Recent Discussions
Welcome
Welcome to the new home for blogs & discussion around the Security Compliance Toolkit (SCT) and the Microsoft Security Baselines. Please bear with Aaron Margosis and me as we sort through the old content from the SecGuide TechNet blog and get it migrated over to here. This new platform will give us the ability to more easily collaborate with the community. Also, we heard your feedback: be on the lookout for a new DRAFT security baseline (coming very soon) that we have been working on… Office 365 ProPlus!

Windows 10/11 22H2 Security Baseline missing in Intune
Hi, can you please enlighten when the Windows 10/11 Security Baseline will be updated to 22H2? The current baseline is of November 2021, I am sure that there are new recommendations in the new baseline (Windows 10, version 22H2 Security baseline - Microsoft Community Hub) that would be helpful while managing Windows in a more modern way. As an example, currently missing the 22H2 option "Allow Administrator account lockout" to manage it without the need of a GPO.
Security Baseline for Office 365 July 2017 DRAFT Feedback
A bit of feedback on the "Security baseline for Office 365 ProPlus (v1907, July 2019) - DRAFT" settings. For reference, I deployed the settings via Group Policy and my Office suite at the time was on version 1907 (Build 11901.20176).

Macro Runtime Scan Scope

With the "Macro Runtime Scan Scope" policy, I have had difficulties related to some built-in functionality in Access. When the Scan Scope is set to "Enable for all documents", and used at the same time as Windows Defender Attack Surface Reduction, I seem to receive blocks against the "Block Win32 API calls from Office macro" (92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B) rule from the .accde files within "C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ACCWIZ". Example:

Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator.
ID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Detection time: 2019-08-12T23:08:11.700Z
User: (unknown user)
Path: C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ACCWIZ\ACWZMAIN.ACCDE
Process Name: OFFICE_VBA
Security intelligence Version: 1.299.1840.0
Engine Version: 1.1.16200.1
Product Version: 4.18.1907.4

That particular event was a result of making a new local Access Database, putting 1 record in a table and then Create -> Query Wizard -> Simple Query Wizard -> OK. While I am not a fan of Access, we have a number of users who leverage the tool quite a bit and these blocks make Access "less than functional" to them. If I set the "Macro Runtime Scan Scope" back to my previously configured "Enable for low trust documents", the built-in Access functions work fine, since I have that specific folder added to Trusted Locations, as it is a default trusted location when the Office suite installs. Interestingly enough, adding exceptions to ASR for the respective folder or specific .accde does not work. (I also attempted a simultaneous Path exception to Windows Defender itself, with no luck.)
I assume that this is a result of the way in which the data is passed to Windows Defender via AMSI due to the "Macro Runtime Scan Scope", which perhaps makes it difficult/impossible to make exclusions.

Excel File Block prevents copy/paste from Access

On a somewhat different note, the file block setting "Excel 97-2003 workbooks and templates", which prevents Open/Save, conflicts with, again, Access. If you have query results, or a table you wish to cut and paste into Excel, the default paste mechanism seems to require the ability to open "Excel 97-2003 workbooks and templates". If you set the file block settings for that file type to "Save Blocked", the paste from Access to Excel will work. If you set it to any other value other than "Do not block", the paste will fail and you will receive a warning that Excel 97-2003 files are blocked. If you choose an alternative paste method, such as "Paste Special -> Text" or "Paste, match destination formatting", it will work, but depending on the data in Access, there could be some clean up needed (leading zeroes could be stripped). The remaining difficulties my organization may have with file block settings will be a result of how we operate, and those we work with, but this particular instance seemed worthy of note, since it impacts what could be viewed as a standard workflow/interplay between two Microsoft developed applications. Hope the information is useful. If you can think of something I have overlooked that will allow these to work and enable me to tighten up the policies a bit more, please let me know.

Edge - Bypass HTTPS Warning Page
In the latest security baselines for Microsoft Edge v81, the setting "Allow users to proceed from the HTTPS warning page" is recommended to be set as Disabled. Setting it to Disabled prevents users from clicking through warning pages about invalid SSL certificates. With this setting in place, users are prevented from accessing sites with expired SSL certificates, often due to an administrator forgetting to renew it. This happens fairly often to sites/services on the Internet, which of course is something my company cannot control. For example, earlier this year Microsoft forgot to renew a certificate for Teams that caused an outage. I can imagine this recommended setting has potential to cause a significant problem for organizations if users are unable to access a critical site because they are unable to bypass the SSL warning. That leads me to a few questions: Given the risk of this setting blocking access to sites, why is this a recommended setting? Does Microsoft have this setting set to "Disabled" internally? Are any workarounds available for allowing bypass to specific sites, including when a certificate has expired? Some hotel Wi-Fi Internet access is only accessible after logging in via a captive portal page, which is sometimes hosted internally on RFC1918 private IP space and cannot have a valid public certificate. How would users access the portal in order to connect to the Internet? Would they need to add the Certificate Authority to their Trusted Roots? I'm struggling to see how many companies could implement this setting without increasing the risk of an outage by being unable to access a critical site.

Policy Analyzer Command Line or any way to automate Policy Analyzer?
We are looking for a way to scan systems against a backup GPO in an automated fashion. The Policy Analyzer works great, but there doesn't seem to be a way to run it in an automated fashion. Are there any plans to offer this functionality? Or am I unaware of another tool or technique I should be using? Thank you.

Security Baselines for Linux
Currently only Windows OS is in scope of the Security Baseline assessments. Are there any plans to expand it for Linux (RedHat) as well? I mean our organization has deployed Defender on Linux, so it might be possible Microsoft will support this on Linux OSes as well. Thanks, Dragi

UAC elevation prompt for standard users
MSFT Windows 10 21H2 - Computer has the following setting recommendation. Policy: User Account Control: Behavior of the elevation prompt for standard users. Setting: Automatically deny elevation requests. How do I provide support if I need to install software that requires Run as Administrator permissions? Will I need to switch user to the Administrator, and install the software?

Security baseline with Hyper-V default switch
Continued from old TechNet blog discussion... Thanks Aaron Margosis. I've figured out what is preventing clipboard file copying. It is the GPO setting "Do not allow drive redirection" (Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection). Haven't figured out why applying the security baseline disables guest VM network connectivity through the "Default Switch" (automatically created on Client Hyper-V), but a solution is to connect guest VMs directly to the external network adapter using the "External Switch". UPDATE: Network connectivity issues caused by GPO blocking local firewall rules (inbound allow rules are needed for Default Switch to work, see below discussion).

How can I safely implement required LDAP signing?
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network... "If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts." Given this - how in the world can you safely implement this? It seems to me that unless everything is processed right at the same time - you're guaranteed to have some clients that cannot communicate to even get group policy anymore?

Windows 11 22H2, Server 2022 Baselines - CIS Level 1
Are the security baselines downloaded in the SCT "CIS Level 1"? I've used the Policy Analyzer to compare the group of baseline GPOs (all the ones in the \GPOs\ folder) to the 'current environment' using a freshly provisioned PC, and a VM for Server 2022. The 'baseline' vs 'current state' comparison is helpful, but I'm wondering if I were to enable every GPO in the baseline column, does that get you CIS Level 1? MS does not seem to use the CIS terms in the documentation I've found.

Continuous ATO when new services installed
What is the best process used to add new services to the environment and meet compliance? Does the new service need an ATO? Does Azure need a Continuous ATO process? How to conduct a review of the product baseline against existing Azure baselines? I am experienced in on-prem FISMA but new to cloud compliance.

Dashboards for SCT
Hello and greetings from Portugal! I'm trying to find some kind of free tool that allows me to add MSFT Security Baseline files, run it against a machine and get some kind of dashboard about the differences between them. Does anyone know something similar? Best regards, Diogo Sousa

Security Baselines in Intune - how to monitor?
Hello and greetings from Portugal! I'm starting to take a look at Security Baselines in MEM. I've already created a profile, and started testing configuration, but... what I wanted to know is if there's any way to create a profile, assign that profile and, instead of changing settings, just get a report about what my machine has configured and what's the correct config for the security baseline. Is that possible? Best regards, Diogo Sousa

Misleading instructions in Baseline-LocalInstall
Requirements in Baseline-LocalInstall.ps1 say that: REQUIREMENTS: * PowerShell execution policy must be configured to allow script execution; for example, with a command such as the following: Set-ExecutionPolicy RemoteSigned. However, it's not signed, so it is not possible to run it with such an ExecutionPolicy. It is possible to run it with `Set-ExecutionPolicy -Scope Process Unrestricted`, but I was wondering if I downloaded it from the wrong place, and there is a signed file somewhere.

Microsoft 365 Apps for enterprise security baseline by default?
Stupid or simple question - I couldn't find an answer. Given I use config.office.com to deploy (user) policies to M365 Apps for Enterprise. I see 132 security baseline policies. I read "microsoft recommended security baseline" and "if you disable or _not_ configure" the xyz secure setting is active. That means: Microsoft 365 Apps for enterprise are by default using the settings of the security baseline if I configure nothing? Here the security baseline policies' purpose would be to set policies to the less secure setting - in case needed? Best regards, Markus

Win2019 standalone baseline testing (lab)
Hello, I'm running a Win2019 Core lab instance where I'm experimenting with the application of an SCT baseline to harden the system. The use case for the production rollout would be for a standalone Internet-facing web server, so I'd like to ensure that I've done my best to prep it for exposure. The lab 2019 instance is running in Hyper-V and has been fully patched.

-) Any recommendations on running the PolicyAnalyzer on a server running Core? I can execute the PolicyAnalyzer software from the server CLI console, but I think that, since Windows Explorer isn't available, certain key aspects of the tool become unusable (Example: when I try to select a directory for Policy Templates, the directory/location selection area is blank and I cannot select an alternate directory. See screenshot)

-) When running the Baseline installation PS script, there is an error message that is displayed during the installation:

-----
Installing Exploit Protection settings...
Set-ProcessMitigation : Unable to load DLL 'MitigationConfiguration.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)
At C:\sct\Windows 10 Version 1809 and Windows Server 2019 Security Baseline\Local_Script\BaselineLocalInstall.ps1:250 char:1
+ Set-ProcessMitigation -PolicyFilePath $rootDir\ConfigFiles\EP.xml
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-ProcessMitigation], DllNotFoundException
    + FullyQualifiedErrorId : System.DllNotFoundException,Microsoft.Samples.PowerShell.Commands.SetProcessMitigationsCommand
-----

Is there any way to understand what this error is and why it is occurring? Thanks, T.

M365 security recommendations on Block-Listed domain
Don't know if this is the correct place to post my question, but here we go. I'm busy baselining some tenants for customers and I'm struggling with the allow-listing and block-listing of domains to allow sharing and collaborating. Allow-listing all the domains is quite impossible due to the nature of the business, but at least we should be able to block-list certain domains. To do so, I'm trying to find a list of domains which are untrustworthy, and which should definitely be blocked. This as an alternative solution.... In the meantime I'm also building the allow-list, as I know this should be the way to go of course. Any help is welcome, or some feedback from peers who went through the same experience. Thanks already!
Recent Blogs
- Microsoft is pleased to announce the release of the security baseline package for Windows 11, version 24H2! (Dec 24, 2024)
- Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2412. Please download the content from the Micr... (Dec 18, 2024)