Security baseline for Windows 10 “April 2018 Update” (v1803) – FINAL


Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 “April 2018 Update,” also known as version 1803, “Redstone 4,” or RS4.

Download the content here: Windows-10-RS4-Security-Baseline-FINAL

The downloadable attachment to this blog post (which will be incorporated into the Security Compliance Toolkit shortly) includes importable GPOs, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, all the recommended settings in spreadsheet form and as a Policy Analyzer file (MSFT-Win10-v1803-RS4-FINAL.PolicyRules), and a Policy Analyzer-generated spreadsheet showing the differences from the RS3/v1709 baseline.

The only change from the draft version of this baseline is that after discussion we have removed the recommendation to configure the “Microsoft network server: Amount of idle time required before suspending session” security option. Enforcing that setting does not mitigate a contemporary security threat.

The differences between this baseline package and that for Windows 10 v1709 (a.k.a. “Fall Creators Update,” “Redstone 3,” or RS3) include:

  • Two scripts to apply settings to local policy: one for domain-joined systems and a separate one that removes the prohibitions on remote access for local accounts, which is particularly helpful for non-domain-joined systems, and for remote administration using LAPS-managed accounts.
  • Increased alignment with the Advanced Auditing recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document (also reflected here).
  • Updated Windows Defender Exploit Guard Exploit Protection settings (separate EP.xml file).
  • New Windows Defender Exploit Guard Attack Surface Reduction (ASR) mitigations.
  • Removed numerous settings that we determined no longer provide mitigations against contemporary security threats. The GPO differences are listed in the “Delta RS3 to RS4 baseline.xlsx” spreadsheet in the package’s Documentation folder. (Since the draft release of the RS4 baseline, we removed one more setting: “Microsoft network server: Amount of idle time required before suspending session.”)

After the draft baseline was released, Windows added another GPO setting that we considered adding to the baseline but ultimately decided not to configure at this time. The GPO path is Computer Configuration\Administrative Templates\System\Credentials Delegation\Encryption Oracle Remediation. You can read information about the setting here and here. (Note that the term “Oracle” here refers to a cryptographic concept and not to anything having to do with Oracle Corporation or its products.) While we recommend patching systems and incorporating this setting as soon as possible, we opted not to include it in the baseline for broad use in the short term because, if all servers and clients aren’t patched in a timely fashion, the setting will block remote desktop connections. We anticipate incorporating this setting in the next baseline that we publish.
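Before deciding whether to deploy that setting, it helps to know what a given machine is currently enforcing. The following PowerShell snippet is an added example (not part of the baseline package) that reads the policy value the Encryption Oracle Remediation GPO writes and reports the effective CredSSP mode; it assumes the standard policy registry location for that setting.

```powershell
# Added example: report the effective Encryption Oracle Remediation (CredSSP) mode
# on the local machine. Assumes the policy-managed registry location that the
# "Encryption Oracle Remediation" GPO setting writes to.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# Meaning of the DWORD the GPO writes (0 is the most restrictive).
$Modes = @{
    0 = 'Force Updated Clients - insecure CredSSP refused in both directions; unpatched peers cannot connect'
    1 = 'Mitigated - client apps will not fall back to insecure CredSSP; services still accept unpatched clients'
    2 = 'Vulnerable - fallback to insecure CredSSP allowed (credentials exposed to an on-path attacker)'
}

function Get-EncryptionOracleRemediation {
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Not configured via policy: a patched OS behaves as "Mitigated" by default.
        return [pscustomobject]@{
            Configured = $false
            Value      = $null
            Mode       = 'Not Configured (patched default behaves as Mitigated)'
        }
    }
    [pscustomobject]@{
        Configured = $true
        Value      = [int]$item.$ValueName
        Mode       = $Modes[[int]$item.$ValueName]
    }
}

$state = Get-EncryptionOracleRemediation
$state | Format-List

# Flag the case the post warns about: "Force Updated Clients" blocks remote desktop
# sessions with any host that has not yet received the CredSSP update.
if ($state.Configured -and $state.Value -eq 0) {
    Write-Warning 'Mode 0 is set: RDP connections involving unpatched hosts will fail until they are updated.'
}
```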

When we published the draft baseline for RS4, we requested feedback about replacing the firewall’s logging facility with Advanced Auditing, such as by auditing failure events for Filtering Platform Connection. At this time, we’re going to keep the baseline as it is rather than introduce more changes. But remember that the baseline is just that: a starting point. If monitoring security events works better for you than monitoring firewall logs, do so. Or if you want to use both, do so.
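For anyone who wants to try the Advanced Auditing alternative on a single machine, the following PowerShell is an added example (not part of the baseline package): it enables failure auditing for the Filtering Platform Connection subcategory and then summarises the resulting blocked-connection events (Security event ID 5157) by application and destination port. It assumes an elevated prompt and the standard field names of that event.

```powershell
# Added example: audit blocked connections via Advanced Auditing instead of the
# firewall log. Event ID 5157 = "The Windows Filtering Platform has blocked a connection".
# Run from an elevated prompt.

# 1. Turn on failure auditing for the "Filtering Platform Connection" subcategory.
auditpol.exe /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 2. Collect 5157 events from the last N hours and pull the fields of interest
#    out of the event XML (Application, Direction, DestAddress, DestPort, Protocol).
function Get-BlockedConnections {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 5157; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Direction is stored as a resource string id: %%14592 = Inbound, %%14593 = Outbound.
        $direction = switch ($data['Direction']) {
            '%%14592' { 'Inbound' }
            '%%14593' { 'Outbound' }
            default   { 'Unknown' }
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $data['Application']
            Direction   = $direction
            DestAddress = $data['DestAddress']
            DestPort    = [int]$data['DestPort']
            Protocol    = [int]$data['Protocol']   # 6 = TCP, 17 = UDP
        }
    }
}

# 3. Summarise: which programs are being blocked, and towards which ports.
Get-BlockedConnections -Hours 1 |
    Group-Object Application, DestPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The same 5157 events are what a SIEM would collect if you choose security events over firewall logs, so the grouping above is a quick way to see whether the audit volume is manageable before rolling the setting out more widely.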

Windows 10 v1803 (RS4) has greatly expanded its manageability using Mobile Device Management (MDM). However, our mapping from the baseline’s GPO settings to MDM is not ready to publish at this time. We will publish the baseline in MDM form as soon as it is ready.


Comments (7)

  1. Aaron, is there an expected release date for the actual ADML/X files?

  2. nbuuck says:

    Thank you for continuing to publish these baselines. I find them very valuable.

  3. Susann S says:

    Hi Aaron,
    I’m always wondering why the “Debug Programs” right isn’t set to “no one”? (I know it can be circumvented easily, but it would avoid the very easy access 😉 )

    Susann

    [Aaron Margosis] Basically because it doesn’t stop badness but does interfere with legitimate administrative tasks. For an illustration, see Unintended Consequences of Security Lockdowns. The “Debug programs” topic begins at 9:07 in the recording.
    1. Susann S says:

      Thanks for the demo

  4. Kalin Tashev says:

    Hi Aaron, thanks a lot for the baselines!
    I think there is something wrong with the LGPO file in the ZIP file.
    It fails to run on Windows 10 1803 64-bit and it states that it’s incompatible.

    Regards,
    Kalin

    [Aaron Margosis] Did you remove the 32-bit support from your Windows install? LGPO.exe is a 32-bit executable but it runs perfectly fine on Win10 v1803.
    1. Kalin Tashev says:

      Hi Aaron,

      I haven’t removed 32 bit support.

      LGPO.txt (renamed to LGPO.exe after extracting from the ZIP) within Windows-10-RS4-Security-Baseline-FINAL.zip has size of 1 KB and hash 7390BD63BDD7B165021F4EA49AD2A3F45BD5A138AA58B9E03A4837896104EEC1 .

      LGPO.exe from https://www.microsoft.com/en-us/download/details.aspx?id=55319 has size of 401 KB and hash F218DB26D05C80D105DC779BA4E99C72F37FFC9F78D70D359BBE230713B765B4 .

      It might be something on my PC that corrupts the downloaded file, but this is the first time I have encountered such an issue, and it’s fine when I download it from the official download page.

      Best regards,
      Kalin

  5. Oftkilted says:

    @Aaron – the Excel spreadsheet from the document in the ‘Security Baseline FINAL’ “Windows 10 RS4 Security Baseline.xlsx “Computer” tab Line 773 referencing the “Windows Components\BitLocker Drive Encryption Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) Enabled: XTA-AES-256 for operating system drives and fixed drives and AES-CBC-256 for removable drives”

    I believe that it may be a typo and should be XTS-AES-256

    [Aaron Margosis] Thanks – we’ll have it fixed beginning with the v1809 spreadsheet, coming soon.