Hardening Windows Using Microsoft Security Baseline

Microsoft Security Baseline contains recommended settings Microsoft suggests for Windows workstations and servers to provide secure configuration and protect domain controllers, servers, computers, and users.

Microsoft has developed reference Group Policy Objects and templates based on the Security Baselines. Administrators can apply them in their AD domains. The security settings in the Microsoft Security Baseline GPO enable administrators to protect Windows infrastructure in accordance with the latest global security best practices.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Windows queries.

In this context, we shall look into how to harden Windows Using Microsoft Security Baseline.

Hardening Windows Using Microsoft Security Baseline

 Today, let us see how to implement Microsoft Security Baseline GPOs in our domain.

We can use security baselines to:

1. Firstly, ensure that user and device configuration settings are compliant with the baseline.

2. Secondly, set configuration settings. For example, we can use Group Policy, Microsoft Endpoint Configuration Manager or Microsoft Intune to configure a device with the setting values specified in the baseline.

Reference Microsoft Security Baseline Group Policies are a part of Microsoft Security Compliance Manager (SCM). SCM is a free product that contains multiple tools to analyze, test and apply the best practices and current security recommendations for Windows and other Microsoft products.

Microsoft Security Compliance Toolkit is available following this link: https://www.microsoft.com/en-us/download/details.aspx?id=55319

We can download these tools:

i. LGPO is used to manage local GPO settings.

ii. PolicyAnalyzer is a tool to analyze existing Group Policies and compare them with the reference policies in the Security Baseline.

iii. SetObjectSecurity

The Security Baseline archive for each Windows version contains several folders:

i. Documentation contains XLSX and PDF files with the detailed description of the settings applied in the Security Baseline.

ii. GP Reports has HTML reports with the GPO settings to be applied.

iii. GPOs – contains GPO objects for different scenarios. We can import the policies to our Group Policy Management (GPMC) console.

iv. Scripts contains PowerShell scripts to easily import GPO settings to domain or local policies: Baseline-ADImport.ps1, Baseline-LocalInstall.ps1, Remove-EPBaselineSettings.ps1, MapGuidsToGpoNames.ps1.

v. Templates – additional ADMX/ADML GPO templates (for example, AdmPwd.admx contains local password management settings for LAPS, MSS-legacy.admx, SecGuide.admx).

There are GPO Security Baseline templates for different Windows infrastructure elements:

Policies for computers, users, domain servers, domain controllers (there is a separate policy for virtual DCs), as well as Internet Explorer, BitLocker, Credential Guard and Windows Defender Antivirus settings. Configured Group Policies for various scenarios are located in the GPOs folder.

Note that there is a separate Security Baseline set for each Windows Server version or Windows 10 build.

In order to, extract the archive with the Security Baseline version matching our Windows version and open the Group Policy Management (gpmc.msc) console.

1. Firstly, copy ADMX templates to the SYSVOL PolicyDefinitions folder (GPO Central Store) on our DC.

2. Then, create a new GPO with the name Windows 10 2004 Security Baseline.

3. Next, right-click the GPO and select Import Settings.

4. Then, specify a path to the Security Baseline file for our Windows version as a Backup Location.

5. Next, import a policy with the computer settings. Select MSFT Windows 10 2004 – Computer (using the View Settings button, we can view the policy settings in the form of a gpresult report).

6. Then, we are prompted to select how to migrate reference links to security objects and UNC paths. Since the policy is new, select Copying them identically from the source.

7. Then, the reference Security Baseline policy settings for computers running Windows 10 2004 will be imported to our GPO.

To apply the Group Policy object only to computers running the specific Windows build, use GPO WMI filters. For example, for Windows 10 2004, we can use the following WMI filter:

Select Version,ProductType from Win32_OperatingSystem WHERE Version LIKE “10.0.19041%” and ProductType = “1”

Then, apply the filter to our policy and link the policy to the Organizational Unit we need.

In the same way, we can import Security Baselines for users, domain controllers, domain member servers, etc.

Security Baseline contains dozens or even hundreds of settings. Let us see a few security settings:

i. Firstly, managing the program start and installation rules: AppLocker (Software Restriction Policies), UAC and Windows Installer

ii. Then, domain password and account lockout policies

iii. Next, privileged account restrictions

iv. Next, snonymous access restrictions

v. Then, audit policy settings to get information about all events and user logon history

vi. LSA memory protection

vii. Access to peripherals (including printer and USB installation policies)

viii. Disabling NetBIOS and NTLM protocols

ix. Settings of Remote Assistance, shadow connections, RDS timeouts, CredSSP Oracle Remediation

x. PowerShell Execution Policy

xi. Then, configuration of Windows Error Reporting

xii. Management of Windows Firewall rules

xiii. WinRM settings

xiv. Disabling the built-in administrator account

xv. Hardened UNC paths policy

xvi. Finally, disabling SMBv1

If we want to protect our home computer running Windows 10, we can apply Security Baseline settings on it using a ready PowerShell script.

Allow unsigned scripts to run:

Set-ExecutionPolicy -Scope Process Unrestricted

Apply the policy:

Baseline-LocalInstall.ps1 -Win10NonDomainJoined

Usually, microsoft Security Baseline settings can enhance the security of our Windows infrastructure and help to make sure that the same settings are applied to all computers (including new ones) on our network.

[Need help to harden Nagios XI server? We'd be happy to assist. ]


This article covers Hardening Windows Using Microsoft Security Baseline.

Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information.

The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.

A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

How can you use security baselines?

You can use security baselines to:

1. Ensure that user and device configuration settings are compliant with the baseline.

2. Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.