Security baseline for Windows 10 “Fall Creators Update” (v1709) – FINAL

Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Windows 10 “Fall Creators Update,” also known as version 1709, “Redstone 3,” or RS3. There are no changes from the draft release we published a few weeks ago.

The 1709 baseline package has been added to the Microsoft Security Compliance Toolkit. On that page, click the Download button, then select "Windows 10 Version 1709 Security Baseline.zip" and any other content you want to download.

The 1709 baseline package includes GPOs that can be imported in Active Directory, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, and all the recommended settings in spreadsheet form. The spreadsheet also includes the corresponding settings for configuring through Windows’ Mobile Device Management (MDM).

We're also happy to announce the revamping of the Windows Security Baselines landing page.

The differences between the 1709 baseline and that for Windows 10 v1703 (a.k.a. “Creators Update,” “Redstone 2,” or RS2) are:

  • Implementing Attack Surface Reduction rules within Windows Defender Exploit Guard. Exploit Guard is a new feature of v1709 that helps prevent a variety of actions often used by malware. You can read more about Exploit Guard here: Reduce attack surfaces with Windows Defender Exploit Guard. Note that we have enabled “block” mode for all of these settings. We are continuing to watch the “Block Office applications from injecting into other process” setting; if it creates compatibility problems, we might change the baseline recommendation to “audit” mode for that setting. Please let us know what you observe.
  • Enabling Exploit Guard’s Network Protection feature to prevent any application from accessing web sites identified as dangerous, including those hosting phishing scams and malware. This extends the type of protection offered by SmartScreen to all programs, including third-party browsers.
  • Enabling a new setting that prevents users from making changes to the Exploit protection settings area in the Windows Defender Security Center.

We also recommend enabling Windows Defender Application Guard. Our testing has proven it to be a powerful defense. We would have included it in this baseline, but its configuration settings are organization-specific.

The old Enhanced Mitigation Experience Toolkit (EMET) add-on is not supported on Windows 10 v1709. Instead, we offer Windows Defender Exploit Guard’s Exploit Protection, which is now a built-in, fully configurable feature of Windows 10. Exploit Protection brings the granular control you remember from EMET into a new, modern feature. Our download package includes a pre-configured, customizable XML file to help you add exploit mitigations to many common applications. You can use it as-is, or customize it for your own needs. Note that you configure the corresponding Group Policy setting by specifying the full local or server file path to the XML file. Because our baseline cannot specify a path that works for everyone, it is not included in the baseline package’s GPOs – you must add it yourself.
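The following PowerShell is an added example, not part of the baseline package or Microsoft’s scripts, covering the Exploit Guard items listed above (the ASR rules and Network Protection) and the Exploit Protection XML described here. It assumes an elevated session on a v1709 machine, a hypothetical copy of the package’s XML at C:\Baseline\ExploitProtection.xml, and uses the ASR rule GUID that a commenter quotes below; the cmdlets and parameters are the Windows Defender ones that ship with Windows 10.

```powershell
# Added example (not from the baseline package). Run elevated on Windows 10 v1709.
# Assumed path to the Exploit Protection XML from the download package:
$ExploitXml = 'C:\Baseline\ExploitProtection.xml'
# ASR rule "Block Win32 API calls from Office macro" (GUID quoted in the comments below).
$OfficeWin32ApiRule = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

# 1. Report the current Attack Surface Reduction rule states.
#    Get-MpPreference exposes two parallel arrays; action codes: 0 Disabled, 1 Block, 2 Audit.
$pref = Get-MpPreference
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $code   = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Code $code" }
    Write-Output ("ASR rule {0} -> {1}" -f $id, $action)
}

# 2. During compatibility testing, move a single rule from Block to Audit.
#    Audit keeps logging (Event ID 1122 in Microsoft-Windows-Windows Defender/Operational)
#    without blocking. Add-MpPreference changes the action if the rule already exists.
#    Note: if Defender preferences are delivered by GPO, policy overrides this local change.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeWin32ApiRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. Network Protection: SmartScreen-style blocking of dangerous hosts for every process.
Set-MpPreference -EnableNetworkProtection Enabled

# 4. Apply the package's Exploit Protection XML locally. The Group Policy equivalent
#    requires the full file path, which is why the shipped GPOs do not carry it.
if (Test-Path -LiteralPath $ExploitXml) {
    Set-ProcessMitigation -PolicyFilePath $ExploitXml
} else {
    Write-Warning "Exploit Protection XML not found at $ExploitXml"
}

# 5. Verify: show the per-process mitigations now in force for one application
#    and export the effective configuration to review or check into source control.
Get-ProcessMitigation -Name OneDrive.exe
Get-ProcessMitigation -RegistryConfigFilePath (Join-Path $env:TEMP 'EffectiveMitigations.xml')
```

Step 5 exports what is actually applied rather than what the XML requested, which is the file to diff against the package XML when a commenter-style app compatibility problem appears.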

Thank you to the Center for Internet Security (CIS) and to everyone else who gave us feedback.

Comments

  • Anonymous
    October 19, 2017
    Where can I find the text explaining the baseline recommendations that used to be in SCM when using the new toolkit? The MS guidance is really only helpful if we can read the reasoning behind the recommended setting.
    [Aaron Margosis] We don't have a direct replacement for that yet. I know this blog is not as convenient, but we can get kind of expansive here when we need to. Personally, I believe more of the threats-and-countermeasures text should be incorporated into the Explain text with each setting. But then when we decide to change the guidance, like we did for untrusted font blocking, Explain text wouldn't work so well.
  • Anonymous
    October 19, 2017
    Where can I get an eval version of W10 RS3? Will it be made available on Technet?
  • Anonymous
    October 20, 2017
    Yes, but have you added the ability to remove pages from the Settings app into User Configuration? It is a bit silly to force admins to either lose important pages or allow standard users access to system-changing pages. This is bread-and-butter stuff that was available for Control Panel over a decade ago.
    [Aaron Margosis] Got specifics? What exactly would you like to be able to hide from users?
  • Anonymous
    October 20, 2017
    Can't even open the "Settings" menu? How can I roll back to 1703 now???
    [Aaron Margosis] I don't see what you're seeing. Fully applied, and even added a bunch of Control Panel restrictions, and was still able to open Settings.
  • Anonymous
    October 20, 2017
    This is great. I am glad to see that the security baseline was made available during the Semi-Annual Channel (Targeted) period. Can you tell me what the role of the Center for Internet Security will be going forward? Is this timely release of the security baseline something we can expect as part of the WaaS cadence?
    [Aaron Margosis] It is our intent to continue to release Windows baselines at the same time as the release for "pilot" deployment so that pilot testing can incorporate those settings and be fully tested prior to "broad" deployment. We communicate with CIS regularly and share information on baselines. If you've tracked changes to their benchmarks, many of those settings follow ours. And we take their input and have made changes based on their recommendations. That will continue.
  • Anonymous
    October 23, 2017
    What is the advice when running 3rd-party AV that defaults to disabling Windows Defender? Can/is Windows Defender Application Guard standalone from the antivirus?
    [Aaron Margosis] Application Guard does not depend on the AV.
  • Anonymous
    October 23, 2017
    Is there any way to get notified when a new set of GPO templates comes out? Like the email list for security updates?
    [Aaron Margosis] Subscribe to this blog. There's a "follow this blog" link, RSS, etc. I just added a widget for email subscription, too.
    • Anonymous
      October 24, 2017
      Thank you for the subscribe widget! Keep up the great work.
  • Anonymous
    October 30, 2017
    Could you please explain how to correctly use GP client-side extensions with LGPO.exe? A GPO backup contains a Backup.xml file with MachineExtensionGuids and UserExtensionGuids sections, but LGPO.exe doesn't process these, as far as I understand (it would be really nice if it did). Instead, we have to pass those GUIDs to LGPO.exe via the "/e {guid}" option. The format in the XML file consists of tuples with two or more entries per extension. This one, for example:
    [{169EBF44-942F-4C43-87CE-13C93996EBBE}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]
    is mentioned in the documentation (Microsoft User Experience Virtualization) and converted to LGPO.exe /e {169EBF44-942F-4C43-87CE-13C93996EBBE}, but what do I do with these three:
    [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{2D4156A2-897A-11DB-BA21-001185AD2B89}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]
    [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
    [{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]
    The UserExtensionGuids section in my backups has only one entry:
    Again, not sure how to handle it. Likewise, does LGPO care about which client-side extensions are per-machine and which ones are per-user? It just lumps everything together, and I'm not sure whether the settings that we're configuring for stand-alone computers are actually enforced.
    [Aaron Margosis] For Administrative Templates, the CSEs for settings that need them are referenced in the ADMX files. That's where the listing in the LGPO documentation came from.
    • Anonymous
      November 14, 2017
      Let me ask the question this way. Is it sufficient to edit C:\Windows\System32\GroupPolicy\GPT.ini to configure CSEs, or does LGPO do something more with the /e arguments? I know where CSE GUIDs come from, but the ones that I've listed don't follow the standard format (that being a two-element tuple specifying the CSE and per-machine or per-user type), so it's not clear what to do with them when using LGPO. Also, as I mentioned, LGPO doesn't distinguish between per-machine vs. per-user CSEs, so if it's fine to just copy over our own GPT.ini file instead of using /e options, that might make things easier until LGPO.exe can parse this information directly from Backup.xml.
  • Anonymous
    November 08, 2017
    The comment has been removed
  • Anonymous
    November 13, 2017
    Where can I find the Windows 10 1703 and Windows 10 1709 policy rules? I see just about everything except this in the sample policy rules from Policy Analyzer. In the separate Windows 10 1703 and 1709 baselines, I see Documentation, GP Reports, GPOs, Local_Script, Templates, and WMI Filters, but nothing related to policy rules that I can open with Policy Analyzer.
    [Aaron Margosis] We haven't re-released Policy Analyzer with content representing those baselines, but it's easy to create them when you have downloaded the new baselines. Just point Policy Analyzer at the GPOs directory and build a rule set from it.
    • Anonymous
      November 13, 2017
      I believe I just had to import the GPOs folders in each of the 1703 and 1709 baselines.
  • Anonymous
    November 26, 2017
    The comment has been removed
  • Anonymous
    December 04, 2017
    On the custom tab I see a few MSS Legacy settings, for example "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing)". I've been reading some forums that say you need to enable this yourself, but those forums only talk about Windows Server 2012 / Windows 8. Do we still need to set those policies, and if yes, how do we enable those MSS policies so we can see them on our Windows 2012 R2 DCs and use them on Windows 10?
    [Aaron Margosis] We still recommend a small number of "MSS" settings in the Windows 10 and Server 2016 baselines. The baselines include a custom ADMX/ADML template so that the MSS settings can be represented in the Group Policy editor. The ADMX/ADML can also be downloaded here.
  • Anonymous
    December 19, 2017
    Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" {92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B} blocks the Excel add-ins 'Solver' and 'Euro Currency Tools'. These add-ins/macros unfortunately unpack randomized temp files into "%LOCALAPPDATA%\Microsoft\Windows\INetCache\Content.MSO". The ASR exclusion rules only accept exact folder paths or fully qualified resource names; they do not accept environment variables such as %LOCALAPPDATA% or wildcards like "C:\Users*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO". Unfortunately, in light of those limitations for exclusions, I am required to place "Block Win32 API calls from Office macro" into Audit Mode, since some users in my environment do leverage these built-in add-ins. If anyone knows of a way of getting the ASR exclusions to work correctly for these add-ins, please let me know.
  • Anonymous
    January 26, 2018
    The Set-ProcessMitigation cmdlet has no functionality to delete a configured process mitigation or to delete all configured per-process mitigations, like the EMET command-line tool provided with EMET_Conf --delete, EMET_Conf --delete_apps or EMET_Conf --delete_all. I wrote a PowerShell script to clean up the current configuration and import a clean / prepared configuration (default config + recommended baseline). It can be downloaded at https://github.com/gunnarhaslinger/Windows-Defender-Exploit-Guard-Configuration
  • Anonymous
    January 28, 2018
    ExploitGuard baseline: firefox.exe => Firefox 58 (64-bit, fresh clean installation without any plug-ins) cannot load any website with these configured mitigations. Works correctly after removing the firefox.exe ExploitGuard settings.
  • Anonymous
    February 13, 2018
    ExploitGuard baseline crashes OneDrive.exe (Version: 17.3.7294.108), Module: PayloadRestrictions.dll, Version: 10.0.16299.15. OneDrive silently crashes and stops syncing with these configured mitigations. Removing OneDrive.exe from the ExploitGuard configuration solves the problem. Please provide an updated ExploitGuard baseline.
    [Aaron Margosis] It's fixed in RS4 (the upcoming Windows 10 Version 1803). In the meantime, disabling the anti-ROP mitigations for OneDrive will avoid the crash on RS3 (v1709) machines. Hope this helps.
  • Anonymous
    April 11, 2018
    I've been evaluating this security baseline with the Windows Assessment Console in the ADK, and I see that these GPO settings affect performance negatively. Has Microsoft been testing these settings with regard to performance, and what performance impact should I expect?
    [Aaron Margosis] Can you be more specific about the performance impacts you've observed?