This release includes several changes to further assist in the security of enterprise customers. Changes have been made to provide additional protections to the local admin account, Microsoft Defender Antivirus updates, and a new setting in response to an MSRC bulletin.
Re-introducing the Local Administrator Password Solution (LAPS)
LAPS is a feature that has been around for some time but was always a bolt-on solution. The legacy version of Microsoft LAPS has been deprecated as of October 23, 2023 as noted in our article on Microsoft LAPS deprecation. We have now moved the control for Windows LAPS natively inbox and its settings are located under Administrative Templates/System/LAPS. We have configured three settings:
Configure password backup directory to a value of Enabled: Active Directory
Enable password backup for DSRM accounts to a value of Enabled
Enable password encryption to a value of Enabled
For the backup directory setting, we have selected the option to backup to Active Directory as the baselines are already targeted as such. For Microsoft Entra ID, the best selection will be the Azure Active Directory option which will be reflected in the Intune security baseline when it releases.
A new custom setting has been added to the SecGuide.admx/l, Enable Certificate Padding. Certificate Padding was first introduced in 2013 and republished in January of 2022. This setting affects Portable Executables and should be tested before implementation to a more secure state. At this time, the security baseline does not intend to enforce stricter verification behaviors. For additional information on Certificate Padding, see CVE-2013-3900 - Security Update Guide - Microsoft - WinVerifyTrust Signature Validation Vulnerabilit....
Microsoft Defender Antivirus
With each release the security baseline a full settings review is completed, based on the latest review we are updating the recommended settings for Microsoft Defender Antivirus (MDAV) with the addition of ten settings. These settings are as follows:
Microsoft Defender Antivirus\Configure local administrator merge behavior for lists - set to a value of Disabled
Microsoft Defender Antivirus\Control whether or not exclusions are visible to Local Admins - set to a value of Enabled
Microsoft Defender Antivirus\Turn off routine remediation - set to a value of Disabled
Microsoft Defender Antivirus\MAPS\Send file samples when further analysis is required - set to a value of Enabled: Send all samples
Added Configure monitoring for incoming and outgoing file and program activity - set to a value of Enabled: bi-directional
Added Monitor file and program activity on your computer - set to a value of Enabled
Added Turn on process scanning whenever real-time protection is enabled - set to a value of Enabled
Added Scan packed executables - set to a value of Enabled
There is an additional setting located at Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature that should be configured to an enabled state as long as you have Microsoft Defender for Endpoint deployed as this setting is used in conjunction with File Hash Allow/Block.
Controlled folder access
Controlled folder access (CFA) is a very powerful feature to help protect data from nefarious activity like ransomware. Configure Controlled folder access is not configured in the baseline but it is highly encouraged for the organization to set it to Enabled: Audit Mode for a period of time, until enough logging has occurred to make informed decisions. From there organizations are encourage to fully configure CFA and move from Audit Mode to Block state. For additional information on CFA, see Enable controlled folder access.
While you are enabling the Microsoft Security Baseline, a friendly reminder to make sure to enable Microsoft Defender for Endpoint tamper protection for an additional layer of protection against human-operated ransomware. Want to learn more? See Protect security settings with tamper protection.
The MSS Legacy custom administrative template titles were changed to remove the recommendation from the actual setting name. Based on feedback this was causing confusion as the settings changed over time but the recommendation in the title was static. The legacy Microsoft LAPS admx/l have been removed due to its deprecation.
Advanced Audit Policy\Audit Policies\Privilege Use\Audit Sensitive Privilege Use is being changed to success only (removing failure) from the baseline as we are seeing an increase in noise coming from the failure option. There is low security value to keep both Success and Failure at this point.