Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 - FINAL

Microsoft is pleased to announce the final release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11. Some of the highlights of the new security baselines (many of which we intend to backport to older versions of Windows and IE):

  • Use of new and existing settings to help block some Pass the Hash attack vectors;

  • Recommendations to control the storage of plaintext-equivalent passphrases;

  • Blocking the use of web browsers on domain controllers;

  • Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines;

  • Removal of the recommendation to enable "FIPS mode" (this is discussed in greater detail in this blog post: Why We’re Not Recommending “FIPS Mode” Anymore);

  • Removal of almost all service startup settings, and all server role baselines that contain only service startup settings.

Settings are provided as four separate sets of baselines, for the following configurations: Windows 8.1, Windows Server 2012 R2 Domain Controller, Windows Server 2012 R2 Member Server, and Internet Explorer 11. The attachment to this blog post includes scripts to apply those baselines to a computer’s local policy and GPO backups you can import into Active Directory Group Policy.

There are a few changes between these recommendations and the beta version we released in April. We discuss those changes in more detail in two other blog posts: one about most of the changes, and another detailed post about the issues around account lockout recommendations.

[Update 2 September 2014: updated the guidance with a change to Member Server baseline and "Deny access to this computer from the network" setting. For more info, see Blocking Remote Use of Local Accounts.]
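As an added example (not part of Microsoft's download package), the PowerShell below reads the local "Deny access to this computer from the network" assignment with secedit and reports whether the two well-known local-account SIDs that Windows 8.1 and Server 2012 R2 introduced for this purpose, S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group), are present. The temporary export path, the function name and the output layout are this example's own choices.

```powershell
# Added example, not part of the baseline package. Reads the effective
# "Deny access to this computer from the network" user right (SeDenyNetworkLogonRight)
# from local policy via secedit and reports whether the local-account SIDs are denied.
# Run from an elevated PowerShell prompt on the machine being checked.

function Get-DeniedNetworkLogonSids {
    $export = Join-Path $env:TEMP 'secpol-userrights.inf'   # temporary export file (assumed path)
    & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
    try {
        # secedit writes one line per right, SIDs prefixed with '*', e.g.:
        #   SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-32-546
        $line = Get-Content -Path $export | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
        if (-not $line) { return @() }                       # right not assigned at all
        $value = ($line -split '=', 2)[1]
        return ($value -split ',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    }
    finally {
        Remove-Item -Path $export -ErrorAction SilentlyContinue
    }
}

# Well-known SIDs added in Windows 8.1 / Server 2012 R2 (and backported to older versions in KB2871997)
$localAccountSids = [ordered]@{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}

$denied = Get-DeniedNetworkLogonSids
foreach ($sid in $localAccountSids.Keys) {
    $state = if ($denied -contains $sid) { 'DENIED network logon' } else { 'not denied' }
    '{0,-10} {1,-50} {2}' -f $sid, $localAccountSids[$sid], $state
}
```

On a domain-joined member server, denying S-1-5-113 is what closes the lateral-movement path that a shared local administrator password opens. On a standalone (non-domain-joined) server the same setting blocks every remote use of local accounts, including Remote Desktop with local administrators, which is the situation described in the March 2015 comments below; that is why the September 2014 update restricts the change to the Member Server baseline.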

While we are preparing the content in the format used for inclusion in the Security Compliance Manager (SCM), we are making the baselines available as a download package attached to this blog post. The download includes a Word document describing various aspects of the changes from baselines for earlier versions of Windows and IE, a spreadsheet listing all the baseline settings and highlighting all the new and updated settings, Group Policy Objects (GPOs), scripts and utilities to import the full complement of settings into local group policy for evaluation and testing, a new custom ADMX to expose some important settings that aren't currently exposed by Windows as Group Policy settings, and WMI filters to ensure that GPOs are applied to appropriate systems.

Download and extract the attached "Win81-WS2012R2-IE11-Baselines-FINAL.zip". It contains the following folders:

  • Documentation: "Recommended Security Baseline Settings.docx" is a Word doc that categorizes and describes all the new and updated settings (you should probably start here); this folder also contains "SCM Windows 8.1 and 2012 R2 Settings.xlsx", an Excel spreadsheet that describes the full set of recommended settings.

  • Administrative Template: an ADMX and (US English) ADML file surfacing some "pass the hash"-relevant settings through the Group Policy editor. (Note: the Local_Script folder contains scripts that install these files to the appropriate location.)

  • GP Reports: Group Policy reports formatted as HTML files (for those who prefer that format over Excel spreadsheets).

  • GPOs: Group Policy Object backups for the four separate sets of baselines described earlier. These can be imported into Active Directory Group Policy.

  • Local_Script: This directory contains three batch files that apply appropriate settings to the current machine: 81_Client_Install.cmd, 2012R2_DomainController_Install.cmd, and 2012R2_MemberServer_Install.cmd. 

  • WMI Filters: This directory contains .MOF files that you can import into your Group Policy configuration to ensure that GPOs are applied only to the appropriate systems.
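The WMI filters in the package exist so that a DC baseline never lands on a member server and vice versa. As an added example (not the package's own .MOF content), the PowerShell below runs WQL queries of the kind a GPO WMI filter uses against the local machine and reports which of the three Windows baselines would apply. The three query strings and the function name are this example's own; the package's actual filters are not reproduced here.

```powershell
# Added example, not part of the baseline package. Runs WQL queries of the kind used
# in GPO WMI filters against the local machine and reports which baseline would apply.
# Version 6.3.* is Windows 8.1 / Server 2012 R2; Win32_OperatingSystem.ProductType is
# 1 = workstation, 2 = domain controller, 3 = member/standalone server.

function Test-BaselineFilters {
    $filters = [ordered]@{
        'Windows 8.1'                              = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType = "1"'
        'Windows Server 2012 R2 Domain Controller' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType = "2"'
        'Windows Server 2012 R2 Member Server'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType = "3"'
    }
    foreach ($name in $filters.Keys) {
        # A WMI filter "passes" when its query returns at least one instance. GPMC evaluates
        # filters in root\CIMv2, which is also Get-CimInstance's default namespace.
        $hit = Get-CimInstance -Query $filters[$name] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Baseline = $name
            Query    = $filters[$name]
            Applies  = [bool]$hit
        }
    }
}

Test-BaselineFilters | Format-Table -AutoSize Baseline, Applies
```

Exactly one row should show Applies = True on a Windows 8.1 or Server 2012 R2 machine; on any other OS version all three are False, which is the desired outcome of importing the filters: a baseline written for 6.3 is never evaluated against a host it was not tested on.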

We will follow up on this blog when the SCM cab files become available.

We would like to acknowledge and express our appreciation to the Center for Internet Security for their collaboration in the development of this guidance.

Win81-WS2012R2-IE11-Baselines-FINAL.zip

Comments

  • Anonymous
    January 01, 2003
    thank you

  • Anonymous
    January 01, 2003
I am having an issue with creating a new corporate baseline, based on the SCM Server 2012 R2 member server baseline. I have made a duplicate of it, making it available under the "Custom Baseline" node. But if I want to add a Server 2012 R2 setting (choosing Product: Server 2012 R2), the settings window is completely empty. If I choose "Server 2012" as product, I get all the settings available.
    Am I missing a point?

    • Anonymous
      November 07, 2016
      I've the same issue.
  • Anonymous
    January 01, 2003
It's nice to find out that there is a final release of the baseline, however there is no news on the Microsoft SCM 3.0 update/support... it would have been great if Microsoft would have released an updated version of SCM alongside MDT 2013... Guys, please post when the update is available; also share the GPOPack.wsf file update with Windows 8.1 support & guidelines around using it. [Aaron Margosis]  Should be released before the end of August.  We could have held back on release of the materials we did publish, but it made more sense to release them when they were ready rather than hold back.

  • Anonymous
    August 13, 2014
    When can it be downloaded through SCM 3.0 ? [Aaron Margosis] We anticipate publishing the .cab files this month. We will of course announce here.

  • Anonymous
    August 15, 2014
    Hi, any chances to get these integrated/passed along to CIS for incorporation into their benchmark tooling?
    Thank you! :) [Aaron Margosis] We have been collaborating with CIS on the development of these baselines. I don't know what their current timetables are for their own releases, though.

  • Anonymous
    August 17, 2014
    This is really helpful information and tools. Thanks to everyone involved that produced this.

  • Anonymous
    August 19, 2014
    Awesome stuff... I will definitely cover this at my TechEd NZ Group Policy PtH session in a few weeks.

  • Anonymous
    September 07, 2014
    Finally, the settings for Server 2012 R2 are available for download in SCM.
As there is no "Upgrade" of existing custom configured policies associated with Server 2012 (or any earlier OS), I did export my policy as a GPO and re-imported it back, knowing I would lose some settings as the export and import process renames settings and sometimes uses integers as booleans or vice versa, and then tried to associate it with Server 2012 R2.
    "0 unique settings from the GPO's 346 Settings apply to this product."!
Whoa, that's a surprise now. OK. What would happen if I export the 2012 R2 policy, import it back as a GPO and associate it with Server 2012 R2 again?
    "0 unique settings from the GPO's 157Settings apply to this product.".
That's even better. Not only can it not find any matches, it loses most of the 421 (see below) settings.

    So what happened? Why can't I associate a GPO import with server 2012 R2?
    The release notes state:
    • If the Microsoft Windows Server 2012 R2 Security Compliance Baseline is exported to a Group Policy object (GPO) from SCM 3.0, the exported GPO cannot be re-imported into SCM 3.0. Importing the exported GPO will not result in the same information and structure as was originally exported.
But it does not say that the association does not work at all anymore.

    Will there be a way to associate GPO imports to Server 2012 R2?
    Will SCM be fixed to export meta data on GPO exports to allow re-import including comments?
    Will SCM be fixed to use the same syntax checks for exports and imports?

    Thank you very much for letting us know
    Best regards
    Patrick


  • Anonymous
    September 23, 2014
    Still waiting for SCCM .cab files! :o) [Aaron Margosis]  I assume you mean SCM (Security Compliance Manager) and not SCCM, right?  We published those .cab files almost three weeks ago.

  • Anonymous
    December 10, 2014
    >[Aaron Margosis] I assume you mean SCM (Security Compliance Manager) and not SCCM, right? We published those .cab files almost three weeks ago.
Thanks for (not) updating this article then! LOL. Guess you guys are only human like the rest of us..
    "We will follow up on this blog when the SCM cab files become available." haha.. it's OK, I'm always forgetting stuff myself. [Aaron Margosis] Umm... we DID update this blog -- my last reply had a link to the post we published announcing it. We didn't say we'd update this specific blog post, but that we'd announce it on the blog, which we did right away.

  • Anonymous
    December 17, 2014
Unfortunately, even after importing the CAB files, there is still no way to customize our own baselines. No settings show up.

    http://i.imgur.com/yTIpdki.png [Aaron Margosis]  Known issue. Unfortunately there's nothing I can do about it.  The text below is from the Release Notes for the Win8.1 baselines; similar language is in the notes for the other baselines: If the Microsoft Windows 8.1 Security Compliance Baseline is exported to a Group Policy object (GPO) from SCM 3.0, the exported GPO cannot be re-imported into SCM 3.0. Importing the exported GPO will not result in the same information and structure as was originally exported.

  • Anonymous
    March 18, 2015
Applied the 2012 R2 Member profile with the local script on a non-domain-joined server. I can't figure out how to re-enable local user Remote Desktop login; are there more settings that affect this besides what's in Local Security Policy, User Rights Assignment: Deny log on through RDS and Allow log on through RDS? My user is a local admin, but can't log in. Looked all through the User Rights Assignment entries. Tried creating a new admin user, adding the admin user to RDS Users, no luck. Makes no sense.

    Testing on 2 different servers, one complains about no Remote Desktop login right and the other complains about unable to contact the LSAuthority [Aaron Margosis] Try removing the Local Account restriction on the "Deny access to this computer from the network" policy.

  • Anonymous
    March 18, 2015
Yes, that works. Sorry, I was actually testing against the wrong server; too many VMs I have to keep straight. Duh!
    Thank you

  • Anonymous
    March 20, 2015
    The field really needs updated SCAP solutions/support for SCCM. Government agencies need this sooner vs later.

    Why isn't Microsoft supporting the most recent SCAP version requirements yet? Isn't this a priority?

  • Anonymous
    March 25, 2015
Two questions: is there an easy way to reverse all the changes that are applied from this baseline? Specifically, I'm applying the Windows 2012 R2 member server script from the "Local Script" directory.

Also, are there known performance issues when applying this baseline? We run a custom app that uses IIS/Java/web browser and I see a noticeable performance decrease when applying this script to the server. It's going to be hard to find out which settings caused the decrease in performance, if anything. [Aaron Margosis] No good way to revert the entire thing, as some of the settings tattoo. No known perf issues that I'm aware of.

  • Anonymous
    April 10, 2015
Have you guys reviewed the documentation? The Recommended Security Baseline Settings.docx states that Policy Name Account lockout threshold's old value was 50? Really it was never 50, it was 5, right? The Delta-BetaToFinal doc also talks about this setting change. The doc reads ".. this setting in a separate blog post [add hyperlink]", but clearly no one added that hyperlink. [Aaron Margosis] Yes, of course we reviewed it. That's not to say that every mistake got caught. Every program has bugs and every book has errata. Thanks for the feedback -- I do hate making mistakes, no matter how small. The account lockout threshold was 50 in the Windows 7 / Server 2008 R2 guidance, then dropped to 5 in the Windows 8 / Server 2012 guidance, then changed to 10 in the 8.1/2012R2 guidance. More details in this blog post. Since the comparison should have been against the Windows 8 / 2012 guidance, that's a bug in that document. The blog post referenced in the Delta-BetaToFinal.docx Word doc hadn't been posted yet when the document was written, hence the placeholder. The placeholder was updated when the document became a blog post itself (here), but the original Word doc never got updated. That's a bug. Thanks again for the feedback.

  • Anonymous
    May 16, 2015
    Why don't you allow the 2.16.840.1.101.3.4.1.12 standard? 2.16.840.1.101.3.4.1.2 and 2.16.840.1.101.3.4.1.42 are allowed, so this seems like a mistake? [Aaron Margosis] What is the ...3.4.1.12 standard? I searched for that OID but found no references to it anywhere.

  • Anonymous
    May 17, 2015
It's the 192-bit mode for AES-CBC. Currently only 128-bit and 256-bit are allowed.
    See: http://www.alvestrand.no/objectid/2.16.840.1.101.3.4.1.html
    Is it unsupported maybe? Just stumbled across it :) [Aaron Margosis] Did you mean ".22" instead of ".12", then?  That is supported.  https://msdn.microsoft.com/en-us/library/windows/desktop/aa378177(v=vs.85).aspx

  • Anonymous
    May 17, 2015
    My bad, I meant 2.16.840.1.101.3.4.1.22 of course.
    GP has only .2 and .42 set.
    "Restrict crypto algorithms or cipher suites to the following: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42"
    Any reason .22 is missing there?
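As an added example following up the exchange above (not part of the page's own material), the PowerShell below parses a semicolon-separated OID list in the form the quoted setting uses, asks the platform's own OID table (System.Security.Cryptography.Oid, which consults CryptFindOIDInfo on Windows) what each identifier means, and reports which of the three NIST AES-CBC identifiers (.2 = AES-128, .22 = AES-192, .42 = AES-256) the value allows. The setting value is copied from the comment; the function name is this example's own.

```powershell
# Added example, not part of the page's own material. Parses the semicolon-separated
# OID list quoted in the comment above, resolves each NIST AES-CBC OID through the
# Windows OID table, and reports which key sizes are allowed and which are missing.

# NIST AES-CBC algorithm identifiers under the arc 2.16.840.1.101.3.4.1 (NIST AES)
$aesCbcOids = [ordered]@{
    '2.16.840.1.101.3.4.1.2'  = 'AES-128-CBC'
    '2.16.840.1.101.3.4.1.22' = 'AES-192-CBC'
    '2.16.840.1.101.3.4.1.42' = 'AES-256-CBC'
}

function Get-AllowedAlgorithmReport {
    param([Parameter(Mandatory)][string]$SettingValue)   # e.g. "oid1;oid2"
    $allowed = $SettingValue -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($oid in $aesCbcOids.Keys) {
        # FriendlyName is filled from the local OID table; $null means Windows does not know the OID
        $friendly = [System.Security.Cryptography.Oid]::new($oid).FriendlyName
        [pscustomobject]@{
            Oid         = $oid
            Algorithm   = $aesCbcOids[$oid]
            WindowsName = if ($friendly) { $friendly } else { '(unrecognized)' }
            Allowed     = $allowed -contains $oid
        }
    }
}

# Value exactly as quoted in the comment (input constructed for this example)
$setting = '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
Get-AllowedAlgorithmReport -SettingValue $setting | Format-Table -AutoSize
```

With the quoted value, the report shows AES-128-CBC and AES-256-CBC as allowed and AES-192-CBC as recognized by Windows but not allowed, which is the gap the commenter is asking about. Leaving a key size out of an allow-list is a policy decision rather than a security defect, since AES-192 is not weaker than AES-128; the useful check is that the OIDs you do list are ones the platform actually resolves, so a typo such as the ".12" in the earlier comment does not silently allow nothing.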

  • Anonymous
    June 08, 2015
    The comment has been removed

  • Anonymous
    June 16, 2015
    Good Morning,
    Can you please tell me if the Server 2012 R2 Baselines are CIS compliant? [Aaron Margosis]  We worked closely with CIS in the development of these baselines.  You should find no differences between Microsoft's and CIS' baselines for Server 2012 R2, or any other recent baselines.

  • Anonymous
    September 10, 2015
    Aaron - I've noticed both the DoD STIG and the Microsoft baseline for IE 11 specify Java permissions for each IE zone. It's my understanding that this GPO setting applies only to the long-defunct Microsoft Java, last included with Windows XP prior to Service Pack 2. It has no impact on the functionality of Oracle Java.

    So for any version of Internet Explorer from 9 on up, this setting is meaningless (since IE 8 is the last version that works on XP). Does this sound right? Should these settings be removed from all the various baselines? Thank you. [Aaron Margosis]  Yes and no. :)
    This should help explain:
    http://blogs.technet.com/b/fdcc/archive/2008/01/31/internet-explorer-security-setting-java-permissions-disable-java.aspx

  • Anonymous
    October 12, 2015
Is the Excel spreadsheet updated? On the user tab it has several settings which are not included in the GPO (Internet Communications settings, Attachment Manager, Network sharing and WMP codec download). [Aaron Margosis] I don't think I understand what you mean. Settings that are "Not Configured" never appear in GPO backups - only settings that are explicitly configured.

  • Anonymous
    October 14, 2015
In the Excel spreadsheet, these are shown as configured. But they do not appear in the GPO. For instance, in the spreadsheet "Prevent Codec Download" shows "Enabled" (for 2012 R2). [Aaron Margosis] Ah, yes, you're correct. The spreadsheet lists some settings in the 2012R2 column that don't need to be there. The 2012R2 guidance should generally match that of the 8.1 guidance.  On the other hand, there are two User Config Attachment Manager settings in the 8.1 baseline that are not in the GPOs for Server. Those appear to be oversights as well. Because those settings enforce defaults, impact should be low.

  • Anonymous
    October 21, 2015
    The solution accelerator website for SCM states "This tool is no longer supported by Microsoft"
    https://technet.microsoft.com/en-au/solutionaccelerators/cc835245.aspx

    So what is the officially supported method for hardening standalone servers? Back to using security templates? [Aaron Margosis] "Not supported" simply means that we won't necessarily provide bug fixes for the SCM tool itself. The Sysinternals tools are similarly "not supported".  SCM or the lightweight policy downloads/tools on the blog posts here for Win8.1/2012R2/IE11 and for Win10 are the best ways to deploy the security configuration recommendations.

  • Anonymous
    January 02, 2016
    I have found that the 'MSFT Windows Server 2012 R2 Member Server Baseline' GPO prevents Advanced Auditing from applying. If I remove the policy the settings apply properly again.

    Does anyone know which of the settings in this policy would cause this?

    Thanks! [Aaron Margosis] Never heard of that problem before - are you quite sure?

  • Anonymous
    January 16, 2016
    The comment has been removed

  • Anonymous
    October 20, 2017
    I ran the MBSA ver.2.3 installed in my W-8.1pro PC and the report came back very bad. The links lead to results about WindowsXP fixes, making me wonder if this is the correct version for 8.1. I also ran the WU troubleshooter and supposedly Nothing is wrong, so why don't I have the version mentioned on This page (from 2014*)? The report Also says that Windows Firewall is Not ON, but it is*. What is wrong with the Analyzer, or should it NOT be ran as Admin??