
Windows 11, version 24H2 security baseline

by info.odysseyx@gmail.com
Microsoft is pleased to announce the release of the Security Baseline Package for Windows 11, version 24H2!

Download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize and implement them as appropriate for your environment.

This release includes several changes that further support security for enterprise customers, including additional protection for LAN Manager, Kerberos and User Account Control, updated Microsoft Defender Antivirus settings, and more.

Mark of the Web

You may have seen our previous discussions of the Mark of the Web (MotW) in the baseline. A new setting has been added and configured under Windows Components\File Explorer\Do not apply the Mark of the Web to files copied from insecure sources. The baseline enforces this setting with the value Disabled, which means MotW is applied when files are copied from a network share that falls into the Internet zone to the local file system. Optionally, zone mapping can be used to place file shares you consider trustworthy in the Trusted sites or Local intranet zone, so that files copied from them are not marked.
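The following PowerShell is an added example, not part of the baseline package or of this post: it reads the MotW a copied file carries (the Zone.Identifier alternate data stream) and maps a share host to the Local intranet zone. It assumes a hypothetical host named fileserver01, and that writing a value under the ZoneMapKey policy key has the same effect as an entry in the Site to Zone Assignment List policy. Run it in an elevated session.

```powershell
# Added example (not part of the baseline or Microsoft's tooling).
# Assumptions: fileserver01 is a hypothetical host; the ZoneMapKey policy key
# mirrors the "Site to Zone Assignment List" policy (REG_SZ: name = site, data = zone).

# MotW lives in the Zone.Identifier alternate data stream (NTFS only).
# ZoneId values: 0 local machine, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted.
function Get-MotwZoneId {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null            # no Zone.Identifier stream: the file carries no MotW
    }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    }
    return $null
}

# Assign a site (e.g. 'file://fileserver01') to a zone via the policy ZoneMapKey.
function Set-SiteZoneAssignment {
    param(
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][ValidateSet(1, 2, 3, 4)][int]$Zone
    )
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Site -Value "$Zone" -PropertyType String -Force | Out-Null
}

# Report the MotW zone of every file under a directory (a Downloads folder, a copied tree).
function Get-MotwReport {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -File -Recurse | ForEach-Object {
        [pscustomobject]@{ File = $_.FullName; ZoneId = Get-MotwZoneId -Path $_.FullName }
    }
}

# Usage against the hypothetical share; the copy step is skipped if it is not reachable.
Set-SiteZoneAssignment -Site 'file://fileserver01' -Zone 1
if (Test-Path '\\fileserver01\tools') {
    Copy-Item '\\fileserver01\tools\*' -Destination "$env:TEMP\motw-test" -Recurse -Force
    Get-MotwReport -Directory "$env:TEMP\motw-test" | Format-Table -AutoSize
}
```

A ZoneId of 3 in the report is the mark the baseline setting now preserves; files copied from a host mapped to zone 1 should show no Zone.Identifier stream at all. Shares reached by FQDN or IP address are typically classified into the Internet zone, and a GPO-managed Site to Zone Assignment List overwrites entries written locally, so keep the mapping in the policy rather than on individual machines.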

LAN Manager

With each release, we perform a complete review of the settings in the security baseline. Based on our latest review, we are updating our recommended settings for LAN Manager (Lanman), covering both Lanman Server and Lanman Workstation.

  • Network\Lanman Server
    • Audit client does not support encryption – Enabled
    • Audit client does not support signing – Enabled
    • Audit insecure guest logons – Enabled
    • Enable authentication rate limiter – Enabled
    • Enable remote mailslots – Disabled
    • Mandate the maximum version of SMB – Enabled: SMB 3.1.1
    • Mandate the minimum version of SMB – Enabled: SMB 3.0.0
    • Set authentication rate limiter delay (milliseconds) – Enabled: 2000
  • Network\Lanman Workstation
    • Audit insecure guest logons – Enabled
    • Audit server does not support encryption – Enabled
    • Audit server does not support signing – Enabled
    • Enable remote mailslots – Disabled
    • Mandate the maximum version of SMB – Enabled: SMB 3.1.1
    • Mandate the minimum version of SMB – Enabled: SMB 3.0.0
    • Require Encryption – Disabled (enabling it makes the client refuse every server that does not support SMB encryption)
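The following PowerShell is an added example, not part of the baseline package or of this post: it compares the effective SMB server and client configuration with the Lanman values listed above and can optionally push them with the Set-Smb* cmdlets. It assumes the property names match the Windows 11 24H2 output of Get-SmbServerConfiguration and Get-SmbClientConfiguration, and that dialects are reported as strings such as SMB300 and SMB311; a property absent on an older build is reported as MISSING rather than as a failure.

```powershell
# Added example (not part of the baseline or Microsoft's tooling). Run elevated.
# Assumption: property names and dialect strings match the 24H2 SMB cmdlets.

$serverExpected = [ordered]@{
    AuditClientDoesNotSupportEncryption = $true
    AuditClientDoesNotSupportSigning    = $true
    AuditInsecureGuestLogon             = $true
    EnableAuthRateLimiter               = $true
    EnableMailslots                     = $false
    Smb2DialectMax                      = 'SMB311'   # SMB 3.1.1
    Smb2DialectMin                      = 'SMB300'   # SMB 3.0.0
    InvalidAuthenticationDelayTimeInMs  = 2000
}
$clientExpected = [ordered]@{
    AuditInsecureGuestLogon             = $true
    AuditServerDoesNotSupportEncryption = $true
    AuditServerDoesNotSupportSigning    = $true
    EnableMailslots                     = $false
    Smb2DialectMax                      = 'SMB311'
    Smb2DialectMin                      = 'SMB300'
    RequireEncryption                   = $false     # the baseline leaves this Disabled
}

# Compare one configuration object with its expected table; one row per setting.
function Test-SmbBaseline {
    param(
        [Parameter(Mandatory)][psobject]$Actual,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Expected,
        [Parameter(Mandatory)][string]$Side
    )
    foreach ($name in $Expected.Keys) {
        $prop = $Actual.PSObject.Properties[$name]
        if ($null -eq $prop) {
            $state = 'MISSING'; $value = $null
        } elseif ("$($prop.Value)" -eq "$($Expected[$name])") {
            $state = 'OK'; $value = $prop.Value
        } else {
            $state = 'DRIFT'; $value = $prop.Value
        }
        [pscustomobject]@{
            Side = $Side; Setting = $name; Expected = $Expected[$name]; Actual = $value; State = $state
        }
    }
}

# Run the check; with -Remediate, apply the expected values locally.
# On a domain-joined machine the GPO is authoritative, so remediate stand-alone hosts only.
function Invoke-SmbBaselineCheck {
    param([switch]$Remediate)
    $results = @(
        Test-SmbBaseline -Actual (Get-SmbServerConfiguration) -Expected $serverExpected -Side 'Server'
        Test-SmbBaseline -Actual (Get-SmbClientConfiguration) -Expected $clientExpected -Side 'Client'
    )
    if ($Remediate) {
        $serverFix = @{}; $clientFix = @{}
        foreach ($d in ($results | Where-Object State -eq 'DRIFT')) {
            if ($d.Side -eq 'Server') { $serverFix[$d.Setting] = $d.Expected }
            else                      { $clientFix[$d.Setting] = $d.Expected }
        }
        if ($serverFix.Count) { Set-SmbServerConfiguration @serverFix -Confirm:$false }
        if ($clientFix.Count) { Set-SmbClientConfiguration @clientFix -Confirm:$false }
    }
    return $results
}

Invoke-SmbBaselineCheck | Format-Table Side, Setting, Expected, Actual, State -AutoSize
```

Before rolling the minimum dialect out, check the DRIFT rows on a few representative hosts: mandating SMB 3.0.0 as the minimum refuses any peer that only speaks SMB 2.0.2 or 2.1, and the audit settings above exist precisely so that you can find such peers in the event log before the mandate takes effect.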

Configure Hash Algorithm for Certificate Logon

New settings under System\KDC and System\Kerberos have been added to provide cryptographic agility for smart card logon. They allow you to configure the hash algorithms used for certificate-based smart card (PKINIT) authentication in Kerberos, and in particular to prevent SHA-1 from being used. The baseline recommends supporting SHA-256, SHA-384, and SHA-512 and not supporting SHA-1. Note that these settings only take effect when both the client and the KDC are configured this way, and the KDC-side setting requires Windows Server 2025 domain controllers.

sudo command

This setting, located under System\Configure the behavior of the sudo command, controls how the sudo command behaves. Sudo for Windows can become a privilege escalation vector when enabled in certain configurations (notably the inline mode, in which the unelevated and elevated processes share the same console). The baseline sets this to Disabled, which turns Sudo for Windows off.

Microsoft Defender Antivirus

Microsoft Defender Antivirus (MDAV) plays an important role in the security story. We’re constantly improving our product, and this release includes six new settings.

  • Windows Components\Microsoft Defender Antivirus\Control whether exclusions are visible to local users – Enabled
  • Windows Components\Microsoft Defender Antivirus\Features\Enable EDR in block mode – Enabled
  • Windows Components\Microsoft Defender Antivirus\Network Inspection System\Convert warn verdict to block – Enabled
  • Windows Components\Microsoft Defender Antivirus\Real-time Protection\Configure real-time protection and Security Intelligence Updates during OOBE – Enabled
  • Windows Components\Microsoft Defender Antivirus\Reporting\Configure whether to report Dynamic Signature dropped events – Enabled
  • Windows Components\Microsoft Defender Antivirus\Scan\Scan excluded files and directories during quick scans – Enabled: 1

User Account Control

Two settings have been added that affect User Account Control:

  • Administrator protection isolates sensitive data and processes, providing an additional layer of protection against malware and other threats. For administrators running with Administrator protection, the baseline configures the elevation prompt, in the security template under Security Options\User Account Control: Behavior of the elevation prompt for administrators running with Administrator protection, to Prompt for credentials on the secure desktop.
  • The second policy controls whether Administrator protection applies to Admin Approval Mode elevations. It is located in the security template under Security Options\User Account Control: Configure type of Admin Approval Mode and is recommended to be set to Admin Approval Mode with Administrator protection.

Additional items to consider

The following settings should be evaluated based on your environment.

Delegated Managed Service Account (dMSA)

We have introduced a new policy, Enable Delegated Managed Service Account (dMSA) logon, under System\Kerberos. It controls dMSA logon on the computer: if you enable it, dMSA logon is supported on Kerberos clients. Review the prerequisites before adjusting the policy setting.

dMSA is disabled by default because domain controllers (DCs) must also be upgraded to Windows Server 2025 for the feature to work properly. If your DC runs a version prior to Server 2025, dMSA will not receive the required schema updates.

If your DCs are upgraded to Windows Server 2025, we recommend enabling this policy on both the client side and the DC side. Once enabled, you may need to specify a realm, that is, a domain or portion of the directory in which the dMSA account can be authenticated and accessed. Subdomains still on previous server versions can continue to interact with the account while maintaining a secure perimeter, which lets the feature transition and coexist more smoothly in mixed-version environments. For example, if you have a primary domain corp.contoso.com running Windows Server 2025 and an older subdomain Legacy.corp.contoso.com running an earlier version (such as Windows Server 2022), you can specify the realm as Legacy.corp.contoso.com. For more information, see Setting up a delegated managed service account (dMSA) in Windows Server 2025.

Windows Protected Print

Windows Protected Print (WPP) is a new, modern, more secure print stack for Windows, built from the ground up with security in mind. WPP blocks the installation of third-party print drivers and hardens the entire print stack against attack. WPP is designed to work with Mopria-certified printers. Although it is not yet configured in the security baseline, we recommend evaluating the Printers\Windows Protected Print setting, as we plan to enable this important feature in a future version of the baseline. You can learn more about the security benefits in the blog post.

Microsoft Defender Antivirus

There are several Microsoft Defender Antivirus (MDAV) settings to consider.

  • Windows Components\Microsoft Defender Antivirus\Real-time Protection\Configure performance mode state is useful for developers using Dev Drive on Windows 11. More information about Dev Drive can be found here.

The following two settings apply only to VDI environments:

  • Turning on Windows Components\Microsoft Defender Antivirus\Network Inspection System\Asynchronous scanning helps ensure that network inspection does not slow down scanning.
  • The VDI client setting under Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates controls how Security Intelligence Updates are delivered to VDI clients.

Other changes

After receiving feedback from our support engineers about the numerous issues being tracked, we have decided to remove System\Group Policy\Configure registry policy processing from the security baseline.

Since the last release, several minor inconsistencies between the documentation and the Group Policy objects were discovered; all of them have now been resolved.

Please let us know your thoughts by commenting on this post or through the Security Baseline Community.
