Security baseline for Windows Server 2016 Technical Preview 5 (TP5)

Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows Server 2016, corresponding to Technical Preview 5 (TP5). The final version of Windows Server 2016 will differ from the TP5 pre-release, and this security guidance will change as well. Both TP5 and this guidance are offered for evaluation purposes, and we look forward to your feedback.

(Note: the final version of this baseline was published here.)

Our Windows 10 guidance differed dramatically from our past Windows client baselines (as described here), and our evolving Windows Server guidance is following suit. In addition to the changes described in that blog post, there are a few additional differences between this new guidance and both the Windows Server 2012 R2 guidance and the Windows 10 TH2 guidance:

  • The Advanced Audit Policy setting for Account Lockout changed from Success to Success+Failure. We will also make this change in the next revision of our Windows 10 guidance. This change is needed so that account logon failures are audited when the failure reason is that the account is locked out.
  • Some settings not relevant to Windows Server, such as Wi-Fi Sense, are omitted.
  • BitLocker is not included in the Windows Server baseline.
  • Internet Explorer is introducing a new Group Policy control, “Allow only approved domains to use the TDC ActiveX control.” We are enabling that setting in the Internet and Restricted Sites zones. We will also make this change in the next revision of our Windows 10 guidance, where it will be more important.
  • Reverted “Apply local firewall rules” and “Apply local connection security rules” to Not Configured for the Public firewall profile, enabling organizations to make their own decisions. This is a difference from the Windows 10 guidance. Internet-facing servers have varied purposes, and there is a greater need for flexibility in these settings than for Windows clients.
  • Removed the recommendations for specific values in the User Rights Assignments “Replace a process level token” and “Adjust memory quotas for a process.” The defaults are good and the settings are unlikely to be abused for nefarious purposes. Also, during installation some products need to grant these rights to product-specific accounts, and later break when a Group Policy reverts them back to the Windows defaults. We will also make this change in the next revision of our Windows 10 guidance.

This baseline is designed for the Member Server scenario. The final version will also include a baseline for Windows Server 2016 Domain Controller. In addition to the differences between the Member Server and DC baselines for Windows Server 2012 R2 (*), the differences for Windows Server 2016 DCs will include:

  • Do not apply the LAPS setting, “Enable local admin password management,” to DCs.
  • The “Hardened UNC Paths” setting should not be applied to DCs.

(*) You can review the differences between these baselines using Policy Analyzer.
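As an added example, not part of Microsoft's baseline package or of this post, the following PowerShell script reports where a TP5 server currently stands on the settings the bullets above change, and applies the member-server versus Domain Controller split for LAPS and Hardened UNC Paths. It assumes the CSV column name that auditpol /r emits, the AllowLocalFirewallRules and AllowLocalIPsecRules properties of Get-NetFirewallProfile, and the registry paths under HKLM\SOFTWARE\Policies that the Hardened UNC Paths and legacy LAPS ADMX templates write; none of those identifiers come from this post. Run it in an elevated session, since auditpol needs administrative rights.

```powershell
# Added example (not Microsoft's baseline tooling): compare a server against the
# settings this draft baseline changes. Assumed identifiers are noted inline.

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC, 3 = member server.
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
$results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Setting, $Current, [string]$Expected, [bool]$Ok) {
    # $results is resolved from the enclosing scope; Add mutates the shared list.
    $results.Add([pscustomobject]@{ Setting = $Setting; Current = $Current; Expected = $Expected; Ok = $Ok })
}

# 1. Advanced audit policy: Account Lockout must audit Success and Failure so that
#    logon failures caused by a locked-out account are recorded.
#    auditpol /r emits CSV; the "Inclusion Setting" column holds the configured state (assumed column name).
$audit     = auditpol /get /subcategory:"Account Lockout" /r | Where-Object { $_ } | ConvertFrom-Csv
$inclusion = $audit.'Inclusion Setting'
Add-Result 'Audit Account Lockout' $inclusion 'Success and Failure' ($inclusion -eq 'Success and Failure')

# 2. Public firewall profile: the server baseline leaves these Not Configured so the
#    organization decides. Report the effective value instead of flagging it.
$public = Get-NetFirewallProfile -Name Public
Add-Result 'Public: Apply local firewall rules'            $public.AllowLocalFirewallRules 'organization decides (baseline: Not Configured)' $true
Add-Result 'Public: Apply local connection security rules' $public.AllowLocalIPsecRules    'organization decides (baseline: Not Configured)' $true

# 3. Hardened UNC Paths: expected on member servers, must not be applied to DCs.
#    Registry location as written by the Hardened UNC Paths ADMX (assumed).
$hardenedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$hardened    = Get-ItemProperty -Path $hardenedKey -ErrorAction SilentlyContinue
$hardenedPaths = if ($hardened) {
    # Value names are UNC patterns such as \\*\NETLOGON; skip the PS* metadata properties.
    ($hardened.PSObject.Properties | Where-Object { $_.Name -like '\\*' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
} else { '(not set)' }
$hardenedExpected = if ($isDc) { 'not applied on DC' } else { 'applied on member server' }
Add-Result 'Hardened UNC Paths' $hardenedPaths $hardenedExpected (($null -ne $hardened) -ne $isDc)

# 4. LAPS "Enable local admin password management": same member-server/DC split.
#    Registry location as written by the legacy LAPS ADMX (assumed).
$lapsKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$laps    = (Get-ItemProperty -Path $lapsKey -Name AdmPwdEnabled -ErrorAction SilentlyContinue).AdmPwdEnabled
$lapsOn  = ($laps -eq 1)
$lapsExpected = if ($isDc) { 'not applied on DC' } else { 'enabled on member server' }
Add-Result 'LAPS local admin password management' $laps $lapsExpected ($lapsOn -ne $isDc)

# Any row with Ok = False is a deviation from the draft baseline for this server role.
$results | Format-Table -AutoSize
```

The user-rights bullets are deliberately not checked: the baseline no longer prescribes values for “Replace a process level token” and “Adjust memory quotas for a process,” so there is nothing to compare against beyond the Windows defaults. The two Public-profile rows are informational for the same reason, since the baseline leaves them Not Configured.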