Windows 10 21H2 Adds Ransomware Protection to Security Baseline
Microsoft has released the final version of security configuration baseline settings for Windows 10, version 21H2, available today from the Microsoft Security Compliance Toolkit.
“This Windows 10 feature update brings very few new policy settings,” Microsoft security consultant Rick Munck said.
“One setting has been added for this release for printer driver installation restrictions (which was also added to the Windows 11 release). Additionally, all Microsoft Edge Legacy settings have been removed,”
Protection from human-operated ransomware
However, the highlight of the new Windows 10 security baseline is the addition of tamper protection as a setting to enable by default (this was also made a default setting in the Windows 11 security baseline two months ago).
When toggling on the Microsoft Security Baseline for Windows 10 21H2, Redmond urges admins to toggle on Defender for Endpoint’s tamper protection feature to protect against human-operated ransomware attacks.
This feature does that by blocking attempts by ransomware operators or malware to disable OS security features and security solutions to gain easier access to sensitive data and deploy further malware or malicious tools.
Tamper protection automatically locks Microsoft Defender Antivirus using the default secure values, thwarting attempts to change them using the registry, PowerShell cmdlets, or group policies.
After enabling it, ransomware operators would have a considerably more challenging task when trying to:
- Disable virus and threat protection
- Disable real-time protection
- Turnoff behavior monitoring
- Disable antivirus (such as IOfficeAntivirus (IOAV))
- Disable cloud-delivered protection
- Remove security intelligence updates
- Disable automatic actions on detected threats
PrintNightmare and Edge Legacy
With the new Windows 10 21H2 security baseline, Redmond removed all Microsoft Edge Legacy settings after its EdgeHTML-based web browser reached end of support in March.
“Going forward, please use the new Microsoft Edge (Chromium-based) baseline, which is on a separate release cadence and available as part of the Microsoft Security Compliance Toolkit,” Munck added.
Microsoft also added a new setting to the MS Security Guide custom administrative template designed to restrict printer driver installation to users with Administrator privileges.
The new recommendation follows security updates released starting with July 2021 to address the CVE-2021-34527 PrintNightmare remote code execution flaw impacting the Windows Print Spooler service.
Now available for download
Windows security baselines provide Microsoft-recommended security configurations which reduce Windows systems’ attack surface and increase the overall security posture of enterprise endpoints.
“A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact,” as Microsoft explains. “These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.”
The Windows 10 21H2 security baseline is now available for download via the Microsoft Security Compliance Toolkit, and it includes Group Policy Object (GPO) backups and reports, the scripts needed to apply settings to the local GPO, as well as Policy Analyzer rules.
“Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate,” Munck added.
More info on the changes that the new Windows 10 21H2 security baseline comes with is available in this Microsoft Security Baselines blog post.