Microsoft has released the final version of the security configuration baseline settings for Windows 11, which can download today using the Microsoft Security Compliance Toolkit. “Two new settings have been added for this release (which were also added to the Windows Server 2022 release), a new Microsoft Defender Antivirus setting, and a custom setting for printer driver installation restrictions,” Microsoft Security Consultant said.
User Operated Ransomware Protection by Default
When enabling the Microsoft Security Baseline for Windows 11, Redmond urges the admin to ensure that Microsoft Defender for Endpoint’s tamper security feature, which computes additional protection against human-operated ransomware attacks, is enabled.
It does that by blocking attempts made by malware or attackers to disable security solutions and OS security features that would permit them to achieve easier access to critical information and set up malware or malicious tool.
Tamper security deployment Microsoft Defender Antivirus using protection default values and hinders trials to change them through the registry, PowerShell cmdlets, or group policies.
Once tamper protection is toggled on, ransomware operators would have a much more challenging task ahead of them when trying to:
- Disable virus and threat protection
- Disable real-time protection
- Turnoff behavior monitoring
- Disable antivirus like IOfficeAntivirus (IOAV)
- Disable cloud-delivered protection
- Remove security intelligence updates
PrintNightmare and Edge Legacy Guidance
With the new security baseline, Microsoft also added a new setting to the MS Security Guide custom administrative template to restrict printer driver installation to administrators.
This new recommendation follows patches released in July 2021 to address the CVE-2021-34527 PrintNightmare remote code execution vulnerability in the Windows Print Spooler service.
Microsoft also removed all Microsoft Edge Legacy settings after the EdgeHTML-based web browser reached the end of support in March and was removed from Windows 11.
‘Going forward, please use the new Microsoft Edge (Chromium-based) baseline, which is on a separate release cadence and available as part of the Microsoft Security Compliance Toolkit,” Munck said.
Download and implement the security baseline
Windows security baselines provide the admin with Microsoft-recommended security configuration baselines intended to conquer Windows systems’ attack surface and boost the overall security posture of Windows enterprise endpoints.
“A security baseline is a group of Microsoft-recommended configuration settings that explains their protection impact,” as Microsoft explains. “These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.”
The Windows 11 protection baseline is prepared for download through the Microsoft Security Compliance Toolkit. It involves Group Policy Object (GPO) backups and reports, scripts to apply settings to the local GPO, and Policy Analyzer rules files.
“Please download the content from the Microsoft Security Compliance Toolkit, test the approved arrangements, and customize / implement as appropriate,” Munck added.
