Sponsored by Keepnet Labs

The NEW Security baseline for Windows

While I was still a Full-Time Employee at Microsoft I was fully aware of this “new baseline” recommendations, but I was waiting for the final announcement which came yesterday from my good friend Aaron Margosis,

Here is the new security configuration baseline settings for Windows 10 and Windows Server (version 1903)

Please note that the new Windows Server has been confirmed to be “Core” only ( no Graphical Interface or Desktop Experience), as a result, Microsoft had to do some updates compared to Windows Server 2016 ,

This new Windows Feature Update brings very few new Group Policy settings, which Microsoft list in the accompanying documentation. This baseline recommends configuring only two of those. However, Microsoft has made several changes to existing settings, including some changes since the draft version of this baseline that Microsoft published last month.

No more  password expiration policies.

To make it clear, Microsoft has only removed removing password-expiration policies , there is no change to the minimum password length, history, or complexity.

Aaron points out that “Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem. If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password

No more enforced disabling of the built-in Administrator and Guest accounts

The built-in Guest account. The Guest account (RID -501) is disabled by default on Windows 10 and Windows Server. Only an administrator can enable the Guest account, and an admin would presumably do so only for a valid reason such as for a kiosk system.

The built-in Administrator account. The local Administrator account (RID -500) is disabled by default on Windows 10 but not on Windows Server. When installing Windows 10, Windows Setup prompts you for a new account which becomes the primary administrative account for the computer. By contrast, Windows Server’s setup prompts you for a new password for the Administrator account. The main differences between the built-in -500 Administrator account (when enabled) and a custom administrative local account are

1) the -500 account is not subject to account lockout, account expiration, password expiration, or logon hours;

2) the –500 account cannot be removed from the Administrators group; and

3) that by default the -500 account always runs with full administrative rights without UAC prompts, including over the network. This third difference can be removed (as our baselines always do) by enabling the security option, “User Account Control: Admin Approval Mode for the Built-in Administrator account.”

The changes from the Windows 10 v1809 and Windows Server 2019 baselines include:

  • Enabling the new “Enable svchost.exe mitigation options” policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed. Please pay special attention to this one as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins.
  • Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.
  • Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.
  • Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats. Microsoft has added a setting to the custom “MS Security Guide” ADMX to enable managing this configuration setting through Group Policy.
  • Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service.
  • Dropping the password-expiration policies that require periodic password changes. This change is discussed in further detail below.
  • Dropping the specific BitLocker drive encryption method and cipher strength settings. The baseline has been requiring the strongest available BitLocker encryption. Microsoft is removing that item for a few reasons. The default is 128-bit encryption, and our crypto experts tell us that there is no known danger of its being broken in the foreseeable future. On some hardware, there can be noticeable performance degradation going from 128- to 256-bit. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact.
  • Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off-heap termination on corruption” settings, as it turns out they merely enforce default behavior, as Raymond Chen describes here.

Additional changes that Microsoft has adopted since publishing the draft version of this baseline includes:

  • Dropping the enforcement of the default behavior of disabling the built-in Administrator and Guest accounts. Microsoft had floated this proposal at the time of the draft baseline, and have since decided to accept it. The change is discussed in more detail below.
  • Dropped a Windows Defender Antivirus setting that applies only to legacy email file formats.
  • Changed the Windows Defender Exploit Protection XML configuration to allow Groove.exe (OneDrive for business) to launch child processes, particularly MsoSync.exe which is necessary for file synchronization.

You can read Aaron’s blog post here

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *