Windows 10 – Security Baselines and recommended GPO settings

No Comments on Windows 10 – Security Baselines and recommended GPO settings

Back in November i wrote an article about the beta of the security baselines for Windows 10 version 1511 (TH2, Threshold2, November Release, Build 10586…) release.

Now the final release of these baslines is there for Windows 10 TH2. Also there is an update for the baselines of Windows 10 TH1 (v1507, build 10240, Threshold 1, LTSB).

Updated Security Baselines – Windows 10 v1507

For TH1 there is an updated version of the security baselines. The following changes have been made

  • Removed configuration of “Allow unicast response” from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is miniscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide “Interactive logon: Machine inactivity limit” setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for “Recovery console: Allow automatic administrative logon.” This setting has been obsolete since Windows XP and its removal just got missed until now.

The baselines for TH1 are available as importable GPOs and are shipped with a documentation. There will be no SCM (Security Compliance Manager) .CAB files. There will be .CAB files for the TH2 baselines. The TH1 baselines should be interesting for users of the LTSB, all others should update to v1511…

Here you can find the download an some more information:

Security baseline for Windows 10 (v1507, build 10240, TH1, LTSB) — UPDATE

Finale Version der Security Baselines – Windows 10 v1511

For version v1511 of Windows 10 there are the final baselines available now. Those are importable GPOs and a documentation too, but there will be some SCM .CAB files in the net days too…

The following changes have been made:

  • Enabled “Turn off Microsoft consumer experiences,” which is a new setting as of version 1511.
  • Removed configuration of “Allow unicast response” from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is miniscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide “Interactive logon: Machine inactivity limit” setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for “Recovery console: Allow automatic administrative logon.” This setting has been obsolete since Windows XP and its removal just got missed until now

Here you can find the download an some more information:
Security baseline for Windows 10 (v1511, “Threshold 2”) — FINAL

Dieser Post ist auch verfügbar auf: German

Related Posts

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to Top