Security Baseline for WS2016 TP5!

Good news for paranoids like me, courtesy of Aaron Margosis: the security baselines are out for Windows Server 2016 TP5... release is getting close, if you ask me.

Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows Server 2016, corresponding to Technical Preview 5 (TP5). The final version of Windows Server 2016 will differ from the TP5 pre-release, and this security guidance will change as well. Both TP5 and this guidance are offered for evaluation purposes and we look forward to your feedback.

Download the content here: Server 2016

Our Windows 10 guidance differed dramatically from our past Windows client baselines (as described here), and our evolving Windows Server guidance is following suit. In addition to the changes described in that blog post, there are a few additional differences between this new guidance and both the Windows Server 2012 R2 guidance and the Windows 10 TH2 guidance:

  • Advanced Auditing setting for Account Lockout changed from Success to Success+Failure. We will also make this change in the next revision of our Windows 10 guidance. This change is needed so that account logon failures are audited when the failure reason is that the account is locked out.
  • Some settings not relevant to Windows Server, such as Wi-Fi Sense, are omitted.
  • BitLocker is not included in the Windows Server baseline.
  • Internet Explorer is introducing a new Group Policy control, “Allow only approved domains to use the TDC ActiveX control.” We are enabling that setting in the Internet and Restricted Sites zones. We will also make this change in the next revision of our Windows 10 guidance, where it will be more important.
  • Reverted “Apply local firewall rules” and “Apply local connection security rules” to Not Configured for the Public firewall profile, enabling organizations to make their own decisions. This is a difference from the Windows 10 guidance. Internet-facing servers have varied purposes and there is a greater need for flexibility in these settings than for Windows client.
  • Removed the recommendations for specific values in the User Rights Assignments “Replace a process level token” and “Adjust memory quotas for a process.” The defaults are good and the settings are unlikely to be abused for nefarious purposes. Also, during installation some products need to grant these rights to product-specific accounts, and later break when a Group Policy reverts them back to the Windows defaults. We will also make this change in the next revision of our Windows 10 guidance.

This baseline is designed for the Member Server scenario. The final version will also include a baseline for Windows Server 2016 Domain Controller. In addition to the differences between the Member Server and DC baselines for Windows Server 2012 R2 (*), the differences for Windows Server 2016 DCs will include:

  • Do not apply the LAPS setting, “Enable local admin password management,” to DCs.
  • The “Hardened UNC Paths” setting should not be applied to DCs.

(*) You can review the differences between these baselines using Policy Analyzer.
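The quickest way to see where a TP5 member server stands against the points listed in the announcement is to read the effective settings back from the box. The script below is an added example for this post, not part of Aaron Margosis's announcement or of the baseline package: it checks the Account Lockout audit subcategory, the two Public-profile firewall settings that TP5 leaves Not Configured, the two user rights the baseline no longer pins, and the two settings that must not reach a domain controller. It assumes the legacy LAPS (AdmPwd) policy registry key and the Hardened UNC Paths policy key, and it is read-only. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): read-only check of the TP5 baseline
# points above. Run elevated. Assumes legacy LAPS (AdmPwd) and the Hardened UNC
# Paths policy registry locations; nothing here changes configuration.

# DomainRole 4 = backup DC, 5 = primary DC (member servers are 3)
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# 1. Advanced audit policy: TP5 moves Account Lockout from Success to Success+Failure
#    (subcategory names are localized; on a non-English OS use the subcategory GUID instead)
$lockout = auditpol /get /subcategory:"Account Lockout" /r | ConvertFrom-Csv |
           Where-Object { $_.Subcategory -eq 'Account Lockout' } | Select-Object -First 1
"Account Lockout audit: $($lockout.'Inclusion Setting')"
if ($lockout.'Inclusion Setting' -ne 'Success and Failure') {
    Write-Warning 'Baseline expects "Success and Failure" so that logon failures caused by a locked-out account are audited'
}

# 2. Public firewall profile: TP5 reverts these two to Not Configured, so report rather than judge
Get-NetFirewallProfile -Name Public |
    Select-Object Name, AllowLocalFirewallRules, AllowLocalIPsecRules

# 3. User rights the baseline no longer pins: show who currently holds them
#    SeAssignPrimaryTokenPrivilege = "Replace a process level token"
#    SeIncreaseQuotaPrivilege      = "Adjust memory quotas for a process"
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg |
    Where-Object { $_ -match '^(SeAssignPrimaryTokenPrivilege|SeIncreaseQuotaPrivilege)\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Settings the announcement says must not be applied to domain controllers
$laps = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
            -Name AdmPwdEnabled -ErrorAction SilentlyContinue
$unc  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' `
            -ErrorAction SilentlyContinue
if ($isDC -and $laps -and $laps.AdmPwdEnabled -eq 1) {
    Write-Warning 'LAPS "Enable local admin password management" is applied to this DC'
}
if ($isDC -and $unc) {
    Write-Warning 'Hardened UNC Paths policy is applied to this DC'
}
```

The user-rights lines come back as SID lists (for example `SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20`, the LOCAL SERVICE and NETWORK SERVICE defaults); if a product installer has added its own service account you will see an extra SID there, which is exactly the case the announcement gives for dropping the pinned values. For a full side-by-side of the TP5 and 2012 R2 baselines, Policy Analyzer remains the better tool; this script only spot-checks the settings the post calls out.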

Read the original article…

About Red Kaffe

IT Trainer and Consultant on Microsoft Technologies. Windows Server and Client, Service Center 2012, WSUS/MDT/ADK/WAIK, SBS 2008/2011, Office 365, etc. Fully dedicated to supporting and training my customers...
This article was published in 2016, Deployment, Training, Migration, Security.
