Security baseline for Windows 10 - DRAFT

[Removing the attachment from this post. Please see updated baseline content for Windows 10 v1507 (TH1) and Windows 10 v1511 (TH2).]

Microsoft is pleased to announce the beta release of the security baseline settings for Windows 10 along with updated baseline settings for Internet Explorer 11. With this release we have taken a different approach from baselines of the past. Instead of piling on more settings and continuing to grow the size of the baseline, we have reevaluated older settings to determine whether they address contemporary threats, and have removed 44 (so far) that don’t. In many cases, these settings merely enforce defaults that don’t need to be actively enforced through Group Policy. By removing these settings, we allow administrators to focus on real security issues, and allow organizations that choose to enable a technology or feature to be able to do so without having to argue with or receive failing marks from security auditors, or to reverse group policy settings.

Microsoft released the Local Administrator Password Solution (LAPS) earlier this year, and we strongly recommend that enterprises deploy it to workstations and member servers. LAPS is a simple and elegant solution that randomizes local account passwords so that no two computers on your network have a matching local account and password. When computers have identical local account passwords, an attacker who gets administrative rights on one computer can easily take over all other computers on the network via a pass-the-hash attack. LAPS mitigates that threat. The Windows 10 baseline includes policies to enable LAPS. (Note that LAPS requires an Active Directory schema extension. See the links at the end of this article for more information.)

We recommend enabling Credential Guard on systems that can support it. We have put the Credential Guard settings in a separate GPO, however, because backing the settings out on a UEFI computer requires more than just removing the GPO. See the links for more information.

We have also moved the ancient “MSS” settings from Security Options to a custom Administrative Template. The mechanism that had been used to expose the MSS settings in Security Options had become unsupportable. The new custom ADMX and ADML establish the same registry settings, if you choose to configure them, but in a manner that is supportable.

While we are preparing the content in the format used for inclusion in the Security Compliance Manager (SCM), we are making the baselines available as a download package attached to this blog post. The download includes a spreadsheet listing all the baseline settings and highlighting all the new and updated settings, Group Policy Objects (GPOs), scripts and utilities to import the full complement of settings into local group policy for evaluation and testing, custom ADMX files to expose some important settings that aren't currently exposed by Windows as Group Policy settings, and WMI filters to ensure that GPOs are applied to appropriate systems.

Download and extract the attached "Win10-IE11-Baselines-DRAFT.zip". It contains the following folders:

• Documentation: "SCM Windows 10 - 2015-10-08.xlsx" is an Excel spreadsheet that describes the full set of recommended settings. The spreadsheet has multiple tabs.  On each tab there’s a MSFT 8.1 column and an MSFT 10 column.  (On the IE tabs it’s MSFT IE11 and MSFT 10 (IE11 update) .  If the MSFT 10 column is empty, that means that the 8.1/IE11 setting is retained.  If the MSFT 10 column is not empty, that’s the new value for that setting.  In many cases, the new value is “Not configured.”  There’s also some color coding:  yellow indicates a setting that is new and applies only to Windows 10.  Green indicates a custom ADMX..

• Administrative Template: Five ADMX and corresponding US English ADML files to expose additional security-relevant settings through the Group Policy editor. These include the LAPS (AdmPwd) and MSS settings described earlier, the EMET 5.5 beta policy files, a custom policy file to disable Wi-Fi Sense, and the Pass The Hash mitigations policy file we introduced with the Windows 8.1 baseline.

• GP Reports: Group Policy reports formatted as HTML files (for those who prefer that format over Excel spreadsheets).

• GPOs: Group Policy Object backups for the following policies that can be imported into Active Directory Group Policy:

  • SCM Windows 10 - Computer

  • SCM Windows 10 - User

  • SCM Windows 10 - Domain Security

  • SCM Windows 10 - BitLocker

  • SCM Windows 10 - Cred Guard

  • SCM Internet Explorer - Computer

  • SCM Internet Explorer - User

• Local_Script: This directory contains a batch file that applies the Computer, User and IE policies to local group policy.

• WMI Filters: This directory contains .MOF files that you can import into your Group Policy configuration to ensure that GPOs are applied only to the appropriate systems.

We will follow up on this blog when the draft content is updated and when the SCM cab files become available.

[Update - adding in the links I had intended to include]

Local Administrator Password Solution (LAPS):

• Security advisory
• KB article
• Download
• Blog
• Introduction of LAPS during Ignite 2015 session, "Barbarians Inside the Gates: Protecting against Credential Theft and Pass the Hash Today"
  • • Demo of local account abuse that demonstrates the need for LAPS goes from 11:40 to 17:41
    • LAPS description and demo goes from 56:50 to 1:08:18
• Taste of Premier: How to tackle local admin password problems in the enterprise with LAPS
• Taste of Premier: Proactively secure your IT environment from credential theft with POP-SLAM

Credential Guard (Windows 10)

• TechNet article

Comments

• Anonymous
  October 08, 2015
  Very good news, greatly appriciated!
  Keep up the good work :)

• Anonymous
  October 09, 2015
  "Note that LAPS requires an Active Directory schema extension. See the links at the end of this article for more information."
  
  Is there an article link outside of the zip download missing perhaps? [Aaron Margosis] Corrected the blog post - it now has copious links. :)

• Anonymous
  October 11, 2015
  Thanks for providing this draft.
  SCM baselines are a required prerequisite for implementing windows 10 in our company and with a draft we can start the preparations. :)
  
  Any plans when the RTM for W10 SCM guidelines will be available? [Aaron Margosis] No specific date has been established. We don't anticipate many changes to the settings we have published here, though.

• Anonymous
  October 12, 2015
  Thanks for continuing to develop these baselines. Looking forward to the RTM.

• Anonymous
  October 13, 2015
  You mentioned the MSS settings. Do they work on Win7? The STIGs still want those settings configured. [Aaron Margosis] The MSS settings have been around for a very long time, and have been part of our security guidance for over a decade.  The technique for exposing them is not supportable today (has to change ownership/permissions on OS files, and relies on a script that has OS-specific dependencies).  I anticipate that the STIG for Windows 10 will follow what we're doing here and use the custom ADMX.

• Anonymous
  October 13, 2015
  Appreciate releasing the draft. If the SCM release is months away, would it be possible to get a copy of the LocalGPO script that works with Win10 in the interim if it's ready?
  
  Also, FYI, the Policy Path in the XLSX with this package is inconsistent within the document and when compared to exports from SCM. The Security Template and Advanced Auditing tabs include the full "Computer ConfigurationWindows Settings" path, except they omit "Security Settings" which is a valid part of the path and in SCM output. All the other tabs drop Computer Configuration......... completely.

• Anonymous
  October 18, 2015
  This post Just landed on time for a new project. Thanks a million for posting This...it will be used in a few days as my baseline.
  Keep up the excellent work!

• Anonymous
  October 21, 2015
  What about the recommendation for Device Guard (inkl. VSM)? Does anyone know why this in not included in the baseline? [Aaron Margosis] You can't just turn on Device Guard. It requires planning, and configuration settings will always be specific to environment and scenario. For more information, see the Device Guard deployment guide.

• Anonymous
  October 27, 2015
  I'm concerned that Microsoft has stated that the SCM Tools is no longer supported.
  Is MS planning releasing an alternative of this tool? [Aaron Margosis] "Not supported" simply means that we won't necessarily provide bug fixes for the SCM tool itself. The Sysinternals tools are similarly "not supported".  SCM or the lightweight policy downloads/tools on the blog posts here for Win8.1/2012R2/IE11 and for Win10 are the best ways to deploy the security configuration recommendations.

• Anonymous
  October 27, 2015
  Any plans for delivering baselines for Office 2016?
  If so what timeframe?

• Anonymous
  October 28, 2015
  New to SCM. Appreciate the draft Windows 10 information. I have imported the GPO objects into SCM for review. Assuming that since these are GPO objects that have been imported, the value in "Default Value" would be considered the Windows 10 recommended setting from MS. Can you confirm this for a newbie? [Aaron Margosis] No, the "Default" tries to document what the setting is in Windows if you don't do anything.

• Anonymous
  October 30, 2015
  In the new guidance, Interactive logon: Do not require CTRL+ALT+DEL is now recommended to be not configured; yet I do not see any reasoning to explain why Windows 10 is no longer susceptible to credential theft via impostors. Could someone point me in the direction of some discussion or provide the reason why we are no longer recommended to require Ctrl+Alt+Del before allowing a logon? [Aaron Margosis] Great question. One is the increase in systems where a Secure Attention Sequence (SAS) isn't feasible. Second is that the SAS has probably been a very low-value protection, overall.  See the discussion about a setting where we made it possible to go overboard on the SAS and how that didn't really work out well: Unintended Consequences of Security Lockdowns
  http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM304 The discussion of the SAS issues starts at 32:47 in the recording.

• Anonymous
  November 05, 2015
  Appears to have more gaps than controls. When is the next draft coming out?
  What do people think of the draft STIG for Windows 10? It seems to have a lot more meat than this baseline. [Aaron Margosis] What do you mean by "more gaps than controls"? The STIG and our guidance are tracking very closely - both are getting rid of unnecessary "legacy" controls.

• Anonymous
  November 11, 2015
  Are these settings still considered to be in "draft" form? Would you consider these settings ready for testing to go forward into a production environment, or are the baselines expected to change at such a pace where we should begin testing with the current baseline, but also expect many changes? If so, can we follow those updates here? [Aaron Margosis] See these: Security baseline for Windows 10 (build 10240) – FINAL Security baseline for Windows 10 (“Threshold 2”) – DRAFT

• Anonymous
  November 13, 2015
  Are there any information about RTM for the win10 baselines? We can not start a win10 rollout with a "draft release" :-) [Aaron Margosis] See these: Security baseline for Windows 10 (build 10240) – FINAL Security baseline for Windows 10 (“Threshold 2”) – DRAFT

• Anonymous
  December 01, 2016
  Hi, Do Microsoft have any plans in releasing guidance or baselines for MDM / CSP based policies and how to migrate from a GPO based configuration to Intune or Airwatch?[Aaron Margosis] Yes, we are working on that. No timelines to announce at this time, though.