Many organizations have complex environments with a diverse set of hardware and software configurations. Those utilizing Microsoft's stack of technology typically also receive guidance from the Redmond firm about the best practices to follow while configuring their infrastructure. One such technique for standardizing deployments is the security baseline package offered by Microsoft for Windows Server 2025. Now, the company has updated this package with new configurations.
For those unaware, a security baseline package is essentially a set of pre-configured Group Policy Objects (GPO), registry tweaks, and security policies recommended by Microsoft. The Redmond giant has made several changes to various configurations for Windows Server 2025, version 2602.
Starting with the sudo command: this mode has been disabled on Member Servers (MS) and Domain Controllers (DCs) because attackers can leverage it to escalate their privileges, bypassing User Account Control (UAC) prompts. In the same vein, the Configure Validation of ROCA-vulnerable WHfB keys during authentication setting has been set to Block mode on domain controllers to mitigate vulnerabilities in Windows Hello for Business (WHfB) keys that are prone to the Return of Coppersmith's Attack (ROCA).
Additionally, Internet Explorer 11 Launch Via COM Automation has been disabled, as it was in Windows 11, version 25H2, because it poses a security risk through legacy components. Another configuration borrowed from Windows 11 is the application of the Mark of the Web (MotW) tag to files downloaded from the internet and other untrusted sources. This enables additional protections on such content, such as SmartScreen filtering and the blocking of macros in Office applications.
The NTLM configurations, some of which we also discussed previously, are as follows:
- Audit Incoming NTLM Traffic: Configured as Enable auditing for all accounts on both MS and DC
- Audit NTLM authentication in this domain: Configured as Enable all on DC
- Outgoing NTLM traffic to remote servers: Configured as Audit all on both MS and DC
- NTLM Auditing Enhancements: Already enabled by default to improve visibility into NTLM usage within your environment
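As an added example (not part of the article and not Microsoft's own tooling), the following PowerShell reads the registry values that back the three NTLM audit policies listed above and flags drift from the baseline values; the registry paths and value meanings are taken from Microsoft's NTLM auditing documentation, and the role detection via Win32_ComputerSystem.DomainRole is an assumption for this script.

```powershell
# Added example: compare a server's effective NTLM audit settings with the
# values the Windows Server 2025 (2602) baseline prescribes for MS and DC roles.
$Baseline = @(
    @{ Name = 'Audit Incoming NTLM Traffic'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'AuditReceivingNTLMTraffic'; Expected = 2   # 2 = Enable auditing for all accounts
       Roles = @('MS','DC') },
    @{ Name = 'Outgoing NTLM traffic to remote servers'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictSendingNTLMTraffic'; Expected = 1   # 1 = Audit all
       Roles = @('MS','DC') },
    @{ Name = 'Audit NTLM authentication in this domain'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value = 'AuditNTLMInDomain'; Expected = 7            # 7 = Enable all
       Roles = @('DC') }
)

function Test-NtlmAuditBaseline {
    param([ValidateSet('MS','DC')][string]$Role)
    foreach ($item in $Baseline) {
        if ($item.Roles -notcontains $Role) { continue }
        # A missing value means the policy was never applied, which is also drift.
        $actual = (Get-ItemProperty -Path $item.Path -Name $item.Value `
                      -ErrorAction SilentlyContinue).($item.Value)
        [pscustomobject]@{
            Setting  = $item.Name
            Expected = $item.Expected
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Status   = if ($actual -eq $item.Expected) { 'OK' } else { 'DRIFT' }
        }
    }
}

# DomainRole 4 (backup DC) or 5 (primary DC) marks a domain controller; 3 is a member server.
$domainRole = (Get-CimInstance Win32_ComputerSystem).DomainRole
$role = if ($domainRole -ge 4) { 'DC' } else { 'MS' }
Test-NtlmAuditBaseline -Role $role | Format-Table -AutoSize

# Once auditing is on, the resulting events are written to the NTLM operational log
# (8001 outgoing, 8002 incoming, 8003 in-domain, 8004 DC-side); pull a sample for review.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001,8002,8003,8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run it with administrative rights on each server after the baseline GPOs have applied; any row marked DRIFT is a setting still differing from the published baseline.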
Meanwhile, the policy that prevents the downloading of enclosures has been removed from the latest security baseline package, as it is not applicable to Windows Server 2025.
Finally, some updated printer policies are described below:
- Configure RPC connection settings: Enforce the default, RPC over TCP with Authentication Enabled, on both MS and DC
- Configure RPC listener settings: Configure as RPC over TCP | Kerberos on MS
- Impersonate a client after authentication: Add RESTRICTED SERVICES\PrintSpoolerService to allow the Print Spooler’s restricted service identity to impersonate clients securely
Microsoft has also shared guidance on the expiration of Secure Boot certificates and on SMB Server hardening; additional details are available in Microsoft's announcement.