This article is contributed. See the original author and article here.

We are pleased to announce the proposed draft release of the security baseline package for Windows 10 and Windows Server, version 20H2 (a.k.a. October 2020 Update)!


Please download this draft baseline (attached to this post), evaluate the proposed baselines, and provide us your comments/feedback below.


This Windows 10 feature update brings very few new policy settings, which we list in the accompanying documentation. At this point, no new 20H2 policy settings meet the criteria for inclusion in the security baseline, but there are a few policies we are going to be making changes to, which we highlight below along with our recommendations.


Block at first sight


We started the journey for cloud protection several years ago. Based on our analysis of the security value versus the cost of implementation, we feel it’s time to add Microsoft Defender Antivirus’ Block At First Sight (BAFS) feature to the security baseline. BAFS was first introduced in Windows 10, version 1607 and allows new malware to be detected and blocked within seconds by leveraging various machine learning techniques and the power of our cloud.


BAFS currently requires 6 settings to be configured. Our baseline already sets 2 of them, Join Microsoft MAPS and Send file sample when further analysis is required. We are now recommending the addition of the following settings to enable BAFS:



  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Configure the ‘Block at first sight’ feature set to Enabled

  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Scan all downloaded files and attachments set to Enabled

  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn off real-time protection set to Disabled

  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Select cloud protection level set to High blocking level


These new settings have been added to the MSFT Windows 10 20H2 and Server 20H2 – Defender Antivirus group policy.


Additional details on BAFS can be found here.


Attack Surface Reduction Rules


We routinely evaluate our Attack Surface Reduction configuration, and based on telemetry and customer feedback we are now recommending configuring two additional Attack Surface Reduction controls under Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules: Use advanced protection against ransomware and Block persistence through WMI event subscription.


Introduced in Windows 10, version 1709, the Use advanced protection against ransomware rule scans any executable file and determines, using advanced cloud analytics, whether the file looks malicious. If so, it is blocked unless the file has been added to an exclusion list. This rule has a cloud dependency, so you must also have Join Microsoft MAPS configured (which is already part of the security baseline).


Block persistence through WMI event subscription is a rule that was released in Windows 10, version 1903. This rule attempts to ensure WMI persistence is not achieved – a common technique adversaries use to evade detection. Unlike many of the other ASR rules, this rule does not allow any sort of exclusions since it is solely based on the WMI repository.


A friendly reminder that the security baselines set all ASR rules to block mode. We recommend first configuring them in audit mode, testing to ensure you understand the impact these rules will have in your environment, and only then configuring them in block mode. Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, MDATP) greatly enhances the experience of testing, deploying, and operating ASR rules. We encourage you to look at the evaluating, monitoring and customizing documentation to better prepare your environment.


These new settings have been added to the MSFT Windows 10 20H2 and Server 20H2 – Defender Antivirus group policy.
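As an added example (not code from the post or the baseline package), a PowerShell check that reads the machine's effective Defender preferences with Get-MpPreference and reports whether the BAFS prerequisites listed above and the two ASR rules are in the recommended state. The expected MAPS and sample-submission values and the ASR rule GUIDs are taken from Microsoft's Defender documentation rather than from this post; run it in an elevated session before and after applying the draft GPO.

```powershell
# Added example (not the post's or the baseline package's own code): audit the local
# machine's effective Defender Antivirus preferences against the BAFS prerequisites and
# the two ASR rules recommended above, using the built-in Defender module (Get-MpPreference).

# ASR rule GUIDs as published in Microsoft's ASR rules reference (they are not in the post).
$AsrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}
$AsrModes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-BaselineDefenderConfig {
    [CmdletBinding()]
    param()

    $pref = Get-MpPreference

    # BAFS prerequisites: the Get-MpPreference property behind each policy and its expected
    # value. MAPSReporting = 2 (Advanced) and SubmitSamplesConsent = 1 (send safe samples)
    # are assumed values for the two settings the post says the baseline already configures.
    $checks = @(
        @{ Setting = 'Join Microsoft MAPS';                         Prop = 'MAPSReporting';             Expect = 2 }
        @{ Setting = 'Send file samples when needed';               Prop = 'SubmitSamplesConsent';      Expect = 1 }
        @{ Setting = "Configure the 'Block at first sight' feature"; Prop = 'DisableBlockAtFirstSeen';   Expect = $false }
        @{ Setting = 'Scan all downloaded files and attachments';   Prop = 'DisableIOAVProtection';     Expect = $false }
        @{ Setting = 'Turn off real-time protection = Disabled';    Prop = 'DisableRealtimeMonitoring'; Expect = $false }
        @{ Setting = 'Select cloud protection level = High';        Prop = 'CloudBlockLevel';           Expect = 2 }
    )
    foreach ($c in $checks) {
        $actual = $pref.($c.Prop)
        [pscustomobject]@{ Setting = $c.Setting; Expected = $c.Expect; Actual = $actual; Pass = ($actual -eq $c.Expect) }
    }

    # ASR rules: _Ids and _Actions are parallel arrays; a rule absent from _Ids is not configured.
    $ids = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    foreach ($id in $AsrRules.Keys) {
        $idx    = [array]::IndexOf($ids, $id)
        $action = if ($idx -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$idx] } else { 0 }
        # Baseline value is Block (1); the post recommends running in Audit (2) first.
        [pscustomobject]@{ Setting = "ASR: $($AsrRules[$id])"; Expected = 'Block'; Actual = $AsrModes[$action]; Pass = ($action -eq 1) }
    }
}

# Report only the settings that differ from the draft baseline.
Test-BaselineDefenderConfig | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```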


 


UEFI MAT


You might recall in the draft release of our security baseline for Windows 10, version 1809 we enabled UEFI Memory Attributes Tables, but based on your feedback we removed that recommendation from the final version (thank you to the testers who provided that feedback!). After further testing and discussions, we are again recommending that you enable Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security\Require UEFI Memory Attributes Table.


Microsoft Edge


Starting with Windows 10, version 20H2, the new Microsoft Edge (based on Chromium) is installed as part of the operating system. Please ensure you are applying the security baseline for Microsoft Edge to your Windows 10, version 20H2 machines. We have gotten questions about including it in the Windows security baseline, but since Microsoft Edge is a cross-platform product and has a different release cadence, we are going to keep it a separate security baseline.


Baseline criteria


We follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially:



  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.

  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks it mitigates.

  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:

    • If a non-administrator can set an insecure state, enforce the default.

    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.



For additional discussion, please see the “Why aren’t we enforcing more defaults?” section in this blog post.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.