Windows 10 – Security Baselines and recommended GPO settings

Back in November I wrote an article about the beta of the security baselines for Windows 10 version 1511 (TH2, Threshold 2, November Release, Build 10586…).

Now the final release of these baselines is available for Windows 10 TH2. There is also an update for the baselines of Windows 10 TH1 (v1507, build 10240, Threshold 1, LTSB).

Updated Security Baselines – Windows 10 v1507

For TH1 there is an updated version of the security baselines. The following changes have been made:

  • Removed configuration of “Allow unicast response” from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is minuscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide “Interactive logon: Machine inactivity limit” setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for “Recovery console: Allow automatic administrative logon.” This setting has been obsolete since Windows XP and its removal just got missed until now.

The baselines for TH1 are available as importable GPOs and ship with documentation. There will be no SCM (Security Compliance Manager) .CAB files for TH1; .CAB files will be provided for the TH2 baselines. The TH1 baselines are mainly of interest to users of the LTSB; everyone else should update to v1511…

Here you can find the download and some more information:

Security baseline for Windows 10 (v1507, build 10240, TH1, LTSB) — UPDATE

Final Version of the Security Baselines – Windows 10 v1511

For version v1511 of Windows 10 the final baselines are available now. These are importable GPOs with documentation as well, and SCM .CAB files will follow in the next few days…

The following changes have been made:

  • Enabled “Turn off Microsoft consumer experiences,” which is a new setting as of version 1511.
  • Removed configuration of “Allow unicast response” from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is minuscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide “Interactive logon: Machine inactivity limit” setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for “Recovery console: Allow automatic administrative logon.” This setting has been obsolete since Windows XP and its removal just got missed until now.
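
As an added example (not part of the original post and not code from Microsoft's baseline package), the following PowerShell reports the local machine's effective values for the settings named in the TH1 and TH2 change lists above, so an administrator can see what a baseline import actually left behind. The registry locations are the standard Windows policy paths for these settings; the "OK/Review" thresholds, the helper name Get-PolicyValue and the use of Get-NetFirewallProfile for the unicast check are my assumptions. The script only reads; it changes nothing.

```powershell
# Added example: audit local state for the settings discussed in the baseline change notes.
# Registry paths are the standard policy locations; thresholds below are assumptions.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null   # value absent means the policy is "Not Configured"
    }
}

$results = @()

# "Interactive logon: Machine inactivity limit" (seconds). The baselines keep this
# computer-wide setting and drop the per-user screen saver timeout, so it should be set.
$inactivity = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
$inactivityStatus = if ($inactivity -and $inactivity -le 900) { 'OK' } else { 'Review' }  # 900 s is an assumed ceiling
$results += [pscustomobject]@{
    Setting = 'Interactive logon: Machine inactivity limit'
    Value   = $inactivity
    Status  = $inactivityStatus
}

# Cached logon count: the updated baselines no longer restrict it, so it is reported only.
$cached = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
$results += [pscustomobject]@{
    Setting = 'Interactive logon: Number of previous logons to cache'
    Value   = $cached
    Status  = 'Info (no longer restricted by the baseline)'
}

# "Recovery console: Allow automatic administrative logon" is obsolete; a leftover value of 1
# from an older policy is worth noting, absence is fine.
$rc = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole' 'SecurityLevel'
$rcStatus = if ($rc -eq 1) { 'Review (obsolete setting still enabled)' } else { 'OK' }
$results += [pscustomobject]@{
    Setting = 'Recovery console: Allow automatic administrative logon'
    Value   = $rc
    Status  = $rcStatus
}

# "Turn off Microsoft consumer experiences" (new in v1511): the TH2 baseline enables it,
# which corresponds to DisableWindowsConsumerFeatures = 1.
$consumer = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' 'DisableWindowsConsumerFeatures'
$consumerStatus = if ($consumer -eq 1) { 'OK' } else { 'Review (TH2 baseline enables this)' }
$results += [pscustomobject]@{
    Setting = 'Turn off Microsoft consumer experiences'
    Value   = $consumer
    Status  = $consumerStatus
}

# "Allow unicast response" per firewall profile: the baselines stopped configuring it because
# blocking unicast responses breaks DHCP. Flag any profile where it is still disallowed.
foreach ($profile in Get-NetFirewallProfile) {
    $unicast = $profile.AllowUnicastResponseToMulticast
    $unicastStatus = if ("$unicast" -eq 'False') { 'Review (may break DHCP)' } else { 'OK' }
    $results += [pscustomobject]@{
        Setting = "Firewall $($profile.Name) profile: Allow unicast response"
        Value   = "$unicast"
        Status  = $unicastStatus
    }
}

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a client that has had the baseline GPOs applied; a blank Value column means the policy is not configured at all, which is the expected result for the settings the change lists say were removed.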

Here you can find the download and some more information:
Security baseline for Windows 10 (v1511, “Threshold 2”) — FINAL

About the author:

I am Eric Berg, a Senior IT Consultant for Microsoft Solutions, active mainly in virtualization, client lifecycle management, and private and public cloud.
Since 2015 I have been a System Center Cloud and Datacenter MVP.
Since 2014 I have been a Microsoft Partner Technical Solutions Professional (P-TSP) and work on behalf of Microsoft with customers on the topics described above.
All thoughts, opinions and ideas on this website are my own and do not reflect the position of my employer or of Microsoft.