NEW Security baseline for Windows 2019

Erdal, 2021-07-12

The NEW Security baseline for Windows

While I was still a full-time employee at Microsoft I was fully aware of these “new baseline” recommendations, but I was waiting for the final announcement, which came yesterday from my good friend Aaron Margosis.

Here are the new security configuration baseline settings for Windows 10 and Windows Server (version 1903).

Please note that the new Windows Server release has been confirmed to be “Core” only (no graphical interface or Desktop Experience); as a result, Microsoft had to make some changes compared to the Windows Server 2016 baseline.

This new Windows feature update brings very few new Group Policy settings, which Microsoft lists in the accompanying documentation. This baseline recommends configuring only two of those. However, Microsoft has made several changes to existing settings, including some changes since the draft version of this baseline that Microsoft published last month.

No more password expiration policies

To make it clear, Microsoft has only removed the password-expiration policies; there is no change to the minimum password length, history, or complexity requirements.

Aaron points out that “Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem. If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password?”

No more enforced disabling of the built-in Administrator and Guest accounts

The built-in Guest account. The Guest account (RID -501) is disabled by default on Windows 10 and Windows Server. Only an administrator can enable the Guest account, and an admin would presumably do so only for a valid reason such as for a kiosk system.

The built-in Administrator account. The local Administrator account (RID -500) is disabled by default on Windows 10 but not on Windows Server. When installing Windows 10, Windows Setup prompts you for a new account, which becomes the primary administrative account for the computer. By contrast, Windows Server’s setup prompts you for a new password for the Administrator account. The main differences between the built-in -500 Administrator account (when enabled) and a custom administrative local account are:

1) the -500 account is not subject to account lockout, account expiration, password expiration, or logon hours;

2) the -500 account cannot be removed from the Administrators group; and

3) by default the -500 account always runs with full administrative rights without UAC prompts, including over the network. This third difference can be removed (as Microsoft’s baselines always do) by enabling the security option “User Account Control: Admin Approval Mode for the Built-in Administrator account.”

The changes from the Windows 10 v1809 and Windows Server 2019 baselines include:

  • Enabling the new “Enable svchost.exe mitigation options” policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed. Please pay special attention to this one as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins.
  • Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.
  • Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.
  • Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats. Microsoft has added a setting to the custom “MS Security Guide” ADMX to enable managing this configuration setting through Group Policy.
  • Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service.
  • Dropping the password-expiration policies that require periodic password changes. This change is discussed in further detail below.
  • Dropping the specific BitLocker drive encryption method and cipher strength settings. The baseline had been requiring the strongest available BitLocker encryption. Microsoft is removing that item for a few reasons. The default is 128-bit encryption, and Microsoft’s crypto experts say there is no known danger of its being broken in the foreseeable future. On some hardware, there can be noticeable performance degradation going from 128- to 256-bit. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. Converting those to 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact.
  • Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings, as it turns out they merely enforce default behavior, as Raymond Chen describes here.

Additional changes that Microsoft has adopted since publishing the draft version of this baseline include:

  • Dropping the enforcement of the default behavior of disabling the built-in Administrator and Guest accounts. Microsoft had floated this proposal at the time of the draft baseline and has since decided to accept it. The change is discussed in more detail above.
  • Dropping a Windows Defender Antivirus setting that applies only to legacy email file formats.
  • Changing the Windows Defender Exploit Protection XML configuration to allow Groove.exe (OneDrive for Business) to launch child processes, particularly MsoSync.exe, which is necessary for file synchronization.
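As an added example (not from the baseline documentation or from Aaron’s post), the following PowerShell audits a host against several of the changed items above: LLMNR disabled, NetBT NodeType restricted to P-node, Admin Approval Mode for the built-in Administrator from the account discussion, and the enabled state of the RID 500/501 accounts that the baseline no longer enforces. It assumes an elevated prompt and the registry locations those Group Policy settings are commonly documented to write to.

```powershell
# Added example: audit a Windows 10 / Server host against changed baseline items.
# Assumption: these are the registry values the corresponding policies write to.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent = policy not configured
    return [int]$item.$Name
}

function New-Finding($Setting, $Expected, $Actual, $Pass) {
    [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

$findings = @()

# 1. Multicast name resolution (LLMNR) disabled: EnableMulticast = 0.
#    An absent value means LLMNR is still on by default, so that is a failure too.
$llmnr = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
$findings += New-Finding 'LLMNR disabled (EnableMulticast)' 0 $llmnr ($llmnr -eq 0)

# 2. NetBT NodeType = P-node (2): no broadcast name registration or resolution.
#    Values: 1 = B-node, 2 = P-node, 4 = M-node, 8 = H-node.
$nodeType = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 'NodeType'
$findings += New-Finding 'NetBT NodeType is P-node' 2 $nodeType ($nodeType -eq 2)

# 3. Admin Approval Mode for the built-in Administrator: FilterAdministratorToken = 1,
#    so the RID 500 account gets UAC prompts like any other administrator.
$aam = Get-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'FilterAdministratorToken'
$findings += New-Finding 'Admin Approval Mode for built-in Administrator' 1 $aam ($aam -eq 1)

# 4. Built-in Administrator (RID 500) and Guest (RID 501): the baseline no longer
#    enforces "disabled", so report their state for review rather than pass/fail.
foreach ($acct in Get-LocalUser) {
    $rid = [int](($acct.SID.Value -split '-')[-1])
    if ($rid -in 500, 501) {
        $findings += New-Finding "Built-in account '$($acct.Name)' (RID $rid) enabled" 'review' $acct.Enabled $null
    }
}

$findings | Format-Table -AutoSize
```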

You can read Aaron’s blog post here

Erdal
