Security baseline for Windows 10 "April 2018 Update" (v1803) – FINAL

Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 “April 2018 Update,” also known as version 1803, “Redstone 4,” or RS4.

Download the content from the Microsoft Security Compliance Toolkit (click Download and select Windows 10 Version 1803 Security Baseline.zip).

The downloadable attachment to this blog post (which will be incorporated into the Security Compliance Toolkit shortly) includes importable GPOs, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, all the recommended settings in spreadsheet form and as a Policy Analyzer file (MSFT-Win10-v1803-RS4-FINAL.PolicyRules), and a Policy Analyzer-generated spreadsheet showing the differences from the RS3/v1709 baseline.

The only change from the draft version of this baseline is that after discussion we have removed the recommendation to configure the “Microsoft network server: Amount of idle time required before suspending session” security option. Enforcing that setting does not mitigate a contemporary security threat.

The differences between this baseline package and that for Windows 10 v1709 (a.k.a., “Fall Creators Update,” “Redstone 3”, RS3) include:

  • Two scripts to apply settings to local policy: one for domain-joined systems and a separate one that removes the prohibitions on remote access for local accounts, which is particularly helpful for non-domain-joined systems, and for remote administration using LAPS-managed accounts.
  • Increased alignment with the Advanced Auditing recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document (also reflected here).
  • Updated Windows Defender Exploit Guard Exploit Protection settings (separate EP.xml file).
  • New Windows Defender Exploit Guard Attack Surface Reduction (ASR) mitigations.
  • Removed numerous settings that were determined no longer to provide mitigations against contemporary security threats. The GPO differences are listed in the “Delta RS3 to RS4 baseline.xlsx” spreadsheet in the package’s Documentation folder. (Since the draft release of the RS4 baseline, we removed one more setting: “Microsoft network server: Amount of idle time required before suspending session.”)

After the draft baseline was released, Windows added another GPO setting that we considered adding to the baseline but ultimately decided not to configure at this time. The GPO path is Computer Configuration\Administrative Templates\System\Credentials Delegation\Encryption Oracle Remediation. You can read information about the setting here and here. (Note that the term “Oracle” here refers to a cryptographic concept and not to anything having to do with Oracle Corporation or its products.) While we recommend patching systems and incorporating this setting as soon as possible, we opted not to include it in the baseline for broad use in the short term because if all servers and clients aren’t patched in a timely fashion the setting will block remote desktop connections. We anticipate incorporating this setting in the next baseline that we publish.

When we published the draft baseline for RS4, we requested feedback about replacing the firewall’s logging facility with Advanced Auditing, such as by auditing failure events for Filtering Platform Connection. At this time, we’re going to keep the baseline as it is rather than introduce more changes. But remember that the baseline is just that: a starting point. If monitoring security events works better for you than monitoring firewall logs, do so. Or if you want to use both, do so.

Windows 10 v1803 (RS4) has greatly expanded its manageability using Mobile Device Management (MDM). However, our mapping from the baseline’s GPO settings to MDM is not ready to publish at this time. We will publish the baseline in MDM form as soon as it is ready.

Comments

  • Anonymous
    May 01, 2018
    Aaron, is there an expected release date for the actual ADML/X files?[Aaron Margosis] ADMX for v1803: https://www.microsoft.com/en-us/download/details.aspx?id=56880
  • Anonymous
    May 05, 2018
    Thank you for continuing to publish these baselines. I find them very valuable.
  • Anonymous
    May 11, 2018
    Hi Aaron, I'm always wondering, why the "Debug Programs" right isn't set to "no one"? (I know it can be circumvented easily, but it would avoid the very easy access ;-) )Susann[Aaron Margosis] Basically because it doesn't stop badness but does interfere with legitimate administrative tasks. For an illustration, see Unintended Consequences of Security Lockdowns. The "Debug programs" topic begins at 9:07 in the recording.
    • Anonymous
      May 15, 2018
      Thanks for the demo
  • Anonymous
    July 02, 2018
    Hi Aaron, thanks a lot for the baselines! I think there is something wrong with the LGPO file in the ZIP file.It fails to run on Windows 10 1803 64-bit and it states that it's incompatible.Regards,Kalin[Aaron Margosis] Did you remove the 32-bit support from your Windows install? LGPO.exe is a 32-bit executable but it runs perfectly fine on Win10 v1803.
    • Anonymous
      July 03, 2018
      The comment has been removed
  • Anonymous
    September 19, 2018
    The comment has been removed
  • Anonymous
    December 24, 2018
    First, thank you very much for Policy Analyzer LGPO.exe and baselines. Monitoring drift in Windows policy across 7 domains is made easy with Policy Analyzer. I have a more fundamental question about deltas between Win 10 1709 and 1803 and 1809 Group Policy Templates. I have not been successful in finding a report detailing the differences between GPO template releases. One example, at 1803 the Data Collection policy "Disable pre-release features or settings" is no longer available (HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds:EnableConfigFlighting). The spreadsheet included with the baselines does document changes to baseline, but nothing on differences in GPO templates.Thanks,Rick[Aaron Margosis] That is a good point. Our content highlights new and changed items, but doesn't call out policy settings that are no longer present.