know what we experience with our own system. We many times disagree with another and that is when the ‘flames’ start, so do not think I am suggesting any thing for another to do or experience. You do what you feel most comfortable with and maintain your own system as you wish Even Ms Bradley gives what she uses and some alternatives if you do not like what she has suggested or told us about her own operations. That is all any of us can do is to let another know how you work or what you use. We are not all the same and never will, we just need to work together and keep ourselves as safe as possible.

"Infinite CREATOR" cast "Loving Light" upon thee
TIA, CU L8R, 'd' "LoneWanderer"
"Only you can control your future." Dr. Seuss
NOT a leader,
NOT a BLIND follower,
Join US and LIVE this LIFE as ONE!
Original author Unknown

Reply | Quote

One last point if I may? This is not reference to what this section is about, just my opinion and hopefully will not cause any ‘spot fires.’

What I post is my opinion ONLY, not suggesting any one else do the same. As we all know ‘opinions are like discharge points of nourishments’ and do not smell sweet. That said, we are all masters of our own systems and any post is done to let another know what we experience with our own system. We many times disagree with another and that is when the ‘flames’ start, so do not think I am suggesting any thing for another to do or experience. You do what you feel most comfortable with and maintain your own system as you wish Even Ms Bradley gives what she uses and some alternatives if you do not like what she has suggested or told us about her own operations. That is all any of us can do is to let another know how you work or what you use. We are not all the same and never will, we just need to work together and keep ourselves as safe as possible.

I find that when I post long strings of advice, and when I pose as an expert with opinions and suggestions which are superior to other members of the Lounge Community, that this is when I get strong and negative replies to my posts. I like to be more tentative, less absolute in my language these days. I often qualify my advice by saying “this works on my system”, Your Mileage May Vary, and “just my opinion”. Sometimes I even begin what I think may be an unpopular post with “Just my Two Cents Worth” or something like that.

Having said all of this, I find your security recommendations well worth considering, especially Win Patrol. I personally find Avast oversized, and it has slowed my Windows 7 system, but I still use it for safety. Sometimes, when doing relatively safe things, I drop some of Avast’s more system-slowing shields for awhile just to get some work done, especially when I’m offline to begin with.

I also use Linux (in the dreaded dual-booting configuration) for all sensitive banking and eCommerce logins. In Linux, Firefox plus AppArmor set to Enforce has much the same level of protections as Windows 8 with IE 11 plus EMET restrictions. Quite adequate for most folks.

Browsers can be made further secured by adding Extensions or settings which limit or prevent scripts from executing, and blocking Tracking Cookies. For most major browsers, Abine has a version of their DoNotTrackMe Extension. For Firefox (Windows and Linux) I use Ghostery and DNTM. I use Chromium in Linux and Chrome in Windows 7, both with DNTM. In Windows, I further use special add-ons to block the Google Analytics, whereas as Open Source, Chromium for Linux doesn’t have the “Google Botnet” installed.

Backup drives can fail, so I make at least one copy for off-site storage and to use as a “backup for my backup”. The two drives never get connected to the computer at the same time, and no backup drive ever connects with a computer which is online.

I also like Susan’s recommendation that for casual web surfing, entertainment, media streeaming, etc., a second device is a good idea. I will consider an Android Tablet for this purpose, combined with Chromecast or some Chinese knockoff, to stream content to my (modestly sized) HDTV. I am still waiting for the new Android Kit-Kat on Intel BayTrail tablets to hit our shores from China. With the price savings vs. Samsung or Apple, I could buy two or three of these devices if I so choose. Android needs Antivirus too! Avast for Android is highly rated by many reviewers.

I have yet to use it, but Hitman Pro Alert looks like a good addition to my arsenal of Windows protections.

One more set of tools for security — bootable media with Windows Defender Offline and at least one other bootable antivirus program, to be run if the main hard drive gets locked or encrypted. In these situations, not even Windows Safe Mode would be available. Sometimes Linux Boot Repair and repartitioning tools can get rid of a bootkit by recreating the MBR without destroying the installed OS(es). These run with a live CD in a Linux environment, completely immune from further Windows infections. And if I can restore the MBR, I still have accesss to my Linux installation — which is also immune to Windows malware. A totally trashed hard drive can always be replaced, and both my Linux and my Windows, as well as all Data, are backed up regularly and can be restored when needed — even to a new drive. So maybe a few logs or recent versions of working documents get lost — better to know everything is now uninfected.

I would not be too quick to do a rollback or reinstall in the case of malware. It is best to solve the problem and in the process understand better how the breach occurred in the first place. and then set about using better preventive practices moving forward.

Not that Linux cannot be compromised — it CAN be infected. But that’s a security story all its own… :o:

-- rc primak

Reply | Quote

“Bob Primak,”

Thank you for this informative post, both of them, as I do have EMET on my system and it has not caused any slowness that I can see anyway. You are also very correct about doing any backup OFF LINE . . many thingys I do are off line as well. If you ever have a H/D issue and need to see if you can recover it, Gibson Research Corporation (grc.com) has a little program called SpinRite that has the ability to restore from what has been miss-identified as a bad spot when only the calibration of the head positioning needs to be corrected and his software will do the recalibration. Plus Microsoft’s ChkDsk will only attempt to recover a bad spot only one time his software will do up to 2K (for some that is 2,000 times) attempts to recover the software or so called bad spot. I have had some issues with drives that were recovered by SpinRite v6.0. Have found the price is worth the money when you can restore a supposedly dead drive, not just one but several.

You are just busier than I am on a system, not being a programmer just a very determined user learning how to do some of the technical operations through some of these forums over the years has been very fruitful for me.

One last point almost forgot to post, when logging in any where I NEVER check the “Keep Me Logged in for ” how ever many days, weeks or months the site has selectable. Always do a single login for each one and LOG OUT when done.

"Infinite CREATOR" cast "Loving Light" upon thee
TIA, CU L8R, 'd' "LoneWanderer"
"Only you can control your future." Dr. Seuss
NOT a leader,
NOT a BLIND follower,
Join US and LIVE this LIFE as ONE!
Original author Unknown

Reply | Quote

You mentioned looking for a consumer product to monitor software install. I have been using Winpatrol for quite a number of years and suggest it to a lot of people, especially those who are “at risk”. The free version is very good while the paid version (one time fee) has some extra goodies. It has caught some baddies where my AV product didn’t and has save me from number PUP’s.

Reply | Quote

There’s one surfire way to keep your security questions safe from educated guesses: lie.
I’ve never had a pet, which makes the name of my beloved first puppy quite a challenge to a would-be hacker.
And not even my parents know the city of my birth.

Reply | Quote

There’s one surfire way to keep your security questions safe from educated guesses: lie.
I’ve never had a pet, which makes the name of my beloved first puppy quite a challenge to a would-be hacker.
And not even my parents know the city of my birth.

My bank requires me to answer some questions truthfully as they match to the data they hold when they validated me as a customer for the purpose of meeting UK money laundering rules.

I have to tell the truth about:
– my name
– my address (which anyone can look up in about three minutes)
– my date and place of birth (which anyone can lookup in about 30 seconds)
However, I can lie about:
– My mother’s maiden name (does not even have to be a name – just a reliably remembered response)
– My Memorable Address (does not even have to be an address – again just a reliably remembered response)
There was quite a delay in getting them to accept the above two items – put on hold whilst the phone teller “spoke to security”!

The worrying thing is that my bank selects security questions at random and sometimes they only use questions which I have to be truthful about – and which can be looked up.

Reply | Quote

dsf
Yet another reason to avoind online banking. And of course if one lies one must remember what lies one tells(oh what a tangled web…) The really bad thing is that these ‘security questions’ are being utilized to allow people access to accounts for which they have ‘forgotten’ the passwords.
I put my ficticious answers right next to my password in my master list so a lotta good it would do me if I lost my list but at least the answers are set to something nonresearchable.

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

You guys read your mail! (At least I hope my letter asking for an update of the WS Security Baseline was the inspiration for this column.) Excellent stuff. I am looking forward to discussion of hardware (particularly wireless routers) in Part II. My D-Link DIR-825 is getting overloaded by the proliferation of devices wanting wireless access in our home. I have to reboot it occasionally when it gets confused, so I’m thinking I need a newer, industrial-strength wireless access point around the house and will appreciate brand-name recommendations.

Encryption is also another Big Issue. Since I don’t travel internationally with electronic devices, I’m not particularly worried about NSA or DHS getting through the backdoors built into Bitlocker and TPM. I simply need to protect my “data at rest” from loss or theft domestically and encrypt cloud backups.

Thanks for addressing these issues.

Reply | Quote

Ms. Bradley:

Thanks for a very interesting article. I recall from many weeks ago that you had been researching virtual private networks, but unless I missed a Windows Secrets newsletter (possible, because I did have some problems with my ISP), I haven’t seen any VPN recommendations. In any case, given your very useful posts in WindowsSecrets newsletters, I don’t think you could have had time to finish your VPN research and write it up.

I am now about to do some traveling (with my Windows7 Sp1 laptop), and I probably will install Witopia. But I really need some guidance. Previously, on Windows 2000 and XP laptops, I was using HotSpotVPN-2 (https://hotspotvpn.com/), but after many hours (days, actually) of effort I never could successfully install it. I had a lot of correspondence with the owner-manager describing in detail the steps I had taken and asking “was this step correct,” but his replies were not nearly detailed enough for me to get HotSpotVPN-2 to work. So I gave up, and have uninstalled it since it didn’t work.

So I hope that you, or someone else reading this post, will have VPN suggestions.

R.N. (Roger) Folsom

Reply | Quote

You mentioned getting rid of Silverlight if possible (“Keep… apps up to date”). I do have it installed, although I don’t remember why. I do stream media to my TV (not often), but I’m not sure if I really need it. I tried to look up a description, but the ones I found are not very clear about exactly what it is needed for, and whether there may be alternatives. Can anyone tell me any specific programs/apps that require Silverlight to work properly?

Reply | Quote

Netflix is one app the uses Silverlght although they have plans to move off.

Jerry

Reply | Quote

In Susan Bradley’s article “Revisiting the WS Security Baseline: Part 1” she mentions a program called MalwareBytes and that she now uses the Paid version. I was going to go to the Paid version as well this past year but one thing stopped me dead in my tracks. I remember when one purchased software and had to renew it each year and the onus was on the individual who had made the purchase. Now, if one wants to buy MalwareBytes for their computer, instead of a single license for one machine one gets to install the software on up to 3 computing devices. So what’s wrong with this? Nothing except now the customer is forced into a “subscription” if you want the Paid version. What this means is that once again another website now has one’s credit card information and each year one is billed on the day you bought the software. For those that don’t have a problem with websites sitting on their credit card information and making an automatic purchase once every year, that’s great. But many of us like myself don’t like nor want websites to have this sort of control over how, who and when I use my credit card.

On top of this, there’s a dirty little secret most folks are not aware of: the software “subscription” you bought into just a few years ago for say, $20 bucks a year may now be up to $35 or more. Now how many people keep track of software purchases over the years? Exactly, and that’s what software companies realize which is why they’ve moved to pushing “subscriptions” on an unsuspecting public. Furthermore, these software companies are keenly aware that those who purchase a “subscription” won’t install the program on 3 computers because they don’t have this many computing devices. So they offer the customer up something they will never use and there’s no lost revenue for the software company. How divine! It used to be one could buy software and use it indefinitely on their computer and when one felt it was necessary to move to a newer version you could do so When You Wanted To. Now, software creators would have us believe that if we don’t upgrade to the next version of their program then we’ll have nothing but trouble and problems if we keep using a previous version. That’s just Hogwash!

Miss Bradley should have made mention of this pricing scheme in her article so folks reading it would have more information available to them as to whether or not they too would like to move to the Paid version. I’m sure there are now some folks who have signed on to the Paid version of MalwareBytes and don’t realize now that every year for as long as the credit card is valid that they’ll have a charge on the anniversary date of their purchase. For now, I’m sticking to the Free version that doesn’t have all the bells or whistles as the Paid version but then there’s one less website that has and is sitting on my credit card info. This is known as Peace of Mind.

Reply | Quote

Thanks. I do use Netflix, so I guess it can stay.

Reply | Quote

Re ‘Monitoring your system for rogue software’ (7/3 Windows Secrets):

I’ve been using Win Patrol (http://www.winpatrol.com/download.html) for years and recommend it very highly. The product is excellent at monitoring/reporting any attempted Registry changes, file associations, etc. before the fact- it then gives the user the option of allowing or rejecting. Lots more functionality in this program. Support is as good as it gets.

P.S. Bret Lowry (Ruiware, LLC) recently purchased Win Patrol from founder Bill Pytlovany (BillP Studios). Greg has excellent credentials and I’m certain will continue to maintain and enhance Win Patrol for many years to come.

Reply | Quote

Two more issues worthy of discussion:

1. Using VPNs to prevent websites from tracking my browsing habits, monitoring my searches, and discovering my geographic location. I’ve had good luck with Witopia[/url] and Private Internet Access[/url], but a VPN is only as good as the vendor. I have no way of knowing for certain whether these vendors (or others) are trustworthy or maintain records of the real IP addresses that connect to them. Both could be run by NSA so far as I know.

2. Outbound firewall control. Fred Langa and other writers have generally dismissed it as unnecessary, but allowing any program to “phone home” without my permission disturbs me. I’ve tried Zone Alarm[/url] and two different products called “Windows Firewall Control,” this one and this one. All three solutions produce cryptic information about outbound connections that is beyond my ability to decipher. Is there a better way? In a perfect world, the firewall would produce a message to the effect that a particular program is attempting to connect to a particular server and give me the option to allow or deny the connection. Early versions of Zone Alarm worked like that, but then vendors (and Microsoft) began to disguise the services with obscure names, making it nearly impossible to determine who is phoning home or why. Promiscuous outbound connections are rampant and should be controlled.

Reply | Quote

Bob

Firefox plus AppArmor set to Enforce

What is AppArmor ? I did a addon search and came up nil.

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

He did say, “In Linux, “:

AppArmor can also be used to lock down Mozilla Firefox for increased security, but it doesn’t do this by default.

HTG Explains: What AppArmor Is and How It Secures Your Ubuntu System:

Reply | Quote

Ooops I did not get that. On the computer I wrote it on I guess I have it. :blush:

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

There’s only one real way to protect your OS and that’s not to directly use it (i.e., browse in a virtual machine with golden recovery point). No other scheme will be adequate enough and folks that depend on virus scanners and firewalls are just given a false sense of security. I do like and use the above to protect my Host OS but I rarely if ever browse the Internet with it (a few sites that keep my fingers crossed never get infected). That’s why I use my XP VM (and often recovery if I need to or not like 3 or 4 times a week) along with another cool virtualization tool called Sandboxie (so I’m in essence double-sandboxed) for my security needs and, so far, I’ve also been lucky (since if a hacker really wanted too, he/she can eat your lunch). Virtualization is never discussed often enough for it’s security and it should be; it shoud be the main defense listed period. Still, I dare the OPs here to finally do so and add that to the arsenal of baseline security. All I hear though is crickets chirping which leads me to believe you want folk to get infected (my only guess is job security). 🙂

Reply | Quote

One free app I would add to the list: Secunia PSI. Helps me know when I have an application that is vulnerable, out-of-date, or end-of-life.

Reply | Quote

One free app I would add to the list: Secunia PSI. Helps me know when I have an application that is vulnerable, out-of-date, or end-of-life.

PSI was included in the article, under “Keep Windows and apps up to date:”:

Use Secunia’s Personal Software Inspector (PSI; site) to help scan for outdated and/or unpatched software.

Bruce

Reply | Quote

Hi Susan,

A topic I’d like to see discussed in Part 2 of this article is the use of Microsoft’s Security Compliance Manager (although it seems limited to Win7, which is fine by me).

How do you feel about the group policy security settings applied locally by the tool LocalGPO.msi included with the Security Compliance Manager? Are they adequate? Too much for most users? Any that should be tweaked?

Also, where does the Microsoft Baseline Security Analyzer fit into the picture?

While I recognize you are not in the business of providing legal advice, the American Bar Association has recently amended its Model Rules of Professional Conduct concerning confidentiality of client information to include electronically-stored information. I’d like to use the results of your research to develop an internal office policy concerning what steps constitute “reasonable efforts” and “due diligence” necessary to secure client data on office workstations.

Reply | Quote

… Microsoft’s Security Compliance Manager (although it seems limited to Win7, which is fine by me).

Nothing more recent than Windows 7 existed when the article you linked to was published, but SCM is also available for Windows 8 or later and server editions :

Setup Requirements
The supported operating systems and requirements to use SCM include:
•Windows® 7 and Windows® 8 or later
Microsoft Security Compliance Manager (SCM)
What’s New in Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11

(It appears that SCM is designed to be used by enterprises using Active Directory Domain Services; not intended for home or small business use as far as I can see.)

Bruce

Reply | Quote

The link from the Win7 article directs you to the updated SCM3 that includes Win8.1 etc.

Reply | Quote