Microsoft

We have updated our Windows 10 v1903 and Windows Server v1903 security configuration baseline recommendations to address some issues:

  • The first and most important change is that we are removing the Computer Configuration setting, “Enable svchost.exe mitigation options” (in System\Service Control Manager Settings\Security Settings) from the Windows 10 and Windows Server baselines at this time because of reports that in its current implementation it causes more compatibility issues than we had anticipated.
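  • We have also adjusted a few auditing settings in the Domain Controller baseline to align more closely with recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document (https://www.microsoft.com/en-us/download/details.aspx?id=52630), also reflected here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings. Those changes are: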

| Audit category | Audit subcategory | Was | Now |
|---|---|---|---|
| Audit Policy\Account Logon | Credential Validation | Success and Failure | Failure |
| Audit Policy\Account Logon | Kerberos Service Ticket Operations | | Failure |
| Audit Policy\DS Access | Directory Service Access | Success and Failure | Failure |
| Audit Policy\DS Access | Directory Service Changes | Success and Failure | Success |
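
To confirm that a Domain Controller has actually picked up the four "Now" values above, the following added example (not part of the baseline download or its scripts) compares `auditpol` report output with the table. The function name `Compare-AuditBaseline`, the host name `DC01` and the placeholder GUIDs are assumptions made for illustration; subcategory names are matched in English, so a localized OS needs the names adjusted.

```powershell
# Added example, not from the baseline package: exact-match check of the four
# Domain Controller audit subcategories against the "Now" column of the table.
$expected = [ordered]@{
    'Credential Validation'              = 'Failure'
    'Kerberos Service Ticket Operations' = 'Failure'
    'Directory Service Access'           = 'Failure'
    'Directory Service Changes'          = 'Success'
}

function Compare-AuditBaseline {   # hypothetical helper name
    param(
        # Lines produced by: auditpol /get /category:* /r   (CSV report format)
        [Parameter(Mandatory)] [string[]] $CsvLines,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    # Drop blank lines so the first remaining line is the CSV header.
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Expected.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            # Exact match only: a host auditing more than the baseline shows as
            # drift here, which is a difference from the baseline, not a weaker policy.
            Compliant   = ($actual -eq $Expected[$name])
        }
    }
}

# Constructed sample (not captured from a real system): a DC still on the
# previous values. The GUID column holds placeholders, not real subcategory GUIDs.
$g = '{00000000-0000-0000-0000-000000000000}'
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    "DC01,System,Credential Validation,$g,Success and Failure,"
    "DC01,System,Kerberos Service Ticket Operations,$g,No Auditing,"
    "DC01,System,Directory Service Access,$g,Success and Failure,"
    "DC01,System,Directory Service Changes,$g,Success,"
)
Compare-AuditBaseline -CsvLines $sample -Expected $expected | Format-Table -AutoSize

# On a live DC, from an elevated prompt:
# Compare-AuditBaseline -CsvLines (auditpol /get /category:* /r) -Expected $expected
```

With the constructed sample, only Directory Service Changes matches; the other three rows are reported as differing from the updated baseline.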

 

We have also added a Baseline-ADImport.ps1 PowerShell script to import all the baseline’s GPOs into Active Directory Group Policy, and improved other scripts, including preventing the local-policy script from running on Domain Controllers.

1 Comment
Visitor

Hi, I've just been playing around with the Windows 10 1903 computer baseline and noticed that "Prohibit use of Internet Connection Sharing on your DNS domain network" is configured, but according to the "Supported on" info for that setting it's only supported on Server 2003, Windows XP, and Windows 2000 SP1.

 

Is this setting still required and does it actually apply on Windows 10?

 

Thanks :)