Download the content from
the Microsoft Security Compliance Toolkit
(click Download and select Windows 10 Version 1903 and Windows Server Version
1903 Security Baseline.zip).
Note that Windows Server version
1903 is Server Core only and does not offer a Desktop Experience (a.k.a.,
“full”) server installation option. In the past we have published baselines
only for “full” server releases – Windows Server 2016 and 2019. Beginning with
this release we intend to publish baselines for Core-only Windows Server
versions as well. However, we do not intend at this time to distinguish
settings in the baseline that apply only to Desktop Experience. When applied to
Server Core, those settings are inert for all intents and purposes.
This new Windows Feature
Update brings very few new Group Policy settings, which we list in the
accompanying documentation. This baseline recommends configuring only two of
those. However, we have made several changes to existing settings, including
some changes since the draft version of this baseline
that we published last month.
The changes from the Windows
10 v1809 and Windows Server 2019 baselines include:
- Enabling the new “Enable svchost.exe mitigation options” policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed. Please pay special attention to this one as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins.
- Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.
- Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.
- Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats. We have added a setting to the custom “MS Security Guide” ADMX to enable managing this configuration setting through Group Policy.
- Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for the Kerberos authentication service.
- Dropping the password-expiration policies that require periodic password changes. This change is discussed in further detail below.
- Dropping the specific BitLocker drive encryption method and cipher strength settings. The baseline has been requiring the strongest available BitLocker encryption. We are removing that item for a few reasons. The default is 128-bit encryption, and our crypto experts tell us that there is no known danger of its being broken in the foreseeable future. On some hardware there can be noticeable performance degradation going from 128- to 256-bit. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact.
- Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings, as it turns out they merely enforce default behavior, as Raymond Chen describes here.
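The following PowerShell audit script is an added example and is not part of the baseline package or Microsoft's documentation. It checks the two name-resolution hardening items from the list (LLMNR disabled, NetBT NodeType restricted to P-node) by reading the registry values those policies write, and reports the encryption method currently in use on each BitLocker volume so an administrator can see what the dropped BitLocker requirement would have changed. The registry paths and value names are the standard policy locations for these settings and are assumptions here; confirm them against the GP reports shipped in the baseline before relying on the output.

```powershell
# Added audit script (not part of the Microsoft baseline package).
# Reads the registry values behind two of the baseline's name-resolution
# settings and reports whether each matches the recommended value, then
# lists the encryption method on each BitLocker volume.
# The paths below are the usual policy locations; treat them as assumptions.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        # Value absent: the policy has not been applied and default behaviour is in effect.
        $null
    }
}

function Test-NameResolutionHardening {
    $checks = @(
        [pscustomobject]@{
            Setting  = 'LLMNR disabled (EnableMulticast = 0)'
            Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
            Name     = 'EnableMulticast'
            Expected = 0
        },
        [pscustomobject]@{
            Setting  = 'NetBT NodeType = P-node (2)'
            Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
            Name     = 'NodeType'
            Expected = 2   # 1 = B-node, 2 = P-node, 4 = M-node, 8 = H-node
        }
    )
    foreach ($c in $checks) {
        $actual = Get-RegistryDword -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

function Get-BitLockerMethodSummary {
    # Get-BitLockerVolume ships with the BitLocker feature; skip cleanly if it is absent.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        Write-Warning 'BitLocker cmdlets are not available on this host.'
        return
    }
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
}

# Run both reports; non-compliant rows show Compliant = False.
Test-NameResolutionHardening | Format-Table -AutoSize
Get-BitLockerMethodSummary   | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a machine that has received the baseline GPOs. A `<not set>` entry means the policy value is simply absent, which for LLMNR leaves multicast resolution enabled by default, so it should be read as non-compliant rather than as an error.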
Additional changes that we
have adopted since publishing the draft version of this baseline include:
- Dropping the enforcement of the default behavior of disabling the built-in Administrator and Guest accounts. We had floated this proposal at the time of the draft baseline, and have since decided to accept it. The change is discussed in more detail below.
- Dropping a Windows Defender Antivirus setting that applies only to legacy email file formats.
- Changing the Windows Defender Exploit Protection XML configuration to allow Groove.exe (OneDrive for Business) to launch child processes, particularly MsoSync.exe, which is necessary for file synchronization.