Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 (BETA)

Update, 13 August 2014:  The final version of this guidance has been posted here.
The changes since the beta are described here, with a separate discussion about the changes in the Account Lockout policy here.

Microsoft is pleased to announce the beta release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11.  Highlights of the new security baselines include the following (we intend to backport many of these to older versions of Windows and IE):

  • Use of new and existing settings to help block some Pass the Hash attack vectors;
  • Blocking the use of web browsers on domain controllers;
  • Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines;
  • Removal of the recommendation to enable "FIPS mode" (this is discussed in greater detail in this blog post: Why We’re Not Recommending “FIPS Mode” Anymore);
  • Removal of almost all service startup settings, and all server role baselines that contain only service startup settings.

Settings are provided as four separate sets of baselines, for the following configurations:  Windows 8.1, Windows Server 2012 R2 Domain Controller, Windows Server 2012 R2 Member Server, and Internet Explorer 11.

While we are preparing the content in the format used for inclusion in the Security Compliance Manager (SCM), we are making the baselines available as a download package attached to this blog post.  The download includes a Word document describing various aspects of the changes from previous baselines, a spreadsheet listing all the baseline settings and highlighting all the new and updated settings, Group Policy Objects (GPOs), scripts and utilities to import the full complement of settings into local group policy for evaluation and testing, a new custom ADMX to expose some important settings that aren't currently exposed by Windows as Group Policy settings, and WMI filters to ensure that GPOs are applied to appropriate systems.

Download and extract the attached "".  It contains the following folders:

  • Administrative Template:  an ADMX and (US English) ADML file surfacing some "pass the hash"-relevant settings through the Group Policy editor.  (Note: the Local_Script folder contains scripts that install these files to the appropriate location.)
  • Documentation:  "Recommended Security Baseline Settings.docx" is a Word doc that categorizes and describes all the new and updated settings (you should probably start here); this folder also contains "SCM Windows 8.1 and 2012 R2 Settings.xlsx", an Excel spreadsheet that describes the full set of recommended settings.
  • GP Reports:  Group Policy reports formatted as HTML files (for those who prefer that format over Excel spreadsheets).
  • GPOs:  Group Policy Object backups for the four separate sets of baselines described earlier.
  • Local_Script:  This directory contains three batch files that apply appropriate settings to the current machine:  81_Client_Install.cmd, 2012R2_DomainController_Install.cmd, and 2012R2_MemberServer_Install.cmd. 
  • WMI Filters:  This directory contains .MOF files that you can import into your Group Policy configuration to ensure that GPOs are applied only to the appropriate systems.

We will follow up on this blog with additional announcements and details.

Comments (18)

  1. Anonymous says:

    In the latest review of the official Microsoft security baselines for all versions of Windows client

  2. Changes says:

    Why service startup states are removed?

    [Aaron Margosis]  We describe it in the Word doc included in the download:

    One change that we recommend for all Windows Server baselines is to create and maintain baselines only for “Domain Controller Security Compliance”, “Domain Security Compliance” and “Member Server Security Compliance”.  We recommend not creating (and deleting where they now exist) server role baselines for AD Certificate Services, DHCP, DNS, File Server, Hyper-V, Network Policy and Access, Print Server, Remote Access Services, Remote Desktop Services or Web Server.

    The reason for this change is that those baselines contain only configuration for service startup and simply try to enforce the defaults for their respective roles.  The problems with these baselines are that 1) they are time-consuming to define and maintain, as service startup defaults may change between OS versions; 2) as one can safely assume that the built-in Server Manager or other configuration tools do their job correctly, the baselines provide almost no security benefit; and 3) they can create serious problems when they get it wrong.  For example, in some scenarios, Windows temporarily configures the Windows Installer service (which is normally a Manual start service) to be an Automatic start service so that it can perform actions immediately following a reboot.  The security baseline that forces it back to Manual-start thus causes updates not to be correctly installed.

    For those reasons, we have also decided to remove all the service startup settings from the Server baselines that include them (e.g., “Windows Server 2012 Domain Controller Security Compliance”).  The one exception is the service startup configuration setting for the Application Identity service in Domain Controllers, which is required to support the use of AppLocker (described in the section below, “Blocking the use of Web Browsers on Domain Controllers”).
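
An added check for the dependency described in this reply and in the "Blocking the use of web browsers on domain controllers" bullet above (example code, not part of the baseline download or of Microsoft's scripts): on a domain controller it reports the start mode of the Application Identity service, which AppLocker needs in order to enforce anything, and then lists the effective AppLocker rule collections so you can confirm that the rules from the Domain Controller GPO actually reached the machine. It assumes the AppLocker PowerShell module is present (it ships with Windows Server 2012 R2) and makes no assumption about the names of the rules in the baseline.

```powershell
# Added example (not from the baseline package). Run from an elevated PowerShell prompt
# on the domain controller being checked.

# 1. Precondition: AppLocker rules are only enforced while the Application Identity
#    service (AppIDSvc) is running; the DC baseline sets it to start automatically.
#    Win32_Service is used instead of Get-Service because the StartType property of
#    Get-Service only exists on newer PowerShell versions.
$svc = Get-CimInstance Win32_Service -Filter "Name='AppIDSvc'"
if ($null -eq $svc) { throw 'Application Identity service (AppIDSvc) not found on this machine.' }
"AppIDSvc: StartMode={0}, State={1}" -f $svc.StartMode, $svc.State
if ($svc.StartMode -ne 'Auto') {
    Write-Warning 'AppIDSvc is not set to Automatic; AppLocker rules will not be enforced after a reboot until the service starts.'
}

# 2. Effective policy = local AppLocker policy merged with everything delivered through
#    Group Policy. -Xml returns the policy document, which is easier to walk than the object
#    model: one RuleCollection per type (Exe, Dll, Msi, Script, Appx), each with rule elements
#    (FilePathRule, FilePublisherRule, FileHashRule) that all carry Name and Action attributes.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$collections = @($policy.AppLockerPolicy.RuleCollection)
if ($collections.Count -eq 0) { Write-Warning 'No AppLocker rule collections are in effect on this machine.' }
foreach ($collection in $collections) {
    "Collection {0}: EnforcementMode={1}" -f $collection.Type, $collection.EnforcementMode
    foreach ($rule in $collection.ChildNodes) {
        # Deny rules are the ones the DC baseline relies on; Allow rules show what is still permitted.
        "  [{0,-5}] {1}" -f $rule.Action, $rule.Name
    }
}
```

If the Exe collection shows EnforcementMode=NotConfigured or AuditOnly, the browser rules are present but not blocking; if the collection is missing entirely, check the GPO link and the WMI filter on the Domain Controller baseline before looking at AppLocker itself.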

  3. bmmcrm says:

    Is there a .cab file to import into SCM for Windows 8.1?

    [Aaron Margosis] That's being worked on, but it's not ready yet.

  4. Wolf-Peter says:

    Are these settings in line with the recommendations given by CSI (

    [Aaron Margosis]  Our guidance for Windows 8 / Server 2012 / IE10 aligns with CIS’ guidance, as we collaborated closely.  We also collaborated with CIS during the development of these new baselines.  Although I haven’t yet seen what CIS is publishing for 8.1/2012R2/IE11, I’ve been told they are largely the same.

  5. Beckham says:

    When will the final version be released?

    [Aaron Margosis]  Schedule has not been determined.  Once it is finalized, we will release another .zip file here.  There will probably be a bit of a lag before the content is available in the format that SCM consumes.

  6. GMann22 says:

    Trying to export the IE11 baseline into a .CAB file, and IE 11 doesn't exist in SCM. Is there a way to associate IE 11 with the export tool?

    [Aaron Margosis]  Not yet.  We are still preparing the content in the format that SCM uses.

  7. rprante says:

    When I look at my group policy settings, some of the settings listed in the documentation for Windows 8 and Server 2012 don't exist in the policy. How can I get these new policy settings to appear in my group policy management on my domain server?

  8. Tyrgoth says:

    Any ideas when the SCM CAB file for 2012 R2 will be completed?

    [Aaron Margosis] We expect to publish a final update to the beta in the next week or two in the same format that we published the beta.  The content that can be consumed by SCM will follow in the next month or two.

  9. lcg says:

    Curious if anyone else has had problems logging in via RDP as the Administrator account after applying the Windows Server 2012 R2 Member Server Security Baseline. I keep getting the error, "the user has not been granted the requested logon type at this computer". Double whammy, I'm testing on EC2, so this is pretty much a terminal error for the instance as it's unmanageable at this point and it's really hard to troubleshoot what's happening after the fact.

    [Aaron Margosis] That sounds like the "Deny log on through Remote Desktop Services" and the new setting that applies the "Deny" to all local accounts. That setting is intended for domain-joined machines as part of a Pass-the-Hash mitigation strategy. Remove that restriction if your machine is not joined to a domain. See the Word doc in the Documentation directory for more information.

  10. lcg says:

    Ahh, ok, thanks. I'll give that a shot. Didn't realize "NT AUTHORITY\Local account" mapped to all local accounts, either. That's a good detail to know.

  11. lcg says:

    FYI, for anyone who happens upon this post with the same issue, the fix was to modify two of the settings in the security template, "Deny log on through Remote Desktop Services" and "Deny access to this computer from the network". Remove the SID *S-1-5-113 (NT Authority\Local account) and the local administrator account will be able to log on via remote desktop. Modifying only one of those settings was not sufficient.
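
An added example (not from the baseline package or from the commenters) that checks the two user rights discussed in comments 9 to 11. It exports the effective local security policy with secedit, looks for *S-1-5-113 in SeDenyRemoteInteractiveLogonRight and SeDenyNetworkLogonRight (the internal names of "Deny log on through Remote Desktop Services" and "Deny access to this computer from the network"), shows what that SID resolves to on this OS, and warns when the machine is not domain-joined, which is exactly the situation that locked the commenter out of his EC2 instance. The privilege names and the secedit export format are standard; the temp-file name and the warning text are mine.

```powershell
# Added example (not from the baseline package). Run from an elevated PowerShell prompt.

$localAccountSid = 'S-1-5-113'
$rightsToCheck = @{
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
}

# Show what the SID resolves to. Windows 8.1 / Server 2012 R2 and later translate it to
# "NT AUTHORITY\Local account"; older versions do not know the SID at all.
$sid = New-Object System.Security.Principal.SecurityIdentifier $localAccountSid
try   { $sidName = $sid.Translate([System.Security.Principal.NTAccount]).Value }
catch { $sidName = '(not resolvable on this OS version)' }
"{0} = {1}" -f $localAccountSid, $sidName

# Export the effective local security policy. secedit writes a Unicode .inf file whose
# [Privilege Rights] section has one line per right: Name = *SID,*SID,... (accounts that
# could not be converted to a SID appear as plain names without the leading *).
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # temp-file name is my choice
secedit /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated prompt.' }

$privileges = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
        $privileges[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# The baseline's use of S-1-5-113 in these rights assumes domain accounts exist to log on
# with instead. On a workgroup machine every account is a local account, so the deny
# covers everyone, including the built-in Administrator.
$partOfDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
"Domain-joined: {0}" -f $partOfDomain

foreach ($right in $rightsToCheck.Keys) {
    $assigned = @($privileges[$right])
    $hasLocalAccount = $assigned -contains $localAccountSid
    $status = if ($hasLocalAccount) { 'includes' } else { 'does not include' }
    "{0} ({1}) {2} *{3}" -f $rightsToCheck[$right], $right, $status, $localAccountSid
    if ($hasLocalAccount -and -not $partOfDomain) {
        Write-Warning "$right denies all local accounts on a machine that is not domain-joined. Remove *$localAccountSid from this right before your current session ends, or you will not be able to get back in."
    }
}
```

Note that both rights have to be cleaned up, as the commenter found: the network-logon deny also blocks the credential exchange that precedes the Remote Desktop logon. Windows 8.1 and Server 2012 R2 also define S-1-5-114 (NT AUTHORITY\Local account and member of Administrators group), which lets you restrict the deny to local administrators rather than every local account; that SID is not discussed on this page.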

  12. lnhg says:

    I am also missing ADMX files to add some configuration options in GPMC. I know I have to download them but I don't know from where, or how to add them to SCM.
    The options I am looking for in GPMC are from SCM: Pass the Hash Mitigations
    Apply UAC restrictions to local accounts on network logons
    Set WDigest Authentication

    Any help or ideas on how to do it?

    [Aaron Margosis]  My apologies – I thought those were included with the baselines' attachments.  Apparently not.  They are in the download file associated with this blog post.
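
Added example (not part of the baseline's ADMX or documentation): the two "Pass the Hash Mitigations" policies named in the comment above are each backed by a single registry value, so they can be checked or set directly while the ADMX is not yet installed in your central store. The registry paths and value names are the ones those policies write (LocalAccountTokenFilterPolicy and UseLogonCredential); the -Apply switch, the compliance messages and the notes about absent values are my additions.

```powershell
# Added example (not from the baseline package). Run from an elevated PowerShell prompt;
# without -Apply it only reports.
[CmdletBinding()]
param([switch]$Apply)

$settings = @(
    @{  Name  = 'Apply UAC restrictions to local accounts on network logons'
        Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value = 'LocalAccountTokenFilterPolicy'
        Want  = 0   # 0 = local admins get a filtered (non-admin) token over the network; 1 = full token
        Note  = 'absent means 0 (token filtering on) on a default install'
    },
    @{  Name  = 'WDigest Authentication'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        Value = 'UseLogonCredential'
        Want  = 0   # 0 = LSASS no longer keeps the plaintext password for WDigest; 1 = it does
        Note  = 'absent means 0 on 8.1/2012 R2, but still 1 on older OS versions that received the backport; set it explicitly'
    }
)

$allCompliant = $true
foreach ($s in $settings) {
    # Get-ItemProperty returns $null (not an error) when the key or value does not exist.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
    $state = if ($null -eq $current)       { "not set ($($s.Note))" }
             elseif ($current -eq $s.Want) { "OK ($current)" }
             else                          { "NOT compliant (is $current, baseline wants $($s.Want))" }
    "{0}: {1}" -f $s.Name, $state

    if ($current -ne $s.Want) {
        $allCompliant = $false
        if ($Apply) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Want -Type DWord
            "  -> set {0}\{1} = {2}" -f $s.Path, $s.Value, $s.Want
        }
    }
}
if (-not $allCompliant -and -not $Apply) { 'Re-run with -Apply to set the baseline values.' }
```

Setting the values by hand is a stopgap for test machines; once the ADMX from the download is in place, deliver them through the GPO so that Group Policy re-asserts them and reports them in compliance tooling. A WDigest change only affects logons that happen after it is applied, so existing sessions keep their cached credentials until the users log off.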

  13. Savager says:

    Hi Aaron, just want to check if I could just create a template from 8.1 (beta) and use it on a Windows 8 machine?

    [Aaron Margosis]  I'd use the final rather than the beta, but I don't know of any issues that would arise. The policies that apply only to 8.1 or newer will be ignored on Win8.  BTW, why haven't you upgraded the Win8 to 8.1?

  14. If anyone is looking for a good reference on how to get started with the Microsoft Security Baselines, I put together a presentation on the topic:

    [Aaron Margosis] This looks very good! Thanks! A few comments:

    • Windows 10 is (obviously) still pre-release and has been going through too many changes to publish a security guide for it yet.
    • Application whitelisting with AppLocker is a very good idea. E.g., don't allow standard users to execute anything that's in a user-writable directory. However, the app-compat impact for most organizations is probably too large for us to include that as part of a generic "go do this now" kind of baseline, which is the intent of these baselines.
    • Adding web sites to the Trusted Sites zone is generally not a good idea. Most web app incompatibility (at least for public web sites) is not because of zone permissions.

  15. IT-POL says:

    Has SCM been discontinued? @ it says "This tool is no longer supported by Microsoft". Has it been replaced by something else?

  17. Robert says:

    Is there a similar release for Server 2008 R2 – SP1?

    [Aaron Margosis] I don't have an SCM on this box, but there's a set of Server 2008 R2 baselines. I don't think it's labeled "SP1", but we didn't change the baselines between 2008 R2 and 2008 R2 SP1.

  18. ITS says:

    Are there any issues with applying the SCM template to Server 2012 R2? I am executing LocalGPO and providing the backup GPO path; the command returns success and the .inf and policy are applied. I restart the server and I do not see the policy being applied. Is there anything else I need to change in the VB script to get it to work?

    [Aaron Margosis]  I suspect that the problem is that the LocalGPO tool has not been maintained and has version checks built in that don't allow it to run on anything newer than Win8 and 2012.  See the download packages here and here for scripts and tools that do work.