Sep 28 2024 02:24 PM - edited Oct 08 2024 09:59 AM
Announcing Windows Server 2025 Security Baseline Preview
Hello Windows Server Insiders!
Today we are pleased to announce the Windows Server 2025 Security Baseline Preview. You can enable security right from the start by applying the recommended security posture for your device or VM role through application of a tailored security baseline, with over 350 preconfigured Windows security settings that help you apply and enforce granular security settings that support best practices recommended by Microsoft and Industry standards. We have organized the Windows Server 2025 Security Baseline content into three categories based on your server role:
In addition, you can apply baselines with dedicated security settings specific to:
Main Highlights of the security baseline are the following enforcements:
Please review the GitHub repository for what settings comprise of each definition:
Customer Experience:
The customer experience to apply baselines for individual machines, including image customizations are:
For at-scale operations, you can apply baseline and monitor using Azure Policy and Azure Automanage Machine Configuration and see your compliance score.
The baseline experience is powered by ‘OSConfig - our newly introduced security configuration platform’. Once applied, your baseline settings are protected from any drift automatically, which is one of the key features of the security platform.
The WAC, Azure Policy and Azure Automanage Machine Configuration experiences will be released soon to the Windows Insider Program. This mechanism will not work for any earlier version of Windows Server.
1. Download prerelease modules from the PowerShell Gallery
If you have not previously configured your system to pull modules from the PowerShell Gallery, please do so using the following steps:
a. Open an elevated PowerShell window (not the x86 version)
b. Run Install-PackageProvider NuGet, PowerShellGet -Force
c. Open a new elevated PowerShell window
d. Run Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
2. Install the OSConfig PowerShell module
3. Apply the Security Baseline via PowerShell cmdlets
4. Customize the Security Baseline via PowerShell cmdlets
Example using AuditDetailedFileShare for Member Server device (where the default value is 2)
5. View compliance of the Security Baseline via PowerShell cmdlets
Run Get-OSConfigDesiredConfiguration -Scenario SecuredCoreState
Run Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap
6. Most Common tasks impacted/Known Issues after applying baseline
Note: (Please read before exercising the scenario! Also, these scripts are for preview only and should not be used in production.)
Password requirements are Complexity and Minimum of 14-character length. This only applies to local user accounts; when signing in with a domain account, domain requirements prevail for domain accounts.
TLS connections are subject to a minimum of TLS/DTLS 1.2 or higher. May prevent connections to older systems.
Copy/Paste of files from RDP sessions is disabled. If you need to use this function, run: Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\[role being applied] -Name RemoteDesktopServicesDoNotAllowDriveRedirection -Value 0 and then reboot.
SMB connections are subject to a minimum of 3.0 or higher (available as of WS2012). Connecting to non-windows systems (like Linux SAMBA) must support SMB 3.0, or adjustments to the baseline are needed.
You may run into a few user rights errors depending on your domain configuration. It does not impact the rest of the security baseline and can be ignored. We are working on fixing it. See MSLearn doc for details.
If you are configuring the same settings with two different tools (one being OSConfig in this case), there will be conflicts, especially with drift control involved. See MSLearn doc for details.
We value your feedback!
Please provide feedback as to what is working and what needs to be improved as your feedback is extremely valued to make the product experience better. Please use Feedback Hub app for Windows Server 2025. Category: Windows Server->Security Configuration Management
You can also reach us via email at heseccon@microsoft.com Edge Security Connect.
What’s coming?
We will also share a Windows Admin Center, Azure Policy and Azure Automanage Machine Configuration experience, to try out for getting full E2E experience & Application control for Windows Insider Program!!