Windows Server 2022 Security Baseline

Published Sep 08 2021 07:45 PM
Microsoft

We are pleased to announce the release of the security baseline package for Windows Server 2022!

 

Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.

 

Three new settings have been added for this release: an AppLocker update for Microsoft Edge, a new Microsoft Defender Antivirus setting, and a custom setting for printer driver installation restrictions.

 

AppLocker

Now that Microsoft Edge is included within Windows Server, we have updated the domain controller browser restriction list. The list now restricts Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Microsoft Edge. Should additional browsers be used on your domain controllers, please update the list accordingly.
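
One way to check that an AppLocker policy export covers every browser on the restriction list, including any you add yourself. This is an added example, not code from the baseline package; the function name, the sample XML and the product-name strings are assumptions to confirm against your own exported policy.

```powershell
# Added example: list browsers that have no enforced AppLocker Deny publisher rule.
function Get-UncoveredBrowser {
    param(
        [Parameter(Mandatory)] [string]   $PolicyXml,
        [Parameter(Mandatory)] [string[]] $ProductName
    )
    $policy = [xml]$PolicyXml
    # Only an Exe collection in 'Enabled' mode blocks execution; 'AuditOnly' just logs.
    $enforced = $policy.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'Exe' -and $_.EnforcementMode -eq 'Enabled' }
    # Collect the product names targeted by Deny publisher rules.
    $denied = @(
        foreach ($rule in $enforced.FilePublisherRule) {
            if ($rule.Action -eq 'Deny') {
                $rule.Conditions.FilePublisherCondition.ProductName
            }
        }
    )
    # Whatever is left has no matching Deny rule (comparison is case-insensitive).
    $ProductName | Where-Object { $_ -notin $denied }
}

# Constructed sample policy (not the baseline's real rules); Edge is deliberately left out.
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Deny IE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePublisherCondition PublisherName="O=CONSTRUCTED" ProductName="INTERNET EXPLORER" BinaryName="*" /></Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000002" Name="Deny Firefox" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePublisherCondition PublisherName="O=CONSTRUCTED" ProductName="FIREFOX" BinaryName="*" /></Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000003" Name="Deny Chrome" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePublisherCondition PublisherName="O=CONSTRUCTED" ProductName="GOOGLE CHROME" BinaryName="*" /></Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Assumed product names for the four browsers the post lists.
$browsers = 'INTERNET EXPLORER', 'FIREFOX', 'GOOGLE CHROME', 'MICROSOFT EDGE'
Get-UncoveredBrowser -PolicyXml $sample -ProductName $browsers
```

On a domain controller, pass the output of `Get-AppLockerPolicy -Effective -Xml` as `-PolicyXml` instead of the sample. Rules based on path or hash conditions are not examined here.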

 

Script Scanning

Script scanning was a parity gap we had between Group Policy and MDM. Since this gap is now closed, we are enforcing the enablement of script scanning (Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on script-scanning).

 

Restrict Driver Installations

In July, a Knowledge Base article and a subsequent patch were released for CVE-2021-34527, more commonly known as “PrintNightmare”. We have added a new setting to the MS Security Guide custom administrative template, SecGuide.admx/l (Administrative Templates\MS Security Guide\Limits print driver installation to Administrators), and enforced the enablement.

 

Please let us know your thoughts by commenting on this post or via the Security Baseline Community.

11 Comments
Occasional Contributor

"Administrative Templates\Microsoft Defender Antivirus\Real-time Protection\Turn on script-scanning" - is it me or "Windows Components" is missing from this path?

Senior Member

When will the (draft) Security Baseline for Windows 10 21H2 and Windows 11 be published?

Occasional Contributor

Hi @Rick_Munck , Bug-Report:

 

  • Baseline-ADImport.ps1 is buggy (outdated?):

 

In "Microsoft Security Toolkit" downloaded on the 2021-09-28

 

Windows Server-2022-Security-Baseline-FINAL\Scripts\Baseline-ADImport.ps1

 

must be replaced by e.g. Edge 93 version to get the script to run without errors.

 

Same in at least Windows-10-v21H1-Security-Baseline-FINAL

Microsoft

@Rafał Fitt minor typo in the blog but the spreadsheet and GPs are good to go

Occasional Contributor

@Rick_Munck thanks (Server 2022 is still on my agenda).

Microsoft

@Richard_van_Nuland with each release we will only be focusing on the latest version of the product; in this case the next release for the Windows security baseline will be Windows 11. That will occur around the same time as the Windows 11 launch. Note there will not be a draft release.

Microsoft

@Peter Richardt just downloaded and tested Windows client and Server as well as Edge and all ran the AD import without any issues.

Occasional Contributor

@Rick_Munck strange, thanks a lot for testing and sorry for false alert. 

Occasional Contributor

Hello Rick, thanks for the hard work.

 

As far as I know, AppLocker still isn't supported on Server Core, despite the latter being the new standard for Windows Server installations for ten years (and that's insane from a security viewpoint).

 

Do you plan to release a Domain Controller/Member Server "Core-only" Security Baseline, purged of stuff belonging to Desktop Experience? AppLocker, internet browsers, etc.

 

Thanks

Microsoft

@Alban1999 there are no plans at this time for a dedicated Server Core baseline. We will add it as an item to review for future baseline considerations.

Occasional Contributor

That's already awesome!

You may want to add something within Microsoft Docs or built-in reports about this, at least for now. I had customers applying those security baselines and got screwed by the AppLocker thing.


One more item could get your attention: vulnerable ciphers enabled by default in Active Directory/IIS/ADFS, like RC4, DES... They are actively exploited by malware and should be disabled by default. Adding it to your Security Baseline would be a good first step.

 

Regards,

Last update:
‎Sep 29 2021 06:30 AM