ASD's Blueprint for Secure Cloud

Security Baseline for Windows 10 and later

This section describes the configuration of security baselines within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.


Microsoft Windows Security Baseline

Basics

Item | Value
--- | ---
Name | Microsoft Windows Security Baseline
Description | 
Platform | Windows 10 and later

Assignments

Item | Value
--- | ---
Included groups | grp-windows10-users
Excluded groups | 

Configuration settings

Above Lock

Item | Value
--- | ---
Voice activate apps from locked screen | Disabled
Block display of toast notification | Yes

App Runtime

Item | Value
--- | ---
Microsoft accounts optional for Windows Store apps | Enabled

Application management

Item | Value
--- | ---
Block app installations with elevated privileges | Yes
Block user control over installations | Yes
Block game DVR (desktop only) | Yes

Audit

Item | Value
--- | ---
Account Logon Audit Credential Validation (Device) | Success and Failure
Account Logon Audit Kerberos Authentication Service (Device) | None
Account Logon Logoff Audit Account Lockout (Device) | Failure
Account Logon Logoff Audit Group Membership (Device) | Success
Account Logon Logoff Audit Logon (Device) | Success and Failure
Audit Other Logon Logoff Events (Device) | Success and Failure
Audit Special Logon (Device) | None
Audit Security Group Management (Device) | None
Audit User Account Management (Device) | Success and Failure
Detailed Tracking Audit PNP Activity (Device) | Success
Detailed Tracking Audit Process Creation (Device) | Success
Object Access Audit Detailed File Share (Device) | Failure
Audit File Share Access (Device) | Success and Failure
Object Access Audit Other Object Access Events (Device) | Success and Failure
Object Access Audit Removable Storage (Device) | Success and Failure
Audit Authentication Policy Change (Device) | Success
Policy Change Audit MPSSVC Rule Level Policy Change (Device) | Success and Failure
Policy Change Audit Other Policy Change Events (Device) | None
Audit Changes to Audit Policy (Device) | None
Privilege Use Audit Sensitive Privilege Use (Device) | Success and Failure
System Audit Other System Events (Device) | Success and Failure
System Audit Security State Change (Device) | Success
Audit Security System Extension (Device) | Success
System Audit System Integrity (Device) | Success and Failure

Auto Play

Item | Value
--- | ---
Auto play default auto run behavior | Not configured
Auto play mode | Not configured
Block auto play for non-volume devices | Not configured

BitLocker

Item | Value
--- | ---
BitLocker removable drive policy | Configure
- Block write access to removable data-drives not protected by BitLocker | Yes

Browser

Item | Value
--- | ---
Block Password Manager | Not configured
Require SmartScreen for Microsoft Edge Legacy | Yes
Block malicious site access | Yes
Block unverified file download | Yes
Prevent user from overriding certificate errors | Yes

Connectivity

Item | Value
--- | ---
Configure secure access to UNC paths | Not configured
Block downloading of print drivers over HTTP | Enabled
Block Internet download for web publishing and online ordering wizards | Enabled

Credentials Delegation

Item | Value
--- | ---
Remote host delegation of non-exportable credentials | Not configured

Credentials UI

Item | Value
--- | ---
Enumerate administrators | Not configured

Data Protection

Item | Value
--- | ---
Block direct memory access | Enabled

Device Guard

Item | Value
--- | ---
Virtualization based security | Not configured
Enable virtualization based security | Not configured
Launch system guard | Enabled
Turn on Credential Guard | Enable with UEFI lock

Device Installation

Item | Value
--- | ---
Block hardware device installation by setup classes | Yes
- Remove matching hardware devices | Yes
Block list | {d48179be-ec20-11d1-b6b8-00c04fa372a7}

Device Lock

Item | Value
--- | ---
Require password | Yes
- Required password | Alphanumeric
- Password expiration (days) | 60
- Password minimum character set count | 3
- Prevent reuse of previous passwords | 24
- Minimum password length | 8
- Number of sign-in failures before wiping device | 10
- Block simple passwords | Yes
Password minimum age in days | 1
Prevent use of camera | Not configured
Prevent slide show | Not configured

DMA Guard

Item | Value
--- | ---
Enumeration of external devices incompatible with Kernel DMA Protection | Block all

Event Log Service

Item | Value
--- | ---
Application log maximum file size in KB | 
System log maximum file size in KB | 
Security log maximum file size in KB | 

Experience

Item | Value
--- | ---
Block Windows Spotlight | Not configured
- Block third-party suggestions in Windows Spotlight | Not configured
- Block consumer specific features | Not configured

File Explorer

Item | Value
--- | ---
Block data execution prevention | Not configured
Block heap termination on corruption | Not configured

Firewall

Item | Value
--- | ---
Firewall profile domain | Configure
- Inbound connections blocked | Yes
- Outbound connections required | Yes
- Inbound notifications blocked | Yes
- Firewall enabled | Allowed
Firewall profile private | Configure
- Inbound connections blocked | Yes
- Outbound connections required | Yes
- Inbound notifications blocked | Yes
- Firewall enabled | Allowed
Firewall profile public | Configure
- Inbound connections blocked | Yes
- Outbound connections required | Yes
- Inbound notifications blocked | Yes
- Firewall enabled | Allowed
- Connection security rules from group policy not merged | Yes
- Policy rules from group policy not merged | Yes

Internet Explorer

Item | Value
--- | ---
Internet Explorer encryption support | TLS v1.1, TLS v1.2
Internet Explorer prevent managing smart screen filter | Enable
Internet Explorer restricted zone script Active X controls marked safe for scripting | Disable
Internet Explorer restricted zone file downloads | Disable
Internet Explorer certificate address mismatch warning | Enabled
Internet Explorer enhanced protected mode | Enabled
Internet Explorer fallback to SSL3 | No sites
Internet Explorer software when signature is invalid | Disabled
Internet Explorer check server certificate revocation | Enabled
Internet Explorer check signatures on downloaded programs | Enabled
Internet Explorer processes consistent MIME handling | Enabled
Internet Explorer bypass smart screen warnings | Disabled
Internet Explorer bypass smart screen warnings about uncommon files | Disabled
Internet Explorer crash detection | Disabled
Internet Explorer download enclosures | Not configured
Internet Explorer ignore certificate errors | Disabled
Internet Explorer disable processes in enhanced protected mode | Enabled
Internet Explorer security settings check | Enabled
Internet Explorer Active X controls in protected mode | Disabled
Internet Explorer users adding sites | Disabled
Internet Explorer users changing policies | Disabled
Internet Explorer block outdated Active X controls | Enabled
Internet Explorer include all network paths | Disabled
Internet Explorer internet zone access to data sources | Disable
Internet Explorer internet zone automatic prompt for file downloads | Disabled
Internet Explorer internet zone copy and paste via script | Disable
Internet Explorer internet zone drag and drop or copy and paste files | Disable
Internet Explorer internet zone less privileged sites | Disable
Internet Explorer internet zone loading of XAML files | Disable
Internet Explorer internet zone .NET Framework reliant components | Disable
Internet Explorer internet zone allow only approved domains to use ActiveX controls | Enabled
Internet Explorer internet zone allow only approved domains to use tdc ActiveX controls | Enabled
Internet Explorer internet zone scripting of web browser controls | Disabled
Internet Explorer internet zone script initiated windows | Disabled
Internet Explorer internet zone scriptlets | Disable
Internet Explorer internet zone smart screen | Enabled
Internet Explorer internet zone updates to status bar via script | Disabled
Internet Explorer internet zone user data persistence | Disabled
Internet Explorer internet zone allow VBscript to run | Disable
Internet Explorer internet zone do not run antimalware against ActiveX controls | Disabled
Internet Explorer internet zone download signed ActiveX controls | Disable
Internet Explorer internet zone download unsigned ActiveX controls | Disable
Internet Explorer internet zone cross site scripting filter | Enabled
Internet Explorer internet zone drag content from different domains across windows | Disabled
Internet Explorer internet zone drag content from different domains within windows | Disabled
Internet Explorer internet zone protected mode | Enable
Internet Explorer internet zone include local path when uploading files to server | Disabled
Internet Explorer internet zone initialize and script Active X controls not marked as safe | Disable
Internet Explorer internet zone java permissions | Disable java
Internet Explorer internet zone launch applications and files in an iframe | Disable
Internet Explorer internet zone logon options | Prompt
Internet Explorer internet zone navigate windows and frames across different domains | Disable
Internet Explorer internet zone run .NET Framework reliant components signed with Authenticode | Disable
Internet Explorer internet zone security warning for potentially unsafe files | Prompt
Internet Explorer internet zone popup blocker | Enable
Internet Explorer intranet zone do not run antimalware against Active X controls | Disabled
Internet Explorer intranet zone initialize and script Active X controls not marked as safe | Disable
Internet Explorer intranet zone java permissions | High safety
Internet Explorer local machine zone do not run antimalware against Active X controls | Disabled
Internet Explorer local machine zone java permissions | Disable java
Internet Explorer locked down internet zone smart screen | Enabled
Internet Explorer locked down intranet zone java permissions | Disable java
Internet Explorer locked down local machine zone java permissions | Disable java
Internet Explorer locked down restricted zone smart screen | Enabled
Internet Explorer locked down restricted zone java permissions | Disable java
Internet Explorer locked down trusted zone java permissions | Disable java
Internet Explorer processes MIME sniffing safety feature | Enabled
Internet Explorer processes MK protocol security restriction | Enabled
Internet Explorer processes notification bar | Enabled
Internet Explorer prevent per user installation of Active X controls | Enabled
Internet Explorer processes protection from zone elevation | Enabled
Internet Explorer remove run this time button for outdated Active X controls | Enabled
Internet Explorer processes restrict Active X install | Enabled
Internet Explorer restricted zone access to data sources | Disable
Internet Explorer restricted zone active scripting | Disable
Internet Explorer restricted zone automatic prompt for file downloads | Disabled
Internet Explorer restricted zone binary and script behaviors | Disable
Internet Explorer restricted zone copy and paste via script | Disable
Internet Explorer restricted zone drag and drop or copy and paste files | Disable
Internet Explorer restricted zone less privileged sites | Disable
Internet Explorer restricted zone loading of XAML files | Disable
Internet Explorer restricted zone meta refresh | Disabled
Internet Explorer restricted zone .NET Framework reliant components | Disable
Internet Explorer restricted zone allow only approved domains to use Active X controls | Enabled
Internet Explorer restricted zone allow only approved domains to use tdc Active X controls | Enabled
Internet Explorer restricted zone scripting of web browser controls | Disabled
Internet Explorer restricted zone script initiated windows | Disabled
Internet Explorer restricted zone scriptlets | Disabled
Internet Explorer restricted zone smart screen | Enabled
Internet Explorer restricted zone updates to status bar via script | Disabled
Internet Explorer restricted zone user data persistence | Disabled
Internet Explorer restricted zone allow vbscript to run | Disable
Internet Explorer restricted zone do not run antimalware against Active X controls | Disabled
Internet Explorer restricted zone download signed Active X controls | Disable
Internet Explorer restricted zone download unsigned Active X controls | Disable
Internet Explorer restricted zone cross site scripting filter | Enabled
Internet Explorer restricted zone drag content from different domains across windows | Disabled
Internet Explorer restricted zone drag content from different domains within windows | Disabled
Internet Explorer restricted zone include local path when uploading files to server | Disabled
Internet Explorer restricted zone initialize and script Active X controls not marked as safe | Disable
Internet Explorer restricted zone java permissions | Disable java
Internet Explorer restricted zone launch applications and files in an iFrame | Disable
Internet Explorer restricted zone logon options | Anonymous
Internet Explorer restricted zone navigate windows and frames across different domains | Disable
Internet Explorer restricted zone run Active X controls and plugins | Disable
Internet Explorer restricted zone run .NET Framework reliant components signed with Authenticode | Disable
Internet Explorer restricted zone scripting of java applets | Disable
Internet Explorer restricted zone security warning for potentially unsafe files | Disable
Internet Explorer restricted zone protected mode | Enable
Internet Explorer restricted zone popup blocker | Enable
Internet Explorer processes restrict file download | Enabled
Internet Explorer processes scripted window security restrictions | Enabled
Internet Explorer security zones use only machine settings | Enabled
Internet Explorer use Active X installer service | Enabled
Internet Explorer trusted zone do not run antimalware against Active X controls | Disabled
Internet Explorer trusted zone initialize and script Active X controls not marked as safe | Disable
Internet Explorer trusted zone java permissions | High safety
Internet Explorer auto complete | Disabled

Local Policies Security Options

Item | Value
--- | ---
Block remote logon with blank password | Yes
Minutes of lock screen inactivity until screen saver activates | 15
Smart card removal behavior | Lock workstation
Require client to always digitally sign communications | Yes
Prevent clients from sending unencrypted passwords to third party SMB servers | Yes
Require server digitally signing communications always | Yes
Prevent anonymous enumeration of SAM accounts | Yes
Block anonymous enumeration of SAM accounts and shares | Yes
Restrict anonymous access to named pipes and shares | Yes
Allow remote calls to security accounts manager | 
Prevent storing LAN manager hash value on next password change | Yes
Authentication level | Send NTLMv2 response only. Refuse LM and NTLM
Minimum session security for NTLM SSP based clients | Require NTLM V2 and 128 bit encryption
Minimum session security for NTLM SSP based servers | Require NTLM V2 and 128 bit encryption
Administrator elevation prompt behavior | Not configured
Standard user elevation prompt behavior | Automatically deny elevation requests
Detect application installations and prompt for elevation | Yes
Only allow UI access applications for secure locations | Yes
Require admin approval mode for administrators | Yes
Use admin approval mode | Not configured
Virtualize file and registry write failures to per user locations | Yes

Microsoft Defender

Item | Value
--- | ---
Block Adobe Reader from creating child processes | Enable
Block Office communication apps from creating child processes | Enable
Enter how often (0-24 hours) to check for security intelligence updates | 4
Scan type | Quick scan
Defender schedule scan day | Everyday
Scheduled scan start time | Not configured
Cloud-delivered protection level | Not configured
Scan network files | Yes
Turn on real-time protection | Yes
Scan scripts that are used in Microsoft browsers | Yes
Scan archive files | Yes
Turn on behavior monitoring | Yes
Turn on cloud-delivered protection | Yes
Scan incoming email messages | Yes
Scan removable drives during full scan | Yes
Block Office applications from injecting code into other processes | Block
Block Office applications from creating executable content | Block
Block all Office applications from creating child processes | Block
Block Win32 API calls from Office macro | Block
Block execution of potentially obfuscated scripts (js/vbs/ps) | Block
Block JavaScript or VBScript from launching downloaded executable content | Block
Block executable content download from email and webmail clients | Block
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | Enable
Defender potentially unwanted app action | Block
Block untrusted and unsigned processes that run from USB | Block
Enable network protection | Enable
Defender sample submission consent | Send safe samples automatically

MS Security Guide

Item | Value
--- | ---
SMB v1 client driver start configuration | Not configured
Apply UAC restrictions to local accounts on network logon | Not configured
Structured exception handling overwrite protection | Not configured
SMB v1 server | Not configured
Digest authentication | Not configured

MSS Legacy

Item | Value
--- | ---
Network IPv6 source routing protection level | Not configured
Network IP source routing protection level | Not configured
Network ignore NetBIOS name release requests except from WINS servers | Not configured
Network ICMP redirects override OSPF generated routes | Not configured

Power

Item | Value
--- | ---
Require password on wake while on battery | Not configured
Require password on wake while plugged in | Not configured
Standby states when sleeping while on battery | Not configured
Standby states when sleeping while plugged in | Not configured

Remote Assistance

Item | Value
--- | ---
Remote Assistance solicited | Not configured

Remote Desktop Services

Item | Value
--- | ---
Remote desktop services client connection encryption level | Not configured
Block drive redirection | Not configured
Block password saving | Not configured
Prompt for password upon connection | Not configured
Secure RPC communication | Not configured

Remote Management

Item | Value
--- | ---
Block client digest authentication | Not configured
Block storing run as credentials | Not configured
Client basic authentication | Not configured
Basic authentication | Not configured
Client unencrypted traffic | Not configured
Unencrypted traffic | Not configured

Remote Procedure Call

Item | Value
--- | ---
RPC unauthenticated client options | Not configured

Item | Value
--- | ---
Disable indexing encrypted items | Yes

Smart Screen

Item | Value
--- | ---
Turn on Windows SmartScreen | Yes
Block users from ignoring SmartScreen warnings | Yes

System

Item | Value
--- | ---
System boot start driver initialization | Not configured

Wi-Fi

Item | Value
--- | ---
Block Automatically connecting to Wi-Fi hotspots | Not configured
Block Internet sharing | Yes

Windows Connection Manager

Item | Value
--- | ---
Block connection to non-domain networks | Not configured

Windows Ink Workspace

Item | Value
--- | ---
Ink Workspace | Enabled

Windows PowerShell

Item | Value
--- | ---
PowerShell script block logging | Not configured

Security & Governance

Design

  • None identified

Configuration

  • None identified

References

  • None identified



Authorised by the Australian Government, Canberra