Latest Discussions
Welcome
Welcome to the new home for blogs & discussion around the Security Compliance Toolkit (SCT) and the Microsoft Security Baselines. Please bear with Aaron Margosis and me as we sort through the old content from the SecGuide TechNet blog and get it migrated over to here. This new platform will give us the ability to more easily collaborate with the community. Also, we heard your feedback: be on the lookout for a new DRAFT security baseline (coming very soon) that we have been working on… Office 365 ProPlus!
Rick_Munck, Jun 13, 2019 (Microsoft). 2.2K views, 7 likes, 2 comments
Windows 10/11 22H2 Security Baseline missing in Intune
Hi, can you please clarify when the Windows 10/11 Security Baseline will be updated to 22H2? The current baseline is from November 2021; I am sure that there are new recommendations in the new baseline (Windows 10, version 22H2 Security baseline - Microsoft Community Hub) that would be helpful while managing Windows in a more modern way. As an example, the 22H2 option "Allow Administrator account lockout" is currently missing, so it cannot be managed without a GPO.
7.9K views, 4 likes, 24 comments
Deleted, Apr 30, 2020. 16K views, 4 likes, 32 comments
Security Baseline for Office 365 July 2017 DRAFT Feedback
A bit of feedback on the "Security baseline for Office 365 ProPlus (v1907, July 2019) - DRAFT" settings. For reference, I deployed the settings via Group Policy and my Office suite at the time was on version 1907 (Build 11901.20176).

Macro Runtime Scan Scope

With the "Macro Runtime Scan Scope" policy, I have had difficulties related to some built-in functionality in Access. When the Scan Scope is set to "Enable for all documents" and used at the same time as Windows Defender Attack Surface Reduction, I seem to receive blocks against the "Block Win32 API calls from Office macro" (92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B) rule from the .accde files within "C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ACCWIZ". Example:

Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator.
ID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Detection time: 2019-08-12T23:08:11.700Z
User: (unknown user)
Path: C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ACCWIZ\ACWZMAIN.ACCDE
Process Name: OFFICE_VBA
Security intelligence Version: 1.299.1840.0
Engine Version: 1.1.16200.1
Product Version: 4.18.1907.4

That particular event was a result of making a new local Access database, putting 1 record in a table and then Create -> Query Wizard -> Simple Query Wizard -> OK. While I am not a fan of Access, we have a number of users who leverage the tool quite a bit and these blocks make Access "less than functional" to them. If I set the "Macro Runtime Scan Scope" back to my previously configured "Enable for low trust documents", the built-in Access functions work fine, since I have that specific folder added to Trusted Locations, as it is a default trusted location when the Office suite installs. Interestingly enough, adding exceptions to ASR for the respective folder or specific .accde does not work. (I also attempted a simultaneous Path exception to Windows Defender itself, with no luck.)
I assume that this is a result of the way in which the data is passed to Windows Defender via AMSI due to the "Macro Runtime Scan Scope", which perhaps makes it difficult/impossible to make exclusions.

Excel File Block prevents copy/paste from Access

On a somewhat different note, the file block setting "Excel 97-2003 workbooks and templates", which prevents Open/Save, conflicts with, again, Access. If you have query results, or a table you wish to cut and paste into Excel, the default paste mechanism seems to require the ability to open "Excel 97-2003 workbooks and templates". If you set the file block setting for that file type to "Save Blocked", the paste from Access to Excel will work. If you set it to any other value other than "Do not block", the paste will fail and you will receive a warning that Excel 97-2003 files are blocked. If you choose an alternative paste method, such as "Paste Special -> Text" or "Paste, match destination formatting", it will work, but depending on the data in Access, there could be some clean-up needed (leading zeroes could be stripped). The remaining difficulties my organization may have with file block settings will be a result of how we operate, and those we work with, but this particular instance seemed worthy of note, since it impacts what could be viewed as a standard workflow/interplay between two Microsoft-developed applications.

Hope the information is useful. If you can think of something I have overlooked that will allow these to work and enable me to tighten up the policies a bit more, please let me know.
Alex Entringer, Aug 13, 2019 (Copper Contributor). 4.4K views, 3 likes, 3 comments
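Added example, not part of Alex's post or of the SCT: a PowerShell script that reads the configured action for the ASR rule quoted above, pulls the matching block/audit events from the Defender operational log so the affected files can be listed, and (commented out) shows how to move only that one rule to audit mode while exclusions are investigated. Event IDs 1121 (block) and 1122 (audit) and the Get-MpPreference/Set-MpPreference parameters are the documented Defender ones; the 7-day window is an assumption. Run in an elevated PowerShell on a machine with Microsoft Defender Antivirus.

```powershell
# Added example (not from the original post). Summarize ASR events for one rule and,
# optionally, switch only that rule to audit mode. Run elevated with Defender AV present.

$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'   # Block Win32 API calls from Office macros (quoted in the post)

function Get-AsrRuleAction {
    # Returns the configured action for one ASR rule: Off, Block, Audit, Warn or NotConfigured.
    param([string]$Id)
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
            if ($names.ContainsKey($code)) { return $names[$code] } else { return "Unknown($code)" }
        }
    }
    return 'NotConfigured'
}

function Get-AsrEvents {
    # Defender logs ASR hits in Microsoft-Windows-Windows Defender/Operational:
    # 1121 = blocked, 1122 = audit-mode detection. The message carries "ID:", "Path:" and "Process Name:" lines,
    # exactly like the notification text quoted in the post.
    param([string]$Id, [int]$Days = 7)   # 7-day window is an assumption; widen as needed
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "ID:\s*$Id" } |
        ForEach-Object {
            $path = if ($_.Message -match '(?m)^\s*Path:\s*(.+?)\s*$')         { $Matches[1] } else { '' }
            $proc = if ($_.Message -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                Path    = $path
                Process = $proc
            }
        }
}

"Rule $RuleId is currently: $(Get-AsrRuleAction -Id $RuleId)"

# Which files trip the rule, and how often? Built-in Office wizards such as the ACCWIZ .accde files show up here.
Get-AsrEvents -Id $RuleId | Group-Object Mode, Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Optional: leave every other ASR rule as configured and put only this one in audit mode.
# The two parameters are parallel arrays and touch only the rule IDs listed. Uncomment to apply.
# Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
```

Audit mode keeps the telemetry (1122 events) without the block, which is a reasonable interim state for a rule that is hitting vendor-shipped, default-trusted files; the event summary is also the evidence to attach when reporting the false positive.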
Edge - Bypass HTTPS Warning Page
In the latest security baselines for Microsoft Edge v81, the setting "Allow users to proceed from the HTTPS warning page" is recommended to be set to Disabled. Setting it to Disabled prevents users from clicking through warning pages about invalid SSL certificates. With this setting in place, users are prevented from accessing sites with expired SSL certificates, often due to an administrator forgetting to renew it. This happens fairly often to sites/services on the Internet, which of course is something my company cannot control. For example, earlier this year Microsoft forgot to renew a certificate for Teams that caused an outage. I can imagine this recommended setting has the potential to cause a significant problem for organizations if users are unable to access a critical site because they are unable to bypass the SSL warning.

That leads me to a few questions:
- Given the risk of this setting blocking access to sites, why is this a recommended setting?
- Does Microsoft have this setting set to "Disabled" internally?
- Are any workarounds available for allowing bypass to specific sites, including when a certificate has expired?
- Some hotel Wi-Fi Internet access is only accessible after logging in via a captive portal page, which is sometimes hosted internally on RFC1918 private IP space and can not have a valid public certificate. How would users access the portal in order to connect to the Internet? Would they need to add the Certificate Authority to their Trusted Roots?

I'm struggling to see how many companies could implement this setting without increasing the risk of an outage by being unable to access a critical site.
ericwright, May 13, 2020 (Copper Contributor). 26K views, 3 likes, 2 comments
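Added example, not part of ericwright's post or of the baseline: a PowerShell script with two pieces. The first writes the baseline value as it lands in the registry (SSLErrorOverrideAllowed = 0, the policy behind "Allow users to proceed from the HTTPS warning page") next to a per-origin exception list, SSLErrorOverrideAllowedForOrigins; that list policy was added to Edge after v81, so treat its availability as an assumption to check against the policy reference for your build. The second piece does the thing that makes the setting survivable: it performs a TLS handshake against each internal site you depend on, accepts whatever certificate is presented so expired ones can still be inspected, and flags anything close to expiry before Edge would block it. The two origins below are constructed.

```powershell
# Added example (not from the original post). Part 1: baseline value plus a reviewed per-origin
# exception list. Part 2: expiry check for the sites users must always be able to reach.
# Assumption: SSLErrorOverrideAllowedForOrigins exists in your Edge build (it post-dates v81).

$EdgePolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$AllowedOrigins = @('https://captive.corp.example', 'https://legacy-app.corp.example')   # constructed

function Set-EdgeSslOverridePolicy {
    # SSLErrorOverrideAllowed = 0 is the baseline ("Disabled" in the GPO editor).
    # SSLErrorOverrideAllowedForOrigins is a Chromium-style list policy: numbered string values 1..n.
    param([string[]]$Origins)
    New-Item -Path $EdgePolicy -Force | Out-Null
    Set-ItemProperty -Path $EdgePolicy -Name 'SSLErrorOverrideAllowed' -Value 0 -Type DWord
    $list = Join-Path $EdgePolicy 'SSLErrorOverrideAllowedForOrigins'
    if (Test-Path $list) { Remove-Item $list -Recurse }   # rebuild so stale numbered entries do not linger
    New-Item -Path $list -Force | Out-Null
    for ($i = 0; $i -lt $Origins.Count; $i++) {
        Set-ItemProperty -Path $list -Name ($i + 1) -Value $Origins[$i] -Type String
    }
}

function Get-ServerCertificate {
    # TLS handshake that accepts any certificate, so an expired or untrusted one is returned rather than throwing.
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true })
    try {
        $ssl.AuthenticateAsClient($HostName)   # $HostName is also sent as SNI
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

function Test-CertificateExpiry {
    # Days left per host; expired, unreachable, or within $WarnDays of expiry is flagged.
    param([string[]]$HostNames, [int]$WarnDays = 21)   # 21 days is an assumption; pick your renewal lead time
    foreach ($h in $HostNames) {
        try {
            $cert = Get-ServerCertificate -HostName $h
            $left = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            [pscustomobject]@{ Host = $h; Subject = $cert.Subject; NotAfter = $cert.NotAfter; DaysLeft = $left; Alert = ($left -le $WarnDays) }
        } catch {
            [pscustomobject]@{ Host = $h; Subject = ''; NotAfter = $null; DaysLeft = $null; Alert = $true }
        }
    }
}

Set-EdgeSslOverridePolicy -Origins $AllowedOrigins
Test-CertificateExpiry -HostNames ($AllowedOrigins | ForEach-Object { ([uri]$_).Host }) | Format-Table -AutoSize
```

Edge reads the policy keys at startup and on policy refresh, so a restart or a visit to edge://policy and "Reload policies" is needed after writing them. Keeping the exception list short and reviewed is the point: each origin on it gets exactly the click-through behaviour the baseline removes everywhere else.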
Policy Analyzer Command Line or any way to automate Policy Analyzer?
We are looking for a way to scan systems against a backup GPO in an automated fashion. The Policy Analyzer works great, but there doesn't seem to be a way to run it in an automated fashion. Are there any plans to offer this functionality? Or am I unaware of another tool or technique I should be using? Thank you.
Solved. DavidBloom, Jun 21, 2019 (Copper Contributor). 11K views, 2 likes, 7 comments
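Added example, not part of DavidBloom's post and not a Policy Analyzer feature: a PowerShell script that covers part of what the question asks for without Policy Analyzer. It exports the machine's effective local security policy with secedit, parses the GptTmpl.inf security template from a GPO backup, and reports every baseline setting whose local value is missing or different. Assumptions: the backup path is made up (in a GPO backup the template sits under {GUID}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf), and only the security-template areas are compared; Administrative Template settings live in registry.pol and are outside what secedit exports, so this is narrower than a Policy Analyzer comparison.

```powershell
# Added example (not from the original post, not part of the SCT). Compare the local security
# policy exported by secedit against a GPO backup's GptTmpl.inf. Run elevated.
# Assumption: $BaselineInf points at the template inside your own GPO backup.

$BaselineInf = 'C:\Baselines\GPOBackup\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf'   # made up

function ConvertFrom-SecurityTemplate {
    # Parses an INF security template into @{ Section = @{ Key = Value } }. Hashtables are case-insensitive.
    param([string]$Path)
    $result = @{}; $section = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $result[$section][$Matches[1]] = $Matches[2] }
    }
    return $result
}

function Normalize-TemplateValue {
    # Privilege Rights are comma-separated SID lists whose order is not significant; compare them sorted.
    param([string]$Value)
    (($Value -split ',') | ForEach-Object { $_.Trim() } | Sort-Object) -join ','
}

function Compare-SecurityTemplate {
    # Every setting the baseline defines, with the local value next to it and a Match flag.
    param(
        [hashtable]$Baseline,
        [hashtable]$Local,
        [string[]]$Sections = @('System Access', 'Event Audit', 'Registry Values', 'Privilege Rights')
    )
    foreach ($s in $Sections) {
        if (-not $Baseline.ContainsKey($s)) { continue }
        foreach ($k in $Baseline[$s].Keys) {
            $expected = $Baseline[$s][$k]
            $present  = $Local.ContainsKey($s) -and $Local[$s].ContainsKey($k)
            $actual   = if ($present) { $Local[$s][$k] } else { '<not set>' }
            $match    = $present -and ((Normalize-TemplateValue $expected) -eq (Normalize-TemplateValue $actual))
            [pscustomobject]@{ Section = $s; Setting = $k; Expected = $expected; Actual = $actual; Match = $match }
        }
    }
}

$LocalInf = Join-Path $env:TEMP 'local-secpol.inf'
secedit /export /cfg $LocalInf | Out-Null   # writes the effective local security policy (UTF-16 INF)

$report = Compare-SecurityTemplate -Baseline (ConvertFrom-SecurityTemplate $BaselineInf) `
                                   -Local    (ConvertFrom-SecurityTemplate $LocalInf)
$report | Where-Object { -not $_.Match } | Format-Table -AutoSize
"$(@($report | Where-Object Match).Count) of $($report.Count) baseline settings match"
Remove-Item $LocalInf -ErrorAction SilentlyContinue
```

Because secedit reports what is actually in the local security database, the output reflects effective policy, which is what an automated drift check wants; a non-zero mismatch count from this script is a usable exit condition for a scheduled task.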
Security Baselines for Linux
Currently only Windows OS is in scope of the Security Baseline assessments. Are there any plans to expand it to Linux (Red Hat) as well? I mean, our organization has deployed Defender on Linux, so it might be possible Microsoft will support this on Linux OSes as well. Thanks, Dragi
amazingdragi, Jun 20, 2022 (Copper Contributor). 2.8K views, 2 likes, 5 comments
UAC elevation prompt for standard users
MSFT Windows 10 21H2 - Computer has the following setting recommendation:
Policy: User Account Control: Behavior of the elevation prompt for standard users
Setting: Automatically deny elevation requests
How do I provide support if I need to install software that requires Run as Administrator permissions? Will I need to switch user to the Administrator, and install the software?
andreaskrovel, Mar 23, 2022 (Copper Contributor). 4.9K views, 2 likes, 12 comments
Security baseline with Hyper-V default switch
Continued from old TechNet blog discussion... Thanks Aaron Margosis. I've figured out what is preventing clipboard file copying. It is the GPO setting "Do not allow drive redirection" (Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection). Haven't figured out why applying the security baseline disables guest VM network connectivity through the "Default Switch" (automatically created on Client Hyper-V), but a solution is to connect guest VMs directly to the external network adapter using the "External Switch".
UPDATE: Network connectivity issues caused by GPO blocking local firewall rules (inbound allow rules are needed for Default Switch to work, see below discussion).
Deleted, Jul 17, 2019. 8.3K views, 1 like, 5 comments
How can I safely implement required LDAP signing?
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network...
"If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts."
Given this - how in the world can you safely implement this? It seems to me that unless everything is processed right at the same time - you're guaranteed to have some clients that cannot communicate to even get Group Policy anymore?
Solved. ajm-b, Jun 24, 2019 (Brass Contributor). 7.5K views, 1 like, 7 comments
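Added example, not part of ajm-b's post or of the baseline: a PowerShell script for the measuring step that makes the cutover safe. Domain controllers can log event 2889 in the Directory Service log for every SASL bind that did not request signing and every simple bind sent in cleartext; that logging is off until the NTDS diagnostic "16 LDAP Interface Events" is set to 2. The script turns that diagnostic on, reads the DC's current LDAPServerIntegrity value (1 = none, 2 = require signing), and after a collection period summarizes the 2889 events by client, identity and bind type, which is the list of systems that would break under "Require signing". The registry locations and event ID are the documented ones; the 7-day window is an assumption. Run elevated on each domain controller.

```powershell
# Added example (not from the original post). Audit unsigned LDAP binds on a DC before requiring signing.
# Run elevated on the domain controller. Event 2889 is only logged once the diagnostic below is enabled.

$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapBindAudit {
    # "16 LDAP Interface Events" = 2 makes the DC log 2889 per offending bind (and a periodic 2887 summary).
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-LdapServerIntegrity {
    # LDAPServerIntegrity: 1 = none (default when the value is absent), 2 = require signing.
    $v = (Get-ItemProperty -Path $NtdsParams -ErrorAction SilentlyContinue).LDAPServerIntegrity
    if ($null -eq $v) { 1 } else { [int]$v }
}

function Get-UnsignedLdapBinds {
    # Parses 2889 events: client address, identity, and binding type
    # (0 = SASL bind without signing, 1 = simple bind over cleartext).
    param([int]$Days = 7)   # window is an assumption
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = if ($m -match 'Client IP address:\s*(\S+)') { $Matches[1] -replace ':\d+$', '' } else { '' }
            Identity = if ($m -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
            BindType = if ($m -match 'Binding Type:\s*(\d+)') {
                           if ($Matches[1] -eq '0') { 'SASL-unsigned' } else { 'Simple-cleartext' }
                       } else { '' }
        }
    }
}

Enable-LdapBindAudit
"LDAPServerIntegrity on this DC: $(Get-LdapServerIntegrity)  (1 = none, 2 = require signing)"

# After the collection period: who would break, and how they bind. Fix or isolate these before flipping the server setting.
Get-UnsignedLdapBinds -Days 7 | Group-Object Client, Identity, BindType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The worry in the question is narrower than it looks: the client-side policy ("Network security: LDAP client signing requirements") defaults to Negotiate signing on Windows, so domain-joined Windows clients that were never set to None keep working when the DC starts requiring it. What the 2889 list surfaces are the exceptions: appliances, Linux or Java applications doing simple binds, and anything explicitly configured not to sign. Those are the only systems that need attention before the server value goes to 2.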
Tags
- security baseline (21 topics)
- security (11 topics)
- windows (11 topics)
- security compliance toolkit (7 topics)
- compliance (5 topics)
- microsoft 365 (3 topics)
- updates (2 topics)
- guides (2 topics)
- Microsoft Edge (1 topic)
- final (1 topic)