Security baseline for Windows 10 - DRAFT

[Removing the attachment from this post. Please see updated baseline content for Windows 10 v1507 (TH1) and Windows 10 v1511 (TH2).]

Microsoft is pleased to announce the beta release of the security baseline settings for Windows 10 along with updated baseline settings for Internet Explorer 11. With this release we have taken a different approach from baselines of the past. Instead of piling on more settings and continuing to grow the size of the baseline, we have reevaluated older settings to determine whether they address contemporary threats, and have removed 44 (so far) that don’t. In many cases, these settings merely enforce defaults that don’t need to be actively enforced through Group Policy. By removing these settings, we allow administrators to focus on real security issues, and allow organizations that choose to enable a technology or feature to be able to do so without having to argue with or receive failing marks from security auditors, or to reverse group policy settings.

Microsoft released the Local Administrator Password Solution (LAPS) earlier this year, and we strongly recommend that enterprises deploy it to workstations and member servers. LAPS is a simple and elegant solution that randomizes local account passwords so that no two computers on your network have a matching local account and password. When computers have identical local account passwords, an attacker who gets administrative rights on one computer can easily take over all other computers on the network via a pass-the-hash attack. LAPS mitigates that threat. The Windows 10 baseline includes policies to enable LAPS. (Note that LAPS requires an Active Directory schema extension. See the links at the end of this article for more information.)

We recommend enabling Credential Guard on systems that can support it. We have put the Credential Guard settings in a separate GPO, however, because backing the settings out on a UEFI computer requires more than just removing the GPO. See the links for more information.
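The two recommendations above are easy to deploy and hard to confirm from the console. The following PowerShell is an added example written for this page, not code from the baseline package: it checks on a Windows 10 host whether the LAPS client policy has arrived and whether Credential Guard is actually configured and running. It assumes that the registry path and value names are the ones the LAPS (AdmPwd) ADMX writes under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd, and that the Win32_DeviceGuard class reports Credential Guard as security service ID 1.

```powershell
# Added example, not part of the baseline download. Assumptions: the AdmPwd policy key and
# value names below are those written by the LAPS ADMX; Win32_DeviceGuard lists
# Credential Guard as service ID 1 in SecurityServicesConfigured/SecurityServicesRunning.

function Test-LapsPolicy {
    # The LAPS client-side extension reads its configuration from this policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{
            Enabled = $false
            Detail  = 'AdmPwd policy key absent: GPO not applied, or LAPS ADMX not in the policy store'
        }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled         = ($p.AdmPwdEnabled -eq 1)
        PasswordLength  = $p.PasswordLength
        PasswordAgeDays = $p.PasswordAgeDays
        Complexity      = $p.PasswordComplexity   # 4 = upper, lower, digits and specials
        Detail          = "AdmPwdEnabled=$($p.AdmPwdEnabled)"
    }
}

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) {
        # Class missing: not Windows 10, or virtualization-based security is unavailable here.
        return [pscustomobject]@{ VbsStatus = 'unavailable'; Configured = $false; Running = $false }
    }
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
        VbsStatus  = @('disabled', 'enabled-not-running', 'running')[$dg.VirtualizationBasedSecurityStatus]
        Configured = ($dg.SecurityServicesConfigured -contains 1)
        Running    = ($dg.SecurityServicesRunning -contains 1)
    }
}

$laps = Test-LapsPolicy
$cg   = Get-CredentialGuardState
"LAPS policy enabled: $($laps.Enabled) ($($laps.Detail))"
"Credential Guard configured: $($cg.Configured); running: $($cg.Running); VBS: $($cg.VbsStatus)"

# If the Cred Guard GPO has been unlinked and Running is still $true after a reboot, the
# setting has persisted on the machine itself; that persistence is why the post keeps these
# settings in a separate GPO. Follow the Credential Guard documentation to remove it.
```

Run it in an elevated prompt after `gpupdate /force` and a reboot; the Credential Guard check is the one to repeat after any attempt to back the GPO out, since an unlinked GPO does not by itself turn the feature off on a UEFI machine.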

We have also moved the ancient “MSS” settings from Security Options to a custom Administrative Template. The mechanism that had been used to expose the MSS settings in Security Options had become unsupportable. The new custom ADMX and ADML establish the same registry settings, if you choose to configure them, but in a manner that is supportable.

While we are preparing the content in the format used for inclusion in the Security Compliance Manager (SCM), we are making the baselines available as a download package attached to this blog post. The download includes a spreadsheet listing all the baseline settings and highlighting all the new and updated settings, Group Policy Objects (GPOs), scripts and utilities to import the full complement of settings into local group policy for evaluation and testing, custom ADMX files to expose some important settings that aren't currently exposed by Windows as Group Policy settings, and WMI filters to ensure that GPOs are applied to appropriate systems.

Download and extract the attached "Win10-IE11-Baselines-DRAFT.zip". It contains the following folders:

  • Documentation: "SCM Windows 10 - 2015-10-08.xlsx" is an Excel spreadsheet that describes the full set of recommended settings. The spreadsheet has multiple tabs. On each tab there is a MSFT 8.1 column and a MSFT 10 column (on the IE tabs, MSFT IE11 and MSFT 10 (IE11 update)). If the MSFT 10 column is empty, the 8.1/IE11 setting is retained. If the MSFT 10 column is not empty, that is the new value for the setting. In many cases, the new value is "Not configured." There is also some color coding: yellow indicates a setting that is new and applies only to Windows 10; green indicates a custom ADMX.

  • Administrative Template: Five ADMX and corresponding US English ADML files to expose additional security-relevant settings through the Group Policy editor. These include the LAPS (AdmPwd) and MSS settings described earlier, the EMET 5.5 beta policy files, a custom policy file to disable Wi-Fi Sense, and the Pass The Hash mitigations policy file we introduced with the Windows 8.1 baseline.

  • GP Reports: Group Policy reports formatted as HTML files (for those who prefer that format over Excel spreadsheets).

  • GPOs: Group Policy Object backups for the following policies that can be imported into Active Directory Group Policy:

    • SCM Windows 10 - Computer

    • SCM Windows 10 - User

    • SCM Windows 10 - Domain Security

    • SCM Windows 10 - BitLocker

    • SCM Windows 10 - Cred Guard

    • SCM Internet Explorer - Computer

    • SCM Internet Explorer - User

  • Local_Script: This directory contains a batch file that applies the Computer, User and IE policies to local group policy.

  • WMI Filters: This directory contains .MOF files that you can import into your Group Policy configuration to ensure that GPOs are applied only to the appropriate systems.
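As an added example, not part of the download package, here is how the GPO backups listed above can be imported into a domain with the GroupPolicy module and linked to a pilot OU, and how to evaluate a Windows 10 WMI filter query on a host before trusting it. It assumes the package was extracted to C:\Baselines\Win10-IE11-Baselines-DRAFT, that a pilot OU named OU=Win10-Pilot,DC=corp,DC=example exists, and that the WQL query shown matches the intent of the package's .MOF filter (Windows 10 workstations only); the Cred Guard GPO is left out of the first pass for the reason given earlier.

```powershell
# Added example, not code from the baseline package. Assumptions: extraction path, pilot OU
# name, and the WMI query text are illustrative and must be adjusted to your environment.
Import-Module GroupPolicy

$root       = 'C:\Baselines\Win10-IE11-Baselines-DRAFT'   # assumed extraction folder
$backupPath = Join-Path $root 'GPOs'
$testOu     = 'OU=Win10-Pilot,DC=corp,DC=example'         # assumed pilot OU

# GPO backup names as listed in the package. "SCM Windows 10 - Cred Guard" is deliberately
# omitted here: backing it out later takes more than unlinking the GPO.
$gpoNames = @(
    'SCM Windows 10 - Computer',
    'SCM Windows 10 - User',
    'SCM Windows 10 - Domain Security',
    'SCM Windows 10 - BitLocker',
    'SCM Internet Explorer - Computer',
    'SCM Internet Explorer - User'
)

foreach ($name in $gpoNames) {
    # Import-GPO overwrites the settings of an existing GPO with the target name, so refuse
    # to import over one that already exists rather than silently replacing it.
    if (Get-GPO -Name $name -ErrorAction SilentlyContinue) {
        Write-Warning "GPO '$name' already exists; skipping import to avoid overwriting it."
        continue
    }
    Import-GPO -BackupGpoName $name -TargetName $name -Path $backupPath -CreateIfNeeded | Out-Null
    Write-Host "Imported '$name'"
}

# Link to the pilot OU only; widen the scope after the settings have been evaluated there.
foreach ($name in $gpoNames) {
    New-GPLink -Name $name -Target $testOu -LinkEnabled Yes -ErrorAction Stop | Out-Null
}

# The GroupPolicy cmdlets do not import WMI filters; import the package's .MOF files through
# GPMC (WMI Filters > Import). Before relying on a filter, run its query on a target host:
# a host the query does not match receives none of the filtered GPOs.
$win10Query = 'SELECT Version, ProductType FROM Win32_OperatingSystem ' +
              'WHERE Version LIKE "10.%" AND ProductType = "1"'   # assumed filter text
$match = Get-CimInstance -Query $win10Query
if ($match) { "This host matches the Windows 10 workstation filter (version $($match.Version))." }
else        { 'This host would NOT receive GPOs behind the Windows 10 workstation filter.' }
```

Run the import from a domain-joined admin workstation with RSAT installed; the WMI query at the end can be run on any candidate host to see whether the filter would let the GPOs apply there, which is the check to do before a filter goes on a GPO linked above a pilot OU.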

We will follow up on this blog when the draft content is updated and when the SCM cab files become available.

[Update - adding in the links I had intended to include]

Local Administrator Password Solution (LAPS):

Credential Guard (Windows 10)