- How to install Group Policy ADMX templates for OneDrive - Mon, Mar 27 2023
- How to change the PowerShell prompt - Wed, Mar 22 2023
- Trim characters from strings in PowerShell - Tue, Mar 14 2023
The security baseline is a collection of recommended settings for group policies. It represents the manufacturer's best practices and configures settings even if they are already secure by default. This prevents users or admins from changing them in unfavorable ways.
Microsoft is usually quite conservative when recommending new security settings because they can easily lead to compatibility issues or impact the user experience.
However, the baseline for Windows 11 2022 introduces several new policies with this release. Some of these were previously included in SecGuide.admx, which is part of the security baseline.
Securing the printing subsystem
Most of the additional settings now recommended are related to printing. This is not a big surprise, as several serious vulnerabilities have been discovered in the corresponding subsystem over the past year.
As a key measure, Microsoft advised disabling Point and Print for standard users and limiting printer driver installation to privileged users. The corresponding policy, found under Computer Configuration > Policies > Administrative Templates > Printers, is called Limits installation of printer drivers to administrators.
It was not included in the ADMX for Windows 11 21H2 but in those for Windows 10 21H2. Now, the manufacturer is also incorporating them into Windows 11 2202.
In addition, it introduces four settings for communication with the print spooler via RPC:
- Configure RPC connection settings: This prevents the use of named pipes for RPCs to the spooler and to force TCP.
- Configure RPC listener settings: This sets the protocol used for incoming RPCs to the spooler. TCP should be selected here as well.
- Configure RPC packet level privacy setting for incoming connections: This setting is currently only available via SecGuide.admx and addresses the CVE-2021-1678 vulnerability.
- Configure RPC over TCP port: RPCs now use dynamic TCP ports by default. This is also the baseline recommendation, whereas the policy defines a fixed port. Accordingly, you should disable it.
There are two more settings for the printing system:
- Configure Redirection Guard
- Manage processing of queue-specific files: This setting previously existed only as a registry key in response to CVE-2021-36958, exclusively allowing standard color profile processing using the inbox mscms.dll executable.
Settings for Defender
Windows 11 2022 extends SmartScreen's protection against phishing attacks. To do so, it monitors when users enter their credentials in web applications. If these are known phishing sites or other malicious sites, then it prompts users to change their passwords. If they do not do so, then they receive a warning as soon as they use the password in another application or website.
In addition, the feature monitors whether users save their Windows passwords in Office documents or text files and warns them about this behavior, if necessary.
The group policies for advanced phishing protection in Windows 11 2022 can be found in a separate container, under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender SmartScreen.
It contains the settings for the purposes described below.
- Notify Malicious: Warns users when a suspicious or potentially dangerous website is visited
- Notify Password Reuse: Reminds users that they have not changed their passwords after entering them into an insecure site
- Notify Unsafe App: Alerts users that they have saved the password in a file
- Service Enabled: Turns on advanced phishing protection
In addition, Microsoft has added another rule to Attack Surface Reduction (ASR). It is called Block abuse of exploited vulnerable signed drivers. As usual, there is no separate group policy for this; rather, you enter a GUID and a numerical value for the desired action in a table for each rule. The documentation for the newly added rule can be found here.
The security baseline for Windows 11 2022 recommends three new settings for secure logon:
Allow Custom SSPs and APs to be loaded into LSASS: The Local Security Authority Subsystem Service (LSASS) allows third-party providers to plug in their own modules for login. This allows them to customize the login, for example, to enforce password rules or MFA. However, this possibility can be abused by malicious players for attacks. With the new setting, admins should close this gap if no such add-on is used in the company.
Configure LSASS to run as a protected process: This setting is the successor to LSA Protection in SecGuide.admx, but it is only available in Windows 11 2022; on older versions of the OS, you must stick with the option from SecGuide.admx.
Allow Administrator account lockout: As with other accounts, this can now be used to prevent possible brute force attacks on the integrated local administrator.
The new release of Windows 11 includes a setting that can be used to disable NetBIOS. This measure has been considered best practice for a long time, but until now, there has been no group policy for this purpose.
It can be found under Computer Configuration > Policies > Administrative Templates > Network > DNS Client and is called Configure NetBIOS settings.
It doesn't only allow simply switching NetBIOS on and off; rather, it can disable it only in public networks, for example. However, the security baseline recommends completely disabling the outdated protocol, if possible, for compatibility reasons.
The support for DNS over HTTPS (DoH) introduced with Windows 11 and Windows Server 2022 secures DNS queries and thus prevents DNS spoofing. However, Microsoft currently considers it premature to recommend the use of DoH.
Windows 11 2022 introduces another technology for hardening the system kernel, which makes use of the hypervisor and modern hardware. It requires at least Intel Tiger Lake or AMD Zen3 processors. In addition, HVCI must be enabled.
Configure this mechanism with the Enable virtualization-based security setting (under Computer Configuration > Policies > Administrative Templates > System > Device Guard). It now has a new option called Kernel Mode Hardware-enforced Stack Protection.
Considering the relatively few new features in Windows 11 2022, the OS brings a surprising number of settings to increase security. Most of these have been included in the security baseline.
Microsoft has paid particular attention to securing the printing system, which has been affected by several critical vulnerabilities in the recent past. The additional protection mechanisms in Defender and the hardening of the logon process are also noteworthy.
Subscribe to 4sysops newsletter!
Finally, many admins will appreciate the fact that NetBIOS can now be (selectively) disabled via group policy.
Want to write for 4sysops? We are looking for new authors.
I used to disable NetBios with a PowerShell script. Good to know it can now be done with group policy. Thank you for sharing such a great post as always.