Security baseline for Windows Server 2016 Technical Preview 5 (TP5)

Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows Server 2016, corresponding to Technical Preview 5 (TP5). The final version of Windows Server 2016 will differ from the TP5 pre-release, and this security guidance will change as well. Both TP5 and this guidance are offered for evaluation purposes and we look forward to your feedback.

(Note: the final version of this baseline was published here.)

Our Windows 10 guidance differed dramatically from our past Windows client baselines (as described here), and our evolving Windows Server guidance is following suit. In addition to the changes described in that blog post, there are a few additional differences between this new guidance and both the Windows Server 2012 R2 guidance and the Windows 10 TH2 guidance:

  • Advanced Auditing setting for Account Lockout changed from Success to Success+Failure. We will also make this change in the next revision of our Windows 10 guidance. This change is needed so that account logon failures are audited when the failure reason is that the account is locked out.
  • Some settings not relevant to Windows Server, such as Wi-Fi Sense, are omitted.
  • BitLocker is not included in the Windows Server baseline.
  • Internet Explorer is introducing a new Group Policy control, “Allow only approved domains to use the TDC ActiveX control.” We are enabling that setting in the Internet and Restricted Sites zones. We will also make this change in the next revision of our Windows 10 guidance, where it will be more important.
  • Reverted “Apply local firewall rules” and “Apply local connection security rules” to Not Configured for the Public firewall profile, enabling organizations to make their own decisions. This is a difference from the Windows 10 guidance. Internet-facing servers have varied purposes and there is a greater need for flexibility in these settings than for Windows client.
  • Removed the recommendations for specific values in the User Rights Assignments “Replace a process level token” and “Adjust memory quotas for a process.” The defaults are good and the settings are unlikely to be abused for nefarious purposes. Also, during installation some products need to grant these rights to product-specific accounts, and later break when a Group Policy reverts them back to the Windows defaults. We will also make this change in the next revision of our Windows 10 guidance.

This baseline is designed for the Member Server scenario. The final version will also include a baseline for Windows Server 2016 Domain Controller. In addition to the differences between the Member Server and DC baselines for Windows Server 2012 R2 (*), the differences for Windows Server 2016 DCs will include:

  • Do not apply the LAPS setting, “Enable local admin password management,” to DCs.
  • The “Hardened UNC Paths” setting should not be applied to DCs.

(*) You can review the differences between these baselines using Policy Analyzer.

Comments

  • Anonymous
    June 27, 2016
    Ultimately, the following approach seems to be a is a step away from planning for system security; to reverting defaults with part of the justification being that some programs use obscure rights and don't make it clear that a tailored and appropriately applied GPO is required.--- Removed the recommendations for specific values in the User Rights Assignments “Replace a process level token” and “Adjust memory quotas for a process.” The defaults are good and the settings are unlikely to be abused for nefarious purposes. Also, during installation some products need to grant these rights to product-specific accounts, and later break when a Group Policy reverts them back to the Windows defaults. We will also make this change in the next revision of our Windows 10 guidance.
    • Anonymous
      July 08, 2016
      [Aaron Margosis] I don't understand your point.
  • Anonymous
    June 30, 2016
    Are these security policies also applicable on Windows Server 2016 TP5 Core and Nano servers? I am specially looking for applicable security on nano server.
    • Anonymous
      July 08, 2016
      Yes, but Nano doesn't have a Group Policy engine, so different tools are needed to apply the settings.
  • Anonymous
    July 28, 2016
    Can you tell me what is the location (FQDN) for SCM to update baseline with? Our ACLs block everything unless specified. I'm getting a Sever unavailable. Or maybe an alternative method to load new baselines.[Aaron Margosis] I just tested and it looks like content is hosted on akamaitechnologies.com servers. I cannot guarantee that you'll get the same results I did, but mine were all of the form *.deploy.static.akamaitechnologies.com over tcp/80. Another method would be to install a copy of SCM on a system not subject to the firewall rules, download the files from it, then bring them into your network using whatever authorized file transfer mechanism you have, and import them into SCM using "Import / SCM (.cab)" in the rightmost panel. Hope this helps.
  • Anonymous
    October 06, 2016
    The statement "•The “Hardened UNC Paths” setting should not be applied to DCs." Is that only for 2016 AD DCs or 2012 R2/R1 as well? If only 2016 AD DCs, what changed that makes that setting an issue?[Aaron Margosis] We've since been advised that assertion is incorrect, and I have edited the post to strike it out. It's fine to apply it to DCs, which enforces the default behavior. The upcoming security configuration baseline guidance for Server 2016 will apply the setting to all three configurations (Win10 v1607, Server 2016 Member Server, Server 2016 Domain Controller). The guidance also applies to previous server versions.
  • Anonymous
    February 01, 2017
    By the Hardened Paths bit do you mean the bypassing of hardened paths via registry key? Which I have had to do on our win 1- machines as we have never had path hardening setup and it was causing intermittent group policy issues...?Would be a key bit of info for me as i'm a bit scared to implement a Server 2016 DC at the moment and would like to replace one of our DC's which is still on Server 2008 R2 ASAP.
  • Anonymous
    June 06, 2017
    Is the final/release version available? If so, where can it be located?[Aaron Margosis] Yes - almost 8 months ago! https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/