Beginner Question - Why is there a baseline for every version and type?

%3CLINGO-SUB%20id%3D%22lingo-sub-1852428%22%20slang%3D%22en-US%22%3EBeginner%20Question%20-%20Why%20is%20there%20a%20baseline%20for%20every%20version%20and%20type%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1852428%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20am%20currently%20double%20checking%20my%20settings%20against%20the%20baseline%20(2012R2%20DC)%20and%20i%20am%20just%20curious%20why%20there%20is%20not%20one%20%22DC%20baseline%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20may%20be%20new%20features%20incoming%20with%20each%20new%20server%20OS.%20But%20if%20i%20configure%20it%20on%20a%20Win2kR2%20DC%20-%20it%20will%20just%20ignore%20it%20as%20there%20is%20no%20program%20that%20will%20read%20this%20reg%20key.%3C%2FP%3E%3CP%3ESame%20with%20Win10%20-%20if%20there%20is%20the%20newest%20security%20setting%20out%20but%20only%20affects%201909%2B%20-%20the%20older%20OS%20will%20ignore%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20bottom-line%20i%20do%20not%20understand%20why%20it%20is%20separated%20by%20OS%20instead%20of%20just%20the%20roles%20(member%20server%2C%20dc%2C%20client%2C..)%3C%2FP%3E%3CP%3EI%20would%20assign%20the%20newest%20baseline%20for%20the%20domain%20controller%20to%20the%20OU%20%22Domain%20Controllers%22%20without%20the%20WMI%20filter%20-%20in%20my%20understanding%20that%20cannot%20break%20anything%20because%20of%20the%20older%20OS%20in%20this%20OU%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%3C%2FP%3E%3CP%3EStephan%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1852428%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ebaseline%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1923660%22%20slang%3D%22en-US%22%3ERe%3A%20Beginner%20Question%20-%20Why%20is%20there%20a%20baseline%20for%20every%20version%20and%20type%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1923660%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F533323%22%20target%3D%22_blank%22%3E%40StephanGee%3C%2FA%3E%20in%20theory%20that%20would%20seem%20the%20easiest.%26nbsp%3B%20However%20there%20have%20been%20various%20settings%20over%20the%20course%20of%20releases%20that%20do%20indeed%20change%20the%20behavior%20between%20OS%20versions%20and%20in%20those%20cases%20it%20would%20have%20caused%20everything%20from%20a%20crash%20to%20a%20less%20secure%20configuration.%26nbsp%3B%20We%20explored%20this%20in%20the%20past%20and%20the%20safest%20way%20to%20avoid%20conflicts%20is%20to%20keep%20them%20separate.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1927232%22%20slang%3D%22en-US%22%3ERe%3A%20Beginner%20Question%20-%20Why%20is%20there%20a%20baseline%20for%20every%20version%20and%20type%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1927232%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272514%22%20target%3D%22_blank%22%3E%40Rick_Munck%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20your%20answer.%20Do%20you%20have%20any%20hints%20how%20to%20do%20a%20perfect%20rollout%3F%3CBR%20%2F%3EDo%20it%20all%20at%20once%20because%20some%20settings%20rely%20on%20each%20other%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20do%20not%20have%20a%20100%20percent%20dev%2Ftest%2Fprod%20lab%20to%20test%20all%20settings%20for%20a%20week%20or%20two%20-%20so%20i%20need%20clearance%20that%20even%20if%20it%20breaks%20something%20that%20after%20i%20disabled%20the%20GPO%20and%20performed%20a%20Gpupdate%20%2Fforce%20and%20a%20restart%20-%20it%20is%20back%20to%20%22normal%22%20(the%20way%20it%20was%20before)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebest%20regards%3C%2FP%3E%3CP%3EStephan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1927811%22%20slang%3D%22en-US%22%3ERe%3A%20Beginner%20Question%20-%20Why%20is%20there%20a%20baseline%20for%20every%20version%20and%20type%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1927811%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F533323%22%20target%3D%22_blank%22%3E%40StephanGee%3C%2FA%3E%26nbsp%3Bin%20many%20cases%20you%20can%20roll%20back%20but%20there%20are%20certain%20'tattoo'%20settings%20that%20do%20not%20automatically%20rollback.%26nbsp%3B%20Also%20the%20security%20template%20settings%20do%20not%20roll%20back%2C%20they%20tattoo%20as%20well.%26nbsp%3B%20Within%20GPMC%20you%20will%20see%20the%20icon%20is%20different%20for%20those%20settings%20that%20tattoo%20in%20GP%20(not%20security%20template).%26nbsp%3B%20Take%20a%20look%20at%20the%20settings%20in%20the%20Security%20Compliance%20Toolkit%20area%20of%20the%20GPO%20and%20you%20should%20see%20them.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEvery%20deployment%20is%20different%20so%20it's%20hard%20to%20give%20blanket%20advice.%26nbsp%3B%20We%20are%20working%20on%20an%20attempt%20at%20an%20article%20that%20describes%20many%20different%20options%20but%20due%20to%20several%20factors%20I%20dont%20see%20it%20being%20completed%20till%20after%20the%20first%20of%20the%20year.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20will%20offer%20this%2C%20for%20client%20machines%2C%20I%20wouldn't%20expect%20you%20to%20have%20much%20of%20an%20issue%20but%20I%20would%20be%20careful%20applying%20the%20server%20config%20to%20an%20up%20and%20running%20server%2C%20especially%20if%20it%20already%20has%20various%20roles%20on%20it%20as%20you%20might%20run%20into%20an%20issue%20there%20where%20the%20security%20template%20will%20adjust%20user%20rights.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1940683%22%20slang%3D%22en-US%22%3ERe%3A%20Beginner%20Question%20-%20Why%20is%20there%20a%20baseline%20for%20every%20version%20and%20type%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1940683%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272514%22%20target%3D%22_blank%22%3E%40Rick_Munck%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20biggest%20concern%20is%20that%20i%20should%20apply%20them%20all%20at%20once(%3F)%20so%20that%20one%20setting%20does%20not%20collide%20with%20another.%26nbsp%3B%3C%2FP%3E%3CP%3Ee.g.%20the%20SMB%20signing%20is%20forced%20on%20the%20one%20side%20but%20%22disabled%22%20on%20the%20other%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1944444%22%20slang%3D%22en-US%22%3ERe%3A%20Beginner%20Question%20-%20Why%20is%20there%20a%20baseline%20for%20every%20version%20and%20type%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1944444%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F533323%22%20target%3D%22_blank%22%3E%40StephanGee%3C%2FA%3E%26nbsp%3Btesting%20is%20really%20however%20your%20organization%20feels%20comfortable.%26nbsp%3B%20If%20you%20have%20an%20existing%20baseline%20your%20company%20uses%20then%20I%20would%20start%20with%20Policy%20Analyzer.%26nbsp%3B%20This%20will%20help%20you%20identify%20where%20the%20different%20settings%20are.%26nbsp%3B%20From%20there%20you%20need%20to%20make%20a%20risk%20based%20determination%20on%20how%20you%20role%20it%20out.%26nbsp%3B%20I%20always%20recommend%20starting%20small%20and%20ensuring%20you%20dont%20break%20anything%20along%20the%20way.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1951727%22%20slang%3D%22en-US%22%3ERe%3A%20Beginner%20Question%20-%20Why%20is%20there%20a%20baseline%20for%20every%20version%20and%20type%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1951727%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272514%22%20target%3D%22_blank%22%3E%40Rick_Munck%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Rick.%20Yes%20-%20the%20policy%20analyzer%20is%20a%20great%20tool.%3C%2FP%3E%3CP%3EI%20have%202-3%20critical%20settings%20that%20were%20set%20long%20time%20ago.%20But%20copied%20the%20DC%20to%20a%20Devlab%20and%20will%20test%20a%20few%20things%20out.%3C%2FP%3E%3CP%3EI%20came%20across%20settings%20like%20%22IP%20Source%20Routing%22%20also.%20But%20these%20are%20not%20available%20for%20me%20in%20the%20GPO.%3C%2FP%3E%3CP%3EIs%20it%20really%20necessary%20to%20execute%20the%20localgpo.wsf%20%2FConfigSCE%20or%20are%20there%20just%20the%20admx%20somewhere%20that%20i%20can%20copy%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Hi everyone,

 

i am currently double checking my settings against the baseline (2012R2 DC) and i am just curious why there is not one "DC baseline".

 

There may be new features incoming with each new server OS. But if i configure it on a Win2kR2 DC - it will just ignore it as there is no program that will read this reg key.

Same with Win10 - if there is the newest security setting out but only affects 1909+ - the older OS will ignore it.

 

So bottom-line i do not understand why it is separated by OS instead of just the roles (member server, dc, client,..)

I would assign the newest baseline for the domain controller to the OU "Domain Controllers" without the WMI filter - in my understanding that cannot break anything because of the older OS in this OU? 

 

Best regards

Stephan

 

12 Replies

@StephanGee in theory that would seem the easiest.  However there have been various settings over the course of releases that do indeed change the behavior between OS versions and in those cases it would have caused everything from a crash to a less secure configuration.  We explored this in the past and the safest way to avoid conflicts is to keep them separate.

@Rick_Munck 

Thanks for your answer. Do you have any hints how to do a perfect rollout?
Do it all at once because some settings rely on each other?

 

I do not have a 100 percent dev/test/prod lab to test all settings for a week or two - so i need clearance that even if it breaks something that after i disabled the GPO and performed a Gpupdate /force and a restart - it is back to "normal" (the way it was before)

 

best regards

Stephan

@StephanGee in many cases you can roll back but there are certain 'tattoo' settings that do not automatically rollback.  Also the security template settings do not roll back, they tattoo as well.  Within GPMC you will see the icon is different for those settings that tattoo in GP (not security template).  Take a look at the settings in the Security Compliance Toolkit area of the GPO and you should see them.

 

Every deployment is different so it's hard to give blanket advice.  We are working on an attempt at an article that describes many different options but due to several factors I dont see it being completed till after the first of the year.

 

I will offer this, for client machines, I wouldn't expect you to have much of an issue but I would be careful applying the server config to an up and running server, especially if it already has various roles on it as you might run into an issue there where the security template will adjust user rights.

@Rick_Munck 

My biggest concern is that i should apply them all at once(?) so that one setting does not collide with another. 

e.g. the SMB signing is forced on the one side but "disabled" on the other

@StephanGee testing is really however your organization feels comfortable.  If you have an existing baseline your company uses then I would start with Policy Analyzer.  This will help you identify where the different settings are.  From there you need to make a risk based determination on how you role it out.  I always recommend starting small and ensuring you dont break anything along the way.

@Rick_Munck 

Hi Rick. Yes - the policy analyzer is a great tool.

I have 2-3 critical settings that were set long time ago. But copied the DC to a Devlab and will test a few things out.

I came across settings like "IP Source Routing" also. But these are not available for me in the GPO.

Is it really necessary to execute the localgpo.wsf /ConfigSCE or are there just the admx somewhere that i can copy?

@StephanGee -

Don't run localgpo.wsf. The baseline downloads include ADMX/ADML files including the ones you need for some of those old MSS legacy settings, as well as for additional valuable settings exposed by the Security Compliance Toolkit. More information about the legacy MSS settings here:

 

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/the-mss-settings/ba-p/701055

@AaronMargosis_Tanium 

Thanks. Yes i reviewed the WSF file and then decided not to deploy it. Even in my DEVLab ;)

I will try out the link you gave me. Appreciated

Thanks for all your help.

I am pushing the DC baseline step by step at the moment.

 

Another problem: I have some users with LM hashes. Is there an easy way to find out who so i can force them to change their password?

Just an update to get some information about some problems i came across (maybe other have them too)

 

MFP Printers vom HP need to be set to LDAPS with "simple bind" instead of Windows negotiation to work with "Channel binding" = "If supported"

Manage auditing and security log need "Exchange Servers" added to the ACL (if you have some) - or they will stop working (not immediately but within the next 2-3 days ;) ) 

Another question:
Why are the event log file sizes set so low? Is it because you should collect them right away to a SIEM?
If you don't have one - shouldnt they be higher?
32MB for Application seems a bit to low
Some of those log size recommendations haven't been revisited in a long time. 32MB has been the recommendation for the Application log in the baselines going back to Vista (except for an anomaly where 20MB was recommended for Win8).