Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019

Microsoft is pleased to announce the draft release of the
security configuration baseline settings for Windows 10 version 1809
(a.k.a., “Redstone 5” or “RS5”), and for Windows Server 2019. Please
evaluate these proposed baselines and send us your feedback via blog
comments below.

Download the content here:

The downloadable attachment to this blog post includes importable
GPOs, a PowerShell script for applying the GPOs to local policy, custom
ADMX files for Group Policy settings, documentation in spreadsheet form
and as a Policy Analyzer file
(MSFT-Win10-v1809-RS5-WS2019-DRAFT.PolicyRules). In this release, we
have changed the documentation layout in a few ways:

  • MS Security Baseline Windows 10 v1809 and Server 2019.xlsx – A
    multi-tabbed workbook listing all Group Policy settings that ship
    in-box with Windows 10 v1809 or Windows Server 2019. Columns for
    “Windows 10 v1809,” “WS2019 Member Server,” and “WS2019 DC” show the
    recommended settings for those three scenarios. A small number of cells
    are color-coded to indicate that the settings should not be applied to
    systems that are not joined to an Active Directory domain. Cells in the
    “WS2019 DC” column are also highlighted when they differ from the
    corresponding cells in the “WS2019 Member Server” column. Another change
    from past spreadsheets is that we have combined tabs that used to be
    separate. Specifically, we are no longer breaking out Internet Explorer
    and Windows Defender AV settings into separate tabs, nor the settings
    for LAPS, MS Security Guide, and MSS (Legacy). All these settings are
    now in the Computer and User tabs.
  • BaselineDiffs-to-v1809-RS5-DRAFT.xlsx – This Policy
    Analyzer-generated workbook lists the differences in Microsoft security
    configuration baselines between the new baselines and the corresponding
    previous baselines. The Windows 10 v1809 settings are compared against
    those for Windows 10 v1803, and the Windows Server 2019 baselines are
    compared against those for Windows Server 2016.
  • Windows 10 1803 to 1809 New Settings.xlsx – Lists all the
    settings that are available in Windows 10 v1809 that were added since
    Windows 10 v1803. (We used to highlight these settings in the big
    all-settings spreadsheets.)
  • Server 2016 to 2019 New Settings.xlsx – Lists all the
    settings that are available in Windows Server 2019 that were added since
    Windows Server 2016. (We used to highlight these settings in the big
    all-settings spreadsheets.)

Highlights of the differences from past baselines, which are listed in BaselineDiffs-to-v1809-RS5-DRAFT.xlsx:

  • The MS Security Guide custom setting protecting against potentially
    unwanted applications (PUA) has been deprecated and is now implemented
    with a new setting under Computer Configuration…Windows Defender.
  • We have enabled the “Encryption Oracle Remediation” setting we had considered for v1803.
    At the time we were concerned that enabling the newly-introduced
    setting would break too many not-yet-patched systems. We assume that
    systems have since been brought up to date. (You can read information
    about the setting here and here.)
  • Changes to Virtualization-Based Security settings (used by Credential Guard and Code Integrity):
    • “Platform Security Level” changed from “Secure Boot and DMA
      Protection” to “Secure Boot.” If system hardware doesn’t support DMA
      protection, selecting “Secure Boot and DMA Protection” prevents
      Credential Guard from operating. If you can affirm that your systems
      support the DMA protection feature, choose the stronger option. We have
      opted for “Secure Boot” (only) in the baseline to reduce the likelihood
      that Credential Guard fails to run.
    • Enabled the new System Guard Secure Launch setting, which turns on
      Secure Launch on new, capable hardware. Secure Launch changes the way
      Windows boots to use Intel Trusted Execution Technology (TXT) and
      Runtime BIOS Resilience features to prevent firmware exploits from being
      able to impact the security of the Windows Virtualization Based
      Security environment.
    • Enabled the “Require UEFI Memory Attributes Table” option.
  • Enabled the new Kernel DMA Protection feature described here.
    The “External device enumeration” policy controls whether to enumerate
    external devices that are not compatible with DMA-remapping. Devices
    that are compatible with DMA-remapping are always enumerated.
  • Removed the BitLocker setting, “Allow Secure Boot for integrity
    validation,” as it merely enforced a default that was unlikely to be
    modified even by a misguided administrator.
  • Removed the BitLocker setting, “Configure minimum PIN length for
    startup,” as new hardware features reduce the need for a startup PIN,
    and the setting increased Windows’ minimum by only one character.
  • Enabled the new Microsoft Edge setting to prevent users from
    bypassing certificate error messages, bringing Edge in line with a
    similar setting for Internet Explorer.
  • Removed the block against handling PKU2U authentication requests, as the feature is increasingly necessary.
  • Removed the configuration of the “Create symbolic links” user rights
    assignment, as it merely enforced a default, was unlikely to be
    modified by a misguided administrator or for malicious purposes, and
    needs to be changed to a different value when Hyper-V is enabled.
  • Removed the deny-logon restrictions against the Guests group as
    unnecessary: by default, the Guest account is the only member of the
    Guests group, and the Guest account is disabled. Only an administrator
    can enable the Guest account or add members to the Guests group.
  • Removed the disabling of the xbgm (“Xbox Game Monitoring”) service,
    as it is not present in Windows 10 v1809. (By the way, consumer services
    such as the Xbox services have been removed from Windows Server 2019
    with Desktop Experience!)
  • Removed Credential Guard from the Domain Controller baseline.
    (Credential Guard is not useful on domain controllers and is not
    supported there.)
  • Created and enabled a new custom MS Security Guide setting for the
    domain controller baseline, “Extended Protection for LDAP Authentication
    (Domain Controllers only),” which configures the
    LdapEnforceChannelBinding registry value described here.
  • The Server 2019 baselines pick up all the changes accumulated in the four Windows 10 releases since Windows Server 2016.
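
As an added example (not part of the draft baseline package or of this post), here is a PowerShell pre-flight check to run on a candidate machine before applying the Virtualization-Based Security, Kernel DMA Protection, Encryption Oracle Remediation and LDAP channel-binding settings listed above. It reads what the platform reports through the Win32_DeviceGuard CIM class and the registry values the corresponding policies write, and flags the case the post warns about: requiring “Secure Boot and DMA Protection” on hardware that does not report DMA protection, which keeps Credential Guard from running. Assumptions: it runs elevated on the target; policy values are read from the Policies hive as a GPO would write them (a machine configured by hand rather than by GPO keeps the VBS values under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard instead); and the function names and the code-to-name mappings are mine, taken from the public documentation, not from the baseline itself.

```powershell
<#
  Added example, not part of the baseline download or of the blog post.
  Pre-flight check for the draft VBS / Kernel DMA / CredSSP / LDAP CBT settings.
  Assumption: run elevated; policy values are read from the Policies hive.
#>

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BaselinePreflight {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Documented codes this check relies on; anything else is shown numerically.
    $propNames = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }
    $svcNames  = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch' }

    $vbsKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $dmaKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
    $cssKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    $state = [pscustomobject]@{
        PlatformProperties = @($dg.AvailableSecurityProperties | ForEach-Object {
            if ($propNames[[int]$_]) { $propNames[[int]$_] } else { "property $_" } })
        ServicesRunning    = @($dg.SecurityServicesRunning | ForEach-Object {
            if ($svcNames[[int]$_]) { $svcNames[[int]$_] } else { "service $_" } })
        # 1 = Secure Boot, 3 = Secure Boot and DMA Protection
        RequirePlatformSecurityFeatures = Get-PolicyValue $vbsKey 'RequirePlatformSecurityFeatures'
        # 1 = "Require UEFI Memory Attributes Table" enabled
        HVCIMATRequired                 = Get-PolicyValue $vbsKey 'HVCIMATRequired'
        # 1 = Secure Launch enabled
        ConfigureSystemGuardLaunch      = Get-PolicyValue $vbsKey 'ConfigureSystemGuardLaunch'
        # Kernel DMA Protection external device enumeration:
        # 0 = block all, 1 = only after log in / screen unlock, 2 = allow all
        DeviceEnumerationPolicy         = Get-PolicyValue $dmaKey 'DeviceEnumerationPolicy'
        # Encryption Oracle Remediation: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable
        AllowEncryptionOracle           = Get-PolicyValue $cssKey 'AllowEncryptionOracle'
        IsDomainController              = Test-Path $ntdsKey
        # 0 = never, 1 = when supported, 2 = always (domain controllers only)
        LdapEnforceChannelBinding       = Get-PolicyValue $ntdsKey 'LdapEnforceChannelBinding'
        Findings                        = New-Object 'System.Collections.Generic.List[string]'
    }

    $f      = $state.Findings
    $hasDma = $dg.AvailableSecurityProperties -contains 3

    switch ($state.RequirePlatformSecurityFeatures) {
        3 { if (-not $hasDma) {
                $f.Add('Policy requires "Secure Boot and DMA Protection" (3) but the platform does not ' +
                       'report DMA protection: Credential Guard will not run. Use "Secure Boot" (1) ' +
                       'or enable the IOMMU (VT-d) in firmware.') } }
        1 { if ($hasDma) {
                $f.Add('Platform reports DMA protection; the stronger "Secure Boot and DMA Protection" (3) ' +
                       'option would work on this hardware.') } }
        default { $f.Add('RequirePlatformSecurityFeatures is not set by policy.') }
    }
    if (-not $state.IsDomainController -and $dg.SecurityServicesRunning -notcontains 1) {
        $f.Add('Credential Guard is not running on this non-DC system.')
    }
    if ($state.IsDomainController -and -not $state.LdapEnforceChannelBinding) {
        $f.Add('LdapEnforceChannelBinding is absent or 0 on a domain controller.')
    }
    if ($state.AllowEncryptionOracle -eq 2) {
        $f.Add('AllowEncryptionOracle = 2 (Vulnerable): CredSSP clients may talk to unpatched hosts.')
    }
    if ($null -eq $state.DeviceEnumerationPolicy) {
        $f.Add('Kernel DMA Protection enumeration policy is not set.')
    }
    return $state
}

# Usage: show the collected state, then the findings one per line.
$result = Test-BaselinePreflight
$result | Format-List PlatformProperties, ServicesRunning, RequirePlatformSecurityFeatures,
                      HVCIMATRequired, ConfigureSystemGuardLaunch, DeviceEnumerationPolicy,
                      AllowEncryptionOracle, IsDomainController, LdapEnforceChannelBinding
$result.Findings | ForEach-Object { Write-Output "FINDING: $_" }
```

The hashtable lookups cast to [int] on purpose: the CIM class returns UInt32 values, and a PowerShell hashtable keyed by Int32 literals will not match a UInt32 key without the cast. The script only reads; it does not change any policy, so it is safe to run on a production machine before the GPOs are linked.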

See the rest of the changes here.