Security baseline (Sept2019Update) for Windows 10 v1903 and Windows Server v1903

Published Oct 03 2019 04:40 AM

We have updated our Windows 10 v1903 and Windows Server v1903 security configuration baseline recommendations to address some issues:

  • The first and most important change is that we are removing the Computer Configuration setting, “Enable svchost.exe mitigation options” (in System\Service Control Manager Settings\Security Settings) from the Windows 10 and Windows Server baselines at this time because of reports that in its current implementation it causes more compatibility issues than we had anticipated.
  • We have also adjusted a few auditing settings in the Domain Controller baseline to align more closely with recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document (also reflected here). Those changes are:

| Audit category | Audit subcategory | Was | Now |
| --- | --- | --- | --- |
| Audit Policy\Account Logon | Credential Validation | Success and Failure | Failure |
| Audit Policy\Account Logon | Kerberos Service Ticket Operations | | Failure |
| Audit Policy\DS Access | Directory Service Access | Success and Failure | Failure |
| Audit Policy\DS Access | Directory Service Changes | Success and Failure | Success |
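
To check a Domain Controller against the four "Now" values listed above, the following PowerShell parses the CSV report produced by `auditpol /get /category:* /r` and flags any subcategory that differs. It is an added example, not part of the baseline package or its scripts; the function name `Compare-AuditBaseline`, the host name `DC01` and the sample rows are constructed for illustration, and English subcategory names are assumed.

```powershell
# Expected "Now" values for the Domain Controller baseline, as listed in the post.
$expected = [ordered]@{
    'Credential Validation'              = 'Failure'
    'Kerberos Service Ticket Operations' = 'Failure'
    'Directory Service Access'           = 'Failure'
    'Directory Service Changes'          = 'Success'
}

# Constructed sample in the CSV layout of `auditpol /get /category:* /r`.
# Host name and settings are made up; the GUID column is left empty on purpose.
$sampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Credential Validation,,Success and Failure,
DC01,System,Kerberos Service Ticket Operations,,Failure,
DC01,System,Directory Service Access,,Failure,
DC01,System,Directory Service Changes,,Success,
'@

function Compare-AuditBaseline {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $CsvLines,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    # auditpol can emit blank lines; drop them before parsing the CSV.
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Expected.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        # A subcategory missing from the report is treated as non-compliant.
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Expected[$name])
        }
    }
}

# Offline run against the constructed sample (Credential Validation still has the old value):
Compare-AuditBaseline -CsvLines ($sampleCsv -split "`r?`n") -Expected $expected |
    Format-Table -AutoSize

# On a Domain Controller, from an elevated prompt:
# Compare-AuditBaseline -CsvLines (auditpol /get /category:* /r) -Expected $expected
```

Run it after Group Policy has refreshed, so the report reflects the effective policy rather than the previous baseline.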

 

We have also added a Baseline-ADImport.ps1 PowerShell script to import all the baseline’s GPOs into Active Directory Group Policy, and improved other scripts, including preventing the local-policy script from running on Domain Controllers.

Last update: Nov 29 2021 08:31 AM