mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 21:33:38 +00:00
added new file for baslines
This commit is contained in:
Justin Hall
@ -0,0 +1,101 @@
|
||||
---
|
||||
title: Get support
|
||||
description: This article, and the articles it links to, answers frequently asked question on how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization
|
||||
keywords: virtualization, security, malware
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: medium
|
||||
ms.author: sagaudre
|
||||
author: justinha
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 06/25/2018
|
||||
---
|
||||
|
||||
# Get Support
|
||||
|
||||
**What is the Microsoft Security Compliance Manager (SCM)?**
|
||||
|
||||
The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
|
||||
|
||||
More information about this change can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/).
|
||||
|
||||
**Where can I get an older version of a Windows baseline?**
|
||||
|
||||
Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
|
||||
|
||||
- [SCM 4.0 Download](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|
||||
- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
|
||||
- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
|
||||
- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
|
||||
|
||||
**What file formats are supported by the new SCT?**
|
||||
|
||||
The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported.
|
||||
|
||||
**Does SCT support Desired State Configuration (DSC) file format?**
|
||||
|
||||
Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
|
||||
|
||||
**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?**
|
||||
|
||||
No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
|
||||
|
||||
**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?**
|
||||
|
||||
No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support.
|
||||
|
||||
<br />
|
||||
|
||||
## Version Matrix
|
||||
|
||||
**Client Versions**
|
||||
|
||||
| Name | Build | Baseline Release Date | Security Tools |
|
||||
|---|---|---|---|
|
||||
|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <p> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <p>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <p>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <p>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||
Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
|
||||
Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
|
||||
Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
|
||||
| Vista |[6002 (SP2)](https://technet.microsoft.com/library/dd450978.aspx)| January 2007| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
|
||||
| Windows XP |[2600 (SP3)](https://technet.microsoft.com/library/cc163061.aspx)| October 2001| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
|
||||
|
||||
<br />
|
||||
|
||||
**Server Versions**
|
||||
|
||||
| Name | Build | Baseline Release Date | Security Tools |
|
||||
|---|---|---|---|
|
||||
|Windows Server 2016 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||
|Windows Server 2012 R2|[SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
|
||||
|Windows Server 2012|[Technet](https://technet.microsoft.com/library/jj898542.aspx) |2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
|
||||
Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.aspx)|2009 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
|
||||
| Windows Server 2008 |[SP2](https://technet.microsoft.com/library/cc514539.aspx)| 2008 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
|
||||
|Windows Server 2003 R2|[Technet](https://technet.microsoft.com/library/cc163140.aspx)| 2003 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
|
||||
|Windows Server 2003|[Technet](https://technet.microsoft.com/library/cc163140.aspx)|2003|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
|
||||
|
||||
<br />
|
||||
|
||||
**Microsoft Products**
|
||||
|
||||
| Name | Details | Security Tools |
|
||||
|---|---|---|
|
||||
Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
|
||||
|Internet Explorer 10|[Technet](https://technet.microsoft.com/library/jj898540.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
|
||||
|Internet Explorer 9|[Technet](https://technet.microsoft.com/library/hh539027.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|
||||
|Internet Explorer 8|[Technet](https://technet.microsoft.com/library/ee712766.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|
||||
|Exchange Server 2010|[Technet](https://technet.microsoft.com/library/hh913521.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|
||||
|Exchange Server 2007|[Technet](https://technet.microsoft.com/library/hh913520.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|
||||
|Microsoft Office 2010|[Technet](https://technet.microsoft.com/library/gg288965.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|
||||
|Microsoft Office 2007 SP2|[Technet](https://technet.microsoft.com/library/cc500475.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
|
||||
|
||||
<br />
|
||||
|
||||
> [!NOTE]
|
||||
> Browser baselines are built-in to new OS versions starting with Windows 10
|
||||
|
||||
## See also
|
||||
|
||||
[Windows security baselines](windows-security-baselines.md)
|
||||
@ -0,0 +1,72 @@
|
||||
---
|
||||
title: Microsoft Security Compliance Toolkit 1.0
|
||||
description: This article describes how to use the Security Compliance Toolkit in your organization
|
||||
keywords: virtualization, security, malware
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: medium
|
||||
ms.author: sagaudre
|
||||
author: justinha
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 11/26/2018
|
||||
---
|
||||
|
||||
# Microsoft Security Compliance Toolkit 1.0
|
||||
|
||||
## What is the Security Compliance Toolkit (SCT)?
|
||||
|
||||
The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
|
||||
|
||||
The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
|
||||
<p></p>
|
||||
|
||||
The Security Compliance Toolkit consists of:
|
||||
|
||||
- Windows 10 security baselines
|
||||
- Windows 10 Version 1809 (October 2018 Update)
|
||||
- Windows 10 Version 1803 (April 2018 Update)
|
||||
- Windows 10 Version 1709 (Fall Creators Update)
|
||||
- Windows 10 Version 1703 (Creators Update)
|
||||
- Windows 10 Version 1607 (Anniversary Update)
|
||||
- Windows 10 Version 1511 (November Update)
|
||||
- Windows 10 Version 1507
|
||||
|
||||
- Windows Server security baselines
|
||||
- Windows Server 2019
|
||||
- Windows Server 2016
|
||||
- Windows Server 2012 R2
|
||||
|
||||
- Microsoft Office security baseline
|
||||
- Office 2016
|
||||
|
||||
- Tools
|
||||
- Policy Analyzer tool
|
||||
- Local Group Policy Object (LGPO) tool
|
||||
|
||||
|
||||
You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/).
|
||||
|
||||
## What is the Policy Analyzer tool?
|
||||
|
||||
The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
|
||||
- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
|
||||
- Highlight the differences between versions or sets of Group Policies
|
||||
- Compare GPOs against current local policy and local registry settings
|
||||
- Export results to a Microsoft Excel spreadsheet
|
||||
|
||||
Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
|
||||
|
||||
More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
|
||||
|
||||
## What is the Local Group Policy Object (LGPO) tool?
|
||||
|
||||
LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy.
|
||||
Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems.
|
||||
LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files.
|
||||
It can export local policy to a GPO backup.
|
||||
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
|
||||
|
||||
Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
|
||||
@ -0,0 +1,78 @@
|
||||
---
|
||||
title: Why We’re Not Recommending "FIPS Mode" Anymore
|
||||
description: This topic explains why Microsoft changed from recommending FIPS mode be enabled to Not Defined.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: aaronmar
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 03/11/2019
|
||||
---
|
||||
|
||||
# Why We’re Not Recommending “FIPS Mode” Anymore
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
In [the latest review of the official Microsoft security baselines](https://blogs.technet.microsoft.com/b/secguide/archive/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11.aspx) for all versions of Windows client and Windows Server, we decided to remove our earlier recommendation to enable “FIPS mode”, or more precisely, the security option called “System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.”
|
||||
In our previous guidance we had recommended a setting of “Enabled”, primarily to align with US Federal government recommendations.
|
||||
In our updated guidance, the recommendation is “Not Defined”, meaning that we leave the decision to customers.
|
||||
Many people will correctly see this as a significant change, and it deserves explanation.
|
||||
|
||||
The United States Federal Information Processing Standard (FIPS) 140 standard defines cryptographic algorithms approved for use by US Federal government computer systems for the protection of sensitive data.
|
||||
An implementation of an approved cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed National Institute of Standards and Technology (NIST) validation.
|
||||
A particular implementation of an algorithm that has not been submitted cannot be considered FIPS-compliant even if it produces identical data as a validated implementation of the same algorithm. Note that the requirement to use approved and validated algorithms applies only to the protection of sensitive data.
|
||||
Systems and applications are always free to use weak or non-validated cryptographic implementations for non-security purposes, such as in a hash table for indexing and lookup purposes.
|
||||
|
||||
## What FIPS mode does
|
||||
Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms.
|
||||
An example is Schannel, which is the system component that provides SSL and TLS to applications.
|
||||
When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards.
|
||||
Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0.
|
||||
(Note that the same results can be achieved without FIPS mode by configuring Schannel according to [KB 245030](http://support.microsoft.com/kb/245030) and [this blog post](https://blogs.technet.microsoft.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx).)
|
||||
|
||||
Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms.
|
||||
(More on this [later](#why-fips-mode-is-particularly-onerous).)
|
||||
|
||||
A more complete listing of the effects of enabling FIPS mode can be found in [KB 811833](https://blogs.technet.microsoft.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx).
|
||||
|
||||
## What FIPS mode does not do
|
||||
Beyond the effects described above, FIPS mode is merely advisory to applications.
|
||||
Applications that do not check or choose to ignore the registry setting associated with FIPS mode and that are not dependent on the subsystems described earlier will continue to work exactly as they had with FIPS mode disabled.
|
||||
For example, a Win32 application−or third party disk encryption software−written in C++ that uses the very weak and non-FIPS-approved DES encryption algorithm exposed by the CryptoAPI will behave exactly the same whether FIPS mode is enabled.
|
||||
|
||||
Further, FIPS mode does not and cannot ensure that applications even use encryption at all when appropriate.
|
||||
There is nothing Windows can do to prevent an application from saving plaintext passwords or other sensitive data in unprotected files or registry values.
|
||||
The bottom line here is that just because a software product works when FIPS mode is enabled does not mean that it adheres to government standards.
|
||||
|
||||
## Why FIPS mode is particularly onerous
|
||||
Perhaps the biggest problems incurred by enabling FIPS mode involve applications that use the .NET Framework.
|
||||
If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes.
|
||||
The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved.
|
||||
|
||||
For example, the .NET Framework currently provides three implementations of the SHA256 hashing algorithm: SHA256Cng, SHA256CryptoServiceProvider, and SHA256Managed.
|
||||
The first two use “platform invoke” (a.k.a., “p/invoke”) to use Windows’ underlying implementations, which are FIPS-validated.
|
||||
By contrast, SHA256Managed, like all the other crypto classes ending with “Managed”, is implemented strictly in .NET managed code and doesn’t use the underlying platform implementations.
|
||||
Although it is an acceptably strong hashing algorithm for most uses, the Managed implementations have never been submitted to NIST for validation.
|
||||
And so if an application tries to use this class and FIPS mode is enabled, the Framework will raise an exception and not allow the class to be used; this exception will almost always cause the application to fail, if not terminate immediately.
|
||||
|
||||
Compounding the problem is that in most cases the Managed implementations of the various cryptographic algorithms have been available much longer than their Cng and CryptoServiceProvider counterparts, and on top of that, the Managed implementations tend to be significantly faster.
|
||||
|
||||
Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. That blocked use of the Bitlocker Drive Encryption feature that stored a computer’s 48-character recovery password to Active Directory. Using the relatively new standard for password-based key derivation functions, this is no longer a problem with Windows 8.1 and Windows Server 2012 R2, but it remains a problem for older versions of Windows.
|
||||
|
||||
Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards.
|
||||
|
||||
## Is Microsoft contradicting government regulations?
|
||||
Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows.
|
||||
Our updated recommendations do not contradict or conflict with government guidance: we’re not telling customers to turn it off−our recommendation is that it’s each customer’s decision to make.
|
||||
Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode.
|
||||
|
||||
References:
|
||||
- [FIPS 140 Evaluation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation)
|
||||
- ["System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows](https://support.microsoft.com/help/811833/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashi)
|
||||
@ -0,0 +1,80 @@
|
||||
---
|
||||
title: Windows security baselines
|
||||
description: This article, and the articles it links to, describe how to use Windows security baselines in your organization
|
||||
keywords: virtualization, security, malware
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: medium
|
||||
ms.author: sagaudre
|
||||
author: justinha
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 06/25/2018
|
||||
---
|
||||
|
||||
# Windows security baselines
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Office 2016
|
||||
|
||||
## Using security baselines in your organization
|
||||
|
||||
Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.
|
||||
|
||||
Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.
|
||||
|
||||
We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.
|
||||
|
||||
Here is a good blog about [Sticking with Well-Known and Proven Solutions](https://blogs.technet.microsoft.com/fdcc/2010/10/06/sticking-with-well-known-and-proven-solutions/).
|
||||
|
||||
## What are security baselines?
|
||||
|
||||
Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
|
||||
|
||||
A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
|
||||
|
||||
## Why are security baselines needed?
|
||||
|
||||
Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers.
|
||||
|
||||
For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting.
|
||||
|
||||
In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects backups.
|
||||
|
||||
## How can you use security baselines?
|
||||
|
||||
You can use security baselines to:
|
||||
- Ensure that user and device configuration settings are compliant with the baseline.
|
||||
- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
|
||||
|
||||
## Where can I get the security baselines?
|
||||
|
||||
You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines.
|
||||
|
||||
The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines.
|
||||
|
||||
[](security-compliance-toolkit-10.md)
|
||||
[](get-support-for-security-baselines.md)
|
||||
|
||||
## Community
|
||||
|
||||
[](https://blogs.technet.microsoft.com/secguide/)
|
||||
|
||||
## Related Videos
|
||||
|
||||
You may also be interested in this msdn channel 9 video:
|
||||
- [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO)
|
||||
|
||||
## See Also
|
||||
|
||||
- [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
|
||||
- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite)
|
||||
- [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/)
|
||||
- [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/)
|
||||
- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
|
||||
- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)
|
||||
Reference in New Issue
Block a user