From 617ef4a2975bfb78216229b51f11b7b1fe0696cf Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 20 May 2016 15:23:08 -0700 Subject: [PATCH] first draft for review --- windows/keep-secure/security-baselines.md | 70 +++++++++++++++++++ .../windows-10-security-baselines.md | 37 ++++++++++ .../windows-server-security-baselines.md | 56 +++++++++++++++ 3 files changed, 163 insertions(+) create mode 100644 windows/keep-secure/security-baselines.md create mode 100644 windows/keep-secure/windows-10-security-baselines.md create mode 100644 windows/keep-secure/windows-server-security-baselines.md diff --git a/windows/keep-secure/security-baselines.md b/windows/keep-secure/security-baselines.md new file mode 100644 index 0000000000..e8d268ffdb --- /dev/null +++ b/windows/keep-secure/security-baselines.md 
@@ -0,0 +1,70 @@ +--- +title: Use security baselines in your organization (Windows 10) +description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure. +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Use security baselines in your organization + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview +- Windows Server 2012 R2 + +Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Office. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server is designed to be secure out-of-the-box, a large number of organizations still want a higher level of security. Therefore, organizations need guidance on how to best use the security features. + +Microsoft security baselines give organizations the security guidance they need to protect their devices and apps. + + + +## What are security baselines? + +Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. 
+ +A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft product groups, partners, and +customers. + +## Why are security baselines needed? + +The expert knowledge that Microsoft, partners, and other customers bring together in a security baseline is an essential benefit to customers. + +For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 3,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be. + +In modern organizations, the security threat landscape is constantly evolving and you must keep current with security threats and changes to Windows security settings to help mitigate these threats. + +To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups and DCM packs. + + ## How can you use security baselines? + + You can use security baselines to: + + - Ensure that user and device configuration settings are compliant with the baseline. + - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. + + + ## Where can I get the security baselines? 
+ + Here's a list of security baselines that are currently available: + + - [Windows 10, version 1511 security baseline](windows-10-version-1511-security-baseline.md) + - [Windows 10, version 1507 security baseline](windows-10-version-1507-security-baseline.md) + - [Windows Server 2012 R2 security baseline](windows-server-2012-r2-security-baseline.md) + diff --git a/windows/keep-secure/windows-10-security-baselines.md b/windows/keep-secure/windows-10-security-baselines.md new file mode 100644 index 0000000000..b98d77b385 --- /dev/null +++ b/windows/keep-secure/windows-10-security-baselines.md 
@@ -0,0 +1,37 @@ +--- +title: Windows 10 security baselines (Windows 10) +description: Use this topic to learn about updates to the Windows 10 security baselines and where to download it from. +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Windows 10 security baselines + +**Applies to** +- Windows 10 + +Use the sections in this topic to learn and what has changed in the Windows 10 security baselines as well as a link to download them. + +## Windows 10, Version 1511 security baseline + +The Windows 10, Version 1507 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799381). + +Here's a list of updates that were made to this version: + +- Added the **Turn off Microsoft consumer experiences** setting. + +## Windows 10, Version 1507 security baseline + +The Windows 10, Version 1507 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799380). + +Here's a list of updates that were made to this version: + +- Removed configuration of **Allow unicast response** from the domain, private, and public Windows Firewall profiles. If you do not allow unicast responses, DHCP address acquisition will not work. +- Removed the restrictions on the number of cached logons. +- Removed the screen saver timeout from the user configuration because **Interactive logon: Machine inactivity limit** is configured at the device level. +- Removed Enhanced Mitigation Experience Toolkit settings. +- Removed the **Recovery console: Allow automatic administrative logon** setting. + diff --git a/windows/keep-secure/windows-server-security-baselines.md b/windows/keep-secure/windows-server-security-baselines.md new file mode 100644 index 0000000000..ae6b5e01c8 --- /dev/null +++ b/windows/keep-secure/windows-server-security-baselines.md 
@@ -0,0 +1,56 @@ +--- +title: Windows Server security baselines (Windows 10) +description: Use this topic to learn about updates to the Windows Server security baselines and where to download them. +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Windows Server security baselines + +**Applies to** +- Windows Server 2012 R2 + +Use the sections in this topic to learn and what has changed in the Windows Server security baselines as well as a link to download them. + +## Windows Server 2012 R2 security baseline + +The Windows Server 2012 R2 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799382). + +> **Note:** For Windows Server 2012 R2, we do not recommend applying this baseline to servers that are running the following server roles: +- Hyper-V +- Active Directory Certificate Services +- DHCP +- DNS +- File Services +- Network Policy and Access +- Print Server +- Remote Access Services +- Remote Desktop Services +- Web Server + +Here's a list of updates that were made to this version: + +- Added the **Prevent enabling lock screen camera** setting. +- Added the **Prevent enabling lock screen slide show** setting. +- Added the **Include command line in process creation events** setting. +- Added the **Do not display network selection UI** setting. +- Added the **Allow Microsoft accounts to be optional** setting. +- Added the **Sign-in last interactive user automatically after a system-initiated restart** setting. +- Added the **Deny access to this computer from the network** setting. +- Added the **Deny log on through Remote Desktop Services** setting. +- Added the **Lsass.exe audit mode** (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe!AuditLevel) setting. +- Added the **Enable LSA Protection** (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL) setting. 
+- Added the **Turn off toast notifications on the lock screen** setting. + +Additionally, you can change the following settings to help mitigate Pass-the-hash attacks: + +- Configure the **Apply UAC restrictions to local accounts on network logons** setting to 0. +- Add **Local account** to the **Deny access to this computer from the network** security policy setting. +- Add **Local account** to the **Deny log on through Remote Desktop Services** security policy setting. +- Add **Enterprise Admins** and **Domain Admins** to the **Deny log on as a batch job** security policy setting on all devices except for domain controllers and privileged access workstations. +- Add **Enterprise Admins** and **Domain Admins** to the **Deny log on as a service** security policy setting on all devices except for domain controllers and privileged access workstations. +- Add **Enterprise Admins** and **Domain Admins** to the **Deny log on locally** security policy setting on all devices except for domain controllers and privileged access workstations. +- Disable the **WDigest Authentication** setting.
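Review bot: In windows/keep-secure/security-baselines.md, the list under "Where can I get the security baselines?" links to windows-10-version-1511-security-baseline.md, windows-10-version-1507-security-baseline.md and windows-server-2012-r2-security-baseline.md, none of which this patch creates. The files added here are windows-10-security-baselines.md and windows-server-security-baselines.md, so the links should point at those, with section anchors if per-version targets are wanted. In "Why are security baselines needed?", "over 3,000 Group Policy settings" plus "over 1,800 Internet Explorer 11 settings" does not give "Of those 3,800 settings"; the figures need reconciling. Smaller points: "dedicated to provide" should be "dedicated to providing", "Windows and Windows Server is designed" needs "are", "DCM packs" is never expanded, and the last two headings and their lists carry a leading space that the earlier sections do not.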
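Review bot: In windows/keep-secure/windows-10-security-baselines.md, the paragraph under "## Windows 10, Version 1511 security baseline" reads "The Windows 10, Version 1507 security baseline is available on the ..." with LinkID=799381. It looks copied from the 1507 section and should name Version 1511, and both download links should be checked against the version heading they sit under so that readers do not import the wrong baseline. The intro sentence "Use the sections in this topic to learn and what has changed ... as well as a link to download them" is ungrammatical, and the description's "where to download it from" should agree with the plural "baselines".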
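Review bot: In windows/keep-secure/windows-server-security-baselines.md, the Pass-the-hash list says "Configure the **Apply UAC restrictions to local accounts on network logons** setting to 0", but a policy referred to by its display name is set to Enabled or Disabled, so "0" does not tell the reader which state applies the restriction. State the intended policy state, or give the registry value the 0 belongs to, the way the LSASS entries above give their HKLM paths. The same list ends with "Disable the **WDigest Authentication** setting" and would benefit from the same precision, since a wrong reading of either item leaves the mitigation off. Separately, the server-role list after "> **Note:**" has no ">" prefix on its items, so it will render outside the note; the front matter has "title: Windows Server security baselines (Windows 10)" and "ms.prod: W10" while "Applies to" lists only Windows Server 2012 R2; and the two registry paths should be in code formatting so the backslashes render literally.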