Security baseline for Windows 10 (v1507, build 10240, TH1, LTSB) -- UPDATE

Based on continuing discussions with security experts in Microsoft, the Center for Internet Security, and customers, we are publishing a few changes to the security configuration baseline recommendations for Windows 10, version 1507. Version 1507 was the original RTM release of Windows 10, and is also known as "Build 10240," "Threshold 1," or "TH1." Version 1507 is also the current Long Term Servicing Branch (LTSB) build, which is the primary reason for continuing to update the baseline for this version. Those who are not relying on the LTSB track should have already updated to version 1511. Note that we are simultaneously releasing final guidance for version 1511, also known as "November Update," "Build 10586," "Threshold 2," or "TH2."

These are the updates we have made:

  • Removed configuration of "Allow unicast response" from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is miniscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide "Interactive logon: Machine inactivity limit" setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for "Recovery console: Allow automatic administrative logon." This setting has been obsolete since Windows XP and its removal just got missed until now.

This specific baseline will be delivered only through the downloadable attachment to this blog post. The attachment includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will not be publishing SCM .CAB files for this baseline, as we are focusing our SCM resources on the “Threshold 2” release.

Windows 10 Security Baseline.zip