cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909
By
Aaron Margosis
Published Nov 20 2019 03:24 PM 85.7K Views
Aaron Margosis
Former Employee
‎Nov 20 2019 03:24 PM

Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909

‎Nov 20 2019 03:24 PM

Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1909 (a.k.a., “19H2”), and for Windows Server version 1909. Note that Windows Server version 1909 is Server Core only and does not offer a Desktop Experience (a.k.a., “full”) server installation option.

 

Download the content from the Microsoft Security Compliance Toolkit (click Download and select “Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline.zip”).

 

This new Windows Feature Update brings very few new Group Policy settings, which we list in the accompanying documentation. None of them meet the criteria for inclusion in the baseline (which are reiterated below), but customers interested in controlling the use of USB drives and other devices should be interested in the new and very granular device installation restrictions. More about that later in this post.

 

The few changes we are making in the baseline since the September update to the version 1903 baselines are to remove a few settings that we have reevaluated: the restrictions on Thunderbolt devices in the BitLocker GPO, the enforcement of the default machine account password expiration for domain-joined systems, and the removal of the previously-recommended Exploit Protection settings.

 

[Addendum]: In this baseline we have also removed the enforcement of the "Manage auditing and security log" privilege (SeSecurityPrivilege) on Domain Controllers because when Microsoft Exchange is installed it needs to grant this privilege to the Exchange Servers.

 

Baseline criteria

 

To reiterate, we follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially this:

 

  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks they mitigate.
  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.

For further illustration, see the “Why aren’t we enforcing more defaults?” section in this blog post.

 

Thunderbolt devices

 

First published in 2011, Microsoft Knowledge Base article 2516445 describes device installation restrictions for certain types of devices to mitigate DMA threats to BitLocker, including Thunderbolt devices. The BitLocker GPOs in our baselines have included these restrictions. Because Thunderbolt is popular, and newer computers can now mitigate that threat with kernel DMA protection – also in our baseline – we are removing the Thunderbolt restriction from our baseline. Customers on platforms that do not support kernel DMA protection can choose to continue blocking Thunderbolt, but we are no longer including it in our broad recommendations for all customers. For more information, see the KB article linked above and the articles to which it links.

 

Machine account password expiration

 

In Active Directory, each domain-joined computer has an Active Directory account with a strong, randomly-generated password. By default, these machine account passwords have a 30-day expiration, and computers automatically change their own passwords without any user involvement. Our baselines have always enforced these defaults. Note that reducing the expiration period will result in additional replication traffic. Also note that unlike with user account passwords, AD doesn’t actually enforce password expiration for computer accounts. Password expiration and change is driven entirely by client systems. The password remains valid until it gets changed, irrespective of how “Domain member: Maximum machine account password age” is configured.

 

A problem that occasionally crops up is that when a domain-joined virtual machine is reverted to an earlier state that is prior to its most recent password change, the older password is no longer recognized by the domain controller, the computer has no way to authenticate to the domain, and it thus loses domain trust. Domain accounts cannot authenticate to it remotely, and interactive logon with a domain account works only if the computer has a cached credential verifier for the account and the person logging in remembers which password was used when its verifier was cached. Typically when this happens, a LAPS-managed local account cannot be used either, as the local account password will also have been reverted and not match the newer one stored in Active Directory.

 

Non-persistent VDI implementations and devices with write filters that disallow permanent changes to the OS volume are also examples of scenarios where machine account password expiration is problematic. When such systems change their passwords in Active Directory and then revert to their previous passwords, they can no longer authenticate.

 

In the absence of issues such as these, we recommend leaving the default 30-day expiration in place. But following the baseline criteria stated above, we are removing the explicit enforcement of those defaults from our baselines. Situations that necessitate disabling machine account password expiration can now be handled without being out of compliance with our baselines.

 

The risks of turning off machine account password expiration are relatively low. To steal a computer account password, you must first have already gained full administrative control of the computer. Having a computer account’s password gives you only the ability to act as that computer on the network from other systems. For example, if Mary gets administrative control of CONTOSO\COMPUTER_ONE and extracts its domain account password (which is stored as an LSA secret), she can then connect to domain resources from CONTOSO\COMPUTER_TEN but pretending to be CONTOSO\COMPUTER_ONE. Default password expiration policy would limit her ability to do so to a maximum of 30 days. However, given that she had full control of COMPUTER_ONE, she could presumably go back in and retrieve its new password, or have applied nefarious techniques to disable password change, keeping the password valid indefinitely.

 

Exploit Protection

 

Because of reported compatibility issues with the Exploit Protection settings that we began incorporating with the Windows 10 v1709 baselines, we have elected to remove the settings from the baseline and to provide a script for removing the settings from machines that have had those settings applied. (See Remove-EPBaselineSettings.ps1 in the download package’s Scripts folder.)

 

New device installation restrictions available

 

For many years, Windows has enabled administrators to allow or block devices such as external USB drives based on attributes such as vendor and product IDs. Windows now also enables control at a far more granular level: device instance IDs. For example, you could have ten identical thumb drives of the same brand, model, and capacity, pick two of them, and create a policy that allows just those to be mounted; the others would be blocked.

 

Because the way these settings would be configured are always specific to each customer’s situation, we don’t configure them in our baselines. But we wanted to highlight their availability as a major improvement in Windows’ device control.

 

You can configure the new “Allow installation of devices that match any of these device instance IDs” and “Prevent installation of devices that match any of these device instance IDs” Group Policy settings in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. For more information, also see How to control USB devices and other removable media using Microsoft Defender ATP.

12 Comments
James van den Berg
MVP
‎Nov 20 2019 10:45 PM
‎Nov 20 2019 10:45 PM

Thanks for all the information :cool:

0 Likes
Like
Pavel Otych
Brass Contributor
‎Nov 21 2019 12:56 PM
‎Nov 21 2019 12:56 PM

Hi, good to hear you're removing the Exploit Protection settings because those were causing more harm than good… Any timeframe on when you're updating MDM Security Baseline for version 1909 in Intune as well?

Adam Arndt
Microsoft
‎Nov 21 2019 02:20 PM
‎Nov 21 2019 02:20 PM

Good to hear the loosening of computer account password expiration.  IMHO, computer account expiration policies just make it more likely that over time more and more machines will become non-compliant with important security settings pushed out via GPO.  Ensuring that a higher % of machines are getting up-to-date GPO settings is, IMHO, more important than the risk of an attacker being given the access of a single computer account; if they can compromise one machine to local admin/system, they probably already have a regular everyday account to use of equal or greater privilege, anyway.

0 Likes
Like
GerritEllmer
Brass Contributor
‎Nov 26 2019 01:10 AM
‎Nov 26 2019 01:10 AM

Moin from Germany,

I read the change regarding Exploit Protection in the blog article. I also saw the remove script in the download package
But which setting regarding the Exploit Protection within the GPOs has changed? I don't see anything there in the change history.

 

 

 

clipboard_image_0.png

 

[Aaron Margosis] Good question. The way Exploit Protection (EP) is intended to be deployed through Group Policy is with the "Use a common set of exploit protection settings" setting in "Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection." You configure that setting with the full path to an XML file (specific path is up to you, for example on a file share) that contains EP configuration settings. We could never include that directly in the baselines because we can't specify a path that works for everyone. If you never deployed that XML file then you don't need to do anything to undo its effects!

 

 

RavindraR
Copper Contributor
‎Dec 13 2019 05:46 AM
‎Dec 13 2019 05:46 AM

Can you please shed light, as an industry best practice , would you recommend the setting?

 

Because of reported compatibility issues  - This is contextual  do you mind sharing all the reported compatibility issues.

 

I understood this for an enterprise, this is a valid setting , so all known programs can get the wavier through a controlled process, or certified by Microsoft , we could make a GPO to wave certain exploit settings for the programs hosted under program files. For users who download from www , all the exploit settings should apply by default, I was tending towards this thinking.

 

Also please share , how Microsoft populates by default a bunch of .exe , if a vendor reaches out to us with an .exe, is there a a way for users within enterprise to certify that .exe is harmless  and include in the list of trusted. How does Microsoft go about certifying for the overrides.

Please share your views on this topic.

 

 

wroot
Silver Contributor
‎Dec 30 2019 05:41 AM
‎Dec 30 2019 05:41 AM

"EnableInstallerDetection" is 1 in the baselines. But the GPO itself says that it is 1 for home and 0 for enterprise. I'm running Policy Analyzer on Enterprise. So, is this setting now 1 for enterprises also?

 

[Aaron Margosis] It's always been 1 everywhere. 

0 Likes
Like
RavindraR
Copper Contributor
‎Dec 30 2019 06:01 AM
‎Dec 30 2019 06:01 AM

you are right, it is not default on enterprise, i am setting standards for 1809 and CIS says  , set it to 1 , but am interested the reason behind this rollback. 

I am planning to enforce this on my enterprise, since we have locked down on admin and would like to  know, how Microsoft populates by default a bunch of .exe , if a vendor reaches out to us with an .exe, is there a a way for users within enterprise to certify that .exe is harmless  and include in the list of trusted. How does Microsoft go about certifying for the overrides. Thanks, 

 

[Aaron Margosis] What rollback? EnableInstallerDetection has always been enabled.

I don't know what you're referring to with the rest of your question. We never make any assertion about "harmless" - if you're asking about why we configured EP for some apps (and similarly EMET several years ago) it was just that they were/are popular and could potentially have had exploitable vulnerabilities.

0 Likes
Like
wroot
Silver Contributor
‎Jan 02 2020 01:46 AM
‎Jan 02 2020 01:46 AM

I'm continuing to compare our settings to 1909 baselines and this one is weird also. So i get that MS is de-emphasizing passwords lately. So account lockout settings are less strict in baselines (10 bad logons, 15 minutes duration). But then password length is 14 chars. I wonder was it always 14 in the baselines? Why hasn't it changed along with less strict lockout settings?

 

[Aaron Margosis] The lockout settings are not a strict recommendation - just a starting point. See this link.

Re the password length: it's been 14 going back to the Windows 8 baseline (prior to that it was set to 12). As discussed here, we offer better alternatives (such as MFA and Azure AD Password Protection) but we don't have a way today to put that into these GPO-centered baselines. 

0 Likes
Like
Rob1956
Copper Contributor
‎Jan 06 2020 07:04 AM
‎Jan 06 2020 07:04 AM

Which baselines are used in Microsoft Advanced Threat Management for domain joined Windows10 PC's  and W1ndows2019 servers?

DugTan
Copper Contributor
‎Feb 05 2020 03:34 PM
‎Feb 05 2020 03:34 PM

Why are the MSBs still GPO specific? Only one of the new recommended settings "Let Windows apps activate with voice while the system is locked" seems to have made it into the Intune Security Baseline. "Turn off multicast name resolution" and "Turn off multicast name resolution". Nor does the Policy CSPs seem to have been updated to include them.

0 Likes
Like
AakashShah
Brass Contributor
‎Feb 10 2020 04:59 PM
‎Feb 10 2020 04:59 PM

LSA Protection Not Recommended?

 

I noticed that the Windows 10 security guides do not include configuring LSA protection at https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/confi....  Is there a reason for this?  We are considering enabling this in our organization, but don't want to configure this if it is no longer recommended by Microsoft.

 

If this question is better posed elsewhere, please let me know.

 

Thanks!

 

[Aaron Margosis] When this mitigation was introduced in Windows 8.1, there were some compatibility issues, and also, cred-theft tools very quickly found ways to bypass the protection. Credential Guard (introduced in Windows 10) is much stronger protection.

RippieUK
Brass Contributor
‎Apr 22 2020 03:46 AM
‎Apr 22 2020 03:46 AM

Hi team,

I would like to ask if there is a recommendation which security baseline to use?

For example Windows Server 2019 with a GUI I believe is only 1809 but the latest MSB is for 1909. Should I use 1809 MSB or 1909 MSB ??

0 Likes
Like
Version history
Last update:
‎Nov 20 2019 04:31 PM
Updated by: