Stressing the need for a streamlined and efficient approach to baseline definition, Microsoft has announced the final release of the Security Configuration Baseline Settings. The settings are available for both Windows 10 v1909 and Windows Server v1909.
Security Configuration Baseline Settings for Windows 10 1909
This new Windows Feature Update brings some new Group Policy settings. A large share of the work of securing a Windows 10 device takes place away from the device itself. So, in addition to a robust security policy, specialists with the expertise to manage it are required. The Security Baseline offers this guidance to IT administrators via GPOs.
This new Windows Feature Update brings very few new Group Policy settings, which we list in the accompanying documentation. None of them meet the criteria for inclusion in the baseline (which are reiterated below), but customers interested in controlling the use of USB drives and other devices should be interested in the new and very granular device installation restrictions, mentioned in a blog post on Microsoft Tech Community.
In comparison to the September update to Windows 10 v1903, some of the options that have been removed from the Baseline after reevaluation include:
- The restrictions on Thunderbolt devices in the BitLocker GPO
- Removal of the previously recommended Exploit Protection settings
- Enforcement of the default machine account password expiration for domain-joined systems
- The enforcement of the “Manage auditing and security log” privilege (SeSecurityPrivilege) on Domain Controllers
Apart from the above, situations that necessitate disabling machine account password expiration can now be handled without being out of compliance with our baselines.
The baselines are designed primarily for enterprise security administrators. As such, standard end users do not have administrative rights to them. A set of tools, the Microsoft Security Compliance Toolkit, helps enterprise security administrators download, analyze, test and store Microsoft-recommended security configuration baselines for Windows.
For more information, visit the Microsoft Tech Community page.