Windows Server Security Baselines
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Windows Server Security Baselines: Securing the Foundation
When you first install Windows Server, Microsoft provides a configuration designed for maximum compatibility. This makes sense from a sales perspective; they want the server to work out of the box with as many applications and hardware configurations as possible. However, "maximum compatibility" is often the opposite of "maximum security." A default installation leaves numerous legacy protocols enabled, keeps unnecessary services running, and maintains permissive user rights that an attacker can easily exploit. To move from a vulnerable default state to a hardened production state, we use security baselines.
A security baseline is a group of Microsoft-recommended configuration settings that are based on feedback from security engineers, product groups, partners, and customers. These baselines are not just a list of "good ideas"; they are tested, holistic configurations that reduce the attack surface of your operating system without breaking core functionality. In this lesson, we will explore how to find these baselines, how to analyze the differences between your current state and the recommended state, and how to deploy these settings across your infrastructure using the Microsoft Security Compliance Toolkit.
Understanding the Landscape of Security Baselines
Before we jump into the technical implementation, it is important to understand where these baselines come from and why we choose one over another. Microsoft is the primary source for Windows Server baselines, but they are not the only ones. Organizations with high-security requirements often look to the Center for Internet Security (CIS) or the Defense Information Systems Agency (DISA) for even more stringent "STIGs" (Security Technical Implementation Guides).
Microsoft baselines are generally seen as the standard starting point for most enterprises. They strike a balance between high security and operational stability. When Microsoft releases a new version of Windows Server, they eventually release a corresponding security baseline that addresses the specific features and threats associated with that version. These baselines are delivered as part of the Microsoft Security Compliance Toolkit (MSCT), which includes Group Policy Objects (GPOs), scripts, and tools to manage them.
Callout: Microsoft Baselines vs. CIS Benchmarks
While Microsoft Baselines focus on a balance of security and functionality vetted by the product developers themselves, CIS Benchmarks are developed by a global community of security professionals. CIS Benchmarks often include "Level 1" (standard) and "Level 2" (high security) profiles. Microsoft baselines are excellent for general enterprise use, whereas CIS Benchmarks are often required for organizations needing to meet specific regulatory compliance standards like PCI-DSS or HIPAA.
The Microsoft Security Compliance Toolkit (MSCT)
The Microsoft Security Compliance Toolkit is the modern replacement for the old Security Compliance Manager (SCM) tool. It is a set of tools that allows enterprise security administrators to download, analyze, test, and edit Windows security configuration baselines. Unlike the older SCM, which was a heavy database-driven application, the MSCT is lightweight and consists of several standalone utilities.
The most important components of the toolkit are:
- Policy Analyzer: A tool for comparing sets of Group Policy Objects (GPOs). It helps you identify redundant settings or contradictions between different policy sets.
- LGPO.exe (Local Group Policy Object): A command-line utility used to automate the management of local group policies. This is essential for applying baselines to non-domain-joined servers or during the imaging process.
- Set-ObjectSecurity: A PowerShell module that allows you to set the security descriptor of almost any type of Windows object (files, keys, services, etc.).
When you download a baseline from the Microsoft site, you receive a ZIP file containing documentation (in Excel format), GPO backups, and scripts to import those GPOs into your Active Directory environment.
Step-by-Step: Implementing a Security Baseline
Implementing a baseline is not a "set it and forget it" task. It requires a methodical approach to ensure that you don't inadvertently shut down critical business services. Follow these steps to implement a baseline safely.
Step 1: Download and Extract the Baseline
First, you must download the version of the baseline that matches your specific Windows Server version (e.g., Windows Server 2022). Once downloaded, extract the contents to a secure administrative workstation. You will typically see folders for GPOs, Scripts, and Templates.
Step 2: Analyze the Impact with Policy Analyzer
Before applying anything, you need to know what is going to change. Policy Analyzer allows you to compare your current "Effective Policy" against the new Microsoft Baseline.
- Open
PolicyAnalyzer.exe. - Click Add to create a new set of rules to compare.
- Select File > Add files from GPO backups and point it to the
GPOsfolder in your downloaded baseline. - Once imported, select your current local policy and the new baseline, then click View/Compare.
The resulting table will show you exactly which settings differ. For instance, the baseline might set Restrict anonymous access to Named Pipes and Shares to Enabled, while your current server has it Disabled. This visibility is crucial for predicting potential application failures.
Step 3: Customizing the Baseline
Rarely will a baseline fit your environment 100% perfectly. You might have a legacy application that requires an older version of NTLM, or a monitoring tool that needs specific user rights.
Note: Never edit the original Microsoft GPO backups directly. Instead, import them into your Active Directory, create a "Delta" GPO for your specific overrides, and link it with a higher precedence. This keeps the standard baseline clean and makes it easy to see what customizations you have made.
Step 4: Deploying to a Test Environment
Never deploy a security baseline to your entire production environment at once. Start by applying the GPOs to a "Staging" or "UAT" (User Acceptance Testing) Organizational Unit (OU).
If you are applying the baseline to a standalone server using the provided scripts, you would use the Baseline-LocalInstall.ps1 script included in the toolkit. This script uses LGPO.exe to apply the settings to the local policy of the machine.
# Example of running the local install script provided in the toolkit
# This is typically found in the /Scripts folder of the baseline download
.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
This PowerShell command applies the settings specifically tailored for a non-domain-joined environment. Always read the script documentation to ensure you are using the correct flags for your server role.
Deep Dive into Key Baseline Settings
To truly understand security baselines, we need to look at what they actually change. Baselines cover hundreds of settings, but they generally fall into a few high-impact categories.
Account Policies and Password Security
Baselines significantly tighten password requirements. While many organizations are moving toward passwordless authentication, the baseline ensures that if passwords are used, they are difficult to crack. This includes setting a minimum password length (often 14 characters), enforcing password history to prevent reuse, and setting account lockout thresholds to mitigate brute-force attacks.
Advanced Audit Policy Configuration
Standard Windows logging is notoriously quiet. An attacker could move laterally across your network for weeks without triggering a single default alert. Security baselines enable "Advanced Audit Policy Configuration." This goes beyond simple "Success/Failure" logging and enables specific sub-categories like:
- Process Creation: Logs every time an application or command-line tool starts (Event ID 4688).
- Account Requesting Credentials: Helps detect "Pass-the-Hash" attacks.
- Registry and File System Changes: Monitors access to sensitive system files.
User Rights Assignment
This is one of the most effective ways to stop lateral movement. By default, "Local Accounts" might have the right to log on via Remote Desktop Services. A security baseline will often strip the "Access this computer from the network" right from local accounts, forcing users to use domain accounts which can be more easily monitored and restricted. It also prevents "Guest" and "Administrator" accounts from being used over the network.
Attack Surface Reduction (ASR) Rules
If you are using Microsoft Defender for Endpoint, the baselines include ASR rules. These rules prevent common malware techniques, such as:
- Blocking Office applications from creating child processes.
- Blocking credential stealing from the Windows local security authority subsystem (lsass.exe).
- Blocking execution of potentially obfuscated scripts.
Warning: ASR rules can be very disruptive. Always deploy them in "Audit Mode" first to see what they would have blocked before moving to "Enforcement Mode."
Comparison: Default vs. Hardened State
The following table highlights some of the common shifts that occur when moving from a default Windows Server installation to one governed by a Microsoft Security Baseline.
| Feature Area | Default Windows Setting | Security Baseline Recommendation |
|---|---|---|
| SMB v1 Protocol | Often enabled (legacy) | Disabled (Prevents Wannacry-style exploits) |
| NTLM Authentication | All versions allowed | Restrict NTLM; Prefer Kerberos |
| Anonymous SID Mapping | Allowed | Disabled |
| LAN Manager Hash | Sometimes stored | Never stored (Prevents easy cracking) |
| Remote Desktop | NLA not always required | Network Level Authentication (NLA) Required |
| PowerShell Execution | Restricted or Unrestricted | Constrained Language Mode (often recommended) |
| Audit Logs | Minimal | Comprehensive (Process Start, CLI Logging) |
Automating Baseline Management with PowerShell
In a modern DevOps or DevSecOps environment, you might not want to rely on the Group Policy Management Console (GPMC) GUI. You can use PowerShell to verify if your servers are still in compliance with the baseline. This is often referred to as "Desired State Configuration" (DSC).
While Microsoft provides the tools to apply the baseline, you can write simple scripts to check specific high-value settings. For example, checking if SMB v1 is truly disabled:
# Check if SMB v1 is enabled on the local server
$smbStatus = Get-WindowsFeature -Name FS-SMB1
if ($smbStatus.Installed -eq $true) {
Write-Warning "Compliance Failure: SMB v1 is installed. Security Baseline requires it to be removed."
# Command to remediate: Uninstall-WindowsFeature -Name FS-SMB1
} else {
Write-Host "Compliance Success: SMB v1 is not present." -ForegroundColor Green
}
This type of "Continuous Compliance" is better than a once-a-year audit. By scripting these checks, you can run them as a scheduled task and receive alerts the moment a server "drifts" away from its secure baseline.
Common Pitfalls and How to Avoid Them
Even with the best tools, things can go wrong. Hardening a server is essentially the process of breaking things in a controlled manner until only the necessary parts work.
1. The "Domain Controller" Trap
Applying a generic "Member Server" baseline to a Domain Controller (DC) is a recipe for disaster. DCs have very specific requirements for RPC communication, DNS, and Kerberos. Microsoft provides a specific baseline just for Domain Controllers. Always ensure you are applying the correct baseline to the correct role.
2. Over-restricting Service Accounts
Service accounts often need the "Log on as a service" or "Log on as a batch job" rights. Many baselines restrict these rights to prevent attackers from using them. If your backup software or SQL Server suddenly stops working after a baseline application, check the User Rights Assignment section of your GPO.
3. Ignoring Local Admin Password Solution (LAPS)
A baseline secures the settings, but it doesn't manage the passwords of the local administrator accounts. If you harden the OS but every server has the same local admin password, an attacker who gains local admin on one box can still move laterally. Always pair your security baselines with Windows LAPS to ensure every server has a unique, rotating password.
4. Failing to Document Exceptions
You will have to make exceptions. Perhaps your printing software requires an insecure port, or a legacy app needs a specific service account to have "Act as part of the operating system" rights. When you create these exceptions in your Delta GPO, use the "Comments" tab in the GPO editor to document why the exception exists, who authorized it, and when it should be reviewed.
Callout: The Principle of Least Privilege
Security baselines are the technical manifestation of the Principle of Least Privilege (PoLP). PoLP dictates that any user, program, or process should have only the bare minimum privileges necessary to perform its function. By applying a baseline, you are applying PoLP to the operating system itself—denying it the "privilege" of running unnecessary services or using weak protocols.
Monitoring for Configuration Drift
Once a baseline is applied, the work isn't over. "Configuration Drift" occurs when settings are changed over time—perhaps by a junior admin troubleshooting a problem or by an application installer that changes registry keys.
To combat drift, you can use the Policy Analyzer tool periodically. By taking a "snapshot" of your server's configuration immediately after the baseline is applied, you can compare future states against that gold-standard snapshot. If differences appear, you know exactly what has changed and can revert it if necessary.
In larger environments, tools like Microsoft Endpoint Configuration Manager (MECM) or Azure Automanage can automatically monitor and remediate configuration drift. They use the same logic as the baselines but provide a centralized dashboard to show the compliance percentage of your entire fleet.
Advanced Hardening: Beyond the Baseline
While Microsoft's baselines are excellent, they are designed to be "compatible enough" for most. If you are operating in a high-threat environment, you might want to go even further. This is where "Hardening Guides" come in.
- Virtualization-Based Security (VBS): Baselines often encourage enabling VBS, which uses hardware virtualization to create a secure memory region isolated from the normal OS. This protects features like Credential Guard.
- Kernel DMA Protection: This protects the system against drive-by DMA attacks using PCI hotplug devices (like Thunderbolt devices).
- System Guard Launch Control: This uses hardware-rooted trust to ensure the boot process hasn't been tampered with.
These features often require specific hardware (TPM 2.0, UEFI, Secure Boot). Part of implementing a modern security baseline is ensuring your hardware lifecycle supports these advanced features.
Practical Example: Remediation Workflow
Let's look at a real-world scenario. You are an administrator at a mid-sized company. You've been tasked with hardening ten new Windows Server 2022 web servers.
- Baseline Selection: You download the Windows Server 2022 Security Baseline from the Microsoft Security Compliance Toolkit.
- Initial Scan: You run
PolicyAnalyzer.exeagainst one of the freshly installed servers. You find 45 settings that don't match the baseline. - Conflict Identification: You notice the baseline disables the "Print Spooler" service. Since these are web servers and don't need to print, you keep this setting. However, you see the baseline restricts certain NTLM traffic, and you know your legacy internal load balancer uses NTLM.
- Customization: You create a new GPO called "Web-Server-Exceptions." In this GPO, you override the NTLM restriction setting to allow the specific traffic your load balancer requires.
- Pilot: You apply the Microsoft Baseline GPO and your "Web-Server-Exceptions" GPO to one server. You monitor the web application logs for 48 hours.
- Full Deployment: After confirming the web app is stable, you link the GPOs to the "Production Web Servers" OU.
- Verification: You run a final scan with Policy Analyzer to ensure the settings were applied successfully across all ten servers.
Summary of Best Practices
To ensure a successful security baseline implementation, keep these industry-standard practices in mind:
- Version Matching: Always use the baseline that matches your OS version and build number (e.g., 21H2 vs 22H2).
- Layered GPOs: Use the "Starter GPOs" provided by Microsoft, but apply your own overrides in a separate, higher-priority GPO. This makes updates easier.
- Test, Test, Test: Use a staging environment that mirrors production as closely as possible.
- Automate Compliance: Use PowerShell or DSC to check for drift rather than waiting for an annual audit.
- Read the Documentation: Microsoft includes an Excel spreadsheet with every baseline. It contains a column titled "Why is this setting configured this way?" Read it. It is an incredible educational resource.
- Review Regularly: Microsoft updates baselines as new threats emerge. Plan to review and update your baselines at least twice a year.
Tip: If you are using Azure, look into "Azure Security Center" (now part of Microsoft Defender for Cloud). It has built-in regulatory compliance dashboards that can automatically check your Azure VMs against the Microsoft Security Baseline and give you a "Secure Score."
Key Takeaways
- Baselines are Vetted Standards: Security baselines are not arbitrary; they are expert-vetted configurations designed to reduce the attack surface while maintaining stability.
- The Toolkit is Essential: The Microsoft Security Compliance Toolkit (MSCT) provides the necessary tools like Policy Analyzer and LGPO.exe to manage these configurations effectively.
- Phased Deployment is Mandatory: Always move from Analysis to Customization, then to Testing, and finally to Production. Never skip the testing phase.
- Audit Policy is a Game Changer: One of the most significant benefits of a baseline is the transition to Advanced Audit Policy, which provides the visibility needed to detect modern attacks.
- Documentation Matters: Always document your exceptions. A hardened server that no one knows how to troubleshoot is a liability, not an asset.
- Continuous Monitoring: Security is a state of being, not a project finish line. Use tools to monitor for configuration drift to ensure your servers stay as secure as the day you hardened them.
- Hardware Matters: Modern security baselines rely heavily on hardware features like TPM 2.0 and UEFI. Ensure your hardware refresh cycle aligns with your security goals.
By moving away from default configurations and embracing security baselines, you significantly raise the cost for an attacker to compromise your environment. While no system is perfectly secure, a hardened Windows Server infrastructure provides a resilient foundation that protects both your data and your organization's reputation.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons