mercredi 9 avril 2014

Disponibilité des baselines SCM pour : Windows 8.1, 2012 R2, IE 11 et Beta Office 2013

Bonjour à tous,

Les baselines SCM pour Windows 8.1, Windows Server 2012 R2 et Internet Explorer 11 sont disponibles depuis hier.

Elles ne sont toutefois pas encore disponibles au format SCM mais l'archive fournie contient les éléments suivants :
  • Administrative Template:  an ADMX and (US English) ADML file surfacing some "pass the hash"-relevant settings through the Group Policy editor.  (Note: the Local_Script folder contains scripts that install these files to the appropriate location.)
  • Documentation:  "Recommended Security Baseline Settings.docx" is a Word doc that categorizes and describes all the new and updated settings (you should probably start here); this folder also contains "SCM Windows 8.1 and 2012 R2 Settings.xlsx", an Excel spreadsheet that describes the full set of recommended settings.
  • GP Reports:  Group Policy reports formatted as HTML files (for those who prefer that format over Excel spreadsheets).
  • GPOs:  Group Policy Object backups for the four separate sets of baselines described earlier.
  • Local_Script:  This directory contains three batch files that apply appropriate settings to the current machine:  81_Client_Install.cmd, 2012R2_DomainController_Install.cmd, and 2012R2_MemberServer_Install.cmd.
  • WMI Filters:  This directory contains .MOF files that you can import into your Group Policy configuration to ensure that GPOs are applied only to the appropriate systems.

Les principaux changement sont les suivants:
  • Use of new and existing settings to help block some Pass the Hash attack vectors
  • Blocking the use of web browsers on domain controllers
  • Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines
  • Removal of almost all service startup settings, and all server role baselines that contain only service startup settings
  • Removal of the recommendation to enable “FIPS mode”

L'annonce de la sortie sur le blog Microsoft Security Guidance : Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11

Le lien direct pour l'archive (encore taggé Beta) : Win81-WS2012R2-IE11-Baselines-BETA.zip  

En parallèle, la beta pour les baselines Office 2013 est ouverte : SCM Office 2013 Beta is now live!