Security baseline for Windows 10 – DRAFT

[Removing the attachment from this post. Please see updated baseline content for Windows 10 v1507 (TH1) and Windows 10 v1511 (TH2).] Microsoft is pleased to announce the beta release of the security baseline settings for Windows 10 along with updated baseline settings for Internet Explorer 11. With this release we have taken a different approach from…


What's New in Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11

The attachment on this post describes what's new in the security baseline recommendations for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11, relative to the baselines published for Windows 8, Windows Server 2012 and Internet Explorer 10. It is included as a Word document in the download from yesterday's announcement blog post. We are posting the document here…


Configuring Account Lockout

We can recommend an ideal configuration for most of the settings in our security guidance. For example, the “Debug programs” privilege should be granted to Administrators and to no one else. For account lockout, however, there is no “one size fits all” setting, but there’s a lot of heated discussion whenever anyone tries to pick…


Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 – FINAL

Microsoft is pleased to announce the final release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11. Some of the highlights of the new security baselines (many of which we intend to backport to older versions of Windows and IE): Use of new and existing settings to help block…


Changes in the Security Guidance for Windows 8.1, Server 2012 R2 and IE11 since the beta

We have made a small number of changes in the baseline security guidance for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 since we released the beta version of our guidance last April. This blog post discusses those changes and the reasons for them. Account Lockout Threshold: we’re changing the incorrect-password threshold that…


Why We’re Not Recommending “FIPS Mode” Anymore

[Note added 3 Oct 2017 to clarify an occasional misinterpretation: at no point does this blog post recommend against using FIPS mode. As stated near the end of the post, “we’re not telling customers to turn it off – our recommendation is that it’s each customer’s decision to make.”] In the latest review of the official Microsoft…


Security Compliance Manager 3.0 now available for download!

Secure your environment with SCM 3.0! The Security Compliance Manager (SCM) is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage the computers in your environment and your private cloud using Group Policy and Microsoft® System Center Configuration Manager. This version of SCM supports Windows Server 2012,…


Security Compliance Manager (SCM) version 2.5 now available

You’ve been asking for Exchange Server baselines. You’ve been waiting for the Windows 7 SP1 baseline update. They are all available now in SCM v2.5! SCM 2.5 includes a number of new and updated baselines, empowering you to manage configuration drift, address compliance requirements, and reduce security threats in your organization’s IT environment, traditional data…


SCM v2 Beta: What happened to the EC + SSLF?

I can feel this becoming a FAQ, so I wanted to blog on this early in the Beta. 🙂 I forgot to mention in my Beta announcement anything about the new ‘severity’ you see on settings, whoops. The text below is a copy and paste from the IE9 Security Guide which hopefully clarifies our reasoning….