Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 – FINAL


Microsoft is pleased to announce the final release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11. Some of the highlights of the new security baselines (many of which we intend to backport to older versions of Windows and IE):

  • Use of new and existing settings to help block some Pass the Hash attack vectors;

  • Recommendations to control the storage of plaintext-equivalent passphrases;

  • Blocking the use of web browsers on domain controllers;

  • Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines;

  • Removal of the recommendation to enable "FIPS mode" (this is discussed in greater detail in this blog post: Why We’re Not Recommending “FIPS Mode” Anymore);

  • Removal of almost all service startup settings, and all server role baselines that contain only service startup settings.

Settings are provided as four separate sets of baselines, for the following configurations: Windows 8.1, Windows Server 2012 R2 Domain Controller, Windows Server 2012 R2 Member Server, and Internet Explorer 11. The attachment to this blog post includes scripts to apply those baselines to a computer’s local policy and GPO backups you can import into Active Directory Group Policy.

There are a few changes between these recommendations and the beta version we released in April. We discuss those changes in more detail in two other blog posts: one about most of the changes, and another detailed post about the issues around account lockout recommendations.

[Update 2 September 2014: updated the guidance with a change to Member Server baseline and "Deny access to this computer from the network" setting. For more info, see Blocking Remote Use of Local Accounts.]
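The setting named in that update is the one most likely to lock a local administrator out of a freshly hardened, non-domain-joined server, so it is worth checking before and after applying the Member Server script. The following is an added example, not part of the Microsoft baseline package: it parses a `secedit /export` INF file and reports whether "Deny access to this computer from the network" (SeDenyNetworkLogonRight) covers the well-known local-account SIDs S-1-5-113 and S-1-5-114; the export file path and the sample INF are constructed for illustration.

```python
# Added example, not part of the baseline package: parse a "secedit /export"
# INF and report whether SeDenyNetworkLogonRight ("Deny access to this computer
# from the network") covers the local-account SIDs S-1-5-113 and S-1-5-114.
import os
import subprocess
import tempfile

LOCAL_ACCOUNT_SIDS = {
    "S-1-5-113": "Local account",
    "S-1-5-114": "Local account and member of Administrators group",
}

def parse_privilege_rights(inf_text: str) -> dict[str, list[str]]:
    """Map each user right in [Privilege Rights] to its principals.
    SIDs carry a leading '*' in the INF, which is stripped here."""
    rights: dict[str, list[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def local_accounts_denied_network_logon(inf_text: str) -> list[str]:
    """Local-account SIDs found in SeDenyNetworkLogonRight; a non-empty
    result is what blocks RDP for a local admin on a non-domain-joined box."""
    denied = parse_privilege_rights(inf_text).get("SeDenyNetworkLogonRight", [])
    return [sid for sid in denied if sid in LOCAL_ACCOUNT_SIDS]

def export_local_policy() -> str:
    """Export the local machine's user rights (Windows, elevated prompt)."""
    path = os.path.join(tempfile.gettempdir(), "secpol-export.inf")  # constructed path
    subprocess.run(["secedit", "/export", "/cfg", path, "/areas", "USER_RIGHTS"], check=True)
    with open(path, encoding="utf-16") as fh:  # secedit writes UTF-16 with BOM
        return fh.read()

# Constructed sample export (not captured from a real server): Guests plus the
# two local-account SIDs are denied network logon.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-113,*S-1-5-114
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""

if __name__ == "__main__":
    for sid in local_accounts_denied_network_logon(SAMPLE_INF):
        print(f"{sid} ({LOCAL_ACCOUNT_SIDS[sid]}) is denied network logon")
```

On a real server, replace `SAMPLE_INF` with `export_local_policy()`; an empty result means local accounts are not in the deny list and the lockout described in the comments below does not apply.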

While we are preparing the content in the format used for inclusion in the Security Compliance Manager (SCM), we are making the baselines available as a download package attached to this blog post. The download includes a Word document describing various aspects of the changes from baselines for earlier versions of Windows and IE, a spreadsheet listing all the baseline settings and highlighting all the new and updated settings, Group Policy Objects (GPOs), scripts and utilities to import the full complement of settings into local group policy for evaluation and testing, a new custom ADMX to expose some important settings that aren't currently exposed by Windows as Group Policy settings, and WMI filters to ensure that GPOs are applied to appropriate systems.

Download and extract the attached "Win81-WS2012R2-IE11-Baselines-FINAL.zip". It contains the following folders:

  • Documentation: "Recommended Security Baseline Settings.docx" is a Word doc that categorizes and describes all the new and updated settings (you should probably start here); this folder also contains "SCM Windows 8.1 and 2012 R2 Settings.xlsx", an Excel spreadsheet that describes the full set of recommended settings.

  • Administrative Template: an ADMX and (US English) ADML file surfacing some "pass the hash"-relevant settings through the Group Policy editor. (Note: the Local_Script folder contains scripts that install these files to the appropriate location.)

  • GP Reports: Group Policy reports formatted as HTML files (for those who prefer that format over Excel spreadsheets).

  • GPOs: Group Policy Object backups for the four separate sets of baselines described earlier. These can be imported into Active Directory Group Policy.

  • Local_Script: This directory contains three batch files that apply appropriate settings to the current machine: 81_Client_Install.cmd, 2012R2_DomainController_Install.cmd, and 2012R2_MemberServer_Install.cmd.

  • WMI Filters: This directory contains .MOF files that you can import into your Group Policy configuration to ensure that GPOs are applied only to the appropriate systems.

We will follow up on this blog when the SCM cab files become available.

We would like to acknowledge and express our appreciation to the Center for Internet Security for their collaboration in the development of this guidance.

Win81-WS2012R2-IE11-Baselines-FINAL.zip

Comments (27)

  1. Ed (DareDevil57) says:

    thank you

  2. lazerpld says:

    I am having an issue with creating a new corporate baseline, based on the SCM Server 2012 R2 member server baseline. I have made a duplicate of it, making it available under the "Custom Baseline" node. But if I want to add a Server 2012 R2 setting (choosing
    Product: Server 2012 R2), the settings window is completely empty. If I choose "Server 2012" as product, I get all the settings available.
    Am I missing a point?

  3. Ehtesham1601 says:

    It's nice to find out that there is a final release of the baseline, however there is no news on the Microsoft SCM 3.0 update/support… it would have been great if Microsoft would have release an updated version of SCM along side MDT 2013… Guys please post when the update is available, also share the GPOPack.wsf file update with windows 8.1 support & guidelines around using it.

    [Aaron Margosis]  Should be released before the end of August.  We could have held back on release of the materials we did publish, but it made more sense to release them when they were ready rather than hold back.

  4. Beckham says:

    When can it be downloaded through SCM 3.0 ?

    [Aaron Margosis] We anticipate publishing the .cab files this month. We will of course announce here.

  5. Christian says:

    Hi, any chances to get these integrated/passed along to CIS for incorporation into their benchmark tooling?
    Thank you! :)

    [Aaron Margosis] We have been collaborating with CIS on the development of these baselines. I don't know what their current timetables are for their own releases, though.

  6. Rob Ralston says:

    This is really helpful information and tools. Thanks to everyone involved that produced this.

  7. Awesome stuff… I will definitely cover this at my TechEd NZ Group Policy PtH session in a few weeks.

  8. Patrick says:

    Finally, the settings for Server 2012 R2 are available for download in SCM.
    As there is no "Upgrade" of existing custom configured policies associated with Server 2012 (or any earlier OS), I did export my Policy as GPO and re-imported it back, knowing I would lose some settings as the export and import process renames settings, sometimes uses
    integers as booleans or vice versa, and then tried to associate it with Server 2012 R2.

    "0 unique settings from the GPO's 346 Settings apply to this product."!
    Whoa, that's a surprise now. OK. What would happen if I export the 2012 R2 Policy, import it back as GPO and associate it with Server 2012 R2 again?
    "0 unique settings from the GPO's 157 Settings apply to this product.".
    That's even better. Not only can it not find any matches, it loses most of the 421 (see below) settings.

    So what happened? Why can't I associate a GPO import with server 2012 R2?
    The release notes state:
    • If the Microsoft Windows Server 2012 R2 Security Compliance Baseline is exported to a Group Policy object (GPO) from SCM 3.0, the exported GPO cannot be re-imported into SCM 3.0. Importing the exported GPO will not result in the same information and structure
    as was originally exported.
    But it does not tell you that the association does not work at all anymore.

    Will there be a way to associate GPO imports to Server 2012 R2?
    Will SCM be fixed to export meta data on GPO exports to allow re-import including comments?
    Will SCM be fixed to use the same syntax checks for exports and imports?

    Thank you very much for letting us know
    Best regards
    Patrick

  9. Sigurd Flaatten says:

    Still waiting for SCCM .cab files! :o)

    [Aaron Margosis]  I assume you mean SCM (Security Compliance Manager) and not SCCM, right?  We published those .cab files almost three weeks ago.

  10. dunketh says:

    >[Aaron Margosis] I assume you mean SCM (Security Compliance Manager) and not SCCM, right? We published those .cab files almost three weeks ago.
    Thanks for (not) updating this article then! LOL. Guess you guys are only human like the rest of us..
    "We will follow up on this blog when the SCM cab files become available." haha.. it's OK, I'm always forgetting stuff myself.

    [Aaron Margosis] Umm… we DID update this blog — my last reply had a link to the post we published announcing it. We didn't say we'd update this specific blog post, but that we'd announce it on the blog, which we did right away.

  11. Kevin says:

    Unfortunately, even after importing the CAB files, there is still no way to customize our own baselines. No settings show up.

    http://i.imgur.com/yTIpdki.png

    [Aaron Margosis]  Known issue. Unfortunately there's nothing I can do about it.  The text below is from the Release Notes for the Win8.1 baselines; similar language is in the notes for the other baselines:

    • If the Microsoft Windows 8.1 Security Compliance Baseline is exported to a Group Policy object (GPO) from SCM 3.0, the exported GPO cannot be re-imported into SCM 3.0. Importing the exported GPO will not result in the same information and structure as was originally exported.

  12. Fred says:

    Applied the 2012 R2 Member profile with the Local script on a non-domain-joined server. I can't figure out how to re-enable local user remote desktop login. Are there more settings that affect this besides what's in Local Security Policy, User Rights Assignment: Deny log on through RDS and Allow log on through RDS? My user is a local admin, can't log in though. Looked all through the User Rights Assignment entries. Tried creating a new admin user, adding the admin user to RDS Users, no luck. Makes no sense.

    Testing on 2 different servers, one complains about no Remote Desktop login right and the other complains about unable to contact the LSAuthority

    [Aaron Margosis] Try removing the Local Account restriction on the "Deny access to this computer from the network" policy.

  13. Fred says:

    yes that works. Sorry I was actually testing against the wrong server, too many VMs I have to keep straight. duh!
    Thank you

  14. The field really needs updated SCAP solutions/support for SCCM. Government agencies need this sooner vs later.

    Why isn't Microsoft supporting the most recent SCAP version requirements yet? Isn't this a priority?

  15. Fred says:

    2 questions, is there an easy way to reverse all the changes that are applied from this baseline? Specifically I'm applying the windows 2012 R2 member server script from the "Local Script" directory.

    Also, are there known performance issues when applying this baseline? We run a custom app that uses IIS/java/web browser and I see a noticeable performance decrease when applying this script to the server. It's going to be hard to find out which settings caused the decrease in performance, if anything.

    [Aaron Margosis] No good way to revert the entire thing, as some of the settings tattoo.

    No known perf issues that I'm aware of.

  16. CJ says:

    Have you guys reviewed the documentation? The Recommended Security Baseline Settings.docx states that Policy Name Account lockout threshold's old value was 50? Really it was never 50, it was 5 right? The Delta-BetaToFinal doc also talks about this setting change. The doc reads ".. this setting in a separate blog post [add hyperlink], but clearly no one added that hyperlink.

    [Aaron Margosis] Yes, of course we reviewed it. That's not to say that every mistake got caught. Every program has bugs and every book has errata. Thanks for the feedback — I do hate making mistakes, no matter how small.

    The account lockout threshold was 50 in the Windows 7 / Server 2008 R2 guidance, then dropped to 5 in the Windows 8 / Server 2012 guidance, then changed to 10 in the 8.1/2012R2 guidance. More details in this blog post. Since the comparison should have been against the Windows 8 / 2012 guidance, that's a bug in that document.

    The blog post referenced in the Delta-BetaToFinal.docx Word doc hadn't been posted yet when the document was written, hence the placeholder. The placeholder was updated when the document became a blog post itself (here), but the original Word doc never got updated. That's a bug.

    Thanks again for the feedback.

  17. Benjamin Lange says:

    Why don't you allow the 2.16.840.1.101.3.4.1.12 standard? 2.16.840.1.101.3.4.1.2 and 2.16.840.1.101.3.4.1.42 are allowed, so this seems like a mistake?

    [Aaron Margosis] What is the …3.4.1.12 standard? I searched for that OID but found no references to it anywhere.

  18. Benjamin Lange says:

    It's the 192bit mode for AES-CBC. Currently only 128bit and 256bit are allowed.
    See: http://www.alvestrand.no/objectid/2.16.840.1.101.3.4.1.html
    Is it unsupported maybe? Just stumbled across it :)

    [Aaron Margosis] Did you mean ".22" instead of ".12", then?  That is supported.  https://msdn.microsoft.com/en-us/library/windows/desktop/aa378177(v=vs.85).aspx

  19. Benjamin Lange says:

    My bad, I meant 2.16.840.1.101.3.4.1.22 of course.
    GP has only .2 and .42 set.
    "Restrict crypto algorithms or cipher suites to the following: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42"
    Any reason .22 is missing there?

  20. Andreas Decker says:

    Why is the setting "Software channel permission" still in the baseline for IE11 (and IE8, 9 and 10)? After all it is only supported on "Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 through IE7 inclusive"

    [Aaron Margosis] It's not.  We changed it from "High Safety" to "Not configured" in the IE11 baseline specifically because it's no longer applicable.

  21. Dale Walton says:

    Good Morning,
    Can you please tell me if the Server 2012 R2 Baselines are CIS compliant?

    [Aaron Margosis]  We worked closely with CIS in the development of these baselines.  You should find no differences between Microsoft's and CIS' baselines for Server 2012 R2, or any other recent baselines.

  22. Tom says:

    Aaron – I've noticed both the DoD STIG and the Microsoft baseline for IE 11 specify Java permissions for each IE zone. It's my understanding that this GPO setting applies only to the long-defunct Microsoft Java, last included with Windows XP prior to Service Pack 2. It has no impact on the functionality of Oracle Java.

    So for any version of Internet Explorer from 9 on up, this setting is meaningless (since IE 8 is the last version that works on XP). Does this sound right? Should these settings be removed from all the various baselines? Thank you.

  23. oyvsi says:

    Is the excel spreadsheet updated? On the user tab it has several settings which are not included in the GPO (Internet Communications settings, Attachment Manager, Network sharing and WMP codec download)

    [Aaron Margosis] I don't think I understand what you mean. Settings that are "Not Configured" never appear in GPO backups – only settings that are explicitly configured.

  24. oyvsi says:

    In the Excel spreadsheet, these are shown as configured. But they do not appear in the GPO. For instance, in the spreadsheet "Prevent Codec Download" shows "Enabled" (for 2012 R2).

    [Aaron Margosis] Ah, yes, you're correct. The spreadsheet lists some settings in the 2012R2 column that don't need to be there. The 2012R2 guidance should generally match that of the 8.1 guidance.  On the other hand, there are two User Config Attachment Manager settings in the 8.1 baseline that are not in the GPOs for Server. Those appear to be oversights as well. Because those settings enforce defaults, impact should be low.

  25. Eddie says:

    The solution accelerator website for SCM states "This tool is no longer supported by Microsoft"
    https://technet.microsoft.com/en-au/solutionaccelerators/cc835245.aspx

    So what is the officially supported method for hardening standalone servers? Back to using security templates?

    [Aaron Margosis] "Not supported" simply means that we won't necessarily provide bug fixes for the SCM tool itself. The Sysinternals tools are similarly "not supported".  SCM or the lightweight policy downloads/tools on the blog posts here for Win8.1/2012R2/IE11 and for Win10 are the best ways to deploy the security configuration recommendations.

  26. Martin Franqueira says:

    I have found that the 'MSFT Windows Server 2012 R2 Member Server Baseline' GPO prevents Advanced Auditing from applying. If I remove the policy the settings apply properly again.

    Does anyone know which of the settings in this policy would cause this?

    Thanks!

    [Aaron Margosis] Never heard of that problem before – are you quite sure?

  27. Cindy Fisher says:

    You say "We worked closely with CIS in the development of these baselines. You should find no differences between Microsoft's and CIS' baselines for Server 2012 R2, or any other recent baselines." The CIS Benchmarks for Server 2012 R2 include many more settings than what are available in the SCM. Why did you remove so many settings and can they be gotten somewhere and imported into the SCM so I can make a policy that adheres to CIS recommended benchmarks?

    [Aaron Margosis] CIS defines two levels of their Windows settings, "L1" and "L2". Their L1 settings generally line up very closely if not identically with our baselines.