Final Security baseline for Windows 10, version 1709

Over on the Microsoft Security Guidance blog, Aaron Margosis has announced the release of the final security configuration baseline settings for Windows 10, version 1709, which have been added to the Microsoft Security Compliance Toolkit. He includes the following information on the differences between the 1703 and 1709 baselines:

  • Implementing Attack Surface Reduction rules within Windows Defender Exploit Guard. Exploit Guard is a new feature of v1709 that helps prevent a variety of actions often used by malware. You can read more about Exploit Guard here: Reduce attack surfaces with Windows Defender Exploit Guard. Note that we have enabled “block” mode for all of these settings. We are continuing to watch the “Block office applications from injecting into other process” setting; if it creates compatibility problems then we might change the baseline recommendation to “audit” mode for that setting. Please let us know what you observe.
  • Enabling Exploit Guard’s Network Protection feature to prevent any application from accessing web sites identified as dangerous, including those hosting phishing scams and malware. This extends the type of protection offered by SmartScreen to all programs, including third-party browsers.
  • Enabling a new setting that prevents users from making changes to the Exploit protection settings area in the Windows Defender Security Center.

Check out Aaron's post for more details, and to see the conversations in the comments section.
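
To check how a machine compares with the Exploit Guard changes listed above, the following added example (not part of Aaron's post or the baseline package) reads the local Defender preferences and reports each configured Attack Surface Reduction rule and the Network Protection setting. It assumes the standard Defender `Get-MpPreference` cmdlet is available and treats "Block" as the baseline value; the function names are hypothetical.

```powershell
# Added example: report Exploit Guard state against the 1709 baseline's
# "block" recommendation. Run in an elevated PowerShell session.

function Convert-GuardAction {
    # Defender stores ASR and Network Protection modes as 0/1/2.
    param([int]$Value)
    switch ($Value) {
        0 { 'Disabled' }
        1 { 'Block' }
        2 { 'Audit' }
        default { "Unknown ($Value)" }
    }
}

function Get-ExploitGuardState {
    $pref = Get-MpPreference
    $rows = @()

    # Rule GUIDs and their actions are parallel arrays; either may be empty.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    if ($ids.Count -eq 0) {
        $rows += [pscustomobject]@{
            Setting = 'ASR rules'; Id = '(none configured)'; Mode = 'Disabled'
        }
    } else {
        for ($i = 0; $i -lt $ids.Count; $i++) {
            $rows += [pscustomobject]@{
                Setting = 'ASR rule'
                Id      = $ids[$i]
                Mode    = Convert-GuardAction $actions[$i]
            }
        }
    }

    $rows += [pscustomobject]@{
        Setting = 'Network Protection'
        Id      = 'EnableNetworkProtection'
        Mode    = Convert-GuardAction $pref.EnableNetworkProtection
    }

    # Assumption: only "Block" counts as meeting the baseline; "Audit" logs without enforcing.
    $rows | Select-Object *, @{ Name = 'MeetsBaseline'; Expression = { $_.Mode -eq 'Block' } }
}

Get-ExploitGuardState | Format-Table -AutoSize
```

Rules that show "Audit" are still logging events without enforcing, which is the fallback the post mentions for the Office injection setting if compatibility problems appear.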