Security baseline for Windows 10 v1607 (“Anniversary Update”) and Windows Server 2016

Microsoft is pleased to announce the release of the security configuration baseline settings for Windows 10 version 1607, also known as “Anniversary Update” and internally as “Redstone 1”. The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs, custom ADMX files for “pass the hash” mitigation and legacy MSS settings, and all the settings in spreadsheet form. It also includes spreadsheets generated from Policy Analyzer that show differences from past baselines and brief descriptions of the reasons for the differences, and a similar spreadsheet listing the differences between the Member Server and Domain Controller baselines.

Download the content from the Microsoft Security Compliance Toolkit (click Download and select Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip).

The .CAB files corresponding to these baselines for the Security Compliance Manager (SCM) are being worked on and should be available for download through SCM by the end of October. In the meantime, the downloadable materials on this blog post should provide most everything you need to move forward. We are also preparing an updated version of Policy Analyzer and hope to publish it soon. [Update, 17-Nov-2016: the SCM CAB files corresponding to these baselines are now published. Install and start SCM v4.0 on an internet-connected system: it will notify you that the new baselines are available if it is configured to check for updates automatically, or you can select "Check for updates" from the File menu.]

The main changes in the Windows 10 v1607 baseline since that for Windows 10 v1511 include:

  • Windows Defender is recommended for enterprise use and important Defender settings are now part of the Windows baseline.
  • Enforcing the blocking of use of SSL 3.0 and out-of-date ActiveX controls in Internet Explorer.
  • Disabling the Mobile Hotspot feature, which non-admins could otherwise enable.
  • Improvements in auditing settings.
  • Change in User Rights Assignment so that administrators can choose to enable Remote Desktop.
  • Continued removing unnecessary enforcement of defaults, consistent with our previously-documented philosophy.

In addition to those, the Windows Server 2016 Member Server baseline removes settings for the Microsoft Edge browser that were in the Windows Server 2016 Technical Preview 5 baseline, as Microsoft Edge is no longer present in Windows Server.

To assist with evaluation, we have built spreadsheets listing differences between the latest baselines and previous baselines, along with explanations for the differences. Download here . The spreadsheets with "Raw" in the file name includes detailed information about the differences; the ones with "Explanation" in the file name removes detailed columns such as raw registry value and data type, and adds a "Reason for difference" column. The differences captured are between:

  • Windows 10 v1511 (TH2) to Windows 10 v1607 (RS1)
  • Windows Server 2012 R2 to Windows Server 2016 - Member Server
  • Windows Server 2012 R2 to Windows Server 2016 - Domain Controller
  • Windows Server 2016 TP5 to Windows Server 2016 RTM - Member Server
  • Windows Server 2016 Member Server to Domain Controller

For those who have used the Local_Script tools in the download packages for previous baselines, we’ve changed its implementation. We used to copy GPO artifacts such as registry.pol files into the Local_Script directory and rename them. This time, the scripts reference the GPO files in their original locations. Because all GPO backup directory names are GUIDs, it can be difficult to identify which GUID is associated with which GPO. To help, we have added a simple PowerShell script that maps the GUIDs in a GPO backup directory hierarchy to the corresponding GPO names. This screenshot demonstrates:

blog post - v1607 - screenshot

Comments

  • Anonymous
    October 24, 2016
    Thanks guys, however this is a ZIP file and not a CAB file - Can't import the baseline into SCM 4.0Can you guys assist?Cheers,Ray[Aaron Margosis] Per the blog post:The .CAB files corresponding to these baselines for the Security Compliance Manager (SCM) are being worked on and should be available for download through SCM by the end of October. In the meantime, the downloadable materials on this blog post should provide most everything you need to move forward.Also see the new pre-release version of Policy Analyzer.
  • Anonymous
    October 26, 2016
    The comment has been removed
  • Anonymous
    October 28, 2016
    V1607 is technically the “Anniversary Update” (not an edition). Editions are something else for Windows. It is bad when MS employees don't get the name of their product correct.[Aaron Margosis] You're absolutely correct, of course, and I cannot express the depth of my sadness nor of my disappointment in my catastrophic failure to get this right. All the more because "Anniversary Update" is surely the greatest name our marketing team has ever assigned to a release. I won't ask for your forgiveness because I don't deserve it. :-(
  • Anonymous
    October 31, 2016
    Ya'll are running out of time for the "end of October" bit :-D
  • Anonymous
    November 01, 2016
    The comment has been removed
  • Anonymous
    November 02, 2016
    Any news on the SCM CAB you mentioned for the end of October?[Aaron Margosis] Oh, did you interpret that as October 2016? :) It is being worked on right this minute - we have to make sure it aligns exactly with the baseline we published. Hopefully out in the next few days.
    • Anonymous
      November 07, 2016
      Guess we continue to wait?[Aaron Margosis] They're still working on it.Is there anything you need from the baselines that isn't included in the download package linked from this blog post?
    • Anonymous
      November 08, 2016
      Any updates on the CAB file? It's been a few days since you said "Hopefully out in the next few days." :)
    • Anonymous
      November 09, 2016
      Sooo, it's more than a few days later now ;)Any news about the CAB-files?[Aaron Margosis] They’re still working on it.Is there anything you need from the baselines that isn’t included in the download package linked from this blog post?
    • Anonymous
      November 10, 2016
      How many days is a few? :-) I'm working on my baseline for 1607 to get security approval and getting the cab into SCM will be a big help.[Aaron Margosis] "A few" has turned out to be more than anticipated. But is there anything you need from the SCM package that you can't move forward with even more quickly using the materials in the .zip file attached to this blog post? It should have everything you need.
      • Anonymous
        November 15, 2016
        Thanks. I'm using the GPOs from the zip and Policy Analyzer to compare my settings and document our baseline.
  • Anonymous
    November 03, 2016
    Hello,Thanks for the good job, it's great that the security baselines for W2K16 are already available.I've loaded them into SCM 4 via Import GPO Backup. For W2K12 and W10, I cannot find the setting "Interactive logon: number of previous logons to cache".Has it been removed or should I wait for the .CAB files?Thanks in advance.Best.[Aaron Margosis] Our Win8.1/2012R2 baselines still included that setting, but as part of the big reset for Windows 10 (and now Server 2016), we dropped it from the baseline recommendations, as it does not mitigate a contemporary security threat.
    • Anonymous
      November 15, 2016
      The comment has been removed
      • Anonymous
        December 15, 2016
        In fact, the setting “Interactive logon: number of previous logons to cache” was not available in SCM because I did an import of an exported GPO (the CAB was not available at that time). It is stated in the SCM release notes that this process will not result in the same information and structure. Indeed with the SCM Cab file, the settings are far more comprehensive and this specific setting can now be configured.I hope this information will be of some help.[Aaron Margosis] GPO backups contain only settings that were configured, so when we dropped the cached-logon setting from the baselines, they won't be in the GPO backups anymore. All the settings are available in the spreadsheet that is also part of the download package on this blog post.
  • Anonymous
    November 09, 2016
    > The .CAB files corresponding to these baselines There is no cab file in that zip.[Aaron Margosis] The zip file linked from this blog post isn't for SCM. It should contain everything you need, though. It has the security configuration baseline recommendations in the form of a GPO backup that you can import directly into AD GPO, as well as tools/scripts so that you can apply the baseline to the Local Group Policy of a system, and an Excel workbook that lists all the GP-configurable settings on Windows 10 v1607 and Windows Server 2016 and the recommendations for how to configure them. The CAB files (which are being worked on) can be imported into the Security Compliance Manager, but it takes a while to get those done. (Personally, I am not a fan of SCM anymore. It was a good idea but a suboptimal implementation.)
  • Anonymous
    November 09, 2016
    Still waiting fot that .cab :)
  • Anonymous
    November 14, 2016
    Hi,The link you provided is not a CAB but a ZIP which doesn't contain the CAB file we can import as a baseline into SCM."[Aaron Margosis] Yes, that is correct. Please see my reply to your previous comment for details about what is in the zip file. But is there anything you need from the SCM package that you can’t move forward with even more quickly using the materials in the .zip file attached to this blog post? It should have everything you need.
  • Anonymous
    November 16, 2016
    Any idea when the CAB file is being released?[Aaron Margosis] It just went live. I'm still curious what everyone needs from SCM that the download package doesn't provide.
    • Anonymous
      November 29, 2016
      I and seems like many others just need the .cab file. We already have SCM 4.0. My situation is that my server is not connected to the internet to auto download the baseline. How can I receive/download the cab file by itself?[Aaron Margosis] I wish someone would answer the question about what needs SCM satisfies that the (IMO) superior download package doesn't.There's probably a link where you can download the .cab files directly, but I don't know what it is. My suggestion is to install SCM on an internet-connected computer (which can even be a throwaway virtual machine) and have it download the .cab files. You should find them in your Documents folder.
      • Anonymous
        February 07, 2017
        Hi Aaron,In response to your questions as to why so many persist in having the CAB file available, here some possible answers: • The ability to download baselines directly from within SCM.• Or the fact that it is placed under the Baseline structure instead of the Imported GPO section.• Or the ability to export to an SCCM cab after tweaking; it can’t be selected if it is under imported GPO’s in SCM. In my case: these exports can easily be imported in SCCM for Compliance Settings, and saves me time creating the checks, because those are (in previous versions at least) built in to the CAB files as well, but I can’t check that, now.• We learned to love SCM.• All of the above. :-)Regards,Bart
  • Anonymous
    December 07, 2016
    Thanks Aaron for providing the Security-Baseline Stuff.My wish is, that we are informed pro-actively (TechNet Blog, Newsletter, Twitter, etc.) if something will change (e.g. in a new version of the OS).Kind regards, Peter[Aaron Margosis] Things are changing all the time! If you mean in the baselines, I'd follow/subscribe to this blog.
  • Anonymous
    December 12, 2016
    I am new to this program. My predecessor was using it to import our GPOs and export the content in order to import into SCCM for continuous monitoring. I have taken over as we are switching to Win10.When I try and associate our GPOs with Win10 (1511 or 1607) it says there are "0 unique settings..." I have tried both SCM 3.0 and 4.0.Googling led me to some "workaround" which edits a stored procedure. This does not seem right. Is this a known issue? Is there a fix?Thank you[Aaron Margosis] SCM has design bugs and hasn't been significantly maintained in about four years, and the baselines delivered since then cause those bugs to be noticeable. This is one of them. Looking into improvements for the future.
  • Anonymous
    February 24, 2017
    My organization requires settings from the 1607 SecGuide.admx that are not available on the PtH.admx yet baselines are configured on 1511. Would applying SecGuide.admx to a 1511 system have adverse affects?[Aaron Margosis] The settings should be the same in PtH.admx and in SecGuide.admx; the latter is just a renaming/relocating so that we can use it for custom settings other than PtH-related in the future if we need to. SecGuide.admx should work fine.
  • Anonymous
    March 13, 2017
    Any chance this baseline meets NISPOM compliance?[Aaron Margosis] Is that different from the STIG?
  • Anonymous
    March 19, 2017
    Hi, when will Microsoft release the Windows Server 2016 Security Guide?Not included with the SCM package; see this instead:https://info.microsoft.com/TheUltimateGuideToWindowsServer2016.html
  • Anonymous
    March 19, 2017
    Hi, When will Microsoft release the Windows Server 2016 Member Server & Domain Controller Security Guide?Not included with the SCM package; see this instead:https://info.microsoft.com/TheUltimateGuideToWindowsServer2016.html
  • Anonymous
    March 20, 2017
    How do these baselines compare to the CIS ones? https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=windows10.111[Aaron Margosis] Our baselines and the Center for Internet Security's "Level 1" baselines are very similar. We collaborate closely with CIS, and strive to keep our baselines and their "Level 1" benchmarks in alignment.
  • Anonymous
    March 22, 2017
    When using LGPO, the machines are obviously NOT domain-joined. How do we resolve the 'Deny access to this computer from the network' and 'Deny log on through remote desktop services' policies in 'Member Server Baseline - Computer' policy?We have resorted to 'Guest' for both, as there does not seem to be a 'Local accounts NOT member of admins' SID.Comments and criticisms welcome.[Aaron Margosis] Actually, LGPO is used all the time with domain-joined machines as well. :) The baselines we've published are targeted to domain-joined enterprise systems. So (important point here) if you're configuring a system that is not joined to a domain, then local accounts are all you'll have. If you want to use the computer remotely using Windows accounts, you can't block the use of local accounts. So those security settings need to be adjusted.
  • Anonymous
    April 10, 2017
    Is this set of configuration guidelines and options available as PowerShell DSC resources?If not, are there guidelines for implementing security baseline configurations with DSC?[Aaron Margosis] Please tell me what you think of these relatively new resources:https://github.com/Microsoft/BaselineManagementhttps://blogs.technet.microsoft.com/ralphkyttle/2017/03/21/introducing-dscea/ https://github.com/Microsoft/DSCEAhttps://www.powershellgallery.com/packages/DSCEA
  • Anonymous
    April 24, 2017
    Are there plans to release baselines for Exchange Server 2016? If so when are they due to be released?[Aaron Margosis] No plans for future Exchange baselines.
    • Anonymous
      May 08, 2017
      I have problem to startup Exchange services after apply the baseline. Do you have any advise??
  • Anonymous
    May 01, 2017
    Heads-up that enabling "User Account Control: Admin Approval Mode for the Built-in Administrator account" and "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - Prompt for consent on the secure desktop" breaks the OOBE on Windows 10 1703. That took me a lot of trial and error to find![Aaron Margosis] Thanks for the heads-up. How specifically does it break? And is this actually OOBE, or building in MDT?
    • Anonymous
      May 19, 2017
      Happens after deploying the vanilla install.wim via SCCM, and I would assume any other mode of deployment would also be affected. Its in the OOBE - happens at some point after language selection. Can't find any errors in the panther logs though. Took lots of trial and error to figure out which policy was doing it.
  • Anonymous
    May 09, 2017
    The comment has been removed
    • Anonymous
      May 09, 2017
      ACK, Aaron :-) My post was a feedback to list of known problems, so others do not have to reinvent the wheel.
  • Anonymous
    June 07, 2017
    Is there a new version of this document for Creator's Update 1703? Thanks![Aaron Margosis] Yes, very soon![Aaron Margosis] "Very soon" == "Now": https://www.microsoft.com/en-us/download/details.aspx?id=55319
  • Anonymous
    June 30, 2017
    The 2016 computer policy seems to cause issues with SCOM, specifically the enforcement of User Rights Assignment -> Generate security audits (though it seems to be enforcing defaults?).The Management Servers start alerting: "The Data Access service is unable to audit SDK operations because it cannot generate auditing events in the security event log."Tested with SCOM 2012 R2 and 2016.[Aaron Margosis] What does SCOM want to set it to?
    • Anonymous
      July 06, 2017
      I believe the SOP configuration for SCOM is that the SDK account is a domain account. I checked secpol.msc on a SCOM Management Server and it appears SCOM automatically adds the SDK account into "Generate security audits".Of course GPO > secpol.msc so this GPO will supersede it.In our case, I didn't want to create a separate GPO for SCOM servers so I solved this by adding a domain group into "Generate security audits" on the baseline GPO and added the SDK users into the group. Too bad there's no item-level targeting for every setting.I don't know if there's a better way to fix it, especially in the baseline you provide.
  • Anonymous
    July 11, 2018
    Hello there, how can this security baseline be configured on servers with Spanish language?[Aaron Margosis] The GPOs are not language-specific so they should just work. That said, the custom ADMX files we provide are available only in US-English. The settings will still apply correctly, but to view them in the Group Policy editor you'll need to see them in US English.
  • Anonymous
    November 21, 2018
    HiWe are planning take out one server out of domain and keep in Workgroup (Backup Server) as recommended by the support team since the Backup server contains the LUNs to keep backup sets. So these security baseline settings can be applied to those servers in workgroup through local GPO? Also how secure the user accounts & password with those servers in Work Group?Thank You[Aaron Margosis] Yes, you can apply settings through Local GPO, and you can use script in the baseline package to apply it.Securing local accounts - there's a lot there. Least privilege, very strong/long/complex passphrases, ... Need to know more about the specifics to recommend more.
    • Anonymous
      December 02, 2018
      Thank You Aaron. Our concern is how the credentials kept in a domain environment (in NTDS.dit database) Vs in a Workgroup, how difficult for an intruder to get the credentials in a Workgroup compared to a domain environment and how the user credentials transmit over a network in a workgroup. We followed MS & CIS best practice in domain environment by applying GPOs. This is just for our internal documentation purpose with this change.