Windows 10 2004 security baseline has 4 settings changes
Published on August 5, 2020
Key notes
Applying best practices to your Windows 10 security is no easy task, even with all the antivirus tools available to you, including Microsoft Defender Advanced Threat Protection (MDATP).
But the Microsoft security baseline can make things a lot easier for you when you’re configuring your environment to minimize its attack surface.
Well, Microsoft recently released the fundamental security configuration settings for Windows 10 and Windows Server 2004.
4 configuration settings updates for Windows 10 2004 security baseline
1. Extended Protection for LDAP Authentication
Microsoft has updated the MS Security Guide to make Extended Protection for LDAP Authentication part of Windows. The setting isn’t new though as it came with the Windows Server v1809 Domain Controller baseline.
With the latest security baseline changes, you can use Extended Protection for LDAP Authentication without having to create a custom ADMX. In addition, the policy is available to all Active Directory domain controllers.
The Extended Protection for LDAP Authentication baseline value remains the same though. Only its location has changed.
However, you need to have installed the March 10, 2020 security patch to configure the policy on Windows 10.
2. Microsoft Defender ATP file hash
MDATP users now have the option to turn on file hashing and enhance blocking for custom indicators in the Windows antivirus.
When the new setting is on, Windows computes a file hash for every executable file that MDATP scans.
But there’s a catch—MDATP file hashing may slow down your PC. It’ll certainly take a toll on your machine if you frequently install or develop executables or update your applications.
Microsoft explains:
The scenarios where you may want to test more thoroughly for performance include devices where you frequently create new executable content (for example, developers) or where you install or update applications extremely frequently.
The tool mitigates the performance impact by generating file hashes only once for each scanned executable. Still, you may want to keep the new setting off if you don’t use Microsoft Defender ATP.
If you really have to use the setting, Microsoft recommends that you implement it in a controlled manner. This will allow you to do a thorough performance cost analysis.
3. Windows 10 Account Password Length
Microsoft appears very committed to building systems that require no passwords to access. You can tell that from the latest improvements on features like Windows Hello.
After deprecating the Windows 10 account password expiry policy, the Redmond tech giant introduced two new password security settings.
Relax minimum password length limits is one of the new settings, and it allows admins to enforce user password lengths of up to 128 characters. Before this update, users couldn’t set passwords longer than 14 characters.
Longer passwords are obviously more difficult to guess and are an important safeguard against brute force attacks.
Microsoft says that the new setting may be incompatible with existing systems and processes, however. That’s why there’s the new Minimum password length audit setting.
The additional feature lets you assess the impact of changing your password length policy. Apart from that, it includes three new SAM events for configuration, errors, and awareness.
This way, you’re less likely to change your password length policies oblivious of the damage the changes may cause to other Windows systems.
Nonetheless, the new policy isn’t part of the security baseline for Windows 10 2004.
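One way to use the audit setting described above before enforcing a longer minimum is to read the current configuration and summarize the SAM events it produces. This is an added example, not code from Microsoft or from the original article; the registry value names, event IDs and provider name are assumptions that do not appear on this page.

```powershell
# Added example: gauge the impact of a longer minimum password length before
# enforcing it. Run in an elevated session on a domain controller.
# Assumption (not on the page): both policies are DWORD values under this key.
$samKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
$settings = 'RelaxMinimumPasswordLengthLimits', 'MinimumPasswordLengthAudit'

# 1. Show what is configured right now; a missing value means "not configured".
$settings | ForEach-Object {
    $name  = $_
    $value = (Get-ItemProperty -Path $samKey -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Setting = $name
        Value   = if ($null -eq $value) { 'not configured' } else { $value }
    }
} | Format-Table -AutoSize

# 2. Collect the three SAM events from the last 30 days.
# Assumption (not on the page): these event IDs and this provider name.
$meaning = @{
    16977 = 'configuration: password length settings were applied or changed'
    16978 = 'awareness: an account password is shorter than the audit length'
    16979 = 'error: minimum length above 14 without the relax setting'
}
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Directory-Services-SAM'
    Id           = [int[]]$meaning.Keys
    StartTime    = (Get-Date).AddDays(-30)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 3. Count events per ID, then list the accounts flagged by the audit.
$events | Group-Object -Property Id | ForEach-Object {
    [pscustomobject]@{
        EventId = $_.Name
        Count   = $_.Count
        Meaning = $meaning[[int]$_.Name]
    }
} | Format-Table -AutoSize

$events | Where-Object Id -eq 16978 |
    Select-Object TimeCreated, MachineName, Message |
    Format-List
```

A steady stream of awareness events after setting the audit length points to accounts or systems that would break under enforcement; an empty list over a full password-change cycle suggests the longer minimum is safe to apply.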
4. Behavior Monitoring
Microsoft doesn’t think Behavior Monitoring requires enforcement, so it removed it from the security baseline. As a result, the feature is no longer in its usual location.
Microsoft added:
We are removing Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring.
Besides announcing the security baseline changes, Microsoft revealed that it will be releasing updates for LGPO and Policy Analyzer.
What’s your take on the latest Windows 10 security baseline updates? Please share your thoughts in the comments section below.
Don Sharpe
Tech Journalist
Don has been writing professionally for over 10 years now, but his passion for the written word started back in his elementary school days. His work has been published on Livebitcoinnews.com, Learnbonds.com, eHow, AskMen.com, Forexminute.com, The Writers Network and a host of other companies.