Security baseline for Windows 10 v1803 “Redstone 4” – DRAFT

Microsoft is pleased to announce the draft release of the security configuration baseline settings for the upcoming Windows 10 version 1803, codenamed “Redstone 4.” Please evaluate this proposed baseline and send us your feedback via blog comments below.

(Note: the final version of this baseline was published here.)

The downloadable attachment to this blog post includes importable GPOs, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, and all the recommended settings in spreadsheet form and as a Policy Analyzer file (DRAFT-MSFT-Win10-RS4.PolicyRules).

The differences between this baseline package and that for Windows 10 v1709 (a.k.a., “Fall Creators Update,” “Redstone 3”, RS3) include:

  • Two scripts to apply settings to local policy: one for domain-joined systems and a separate one that removes the prohibitions on remote access for local accounts, which is particularly helpful for non-domain-joined systems, and for remote administration using LAPS-managed accounts.
  • Increased alignment with the Advanced Auditing recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document (also reflected here).
  • Updated Windows Defender Exploit Guard Exploit Protection settings (separate EP.xml file).
  • New Windows Defender Exploit Guard Attack Surface Reduction (ASR) mitigations.
  • Removed numerous settings that were determined to no longer provide mitigations against contemporary security threats. The GPO differences are listed in a spreadsheet in the package’s Documentation folder.

We’d like feedback regarding an Advanced Auditing setting that we have considered adding to the baseline but haven’t so far. The auditing and monitoring reference, mentioned above, recommends auditing failure events for Filtering Platform Connection. This is somewhat redundant because the Windows client baseline’s firewall configuration logs dropped packets. The Advanced Auditing setting collects richer data, but can add large numbers of events to the Security event log. The reference recommends against auditing successful connections. So, should the baseline:

  • Stay as it is, with firewall logging only and no Advanced Auditing for Filtering Platform Connection?
  • Keep firewall logging as it is, and add Failure auditing for Filtering Platform Connection? (This creates duplication between dropped packet logging and failure audit events.)
  • Keep firewall successful-connection logging only, and replace the recommendation for dropped-packet logging with Failure auditing for Filtering Platform Connection? (An obvious disadvantage is that admins have to look in two places for firewall-related events.)
  • Another alternative?

Please let us know in the comments below.
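To make the trade-off concrete, here is an added PowerShell example (not part of the baseline package or its scripts) that configures the second option above on one machine and then measures what it costs: it turns on Failure-only auditing for the Filtering Platform Connection subcategory, keeps the firewall's dropped-packet text logging as the client baseline already has it, and summarizes the resulting 5157 ("The Windows Filtering Platform has blocked a connection") events. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the log path and 16 MB size are Windows defaults used here as assumptions, not values read from the baseline spreadsheet.

```powershell
# Added example: evaluate "firewall logging + Failure auditing" on a single host.
# Run elevated; auditpol and the Security log both require administrator rights.

# 1. Show the current state of the Advanced Auditing subcategory in question.
auditpol.exe /get /subcategory:"Filtering Platform Connection"

# 2. Add Failure auditing only. The auditing reference recommends against
#    auditing successful connections, so Success stays disabled.
auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

# 3. Keep the firewall's own text log of dropped packets (what the client
#    baseline already configures). Path and size are assumed defaults.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True -LogAllowed False `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 4. After running for a while, measure the added Security-log volume.
#    Event 5157 = WFP blocked a connection; each event carries the application,
#    direction (%%14592 inbound / %%14593 outbound), addresses, ports, protocol.
$since = (Get-Date).AddHours(-24)
$blocked = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $d['Application']
            Direction   = $d['Direction']
            DestAddr    = $d['DestAddress']
            DestPort    = $d['DestPort']
            Protocol    = $d['Protocol']
        }
    }

"5157 events in the last 24h: $($blocked.Count)"

# Top blocked application/port pairs: the same information the pfirewall.log
# DROP lines carry, which is the duplication the post is asking about.
$blocked |
    Group-Object Application, DestPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

Comparing the 5157 count against the number of DROP lines in pfirewall.log for the same window shows directly how much duplicate data the second option produces, and the grouped output shows whether the richer audit fields (application path, filter) add anything the text log does not already give you for that host.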

Thanks.

Comments

  • Anonymous
    March 27, 2018
    Is it okay to apply an 1803 baseline to a 1607 LTSB install? And, another baseline specifies that to be compliant, EMET must be installed and it must have the secondary logon service disabled. This seems impossible at first glance because EMET service has a dependency on the secondary logon service. Is there a solution for this on 1607 LTSB?
    [Aaron Margosis] Probably OK, but not tested. What baseline says to disable seclogon? Not one of ours. EMET's service is marked to have that dependency, but it shouldn't. It doesn't actually require that service.
    • Anonymous
      March 28, 2018
      Windows_10 STIG. It's kind of silly that the compliance check tests that seclogon is disabled, but instead of testing whether EMET_Service is enabled and running it just tests whether it is installed. So can I just edit HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EMET_Service DependOnService and remove seclogon?
  • Anonymous
    March 27, 2018
    Is there a reason that there are no MDM settings in the Security baseline like there were in the RS3 baseline??
    [Aaron Margosis] We are going to include it separately.
  • Anonymous
    March 28, 2018
    If I apply this as lgpo.exe to 1607 LTSB (maybe newer?), and then do a sysprep generalize, oobe fails because of password settings in Password Policy. You can exit to audit mode, use mmc to temporarily disable the password settings and finish oobe. Maybe a sysprep cleanup entry could fix this or a way to apply lgpo with an exception for local admin?
  • Anonymous
    March 29, 2018
    Hi Aaron, re: filtering platform connections;
    This is something I’ve covered in a Windows Firewall project that complements these security baselines and the privileged access workstation design https://github.com/SteveUnderScoreN/WindowsFirewall. My policy is designed to sit above the Microsoft baseline and disables all text based firewall logging.
    Allowed and blocked platform connections should be enabled for user assets at a minimum; logs compress down from 200MB to 15MB locally and provide essential evidence for modern forensics investigations. Basic analysis of the security events can be as easy as ‘how many event logs are created per day’; anything off trend can be an indication of unwanted network activity and should be investigated via the enterprise SIEM or by downloading a trial event log analysis application and loading the event logs in question. On a busy system (15 connections per second) this could be 5 logs per day.
    Blocked platform connections should be audited on all domain resources, although it is also of benefit to have allowed and blocked events logged when researching application activity on domain controllers and member servers.
    Implemented in a phased approach, this can identify rogue devices (including non-Windows devices); unwanted network activity can be dealt with, reducing logging levels and allowing for further computers to have advanced logging enabled.
    The WindowsFirewall project would benefit from a PowerShell script signed by Microsoft that compresses logs locally, triggered by the security event log automatic backup ID 1105. A parameter could be passed to this script that deletes >= n oldest logs; this gives logs time to be collected, or it maintains a set number if central log collection is not in place. I’m happy to write the script.
    Hope that helps,
    Steve
    • Anonymous
      July 23, 2018
      To help with security event analysis I'm creating a tool which will be on GitHub https://github.com/SteveUnderScoreN/WindowsFirewall . This tool will search the security event log, filter out duplicates and then help, via a GUI, create the firewall rules to allow blocked traffic.
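The log-compression mechanism Steve describes in his comment above (compress archived Security logs when the Event Log service raises event ID 1105, and keep only the newest n) can be sketched as follows. This is an added example written for this page, not Steve's proposed script and not part of the baseline package. It assumes the Security log is configured to archive when full (the "Archive the log when full, do not overwrite events" retention setting), which is what makes the service write Archive-Security-*.evtx files and log event 1105 ("Event log automatic backup"); the retention count and the scheduled-task trigger are assumptions chosen for illustration.

```powershell
<#
Added example: compress archived Security logs and enforce a retention count.
Intended to run from a scheduled task with an "On an event" trigger:
  Log: Security, Source: Microsoft-Windows-Eventlog, Event ID: 1105
Assumes the Security log's retention is set to "archive when full", so the
Event Log service writes Archive-Security-<timestamp>.evtx into $LogDir and
records event 1105 each time it does. Run as SYSTEM or a local administrator.
#>
param(
    # Default Windows event log directory (assumption; adjust if relocated).
    [string]$LogDir = "$env:SystemRoot\System32\winevt\Logs",
    # Number of compressed archives to keep; older ones are deleted. Set high
    # (or very high) when no central log collection is in place.
    [int]$Keep = 14
)

# Compress every archived Security log that does not yet have a .zip beside it,
# then remove the .evtx so only the compressed copy remains on disk.
Get-ChildItem -Path $LogDir -Filter 'Archive-Security-*.evtx' | ForEach-Object {
    $zip = [System.IO.Path]::ChangeExtension($_.FullName, '.zip')
    if (-not (Test-Path -LiteralPath $zip)) {
        Compress-Archive -LiteralPath $_.FullName -DestinationPath $zip -CompressionLevel Optimal
    }
    if (Test-Path -LiteralPath $zip) {
        Remove-Item -LiteralPath $_.FullName
        Write-Verbose "Compressed $($_.Name) -> $([System.IO.Path]::GetFileName($zip))"
    }
}

# Retention: keep the newest $Keep compressed archives, delete the rest.
# Select-Object -Skip returns nothing when there are $Keep or fewer files,
# so Remove-Item is a no-op in that case.
Get-ChildItem -Path $LogDir -Filter 'Archive-Security-*.zip' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -LiteralPath { $_.FullName }
```

The retention step runs after compression on purpose: an archive that was just written by the Event Log service is compressed first, so it is never counted as "oldest" while still uncompressed, and the count is applied only to the .zip files a collector would pick up.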
  • Anonymous
    May 01, 2018
    RSAT tools.... How do administrators get the new RSAT tools to administer their computers in a domain/forest?
    [Aaron Margosis] RSAT updated: https://www.microsoft.com/en-us/download/details.aspx?id=45520
  • Anonymous
    May 08, 2018
    After running the baseline configuration on a few test machines we found that local admins cannot manually restart services like dnsclient (greyed out). I looked at the Excel spreadsheet but could not see where this setting is; can you tell me how this was done so I can use a GPO to undo it?