Microsoft is pleased to announce the final release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11. Some of the highlights of the new security baselines (many of which we intend to backport to older versions of Windows and IE):
Use of new and existing settings to help block some Pass the Hash attack vectors;
Recommendations to control the storage of plaintext-equivalent passphrases;
Blocking the use of web browsers on domain controllers;
Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines;
Removal of the recommendation to enable "FIPS mode" (this is discussed in greater detail in this blog post: Why We’re Not Recommending “FIPS Mode” Anymore);
Removal of almost all service startup settings, and all server role baselines that contain only service startup settings.
Settings are provided as four separate sets of baselines, for the following configurations: Windows 8.1, Windows Server 2012 R2 Domain Controller, Windows Server 2012 R2 Member Server, and Internet Explorer 11. The attachment to this blog post includes scripts to apply those baselines to a computer’s local policy and GPO backups you can import into Active Directory Group Policy.
There are a few changes between these recommendations and the beta version we released in April. We discuss those changes in more detail in two other blog posts: one about most of the changes, and another detailed post about the issues around account lockout recommendations.
[Update 2 September 2014: updated the guidance with a change to Member Server baseline and "Deny access to this computer from the network" setting. For more info, see Blocking Remote Use of Local Accounts.]
While we are preparing the content in the format used for inclusion in the Security Compliance Manager (SCM), we are making the baselines available as a download package attached to this blog post. The download includes a Word document describing various aspects of the changes from baselines for earlier versions of Windows and IE, a spreadsheet listing all the baseline settings and highlighting all the new and updated settings, Group Policy Objects (GPOs), scripts and utilities to import the full complement of settings into local group policy for evaluation and testing, a new custom ADMX to expose some important settings that aren't currently exposed by Windows as Group Policy settings, and WMI filters to ensure that GPOs are applied to appropriate systems.
Download and extract the attached "Win81-WS2012R2-IE11-Baselines-FINAL.zip". It contains the following folders:
Documentation: "Recommended Security Baseline Settings.docx" is a Word doc that categorizes and describes all the new and updated settings (you should probably start here); this folder also contains "SCM Windows 8.1 and 2012 R2 Settings.xlsx", an Excel spreadsheet that describes the full set of recommended settings.
Administrative Template: an ADMX and (US English) ADML file surfacing some "pass the hash"-relevant settings through the Group Policy editor. (Note: the Local_Script folder contains scripts that install these files to the appropriate location.)
GP Reports: Group Policy reports formatted as HTML files (for those who prefer that format over Excel spreadsheets).
GPOs: Group Policy Object backups for the four separate sets of baselines described earlier. These can be imported into Active Directory Group Policy.
Local_Script: This directory contains three batch files that apply the corresponding baseline to the current machine's local policy: 81_Client_Install.cmd, 2012R2_DomainController_Install.cmd, and 2012R2_MemberServer_Install.cmd. Run them from an elevated prompt, and only on machines you can rebuild or have snapshotted first: as noted in the comments below, some of the settings tattoo, so there is no scripted way to revert the whole set.
WMI Filters: This directory contains .MOF files that you can import into your Group Policy configuration to ensure that GPOs are applied only to the appropriate systems.
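WMI filters work by attaching a WQL query to a GPO; Group Policy applies the GPO only if the query returns at least one object on the computer processing it. Before linking the imported GPOs, it is worth confirming from a target machine which filter matches it. The following is an added example, not part of the Microsoft package and not a copy of its .MOF files: it evaluates three assumed filter queries that select Windows 8.1 and Windows Server 2012 R2 (both report OS version 6.3) by the Win32_OperatingSystem ProductType value (1 = workstation, 2 = domain controller, 3 = server). The queries and the function names are this example's assumptions; the package's .MOF files define the authoritative filters.

```powershell
# Added example, not from the Microsoft baseline package.
# Evaluates WMI-filter style WQL queries on the local machine to show which of
# the OS/role-specific baselines would be selected for it.

# Assumed filter queries; the package's .MOF files are authoritative.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$BaselineFilters = [ordered]@{
    'Windows 8.1'                              = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType = 1'
    'Windows Server 2012 R2 Domain Controller' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType = 2'
    'Windows Server 2012 R2 Member Server'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType = 3'
}

function Test-WmiFilterQuery {
    param([Parameter(Mandatory)][string]$Query)
    # Group Policy treats a filter as passing when the query returns at least one instance.
    $instances = @(Get-CimInstance -Namespace 'root/cimv2' -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

function Get-ApplicableBaseline {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    foreach ($name in $BaselineFilters.Keys) {
        [pscustomobject]@{
            Baseline    = $name
            Applies     = Test-WmiFilterQuery -Query $BaselineFilters[$name]
            OSVersion   = $os.Version
            ProductType = $os.ProductType
        }
    }
}

Get-ApplicableBaseline | Format-Table -AutoSize
```

A machine where no row reports Applies = True (for example a Windows 8 client or a Windows Server 2012 host, which report version 6.2) would not receive a GPO linked with these filters, which is the intended behaviour; a domain controller reports ProductType 2 and should match only the Domain Controller row.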
We will follow up on this blog when the SCM cab files become available.
We would like to acknowledge and express our appreciation to the Center for Internet Security for their collaboration in the development of this guidance.
When can it be downloaded through SCM 3.0?
[Aaron Margosis] We anticipate publishing the .cab files this month. We will of course announce here.
Hi, any chances to get these integrated/passed along to CIS for incorporation into their benchmark tooling? Thank you! :)
[Aaron Margosis] We have been collaborating with CIS on the development of these baselines. I don't know what their current timetables are for their own releases, though.
This is really helpful information and tools. Thanks to everyone involved that produced this.
Awesome stuff... I will definitely cover this at my TechEd NZ Group Policy PtH session in a few weeks.
It's nice to find out that there is a final release of the baseline; however, there is no news on the Microsoft SCM 3.0 update/support... It would have been great if Microsoft had released an updated version of SCM alongside MDT 2013... Guys, please post when the update is available, and also share the GPOPack.wsf file update with Windows 8.1 support and guidelines around using it.
[Aaron Margosis] Should be released before the end of August. We could have held back on release of the materials we did publish, but it made more sense to release them when they were ready rather than hold back.
Finally, the settings for Server 2012 R2 are available for download in SCM.
As there is no "Upgrade" of existing custom configured policies associated with Server 2012 (or any earlier OS), I exported my policy as a GPO and re-imported it, knowing I would lose some settings, as the export and import process renames settings and sometimes uses integers as booleans or vice versa, and then tried to associate it with Server 2012 R2.
"0 unique settings from the GPO's 346 Settings apply to this product."!
Whoa, that's a surprise now. OK. What would happen if I export the 2012 R2 policy, import it back as a GPO and associate it with Server 2012 R2 again?
"0 unique settings from the GPO's 157 Settings apply to this product."
That's even better. Not only can it not find any matches, it loses most of the 421 (see below) settings.
So what happened? Why can't I associate a GPO import with server 2012 R2?
The release notes state:
• If the Microsoft Windows Server 2012 R2 Security Compliance Baseline is exported to a Group Policy object (GPO) from SCM 3.0, the exported GPO cannot be re-imported into SCM 3.0. Importing the exported GPO will not result in the same information and structure as was originally exported.
But it does not say that the association does not work at all anymore.
Will there be a way to associate GPO imports to Server 2012 R2?
Will SCM be fixed to export meta data on GPO exports to allow re-import including comments?
Will SCM be fixed to use the same syntax checks for exports and imports?
Thank you very much for letting us know
Still waiting for SCCM .cab files! :o)
[Aaron Margosis] I assume you mean SCM (Security Compliance Manager) and not SCCM, right? We published those .cab files almost three weeks ago.
I am having an issue with creating a new corporate baseline based on the SCM Server 2012 R2 Member Server baseline. I have made a duplicate of it, making it available under the "Custom Baseline" node. But if I want to add a Server 2012 R2 setting (choosing Product: Server 2012 R2), the settings window is completely empty. If I choose "Server 2012" as the product, I get all the settings available.
Am I missing a point?
>[Aaron Margosis] I assume you mean SCM (Security Compliance Manager) and not SCCM, right? We published those .cab files almost three weeks ago.
Thanks for (not) updating this article then! LOL. Guess you guys are only human like the rest of us... "We will follow up on this blog when the SCM cab files become available." Haha... it's OK, I'm always forgetting stuff myself.
[Aaron Margosis] Umm... we DID update this blog -- my last reply had a link to the post we published announcing it. We didn't say we'd update this specific blog post, but that we'd announce it on the blog, which we did right away.
Unfortunately, even after importing the CAB files, there is still no way to customize our own baselines. No settings show up. http://i.imgur.com/yTIpdki.png
[Aaron Margosis] Known issue. Unfortunately there's nothing I can do about it. The text below is from the Release Notes for the Win8.1 baselines; similar language is in the notes for the other baselines:
If the Microsoft Windows 8.1 Security Compliance Baseline is exported to a Group Policy object (GPO) from SCM 3.0, the exported GPO cannot be re-imported into SCM 3.0. Importing the exported GPO will not result in the same information and structure as was originally exported.
Applied the 2012 R2 Member profile with the local script on a non-domain-joined server. I can't figure out how to re-enable local user Remote Desktop login; are there more settings that affect this besides what's in Local Security Policy, User Rights Assignment: "Deny log on through RDS" and "Allow log on through RDS"? My user is a local admin but can't log in, though. I looked all through the User Rights Assignment entries. Tried creating a new admin user and adding the admin user to RDS Users, no luck. Makes no sense. Testing on 2 different servers: one complains about no Remote Desktop login right and the other complains about being unable to contact the LSAuthority.
[Aaron Margosis] Try removing the Local Account restriction on the "Deny access to this computer from the network" policy.
Yes, that works. Sorry, I was actually testing against the wrong server; too many VMs I have to keep straight. Duh!
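The "Deny access to this computer from the network" restriction mentioned in the September 2014 update note above, and the symptom in the exchange just above (a local administrator unable to log on over Remote Desktop until that restriction was removed), can be checked from the machine itself. The following is an added example, not part of the Microsoft package or of the reply above: it exports the effective user-rights assignment with secedit.exe and reports who holds SeDenyNetworkLogonRight, resolving the two well-known local-account SIDs that Windows 8.1 and Windows Server 2012 R2 provide for this purpose, S-1-5-113 (NT AUTHORITY\Local account) and S-1-5-114 (NT AUTHORITY\Local account and member of Administrators group). The scratch file path and the function names are this example's own choices; run it from an elevated PowerShell prompt on the server in question.

```powershell
# Added example, not from the Microsoft baseline package.
# Lists the principals assigned "Deny access to this computer from the network"
# (SeDenyNetworkLogonRight) on the local machine and flags the local-account SIDs.
# Requires an elevated prompt: secedit.exe needs administrative rights to export.

function Get-DenyNetworkLogonAssignment {
    $inf = Join-Path $env:TEMP 'secpol-user-rights.inf'   # scratch file (this example's choice)

    # Export only the user-rights area of the effective local security policy.
    $null = & secedit.exe /export /cfg $inf /areas USER_RIGHTS
    if (-not (Test-Path $inf)) { throw 'secedit export failed; is this prompt elevated?' }

    # secedit writes UTF-16 text; the line of interest looks like
    #   SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114,*S-1-5-32-546
    $line = Get-Content $inf -Encoding Unicode |
        Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    if (-not $line) { return }   # right not assigned to anyone

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $raw = $entry.Trim()
        if ($raw.StartsWith('*')) {
            # A leading '*' marks a SID; translate it to a name if the machine can.
            $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $raw.Substring(1)
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved)' }
            $sidValue = $sid.Value
        } else {
            $name = $raw; $sidValue = $null    # secedit may also emit plain account names
        }
        [pscustomobject]@{ Sid = $sidValue; Name = $name }
    }
}

function Test-LocalAccountNetworkLogonDenied {
    $sids = @(Get-DenyNetworkLogonAssignment | ForEach-Object Sid)
    [pscustomobject]@{
        AllLocalAccountsDenied = $sids -contains 'S-1-5-113'   # NT AUTHORITY\Local account
        LocalAdminsDenied      = $sids -contains 'S-1-5-114'   # Local account and member of Administrators group
    }
}

Get-DenyNetworkLogonAssignment | Format-Table -AutoSize
Test-LocalAccountNetworkLogonDenied
```

If either flag comes back True on a machine where local accounts must sign in remotely, that is the restriction the reply above suggests removing. The baseline sets it on purpose, to block remote use of local accounts, so remove it only where that trade-off is acceptable rather than as a blanket fix.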
The field really needs updated SCAP solutions/support for SCCM. Government agencies need this sooner vs later.
Why isn't Microsoft supporting the most recent SCAP version requirements yet? Isn't this a priority?
2 questions: is there an easy way to reverse all the changes that are applied from this baseline? Specifically, I'm applying the Windows 2012 R2 Member Server script from the "Local_Script" directory. Also, are there known performance issues when applying this baseline? We run a custom app that uses IIS/Java/web browser and I see a noticeable performance decrease when applying this script to the server. It's going to be hard to find out which settings caused the decrease in performance, if anything.
[Aaron Margosis] No good way to revert the entire thing, as some of the settings tattoo.
No known perf issues that I'm aware of.
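There is no built-in undo for the local scripts, as the reply above says: security-template and registry-based settings written to local policy stay in place (they "tattoo") even after the local GPO that wrote them is gone. The practical alternative is to snapshot the relevant state before running one of the Local_Script batch files, diff afterwards to see exactly which settings changed (which is also how to narrow down a performance change to a setting), and restore the snapshot when done. The following is an added example, not from Microsoft or the baseline package, written for an elevated PowerShell prompt; the snapshot layout, the function names and the choice of what to capture (the secedit template, the advanced audit policy, the two HKLM Policies keys and the local GroupPolicy folder) are this example's own.

```powershell
# Added example, not from the Microsoft baseline package. Snapshot, diff and
# restore the local-policy state that the install scripts modify. Run elevated.

function Save-LocalPolicySnapshot {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # User rights, security options and legacy audit policy, as a security template
    secedit.exe /export /cfg "$Path\secpol.inf" | Out-Null
    # Advanced audit policy subcategories (not part of the secedit template)
    auditpol.exe /backup "/file:$Path\auditpol.csv" | Out-Null
    # Registry-based Administrative Template settings live under these keys
    reg.exe export HKLM\SOFTWARE\Policies "$Path\policies.reg" /y | Out-Null
    reg.exe export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies "$Path\cv-policies.reg" /y | Out-Null
    # The local GPO itself (registry.pol etc.), which would re-apply the values on the next refresh
    robocopy.exe "$env:SystemRoot\System32\GroupPolicy" "$Path\GroupPolicy" /E /NJH /NJS /NFL /NDL | Out-Null
    return $Path
}

# Parse a reg.exe export into a "key|valueName" -> data table.
function Read-RegExport {
    param([Parameter(Mandatory)][string]$File)
    $values = @{}; $key = $null; $current = $null
    foreach ($line in (Get-Content $File -Encoding Unicode)) {
        if ($line -match '^\[(.+)\]$') { $key = $Matches[1]; $current = $null }
        elseif ($line -match '^(?:"(?<n>(?:[^"\\]|\\.)*)"|(?<n>@))=(?<d>.*)$') {
            $current = "$key|$($Matches['n'])"; $values[$current] = $Matches['d']
        }
        elseif ($current -and $line -match '^\s') { $values[$current] += $line.Trim() }  # hex continuation line
    }
    return $values
}

# List registry values and template lines that differ between two snapshots.
function Compare-LocalPolicySnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    foreach ($file in 'policies.reg', 'cv-policies.reg') {
        $old = Read-RegExport "$Before\$file"; $new = Read-RegExport "$After\$file"
        foreach ($k in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
            if     (-not $old.ContainsKey($k)) { $state = 'Added' }
            elseif (-not $new.ContainsKey($k)) { $state = 'Removed' }
            elseif ($old[$k] -ne $new[$k])     { $state = 'Changed' }
            else   { continue }
            $key, $name = $k -split '\|', 2
            [pscustomobject]@{ State = $state; Key = $key; Value = $name; Before = $old[$k]; After = $new[$k] }
        }
    }
    # The security template is plain "name = value" text; report lines present on one side only.
    Compare-Object (Get-Content "$Before\secpol.inf" -Encoding Unicode) (Get-Content "$After\secpol.inf" -Encoding Unicode) |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            [pscustomobject]@{ State = $state; Key = 'secpol.inf'; Value = $_.InputObject; Before = $null; After = $null }
        }
}

# Put the machine back to the "before" snapshot.
function Restore-LocalPolicySnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    # Restore the original local GPO files so the next refresh does not re-apply the baseline.
    robocopy.exe "$Before\GroupPolicy" "$env:SystemRoot\System32\GroupPolicy" /MIR /NJH /NJS /NFL /NDL | Out-Null
    # Re-apply the saved template; secedit requires a scratch database for /configure.
    secedit.exe /configure /db "$env:TEMP\restore.sdb" /cfg "$Before\secpol.inf" /overwrite /quiet | Out-Null
    auditpol.exe /restore "/file:$Before\auditpol.csv" | Out-Null
    # reg import restores changed and removed values but cannot remove values that were
    # only added; those are the tattooed residue, so delete them using the diff first.
    Compare-LocalPolicySnapshot -Before $Before -After $After |
        Where-Object { $_.State -eq 'Added' -and $_.Key -ne 'secpol.inf' } |
        ForEach-Object {
            $name = if ($_.Value -eq '@') { '(default)' } else { $_.Value -replace '\\(.)', '$1' }
            Remove-ItemProperty -Path "Registry::$($_.Key)" -Name $name -ErrorAction SilentlyContinue
        }
    reg.exe import "$Before\policies.reg" | Out-Null
    reg.exe import "$Before\cv-policies.reg" | Out-Null
    gpupdate.exe /force | Out-Null
}

# Usage: snapshot, run the install script, snapshot again, review the diff, then restore.
# $before = Save-LocalPolicySnapshot -Path 'C:\policy-snap\before'
# & .\2012R2_MemberServer_Install.cmd
# $after  = Save-LocalPolicySnapshot -Path 'C:\policy-snap\after'
# Compare-LocalPolicySnapshot -Before $before -After $after | Format-Table -AutoSize
# Restore-LocalPolicySnapshot -Before $before -After $after
```

The diff output is the list to work through when hunting for a setting that changed application behaviour: disable the candidates one at a time rather than reverting the whole machine. Two limits to keep in mind: subkeys that the baseline created are left behind empty (only their values are removed), and anything the install scripts change outside the captured areas, such as per-user policy or settings a reboot materialises elsewhere, is not covered, so a virtual machine checkpoint remains the most complete rollback.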