Microsoft Security Baseline contains recommended settings Microsoft suggests for Windows workstations and servers to provide secure configuration and protect domain controllers, servers, computers, and users. Microsoft has developed reference Group Policy Objects and templates based on the Security Baselines. Administrators can apply them in their AD domains. The security settings in the Microsoft Security Baseline GPO enable administrators to protect Windows infrastructure in accordance with the latest global security best practices. In this article we’ll show how to implement Microsoft Security Baseline GPOs in your domain.
Reference Microsoft Security Baseline Group Policies are a part of Microsoft Security Compliance Manager (SCM). SCM is a free product that contains multiple tools to analyze, test and apply the best practices and current security recommendations for Windows and other Microsoft products.
Microsoft Security Compliance Toolkit is available following this link: https://www.microsoft.com/en-us/download/details.aspx?id=55319. Today Baselines for the following products are available in the Security Compliance Toolkit:
- Windows 10 Version 20H2 and Windows Server Version 20H2
- Windows 10 Version 2004 and Windows Server Version 2004
- Windows 10 Version 1909 and Windows Server Version 1909
- Windows 10 Version 1903 and Windows Server Version 1903
- Windows 10 Version 1809 and Windows Server 2019
- Windows 10 Version 1607 and Windows Server 2016
- Microsoft Edge v88
- Office365 ProPlus
- Windows Server 2012 R2
You can also download these tools:
- LGPO is used to manage local GPO settings;
- PolicyAnalyzer is a tool to analyze existing Group Policies and compare them with the reference policies in the Security Baseline;
- SetObjectSecurity
The Security Baseline archive for each Windows version contains several folders:
- Documentation contains XLSX and PDF files with the detailed description of the settings applied in the Security Baseline;
- GP Reports has HTML reports with the GPO settings to be applied;
- GPOs – contains GPO objects for different scenarios. You can import the policies to your Group Policy Management (GPMC) console;
- Scripts contains PowerShell scripts to easily import GPO settings to domain or local policies:
Baseline-ADImport.ps1,Baseline-LocalInstall.ps1,Remove-EPBaselineSettings.ps1,MapGuidsToGpoNames.ps1 - Templates – additional ADMX/ADML GPO templates (for example,
AdmPwd.admxcontains local password management settings for LAPS,MSS-legacy.admx,SecGuide.admx)
In Active Directory domain environment, it is easier to implement Security Baseline using GPO (in a workgroup, you can apply recommended security settings through a Local Group Policy using LGPO.exe tool).
There are GPO Security Baseline templates for different Windows infrastructure elements: policies for computers, users, domain servers, domain controllers (there is a separate policy for virtual DCs), as well as Internet Explorer, BitLocker, Credential Guard, Windows Defender Antivirus settings. Configured Group Policies for various scenarios are located in the GPOs folder (you can see the list of GPOs for Windows Server 2019 and Windows 10 1909 below):
- MSFT Internet Explorer 11 — Computer
- MSFT Internet Explorer 11 — User
- MSFT Windows 10 1909 — BitLocker
- MSFT Windows 10 1909 — Computer
- MSFT Windows 10 1909 — User
- MSFT Windows 10 1909 and Server 1909 — Defender Antivirus
- MSFT Windows 10 1909 and Server 1909 — Domain Security
- MSFT Windows 10 1909 and Server 1909 Member Server — Credential Guard
- MSFT Windows Server 1909 — Domain Controller Virtualization Based Security
- MSFT Windows Server 1909 — Domain Controller
- MSFT Windows Server 1909 — Member Server
Extract the archive with the Security Baseline version matching your Windows version and open the Group Policy Management (gpmc.msc) console.
- Copy ADMX templates to the SYSVOL PolicyDefinitions folder (GPO Central Store) on your DC;
- Create a new GPO with the name Windows 10 2004 Security Baseline;
- Right-click the GPO and select Import Settings;
- Specify a path to the Security Baseline file for your Windows version as a Backup Location (for example,
C:\Tools\SCM\Windows 10 Version 2004 and Windows Server Version 2004 Security Baseline\Windows-10-Windows Server-v2004-Security-Baseline-FINAL\GPOs); - You will see a list of policy templates. In our case, I will import a policy with the computer settings. Select MSFT Windows 10 2004 – Computer (using the View Settings button, you can view the policy settings in the form of a gpresult report);
- Then you are prompted to select how to migrate reference links to security objects and UNC paths. Since the policy is new, select Copying them identically from the source;
- Then the reference Security Baseline policy settings for computers running Windows 10 2004 will be imported to your GPO.
To apply the Group Policy object only to computers running the specific Windows build, use GPO WMI filters. For example, for Windows 10 2004 you can use the following WMI filter:
Select Version,ProductType from Win32_OperatingSystem WHERE Version LIKE "10.0.19041%" and ProductType = "1"
Apply the filter to your policy and link the policy to the Organizational Unit you need.
Before applying the Security Baseline to user computers, check the suggested settings thoroughly and first apply them to an OU with test users or computers. If needed, you can disable some settings suggested by Security Baseline. Only after successfully testing the Security Baseline settings on test computers, you can apply them to all computers/servers in your domain.
Security Baseline contains dozens or even hundreds of settings. We are not able to discuss them in a single article. Let’s consider the security settings we have covered in other articles on woshub.com:
- Managing the program start and installation rules: AppLocker, Software Restriction Policy), UAC and Windows Installer
- Domain password and account lockout policies
- Privileged account restrictions
- Anonymous access restrictions
- Audit policy settings to get information about all events and user logon history
- LSA memory protection
- Access to peripherals (including printer and USB installation policies)
- Disabling NetBIOS and NTLM protocols
- Settings of Remote Assistance, shadow connections, RDS timeouts, CredSSP Oracle Remediation
- PowerShell Execution Policy
- Configuration of Windows Error Reporting
- Management of Windows Firewall rules
- WinRM settings
- Disabling the built-in administrator account
- Hardened UNC paths policy
- Disabling SMBv1
Allow unsigned scripts to run:
Set-ExecutionPolicy -Scope Process Unrestricted
Apply the policy:
Baseline-LocalInstall.ps1 -Win10NonDomainJoined
Microsoft Security Baseline settings can enhance the security of your Windows infrastructure and help to make sure that the same settings are applied to all computers (including new ones) on your corporate network.