Security baseline (Sept2019Update) for Windows 10 v1903 and Windows Server v1903
Published Oct 03 2019 04:40 AM
Former Employee

We have updated our Windows 10 v1903 and Windows Server v1903 security configuration baseline recommendations to address some issues:

  • The first and most important change is that we are removing the Computer Configuration setting, “Enable svchost.exe mitigation options” (in System\Service Control Manager Settings\Security Settings) from the Windows 10 and Windows Server baselines at this time because of reports that in its current implementation it causes more compatibility issues than we had anticipated.
  • We have also adjusted a few auditing settings in the Domain Controller baseline to align more closely with recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document (also reflected here). Those changes are:

| Audit category | Audit subcategory | Was | Now |
|---|---|---|---|
| Audit Policy\Account Logon | Credential Validation | Success and Failure | Failure |
| Audit Policy\Account Logon | Kerberos Service Ticket Operations | | Failure |
| Audit Policy\DS Access | Directory Service Access | Success and Failure | Failure |
| Audit Policy\DS Access | Directory Service Changes | Success and Failure | Success |
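
To check a Domain Controller against the "Now" column of the table above, the following added example (not part of the baseline package or its scripts) reads the effective policy with auditpol.exe and compares the four subcategories. It assumes an elevated PowerShell prompt and the English subcategory names that auditpol prints; the function names are hypothetical.

```powershell
# Added example: compare the effective advanced audit policy with the
# "Now" values from the Domain Controller baseline table above.
# Assumptions: elevated prompt, English-language auditpol output.

$expected = [ordered]@{
    'Credential Validation'              = 'Failure'
    'Kerberos Service Ticket Operations' = 'Failure'
    'Directory Service Access'           = 'Failure'
    'Directory Service Changes'          = 'Success'
}

function Get-EffectiveAuditSetting {
    # "auditpol /get /category:* /r" emits CSV. The "Inclusion Setting" column
    # holds Success, Failure, "Success and Failure" or "No Auditing".
    $raw = & auditpol.exe /get /category:* /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit code $LASTEXITCODE); is the prompt elevated?"
    }
    # Drop blank lines so ConvertFrom-Csv sees only the header and data rows.
    $raw | Where-Object { $_.Trim() } | ConvertFrom-Csv
}

function Compare-BaselineAudit {
    param($Effective, $Expected)
    foreach ($name in $Expected.Keys) {
        $row = $Effective | Where-Object { $_.Subcategory -eq $name } |
            Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<subcategory not found>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            # Exact match only: "Success and Failure" where the baseline says
            # "Failure" is reported as drift, even though it logs more events.
            Compliant   = ($actual -eq $Expected[$name])
        }
    }
}

$report = Compare-BaselineAudit -Effective (Get-EffectiveAuditSetting) -Expected $expected
$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or CI job flag the drift.
if ($report.Compliant -contains $false) { exit 1 }
```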

We have also added a Baseline-ADImport.ps1 PowerShell script to import all the baseline’s GPOs into Active Directory Group Policy, and improved other scripts, including preventing the local-policy script from running on Domain Controllers.

4 Comments
Copper Contributor

Hi, I've just been playing around with the Windows 10 1903 computer baseline and noticed that "Prohibit use of Internet Connection Sharing on your DNS domain network" is configured, but according to the "Supported on" info for that setting it's only supported on Server 2003, Windows XP, and Windows 2000 SP1.

Is this setting still required and does it actually apply on Windows 10?

Thanks :)

[Aaron Margosis] The "supported on" is incorrect and we're getting it fixed. The setting still has effect on Windows 10 and Windows Server.

Copper Contributor

Are you guys planning to do a 1909 Baseline or is it not worth it due to the minor changes regarding 1903?

Former Employee
Copper Contributor

"We have also added a Baseline-ADImport.ps1 PowerShell script to import all the baseline’s GPOs into Active Directory Group Policy,..." - This may be the best new feature to the SCM/Baselines yet!

Last update: Nov 29 2021 08:31 AM