Archive for the ‘baseline’ Category

Security baseline for Windows 10 – DRAFT

October 9th, 2015 No comments

Microsoft is pleased to announce the beta release of the security baseline settings for Windows 10 along with updated baseline settings for Internet Explorer 11. With this release we have taken a different approach from baselines of the past. Instead…(read more)

Security baseline for Windows 10 – DRAFT

October 8th, 2015 No comments

[Removing the attachment from this post. Please see updated baseline content for Windows 10 v1507 (TH1) and Windows 10 v1511 (TH2).]

Microsoft is pleased to announce the beta release of the security baseline settings for Windows 10 along with updated baseline settings for Internet Explorer 11. With this release we have taken a different approach from baselines of the past. Instead of piling on more settings and continuing to grow the size of the baseline, we have reevaluated older settings to determine whether they address contemporary threats, and have removed 44 (so far) that don’t. In many cases, these settings merely enforce defaults that don’t need to be actively enforced through Group Policy. By removing these settings, we allow administrators to focus on real security issues, and allow organizations that choose to enable a technology or feature to be able to do so without having to argue with or receive failing marks from security auditors, or to reverse group policy settings.

Microsoft released the Local Administrator Password Solution (LAPS) earlier this year, and we strongly recommend that enterprises deploy it to workstations and member servers. LAPS is a simple and elegant solution that randomizes local account passwords so that no two computers on your network have a matching local account and password. When computers have identical local account passwords, an attacker who gets administrative rights on one computer can easily take over all other computers on the network via a pass-the-hash attack. LAPS mitigates that threat. The Windows 10 baseline includes policies to enable LAPS. (Note that LAPS requires an Active Directory schema extension. See the links at the end of this article for more information.)

We recommend enabling Credential Guard on systems that can support it. We have put the Credential Guard settings in a separate GPO, however, because backing the settings out on a UEFI computer requires more than just removing the GPO. See the links for more information.

We have also moved the ancient “MSS” settings from Security Options to a custom Administrative Template. The mechanism that had been used to expose the MSS settings in Security Options had become unsupportable. The new custom ADMX and ADML establish the same registry settings, if you choose to configure them, but in a manner that is supportable.

While we are preparing the content in the format used for inclusion in the Security Compliance Manager (SCM), we are making the baselines available as a download package attached to this blog post. The download includes a spreadsheet listing all the baseline settings and highlighting all the new and updated settings, Group Policy Objects (GPOs), scripts and utilities to import the full complement of settings into local group policy for evaluation and testing, custom ADMX files to expose some important settings that aren’t currently exposed by Windows as Group Policy settings, and WMI filters to ensure that GPOs are applied to appropriate systems.

Download and extract the attached “Win10-IE11-Baselines-DRAFT.zip”. It contains the following folders:

  • Documentation: “SCM Windows 10 – 2015-10-08.xlsx” is an Excel spreadsheet that describes the full set of recommended settings. The spreadsheet has multiple tabs. On each tab there’s an MSFT 8.1 column and an MSFT 10 column. (On the IE tabs it’s MSFT IE11 and MSFT 10 (IE11 update).) If the MSFT 10 column is empty, that means that the 8.1/IE11 setting is retained. If the MSFT 10 column is not empty, that’s the new value for that setting. In many cases, the new value is “Not configured.” There’s also some color coding: yellow indicates a setting that is new and applies only to Windows 10. Green indicates a custom ADMX.

  • Administrative Template: Five ADMX and corresponding US English ADML files to expose additional security-relevant settings through the Group Policy editor. These include the LAPS (AdmPwd) and MSS settings described earlier, the EMET 5.5 beta policy files, a custom policy file to disable Wi-Fi Sense, and the Pass The Hash mitigations policy file we introduced with the Windows 8.1 baseline.

  • GP Reports: Group Policy reports formatted as HTML files (for those who prefer that format over Excel spreadsheets).

  • GPOs: Group Policy Object backups for the following policies that can be imported into Active Directory Group Policy:

    • SCM Windows 10 – Computer

    • SCM Windows 10 – User

    • SCM Windows 10 – Domain Security

    • SCM Windows 10 – BitLocker

    • SCM Windows 10 – Cred Guard

    • SCM Internet Explorer – Computer

    • SCM Internet Explorer – User

  • Local_Script: This directory contains a batch file that applies the Computer, User and IE policies to local group policy.

  • WMI Filters: This directory contains .MOF files that you can import into your Group Policy configuration to ensure that GPOs are applied only to the appropriate systems.

We will follow up on this blog when the draft content is updated and when the SCM cab files become available.

[Update – adding in the links I had intended to include]

Local Administrator Password Solution (LAPS):

Credential Guard (Windows 10)

 

Blocking Remote Use of Local Accounts

September 3rd, 2014 No comments

The use of local accounts for remote access in Active Directory environments is problematic for a number of reasons. By far, the biggest problem is that when an administrative local account has the same user name and password on multiple machines, an…(read more)

What’s New in Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11

August 16th, 2014 No comments

The attachment on this post describes what's new in the security baseline recommendations for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11, relative to the baselines published for Windows 8, Windows Server 2012 and Internet Explorer…(read more)

Configuring Account Lockout

August 14th, 2014 No comments

We can recommend an ideal configuration for most of the settings in our security guidance. For example, the “Debug programs” privilege should be granted to Administrators and to no one else. For account lockout, however, there is no “one…(read more)

Changes in the Security Guidance for Windows 8.1, Server 2012 R2 and IE11 since the beta

August 14th, 2014 No comments

We have made a small number of changes in the baseline security guidance for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 since we released the beta version of our guidance last April. This blog post discusses those changes and the reasons…(read more)

Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 – FINAL

August 14th, 2014 No comments

Microsoft is pleased to announce the final release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11. Some of the highlights of the new security baselines (many of which we intend to backport to older versions…(read more)

Why We’re Not Recommending “FIPS Mode” Anymore

April 7th, 2014 No comments

In the latest review of the official Microsoft security baselines for all versions of Windows client and Windows Server, we decided to remove our earlier recommendation to enable “FIPS mode”, or more precisely, the security option called “System…(read more)

Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 (BETA)

April 7th, 2014 No comments

Update, 13 August 2014: The final version of this guidance has been posted here. The changes since the beta are described here, with a separate discussion about the changes in the Account Lockout policy here.

Microsoft is pleased to announce…(read more)

Security Compliance Manager (SCM) version 2.5 now available

April 9th, 2012 No comments

You’ve been asking for Exchange Server baselines. You’ve been waiting for the Windows 7 SP1 baseline update. They are all available now in SCM v2.5!
SCM 2.5 includes a number of new and updated baselines, empowering you to manage configuration…(read more)
