Recently, Microsoft released their final Windows 10 1703 security baseline. You can check out the blog post about it here. The blog post includes links to the download, where you can get the pre-configured Group Policies, WMI filters, a script to deploy it locally, documentation and reports.
It’s worth remembering that this is only a baseline: further improvements can be made, but it should be a good start to work with. I have applied this to my local machine and the only issue I have come across is when browsing the internet with IE11. This suggests that the baseline is too restrictive for day-to-day use.
The baseline is comprehensive. It sets local password policies, disables the Administrator and Guest accounts, disables the enumeration of accounts (yes, we’ve already done this), configures UAC so that admin credentials cannot be used on a non-admin account (useful! You can still run-as an admin and elevate once “logged in”) and applies a whole host of other settings. The best thing to do is download the Zip file, extract it and read through the documentation, which is an Excel sheet showing what is and isn’t configured.
Other useful things this will do are configuring BitLocker and Device Guard. It’s worth bearing this in mind if you are using MBAM, because MBAM will configure BitLocker rather than GPO. Play around with it, test it and see what breaks, if anything. I’ve been running this for a week or so now and, other than having to switch browsers, I’ve been able to continue working.
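
When testing, it helps to confirm that the settings actually landed before looking for breakage. The script below is an added example, not part of the Microsoft download: a read-only spot check of the account and UAC settings mentioned above, for Windows PowerShell 5.1. The expected values, and the assumption that "enumeration of accounts" refers to the "Enumerate administrator accounts on elevation" policy, should be confirmed against the baseline spreadsheet.

```powershell
# Added example: read-only spot check of settings named in the post.
# Expected values are assumptions; confirm them against the baseline spreadsheet.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    [pscustomobject]@{
        Setting  = 'UAC prompt for standard users (0 = automatically deny)'
        Expected = 0
        Actual   = Get-PolicyValue "$policies\System" 'ConsentPromptBehaviorUser'
    },
    [pscustomobject]@{
        Setting  = 'Enumerate administrator accounts on elevation (0 = disabled)'
        Expected = 0
        Actual   = Get-PolicyValue "$policies\CredUI" 'EnumerateAdministrators'
    }
)

# Match built-in accounts by well-known RID (500 = Administrator, 501 = Guest)
# so the check still works if the accounts have been renamed.
$rids = @{ 500 = 'Administrator'; 501 = 'Guest' }
foreach ($rid in $rids.Keys) {
    $acct = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith("-$rid") }
    # $null means the account could not be found, reported as not compliant.
    $enabled = if ($acct) { $acct.Enabled } else { $null }
    $checks += [pscustomobject]@{
        Setting  = "Built-in $($rids[$rid]) account enabled"
        Expected = $false
        Actual   = $enabled
    }
}

# A blank Actual means the value is not configured on this machine.
$checks |
    Select-Object Setting, Expected, Actual,
        @{ Name = 'Compliant'; Expression = { $_.Actual -eq $_.Expected } } |
    Format-Table -AutoSize -Wrap
```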