Windows 10 1909 Drops Exploit Protection From Security Baseline

Windows 10 1909 Drops Exploit Protection From Security Baseline

Microsoft released the final version of its security configuration baseline settings for Windows 10 Version 1909 and Windows Server Version 1909, and also announced the removal of Exploit Protection settings and explicit enforcement of 30-day account password expiration for domain-joined devices.

Windows 10’s security baseline enables enterprise security administrators to use Microsoft-recommended Group Policy Object (GPO) baselines for boosting the overall security posture of a system and reduce its overall attack surface.

“A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact,” as Microsoft explains on its documentation website. “These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.”

“The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights,” Microsoft Cybersecurity Services Consultant Aaron Margosis said in an announcement made yesterday.

Baselines enforce a setting only if it will mitigate a contemporary security threat and if it will not cause operational issues worse than the security risks they defend against. Also, baselines enforce defaults only if users or misinformed admins would otherwise configure it in an insecure state.

Security baseline changes for Windows 10 version 1909

Microsoft made several changes to the Windows 10 1909 recommended security settings among which the removal of previously-recommended Exploit Protection settings, dropping restrictions on Thunderbolt devices in the BitLocker GPO, and the removal of explicit enforcement of the default 30-day machine account password expiration for domain-joined systems stand out.

For starters, Redmond dismissed the Exploit Protection settings that got included with the Windows 10 1709 baselines because of compatibility issues. A PowerShell script is provided in the Scripts folder to removing the settings from machines where the Exploit Protection settings have already been applied.

The explicit enforcement of 30-day machine account password expiration was also removed from the security baselines for Active Directory domain-joined computers. “Situations that necessitate disabling machine account password expiration can now be handled without being out of compliance with our baselines,” Margosis said.

“The risks of turning off machine account password expiration are relatively low. To steal a computer account password, you must first have already gained full administrative control of the computer,” he added. “Having a computer account’s password gives you only the ability to act as that computer on the network from other systems.”

Restriction related to Thunderbolt devices were also removed from the Windows 10 version 1909 security baseline because the direct memory access (DMA) side-channel attacks on BitLocker the could be used for can now be mitigated with kernel DMA protection.  

“Customers on platforms that do not support kernel DMA protection can choose to continue blocking Thunderbolt, but we are no longer including it in our broad recommendations for all customers,” Margosis stated.

Previous changes in the Windows 10 security baselines

Microsoft also dropped password expiration policies starting with the Windows 10 May 2019 Update, advising customers to replace them with password-security practices such as multi-factor authentication, detection of anomalous log on attempts, detection of password-guessing attacks, and the enforcement of banned passwords lists like Azure AD’s password protection.

This change followed a U.S. National Institute for Standards and Technology (NIST) special publication that urged government organizations to remove password expiration policies, recommending forced password changes only after fraudulent activity is detected. 

The enforcement of the built-in Administrator and Guest accounts being disabled by default and the requirement for administrators to enable 256-bit BitLocker encryption (because the default 128-bit encryption is in no danger of “being broken in the foreseeable future”) were also removed in the 1903 baselines.

The Windows 10 1909 security baseline is available for download via the Microsoft Security Compliance Toolkit, and it includes Group Policy Object (GPO) backups and reports, scripts to apply settings to the local GPO, as well as Policy Analyzer rules files.

More details on the changes implemented in the final version of the Windows 10 1909 baseline is available on the Microsoft Security Baselines Blog blog post announcing the release.