Windows Security Baselines – How to do an initial implementation of security baselines?!
Question #1 – Are the security baselines backward compatible? E.g., is the 20H2 baseline also usable for 20H1 or 1903?
Answer #1 – I did not find anything that documents this backward compatibility. From my point of view, they are mostly backward compatible, and Microsoft mostly adds new settings of new major versions to the baselines. Consider that, in rare cases, existing security settings could also be changed.
Conclusion:
- If you plan to use the latest baselines for all your Windows 10 / Windows Server versions, you can, but you could get old settings changed, resulting in productivity loss.
- Divide your Windows clients and servers into multiple groups, in Microsoft terms „Rings“:
  - Plan ~10% of all machines for Insider Rings, split into 1 to 3 rings, e.g. like this:
    - 1% Insider Preview
    - 3% Insider IT
    - 6% Insider Users
  - Plan 90% for the rest, split into 1 to 4 rings depending on the total number of machines:
    - 20% Official Ring #1
    - 20% Official Ring #2
    - 20% Official Ring #3
    - 20% Official Ring #4
- Plan your security baseline rollout via rings; this helps you minimize the risk of failures.
-
Question #2 – Where do I start with Microsoft Security Baselines?
Answer #2 – My recommendation is that you
- Import – Import all the security baselines.
- WMI filter – Add them to your 1st Insider Ring via WMI filters.
- Exception GPOs – Create an empty GPO and name it „<OriginalGPOName>-Exceptions“.
- Link Security Baseline Exception GPOs – Link all the empty exception policies to the respective OU(s).
- Link Security Baseline GPOs – Link all the hardened security baseline policies to the respective OU(s).
- Verify Exception GPO order – If you have created exceptions, their links need a higher order (precedence) than the baseline links on the OUs for the exceptions to take effect.
- Softening – When you come across settings that you really don't want to have set in your environment, add your exceptions to the Security Baselines in the exception GPOs.
By adding exceptions to dedicated GPOs, you can always import and use the latest Security Baselines (they are updated once or twice per year) without losing your exceptions. How cool is that?
Question #3 – Common admin mistakes
You are adding/changing your exceptions directly in the Security Baseline GPOs.
You can do that, but…
- … you will get into trouble when you import the latest security baselines in a couple of months and have to remember the exceptions you made.
- … you will need to configure all the exceptions once again. This can be avoided with the exception GPOs.
You forgot to give the exception policies a higher order in the GPO link ranking.
Verify that the exception GPOs have a higher order than those containing the Security Baselines.
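The procedure from Answer #2 (exception GPOs next to each baseline, linked with higher precedence) and the link-order check from Question #3, as an added PowerShell example that is not part of the original post. It assumes the RSAT GroupPolicy module, rights to create and link GPOs, already imported baselines whose names start with a given prefix, and a constructed placeholder OU in `$TargetOU`; the WMI-filter step is not covered.

```powershell
# Added example (not from the original post). Creates "<OriginalGPOName>-Exceptions"
# GPOs beside each imported baseline, links both to an OU, and checks that every
# exceptions GPO takes precedence over its baseline.
# Assumptions: RSAT GroupPolicy module is installed, baselines are already imported,
# $TargetOU is a constructed placeholder distinguished name.
Import-Module GroupPolicy

$TargetOU       = 'OU=Ring1-InsiderPreview,OU=Workstations,DC=example,DC=local'
$BaselinePrefix = 'MSFT Windows 10 20H2'

function Ensure-BaselineWithExceptions {
    param([string]$OU, [string]$Prefix)

    $baselines = Get-GPO -All |
        Where-Object { $_.DisplayName -like "$Prefix*" -and $_.DisplayName -notlike '*-Exceptions' }

    foreach ($baseline in $baselines) {
        $excName = "$($baseline.DisplayName)-Exceptions"

        # Create the empty exceptions GPO once; later baseline re-imports leave it untouched.
        if (-not (Get-GPO -Name $excName -ErrorAction SilentlyContinue)) {
            New-GPO -Name $excName -Comment "Site exceptions for '$($baseline.DisplayName)'" | Out-Null
        }

        # Link baseline and exceptions GPO to the OU, skipping links that already exist.
        $links = (Get-GPInheritance -Target $OU).GpoLinks
        foreach ($name in @($baseline.DisplayName, $excName)) {
            if (-not ($links | Where-Object { $_.DisplayName -eq $name })) {
                New-GPLink -Name $name -Target $OU -LinkEnabled Yes | Out-Null
            }
        }

        # Link order 1 is applied last and therefore wins: put the exceptions GPO at the top.
        Set-GPLink -Name $excName -Target $OU -Order 1 | Out-Null
    }
}

function Test-ExceptionOrder {
    # Reports every exceptions GPO that is overridden by its baseline (the mistake from Question #3).
    param([string]$OU)
    $links = (Get-GPInheritance -Target $OU).GpoLinks
    foreach ($exc in ($links | Where-Object { $_.DisplayName -like '*-Exceptions' })) {
        $baseName = $exc.DisplayName -replace '-Exceptions$', ''
        $base = $links | Where-Object { $_.DisplayName -eq $baseName }
        if ($base -and $exc.Order -gt $base.Order) {
            Write-Warning "'$($exc.DisplayName)' (order $($exc.Order)) loses against '$baseName' (order $($base.Order))"
        }
    }
}

Ensure-BaselineWithExceptions -OU $TargetOU -Prefix $BaselinePrefix
Test-ExceptionOrder -OU $TargetOU
```

Run `Test-ExceptionOrder` alone against each ring OU after every baseline import; no warning means all exception links still rank above their baselines.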
Question #4 – Are there known risks in deploying the Microsoft Security Baselines?
Security Baseline „MSFT Windows 10 20H2 and Server 20H2 Member Server – Credential Guard“
When you activate this policy on devices, there is no easy way to turn it back off.
You will need to do a couple of things to get Device Guard disabled again:
Manage Windows Defender Credential Guard (Windows 10) – Microsoft 365 Security | Microsoft Docs
Question #5 – What are the main exception areas?
- MSFT Windows 10 20H2 – BitLocker
  - Standby disabled
- MSFT Windows 10 20H2 – Computer
  - Allow log on locally
  - Access this computer from the network
  - Windows Components/Remote Desktop Services/Remote Desktop Connection Client: different settings
  - Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security: different settings
- MSFT Edge Version 85 – Computer
  - Allow specific extensions to be installed