Microsoft has released the final Security Baseline for Windows 10 v1903 and Windows Server v1903. Microsoft Security Compliance Toolkit or MSCT allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products while comparing them against existing security configurations.
Security baseline for Windows 10 v1903 & Windows Server v1903
The Redmond giant highlights that, unlike before, the published guideline covers both Windows 10 and Windows Server 1903. As with every feature update, there are new Group Policy settings, and many existing policies have been changed or updated. The toolkit helps IT admins understand the differences between the new baseline and their existing configuration.
List of changes in Group Policy compared to v1809 & Server 2019
1] Windows services hosted in svchost.exe, including binaries loaded by svchost.exe, must be signed by Microsoft. This is enforced when you enable the svchost.exe mitigation options policy. It may cause compatibility problems with third-party code that tries to use the svchost.exe hosting process.
2] Let Windows apps activate with voice while the system is locked. This policy can be used to block users from interacting with voice assistants on the lock screen.
3] Policies to mitigate server spoofing threats
- Disable multicast name resolution (LLMNR).
- Restrict the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats.
- A custom “MS Security Guide” ADMX, added so that the NetBT NodeType setting can be managed through Group Policy.
- Correcting an oversight in the Domain Controller baseline by adding the recommended auditing settings for the Kerberos authentication service.
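The two name-resolution settings above can be verified (and, with the switch, set) locally with the following PowerShell helper. This is an added example, not Microsoft's or the toolkit's code; it assumes the registry locations the DNS Client policy and the MS Security Guide ADMX write to (EnableMulticast under the Policies DNSClient key, NodeType under the NetBT Parameters key, where 2 means P-node).

```powershell
# Added audit/remediation helper for the v1903 baseline's LLMNR and NetBT NodeType settings.
# Not Microsoft's code. Registry paths are assumed to be the ones the policies write.
$Checks = @(
    @{ Name = 'Disable LLMNR (EnableMulticast = 0)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value = 'EnableMulticast'; Expected = 0 },
    @{ Name = 'NetBT NodeType = P-node (2)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
       Value = 'NodeType'; Expected = 2 }
)

function Test-NameResolutionBaseline {
    [CmdletBinding()]
    param([switch]$Remediate)   # without -Remediate the function only reports

    foreach ($c in $Checks) {
        # Read the current DWORD; $null means the value has never been written
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $compliant = ($null -ne $current) -and ($current -eq $c.Expected)

        if (-not $compliant -and $Remediate) {
            # Create the key if policy has never written it, then set the DWORD (needs admin)
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord `
                -Value $c.Expected -Force | Out-Null
            $current = $c.Expected; $compliant = $true
        }

        # One result row per setting so the output can be filtered or exported
        [pscustomobject]@{
            Setting   = $c.Name
            Current   = if ($null -eq $current) { 'not set' } else { $current }
            Expected  = $c.Expected
            Compliant = $compliant
        }
    }
}

# Report only; add -Remediate (from an elevated session) to apply the expected values
Test-NameResolutionBaseline | Format-Table -AutoSize
```

An absent NodeType is reported as non-compliant because Windows then falls back to broadcast-capable B-node or H-node behaviour; on domain-joined machines the baseline GPO should remain the source of truth and this script is a local check.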
4] List of dropped policies
- Password-expiration policies.
- Specific BitLocker drive encryption method and cipher strength settings.
- File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings.
- Windows Defender Antivirus setting that applies only to legacy email file formats.
- Enforcement of the default behavior of disabling the built-in Administrator and Guest accounts.
Why did Microsoft drop Password Expiration enforcement?
The point of password expiration enforcement was only to limit the damage from the probability of a password being stolen. Microsoft says that if you know a password was stolen, nobody will wait for expiration to fix the problem; the end user will reset it. Here is what they say:
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.
Why did Microsoft drop the enforced disabling of the built-in Administrator and Guest accounts?
To keep baselines useful and manageable, we tend to enforce secure defaults for policy settings only when 1) non-administrative users could otherwise override those defaults, or 2) misinformed administrators are otherwise likely to make poor choices about the setting. Neither of those conditions is true regarding enforcing the default disabling of the Administrator and Guest accounts, says Microsoft.
The Guest account is disabled by default on Windows 10 and Windows Server. The local Administrator account is disabled by default on Windows 10. However, that’s not the case with Windows Server. When installing Windows 10, Windows Setup prompts you for a new account, which becomes the primary administrative account for the computer.
Download the toolkit from Microsoft Downloads.