Security baseline for Windows 10 “Creators Update” (v1703) – FINAL

Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Windows 10 “Creators Update,” also known as version 1703, “Redstone 2,” or RS2. The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs, custom ADMX files for Group Policy settings, and all the settings in spreadsheet…

Disabling SMBv1 through Group Policy

Version 1 of the Server Message Block (SMB) protocol was developed in the early days of personal computer networking, and as Ned Pyle describes in his blog post, Stop using SMB1, there are many reasons to cease using it on your networks. We have added that recommendation to our baseline, and have exposed a way…

Dropping the “Untrusted Font Blocking” setting

With the Windows 10 v1703 security configuration baseline, Microsoft is removing the recommendation to enable the “Untrusted Font Blocking” Group Policy setting in Computer Configuration | Administrative Templates | System | Mitigation Options. Windows 10 includes additional mitigations that make this setting far less important, while blocking untrusted fonts breaks several legitimate scenarios unnecessarily. Parsing…

Security Compliance Manager (SCM) retired; new tools and procedures

Microsoft reluctantly announces the retirement of the Security Compliance Manager (SCM) tool. At the same time, we are reaffirming our commitment to delivering robust and useful security guidance for Windows, and tools to manage that guidance. Microsoft first released the Security Compliance Manager (SCM) in 2010. It was a mammoth program that combined GPO-based security…

Security baseline for Windows 10 “Creators Update” (v1703) – DRAFT

Microsoft is pleased to announce the beta release of the recommended security configuration baseline settings for Windows 10 “Creators Update,” also known as version 1703, “Redstone 2,” or RS2. Please evaluate this proposed baseline and send us your feedback via blog comments below. Download the content here: Windows-10-RS2-Security-Baseline. Microsoft is also announcing changes to the…

Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience

[Primary authors: Dan Simon and Nir Ben Zvi] The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run. These defaults were…

Policy Analyzer v3.1 PRE-RELEASE

Lots of updates to Policy Analyzer in this unsigned, pre-release preview build — please post comments here to let me know how well it addresses your needs and what else it could add. [Update: the latest version of Policy Analyzer is here.] Please see the description of the original Policy Analyzer here for context. Partial list of…

Security baseline for Windows 10 v1607 (“Anniversary edition”) and Windows Server 2016

Microsoft is pleased to announce the release of the security configuration baseline settings for Windows 10 version 1607, also known as “Anniversary edition” and internally as “Redstone 1”. The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs, custom ADMX files for “pass the hash” mitigation and legacy MSS settings,…

The MSS settings

You can download the custom Administrative Template for the “MSS (Legacy)” settings here: MSS-legacy. Note that it is available only for “en-us” (US English). Explanation: Many years ago, before the advent of Trustworthy Computing, some Microsoft security experts identified about 20 Windows registry values (many or perhaps all of which were undocumented at the time) that could…

LGPO.exe v2.0 PRE-RELEASE: support for MLGPO and REG_QWORD

LGPO.exe is a command-line utility to automate the management of local group policy objects (LGPO). Version 1.0 was released last January. The PRE-RELEASE LGPO.exe v2.0 is attached to this blog post, and adds support for Multiple Local Group Policy Objects (MLGPO) and 64-bit REG_QWORD registry values. It also adds support for /e mnemonic options to enable the GP…
