Microsoft Security Baselines articles https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines Mon, 18 Oct 2021 14:45:13 GMT Microsoft-Security-Baselines 2021-10-18T14:45:13Z

Windows 11 Security baseline https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772
<P style="margin-top: 20px;">We are pleased to announce the release of the security baseline package for Windows 11!</P>
<P style="margin-top: 20px;">Please download the content from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>, test the recommended configurations, and customize / implement as appropriate.</P>
<P style="margin-top: 20px;">Two new settings have been added for this release (both were also added to the Windows Server 2022 release): a new Microsoft Defender Antivirus setting and a custom setting that restricts printer driver installation. Additionally, all Microsoft Edge Legacy settings have been removed.</P>
<H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Script Scanning</H2>
<P style="margin-top: 20px;">Script scanning was a parity gap between Group Policy and MDM. Now that the gap is closed, we are enforcing the enablement of script scanning (<EM>Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on script-scanning</EM>).</P>
<H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Restrict Driver Installations</H2>
<P style="margin-top: 20px;">In July a <A href="#" target="_blank" rel="noopener">Knowledge Base article</A> and a subsequent patch were released for CVE-2021-34527, more commonly known as “PrintNightmare”. We have added a new setting to the MS Security Guide custom administrative template (SecGuide.admx/l), <EM>Administrative Templates\MS Security Guide\Limits print driver installation to Administrators</EM>, and enforced its enablement.</P>
<H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Microsoft Edge Legacy</H2>
<P style="margin-top: 20px;">Microsoft Edge Legacy (EdgeHTML-based) reached end of support on March 9, 2021 and is not part of Windows 11. Therefore, the settings that supported it have been removed from the baseline. Going forward, please use the new Microsoft Edge (Chromium-based) baseline, which is on a separate release cadence and is available as part of the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>.</P>
<H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Tamper Protection</H2>
<P style="margin-top: 20px;">While you are enabling the Microsoft Security Baseline for Windows 11 (and/or Windows 10, and/or Windows Server 2022/2019/2016), make sure to enable Microsoft Defender for Endpoint's "<A href="#" target="_blank" rel="noopener">Tamper Protection</A>" to add a layer of protection against human-operated ransomware.</P>
<P style="margin-top: 20px;">Please let us know your thoughts by commenting on this post or via the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baseline Community</A>.</P>
Tue, 05 Oct 2021 13:04:06 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772 Rick_Munck 2021-10-05T13:04:06Z

Security baseline for Microsoft Edge v94 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v94/ba-p/2784793
<P>We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 94!</P>
<P>We have reviewed the new settings in Microsoft Edge version 94 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 93 package continues to be our recommended baseline. That baseline package can be downloaded from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>.</P>
<P>Microsoft Edge version 94 introduced 3 new computer settings and 3 new user settings. We have attached a spreadsheet listing the new settings to make it easier for you to find them.</P>
<P>In case you missed the announcement, Microsoft Edge has moved to a new release cadence. Additional details can be found in this <A href="#" target="_blank" rel="noopener">blog</A>.</P>
<P>As a reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank" rel="noopener">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank" rel="noopener">here</A>.</P>
<P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baselines Discussion site</A> or this post.</P>
Mon, 27 Sep 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v94/ba-p/2784793 Rick_Munck 2021-09-27T16:00:00Z

Security baseline for Microsoft Edge v93 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v93/ba-p/2744505
<P>We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 93!</P>
<P>We have reviewed the settings in Microsoft Edge version 93 and updated our guidance with the addition of 1 setting and the removal of 1 setting. Additionally, there is 1 setting worth mentioning. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 93 package from the <A href="#" target="_blank">Security Compliance Toolkit</A>.</P>
<P><STRONG>Enable 3DES cipher suites in TLS (added)</STRONG></P>
<P>We are enforcing this setting to ensure it remains disabled. 3DES will be completely removed from Microsoft Edge in version 95 (around October 2021) and this policy will stop working at that point. Once it does, we will remove this setting from the baseline. If your server relies upon 3DES support, it should be updated as soon as possible to ensure that modern browsers can continue to connect.</P>
<P><STRONG>Default Adobe Flash setting (removed)</STRONG></P>
<P>Now that Adobe Flash support has ended and Flash has been removed from Microsoft Edge, we have removed the requirement to disable this setting.</P>
<P><STRONG>Configure users’ ability to override feature flags (worth mentioning)</STRONG></P>
<P>Some customers have been asking for this policy setting to further lock down which feature flag settings an end user may configure. If this policy is configured, it can prevent users from reconfiguring Edge settings exposed by the edge://flags page and/or via command-line arguments. A tech-savvy user may uncover unsupported mechanisms for adjusting feature flag settings, but this policy allows blocking both supported mechanisms.</P>
<P>Microsoft Edge version 93 introduced 31 new computer settings and 26 new user settings. 
We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.</P>
<P>As a friendly reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank">here</A>.</P>
<P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/bd-p/Security-Baselines" target="_blank">Security Baseline Community</A> or this post.</P>
Mon, 13 Sep 2021 23:49:49 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v93/ba-p/2744505 Rick_Munck 2021-09-13T23:49:49Z

Windows Server 2022 Security Baseline https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685
<P>We are pleased to announce the release of the security baseline package for Windows Server 2022!</P>
<P>Please download the content from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>, test the recommended configurations, and customize / implement as appropriate.</P>
<P>Three new settings have been added for this release: an AppLocker update for Microsoft Edge, a new Microsoft Defender Antivirus setting, and a custom setting for printer driver installation restrictions.</P>
<P><STRONG><EM><U>AppLocker</U></EM></STRONG></P>
<P>Now that Microsoft Edge is included within Windows Server, we have updated the domain controller browser restriction list. The browser restriction list now restricts Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Microsoft Edge. Should additional browsers be used on your domain controllers, please update the list accordingly.</P>
<P><STRONG><EM><U>Script Scanning</U></EM></STRONG></P>
<P>Script scanning was a parity gap between Group Policy and MDM. Now that the gap is closed, we are enforcing the enablement of script scanning (<EM>Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on script-scanning</EM>).</P>
<P><STRONG><EM><U>Restrict Driver Installations</U></EM></STRONG></P>
<P>In July a <A href="#" target="_blank" rel="noopener">Knowledge Base article</A> and a subsequent patch were released for CVE-2021-34527, more commonly known as “PrintNightmare”. We have added a new setting to the MS Security Guide custom administrative template (SecGuide.admx/l), <EM>Administrative Templates\MS Security Guide\Limits print driver installation to Administrators</EM>, and enforced its enablement.</P>
<P>Please let us know your thoughts by commenting on this post or via the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baseline Community</A>.</P>
Wed, 29 Sep 2021 13:30:01 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685 Rick_Munck 2021-09-29T13:30:01Z

Security baseline for Microsoft Edge v92 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v92/ba-p/2563679
<P style="margin: 0in; background: white;"><SPAN style="color: #333333;">We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 92!</SPAN></P>
<P>We have reviewed the settings in Microsoft Edge version 92 and updated our guidance with the addition of 3 settings and the removal of 1 setting. 
A new Microsoft Edge security baseline package was just released to the Download Center. You can download the new package from the <A href="#" target="_blank" rel="noopener">Security Compliance Toolkit</A>.</P>
<P><STRONG>Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context</STRONG></P>
<P>To prevent cross-origin data theft, JavaScript SharedArrayBuffers can only be used from cross-origin-isolated contexts. To maintain proper cross-origin security, this policy should not be used to relax the isolation restriction. The security baseline prohibits this and configures the setting to Disabled.</P>
<P><STRONG>Allow unconfigured sites to be reloaded in Internet Explorer mode</STRONG></P>
<P>When it comes to security, administrators are the experts. Allowing an end user to relax their security posture without awareness of the implications doesn’t usually end well, especially when attackers can use social-engineering techniques to trick users into making unsafe choices. Therefore, the security baseline forbids allowing end users to open arbitrary websites in IE mode.</P>
<P><EM>NOTE: If your enterprise has legacy sites that still require IE mode, you should configure them using the IE mode policies outlined </EM><A href="#" target="_blank" rel="noopener"><EM>here</EM></A><EM>.</EM></P>
<P><STRONG>Specifies whether to allow insecure websites to make requests to more-private network endpoints</STRONG></P>
<P>Allowing public internet sites to “peek” behind your firewall by using the user’s browser to mix intranet resources into internet-delivered pages represents a dangerous attack surface, and browsers are beginning to introduce restrictions upon such architectures. The baseline requires enforcement of the new browser restriction that any such intranet requests are blocked if the internet page was delivered over insecure HTTP.</P>
<P><EM>NOTE: If for some reason you need to permit insecure cross-network requests for legacy sites, you can configure temporary exceptions in ‘Allow the listed sites to make requests to more-private network endpoints from insecure contexts’.</EM></P>
<P><STRONG>Allow certificates signed using SHA-1 when issued by local trust anchors</STRONG></P>
<P>As we communicated in the version 85 release, this setting was temporary and a bridge for organizations. We have removed this setting from the baseline, as the setting is considered obsolete and there is no longer any supported mechanism to allow SHA-1, even for certificates issued by your non-public Certificate Authorities.</P>
<P>Microsoft Edge version 92 introduced 11 new computer settings and 11 new user settings. 
We have included a spreadsheet in the release to make it easier for you to find them.</P>
<P>As a friendly reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank" rel="noopener">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank" rel="noopener">here</A>.</P>
<P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baseline Community</A> or this post.</P>
Mon, 26 Jul 2021 16:13:06 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v92/ba-p/2563679 Rick_Munck 2021-07-26T16:13:06Z

Security baseline for Microsoft 365 Apps for enterprise v2106 - FINAL https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2106/ba-p/2492355
<P>We've reviewed the new settings released for Office since the last security baseline (v2104) and determined there are no additional security settings that require enforcement. Please continue to use the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2104/ba-p/2307695" target="_blank" rel="noopener">Security baseline for Microsoft 365 Apps for enterprise v2104 - FINAL</A>, which can be downloaded from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>.</P>
<P>New Office policies are contained in the <A href="#" target="_blank" rel="noopener">Administrative Template files (ADMX/ADML) version 5179</A> published on 6/7/2021, which introduced 7 new user settings. We have attached a spreadsheet listing the new settings to make it easier for you to find them.</P>
<P><STRONG>Only trust VBA macros that use V3 signatures (Worth considering)</STRONG></P>
<P>Microsoft discovered a vulnerability in Office Visual Basic for Applications (VBA) macro project signing which might enable a malicious user to tamper with a signed VBA project without invalidating its digital signature. <A href="#" target="_blank" rel="noopener">This blog post</A> explains how VBA macros signed with legacy signatures do not offer strong enough protection against a malicious actor looking to compromise the file's integrity.</P>
<P>Admins should consider upgrading the existing VBA signatures to the V3 signature as soon as possible after they upgrade Office to the supported product versions; see the instructions in the links below. Once this is complete, you can disable the old VBA signatures by enabling the "Only trust VBA macros that use V3 signatures" policy setting.</P>
<UL> <LI><STRONG>Instructions on how to upgrade Office VBA macro signatures:</STRONG> <UL> <LI><A href="#" target="_blank" rel="noopener">Upgrade signed Office VBA macro projects to V3 signature - Microsoft 365 Developer Blog</A></LI> <LI><A href="#" target="_blank" rel="noopener">Upgrade signed Office VBA macro projects to V3 signature (KB5000676) (microsoft.com)</A></LI> </UL> </LI> </UL>
<P>If you have questions or issues, please let us know via the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baseline Community</A> or this post.</P>
Tue, 29 Jun 2021 16:35:42 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2106/ba-p/2492355 Rick_Munck 2021-06-29T16:35:42Z

Security baseline for Microsoft Edge 
version 91 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-91/ba-p/2393274
<P>We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge, version 91!</P>
<P>We have reviewed the new settings in Microsoft Edge version 91 and determined that there are no additional security settings that require enforcement. The settings from the Microsoft Edge version 88 package continue to be our recommended baseline. That baseline package can be downloaded from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>.</P>
<P>Microsoft Edge version 91 introduced 7 new computer settings and 7 new user settings. We have attached a spreadsheet listing the new settings to make it easier for you to find them.</P>
<P>As a friendly reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank" rel="noopener">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank" rel="noopener">here</A>.</P>
<P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baselines Discussion site</A> or this post.</P>
Fri, 28 May 2021 14:01:41 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-91/ba-p/2393274 Rick_Munck 2021-05-28T14:01:41Z

Security baseline (FINAL) for Windows 10, version 21H1 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353
<P>We are pleased to announce the final release of the Windows 10, version 21H1 (a.k.a. May 2021 Update) security baseline package!</P>
<P>Please download the content from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>, test the recommended configurations, and customize / implement as appropriate.</P>
<P>This Windows 10 feature update brings very few new policy settings. At this point, no new 21H1 policy settings meet the criteria for inclusion in the security baseline. We are, however, refreshing the package to ensure the latest content is available to you. The refresh contains an updated administrative template for SecGuide.admx/l (the one we released with the Microsoft 365 Apps for Enterprise baseline), new spreadsheets, a .PolicyRules file, and a script change (the Windows Server options in the <EM>Baseline-LocalInstall.ps1</EM> script are now commented out).</P>
<P>Windows 10, version 21H1 is a client-only release. Windows Server, version 20H2 is the current Windows Server Semi-Annual Channel release and per our <A href="#" target="_blank" rel="noopener">lifecycle</A> policy is supported until May 10, 2022.</P>
<P>As a reminder, our security baselines for the endpoint also include <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2104/ba-p/2307695" target="_blank" rel="noopener">Microsoft 365 Apps for Enterprise</A>, which we recently released, as well as <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-90/ba-p/2275943" target="_blank" rel="noopener">Microsoft Edge</A> and <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/windows-update-baseline-joins-the-security-compliance-toolkit/ba-p/2098482" target="_blank" rel="noopener">Windows Update</A>.</P>
<P>Please let us know your thoughts by commenting on this post or via the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baseline Community</A>.</P>
Tue, 18 May 2021 17:33:20 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353 Rick_Munck 2021-05-18T17:33:20Z

Security baseline for Microsoft 365 Apps for enterprise v2104 - FINAL https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2104/ba-p/2307695
<P>Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2104. Please download the content from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>, test the recommended configurations, and implement as appropriate. If you have questions or issues, please let us know via the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baseline Community</A> or this post.</P>
<P>This baseline builds on the previous <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-office-365-proplus-v1908-sept-2019-final/ba-p/873084" target="_blank" rel="noopener">Office baseline we released mid-2019</A>. The highlights of this baseline include:</P>
<UL> <LI>Restrict legacy JScript execution for Office to help protect against remote code execution attacks while maintaining user productivity, as core services continue to function as usual.</LI> <LI>Expanded macro protection requiring application add-ins to be signed by a trusted publisher. 
Also, Trust Bar notifications for unsigned application add-ins are turned off, so unsigned add-ins are silently disabled without notification.</LI> <LI>Block Dynamic Data Exchange (DDE) entirely.</LI> </UL>
<P>Also, see the information at the end of this post regarding updates to Security Policy Advisor and Office Cloud Policy Services.</P>
<P>The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, an updated custom administrative template (SecGuide.ADMX/L) file, all the recommended settings in spreadsheet form, and a Policy Analyzer rules file. The recommended settings correspond with the <A href="#" target="_blank" rel="noopener">administrative templates version 5146</A>, released March 22, 2021.</P>
<P><STRONG>Changes since the Draft</STRONG></P>
<P>A couple of small changes were made since the Draft baseline released last month.</P>
<UL> <LI>Naming – We were reminded shortly after the Draft released (which was actually reviewed) that we no longer call the product Office 365 ProPlus; it will now be referred to as Microsoft 365 Apps for enterprise.</LI> <LI>GPO changes – We removed the Application Guard settings. While secure, there are conditions where preventing users from exiting App Guard may have an unacceptable end-user productivity impact as Application Guard continues to evolve to handle more file types and active content.</LI> </UL>
<P><STRONG>GPOs included in the baseline</STRONG></P>
<P>Most organizations can implement the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We've broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. The local-policy script (Baseline-LocalInstall.ps1) offers command-line options to control whether these GPOs are installed.</P>
<P>The “MSFT M365 Apps for enterprise 2104” GPO set includes “Computer” and “User” GPOs that represent the “core” settings that should be trouble free, plus the following potentially challenging GPOs, each of which is described later:</P>
<UL> <LI>"Legacy JScript Block - Computer" disables legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone.</LI> <LI>“Legacy File Block - User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats.</LI> <LI>“Require Macro Signing - User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.</LI> <LI>“DDE Block - User” is a User Configuration GPO that blocks using DDE to search for existing DDE server processes or to start new ones.</LI> </UL>
<P><STRONG>Restrict legacy JScript execution for Office Apps</STRONG></P>
<P>The JScript engine is a legacy component in Internet Explorer which has been replaced by JScript9. Some organizations may have Office applications and workloads relying on this component; therefore, it's important to determine whether legacy JScript is being used to provide business-critical functionality before you enable this setting. Blocking the legacy JScript engine will help protect against remote code execution attacks while maintaining user productivity, as core services continue to function as usual. As a security best practice, we recommend you disable legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone. We’ve enabled a new custom setting called "Restrict legacy JScript execution for Office" in the baseline and provided it in a separate GPO, "MSFT M365 Apps for enterprise 2104 - Legacy JScript Block - Computer", to make it easier to deploy. Learn more about <A href="#" target="_blank" rel="noopener">Restrict JScript at a Process Level</A>.</P>
<P>Note: It can be a challenge to identify all applications and workloads using the legacy JScript engine. It is often used by a webpage by setting the script language attribute in HTML to JScript.Encode or JScript.Compact, and it can also be used by the WebBrowser Control (WebOC). After the policy is applied, Office will not execute legacy JScript for Internet Zone or Restricted Sites Zone websites. Therefore, applying this Group Policy can impact functionality in an Office application or add-ins that require the legacy JScript component, and users aren’t notified by the application that legacy JScript execution is restricted. Modern JScript9 will continue to function for all zones.</P>
<P>Important: If you disable or don’t configure this Group Policy setting, legacy JScript runs without any restriction at the application level.</P>
<P><STRONG>Comprehensive blocking of legacy file formats</STRONG></P>
<P>In the last Office baseline we published, we blocked legacy file formats in a separate GPO that can be applied as a cohesive unit. There are no changes to the legacy file formats recommended to block.</P>
<P><STRONG>Blocking DDE entirely</STRONG></P>
<P>Excel already disabled Dynamic Data Exchange (DDE) as an interprocess communication method, and now Word has added a new setting, “Dynamic Data Exchange”, that we have configured to a disabled state. Because of the new addition from Word, the existing GPO has been renamed to “MSFT M365 Apps for enterprise 2104 - DDE Block – User”.</P>
<P><STRONG>Macro signing</STRONG></P>
<P>The “VBA Macro Notification Settings” policy has been updated for Access, Excel, PowerPoint, Publisher, Visio, and Word with a new option. To further control macros, we now recommend that macros also need to be signed by a Trusted Publisher. 
With this new recommendation macros not digitally signed by a Trusted Publisher will be blocked from running. Learn more at <A href="#" target="_blank" rel="noopener">Upgrade signed Office VBA macro projects to V3 signature</A>.</P> <P>&nbsp;</P> <P>Note: Enabling “<A href="#" target="_blank" rel="noopener">Block macros from running in Office files from the Internet</A>” continues to be considered part of the main baseline and should be enforced by all security-conscious organizations.</P> <P>&nbsp;</P> <P><STRONG>Other changes in the baseline</STRONG></P> <UL> <LI>New policy: "Control how Office handles form-based sign-in prompts" we recommend enabling and blocking all prompts. This results in no form-based sign-in prompts displayed to the user and the user is shown a message that the sign-in method isn’t allowed.</LI> <LI>New policy: We recommend enforcing the default by disabling "Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine" (Note: This policy description is a double negative, the behavior we recommend is the security checks remain ON).</LI> <LI>New policy: We recommend enforcing the default by disabling "Allow VBA to load typelib references by path from untrusted intranet locations”. Learn more at <A href="#" target="_blank" rel="noopener">FAQ for VBA solutions affected by April 2020 Office security updates</A>.</LI> <LI>New dependent policy: "Disable Trust Bar Notification for unsigned application add-ins" policy had a dependency that was missed in the previous baseline. To correct, we have added that missing policy, "Require that application add-ins are signed by Trusted Publisher". This applies to Excel, PowerPoint, Project, Publisher, Visio, and Word.</LI> <LI>Removed from the baseline: "Do not display 'Publish to GAL' button". 
While this setting has been there for a long time, after further research, we believe this setting is used to ensure good deployment practices and not to mitigate security concerns.</LI> </UL> <P>&nbsp;</P> <P><STRONG>Deploy policies from the cloud, and get tailored recommendations for specific security policies</STRONG></P> <P>Deploy user-based policies from the cloud to any Microsoft 365 Apps for enterprise client through the Office cloud policy service. The&nbsp;<A href="#" target="_blank" rel="noopener">Office cloud policy service</A>&nbsp;allows administrators to define policies for Microsoft 365 Apps for enterprise and assign these policies to users via Azure Active Directory security groups. Once defined, policies are automatically enforced as users sign in and use Microsoft 365 Apps for enterprise. No need to be domain joined or MDM enrolled, and it works with corporate-owned devices or BYOD. Learn more about <A href="#" target="_blank" rel="noopener">Office cloud policy service</A>.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Security Policy Advisor</A>&nbsp;can help give you insights on the security and productivity impact of deploying certain security policies. Security Policy Advisor provides you with tailored recommendations based on how Office is used in your enterprise. For example, in most customer environments, macros are typically used in apps such as Excel and only by specific groups of users. Security Policy Advisor helps you identify groups of users and applications where macros can be disabled with minimal productivity impact, and optionally integrate with&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Defender for Office</A>&nbsp;to provide you details on who is being attacked. 
Learn more about <A href="#" target="_blank" rel="noopener">Security Policy Advisor</A>.</P> <P><STRONG>When can I expect the next release of Microsoft 365 Apps for enterprise Security Baseline?</STRONG></P> <P>In the future we will align the release of new security baselines with the Microsoft 365 Apps for enterprise semi-annual channel releases, every 6 months, usually in June and December. If there are no new policies to consider at that time, we will evaluate again 6 months later.</P> <P>As always, please let us know your thoughts by commenting on this post.</P> Fri, 30 Apr 2021 10:51:09 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2104/ba-p/2307695 Rick_Munck 2021-04-30T10:51:09Z Security baseline for Microsoft Edge, version 90 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-90/ba-p/2275943 <P>We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge, version 90!</P> <P>We have reviewed the new settings in Microsoft Edge version 90 and determined that there are no additional security settings that require enforcement. The settings from the Microsoft Edge version 88 package continue to be our recommended baseline. That baseline package can be downloaded from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>.</P> <P>Microsoft Edge version 90 introduced 9 new computer settings and 9 new user settings. 
We have attached a spreadsheet listing the new settings to make it easier for you to find them.</P> <P>As a friendly reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank" rel="noopener">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baselines Discussion site</A> or this post.</P> Fri, 16 Apr 2021 13:40:03 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-90/ba-p/2275943 Rick_Munck 2021-04-16T13:40:03Z Security baseline for Microsoft 365 Apps for enterprise (v2103, March 2021) - DRAFT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2103/ba-p/2228388 <P>Microsoft is pleased to announce the <EM>draft</EM> release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2103. We invite you to download the draft baseline package (attached to this post), evaluate the proposed baselines, and provide us your comments and feedback below.</P> <P>This baseline builds on the previous <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-office-365-proplus-v1908-sept-2019-final/ba-p/873084" target="_blank" rel="noopener">Office baseline we released mid-2019</A>. 
The highlights of this baseline include:</P> <UL> <LI>Restrict legacy JScript execution for Office to help protect against remote code execution attacks while maintaining user productivity, as core services continue to function as usual.</LI> <LI>Expanded macro protection requiring application add-ins to be signed by a trusted publisher, turning off Trust Bar notifications for unsigned application add-ins, and silently disabling blocked add-ins without notification.</LI> <LI>Block Dynamic Data Exchange (DDE) entirely.</LI> <LI>New policies added for Microsoft Defender Application Guard, protecting users from unsafe documents.</LI> </UL> <P>Also, see the information at the end of this post regarding updates to Security Policy Advisor and Office Cloud Policy Services.</P> <P>The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, an updated custom administrative template (SecGuide.ADMX/L) file, all the recommended settings in spreadsheet form, and a Policy Analyzer rules file. The recommended settings correspond with the <A href="#" target="_blank" rel="noopener">Office 365 ProPlus administrative templates version 5140</A>, released February 26, 2021.</P> <P><STRONG>GPOs included in the baseline</STRONG></P> <P>Most organizations can implement the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We've broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. 
The local-policy script (Baseline-LocalInstall.ps1) offers command-line options to control whether these GPOs are installed.</P> <P>The “MSFT Office 365 ProPlus 2103” GPO set includes “Computer” and “User” GPOs that represent the “core” settings that should be trouble free, plus the following potentially challenging GPOs, each of which is described later:</P> <UL> <LI>"Legacy JScript Block - Computer" disables legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone.</LI> <LI>“Legacy File Block - User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats.</LI> <LI>“Require Macro Signing - User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.</LI> <LI>“DDE Block - User” is a User Configuration GPO that blocks using DDE to search for existing DDE server processes or to start new ones.</LI> </UL> <P><STRONG>Restrict legacy JScript execution for Office</STRONG></P> <P>The JScript engine is a legacy component in Internet Explorer which has been replaced by JScript9. Some organizations may have Office applications and workloads relying on this component, so it's important to determine whether legacy JScript is being used to provide business-critical functionality before you enable this setting. Blocking the legacy JScript engine helps protect against remote code execution attacks while maintaining user productivity, as core services continue to function as usual. As a security best practice, we recommend you disable legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone. We’ve enabled a new custom setting called "Restrict legacy JScript execution for Office" in the baseline and provided it in a separate GPO, "MSFT Office 365 ProPlus 2103 - Legacy JScript Block - Computer", to make it easier to deploy. 
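Because the paragraph above makes determining existing legacy JScript dependencies a precondition for enabling the setting, here is an added PowerShell example (not part of the baseline package or of Microsoft's documentation) that inventories web content for the two markers the post names, language="JScript.Encode" and language="JScript.Compact". The function name, the list of file extensions and the sample files it scans are my own choices; the sample files are constructed inline so the script runs on its own.

```powershell
# Added example, not from the baseline package: inventory content that selects the
# legacy JScript engine so the "Restrict legacy JScript execution for Office" setting
# can be tested against known dependencies before it is enforced.
# Assumptions: the function name, the extension list and the sample files are mine;
# the two markers (JScript.Encode / JScript.Compact) are the ones the post names.

function Find-LegacyJScriptUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Web content and web-hosted add-in pages most likely to carry a script tag
        [string[]] $Include = @('*.htm', '*.html', '*.hta', '*.asp', '*.aspx')
    )

    # A script tag whose language attribute explicitly selects the legacy engine.
    # Pages that do this stop working in the Internet and Restricted Sites zones once
    # the policy applies, and the application gives the user no notification.
    $pattern = '(?i)language\s*=\s*["'']?\s*JScript\.(Encode|Compact)\b'

    Get-ChildItem -Path $Path -Recurse -File -Include $Include |
        Select-String -Pattern $pattern |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.Path
                Line   = $_.LineNumber
                Marker = $_.Matches[0].Value
            }
        }
}

# --- Constructed demonstration input -------------------------------------------
$root = Join-Path ([IO.Path]::GetTempPath()) ('jscript-audit-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $root 'addin') -Force | Out-Null

# A page an Office task pane might host: it depends on the legacy engine.
Set-Content -Path (Join-Path $root 'addin\legacy.htm') -Value @'
<html><body>
<script language="JScript.Encode">
// encoded body omitted from the sample
</script>
</body></html>
'@

# A page that uses the modern engine and is unaffected by the policy.
Set-Content -Path (Join-Path $root 'modern.html') -Value @'
<html><body>
<script type="text/javascript">document.title = "ok";</script>
</body></html>
'@

# Only legacy.htm is reported; modern.html produces no hit.
Find-LegacyJScriptUsage -Path $root | Format-Table -AutoSize

Remove-Item -Path $root -Recurse -Force
```

Point the function at the share or web root that hosts your Office add-in content and keep the output as the test list for the "Legacy JScript Block - Computer" GPO; content driven through the WebBrowser Control (WebOC) from compiled add-ins will not show up in a file scan and still needs a functional test with the policy applied.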
Learn more about <A href="#" target="_blank" rel="noopener">Restrict JScript at a Process Level</A>.</P> <P><EM>Note</EM>: It can be a challenge to identify all applications and workloads using the legacy JScript engine. It is often used by a webpage that sets the script language attribute in HTML to JScript.Encode or JScript.Compact, and it can also be used by the WebBrowser Control (WebOC). After the policy is applied, Office will not execute legacy JScript for Internet Zone or Restricted Sites Zone websites. Applying this Group Policy can therefore impact functionality in an Office application or add-in that requires the legacy JScript component, and users aren’t notified by the application that legacy JScript execution is restricted. Modern JScript9 will continue to function for all zones.</P> <P><EM>Important</EM>: If you disable or don’t configure this Group Policy setting, legacy JScript runs without any restriction at the application level.</P> <P><STRONG>Comprehensive blocking of legacy file formats</STRONG></P> <P>In the last Office baseline we published, we blocked legacy file formats in a separate GPO that can be applied as a cohesive unit. There are no changes to the legacy file formats recommended to block.</P> <P><STRONG>Blocking DDE entirely</STRONG></P> <P>Excel already disabled Dynamic Data Exchange (DDE) as an interprocess communication method, and Word has now added a new setting, “Dynamic Data Exchange”, that we have configured to a disabled state. Because of the new addition from Word, the existing GPO has been renamed to “MSFT Office 365 ProPlus 2103 - DDE Block – User”.</P> <P><STRONG>Macro signing</STRONG></P> <P>The “VBA Macro Notification Settings” policy has been updated for Access, Excel, PowerPoint, Publisher, Visio, and Word with a new option. To further control macros, we now recommend that macros also need to be signed by a Trusted Publisher. 
With this new recommendation, macros not digitally signed by a Trusted Publisher will be blocked from running. Learn more at <A href="#" target="_blank" rel="noopener">Upgrade signed Office VBA macro projects to V3 signature</A>.</P> <P>Note: Enabling “<A href="#" target="_blank" rel="noopener">Block macros from running in Office files from the Internet</A>” continues to be considered part of the main baseline and should be enforced by all security-conscious organizations.</P> <P><STRONG>Application Guard policies</STRONG></P> <P>We're excited to announce the integration of Office with Microsoft Defender Application Guard. When Application Guard is enabled for your tenant, the integration will help prevent untrusted files from accessing trusted resources. New policies for Application Guard are added to the baseline to protect users from unsafe documents, including enabling "Prevent users from removing Application Guard protection on files" and disabling "Turn off protection of unsupported file types in Application Guard for Office". Learn more about <A href="#" target="_blank" rel="noopener">Microsoft Defender Application Guard</A>.</P> <P><STRONG>Other changes in the baseline</STRONG></P> <UL> <LI>New policy: For "Control how Office handles form-based sign-in prompts", we recommend enabling it and blocking all prompts. As a result, no form-based sign-in prompts are displayed to the user, and the user is shown a message that the sign-in method isn’t allowed. 
We understand this setting might have some issues, and we value your feedback during the Draft cycle of this baseline posting.</LI> <LI>New policy: We recommend enforcing the default by disabling "Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine" (Note: this policy description is a double negative; the behavior we recommend is that the security checks remain ON).</LI> <LI>New policy: We recommend enforcing the default by disabling "Allow VBA to load typelib references by path from untrusted intranet locations”. Learn more at <A href="#" target="_blank" rel="noopener">FAQ for VBA solutions affected by April 2020 Office security updates</A>.</LI> <LI>New dependent policy: The "Disable Trust Bar Notification for unsigned application add-ins" policy had a dependency that was missed in the previous baseline. To correct this, we have added the missing policy, "Require that application add-ins are signed by Trusted Publisher". This applies to Excel, PowerPoint, Project, Publisher, Visio, and Word.</LI> <LI>Removed from the baseline: "Do not display 'Publish to GAL' button". Although this setting has been in the baseline for a long time, after further research we believe it is used to ensure good deployment practices rather than to mitigate a security concern.</LI> </UL> <P><STRONG>Deploy policies from the cloud, and get tailored recommendations for specific security policies</STRONG></P> <P>Deploy user-based policies from the cloud to any Office 365 ProPlus client through the Office cloud policy service. The <A href="#" target="_blank" rel="noopener">Office cloud policy service</A> allows administrators to define policies for Office 365 ProPlus and assign these policies to users via Azure Active Directory security groups. Once defined, policies are automatically enforced as users sign in and use Office 365 ProPlus. 
Devices do not need to be domain joined or MDM enrolled, and it works with corporate-owned devices or BYOD. Learn more about <A href="#" target="_blank" rel="noopener">Office cloud policy service</A>.</P> <P><A href="#" target="_blank" rel="noopener">Security Policy Advisor</A> can give you insights into the security and productivity impact of deploying certain security policies. Security Policy Advisor provides you with tailored recommendations based on how Office is used in your enterprise. For example, in most customer environments, macros are typically used in apps such as Excel and only by specific groups of users. Security Policy Advisor helps you identify groups of users and applications where macros can be disabled with minimal productivity impact, and optionally integrates with <A href="#" target="_blank" rel="noopener">Office 365 Advanced Threat Protection</A> to provide you details on who is being attacked. Learn more about <A href="#" target="_blank" rel="noopener">Security Policy Advisor</A>.</P> <P>As always, please let us know your thoughts by commenting on this post.</P> Wed, 31 Mar 2021 20:14:01 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2103/ba-p/2228388 Rick_Munck 2021-03-31T20:14:01Z Security baseline for Microsoft Edge, version 89 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-89/ba-p/2186265 <P>We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge, version 89!</P> <P>We have reviewed the new settings in Microsoft Edge version 89 and determined that there are no additional security settings that require enforcement. The settings from the Microsoft Edge version 88 package continue to be our recommended baseline. 
That baseline package can be downloaded from the <A href="#" target="_blank">Microsoft Security Compliance Toolkit</A>.</P> <P>Microsoft Edge version 89 introduced 8 new computer settings and 8 new user settings. We have attached a spreadsheet listing the new settings to make it easier for you to find them.</P> <P>As a friendly reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank">here</A>.</P> <P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank">Security Baselines Discussion site</A> or this post.</P> Thu, 04 Mar 2021 22:24:42 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-89/ba-p/2186265 Rick_Munck 2021-03-04T22:24:42Z Windows Update Baseline joins the Security Compliance Toolkit https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/windows-update-baseline-joins-the-security-compliance-toolkit/ba-p/2098482 <P>We are excited to announce the <A href="#" target="_blank">Update Baseline</A> is now a part of the Security Compliance Toolkit! The Update Baseline is a new security baseline to ensure devices on your network get the latest Windows security updates on time while also providing a great end user experience through the update process.</P> <P>The Update Baseline covers Windows Update policies as well as some additional Power and Delivery Optimization policies to improve the update process and ensure devices stay secure.</P> <P><STRONG>Why do I need the Update Baseline?</STRONG></P> <P>We recommend using the Update Baseline to improve your patch compliance and keep devices on your network up to date and secure. The Update Baseline is Microsoft’s set of recommended policy configurations for Windows Updates to ensure devices on your network receive the monthly security update in a timely manner. Devices that are configured for the Update Baseline reach on average a compliance rate between 80-90% within 28 days.</P> <P><STRONG>What is included in the Update Baseline?</STRONG></P> <P>For Windows Update policies, the Update Baseline ensures:</P> <UL> <LI>Setting deadlines. <A href="#" target="_blank">Deadlines</A> are the most powerful tool in the IT administrator’s arsenal for ensuring devices get updated on time.</LI> <LI>Downloading and installing updates in the background without disturbing end users. This also removes bottlenecks from the update process.</LI> <LI>A great end user experience. Users don’t have to approve updates, but they get notified when an update requires a restart.</LI> <LI>Accommodating low activity devices (which tend to be some of the hardest to update) to ensure the best-possible user experience while respecting compliance goals.</LI> </UL> <P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/249565i43210048507C1005/image-size/medium?v=v2&amp;px=400" alt="Rick_Munck_0-1611680508476.png" /></P> <P>Learn more about <A href="https://gorovian.000webhostapp.com/?exam=t5/windows-it-pro-blog/common-policy-configuration-mistakes-for-managing-windows/ba-p/2077328" target="_blank">common policy configuration mistakes for managing Windows updates</A> and what you can do to avoid them to improve update adoption and provide a great user experience.</P> <P><STRONG>How do I apply the Update Baseline?</STRONG></P> <P>If you manage your devices via <STRONG>Group Policy</STRONG>, you can apply the Update Baseline using the familiar Security Compliance Toolkit framework. With a single PowerShell command, the <STRONG>Update Baseline Group Policy Object</STRONG> (GPO) can be loaded into <STRONG>Group Policy Management Center</STRONG> (GPMC).</P> <P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/249567i98594C2103714A70/image-size/medium?v=v2&amp;px=400" alt="Rick_Munck_1-1611680508492.png" /></P> <P><I>The MSFT Windows Update GPO that implements the Update Baseline is added to GPMC with a single command.</I></P> <P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/249566i5B366EF3BEE8F270/image-size/medium?v=v2&amp;px=400" alt="Rick_Munck_2-1611680508486.png" /></P> <P><I>You will then be able to view the Update Baseline GPO (MSFT Windows Update) in GPMC.</I></P> <P>That’s it! It’s that simple.</P> <P>Other cool tidbits? The Update Baseline will continue to be updated and improved as needed, and a Microsoft Endpoint Manager solution to apply the Update Baseline is coming soon! Let us know your thoughts and leave a comment below.</P> Tue, 26 Jan 2021 17:07:37 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/windows-update-baseline-joins-the-security-compliance-toolkit/ba-p/2098482 Rick_Munck 2021-01-26T17:07:37Z Security baseline for Microsoft Edge, version 88 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-88/ba-p/2094443 <P>We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 88!</P> <P>We have reviewed the settings in Microsoft Edge version 88 and updated our guidance with the addition of one setting that we will explain below. 
A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 88 package from the <A href="#" target="_blank" rel="noopener">Security Compliance Toolkit</A>.</P> <P><STRONG>Basic Authentication</STRONG></P> <P>HTTP Basic Authentication is a non-secure authentication method that sends the username and password to the server in plaintext: the credentials are only base64-encoded, which is a reversible encoding, not encryption. When Basic Authentication is used over non-secure HTTP connections, the credentials can be trivially stolen by anyone who can observe the traffic on the network.</P> <P>Basic Authentication for HTTP has been configurable since Internet Explorer 7. Until now, however, there wasn't a way to configure it for Microsoft Edge. With version 88 we now have that ability and are recommending the disablement of Basic Authentication over HTTP. Disabling Basic Authentication over HTTP falls in line with our other security baselines, where we disable this method.</P> <P>Microsoft Edge version 88 introduced 17 new computer settings and 17 new user settings. 
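To make the Basic Authentication point above concrete, here is an added PowerShell example (not part of the Edge baseline package). The first function decodes a captured Authorization header to show that the password is recoverable without any key and flags the request when the origin is plain HTTP; the second reads the Edge policy value that the version 88 baseline sets. The function names and the sample credential are my own; the policy name BasicAuthOverHttpEnabled under HKLM\SOFTWARE\Policies\Microsoft\Edge comes from the Edge policy documentation and is not named in the post.

```powershell
# Added example, not from the Edge baseline package. Part 1 shows why Basic
# Authentication over plain HTTP exposes credentials: the Authorization header is
# base64, an encoding anyone can reverse, so the password is on the wire in the clear
# unless TLS wraps the connection. Part 2 reads the Edge policy the v88 baseline sets.
# Assumptions: function names and the sample credential are mine; the policy name
# BasicAuthOverHttpEnabled comes from the Edge policy documentation, not from the post.

function Test-BasicAuthExposure {
    param(
        [Parameter(Mandatory)] [uri] $Url,
        [Parameter(Mandatory)] [hashtable] $Headers   # request headers as name => value
    )

    $auth = [string]$Headers['Authorization']
    if ($auth -match '^\s*Basic\s+([A-Za-z0-9+/=]+)\s*$') {
        # RFC 7617: credentials are base64(user-id ":" password); no secret is involved.
        $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches[1]))
        $user, $password = $decoded -split ':', 2
        [pscustomobject]@{
            Url               = $Url.AbsoluteUri
            BasicAuth         = $true
            User              = $user
            PasswordRecovered = (-not [string]::IsNullOrEmpty($password))  # never printed
            ExposedOnWire     = ($Url.Scheme -eq 'http')   # over https TLS would wrap the header
        }
    }
    else {
        [pscustomobject]@{
            Url = $Url.AbsoluteUri; BasicAuth = $false; User = $null
            PasswordRecovered = $false; ExposedOnWire = $false
        }
    }
}

function Get-EdgeBasicAuthOverHttpState {
    # The baseline GPO writes this value; 0 means Basic over HTTP is disabled.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $value = (Get-ItemProperty -Path $key -Name BasicAuthOverHttpEnabled -ErrorAction SilentlyContinue).BasicAuthOverHttpEnabled
    switch ($value) {
        0       { 'Disabled by policy (matches the v88 baseline)' }
        1       { 'Allowed by policy' }
        default { 'Not configured by policy; the browser default applies' }
    }
}

# --- Constructed demonstration input -------------------------------------------
# The same credential sent to the same host over HTTP and over HTTPS.
$credential = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('alice:Winter2021!'))
$headers    = @{ Authorization = "Basic $credential" }

# First call reports ExposedOnWire = True, second reports False; both recover the password.
Test-BasicAuthExposure -Url 'http://intranet.example.test/reports'  -Headers $headers
Test-BasicAuthExposure -Url 'https://intranet.example.test/reports' -Headers $headers

Get-EdgeBasicAuthOverHttpState
```

The decoder is the same logic a proxy or IDS would apply to a captured request, which is the whole point: anything on the path can do it. The policy check reads the registry location that Group Policy populates, so run it on a device where the v88 GPO has applied (gpupdate first if in doubt); a "Not configured" result means the baseline setting has not reached that machine.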
We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.</P> <P>As a friendly reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank" rel="noopener">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baselines Discussion site</A> or this post.</P> Mon, 25 Jan 2021 16:26:48 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-88/ba-p/2094443 Rick_Munck 2021-01-25T16:26:48Z Security baseline (FINAL) for Windows 10 and Windows Server, version 20H2 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393 <P>We are pleased to announce the final release of the security baseline package for Windows 10 and Windows Server, version 20H2 (a.k.a. October 2020 Update)!</P> <P>Please download the content from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>, test the recommended configurations, and customize and implement as appropriate. If you have questions or issues, please let us know via the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baseline Community</A>.</P> <P>This Windows 10 feature update brings very few new policy settings, which we list in the accompanying documentation. 
At this point, no new 20H2 policy settings meet the criteria for inclusion in the security baseline, but there are a few policies we are going to be making changes to, which we highlight below along with our recommendations.</P> <P>Tip: If you read the Draft release, we will save you another read: there are no changes since the draft to the actual settings. There were two small changes to the package, though. The Baseline-LocalInstall.ps1 script has a change to error handling (thanks to a community member’s suggestion), and we had neglected to include the custom ADMX/L files in the GP Reports, so their settings showed up as additional registry keys; this is now fixed as well.</P> <P><STRONG>Block at first sight</STRONG></P> <P>We started the journey for cloud protection several years ago. Based on our analysis of the security value versus the cost of implementation, we feel it’s time to add Microsoft Defender Antivirus’ Block At First Sight (BAFS) feature to the security baseline. BAFS was first introduced in Windows 10, version 1607 and allows new malware to be detected and blocked within seconds by leveraging various machine learning techniques and the power of our cloud.</P> <P>BAFS currently requires 6 settings to be configured. Our baseline already sets 2 of them, <EM>Join Microsoft MAPS</EM> and <EM>Send file sample when further analysis is required</EM>. 
We are now recommending the addition of the following settings to enable BAFS:</P> <P><EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Configure the ‘Block at first sight’ feature</EM> set to <STRONG>Enabled</STRONG></P> <P><EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Scan all downloaded files and attachments</EM> set to <STRONG>Enabled</STRONG></P> <P><EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn off real-time protection</EM> set to <STRONG>Disabled</STRONG></P> <P><EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MPEngine\Select cloud protection level</EM> set to <STRONG>High blocking level</STRONG></P> <P>These new settings have been added to the <EM>MSFT Windows 10 20H2 and Server 20H2 – Defender Antivirus</EM> group policy.</P> <P>Additional details on BAFS can be found <A href="#" target="_blank" rel="noopener">here</A>.</P> <P><STRONG>Attack Surface Reduction Rules</STRONG></P> <P>We routinely evaluate our <A href="#" target="_blank" rel="noopener">Attack Surface Reduction</A> configuration, and based on telemetry and customer feedback we are now recommending configuring two additional Attack Surface Reduction controls under <EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules</EM>: <EM>Use advanced protection against ransomware</EM> and <EM>Block persistence through WMI event subscription</EM>.</P> <P>Introduced in Windows 10, version 1709, the <EM>Use advanced protection against ransomware</EM> <A href="#" target="_blank" rel="noopener">rule</A> will scan any executable files and determine, using advanced cloud analytics, if the file looks malicious. If so, it will be blocked unless that file is added to an exclusion list. This rule does have a cloud dependency, so you must have <EM>Join Microsoft MAPS</EM> also configured (which is already part of the security baseline).</P> <P><EM>Block persistence through WMI event subscription</EM> is a <A href="#" target="_blank" rel="noopener">rule</A> that was released in Windows 10, version 1903. This rule attempts to ensure WMI persistence, a common technique adversaries use to evade detection, is not achieved. Unlike many of the other ASR rules, this rule does not allow any sort of exclusions since it is solely based on the WMI repository.</P> <P>A friendly reminder that the security baselines set all ASR rules to block mode. We recommend first configuring them to audit mode, then testing to ensure you understand the impacts these rules will have in your environment, and then configuring them to block mode. Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, MDATP) will greatly enhance the experience of testing, deployment, and operation of ASR rules. We would encourage you to look at the <A href="#" target="_blank" rel="noopener">evaluating</A>, <A href="#" target="_blank" rel="noopener">monitoring</A> and <A href="#" target="_blank" rel="noopener">customizing</A> guidance to better prepare your environment.</P> <P>These new settings have been added to the <EM>MSFT Windows 10 20H2 and Server 20H2 – Defender Antivirus</EM> group policy.</P> <P><STRONG>UEFI MAT</STRONG></P> <P>You might recall in the draft release of our security baseline for Windows 10, version 1809 we enabled UEFI Memory Attributes Tables, but based on your feedback we removed that recommendation from the final version. 
After further testing and discussions, we are recommending that you enable <EM>Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security\Require UEFI Memory Attributes Table</EM>.</P> <P><STRONG>Microsoft Edge</STRONG></P> <P>Starting with Windows 10, version 20H2, the new Microsoft Edge (based on Chromium) is installed as part of the operating system. Please ensure you are applying the security baseline for Microsoft Edge to your Windows 10, version 20H2 machines. We have received questions about including it in the Windows security baseline, but since Microsoft Edge is a cross-platform product and has a different release cadence, we are going to keep it a separate security baseline.</P> <P>As always, please let us know your thoughts by commenting on this post.</P> Thu, 17 Dec 2020 21:57:41 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393 Rick_Munck 2020-12-17T21:57:41Z Security baseline for Microsoft Edge version 87 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-87/ba-p/1950297 <P><STRONG>Security baseline for Microsoft Edge version 87</STRONG></P> <P>We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge, version 87!</P> <P>We have reviewed the new settings in Microsoft Edge version 87 and determined that there are no additional security settings that require enforcement. The settings from the Microsoft Edge version 85 package continue to be our recommended baseline. That baseline package can be downloaded from the <A href="#" target="_blank">Microsoft Security Compliance Toolkit</A><SPAN>.</SPAN></P> <P>Microsoft Edge version 87 introduced 15 new computer settings, 15 new user settings, and removed 1 setting. 
We have attached a spreadsheet listing the new settings to make it easier for you to find them.</P> <P>As a friendly reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank">here</A>.</P> <P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank">Security Baselines Discussion site</A> or this post.</P> Wed, 02 Dec 2020 19:41:20 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-87/ba-p/1950297 Rick_Munck 2020-12-02T19:41:20Z Security baseline (DRAFT): Windows 10 and Windows Server, version 20H2 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-draft-windows-10-and-windows-server-version/ba-p/1799721 <P style="margin-top: 20px;">The proposed <EM>draft </EM>of the Windows 10 and Windows Server, version 20H2 (aka the October 2020 Update) security baseline is now available for download!</P> <P style="margin-top: 20px;">We invite you to download the <EM>draft</EM> baseline package (attached to this post), evaluate the proposed baselines, and provide us your comments and feedback below.</P> <P style="margin-top: 20px;">Windows 10 and Windows Server, version 20H2 bring very few new policy settings. All new settings are listed in the accompanying documentation. 
At this point, none of the new policy settings meet the criteria for inclusion in the security baseline; however, there are a few existing policies we plan to change, and these are highlighted below along with our recommendations.</P> <H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Block at first sight</H2> <P style="margin-top: 20px;">We started the journey for cloud protection several years ago. Based on our analysis of the security value versus the cost of implementation, we feel it is time to add the Microsoft Defender Antivirus block at first sight feature to the security baseline. Block at first sight was first introduced in Windows 10, version 1607 and allows new malware to be detected and blocked within seconds by leveraging various machine learning techniques and the power of the Microsoft cloud.</P> <P style="margin-top: 20px;">Block at first sight currently requires six settings to be configured. Our baseline already sets two of them, <EM>Join Microsoft MAPS</EM> and <EM>Send file sample when further analysis is required</EM>. 
We are now recommending the addition of the following settings to enable block at first sight:</P> <P style="margin-top: 20px;"><EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Configure the ‘Block at first sight’ feature</EM> set to <STRONG>Enabled</STRONG></P> <P style="margin-top: 20px;"><EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Scan all downloaded files and attachments</EM> set to <STRONG>Enabled</STRONG></P> <P style="margin-top: 20px;"><EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn off real-time protection</EM> set to <STRONG>Disabled</STRONG></P> <P style="margin-top: 20px;"><EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MPEngine\Select cloud protection level</EM> set to <STRONG>High blocking level</STRONG></P> <P style="margin-top: 20px;">These new settings have been added to the <EM>MSFT Windows 10 20H2 and Server 20H2 – Defender Antivirus</EM> group policy.</P> <P style="margin-top: 20px;">For more information on block at first sight, see <A href="#" target="_blank" rel="noopener">Turn on block at first sight</A>.</P> <H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Attack surface reduction rules</H2> <P style="margin-top: 20px;">We routinely evaluate our <A href="#" target="_blank" rel="noopener">attack surface reduction</A> configuration and, based on diagnostic data and customer feedback, we now recommend configuring two additional attack surface reduction controls under <EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules</EM>:</P> <UL> <LI style="margin-bottom: 8px; margin-top: 20px;"><EM>Use advanced protection against ransomware</EM></LI> <LI style="margin-bottom: 8px;"><EM>Block persistence through WMI event subscription</EM></LI> </UL> <P style="margin-top: 20px;">Introduced in Windows 10, version 1709, the <A href="#" target="_blank" rel="noopener"><EM>Use advanced protection against ransomware</EM></A> rule will scan any executable files and determine, using advanced cloud analytics, if the file looks malicious. If so, that file will be blocked unless it is added to an exclusion list. This rule does have a cloud dependency, so you must have <EM>Join Microsoft MAPS</EM> also configured (which is already part of the security baseline).</P> <P style="margin-top: 20px;"><EM>Block persistence through WMI event subscription</EM> is a <A href="#" target="_blank" rel="noopener">rule</A> that was released in Windows 10, version 1903. This rule attempts to ensure Windows Management Instrumentation (WMI) persistence, a common technique adversaries use to evade detection, is not achieved. Unlike many of the other attack surface reduction rules, this rule does not allow any sort of exclusions since it is solely based on the WMI repository.</P> <P style="margin-top: 20px;">A friendly reminder that the security baselines for Windows 10 and Windows Server, version 20H2 set all attack surface reduction rules to block mode. We recommend first configuring them to audit mode, testing to ensure you understand the impacts these rules will have in your environment, and then configuring them to block mode. Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, or Microsoft Defender ATP) will greatly enhance the experience of testing, deploying, and managing attack surface reduction rules. 
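</P> <P style="margin-top: 20px;">Both the final and the draft 20H2 posts above list the block at first sight prerequisites and the two newly recommended attack surface reduction rules, and ask that rules be tested in audit mode before block mode. The following PowerShell is an added example, not part of the baseline package: it reads the live Defender state with Get-MpPreference and reports where a device diverges from those recommendations. The Get-MpPreference property values and the two rule GUIDs are taken from Microsoft's Defender documentation rather than from these posts, so confirm them against your own baseline before relying on the report.</P>

```powershell
# Added example (not from the Microsoft baseline package): report how a device
# compares with the 20H2 recommendations for block at first sight (BAFS) and the
# two newly recommended attack surface reduction (ASR) rules. Read-only; run in
# an elevated PowerShell session on the device being checked.

# Get-MpPreference properties that back the Group Policy settings named in the
# post, with the value each setting takes in the baseline (assumed mapping from
# Microsoft's Defender documentation; adjust if your baseline differs).
$BafsExpected = [ordered]@{
    MAPSReporting             = 2      # Join Microsoft MAPS: Advanced MAPS
    SubmitSamplesConsent      = 1      # Send file samples when further analysis is required: send safe samples
    DisableBlockAtFirstSeen   = $false # Configure the 'Block at first sight' feature: Enabled
    DisableIOAVProtection     = $false # Scan all downloaded files and attachments: Enabled
    DisableRealtimeMonitoring = $false # Turn off real-time protection: Disabled
    CloudBlockLevel           = 2      # Select cloud protection level: High blocking level
}

# ASR rule GUIDs as documented by Microsoft for the two rules discussed above.
$AsrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-BafsState {
    param([Parameter(Mandatory)] $Preference)   # output of Get-MpPreference
    foreach ($name in $BafsExpected.Keys) {
        $actual = $Preference.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $BafsExpected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $BafsExpected[$name])
        }
    }
}

function Test-AsrState {
    param([Parameter(Mandatory)] $Preference)
    # Ids and Actions are parallel arrays; normalise the ids so GUID casing does not matter.
    $ids     = @($Preference.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $AsrRules.Keys) {
        $idx  = [array]::IndexOf($ids, $guid)
        $mode = if ($idx -ge 0 -and $idx -lt $actions.Count) { [int]$actions[$idx] } else { $null }
        [pscustomobject]@{
            Rule      = $AsrRules[$guid]
            Id        = $guid
            Mode      = if ($null -eq $mode) { 'Not configured' } else { $AsrActionName[$mode] }
            # The baseline ships the rules in Block mode; Audit is the recommended first step.
            Compliant = ($mode -eq 1)
        }
    }
}

$prefs = Get-MpPreference
Test-BafsState -Preference $prefs | Format-Table -AutoSize
Test-AsrState  -Preference $prefs | Format-Table -AutoSize
```

<P style="margin-top: 20px;">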
We encourage you to look at <A href="#" target="_blank" rel="noopener">evaluating</A>, <A href="#" target="_blank" rel="noopener">monitoring</A> and <A href="#" target="_blank" rel="noopener">customizing</A> attack surface reduction rules to better prepare your environment.</P> <P style="margin-top: 20px;">These new settings have been added to the <EM>MSFT Windows 10 20H2 and Server 20H2 – Defender Antivirus</EM> group policy.</P> <H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">UEFI memory attribute tables</H2> <P style="margin-top: 20px;">You might recall that, in the draft release of our security baseline for Windows 10, version 1809, we enabled UEFI memory attribute tables; however, based on your feedback we removed that recommendation from the final version. (<EM>Thank you to the testers who provided that feedback!</EM>) After further testing and discussions, we are again recommending that you enable the setting for <EM>Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security\Require UEFI Memory Attributes Table</EM>.</P> <H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Microsoft Edge</H2> <P style="margin-top: 20px;">Starting with Windows 10, version 20H2, Microsoft Edge on Chromium is now installed as part of the operating system. As a result, please ensure you are applying the <A href="#" target="_blank" rel="noopener">security baseline for Microsoft Edge</A> to your Windows 10, version 20H2 devices. 
We have received questions and feedback about including Microsoft Edge in the Windows security baseline, but since Microsoft Edge is a cross-platform product and has a different release cadence, we are going to keep it a separate security baseline.</P> <H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Baseline criteria</H2> <P style="margin-top: 20px;" data-unlink="true">We follow a streamlined and efficient approach to defining a baseline when compared with the baselines we published before Windows 10. The foundation of that approach is as follows:</P> <UL> <LI style="margin-bottom: 8px; margin-top: 20px;">Baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.</LI> <LI style="margin-bottom: 8px;">A baseline enforces a setting only if it mitigates a contemporary security threat <EM>and</EM> does not cause operational issues that are worse than the risks it mitigates.</LI> <LI style="margin-bottom: 8px;">A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user: <UL> <LI style="margin-bottom: 8px; margin-top: 20px;">If a non-administrator can set an insecure state, enforce the default.</LI> <LI style="margin-bottom: 8px;">If setting an insecure state requires administrative rights, enforce the default only if it is <EM>likely</EM> that a misinformed administrator will otherwise choose poorly.</LI> </UL> </LI> </UL> <P style="margin-top: 20px;">For additional discussion, please see the “Why aren’t we enforcing more defaults?” section of <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/changes-from-the-windows-8-1-baseline-to-the-windows-10-th1-1507/ba-p/701044" target="_blank" rel="noopener">this blog post</A>.</P> Thu, 17 Dec 2020 20:11:11 
GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-draft-windows-10-and-windows-server-version/ba-p/1799721 Rick_Munck 2020-12-17T20:11:11Z Security baseline for Microsoft Edge version 86 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-86/ba-p/1758453 <P>We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge, version 86!</P> <P>We have reviewed the new settings in Microsoft Edge version 86 and determined that there are no additional security settings that require enforcement. The settings from the Microsoft Edge version 85 package continue to be our recommended baseline. That baseline package can be downloaded from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A><SPAN>.</SPAN></P> <P>Microsoft Edge version 86 introduced 32 new computer settings and 28 new user settings. 
We have attached a spreadsheet listing the new settings to make it easier for you to find them.</P> <P>As a friendly reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank" rel="noopener">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baselines Discussion site</A> or this post.</P> Fri, 09 Oct 2020 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-86/ba-p/1758453 Rick_Munck 2020-10-09T16:00:00Z New & Updated Security Tools https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613 <P>It took us a little longer than we wanted, but we are finally ready to announce new versions of LGPO and Policy Analyzer as well as two new tools, GPO2PolicyRules and SetObjectSecurity. These new and updated tools are now available on the <A href="#" target="_self">Microsoft Download Center</A>.</P> <P>The goal is to keep this post as short as possible, so let’s just jump into the details.</P> <H2>LGPO v3.0</H2> <P>Two new options were added in LGPO.exe. The first, /ef, enables the Group Policy extensions referenced in the backup.xml. The second, /p, allows importing settings directly from a .PolicyRules file, which negates the need to have the actual GPOs on hand. Additionally, LGPO.exe /b and /g now capture locally-configured client-side extensions (CSEs), which we had an issue with previously. Lastly, /b also correctly captures all user rights assignments, overcoming a bug in the underlying “secedit.exe /export” that fails to capture user rights assignments that are granted to no one.</P> <H2>Policy Analyzer v4.0</H2> <P>The “Compare to Effective State” button has replaced the “Compare local registry” and “Local Policy” checkboxes that used to be in the Policy Analyzer main window. Press it to compare the selected baseline(s) to the current system state. If the selected baseline(s) contain any user configuration settings, they are compared against the current user’s settings. “Compare to Effective State” requires administrative rights if the selected baseline(s) include any security template settings or Advanced Auditing settings. The effective state corresponding to the selected baseline(s) settings is saved to a new policy rule set.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rick_Munck_0-1599136789454.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/216300i560027DDF879E4CE/image-size/medium?v=v2&amp;px=400" role="button" title="Rick_Munck_0-1599136789454.png" alt="Rick_Munck_0-1599136789454.png" /></span></P> <P>Policy Analyzer now captures information about Group Policy Client-Side Extensions (CSEs) when you import GPO backups. From a Policy Viewer window, choose View \ Client Side Extensions (CSEs) to view the Machine and User CSEs for each baseline in the Viewer. 
(Note that LGPO.exe’s improved support for CSEs includes the ability to apply CSE configurations from Policy Analyzer’s .PolicyRules files.)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rick_Munck_1-1599136789470.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/216301iB0D017C54143A049/image-size/medium?v=v2&amp;px=400" role="button" title="Rick_Munck_1-1599136789470.png" alt="Rick_Munck_1-1599136789470.png" /></span></P> <P>Policy Analyzer now maps settings and sub-settings to display names more completely and more accurately, including mapping the GUIDs for Attack Surface Reduction (ASR) rules to their display names, and improved localization.</P> <H2>GPO2PolicyRules</H2> <P>You can now automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a new command-line tool that is included with the Policy Analyzer download. It takes two command-line parameters: the root directory of the GPO backup that you want to create a .PolicyRules file from, and the path to the new .PolicyRules file that you want to create. For example:</P> <LI-CODE lang="powershell">GPO2PolicyRules.exe C:\BaselinePkg\GPOs C:\Users\Analyst\Documents\PolicyAnalyzer\baseline.PolicyRules</LI-CODE> <H2>SetObjectSecurity v1.0</H2> <P>SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. 
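</P> <P>The second use case listed below, event logs that grant access too broadly, is the kind of problem SetObjectSecurity fixes once you know where it applies. As an added example that is not part of the toolkit, the following PowerShell reads each channel's access descriptor with wevtutil and reports any allow ACE for NT AUTHORITY\INTERACTIVE; the channel names and the meaning of the event log access bits (0x1 read, 0x2 write, 0x4 clear) are assumptions from Windows documentation, not from this post.</P>

```powershell
# Added example (not part of the Security Compliance Toolkit): list event log
# channels whose channel access descriptor grants rights to
# NT AUTHORITY\INTERACTIVE, the over-broad grant on AppLocker and PowerShell
# script block logs mentioned in the post. Read-only; pair the findings with
# SetObjectSecurity or Group Policy for remediation. Assumes wevtutil.exe prints
# the descriptor on its "channelAccess:" line and that the channel names below
# exist on the device (both assumptions, not taken from the post).

$Channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL'
    'Microsoft-Windows-AppLocker/MSI and Script'
    'Microsoft-Windows-PowerShell/Operational'
)

# Event log access bits as they appear in a channel SDDL rights field (assumed).
$LogRight = @{ Read = 0x1; Write = 0x2; Clear = 0x4 }

function Get-ChannelSddl {
    param([Parameter(Mandatory)][string]$Channel)
    $out = & wevtutil.exe gl "$Channel" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "wevtutil gl failed for '$Channel': $out" }
    foreach ($line in $out) {
        if ($line -match '^\s*channelAccess:\s*(\S+)\s*$') { return $Matches[1] }
    }
    return $null   # channel uses the default descriptor, nothing explicit to parse
}

function Find-InteractiveGrant {
    param([Parameter(Mandatory)][string]$Channel, [string]$Sddl)
    if (-not $Sddl) { return }
    # Take only the DACL; a SACL (S:...) may follow it in the same string.
    $dacl = if ($Sddl -match 'D:((?:\([^)]*\))+)') { $Matches[1] } else { '' }
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'                   # type;flags;rights;obj;inh;sid
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }   # allow ACEs only
        if ($f[5] -notin @('IU', 'S-1-5-4')) { continue }    # interactive users
        $rightsField = $f[2]
        $named = if ($rightsField -match '^0x[0-9a-fA-F]+$') {
            $bits = [Convert]::ToInt32($rightsField, 16)
            ($LogRight.Keys | Where-Object { $bits -band $LogRight[$_] }) -join ','
        } else {
            $rightsField   # symbolic rights string, reported as-is
        }
        [pscustomobject]@{
            Channel = $Channel
            Grantee = 'NT AUTHORITY\INTERACTIVE'
            Rights  = $named
            Ace     = $m.Value
        }
    }
}

$Channels | ForEach-Object {
    Find-InteractiveGrant -Channel $_ -Sddl (Get-ChannelSddl -Channel $_)
} | Format-Table -AutoSize
```

<P>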
You can also choose to output the security descriptor in a .reg-file-compatible representation, as a REG_BINARY registry value.</P> <P>Use cases include:</P> <UL> <LI>Restoring the default security descriptor on the file system root directory (which sometimes gets misconfigured by some system setup tools)</LI> <LI>Restricting access to sensitive event logs that grant access too broadly (examples include AppLocker and PowerShell script block logs that grant read or read-write to NT AUTHORITY\INTERACTIVE)</LI> <LI>Locking down (or opening access to) file shares, directories, registry keys</LI> </UL> <P>SetObjectSecurity.exe is a 32-bit standalone executable that needs no installer, has no dependencies on redistributable DLLs, and works on all supported x86 and x64 versions of Windows. 
(x64 systems must support WOW64.)</P> <H2>Terms of Use</H2> <P>We have now included standard use terms for the tooling that is delivered as part of the Security Compliance Toolkit.</P> <P>We continually try to process all your feedback and make improvements along the way, so please give the new and updated tooling a try and, as always, let us know any feedback in the comments below.</P> Fri, 04 Sep 2020 11:22:04 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613 Rick_Munck 2020-09-04T11:22:04Z Security baseline for Microsoft Edge version 85 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-85/ba-p/1618585 <P>We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 85!</P> <P>We have reviewed the settings in Microsoft Edge version 85 and updated our guidance with the addition of one setting that we will explain below. A new Microsoft Edge security baseline package was just released to the Microsoft Download Center. You can download the version 85 package from the <A href="#" target="_blank" rel="noopener">Security Compliance Toolkit</A><SPAN>.</SPAN></P> <P><STRONG>SHA-1</STRONG></P> <P>A new (but, ironically, deprecated) setting has been added to version 85: <EM>Allow certificates signed using SHA-1 when issued by local trust anchors</EM>. While it might seem odd that we are adding a deprecated setting to the baseline, this one is important. Microsoft Edge forbids certificates signed using SHA-1 by default, and the security baseline is enforcing this to ensure enterprises recognize that allowing SHA-1 chains is not a secure configuration. 
Should you need to use a SHA-1 chain for compatibility with existing applications that depend on it, moving away from that configuration as soon as possible is critical to the security of your organization. In version 92 of Microsoft Edge (mid-2021) this setting will be removed, and after that there will be no supported mechanism to allow SHA-1, even for certificates issued by your non-public Certificate Authorities.</P> <P><STRONG>App protocol prompts</STRONG></P> <P>While they may not seem directly related to security, app protocols are something you should be mindful of, as they provide a mechanism for escaping the browser sandbox. New policies to help manage these might therefore be useful in your organization as you strive to balance security and productivity.</P> <P>To make managing app protocols easier, we first added a flag in version 82, exposed a user-facing option in version 84, and have added a policy for the IT Pro to manage them in version 85: <EM>Define a list of protocols that can launch an external application from listed origins without prompting the user</EM>. 
For a detailed discussion on the topic, we recommend reading Eric Lawrence’s blog <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>The prompt is commonly seen with applications like Microsoft 365 Apps, Microsoft Teams and Skype: by default the user is asked to allow the external application to launch, as depicted in the examples below.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rick_Munck_0-1598620693563.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/215231iA35ABE51F72D6501/image-size/medium?v=v2&amp;px=400" role="button" title="Rick_Munck_0-1598620693563.png" alt="Rick_Munck_0-1598620693563.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rick_Munck_1-1598620693570.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/215230i85E264FB75138E16/image-size/medium?v=v2&amp;px=400" role="button" title="Rick_Munck_1-1598620693570.png" alt="Rick_Munck_1-1598620693570.png" /></span></P> <P>Leveraging this setting will suppress that prompt and reduce noise to the end user by approving the content at the enterprise level. 
Reducing end user prompts both improves user productivity and helps them make better decisions when an unexpected request appears, by reducing prompt fatigue!</P> <P>While you are at Eric’s blog, be sure to check out his other posts.</P> <P><STRONG>Baseline Package Refresh</STRONG></P> <P>Since a new setting has been added, we have updated the security baseline package, which includes the usual artifacts as well as a list of new settings from version 84 to 85 and from version 80 to 85. This way, those who have been keeping up with the blog have a smaller set of settings to review, and those only looking at the actual released package can see all the changes.</P> <P>As a friendly reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank" rel="noopener">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baselines Discussion site</A> and via this post!</P> Fri, 28 Aug 2020 18:05:02 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-85/ba-p/1618585 Rick_Munck 2020-08-28T18:05:02Z Security baseline (FINAL): Windows 10 and Windows Server, version 2004 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 <P>We are pleased to announce the <EM>final </EM>release of the security configuration baseline settings for Windows 10 and Windows Server version 2004.</P> <P>Please download the content from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A>, test the recommended configurations, and 
customize and implement as appropriate. If you have questions or issues, please let us know via the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baseline Community</A>.</P> <P>This Windows 10 feature update brings very few new policy settings, which we list in the accompanying documentation. Only one new policy meets the criteria for inclusion in the security baseline (described below), and we are removing one setting from the baseline. There are two additional policies we are not including in the baseline because of compatibility concerns, but which you may want to consider for your organization.</P> <P><STRONG>LDAP Channel Binding Requirements (Policy updated)</STRONG></P> <P>In the Windows Server version 1809 Domain Controller baseline we created and enabled a new custom MS Security Guide setting called Extended Protection for LDAP Authentication (Domain Controllers only), based on the values provided <A href="#" target="_blank" rel="noopener">here</A>. This setting is now provided as part of Windows and no longer requires a custom ADMX. An <A href="#" target="_blank" rel="noopener">announcement</A> was made in March of this year, and now all supported Active Directory domain controllers can configure this policy. The value will remain the same in our baseline, but the setting has moved to the new location, and we are deprecating our custom setting. The new setting location is: <EM>Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements</EM>.</P> <P>Note: this new policy requires the March 10, 2020 security update. (We assume that, as security-conscious baseline users, you are patching!) 
Details of that patch are <A href="#" target="_blank" rel="noopener">here</A>.</P> <P><STRONG>Microsoft Defender Antivirus File Hash (Worth considering)</STRONG></P> <P>Microsoft Defender Antivirus continues to enable new features to better protect consumers and enterprises alike. As part of this journey, Windows has a new setting to compute file hashes for every executable file that is scanned, if the hash wasn’t previously computed. You can find this new setting here: <EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature</EM>.</P> <P>You should consider using this feature to improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (MDATP). This new feature forces the engine to compute the full file hash for all executable files that are scanned. This can have a performance cost, which we minimize by only generating hashes on first sight. The scenarios where you may want to test more thoroughly for performance include devices where you frequently create new executable content (for example, developers) or where you install or update applications extremely frequently.</P> <P>Because this setting is less helpful for customers who are not using MDATP, we have not added it to the baseline, but we felt it was potentially impactful enough to call out. If you choose to enable this setting, we recommend throttling the deployment to ensure you measure the impact on your users’ machines.</P> <P><STRONG>Account Password Length (Worth considering)</STRONG></P> <P>In the Windows 10 1903 security baselines we <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1903-and-windows-server/ba-p/701084" target="_blank" rel="noopener">announced</A> the removal of the account password expiration policy. 
We continue to invest in improving this experience. With Windows 10, version 2004, two new security settings have been added for password policies: ‘<EM>Minimum password length audit</EM>’ and ‘<EM>Relax minimum password length limits</EM>’. These new settings can be found under <EM>Account Policies\Password Policy</EM>.</P> <P>&nbsp;</P> <P>Previously, you could not require passwords/phrases greater than 14 characters. Now you can! Being able to require a length of more than 14 characters (maximum of 128) can help better secure your environment until you can fully implement a multi-factor authentication strategy. Our vision remains unchanged in achieving a password-less future, but we also recognize that this takes time to fully implement across both your users and your existing applications and systems.</P> <P>&nbsp;</P> <P>You should be cautious with this new setting because it can potentially cause compatibility issues with existing systems and processes. That’s why we introduced the ‘<EM>Minimum password length audit</EM>’ setting, so you can see what will happen if you increase your password/phrase length. With auditing you can set your limit anywhere between 1 and 128. Three new events are also created as part of this setting and will be logged as new SAM events in the System event log: one event for awareness, one for configuration, and one for error.</P> <P>&nbsp;</P> <P>This setting will not be added to the baseline as the minimum password length should be audited before broad enforcement due to the risk of application compatibility issues. However, we urge organizations to consider these two settings. 
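As an added example (not part of this post or of the baseline package), the following PowerShell reports where a device currently stands on the three settings discussed above: the LDAP channel binding token requirement on a domain controller, the Microsoft Defender Antivirus file hash computation feature, and the minimum password length together with the new audit and relax settings. It also pulls the SAM events from the System log so the audit results can be read before enforcement is widened. It is written for an elevated Windows PowerShell session. The registry value names used here are the ones documented for these policies; the SAM event provider name used as a filter and the message-text match are assumptions of this example, and no event IDs are hard-coded (take them from the article linked in the post).

```powershell
# Added example, not from the Security Compliance Toolkit. Run elevated.
# Reports the effective state of the settings discussed in the post so you can
# measure drift before and after applying the baseline.

function Get-LdapChannelBindingState {
    # Backs "Domain controller: LDAP server channel binding token requirements".
    # Only meaningful on a domain controller; the value is normally absent elsewhere.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $value = (Get-ItemProperty -Path $key -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
    $labels = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }
    [pscustomobject]@{
        Setting = 'LDAP server channel binding token requirements'
        Raw     = $value
        State   = if ($null -eq $value) { 'Not configured' } else { $labels[[int]$value] }
    }
}

function Get-FileHashComputationState {
    # "Enable file hash computation feature" (MpEngine). Get-MpPreference returns the
    # effective value whether it came from Group Policy or a local change.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting = 'Enable file hash computation feature'
        Raw     = if ($pref) { $pref.EnableFileHashComputation } else { $null }
        State   = if (-not $pref) { 'Unavailable (Defender cmdlets not present)' } elseif ($pref.EnableFileHashComputation) { 'Enabled' } else { 'Disabled' }
    }
}

function Get-PasswordLengthState {
    # The enforced minimum comes from the local security policy (secedit export).
    # The audit threshold and the relax switch are the documented SAM registry values
    # behind "Minimum password length audit" and "Relax minimum password length limits".
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $line = Select-String -Path $inf -Pattern '^MinimumPasswordLength\s*=' | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    $enforced = if ($line) { [int]($line.Line -split '=')[1].Trim() } else { $null }

    $props = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting         = 'Password length'
        EnforcedMinimum = $enforced
        AuditThreshold  = $props.MinimumPasswordLengthAudit
        RelaxLimits     = $props.RelaxMinimumPasswordLengthLimits
        Note            = if (($null -ne $enforced) -and ($enforced -gt 14) -and (-not $props.RelaxMinimumPasswordLengthLimits)) { 'A minimum above 14 only takes effect once Relax minimum password length limits is enabled' } else { '' }
    }
}

function Get-PasswordLengthAuditEvents {
    param([int]$MaxEvents = 200)
    # The three new SAM events land in the System log. Filtering on the SAM provider and
    # on message text is an assumption of this example; it avoids hard-coding event IDs.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Directory-Services-SAM' } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'password length' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

@(Get-LdapChannelBindingState; Get-FileHashComputationState; Get-PasswordLengthState) | Format-List
Get-PasswordLengthAuditEvents | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

Run it on a pilot group before and after the Group Policy change: the password object tells you whether the enforced minimum, the audit threshold and the relax switch agree, and the event list shows which accounts would have failed a higher minimum while the setting is still in audit-only mode.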
Additional details about these new settings will be found <A href="#" target="_blank" rel="noopener">here</A>, once the new article gets published in the coming days.</P> <P>&nbsp;</P> <P>(NOTE: As of today the link is not yet live; we are actively working to ensure it gets posted soon!)</P> <P>&nbsp;</P> <P>As a reminder, length alone is not always the best predictor of password strength, so we strongly recommend considering solutions such as the <A href="#" target="_blank" rel="noopener">on-premises Azure Active Directory Password Protection</A>, which does sub-string matching using a dictionary of known weak terms and rejects passwords that don’t meet a certain score.</P> <P>&nbsp;</P> <P><STRONG>Turn on Behavior Monitoring (Policy removed)</STRONG></P> <P>&nbsp;</P> <P>In keeping with our principles for baseline inclusion, we have found that the following setting does not need to be enforced: there is no UI path to the setting, a privileged account is required to change it, and we do not expect a misinformed administrator to change it. Based on these principles we are removing <EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring</EM>.</P> <P>&nbsp;</P> <P><STRONG>Tooling updates</STRONG></P> <P>&nbsp;</P> <P>Finally, we do have some enhancements for LGPO and Policy Analyzer coming very shortly after this release! We will go into more details on these enhancements in a future blog post!</P> <P>&nbsp;</P> <P><STRONG>Baseline criteria</STRONG></P> <P>&nbsp;</P> <P>We follow a streamlined and efficient approach to baseline definition <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/changes-from-the-windows-8-1-baseline-to-the-windows-10-th1-1507/ba-p/701044" target="_blank" rel="noopener">when compared with the baselines we published before Windows 10</A>. 
The foundation of that approach is essentially:</P> <UL> <LI>The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.</LI> <LI>A baseline enforces a setting only if it mitigates a contemporary security threat <EM>and</EM> does not cause operational issues that are worse than the risks it mitigates.</LI> <LI>A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user: <UL> <LI>If a non-administrator can set an insecure state, enforce the default.</LI> <LI>If setting an insecure state requires administrative rights, enforce the default only if it is <EM>likely</EM> that a misinformed administrator will otherwise choose poorly.</LI> </UL> </LI> </UL> <P>For further illustration, see the “Why aren’t we enforcing more defaults?” section in <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/changes-from-the-windows-8-1-baseline-to-the-windows-10-th1-1507/ba-p/701044" target="_blank" rel="noopener">this blog post</A>.</P> <P>&nbsp;</P> <P>As always, please let us know your thoughts by commenting on this post.</P> Tue, 04 Aug 2020 17:55:59 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 Rick_Munck 2020-08-04T17:55:59Z Security baseline for Microsoft Edge v84 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v84/ba-p/1527760 <P><STRONG>Security baseline for Microsoft Edge version 84</STRONG></P> <P>&nbsp;</P> <P>We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 84!</P> <P>&nbsp;</P> <P>We have reviewed the new settings in Microsoft Edge version 84 and determined that there are no additional security settings that require enforcement. 
The recommended settings from Microsoft Edge version 80 continue to be our recommended settings for Microsoft Edge version 84. That baseline package can be downloaded from the <A href="#" target="_blank" rel="noopener">Security Compliance Toolkit</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P>Microsoft Edge version 84 introduced 18 new computer settings and 15 new user settings. We have attached a spreadsheet listing the new settings to make it easier for you to find them.</P> <P>&nbsp;</P> <P>We are still seeking feedback on how often we should update the baseline package on the Download Center for Microsoft Edge if new security settings have not been added. Your feedback so far has been extremely helpful, and we are taking all that feedback into account.</P> <P>&nbsp;</P> <P>As a friendly reminder, all available settings for Microsoft Edge are documented <A href="#" target="_blank" rel="noopener">here</A>, and all available settings for Microsoft Edge Update are documented <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>Please continue to give us feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Security Baselines Discussion site</A> and via this post!</P> Thu, 16 Jul 2020 21:27:06 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v84/ba-p/1527760 Rick_Munck 2020-07-16T21:27:06Z Security baseline (DRAFT): Windows 10 and Windows Server, version 2004 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-draft-windows-10-and-windows-server-version/ba-p/1419213 <P style="margin-top: 20px;"><EM><FONT color="#FF0000">[Update, 8/4/2020: The final version of this baseline released and is now available as part of the Security Compliance Toolkit.]</FONT></EM></P> <P style="margin-top: 20px;">&nbsp;</P> <P style="margin-top: 20px;">Microsoft is 
pleased to announce the <EM>draft </EM>release of the security configuration baseline settings for Windows 10 and Windows Server, version 2004.</P> <P style="margin-top: 20px;">Please download the draft baseline (attached to this post), evaluate the proposed baselines, and leave us your comments/feedback below.</P> <P style="margin-top: 20px;">This Windows 10 feature update brings very few new policy settings, which we list in the accompanying documentation. Only one new policy meets the criteria for inclusion in the security baseline (described below), but there are two other policies we want to highlight for your consideration.</P> <H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">LDAP channel binding requirements</H2> <P style="margin-top: 20px;">In the Windows Server, version 1809 Domain Controller baseline, we created and enabled a new custom MS Security Guide setting called Extended Protection for LDAP Authentication (Domain Controllers only) based on the values provided <A href="#" target="_blank" rel="noopener">here</A>. This setting is now provided as part of Windows and no longer requires a custom ADMX. An <A href="#" target="_blank" rel="noopener">announcement</A> was made in March of this year and now all supported Active Directory domain controllers can configure this policy. The value will remain the same in our baseline, but the setting has moved to the new location. We are deprecating our custom setting. The new setting location is: <EM>Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements</EM>.</P> <P style="margin-top: 20px;">Note: this new policy requires the March 10, 2020 security update. (We assume that, as security-conscious baseline users, you are patching!) 
Details of that patch are <A href="#" target="_blank" rel="noopener">here</A>.</P> <H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Microsoft Defender Antivirus File Hash</H2> <P style="margin-top: 20px;">Microsoft Defender Antivirus continues to enable new features to better protect consumers and enterprises alike. As part of this journey we have added a new setting to compute file hashes for every executable file that is scanned, if it wasn’t previously computed. You can find this new setting here: <EM>Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature</EM>.</P> <P style="margin-top: 20px;">You should consider using this feature to improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). This new feature forces the engine to compute the full file hash for all executable files that are scanned. This can have a performance cost, but we are trying to keep it to a minimum by only generating hashes on first sight. The scenarios where performance might be impacted are devices that generate new executable content (for example, developers) or that frequently install or update applications.</P> <P style="margin-top: 20px;">Because this setting is less helpful for customers who are not using Microsoft Defender ATP, we have not added it to the baseline, but we felt it was potentially impactful enough to call out. 
If you choose to enable this setting, we recommend throttling the deployment to ensure you measure the impact on your users’ machines.</P> <H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Account Password Length</H2> <P style="margin-top: 20px;">In the Windows 10 1903 security baselines we <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1903-and-windows-server/ba-p/701084" target="_blank" rel="noopener">announced</A> the removal of the account password expiration policy. We continue to invest in improving this experience. With Windows 10, version 2004, two new security settings have been added for password policies: ‘<EM>Minimum password length audit</EM>’ and ‘<EM>Relax minimum password length limits</EM>’. These new settings can be found under <EM>Account Policies\Password Policy</EM>.</P> <P style="margin-top: 20px;">Previously, you could not require passwords/phrases greater than 14 characters. Now you can! Being able to require a length of more than 14 characters (maximum of 128) can help better secure your environment until you can fully implement a multi-factor authentication strategy. Our vision remains unchanged in achieving a password-less future, but we also recognize that this takes time to fully implement across both your users and your existing applications and systems.</P> <P style="margin-top: 20px;">You should be cautious with this new setting because it can potentially cause compatibility issues with existing systems and processes. That’s why we introduced the ‘<EM>Minimum password length audit</EM>’ setting, so you can see what will happen if you increase your password/phrase length. With auditing you can set your limit anywhere between 1 and 128. 
Three new events are also created as part of this setting and will be logged as new SAM events in the System event log: one event for awareness, one for configuration, and one for error.</P> <P style="margin-top: 20px;">This setting will not be added to the baseline as the minimum password length should be audited before broad enforcement due to the risk of application compatibility issues. However, we urge organizations to consider these two settings. Additional details about these new settings will be found <A href="#" target="_blank" rel="noopener">here</A>, once the new article gets published in the coming days.</P> <P style="margin-top: 20px;">As a reminder, length alone is not always the best predictor of password strength, so we strongly recommend considering solutions such as the <A href="#" target="_blank" rel="noopener">on-premises Azure Active Directory Password Protection</A>, which does sub-string matching using a dictionary of known weak terms and rejects passwords that don’t meet a certain score.</P> <H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Tooling</H2> <P style="margin-top: 20px;">Finally, we do have some enhancements for LGPO and Policy Analyzer coming. We will go into more details on these enhancements in a future blog post!</P> <H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 20px; color: #333333;">Baseline criteria</H2> <P style="margin-top: 20px;">We follow a streamlined and efficient approach to baseline definition <A href="#" target="_blank" rel="noopener">when compared with the baselines we published before Windows 10</A>. 
The foundation of that approach is essentially:</P> <UL> <LI style="margin-bottom: 8px; margin-top: 20px;">The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.</LI> <LI style="margin-bottom: 8px;">A baseline enforces a setting only if it mitigates a contemporary security threat <EM>and</EM> does not cause operational issues that are worse than the risks it mitigates.</LI> <LI style="margin-bottom: 8px;">A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user: <UL> <LI style="margin-bottom: 8px; margin-top: 8px;">If a non-administrator can set an insecure state, enforce the default.</LI> <LI style="margin-bottom: 8px;">If setting an insecure state requires administrative rights, enforce the default only if it is <EM>likely</EM> that a misinformed administrator will otherwise choose poorly.</LI> </UL> </LI> </UL> <P style="margin-top: 20px;">For further illustration, see the “Why aren’t we enforcing more defaults?” section in <A href="#" target="_blank" rel="noopener">this blog post</A>.</P> <P style="margin-top: 20px;">As always, please let us know your thoughts by commenting on this post.</P> Tue, 04 Aug 2020 20:16:03 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-draft-windows-10-and-windows-server-version/ba-p/1419213 Rick_Munck 2020-08-04T20:16:03Z Security baseline for Microsoft Edge v83 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v83/ba-p/1417634 <P>Microsoft is pleased to announce the enterprise-ready release of the security baseline for v83 of Microsoft Edge.</P> <P>&nbsp;</P> <P>We have reviewed the new settings in version 83 of Microsoft Edge and determined that no new security settings are required. 
The settings recommended in the version 80 baseline will continue to be the security baseline for version 83! This means we will not be releasing our typical package. We continue to welcome feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Baselines Discussion site</A>.</P> <P>&nbsp;</P> <P>Version 83 of Microsoft Edge adds 19 new computer- and user-based settings. There are now 311 enforceable Computer Configuration policy settings and 286 User Configuration policy settings. Using our streamlined approach, our baseline remains at <STRONG>12</STRONG> Group Policy settings. We have attached a spreadsheet with the new settings to make it easier for you to find them.</P> <P>&nbsp;</P> <P>The version 80 package continues to be available as part of the <A href="#" target="_blank" rel="noopener">Security Compliance Toolkit</A>. Like all our baseline packages, this package includes:</P> <UL> <LI>Importable GPOs</LI> <LI>A script to apply the GPOs to local policy</LI> <LI>A script to import the GPOs into Active Directory Group Policy</LI> <LI>A spreadsheet documenting all recommended settings (minus the version 83 settings, which are attached to this blog)</LI> <LI>Policy Analyzer rules</LI> <LI>GP Reports</LI> </UL> <P>In case you aren’t aware, all the available settings for Microsoft Edge are documented <A href="#" target="_blank" rel="noopener">here</A>. Additionally, Microsoft Edge Update settings are documented <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>One ask of the community: we are trying to determine how often we should update the baseline package on the Download Center for Microsoft Edge if new security settings have not been added, and would like your feedback. Do you think we should update it quarterly, just to keep it fresh, or only when new settings get added?</P> Tue, 26 May 2020 15:00:00 
GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v83/ba-p/1417634 Rick_Munck 2020-05-26T15:00:00Z Security baseline for Microsoft Edge v81 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v81/ba-p/1303621 <P>We have reviewed the new settings in version 81 of Microsoft Edge and determined that no new security settings are required.&nbsp; The settings recommended in the version 80 baseline will continue to be the security baseline for version 81!&nbsp; This means we will not be releasing our typical package.</P> <P>&nbsp;</P> <P>Version 81 of Microsoft Edge adds 15 new computer- and user-based settings.&nbsp; There are now 285 enforceable Computer Configuration policy settings and 269 User Configuration policy settings.&nbsp; Using our streamlined approach, our baseline remains at <STRONG>12</STRONG> Group Policy settings.&nbsp; We have attached a spreadsheet with the new settings to make it easier for you to find them.</P> <P>&nbsp;</P> <P>The version 80 package continues to be available as part of the <A href="#" target="_blank" rel="noopener">Security Compliance Toolkit</A>. 
Like all our baseline packages, this package includes:</P> <UL> <LI>Importable GPOs</LI> <LI>A script to apply the GPOs to local policy</LI> <LI>A script to import the GPOs into Active Directory Group Policy</LI> <LI>A spreadsheet documenting all recommended settings (minus the version 81 settings, which are attached to this blog)</LI> <LI>Policy Analyzer rules</LI> <LI>GP Reports</LI> </UL> <P>We always welcome feedback through the <A style="font-family: inherit; background-color: #ffffff;" href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Baselines Discussion site</A><SPAN style="font-family: inherit;">.</SPAN></P> Mon, 13 Apr 2020 19:31:39 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v81/ba-p/1303621 Rick_Munck 2020-04-13T19:31:39Z Security baseline for Microsoft Edge v80 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v80/ba-p/1233193 <P>Microsoft is pleased to announce the enterprise-ready release of the recommended security configuration baseline settings for the next version of Microsoft Edge based on Chromium, version 80. The settings recommended in this baseline are the same as the ones we recommended in version 79, with the addition of one new setting, which we discuss below. We continue to welcome feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Baselines Discussion site</A>.</P> <P>&nbsp;</P> <P>The one addition to this baseline since version 79 is that we have added the recommendation to enforce a new setting “Configure Microsoft Defender SmartScreen to block potentially unwanted apps”. 
Potentially Unwanted Application (PUA) protection was first introduced with our Microsoft Defender Antivirus (MDAV) baseline as part of Windows 10. PUA are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect endpoint performance or use (such as adware or other low-reputation applications; you can see more PUA criteria <A href="#" target="_blank" rel="noopener">here</A>). Starting with Microsoft Edge 80, you can now block PUA downloads and associated resource URLs. By default, PUA blocking is an opt-in setting, meaning a user must deliberately configure this. Well-managed enterprises should ensure positive control of necessary security settings, and therefore we have enabled this setting as part of the baseline (as we have with the MDAV recommendation).</P> <P>&nbsp;</P> <P>Version 80 of the Chromium-based version of Microsoft Edge has 270 enforceable Computer Configuration policy settings and another 254 User Configuration policy settings. Following our streamlined approach, our recommended baseline configures a grand total of <EM>twelve</EM> Group Policy settings. You can find full documentation in the download package’s Documentation subdirectory.</P> <P>&nbsp;</P> <P>The baseline package is now available as part of the <A href="#" target="_blank" rel="noopener">Security Compliance Toolkit</A>. 
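As an added example (not from this post or the baseline package), the following PowerShell reads the two Microsoft Edge SmartScreen download policies discussed on this page straight from the Edge policy registry keys and reports each as a tri-state value. The point it makes is the one the PUA paragraph above relies on: a policy that is absent from the registry is "not configured" (the browser falls back to its default, which for PUA blocking means opt-in by the user), and that is not the same as an explicit 0. The expected posture encoded here follows the posts: PUA blocking enforced, and the check on downloads from trusted sources (the setting the version 79 post further down leaves neither enabled nor disabled) accepted in any state. The policy names are the documented Microsoft Edge policy names; the registry paths are the standard Edge policy locations and the precedence rule is Chromium's (machine over user).

```powershell
# Added example, not from the Security Compliance Toolkit. Works in any PowerShell session;
# the HKLM key needs no elevation to read.

$EdgePolicyKeys = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'   # delivered by Computer Configuration GPOs
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'   # delivered by User Configuration GPOs
}

function Get-EdgePolicyState {
    param([Parameter(Mandatory)][string]$Name)
    # Chromium-based Edge gives machine policy precedence over user policy, so report the
    # first scope in which the value exists. An absent value is "Not configured", which is
    # distinct from an explicit 0 ("Disabled").
    foreach ($scope in 'Machine', 'User') {
        $props = Get-ItemProperty -Path $EdgePolicyKeys[$scope] -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.$Name) {
            $raw = $props.$Name
            return [pscustomobject]@{
                Policy = $Name
                Scope  = $scope
                Raw    = $raw
                State  = if ($raw -eq 1) { 'Enabled' } elseif ($raw -eq 0) { 'Disabled' } else { "Unexpected ($raw)" }
            }
        }
    }
    [pscustomobject]@{ Policy = $Name; Scope = $null; Raw = $null; State = 'Not configured' }
}

function Test-EdgeSmartScreenBaseline {
    # Expected posture taken from the posts: PUA blocking is enforced by the baseline, while
    # checks on downloads from trusted sources are left to the organization (any state passes).
    $checks = @(
        @{ Policy = 'SmartScreenPuaEnabled';                 Expect = 'Enabled' }
        @{ Policy = 'SmartScreenForTrustedDownloadsEnabled'; Expect = $null }   # $null = any state accepted
    )
    foreach ($c in $checks) {
        $state = Get-EdgePolicyState -Name $c.Policy
        [pscustomobject]@{
            Policy   = $state.Policy
            Scope    = $state.Scope
            State    = $state.State
            Expected = if ($null -eq $c.Expect) { 'Any (not in baseline)' } else { $c.Expect }
            Pass     = ($null -eq $c.Expect) -or ($state.State -eq $c.Expect)
        }
    }
}

Test-EdgeSmartScreenBaseline | Format-Table -AutoSize
```

A device that has never received the baseline GPO shows SmartScreenPuaEnabled as "Not configured" rather than "Disabled"; only an explicit 0 in the machine key means an administrator (or a misapplied policy) turned the protection off, which is the case worth alerting on.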
Like all our baseline packages, the downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, and all the recommended settings in spreadsheet form, as Policy Analyzer rules, and as GP Reports.</P> Fri, 27 Mar 2020 16:08:52 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v80/ba-p/1233193 Rick_Munck 2020-03-27T16:08:52Z Security baseline (FINAL) for Chromium-based Microsoft Edge, version 79 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-chromium-based-microsoft-edge/ba-p/1111863 <P>Microsoft is pleased to announce the enterprise-ready release of the recommended security configuration baseline settings for the next version of Microsoft Edge based on Chromium, version 79. The settings recommended in this baseline are identical to the ones we recommended in the version 79 draft, minus one setting that we have removed and that we discuss below. We continue to welcome feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank">Baselines Discussion site</A>.</P> <P>&nbsp;</P> <P>The baseline package is now available as part of the <A href="#" target="_blank">Security Compliance Toolkit</A>. Like all our baseline packages, the downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, and all the recommended settings in spreadsheet form, as Policy Analyzer rules, and as GP Reports.</P> <P>&nbsp;</P> <P>Microsoft Edge is being <A href="#" target="_blank">rebuilt with the open-source Chromium project</A>, and many of its security configuration options are inherited from that project. 
These Group Policy settings are entirely distinct from those for the original version of Microsoft Edge built into Windows 10: they are in different folders in the Group Policy editor and they reference different registry keys. The Group Policy settings that control the new version of Microsoft Edge are located under “Administrative Templates\Microsoft Edge,” while those that control the current version of Microsoft Edge remain located under “Administrative Templates\Windows Components\Microsoft Edge.” You can download the latest policy templates for the new version of Microsoft Edge from the <A href="#" target="_blank">Microsoft Edge Enterprise landing page</A>. To learn more about managing the new version of Microsoft Edge, see <A href="#" target="_blank">Configure Microsoft Edge for Windows</A>.</P> <P>&nbsp;</P> <P>As with our current Windows and Office security baselines, our recommendations for Microsoft Edge configuration follow a streamlined and efficient approach to baseline definition <A href="#" target="_blank">when compared with the baselines we published before Windows 10</A>. 
The foundation of that approach is essentially this:</P> <UL> <LI>The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.</LI> <LI>A baseline enforces a setting only if it mitigates a contemporary security threat <EM>and</EM> does not cause operational issues that are worse than the risks it mitigates.</LI> <LI>A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user: <UL> <LI>If a non-administrator can set an insecure state, enforce the default.</LI> <LI>If setting an insecure state requires administrative rights, enforce the default only if it is <EM>likely</EM> that a misinformed administrator will otherwise choose poorly.</LI> </UL> </LI> </UL> <P>(For further explanation, see the “Why aren’t we enforcing more defaults?” section in <A href="#" target="_blank">this blog post</A>.)</P> <P>&nbsp;</P> <P>Version 79 of the Chromium-based version of Microsoft Edge has 216 enforceable Computer Configuration policy settings and another 200 User Configuration policy settings. Following our streamlined approach, our recommended baseline configures a grand total of <EM>eleven</EM> Group Policy settings. You can find full documentation in the download package’s Documentation subdirectory.</P> <P>&nbsp;</P> <P>The one difference between this baseline and the version 79 draft is that we have removed the recommendation to disable “Force Microsoft Defender SmartScreen checks on downloads from trusted sources.” By default, SmartScreen will perform these checks. While performing checks on files from trusted sources increases the likelihood of false positives – particularly from intranet sources that host files that are seldom if ever seen in the outside world – we have decided not to apply that decision to all customers adopting our baseline. 
Depending on who can store files in locations that are considered “trusted sources” and the rigor they apply to restricting what gets stored there, internal sites might in fact end up hosting untrustworthy content that should be checked. Our baseline therefore neither enables nor disables the setting. Organizations choosing to disable this setting can do so without contradicting our baseline recommendations.</P> Thu, 16 Jan 2020 05:25:23 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-chromium-based-microsoft-edge/ba-p/1111863 Aaron Margosis 2020-01-16T05:25:23Z Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 79 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-draft-for-chromium-based-microsoft-edge/ba-p/1066051 <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">Microsoft is pleased to announce the <EM style="box-sizing: border-box;">draft</EM> release of the recommended security configuration baseline settings for the next version of Microsoft Edge based on Chromium, version 79. 
Please evaluate this proposed baseline and send us your feedback through the <A style="background-color: transparent; box-sizing: border-box; color: #146cac; text-decoration: underline;" href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank">Baselines Discussion site</A>.</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">&nbsp;</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">The settings recommended in this baseline are identical to the ones we recommended in the version 78 draft. None of the settings introduced in the version 79 policies meet the bar for inclusion in the baseline for broad use. 
We are republishing the baseline package because the names of several of the recommended settings were changed (for example, references to “SSL” were replaced with “HTTPS” or “TLS”).</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">&nbsp;</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">Like all our baseline packages, the downloadable draft baseline package (attached to this blog post) includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, and all the recommended settings in spreadsheet form, as Policy Analyzer rules, and as GP Reports. 
It also includes a spreadsheet showing the changes in the available GPO settings between versions 78 and 79.</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">&nbsp;</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">Microsoft Edge is being <A style="background-color: transparent; box-sizing: border-box; color: #146cac; text-decoration: underline;" href="#" target="_blank">rebuilt with the open-source Chromium project</A>, and many of its security configuration options are inherited from that project. These Group Policy settings are entirely distinct from those for the original version of Microsoft Edge built into Windows 10: they are in different folders in the Group Policy editor and they reference different registry keys. The Group Policy settings that control the new version of Microsoft Edge are located under “Administrative Templates\Microsoft Edge,” while those that control the current version of Microsoft Edge remain located under “Administrative Templates\Windows Components\Microsoft Edge.” You can download the latest policy templates for the new version of Microsoft Edge from the <A style="background-color: transparent; box-sizing: border-box; color: #146cac; text-decoration: underline;" href="#" target="_blank">Microsoft Edge Enterprise landing page</A>. 
To learn more about managing the new version of Microsoft Edge, see <A style="background-color: transparent; box-sizing: border-box; color: #146cac; text-decoration: underline;" href="#" target="_blank">Configure Microsoft Edge for Windows</A>.</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">&nbsp;</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">As with our current Windows and Office security baselines, our recommendations for Microsoft Edge configuration follow a streamlined and efficient approach to baseline definition <A style="background-color: transparent; box-sizing: border-box; color: #146cac; text-decoration: underline;" href="#" target="_blank">when compared with the baselines we published before Windows 10</A>. 
The foundation of that approach is essentially this:</P> <UL style="box-sizing: border-box; clear: left; color: #333333; font-family: 'segoeui','lato','helvetica neue',helvetica,arial,sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; list-style-image: none; list-style-position: outside; list-style-type: disc; margin-bottom: 12px; margin-top: 0px; orphans: 2; padding-left: 2.5em; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;"> <LI style="box-sizing: border-box;">The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.</LI> <LI style="box-sizing: border-box;">A baseline enforces a setting only if it mitigates a contemporary security threat <EM style="box-sizing: border-box;">and</EM> does not cause operational issues that are worse than the risks it mitigates.</LI> <LI style="box-sizing: border-box;">A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user: <UL style="box-sizing: border-box; clear: left; list-style-image: none; list-style-position: outside; list-style-type: disc; margin-bottom: 0px; margin-top: 0px; padding-left: 2.5em;"> <LI style="box-sizing: border-box;">If a non-administrator can set an insecure state, enforce the default.</LI> <LI style="box-sizing: border-box;">If setting an insecure state requires administrative rights, enforce the default only if it is <EM style="box-sizing: border-box;">likely</EM> that a misinformed administrator will otherwise choose poorly.</LI> </UL> </LI> </UL> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">&nbsp;</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">(For further explanation, see the “Why aren’t we enforcing more defaults?” section in <A style="background-color: transparent; box-sizing: border-box; color: #146cac; text-decoration: underline;" href="#" target="_blank">this blog post</A>.)</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">&nbsp;</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">Version 79 of Chromium-based Microsoft Edge has 217 enforceable Computer Configuration policy settings and another 201 User Configuration policy settings. 
Following our streamlined approach, our recommended baseline configures a grand total of <EM style="box-sizing: border-box;">twelve</EM> Group Policy settings. You can find full documentation in the download package’s Documentation subdirectory.</P> <P style="box-sizing: border-box; color: #333333; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; margin: 0px;">&nbsp;</P> Fri, 13 Dec 2019 22:33:57 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-draft-for-chromium-based-microsoft-edge/ba-p/1066051 Aaron Margosis 2019-12-13T22:33:57Z Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093 <P>Microsoft is pleased to announce the <EM>final </EM>release of the security configuration baseline settings for Windows 10 version 1909 (a.k.a., “19H2”), and for Windows Server version 1909. Note that Windows Server version 1909 is Server Core only and does not offer a Desktop Experience (a.k.a., “full”) server installation option.</P> <P>&nbsp;</P> <P>Download the content from the <A href="#" target="_blank" rel="noopener">Microsoft Security Compliance Toolkit</A> (click Download and select “Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline.zip”).</P> <P>&nbsp;</P> <P>This new Windows Feature Update brings very few new Group Policy settings, which we list in the accompanying documentation. 
None of them meet the criteria for inclusion in the baseline (which are reiterated below), but customers interested in controlling the use of USB drives and other devices should take note of the new and very granular device installation restrictions. More about that later in this post.</P> <P>&nbsp;</P> <P>The few changes we are making in the baseline since the September update to the version 1903 baselines are to remove three settings that we have reevaluated: the restrictions on Thunderbolt devices in the BitLocker GPO, the enforcement of the default machine account password expiration for domain-joined systems, and the previously recommended Exploit Protection settings.</P> <P>&nbsp;</P> <P><EM>[Addendum]</EM>: In this baseline we have also removed the enforcement of the "Manage auditing and security log" privilege (SeSecurityPrivilege) on Domain Controllers, because when Microsoft Exchange is installed it needs to grant this privilege to the Exchange servers.</P> <P>&nbsp;</P> <P><STRONG><U>Baseline criteria</U></STRONG></P> <P><STRONG><U>&nbsp;</U></STRONG></P> <P>To reiterate, we follow a streamlined and efficient approach to baseline definition <A href="#" target="_blank" rel="noopener">when compared with the baselines we published before Windows 10</A>. 
The foundation of that approach is essentially this:</P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;">The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.</LI> <LI style="font-weight: 400;">A baseline enforces a setting only if it mitigates a contemporary security threat <EM>and</EM> does not cause operational issues that are worse than the risks it mitigates.</LI> <LI style="font-weight: 400;">A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user: <UL> <LI style="font-weight: 400;">If a non-administrator can set an insecure state, enforce the default.</LI> <LI style="font-weight: 400;">If setting an insecure state requires administrative rights, enforce the default only if it is <EM>likely</EM> that a misinformed administrator will otherwise choose poorly.</LI> </UL> </LI> </UL> <P>For further illustration, see the “Why aren’t we enforcing more defaults?” section in <A href="#" target="_blank" rel="noopener">this blog post</A>.</P> <P>&nbsp;</P> <P><STRONG><U>Thunderbolt devices</U></STRONG></P> <P><U>&nbsp;</U></P> <P>First published in 2011, <A href="#" target="_blank" rel="noopener">Microsoft Knowledge Base article 2516445</A> describes device installation restrictions for certain types of devices to mitigate DMA threats to BitLocker, including Thunderbolt devices. The BitLocker GPOs in our baselines have included these restrictions. Because Thunderbolt is popular, and newer computers can now mitigate that threat with kernel DMA protection – also in our baseline – we are removing the Thunderbolt restriction from our baseline. Customers on platforms that do not support kernel DMA protection can choose to continue blocking Thunderbolt, but we are no longer including it in our broad recommendations for all customers. 
For more information, see the KB article linked above and the articles to which it links.</P> <P>&nbsp;</P> <P><STRONG><U>Machine account password expiration</U></STRONG></P> <P><STRONG><U>&nbsp;</U></STRONG></P> <P>In Active Directory, each domain-joined computer has an Active Directory account with a strong, randomly-generated password. By default, these machine account passwords have a 30-day expiration, and computers automatically change their own passwords without any user involvement. Our baselines have always enforced these defaults. Note that reducing the expiration period will result in additional replication traffic. Also note that unlike with user account passwords, <A href="#" target="_blank" rel="noopener">AD doesn’t actually enforce password expiration for computer accounts</A>. Password expiration and change is driven entirely by client systems. The password remains valid until it gets changed, irrespective of how “Domain member: Maximum machine account password age” is configured.</P> <P>&nbsp;</P> <P>A problem that occasionally crops up is that when a domain-joined virtual machine is reverted to an earlier state that is prior to its most recent password change, the older password is no longer recognized by the domain controller, the computer has no way to authenticate to the domain, and it thus loses domain trust. Domain accounts cannot authenticate to it remotely, and interactive logon with a domain account works only if the computer has a cached credential verifier for the account and the person logging in remembers which password was used when its verifier was cached. 
Typically when this happens, a LAPS-managed local account cannot be used either, as the local account password will also have been reverted and not match the newer one stored in Active Directory.</P> <P>&nbsp;</P> <P>Non-persistent VDI implementations and devices with write filters that disallow permanent changes to the OS volume are also examples of scenarios where machine account password expiration is problematic. When such systems change their passwords in Active Directory and then revert to their previous passwords, they can no longer authenticate.</P> <P>&nbsp;</P> <P>In the absence of issues such as these, we recommend leaving the default 30-day expiration in place. But following the baseline criteria stated above, we are removing the explicit enforcement of those defaults from our baselines. Situations that necessitate disabling machine account password expiration can now be handled without being out of compliance with our baselines.</P> <P>&nbsp;</P> <P>The risks of turning off machine account password expiration are relatively low. To steal a computer account password, you must first have already gained full administrative control of the computer. Having a computer account’s password gives you only the ability to act as that computer on the network from other systems. For example, if Mary gets administrative control of CONTOSO\COMPUTER_ONE and extracts its domain account password (which is stored as an LSA secret), she can then connect to domain resources from CONTOSO\COMPUTER_TEN but pretending to be CONTOSO\COMPUTER_ONE. Default password expiration policy would limit her ability to do so to a maximum of 30 days. 
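<P>As an added illustration (not part of the baseline package or this post), the following PowerShell reads the client-side Netlogon values behind “Domain member: Maximum machine account password age” and “Domain member: Disable machine account password changes”, tests whether the secure channel still works, compares the local view with the <EM>PasswordLastSet</EM> timestamp that a domain controller holds for the computer object, and repairs the channel if it is broken. The domain controller name and the credential prompt are placeholders, and the AD query assumes the RSAT ActiveDirectory module is installed.</P>

```powershell
# Added example, not from the baseline package: inspect and repair the machine
# account password state of a domain-joined Windows member. Run elevated.
#Requires -RunAsAdministrator

# 1. Client-side policy that drives machine password changes. These registry
#    values are what the two "Domain member:" security options write.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p        = Get-ItemProperty -Path $netlogon
$maxAge   = if ($null -ne $p.MaximumPasswordAge) { $p.MaximumPasswordAge } else { 30 }  # default: 30 days
$disabled = [bool]$p.DisablePasswordChange                                              # default: 0 (changes on)
"Maximum machine account password age : $maxAge days"
"Machine account password changes     : $(if ($disabled) { 'DISABLED' } else { 'enabled' })"

# 2. Does this computer still share a valid secret with its domain? This is the
#    check that fails after a snapshot revert to before the last password change.
$trusted = Test-ComputerSecureChannel
"Secure channel to domain             : $(if ($trusted) { 'OK' } else { 'BROKEN' })"

# 3. AD-side view. pwdLastSet is only ever advanced by the client; the DC never
#    expires the password on its own, however old it is.
$dc = 'dc01.contoso.com'   # placeholder: one of your domain controllers
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct    = Get-ADComputer -Identity $env:COMPUTERNAME -Server $dc -Properties PasswordLastSet
    $ageDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    "Password last set in AD              : $($acct.PasswordLastSet) ($ageDays days ago)"
    if (-not $disabled -and $ageDays -gt $maxAge) {
        "  Note: older than MaximumPasswordAge; the client is due to rotate it at its next Netlogon check."
    }
} catch {
    "AD query skipped: $($_.Exception.Message)"
}

# 4. Repair path. Reset the computer account password in place with a domain
#    account that may reset the computer object; no disjoin/rejoin is needed.
if (-not $trusted) {
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer object'
    Test-ComputerSecureChannel -Repair -Credential $cred
    # Reset-ComputerMachinePassword -Server $dc -Credential $cred   # equivalent alternative
}
```

<P>Run it on the affected member with an elevated PowerShell session. The repair step works precisely because of the behavior described above: nothing on the AD side has expired the account, the two sides merely disagree about the secret, so resetting the password once brings them back into agreement.</P>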
However, given that she had full control of COMPUTER_ONE, she could presumably go back in and retrieve its new password, or could already have disabled password changes on it, keeping the password valid indefinitely.</P> <P>&nbsp;</P> <P><STRONG><U>Exploit Protection</U></STRONG></P> <P><STRONG><U>&nbsp;</U></STRONG></P> <P>Because of reported compatibility issues with the Exploit Protection settings that we began <A href="#" target="_blank" rel="noopener">incorporating with the Windows 10 v1709 baselines</A>, we have elected to remove the settings from the baseline and to provide a script for removing the settings from machines that have had those settings applied. (See Remove-EPBaselineSettings.ps1 in the download package’s Scripts folder.)</P> <P>&nbsp;</P> <P><STRONG><U>New device installation restrictions available</U></STRONG></P> <P><STRONG><U>&nbsp;</U></STRONG></P> <P>For many years, Windows has enabled administrators to allow or block devices such as external USB drives based on attributes such as vendor and product IDs. Windows now also enables control at a far more granular level: <A href="#" target="_blank" rel="noopener">device instance IDs</A>. For example, you could have ten identical thumb drives of the same brand, model, and capacity, pick two of them, and create a policy that allows just those to be mounted; the others would be blocked. Note that a USB device’s instance ID contains its serial number only if the device reports one; for a device that does not, Windows generates an ID that depends on the port it is plugged into (recognizable by an ampersand in the ID’s final segment), so such a device will not match a stored instance ID when it is moved to a different port.</P> <P>&nbsp;</P> <P>Because the way these settings would be configured is always specific to each customer’s situation, we don’t configure them in our baselines. But we wanted to highlight their availability as a major improvement in Windows’ device control.</P> <P>&nbsp;</P> <P>You can configure the new “Allow installation of devices that match any of these device instance IDs” and “Prevent installation of devices that match any of these device instance IDs” Group Policy settings in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. 
For more information, also see <A href="#" target="_blank" rel="noopener">How to control USB devices and other removable media using Microsoft Defender ATP</A>.</P> Thu, 21 Nov 2019 00:31:06 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093 Aaron Margosis 2019-11-21T00:31:06Z Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 78 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-draft-for-chromium-based-microsoft-edge/ba-p/949991 <P>Microsoft is pleased to announce the <EM>draft</EM> release of the recommended security configuration baseline settings for the next version of Microsoft Edge based on Chromium, version 78. Please evaluate this proposed baseline and send us your feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Baselines Discussion site</A>.</P> <P>&nbsp;</P> <P>Like all our baseline packages, the downloadable draft baseline package (attached to this blog post) includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, and all the recommended settings in spreadsheet form, as Policy Analyzer rules, and as GP Reports.</P> <P>&nbsp;</P> <P>Microsoft Edge is being <A href="#" target="_blank" rel="noopener">rebuilt with the open-source Chromium project</A>, and many of its security configuration options are inherited from that project. These Group Policy settings are entirely distinct from those for the original version of Microsoft Edge built into Windows 10: they are in different folders in the Group Policy editor and they reference different registry keys. 
The Group Policy settings that control the new version of Microsoft Edge are located under “Administrative Templates\Microsoft Edge,” while those that control the current version of Microsoft Edge remain located under “Administrative Templates\Windows Components\Microsoft Edge.” You can download the latest policy templates for the new version of Microsoft Edge from the <A href="#" target="_blank" rel="noopener">Microsoft Edge Enterprise landing page</A>. To learn more about managing the new version of Microsoft Edge, see <A href="#" target="_blank" rel="noopener">Configure Microsoft Edge for Windows</A>.</P> <P>&nbsp;</P> <P>As with our current Windows and Office security baselines, our recommendations for Microsoft Edge configuration follow a streamlined and efficient approach to baseline definition <A href="#" target="_blank" rel="noopener">when compared with the baselines we published before Windows 10</A>. The foundation of that approach is essentially this:</P> <UL> <LI>The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.</LI> <LI>A baseline enforces a setting only if it mitigates a contemporary security threat <EM>and</EM> does not cause operational issues that are worse than the risks it mitigates.</LI> <LI>A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user: <UL> <LI>If a non-administrator can set an insecure state, enforce the default.</LI> <LI>If setting an insecure state requires administrative rights, enforce the default only if it is <EM>likely</EM> that a misinformed administrator will otherwise choose poorly.</LI> </UL> </LI> </UL> <P>(For further explanation, see the “Why aren’t we enforcing more defaults?” section in <A href="#" target="_blank" rel="noopener">this blog post</A>.)</P> <P>&nbsp;</P> <P>Version 78 of Chromium-based Microsoft Edge has 205 enforceable Computer Configuration 
policy settings and another 190 User Configuration policy settings. Following our streamlined approach, our recommended baseline configures a grand total of <EM>twelve</EM> Group Policy settings. You can find full documentation in the download package’s Documentation subdirectory.</P> <P>&nbsp;</P> Fri, 25 Oct 2019 02:16:48 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-draft-for-chromium-based-microsoft-edge/ba-p/949991 Aaron Margosis 2019-10-25T02:16:48Z Security baseline (Sept2019Update) for Windows 10 v1903 and Windows Server v1903 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-sept2019update-for-windows-10-v1903-and/ba-p/890940 <P>We have updated our Windows 10 v1903 and Windows Server v1903 security configuration baseline recommendations to address some issues:</P> <UL> <LI>The first and most important change is that we are removing the Computer Configuration setting, “Enable svchost.exe mitigation options” (in System\Service Control Manager Settings\Security Settings) from the Windows 10 and Windows Server baselines at this time because of reports that in its current implementation it causes more compatibility issues than we had anticipated.</LI> <LI>We have also adjusted a few auditing settings in the Domain Controller baseline to align more closely with recommendations in the <A href="#" target="_blank" rel="noopener">Windows 10 and Windows Server 2016 security auditing and monitoring reference</A> document (also reflected&nbsp;<A href="#" target="_blank" rel="noopener">here</A>). 
Those changes are:</LI> </UL> <BLOCKQUOTE> <TABLE style="border-style: solid;"> <TBODY> <TR> <TD><FONT size="2"><EM><STRONG>Audit category</STRONG></EM></FONT></TD> <TD><FONT size="2"><EM><STRONG>Audit subcategory</STRONG></EM></FONT></TD> <TD><FONT size="2"><EM><STRONG>Was</STRONG></EM></FONT></TD> <TD><FONT size="2"><EM><STRONG>Now</STRONG></EM></FONT></TD> </TR> <TR> <TD><FONT size="2">Audit Policy\Account Logon</FONT></TD> <TD><FONT size="2">Credential Validation</FONT></TD> <TD><FONT size="2">Success and Failure</FONT></TD> <TD><FONT size="2">Failure</FONT></TD> </TR> <TR> <TD><FONT size="2">Audit Policy\Account Logon</FONT></TD> <TD><FONT size="2">Kerberos Service Ticket Operations</FONT></TD> <TD>&nbsp;</TD> <TD><FONT size="2">Failure</FONT></TD> </TR> <TR> <TD><FONT size="2">Audit Policy\DS Access</FONT></TD> <TD><FONT size="2">Directory Service Access</FONT></TD> <TD><FONT size="2">Success and Failure</FONT></TD> <TD><FONT size="2">Failure</FONT></TD> </TR> <TR> <TD><FONT size="2">Audit Policy\DS Access</FONT></TD> <TD><FONT size="2">Directory Service Changes</FONT></TD> <TD><FONT size="2">Success and Failure</FONT></TD> <TD><FONT size="2">Success</FONT></TD> </TR> </TBODY> </TABLE> </BLOCKQUOTE> <P>&nbsp;</P> <P>We have also added a Baseline-ADImport.ps1 PowerShell script to import all the baseline’s GPOs into Active Directory Group Policy, and improved other scripts, including preventing the local-policy script from running on Domain Controllers.</P> Fri, 04 Oct 2019 04:44:38 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-sept2019update-for-windows-10-v1903-and/ba-p/890940 Aaron Margosis 2019-10-04T04:44:38Z Security baseline for Office 365 ProPlus (v1908, Sept 2019) - FINAL https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-office-365-proplus-v1908-sept-2019-final/ba-p/873084 <P>Microsoft is pleased to announce the <EM>final </EM>release of the recommended 
security configuration baseline settings for Microsoft Office 365 ProPlus, version 1908. Please evaluate this proposed baseline and send us your feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Baselines Discussion site</A>.</P> <P>This baseline builds on the overhauled <A href="#" target="_blank" rel="noopener">Office baseline we released in early 2018</A>. The highlights of this baseline include:</P> <UL> <LI>Componentization of GPOs so that “challenging” settings can be added or removed as a unit.</LI> <LI>Comprehensive blocking of legacy file formats</LI> <LI>Blocking Excel from using Dynamic Data Exchange (DDE)</LI> </UL> <P>Also see the announcements at the end of this post regarding the new Security Policy Advisor and Office cloud policy services.</P> <P><STRONG>Download the content from the </STRONG><A href="#" target="_blank" rel="noopener"><STRONG>Security Compliance Toolkit</STRONG></A><STRONG>.</STRONG></P> <P>The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, a custom administrative template (ADMX) file for Group Policy settings, all the recommended settings in spreadsheet form and as Policy Analyzer rules. The recommended settings correspond with the Office 365 ProPlus administrative templates version 4909 released on September 5, 2019 that can be downloaded <A href="#" target="_blank" rel="noopener">here</A>.</P> <P><STRONG>Componentization of GPOs</STRONG></P> <P>Most organizations can implement most of the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We have broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. 
The local-policy script, Baseline-LocalInstall.ps1, offers command-line options to control whether these GPOs are installed.</P> <P>The “MSFT Office 365 ProPlus 1907” GPO set includes “Computer” and “User” GPOs that carry the “core” settings, which should be trouble free, plus the following potentially challenging GPOs, each of which is described later:</P> <UL> <LI>“Legacy File Block – User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats.</LI> <LI>“Require Macro Signing – User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.</LI> <LI>“Excel DDE Block – User” is a User Configuration GPO that blocks Excel from using DDE to search for existing DDE server processes or to start new ones.</LI> </UL> <P><STRONG>Comprehensive blocking of legacy file formats</STRONG></P> <P>In the previous Office baseline we published, we tried to end the use of legacy file formats, including all the old Office document formats such as *.doc, *.xls, and *.ppt. However, we missed some important ones. So we just went ahead and fixed the glitch.</P> <P>One of the threats of these old binary file formats is that their inherent complexity too often led to exploitable bugs in their parsers. The bigger threat is that many of these formats can include macros or other executable instructions that are easily abused. By contrast, the default Office Open XML (OOXML) document formats (*.docx, *.xlsx, *.pptx), which were first introduced with Office 2007 and are now the most commonly used, cannot carry macros at all. 
Only macro-enabled formats such as *.docm and *.xlsm support macros, and these can be filtered at the point of ingress.</P> <P>While fixing the glitch, however, we also recognized that many organizations cannot entirely end their use of legacy Office document formats, so we broke out the file-blocking settings into a separate GPO, so they can be added or removed as a cohesive unit.</P> <P><STRONG>Blocking Excel from using DDE</STRONG></P> <P>Dynamic Data Exchange (DDE) is a <EM>very</EM> old interprocess communication method that is still used in some parts of Windows and remains supported for applications to use, primarily for backward compatibility. A few years ago, malware authors began embedding specially-formed DDE references in Office documents that were sent to victims and that would run attacker-chosen code. Since then, most Office apps have disabled the use of DDE. Excel by default blocks the ability to launch arbitrary DDE servers and now also supports user-configurable settings to enable DDE server process lookup and launch. These can now be configured through Group Policy, and this baseline recommends disabling both settings. Because of the likelihood that some organizations still depend on this functionality, we have broken out “Excel DDE Block” as a separate GPO.</P> <P><STRONG>Macro signing</STRONG></P> <P>The baseline also retains the “VBA Macro Notification Settings” options from our previous baselines that require that macros embedded in Office documents be signed by a trusted publisher. We recognize that some organizations have had workflows and processes relying on such macros for a long time, and that enforcing these particular settings can cause operational issues. It can also be challenging to identify all the documents and VBA projects that need to be signed. 
We have decided at this time to move these settings into a separate GPO to make it easier to switch the settings on or off without affecting the rest of the baseline.</P> <P>Note that the “<A href="#" target="_blank" rel="noopener">Block macros from running in Office files from the Internet</A>” settings we <A href="#" target="_blank" rel="noopener">turned on in the previous baseline</A> are retained in the main GPOs and should be enforced by all security-conscious organizations.</P> <P>Also see below about how the new Security Policy Advisor service can provide tailored recommendations for VBA macro policies.</P> <P><STRONG>Other changes in the baseline</STRONG></P> <UL> <LI>“Block macros from running in Office files from the Internet” is now supported for Access, so we added it.</LI> <LI>Implemented new settings to block the opening of certain untrusted files and to open others in Protected View.</LI> <LI>Enabled the new “Macro Runtime Scan Scope” setting, which controls whether Office hands macro behavior to the Antimalware Scan Interface (AMSI) for scanning at run time.</LI> <LI>Removed the file block setting for “PowerPoint beta converters,” as Office no longer implements that block.</LI> </UL> <P><STRONG>Changes in the baseline since the draft release</STRONG></P> <P>First, thanks to everyone who took the time to evaluate our draft baseline and provide us with feedback. 
Based on your feedback, we have made several minor adjustments to the baseline since publishing <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/Security-baseline-for-Office-365-ProPlus-v1907-July-2019-DRAFT/ba-p/771308" target="_blank" rel="noopener">the draft release</A> in July:</P> <UL> <LI>Changed several User Configuration settings from “Disabled” to Enabled with specific choices, as we have found that doing so is more effective at enforcing the desired policies:</LI> </UL> <TABLE> <TBODY> <TR> <TD> <P><STRONG>Path</STRONG></P> </TD> <TD> <P><STRONG>Policy Name</STRONG></P> </TD> <TD> <P><STRONG>New value</STRONG></P> </TD> </TR> <TR> <TD> <P>Microsoft Office 2016\Security Settings</P> </TD> <TD> <P>ActiveX Control Initialization</P> </TD> <TD> <P>Enabled + 6</P> </TD> </TR> <TR> <TD> <P>Microsoft Office 2016\Security Settings</P> </TD> <TD> <P>Load Controls in Forms3</P> </TD> <TD> <P>Enabled + 1</P> </TD> </TR> <TR> <TD> <P>Microsoft Outlook 2016\Security\Security Form Settings\Attachment Security</P> </TD> <TD> <P>Remove file extensions blocked as Level 1</P> </TD> <TD> <P>Enabled + empty list of extensions</P> </TD> </TR> <TR> <TD> <P>Microsoft Outlook 2016\Security\Security Form Settings\Attachment Security</P> </TD> <TD> <P>Remove file extensions blocked as Level 2</P> </TD> <TD> <P>Enabled + empty list of extensions</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <UL> <LI>Removed the User Configuration setting, “Configure trusted add-ins” (in Microsoft Outlook 2016\Security\Security Form Settings\Programmatic Security\Trusted Add-ins) from the baseline, as we determined that it did not mitigate a contemporary security threat. In particular, the concept of “trusted” merely grants the COM add-in the ability to invoke Outlook Object Model interfaces without triggering user prompts. 
However, these add-ins can’t be installed without administrative privileges, and once installed they can also invoke more powerful Extended MAPI interfaces without triggering prompts.</LI> <LI>Removed the User Configuration setting, “Always open untrusted text-based files in Protected View” (in Microsoft Excel 2016\Excel Options\Security\Trust Center\Protected View) for the time being, as we discovered a bug in its implementation. We anticipate adding this policy control back into the baseline at a later time.</LI> <LI>Removed the User Configuration setting, “Excel 2007 and later binary workbooks” (in Microsoft Excel 2016\Excel Options\Security\Trust Center\File Block Settings) because it’s not needed to block legacy Excel file formats (unlike the similarly-titled Word policy) and it blocks use of the Personal Macro Workbook (personal.xlsb).</LI> </UL> <P><STRONG>Deploy policies from the cloud, and get tailored recommendations for specific security policies</STRONG></P> <P>In addition to being able to deploy these policies through Active Directory Group Policy or through Local Group Policy, you now have a new way to deploy user-based policies from the cloud to any Office 365 ProPlus client through the new Office cloud policy service.</P> <P>The <A href="#" target="_blank" rel="noopener">Office cloud policy service</A> allows administrators to define policies for Office 365 ProPlus and assign these policies to users via Azure Active Directory security groups. Once defined, policies are automatically enforced as users sign in and use Office 365 ProPlus. No need to be domain joined or MDM enrolled, and it works with corporate-owned devices or BYOD. 
To learn more about Office cloud policy service, check out the announcement here: <A href="#" target="_blank" rel="noopener">https://aka.ms/ocpsannouncement</A>.</P> <P>We also have a new service called <A href="#" target="_blank" rel="noopener">Security Policy Advisor</A> that can help you with deploying security policies. Security Policy Advisor can provide you with tailored recommendations for specific security policies based on how Office is used in your enterprise. For example, in most customer environments, macros are typically used in specific apps such as Excel and only by specific groups of users. Security Policy Advisor can help you identify groups of users and applications where macros can be disabled with minimal productivity impact, and optionally integrate with <A href="#" target="_blank" rel="noopener">Office 365 Advanced Threat Protection</A> to provide you information on who is being attacked. To learn more about Security Policy Advisor, check out the announcement here: <A href="#" target="_blank" rel="noopener">https://aka.ms/spaannouncement</A>.</P> Thu, 03 Oct 2019 11:42:57 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-office-365-proplus-v1908-sept-2019-final/ba-p/873084 Aaron Margosis 2019-10-03T11:42:57Z Security baseline for Office 365 ProPlus (v1907, July 2019) - DRAFT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-office-365-proplus-v1907-july-2019-draft/ba-p/771308 <P><FONT color="#FF0000"><EM>[Update, 24 September 2019: the final version of this baseline has been released and is now available as part of the <A href="#" target="_blank" rel="noopener">Security Compliance Toolkit</A>.]</EM></FONT></P> <P>&nbsp;</P> <P>Microsoft is pleased to announce the <EM>draft </EM>release of the recommended security configuration baseline settings for Microsoft Office 365 ProPlus, version 1907. 
Please evaluate this proposed baseline and send us your feedback through the <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/bd-p/Security-Baselines" target="_blank" rel="noopener">Baselines Discussion site</A>.</P> <P>&nbsp;</P> <P>This baseline builds on the overhauled <A href="#" target="_blank" rel="noopener">Office baseline we released in early 2018</A>. The highlights of this baseline include:</P> <UL> <LI>Componentization of GPOs so that “challenging” settings can be added or removed as a unit.</LI> <LI>Comprehensive blocking of legacy file formats</LI> <LI>Blocking Excel from using Dynamic Data Exchange (DDE)</LI> </UL> <P>Also see the announcements at the end of this post regarding the new Security Policy Advisor and Office cloud policy services.</P> <P>&nbsp;</P> <P>The downloadable attachment to this blog post includes importable GPOs, a script to apply the GPOs to local policy, a custom administrative template (ADMX) file for Group Policy settings, all the recommended settings in spreadsheet form and as Policy Analyzer rules. The recommended settings correspond with the Office 365 ProPlus administrative templates version 4888 released on July 17, 2019 that can be downloaded <A href="#" target="_blank" rel="noopener">here</A>. The download for the final version of this baseline will be released through the <A href="#" target="_blank" rel="noopener">Security Compliance Toolkit</A>.</P> <P>&nbsp;</P> <P><STRONG>Componentization of GPOs</STRONG></P> <P>Most organizations can implement most of the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We have broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. 
The local-policy script, BaselineLocalInstall.ps1, offers command-line options to control whether these GPOs are installed.</P> <P>The “MSFT Office 365 ProPlus 1907” GPO set includes “Computer” and “User” GPOs that represent the “core” settings, which should be trouble free, plus the following potentially challenging GPOs, each of which is described later:</P> <UL> <LI>“Legacy File Block – User” is a User Configuration GPO that prevents Office applications from loading or saving legacy file formats.</LI> <LI>“Require Macro Signing – User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.</LI> <LI>“Excel DDE Block – User” is a User Configuration GPO that blocks Excel from using DDE to search for existing DDE server processes or to start new ones.</LI> </UL> <P>&nbsp;</P> <P><STRONG>Comprehensive blocking of legacy file formats</STRONG></P> <P>In the previous Office baseline we published, we tried to end the use of legacy file formats, including all the old Office document formats such as *.doc, *.xls, and *.ppt. However, we missed some important ones. So we just went ahead and fixed the glitch.</P> <P>&nbsp;</P> <P>One of the threats of these old binary file formats is that their inherent complexity too often led to exploitable bugs in their parsers. The bigger threat is that many of these formats can include macros or other executable instructions that are easily abused. By contrast, the most commonly used Office Open XML (OOXML) document formats (*.docx, *.xlsx, *.pptx), first introduced with Office 2007, cannot contain macros at all. 
Only macro-enabled formats such as *.docm and *.xlsm support macros, and these can be filtered at the point of ingress.</P> <P>&nbsp;</P> <P>While fixing the glitch, however, we also recognized that many organizations cannot entirely end their use of legacy Office document formats, so we broke out the file-blocking settings into a separate GPO, so they can be added or removed as a cohesive unit.</P> <P>&nbsp;</P> <P><STRONG>Blocking Excel from using DDE</STRONG></P> <P>Dynamic Data Exchange (DDE) is a <EM>very</EM> old interprocess communication method that is still used in some parts of Windows and remains supported for applications to use, primarily for backward compatibility. A few years ago, malware authors began embedding specially-formed DDE references in Office documents that were sent to victims and that would run attacker-chosen code. Since then, most Office apps quietly disabled the use of DDE. Excel retained user-configurable settings to enable DDE server process lookup and launch. These can now be configured through Group Policy, and this baseline recommends disabling both settings. Because of the likelihood that some organizations still depend on this functionality, we have broken out “Excel DDE Block” as a separate GPO.</P> <P>&nbsp;</P> <P><STRONG>Macro signing</STRONG></P> <P>The baseline also retains the “VBA Macro Notification Settings” options from our previous baselines that require that macros embedded in Office documents be signed by a trusted publisher. We recognize that some organizations have had workflows and processes relying on such macros for a long time, and that enforcing these particular settings can cause operational issues. It can also be challenging to identify all the documents and VBA projects that need to be signed. 
We have decided at this time to move these settings into a separate GPO to make it easier to switch the settings on or off without affecting the rest of the baseline.</P> <P>&nbsp;</P> <P>Note that the “<A href="#" target="_blank" rel="noopener">Block macros from running in Office files from the Internet</A>” settings we <A href="#" target="_blank" rel="noopener">turned on in the previous baseline</A> are retained in the main GPOs and should be enforced by all security-conscious organizations.</P> <P>&nbsp;</P> <P>Also see below about how the new Security Policy Advisor service can provide tailored recommendations for VBA macro policies.</P> <P>&nbsp;</P> <P><STRONG>Other changes in the baseline</STRONG></P> <UL> <LI>“Block macros from running in Office files from the Internet” is now supported for Access, so we added it.</LI> <LI>Implemented new settings to block the opening of certain untrusted files and to open others in Protected View.</LI> <LI>Enabled the new “Macro Runtime Scan Scope” setting.</LI> <LI>Removed the file block setting for “PowerPoint beta converters,” as Office no longer implements that block.</LI> </UL> <P>&nbsp;</P> <P><STRONG>Deploy policies from the cloud, and get tailored recommendations for specific security policies</STRONG></P> <P>In addition to being able to deploy these policies through Active Directory Group Policy or through Local Group Policy, you now have a new way to deploy user-based policies from the cloud to any Office 365 ProPlus client through the new Office cloud policy service.</P> <P>&nbsp;</P> <P>The <A href="#" target="_blank" rel="noopener">Office cloud policy service</A> allows administrators to define policies for Office 365 ProPlus and assign these policies to users via Azure Active Directory security groups. Once defined, policies are automatically enforced as users sign in and use Office 365 ProPlus. No need to be domain joined or MDM enrolled, and it works with corporate-owned devices or BYOD. 
To learn more about Office cloud policy service, check out the announcement here: <A href="#" target="_blank" rel="noopener">https://aka.ms/ocpsannouncement</A>.</P> <P>&nbsp;</P> <P>We also have a new service in public preview called Security Policy Advisor that can help you with deploying security policies. Security Policy Advisor can provide you with tailored recommendations for specific security policies based on how Office is used in your enterprise. For example, in most customer environments, macros are typically used in specific apps such as Excel and only by specific groups of users. Security Policy Advisor can help you identify groups of users and applications where macros can be disabled with minimal productivity impact, and optionally integrate with <A href="#" target="_blank" rel="noopener">Office 365 Advanced Threat Protection</A> to provide you information on who is being attacked. To learn more about Security Policy Advisor, check out the announcement here: <A href="#" target="_blank" rel="noopener">https://aka.ms/spaannouncement</A>.</P> Tue, 24 Sep 2019 18:13:31 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-office-365-proplus-v1907-july-2019-draft/ba-p/771308 Aaron Margosis 2019-09-24T18:13:31Z Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1903-and-windows-server/ba-p/701084 <P><STRONG> First published on TechNet on May 23, 2019 </STRONG> <BR />Microsoft is pleased to announce the <EM> final </EM> release of the security configuration baseline settings for Windows 10 version 1903 (a.k.a., “19H1”), and for Windows Server version 1903. 
<BR /><BR />Download the content from the <A href="#" target="_blank" rel="noopener"> Microsoft Security Compliance Toolkit </A> (click Download and select Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline.zip). <BR /><BR />Note that Windows Server version 1903 is Server Core only and does not offer a Desktop Experience (a.k.a., “full”) server installation option. In the past we have published baselines only for “full” server releases – Windows Server 2016 and 2019. Beginning with this release we intend to publish baselines for Core-only Windows Server versions as well. However, we do not intend at this time to distinguish settings in the baseline that apply only to Desktop Experience. When applied to Server Core, those settings are inert for all intents and purposes. <BR /><BR />This new Windows Feature Update brings very few new Group Policy settings, which we list in the accompanying documentation. This baseline recommends configuring only two of those. However, we have made several changes to existing settings, including some changes since <A href="#" target="_blank" rel="noopener"> the draft version of this baseline </A> that we published last month. <BR /><BR />The changes from the Windows 10 v1809 and Windows Server 2019 baselines include: <BR /><BR /></P> <UL> <UL> <LI><STRIKE>Enabling the new “Enable svchost.exe mitigation options” policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed. 
<STRONG> <EM> Please pay special attention to this one </EM> </STRONG> as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins.</STRIKE> <FONT color="#ff0000"><STRONG>[Update 3 October 2019: we have <A href="https://gorovian.000webhostapp.com/?exam=t5/Microsoft-Security-Baselines/Security-baseline-Sept2019Update-for-Windows-10-v1903-and/ba-p/890940" target="_blank" rel="noopener">republished the baseline</A> with this setting removed.]</STRONG></FONT></LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats. We have added a setting to the custom “MS Security Guide” ADMX to enable managing this configuration setting through Group Policy.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Dropping the password-expiration policies that require periodic password changes. This change is discussed in further detail below.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Dropping the specific BitLocker drive encryption method and cipher strength settings. The baseline has been requiring the strongest available BitLocker encryption. We are removing that item for a few reasons. The default is 128-bit encryption, and our crypto experts tell us that there is no known danger of its being broken in the foreseeable future. 
On some hardware there can be noticeable performance degradation going from 128- to 256-bit. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings, as it turns out they merely enforce default behavior, as Raymond Chen describes <A href="#" target="_blank" rel="noopener"> here </A> .</LI> </UL> </UL> <P><BR /><BR />Additional changes that we have adopted since publishing the draft version of this baseline include: <BR /><BR /></P> <UL> <UL> <LI>Dropping the enforcement of the default behavior of disabling the built-in Administrator and Guest accounts. We had floated this proposal at the time of the draft baseline, and have since decided to accept it. The change is discussed in more detail below.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Dropped a Windows Defender Antivirus setting that applies only to legacy email file formats.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Changed the Windows Defender Exploit Protection XML configuration to allow Groove.exe (OneDrive for Business) to launch child processes, particularly MsoSync.exe which is necessary for file synchronization.</LI> </UL> </UL> <P><BR /><BR /><STRONG> <EM> <U> D</U></EM></STRONG><STRONG><EM><U>ropping the password expiration policies. </U> </EM> </STRONG> <BR /><BR />There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. 
When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use. <BR /><BR />Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being <A href="https://gorovian.000webhostapp.com/?exam=t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487" target="_blank" rel="noopener"> Azure AD password protection </A> ) and multi-factor authentication. While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values. <BR /><BR />This reinforces a larger important point about our baselines: while they are a solid foundation and should be <EM> part </EM> of your security strategy, they are not a <EM> complete </EM> security strategy. In this particular case, the small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management. Removing a low-value setting from our baseline and not compensating with something else in the baseline does not mean we are lowering security standards. It simply reinforces that security cannot be achieved entirely with baselines. <BR /><BR /><STRONG> <EM> Why are we removing password-expiration policies? 
</EM> </STRONG> <BR /><BR /><EM> First, to try to avoid inevitable misunderstandings, we are talking here </EM> only <EM> about removing password-expiration policies – we are not proposing changing requirements for minimum password length, history, or complexity. </EM> <BR /><BR />Periodic password expiration is a defense <EM> only </EM> against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem. <BR /><BR />If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a <EM> ridiculously long time </EM> ? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s <EM> not </EM> a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you. <BR /><BR />Our baselines are intended to be usable with minimal if any modification by most well-managed, security-conscious enterprises. They are also intended to serve as guidance for auditors. So, what should the recommended expiration period be? If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need <EM> any </EM> periodic password expiration? 
And if they haven’t implemented modern mitigations, how much protection will they <EM> really </EM> gain from password expiration? <BR /><BR />The results of baseline compliance scans are usually measured by how many settings are out of compliance: “How much red do we have on the chart?” It is not unusual for organizations during audit to treat compliance numbers as more important than real-world security. If a baseline recommends 60 days and an organization with advanced protections opts for 365 days – or no expiration at all – they will get dinged in an audit unnecessarily and might be compelled to adhere to the 60-day recommendation. <BR /><BR />Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we <EM> strongly </EM> recommend additional protections even though they cannot be expressed in our baselines. <BR /><BR /><STRONG> <EM> <U> Dropping the enforced disabling of the built-in Administrator and Guest accounts </U> </EM> </STRONG> <BR /><BR />To keep baselines useful and manageable, we tend to enforce secure defaults for policy settings only when 1) non-administrative users could otherwise override those defaults, or 2) misinformed administrators are otherwise likely to make poor choices about the setting. Neither of those conditions is true regarding enforcing the default disabling of the Administrator and Guest accounts. Note that removing these settings from the baseline does <EM> not </EM> mean that we recommend that these accounts be enabled, nor does removing these settings mean that the accounts <EM> will </EM> be enabled. 
Removing the settings from the baselines simply means that administrators can now choose to enable these accounts as needed. <BR /><BR /><STRONG> <EM> The built-in Guest account. </EM> </STRONG> The Guest account (RID -501) is disabled by default on Windows 10 and Windows Server. Only an administrator can enable the Guest account, and an admin would presumably do so only for a valid reason such as for a kiosk system. <BR /><BR /><STRONG> <EM> The built-in Administrator account. </EM> </STRONG> The local Administrator account (RID -500) is disabled by default on Windows 10 but not on Windows Server. When installing Windows 10, Windows Setup prompts you for a new account which becomes the primary administrative account for the computer. By contrast, Windows Server’s setup prompts you for a new password for the Administrator account. The main differences between the built-in -500 Administrator account (when enabled) and a custom administrative local account are 1) the -500 account is not subject to account lockout, account expiration, password expiration, or logon hours; 2) the -500 account cannot be removed from the Administrators group; and 3) that by default the -500 account always runs with full administrative rights without UAC prompts, including over the network. This third difference can be removed (as our baselines always do) by enabling the security option, “User Account Control: Admin Approval Mode for the Built-in Administrator account.” <BR /><BR />Our recommendations for administrative local accounts include: <BR /><BR /></P> <UL> <UL> <LI>You can choose not to have any administrative local accounts enabled and to administer domain-joined systems only with domain accounts.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>If you choose to use local accounts for computer administration, you should have only one administrative local account enabled per computer. 
With this change in the baseline, you can choose to use the -500 Administrator account or a custom account, according to your needs. Note that if you rely on account lockout for defense against password-guessing attacks, you should <EM> not </EM> enable the -500 account – and you should consider disabling it on Windows Server.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>The administrative local account’s password should be strong and should be different from the same account’s password on every other computer. We recommend the Local Administrator Password Solution (LAPS) or a similar tool to ensure that passwords are random and strong. LAPS can manage the password of the -500 account or a custom named local account on Active Directory domain-joined Windows clients and domain-joined member servers (but not for Domain Controllers). Note also that LAPS’ password-expiration enforcement is independent from Windows’ password-expiration mechanism, and always applies to whatever account LAPS manages.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Renaming the Administrator account is perfectly fine but is “security by obscurity.” Renaming is easy to do through Group Policy and doing so can mitigate some threats, but it’s less than a speedbump against other threats.</LI> </UL> </UL> <P>&nbsp;</P> Thu, 03 Oct 2019 11:44:33 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1903-and-windows-server/ba-p/701084 Aaron Margosis 2019-10-03T11:44:33Z Remote Use of Local Accounts: LAPS Changes Everything https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/remote-use-of-local-accounts-laps-changes-everything/ba-p/701083 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Dec 10, 2018 </STRONG> <BR /> <BR /> <BR /> <I> Long overdue post revisiting the question about whether and when to block the use of local accounts, particularly for remote administration. 
</I> <BR /> <DIV> <BR /> <P class="MsoNormal"> Beginning in 2014 with our baselines for Windows 8.1 and Windows Server 2012 R2, our security baselines have been <SPAN class="MsoHyperlink"> <A href="#" target="_blank"> blocking remote use of local accounts </A> </SPAN> . Back then, Windows had yet to offer anything resembling secure management of administrative local account credentials. It was typical for an entire organization to have an administrative local user account with the same username and password on every Windows computer. One problem with that is that the common password often becomes a well-known secret over time with no way to revoke access from anyone who ever received it. But by far the biggest problem is that an attacker with administrative rights on one machine can easily obtain the account’s password hash from the local Security Accounts Manager (SAM) database and use it to gain administrative rights over the other machines using “pass the hash” techniques. </P> <BR /> <P class="MsoNormal"> In May 2015, Microsoft released the <SPAN class="MsoHyperlink"> <A href="#" target="_blank"> Local Administrator Password Solution (LAPS) </A> </SPAN> . LAPS is an elegant and lightweight mechanism for Active Directory domain-joined systems that periodically sets each computer’s admin account password to a new random and unique value, storing the password in a secured confidential attribute on the corresponding computer object in Active Directory where only specifically-authorized users can retrieve it. </P> <BR /> <P class="MsoNormal"> LAPS changes everything. </P> <BR /> <P class="MsoNormal"> Not only does LAPS neutralize both the pass-the-hash and well-known-secret problems, it creates new opportunities for remote management. With LAPS – or in fact, with any solution that makes local account passwords unique and not guessable – using local accounts for remote computer management actually offers some advantages over using domain accounts. 
That is, they can as long as their use isn’t blocked by security policy, which is exactly what our baselines do today. </P> <BR /> <P class="MsoNormal"> It’s all about credential hygiene. Good credential hygiene means not exposing credentials on a potentially-compromised system when those credentials can be used to compromise another system. Credentials can be a plaintext password, an account’s NTLM hash, or a Kerberos TGT. Microsoft’s <SPAN class="MsoHyperlink"> <A href="#" target="_blank"> Pass the Hash whitepapers </A> </SPAN> go into detail about which remote logon types and tools expose credentials and which ones don’t. </P> <BR /> <P class="MsoNormal"> Let’s say your helpdesk technicians each have a domain account that is granted administrative rights on all workstations in the domain. User Umberto reports computer issues, so Helen helpdesk technician logs on remotely to the workstation using her privileged domain account, not realizing that the workstation has been compromised with credential theft malware. Depending on how Helen logged on, her account credentials could be stolen and the thief can now gain administrative control over all workstations. All the technicians might follow the whitepapers’ recommendations, but they must do it the right way every single time. One technician with a privileged account making one mistake just one time can lead to a domain-wide compromise. </P> <BR /> <P class="MsoNormal"> Let’s say instead of using a privileged domain account, Helen helpdesk technician retrieves the LAPS password for the workstation and uses the LAPS-managed administrative local account to log on. Credential theft is not a problem. If the thief gets the hash or even the plaintext password, it’s useful only on the computer that the thief already controls. So Helen can use whichever logon type or remote tool is most convenient for the work being performed. 
</P> <BR /> <P class="MsoNormal" style="margin-left: .5in;"> <I> <SPAN style="font-variant: small-caps;"> Note: </SPAN> One caveat about using remote desktop: do not enable drive redirection for your local volumes when connecting to a potentially-compromised system. And avoid clipboard redirection as well. This caveat applies whether you’re using a LAPS-managed account, /restrictedAdmin, or anything else. </I> </P> <BR /> <P class="MsoNormal"> If you have deployed LAPS or another local account password management solution and you want to use local accounts for the remote administration of Windows computers, you need to change three of the Computer Configuration settings that we recommend in the baselines for Windows client and Windows Server in the Member Server role. We recommend these changes only if you plan to use LAPS-managed local accounts for remote administration. Note also that the local-policy scripts included with the Windows <SPAN class="MsoHyperlink"> <A href="#" target="_blank"> 1803 </A> </SPAN> and <SPAN class="MsoHyperlink"> <A href="#" target="_blank"> 1809 </A> </SPAN> baseline packages include “Non-Domain” options that implement these same changes. 
</P> <BR /> <BR /> <TABLE border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none;"> <BR /> <TBODY> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Policy path </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> Windows Settings\Security Settings\Local Policies\User Rights Assignment </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Policy name </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> Deny access to this computer from the network </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Baseline setting </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; 
line-height: normal;"> <I> <SPAN style="font-size: 10.0pt;"> Win client </SPAN> </I> <SPAN style="font-size: 10.0pt;"> : NT AUTHORITY\Local Account </SPAN> </P> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <I> <SPAN style="font-size: 10.0pt;"> Win Server </SPAN> </I> <SPAN style="font-size: 10.0pt;"> : NT AUTHORITY\Local account and member of Administrators group </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Updated setting </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> [empty] </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> </TBODY> <BR /> </TABLE> <BR /> <BR /> <TABLE border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none;"> <BR /> <TBODY> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Policy path </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> Windows Settings\Security Settings\Local Policies\User Rights Assignment </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt;" 
valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Policy name </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> Deny log on through Remote Desktop Services </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Baseline setting </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> NT AUTHORITY\Local Account </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Updated setting </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> [empty] </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> </TBODY> <BR /> </TABLE> <BR /> <BR /> <TABLE border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" 
style="border-collapse: collapse; border: none;"> <BR /> <TBODY> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Policy path </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> Administrative Templates\MS Security Guide <I> (*) </I> </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Policy name </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> Apply UAC restrictions to local accounts on network logon </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Baseline setting </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> Enabled </SPAN> </P> <BR /> </TD> <BR /> </TR> 
<BR /> <TR> <BR /> <TD style="border: solid windowtext 1.0pt; border-top: none; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <B> <I> <SPAN style="font-size: 10.0pt;"> Updated setting </SPAN> </I> </B> </P> <BR /> </TD> <BR /> <TD style="border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt;" valign="top"> <BR /> <P class="MsoNormal" style="margin-bottom: .0001pt; line-height: normal;"> <SPAN style="font-size: 10.0pt;"> Disabled </SPAN> </P> <BR /> </TD> <BR /> </TR> <BR /> </TBODY> <BR /> </TABLE> <BR /> <P class="MsoNormal"> (*) “MS Security Guide” is a collection of custom settings that comes with the security baselines and is represented in SecGuide.admx. You can configure the updated setting directly by configuring the registry value LocalAccountTokenFilterPolicy to REG_DWORD value 1 in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. </P> <BR /> <BR /> </DIV> </BODY></HTML> Tue, 18 Jun 2019 20:16:25 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/remote-use-of-local-accounts-laps-changes-everything/ba-p/701083 Aaron Margosis 2019-06-18T20:16:25Z Security baseline (FINAL) for Windows 10 v1809 and Windows Server 2019 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Nov 20, 2018 </STRONG> <BR /> Microsoft is pleased to announce the <EM> final </EM> release of the security configuration baseline settings for Windows 10 October 2018 Update (a.k.a., version 1809, “Redstone 5” or “RS5”), and for Windows Server 2019. 
<BR /> <BR /> <STRONG> Download the content from the <A href="#" target="_blank"> Microsoft Security Compliance Toolkit </A> (click Download and select <I> Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip </I> ). </STRONG> <BR /> <BR /> The downloadable attachment to this blog post includes importable GPOs, a PowerShell script for applying the GPOs to local policy, custom ADMX files for Group Policy settings, documentation in spreadsheet form and as a set of Policy Analyzer files. In this release, we have changed the documentation layout in a few ways: <BR /> <UL> <BR /> <LI> <EM> MS Security Baseline Windows 10 v1809 and Server 2019.xlsx </EM> – multi-tabbed workbook listing all Group Policy settings that ship in-box with Windows 10 v1809 or Windows Server 2019. Columns for “Windows 10 v1809,” “WS2019 Member Server,” and “WS2019 DC” show the recommended settings for those three scenarios. A small number of cells are color-coded to indicate that the settings should not be applied to systems that are not joined to an Active Directory domain. Cells in the “WS2019 DC” columns are also highlighted when they differ from the corresponding cells in the “WS2019 Member Server” column. Another change from past spreadsheets is that we have combined tabs that used to be separate. Specifically, we are no longer breaking out Internet Explorer and Windows Defender AV settings into separate tabs, nor the settings for LAPS, MS Security Guide, and MSS (Legacy). All these settings are now in the Computer and User tabs. </LI> <BR /> <LI> A set of Policy Analyzer files: <BR /> <UL> <BR /> <LI> <EM> MSFT-Win10-v1809-RS5-WS2019-FINAL.PolicyRules </EM> – a Policy Analyzer file representing all the GPOs in the combined Windows 10 and Server 2019 baselines. </LI> <BR /> <LI> <EM> MSFT-Win10-v1809-RS5-FINAL.PolicyRules </EM> – a Policy Analyzer file representing the GPOs intended to be applied to Windows 10 v1809. 
</LI> <BR /> <LI> <EM> MSFT-WS2019-MemberServer-FINAL.PolicyRules </EM> – a Policy Analyzer file representing the GPOs intended to be applied to Windows Server 2019, Member Server. </LI> <BR /> <LI> <EM> MSFT-WS2019-DomainController-FINAL.PolicyRules </EM> – a Policy Analyzer file representing the GPOs intended to be applied to Windows Server 2019, Domain Controller. </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> <EM> BaselineDiffs-to-v1809-RS5-FINAL.xlsx </EM> – This Policy Analyzer-generated workbook lists the differences in Microsoft security configuration baselines between the new baselines and the corresponding previous baselines. The Windows 10 v1809 settings are compared against those for Windows 10 v1803, and the Windows Server 2019 baselines are compared against those for Windows Server 2016. </LI> <BR /> <LI> <EM> Windows 10 1803 to 1809 New Settings.xlsx </EM> – Lists all the settings that are available in Windows 10 v1809 that were added since Windows 10 v1803. (We used to highlight these settings in the big all-settings spreadsheets.) </LI> <BR /> <LI> <EM> Server 2016 to 2019 New Settings.xlsx </EM> – Lists all the settings that are available in Windows Server 2019 that were added since Windows Server 2016. (We used to highlight these settings in the big all-settings spreadsheets.) </LI> <BR /> </UL> <BR /> Highlights of the differences from past baselines, which are listed in BaselineDiffs-to-v1809-RS5-FINAL.xlsx: <BR /> <UL> <BR /> <LI> Added two new Attack Surface Reduction rules in Windows Defender Exploit Guard: “Block Office communication applications from creating child processes” (which includes Outlook), and “Block Adobe Reader from creating child processes.” Note that these were added since the draft release of these baselines. 
</LI> <BR /> <LI> Since the draft baseline, we removed the “Turn off printing over HTTP” setting in “Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.” This setting had been in our baselines at least as far back as Windows XP because of the mistaken belief that it distinguished between HTTP and HTTPS. Enabling this setting also disables printing over HTTPS, which breaks legitimate and necessary functionality for no security benefit. </LI> <BR /> <LI> The MS Security Guide custom setting protecting against potentially unwanted applications (PUA) has been deprecated, and is now implemented with a new setting under Computer Configuration\...\Windows Defender Antivirus. </LI> <BR /> <LI> We have enabled the “Encryption Oracle Remediation” setting we <SPAN> <A href="#" target="_blank"> had considered for v1803 </A> </SPAN> . At the time we were concerned that enabling the newly-introduced setting would break too many not-yet-patched systems. We assume that systems have since been brought up to date. (You can read information about the setting <SPAN> <A href="#" target="_blank"> here </A> </SPAN> and <SPAN> <A href="#" target="_blank"> here </A> </SPAN> .) </LI> <BR /> <LI> Changes to Virtualization-Based Security settings (used by Credential Guard and Code Integrity): <BR /> <UL> <BR /> <LI> “Platform Security Level” changed from “Secure Boot and DMA Protection” to “Secure Boot.” If system hardware doesn’t support DMA protection, selecting “Secure Boot and DMA Protection” prevents Credential Guard from operating. If you can affirm that your systems support the DMA protection feature, choose the stronger option. We have opted for “Secure Boot” (only) in the baseline to reduce the likelihood that Credential Guard fails to run. </LI> <BR /> <LI> Enabled the new System Guard Secure Launch setting which will enable Secure Launch on new capable hardware. 
Secure Launch changes the way Windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment. </LI> <BR /> <LI> <EM> Disabled </EM> the “Require UEFI Memory Attributes Table” option. This is a change from the draft release, and is intended to increase compatibility. </LI> <BR /> <LI> Removed Credential Guard from the Domain Controller baseline, while retaining the rest of the VBS settings. This is implemented in a new DC-only GPO named “MSFT Windows Server 2019 - Domain Controller Virtualization Based Security.” Note that this is a change from the draft baseline in which we had removed all VBS settings from the DC baseline. (Credential Guard is not useful on domain controllers and is not supported there.) </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> Enabled the new Kernel DMA Protection feature described <SPAN> <A href="#" target="_blank"> here </A> </SPAN> . The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. </LI> <BR /> <LI> Removed the BitLocker setting, “Allow Secure Boot for integrity validation,” as it merely enforced a default that was unlikely to be modified even by a misguided administrator. </LI> <BR /> <LI> Removed the BitLocker setting, “Configure minimum PIN length for startup,” as new hardware features reduce the need for a startup PIN, and the setting increased Windows’ minimum by only one character. </LI> <BR /> <LI> Since the draft release, we removed “Prevent users from modifying settings” from “Computer Configuration\Administrative Templates\Windows Components\Windows Security\App and browser protection,” as it merely enforced a default that non-admins could not override. 
</LI> <BR /> <LI> Enabled the new Microsoft Edge setting to prevent users from bypassing certificate error messages, bringing Edge in line with a similar setting for Internet Explorer. </LI> <BR /> <LI> Removed the block against handling PKU2U authentication requests, as the feature is increasingly necessary. </LI> <BR /> <LI> Removed the configuration of the “Create symbolic links” user rights assignment, as it merely enforced a default, was unlikely to be modified by a misguided administrator or for malicious purposes, and needs to be changed to a different value when Hyper-V is enabled. </LI> <BR /> <LI> <EM> [Update to this text, Dec 27 2018] </EM> Removed the configuration of the "Increase scheduling priority" user rights assignment, as the default is good and is unlikely to be modified by a misguided administrator or malicious actor. In addition, the Windows default recently changed and is now granted to Administrators and to "Window Manager\Window Manager Group," under which Dwm.exe processes execute. Our previous guidance was overriding the new default. </LI> <BR /> <LI> Removed the deny-logon restrictions against the Guests group as unnecessary: by default, the Guest account is the only member of the Guests group, and the Guest account is disabled. Only an administrator can enable the Guest account or add members to the Guests group. </LI> <BR /> <LI> Removed the disabling of the xbgm (“Xbox Game Monitoring”) service, as it is not present in Windows 10 v1809. (By the way, consumer services such as the Xbox services have been removed from Windows Server 2019 with Desktop Experience!) </LI> <BR /> <LI> Created and enabled a new custom MS Security Guide setting for the domain controller baseline, “Extended Protection for LDAP Authentication (Domain Controllers only),” which configures the LdapEnforceChannelBinding registry value described <SPAN> <A href="#" target="_blank"> here </A> </SPAN> . 
</LI> <BR /> <LI> The Server 2019 baselines pick up all the changes accumulated in the four Windows 10 releases since Windows Server 2016. </LI> <BR /> </UL> <BR /> We have received recommendations for more extensive changes to the baselines and are continuing to evaluate them for future releases. <BR /> <BR /> We have replaced the collection of .cmd batch files for applying the baselines to local policy with a single PowerShell script that takes one of these five command-line switches to indicate which baseline you want to apply: <BR /> <BLOCKQUOTE> <BR /> <PRE>.\BaselineLocalInstall.ps1 -Win10DomainJoined       - for Windows 10 v1809, domain-joined
.\BaselineLocalInstall.ps1 -Win10NonDomainJoined    - for Windows 10 v1809, non-domain-joined
.\BaselineLocalInstall.ps1 -WS2019Member            - for Windows Server 2019, domain-joined
.\BaselineLocalInstall.ps1 -WS2019NonDomainJoined   - for Windows Server 2019, non-domain-joined
.\BaselineLocalInstall.ps1 -WS2019DomainController  - for Windows Server 2019, domain controller</PRE> <BR /> </BLOCKQUOTE> <BR /> A couple of important notes about using the BaselineLocalInstall.ps1 script: <BR /> <UL> <BR /> <LI> PowerShell execution policy must be configured to allow script execution. You can configure this with a command line such as the following: <BR /> Set-ExecutionPolicy RemoteSigned </LI> <BR /> <LI> LGPO.exe must be in the Tools subdirectory or somewhere in the Path. LGPO.exe is part of the Security Compliance Toolkit and can be downloaded from this URL: <BR /> <SPAN> <A href="#" target="_blank"> https://www.microsoft.com/download/details.aspx?id=55319 </A> </SPAN> </LI> <BR /> </UL> <BR /> Windows 10 v1809 has greatly expanded its manageability using Mobile Device Management (MDM). 
The Intune team is preparing documentation about the Microsoft Windows MDM security baseline and how to use Intune to implement the baseline, and will publish it very soon. We will post information to this blog when that happens. </BODY></HTML> Tue, 18 Jun 2019 20:16:23 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082 Aaron Margosis 2019-06-18T20:16:23Z Security baseline for Windows 10 "April 2018 Update" (v1803) – FINAL https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-quot-april-2018-update-quot/ba-p/701078 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Apr 30, 2018 </STRONG> <BR /> Microsoft is pleased to announce the <EM> final </EM> release of the security configuration baseline settings for Windows 10 “April 2018 Update,” also known as version 1803, “Redstone 4,” or RS4. <BR /> <BR /> <STRONG> Download the content from the <A href="#" target="_blank"> Microsoft Security Compliance Toolkit </A> (click Download and select <I> Windows 10 Version 1803 Security Baseline.zip </I> ). </STRONG> <BR /> <BR /> The downloadable attachment to this blog post (which will be incorporated into the <A href="#" target="_blank"> Security Compliance Toolkit </A> shortly) includes importable GPOs, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, all the recommended settings in spreadsheet form and as a Policy Analyzer file (MSFT-Win10-v1803-RS4-FINAL.PolicyRules), and a Policy Analyzer-generated spreadsheet showing the differences from the RS3/v1709 baseline. <BR /> <BR /> The only change from <A href="#" target="_blank"> the draft version of this baseline </A> is that after discussion we have removed the recommendation to configure the “Microsoft network server: Amount of idle time required before suspending session” security option. 
Enforcing that setting does not mitigate a contemporary security threat. <BR /> <BR /> The differences between this baseline package and that for Windows 10 v1709 (a.k.a., “Fall Creators Update,” “Redstone 3”, RS3) include: <BR /> <UL> <BR /> <LI> Two scripts to apply settings to local policy: one for domain-joined systems and a separate one that removes the prohibitions on remote access for local accounts, which is particularly helpful for non-domain-joined systems, and for remote administration using LAPS-managed accounts. </LI> <BR /> <LI> Increased alignment with the Advanced Auditing recommendations in the <A href="#" target="_blank"> Windows 10 and Windows Server 2016 security auditing and monitoring reference </A> document (also reflected <A href="#" target="_blank"> here </A> ). </LI> <BR /> <LI> Updated Windows Defender Exploit Guard Exploit Protection settings (separate EP.xml file). </LI> <BR /> <LI> New Windows Defender Exploit Guard Attack Surface Reduction (ASR) mitigations. </LI> <BR /> <LI> Removed numerous settings that were determined no longer to provide mitigations against contemporary security threats. The GPO differences are listed in the “Delta RS3 to RS4 baseline.xlsx” spreadsheet in the package’s Documentation folder. (Since <A href="#" target="_blank"> the draft release </A> of the RS4 baseline, we removed one more setting: “Microsoft network server: Amount of idle time required before suspending session.”) </LI> <BR /> </UL> <BR /> After the draft baseline was released, Windows added another GPO setting that we considered adding to the baseline but ultimately decided not to configure at this time. The GPO path is Computer Configuration\Administrative Templates\System\Credentials Delegation\Encryption Oracle Remediation. You can read information about the setting <A href="#" target="_blank"> here </A> and <A href="#" target="_blank"> here </A> . 
(Note that the term “Oracle” here refers to a cryptographic concept and not to anything having to do with Oracle Corporation or its products.) While we recommend patching systems and incorporating this setting as soon as possible, we opted not to include it in the baseline for broad use in the short term because if all servers and clients aren’t patched in a timely fashion the setting will block remote desktop connections. We anticipate incorporating this setting in the next baseline that we publish. <BR /> <BR /> When we published the draft baseline for RS4, we <A href="#" target="_blank"> requested feedback </A> about replacing the firewall’s logging facility with Advanced Auditing, such as by auditing failure events for <A href="#" target="_blank"> Filtering Platform Connection </A> . At this time, we’re going to keep the baseline as it is rather than introduce more changes. But remember that the baseline is just that: a starting point. If monitoring security events works better for you than monitoring firewall logs, do so. Or if you want to use both, do so. <BR /> <BR /> Windows 10 v1803 (RS4) has greatly expanded its manageability using Mobile Device Management (MDM). However, our mapping from the baseline’s GPO settings to MDM is not ready to publish at this time. We will publish the baseline in MDM form as soon as it is ready. 
</BODY></HTML> Tue, 18 Jun 2019 20:16:21 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-quot-april-2018-update-quot/ba-p/701078 Aaron Margosis 2019-06-18T20:16:21Z Security baseline for Office 2016 and Office 365 ProPlus apps - FINAL https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-office-2016-and-office-365-proplus-apps/ba-p/701077 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Feb 13, 2018 </STRONG> <BR /> Microsoft is pleased to announce the <EM> final </EM> release of the recommended security configuration baseline settings for Microsoft Office Professional Plus 2016 and Office 365 ProPlus 2016 apps. There are no changes from the draft release we published a few weeks ago, other than minor corrections within the spreadsheet. <BR /> <BR /> Highlights of this baseline: <BR /> <UL> <BR /> <LI> Streamlined baseline </LI> <BR /> <LI> Stronger macro security </LI> <BR /> <LI> Defending against malware by blocking Flash ActiveX activation within Office documents </LI> <BR /> </UL> <BR /> <STRONG> Download the content from the <A href="#" target="_blank"> Microsoft Security Compliance Toolkit </A> (click Download and select <I> Office-2016-baseline.zip </I> ). </STRONG> <BR /> <BR /> The downloadable attachment to this blog post includes importable GPOs, scripts for applying the GPOs to local policy, a custom administrative template (ADMX) file for Group Policy settings, all the recommended settings in spreadsheet form and as Policy Analyzer rules. The recommended settings correspond with the Office 2016 administrative templates version 4639 released on December 15, 2017; we have included those ADMX and ADML files in a zip file in the package's Templates subdirectory. 
<BR /> <BR /> Instead of retaining the entire Office 2013 baseline and simply adding settings that were newly introduced in the Office 2016 GPOs, we have conducted a thorough review of all available configuration settings – as we did <A href="#" target="_blank"> beginning with the Windows 10 baselines </A> – including in the baseline only those settings that address contemporary security threats. In the process we removed over eight dozen settings that had been in previous baselines but that were determined not to advance security posture in a meaningful way, and added a handful of new settings. The result is a more streamlined, purposeful baseline that is easier to configure, deploy, and validate. <BR /> <BR /> <STRONG> Macro security </STRONG> <BR /> <BR /> Office’s support for macros remains a vital tool for enterprise automation and at the same time a vector for attack, so macro security remains an important consideration. Office 2016 introduced a new GPO setting, “ <A href="#" target="_blank"> Block macros from running in Office files from the Internet </A> ” that was also later <A href="#" target="_blank"> backported </A> to Office 2013. Enabling the setting disables macros embedded in Office documents that came from the internet, including through email from an external sender. Office displays a notification that does not give the user an option to enable the macros. This baseline enables the setting for all apps that offer it: Excel, PowerPoint, Visio, and Word. Because this setting affects only Office documents received from the Internet that contain embedded macros, we anticipate that enabling this setting should rarely if ever cause operational problems for enterprises. The settings do not affect documents that are received from the enterprise’s Intranet or Trusted Sites zones. 
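Whether a document "came from the Internet" for the purposes of this setting can be checked outside Office. The following PowerShell is an added example for this article, not part of the original post or the Office baseline package. It reads the Zone.Identifier alternate data stream that Windows attaches to downloaded files (the mark of the web) and maps the zone id to the zone names the text uses; that the block acts on the Internet and Restricted Sites zones, while Intranet and Trusted Sites documents are left alone, is the assumption encoded in the MacrosBlockedByPolicy column. It requires an NTFS volume for the stream and creates its own constructed sample files under %TEMP%.

```powershell
# Added example, not from the original post or the Office baseline package.
# Shows how "from the Internet" is decided: downloaded files carry a Zone.Identifier
# alternate data stream whose ZoneId uses the URLZONE numbering below. Assumption:
# the macro block applies to Internet (3) and Restricted Sites (4) and not to
# Local Intranet (1) or Trusted Sites (2). Requires NTFS for the stream.

$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)
    # A file with no Zone.Identifier stream carries no mark and is treated as local (zone 0).
    $zoneText = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = 0
    foreach ($line in @($zoneText)) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1]; break }
    }
    [pscustomobject]@{
        Path                  = $Path
        ZoneId                = $zoneId
        ZoneName              = if ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'Unknown' }
        MacrosBlockedByPolicy = ($zoneId -ge 3)   # assumption: Internet and Restricted Sites zones
    }
}

function New-MarkedSampleFile {
    # Constructed sample: a placeholder file tagged with the requested zone, as a browser
    # or mail client would tag a download. Not a real Office document.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][int]$ZoneId)
    Set-Content -Path $Path -Value 'placeholder content, not a real document'
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

$fromInternet = Join-Path $env:TEMP 'motw-internet-sample.docm'
$fromIntranet = Join-Path $env:TEMP 'motw-intranet-sample.docm'
New-MarkedSampleFile -Path $fromInternet -ZoneId 3
New-MarkedSampleFile -Path $fromIntranet -ZoneId 1

# Internet-zone file: ZoneId 3, MacrosBlockedByPolicy True.
# Intranet-zone file: ZoneId 1, MacrosBlockedByPolicy False (the setting does not apply).
Get-FileZone -Path $fromInternet, $fromIntranet | Format-Table -AutoSize

Remove-Item -Path $fromInternet, $fromIntranet
```

Pointing Get-FileZone at a folder of quarantined attachments is a quick way to triage which of them the setting would have stopped and which arrived without a mark (for example, after being extracted from an archive or copied from non-NTFS media), which is the case where the "VBA Macro Notification Settings" signing requirement described next still matters.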
<BR /> <BR /> The baseline also retains the “VBA Macro Notification Settings” options from our previous baselines that require that macros embedded in Office documents be signed by a trusted publisher. We recognize that some organizations have had workflows and processes relying on such macros for a long time, and that enforcing these particular settings can cause operational issues. It can also be challenging to identify all the documents and VBA projects that need to be signed. We will continue considering moving these settings into a separate GPO to make it easier to switch the settings on or off without affecting the rest of the baseline. Please let us know via the comments on this post what you think of that idea. <BR /> <BR /> <STRONG> Blocking Flash activation </STRONG> <BR /> <BR /> We have also added a setting to the custom “MS Security Guide” ADMX that prevents the Adobe Flash ActiveX control from being loaded by Office applications. Vulnerabilities in Adobe Flash are often exploited by sending the victim a Microsoft Office document that contains malformed Flash data and an OLE reference that activates Flash and passes it the malformed data, which triggers the exploit code. This setting allows you to either (1) block all activation of Flash from within Office or (2) only block activation of Flash when it is directly embedded or linked in an Office document. The baseline recommends that you block all activation as it is the safest option available but note that it can impact productivity scenarios (e.g. consuming embedded videos in PowerPoint) within your enterprise. Please test this setting within your environment to identify the appropriate level of protection that balances your security and productivity requirements. <BR /> <BR /> Office has long included a <A href="#" target="_blank"> “kill-bit” feature </A> similar to Windows’ that enables administrators to block specific controls from being activated within Office processes. 
Enabling the new setting in “MS Security Guide” configures Flash kill-bit registry values to block Flash activation in Office processes, reducing your security exposure. <BR /> <BR /> <STRONG> Other changes </STRONG> <BR /> <BR /> Although we have removed many settings from the baseline, there are a few changes to which we would like to call attention. All of these are under User Configuration\Administrative Templates. <BR /> <UL> <BR /> <LI> Microsoft Outlook 2016\Account Settings\Exchange, Authentication with Exchange Server: we are keeping this setting enabled, but changing its configuration from “Kerberos/NTLM Password Authentication” to “Kerberos Password Authentication.” We do not anticipate operational issues from strengthening this setting. Please test this change in your environments and let us know what you observe. </LI> <BR /> <LI> Microsoft Office 2016\Manage Restricted Permissions, Always require users to connect to verify permission: we are removing this setting from the baseline, but there is a security and usability tradeoff, and our finding is that the security benefit is too small for the usability degradation. The setting ensures that if someone’s access to a rights-managed document or email is revoked after they have received it, they will be blocked from opening it the next time they try. The downside is that this blocks all offline access. In our experience, this kind of revocation is far less common than the need to open rights-managed items when in airplane mode. </LI> <BR /> <LI> We have dropped the “Disable all trusted locations” Trust Center settings, but disabled two additional “Allow Trusted Locations on the network” settings that had been overlooked in past baselines for Project and Visio. </LI> <BR /> </UL> <BR /> We believe that this baseline strikes the correct balance between security and usability, but as always we welcome your feedback for opportunities to improve it. Thank you. 
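The two macro policies discussed above can be verified from PowerShell before and after the baseline GPO is applied. The following is an added example and not code from the baseline package or from Microsoft; it assumes (from Microsoft's Office Group Policy documentation rather than from this post) that the policies are stored as DWORD values named blockcontentexecutionfrominternet and vbawarnings under HKCU\Software\Policies\Microsoft\Office\16.0\&lt;App&gt;\Security, so adjust the path if your Office version differs.

```powershell
# Added example (not from the baseline package): report, for the current user,
# the "Block macros from running in Office files from the Internet" and
# "VBA Macro Notification Settings" policies for each Office 2016 app.
# ASSUMPTION (Microsoft policy documentation, not this post): values live under
# HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security
#   blockcontentexecutionfrominternet : 1 = block Internet-zone macros, no user override
#   vbawarnings : 1 = enable all, 2 = disable with notification,
#                 3 = disable all except digitally signed, 4 = disable all, no notification
function Get-OfficeMacroPolicy {
    param(
        [string[]]$Apps = @('Excel', 'PowerPoint', 'Visio', 'Word'),
        [string]$OfficeVersion = '16.0'
    )
    $vbaNames = @{ 1 = 'Enable all'; 2 = 'Disable with notification';
                   3 = 'Signed only'; 4 = 'Disable all' }

    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = $null
        if (Test-Path -Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        }
        $block = $props.blockcontentexecutionfrominternet
        $vba   = $props.vbawarnings

        $vbaText = 'Not configured'
        if ($null -ne $vba) {
            $vbaText = if ($vbaNames.ContainsKey([int]$vba)) { $vbaNames[[int]$vba] } else { "Unknown($vba)" }
        }

        [pscustomobject]@{
            Application           = $app
            PolicyKey             = $key
            InternetMacrosBlocked = ($block -eq 1)
            VbaWarnings           = $vbaText
            # Baseline intent: Internet macros blocked AND only signed macros allowed
            MatchesBaseline       = ($block -eq 1) -and ($vba -eq 3)
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Because these are User Configuration settings, run the check in the context of an ordinary user account that has received the GPO; an elevated admin session may show a different HKCU hive.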
<BR /> <BR /> </BODY></HTML> Tue, 18 Jun 2019 20:16:19 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-office-2016-and-office-365-proplus-apps/ba-p/701077 Aaron Margosis 2019-06-18T20:16:19Z Security baseline for Windows 10 “Fall Creators Update” (v1709) – FINAL https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-8220-fall-creators-update-8221/ba-p/701076 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Oct 18, 2017 </STRONG> <BR /> Microsoft is pleased to announce the <EM> final </EM> release of the recommended security configuration baseline settings for Windows 10 “Fall Creators Update,” also known as version 1709, “Redstone 3,” or RS3. There are no changes from the <A href="#" rel="noopener noreferrer" target="_blank"> draft release </A> we published a few weeks ago. <BR /> <BR /> The 1709 baseline package has been added to the <A href="#" rel="noopener noreferrer" target="_blank"> Microsoft Security Compliance Toolkit </A> . On that page, click the Download button, then select "Windows 10 Version 1709 Security Baseline.zip" and any other content you want to download. <BR /> <BR /> The 1709 baseline package includes GPOs that can be imported in Active Directory, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, and all the recommended settings in spreadsheet form. The spreadsheet also includes the corresponding settings for configuring through Windows’ Mobile Device Management (MDM). <BR /> <BR /> We're also happy to announce the revamping of the <A href="#" rel="noopener noreferrer" target="_blank"> Windows Security Baselines landing page </A> . 
<BR /> <BR /> The differences between the 1709 baseline and that for <A href="#" rel="noopener noreferrer" target="_blank"> Windows 10 v1703 </A> (a.k.a., “Creators Update,” “Redstone 2”, RS2) are: <BR /> <UL> <BR /> <LI> Implementing Attack Surface Reduction rules within Windows Defender Exploit Guard. Exploit Guard is a new feature of v1709 that helps prevent a variety of actions often used by malware. You can read more about Exploit Guard here: <A href="#" target="_blank"> Reduce attack surfaces with Windows Defender Exploit Guard </A> . Note that&nbsp;we have enabled “block” mode for all of these settings. We are continuing to watch the “Block office applications from injecting into other process” setting; if it creates compatibility problems then we might change the baseline recommendation to “audit” mode for that setting. Please let us know what you observe. </LI> <BR /> <LI> Enabling Exploit Guard’s Network Protection feature to prevent any application from accessing web sites identified as dangerous, including those hosting phishing scams and malware. This extends the type of protection offered by SmartScreen to all programs, including third-party browsers. </LI> <BR /> <LI> Enabling a new setting that prevents users from making changes to the Exploit protection settings area in the Windows Defender Security Center. </LI> <BR /> </UL> <BR /> We also recommend enabling <A href="#" target="_blank"> Windows Defender Application Guard </A> . Our testing has proven it to be a powerful defense. We would have included it in this baseline, but its configuration settings are organization-specific. <BR /> <BR /> The old Enhanced Mitigation Experience Toolkit (EMET) add-on is not supported on Windows 10 v1709. Instead, we offer Windows Defender Exploit Guard’s <A href="#" target="_blank"> Exploit Protection </A> , which is now a built-in, fully-configurable feature of Windows 10. 
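The first two bullets above (ASR rules in block mode, Network Protection enabled) can be audited on an enrolled machine with the Defender cmdlets. The following is an added example and not code from the baseline package; it uses Get-MpPreference, whose action codes (0 disabled, 1 block, 2 audit, 6 warn) and EnableNetworkProtection values are taken from the cmdlet's documentation, not from this post. Run it elevated on Windows 10 v1709 or later with Microsoft Defender Antivirus active.

```powershell
# Added example (not from the baseline package): list every Attack Surface
# Reduction rule configured on this machine with its mode, flag any rule that
# is not in Block mode, and report the Network Protection state.
function Get-ExploitGuardState {
    $pref = Get-MpPreference

    # Get-MpPreference exposes two parallel arrays: rule GUIDs and action codes.
    $ids       = @($pref.AttackSurfaceReductionRules_Ids)
    $actions   = @($pref.AttackSurfaceReductionRules_Actions)
    $modeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    $rules = for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        $mode = if ($modeNames.ContainsKey($code)) { $modeNames[$code] } else { "Unknown($code)" }
        [pscustomobject]@{ RuleId = $ids[$i]; Mode = $mode }
    }

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit
    $npCode  = [int]$pref.EnableNetworkProtection
    $npNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit' }
    $npText  = if ($npNames.ContainsKey($npCode)) { $npNames[$npCode] } else { "Unknown($npCode)" }

    [pscustomobject]@{
        AsrRules          = @($rules)
        RulesNotBlocking  = @($rules | Where-Object { $_.Mode -ne 'Block' })
        NetworkProtection = $npText
    }
}

$state = Get-ExploitGuardState
$state.AsrRules | Format-Table -AutoSize
if ($state.RulesNotBlocking.Count -gt 0) {
    Write-Warning "ASR rules not in Block mode: $($state.RulesNotBlocking.RuleId -join ', ')"
}
"Network Protection: $($state.NetworkProtection)"
```

If you decide, as the post says it may, to move the injection rule to audit while you investigate compatibility, the same cmdlet family does it: Add-MpPreference -AttackSurfaceReductionRules_Ids &lt;rule GUID&gt; -AttackSurfaceReductionRules_Actions AuditMode, with the rule GUID taken from Microsoft's ASR rule reference (it is not listed in this post).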
Exploit Protection brings the granular control you remember from EMET into a new, modern feature. Our download package includes a pre-configured, customizable XML file to help you add exploit mitigations to many common applications. You can use it as-is, or customize it for your own needs. Note that you configure the corresponding Group Policy setting by specifying the full local or server file path to the XML file. Because our baseline cannot specify a path that works for everyone, it is not included in the baseline package's GPOs – you must add it yourself. <BR /> <BR /> Thank you to the Center for Internet Security (CIS) and to everyone else who gave us feedback. </BODY></HTML> Tue, 18 Jun 2019 20:16:18 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-8220-fall-creators-update-8221/ba-p/701076 Aaron Margosis 2019-06-18T20:16:18Z Security baseline for Windows 10 “Creators Update” (v1703) – FINAL https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-8220-creators-update-8221-v1703/ba-p/701075 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Aug 30, 2017 </STRONG> <BR /> Microsoft is pleased to announce the <SPAN> </SPAN> <EM> final </EM> release of the recommended security configuration baseline settings for Windows 10 “Creators Update,” also known as version 1703, “Redstone 2,” or RS2. <SPAN> The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form </SPAN> . <BR /> <BR /> <STRONG> Download the content from the <A href="#" target="_blank"> Microsoft Security Compliance Toolkit </A> (click Download and select <I> Windows 10 Version 1703 Security Baseline.zip </I> ). 
</STRONG> <BR /> <BR /> This updated content will be incorporated into the <A href="#" rel="noopener" target="_blank"> Security Compliance Toolkit </A> shortly. (Note that the Security Compliance Manager tool <A href="#" rel="noopener" target="_blank"> has been retired </A> .) <BR /> <BR /> The differences in this baseline from <A href="#" rel="noopener" target="_blank"> the v1703 draft version </A> are: <BR /> <UL> <BR /> <LI> The security settings that disallowed&nbsp;Internet Explorer from using downloaded fonts in the Internet and Restricted Sites zones have been removed. This change in IE11 recommendations applies only to Windows 10, and is possible because of Windows 10's additional mitigations as described in the blog post, <EM> <A href="#" rel="noopener" target="_blank"> Dropping the "Untrusted Font Blocking" setting </A> </EM> . </LI> <BR /> <LI> The enforcement of the default for the User Rights Assignment, <EM> Generate security audits (SeAuditPrivilege) </EM> , has been removed.&nbsp;Enforcing the default does not mitigate contemporary security threats, and&nbsp;hampers the functionality of programs such as System Center Operations Manager (SCOM) that need to change the default. </LI> <BR /> <LI> We are enabling the setting, "Do not suggest third-party content in Windows spotlight" in&nbsp;User Configuration\Administrative Templates\Windows Components\Cloud Content. Enabling this setting is consistent with&nbsp;our having previously enabled "Turn off Microsoft consumer experiences." </LI> <BR /> </UL> <BR /> Thank you to the Center for Internet Security (CIS) and to everyone else who gave us feedback. 
<BR /> <BR /> </BODY></HTML> Tue, 18 Jun 2019 20:16:16 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-8220-creators-update-8221-v1703/ba-p/701075 Aaron Margosis 2019-06-18T20:16:16Z Disabling SMBv1 through Group Policy https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/disabling-smbv1-through-group-policy/ba-p/701069 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Jun 15, 2017 </STRONG> <BR /> Version 1 of the Server Message Block (SMB) protocol was developed in the early days of personal computer networking, and as Ned Pyle describes in his blog post, <A href="#" target="_blank"> <EM> Stop using SMB1 </EM> </A> there are many reasons to cease using it on your networks. We have added that recommendation to our baseline, and have exposed a way to do so through Group Policy editors for local or domain GPOs by adding to the custom “MS Security Guide” ADMX. That said, the <A href="#" target="_blank"> settings that need to be manipulated </A> are not a natural fit for GPO management, so you need to be careful while using it. Applying settings incorrectly can cause serious problems. <BR /> <BR /> We wanted these custom settings to work for all supported versions of Windows and to be reversible so that SMBv1 could be re-enabled if necessary. Due to the limitations of the ADMX syntax, we ended up implementing it through three separate settings: <BR /> <UL> <BR /> <LI> <STRONG> <EM> Configure SMB v1 server </EM> </STRONG> , to disable or enable server-side processing of the SMBv1 protocol. This is a simple Enabled/Disabled/Not Configured setting that controls the “SMB1” registry value in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. </LI> <BR /> <LI> <STRONG> <EM> Configure SMB v1 client driver </EM> </STRONG> , to configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). 
This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb10. Note that choosing the “Disabled” radio button <EM> deletes </EM> the “Start” value, so <STRONG> don’t do that! </STRONG> See the explain text shown in the table below if you need to restore default behavior. Note that the “Disabled” radio button is not the same thing as the dropdown value, “Disable driver (recommended).” </LI> <BR /> <LI> <STRONG> <EM> Configure SMB v1 client (extra setting…) </EM> </STRONG> , which is needed only for older Windows versions. This setting controls the “DependOnService” REG_MULTI_SZ value in HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation, which represents the service and driver dependencies of the Workstation service (internal name: LanmanWorkstation). Older versions of Windows configure LanmanWorkstation with a dependency on the SMBv1 client driver (MrxSmb10) running, which can be problematic if MrxSmb10 is disabled. So this setting enables you to configure the LanmanWorkstation service’s dependencies directly. The setting’s Explain text describes exactly what to enter into the text box. Unfortunately, there is no way for the ADMX to offer a choice of predefined REG_MULTI_SZ values. You have to type – or copy/paste – the text yourself. And here again, choosing the “Disabled” radio button deletes the DependOnService value, which <STRONG> would be very bad, so don’t do that! 
</STRONG> </LI> <BR /> </UL> <BR /> This table lists the settings and corresponding explain text from the Group Policy editor: <BR /> <TABLE cellpadding="0" cellspacing="0" style="margin-left: .5in; border-collapse: collapse;"> <BR /> <TBODY> <BR /> <TR> <BR /> <TD style="border: solid;" valign="top"> <STRONG> Setting name </STRONG> </TD> <BR /> <TD style="border: solid;" valign="top"> <STRONG> Explain text </STRONG> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid;" valign="top"> Configure SMB v1 server </TD> <BR /> <TD style="border: solid;" valign="top"> Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.) <BR /> <BR /> Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.) <BR /> <BR /> Changes to this setting require a reboot to take effect. <BR /> <BR /> For more information, see <A href="#" target="_blank"> https://support.microsoft.com/kb/2696547 </A> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid;" valign="top"> Configure SMB v1 client driver </TD> <BR /> <TD style="border: solid;" valign="top"> Configures the SMB v1 client driver's start type. <BR /> <BR /> To disable client-side processing of the SMBv1 protocol, select the "Enabled" radio button, then select "Disable driver" from the dropdown. <BR /> <BR /> WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES! <BR /> <BR /> For Windows 7 and Servers 2008, 2008R2, and 2012, you must also configure the "Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)" setting. <BR /> <BR /> To restore default SMBv1 client-side behavior, select "Enabled" and choose the correct default from the dropdown: <BR /> * "Manual start" for Windows 7 and Windows Servers 2008, 2008R2, and 2012; <BR /> * "Automatic start" for Windows 8.1 and Windows Server 2012R2 and newer. <BR /> <BR /> Changes to this setting require a reboot to take effect. 
<BR /> <BR /> For more information, see <A href="#" target="_blank"> https://support.microsoft.com/kb/2696547 </A> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD style="border: solid;" valign="top"> Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2) </TD> <BR /> <TD style="border: solid;" valign="top"> APPLIES ONLY TO: Windows 7 and Windows Servers 2008, 2008R2 and 2012 (NOT 2012R2): <BR /> <BR /> To disable client-side processing of the SMBv1 protocol (recommended), do ALL of the following: <BR /> * Set the SMBv1 client driver to "Disable driver" using the "Configure SMB v1 client driver" setting; <BR /> * Enable this setting; <BR /> * In the "Configure LanmanWorkstation dependencies" text box, enter the following three lines of text: <BR /> Bowser <BR /> MRxSmb20 <BR /> NSI <BR /> <BR /> To restore the default behavior for client-side SMBv1 protocol processing, do ALL of the following: <BR /> * Set the SMBv1 client driver to "Manual start" using the "Configure SMB v1 client driver" setting; <BR /> * Enable this setting; <BR /> * In the "Configure LanmanWorkstation dependencies" text box, enter the following four lines of text: <BR /> Bowser <BR /> MRxSmb10 <BR /> MRxSmb20 <BR /> NSI <BR /> <BR /> WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES! <BR /> <BR /> Changes to this setting require a reboot to take effect. <BR /> <BR /> For more information, see <A href="#" target="_blank"> https://support.microsoft.com/kb/2696547 </A> </TD> <BR /> </TR> <BR /> </TBODY> <BR /> </TABLE> <BR /> You can obtain the "MS Security Guide" ADMX template in the download associated with the draft baseline for Windows 10 v1703 <A href="#" target="_blank"> here </A> . Copy SecGuide.admx into your %windir%\PolicyDefinitions directory, and copy SecGuide.adml into the en-us subdirectory. 
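Because the three settings above are easy to get wrong (and the "Disabled" radio button silently deletes values), it helps to audit the underlying registry state after the GPO applies. The following is an added example, not code from the MS Security Guide ADMX or the baseline package; it reads only the registry locations named in the post and uses the standard service Start codes (2 automatic, 3 manual, 4 disabled) and the build-number boundary for Windows 8.1 / Server 2012 R2 (9600), which are assumptions from general Windows knowledge rather than from this post. Run it elevated.

```powershell
# Added example (not from the ADMX): read-only audit of the SMBv1 registry values
# the three "MS Security Guide" settings control, reporting whether each matches
# the recommended "disabled" state and whether either "Disabled radio button"
# mistake (a deleted value) has occurred.
function Get-Smb1State {
    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10'
    $wkstaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

    # SMB1 (server side): 0 = disabled (recommended); 1 or absent = enabled (default)
    $smb1  = (Get-ItemProperty -Path $serverKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # MrxSmb10 Start: 2 = automatic, 3 = manual, 4 = disabled; absent = value deleted
    $start = (Get-ItemProperty -Path $clientKey -Name Start -ErrorAction SilentlyContinue).Start
    # DependOnService (REG_MULTI_SZ): the Workstation service's dependency list
    $deps  = (Get-ItemProperty -Path $wkstaKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService

    # ASSUMPTION: builds below 9600 (pre-Win8.1 / pre-2012R2) still need the dependency edit
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $preWin81 = $build -lt 9600

    [pscustomobject]@{
        OsBuild                 = $build
        ServerSmb1Value         = $smb1
        ServerSmb1Disabled      = ($smb1 -eq 0)
        ClientDriverStart       = $start
        ClientDriverDisabled    = ($start -eq 4)
        ClientStartValueDeleted = ($null -eq $start)          # "Disabled" radio button on the client driver setting
        WorkstationDependsOn    = $deps
        DependencyListDeleted   = ($null -eq $deps)           # "Disabled" radio button on the extra setting
        StillDependsOnMRxSmb10  = ($deps -contains 'MRxSmb10')
        # Only a problem on older OS versions where LanmanWorkstation requires MRxSmb10
        DependencyFixNeeded     = $preWin81 -and ($deps -contains 'MRxSmb10') -and ($start -eq 4)
    }
}

$state = Get-Smb1State
$state | Format-List
if ($state.ClientStartValueDeleted -or $state.DependencyListDeleted) {
    Write-Warning 'A required registry value is missing; restore it per the explain text in the table above before rebooting.'
}
```

The -contains comparison on the REG_MULTI_SZ array is case-insensitive, so it matches MRxSmb10 however the dependency was typed. Values read here change only after the reboot the explain text mentions, so audit after the restart, not immediately after gpupdate.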
</BODY></HTML> Tue, 18 Jun 2019 20:16:14 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/disabling-smbv1-through-group-policy/ba-p/701069 Aaron Margosis 2019-06-18T20:16:14Z Dropping the "Untrusted Font Blocking" setting https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Jun 15, 2017 </STRONG> <BR /> With the Windows 10 v1703 security configuration baseline, Microsoft is removing the recommendation to enable the “Untrusted Font Blocking” Group Policy setting in Computer Configuration | Administrative Templates | System | Mitigation Options. Windows 10 includes additional mitigations that make this setting far less important, while blocking untrusted fonts breaks several legitimate scenarios unnecessarily. <BR /> <BR /> Parsing and rendering font data involves significant complexity, so it is not surprising that font-rendering engines have had bugs – particularly when handling font data that does not conform to expected formats. Nor is it surprising that malicious actors target these bugs with malformed font data to deliver exploit code through web pages and document files that support embedded or downloaded fonts. On versions of Windows prior to Windows 10 and Windows Server 2016, that problem has been compounded for programs that use Windows’ graphics device interface (GDI) APIs to load and render fonts. In addition to the threat of remote code execution in a compromised user-mode process, a GDI font-rendering bug can also result in kernel-mode execution and local elevation of privilege because most of GDI’s font logic was in Win32k.sys which runs in kernel mode. <BR /> <BR /> The first release of Windows 10 introduced a new Group Policy setting, “ <A href="#" target="_blank"> Untrusted Font Blocking </A> ,” that offers a powerful mitigation against attacks on GDI’s font logic. 
Our prior security baseline configuration recommendations for Windows 10 have included the enforcement of this setting. The setting enables IT admins to disallow all programs from using GDI to load and render font data from any location outside of the %windir%\Fonts directory. Only administrators can put files into the Fonts directory, so this setting keeps standard user programs from using GDI to handle fonts downloaded through web pages, embedded in Office or PDF documents, or downloaded by users. Note that this block applies only to font-rendering through GDI and not to other user-mode font-rendering engines such as DirectWrite which is used by the Microsoft Edge and Google Chrome web browsers. <BR /> <BR /> It turns out that at the same time, Windows 10 introduced a separate, always-on mitigation against GDI font-rendering bugs. However, Microsoft didn’t publicly discuss it until an August 2016 BlackHat presentation, <A href="#" target="_blank"> <EM> Windows 10 Mitigation Improvements </EM> </A> (see&nbsp;p. 34), and in a January 2017 blog post, <A href="#" target="_blank"> <EM> Hardening Windows 10 with zero-day exploit mitigations </EM> </A> (see the “Mitigating font exploits with AppContainer” section). <BR /> <BR /> With Windows 10, GDI font parsing is no longer performed in kernel mode. Instead, it is performed in a sandboxed user-mode process, fontdrvhost.exe, which executes in a highly-restricted, per-session AppContainer process under a limited-scope, system-generated virtual account. The AppContainer process is granted no Capabilities and minimal privileges. (When a process in an AppContainer requests access to a resource, the Windows security access check applies tighter rules than it does for traditional, non-AppContainer processes, granting access only if the resource explicitly grants access to it.) 
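The isolation described above is easy to confirm on a running system: each session's GDI font parser is a separate fontdrvhost.exe process under its own virtual account. The following is an added example, not code from the post; it assumes the account naming (a per-session virtual account in the Font Driver Host domain, UMFD-&lt;session&gt;) from observation of Windows 10 rather than from the text.

```powershell
# Added example (not from the post): list the fontdrvhost.exe processes with the
# session and account each one runs under, so the out-of-kernel font parsing
# described above can be verified on this machine. Elevation is needed to read
# the owner of processes in other sessions.
function Get-FontDriverHost {
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'fontdrvhost.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $account = if ($owner.ReturnValue -eq 0) {
                "$($owner.Domain)\$($owner.User)"
            } else {
                '(owner not readable; run elevated)'
            }
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                SessionId = $_.SessionId
                Account   = $account
                # ASSUMPTION: the sandbox account is named UMFD-<session>
                IsVirtualAccount = ($account -like '*\UMFD-*')
            }
        }
}

Get-FontDriverHost | Format-Table -AutoSize
```

On a Windows 10 desktop you should see at least one instance for session 0 and one for each interactive session, none of them running as SYSTEM or as the logged-on user; an instance running under a normal user account would indicate something other than the built-in isolation.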
<BR /> <BR /> One of the most visible downsides of blocking downloaded and embedded fonts is that many web sites rely on them, and blocking them can substantially diminish usability. For example, here is the MSN home page’s banner rendered in Microsoft Edge, which is not affected by the Untrusted Font Blocking setting: <BR /> <P style="padding-left: 30px;"> <IMG alt="" class="alignnone size-full wp-image-735" height="120" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/119325i02886325B9758937" width="1093" /> </P> <BR /> And here is the same banner rendered in Internet Explorer with font-blocking enabled: <BR /> <P style="padding-left: 30px;"> <IMG alt="" class="alignnone size-full wp-image-765" height="120" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/119326iF8A49AD1D4E3F307" width="1093" /> </P> <BR /> As you can see, the MSN and Bing logos are represented using downloaded fonts, as are most of the Microsoft application logos. In addition to app logos, Microsoft’s Office 365 also makes liberal use of downloaded fonts for web application graphics such as navigation aids and actions such as “delete” and “flag this message.” These screenshots show the differences: the first shows Microsoft Edge without font blocking; the second shows Internet Explorer with font blocking enforced: <BR /> <P style="padding-left: 30px;"> <IMG alt="" class="alignnone wp-image-745" height="271" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/119327i9085F2DF34BA6576" width="707" /> <IMG alt="" class="alignnone wp-image-755" height="271" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/119328iEC1C7FBD69C27452" width="707" /> </P> <BR /> With GDI font parsing performed in a restrictive AppContainer, the risk of handling untrusted fonts in GDI is now acceptably low enough that we feel confident that the costs of font-blocking exceed its benefits. 
Therefore, we are removing our previous recommendation to enable untrusted font blocking. </BODY></HTML> Tue, 18 Jun 2019 20:16:12 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068 Aaron Margosis 2019-06-18T20:16:12Z Security Compliance Manager (SCM) retired; new tools and procedures https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-compliance-manager-scm-retired-new-tools-and-procedures/ba-p/701059 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Jun 15, 2017 </STRONG> <BR /> Microsoft reluctantly announces the retirement of the Security Compliance Manager (SCM) tool. At the same time, we are reaffirming our commitment to delivering robust and useful security guidance for Windows, and tools to manage that guidance. <BR /> <BR /> Microsoft first released the Security Compliance Manager (SCM) in 2010. It was a mammoth program that combined GPO-based security configuration recommendations; Threats &amp; Countermeasures text for each setting; automatic downloading of new baselines as they are published; creating and editing custom baselines; comparing baselines; and importing and exporting, including export to GPO backup, SCCM DCM, SCAP v1.0, and Excel. However, the program’s design is incredibly complex, with an entirely separate (and incredibly complex) authoring tool to create and edit baselines in SCM’s proprietary format. The SCM tool itself needed to be updated for every Windows release, to be able to represent baselines for newer operating systems correctly even when SCM was installed on an earlier Windows version. Otherwise, baselines would not accurately represent new advanced auditing policies or new security entities such as “Local account” and “NT SERVICE” accounts, and couldn’t recognize operating system versions correctly for import and export. 
In addition, SCM is designed for GPO management and would require a massive overhaul to be able to handle Desired State Configuration (DSC) or Mobile Device Management (MDM). In short, SCM has become too inflexible and unwieldy to continue investing in it, particularly with other alternatives at hand. We will continue to publish security baselines, but not in the .cab file format used by SCM. <BR /> <BR /> Beginning with the baselines for Windows 8.1, Windows Server 2012R2, and Internet Explorer 11, we have been publishing baselines through this blog site in lightweight .zip files containing GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. We will continue to deliver security configuration guidance in that format. The GPO backups can be imported directly into Active Directory Group Policy along with corresponding WMI filters to apply policies to the correct machines. To take the place of SCM’s offline GPO-editing abilities, consider standing up an otherwise non-functional domain controller, importing Group Policy (.ADMX) templates as needed. To compare GPOs or to export to Excel, take a look at Policy Analyzer, which has much richer abilities in both areas than SCM had. We had previously retired the LocalGPO.wsf tool that had shipped with SCM and replaced it with the more-functional LGPO. Note that both tools have recently been updated and are now part of the new “Security Compliance Toolkit” which you can download <A href="#" target="_blank"> here </A> . <BR /> <BR /> We recognize that the new tool set does not currently include support for DCM or SCAP and we will try to fill that gap. Meanwhile, though, the PowerShell-based Desired State Configuration (DSC) is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs to DSC and to validate system configuration. 
Examples: <BR /> <UL> <BR /> <LI> BaselineManagement module: <A href="#" target="_blank"> https://github.com/Microsoft/BaselineManagement </A> </LI> <BR /> <LI> DSC Environment Analyzer (DSCEA) announcement: <A href="#" target="_blank"> https://blogs.technet.microsoft.com/ralphkyttle/2017/03/21/introducing-dscea/ </A> </LI> <BR /> <LI> DSCEA repository: <A href="#" target="_blank"> https://github.com/Microsoft/DSCEA </A> </LI> <BR /> </UL> <BR /> Continue monitoring this blog site for additional announcements ( <A href="#" target="_blank"> https://blogs.technet.microsoft.com/secguide/ </A> ). </BODY></HTML> Tue, 18 Jun 2019 20:15:42 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-compliance-manager-scm-retired-new-tools-and-procedures/ba-p/701059 Aaron Margosis 2019-06-18T20:15:42Z Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/guidance-on-disabling-system-services-on-windows-server-2016/ba-p/701058 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on May 29, 2017 </STRONG> <BR /> <EM> [Primary authors: Dan Simon and Nir Ben Zvi] </EM> <BR /> <BR /> <SPAN style="color: #ff0000;"> <EM> [Note that this guidance applies only to Windows Server 2016 with Desktop Experience. It does not need to be applied to Windows Server 2019.] </EM> </SPAN> <BR /> <BR /> The Windows operating system includes many system services that provide important functionality.&nbsp; Different services have different default startup policies:&nbsp; some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run.&nbsp; These defaults were chosen carefully for each service to balance performance, functionality and security for typical customers. 
<BR /> <BR /> However, some enterprise customers may prefer a more security-focused balance for their Windows PCs and servers—one that reduces their attack surface to the absolute minimum—and may therefore wish to fully disable all services that are not needed in their specific environments.&nbsp; For those customers, Microsoft is providing the accompanying guidance regarding which services can safely be disabled for this purpose. <BR /> <BR /> The guidance is for Windows Server 2016 with Desktop Experience (unless used as a desktop replacement for end users). Each service on the system is categorized as follows: <BR /> <UL> <BR /> <LI> <STRONG> Should Disable </STRONG> : A security-focused enterprise will most likely prefer to disable this service and forgo its functionality (see additional details below). </LI> <BR /> <LI> <STRONG> OK to Disable </STRONG> : This service provides functionality that is useful to some but not all enterprises, and security-focused enterprises that don’t use it can safely disable it. </LI> <BR /> <LI> <STRONG> Do Not Disable </STRONG> : Disabling this service will impact essential functionality or prevent specific roles/features from functioning correctly. It therefore should not be disabled. </LI> <BR /> <LI> <STRONG> (No guidance) </STRONG> : These services should not be disabled. </LI> <BR /> </UL> <BR /> Customers can configure their Windows PCs and servers to disable selected services using the Security Templates in their Group Policies or using PowerShell automation.&nbsp; In some cases, the guidance includes specific Group Policy settings that disable the service’s functionality directly, as an alternative to disabling the service itself. 
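For the PowerShell-automation route mentioned above, the two Xbox Live services and two XblGameSave scheduled tasks that the guidance below recommends disabling can be handled in one function. The following is an added example and not a script from the guidance spreadsheet; the services are located by the display names the guidance gives and the tasks by the task paths it gives, and no other names are assumed. Run it elevated on Windows Server 2016 with Desktop Experience.

```powershell
# Added example (not from the guidance): stop and disable the recommended services,
# disable the recommended scheduled tasks, and return the resulting state of each.
function Disable-XboxLiveComponents {
    param(
        [string[]]$ServiceDisplayNames = @('Xbox Live Auth Manager', 'Xbox Live Game Save'),
        [string[]]$TaskPaths = @('\Microsoft\XblGameSave\XblGameSaveTask',
                                 '\Microsoft\XblGameSave\XblGameSaveTaskLogon')
    )

    foreach ($display in $ServiceDisplayNames) {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{ Item = $display; Type = 'Service'; Result = 'Not present' }
            continue
        }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
        $after = Get-Service -Name $svc.Name
        [pscustomobject]@{
            Item   = $display
            Type   = 'Service'
            Result = "StartType=$($after.StartType); Status=$($after.Status)"
        }
    }

    foreach ($full in $TaskPaths) {
        # Get-ScheduledTask wants the folder with a trailing backslash and the name separately
        $folder = (Split-Path -Path $full -Parent) + '\'
        $name   = Split-Path -Path $full -Leaf
        $task = Get-ScheduledTask -TaskPath $folder -TaskName $name -ErrorAction SilentlyContinue
        if ($null -eq $task) {
            [pscustomobject]@{ Item = $full; Type = 'Task'; Result = 'Not present' }
            continue
        }
        $disabled = Disable-ScheduledTask -InputObject $task
        [pscustomobject]@{ Item = $full; Type = 'Task'; Result = "State=$($disabled.State)" }
    }
}

Disable-XboxLiveComponents | Format-Table -AutoSize
```

The function returns one object per item rather than writing to the console, so the same call can feed a compliance report across many servers (for example through Invoke-Command). Re-running it is harmless: already-disabled items are reported again in their current state.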
<BR /> <BR /> We recommend that customers disable the following services and their respective scheduled tasks on Windows Server 2016 with Desktop Experience: <BR /> <BR /> <U> Services: </U> <BR /> <OL> <BR /> <LI> Xbox Live Auth Manager </LI> <BR /> <LI> Xbox Live Game Save </LI> <BR /> </OL> <BR /> <U> Scheduled tasks: </U> <BR /> <OL> <BR /> <LI> \Microsoft\XblGameSave\XblGameSaveTask </LI> <BR /> <LI> \Microsoft\XblGameSave\XblGameSaveTaskLogon </LI> <BR /> </OL> <BR /> <SPAN style="color: #ff0000;"> <EM> <STRONG> Download this&nbsp;spreadsheet for more information: </STRONG> </EM> </SPAN> <STRONG> <U> <A href="#" target="_blank"> Service-management-WS2016.xlsx </A> </U> </STRONG> </BODY></HTML> Tue, 18 Jun 2019 20:15:40 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/guidance-on-disabling-system-services-on-windows-server-2016/ba-p/701058 Aaron Margosis 2019-06-18T20:15:40Z Security baseline for Windows 10 v1607 (“Anniversary Update”) and Windows Server 2016 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-v1607-8220-anniversary-update/ba-p/701057 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Oct 17, 2016 </STRONG> <BR /> Microsoft is pleased to announce the release of the security configuration baseline settings for Windows 10 version 1607, also known as “Anniversary Update” and internally as “Redstone 1”. The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs, custom ADMX files for “pass the hash” mitigation and legacy MSS settings, and all the settings in spreadsheet form. It also includes spreadsheets generated from Policy Analyzer that show differences from past baselines and brief descriptions of the reasons for the differences, and a similar spreadsheet listing the differences between the Member Server and Domain Controller baselines. 
<BR /> <BR /> <STRONG> Download the content from the <A href="#" target="_blank"> Microsoft Security Compliance Toolkit </A> (click Download and select <I> Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip </I> ). </STRONG> <BR /> <BR /> The .CAB files corresponding to these baselines for the Security Compliance Manager (SCM) are being worked on and should be available for download through SCM by the end of October. In the meantime, the downloadable materials on this blog post should provide most everything you need to move forward. We are also preparing an updated version of Policy Analyzer and hope to publish it soon. <SPAN style="color: #ff0000;"> [ <STRONG> Update, 17-Nov-2016 </STRONG> : the SCM CAB files corresponding to these baselines are now published. Install and start <A href="#" rel="noopener" target="_blank"> SCM v4.0 </A> on an internet-connected system: it will notify you that the new baselines are available if it is configured to check for updates automatically, or you can select "Check for updates" from the File menu.] </SPAN> <BR /> <BR /> The main changes in the Windows 10 v1607 baseline since that for Windows 10 v1511 include: <BR /> <UL> <BR /> <LI> Windows Defender is recommended for enterprise use and important Defender settings are now part of the Windows baseline. </LI> <BR /> <LI> Enforcing the blocking of use of SSL 3.0 and out-of-date ActiveX controls in Internet Explorer. </LI> <BR /> <LI> Disabling the Mobile Hotspot feature, which non-admins could otherwise enable. </LI> <BR /> <LI> Improvements in auditing settings. </LI> <BR /> <LI> Change in User Rights Assignment so that administrators can choose to enable Remote Desktop. </LI> <BR /> <LI> Continued removing unnecessary enforcement of defaults, consistent with our previously-documented philosophy. 
</LI> <BR /> </UL> <BR /> In addition to those, the Windows Server 2016 Member Server baseline removes settings for the Microsoft Edge browser that were in the Windows Server 2016 Technical Preview 5 baseline, as Microsoft Edge is no longer present in Windows Server. <BR /> <BR /> To assist with evaluation, we have&nbsp;built spreadsheets listing differences between the latest baselines and previous baselines, along with explanations for the differences. <B> <A href="#" target="_blank"> Download here </A> </B> . The&nbsp;spreadsheets with "Raw" in the file name include detailed information about the differences; the ones with "Explanation" in the file name remove detailed columns such as raw registry value and data type, and add a "Reason for difference" column. The differences captured are between: <BR /> <UL> <BR /> <LI> Windows 10 v1511 (TH2) to Windows 10 v1607 (RS1) </LI> <BR /> <LI> Windows Server 2012 R2 to Windows Server 2016 - Member Server </LI> <BR /> <LI> Windows Server 2012 R2 to Windows Server 2016 - Domain Controller </LI> <BR /> <LI> Windows Server 2016 TP5 to Windows Server 2016 RTM - Member Server </LI> <BR /> <LI> Windows Server 2016 Member Server to Domain Controller </LI> <BR /> </UL> <BR /> For those who have used the Local_Script tools in the download packages for previous baselines, we’ve changed their implementation. We used to copy GPO artifacts such as registry.pol files into the Local_Script directory and rename them. This time, the scripts reference the GPO files in their original locations. Because all GPO backup directory names are GUIDs, it can be difficult to identify which GUID is associated with which GPO. To help, we have added a simple PowerShell script that maps the GUIDs in a GPO backup directory hierarchy to the corresponding GPO names. 
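<BR /> <BR /> <P> The GUID-to-name mapping described above, as an added PowerShell example (this is not the script shipped in the baseline download): each GPO backup directory contains a bkupInfo.xml whose GPODisplayName element records the GPO's display name, so walking the {GUID} directories and reading that element yields the mapping. The BackupRoot path is an assumption; point it at the folder that holds the {GUID} backup directories. </P>

```powershell
# Added example, not the script shipped with the baseline download: map the {GUID}
# directories of a GPO backup hierarchy to GPO display names by reading each backup's
# bkupInfo.xml, which stores the name in its GPODisplayName element.
param(
    # Assumed path: the folder holding the {GUID} backup directories, for example the
    # GPOs folder extracted from the baseline zip.
    [Parameter(Mandatory = $true)]
    [string]$BackupRoot
)

function Get-GpoBackupNames {
    param([Parameter(Mandatory = $true)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Directory -Recurse |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$' } |
        ForEach-Object {
            $infoFile = Join-Path $_.FullName 'bkupInfo.xml'
            if (-not (Test-Path -LiteralPath $infoFile)) {
                # A GUID-named folder without bkupInfo.xml is not a GPO backup; report it
                # rather than silently skipping it.
                [pscustomobject]@{ Guid = $_.Name; GpoName = '<no bkupInfo.xml>'; Path = $_.FullName }
                return
            }
            [xml]$info = Get-Content -LiteralPath $infoFile -Raw
            # GPODisplayName is stored as CDATA; InnerText returns the name itself.
            [pscustomobject]@{
                Guid    = $_.Name
                GpoName = $info.BackupInst.GPODisplayName.InnerText.Trim()
                Path    = $_.FullName
            }
        }
}

Get-GpoBackupNames -Root $BackupRoot | Sort-Object GpoName | Format-Table -AutoSize
```

<P> Run it as <I> .\Map-GpoBackupNames.ps1 -BackupRoot .\GPOs </I> (script name assumed). Because it only reads files, it needs no administrative rights, and the table it prints is what you need to pick the right GUID directory when handing individual backups to LGPO.exe. </P>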
This screenshot demonstrates: <BR /> <BR /> <IMG alt="blog post - v1607 - screenshot" class="alignnone size-full wp-image-605" height="648" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/119324i1BB7B1173855C356" width="917" /> </BODY></HTML> Tue, 18 Jun 2019 20:15:38 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-v1607-8220-anniversary-update/ba-p/701057 Aaron Margosis 2019-06-18T20:15:38Z The MSS settings https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/the-mss-settings/ba-p/701055 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Oct 02, 2016 </STRONG> <BR /> <SPAN style="font-size: large;"> <STRONG> You can download the custom Administrative Template for the "MSS (Legacy)" settings here: </STRONG> </SPAN> <STRONG> <A href="#" target="_blank"> MSS-legacy </A> </STRONG> . Note that it is available only for "en-us"&nbsp;(US English). <BR /> <BR /> Explanation: <BR /> <BR /> Many years ago, before the advent of Trustworthy Computing, some Microsoft security experts identified about 20 Windows registry values (many or perhaps all of which were undocumented at the time) that could be tweaked for what was then perceived to be significant security gain. For manageability, they developed a script that added these entries to the local security settings editor with descriptive names prefixed with "MSS:" as seen in the screenshot below. [Historical note: I believe they landed there because these tweaks predated Windows 2000, Group Policy, and Administrative Templates.] 
<BR /> <BLOCKQUOTE> <IMG alt="MSS settings in Security Options" class="alignnone size-full wp-image-575" height="572" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/119322i992EB5E7B6DFA58E" width="710" /> </BLOCKQUOTE> <BR /> <BR /> <BR /> Many of the settings remained part of our security configuration guidance until our <A href="#" target="_blank"> "reset" </A> with the Windows 10 recommendations. As part of the reset, we also created a custom ADMX and ADML and moved the settings from the Security Options section of the policy editor to Administrative Templates, as shown in this screenshot: <BR /> <BLOCKQUOTE> <IMG alt="MSS Settings in Administrative Templates" class="alignnone size-full wp-image-585" height="615" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/119323iEB05B771C584A386" width="887" /> </BLOCKQUOTE> <BR /> <BR /> <BR /> We did this because adding them to Security Options relied on a technique that is no longer supportable. The script that had added them to the security editor did so in part by modifying %windir%\inf\sceregvl.inf, a text file. With the introduction of service identities in Windows Vista and Windows Server 2008, Windows configured many OS-owned resources as read-only to everyone except the TrustedInstaller service. When a resource is configured this way, Windows explicitly tells you that even if you're an administrator, modifying the resource is unsupported. Sceregvl.inf is one of those resources, so the script was updated to take ownership and change the permissions of the file so that the script could edit its content. <BR /> <BR /> The new custom ADMX and ADML files reference the same registry settings as the older script, but in a manner that is supportable. We have included these files in the download packages with our Windows 10 and Windows Server 2016 baselines, and offer them here separately for your convenience. 
Note that our baselines&nbsp;no longer include recommendations to configure many of the MSS settings we had recommended in the past, as they have no security value against contemporary threats. The few that are still configured in our baseline have limited benefit at most. </BODY></HTML> Tue, 18 Jun 2019 20:15:29 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/the-mss-settings/ba-p/701055 Aaron Margosis 2019-06-18T20:15:29Z LGPO.exe v2.0 PRE-RELEASE: support for MLGPO and REG_QWORD https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/lgpo-exe-v2-0-pre-release-support-for-mlgpo-and-reg-qword/ba-p/701052 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Sep 23, 2016 </STRONG> <BR /> LGPO.exe is a&nbsp;command-line utility to automate the management of local group policy objects (LGPO). <A href="#" target="_blank"> Version 1.0 </A> was released last January. The <EM> <STRONG> PRE-RELEASE </STRONG> </EM> LGPO.exe v2.0 is attached to this blog post, and adds support for Multiple Local Group Policy Objects (MLGPO) and 64-bit REG_QWORD registry values. It also adds support for <STRONG> /e </STRONG> mnemonic options&nbsp;to enable the GP client side extensions for LAPS, Credential Guard, and Device Guard. <BR /> <BR /> Full details are in the LGPO.pdf in the download. For more information about MLGPO, please review this: <A href="#" target="_blank"> Step-by-Step Guide to Managing Multiple Local Group Policy Objects </A> . <BR /> <BR /> If these new features are valuable to you, please test them in your environments and let us know through the comments on this blog post how well it meets your needs. <BR /> <BR /> Thanks. <BR /> <BR /> <SPAN style="color: #ff0000;"> [Update: the latest version of LGPO.exe is <A href="#" target="_blank"> here </A> .] 
</SPAN> </BODY></HTML> Tue, 18 Jun 2019 20:15:12 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/lgpo-exe-v2-0-pre-release-support-for-mlgpo-and-reg-qword/ba-p/701052 Aaron Margosis 2019-06-18T20:15:12Z Security baseline for Windows 10 (v1511, "Threshold 2") -- FINAL https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-v1511-quot-threshold-2-quot/ba-p/701051 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Jan 22, 2016 </STRONG> <BR /> <P> Microsoft is pleased to announce the <EM> final </EM> release of the security configuration baseline settings for Windows 10 version 1511, also known as "November Update," "Build 10586," "Threshold 2," or "TH2." The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will also be publishing SCM .CAB files for this Windows 10 baseline shortly, and will announce their availability on the Security Guidance blog. (Note that we will not be providing updated SCM .CAB files for the IE11 guidance. For that content, see the attachment on this blog post.) </P> <BR /> <P> These are the&nbsp;updates we have made since the draft release in November, following continuing discussions with security experts in Microsoft, the Center for Internet Security, and customers: </P> <BR /> <UL> <BR /> <LI> Enabled "Turn off Microsoft consumer experiences," which is a new setting&nbsp;as of&nbsp;version 1511. </LI> <BR /> <LI> Removed configuration of "Allow unicast response" from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is miniscule. </LI> <BR /> <LI> Removed the restrictions on the number of cached logons. 
Cached logon verifiers are difficult to break, particularly&nbsp;on Windows Vista and newer. (The DISA STIG has also removed this restriction.) </LI> <BR /> <LI> Removed the screen saver timeout from User configuration, as the computer-wide "Interactive logon: Machine inactivity limit" setting removes that need. </LI> <BR /> <LI> Removed all EMET settings from the baseline <EM> for the time being </EM> . Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta. </LI> <BR /> <LI> Removed the configuration setting for "Recovery console: Allow automatic administrative logon." This setting has been obsolete since Windows XP and its removal just got missed until now. </LI> <BR /> </UL> <BR /> <P> </P> <BR /> <P> <A href="#" original-url="http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-4062-00-00-03-65-94-81/Windows-10-TH2-Security-Baseline.zip" target="_blank"> Windows 10 TH2 Security Baseline.zip </A> </P> </BODY></HTML> Tue, 18 Jun 2019 20:15:09 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-v1511-quot-threshold-2-quot/ba-p/701051 Aaron Margosis 2019-06-18T20:15:09Z Security baseline for Windows 10 (v1507, build 10240, TH1, LTSB) -- UPDATE https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb/ba-p/701050 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Jan 22, 2016 </STRONG> <BR /> <P> Based on continuing discussions with&nbsp;security experts in Microsoft, the Center for Internet Security, and customers, we are publishing a few changes to the security configuration baseline recommendations for Windows 10, version 1507. Version 1507 was the original RTM release of Windows 10, and is also known as "Build 10240," "Threshold 1," or "TH1." 
Version 1507 is also the current Long Term Servicing Branch (LTSB) build, which is the primary reason for continuing to update the baseline for this version. Those who are not relying on the LTSB track should have already updated to version 1511. Note that we are simultaneously releasing final guidance for version 1511, also known as "November Update," "Build 10586," "Threshold 2," or "TH2." </P> <BR /> <P> These are the&nbsp;updates we have made: </P> <BR /> <UL> <BR /> <LI> Removed configuration of "Allow unicast response" from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is miniscule. </LI> <BR /> <LI> Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly&nbsp;on Windows Vista and newer. (The DISA STIG has also removed this restriction.) </LI> <BR /> <LI> Removed the screen saver timeout from User configuration, as the computer-wide "Interactive logon: Machine inactivity limit" setting removes that need. </LI> <BR /> <LI> Removed all EMET settings from the baseline <EM> for the time being </EM> . Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta. </LI> <BR /> <LI> Removed the configuration setting for "Recovery console: Allow automatic administrative logon." This setting has been obsolete since Windows XP and its removal just got missed until now. </LI> <BR /> </UL> <BR /> <P> This specific baseline will be delivered only through the downloadable attachment to this blog post. The attachment includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will not be publishing SCM .CAB files for this baseline, as we are focusing our SCM resources on the “Threshold 2” release. 
</P> <BR /> <P> <A href="#" original-url="http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-4062-00-00-03-65-94-82/Windows-10-Security-Baseline.zip" target="_blank"> Windows 10 Security Baseline.zip </A> </P> </BODY></HTML> Tue, 18 Jun 2019 20:15:07 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb/ba-p/701050 Aaron Margosis 2019-06-18T20:15:07Z New tool: Policy Analyzer https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/new-tool-policy-analyzer/ba-p/701049 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Jan 22, 2016 </STRONG> <BR /> Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings and against local registry settings. And you can export its findings to a Microsoft Excel spreadsheet. <BR /> <BR /> Policy Analyzer lets you treat a set of GPOs as a single unit.&nbsp; This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values.&nbsp; It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. <BR /> <BR /> For example, the US Government Configuration Baseline (USGCB) for Windows 7 includes seven different GPOs.&nbsp; Policy Analyzer can treat them as a single set, and show all the differences between them and the Microsoft recommended baselines for Windows 10 and Internet Explorer 11 with a single comparison.&nbsp; You can also use it to verify changes that were made to your production GPOs. 
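<BR /> <BR /> <P> One of the comparisons Policy Analyzer performs, a GPO's settings against the local registry, reproduced as an added PowerShell example (this is not Policy Analyzer's own code): it parses the registry.pol "PReg" file format that Group Policy uses, then checks each machine-scope entry against HKLM and reports Match, Conflict or Absent, the same three outcomes the screenshot below highlights. The registry.pol path in the usage line is an assumption; the script only reads the file and the registry, so it needs no administrative rights. </P>

```powershell
# Added example, not Policy Analyzer's code: parse a registry.pol (PReg) file and compare
# each entry with the live registry. Read-only; no administrative rights required.

function Read-RegistryPol {
    param([Parameter(Mandatory = $true)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "Not a registry.pol file: $Path"
    }
    $u16 = [System.Text.Encoding]::Unicode
    $i = 8    # skip the 'PReg' signature and the 4-byte version field

    # Each entry is [key;valueName;type;size;data]; the brackets and semicolons are UTF-16LE
    # characters, and key and valueName are NUL-terminated UTF-16LE strings.
    while ($i -lt $b.Length) {
        if ($u16.GetString($b, $i, 2) -ne '[') { throw "Malformed entry at byte offset $i" }
        $i += 2
        $strings = foreach ($field in 1..2) {
            $start = $i
            while (-not ($b[$i] -eq 0 -and $b[$i + 1] -eq 0)) { $i += 2 }
            $u16.GetString($b, $start, $i - $start)
            $i += 4    # NUL terminator plus the ';' delimiter
        }
        $type = [BitConverter]::ToUInt32($b, $i); $i += 6        # type DWORD plus ';'
        $size = [int][BitConverter]::ToUInt32($b, $i); $i += 6   # size DWORD plus ';'
        $data = if ($size -gt 0) { [byte[]]$b[$i..($i + $size - 1)] } else { [byte[]]@() }
        $i += $size + 2   # data plus the closing ']'

        $value = switch ($type) {
            1  { $u16.GetString($data).TrimEnd([char]0) }                         # REG_SZ
            2  { $u16.GetString($data).TrimEnd([char]0) }                         # REG_EXPAND_SZ
            4  { [BitConverter]::ToUInt32($data, 0) }                             # REG_DWORD
            7  { $u16.GetString($data).TrimEnd([char]0) -split "`0" }             # REG_MULTI_SZ
            11 { [BitConverter]::ToUInt64($data, 0) }                             # REG_QWORD
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }   # REG_BINARY etc. as hex
        }
        [pscustomobject]@{ Key = $strings[0]; Name = $strings[1]; Type = $type; Data = $value }
    }
}

function Compare-RegistryPolWithLocal {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Hive = 'HKLM'   # keys in registry.pol are hive-relative; a Machine file maps to HKLM
    )
    foreach ($e in Read-RegistryPol -Path $Path) {
        # Names starting with ** are Group Policy directives (**DeleteValues, **Del., ...), not values.
        if ($e.Name.StartsWith('**')) { continue }
        $regPath = "${Hive}:\$($e.Key)"
        $actual = $null
        $status = 'Absent'
        if ($e.Name -and (Test-Path -LiteralPath $regPath)) {
            $prop = Get-ItemProperty -LiteralPath $regPath -Name $e.Name -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                $actual = $prop.($e.Name)
                # String comparison keeps the example short; multi-string values compare joined by spaces.
                $status = if ("$actual" -eq "$($e.Data)") { 'Match' } else { 'Conflict' }
            }
        }
        [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Expected = $e.Data; Actual = $actual; Status = $status }
    }
}

# Usage (assumed path): the Machine-scope registry.pol inside a GPO backup from the baseline download.
Compare-RegistryPolWithLocal -Path '.\{GUID}\DomainSysvol\GPO\Machine\registry.pol' |
    Where-Object Status -ne 'Match' | Format-Table -AutoSize
```

<P> For a User-scope registry.pol, pass <I> -Hive HKCU </I> to compare against the current user's hive. Rows reported as Absent are settings the GPO would configure that the local registry does not currently carry; Conflict rows are the ones worth investigating before you import the GPO. </P>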
<BR /> <BR /> The following screenshot shows two baselines compared with each other and to corresponding registry values on the local system. The lower pane displays the Group Policy setting, location, and other information associated with the selected row. Conflicting settings are highlighted in yellow; absent settings are shown as a grey cell. Policy Analyzer also offers options to display only rows containing conflicts or other differences. <BR /> <P style="margin-left: 30px;"> <IMG alt=" " border="0" original-url="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-40-62/ViewCompare.png" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/119320i7FDC58E883D5F3BA" /> </P> <BR /> The following screenshot shows Policy Analyzer’s Excel output. Policy Analyzer sorts results primarily by the Group Policy path and setting name columns, which are the leftmost columns. <BR /> <P style="margin-left: 30px;"> <IMG alt=" " border="0" original-url="http://blogs.technet.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-40-62/ExportToExcel.png" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/119321i3E69AD9EA5121875" /> </P> <BR /> Policy Analyzer is a lightweight standalone application that doesn’t require installation, and doesn’t require administrative rights (except for the “local policy” feature). <BR /> <BR /> The downloadable attachment to this blog post contains Policy Analyzer, its full documentation and sample GPO sets taken from the Microsoft security configuration baselines. <BR /> <BR /> <STRONG> [Updated 3 February 2016: download now includes representations of all Windows, IE, and Office GPOs published in the Security Compliance Manager.] </STRONG> <BR /> <BR /> <SPAN style="color: #ff0000;"> [Update: the latest version of Policy Analyzer is <A href="#" target="_blank"> here </A> .] 
</SPAN> </BODY></HTML> Tue, 18 Jun 2019 20:15:06 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/new-tool-policy-analyzer/ba-p/701049 Aaron Margosis 2019-06-18T20:15:06Z LGPO.exe - Local Group Policy Object Utility, v1.0 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Jan 21, 2016 </STRONG> <BR /> LGPO.exe is a new command-line utility to&nbsp;automate the management of&nbsp;local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped&nbsp;with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools. <BR /> <BR /> Features: <BR /> <UL> <BR /> <LI> Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files. </LI> <BR /> <LI> Export local policy to a GPO backup. </LI> <BR /> <LI> Parse a Registry Policy (registry.pol) file to readable "LGPO text" directly to the console or redirected to a file which can be edited and imported into local policy. </LI> <BR /> <LI> Build a new Registry Policy (registry.pol) file from "LGPO text". </LI> <BR /> <LI> Enable group policy client side extensions for local policy processing. </LI> <BR /> </UL> <BR /> The zip file attached to this post includes LGPO.exe and full documentation. 
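<BR /> <BR /> <P> A typical way to put these features together, as an added PowerShell example (not part of the LGPO.exe download): snapshot the current local policy to a GPO backup so the change can be reverted, print the LGPO text of every registry.pol in the backup set for review, then import the whole set. Only switches from the syntax reference in this post are used; the LGPO.exe location, the GPO backup folder and the rollback folder are assumptions, and the import step must run from an elevated prompt. </P>

```powershell
# Added example, not from the LGPO.exe download: back up, review, then apply a set of GPO
# backups to local policy with LGPO.exe v1.0 switches (/b, /n, /parse, /m, /u, /g, /v).
param(
    [string]$Lgpo        = '.\LGPO.exe',            # assumed location of LGPO.exe
    [string]$GpoBackups  = '.\GPOs',                # assumed folder holding the {GUID} GPO backups
    [string]$RollbackDir = 'C:\LGPO-rollback'       # assumed folder for the pre-change backup
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Lgpo)) { throw "LGPO.exe not found at $Lgpo" }

# 1. Export the current local policy to a GPO backup so the import can be reverted with /g later.
New-Item -ItemType Directory -Force -Path $RollbackDir | Out-Null
& $Lgpo /b $RollbackDir /n "Local policy before baseline $(Get-Date -Format yyyy-MM-dd)"
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /b failed with exit code $LASTEXITCODE" }

# 2. Print what each registry.pol will set, as LGPO text, so the change is reviewable.
#    A GPO backup keeps machine settings under ...\Machine\registry.pol and user settings
#    under ...\User\registry.pol, which decides between /m and /u for /parse.
Get-ChildItem -LiteralPath $GpoBackups -Recurse -Filter registry.pol | ForEach-Object {
    $scope = if ($_.FullName -match '\\Machine\\') { '/m' } else { '/u' }
    Write-Host "--- $($_.FullName) ---"
    & $Lgpo /parse /q $scope $_.FullName
}

# 3. Import every GPO backup under the folder into local policy, with verbose output.
& $Lgpo /g $GpoBackups /v
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /g failed with exit code $LASTEXITCODE" }

# 4. Refresh policy so the imported settings take effect without waiting for the next cycle.
gpupdate /force
```

<P> To roll back, run <I> LGPO.exe /g C:\LGPO-rollback </I> against the backup taken in step 1. Keep the step-2 output with your change record: it is the plain-text list of registry values the import set, which is what an auditor or an incident responder will ask for later. </P>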
This is the command line syntax: <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> LGPO.exe v1.00 - Local Group Policy Object utility </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> LGPO.exe has four modes: </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> * Import and apply policy settings; </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> * Export local policy to a GPO backup; </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> * Parse a registry.pol file to "LGPO text" format; </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> * Build a registry.pol file from "LGPO text". </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> To apply policy settings: </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> LGPO.exe command [...] </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> where "command" is one or more of the following (each of which can be repeated): </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> /g path&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; import settings from one or more GPO backups under "path" </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /m path\registry.pol&nbsp; import settings from registry.pol into machine config </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /u path\registry.pol&nbsp; import settings from registry.pol into user config </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /s path\GptTmpl.inf&nbsp;&nbsp; apply security template </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /a[c] path\Audit.csv&nbsp; apply advanced auditing settings; /ac to clear policy first </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /t path\lgpo.txt&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; apply registry commands from LGPO text </SPAN> <BR /> <SPAN style="font-family: courier 
new,courier;"> /e &lt;name&gt;|&lt;guid&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; enable GP extension for local policy processing; specify a </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> GUID, or one of these names: </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> * "zone" for IE zone mapping extension </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> * "mitigation" for mitigation options, including font blocking </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> * "audit" for advanced audit policy configuration </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /boot&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; reboot after applying policies </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /v&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; verbose output </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /q&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; quiet output (no headers) </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> To create a GPO backup from local policy: </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> LGPO.exe /b path [/n GPO-name] </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> /b path&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Create GPO backup in "path" </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /n GPO-name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Optional GPO display name (use quotes if it contains spaces) </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> To parse a Registry.pol file to LGPO text (stdout): </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> LGPO.exe /parse [/q] {/m|/u} 
path\registry.pol </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> /m path\registry.pol&nbsp; parse registry.pol as machine config commands </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /u path\registry.pol&nbsp; parse registry.pol as user config commands </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /q&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; quiet output (no headers) </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> To build a Registry.pol file from LGPO text: </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v] </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> /r path\lgpo.txt&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Read input from LGPO text file </SPAN> <BR /> <SPAN style="font-family: courier new,courier;"> /w path\registry.pol&nbsp; Write new registry.pol file </SPAN> <BR /> <BR /> <SPAN style="font-family: courier new,courier;"> (See the documentation for more information and examples.) </SPAN> <BR /> <BR /> <SPAN style="color: #ff0000;"> [Update: the latest version of LGPO.exe is <A href="#" target="_blank"> here </A> .] 
</SPAN> </BODY></HTML> Tue, 18 Jun 2019 20:14:44 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045 Aaron Margosis 2019-06-18T20:14:44Z Changes from the Windows 8.1 baseline to the Windows 10 (TH1/1507) baseline https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/changes-from-the-windows-8-1-baseline-to-the-windows-10-th1-1507/ba-p/701044 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Nov 18, 2015 </STRONG> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> In collaboration with Windows security experts from US and UK government organizations and from the Center for Internet Security, we conducted a thorough review not just of the new settings introduced in Windows 10 but of all the accumulated settings inherited from past security baselines. Two goals of the review were to remove settings that do not address contemporary threats, and to remove the enforcement of Windows default settings that require administrative control to change and that are unlikely to be changed by an authorized administrator. The result is that we have removed 122 settings that had been enforced in the Windows 8.1 baseline that aren’t needed. We have added only 38 new settings, and have changed 9. The spreadsheet attached to this blog post lists all the changes from the Windows 8.1 and IE11 baseline to the <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2015/11/13/security-baseline-for-windows-10-build-10240-final.aspx" target="_parent"> Windows 10 (Threshold 1, a.k.a, version 1507) baseline </A> , including updated IE11 settings. </SPAN> </P> <BR /> <H2> <SPAN style="color:#2e74b5;font-family:Calibri Light;"> Why aren’t we enforcing more defaults? 
</SPAN> </H2> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> As mentioned, we’re enforcing defaults only for security-sensitive settings that are otherwise likely to be set to an insecure state by an authorized user. So, for example, on Windows client the User Rights Assignment, “Change the time zone” (SeTimeZonePrivilege) is granted to Administrators, Users, and Local Service. In the past we enforced that through the security baseline. Changing that setting requires administrative rights, and it’s unlikely that an authorized administrator would change it to a less-secure value. On the other hand, administrators are known to disable User Account Control, so we enforce that default. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Another reason not to enforce defaults in some cases is that it makes it harder for an organization to use a valuable Windows feature that is not enabled by default. “Offer Remote Assistance” is one such feature. It is not inherently insecure, but like many features – especially those involving network communication – it is disabled and should be disabled if it’s not used. But when security guidance says to disable it and that guidance is enforced through mandatory Group Policy settings, an enterprise choosing to use the feature often has to fight compliance auditors, Group Policy administrators, and other security experts and bureaucracies to enable it. Many will misinterpret the purpose of that element in the guidance to infer that “Offer Remote Assistance” opens a gaping hole and that if you enable it you may as well outsource your entire IT management to the criminals. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Including more settings in the baseline also increases cost of configuration, testing, validation, and maintenance. 
The security baselines aren’t intended to defend all secure default settings against compromise by a malicious actor that has already gained administrative rights. There are approximately 3.71 bajillion values in the registry that should never be messed with and that would cause havoc if messed with. While it may be worth monitoring them to ensure that they haven’t been altered, it’s not practical to enforce them all with a configuration baseline, and not really what the configuration baseline is for. As an example, someone could modify the registry value HKLM\System\CurrentControlSet\Services\LanmanServer\DefaultSecurity!SrvsvcShareAdminConnect and grant Everyone “full control” through the administrative shares (e.g., C$, ADMIN$). We could add that registry value to the baseline and ensure that Group Policy sets it back to its default, and using a similar mechanism, periodically verify that it hasn’t been altered. But if we go down that path, the baseline will quickly become unmanageable as we enforce defaults throughout much of HKLM\Software, HKLM\System, and the file system. </SPAN> </P> <BR /> <H2> <SPAN style="color:#2e74b5;font-family:Calibri Light;"> Removed settings </SPAN> </H2> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> This section summarizes some of the 122 settings that went from a configured value to “Not Configured.” For many of these settings, such as Windows Update settings, specific configuration is best left to the organization. For others, organizations can continue enforcing settings, but we do not consider their enforcement to be necessary. </SPAN> </P> <BR /> <UL> <BR /> <LI> <BR /> <P> Windows Firewall, “Allow local connection security rules” and “Allow local firewall rules” for the Domain and Private profiles. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> The MSS settings, AutoAdminLogon, SafeDllSearchMode, ScreenSaverGracePeriod, and WarningLevel. 
(We also redefined the ancient MSS settings from Security Options to a custom ADMX for supportability reasons.) </P> <BR /> </LI> <BR /> <LI> <BR /> <P> “Configure Offer Remote Assistance” </P> <BR /> </LI> <BR /> <LI> <BR /> <P> BitLocker: removed the requirement for smart cards and the prohibition on passwords, enforcements of defaults on hardware encryption, enforcement of specific recovery options, and disallowing use of BitLocker in the absence of a TPM. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Internet Explorer settings requiring ActiveX Filtering, disabling geolocation and AutoComplete for forms, control of browser history and proxy settings, unneeded settings in the “Locked Down” security zones, and a couple of settings that became not-applicable after Windows XP but survived past purges of old controls. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Specific Windows Update settings. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> The security option, “Accounts: Block Microsoft accounts.” If this setting is enforced, Cortana won’t work. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Security options to shut down the system if a security audit fails to log, control who can “format and eject removable media,” display of last user name at logon, password-change notifications, and numerous others. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Enforcement of Ctrl+Alt+Del at logon to protect credentials from theft. This is not particularly strong protection. First, it depends on a user that’s looking at a spoofed logon screen remembering that he or she hadn’t pressed Ctrl+Alt+Del before typing a password. Second, so many apps prompt the user for the same credentials on the user’s desktop that the credentials can easily be stolen there. Third, if the adversary has gained administrative control of the computer, the “secure desktop” is no longer a protected space. 
Finally, with devices offering more keyboard-free logon experiences such as facial recognition, Ctrl+Alt+Del becomes an annoying interference. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> The UAC setting to switch to the secure desktop is redundant with the recommended UAC settings for elevation prompt behavior. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Explicitly denying batch and service logon to the Guests group. </P> <BR /> </LI> <BR /> </UL> <BR /> <H2> <SPAN style="color:#2e74b5;font-family:Calibri Light;"> New settings </SPAN> </H2> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> This section summarizes the 38 net-new settings that were added to the Windows 10 baseline that weren’t in the Windows 8.1 baseline. </SPAN> </P> <BR /> <UL> <BR /> <LI> <BR /> <P> Two new Advanced Auditing settings that were introduced in Windows 10, and auditing removable storage events. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Enabling local password management through the <A href="#" target="_blank"> Local Administrator Password Solution </A> (LAPS). Note that LAPS requires an Active Directory schema extension. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Two MSS settings that were not configured before. (They are probably both very low risk.) </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Hardened UNC paths for the default shares on domain controllers. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Prohibit connecting to non-domain and domain networks at the same time. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Disable Wi-Fi Sense. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Enable Credential Guard. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Block another type of DMA device that can be used to bypass BitLocker protections. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Block GDI from handling untrusted fonts. GDI’s font parser executes in kernel mode. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Disallowing AutoPlay and AutoRun. 
</P> <BR /> </LI> <BR /> <LI> <BR /> <P> Additional EMET protections ( <A href="#" target="_blank"> EMET 5.5 </A> , currently in beta) </P> <BR /> </LI> <BR /> <LI> <BR /> <P> More consistent and complete enforcement for SmartScreen in IE and Edge. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Disallow password manager in Edge (to be consistent with IE settings) </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Encrypt RPC traffic. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Do not store domain passwords in credential manager. </P> <BR /> </LI> <BR /> </UL> <BR /> <H2> <SPAN style="color:#2e74b5;font-family:Calibri Light;"> Changed settings </SPAN> </H2> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> This section summarizes the 9 existing settings that have changed since our Windows 8.1 baseline: </SPAN> </P> <BR /> <UL> <BR /> <LI> <BR /> <P> Advanced auditing setting for “Security State Change” was “Success and Failure.” The default is just “Success,” and it turns out there is no code path in Windows that can log a Failure event for a security state change, so we are now enforcing “Success”. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Disabling display of firewall notifications for the Domain and Private profiles. It’s generally not useful to display complex and confusing error messages to users, particularly when they can’t do anything with them. Leaving the default in place for the Public profile – if a user sees a firewall notification there, they should probably contact an administrator. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Disallowing custom, per-computer firewall rules for the Public profile. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Continuing to deny write access to removable drives not protected by BitLocker, but no longer disallowing write access to devices configured in another organization. 
</P> <BR /> </LI> <BR /> <LI> <BR /> <P> Fixed minor misconfiguration in “Show security warning for potentially unsafe files” in the Internet and Restricted Sites zones. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Allowing only Administrators to authenticate to the computer’s network interfaces such as SMB shares and RPC. Note that this does not apply to Remote Desktop. </P> <BR /> </LI> <BR /> </UL> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> </SPAN> </P> <BR /> <P> <A href="#" original-url="http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-4062-00-00-03-65-72-58/Win81_2D00_to_2D00_Win10TH1_2D00_Diffs.xlsx" target="_blank"> Win81-to-Win10TH1-Diffs.xlsx </A> </P> </BODY></HTML> Tue, 18 Jun 2019 20:14:42 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/changes-from-the-windows-8-1-baseline-to-the-windows-10-th1-1507/ba-p/701044 Aaron Margosis 2019-06-18T20:14:42Z Security baseline for Windows 10 (build 10240) – FINAL https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-build-10240-8211-final/ba-p/701043 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Nov 13, 2015 </STRONG> <BR /> <P> <STRONG> <SPAN style="color:#ff0000;font-family:Calibri;font-size:large;"> [Removing the attachment from this post. Please see updated baseline content for <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update.aspx" target="_blank"> Windows 10 v1507 (TH1) </A> and <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2016/01/22/security-baseline-for-windows-10-v1511-quot-threshold-2-quot-final.aspx" target="_blank"> Windows 10 v1511 (TH2) </A> .] 
<BR /> </SPAN> </STRONG> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Microsoft is pleased to announce the </SPAN> <I> <SPAN style="font-family:Calibri;font-size:medium;"> final </SPAN> </I> <SPAN style="font-family:Calibri;font-size:medium;"> release of the security baseline settings for Windows 10 (Build 10240, a.k.a., <SPAN style="font-family:Calibri;"> “ </SPAN> Version 1507, <SPAN style="font-family:Calibri;"> ” </SPAN> “Threshold 1” or “TH1”) along with updated baseline settings for Internet Explorer 11. Note that we are also <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2015/11/13/security-baseline-for-windows-10-threshold-2-draft.aspx" target="_blank"> separately releasing </A> </SPAN> <I> <SPAN style="font-family:Calibri;font-size:medium;"> <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2015/11/13/security-baseline-for-windows-10-threshold-2-draft.aspx" target="_blank"> draft </A> </SPAN> </I> <SPAN style="font-family:Calibri;font-size:medium;"> <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2015/11/13/security-baseline-for-windows-10-threshold-2-draft.aspx" target="_blank"> guidance for the November Update </A> , a.k.a., <SPAN style="font-family:Calibri;"> “ </SPAN> Version 1511, <SPAN style="font-family:Calibri;"> ” </SPAN> “Threshold 2” or “TH2.” The only differences between the TH1 final and the TH2 draft are the new settings that apply only to TH2. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> This specific baseline will be delivered only through the downloadable attachment to this blog post. The attachment includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will not be publishing SCM .CAB files for this baseline, as we are focusing our SCM resources on the “Threshold 2” release. 
We anticipate that the vast majority of Windows 10 users will soon upgrade to TH2. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> We will post shortly about technical details and issues in the baselines. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> <EM> [Attachment updated, 15-Nov-2015 15:38 US Eastern to address minor issues.] </EM> <BR /> </SPAN> </P> </BODY></HTML> Tue, 18 Jun 2019 20:14:41 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baseline-for-windows-10-build-10240-8211-final/ba-p/701043 Aaron Margosis 2019-06-18T20:14:41Z Blocking Remote Use of Local Accounts https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/blocking-remote-use-of-local-accounts/ba-p/701042 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Sep 02, 2014 </STRONG> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> The use of local accounts for remote access in Active Directory environments is problematic for a number of reasons. By far, the biggest problem is that when an administrative local account has the same user name and password on multiple machines, an attacker with administrative rights on one machine can easily obtain the account’s password hash from the local Security Accounts Manager (SAM) database and use it to gain administrative rights over the other machines using “pass the hash” techniques. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Our latest security guidance responds to these problems by taking advantage of new Windows features to block remote logons by local accounts. 
Windows 8.1 and Windows Server 2012 R2 introduced two new security identifiers (SIDs), which are also defined on Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 after installing </SPAN> <A href="#" target="_blank"> <SPAN style="color:#0563c1;font-family:Calibri;font-size:medium;"> KB 2871997 </SPAN> </A> <SPAN style="font-family:Calibri;font-size:medium;"> : </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> S-1-5-113: NT AUTHORITY\Local account </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> S-1-5-114: NT AUTHORITY\Local account and member of Administrators group </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> The former SID is added to the user’s access token at the time of logon if the user account being authenticated is a local account. The latter SID is also added to the token if the local account is a member of the BUILTIN\Administrators group. These SIDs can grant or deny access to all local accounts or all administrative local accounts – for example, in User Rights Assignments to “Deny access to this computer from the network” and “Deny log on through Remote Desktop Services”, as we recommend in our latest security guidance. Prior to the definition of these SIDs, you would have had to explicitly name each local account to be restricted to achieve the same effect. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> In the initial release of the Windows 8.1 and Windows Server 2012 R2 guidance, we denied network and remote desktop logon to “Local account” (S-1-5-113) for all Windows client and server configurations, which blocks all remote access for all local accounts. 
</SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> We have since discovered that Failover Clustering relies on a non-administrative local account (CLIUSR) for cluster node management and that blocking its network logon access causes cluster services to fail. Because the CLIUSR account is not a member of the Administrators group, replacing S-1-5-113 with S-1-5-114 in the “Deny access to this computer from the network” setting allows cluster services to work correctly while still providing protection against “pass the hash” types of attacks by denying network logon to administrative local accounts. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> While we could keep the guidance as it is and add a “special case” footnote for failover cluster scenarios, we will instead opt to simplify deployments and change the Windows Server 2012 R2 Member Server baseline as follows: </SPAN> </P> <BR /> <TABLE border="1" cellpadding="0" cellspacing="0" style="width:100%;"> <BR /> <TBODY> <BR /> <TR> <BR /> <TD valign="top" width="16%"> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> <BR /> <P> <B> <SPAN style="font-family:Calibri;font-size:medium;"> Policy Path </SPAN> </B> </P> <BR /> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> </TD> <BR /> <TD valign="top" width="83%"> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Computer Configuration\Windows Settings\Local Policies\User Rights Assignment </SPAN> </P> <BR /> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD valign="top" width="16%"> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> <BR /> <P> <B> <SPAN style="font-family:Calibri;font-size:medium;"> Policy Name </SPAN> </B> </P> <BR /> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> </TD> <BR /> 
<TD valign="top" width="83%"> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Deny access to this computer from the network </SPAN> </P> <BR /> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD valign="top" width="16%"> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> <BR /> <P> <B> <SPAN style="font-family:Calibri;font-size:medium;"> Original Value </SPAN> </B> </P> <BR /> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> </TD> <BR /> <TD valign="top" width="83%"> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Guests, Local account (*) </SPAN> </P> <BR /> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD valign="top" width="16%"> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> <BR /> <P> <B> <SPAN style="font-family:Calibri;font-size:medium;"> New Value </SPAN> </B> </P> <BR /> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> </TD> <BR /> <TD valign="top" width="83%"> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Guests, Local account and member of Administrators group (*) </SPAN> </P> <BR /> <SPAN style="font-family:Times New Roman;font-size:medium;"> </SPAN> </TD> <BR /> </TR> <BR /> </TBODY> <BR /> </TABLE> <BR /> <P style="margin-left:30px;"> <I> <SPAN style="font-family:Calibri;font-size:medium;"> (*) The guidance also recommends adding Domain Admins and Enterprise Admins to these restrictions except on domain controllers and dedicated admin workstations.&nbsp; DA and EA are domain-specific and can’t be specified in generic GPO baselines. 
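As an added illustration (not Microsoft's tooling or any code from the post), the following Python audits a security template produced by `secedit /export /cfg <file>` for the two deny rights discussed above: it confirms that the network deny right carries S-1-5-114 on a member server (or S-1-5-113 on a client), that the Remote Desktop deny right still carries S-1-5-113, flags the S-1-5-113 network deny that breaks Failover Clustering's CLIUSR, and reports when the domain-specific Domain Admins / Enterprise Admins entries from the (*) footnote are absent. The sample templates are constructed, and the role names, function names and `REQUIRED` table are this example's own assumptions.

```python
"""Audit a secedit export for the baseline's local-account deny-logon rules.
Constructed sample templates; a real export is UTF-16 (open(path, encoding="utf-16"))."""
import re
from typing import Dict, List

# Well-known SIDs from the post, plus BUILTIN\Guests.
LOCAL_ACCOUNT = "S-1-5-113"        # NT AUTHORITY\Local account
LOCAL_ADMIN_ACCOUNT = "S-1-5-114"  # NT AUTHORITY\Local account and member of Administrators group
GUESTS = "S-1-5-32-546"            # BUILTIN\Guests
DOMAIN_ADMINS_RID = "512"          # Domain Admins: S-1-5-21-<domain>-512 (domain-specific,
ENTERPRISE_ADMINS_RID = "519"      # Enterprise Admins: -519) so a generic GPO cannot carry them

DENY_NETWORK = "SeDenyNetworkLogonRight"        # "Deny access to this computer from the network"
DENY_RDP = "SeDenyRemoteInteractiveLogonRight"  # "Deny log on through Remote Desktop Services"

# Principals that must be present per baseline role (assumed table built from the post):
# member servers deny network logon to S-1-5-114 so that CLIUSR keeps working, clients deny
# it to S-1-5-113; the Remote Desktop restriction stays at S-1-5-113 for both.
REQUIRED = {
    "member-server": {DENY_NETWORK: {GUESTS, LOCAL_ADMIN_ACCOUNT}, DENY_RDP: {LOCAL_ACCOUNT}},
    "client": {DENY_NETWORK: {GUESTS, LOCAL_ACCOUNT}, DENY_RDP: {LOCAL_ACCOUNT}},
}


def parse_privilege_rights(template: str) -> Dict[str, List[str]]:
    """Return {right name: [principals]} from the [Privilege Rights] section.
    secedit prefixes SIDs with '*' and leaves account names bare; the '*' is stripped."""
    rights: Dict[str, List[str]] = {}
    section = None
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def check_local_account_denies(template: str, role: str) -> Dict[str, List[str]]:
    """Compare a template with the baseline for `role`; returns missing entries plus
    warnings for the settings the post calls out as breaking or site-specific."""
    rights = parse_privilege_rights(template)
    missing: List[str] = []
    warnings: List[str] = []
    for right, needed in REQUIRED[role].items():
        configured = set(rights.get(right, []))
        missing += [f"{right} lacks {sid}" for sid in sorted(needed - configured)]
    # Denying S-1-5-113 network logon on a member server breaks Failover Clustering (CLIUSR).
    if role == "member-server" and LOCAL_ACCOUNT in rights.get(DENY_NETWORK, []):
        warnings.append(f"{DENY_NETWORK} denies {LOCAL_ACCOUNT}; clustered servers need "
                        f"{LOCAL_ADMIN_ACCOUNT} instead")
    # The (*) footnote: Domain Admins / Enterprise Admins have to be added per domain.
    for right in (DENY_NETWORK, DENY_RDP):
        rids = {p.rsplit("-", 1)[-1] for p in rights.get(right, []) if p.startswith("S-1-5-21-")}
        if not {DOMAIN_ADMINS_RID, ENTERPRISE_ADMINS_RID} <= rids:
            warnings.append(f"{right} does not deny Domain Admins and Enterprise Admins")
    return {"missing": missing, "warnings": warnings}


# Constructed sample exports (domain SID is a placeholder, not a real domain).
_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_MEMBER_SERVER = f"""\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-114,*{_DOMAIN}-512,*{_DOMAIN}-519
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,*S-1-5-113,*{_DOMAIN}-512,*{_DOMAIN}-519
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""
SAMPLE_ORIGINAL = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-113
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,*S-1-5-113
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for label, template in (("revised", SAMPLE_MEMBER_SERVER), ("original", SAMPLE_ORIGINAL)):
        print(label, check_local_account_denies(template, "member-server"))
```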
</SPAN> </I> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Note that this change applies only to the Member Server baseline and that the restriction on remote desktop logon is not being changed. Organizations can still choose to deny network access to “Local account” for non-clustered servers. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Note also that the restrictions on local accounts are intended for Active Directory domain-joined systems. Non-joined, workgroup Windows computers cannot authenticate domain accounts, so if you apply restrictions against remote use of local accounts on these systems, you will be able to log on only at the console. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> </SPAN> </P> <BR /> <P> </P> </BODY></HTML> Tue, 18 Jun 2019 20:14:38 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/blocking-remote-use-of-local-accounts/ba-p/701042 Aaron Margosis 2019-06-18T20:14:38Z What's New in Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11 https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/what-s-new-in-recommended-security-baseline-settings-for-windows/ba-p/701041 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Aug 15, 2014 </STRONG> <BR /> <P> <EM> <SPAN style="font-family:Calibri;font-size:medium;"> The attachment on this&nbsp;post describes&nbsp;what's new in the security baseline recommendations for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11, </SPAN> </EM> <SPAN style="font-family:Calibri;font-size:medium;"> relative to the baselines published for Windows 8, Windows Server 2012 and Internet Explorer 10 </SPAN> <EM> <SPAN style="font-family:Calibri;font-size:medium;"> .&nbsp; It is included as a Word document in the download from <A 
href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx" target="_blank"> yesterday's announcement blog post </A> .&nbsp; We are posting&nbsp;the document&nbsp;here for easier access.&nbsp; I tried to post the full document content, but the tables it contains&nbsp;are too wide for this blog's layout, so I'm just posting the background/summary and table of contents. </SPAN> </EM> </P> <BR /> <P> <EM> <SPAN style="font-family:Calibri;font-size:medium;"> [2 September 2014:&nbsp;document updated for v1.1 with change to "Deny access to this computer from the network" for the Member Server baseline.] <BR /> </SPAN> </EM> </P> <BR /> <P> </P> <BR /> <H2> <SPAN style="color:#2e74b5;font-family:Calibri Light;"> Background and Summary </SPAN> </H2> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> This document outlines recommended security configuration settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11, using the previously-published baselines for Windows 8, Windows Server 2012 and Internet Explorer 10 as the starting point. These guidelines are intended for well-managed enterprises. 
</SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Some of the more interesting changes from the Windows 8/2012/IE10 baselines: </SPAN> </P> <BR /> <UL> <BR /> <LI> <BR /> <P> Use of new and existing settings to help block some Pass the Hash attack vectors </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Blocking the use of web browsers on domain controllers </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Removal of almost all service startup settings, and all server role baselines that contain only service startup settings </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Removal of the recommendation to enable “FIPS mode” </P> <BR /> </LI> <BR /> </UL> <BR /> <P> <SPAN style="color:#2e74b5;font-family:Calibri Light;font-size:x-large;"> Contents </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Background and Summary </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Settings New to Windows 8.1 and Windows Server 2012 R2 </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Settings New to Internet Explorer 11 </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Changes to Settings Inherited from Existing Baselines </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Changes to all Windows Server product baselines </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Pass the Hash </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Blocking the use of Web Browsers on Domain Controllers </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> EMET </SPAN> 
</SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Updated Guidance </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Advanced Auditing </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Removed Windows Recommendations </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Removed Internet Explorer Recommendations </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> Bugs </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> </SPAN> </P> <BR /> <P> <EM> <SPAN style="font-family:Calibri;font-size:medium;"> [download the attachment for the rest...] </SPAN> </EM> </P> <BR /> <P> </P> <BR /> <H2> </H2> <BR /> <P> </P> <BR /> <P> <A href="#" original-url="http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-4062-00-00-03-63-60-95/Recommended-Security-Baseline-Settings.docx" target="_blank"> Recommended Security Baseline Settings.docx </A> </P> </BODY></HTML> Tue, 18 Jun 2019 20:14:31 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/what-s-new-in-recommended-security-baseline-settings-for-windows/ba-p/701041 Aaron Margosis 2019-06-18T20:14:31Z Configuring Account Lockout https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/configuring-account-lockout/ba-p/701040 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Aug 13, 2014 </STRONG> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> We can recommend an ideal configuration for most of the settings in our security guidance. For example, the “Debug programs” privilege should be granted to Administrators and to no one else. 
For account lockout, however, there is no “one size fits all” setting, but there’s a lot of heated discussion whenever anyone tries to pick one. Ultimately, each organization must determine what best meets their own needs. This blog post tries to help by discussing the issues and tradeoffs of enabling account lockout and how tightly to enforce it. We had to pick <I> something </I> for <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx" target="_blank"> the baseline </A> , so we discuss the settings we selected and why we changed them from what we had selected for other recent baselines. Again, though, this is one where you should take a close look at the threats and tradeoffs for your own environment before applying the settings we picked. </SPAN> </P> <BR /> <H2> <SPAN style="color:#2e74b5;font-family:Calibri Light;"> The Basics of Account Lockout </SPAN> </H2> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> The purpose of account lockout is to make it harder for password-guessing attacks to succeed. If account lockout is not configured, an attacker can automate an attempt to log on with different user accounts, trying common passwords as well as every possible combination of eight or fewer characters in a very short amount of time, until one finally works. When account lockout is configured, Windows locks the account after a certain number of failed logon attempts, and blocks further logon attempts even if the correct password is supplied. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Windows account lockout can be configured with these three settings: </SPAN> </P> <BR /> <UL> <BR /> <LI> <BR /> <P> <I> Account lockout threshold </I> : the number of failed logon attempts that trigger account lockout. If set to 0, account lockout is disabled and accounts are never locked out. 
</P> <BR /> </LI> <BR /> <LI> <BR /> <P> <I> Account lockout duration </I> : the number of minutes that an account remains locked out before it’s automatically unlocked. If set to 0, the account remains locked out until an administrator explicitly unlocks it. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> <I> Reset account lockout counter after </I> : the number of minutes after a failed logon attempt before the bad-logon counter is reset to 0. The counter is also reset after a successful logon. </P> <BR /> </LI> <BR /> </UL> <BR /> <H2> <SPAN style="color:#2e74b5;font-family:Calibri Light;"> Account Lockout Tradeoffs </SPAN> </H2> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> While account lockout can help prevent intrusion, it can also expose your organization to accidental lockouts as well as to denial of service attacks. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Not every bad logon attempt reflects an attempt to gain unauthorized access. Users sometimes forget their passwords. Also, applications, particularly those that use saved passwords, are often unaware of a password change and continue to use the old password, sometimes automatically retrying the same password many times in a short amount of time. This becomes increasingly true as users have more devices such as phones and tablets that log on to get email or other corpnet access. If the account lockout threshold is set too low, you are likely to see a lot of accidental lockouts. In addition to users not being able to perform their work, lockouts can lead to expensive helpdesk calls, especially when administrator intervention is required to unlock the account. Finding the root cause of accidental lockouts can be time-consuming as well. It’s therefore good to set a threshold that avoids accidental lockouts, while not setting the threshold so high that attackers are given too much opportunity to succeed. 
Setting the lockout duration to a “reasonable” non-zero value can also reduce helpdesk calls. The combination of threshold, lockout duration and reset settings determines how many guesses attackers get per day; ideally you slow them down to the point that it becomes impractical or at least not worthwhile for them to pursue this type of attack. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> At the same time, whenever account lockout is configured at all it is easy for an attacker to conduct a denial of service attack and deliberately lock out accounts. It doesn’t matter whether you set the threshold to 5 or 50 – an automated attack can perform that many deliberately failed logon attempts on a large number of accounts very quickly and lock them out. If the lockout duration is short, an attacker can still maintain a sustained attack, locking out accounts as soon as they become unlocked. If the lockout duration is indefinite (0), then this can be a crippling attack. </SPAN> </P> <BR /> <H2> <SPAN style="color:#2e74b5;font-family:Calibri Light;"> Reducing or Eliminating the Need for Account Lockout </SPAN> </H2> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> If you employ other mitigations against password-guessing attacks, you can afford to set a higher lockout threshold or even disable account lockout altogether. Some of these mitigations are: </SPAN> </P> <BR /> <UL> <BR /> <LI> <BR /> <P> Proactively monitor for failed logon events and have a robust response mechanism in place when password-guessing is detected. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Configure “Smart card required for interactive logon” (SCRIL), and do not manually set a password for the account after doing so. When SCRIL is configured, the account’s password hash is replaced with a random value, making a password logon effectively impossible. When SCRIL is configured, therefore, account lockout should be disabled to prevent denial of service. 
</P> <BR /> </LI> <BR /> <LI> <BR /> <P> Require long passwords. The entire set of eight-character passwords can be tested in a short amount of time. Windows policies allow you to set a minimum length of up to 14 characters, which is the setting we recommend. Passwords can be up to 256 characters <SPAN style="text-decoration:line-through;"> , but Windows won’t let you <I> demand </I> more than 14 without a custom password filter </SPAN> . <EM> [7-Feb-2015 - Correction: You can set a minimum password length greater than 14 by using <STRONG> Fine-Grained Password Policies </STRONG> -- see <A href="#" target="_blank"> this description </A> and&nbsp;the <A href="#" target="_blank"> Step By Step Guide </A> for more information.] </EM> </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Require password complexity. Requiring multiple types of characters increases the likelihood that users will pick strong passwords. Note, however, that it does not guarantee strong passwords: for example, “Password!” meets the complexity requirement but is easily guessed. </P> <BR /> </LI> <BR /> </UL> <BR /> <H2> <SPAN style="color:#2e74b5;font-family:Calibri Light;"> Baseline Selections </SPAN> </H2> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> As we said at the outset, there is no single account lockout configuration that works for all organizations. Our recommendation regarding account lockout is to consider the tradeoffs and pick what’s right for your situation. However, our <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx" target="_blank"> security guidance </A> includes GPOs and security templates that you can apply directly, and it’s not possible to set the account lockout threshold in them to “do the right thing”. So we have to pick something. 
</SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> The settings in our baselines are intended for large audiences. We recognize that many organizations will apply these settings without reading the fine print or considering the nuances and tradeoffs. We have to try to find the right balance between security and “break everything” that will work reasonably well for most organizations. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> We have selected a threshold of 10 bad attempts, a 15 minute lockout duration, and counter reset after 15 minutes (10/15/15). That threshold value is a change from the Windows 8.1 / Windows Server 2012 R2 beta guidance as well as from past baselines. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> The threshold we published with the Windows 7 / Windows Server 2008 R2 guidance was 50 bad attempts. With the 15 minute duration and 15 minute counter reset, that gave attackers up to 200 guesses per hour. For Windows 8 / Server 2012 we had changed it to 5, after much discussion with the external security community, including the Center for Internet Security (CIS), the US National Security Agency (NSA), the US Defense Information Systems Agency (DISA) and others. The thinking at that point was that a typical user is unlikely to mistype their password five times unless they really don’t remember it, in which case they’ll probably need to call the helpdesk anyway. We have increased that threshold to 10 because our support engineers have seen many accidental lockouts, particularly with the increase in devices per user. Increasing the threshold to 10 should reduce the number of accidental lockouts, while at the same time not giving attackers 200 guesses per hour again. 
</SPAN> </P> <BR /> <H2> <SPAN style="color:#2e74b5;font-family:Calibri Light;"> Account Lockout Technical Errata </SPAN> </H2> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> The public documentation may not be clear about these points, and they are worth knowing: </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> An attempted logon using either of an account’s two most recent previous passwords will not succeed, but will not increment the bad-logon counter either. In other words, repeated use of a saved password will trigger account lockout only after the third password change. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Failed attempts to unlock a workstation can cause account lockout even if the “Interactive logon: Require Domain Controller authentication to unlock workstation” security option is disabled. Windows doesn’t need to contact a DC for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a DC in case you had changed your password from another machine. It’s actually easy to lock out an account on a locked workstation in seconds just by pressing Ctrl+Alt+Del and then holding down the Enter key. 
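As an added illustration (not Microsoft's code or part of the baseline tooling), the following Python models the three lockout settings plus the errata about the two previous passwords, and reproduces the post's figures of 200 guesses per hour for 50/15/15 and 40 for 10/15/15. The `Account` class is a simplified model of the Windows behaviour described here, not the real implementation; it assumes the bad-logon counter clears when the lockout duration expires, and the "cycle" strategy and class and function names are this example's own.

```python
"""Simplified model of Windows account lockout (threshold / duration / reset) and of the
guess budget it leaves an attacker. Added example; constructed inputs throughout."""
import math
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int     # failed attempts that trigger lockout; 0 disables lockout
    duration_min: int  # minutes locked; 0 = locked until an administrator unlocks
    reset_min: int     # minutes after the last failure before the counter resets to 0


class Account:
    """Tracks one account's bad-logon counter and lockout state; times are in minutes."""

    def __init__(self, policy: LockoutPolicy, password: str, previous: Sequence[str] = ()):
        self.policy = policy
        self.password = password
        self.previous = tuple(previous)[-2:]  # the two most recent previous passwords
        self.bad_count = 0
        self.last_failure: Optional[float] = None
        self.locked_since: Optional[float] = None

    def _refresh(self, now: float) -> None:
        p = self.policy
        if self.locked_since is not None and p.duration_min > 0 and now - self.locked_since >= p.duration_min:
            self.locked_since = None      # lockout duration elapsed: auto-unlock
            self.bad_count = 0
        if self.last_failure is not None and now - self.last_failure >= p.reset_min:
            self.bad_count = 0            # "Reset account lockout counter after" elapsed

    def unlock(self) -> None:
        """Explicit administrator unlock (the only way out when duration_min == 0)."""
        self.locked_since = None
        self.bad_count = 0

    def try_logon(self, attempt: str, now: float) -> str:
        self._refresh(now)
        if self.locked_since is not None:
            return "locked"               # refused even if the password is correct
        if attempt == self.password:
            self.bad_count = 0
            return "success"
        if attempt in self.previous:
            return "failed-no-count"      # errata: previous two passwords do not count
        self.bad_count += 1
        self.last_failure = now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_since = now
            return "locked-out"
        return "failed"


def max_guesses_per_hour(policy: LockoutPolicy) -> float:
    """Best of two attacker strategies: stay one below the threshold and wait for the
    counter reset, or trip the lock and wait for the automatic unlock."""
    if policy.threshold == 0:
        return math.inf
    under_threshold = (policy.threshold - 1) * 60 / policy.reset_min
    if policy.duration_min == 0:
        return under_threshold            # tripping an indefinite lock ends the attempt
    cycle_lock = policy.threshold * 60 / policy.duration_min
    return max(under_threshold, cycle_lock)


def simulate_guesses(policy: LockoutPolicy, minutes: int = 60) -> int:
    """Run a guess-until-locked attacker against the model and count evaluated guesses."""
    if policy.threshold == 0:
        raise ValueError("lockout disabled: guesses are unbounded")
    acct = Account(policy, password="correct horse battery staple")  # constructed secret
    evaluated = 0
    for minute in range(minutes):
        while True:
            result = acct.try_logon(f"guess-{evaluated}", minute)
            if result in ("failed", "locked-out"):
                evaluated += 1
            if result != "failed":
                break
    return evaluated


def stale_password_retries(policy: LockoutPolicy, changes_since: int, retries: int) -> str:
    """An app keeps retrying the password that was current `changes_since` changes ago."""
    history = [f"pw{i}" for i in range(changes_since + 1)]  # pw0 is the stale one
    acct = Account(policy, password=history[-1], previous=history[:-1])
    result = "failed"
    for i in range(retries):
        result = acct.try_logon("pw0", now=i * 0.1)  # many retries within one minute
        if result in ("locked-out", "locked"):
            break
    return result


if __name__ == "__main__":
    for p in (LockoutPolicy(50, 15, 15), LockoutPolicy(10, 15, 15)):
        print(p, max_guesses_per_hour(p), simulate_guesses(p))
```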
</SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> </SPAN> </P> <BR /> <P> </P> </BODY></HTML> Tue, 18 Jun 2019 20:14:26 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/configuring-account-lockout/ba-p/701040 Aaron Margosis 2019-06-18T20:14:26Z Changes in the Security Guidance for Windows 8.1, Server 2012 R2 and IE11 since the beta https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/changes-in-the-security-guidance-for-windows-8-1-server-2012-r2/ba-p/701039 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Aug 13, 2014 </STRONG> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> We have made a small number of changes in the <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx" target="_blank"> baseline security guidance </A> for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 since we released the beta version of our guidance last April. This blog post discusses those changes and the reasons for them. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> Account Lockout Threshold: </B> we’re changing the incorrect-password threshold that triggers account lockout from “5” in the beta to “10”. Account lockout is an involved and controversial setting, so we discuss the thinking behind this setting in <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/08/13/configuring-account-lockout.aspx" target="_blank"> a separate blog post </A> . This change applies to all supported versions of Windows. 
</SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> Include command line in process creation events </B> : The beta guidance recommended enabling this setting in Computer Configuration\Administrative Templates\System\Audit Process Creation. We are reverting that recommendation back to “Not Configured”. The original idea for the previous recommendation was to make more information available for forensic purposes. The command line data being logged is captured in the Security event log, which requires administrative or admin-equivalent privilege to read, and administrators have many other ways to capture full command line data and much more from running systems, so in our initial estimate the guidance assumed that there was minimal security risk to capture full command lines in process creation audit events. However, although it’s certainly discouraged, command lines such as NET.EXE USE and PsExec often contain passwords and other sensitive information, and logging those command lines could make months of such captured data available to an attacker the instant they compromise a machine. For this reason we are reverting the recommendation back to “Not configured”; the resulting default behavior is not to include the command line in the audit events. By not explicitly recommending “Disabled”, organizations can still enable the policy when situations dictate. This change applies to Windows 8.1 and Server 2012 R2. </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> Disabling Digest Authentication </B> :&nbsp; Digest Authentication, documented in RFCs 2617 and 2831, is a standards-based authentication protocol that was intended to improve upon earlier authentication protocols such as Basic Authentication by using a challenge/response mechanism to prove knowledge of a password instead of sending the password to the remote server. 
The Windows implementation (often called WDigest) provided single-sign-on support for Digest Authentication by default. This support required that Lsass.exe retain an encrypted copy of the user’s password in memory so that it could be decrypted and used whenever needed without having to prompt the user. External security researchers reverse-engineered Lsass.exe’s behavior and determined how to extract the decrypted password. Because Digest Authentication is not widely used and to help prevent credential theft, Windows disabled Digest Authentication by default beginning in Windows 8.1 and Windows Server 2012 R2 and created a registry setting to control whether Digest is enabled. With the release of KB 2871997, that same setting is now available for earlier versions of Windows going back to Windows 7 and Windows Server 2008 R2. However, installing the update does not disable Digest on those systems. The final version of the security guidance for Windows 8.1 and Server 2012 R2 includes an additional entry to the custom “SCM: Pass the Hash Mitigations” ADMX so that Digest can be disabled through Group Policy on all versions of Windows going back to Windows 7 and Server 2008 R2. </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> EMET 5.0 </B> : Version 5.0 of the Enhanced Mitigation Experience Toolkit was released between the beta and final versions of this security guidance. We have replaced the EMET 4.1 policy settings from the beta with the corresponding EMET 5.0 policy settings, which are almost identical. EMET 5.0 can be downloaded from </SPAN> </SPAN> <A href="#" target="_blank"> <SPAN style="color:#0563c1;font-family:Calibri;font-size:medium;"> http://www.microsoft.com/emet </SPAN> </A> <SPAN style="font-family:Calibri;font-size:medium;"> . 
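Two items in this post are about credentials leaking from a running system: command lines captured in process-creation (4688) events, and the reversible password copy that WDigest single sign-on keeps in Lsass. The PowerShell below is an added example, not code from the original post or from the baseline package. It checks and (optionally) sets the WDigest registry value that KB 2871997 and Windows 8.1 introduced, reports whether the command-line audit policy is on, and runs a small credential-pattern triage over 4688 command lines. The registry paths are the ones those settings use; the sample command lines at the end are constructed for illustration and are not from a real log.

```powershell
# Added example, not part of the original post. The registry locations are the
# ones the Windows 8.1 / KB 2871997 WDigest setting and the "Include command line
# in process creation events" policy use; the sample command lines at the end
# are constructed for illustration and are not from a real log.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$AuditKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Get-WDigestState {
    # UseLogonCredential = 0 stops Lsass from keeping the reversible copy of the
    # password that WDigest single sign-on needs. On Windows 8.1 / Server 2012 R2
    # the value is absent by default and absent means "off"; on Windows 7 /
    # Server 2008 R2 with KB 2871997 installed, absent means "still on".
    $v = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    $value = $null
    if ($v) { $value = [int]$v.UseLogonCredential }
    $osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
    $offByDefault = ($osVersion -ge [Version]'6.3')   # 6.3 = Windows 8.1 / Server 2012 R2
    $caches = if ($null -ne $value) { $value -ne 0 } else { -not $offByDefault }
    [pscustomobject]@{
        OSVersion              = $osVersion
        UseLogonCredential     = $value
        WDigestCachesPlaintext = $caches
    }
}

function Disable-WDigest {
    # Takes effect for logon sessions created after the change; passwords
    # already held for existing sessions stay in memory until logoff or reboot.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-CommandLineAuditState {
    $v = Get-ItemProperty -Path $AuditKey -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    if ($v) { [int]$v.ProcessCreationIncludeCmdLine_Enabled -eq 1 } else { $false }
}

# Triage heuristics for the tools the post names plus a generic catch-all.
# They flag command lines worth a look; they are not a complete detector.
$CredentialPatterns = @(
    '\bnet1?(\.exe)?\s+use\b.*/user:',          # net use ... /user:dom\u [password]
    '\bpsexec(\.exe)?\b.*\s-p\s+\S+',            # psexec ... -u user -p password
    '\bschtasks(\.exe)?\b.*\s/rp\s+\S+',         # schtasks /ru user /rp password
    '\bwmic(\.exe)?\b.*/password:\S+',
    '\b(password|passwd|pwd)[=:]\S+'
)

function Find-CredentialCommandLines {
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($cl in $CommandLine) {
        foreach ($p in $CredentialPatterns) {
            if ($cl -match $p) {
                [pscustomobject]@{ Pattern = $p; CommandLine = $cl }
                break
            }
        }
    }
}

function Get-Recent4688CommandLines {
    # Reading the Security log needs administrative rights. The CommandLine
    # field is populated only while the policy is enabled.
    param([int]$Max = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $Max -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        } | Where-Object { $_ }
}

# Constructed sample command lines (not real log data):
$sample = @(
    'C:\Windows\system32\net.exe use \\fs01\share /user:CORP\svc_backup Summer2014!',
    'psexec.exe \\web01 -u CORP\admin -p Hunter2 cmd.exe',
    'C:\Windows\system32\svchost.exe -k netsvcs',
    'schtasks.exe /create /tn nightly /tr c:\jobs\run.cmd /ru CORP\svc_job /rp Secret123',
    'notepad.exe C:\temp\notes.txt'
)
Find-CredentialCommandLines -CommandLine $sample | Format-Table -AutoSize
Get-WDigestState
"Command line logging enabled: $(Get-CommandLineAuditState)"
# Against a real log on a system with the policy on:
# Find-CredentialCommandLines -CommandLine (Get-Recent4688CommandLines)
```

The triage over the constructed sample flags the net use, psexec and schtasks lines and passes the other two. If you do decide to enable command-line logging despite the post's caution, running the same triage periodically over the live Security log, and treating any hit as a credential to rotate, is the compensating control.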
</SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> Deny access to this computer from the network / Deny log on through Remote Desktop Services </B> : the recommendation to set these deny-logon rights to Guests and Local Account remains true for Windows 8.1 and Server 2012 R2. With the release of KB 2871997, “NT AUTHORITY\Local Account” is now defined on Windows 7, Windows 8, Server 2008 R2 and Server 2012, so the guidance applies there as well. We also recommend adding your Domain Admins and Enterprise Admins to these deny-logon rights for all versions of Windows except for domain controllers and for dedicated administrative workstations. <EM> <STRONG> [11 Sept 2014: &nbsp;please see <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/09/02/blocking-remote-use-of-local-accounts.aspx" target="_blank"> this clarification </A> for important changes to this setting.] </STRONG> </EM> </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> Bypass traverse checking privilege </B> : If a user requests access to a file, directory or registry key and does not possess this privilege, Windows checks not only the permissions on the requested object but also verifies that the user has “traverse” permissions on parent keys or directories all the way up to the root container, which can incur significant performance penalties. This is a security “feature” available since Windows NT 3.1 that no one has ever wanted. Windows grants this privilege – internally called SeChangeNotifyPrivilege – to Everyone by default, as well as to BUILTIN\Users and several other groups (although one would think “Everyone” would be all-encompassing enough). 
The Local Security Policy editor and KB 823659 ( </SPAN> </SPAN> <A href="#" target="_blank"> <SPAN style="color:#0563c1;font-family:Calibri;font-size:medium;"> http://support.microsoft.com/kb/823659 </SPAN> </A> <SPAN style="font-family:Calibri;font-size:medium;"> ) warn that changing the defaults can cause serious problems. Nevertheless, security guidance from Microsoft and others has long recommended removing “Everyone” from the list. This probably ends up having little effect, as BUILTIN\Users is a very broad group. Rather than try to continue to track the other default grantees, such as “Window Manager\Window Manager Group” which was added to the list in Windows 8, we recommend not defining an explicit value and instead allowing the out-of-the-box default to remain in place. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> The only scenario in which this could be a problem is if a caller who is a member of Everyone but not of Users (unusual enough in itself) is able to request access to a file or registry key, and the permissions on the object allow the request, but it’s in a directory or key hierarchy that does not grant the user the Traverse permission all the way to the top – AND that the expected behavior would be to deny access. This is too unusual a scenario to consider a security risk. If the expected behavior is to deny access, don’t grant non-Users access to the requested resources. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> Increase a process working set privilege </B> : A process’ “working set” is the amount of physical memory assigned to the process by the memory manager. We are removing the guidance that has recommended granting this privilege only to Administrators and Local Service; instead we recommend leaving this privilege at the operating system default value. 
On Windows 7 the default is “Users”; on Windows 8 and newer it is also granted to “Window Manager\Window Manager Group”. Because future versions of Windows may change the value again, we recommend not defining an explicit value and instead allowing the out-of-the-box default to remain in place. </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> The existing Threats and Countermeasures text for the privilege says, “It would be possible for malicious code to increase the process working set to a level that could severely degrade system performance and potentially cause a denial of service.” However, any process that does not have memory quotas applied to it can always allocate memory and then page it into the working set simply by accessing it. The “Increase…” privilege grants only the ability for a process to call certain APIs that request specific minimum and maximum working set sizes; however, even if the APIs report success, Windows does not guarantee that the request will be honored. Removing the privilege from Users can cause application compatibility problems for programs that expect to have the privilege, while providing no real security benefit. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> This change should be applied to all versions of Windows. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> Increase event log sizes on Windows client </B> : We are increasing the maximum log file sizes for the Application, Security and System event logs for Windows client to match the sizes for Windows Server. The log file sizes had been left at the default 20480 KB; we are changing them to 32768 KB for the Application and System event logs, and 196608 KB for the Security event log. It makes sense to take advantage of increasing storage to increase diagnostic and forensic capabilities. This change should be applied to all Windows client versions. 
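Several of the items above (the two deny-logon rights, the two privileges now left at their defaults, and the larger event log sizes) can be checked on a machine without a GPO report. The PowerShell below is an added example, not code from the original post or the baseline package: it exports the effective local security policy with secedit, parses the [Privilege Rights] section, confirms that Guests (S-1-5-32-546) and NT AUTHORITY\Local account (S-1-5-113) hold the two deny rights, lists who holds SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege so an explicit definition is visible, and compares the three log sizes with the values given above. It must run elevated; the sizes are this post's, and the Sept 2014 clarification linked above adjusts the deny-right recommendation, so treat those two checks as this post's version of it.

```powershell
# Added example, not part of the original post. Run elevated: secedit and the
# Security log metadata need administrative rights.

$ExpectedDenyRights = @{
    # Deny access to this computer from the network / Deny log on through RDS:
    # Guests (S-1-5-32-546) and "NT AUTHORITY\Local account" (S-1-5-113),
    # the latter defined on Win7/8/2008R2/2012 only once KB 2871997 is installed.
    SeDenyNetworkLogonRight           = @('S-1-5-32-546', 'S-1-5-113')
    SeDenyRemoteInteractiveLogonRight = @('S-1-5-32-546', 'S-1-5-113')
}
# The post recommends leaving these undefined; we only report their holders.
$LeaveAtDefault = @('SeChangeNotifyPrivilege', 'SeIncreaseWorkingSetPrivilege')

$ExpectedLogSizeBytes = @{
    Application = 32768KB
    System      = 32768KB
    Security    = 196608KB
}

function Get-LocalUserRights {
    # secedit exports the effective local policy as an INI-style Unicode file;
    # [Privilege Rights] lists each right as  Name = *SID,*SID,...
    $tmp = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $tmp) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
                $name = $matches[1]
                $sids = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
                $rights[$name] = $sids
            }
        }
        $rights
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

function Test-BaselineUserRights {
    $rights = Get-LocalUserRights
    foreach ($name in $ExpectedDenyRights.Keys) {
        $have = @($rights[$name])
        foreach ($sid in $ExpectedDenyRights[$name]) {
            [pscustomobject]@{ Right = $name; Check = "contains $sid"; Pass = ($have -contains $sid) }
        }
    }
    foreach ($name in $LeaveAtDefault) {
        [pscustomobject]@{ Right = $name; Check = 'holders: ' + (@($rights[$name]) -join ','); Pass = $null }
    }
}

function Test-BaselineEventLogSizes {
    foreach ($log in $ExpectedLogSizeBytes.Keys) {
        $actual = (Get-WinEvent -ListLog $log).MaximumSizeInBytes
        [pscustomobject]@{
            Log      = $log
            Expected = $ExpectedLogSizeBytes[$log]
            Actual   = $actual
            Pass     = ($actual -ge $ExpectedLogSizeBytes[$log])
        }
    }
}

Test-BaselineUserRights    | Format-Table -AutoSize
Test-BaselineEventLogSizes | Format-Table -AutoSize
```

A right that is absent from the export shows as no holders, which for SeChangeNotifyPrivilege would be the "removed Everyone and everything else" failure mode the post warns about; an explicit list that omits the default groups is the thing to look for there.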
</SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> Apply UAC restrictions to local accounts on network logons (LocalAccountTokenFilterPolicy) </B> : We are removing this setting from the Domain Controller baseline because it does not have meaning on domain controllers. It remains in the Windows client and Member Server baselines. </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> Access this computer from the network </B> : On Windows client, we are changing this from Administrators and Users to Administrators and Authenticated Users, to make it consistent with the Member Server baselines. This change does not have significant security implications. </SPAN> </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;"> <SPAN style="font-size:medium;"> <B> Specify the search server for device driver updates </B> : We are reverting this setting in Computer Configuration\Administrative Templates\System\Device Installation to “Not configured” because configuration is organization-specific and depends upon whether the organization has an internal server to host driver updates. </SPAN> </SPAN> </P> <BR /> <P> </P> </BODY></HTML> Tue, 18 Jun 2019 20:14:21 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/changes-in-the-security-guidance-for-windows-8-1-server-2012-r2/ba-p/701039 Aaron Margosis 2019-06-18T20:14:21Z Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 - FINAL https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baselines-for-windows-8-1-windows-server-2012-r2-and/ba-p/701038 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Aug 13, 2014 </STRONG> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Microsoft is pleased to announce the final release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11. 
Some of the highlights of the new security baselines (many of which we intend to backport to older versions of Windows and IE): </SPAN> </P> <BR /> <UL> <BR /> <LI> <BR /> <P> Use of new and existing settings to help block some Pass the Hash attack vectors; </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Recommendations to control the storage of plaintext-equivalent passphrases; </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Blocking the use of web browsers on domain controllers; </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines; </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Removal of the recommendation to enable "FIPS mode" (this is discussed in greater detail in&nbsp;this blog post: <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx" target="_blank"> Why We’re Not Recommending “FIPS Mode” Anymore </A> ); </P> <BR /> </LI> <BR /> <LI> <BR /> <P> Removal of almost all service startup settings, and all server role baselines that contain only service startup settings. </P> <BR /> </LI> <BR /> </UL> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Settings are provided as four separate sets of baselines, for the following configurations: Windows 8.1, Windows Server 2012 R2 Domain Controller, Windows Server 2012 R2 Member Server, and Internet Explorer 11. The attachment to this blog post includes scripts to apply those baselines to a computer’s local policy and GPO backups you can import into Active Directory Group Policy. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> There are a few changes between these recommendations and the beta version we released in April. 
We discuss those changes in more detail in two other blog posts: one about <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/08/13/changes-in-the-security-guidance-for-windows-8-1-server-2012-r2-and-ie11-since-the-beta.aspx" target="_blank"> most of the changes </A> , and another detailed post about the <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/08/13/configuring-account-lockout.aspx" target="_blank"> issues around account lockout recommendations </A> . </SPAN> </P> <BR /> <P> <STRONG> <EM> <SPAN style="font-family:Calibri;font-size:medium;"> [Update 2 September 2014: updated the guidance with a change to Member Server baseline and "Deny access to this computer from the network" setting. For more info, see <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/09/02/blocking-remote-use-of-local-accounts.aspx" target="_blank"> Blocking Remote Use of Local Accounts </A> .] <BR /> </SPAN> </EM> </STRONG> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> While we are preparing the content in the format used for inclusion in the Security Compliance Manager (SCM), we are making the baselines available as a <A href="#" original-url="http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-4062-00-00-03-63-59-73/Win81_2D00_WS2012R2_2D00_IE11_2D00_Baselines_2D00_FINAL.zip" target="_blank"> download package attached to this blog post </A> . 
The download includes a Word document describing various aspects of the changes from baselines for earlier versions of Windows and IE, a spreadsheet listing all the baseline settings&nbsp;and highlighting all the&nbsp;new and updated settings, Group Policy Objects (GPOs), scripts and utilities to import the full complement of settings into local group policy for evaluation and testing, a new custom ADMX to expose some important settings that aren't currently exposed by Windows as Group Policy settings, and WMI filters to ensure that GPOs are applied to appropriate systems. </SPAN> </P> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> Download and extract the attached "Win81-WS2012R2-IE11-Baselines-FINAL.zip". It contains the following folders: </SPAN> </P> <BR /> <UL> <BR /> <LI> <BR /> <P> <B> Documentation </B> : "Recommended Security Baseline Settings.docx" is a Word doc that categorizes and describes all the new and updated settings (you should probably start here); this folder also contains "SCM Windows 8.1 and 2012 R2 Settings.xlsx", an Excel spreadsheet that describes the full set of recommended settings. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> <B> Administrative Template </B> : an ADMX and (US English) ADML file surfacing some "pass the hash"-relevant settings through the Group Policy editor. (Note: the Local_Script folder contains scripts that install these files to the appropriate location.) </P> <BR /> </LI> <BR /> <LI> <BR /> <P> <B> GP Reports </B> : Group Policy reports formatted as HTML files (for those who prefer that format over Excel spreadsheets). </P> <BR /> </LI> <BR /> <LI> <BR /> <P> <B> GPOs </B> : Group Policy Object backups for the four separate sets of baselines described earlier. These can be imported into Active Directory Group Policy. 
</P> <BR /> </LI> <BR /> <LI> <BR /> <P> <B> Local_Script </B> : This directory contains three batch files that apply appropriate settings to the current machine: 81_Client_Install.cmd, 2012R2_DomainController_Install.cmd, and 2012R2_MemberServer_Install.cmd. </P> <BR /> </LI> <BR /> <LI> <BR /> <P> <B> WMI Filters </B> : This directory contains .MOF files that you can import into your Group Policy configuration to ensure that GPOs are applied only to the appropriate systems. </P> <BR /> </LI> <BR /> </UL> <BR /> <P> <SPAN style="font-family:Calibri;font-size:medium;"> We will follow up on this blog when the SCM cab files become available. </SPAN> </P> <BR /> <P> We would like to acknowledge and express our appreciation to the Center for Internet Security for their collaboration in the development of this guidance. </P> <BR /> <P> <A href="#" original-url="http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-4062-00-00-03-63-59-73/Win81_2D00_WS2012R2_2D00_IE11_2D00_Baselines_2D00_FINAL.zip" target="_blank"> Win81-WS2012R2-IE11-Baselines-FINAL.zip </A> </P> </BODY></HTML> Tue, 18 Jun 2019 20:14:17 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/security-baselines-for-windows-8-1-windows-server-2012-r2-and/ba-p/701038 Aaron Margosis 2019-06-18T20:14:17Z Why We’re Not Recommending “FIPS Mode” Anymore https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/why-we-8217-re-not-recommending-8220-fips-mode-8221-anymore/ba-p/701037 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TechNet on Apr 07, 2014 </STRONG> <BR /> <SPAN style="font-family: Calibri; font-size: medium; color: #ff0000;"> [Note added 3 Oct 2017 to clarify an occasional misinterpretation: <SPAN style="text-decoration: underline;"> at no point does this blog post recommend <EM> against </EM> using FIPS mode. 
</SPAN> As stated near the end of the post, " <SPAN> we’re not telling customers to turn it off – our recommendation is that it’s each customer’s decision to make. </SPAN> "] </SPAN> <BR /> <BR /> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> In <A href="https://gorovian.000webhostapp.com/?exam=b/secguide/archive/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11.aspx" rel="noopener noreferrer" target="_blank"> the latest review of the official Microsoft security baselines </A> for all versions of Windows client and Windows Server, we decided to remove our earlier recommendation to enable “FIPS mode”, or more precisely, the security option called “System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.”&nbsp; In our previous guidance we had recommended a setting of “Enabled”, primarily to align with US Federal government recommendations. In our updated guidance, the recommendation is “Not Defined”, meaning that we leave the decision to customers. Many people will correctly see this as a significant change, and it deserves explanation. </SPAN> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> The United States Federal Information Processing Standard (FIPS) 140 standard defines cryptographic algorithms approved for use by US Federal government computer systems for the protection of sensitive data. An implementation of an approved cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed National Institute of Standards and Technology (NIST) validation. A particular implementation of an algorithm that has not been submitted cannot be considered FIPS-compliant even if it produces identical data as a validated implementation of the same algorithm. Note that the requirement to use approved and validated algorithms applies only to the protection of sensitive data. 
Systems and applications are always free to use weak or non-validated cryptographic implementations for non-security purposes, such as in a hash table for indexing and lookup purposes. </SPAN> <BR /> <H2> <SPAN style="color: #2e74b5; font-family: Calibri Light;"> What FIPS mode does </SPAN> </H2> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. An example is Schannel, which is the system component that provides SSL and TLS to applications. When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards. Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0. (Note that the same results can be achieved without FIPS mode by configuring Schannel according to </SPAN> <A href="#" target="_blank"> <SPAN style="color: #0563c1; font-family: Calibri; font-size: medium;"> KB 245030 </SPAN> </A> <SPAN style="font-family: Calibri; font-size: medium;"> and </SPAN> <A href="https://gorovian.000webhostapp.com/?exam=b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx" target="_blank"> <SPAN style="color: #0563c1; font-family: Calibri; font-size: medium;"> this blog post </SPAN> </A> <SPAN style="font-family: Calibri; font-size: medium;"> .) </SPAN> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms. (More on this later, under “Why FIPS mode is particularly onerous.”) </SPAN> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> A more complete listing of the effects of enabling FIPS mode can be found in </SPAN> <A href="#" target="_blank"> <SPAN style="color: #0563c1; font-family: Calibri; font-size: medium;"> KB 811833 </SPAN> </A> <SPAN style="font-family: Calibri; font-size: medium;"> . 
</SPAN> <BR /> <H2> <SPAN style="color: #2e74b5; font-family: Calibri Light;"> What FIPS mode does not do </SPAN> </H2> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> Beyond the effects described above, FIPS mode is merely advisory to applications. Applications that do not check or choose to ignore the registry setting associated with FIPS mode and that are not dependent on the subsystems described earlier will continue to work exactly as they had with FIPS mode disabled. For example, a Win32 application – or third party disk encryption software – written in C++ that uses the very weak and non-FIPS-approved DES encryption algorithm exposed by the CryptoAPI will behave exactly the same whether FIPS mode is enabled. </SPAN> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> Further, FIPS mode does not and cannot ensure that applications even use encryption at all when appropriate. There is nothing Windows can do to prevent an application from saving plaintext passwords or other sensitive data in unprotected files or registry values. The bottom line here is that just because a software product works when FIPS mode is enabled does not mean that it adheres to government standards. </SPAN> <BR /> <H2> <SPAN style="color: #2e74b5; font-family: Calibri Light;"> Why FIPS mode is particularly onerous </SPAN> </H2> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> Perhaps the biggest problems incurred by enabling FIPS mode involve applications that use the .NET Framework. If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved. 
</SPAN> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> For example, the .NET Framework currently provides three implementations of the SHA256 hashing algorithm: SHA256Cng, SHA256CryptoServiceProvider, and SHA256Managed. The first two use “platform invoke” (a.k.a., “p/invoke”) to use Windows’ underlying implementations, which are FIPS-validated. By contrast, SHA256Managed, like all the other crypto classes ending with “Managed”, is implemented strictly in .NET managed code and doesn’t use the underlying platform implementations. Although it is an acceptably strong hashing algorithm for most uses, the Managed implementations have never been submitted to NIST for validation. And so if an application tries to use this class and FIPS mode is enabled, the Framework will raise an exception and not allow the class to be used; this exception will almost always cause the application to fail, if not terminate immediately. </SPAN> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> Compounding the problem is that in most cases the Managed implementations of the various cryptographic algorithms have been available much longer than their Cng and CryptoServiceProvider counterparts, and on top of that, the Managed implementations tend to be significantly faster. </SPAN> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. That blocked use of the BitLocker Drive Encryption feature that stored a computer’s 48-digit recovery password to Active Directory. Using the relatively new standard for password-based key derivation functions, this is no longer a problem with Windows 8.1 and Windows Server 2012 R2, but it remains a problem for older versions of Windows. 
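The .NET behaviour described above, and the earlier note that the Schannel effect of FIPS mode can be had without it, are both easy to see on a test machine. The PowerShell below is an added example, not code from the original post: it reads the FIPS policy value and the Framework's view of it, tries the three SHA256 classes named above and reports which one fails, and shows the state of the Schannel SSL 2.0 / 3.0 protocol keys that KB 245030 describes. It assumes Windows PowerShell (the .NET Framework); PowerShell 7 on .NET Core does not enforce the FIPS policy on the Managed classes, so the Managed test would not throw there.

```powershell
# Added example, not part of the original post. Run under Windows PowerShell
# (the .NET Framework). PowerShell 7 / .NET Core does not enforce the FIPS
# policy on the Managed classes, so the Managed test would not throw there.

function Get-FipsPolicyState {
    # The "Use FIPS compliant algorithms" security option writes this DWORD
    # (Vista and later); CryptoConfig reports whether the Framework honours it.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $v = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryEnabled     = ([int]$v -eq 1)
        DotNetAllowOnlyFips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-Sha256Implementations {
    # Cng and CryptoServiceProvider p/invoke the validated platform code;
    # Managed is pure .NET and is the one that throws under FIPS mode.
    $data = [Text.Encoding]::UTF8.GetBytes('abc')
    foreach ($type in 'SHA256Cng', 'SHA256CryptoServiceProvider', 'SHA256Managed') {
        try {
            $h = New-Object "System.Security.Cryptography.$type"
            $hex = ($h.ComputeHash($data) | ForEach-Object { $_.ToString('x2') }) -join ''
            $h.Clear()
            [pscustomobject]@{ Type = $type; Usable = $true;  Detail = $hex }
        } catch {
            [pscustomobject]@{ Type = $type; Usable = $false; Detail = $_.Exception.GetBaseException().Message }
        }
    }
}

function Get-SchannelLegacyProtocolState {
    # The same SSL 2.0 / 3.0 outcome FIPS mode gives Schannel can be set
    # directly through these protocol keys (the KB 245030 mechanism). A missing
    # value means the OS default for that protocol and side applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
        foreach ($side in 'Server', 'Client') {
            $props = Get-ItemProperty -Path (Join-Path $base "$proto\$side") -ErrorAction SilentlyContinue
            $enabled = '(default)'; $disabledByDefault = '(default)'
            if ($props -and $props.PSObject.Properties['Enabled'])           { $enabled = $props.Enabled }
            if ($props -and $props.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $props.DisabledByDefault }
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; DisabledByDefault = $disabledByDefault }
        }
    }
}

Get-FipsPolicyState
Test-Sha256Implementations      | Format-Table -AutoSize
Get-SchannelLegacyProtocolState | Format-Table -AutoSize
```

With FIPS mode off, all three classes return the same digest for the input, which is the point of the post's remark that the Managed implementation is algorithmically identical; with it on, SHA256Managed fails with the InvalidOperationException the post describes while the other two keep working. Setting Enabled to 0 under the SSL 2.0 and SSL 3.0 Server keys gives the Schannel result without the .NET side effects.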
</SPAN> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards. </SPAN> <BR /> <H2> <SPAN style="color: #2e74b5; font-family: Calibri Light;"> Is Microsoft contradicting government regulations? </SPAN> </H2> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows. Our updated recommendations do not contradict or conflict with government guidance: we’re not telling customers to turn it off – our recommendation is that it’s each customer’s decision to make. Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode. </SPAN> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> </SPAN> <BR /> <H2> <SPAN style="color: #2e74b5; font-family: Calibri Light;"> References: </SPAN> </H2> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> FIPS 140 Evaluation <BR /> </SPAN> <A href="#" target="_blank"> <SPAN style="color: #0563c1; font-family: Calibri; font-size: medium;"> http://technet.microsoft.com/en-us/library/cc750357.aspx </SPAN> </A> <BR /> <BR /> <SPAN style="font-family: Calibri; font-size: medium;"> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows <BR /> </SPAN> <A href="#" target="_blank"> <SPAN style="color: #0563c1; font-family: Calibri; font-size: medium;"> http://support.microsoft.com/kb/811833 </SPAN> </A> </BODY></HTML> Tue, 18 Jun 2019 20:14:11 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-baselines/why-we-8217-re-not-recommending-8220-fips-mode-8221-anymore/ba-p/701037 Aaron Margosis 
2019-06-18T20:14:11Z