Like any other system, Windows systems are often targets for cyberattacks. Hackers like to target operating systems and applications that aren’t correctly configured or secured, which is why strong security practices are essential to protect sensitive data and keep systems running smoothly.
It’s not a given that an operating system is secure by default. The options to improve a system’s security are available but often not enabled because of possible application compatibility concerns. Guidelines like the Microsoft security baselines, the CIS (Center for Internet Security) Benchmarks and the STIGs (Security Technical Implementation Guides) help in hardening operating systems.
This research is about the performance outcome when applying these kinds of benchmarks. Security hardening may or may not impact performance; this research aims to discover whether that is the case.
About Windows hardening
As mentioned in the introduction, generally speaking, most operating systems aren’t as secure as possible by default. Operating System vendors continually release updates and patches to make their operating system as secure as possible. However, user experience is the most important aspect. By applying hardening, many settings and services enabled by default can be disabled. While using those hardening methods, it’s essential to continue testing the system and application’s availability and functionality. In general, it will be a balance between security and usability for most of the benchmark settings.
To assist with hardening your (Windows) systems, there are multiple guidelines and best practices available, like: Microsoft security baselines, CIS (Center for Internet Security) Benchmarking, and STIG (Security Technical Implementation Guide).
Let’s start by explaining 3 of the more significant security frameworks that are often being used in the industry:
Microsoft security baselines
Microsoft provides security baselines for Windows, Azure, Office, and Edge. Those security baselines contain group policy and registry settings to secure the endpoint. The Microsoft security baselines can be implemented via Microsoft Intune, Group Policy Management, or the Microsoft Security Compliance Toolkit (SCT). More info can be found here.
CIS Benchmarks
CIS Benchmarks are developed by the Center for Internet Security and are available for a much wider range of platforms than Windows only, including Linux, Google Cloud, and Amazon Web Services. However, benchmarks are also available for specific products like BIND, Apache, F5, NGINX, and much more.
CIS Benchmarks are defined in two different levels:
- Level 1 - Recommends basic security requirements that can be configured on any system and should cause little or no service interruption or reduced functionality.
- Level 2 - Recommends security settings for environments requiring greater security that could result in some reduced functionality.
The CIS Benchmarks are available in PDF format. After registration, you can download them for free from the CIS website. Microsoft also has information on CIS benchmarks here.
STIGs
Security Technical Implementation Guides are guides provided by the U.S. Defense Information Systems Agency (DISA) for the Department of Defense (DoD). STIGs are developed for the Department of Defense but are also available to the public.
Due to their nature, STIGs are meant for highly secure environments like government agencies or defense contractors. Each STIG is available in XML format and can be downloaded here.
Setup and Testing Methodology
To validate whether security hardening impacts system performance, the following two scenarios are included in this research article:
- Baseline – Default configuration without any hardening
- Hardened – Microsoft security baseline applied
Some of these hardening baselines require a subscription; therefore, the Microsoft baseline has been selected, as it is publicly available and can be downloaded here. This package includes multiple baselines for various operating systems. Since this research primarily focuses on system performance, only the Windows hardening configurations are selected; for the complete settings list, please use the link for more details.
Additional policies such as BitLocker, Credential Guard, Defender Antivirus, Internet Explorer 11, and Domain Security are not included in this specific research.
Even though this is a very generic topic, as GO-EUC is focusing on end-user computing, it has been decided to execute this research in our context. As our lab environment is set up for delivering virtualized desktops, it has been decided to apply this scenario to a VDI setup delivered via Citrix. Please note the results and conclusion of this research apply not only to a Citrix environment but also to other virtual environments and physical machines.
The VDI runs Windows 11 24H2, as the default operating system delivered via Citrix 2407. No specific optimizations were applied; however, Windows Defender was disabled to ensure consistency in the test. Please note that this is not a best practice and is not recommended in any environment. The VM configuration has 4 vCPUs with 4GB of memory, and a pool of 32 VDIs is used in the load test.
When applying the Microsoft security baseline, Citrix was unable to register the VDA with the Citrix Delivery Controller, which is a known issue and is described in a knowledge base article. Additionally, the default behavior requires users to authenticate twice, once on Citrix StoreFront and a second time when the connection is established. This prevents the test from running, so two exclusions are applied.
This is done by creating an additional Group Policy Object (GPO) with a higher priority than the security baseline. The following exclusions are applied at the computer level:
| Policy | Default | Adjusted | Reason |
|---|---|---|---|
| Access this computer from the network | Disabled | GO\CTX-DDC-1$ | Allows communication towards the Citrix Delivery Controller. |
| Always prompt for password upon connection | Enabled | Disabled | When enabled, the user is required to enter credentials upon connection instead of signing on directly to the desktop. |
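The following PowerShell script is an added example, not part of the GO-EUC article or its test tooling. It checks on a VDA whether the two exclusions from the table above actually took effect after a `gpupdate`, so a hardened image can be validated before it is put into a load test. It assumes the Delivery Controller computer account `GO\CTX-DDC-1$` from the table (replace it with your own), that the machine is domain-joined so the account name can be resolved to a SID, and that it runs elevated (secedit.exe needs administrative rights). The registry value `fPromptForPassword` and the user right `SeNetworkLogonRight` are the real backing settings for the two policies.

```powershell
# Added example (not the article's own code): verify the two GPO exclusions on a VDA.
# Assumption: the Delivery Controller account below comes from the article's table.
$DdcAccount = 'GO\CTX-DDC-1$'

# 1. "Always prompt for password upon connection" is backed by fPromptForPassword
#    under the Terminal Services policy key (1 = Enabled, 0 = Disabled, absent = Not Configured).
$tsKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$prompt = (Get-ItemProperty -Path $tsKey -Name 'fPromptForPassword' -ErrorAction SilentlyContinue).fPromptForPassword
if ($prompt -eq 0) {
    Write-Output "OK: 'Always prompt for password upon connection' is Disabled (fPromptForPassword = 0)"
} else {
    Write-Output "CHECK: fPromptForPassword is '$prompt'; users will be asked to sign on twice"
}

# 2. "Access this computer from the network" is the SeNetworkLogonRight user right.
#    secedit.exe exports the effective local policy as an INI file; the right is listed as a
#    comma-separated list of SIDs (prefixed with '*') and/or account names.
$exportPath = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $exportPath -Pattern '^SeNetworkLogonRight' | Select-Object -First 1
Remove-Item $exportPath -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output "CHECK: SeNetworkLogonRight is not in the export (nobody is granted network access)"
} else {
    $entries = (($line.Line -split '=', 2)[1]).Trim() -split ','
    # Resolve the DDC account to its SID so the comparison works whether the export
    # lists the account by name or by SID.
    $ddcSid = (New-Object System.Security.Principal.NTAccount($DdcAccount)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
    $resolved = foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) { $e.Substring(1) } else { $e }
    }
    if (($resolved -contains $ddcSid) -or ($resolved -contains $DdcAccount)) {
        Write-Output "OK: $DdcAccount holds SeNetworkLogonRight"
    } else {
        Write-Output "CHECK: $DdcAccount lacks SeNetworkLogonRight; VDA registration with the Delivery Controller will fail"
    }
}
```

Run it once on an unhardened VM and once after the baseline plus exclusion GPO have applied; the second run should print two `OK` lines. The same pattern (read the registry value or the exported user right that backs a policy) extends to any other baseline setting you need to confirm, and it is a better check than trusting `gpresult` alone, because it reads the effective state rather than which GPOs were processed.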
This research has been executed with LoadGen using the default workload, which is described in detail on the testing methodology page.
Hypothesis & Results
Within the EUC industry, it is generally expected that any type of security tooling or configuration will somehow impact user experience. Windows security hardening, as a process, restricts certain services that may allow attack vectors, restricts users’ ability to run applications, and restricts access to parts of the operating system. The generally expected result was split; disabling services and scheduled tasks may increase performance, whereas additional auditing settings may lead to decreased performance.
For this research, data is collected from both the VM and hypervisor levels. Let’s start by checking the results from the hypervisor level.
When looking at the hypervisor CPU utilization, it shows that a hardened system uses less CPU on the hypervisor. At scale, this translates into more users on a single hypervisor.
One interesting peak was observed around 30 minutes into the test in both scenarios and during all the individual test runs. This is related to the Microsoft Office click-to-run process on the operating system level. As it is consistent between both scenarios, it does not influence the results or the conclusion. Note that this peak is visible in all metrics but can be ignored.
The disk activity, in both reads/sec and writes/sec, is very consistent between both scenarios and does not show any significant difference. Apart from a slight reduction in disk writes/sec, which could be related to disabled services and settings, nothing here will directly affect the overall performance or the user experience.
The other available metrics from a hypervisor perspective, such as memory usage or network activity, are either not relevant or show no direct difference between the scenarios.
Now, let’s have a look at the metrics inside the VM. Do they match the hypervisor?
At the VM level, it is also shown that the CPU is less active when the Microsoft security baseline is in place. Now, as this is on an individual VM level, the difference is very minimal. However, at scale, this can make the difference, as shown on the hypervisor level. From a VM perspective, it is therefore not expected that a user will directly notice a difference in performance.
When inspecting the memory that’s being used inside the VM, a slight difference is noticed. Having the Microsoft security baseline in place requires less memory, which can be related to fewer running processes. Even though having more available memory is a direct benefit for other applications, it is not expected that a user will notice this when sized appropriately.
Conclusion
Hardening your operating systems becomes more and more important as there has been an increase in cyberattacks over the last couple of years. By default, an operating system is meant to deliver the best performance and user experience. This means that there is always room for improvement from a hardening perspective. It is very important to continually keep testing the user experience because aggressive hardening can also break things, as we encountered during this research.
Based on this research, it can be concluded that applying the Microsoft security baseline on Windows 11 is beneficial for the system’s performance. The goal of applying a security baseline is to reduce the attack surface, while the additional benefit is an increase in overall scalability. Even though the scope of this research was limited to a specific set of hardening settings, it showed an improvement. Keep in mind that there are several security baselines and benchmarks available for other specific applications and services, such as Windows Defender and BitLocker, as well as Microsoft Edge and the entire Microsoft Office 365 suite. On the other hand, this research also showed that applying a security baseline can break functionality, and therefore exclusions need to be applied. When extending to other applications and services, validating the impact on the user will be very important.
Also, having any type of security baseline in place means that it needs to be maintained regularly, since security vulnerabilities are constantly being discovered. The impact of security hardening from a performance perspective is an interesting topic. Several services and scheduled tasks are disabled as part of the security hardening process, which in turn explains the reduction in CPU and memory utilization. Note that other hardening could add more auditing, which might have a different impact. Therefore, it is always recommended that you validate the performance impact in your environment.
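To attribute a CPU or memory change to the specific services and scheduled tasks a baseline disabled, rather than guessing, it helps to snapshot both before and after hardening and diff the two. The script below is an added example, not tooling from the GO-EUC lab; the function names, the JSON file format and the sample paths in the usage comment are all constructed for this illustration. It relies only on built-in cmdlets (`Get-CimInstance` for services, `Get-ScheduledTask` for tasks).

```powershell
# Added example (not the article's own tooling): snapshot service and scheduled-task state
# so a baseline snapshot and a hardened snapshot can be diffed.
# Usage (constructed paths):
#   Get-HardeningSnapshot -Path C:\Temp\baseline.json      # on the unhardened VM
#   Get-HardeningSnapshot -Path C:\Temp\hardened.json      # after the baseline GPO applied
#   Compare-HardeningSnapshot -Before C:\Temp\baseline.json -After C:\Temp\hardened.json |
#       Format-Table -AutoSize

function Get-HardeningSnapshot {
    param([Parameter(Mandatory)][string]$Path)

    # Win32_Service exposes the run state and the start mode (Auto/Manual/Disabled).
    $services = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, State, StartMode

    # Task state is an enum; store it as a string so the JSON stays readable and comparable.
    $tasks = Get-ScheduledTask |
        Select-Object @{ n = 'Name';  e = { $_.TaskPath + $_.TaskName } },
                      @{ n = 'State'; e = { [string]$_.State } }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Taken    = (Get-Date).ToString('o')
        Services = $services
        Tasks    = $tasks
    } | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-HardeningSnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $b = Get-Content -Path $Before -Raw | ConvertFrom-Json
    $a = Get-Content -Path $After  -Raw | ConvertFrom-Json

    # Index the "after" state by name so every "before" entry is a direct lookup.
    $afterSvc  = @{}; foreach ($s in $a.Services) { $afterSvc[$s.Name]  = $s }
    $afterTask = @{}; foreach ($t in $a.Tasks)    { $afterTask[$t.Name] = $t }

    foreach ($s in $b.Services) {
        $n = $afterSvc[$s.Name]
        if ($null -eq $n) {
            [pscustomobject]@{ Type = 'Service'; Name = $s.Name; Before = "$($s.State)/$($s.StartMode)"; After = '(removed)' }
        } elseif ($n.State -ne $s.State -or $n.StartMode -ne $s.StartMode) {
            [pscustomobject]@{ Type = 'Service'; Name = $s.Name; Before = "$($s.State)/$($s.StartMode)"; After = "$($n.State)/$($n.StartMode)" }
        }
    }
    foreach ($t in $b.Tasks) {
        $n = $afterTask[$t.Name]
        if ($null -eq $n) {
            [pscustomobject]@{ Type = 'Task'; Name = $t.Name; Before = $t.State; After = '(removed)' }
        } elseif ($n.State -ne $t.State) {
            [pscustomobject]@{ Type = 'Task'; Name = $t.Name; Before = $t.State; After = $n.State }
        }
    }
}
```

Take both snapshots on the same image and at the same point after boot (for example, after the VDA has registered and the session is idle), otherwise transient tasks show up as noise. The list of services that went from `Running/Auto` to `Stopped/Disabled` is the first place to look when explaining a lower CPU or memory footprint, and, as the article notes, it is also the list to re-check when an application breaks after hardening.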
In case you also applied security hardening, do you share the same conclusion in your environment? And are there specific baselines or benchmarks we should research? Please let us know in the comments below.