Windows 11, version 24H2 security baseline

Microsoft is pleased to announce the release of the security baseline package for Windows 11, version 24H2!

Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.

This release includes several changes that further harden enterprise environments, including additional protections for LAN Manager, Kerberos and User Account Control, Microsoft Defender Antivirus updates, and more.

Mark of the Web

Earlier baselines have discussed the Mark of the Web (MotW), the zone tag Windows attaches to files that arrive from outside the machine. A new setting has been added and configured, located at Windows Components\File Explorer\Do not apply the Mark of the Web tag to files copied from insecure sources, and the baseline enforces it with a value of Disabled. Because the policy is phrased as a negative, Disabled means the tag is applied: a file copied from a network share that falls in the Internet Zone into the local file system receives the MotW, so the protections that key off it (for example Defender SmartScreen and Office Protected View) continue to treat the file as untrusted. If necessary, Zone Mapping (the Site to Zone Assignment List policy) can be used to place file shares that are deemed trusted into the Intranet or Trusted Sites zone, so that files copied from them are not tagged.
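To make the effect of that setting visible, the following PowerShell is an added example (not code from the Microsoft baseline post): it reads the Zone.Identifier alternate data stream that carries the MotW, reports the zone of every file in a folder, simulates a file copied from an Internet-zone share on constructed sample files, and writes the same ZoneMapKey value that the Site to Zone Assignment List policy writes for a trusted share. The share name and the temp paths are placeholders, and the registry value format is assumed to match what that policy stores.

```powershell
# Added example (not from the Microsoft baseline post): read, create and report the
# Mark of the Web, and map a trusted share into the Intranet zone.
# Assumptions: the share name and paths below are placeholders; the zone-map value
# format follows what the "Site to Zone Assignment List" policy writes.

# The MotW lives in an NTFS alternate data stream named Zone.Identifier.
# Zone IDs: 0 LocalMachine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null            # no Zone.Identifier stream: the file carries no MotW
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Get-MotwReport {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            ZoneId = $zone
            Zone   = if ($null -eq $zone) { '(no MotW)' } else { $ZoneNames[$zone] }
        }
    }
}

# Mirror what the Site to Zone Assignment List policy writes: a string value named
# after the share whose data is the zone number (1 = Intranet, 2 = Trusted Sites).
function Add-ShareZoneMapping {
    param(
        [Parameter(Mandatory)][string]$Server,   # e.g. fileserver.corp.example (placeholder)
        [ValidateSet(1, 2)][int]$Zone = 1
    )
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name "file://$Server" -Value "$Zone" -PropertyType String -Force | Out-Null
}

# Demonstration on constructed files: simulate a file copied from an Internet-zone
# share by writing the stream Explorer would add, then show Unblock-File removing it.
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$tagged = Join-Path $demo 'from-internet-share.docx'
$clean  = Join-Path $demo 'local.txt'
Set-Content -LiteralPath $tagged -Value 'constructed sample'
Set-Content -LiteralPath $tagged -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath $clean  -Value 'constructed sample'

Get-MotwReport -Folder $demo | Format-Table -AutoSize   # tagged file shows Zone = Internet

Unblock-File -LiteralPath $tagged                         # strips Zone.Identifier
Get-MotwZone -Path $tagged                                # now $null
```

Add-ShareZoneMapping needs an elevated session because it writes under HKLM\SOFTWARE\Policies; in a domain, prefer to set the same mapping through the Site to Zone Assignment List GPO so it is not overwritten at the next policy refresh. Unblock-File is shown only to illustrate that the MotW is nothing more than the stream; removing it from files users receive defeats the purpose of the baseline setting.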

LAN Manager

For each release we conduct a complete review of the settings in the security baseline. Based on the latest review, we are updating our recommended settings for LAN Manager (Lanman), covering both Lanman Server and Lanman Workstation.
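The following PowerShell is an added example (not code from the Microsoft baseline post) that audits the running SMB server configuration against the Lanman Server values listed in this section and optionally applies them to a machine that is outside the GPO. It assumes each Group Policy setting named here corresponds to the Get-/Set-SmbServerConfiguration property with the matching name in the table below; the baseline itself deploys these values through Group Policy, and this script only checks and, if asked, sets the local effective configuration.

```powershell
# Added example (not from the Microsoft baseline post): audit the running SMB server
# configuration against the Lanman Server values recommended in this section, and
# optionally apply them locally.
# Assumption: each Group Policy setting named in the post maps to the
# Get-/Set-SmbServerConfiguration property with the matching name below.

$LanmanServerBaseline = [ordered]@{
    AuditClientDoesNotSupportEncryption = $true      # Audit client does not support encryption
    AuditClientDoesNotSupportSigning    = $true      # Audit client does not support signing
    AuditInsecureGuestLogon             = $true      # Audit insecure guest logon
    EnableAuthRateLimiter               = $true      # Enable authentication rate limiter
    EnableMailslots                     = $false     # Enable remote mailslots: Disabled
    Smb2DialectMax                      = 'SMB311'   # Mandate the maximum version of SMB: 3.1.1
    Smb2DialectMin                      = 'SMB300'   # Mandate the minimum version of SMB: 3.0.0
    InvalidAuthenticationDelayTimeMs    = 2000       # Set authentication rate limiter delay: 2000 ms
}

function Test-LanmanServerBaseline {
    param(
        [System.Collections.IDictionary]$Expected = $LanmanServerBaseline,
        $Config = (Get-SmbServerConfiguration)
    )
    foreach ($name in $Expected.Keys) {
        $actual = $Config.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            # Compare as strings so enums, booleans and integers all line up
            Compliant = ("$actual" -eq "$($Expected[$name])")
        }
    }
}

function Set-LanmanServerBaseline {
    # Local remediation for a machine that is not under the GPO; domain-joined
    # machines should receive these values from the baseline policy instead.
    Set-SmbServerConfiguration @LanmanServerBaseline -Force
}

$results = Test-LanmanServerBaseline
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'SMB server configuration drifts from the baseline; confirm policy application (gpresult /r) before remediating.'
}
```

Get-SmbServerConfiguration reports the effective values, so a non-compliant row on a domain-joined machine usually means the policy has not applied yet rather than a local misconfiguration; check that first, because a Set-SmbServerConfiguration change will simply be overwritten when the policy refreshes. Raising Smb2DialectMin to SMB 3.0.0 blocks SMB 2.x clients, so audit with the three Audit* settings and review the SMBServer event log before enforcing it.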

  • Network\Lanman Server
    • Audit client does not support encryption – set to a value of Enabled
    • Audit client does not support signing – set to a value of Enabled
    • Audit insecure guest logon – set to a value of Enabled
    • Enable authentication rate limiter – set to a value of Enabled
    • Enable remote mailslots – set to a value of Disabled
    • Mandate the maximum version of SMB – set to a value of Enabled: SMB 3.1.1
    • Mandate the minimum version of SMB – set to a value of Enabled: SMB 3.0.0
    • Set authentication rate limiter delay (milliseconds) – set to a value of Enabled: 2000