Security Baseline for Windows 11: All You Need to Know

essidsolutions

Microsoft released Windows 11 in October 2021 along with the Windows 11 security baseline, which provides better protection than its predecessor Windows 10. Here, we analyze the core features of the Windows 11 security baseline, its implementation, what’s new in security updates, and what’s gone.

Securing an enterprise is a tall order today. Hybrid IT architectures and remote work strategies have greatly expanded the size of the IT estate that must be protected. Now add all the computing devices that employees utilize on the job. 

Let’s take Windows devices, for instance. Sure, there are great policy-making tools such as Group Policy and Microsoft Endpoint Manager (MEM) to deploy and enforce security settings. Still, Group Policy has more than 3,000 settings for Windows 10 alone, with another 2,000 settings devoted to web browsers. Only a small portion of these settings are dedicated to security, but who has the time to sort through all of those? Then there is the growing number of MDM settings, introduced at a rapid pace, that admins must keep up with. There’s no doubt that IT and cybersecurity teams can use all the help they can get regarding security. That’s the premise behind security baselines.

What is a Microsoft security baseline?

A Microsoft security baseline is a collection of assigned configuration settings that Microsoft security experts construct. They are based on the feedback of product groups, partners, and customers. Microsoft then packages these security baselines for management systems such as Group Policy and MEM. The settings are tested not only for security purposes but also for compatibility. These baselines only implement a setting if it alleviates a known security hazard and does not cause operational difficulties that might be worse than the risks it addresses. These baselines enforce default settings that override an insecure state that a non-administrative user might attempt to enable. These pre-configured setting collections conveniently allow security-minded organizations to secure end-user devices and ensure compliance.

Microsoft offers a security baseline for several products, such as Windows 10, Windows 11, Edge, and Office 365. Note that the Windows 10 Security Baselines apply to Windows 11 devices for settings common to both operating systems. What’s more, Microsoft continues to update these baselines periodically as security threats evolve.

Implementing the Windows 11 Security Baseline

Microsoft released the Windows 11 Security baseline for Group Policy in October of 2021. The first step is to download the baseline from the Microsoft website.

As you can see from the screenshot below, the package comprises various folder directories.

The Windows 11 ADMX/ADML templates are required for the baseline to apply the recommended settings. You may already have them, but there are several ways to get them if not. You can download them from the Microsoft website or find them in the C:\Windows\PolicyDefinitions folder on any domain-joined Windows 11 machine. These two methods will get you all the latest template files. The Templates folder shown above only contains the templates you need to deploy the baseline. These enclosed template files are shown below.

However we get the templates, we need to copy them into the central store on our domain controller. The central store is in the SYSVOL folder.
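The copy into the central store can be scripted. The following is an added example, not part of the baseline package or the original article; the `$TemplatePath` default is a hypothetical extract location, and the script assumes it runs from a domain-authenticated admin session.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical location of the extracted baseline package's Templates folder
    [string]$TemplatePath = 'C:\Temp\Win11-Baseline\Templates'
)

$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'Run this from a domain-joined, domain-authenticated session.' }

# Central store location inside SYSVOL
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
if (-not (Test-Path $central)) {
    # Once a central store exists, the Group Policy editors read ADMX files only from it,
    # so seed it with the full template set first instead of creating it here.
    throw "No central store at $central. Create and populate it with the full ADMX set first."
}

$root = (Resolve-Path $TemplatePath).Path.TrimEnd('\')

# ADMX files sit in the root, ADML language files in per-locale subfolders such as en-US
Get-ChildItem -Path $root -Recurse -File -Include *.admx, *.adml | ForEach-Object {
    $relative = $_.FullName.Substring($root.Length + 1)
    $target   = Join-Path $central $relative
    $dir      = Split-Path $target -Parent
    if (-not (Test-Path $dir)) { New-Item -Path $dir -ItemType Directory | Out-Null }

    # Keep a newer template that is already in the central store
    if ((Test-Path $target) -and ((Get-Item $target).LastWriteTimeUtc -gt $_.LastWriteTimeUtc)) {
        Write-Warning "Skipped $relative (central store copy is newer)"
        return
    }
    Copy-Item -Path $_.FullName -Destination $target -Force
    Write-Verbose "Copied $relative"
}
```

Run it with `-WhatIf` first to list the files that would be written without touching SYSVOL.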


The package’s primary goal is to import new security baselines. The attached scripts can be used to integrate these policies either locally or into AD. To get extensive domain coverage, I am importing them into my AD environment using the scripts shown below.

Domain Security GPO

We can now explore some of the features in the baseline package. A GPO named MSFT Windows 11 – Domain Security is included in the baseline. Before blindly implementing the baseline, you need to know the new password length that this baseline enforces. While Microsoft has traditionally followed the 8-character password standard that most organizations adhere to, the baseline has been pushed up to 14 characters, so make sure your users are ready for it. The reason for this is simple. The 8-character password is easily exploited today thanks to increased CPU power and advanced password cracking utilities that make an 8-character password vulnerable within hours. You can see the new password requirement in the screenshot below.

Changing password rules is a major issue. Not only will the users complain about lengthier passwords, but we will also need to make sure that all of our systems and apps are compatible with this length of password before implementing this policy. Thus, it is better to first activate the ‘MinimumPasswordLengthAudit’ Group Policy setting, which can be found in Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password length audit. Enabling this option will provide you with information about the effects of lengthening your password.
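To turn the audit setting into a list of affected accounts, collect the audit events from the domain controllers. This is an added example, not from the original article: it relies on Microsoft's documented event ID 16978 (source Directory-Services-SAM, System log) for passwords shorter than the audit length, and the `AccountName:` message layout it parses is an assumption to verify against an event on your own DCs.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to read the System log on each DC
Import-Module ActiveDirectory

$since    = (Get-Date).AddDays(-30)
$enforced = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
Write-Host "Currently enforced minimum password length: $enforced"

$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    $filter = @{ LogName = 'System'; Id = 16978; StartTime = $since }

    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Directory-Services-SAM' } |
        ForEach-Object {
            # Assumed message layout: a line of the form "AccountName: <name>"
            $account = '(unparsed)'
            if ($_.Message -match 'AccountName:\s*(\S+)') { $account = $Matches[1] }

            [pscustomobject]@{
                DC      = $dc.HostName
                Time    = $_.TimeCreated
                Account = $account
            }
        }
}

# One row per account: how often it set a too-short password and when it last did so
$hits | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Name
        Events   = $_.Count
        LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
    }
} | Sort-Object Events -Descending | Format-Table -AutoSize
```

Service and application accounts that appear in this report are the ones to test against the longer length before the 14-character minimum is enforced.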

Microsoft Legacy Edge is no more

Microsoft Edge Legacy was phased out in 2021, and it is not included in Windows 11. This means that all the compatible settings were eliminated from the baseline because only Chromium Edge is supported. This also means that you can delete any GPOs already in production dedicated to enforcing Legacy Edge settings within your Group Policy environment.

Restrict printer driver installations

In the summer of 2021, PrintNightmare came to the surface. It involved a bug in the Windows Print Spooler service that made the local system vulnerable to a remote attacker. In July, Microsoft announced CVE-2021-34527 and resolved the code execution vulnerability in the Windows Print Spooler service. The security baseline includes the settings that strip standard users of printer driver installation rights, as shown below.
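Whether the printer driver restriction has actually reached an endpoint can be checked from the policy registry key. This is an added example, not taken from the baseline package; the value names come from Microsoft's Point and Print guidance for CVE-2021-34527, and treating the two prompt values as acceptable when not configured is an assumption of this check.

```powershell
function Test-PrintDriverRestriction {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    # Wanted value per setting, and whether "not configured" also counts as compliant
    $checks = @(
        @{ Name = 'RestrictDriverInstallationToAdministrators'; Want = 1; AbsentOk = $false }
        @{ Name = 'NoWarningNoElevationOnInstall';              Want = 0; AbsentOk = $true  }
        @{ Name = 'UpdatePromptSettings';                       Want = 0; AbsentOk = $true  }
    )

    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    foreach ($c in $checks) {
        $actual = $null
        if ($props) { $actual = $props.($c.Name) }

        if ($null -eq $actual) {
            $shown     = '(not set)'
            $compliant = $c.AbsentOk
        } else {
            $shown     = $actual
            $compliant = ($actual -eq $c.Want)
        }

        [pscustomobject]@{
            Setting   = $c.Name
            Actual    = $shown
            Expected  = $c.Want
            Compliant = $compliant
        }
    }
}

Test-PrintDriverRestriction | Format-Table -AutoSize
```

A non-zero value in either prompt setting lets driver installs skip the elevation prompt, so a row marked non-compliant there undermines the administrator-only restriction even when the first value is 1.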

There are a few other settings you can explore in the baseline package, such as forced script scanning. Keep in mind that new settings will be added to new baselines in the future.

Security Baselines in Microsoft Endpoint Manager

Microsoft hasn’t provided a Windows 11 security baseline for MEM (Intune) yet. We still have the Windows 10 Security Baseline, however. Below are the security baselines currently available in the Microsoft MDM. 

Conclusion

Security Baselines are a great way to secure Windows endpoint devices, especially for SMBs that don’t have sufficient staff, time, or knowledge base to create their own configuration policies. If you are new to security baselines, it might be a good idea to apply them to other products as well.