Aaron Margosis vient de publier un article intéressant:
Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Windows 10 “Fall Creators Update,” also known as version 1709, “Redstone 3,” or RS3. There are no changes from the draft release we published a few weeks ago.
The 1709 baseline package has been added to the Microsoft Security Compliance Toolkit. On that page, click the Download button, then select « Windows 10 Version 1709 Security Baseline.zip » and any other content you want to download.
The 1709 baseline package includes GPOs that can be imported in Active Directory, scripts for applying the GPOs to local policy, custom ADMX files for Group Policy settings, and all the recommended settings in spreadsheet form. The spreadsheet also includes the corresponding settings for configuring through Windows’ Mobile Device Management (MDM).
We’re also happy to announce the revamping of the Windows Security Baselines landing page.
The differences between the 1709 baseline and that for Windows 10 v1703 (a.k.a., “Creators Update,” “Redstone 2”, RS2) are:
We also recommend enabling Windows Defender Application Guard. Our testing has proven it to be a powerful defense. We would have included it in this baseline, but its configuration settings are organization-specific.
The old Enhanced Mitigation Experience Toolkit (EMET) add-on is not supported on Windows 10 v1709. Instead, we offer Windows Defender Exploit Guard’s Exploit Protection, which is now a built-in, fully-configurable feature of Windows 10. Exploit Protection brings the granular control you remember from EMET into a new, modern feature. Our download package includes a pre-configured, customizable XML file to help you add exploit mitigations to many common applications. You can use it as-is, or customize it for your own needs. Note that you configure the corresponding Group Policy setting by specifying the full local or server file path to the XML file. Because our baseline cannot specify a path that works for everyone, it is not included in the baseline packages GPOs – you must add it yourself.
Thank you to the Center for Internet Security (CIS) and to everyone else who gave us feedback.