deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

tech review feedback

Browse Source
This commit is contained in:
Brian Lich
2016-06-10 11:03:32 -07:00
parent db46837fcf
commit b93bdff813
3 changed files with 4 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
windows/keep-secure/windows-10-security-baselines.md
View File

@ -1,40 +0,0 @@
---
title: Windows 10 security baselines (Windows 10)
description: Use this topic to learn about updates to the Windows 10 security baselines and where to download it from.
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Windows 10 security baselines
**Applies to**
- Windows 10
Use the sections in this topic to learn and what has changed in the Windows 10 security baselines as well as a link to download them.
## Windows 10, Version 1511 security baseline
The Windows 10, Version 1507 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799381).
Here's a list of updates that were made to this version:
- Added the **Turn off Microsoft consumer experiences** setting.
## Windows 10, Version 1507 security baseline
The Windows 10, Version 1507 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799380).
Here's a list of updates that were made to this version:
- Removed configuration of **Allow unicast response** from the domain, private, and public Windows Firewall profiles. If you do not allow unicast responses, DHCP address acquisition will not work.
- Removed the restrictions on the number of cached logons.
- Removed the screen saver timeout from the user configuration because **Interactive logon: Machine inactivity limit** is configured at the device level.
- Removed Enhanced Mitigation Experience Toolkit settings.
- Removed the **Recovery console: Allow automatic administrative logon** setting.
## Related topics
- [Use security baselines in your organization](security-baselines.md)

5
windows/keep-secure/windows-security-baselines.md
View File

@ -10,7 +10,7 @@ author: brianlic-msft
# Windows security baselines
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number fo controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Mirosoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
@ -43,6 +43,8 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
Here's a list of security baselines that are currently available.
If you want to know what has changed with each security baseline, or if you want to stay up-to-date on whats happening with them, check out the Microsoft Security Guidance blog.
### Windows 10 security baselines
- [Windows 10, Version 1511 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799381)
@ -51,3 +53,4 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
### Windows Server security baselines
- [Windows Server 2012 R2 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799382)

50
windows/keep-secure/windows-server-security-baselines.md
View File

@ -1,50 +0,0 @@
---
title: Windows Server security baselines (Windows 10)
description: Use this topic to learn about updates to the Windows Server security baselines and where to download them.
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Windows Server security baselines
**Applies to**
- Windows Server 2012 R2
Use the sections in this topic to learn and what has changed in the Windows Server security baselines as well as a link to download them.
## Windows Server 2012 R2 security baseline
The Windows Server 2012 R2 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799382).
> **Note:** For Windows Server 2012 R2, we do not recommend applying this baseline to servers that are running the following server roles, such as Hyper-V, Active Directory Certificate Services, DHCP, DNS, File Services, Network Policy and Access, Print Server, Remote Access Services, Remote Desktop Services, and Web Server.
Here's a list of updates that were made to this version:
- Added the **Prevent enabling lock screen camera** setting.
- Added the **Prevent enabling lock screen slide show** setting.
- Added the **Include command line in process creation events** setting.
- Added the **Do not display network selection UI** setting.
- Added the **Allow Microsoft accounts to be optional** setting.
- Added the **Sign-in last interactive user automatically after a system-initiated restart** setting.
- Added the **Deny access to this computer from the network** setting.
- Added the **Deny log on through Remote Desktop Services** setting.
- Added the **Lsass.exe audit mode** (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe!AuditLevel) setting.
- Added the **Enable LSA Protection** (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL) setting.
- Added the **Turn off toast notifications on the lock screen** setting.
Additionally, you can change the following settings to help mitigate Pass-the-hash attacks:
- Configure the **Apply UAC restrictions to local accounts on network logons** setting to 0.
- Add **Local account** to the **Deny access to this computer from the network** security policy setting.
- Add **Local account** to the **Deny log on through Remote Desktop Services** security policy setting.
- Add **Enterprise Admins** and **Domain Admins** to the **Deny log on as a batch job** security policy setting on all devices except for domain controllers and privileged access workstations.
- Add **Enterprise Admins** and **Domain Admins** to the **Deny log on as a service** security policy setting on all devices except for domain controllers and privileged access workstations.
- Add **Enterprise Admins** and **Domain Admins** to the **Deny log on locally** security policy setting on all devices except for domain controllers and privileged access workstations.
- Disable the **WDigest Authentication** setting.
## Related topics
- [Use security baselines in your organization](security-baselines.md)