Recommended Security Baseline Settings

Recommended Security Baseline Settings
for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11
Background and Summary

This document outlines recommended security configuration settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11, using
the previously-published baselines for Windows 8, Windows Server 2012 and Internet Explorer 10 as the starting point. These guidelines are
intended for well-managed enterprises.
Some of the more interesting changes from the Windows 8/2012/IE10 baselines:
 Use of new and existing settings to help block some Pass the Hash attack vectors
 Blocking the use of web browsers on domain controllers
 Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines
 Removal of almost all service startup settings, and all server role baselines that contain only service startup settings
 Removal of the recommendation to enable “FIPS mode”
Contents
Background and Summary ............................................................................................................................................................................................. 1
Settings New to Windows 8.1 and Windows Server 2012 R2 ....................................................................................................................................... 2
Settings New to Internet Explorer 11 ............................................................................................................................................................................ 6
Changes to Settings Inherited from Existing Baselines .................................................................................................................................................. 8
Changes to all Windows Server product baselines .................................................................................................................................................... 8
Pass the Hash ............................................................................................................................................................................................................. 9
Blocking the use of Web Browsers on Domain Controllers ..................................................................................................................................... 11
EMET ........................................................................................................................................................................................................................ 13
Updated Guidance ................................................................................................................................................................................................... 14
Advanced Auditing ................................................................................................................................................................................................... 16
Final v1.1 2 September 2014 Page 1 of 28

Removed Windows Recommendations ................................................................................................................................................................... 23
Removed Internet Explorer Recommendations ...................................................................................................................................................... 26
Bugs .............................................................................................................................................................................................................................. 27
Settings New to Windows 8.1 and Windows Server 2012 R2

The following settings are new to Windows 8.1 and Windows Server 2012 R2, and have been identified for inclusion in both the Windows 8.1
and Server 2012 R2 security baselines.
For Windows Server 2012 R2, we recommend the creation of baselines only for “Domain Controller Security Compliance”, “Domain Security
Compliance” and “Member Server Security Compliance”. We discuss this further in the “Changes to Both New and Existing Baselines” section
under “Changes to all Windows Server product baselines”.
Policy Path Policy Name Old New Value Rationale

Value
Computer Prevent enabling lock screen camera N/A Enabled Unauthenticated user can create
Configuration\Administrative content in user’s Pictures folder
Templates\Control (Tampering, Repudiation, Denial of
Panel\Personalization Service)
Computer Prevent enabling lock screen slide show N/A Enabled Potentially sensitive information
Configuration\Administrative from logged on user’s Pictures
Templates\Control folder displayed on locked desktop
Panel\Personalization (information disclosure)
Computer Include command line in process creation events N/A Not Enable only when needed;
Configuration\Administrative Configured otherwise it provides an attacker
Templates\System\Audit with admin rights a lot of data,
Process Creation potentially including passwords
(e.g., from a NET USE command
line).

Value
Computer Do not display network selection UI N/A Enabled Unauthenticated user should not
Configuration\Administrative be able to switch networks.
Templates\System\Logon (Tampering)
Computer Allow Microsoft accounts to be optional N/A Enabled Enterprises have to be able to
Configuration\Administrative enable app use without tying to an
Templates\Windows MSA or automatically uploading
Components\App runtime data to SkyDrive.
Computer Sign-in last interactive user automatically after a system- N/A Disabled Requires Windows to retain
Configuration\Administrative initiated restart plaintext-equivalent credentials
Templates\Windows during session
Components\Windows
Logon Options

Value
Computer Deny access to this computer from the network Guests Guests, Local Win8.1/2012R2 introduces two
Configuration\Windows account new pseudo groups that a local-
Settings\Local Policies\User account logon can get in its token
Rights Assignment (for Member and that has been backported to
Server: Windows 7/2008R2 and newer
Guests, Local with KB 2871997. Guests and
account and local accounts should be denied
member of network logon on domain-joined
Administrators systems. (For Member Server,
group) replace “Local account” with
“Local account and member of
Administrators group” to avoid
breaking failover clustering.) Also,
Enterprise Admins and Domain
Admins should also be denied all
access on all clients and servers
except for Domain Controllers and
dedicated admin workstations.
(Note that EA and DA are domain-
specific and cannot be specified in
generic baselines such as those in
SCM.)

Value
Computer Deny log on through Remote Desktop Services Guests Guests, Local Win8.1/2012R2 introduces a new
Configuration\Windows account pseudo group called “Local
Settings\Local Policies\User account” that any local-account
Rights Assignment logon gets in its token and that
has been backported to Windows
7/2008R2 and newer with KB
2871997. Guests and Local
Account should be denied remote
desktop logon on domain-joined
systems. Also, Enterprise Admins
and Domain Admins should also
be denied all access on all clients
and servers except for Domain
Controllers and dedicated admin
workstations. (Note that EA and
DA are domain-specific and cannot
be specified in generic baselines
such as those in SCM.)
Computer Lsass.exe audit mode N/A Not For more information, see
Configuration\Administrative (HKLM\SOFTWARE\Microsoft\Windows configured http://technet.microsoft.com/en-
Templates\SCM: Pass the NT\CurrentVersion\Image File Execution us/library/dn408187.aspx
Hash Mitigations Options\LSASS.exe!AuditLevel A custom Administrative Template
is provided so that this setting can
be configured with the Group
Policy editor.

Value
Computer Enable LSA Protection N/A Not For more information, see
Configuration\Administrative (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL) configured http://technet.microsoft.com/en-
Templates\SCM: Pass the us/library/dn408187.aspx
Hash Mitigations A custom Administrative Template
is provided so that this setting can
be configured with the Group
Policy editor. Note that on UEFI-
capable machines, once the
setting is enabled it cannot be
disabled using Group Policy alone.
User Turn off toast notifications on the lock screen N/A Enabled Information disclosure
Configuration\Administrative
Templates\Start Menu and
Taskbar\Notifications
Settings New to Internet Explorer 11

The following new settings have been identified for inclusion in the Internet Explorer 11 security baseline.
Policy Path Policy Name Old Value New Value Rationale

Computer Turn on 64-bit N/A Enabled Increased protection; will break some sites, but applies only
Configuration\Administrative tab processes when EPM is enforced
Templates\Windows when running in
Components\Internet Enhanced
Explorer\Internet Control Protected Mode
Panel\Advanced Page on 64-bit
versions of
Windows

Computer Don't run N/A Enabled: Disable Enforce the default
Configuration\Administrative antimalware
Templates\Windows programs against
Components\Internet ActiveX controls
Explorer\Internet Control
Panel\Security Page\Internet
Zone
Computer Don't run N/A Enabled: Disable (stronger than default; align with DoD STIG)
Panel\Security Page\Intranet
Zone
Panel\Security Page\Local
Machine Zone
Computer Don't run N/A Enabled: Disable Enforce the default
Panel\Security
Page\Restricted Sites Zone

Panel\Security Page\Trusted
Sites Zone
Changes to Settings Inherited from Existing Baselines

This section describes changes to settings that were inherited from older baselines. These changes will also be backported to those baselines:
Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012. The Baseline column describes which baselines
are affected.
Changes to all Windows Server product baselines

One change that we recommend for all Windows Server baselines is to create and maintain baselines only for “Domain Controller Security
Compliance”, “Domain Security Compliance” and “Member Server Security Compliance”. We recommend not creating (and deleting where they
now exist) server role baselines for AD Certificate Services, DHCP, DNS, File Server, Hyper-V, Network Policy and Access, Print Server, Remote
Access Services, Remote Desktop Services or Web Server.
The reason for this change is because those baselines contain only configuration for service startup and simply try to enforce the defaults for
their respective roles. The problems with these baselines are that 1) they are time-consuming to define and maintain, as service startup defaults
may change between OS versions; 2) as one can safely assume that the built-in Server Manager or other configuration tools do their job
correctly, the baselines provide almost no security benefit; and 3) they can create serious problems when they get it wrong. For example, in
some scenarios, Windows temporarily configures the Windows Installer service (which is normally a Manual start service) to be an Automatic
start service so that it can perform actions immediately following a reboot. The security baseline that forces it back to Manual-start thus causes
updates not to be correctly installed.
For those reasons, we have also decided to remove all the service startup settings from the Server baselines that include them (e.g., Windows
Server 2012 Domain Controller Security Compliance”). The one exception is the service startup configuration setting for the Application Identity

service in Domain Controllers, which is required to support the use of AppLocker (described in the section below, “Blocking the use of Web
Browsers on Domain Controllers”).
Pass the Hash

The following settings changes are recommended to help mitigate against Pass the Hash and similar credential theft attacks.
Baseli Policy Path Policy Name Old Value New Value Rationale
ne
All Computer Apply UAC restrictions to local N/A Enable Recommended in "Mitigating Pass-the-
Client Configuration\Administrative accounts on network logons (REG_DWORD Hash (PtH) Attacks and Other Credential
OS Templates\SCM: Pass the Hash (HKLM\SOFTWARE\Microsoft\W 0) Theft Techniques":
and Mitigations indows\CurrentVersion\Policies\ http://www.microsoft.com/en-
Memb System us/download/details.aspx?id=36036
er !LocalAccountTokenFilterPolicy) A custom Administrative Template is
Server provided so that this setting can be
s configured with the Group Policy editor.
All OS Computer Deny access to this computer Guests Guests, Local Win8.1/2012R2 introduces two new
Configuration\Windows from the network account pseudo groups that a local-account logon
Settings\Security Settings\Local can get in its token and that has been
Policies\User Rights (for Member backported to Windows 7/2008R2 and
Assignment Server: Guests, newer with KB 2871997. Guests and local
Local account accounts should be denied network logon
and member of on domain-joined systems. (For Member
Administrators Server, replace “Local account” with
group) “Local account and member of
Administrators group” to avoid breaking
failover clustering.) Also, Enterprise
Admins and Domain Admins should also
be denied all access on all clients and
servers except for Domain Controllers and
dedicated admin workstations. (Note that
EA and DA are domain-specific and cannot
be specified in generic baselines such as
those in SCM.)

ne
All Computer Deny log on through Remote Guests Guests, Local Win8.1/2012R2 introduces a new pseudo
OS Configuration\Windows Desktop Services account group called “Local account” that any
Settings\Security Settings\Local local-account logon gets in its token and
Policies\User Rights that has been backported to Windows
Assignment 7/2008R2 and newer with KB 2871997.
Guests and Local Account should be
denied remote desktop logon on domain-
joined systems. Also, Enterprise Admins
and Domain Admins should also be denied
all access on all clients and servers except
for Domain Controllers and dedicated
admin workstations. (Note that EA and DA
are domain-specific and cannot be
specified in generic baselines such as
those in SCM.)
All OS Computer Deny log on as a batch job Guests Guests Also, Enterprise Admins and Domain
Configuration\Windows Admins should also be denied all access on
Settings\Security Settings\Local all clients and servers except for Domain
Policies\User Rights Controllers and dedicated admin
Assignment workstations. (Note that EA and DA are
domain-specific and cannot be specified in
generic baselines such as those in SCM.)
All OS Computer Deny log on as a service Guests Guests Also, Enterprise Admins and Domain

ne
All OS Computer Deny log on locally Guests Guests Also, Enterprise Admins and Domain
All OS Computer WDigest Authentication N/A Disabled WDigest leaves users’ plaintext-equivalent
Configuration\Administrative (disabling may require passwords in Lsass.exe memory.
Templates\SCM: Pass the Hash KB2871997) Recommended in “Mitigating Pass-the-
Mitigations Hash and Other Credential Theft, version
2”, http://www.microsoft.com/pth
Blocking the use of Web Browsers on Domain Controllers

It is well-established within the security community that it is highly dangerous and unnecessary to browse the web from a high-value system
such as a Domain Controller. The purpose of the new baseline recommendations in this section is to help prevent such behavior by using
AppLocker to block the use of popular web browsers. Note that because it is impossible to prevent an administrator from bypassing these or
any other rules, the real purpose of these rules is to prevent accidental use and to make it clear that web browser use on a DC is inadvisable.
While these rules will cover many cases, they should not be considered to be comprehensive. Not only are there other browsers that are not
covered by this rule set, there are many other behaviors that are similarly dangerous when performed on a domain controller and that are not
explicitly blocked. For such cases, these rules can be considered illustrative of an approach that can be extended to be more comprehensive.
These rules can also be applied to other high value systems, such as database servers and dedicated, single-purpose administrative workstations
that are used solely to administer Active Directory.

Baseline Policy Path Policy Name New Value Rationale
All Windows Computer Enable Enable Block web browsers on DCs
Server “Domain Configuration\Windows enforcement of
Controller” Settings\Security Executable Rules
baselines Settings\Application Control
Policies\AppLocker
All Windows Computer Block IE FilePublisherRule: Deny Block web browsers on DCs
Server “Domain Configuration\Windows Everyone
Controller” Settings\Security PublisherName="O=MICROSOFT
baselines Settings\Application Control CORPORATION,
Policies\AppLocker\Executable L=REDMOND,
Rules S=WASHINGTON, C=US"
ProductName="WINDOWS®
INTERNET EXPLORER"
BinaryName="IEXPLORE.EXE"
All Windows Computer Block Chrome.exe FilePublisherRule: Deny Block web browsers on DCs
Controller” Settings\Security PublisherName="O=GOOGLE
baselines Settings\Application Control INC, L=MOUNTAIN VIEW,
Policies\AppLocker\Executable S=CALIFORNIA, C=US"
Rules ProductName="GOOGLE
CHROME"
BinaryName="CHROME.EXE"
All Windows Computer Block Firefox FilePublisherRule: Deny Block web browsers on DCs
Controller” Settings\Security PublisherName="O=MOZILLA
baselines Settings\Application Control CORPORATION,
Policies\AppLocker\Executable L=MOUNTAIN VIEW, S=CA,
Rules C=US"
ProductName="FIREFOX"
BinaryName="FIREFOX.EXE"

Baseline Policy Path Policy Name New Value Rationale
All Windows Computer Default rules Allow non-admins to run Block web browsers on DCs
Server “Domain Configuration\Windows executables in Program Files
Controller” Settings\Security Allow non-admins to run
baselines Settings\Application Control executables in Windir
Policies\AppLocker\Executable Allow admins to run executables
Rules anywhere
All Windows Computer Application Service startup mode = AppLocker requires AppIDSvc to be
Server “Domain Configuration\Windows Identity Automatic running to enforce rules
Controller” Settings\Security (AppIDSvc)
baselines Settings\System Services
EMET
We recommend installing EMET on all workstations and servers, along with these Group Policy settings:
Baseline Policy Path Policy Name Old Value New Value Rationale
All Computer Default Protections N/A Enabled EMET protections
OS Configuration\Administrative for Internet Explorer
Templates\Windows
Components\EMET
OS Configuration\Administrative for Popular Software
Templates\Windows
Components\EMET
OS Configuration\Administrative for Recommended
Templates\Windows Software
Components\EMET
All Computer System ASLR N/A Enabled: EMET protections
OS Configuration\Administrative Application Opt-In
Templates\Windows
Components\EMET

All Computer System DEP N/A Enabled: EMET protections
OS Configuration\Administrative Application Opt-Out
Templates\Windows
Components\EMET
All Computer System SEHOP N/A Enabled: EMET protections
OS Configuration\Administrative Application Opt-Out
Templates\Windows
Components\EMET
Updated Guidance
This section defines settings in all baselines covered by this report that should be added or changed to be consistent with other baselines.
All Computer Specify the maximum log file 20480 32768 Make consistent with Server OS
Client Configuration\Windows size (KB) recommendations and increase
OS Components\Event Log diagnostic and forensic abilities.
Service\Application
Service\Security
Service\System
All Computer Allow indexing of encrypted files Not Disabled Information disclosure; encrypted
OS Configuration\Administrative Configured content potentially goes into
Templates\Windows unencrypted index
Components\Search

All Computer Configuration\ Account lockout threshold 50 invalid 10 invalid 50 gives attackers too many shots;
OS Windows Settings\Security logon logon the 50 most-used passwords will
Settings\Account attempts attempts give attackers too many accounts.
Policies\Account Lockout Policy Too low a threshold causes
accidental lockout from application-
cached passwords. (Separate blog
post describes issues in more detail.)
All Computer MSS: (ScreenSaverGracePeriod) 0 Seconds 5 seconds No real security benefit setting it to
OS Configuration\Windows The time in seconds before the 0; align with DoD STIG.
Settings\Security Settings\Local screen saver grace period
Policies\Security Options expires (0 Recommended)
All Computer Network security: Force logoff Not Enabled Make logoff hours work over the
OS Configuration\Windows when logon hours expire Configured network too.
Settings\Security Settings\Local
Policies\Security Options
All Computer User Account Control: Behavior Prompt for Prompt for Make consistent (note that the
OS Configuration\Windows of the elevation prompt for consent for consent on actual value for Server 2008 has to
Settings\Security Settings\Local administrators in Admin non- the secure be “Prompt for consent”, as “secure
Policies\Security Options Approval Mode Windows desktop desktop” is specified in another
binaries option on Server 2008).
All Computer User Account Control: Behavior Prompt for Automatically UAC same-desktop elevation is not a
OS Configuration\Windows of the elevation prompt for credentials deny security boundary; there are more
Settings\Security Settings\Local standard users elevation secure ways to administer a system.
Policies\Security Options requests
All Computer Network security: Allow Local Not Defined Enabled Added to Member Server baseline
Membe Configuration\Windows System to use computer identity to be consistent with client and
r Settings\Security Settings\Local for NTLM domain controller baselines
Servers Policies\Security Options
All Computer Network security: Allow Not Defined Disabled Added to Member Server baseline
Membe Configuration\Windows LocalSystem NULL session to be consistent with client and
r Settings\Security Settings\Local fallback domain controller baselines
Servers Policies\Security Options

All Computer Access this computer from the Users, Authenticate Make consistent with Server
Client Configuration\Windows network Administrato d Users, guidance
OS Settings\Security Settings\Local rs Administrator
Policies\User Rights Assignment s
Advanced Auditing
The guidance for Windows 8 and Windows Server 2012 recommends “No Auditing” for many settings where the intent was to specify “Not
Defined” and to allow customer decisions. In some cases, “No Auditing” overrode a more secure default. We have tried to fix all those cases
here.
All Computer Audit Kerberos Authentication No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Service customers to decide
Settings\Advanced Audit Policy
Configuration\Audit
Policies\Account Logon
All Computer Audit Kerberos Service Ticket No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Operations customers to decide
Configuration\Audit
All Computer Audit Other Account Logon No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Events customers to decide
Configuration\Audit
All Computer Audit Application Group No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Management customers to decide
Configuration\Audit
Policies\Account Management

All Computer Audit Computer Account No Auditing Not Defined No security value; better to allow
Client Configuration\Windows Management customers to decide
OS Settings\Advanced Audit Policy
Configuration\Audit
All Computer Audit Distributed Group No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Management customers to decide
Configuration\Audit
All Computer Audit DPAPI Activity No Auditing Not Defined No security value; better to allow
OS Configuration\Windows customers to decide
Configuration\Audit
Policies\Detailed Tracking
All Computer Audit Process Termination No Auditing Not Defined No security value; better to allow
Settings\Advanced Audit
Policy\Configuration\Audit
All Computer Audit RPC Events No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Detailed Directory Service No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Replication customers to decide
Configuration\Audit Policies\DS
Access

All Computer Audit directory service access No Auditing Not Defined No security value; better to allow
Client Configuration\Windows customers to decide
Access
All Computer Audit Directory Service Changes No Auditing Not Defined No security value; better to allow
Client Configuration\Windows customers to decide
Access
All Computer Audit Directory Service No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Replication customers to decide
Access
All Computer Audit Account Lockout No Auditing Success “No Auditing” was probably a
OS Configuration\Windows mistaken entry here.
Configuration\Audit
Policies\Logon/Logoff
All Computer Audit IPSec Extended Mode No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit IPSec Main Mode No Auditing Not Defined No security value; better to allow
Configuration\Audit

All Computer Audit IPSec Quick Mode No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Network Policy Server No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Other Logon/Logoff No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Application Generated No Auditing Not Defined No security value; better to allow
Configuration\Audit
Policies\Object Access
All Computer Audit Central Access Policy No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Staging customers to decide
Configuration\Audit
All Computer Audit Certification Services No Auditing Not Defined No security value; better to allow
Configuration\Audit

All Computer Audit Detailed File Share No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit File Share No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit File System No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Filtering Platform No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Connection customers to decide
Configuration\Audit
All Computer Audit Filtering Platform Packet No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Drop customers to decide
Configuration\Audit
All Computer Audit Handle Manipulation No Auditing Not Defined No security value; better to allow
Configuration\Audit

All Computer Audit Kernel Object No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Other Object Access No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Registry No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Removable Storage No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit SAM No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Authorization Policy No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Change customers to decide
Configuration\Audit
Policies\Policy Change

All Computer Audit Filtering Platform Policy No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit MPSSVC Rule-Level Policy No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Other Policy Change No Auditing Not Defined No security value; better to allow
Configuration\Audit
All Computer Audit Non Sensitive Privilege No Auditing Not Defined No security value; better to allow
OS Configuration\Windows Use customers to decide
Configuration\Audit
Policies\Privilege Use
All Computer Audit Other Privilege Use Events No Auditing Not Defined No security value; better to allow
Configuration\Audit
Policies\Privilege Use
All Computer Audit Other System Events No Auditing Success and “No Auditing” was probably a
OS Configuration\Windows Failure mistaken entry here.
Configuration\Audit
Policies\System

Removed Windows Recommendations
This section lists settings that we believe should be removed from the Windows recommendations. In many cases, they provide little or no
security value. In other cases, the settings are no longer applicable.
Baseline Policy Path Policy Name Old Value New Rationale

Value
All Computer System Enabled Not Limited security value; breaks many legitimate use cases; SSL
OS Configuration\Windows cryptography: Defined 3.0 and earlier can be disabled through other means. Discussed
Settings\Security Use FIPS in more detail here:
Settings\Local compliant http://blogs.technet.com/b/secguide/archive/2014/04/07/why-
Policies\Security Options algorithms for we-re-not-recommending-fips-mode-anymore.aspx
encryption,
hashing, and
signing
All Computer Interactive Enabled Not No security value
OS Configuration\Windows logon: Require Defined
Settings\Security Domain
Settings\Local Controller
Policies\Security Options authentication
to unlock
workstation
All Computer User Account Disabled Not No security value
OS Configuration\Windows Control: Only Defined
Settings\Security elevate
Settings\Local executables
Policies\Security Options that are
signed and
validated
All OS Computer Bypass Administrators, Not No security value
Configuration\Windows traverse Users, Local Defined
Settings\Security checking Service,
Settings\Local Policies\User Network
Rights Assignment Service

Value
All OS Computer Increase a Administrators, Not No security value
Configuration\Windows process Local Service Defined
Settings\Security working set
Settings\Local Policies\User
Rights Assignment
All OS Computer Specify the Enabled: Not Setting is customer-specific
Configuration\Administrative search server Search configured
Templates\System\Device for device Managed
Installation driver updates Server
All Computer Turn off Enabled Not No longer applicable
OS Configuration\Administrative Search Defined
Templates\System\Internet Companion
Communication content file
Management\Internet updates
Communication settings
All Computer Turn off the Enabled Not No longer applicable
OS Configuration\Administrative "Publish to Defined
Templates\System\Internet Web" task for
Communication files and
Management\Internet folders
All Computer Turn off the Enabled Not No longer applicable
OS Configuration\Administrative Windows Defined
Templates\System\Internet Messenger
Communication Customer
Management\Internet Experience
Communication settings Improvement
Program

Value
All Computer Turn off Enabled Not No security value
OS Configuration\Administrative Windows Defined
Templates\System\Internet Update device
Communication driver
Management\Internet searching
All Computer Control Event Disabled Not No security value
OS Configuration\Administrative Log behavior Defined
Templates\Windows when the log
Components\Event Log file reaches its
Service\Application maximum size
Service\Security maximum size
Service\System maximum size
All Computer Allow Remote Enabled Not No security value (opposite!)
OS Configuration\Administrative Shell Access Defined
Templates\Windows
Components\Windows
Remote Shell

Value
All DC Computer Interactive 4 logons Not Not applicable since the role is a Domain Controller.
Configuration\Windows logon: Defined
Settings\Security Number of
Settings\Local previous
Policies\Security Options logons to
cache (in case
domain
controller is
not available)
All DC Computer Log on as a Administrators Not Previous guidance prevents some least-privilege scenarios.
Configuration\Windows batch job Defined
Settings\Security
Settings\Local Policies\User
Rights Assignment
Removed Internet Explorer Recommendations

This section lists settings that we believe should be removed from the Internet Explorer recommendations. In many cases, they provide little or
no security value. In other cases, the settings are no longer applicable.
All User Disable Save this program to Enabled Not No security value
IE Configuration\Administrative disk option Configured
Templates\Windows
Components\Internet
Explorer\Browser menus
All Computer Disable the Advanced page Enabled Not No security value
IE Configuration\Administrative Configured
Templates\Windows
Components\Internet
Explorer\Internet Control Panel

All Computer Disable the Security page Enabled Not No security value
Templates\Windows
Components\Internet
Explorer\Internet Control Panel
All Computer Software channel permissions High Safety Not No longer applicable
Templates\Windows
Components\Internet
Panel\Security Page\Internet
Zone
All Computer Software channel permissions High Safety Not No longer applicable
Templates\Windows
Components\Internet
Panel\Security Page\Restricted
Sites Zone
Bugs
This section lists defects in the existing guidance that need to be repaired.
Domain Computer Microsoft network Disabled Enabled Change value in “Default” column based on
Controller Configuration\Windows server: Digitally sign incorrect setting per
Settings\Security communications http://technet.microsoft.com/en-
Settings\Local (always) us/library/jj852239.aspx
Policies\Security
Options

Domain Computer Microsoft network Disabled Enabled Change value in “Default” column based on
Controller Configuration\Windows server: Digitally sign incorrect setting per
Settings\Security communications (if http://technet.microsoft.com/en-
Settings\Local client agrees) us/library/jj852242.aspx
Policies\Security
Options

Recommended Security Baseline Settings

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Recommended Security Baseline Settings

Încărcat de

Drepturi de autor:

Formate disponibile

Recommended Security Baseline Settings

Background and Summary

Final v1.1 2 September 2014 Page 1 of 28

Settings New to Windows 8.1 and Windows Server 2012 R2

Policy Path Policy Name Old New Value Rationale

Final v1.1 2 September 2014 Page 2 of 28

Final v1.1 2 September 2014 Page 3 of 28

Final v1.1 2 September 2014 Page 4 of 28

Final v1.1 2 September 2014 Page 5 of 28

Settings New to Internet Explorer 11

Policy Path Policy Name Old Value New Value Rationale

Final v1.1 2 September 2014 Page 6 of 28

Final v1.1 2 September 2014 Page 7 of 28

Changes to Settings Inherited from Existing Baselines

Changes to all Windows Server product baselines

Final v1.1 2 September 2014 Page 8 of 28

Pass the Hash

Final v1.1 2 September 2014 Page 9 of 28

Final v1.1 2 September 2014 Page 10 of 28

Blocking the use of Web Browsers on Domain Controllers

Final v1.1 2 September 2014 Page 11 of 28

Final v1.1 2 September 2014 Page 12 of 28

Final v1.1 2 September 2014 Page 13 of 28

Final v1.1 2 September 2014 Page 14 of 28

Final v1.1 2 September 2014 Page 15 of 28

Final v1.1 2 September 2014 Page 16 of 28

Final v1.1 2 September 2014 Page 17 of 28

Final v1.1 2 September 2014 Page 18 of 28

Final v1.1 2 September 2014 Page 19 of 28

Final v1.1 2 September 2014 Page 20 of 28

Final v1.1 2 September 2014 Page 21 of 28

Final v1.1 2 September 2014 Page 22 of 28

Baseline Policy Path Policy Name Old Value New Rationale

Final v1.1 2 September 2014 Page 23 of 28

Final v1.1 2 September 2014 Page 24 of 28

Final v1.1 2 September 2014 Page 25 of 28

Removed Internet Explorer Recommendations

Final v1.1 2 September 2014 Page 26 of 28

Final v1.1 2 September 2014 Page 27 of 28

Final v1.1 2 September 2014 Page 28 of 28

S-ar putea să vă placă și