Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1023093%22%20slang%3D%22en-US%22%3ESecurity%20baseline%20(FINAL)%20for%20Windows%2010%20v1909%20and%20Windows%20Server%20v1909%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1023093%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20is%20pleased%20to%20announce%20the%20%3CEM%3Efinal%20%3C%2FEM%3Erelease%20of%20the%20security%20configuration%20baseline%20settings%20for%20Windows%2010%20version%201909%20(a.k.a.%2C%20%E2%80%9C19H2%E2%80%9D)%2C%20and%20for%20Windows%20Server%20version%201909.%20Note%20that%20Windows%20Server%20version%201909%20is%20Server%20Core%20only%20and%20does%20not%20offer%20a%20Desktop%20Experience%20(a.k.a.%2C%20%E2%80%9Cfull%E2%80%9D)%20server%20installation%20option.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDownload%20the%20content%20from%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fdownload%2Fdetails.aspx%3Fid%3D55319%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Security%20Compliance%20Toolkit%3C%2FA%3E%20(click%20Download%20and%20select%20%E2%80%9CWindows%2010%20Version%201909%20and%20Windows%20Server%20Version%201909%20Security%20Baseline.zip%E2%80%9D).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20new%20Windows%20Feature%20Update%20brings%20very%20few%20new%20Group%20Policy%20settings%2C%20which%20we%20list%20in%20the%20accompanying%20documentation.%20None%20of%20them%20meet%20the%20criteria%20for%20inclusion%20in%20the%20baseline%20(which%20are%20reiterated%20below)%2C%20but%20customers%20interested%20in%20controlling%20the%20use%20of%20USB%20drives%20and%20other%20devices%20should%20be%20interested%20in%20the%20new%20and%20very%20granular%20device%20installation%20restrictions.%20More%20about%20that%20later%20in%20this%20post.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20few%20changes%20we%20are%20making%20in%20the%20baseline%20since%20the%20September%20update%20to%20the%20version%201903%20baselines%20are%20to%20remove%20a%20few%20settings%20that%20we%20have%20reevaluated%3A%20the%20restrictions%20on%20Thunderbolt%20devices%20in%20the%20BitLocker%20GPO%2C%20the%20enforcement%20of%20the%20default%20machine%20account%20password%20expiration%20for%20domain-joined%20systems%2C%20and%20the%20removal%20of%20the%20previously-recommended%20Exploit%20Protection%20settings.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E%5BAddendum%5D%3C%2FEM%3E%3A%20In%20this%20baseline%20we%20have%20also%20removed%20the%20enforcement%20of%20the%20%22%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EManage%20auditing%20and%20security%20log%3C%2FFONT%3E%22%20privilege%20(SeSecurityPrivilege)%20on%20Domain%20Controllers%20because%20when%20Microsoft%20Exchange%20is%20installed%20it%20needs%20to%20grant%20this%20privilege%20to%20the%20Exchange%20Servers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3EBaseline%20criteria%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3E%26nbsp%3B%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ETo%20reiterate%2C%20we%20follow%20a%20streamlined%20and%20efficient%20approach%20to%20baseline%20definition%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fsecguide%2F2015%2F11%2F18%2Fchanges-from-the-windows-8-1-baseline-to-the-windows-10-th11507-baseline%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewhen%20compared%20with%20the%20baselines%20we%20published%20before%20Windows%2010%3C%2FA%3E.%20The%20foundation%20of%20that%20approach%20is%20essentially%20this%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EThe%20baselines%20are%20designed%20for%20well-managed%2C%20security-conscious%20organizations%20in%20which%20standard%20end%20users%20do%20not%20have%20administrative%20rights.%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EA%20baseline%20enforces%20a%20setting%20only%20if%20it%20mitigates%20a%20contemporary%20security%20threat%20%3CEM%3Eand%3C%2FEM%3E%20does%20not%20cause%20operational%20issues%20that%20are%20worse%20than%20the%20risks%20they%20mitigate.%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EA%20baseline%20enforces%20a%20default%20only%20if%20it%20is%20otherwise%20likely%20to%20be%20set%20to%20an%20insecure%20state%20by%20an%20authorized%20user%3A%3C%2FLI%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EIf%20a%20non-administrator%20can%20set%20an%20insecure%20state%2C%20enforce%20the%20default.%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EIf%20setting%20an%20insecure%20state%20requires%20administrative%20rights%2C%20enforce%20the%20default%20only%20if%20it%20is%20%3CEM%3Elikely%3C%2FEM%3E%20that%20a%20misinformed%20administrator%20will%20otherwise%20choose%20poorly.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FUL%3E%0A%3CP%3EFor%20further%20illustration%2C%20see%20the%20%E2%80%9CWhy%20aren%E2%80%99t%20we%20enforcing%20more%20defaults%3F%E2%80%9D%20section%20in%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fsecguide%2F2015%2F11%2F18%2Fchanges-from-the-windows-8-1-baseline-to-the-windows-10-th11507-baseline%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20blog%20post%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3EThunderbolt%20devices%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CU%3E%26nbsp%3B%3C%2FU%3E%3C%2FP%3E%0A%3CP%3EFirst%20published%20in%202011%2C%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fkb%2F2516445%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Knowledge%20Base%20article%202516445%3C%2FA%3E%20describes%20device%20installation%20restrictions%20for%20certain%20types%20of%20devices%20to%20mitigate%20DMA%20threats%20to%20BitLocker%2C%20including%20Thunderbolt%20devices.%20The%20BitLocker%20GPOs%20in%20our%20baselines%20have%20included%20these%20restrictions.%20Because%20Thunderbolt%20is%20popular%2C%20and%20newer%20computers%20can%20now%20mitigate%20that%20threat%20with%20kernel%20DMA%20protection%20%E2%80%93%20also%20in%20our%20baseline%20%E2%80%93%20we%20are%20removing%20the%20Thunderbolt%20restriction%20from%20our%20baseline.%20Customers%20on%20platforms%20that%20do%20not%20support%20kernel%20DMA%20protection%20can%20choose%20to%20continue%20blocking%20Thunderbolt%2C%20but%20we%20are%20no%20longer%20including%20it%20in%20our%20broad%20recommendations%20for%20all%20customers.%20For%20more%20information%2C%20see%20the%20KB%20article%20linked%20above%20and%20the%20articles%20to%20which%20it%20links.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3EMachine%20account%20password%20expiration%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3E%26nbsp%3B%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EIn%20Active%20Directory%2C%20each%20domain-joined%20computer%20has%20an%20Active%20Directory%20account%20with%20a%20strong%2C%20randomly-generated%20password.%20By%20default%2C%20these%20machine%20account%20passwords%20have%20a%2030-day%20expiration%2C%20and%20computers%20automatically%20change%20their%20own%20passwords%20without%20any%20user%20involvement.%20Our%20baselines%20have%20always%20enforced%20these%20defaults.%20Note%20that%20reducing%20the%20expiration%20period%20will%20result%20in%20additional%20replication%20traffic.%20Also%20note%20that%20unlike%20with%20user%20account%20passwords%2C%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Faskds%2F2009%2F02%2F15%2Fmachine-account-password-process-2%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAD%20doesn%E2%80%99t%20actually%20enforce%20password%20expiration%20for%20computer%20accounts%3C%2FA%3E.%20Password%20expiration%20and%20change%20is%20driven%20entirely%20by%20client%20systems.%20The%20password%20remains%20valid%20until%20it%20gets%20changed%2C%20irrespective%20of%20how%20%E2%80%9CDomain%20member%3A%20Maximum%20machine%20account%20password%20age%E2%80%9D%20is%20configured.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20problem%20that%20occasionally%20crops%20up%20is%20that%20when%20a%20domain-joined%20virtual%20machine%20is%20reverted%20to%20an%20earlier%20state%20that%20is%20prior%20to%20its%20most%20recent%20password%20change%2C%20the%20older%20password%20is%20no%20longer%20recognized%20by%20the%20domain%20controller%2C%20the%20computer%20has%20no%20way%20to%20authenticate%20to%20the%20domain%2C%20and%20it%20thus%20loses%20domain%20trust.%20Domain%20accounts%20cannot%20authenticate%20to%20it%20remotely%2C%20and%20interactive%20logon%20with%20a%20domain%20account%20works%20only%20if%20the%20computer%20has%20a%20cached%20credential%20verifier%20for%20the%20account%20and%20the%20person%20logging%20in%20remembers%20which%20password%20was%20used%20when%20its%20verifier%20was%20cached.%20Typically%20when%20this%20happens%2C%20a%20LAPS-managed%20local%20account%20cannot%20be%20used%20either%2C%20as%20the%20local%20account%20password%20will%20also%20have%20been%20reverted%20and%20not%20match%20the%20newer%20one%20stored%20in%20Active%20Directory.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENon-persistent%20VDI%20implementations%20and%20devices%20with%20write%20filters%20that%20disallow%20permanent%20changes%20to%20the%20OS%20volume%20are%20also%20examples%20of%20scenarios%20where%20machine%20account%20password%20expiration%20is%20problematic.%20When%20such%20systems%20change%20their%20passwords%20in%20Active%20Directory%20and%20then%20revert%20to%20their%20previous%20passwords%2C%20they%20can%20no%20longer%20authenticate.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20absence%20of%20issues%20such%20as%20these%2C%20we%20recommend%20leaving%20the%20default%2030-day%20expiration%20in%20place.%20But%20following%20the%20baseline%20criteria%20stated%20above%2C%20we%20are%20removing%20the%20explicit%20enforcement%20of%20those%20defaults%20from%20our%20baselines.%20Situations%20that%20necessitate%20disabling%20machine%20account%20password%20expiration%20can%20now%20be%20handled%20without%20being%20out%20of%20compliance%20with%20our%20baselines.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20risks%20of%20turning%20off%20machine%20account%20password%20expiration%20are%20relatively%20low.%20To%20steal%20a%20computer%20account%20password%2C%20you%20must%20first%20have%20already%20gained%20full%20administrative%20control%20of%20the%20computer.%20Having%20a%20computer%20account%E2%80%99s%20password%20gives%20you%20only%20the%20ability%20to%20act%20as%20that%20computer%20on%20the%20network%20from%20other%20systems.%20For%20example%2C%20if%20Mary%20gets%20administrative%20control%20of%20CONTOSO%5CCOMPUTER_ONE%20and%20extracts%20its%20domain%20account%20password%20(which%20is%20stored%20as%20an%20LSA%20secret)%2C%20she%20can%20then%20connect%20to%20domain%20resources%20from%20CONTOSO%5CCOMPUTER_TEN%20but%20pretending%20to%20be%20CONTOSO%5CCOMPUTER_ONE.%20Default%20password%20expiration%20policy%20would%20limit%20her%20ability%20to%20do%20so%20to%20a%20maximum%20of%2030%20days.%20However%2C%20given%20that%20she%20had%20full%20control%20of%20COMPUTER_ONE%2C%20she%20could%20presumably%20go%20back%20in%20and%20retrieve%20its%20new%20password%2C%20or%20have%20applied%20nefarious%20techniques%20to%20disable%20password%20change%2C%20keeping%20the%20password%20valid%20indefinitely.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3EExploit%20Protection%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3E%26nbsp%3B%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EBecause%20of%20reported%20compatibility%20issues%20with%20the%20Exploit%20Protection%20settings%20that%20we%20began%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fsecguide%2F2017%2F10%2F18%2Fsecurity-baseline-for-windows-10-fall-creators-update-v1709-final%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eincorporating%20with%20the%20Windows%2010%20v1709%20baselines%3C%2FA%3E%2C%20we%20have%20elected%20to%20remove%20the%20settings%20from%20the%20baseline%20and%20to%20provide%20a%20script%20for%20removing%20the%20settings%20from%20machines%20that%20have%20had%20those%20settings%20applied.%20(See%20Remove-EPBaselineSettings.ps1%20in%20the%20download%20package%E2%80%99s%20Scripts%20folder.)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3ENew%20device%20installation%20restrictions%20available%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3E%26nbsp%3B%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EFor%20many%20years%2C%20Windows%20has%20enabled%20administrators%20to%20allow%20or%20block%20devices%20such%20as%20external%20USB%20drives%20based%20on%20attributes%20such%20as%20vendor%20and%20product%20IDs.%20Windows%20now%20also%20enables%20control%20at%20a%20far%20more%20granular%20level%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-hardware%2Fdrivers%2Finstall%2Fdevice-instance-ids%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edevice%20instance%20IDs%3C%2FA%3E.%20For%20example%2C%20you%20could%20have%20ten%20identical%20thumb%20drives%20of%20the%20same%20brand%2C%20model%2C%20and%20capacity%2C%20pick%20two%20of%20them%2C%20and%20create%20a%20policy%20that%20allows%20just%20those%20to%20be%20mounted%3B%20the%20others%20would%20be%20blocked.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBecause%20the%20way%20these%20settings%20would%20be%20configured%20are%20always%20specific%20to%20each%20customer%E2%80%99s%20situation%2C%20we%20don%E2%80%99t%20configure%20them%20in%20our%20baselines.%20But%20we%20wanted%20to%20highlight%20their%20availability%20as%20a%20major%20improvement%20in%20Windows%E2%80%99%20device%20control.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20configure%20the%20new%20%E2%80%9CAllow%20installation%20of%20devices%20that%20match%20any%20of%20these%20device%20instance%20IDs%E2%80%9D%20and%20%E2%80%9CPrevent%20installation%20of%20devices%20that%20match%20any%20of%20these%20device%20instance%20IDs%E2%80%9D%20Group%20Policy%20settings%20in%20Computer%20Configuration%5CAdministrative%20Templates%5CSystem%5CDevice%20Installation%5CDevice%20Installation%20Restrictions.%20For%20more%20information%2C%20also%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fdevice-control%2Fcontrol-usb-devices-using-intune%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EHow%20to%20control%20USB%20devices%20and%20other%20removable%20media%20using%20Microsoft%20Defender%20ATP%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1023093%22%20slang%3D%22en-US%22%3E%3CP%3EAnnouncing%20the%20release%20of%20the%20security%20baseline%20for%20Windows%2010%20v1909%20and%20Windows%20Server%20v1909.%20Relatively%20minor%20changes%20since%20the%20v1903%20baselines%2C%20but%20removing%20blocks%20on%20Thunderbolt%20devices%2C%20removing%20enforcement%20of%20machine%20account%20password%20expiration%2C%20and%20removal%20of%20Exploit%20Protection%20settings%20from%20the%20baseline.%20This%20announcement%20also%20describes%20newly-available%20device%20installation%20restrictions.%20Read%20the%20full%20post%20for%20details.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1023495%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20(FINAL)%20for%20Windows%2010%20v1909%20and%20Windows%20Server%20v1909%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1023495%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20all%20the%20information%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1024918%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20(FINAL)%20for%20Windows%2010%20v1909%20and%20Windows%20Server%20v1909%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1024918%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20good%20to%20hear%20you're%20removing%20the%20Exploit%20Protection%20settings%20because%20those%20were%20causing%20more%20harm%20than%20good%E2%80%A6%20Any%20timeframe%20on%20when%20you're%20updating%20MDM%20Security%20Baseline%20for%20version%201909%20in%20Intune%20as%20well%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1025093%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20(FINAL)%20for%20Windows%2010%20v1909%20and%20Windows%20Server%20v1909%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1025093%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20to%20hear%20the%20loosening%20of%20computer%20account%20password%20expiration.%26nbsp%3B%20IMHO%2C%20computer%20account%20expiration%20policies%20just%20make%20it%20more%20likely%20that%20over%20time%20more%20and%20more%20machines%20will%20become%20non-compliant%20with%20important%20security%20settings%20pushed%20out%20via%20GPO.%26nbsp%3B%20Ensuring%20that%20a%20higher%20%25%20of%20machines%20are%20getting%20up-to-date%20GPO%20settings%20is%2C%20IMHO%2C%20more%20important%20than%20the%20risk%20of%20an%20attacker%20being%20given%20the%20access%20of%20a%20single%20computer%20account%3B%20if%20they%20can%20compromise%20one%20machine%20to%20local%20admin%2Fsystem%2C%20they%20probably%20already%20have%20a%20regular%20everyday%20account%20to%20use%20of%20equal%20or%20greater%20privilege%2C%20anyway.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1032976%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20(FINAL)%20for%20Windows%2010%20v1909%20and%20Windows%20Server%20v1909%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1032976%22%20slang%3D%22en-US%22%3E%3CP%3EMoin%20from%20Germany%2C%3C%2FP%3E%0A%3CP%3EI%20read%20the%20change%20regarding%20Exploit%20Protection%20in%20the%20blog%20article.%20I%20also%20saw%20the%20remove%20script%20in%20the%20download%20package%3CBR%20%2F%3EBut%20which%20setting%20regarding%20the%20Exploit%20Protection%20within%20the%20GPOs%20has%20changed%3F%20I%20don't%20see%20anything%20there%20in%20the%20change%20history.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F158937i6A985E528211B77E%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSTRONG%3E%5BAaron%20Margosis%5D%20Good%20question.%20The%20way%20Exploit%20Protection%20(EP)%20is%20intended%20to%20be%20deployed%20through%20Group%20Policy%20is%20with%20the%20%22%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EUse%20a%20common%20set%20of%20exploit%20protection%20settings%3C%2FFONT%3E%22%20setting%20in%20%22Computer%20Configuration%5CAdministrative%20Templates%5C%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EWindows%20Components%5CWindows%20Defender%20Exploit%20Guard%5CExploit%20Protection.%22%20You%20configure%20that%20setting%20with%20the%20full%20path%20to%20an%20XML%20file%20(specific%20path%20is%20up%20to%20you%2C%20for%20example%20on%20a%20file%20share)%20that%20contains%20EP%20configuration%20settings.%20We%20could%20never%20include%20that%20directly%20in%20the%20baselines%20because%20we%20can't%20specify%20a%20path%20that%20works%20for%20everyone.%20If%20you%20never%20deployed%20that%20XML%20file%20then%20you%20don't%20need%20to%20do%20anything%20to%20undo%20its%20effects!%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1065120%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20(FINAL)%20for%20Windows%2010%20v1909%20and%20Windows%20Server%20v1909%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1065120%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20you%20please%20shed%20light%2C%20as%20an%20industry%20best%20practice%20%2C%20would%20you%20recommend%20the%20setting%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBecause%20of%20reported%20compatibility%20issues%26nbsp%3B%20-%20This%20is%20contextual%26nbsp%3B%20do%20you%20mind%20sharing%20all%20the%20reported%20compatibility%20issues.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20understood%20this%20for%20an%20enterprise%2C%20this%20is%20a%20valid%20setting%20%2C%20so%20all%20known%20programs%20can%20get%20the%20wavier%20through%20a%20controlled%20process%2C%20or%20certified%20by%20Microsoft%20%2C%20we%20could%20make%20a%20GPO%20to%20wave%20certain%20exploit%20settings%20for%20the%20programs%20hosted%20under%20program%20files.%20For%20users%20who%20download%20from%20www%20%2C%20all%20the%20exploit%20settings%20should%20apply%20by%20default%2C%20I%20was%20tending%20towards%20this%20thinking.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20please%20share%20%2C%20how%20Microsoft%20populates%20by%20default%20a%20bunch%20of%20.exe%20%2C%20if%20a%20vendor%20reaches%20out%20to%20us%20with%20an%20.exe%2C%20is%20there%20a%20a%20way%20for%20users%20within%20enterprise%20to%20certify%20that%20.exe%20is%20harmless%26nbsp%3B%20and%20include%20in%20the%20list%20of%20trusted.%20How%20does%20Microsoft%20go%20about%20certifying%20for%20the%20overrides.%3C%2FP%3E%3CP%3EPlease%20share%20your%20views%20on%20this%20topic.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1909 (a.k.a., “19H2”), and for Windows Server version 1909. Note that Windows Server version 1909 is Server Core only and does not offer a Desktop Experience (a.k.a., “full”) server installation option.

 

Download the content from the Microsoft Security Compliance Toolkit (click Download and select “Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline.zip”).

 

This new Windows Feature Update brings very few new Group Policy settings, which we list in the accompanying documentation. None of them meet the criteria for inclusion in the baseline (which are reiterated below), but customers interested in controlling the use of USB drives and other devices should be interested in the new and very granular device installation restrictions. More about that later in this post.

 

The few changes we are making in the baseline since the September update to the version 1903 baselines are to remove a few settings that we have reevaluated: the restrictions on Thunderbolt devices in the BitLocker GPO, the enforcement of the default machine account password expiration for domain-joined systems, and the removal of the previously-recommended Exploit Protection settings.

 

[Addendum]: In this baseline we have also removed the enforcement of the "Manage auditing and security log" privilege (SeSecurityPrivilege) on Domain Controllers because when Microsoft Exchange is installed it needs to grant this privilege to the Exchange Servers.

 

Baseline criteria

 

To reiterate, we follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially this:

 

  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks they mitigate.
  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.

For further illustration, see the “Why aren’t we enforcing more defaults?” section in this blog post.

 

Thunderbolt devices

 

First published in 2011, Microsoft Knowledge Base article 2516445 describes device installation restrictions for certain types of devices to mitigate DMA threats to BitLocker, including Thunderbolt devices. The BitLocker GPOs in our baselines have included these restrictions. Because Thunderbolt is popular, and newer computers can now mitigate that threat with kernel DMA protection – also in our baseline – we are removing the Thunderbolt restriction from our baseline. Customers on platforms that do not support kernel DMA protection can choose to continue blocking Thunderbolt, but we are no longer including it in our broad recommendations for all customers. For more information, see the KB article linked above and the articles to which it links.

 

Machine account password expiration

 

In Active Directory, each domain-joined computer has an Active Directory account with a strong, randomly-generated password. By default, these machine account passwords have a 30-day expiration, and computers automatically change their own passwords without any user involvement. Our baselines have always enforced these defaults. Note that reducing the expiration period will result in additional replication traffic. Also note that unlike with user account passwords, AD doesn’t actually enforce password expiration for computer accounts. Password expiration and change is driven entirely by client systems. The password remains valid until it gets changed, irrespective of how “Domain member: Maximum machine account password age” is configured.

 

A problem that occasionally crops up is that when a domain-joined virtual machine is reverted to an earlier state that is prior to its most recent password change, the older password is no longer recognized by the domain controller, the computer has no way to authenticate to the domain, and it thus loses domain trust. Domain accounts cannot authenticate to it remotely, and interactive logon with a domain account works only if the computer has a cached credential verifier for the account and the person logging in remembers which password was used when its verifier was cached. Typically when this happens, a LAPS-managed local account cannot be used either, as the local account password will also have been reverted and not match the newer one stored in Active Directory.

 

Non-persistent VDI implementations and devices with write filters that disallow permanent changes to the OS volume are also examples of scenarios where machine account password expiration is problematic. When such systems change their passwords in Active Directory and then revert to their previous passwords, they can no longer authenticate.

 

In the absence of issues such as these, we recommend leaving the default 30-day expiration in place. But following the baseline criteria stated above, we are removing the explicit enforcement of those defaults from our baselines. Situations that necessitate disabling machine account password expiration can now be handled without being out of compliance with our baselines.

 

The risks of turning off machine account password expiration are relatively low. To steal a computer account password, you must first have already gained full administrative control of the computer. Having a computer account’s password gives you only the ability to act as that computer on the network from other systems. For example, if Mary gets administrative control of CONTOSO\COMPUTER_ONE and extracts its domain account password (which is stored as an LSA secret), she can then connect to domain resources from CONTOSO\COMPUTER_TEN but pretending to be CONTOSO\COMPUTER_ONE. Default password expiration policy would limit her ability to do so to a maximum of 30 days. However, given that she had full control of COMPUTER_ONE, she could presumably go back in and retrieve its new password, or have applied nefarious techniques to disable password change, keeping the password valid indefinitely.

 

Exploit Protection

 

Because of reported compatibility issues with the Exploit Protection settings that we began incorporating with the Windows 10 v1709 baselines, we have elected to remove the settings from the baseline and to provide a script for removing the settings from machines that have had those settings applied. (See Remove-EPBaselineSettings.ps1 in the download package’s Scripts folder.)

 

New device installation restrictions available

 

For many years, Windows has enabled administrators to allow or block devices such as external USB drives based on attributes such as vendor and product IDs. Windows now also enables control at a far more granular level: device instance IDs. For example, you could have ten identical thumb drives of the same brand, model, and capacity, pick two of them, and create a policy that allows just those to be mounted; the others would be blocked.

 

Because the way these settings would be configured are always specific to each customer’s situation, we don’t configure them in our baselines. But we wanted to highlight their availability as a major improvement in Windows’ device control.

 

You can configure the new “Allow installation of devices that match any of these device instance IDs” and “Prevent installation of devices that match any of these device instance IDs” Group Policy settings in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. For more information, also see How to control USB devices and other removable media using Microsoft Defender ATP.

5 Comments

Thanks for all the information :cool:

New Contributor

Hi, good to hear you're removing the Exploit Protection settings because those were causing more harm than good… Any timeframe on when you're updating MDM Security Baseline for version 1909 in Intune as well?

Microsoft

Good to hear the loosening of computer account password expiration.  IMHO, computer account expiration policies just make it more likely that over time more and more machines will become non-compliant with important security settings pushed out via GPO.  Ensuring that a higher % of machines are getting up-to-date GPO settings is, IMHO, more important than the risk of an attacker being given the access of a single computer account; if they can compromise one machine to local admin/system, they probably already have a regular everyday account to use of equal or greater privilege, anyway.

New Contributor

Moin from Germany,

I read the change regarding Exploit Protection in the blog article. I also saw the remove script in the download package
But which setting regarding the Exploit Protection within the GPOs has changed? I don't see anything there in the change history.

 

 

 

clipboard_image_0.png

 

[Aaron Margosis] Good question. The way Exploit Protection (EP) is intended to be deployed through Group Policy is with the "Use a common set of exploit protection settings" setting in "Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection." You configure that setting with the full path to an XML file (specific path is up to you, for example on a file share) that contains EP configuration settings. We could never include that directly in the baselines because we can't specify a path that works for everyone. If you never deployed that XML file then you don't need to do anything to undo its effects!

 

 

Occasional Visitor

Can you please shed light, as an industry best practice , would you recommend the setting?

 

Because of reported compatibility issues  - This is contextual  do you mind sharing all the reported compatibility issues.

 

I understood this for an enterprise, this is a valid setting , so all known programs can get the wavier through a controlled process, or certified by Microsoft , we could make a GPO to wave certain exploit settings for the programs hosted under program files. For users who download from www , all the exploit settings should apply by default, I was tending towards this thinking.

 

Also please share , how Microsoft populates by default a bunch of .exe , if a vendor reaches out to us with an .exe, is there a a way for users within enterprise to certify that .exe is harmless  and include in the list of trusted. How does Microsoft go about certifying for the overrides.

Please share your views on this topic.