Blog Post

Microsoft Security Baselines Blog
1 MIN READ

Windows Server 2022 Security Baseline

Rick_Munck's avatar
Rick_Munck
Icon for Microsoft rankMicrosoft
Sep 09, 2021

We are pleased to announce the release of the security baseline package for Windows Server 2022!

 

Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.

 

Three new settings have been added for this release, an AppLocker update for Microsoft Edge, a new Microsoft Defender Antivirus setting, and a custom setting for printer driver installation restrictions.

 

AppLocker

Now that Microsoft Edge is included within Window Server we have updated the domain controller browser restriction list. The browser restriction list now restricts Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Microsoft Edge. Should additional browsers be used on your domain controllers please update accordingly.

 

Script Scanning

Script scanning was a parity gap we had between Group Policy and MDM. Since this gap is now closed we are enforcing the enablement of script scanning (Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on script-scanning).

 

Restrict Driver Installations

In July a Knowledge Base article and subsequent patch was released for CVE-2021-34527, more commonly known as “PrintNightmare”. We have added a new setting to the MS Security Guide custom administrative template for SecGuide.admx/l (Administrative Templates\MS Security Guide\Limits print driver installation to Administrators) and enforced the enablement.

 

Please let us know your thoughts by commenting on this post or via the Security Baseline Community.

Updated Nov 09, 2023
Version 3.0

49 Comments

Show More
  • Alban1999's avatar
    Alban1999
    Iron Contributor
    Oct 01, 2021

    Hello Rick, thanks for the hard work.

     

    As far as I know, Applocker still isn't supported on Server Core, despite the latest being the new standard for Windows Server installations since ten years (and that's insane from a security viewpoint).

     

    Do you plan to release a Domain Controller/Member Server "Core-only" Security Baseline, purged from stuff belonging to Desktop Experience ? Applocker, internet browsers etc...

     

    Thanks

  • Rick_Munck's avatar
    Rick_Munck
    Icon for Microsoft rankMicrosoft
    Sep 29, 2021

    PeRich just downloaded and tested Windows client and Server as well as Edge and all ran the AD import without any issues.

  • Rick_Munck's avatar
    Rick_Munck
    Icon for Microsoft rankMicrosoft
    Sep 29, 2021

    Richard_van_Nuland with each release we will only be focusing on the latest version of the product, in this case the next release for the Windows security baseline will be, Windows 11.  That will occur around the same time as the Windows 11 launch, note there will not be a draft release. 

  • Rick_Munck's avatar
    Rick_Munck
    Icon for Microsoft rankMicrosoft
    Sep 29, 2021

    Deleted minor typo in the blog but the spreadsheet and GPs are good to go

  • PeRich's avatar
    PeRich
    Brass Contributor
    Sep 28, 2021

    Hi Rick_Munck , Bug-Report:

     

    • Baseline-ADImport.ps1 is buggy (outdated?):

     

    In "Microsoft Security Toolkit" downloaded on the 2021-09-28

     

    Windows Server-2022-Security-Baseline-FINAL\Scripts\Baseline-ADImport.ps1

     

    must be replace by e.g. Edge 93 version to get the script run without errors.

     

    Same in at least Windows-10-v21H1-Security-Baseline-FINAL

  • Deleted's avatar
    Deleted
    Sep 14, 2021

    "Administrative Templates\Microsoft Defender Antivirus\Real-time Protection\Turn on script-scanning" - is it me or "Windows Components" is missing from this path?