Microsoft is pleased to announce the beta release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11. Some of the highlights of the new security baselines (many of which we intend to backport to older versions of Windows and IE):
Settings are provided as four separate sets of baselines, for the following configurations: Windows 8.1, Windows Server 2012 R2 Domain Controller, Windows Server 2012 R2 Member Server, and Internet Explorer 11.
While we are preparing the content in the format used for inclusion in the Security Compliance Manager (SCM), we are making the baselines available as a download package attached to this blog post. The download includes a Word document describing various aspects of the changes from previous baselines, a spreadsheet listing all the baseline settings and highlighting all the new and updated settings, Group Policy Objects (GPOs), scripts and utilities to import the full complement of settings into local group policy for evaluation and testing, a new custom ADMX to expose some important settings that aren't currently exposed by Windows as Group Policy settings, and WMI filters to ensure that GPOs are applied to appropriate systems.
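The WMI filters mentioned above exist so that each baseline GPO is only applied to the operating system and role it was written for. As an added example (not part of the download package), the WQL queries below are the kind of filter that does that selection, evaluated locally the same way the Group Policy client would; the `$filters` table and `Test-BaselineFilter` function are constructed here, while the `Version` and `ProductType` values are the documented `Win32_OperatingSystem` semantics (IE11 is not an OS-level property and is left out).

```powershell
# Group Policy WMI filters are WQL queries; a GPO is applied only when the query
# returns at least one instance on the target machine. Version 6.3 identifies
# Windows 8.1 / Windows Server 2012 R2; ProductType 1 = workstation,
# 2 = domain controller, 3 = member server (documented Win32_OperatingSystem values).
# The table itself is constructed for this example, not taken from the baseline package.
$filters = [ordered]@{
    'Windows 8.1'                        = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.3%' AND ProductType = 1"
    'Windows Server 2012 R2 Domain Ctrl' = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.3%' AND ProductType = 2"
    'Windows Server 2012 R2 Member Srv'  = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.3%' AND ProductType = 3"
}

# Run each query against the local machine (root\cimv2, the namespace GPO filters
# use by default) and report which baseline would be selected here.
function Test-BaselineFilter {
    foreach ($entry in $filters.GetEnumerator()) {
        $match = Get-CimInstance -Query $entry.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Baseline = $entry.Key
            Applies  = [bool]$match
            Query    = $entry.Value
        }
    }
}

# Exactly one row should show Applies = True on an 8.1 / 2012 R2 machine;
# none will match on other OS versions, which is the intended safety behaviour.
Test-BaselineFilter | Format-Table -AutoSize -Wrap
```

Paste a query from the table into a WMI filter in the Group Policy Management Console and link it to the matching baseline GPO; a machine on which no query matches receives none of the baselines rather than the wrong one.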
Download and extract the attached "Win81-WS2012R2-IE11-Baselines-BETA.zip". It contains the following folders:
We will follow up on this blog with additional announcements and details.
Why are service startup states removed?
[Aaron Margosis] We describe it in the Word doc included in the download:
One change that we recommend for all Windows Server baselines is to create and maintain baselines only for “Domain Controller Security Compliance”, “Domain Security Compliance” and “Member Server Security Compliance”. We recommend not creating (and deleting where they now exist) server role baselines for AD Certificate Services, DHCP, DNS, File Server, Hyper-V, Network Policy and Access, Print Server, Remote Access Services, Remote Desktop Services or Web

The reason for this change is that those baselines contain only configuration for service startup and simply try to enforce the defaults for their respective roles. The problems with these baselines are that 1) they are time-consuming to define and maintain, as service startup defaults may change between OS versions; 2) as one can safely assume that the built-in Server Manager or other configuration tools do their job correctly, the baselines provide almost no security benefit; and 3) they can create serious problems when they get it wrong. For example, in some scenarios, Windows temporarily configures the Windows Installer service (which is normally a Manual start service) to be an Automatic start service so that it can perform actions immediately following a reboot. The security baseline that forces it back to Manual-start thus causes updates not to be correctly installed.

For those reasons, we have also decided to remove all the service startup settings from the Server baselines that include them (e.g., “Windows Server 2012 Domain Controller Security Compliance”). The one exception is the service startup configuration setting for the Application Identity service in Domain Controllers, which is required to support the use of AppLocker (described in the section below, “Blocking the use of Web Browsers on Domain Controllers”).
Is there a .cab file to import into SCM for Windows 8.1?
[Aaron Margosis] That's being worked on, but it's not ready yet.
Are these settings in line with the recommendations given by CIS (http://www.cisecurity.org)?
[Aaron Margosis] Our guidance for Windows 8 / Server 2012 / IE10 aligns with CIS' guidance, as we collaborated closely. We also collaborated with CIS during the development of these new baselines. Although I haven't yet seen what CIS is publishing for 8.1/2012R2/IE11, I've been told they are largely the same.
When will the final version be released?
[Aaron Margosis] Schedule has not been determined. Once it is finalized, we will release another .zip file here. There will probably be a bit of a lag before the content is available in the format that SCM consumes.
Trying to export the IE11 baseline into a .CAB file, and IE 11 doesn't exist in SCM. Is there a way to associate IE 11 with the export tool?
[Aaron Margosis] Not yet. We are still preparing the content in the format that SCM uses.
When I look at my group policy settings, some of the settings listed in the documentation for Windows 8 and Server 2012 don't exist in the policy. How can I get these new policy settings to appear in my group policy management on my domain server?
[Aaron Margosis] You need to install the ADMX policy files for 8.1/2012/IE11:
Any ideas when the SCM CAB file for 2012 R2 will be completed?
[Aaron Margosis] We expect to publish a final update to the beta in the next week or two in the same format that we published the beta. The content that can be consumed by SCM will follow in the next month or two.