Microsoft Security Baselines topics Microsoft Security Baselines topics Sat, 23 Oct 2021 10:25:44 GMT Security-Baselines 2021-10-23T10:25:44Z How to integrate Security baselines settings in my Windows 10 laptop <P>Hi,</P><P>&nbsp;</P><P>I ran the policy analyzer with the GPO's imported. I can see grey and yellow cells highlighted.</P><P>how to incorporate the baselines settings into my Laptop.</P><P>&nbsp;</P><P>I cannot find local group policy management in Windows 10 version&nbsp; 21H1 version laptop.</P><P>&nbsp;</P><P>Thank you!</P> Mon, 27 Sep 2021 00:10:39 GMT Anusha_Sama 2021-09-27T00:10:39Z Which script (s) to run.. <P>Hello,</P><P>I'm new to this and noticed that in the scripts folder there is a local install one and a AD one. My logic is that I don't need to install both.&nbsp; The AD one if I want to control the servers from AD or the local one if local control is desired. Please let me know what your experience&nbsp; is:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hello105_0-1632696817334.png" style="width: 400px;"><img src=";px=400" role="button" title="hello105_0-1632696817334.png" alt="hello105_0-1632696817334.png" /></span></P><P>&nbsp;</P> Mon, 27 Sep 2021 14:17:42 GMT hello105 2021-09-27T14:17:42Z Microsoft Edge 93 GPO missing settings <P>Hello,</P><P>I'm trying to update my GPOs with the new settings for Microsoft Edge but some of the settings are not on the GPO. 
I confirmed that I have the latest ADM and ADMX files on the Sysvol and downloaded again the template from May for W10 21H1 and the new templates&nbsp; and got some of the settings to display but there is a couple that are still missing.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MSEdge.PNG" style="width: 783px;"><img src=";px=999" role="button" title="MSEdge.PNG" alt="MSEdge.PNG" /></span></P> Tue, 21 Sep 2021 16:27:29 GMT pedro_salazar2350 2021-09-21T16:27:29Z M365 Registry Entries Location <P>Moving to Microsoft baselines since CIS has apparently stopped developing baselines for Office.&nbsp; But looking at the M365-2104 GPOs, it appears the registry location for Office 365 is the same as Office 2016 so now I am not sure.&nbsp; I would have thought the registry location for settings for M365 would be independent of Office releases or on par with Office 2019.&nbsp; So every M365 app will still use 2016 registry locations going forward?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 10 Sep 2021 20:01:56 GMT EddieRowe 2021-09-10T20:01:56Z Win2019 standalone baseline testing (lab) <P>Hello,</P><P>&nbsp;</P><P>I'm running a Win2019 Core lab instance where I'm experimenting with the application of an SCT baseline to harden the system. The use case for the production rollout would be for an standalone Internet facing web server, so I'd like to ensure that I've done my best to prep it for exposure. The lab 2019 instance is running in Hyper-V and has been fully patched.</P><P>&nbsp;</P><P>-) Any recommendations on running the PolicyAnalyzer on a server running Core? I can execute the PolicyAnalyzer software from the server CLI console, but I think that, since Windows Explorer isn't available, certain key aspects of the tool become unusable (Example: when I try to select a directory for Policy Templates, the directory/location selection area is blank and I cannot select an alternate directory. 
See screenshot)</P><P>&nbsp;</P><P>-) When running the Baseline installation PS script, there is an error message that is displayed during the installation:</P><P>&nbsp;</P><P>-----</P><P>Installing Exploit Protection settings...<BR />Set-ProcessMitigation : Unable to load DLL 'MitigationConfiguration.dll': The specified module could not be found.<BR />(Exception from HRESULT: 0x8007007E)<BR />At C:\sct\Windows 10 Version 1809 and Windows Server 2019 Security Baseline\Local_Script\BaselineLocalInstall.ps1:250<BR />char:1<BR />+ Set-ProcessMitigation -PolicyFilePath $rootDir\ConfigFiles\EP.xml<BR />+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<BR />+ CategoryInfo : NotSpecified: (:) [Set-ProcessMitigation], DllNotFoundException<BR />+ FullyQualifiedErrorId : System.DllNotFoundException,Microsoft.Samples.PowerShell.Commands.SetProcessMitigationsC<BR />ommand</P><P>-----</P><P>&nbsp;</P><P>Is there any way to understand what this error is and why it is occurring?</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>T.</P> Thu, 02 Sep 2021 08:15:44 GMT Mughal1 2021-09-02T08:15:44Z M365 security recommendations on Block-Listed domain <P>Don't know if this is the correct place to post my question, but here we go.</P><P>I'm busy on baselining some tenants for customers and I'm struggling with the allow-listing and block-listing of domains to allow sharing and collaborating.</P><P>&nbsp;</P><P>Allow-listing all the domains is quite impossible due to the nature of the business, but at least we should be able to block-list certain domains.</P><P>&nbsp;</P><P>To do so, I'm trying to find a list of domains which are untrustworthy, and which should definitely be blocked. 
This as an alternative solution....<BR /><BR /></P><P>In the meantime I'm also building the allow-list, as I know this should be the way to go off course&nbsp;<img class="lia-deferred-image lia-image-emoji" src="" alt=":smile:" title=":smile:" /></P><P>&nbsp;</P><P>Any help is welcome, or some feedback from peers who went through the same experience.</P><P>&nbsp;</P><P>Thanks already!</P> Wed, 23 Jun 2021 07:38:05 GMT Matthias Vandenberghe 2021-06-23T07:38:05Z Defender's Group Policy Setting for "Network Protection" <P>I recently began implementing the 21H1 security baselines on a Win 10 Pro workstation.&nbsp; After implementing the group policy setting for "Network Protection" in Defender (Set-MpPreference -EnableNetworkProtection Enabled), I found that GoToMyPC (current version v3161) no longer connects properly.&nbsp; The connection hangs on "Connecting to Host."&nbsp; Reported the bug to LogMeIn support, but no resolution yet.&nbsp;</P><P>&nbsp;</P><P>Has anyone encountered this, and/or found a way to exclude an app, while allowing the "Network Protection" to remain on?</P> Thu, 03 Jun 2021 02:52:35 GMT rdolph 2021-06-03T02:52:35Z Baseline rules <P>Hello,</P><P>I started working with security compliance toolkit and noticed that the number of rules listed in the xlsx file is different from what is listed in the .PolicyRules file. Could you please explain what is the difference between these files or rules? (is there a difference between the policy and baseline terms used by the toolkit)</P><P>Also is there anyway to download all policy rules in a standard format such as xml or oval, SCAP?</P><P>Thanks.</P><P>&nbsp;</P> Thu, 27 May 2021 17:51:48 GMT fatemk 2021-05-27T17:51:48Z Baselines in SCAP/Nessus audit format Are the latest Windows 10 baselines available in a format that can be ingested by Nessus for compliance checking? SCAP? I know these used to be available from Nessus directly but have since been removed. 
Mon, 17 May 2021 04:44:34 GMT Ryan Means 2021-05-17T04:44:34Z Tamper protection Microsoft Endpoint Protection Defender for Endpoint Security Baseline <DIV>Why is Tamper Protection not enabled in the Microsoft Endpoint Manager Security Baseline for Defender for Endpoint? It should be enabled in my opinion</DIV> Wed, 12 May 2021 05:54:26 GMT guidovbrakel 2021-05-12T05:54:26Z Security baseline for Microsoft 365 Apps for enterprise v2104 - FINAL in Endpoint Manager <P>Hi</P><P>Why is the&nbsp;Security baseline for Microsoft 365 Apps for enterprise v2104 - FINAL not yet avaiable in Endpoint Manager, I can't find it. Is there an expected timeline that this baseline will be added to Endpoint Manager/Intune?</P> Mon, 03 May 2021 11:46:12 GMT guidovbrakel 2021-05-03T11:46:12Z REG_MULTI_SZ are not imported properly <P>Hi,</P><P>&nbsp;</P><P>Just wanted to check if I was doing something wrong, or if I hit a (hopefully known) bug :</P><P>&nbsp;</P><P>When I export a LGPO backup (generated with LGPO.exe /b) as a PolicyRules file (using the GPO2PolicyRules.exe binary), multi-lines registry (REG_MULTI_SZ) values are exported with \0 delimiter, but are not imported back with line breaks.</P><P>&nbsp;</P><P>A practical example: I do want to change the ECC curves preferred order on my systems, and I use the related GPEdit entry to change it. The setting is exported correctly in the PolicyRules file, but upon re-import (using LGPO.exe /p), the value is imported as a single-line string (see attached screnshots, I believe it does speak for itself :))</P><P>&nbsp;</P><P>Is it a known behavior, and is there a workaround for it ? Thanks !</P> Thu, 29 Apr 2021 14:03:03 GMT Harvester 2021-04-29T14:03:03Z Missing security parameters using the Baseline-LocalInstall.ps1 script <P>Hello,</P><P>&nbsp;</P><P>&nbsp; &nbsp; &nbsp; I have a machine that is running windows 10 and it is not connected to a domain, so I applied the Microsoft Baseline security for windows 10 v2004. 
I applied the&nbsp;Microsoft Baseline security using the script "Baseline-LocalInstall.ps1" using the parameter "Win10NonDomainJoined". The script ran successfully with no errors.&nbsp;</P><P>&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp;However, when I ran the policy&nbsp;PolicyAnalyzer I discovered that few of the security parameters were not applies, as shown below:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-04-07 093644.jpg" style="width: 400px;"><img src=";px=400" role="button" title="Screenshot 2021-04-07 093644.jpg" alt="Screenshot 2021-04-07 093644.jpg" /></span></P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; When selecting the Microsoft baseline security for the PolicyAnalyzer, I selected the following:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-04-07 094916.jpg" style="width: 400px;"><img src=";px=400" role="button" title="Screenshot 2021-04-07 094916.jpg" alt="Screenshot 2021-04-07 094916.jpg" /></span></P><P>&nbsp;</P><P>Why the missing security parameters not set using the&nbsp;"Baseline-LocalInstall.ps1" script? do I have to run another script to set the missing paraments?</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanking you</P><P>&nbsp;</P><P>Best regards&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp;</P> Wed, 07 Apr 2021 06:59:19 GMT sharkee 2021-04-07T06:59:19Z i cant update microsoft security compliance manager after i installed it <P>Hi everyone. hope you can help. im trying to use microsoft security compliance manager but after i installed it, i cant update it. it says "please check your internet connection, the remote server return an error (404)". i have internet connection no problem, but this error keep on and on and i cant update. 
thanks.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (1).png" style="width: 999px;"><img src=";px=999" role="button" title="Screenshot (1).png" alt="Screenshot (1).png" /></span></P> Tue, 23 Feb 2021 06:40:41 GMT brian2529 2021-02-23T06:40:41Z Policy Analyzer Windows is not showing correctly <P>Dear all,</P><P>&nbsp;</P><P>somehow the Policy Analyzer window is not showing correctly and cut. Not sure what to do about that?!</P><P>Resizing and in Fullscreen there is no difference. It wouldn't be a problem but I cannot select the PolicyRules.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="helo86_0-1614002782060.jpeg" style="width: 400px;"><img src=";px=400" role="button" title="helo86_0-1614002782060.jpeg" alt="helo86_0-1614002782060.jpeg" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Feb 2021 14:08:28 GMT helo86 2021-02-22T14:08:28Z SQL Server 2016 unable to use internal authentication for maintenance <P>Dear community,</P><P>&nbsp;</P><P>after intergration of current security baseline on our 2019 servers i noticed that the SQL Server 2016 is running and useable, but unable to run any maintenance plan. I am able to login with sql server management studio 18.8 and SA account, but when starting the maintenance plan fails instantly and the SA account get locked for at least 10 minutes. I can repeat this behaviour every time. When i remove the secutity baseline settings everything runs without any issue. It is a bit frighten me that i have to check all +4000 Settings to find the cause. May you have a hint for me to find the setting that cause the error? 
Or maybe anyone had the same issue and know the exact cause?</P><P>&nbsp;</P><P>Thank you!</P> Wed, 27 Jan 2021 09:23:30 GMT JAG72 2021-01-27T09:23:30Z DFSR Replication broken after applying MSFT Windows Server 20H2 - Domain Controller Baseline <P>Hi,</P><P>&nbsp;</P><P>I did apply the&nbsp;MSFT Windows Server 20H2 - Domain Controller Baseline to my test enviromnent. All clients are fully functional. I added a new Domain Controller to the environment and the SYSVOL Replication won´t start.&nbsp;<BR /><BR />Access to \\mydom.tld\sysvol from this new DC is fully functional, nltest /sc_query succesfull.<BR />Network Security LDAP requirements for clients&nbsp; is set to negotiate. DomainController is set to None</P><P><BR />Any help appreciated,<BR />Mark</P> Thu, 21 Jan 2021 13:17:44 GMT gruppenrichtlinien 2021-01-21T13:17:44Z Windows 2012 R2 and SQL 2014 SP2 Security Baseline & Compliance Automation <P>Hi Guys - Looking for a most feasible option to fetch/pull, collect Security Related configuration and settings from Microsoft Windows 2012 R2 and SQL Server 2014 SP2 using an automated mechanism.</P><P>&nbsp;</P><P>Our solution needs to connect to one or multiple windows servers using a local agent (micro services based docker) installed on a VM on-prem, collect the data using API/SSH then upload that data to our cloud controller for analysis/ML models and display the output on a dashboard</P><P>&nbsp;</P><P>These are the three options that we have identified so far for evaluation and looking for some guidance:</P><P>&nbsp;</P><P>1)&nbsp;<A href="#" target="_blank" rel="noopener noopener noreferrer"></A>&nbsp; - This runs on local machine only (no API available?)</P><P>2)&nbsp;<A href="#" target="_blank" rel="noopener noopener noreferrer"></A></P><P>3)&nbsp;<A href="#" target="_blank" rel="noopener noopener noreferrer"></A></P><P>&nbsp;</P><P>Can someone here help with pointers which one is most suitable to accomplish the task as outlined above OR suggest a better 
option.</P><P>&nbsp;</P><P>Thanks in advance!</P> Mon, 11 Jan 2021 23:21:38 GMT Saeed_A480 2021-01-11T23:21:38Z When to use additional security policies <P>Are there any rules of thumb or guidelines about when an organization should create additional security policies in Endpoint manager after the Baselines have been implemented. i.e. what are the scenarios in which the baselines are not sufficient and additional configuration is recommended?</P> Mon, 21 Dec 2020 15:39:40 GMT Dean Gross 2020-12-21T15:39:40Z More exhaustive list than "Top 10 ways to secure Microsoft 365" <P>Dear community,</P><P>&nbsp;</P><P>is there a more exhaustive and detailed checklist than Microsoft's security baseline?&nbsp;<A href="#" target="_blank" rel="noopener"></A></P><P>&nbsp;</P> Fri, 11 Dec 2020 09:17:35 GMT Kiril Valev 2020-12-11T09:17:35Z Windows Server 2016/2019 SCT Baseline vs. Exchange Server 2016/2019 <P>Hi,</P><P>&nbsp;</P><P>I tried to find blog without any results. Is there any knows issues or settings on Windows Server 2016/2019 SCT Baselines, which generates problems on Exchange Server 2016/2019?</P><P>&nbsp;</P><P>Somebody had problem with Health Service which was went to Unknown state 0x6ba (RPC Server Unavailable) after applied Windows Server 2016 SCT Baseline to Exchange Server 2016.</P> Wed, 09 Dec 2020 10:21:49 GMT Heino_Pasi 2020-12-09T10:21:49Z Baseline with VBS disabled due to massive performance hit. <P>I'm currently evaluating the Baseline for our 2019 servers. One thing that just created massive performance issues was VBS. With it enabled, the most basic things started to slow to a crawl, such as opening the Windows Explorer or IE11. After manually disabling VBS we gained a 40% performance boost.</P><P>&nbsp;</P><P>My suggestion is to make VBS entirely optional. Opposed to all other settings in the baseline, VBS does rely heavily on hardware support and comes with a performance hit. 
The way the baseline is designed, it's currently quite complicated to opt-out of VBS.</P> Tue, 08 Dec 2020 06:51:47 GMT Daniel Niccoli 2020-12-08T06:51:47Z Baseline throws a silent error. Suggestion for a quick fix in BaselineLocalInstall.ps1 <P>Hi,</P><P>&nbsp;</P><P>the BaselineLocalInstall.ps1 in SCT 1.0 for Server 2019 throws a silent error under certain circumstances that is added to the error variable. Responsible is line 147:</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P><STRONG><SPAN>if</SPAN><SPAN>&nbsp;(</SPAN><SPAN>$null</SPAN><SPAN>&nbsp;-eq&nbsp;(</SPAN><SPAN>Get-Command</SPAN><SPAN>&nbsp;</SPAN><SPAN>LGPO.exe</SPAN><SPAN>&nbsp;-ErrorAction&nbsp;SilentlyContinue))</SPAN></STRONG></P><P>&nbsp;</P><P><SPAN>When the script runs successful, this is the only error in $Error. Since $Error is currently the only way to check whether the baseline script ran successful or not, this causes an issue.</SPAN></P><P>&nbsp;</P><P><SPAN>The fix is simple, however. Please replace the error action with <STRONG>Ignore</STRONG>.</SPAN></P><P>&nbsp;</P><P><SPAN><STRONG>if&nbsp;($null&nbsp;-eq&nbsp;(Get-Command&nbsp;LGPO.exe&nbsp;-ErrorAction&nbsp;Ignore))</STRONG></SPAN></P><P>&nbsp;</P><P><SPAN>This acts like SilentlyContinue but does not add the error to the $Error variable, and if the script ran successful $Error will be empty.</SPAN></P><P>&nbsp;</P> Thu, 03 Dec 2020 05:06:58 GMT Daniel Niccoli 2020-12-03T05:06:58Z How to detect whether BaselineLocalInstall.ps1 finished successfully? <P>I'm invoking&nbsp;BaselineLocalInstall.ps1 as part of my automated server deployment. I need to detect if it ran successfully and without errors, or if it failed. 
The script doesn't return a status code, nor any output that let's me know whether the script completed successfully or failed.</P><P>&nbsp;</P><P>What's the best way to check if the script ran successfully, so I can decide if the VM is safe to be deployed, or needs to be destroyed?</P> Tue, 24 Nov 2020 12:40:24 GMT Daniel Niccoli 2020-11-24T12:40:24Z PolicyAnalyzer GUI discrepancy? <P>My primary work laptop is running Win10 with Hyper-V.&nbsp; I have a main "Win10-Work" instance that I use for work related activities (email, interacting with work resources, VPN, etc.) and I spin up other instances ad-hoc for testing/evaluating/lab.</P><P>&nbsp;</P><P>I continue to perform some evaluation work of the SCT and recently, I've noticed a discrepancy between when I run a relatively recent version of the PolicyAnalyzer GUI tool between my work Win-10 instance vs a lab instances.&nbsp; See the attached screenshot - when running the PolicyAnalyzer in my Win-10 instance, I see all the relevant content/fields of the PolicyAnalyzer GUI tool (the left running instance in the screenshot).</P><P>&nbsp;</P><P>In the right running instance in the screenshot (which is a vanilla Windows 2016 standard instance, patched with the latest OS updates), the bottom of the PolicyAnalyzer tool seems to be "cut off" - I can't see the line options for "Policy Rule sets in" nor "Policy Definitions in".</P><P>&nbsp;</P><P>Does anyone have any insight as to why those options aren't showing up?</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>T.</P> Fri, 20 Nov 2020 20:09:57 GMT Mughal1 2020-11-20T20:09:57Z SCT installation - standalone Windows 2019 server? 
<P>Anyone try installing the SCT baseline on a standalone instance of Win2019?&nbsp; When I try the install of the baseline on the host and reboot, I get punted to the repair window at boot.&nbsp; Does anyone know how to perform the standalone install without incurring a boot repair?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="20201115 - SCT install Win2019 error on boot.png" style="width: 614px;"><img src=";px=999" role="button" title="20201115 - SCT install Win2019 error on boot.png" alt="20201115 - SCT install Win2019 error on boot.png" /></span></P><P>&nbsp;</P><P>Process summary (install via Hyper-V lab):</P><UL><LI>Install Windows 2019 (w/desktop experience)<UL><LI>2GB RAM</LI><LI>127GB disk</LI><LI>2 vCPU</LI></UL></LI><LI>Copy SCT component to the new Win2019 VM (in c:\temp) and extract<UL><LI></LI><LI></LI><LI>Windows 10 Version 1809 and Windows Server 2019 Security</LI></UL></LI><LI>Copy the LGPO.exe binary to the baseline Local_Script/Tools dir</LI><LI>Open an admin powershell window, navigate to the appropriate baseline dir, run the installer script with the appropriate standalone switch<UL><LI>BaselineLocalInstall.ps1 -WS2019NonDomainJoined</LI></UL></LI><LI>Once the installation of the system modifications are complete, reboot</LI></UL><P>Any suggestions would be appreciated.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>T.</P> Sun, 15 Nov 2020 20:37:38 GMT Mughal1 2020-11-15T20:37:38Z Beginner Question - Why is there a baseline for every version and type? <P>Hi everyone,</P><P>&nbsp;</P><P>i am currently double checking my settings against the baseline (2012R2 DC) and i am just curious why there is not one "DC baseline".</P><P>&nbsp;</P><P>There may be new features incoming with each new server OS. 
But if i configure it on a Win2kR2 DC - it will just ignore it as there is no program that will read this reg key.</P><P>Same with Win10 - if there is the newest security setting out but only affects 1909+ - the older OS will ignore it.</P><P>&nbsp;</P><P>So bottom-line i do not understand why it is separated by OS instead of just the roles (member server, dc, client,..)</P><P>I would assign the newest baseline for the domain controller to the OU "Domain Controllers" without the WMI filter - in my understanding that cannot break anything because of the older OS in this OU?&nbsp;</P><P>&nbsp;</P><P>Best regards</P><P>Stephan</P><P>&nbsp;</P> Wed, 04 Nov 2020 10:07:36 GMT StephanGee 2020-11-04T10:07:36Z Security baseline in my LGPO is gray out. I can’t edit it I applied the security baseline to my non-domain joined windows 10 machine. Using this command .\Baseline-LocalInstal.ps1.<BR />After I applied it. I wanted to disable to some policies in my local gpo but it’s all grayed out.<BR /><BR />Please help, i need to disable some policies that the security baseline enabled.<BR /><BR />Kindly give me guidance or link. Thanks Sun, 01 Nov 2020 12:36:11 GMT fresh23434 2020-11-01T12:36:11Z Baseline settings for VMs <P><SPAN>Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Which baseline settings are not recommended for VM's?</SPAN></P> Tue, 27 Oct 2020 16:46:28 GMT Lindspea 2020-10-27T16:46:28Z Edge Baseline for Computer Settings Only? <P>thank you for your work providing the Edge baselines as part of the Security Compliance Toolkit.</P><P>&nbsp;</P><P>I notice in the zip the computer baseline is provided for import, but not a user one, as with other baselines MS supply. 
How come there is no user baseline?</P> Wed, 14 Oct 2020 10:48:08 GMT divadiow 2020-10-14T10:48:08Z Microsoft Baseline Security for windows 10 v2004 <P>Hello,</P><P>&nbsp;</P><P>&nbsp; &nbsp;I have a group of PCs that are under a separate active directory OU, that are running windows 10 v2004. I would like to apply on these PCs the Microsoft baseline security, my question is that the baseline security for windows 10 v2004 comes with 11 policies (listed below):</P><P>&nbsp;</P><P><FONT size="1 2 3 4 5 6 7">1. MSFT Internet Explorer 11 - Computer</FONT><BR /><FONT size="1 2 3 4 5 6 7">2. MSFT Internet Explorer 11 - User</FONT><BR /><FONT size="1 2 3 4 5 6 7">3. MSFT Windows 10 2004 - BitLocker</FONT><BR /><FONT size="1 2 3 4 5 6 7">4. MSFT Windows 10 2004 - Computer</FONT><BR /><FONT size="1 2 3 4 5 6 7">5. MSFT Windows 10 2004 - User</FONT><BR /><FONT size="1 2 3 4 5 6 7">6. MSFT Windows 10 2004 and Server 2004 - Defender Antivirus</FONT><BR /><FONT size="1 2 3 4 5 6 7">7. MSFT Windows 10 2004 and Server 2004 - Domain Security</FONT><BR /><FONT size="1 2 3 4 5 6 7">8. MSFT Windows 10 2004 and Server 2004 Member Server - Credential Guard</FONT><BR /><FONT size="1 2 3 4 5 6 7">9. MSFT Windows Server 2004 - Domain Controller Virtualization Based Security</FONT><BR /><FONT size="1 2 3 4 5 6 7">10. MSFT Windows Server 2004 - Domain Controller</FONT><BR /><FONT size="1 2 3 4 5 6 7">11. MSFT Windows Server 2004 - Member Server</FONT></P><P>&nbsp;</P><P>Do I have to apply all the baseline security policies to the OU? or only the windows 10 ones, such as :</P><P>&nbsp;</P><P><FONT size="1 2 3 4 5 6 7">1. MSFT Internet Explorer 11 - Computer</FONT><BR /><FONT size="1 2 3 4 5 6 7">2. MSFT Internet Explorer 11 - User</FONT><BR /><FONT size="1 2 3 4 5 6 7">3. MSFT Windows 10 2004 - BitLocker</FONT><BR /><FONT size="1 2 3 4 5 6 7">4. MSFT Windows 10 2004 - Computer</FONT><BR /><FONT size="1 2 3 4 5 6 7">5. MSFT Windows 10 2004 - User</FONT><BR /><FONT size="1 2 3 4 5 6 7">6. 
MSFT Windows 10 2004 and Server 2004 - Defender Antivirus</FONT><BR /><FONT size="1 2 3 4 5 6 7">7. MSFT Windows 10 2004 and Server 2004 - Domain Security</FONT><BR /><FONT size="1 2 3 4 5 6 7">8. MSFT Windows 10 2004 and Server 2004 Member Server - Credential Guard</FONT></P><P>&nbsp;</P><P>Also, what should be the lining order of the policies?&nbsp;</P><P>&nbsp;</P><P>Thanking you</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 13 Sep 2020 09:00:09 GMT sharkee 2020-09-13T09:00:09Z Applying the SCT to standalone hardened systems? <P>I'm experimenting with the use of the SCT to speed up the hardening process for "elevated risk" servers for my company, such as systems residing within an Internet DMZ.&nbsp; My tests are currently relegated to the use of Windows 2016.</P><P>&nbsp;</P><P>In my environment, the DMZ placed systems would likely be standalone and not members of any domain.&nbsp; The SCT for Win10/Win2016 includes three main processing scripts for the application of the relevant GPO content to the targeted system:</P><P>&nbsp;</P><P>-) Client_Install.cmd</P><P>-) Domain_Controller_Install.cmd</P><P>-) Member_Server_Install.cmd</P><P>&nbsp;</P><P>Is there any guidance as to which particular processing script I should use for my standalone application on the target system?&nbsp; None of the "names" for the processing scripts above exactly match my scenario.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tariq</P> Thu, 10 Sep 2020 22:37:09 GMT Mughal1 2020-09-10T22:37:09Z Unsafe font block in windows <P>one of my windows admin say we should not use unsafe font like opensans</P><P>&nbsp;</P><P>by mentioning the following article</P><P>&nbsp;</P><P><A href="#" target="_blank"></A></P><P>&nbsp;</P><P>but in MSForum it is says that setting is dropped</P><P>&nbsp;</P><P><A href="" target="_blank"></A></P><P>&nbsp;</P><P>which is correct ?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 09 Sep 2020 08:27:41 GMT 
shivashankars 2020-09-09T08:27:41Z Learning tutorials on working with Security and compliance toolkit <P>Looking for materials on how to use the Security and Compliance toolkit.&nbsp; New to it, and now sure how to proceed.&nbsp; Can't find anything on the internet or learning materials of any kind at book stores as well.&nbsp; Any and all assistance it greatly appreciated.&nbsp; Thank you,</P><P>Tom</P> Thu, 27 Aug 2020 19:13:51 GMT thomaswdonovanjr 2020-08-27T19:13:51Z MS Security Baselines vs CIS Benchmarks vs DoD STIGs <P>I am trying to understand the differences between these sources for secure configuration of a Windows 10 machine and why someone would choose one over the other. I figured I would ask the community if there is a good source I am overlooking before trying to sift through thousands of settings.</P> Mon, 20 Jul 2020 19:13:09 GMT bbmsei 2020-07-20T19:13:09Z Why o365 can't sysprep in a wim? I did all kinds of sysprep test about o365. (I see the mdt+sequence like image+o365 setup command can deploy it well, but I cannot sysprep in a image file). The result is that sysprep is success(capture is also well), but can not install or dism this wim file. Something wrong about o365 file can not rollback or restore.<BR />I see the setuperr log, it displayed an o365 dll named "AppvIsvSubsystems32.dll" can not amount like that.<BR />2020-07-03 14:26:30, Error [0x0b0043] WDS SelectImage: No images matched the specified criteria.[gle=0x00000002]<BR />2020-07-03 14:26:30, Error [0x0b0049] WDS CallBack_WdsClient_ConnectToImageStore: Error processing unattended image selection. Error [0x80070002][gle=0x00000002]<BR />2020-07-03 14:49:25, Error [0x0600af] IBS ApplyWIMCallback: Error applying C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\AppvIsvSubsystems32.dll. 
GLE [4392][gle=0x00001128]<BR />2020-07-03 14:49:26, Error [0x0606cc] IBS WIMApplyImage failed; hr = 0x80071128[gle=0x00001128]<BR />2020-07-03 14:49:26, Error [0x0600a1] IBS DeployImage:Image application failed; hr = 0x80071128[gle=0x00000057]<BR />2020-07-03 14:49:26, Error [0x060082] IBS Callback_ImageTransfer:Failed to lay down the OS image; hr = 0x80071128[gle=0x00000057] Sat, 11 Jul 2020 20:54:26 GMT Michaelyu 2020-07-11T20:54:26Z Securing Group Policy Template and importing it to windows server 2016 Group Policy <P>Hi,</P><P>I'm working on the Security Hardening of windows server 2016 according to [CIS Benchmark V 1.2.0][1], for this I found a Security Compliance project from Microsoft which is [Microsoft Security Compliance Toolkit 1.0][2]. This project works on a preconfigured Group Policy for Member Server or Domain Controller and that group policy has a Hardened configuration that complies with the CIS Benchmark.</P><P>Microsoft Security Compliance Toolkit 1.0 has some tools and configurations that can be installed from [here][3]. the main problem with this toolkit and its group policy configuration is they are not implementing all the CIS Benchmark for windows server 2016 so I start working on my own Group Policy Template.</P><P>For building my Hardening Group Policy Template I started by taking snapshot from my windows server 2016 so I can work on a system, like the production, then deploying the Hardened Group policy that comes with the Toolkit (as a starting point) then check every point from the CIS Benchmark document and reflect the Recommended configuration on that Template Group Policy. after finishing some of those Security recommendations I took another snapshot from the production server and used the LGPO.exe (included in the toolkit) tool to import the Hardened Group Policy Template that I was working on and apply it to the new server snapshot. 
after importing the Hardened Group Policy to the test server I start facing many problems when trying to log in to my administrator account, as seen in the photos :<BR /><BR /></P><P>1. After login, I receive this error, and if log in again it doesn't occur again :<BR /><A href="#" target="_blank"></A><BR /><BR /></P><P>2. After login sometimes the server hangs on the following state :<BR /><A href="#" target="_blank"></A></P><P><BR />3. receive this error sometimes :<BR /><A href="#" target="_blank"></A></P><P><BR />Note that the previous errors occur sometimes and if you try to access the same thing again it works,</P><P>4.this occurs every time I log in to the account :<BR /><A href="#" target="_blank"></A><BR /><BR /><BR /></P><P>All of these errors start happening after deploying the Hardened Group Policy to the test server, Also I had another snapshot from the production server where I tried to do the same Security Recommendations Manually, so I did the same Security Recommendations that I configured in the Group Policy and caused all the previous errors but this time manually and everything was working as expected with no errors !!</P><P>So my Issue Is what goes wrong with having a tool such as LGPO.exe (official Microsoft tool) that imports Group Policy GPO to the current Group Policy, and why I had all the previous issues when doing that? but when doing manual works it worked well?</P><P>what is the best way to Make Secure Group Policy as per CIS Benchmark and export it then import to each Server you have ? what is the best way for doing this?</P><P>**Note:**<BR />1. I have only one admin user that I'm using during the work<BR />2. 
my Windows Server 2016 is a non-domain machine (standalone)

Thanks in advance

[1]:
[2]:
[3]:

-- muradmomani, Thu, 09 Jul 2020 14:29:59 GMT

How to apply baseline for multiple OS

I have an org which has multiple OS versions, ranging from 2012 R2 to 2019. What is the best practice when applying baselines? We import the CIS baseline GPO; should we apply baselines for each OS and link them in their separate OUs, or will a single import of the 2019 baseline linked to all OSes up to 2012 work?

-- godwin daniel, Fri, 26 Jun 2020 22:37:54 GMT

Guidance on Domain Controller Virtualization Based Security and Defender Antivirus Baselines

Am I correct in assuming the 1909 - Domain Controller Virtualization Based Security should be targeting <only> my Domain Controllers running as Virtual Machines?

Is the 1909 Defender Antivirus baseline only applicable for those companies using Windows/Microsoft Defender (and not a third party AV/Endpoint solution), or does it apply and play nicely with third party AV/Endpoint solutions?

-- Brian Steingraber, Thu, 28 May 2020 15:51:59 GMT

Disable EAF for firefox.exe as a part of the security baseline

Hi!

I'm working for Mozilla. We have a case that Firefox does not launch because EAF is turned on for firefox.exe by the customer's corporate IT policy. Since Firefox does not support EAF, what we can do is to ask customers to disable EAF, but they can't
if they don't have admin rights.

The current security baseline contains a script to disable EAF for several executables such as onedrive.exe or acrord32. Could you please add an entry to disable EAF for firefox.exe as well?

I also confirmed Chrome (chrome.exe) and the new MS Edge (msedge.exe) have the same issue.

Thanks,
Toshihito

-- tokikuch, Thu, 21 May 2020 17:50:24 GMT

Edge - Bypass HTTPS Warning Page

In the latest security baselines for Microsoft Edge v81, the setting "Allow users to proceed from the HTTPS warning page" is recommended to be set to Disabled. Setting it to Disabled prevents users from clicking through warning pages about invalid SSL certificates.

With this setting in place, users are prevented from accessing sites with expired SSL certificates, often due to an administrator forgetting to renew it. This happens fairly often to sites/services on the Internet, which of course is something my company cannot control. For example, earlier this year Microsoft forgot to renew a certificate for Teams that caused an outage. I can imagine this recommended setting has the potential to cause a significant problem for organizations if users are unable to access a critical site because they are unable to bypass the SSL warning.

That leads me to a few questions:

1. Given the risk of this setting blocking access to sites, why is this a recommended setting? Does Microsoft have this setting set to "Disabled" internally?
2. Are any workarounds available for allowing bypass to specific sites, including when a certificate has expired?
3. Some hotel Wi-Fi Internet access is only accessible after logging in via a captive portal page, which is sometimes hosted internally on RFC1918 private IP space and cannot have a valid public certificate.
How would users access the portal in order to connect to the Internet? Would they need to add the Certificate Authority to their Trusted Roots?

I'm struggling to see how many companies could implement this setting without increasing the risk of an outage by being unable to access a critical site.

-- ericwright, Thu, 14 May 2020 22:15:39 GMT

Any way to modify Security Baseline GPOs before we import them on target?

I am okay with 90% of the security baseline parameters being applied on the system. However, the 10% I am not very comfortable with I would like to remove from the GPOs/baseline before actually applying this baseline on the target system.

OS: Windows 10 IoT

Could anyone provide a way to achieve this?

-- r0x0t, Tue, 12 May 2020 15:39:16 GMT

Documentation error for Security Compliance Toolkit Office 365 ProPlus baseline - FINAL - Sept 2019

This should be reflecting the proper applications instead of just MS Access.

User tab, line item 366.

Policy Path: Microsoft Office 2016\Global Options\Customize
Policy Setting Name: Disable UI extending from documents and templates
MSFT Office 365 Baseline:
Disallow in Access = True
Disallow in Access = False
Disallow in Access = True
Disallow in Access = False
Disallow in Access = True
Disallow in Access = True
Disallow in Access = True
Disallow in Access = True
Disallow in Access = True

-- Desmond_Kung, Sun, 10 May 2020 05:58:56 GMT

LGPO and system services

So I'm probably missing something rudimentary here; that being said, my Bing-fu is failing me.

Here is the scenario:
Offline client
Clean install of Windows 10 1909 x64 Enterprise En-US
LGPO 2.2 and a clean download of the security baseline from the security compliance
toolkit.

Executing the following as administrator: BaselineLocalInstall.ps1 -Win10NonDomainJoined, and it looks OK from the output. Looking at the Baseinstall log file, nothing stands out.

Looking at the result, registry settings are applied for user and computer, and advanced audit policy applies fine; however, the security templates seem off.

For instance, none of the services configured in the MSFT Windows 10 1909 - Computer GPO are applied.

Running gpresult /h test.htm has no settings reported in:
Local Policies/Security Settings/Security Options or
Local Policies/Security Settings/User Rights Assignment
but looking at secpol they seem applied.

c:\windows\system32\group policy\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecPol is not there (while the Audit folder is).

I've been trying to add, for instance, AppID.svc to start automatically, and also tried with /S for a specific policy to configure just services, but it doesn't seem to fly.

Anyone got some recommendations on what I need to read up on?
Am I missing something obvious?

Thanks a bunch,
Cheers, Trax

-- traxelotl_, Mon, 04 May 2020 16:00:18 GMT

Policy Analyzer not working

Hello! My Policy Analyzer is not working correctly.
I am currently running the latest Policy Analyzer version (v3.2.1803.28001) on Windows 10, Version 1909.

It says "Error message: An error occured while parsing EntityName.
Line 152, position 82."

[image: Screenshot_2.png]

When it is generating the report the error comes up. It does create a report, but I am unable to open it.

Is there any way to fix this?

Thank you!
Dear regards,
Bennn2806

-- bennn2806, Thu, 30 Apr 2020 09:43:49 GMT

How do I install Microsoft Security Compliance Manager 4.0 with MSSQL 2016

Hi

I have MSSQL 2016 already.

In order to make the security team work together, how do I install Microsoft Security Compliance Manager 4.0 with MSSQL 2016 (not SQL Express)?

-- KevinLin, Thu, 23 Apr 2020 06:45:27 GMT

Guidance on multiple Windows 10 builds and baselines

Good afternoon,

I am wondering if anyone out there has some guidance on managing multiple baselines. Meaning, I have Windows 10 1803, 1809, 1903 and 1909 versions. What is the best way to manage baselines with multiple versions of Windows 10? The same question might apply to the Microsoft 365 suite as well as the Edge browser (80, 81).

A. Do I have a baseline for each OS? (WMI filtering?)
B. Do I have a baseline for each with delta changes only?
C. Do I have a single baseline with deltas added for each version of Windows 10?

What are enterprises doing to manage this?

Thanks

-- Chad Brower, Thu, 09 Apr 2020 18:55:15 GMT

How do you manage the Server 2019 Domain Controller baseline?
I'm interested in implementing the Server 2019 security baselines.

How do you manage the Server 2019 Domain Controller baseline? The Local Policies/User Rights Assignment and Local Policies/Security Options are very different from the DDCP (Default Domain Controller Policy).

Do you merge it with the DDCP? Or do you add the baseline GPO to the Domain Controllers OU with a higher link order?

What's the best practice here?

-- Daniel Niccoli, Mon, 30 Mar 2020 20:08:06 GMT

Edge security baseline and all other security baselines

Hello all,

I say sorry in advance for this stupid question and for having asked it in a new conversation.

I want to know why on Intune we have the possibility to configure devices with those security baselines AND/OR with the (almost?) same settings in Device configuration profiles.
I mean, why? Two places? Would it be better to just have Security baseline settings or just Device configuration settings? This is confusing, and in my company we realize that both are doing the job... or one setting is set to enabled on one side, then disabled on the other side.

Please consider closing this thread only when a proper answer is given.

Thank you!

Gianluca

-- GianlucaSB, Wed, 25 Mar 2020 10:52:58 GMT

Edge - Extensions - Developer and other store toggle

Hi all,

We set the following policy:
Microsoft Edge\Extensions\Control which extensions cannot be installed - Enabled - *
This is to block all extensions which we do not whitelist.

Next to that we set the following setting:
Microsoft Edge\Extensions\Allow specific extensions to be installed - Enabled - {GUID}
To whitelist all the GUIDs we want to whitelist.
This also includes GUIDs from the Google Chrome Web Store.
This works perfectly.

Now, what I didn't find is a policy to control the following settings:

[image: Annotation 2020-02-11 083435.png]

It would be nice to have control over those toggles.
Procmon didn't deliver any results, so I guess this is saved somewhere in a config file now.

-- Matthias Vandenberghe, Tue, 11 Feb 2020 07:36:40 GMT

Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 79

On the edge://flags page (version 79.x) it is written "experimental, this could cause security and privacy" or so. On the other hand, it is recommended to disable "Allow users to proceed from the HTTPS warning page".

Well, in the new Edge there's no policy to restrict access to experimental features; in the 'old' Edge there was one. Microsoft might think about this.

Kind regards,
Dennis

-- Dennis Scherrer, Thu, 30 Jan 2020 07:56:20 GMT

Security baseline for Chromium-based Microsoft Edge, version 79

A customer asked me to design security settings for the new Edge browser. So I noticed the baseline for the new Edge browser. I'll give the feedback that I understand MSFT's recommendations.

But. In a world with a formal (security) management system (ISO 27001/ISO 9001) this is useless.

Following the principles of Quality Management (ISO 27001 is based on ISO 9001), a decision is based on facts ("QMP 6 - Evidence-based decision making"). Where are these facts?

Let's face it.
I can't document here: set this because MSFT wrote it, without any further information.

Very simple example: hinder users from changing the sandbox setting. Is there telemetry data at Microsoft that shows that thousands of the millions of Windows Enterprise users change that setting? If so, please let us know. That kind of evaluated data would give companies the fundamental facts to drive really good decisions.

My two cents, kind regards
Dennis

-- Dennis Scherrer, Wed, 22 Jan 2020 10:40:33 GMT

Guidance on process and logging

I am after some guidance and information on the process logins take. By this I mean things like: what is evaluated first? If I log in, when is conditional access evaluated? When does the login appear in the Azure AD logs? Does this vary depending on the protocol I use, i.e. if I have basic auth off, when does a POP request get rejected? I'd like to know what gets evaluated when during the login process.

I'd also like to better understand when something appears in the log. If I have an alert for impossible travel in MCAS, say, after that is tripped how long is it before I receive a notification?
Is there any documentation on how long alerts from different processes take from incident to display?

-- Robert Crane, Fri, 17 Jan 2020 10:10:17 GMT

Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 79

@user-171536:

Feedback and questions on the latest Edge Chromium baselines:

Extensions:
Blocking all extensions may not be possible for many organizations. If an organization wants to maintain a list of extensions and extension sources that are allowable, what settings are required? I have configured the following:
- Allow specific extensions to be installed
- Configure extension and user script install sources (MS and Google URLs specified here)
- Control which extensions are installed silently
However, if I do the * block on "Control which extensions cannot be installed", the extensions that are specified as allowed but not silently installed immediately disable themselves. I've tried different combinations of settings over the last several months with no success. I want our conversion from Chrome to move us from the wild west for extensions to a curated, approved list. How can this be achieved?

Passwords:
- Microsoft and Google have recently added policies to prevent corporate password reuse and direct users to change passwords if they enter them on a phishing site. I think these would be good to encourage use of, but documentation is needed somewhere on how to configure these for a typical Microsoft customer (e.g., Office 365). References:

SmartScreen:
- Why not
configure "Configure Microsoft Defender SmartScreen to block potentially unwanted apps"?
- Why is "Force Microsoft Defender SmartScreen checks on downloads from trusted sources" configured to Disabled? Isn't it better to have SmartScreen on for trusted sources (default) and allow the user to turn it off if required? This seems like a configuration appropriate for a STIG, rather than an MS baseline.

-- Doug Howell, Fri, 27 Dec 2019 15:24:21 GMT

Microsoft Ready Video

Does anyone have access to the Security Baselines, DISA STIGs video that Rick and Aaron presented at Microsoft Ready 2018 Las Vegas? I'm having a hard time finding it on the site.

-- Malcolm Walker, Sun, 15 Dec 2019 00:02:28 GMT

User Logon Scripts Headache

Hello,

I'm hardening a workstation in a workgroup environment, which means I have to rely on MDT, LGPO.exe and PowerShell scripts to achieve my goals, in an automated way of course.

Sadly LGPO.exe does not support scripts, nor Group Policy Preferences.
I have to use logon scripts, which wasn't hard on old OSes: just drop them into the appropriate "C:\Windows\System32\GroupPolicy\Scripts" subfolders on the target computer.

In Windows 10 this is a different story: you also need to add an ini file to those folders, as well as create registry keys. For machine scripts, that is stuff under "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Scripts".

While it works for machine scripts, it fails for user scripts. I have tried with the "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\[SID]" registry hives without success; the error is "incorrect function" (the same I had for computer scripts until I configured all required registry keys).
ProcMon detects some more updated keys when manually adding login scripts using gpedit.msc; however, those seem to be created automatically by those above.

Did anyone manage to successfully add user logon/logoff scripts to a workstation preconfigured with LGPO? Could it be some kind of permissions issue instead?

Thanks

-- Alban1999, Tue, 26 Nov 2019 14:50:13 GMT

Microsoft security baseline applied: admin account does not load, no runas available !!!!

Cannot log in to the administrator account, black screen!
I could not run programs as administrator, so I thought OK, I'll log in. After login: black screen, I can only move the mouse. I could change the password so it contains small letters, big letters and numbers. I thought that was the problem: the old password was small letters+numbers.
Still doesn't bring up the administrator's desktop.
I would create a new account, but the runas command or psexec says Access denied.
Windows Update cannot connect for updates on my standard user account.
I cannot log in to the admin account.

I ran the PowerShell script from the latest baseline with the -Win10NonDomainJoined option.
My Win10 is the latest, fully patched.
Baseline-LocalInstall.ps1 was the PowerShell script.
Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline - Sept2019Update
This above was downloaded.

How can I get back to my administrator account or create a new admin account?
I know the password, but access denied for runas. Login: black screen.

On the machine Andyroid, a VMware based virtual machine, is installed.
I do not know if that is a problem too.
But without administrator I cannot uninstall.
I have a Quadro FX1800 card with NVIDIA driver 342.00.
I get only a black screen with mouse cursor; Ctrl+Alt+Delete works and I can change the password on my Administrator account; I run Task Manager, nothing comes up, just a black screen with mouse cursor.

Let me know what can be done.
Would doing a repair help? Would it set up as a fresh install?
Can I revert the changes made? Is there a bootable DVD I can download and revert back to the original settings?

Any help is appreciated!

Issue was resolved partially. I booted to safe mode and could log in as Administrator and created a backup admin account. In safe mode when logging in a critical error occurred all the time.
New admin account working.
Old admin: I tried a profile reset, did not work.
Renamed the Admin folder but Windows did not create a new one.
Finally I disabled the original admin account, because I could not log in to other accounts.
Disabling it solved the problem.

-- Jonny39, Wed, 13 Nov 2019 15:13:49 GMT

LGPO - SECEDIT.EXE exited with exit code 1

Hi, when I run this command:
.\LGPO.exe /g "\\server\folder1\folder2\LGPO" /v

I get this error as part of my output:
Apply security template: \\server\folder1\folder2\LGPO\DefaultPolicy_Backup\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf
[[[ Security template log file output follows: C:\Users\Username\AppData\Local\Temp\GPTA2AC.tmp ]]]

Access is denied.

The task has completed with an error.
SECEDIT.EXE exited with exit code 1

Any ideas what is going on?

Thanks,

Josh

-- ittech, Fri, 08 Nov 2019 18:05:43 GMT

Policy Analyzer - provides no output

I've followed the directions and am able to analyse local policies, but when I take one or more GPO backups and attempt to compare them, I get no output.

-- MikeLo2005, Thu, 07 Nov 2019 20:06:19 GMT

Microsoft Policy Analyzer not working

Hi all,

Every time I try to run the Policy Analyzer v3.2.1803.28001 on my Win 10 1809, the tool fails to read the local registry or the local policy despite my having local admin rights.

Error message: An error occured while parsing EntityName. Line 156, position 82.

Anybody else getting that message, or any idea how to overcome it?
Even if I log on with my admin account I get the same message.

Thx & BR
Dan

-- Daniel_Schmitz_FNC, Mon, 30 Sep 2019 11:18:43 GMT

Security Baseline for Office 365 July 2017 DRAFT Feedback

A bit of feedback on the "Security baseline for Office 365 ProPlus (v1907, July 2019) - DRAFT" settings. For reference, I deployed the settings via Group Policy, and my Office suite at the time was on version 1907 (Build 11901.20176).

Macro Runtime Scan Scope

With the "Macro Runtime Scan Scope" policy, I have had difficulties related to some built-in functionality in Access. When the Scan Scope is set to "Enable for all documents" and used at the same time as Windows Defender Attack Surface Reduction, I seem to receive blocks from the "Block Win32 API calls from Office macro" (92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B) rule for the .accde files within "C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ACCWIZ".

Example:

Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Detection time: 2019-08-12T23:08:11.700Z User: (unknown user) Path: C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ACCWIZ\ACWZMAIN.ACCDE Process Name: OFFICE_VBA Security intelligence Version: 1.299.1840.0 Engine Version: 1.1.16200.1 Product Version: 4.18.1907.4

That particular event was the result of making a new local Access database, putting 1 record in a table and then Create -> Query Wizard -> Simple Query Wizard -> OK. While I am not a fan of Access, we have a number of users who leverage the tool quite a bit, and these blocks make Access "less than functional" to them.
If I set the "Macro Runtime Scan Scope" back to my previously configured "Enable for low trust documents", the built-in Access functions work fine, since I have that specific folder added to Trusted Locations, as it is a default trusted location when the Office suite installs.

----

Interestingly enough, adding exceptions to ASR for the respective folder or the specific .accde does not work. (I also attempted a simultaneous path exception in Windows Defender itself, with no luck.) I assume that this is a result of the way in which the data is passed to Windows Defender via AMSI due to the "Macro Runtime Scan Scope", which perhaps makes it difficult/impossible to make exclusions.

Excel File Block prevents copy/paste from Access

On a somewhat different note, the File Block setting "Excel 97-2003 workbooks and templates", which prevents Open/Save, conflicts with, again, Access. If you have query results, or a table you wish to cut and paste into Excel, the default paste mechanism seems to require the ability to open "Excel 97-2003 workbooks and templates". If you set the File Block setting for that file type to "Save Blocked", the paste from Access to Excel will work. If you set it to another value other than "Do not block", the paste will fail and you will receive a warning that Excel 97-2003 files are blocked.
If you choose an alternative paste method, such as "Paste Special -> Text" or "Paste, match destination formatting", it will work, but depending on the data in Access there could be some clean up needed (leading zeroes could be stripped).

The remaining difficulties my organization may have with File Block settings will be a result of how we operate, and those we work with, but this particular instance seemed worthy of note, since it impacts what could be viewed as a standard workflow/interplay between two Microsoft developed applications.

Hope the information is useful. If you can think of something I have overlooked that will allow these to work and enable me to tighten up the policies a bit more, please let me know.

-- Alex Entringer, Tue, 13 Aug 2019 00:08:25 GMT

Prompt for consent on secure desktop domain policy is failing to override local policy

A domain GPO is set to prompt for consent on the secure desktop. The 1809 security baseline is applied as a local GPO with the -domainjoined argument. The domain policy is not overriding the local policy. This is LTSC 1809.

-- null null, Mon, 05 Aug 2019 13:41:58 GMT

[continued] Security baseline with Hyper-V enhanced session

Continued from this discussion on the old TechNet blog.

Thanks @user-171536. I've figured out what is preventing clipboard file copying. It is the GPO setting "Do not allow drive redirection" (Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection).

The description mentions that it disables clipboard file copy redirection for Windows 8 and earlier, but I have tested and it also disables file copy on Windows 10 guests.
(Enabling it on the guest disables copying files both into and out of the VM (note: restart required to take effect), but enabling it on the host is OK.) It doesn't prevent copying out clipboard text though (I misspoke, sorry).

Are there any non-obvious security implications if I leave out this setting (assuming of course I only try to copy out trusted files)? The alternative is to attach a VHDX to the VM, copy the file into the virtual drive, then detach and mount it on the host as Admin, but it's a lot easier to just copy and paste.

Regarding internet connectivity: I haven't figured out why applying the security baseline on the host messes with guest VM connectivity through the NAT based "Default Switch" (automatically created, Client Hyper-V only), but my solution has been to connect guest VMs directly to the external network adapter using the "External Switch". This approach also has the added benefit of allowing internet on guest VMs while blocking all network connectivity on the host.

On a related note, I was hoping to get your thoughts on the new GPO setting in Windows 10 version 1903 called "Use WDDM graphics display driver for Remote Desktop Connections" (Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment). If RemoteFX is enabled on a 1903 VM, I can't connect to it using Enhanced Session mode or RDP unless I disable this new setting. No issues connecting with an 1809 VM (which doesn't have this setting), so I'm guessing disabling this setting just reverts to the default behaviour in 1809.

Still, any material security risks if I disable this new setting? (EDIT: I'm guessing it is because WDDM runs in user mode and doesn't have permission to connect via RDP.
I've tried adding Users and even Everyone to the "Allow log on through Remote Desktop Services" security policy, but that didn't work; in fact, doing that still doesn't let standard users log on through Enhanced Session mode, I still have to add the user to the Remote Desktop Users group.)

Best regards
David

-- DavidYangAU, Wed, 17 Jul 2019 07:00:13 GMT

How can I safely implement required LDAP signing?

"If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts."

Given this, how in the world can you safely implement this? It seems to me that unless everything is processed right at the same time, you're guaranteed to have some clients that cannot communicate to even get Group Policy anymore?

-- ajm-b, Mon, 24 Jun 2019 12:31:18 GMT

Does Microsoft have any scripts to create CIS-baselines for on-prem Windows Server images?

It appears that there are a bunch of CIS-hardened virtual machines available in Azure.

We would also like to refine the creation of new Windows Server CIS images for data centers, but need an easier way to create them.

-- SuperSquatch, Fri, 21 Jun 2019 19:05:20 GMT

Policy Analyzer Command Line or any way to automate Policy Analyzer?

We are looking for a way to scan systems against a backup GPO in an automated fashion. The Policy Analyzer works great, but there doesn't seem to be a way to run it in an automated fashion. Are there any plans to offer this functionality?
Or am I unaware of another tool or technique I should be using?

Thank you.

-- DavidBloom, Fri, 21 Jun 2019 00:35:40 GMT

Welcome

Welcome to the new home for blogs & discussion around the Security Compliance Toolkit (SCT) and the Microsoft Security Baselines. Please bear with @user-171536 and me as we sort through the old content from the SecGuide TechNet blog and get it migrated over to here. This new platform will give us the ability to more easily collaborate with the community. Also, we heard your feedback: be on the lookout for a new DRAFT security baseline (coming very soon) that we have been working on... Office 365 ProPlus!

-- Rick_Munck, Thu, 13 Jun 2019 16:25:02 GMT