Microsoft Tech Community
Security baseline (DRAFT): Windows 10 and Windows Server, version 20H2
Published Oct 20 2020 10:00 AM
Microsoft

The proposed draft of the Windows 10 and Windows Server, version 20H2 (aka the October 2020 Update) security baseline is now available for download!

We invite you to download the draft baseline package (attached to this post), evaluate the proposed baselines, and provide us your comments and feedback below.

Windows 10 and Windows Server, version 20H2 bring very few new policy settings; all of them are listed in the accompanying documentation. At this point none of the new settings meets the criteria for inclusion in the security baseline (see Baseline criteria below). We do, however, plan to change a few existing policies, and these are described below together with our recommendations.

Block at first sight

We started the journey toward cloud-delivered protection several years ago. Based on our analysis of the security value versus the cost of implementation, we feel it is time to add the Microsoft Defender Antivirus block at first sight feature to the security baseline. Block at first sight was first introduced in Windows 10, version 1607. It allows never-before-seen malware to be detected and blocked within seconds: when a new file is encountered, its metadata (and, where needed, a sample) is sent to the Microsoft cloud, where machine learning classifies it before the file is allowed to run.

Block at first sight currently requires six settings to be configured. Our baseline already sets two of them, Join Microsoft MAPS and Send file samples when further analysis is required. We now recommend adding the following four settings to enable block at first sight:

  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Configure the ‘Block at first sight’ feature set to Enabled
  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Scan all downloaded files and attachments set to Enabled
  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn off real-time protection set to Disabled
  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MPEngine\Select cloud protection level set to High blocking level

These new settings have been added to the MSFT Windows 10 20H2 and Server 20H2 – Defender Antivirus group policy.

For more information on block at first sight, see Turn on block at first sight.
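As an added example (not part of the baseline package), the following PowerShell audits all six block-at-first-sight prerequisites on the local machine through Get-MpPreference and, with -Remediate, sets the missing ones through Set-MpPreference. It assumes Microsoft Defender Antivirus is the active engine and the Defender module is available; the check list and names are this example's own, not the baseline's.

```powershell
# Added example (not part of the baseline package): audit the six block-at-first-sight
# prerequisites on the local machine and, with -Remediate, set the ones that are missing.
# Assumes Microsoft Defender Antivirus is the active engine and the Defender module loads.
[CmdletBinding()]
param([switch]$Remediate)

$pref = Get-MpPreference

# Prop = property returned by Get-MpPreference, Want = value block at first sight needs,
# Fix = Set-MpPreference parameters that produce it. MAPS and sample submission are the two
# settings the baseline already enforces; the other four are the additions proposed above.
$checks = @(
    @{ Name = 'Join Microsoft MAPS (Advanced)';            Prop = 'MAPSReporting';             Want = 2;      Fix = @{ MAPSReporting = 'Advanced' } }
    @{ Name = 'Send safe samples automatically';           Prop = 'SubmitSamplesConsent';      Want = 1;      Fix = @{ SubmitSamplesConsent = 'SendSafeSamples' } }
    @{ Name = 'Block at first sight enabled';              Prop = 'DisableBlockAtFirstSeen';   Want = $false; Fix = @{ DisableBlockAtFirstSeen = $false } }
    @{ Name = 'Scan all downloaded files and attachments'; Prop = 'DisableIOAVProtection';     Want = $false; Fix = @{ DisableIOAVProtection = $false } }
    @{ Name = 'Real-time protection on';                   Prop = 'DisableRealtimeMonitoring'; Want = $false; Fix = @{ DisableRealtimeMonitoring = $false } }
    @{ Name = 'Cloud protection level = High';             Prop = 'CloudBlockLevel';           Want = 2;      Fix = @{ CloudBlockLevel = 'High' } }
)

$missing = @()
foreach ($c in $checks) {
    $actual = $pref.($c.Prop)
    $ok = ($actual -eq $c.Want)
    '{0,-4} {1,-42} current={2}' -f $(if ($ok) { 'OK' } else { 'MISS' }), $c.Name, $actual
    if (-not $ok) { $missing += $c }
}

if ($missing.Count -eq 0) {
    'All block-at-first-sight prerequisites are satisfied.'
}
elseif ($Remediate) {
    foreach ($c in $missing) {
        $params = $c.Fix
        Set-MpPreference @params   # local preference only; a policy value for the same setting wins
    }
    'Remediated {0} setting(s); re-run without -Remediate to confirm.' -f $missing.Count
}
else {
    'Block at first sight will not engage until the {0} MISS item(s) above are fixed.' -f $missing.Count
}
```

On machines that receive the baseline GPO, the same settings land under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and take precedence over anything Set-MpPreference writes, so use the script there as an audit of what the policy actually produced rather than as the remediation path.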

Attack surface reduction rules

We routinely evaluate our attack surface reduction configuration and, based on diagnostic data and customer feedback, we now recommend configuring two additional rules under Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules:

  • Use advanced protection against ransomware
  • Block persistence through WMI event subscription

Introduced in Windows 10, version 1709, the Use advanced protection against ransomware rule scans executable files that enter the system and uses cloud analytics to determine whether a file looks like ransomware. If so, the file is blocked unless it has been added to an exclusion list. Because the rule depends on the cloud, Join Microsoft MAPS must also be configured (it already is in the security baseline).

Block persistence through WMI event subscription was released in Windows 10, version 1903. It blocks attempts to establish persistence through Windows Management Instrumentation (WMI) event subscriptions, a technique adversaries commonly use to evade detection. Unlike most other attack surface reduction rules, this rule supports no exclusions at all, because it acts solely on the WMI repository rather than on files or processes.

A friendly reminder that the security baselines for Windows 10 and Windows Server, version 20H2 set all attack surface reduction rules to block mode. We recommend first configuring them in audit mode, testing until you understand the impact each rule has in your environment, and only then switching them to block mode. Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, or Microsoft Defender ATP) greatly simplifies testing, deploying, and managing attack surface reduction rules. We encourage you to look at the guidance on evaluating, monitoring, and customizing attack surface reduction rules to prepare your environment.

These new settings have been added to the MSFT Windows 10 20H2 and Server 20H2 – Defender Antivirus group policy.
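As an added example (not from the baseline package), the following PowerShell walks the audit-then-block sequence recommended above for the two new rules on a test machine: stage both in audit mode, pull the audit hits from the Microsoft Defender Antivirus operational log (event 1122 = audit match, 1121 = block), and switch to block once the hits are understood. The rule GUIDs are taken from Microsoft's ASR rules reference rather than from this post, and the event-data field names (ID, Path, Process Name) are assumptions to verify against your own events.

```powershell
# Added example (not part of the baseline package): stage the two proposed ASR rules in audit
# mode, collect what they would have blocked, then switch them to block mode.
# Rule GUIDs come from Microsoft's ASR rules reference, not from this post; verify them
# against current documentation. Event-data field names (ID, Path, Process Name) are an
# assumption based on 1121/1122 events and may need adjusting for your build.
$AsrRules = @{
    'Use advanced protection against ransomware'       = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block persistence through WMI event subscription' = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
}

function Set-AsrRuleMode {
    param([Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode)
    foreach ($name in $AsrRules.Keys) {
        # Add-MpPreference updates one rule and leaves the others already configured alone.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] `
                         -AttackSurfaceReductionRules_Actions $Mode
        '{0,-9} {1}' -f $Mode, $name
    }
}

function Get-AsrRuleHits {
    param([int]$Days = 7)
    # Defender operational log: 1122 = rule matched in audit mode, 1121 = rule blocked.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $id = ($data['ID'] -replace '[{}]', '').ToLower()   # normalise GUID for comparison
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $(if ($_.Id -eq 1122) { 'Audit' } else { 'Block' })
            RuleId  = $id
            Rule    = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -eq $id }).Key
            Path    = $data['Path']
            Process = $data['Process Name']
        }
    } | Where-Object { $AsrRules.Values -contains $_.RuleId }   # only the two rules above
}

# Typical flow on a test machine:
#   Set-AsrRuleMode -Mode AuditMode
#   ... let the machine run its normal workload for a week or two ...
#   Get-AsrRuleHits -Days 14 | Group-Object Rule, Path | Sort-Object Count -Descending |
#       Format-Table Count, Name -AutoSize
#   Set-AsrRuleMode -Mode Enabled
```

Exclusions for hits from the ransomware rule go through Add-MpPreference -AttackSurfaceReductionOnlyExclusions; the WMI rule accepts none, as the post notes, so any audit hits there must be resolved by changing the offending software. On GPO-managed machines the baseline's Configure Attack Surface Reduction rules value overrides local preference, so stage there instead (per rule GUID, value 2 = audit, 1 = block).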

UEFI memory attribute tables

You might recall that, in the draft release of our security baseline for Windows 10, version 1809, we enabled UEFI memory attribute tables; however, based on your feedback we removed that recommendation from the final version. (Thank you to the testers who provided that feedback!) After further testing and discussions, we are again recommending that you enable the setting for Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security\Require UEFI Memory Attributes Table.

Microsoft Edge

Starting with Windows 10, version 20H2, Chromium-based Microsoft Edge is installed as part of the operating system. Please therefore make sure you also apply the security baseline for Microsoft Edge to your Windows 10, version 20H2 devices. We have received questions and feedback about folding Microsoft Edge into the Windows security baseline, but because Microsoft Edge is a cross-platform product with its own release cadence, it will remain a separate security baseline.

Baseline criteria

We follow a streamlined and efficient approach to defining a baseline compared with the baselines we published before Windows 10. The foundation of that approach is as follows:

  • Baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks it mitigates.
  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.

For additional discussion, please see the “Why aren’t we enforcing more defaults?” section of this blog post.

 

13 Comments
Copper Contributor

Hi Rick,

 

for the reports, you forgot to import a few ADMX templates. Wouldn't it be easier to always use the same demo environment? ;)

(admpwd, MSS-legacy, PtH and SecGuide)

 

Mark

Microsoft

@gruppenrichtlinien thanks for the catch. We will look into what happened and ensure it is addressed in the final package.

Copper Contributor

Rick, what is the preferred method to provide feedback on settings applied in the templates? I have some feedback to report with M365 Apps and AIP client integration.

Microsoft

@MattWailes it really depends on the issues.  Feel free to DM me and we can see how best to help you.

Copper Contributor

I have found that the template's Windows 10 policy disabling "Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow Basic authentication" breaks PowerShell connectivity to O365. As such, is it really a setting that the baseline templates need to enforce?

Copper Contributor

I have enabled the Microsoft Security Baseline via GPO on servers. Now we observe that we are no longer able to log on to Azure AD with Internet Explorer. It just hangs with a blank screen at login.microsoftonline.com, with no error message; the site is also added to the trusted sites. I know we should not browse on servers, but some server apps require it.

[Screenshot attached: browser-blank.PNG]

 

I could identify that if I set “Windows Components\Internet Explorer\Security Zones: Use only machine settings” setting to “Not Configured” instead of the proposed “Enabled” then it’s working again:

 

It has something to do with user settings, but:

  • I have not applied any User GPO Settings
  • It’s a plain from ISO installed Server 2016
  • On a Windows 10 device with the exact same GPO in the same OU it’s working (For sure also tested with IE)
  • I compared the IE settings in the registry but could not identify a difference between Windows 10 and Server 2016

 

Has somebody had the same issue, or a tip for me?

Microsoft

@jfinNZ 

Not an easy answer, we had an internal discussion on the topic when someone asked about it.

 

If you're using basic auth AND you're also not using HTTPS/SSL, then you're sending your creds in clear text over the network and it's obvious why that's bad. But as long as you're using SSL, it's only kind-of bad.

 

Your creds are still secure with basic auth as long you're using SSL/TLS, but there are two other things that make basic auth still less preferable than Kerberos auth.

1) Performance. Kerberos performs better. NTLM or Username/Password auth requires a round trip to the domain controller for every authentication. Kerberos does not. Hence it performs better.
2) Mutual authentication. With Kerberos, you have mutual authentication, which means not only is the server validating your identity, but you as the client have the added benefit of being able to trust that you're talking to the server that you think you are.

 

Lee Holmes also discussed this in the following article:

https://web.archive.org/web/20190110105609/https:/blogs.msdn.microsoft.com/powershell/2015/10/27/com...

 

Bottom line, if you need to use Basic Auth you should take a deviation for only the machines that require it.
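As an added example (not from the baseline package or from anyone in this thread), the following PowerShell reports where the WinRM client's Basic authentication setting on a machine comes from: the policy value the baseline writes, and the effective value the WSMan provider reports. That is the check to run before deciding which machines need the deviation described above. The function name is this example's own; the policy key and WSMan path are the standard locations for this setting.

```powershell
# Added example (not part of the baseline package): show where the WinRM client's Basic
# authentication setting comes from on this machine, so a deviation can be scoped to the
# machines that actually need it rather than dropping the baseline setting everywhere.
function Get-WinRmClientBasicAuthState {
    # The baseline's "Allow Basic authentication" (WinRM Client) policy lands here.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
    $policy = Get-ItemProperty -Path $policyPath -Name AllowBasic -ErrorAction SilentlyContinue

    # The WSMan: drive reflects the effective client configuration after policy is applied.
    try   { $effective = (Get-Item WSMan:\localhost\Client\Auth\Basic -ErrorAction Stop).Value }
    catch { $effective = 'unknown (WSMan provider or WinRM service not reachable)' }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        PolicyAllowBasic       = $(if ($null -eq $policy) { 'Not configured' }
                                   elseif ($policy.AllowBasic -eq 1) { 'Enabled' }
                                   else { 'Disabled' })
        EffectiveBasic         = $effective
        BasicForcedOffByPolicy = ($null -ne $policy -and $policy.AllowBasic -eq 0)
    }
}

# Usage: Get-WinRmClientBasicAuthState
# BasicForcedOffByPolicy = True means the baseline (or another GPO) is disabling Basic here.
# Move only the machines that must run legacy Basic-auth sessions into an OU whose policy
# sets AllowBasic back to Enabled, and keep those sessions on HTTPS so the credentials are
# at least protected in transit.
```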

Steel Contributor

@Rick_Munck  I can't run the baseline on Server Core because Set-ProcessMitigation fails because "C:\Windows\System32\MitigationConfiguration.dll" does not exist on Server Core. Did you test the baseline with server core?

Iron Contributor

@Rick_Munck Do you have an estimate for when the final version of the 20H2 baselines will be released? Thanks!

Microsoft

@Jay Michaud we plan to release this week

Microsoft

@Daniel Niccoli yes, it has been tested against Server Core. I will see if they can re-run the test after the first of the year.

Copper Contributor

@Rick_Munck Did you manage to run it yet?

 

Since:

>> & "$localInstallFile" -WS2019NonDomainJoined
--------------------------------------------------------------------------------------------------
Windows Server 2019 - non-domain-joined
GPOs to be installed:
        ...
==================================================================================================
Copy custom administrative templates...
Configuring Client Side Extensions...
Running LGPO.exe /v /e mitigation /e audit /e zone
Installing Exploit Protection settings...
Set-ProcessMitigation : Unable to load DLL 'MitigationConfiguration.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)
At C:\tmp\baseline\Local_Script\BaselineLocalInstall.ps1:250 char:1
+ Set-ProcessMitigation -PolicyFilePath $rootDir\ConfigFiles\EP.xml
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-ProcessMitigation], DllNotFoundException
    + FullyQualifiedErrorId : System.DllNotFoundException,Microsoft.Samples.PowerShell.Commands.SetProcessMitigationsCommand
...

 

 

Microsoft

@Dynom looks like you are failing on Exploit Protection. We removed EP from our recommendations starting in the fall of 2019, if I recall.
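As an added example (not from the baseline package or from anyone in this thread), here is the guard the failure reported above suggests for the Set-ProcessMitigation step of a local install script: skip the Exploit Protection import when the SKU is Server Core or MitigationConfiguration.dll is absent, and say why. The function name and its -EpXml parameter are hypothetical; the InstallationType registry value and the DLL path are the ones the error output above refers to.

```powershell
# Added example (not part of the baseline package): guard the Exploit Protection import so a
# local install does not abort on SKUs that lack MitigationConfiguration.dll (Server Core).
# Function name and -EpXml parameter are hypothetical; pass the path to your EP.xml.
function Import-ExploitProtectionIfSupported {
    param([Parameter(Mandatory)][string]$EpXml)

    # "Server Core", "Server" (with Desktop Experience) or "Client".
    $sku = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    $dll = Join-Path $env:SystemRoot 'System32\MitigationConfiguration.dll'
    $dllPresent = Test-Path $dll

    if ($sku -eq 'Server Core' -or -not $dllPresent) {
        Write-Warning "Skipping Exploit Protection import: InstallationType=$sku, $dll present=$dllPresent"
        return $false
    }
    if (-not (Test-Path $EpXml)) {
        Write-Warning "Skipping Exploit Protection import: policy file $EpXml not found"
        return $false
    }

    try {
        Set-ProcessMitigation -PolicyFilePath $EpXml
        return $true
    }
    catch {
        Write-Warning "Set-ProcessMitigation failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage inside an install script (replace the bare Set-ProcessMitigation call):
#   $epApplied = Import-ExploitProtectionIfSupported -EpXml "$rootDir\ConfigFiles\EP.xml"
```

Returning $false instead of throwing lets the rest of the baseline (LGPO import, administrative templates) still apply on Server Core, which is the behaviour the reporter above was after.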

Version history
Last update:
‎Dec 17 2020 12:11 PM