Security baseline for Windows 10 v1607 (“Anniversary edition”) and Windows Server 2016


Microsoft is pleased to announce the release of the security configuration baseline settings for Windows 10 version 1607, also known as “Anniversary edition” and internally as “Redstone 1”. The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs, custom ADMX files for “pass the hash” mitigation and legacy MSS settings, and all the settings in spreadsheet form. It also includes spreadsheets generated from Policy Analyzer that show differences from past baselines and brief descriptions of the reasons for the differences, and a similar spreadsheet listing the differences between the Member Server and Domain Controller baselines.

Download the content here: Windows 10 RS1 and Server 2016 Security Baseline

The .CAB files corresponding to these baselines for the Security Compliance Manager (SCM) are being worked on and should be available for download through SCM by the end of October. In the meantime, the downloadable materials on this blog post should provide most everything you need to move forward. We are also preparing an updated version of Policy Analyzer and hope to publish it soon. [Update, 17-Nov-2016: the SCM CAB files corresponding to these baselines are now published. Install and start SCM v4.0 on an internet-connected system: it will notify you that the new baselines are available if it is configured to check for updates automatically, or you can select "Check for updates" from the File menu.]

The main changes in the Windows 10 v1607 baseline since that for Windows 10 v1511 include:

  • Windows Defender is recommended for enterprise use and important Defender settings are now part of the Windows baseline.
  • Enforcing the blocking of SSL 3.0 and of out-of-date ActiveX controls in Internet Explorer.
  • Disabling the Mobile Hotspot feature, which non-admins could otherwise enable.
  • Improvements in auditing settings.
  • Change in User Rights Assignment so that administrators can choose to enable Remote Desktop.
  • Continued removing unnecessary enforcement of defaults, consistent with our previously-documented philosophy.

In addition to those, the Windows Server 2016 Member Server baseline removes settings for the Microsoft Edge browser that were in the Windows Server 2016 Technical Preview 5 baseline, as Microsoft Edge is no longer present in Windows Server.

To assist with evaluation, we have built spreadsheets listing differences between the latest baselines and previous baselines, along with explanations for the differences. Download here. The spreadsheets with "Raw" in the file name include detailed information about the differences; the ones with "Explanation" in the file name remove detailed columns such as raw registry value and data type, and add a "Reason for difference" column. The differences captured are between:

  • Windows 10 v1511 (TH2) to Windows 10 v1607 (RS1)
  • Windows Server 2012 R2 to Windows Server 2016 - Member Server
  • Windows Server 2012 R2 to Windows Server 2016 - Domain Controller
  • Windows Server 2016 TP5 to Windows Server 2016 RTM - Member Server
  • Windows Server 2016 Member Server to Domain Controller

For those who have used the Local_Script tools in the download packages for previous baselines, we’ve changed their implementation. We used to copy GPO artifacts such as registry.pol files into the Local_Script directory and rename them. This time, the scripts reference the GPO files in their original locations. Because all GPO backup directory names are GUIDs, it can be difficult to identify which GUID is associated with which GPO. To help, we have added a simple PowerShell script that maps the GUIDs in a GPO backup directory hierarchy to the corresponding GPO names. This screenshot demonstrates:

[Screenshot: blog post - v1607 - screenshot]
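
The following is an added example written for this page, not the mapping script that ships in the Microsoft download package. It does the same job the script above is described as doing: it walks a GPO backup tree, reads each backup's bkupInfo.xml, and pairs the {GUID} folder name with the GPO display name; it then uses that map to import one GPO into a domain by name instead of by GUID. The extraction path C:\Baselines\Win10-RS1 and the display-name pattern "MSFT Windows 10*Computer" are assumptions; check them against the table the function prints.

```powershell
# Added example (not Microsoft's script). Assumed layout: the baseline zip
# extracted to C:\Baselines\Win10-RS1, GPO backups under its GPOs folder,
# one {GUID} directory per GPO, each holding a bkupInfo.xml.

function Get-GpoBackupMap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$BackupRoot
    )
    # Every GPO backup directory carries a bkupInfo.xml whose BackupInst element
    # records the backup ID (the {GUID} used as the folder name), the source
    # domain, the backup time and the GPO display name.
    Get-ChildItem -Path $BackupRoot -Recurse -Filter 'bkupInfo.xml' -File |
        ForEach-Object {
            [xml]$info = Get-Content -Path $_.FullName -Raw
            $inst = $info.BackupInst
            [pscustomobject]@{
                BackupId    = $inst.ID
                DisplayName = $inst.GPODisplayName
                Domain      = $inst.GPODomain
                BackupTime  = $inst.BackupTime
                Folder      = $_.DirectoryName
                # Import-GPO wants the directory that contains the {GUID} folders
                BackupRoot  = Split-Path -Path $_.DirectoryName -Parent
            }
        } | Sort-Object DisplayName
}

$map = Get-GpoBackupMap -BackupRoot 'C:\Baselines\Win10-RS1\GPOs'
$map | Format-Table BackupId, DisplayName, BackupTime -AutoSize

# Import the Windows 10 computer baseline into the domain by display name.
# The -like pattern is an assumption about the package's GPO names; adjust it
# to what the table shows. -CreateIfNeeded creates the target GPO if it does
# not exist yet; review it and link it with New-GPLink afterwards. Needs the
# GroupPolicy module (RSAT) and rights to create GPOs in the domain.
Import-Module GroupPolicy
$computerGpo = $map |
    Where-Object { $_.DisplayName -like 'MSFT Windows 10*Computer' } |
    Select-Object -First 1
if (-not $computerGpo) { throw 'No matching GPO backup found; check the name pattern.' }

Import-GPO -BackupId $computerGpo.BackupId -Path $computerGpo.BackupRoot `
           -TargetName $computerGpo.DisplayName -CreateIfNeeded
```

The same Folder value is what you hand to LGPO.exe /g on a machine that is not domain-joined, which is what the Local_Script tools do for you; the map simply tells you which {GUID} folder is which baseline before you commit to applying it.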


Comments (38)

  1. Thanks guys, however this is a ZIP file and not a CAB file – Can’t import the baseline into SCM 4.0
    Can you guys assist?
    Cheers,
    Ray

    [Aaron Margosis] Per the blog post:

    The .CAB files corresponding to these baselines for the Security Compliance Manager (SCM) are being worked on and should be available for download through SCM by the end of October. In the meantime, the downloadable materials on this blog post should provide most everything you need to move forward.

    Also see the new pre-release version of Policy Analyzer.

  2. Robin Oonk says:

    Heads up when adding SecGuide.admx to the Central Store for Group Policy Administrative Templates in Active Directory. If PtH.admx is already present in this store (v1511 and earlier), you will see, and be able to manage, the pass-the-hash mitigations in two different places in your Group Policy editor:
    After adding SecGuide.admx it becomes available under
    “Computer Configuration\Policies\Administrative Templates\MS Security Guide”
    and it was already (via PtH.admx) available under
    “Computer Configuration\Policies\Administrative Templates\SCM: Pass the Hash Mitigations”.
    Removing PtH.admx from the store will resolve this; the settings previously made will not be lost.

    [Aaron Margosis] Ah, yes, good catch. We renamed and retitled the file, so when you install SecGuide.admx/adml you should remove PtH.admx/adml. We should probably incorporate that into the script.
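
An added example of the step discussed in this comment, written for this page rather than taken from the baseline package or its scripts: copy SecGuide.admx and its .adml into the domain's central store, then remove the superseded PtH.admx/.adml so the same policies are not listed twice. The source folder C:\Baselines\Win10-RS1\Templates is an assumption about where the extracted zip keeps its templates; the central store path is the standard \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions.

```powershell
# Added example (not the package's own script). Assumes the baseline zip was
# extracted to C:\Baselines\Win10-RS1 and that SecGuide.admx and
# <lang>\SecGuide.adml sit in its Templates folder. Run as a user who can
# write to SYSVOL.

function Install-SecGuideTemplate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$TemplateSource,              # folder holding SecGuide.admx and <Language>\SecGuide.adml
        [string]$Domain   = $env:USERDNSDOMAIN,
        [string]$Language = 'en-US'
    )
    $centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path -Path $centralStore)) {
        throw "No central store at $centralStore. Create it, or for a single machine copy the files to $env:SystemRoot\PolicyDefinitions instead."
    }

    $pairs = @(
        @{ Src = Join-Path $TemplateSource 'SecGuide.admx';           Dst = Join-Path $centralStore 'SecGuide.admx' }
        @{ Src = Join-Path $TemplateSource "$Language\SecGuide.adml"; Dst = Join-Path $centralStore "$Language\SecGuide.adml" }
    )
    foreach ($p in $pairs) {
        if (-not (Test-Path -Path $p.Src)) { throw "Missing template file: $($p.Src)" }
        if ($PSCmdlet.ShouldProcess($p.Dst, "Copy $($p.Src)")) {
            Copy-Item -Path $p.Src -Destination $p.Dst -Force
        }
    }

    # PtH.admx was renamed to SecGuide.admx and both describe the same registry
    # policies, so leaving the old file behind shows each setting twice in the editor.
    foreach ($old in "$centralStore\PtH.admx", "$centralStore\$Language\PtH.adml") {
        if (Test-Path -Path $old) {
            if ($PSCmdlet.ShouldProcess($old, 'Remove superseded template')) {
                Remove-Item -Path $old -Force
            }
        }
    }
}

# Preview the file operations first, then apply them.
Install-SecGuideTemplate -TemplateSource 'C:\Baselines\Win10-RS1\Templates' -WhatIf
Install-SecGuideTemplate -TemplateSource 'C:\Baselines\Win10-RS1\Templates'
```

Removing the old template does not change any GPO: ADMX/ADML files only describe how the editor presents a setting, while the configured values live in each GPO's registry.pol, so existing pass-the-hash settings keep applying and simply reappear under the new "MS Security Guide" node.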
  3. Justin says:

    V1607 is technically the “Anniversary Update” (not an edition). Editions are something else for Windows. It is bad when MS employees don’t get the name of their product correct.

    [Aaron Margosis] You’re absolutely correct, of course, and I cannot express the depth of my sadness nor of my disappointment in my catastrophic failure to get this right. All the more because “Anniversary Update” is surely the greatest name our marketing team has ever assigned to a release. I won’t ask for your forgiveness because I don’t deserve it. 🙁
  4. Y’all are running out of time for the “end of October” bit 😀

  5. Jayson Allen says:

    Is there a way, without relaxing the policy, to implement the Windows 10 policy settings and still enable users to elevate (prompting for username and password on the secure desktop)? Currently, we are relaxing “UAC: Behavior of the elevation prompt for standard users” to the setting of “Prompt for credentials on the secure desktop” and then implementing a hack which removes “RunAs” from “CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}”. I cringe just thinking about that!
    Also, if I am a domain admin with 2 accounts (one for standard use and one for DA type needs), what group memberships in AD should that account be added to? Domain Users and Domain Admins only, or just Domain Admins? Technically, you never use this account’s standard token.

    [Aaron Margosis] Running elevated code on a user’s desktop brings substantial risk of unauthorized elevation-of-privilege. It’s preferable to use Fast User Switching or remote administration mechanisms.
  6. Someone says:

    Any news on the SCM CAB you mentioned for the end of October?

    [Aaron Margosis] Oh, did you interpret that as October 2016? 🙂 It is being worked on right this minute – we have to make sure it aligns exactly with the baseline we published. Hopefully out in the next few days.
    1. Xpdite says:

      Guess we continue to wait?

      [Aaron Margosis] They’re still working on it.

      Is there anything you need from the baselines that isn’t included in the download package linked from this blog post?

    2. Inpatient says:

      Any updates on the CAB file? It’s been a few days since you said “Hopefully out in the next few days.” 🙂

    3. Baard Hermansen says:

      Sooo, it’s more than a few days later now 😉
      Any news about the CAB-files?

      [Aaron Margosis] They’re still working on it.

      Is there anything you need from the baselines that isn’t included in the download package linked from this blog post?

    4. Greg Gilbert says:

      How many days is a few? 🙂 I’m working on my baseline for 1607 to get security approval and getting the cab into SCM will be a big help.

      [Aaron Margosis] “A few” has turned out to be more than anticipated. But is there anything you need from the SCM package that you can’t move forward with even more quickly using the materials in the .zip file attached to this blog post? It should have everything you need.
      1. Greg Gilbert says:

        Thanks. I’m using the GPOs from the zip and Policy Analyzer to compare my settings and document our baseline.

  7. Me says:

    Hello,
    Thanks for the good job, it’s great that the security baselines for W2K16 are already available.
    I’ve loaded them into SCM 4 via Import GPO Backup.
    For W2K12 and W10, I cannot find the setting “Interactive logon: number of previous logons to cache”.
    Has it been removed or should I wait for the .CAB files?
    Thanks in advance.
    Best.

    [Aaron Margosis] Our Win8.1/2012R2 baselines still included that setting, but as part of the big reset for Windows 10 (and now Server 2016), we dropped it from the baseline recommendations, as it does not mitigate a contemporary security threat.
    1. Me says:

      Thanks for your answer; I understand the rationale behind the big reset.
      However, I am very surprised that “Interactive logon: Number of previous logons to cache” has been dropped for the reason that it does not mitigate a current threat.
      According to (1), it is still advisable to set Interactive logon: Number of previous logons to cache to 0. If the credentials are cached, there is a risk that an attacker could read them. He could then either find the plain text password or use PtH attacks.
      (1) https://technet.microsoft.com/en-us/itpro/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available

      [Aaron Margosis] The credentials aren’t cached. It’s a credential verifier. You can think of it as a hash of a hash of a hash of the password (although that’s not exactly accurate). Bottom line is that you can’t take that value and use it to authenticate. The only viable attack is a computationally-expensive brute force password-guessing attack, after extracting the value.
      1. Me says:

        In fact, the setting “Interactive logon: number of previous logons to cache” was not available in SCM because I did an import of an exported GPO (the CAB was not available at that time). It is stated in the SCM release notes that this process will not result in the same information and structure. Indeed with the SCM Cab file, the settings are far more comprehensive and this specific setting can now be configured.
        I hope this information will be of some help.

        [Aaron Margosis] GPO backups contain only settings that were configured, so when we dropped the cached-logon setting from the baselines, they won’t be in the GPO backups anymore. All the settings are available in the spreadsheet that is also part of the download package on this blog post.
  8. Nathaniel Bentzinger says:

    > The .CAB files corresponding to these baselines

    There is no cab file in that zip.

    [Aaron Margosis] The zip file linked from this blog post isn’t for SCM. It should contain everything you need, though. It has the security configuration baseline recommendations in the form of a GPO backup that you can import directly into AD GPO, as well as tools/scripts so that you can apply the baseline to the Local Group Policy of a system, and an Excel workbook that lists all the GP-configurable settings on Windows 10 v1607 and Windows Server 2016 and the recommendations for how to configure them. The CAB files (which are being worked on) can be imported into the Security Compliance Manager, but it takes a while to get those done. (Personally, I am not a fan of SCM anymore. It was a good idea but a suboptimal implementation.)
  9. yannara says:

    Still waiting for that .cab 🙂

  10. Nathaniel Bentzinger says:

    Hi,

    The link you provided is not a CAB but a ZIP which doesn’t contain the CAB file we can import as a baseline into SCM.

    [Aaron Margosis] Yes, that is correct. Please see my reply to your previous comment for details about what is in the zip file. But is there anything you need from the SCM package that you can’t move forward with even more quickly using the materials in the .zip file attached to this blog post? It should have everything you need.
  11. laura says:

    Any idea when the CAB file is being released?

    [Aaron Margosis] It just went live. I’m still curious what everyone needs from SCM that the download package doesn’t provide.
    1. Joshua says:

      I and seems like many others just need the .cab file. We already have SCM 4.0. My situation is that my server is not connected to the internet to auto download the baseline. How can I receive/download the cab file by itself?

      [Aaron Margosis] I wish someone would answer the question about what needs SCM satisfies that the (IMO) superior download package doesn’t.

      There’s probably a link where you can download the .cab files directly, but I don’t know what it is. My suggestion is to install SCM on an internet-connected computer (which can even be a throwaway virtual machine) and have it download the .cab files. You should find them in your Documents folder.

      1. Bart Tukker says:

        Hi Aaron,
        In response to your questions as to why so many persist in having the CAB file available, here some possible answers:
        • The ability to download baselines directly from within SCM.
        • Or the fact that it is placed under the Baseline structure instead of the Imported GPO section.
        • Or the ability to export to an SCCM cab after tweaking; it can’t be selected if it is under imported GPO’s in SCM. In my case: these exports can easily be imported in SCCM for Compliance Settings, and saves me time creating the checks, because those are (in previous versions at least) built in to the CAB files as well, but I can’t check that, now.
        • We learned to love SCM.
        • All of the above. 🙂
        Regards,
        Bart

  12. Peter Häcker says:

    Thanks Aaron for providing the Security-Baseline Stuff.
    My wish is, that we are informed pro-actively (TechNet Blog, Newsletter, Twitter, etc.) if something will change (e.g. in a new version of the OS).

    Kind regards, Peter

    [Aaron Margosis] Things are changing all the time! If you mean in the baselines, I’d follow/subscribe to this blog.
  13. Craig says:

    I am new to this program. My predecessor was using it to import our GPOs and export the content in order to import into SCCM for continuous monitoring. I have taken over as we are switching to Win10.

    When I try and associate our GPOs with Win10 (1511 or 1607) it says there are “0 unique settings…” I have tried both SCM 3.0 and 4.0.

    Googling led me to some “workaround” which edits a stored procedure. This does not seem right. Is this a known issue? Is there a fix?

    Thank you

    [Aaron Margosis] SCM has design bugs and hasn’t been significantly maintained in about four years, and the baselines delivered since then cause those bugs to be noticeable. This is one of them. Looking into improvements for the future.
  14. Yangnome says:

    My organization requires settings from the 1607 SecGuide.admx that are not available in the PtH.admx, yet our baselines are configured on 1511. Would applying SecGuide.admx to a 1511 system have adverse effects?

    [Aaron Margosis] The settings should be the same in PtH.admx and in SecGuide.admx; the latter is just a renaming/relocating so that we can use it for custom settings other than PtH-related in the future if we need to. SecGuide.admx should work fine.
  15. KC says:

    Any chance this baseline meets NISPOM compliance?

    [Aaron Margosis] Is that different from the STIG?
  16. nodorina says:

    Hi, when will Microsoft release the Windows Server 2016 Security Guide?

    Not included with the SCM package; see this instead:
    https://info.microsoft.com/TheUltimateGuideToWindowsServer2016.html
  17. nodorina says:

    Hi, When will Microsoft release the Windows Server 2016 Member Server & Domain Controller Security Guide?

    Not included with the SCM package; see this instead:
    https://info.microsoft.com/TheUltimateGuideToWindowsServer2016.html
  18. Mark Thomas says:

    How do these baselines compare to the CIS ones? https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=windows10.111

    [Aaron Margosis] Our baselines and the Center for Internet Security’s “Level 1” baselines are very similar. We collaborate closely with CIS, and strive to keep our baselines and their “Level 1” benchmarks in alignment.
  19. Caratacus says:

    When using LGPO, the machines are obviously NOT domain-joined. How do we resolve the ‘Deny access to this computer from the network’ and ‘Deny log on through remote desktop services’ policies in ‘Member Server Baseline – Computer’ policy?
    We have resorted to ‘Guest’ for both, as there does not seem to be a ‘Local accounts NOT member of admins’ SID.
    Comments and criticisms welcome.

    [Aaron Margosis] Actually, LGPO is used all the time with domain-joined machines as well. 🙂 The baselines we’ve published are targeted to domain-joined enterprise systems. So (important point here) if you’re configuring a system that is not joined to a domain, then local accounts are all you’ll have. If you want to use the computer remotely using Windows accounts, you can’t block the use of local accounts. So those security settings need to be adjusted.
  20. David Sloane says:

    Is this set of configuration guidelines and options available as PowerShell DSC resources?
    If not, are there guidelines for implementing security baseline configurations with DSC?

  21. Justin Weddington says:

    Are there plans to release baselines for Exchange Server 2016? If so when are they due to be released?

    [Aaron Margosis] No plans for future Exchange baselines.
    1. KK says:

      I have problem to startup Exchange services after apply the baseline. Do you have any advise??

  22. Jeremy Herbison says:

    Heads-up that enabling “User Account Control: Admin Approval Mode for the Built-in Administrator account” and “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode – Prompt for consent on the secure desktop” breaks the OOBE on Windows 10 1703. That took me a lot of trial and error to find!

    [Aaron Margosis] Thanks for the heads-up. How specifically does it break? And is this actually OOBE, or building in MDT?
    1. Jeremy Herbison says:

      Happens after deploying the vanilla install.wim via SCCM, and I would assume any other mode of deployment would also be affected. It’s in the OOBE – happens at some point after language selection. Can’t find any errors in the Panther logs though. Took lots of trial and error to figure out which policy was doing it.

  23. RaFi says:

    “Allow Basic authentication: Disabled” in “Windows Components/Windows Remote Management (WinRM)/WinRM Client” breaks O365 Powershell connectivity 🙁
    see https://drjohnstechtalk.com/blog/2016/09/powershell-winrm-client-error-explained/

    [Aaron Margosis] Confirmed. Per Lee Holmes: “O365 requires basic auth (over SSL) so that it can then authenticate the user over AAD. The ideal fix is for Windows + PowerShell to implement AAD / OAuth as a connection mechanism, but that hasn’t been done.”

    Depending on your requirements, this could be a necessary deviation from the baseline.

    1. RaFi says:

      ACK, Aaron 🙂 My post was a feedback to list of known problems, so others do not have to reinvent the wheel.

  24. John Rea says:

    Is there a new version of this document for Creator’s Update 1703? Thanks!

    [Aaron Margosis] Yes, very soon!
    [Aaron Margosis] “Very soon” == “Now”: https://www.microsoft.com/en-us/download/details.aspx?id=55319
  25. Joonas Tuomisto says:

    The 2016 computer policy seems to cause issues with SCOM, specifically the enforcement of User Rights Assignment -> Generate security audits (though it seems to be enforcing defaults?).

    The Management Servers start alerting: “The Data Access service is unable to audit SDK operations because it cannot generate auditing events in the security event log.”

    Tested with SCOM 2012 R2 and 2016.

    [Aaron Margosis] What does SCOM want to set it to?
    1. Joonas Tuomisto says:

      I believe the SOP configuration for SCOM is that the SDK account is a domain account. I checked secpol.msc on a SCOM Management Server and it appears SCOM automatically adds the SDK account into “Generate security audits”.

      Of course GPO > secpol.msc so this GPO will supersede it.

      In our case, I didn’t want to create a separate GPO for SCOM servers so I solved this by adding a domain group into “Generate security audits” on the baseline GPO and added the SDK users into the group. Too bad there’s no item-level targeting for every setting.

      I don’t know if there’s a better way to fix it, especially in the baseline you provide.
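
An added example for the two User Rights Assignment questions in this thread (comment 19, standalone machines and "Deny access to this computer from the network", and comment 25, SCOM and "Generate security audits"); it is written for this page and is not part of the baseline package. It exports the current local user rights with secedit, resolves the SIDs to names, and rewrites one right. Two facts it relies on: S-1-5-113 is "NT AUTHORITY\Local account" (all local accounts) and S-1-5-114 is "NT AUTHORITY\Local account and member of Administrators group"; there is no well-known SID for local accounts that are not administrators, which is why the baseline can only deny S-1-5-114. The group name CONTOSO\SCOM-SDK is a hypothetical placeholder.

```powershell
# Added example (not from the baseline package). Run elevated. On a machine
# where a domain GPO configures the same right, the GPO wins at the next
# refresh, so there the change belongs in the GPO (as the commenter did).

function Get-LocalUserRight {
    param([Parameter(Mandatory)][string]$Right)   # e.g. SeDenyNetworkLogonRight
    $cfg = Join-Path $env:TEMP 'rights-export.inf'
    # secedit exports the effective local policy as a Unicode .inf; USER_RIGHTS
    # limits it to the [Privilege Rights] section.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg -Encoding Unicode |
        Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Right-hand side is comma separated; SIDs carry a leading '*'.
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Resolve-PrincipalSid {
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -like '*S-1-*') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Entry }
    } else { $Entry }
}

function Set-LocalUserRight {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Right,
        [string[]]$Add    = @(),
        [string[]]$Remove = @()
    )
    $current = @(Get-LocalUserRight -Right $Right)
    $desired = @($current | Where-Object { $Remove -notcontains $_ })
    foreach ($a in $Add) { if ($desired -notcontains $a) { $desired += $a } }

    # Minimal security template: only the one right is rewritten.
    $inf = Join-Path $env:TEMP 'rights-apply.inf'
    $db  = Join-Path $env:TEMP 'rights-apply.sdb'
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]',
        "$Right = $($desired -join ',')"
    ) | Set-Content -Path $inf -Encoding Unicode

    if ($PSCmdlet.ShouldProcess($Right, "Set to: $($desired -join ', ')")) {
        & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    }
    Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
    Get-LocalUserRight -Right $Right | ForEach-Object { Resolve-PrincipalSid $_ }
}

# Comment 19: standalone machine. Show who is denied network logon, then keep
# Guests denied but stop denying local administrators (S-1-5-114), which is
# the only way remote administration with local accounts can work off-domain.
Get-LocalUserRight -Right SeDenyNetworkLogonRight | ForEach-Object { Resolve-PrincipalSid $_ }
Set-LocalUserRight -Right SeDenyNetworkLogonRight -Remove '*S-1-5-114'

# Comment 25: SCOM management server. Grant "Generate security audits" to the
# group holding the SDK service account (hypothetical group name).
Set-LocalUserRight -Right SeAuditPrivilege -Add 'CONTOSO\SCOM-SDK'
```

Use -WhatIf on Set-LocalUserRight to see the resulting list before secedit writes it. If you later find the right back at its baseline value, a GPO is re-applying it; gpresult /h report.html shows which one.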
