What's New in Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11

Published Jun 18 2019 01:14 PM 1,486 Views
Former Employee
First published on TechNet on Aug 15, 2014

The attachment on this post describes what's new in the security baseline recommendations for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11, relative to the baselines published for Windows 8, Windows Server 2012 and Internet Explorer 10 .  It is included as a Word document in the download from yesterday's announcement blog post .  We are posting the document here for easier access.  I tried to post the full document content, but the tables it contains are too wide for this blog's layout, so I'm just posting the background/summary and table of contents.


[2 September 2014: document updated for v1.1 with change to "Deny access to this computer from the network" for the Member Server baseline.]



Background and Summary


This document outlines recommended security configuration settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11, using the previously-published baselines for Windows 8, Windows Server 2012 and Internet Explorer 10 as the starting point. These guidelines are intended for well-managed enterprises.


Some of the more interesting changes from the Windows 8/2012/IE10 baselines:




  • Use of new and existing settings to help block some Pass the Hash attack vectors




  • Blocking the use of web browsers on domain controllers




  • Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines




  • Removal of almost all service startup settings, and all server role baselines that contain only service startup settings




  • Removal of the recommendation to enable “FIPS mode”




Contents


Background and Summary


Settings New to Windows 8.1 and Windows Server 2012 R2


Settings New to Internet Explorer 11


Changes to Settings Inherited from Existing Baselines


Changes to all Windows Server product baselines


Pass the Hash


Blocking the use of Web Browsers on Domain Controllers


EMET


Updated Guidance


Advanced Auditing


Removed Windows Recommendations


Removed Internet Explorer Recommendations


Bugs



[download the attachment for the rest...]





Recommended Security Baseline Settings.docx

%3CLINGO-SUB%20id%3D%22lingo-sub-701041%22%20slang%3D%22en-US%22%3EWhat's%20New%20in%20Recommended%20Security%20Baseline%20Settings%20for%20Windows%208.1%2C%20Windows%20Server%202012%20R2%2C%20and%20Internet%20Explorer%2011%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-701041%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3E%20First%20published%20on%20TechNet%20on%20Aug%2015%2C%202014%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%3CP%3E%3CEM%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3Bfont-size%3Amedium%3B%22%3EThe%20attachment%20on%20this%26nbsp%3Bpost%20describes%26nbsp%3Bwhat's%20new%20in%20the%20security%20baseline%20recommendations%20for%20Windows%208.1%2C%20Windows%20Server%202012%20R2%20and%20Internet%20Explorer%2011%2C%20%3C%2FSPAN%3E%20%3C%2FEM%3E%20%3CSPAN%20style%3D%22font-family%3ACalibri%3Bfont-size%3Amedium%3B%22%3E%20relative%20to%20the%20baselines%20published%20for%20Windows%208%2C%20Windows%20Server%202012%20and%20Internet%20Explorer%2010%20%3C%2FSPAN%3E%20%3CEM%3E%20%3CSPAN%20style%3D%22font-family%3ACalibri%3Bfont-size%3Amedium%3B%22%3E%20.%26nbsp%3B%20It%20is%20included%20as%20a%20Word%20document%20in%20the%20download%20from%20yesterday's%20announcement%20blog%20post%20.%26nbsp%3B%20We%20are%20posting%26nbsp%3Bthe%20document%26nbsp%3Bhere%20for%20easier%20access.%26nbsp%3B%20I%20tried%20to%20post%20the%20full%20document%20content%2C%20but%20the%20tables%20it%20contains%26nbsp%3Bare%20too%20wide%20for%20this%20blog's%20layout%2C%20so%20I'm%20just%20posting%20the%20background%2Fsummary%20and%20table%20of%20contents.%20%3C%2FSPAN%3E%20%3C%2FEM%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CEM%3E%20%3CSPAN%20style%3D%22font-family%3ACalibri%3Bfont-size%3Amedium%3B%22%3E%20%5B2%20September%202014%3A%26nbsp%3Bdocument%20updated%20for%20v1.1%20with%20change%20to%20%22Deny%20access%20to%20this%20computer%20from%20the%20network%22%20for%20the%20Member%20Server%20baseline.%5D%20%3CBR%20%2F%3E%20%3C%2FSPAN%3E%20%3C%2FEM%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CH2%20id%3D%22toc-hId-1787756860%22%20id%3D%22toc-hId-1787757726%22%3E%3CSPAN%20style%3D%22color%3A%232e74b5%3Bfont-family%3ACalibri%20Light%3B%22%3E%20Background%20and%20Summary%20%3C%2FSPAN%3E%3C%2FH2%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3Bfont-size%3Amedium%3B%22%3E%20This%20document%20outlines%20recommended%20security%20configuration%20settings%20for%20Windows%208.1%2C%20Windows%20Server%202012%20R2%20and%20Internet%20Explorer%2011%2C%20using%20the%20previously-published%20baselines%20for%20Windows%208%2C%20Windows%20Server%202012%20and%20Internet%20Explorer%2010%20as%20the%20starting%20point.%20These%20guidelines%20are%20intended%20for%20well-managed%20enterprises.%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3Bfont-size%3Amedium%3B%22%3E%20Some%20of%20the%20more%20interesting%20changes%20from%20the%20Windows%208%2F2012%2FIE10%20baselines%3A%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3E%3CBR%20%2F%3E%3CP%3EUse%20of%20new%20and%20existing%20settings%20to%20help%20block%20some%20Pass%20the%20Hash%20attack%20vectors%3C%2FP%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3E%3CBR%20%2F%3E%3CP%3EBlocking%20the%20use%20of%20web%20browsers%20on%20domain%20controllers%3C%2FP%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3E%3CBR%20%2F%3E%3CP%3EIncorporation%20of%20the%20Enhanced%20Mitigation%20Experience%20Toolkit%20(EMET)%20into%20the%20standard%20baselines%3C%2FP%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3E%3CBR%20%2F%3E%3CP%3ERemoval%20of%20almost%20all%20service%20startup%20settings%2C%20and%20all%20server%20role%20baselines%20that%20contain%20only%20service%20startup%20settings%3C%2FP%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3E%3CBR%20%2F%3E%3CP%3ERemoval%20of%20the%20recommendation%20to%20enable%20%E2%80%9CFIPS%20mode%E2%80%9D%3C%2FP%3E%3CBR%20%2F%3E%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22color%3A%232e74b5%3Bfont-family%3ACalibri%20Light%3Bfont-size%3Ax-large%3B%22%3E%20Contents%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Background%20and%20Summary%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Settings%20New%20to%20Windows%208.1%20and%20Windows%20Server%202012%20R2%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Settings%20New%20to%20Internet%20Explorer%2011%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Changes%20to%20Settings%20Inherited%20from%20Existing%20Baselines%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Changes%20to%20all%20Windows%20Server%20product%20baselines%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Pass%20the%20Hash%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Blocking%20the%20use%20of%20Web%20Browsers%20on%20Domain%20Controllers%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20EMET%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Updated%20Guidance%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Advanced%20Auditing%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Removed%20Windows%20Recommendations%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Removed%20Internet%20Explorer%20Recommendations%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3B%22%3E%20%3CSPAN%20style%3D%22font-size%3Amedium%3B%22%3E%20Bugs%20%3C%2FSPAN%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%20style%3D%22font-family%3ACalibri%3Bfont-size%3Amedium%3B%22%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CEM%3E%20%3CSPAN%20style%3D%22font-family%3ACalibri%3Bfont-size%3Amedium%3B%22%3E%20%5Bdownload%20the%20attachment%20for%20the%20rest...%5D%20%3C%2FSPAN%3E%20%3C%2FEM%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CH2%20id%3D%22toc-hId--764400101%22%20id%3D%22toc-hId--764399235%22%3E%3C%2FH2%3E%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FTNBlogsFS%2Fprod.evol.blogs.technet.com%2Ftelligent.evolution.components.attachments%2F01%2F4062%2F00%2F00%2F03%2F63%2F60%2F95%2FRecommended%2520Security%2520Baseline%2520Settings.docx%22%20original-url%3D%22http%3A%2F%2Fblogs.technet.com%2Fcfs-filesystemfile.ashx%2F__key%2Ftelligent-evolution-components-attachments%2F01-4062-00-00-03-63-60-95%2FRecommended-Security-Baseline-Settings.docx%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%20Recommended%20Security%20Baseline%20Settings.docx%20%3C%2FA%3E%3C%2FP%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-701041%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20TechNet%20on%20Aug%2015%2C%202014%20The%20attachment%20on%20this%26nbsp%3Bpost%20describes%26nbsp%3Bwhat's%20new%20in%20the%20security%20baseline%20recommendations%20for%20Windows%208.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-701041%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ebaseline%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Escm%20update%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esecurity%20baseline%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esecurity%20baselines%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esecurity%20compliance%20manager%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esecurity%20guide%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Jun 18 2019 01:14 PM
Updated by: