The NEW Security baseline for Windows
While I was still a Full Time Employee at Microsoft, I was aware of these “new baseline” recommendations. But I was waiting for the final announcement from Aaron Margosis yesterday.
Here are the new security configuration baseline settings (version 1903) for Windows 10 and Windows Server.
Please note that the new Windows Server is now “Core” only (no Graphical Interface or Desktop Experience). As such, Microsoft had to make some changes to Windows Server 2016.
The Windows Feature Update only introduces a few new Group Policy settings. Microsoft lists them in the accompanying documentation. This baseline recommends that only two of these settings be configured. Microsoft has made several adjustments to the settings that are already in place, including some changes from the draft version of this baseline Microsoft published last month.
No more password expiration policies.
Microsoft has not changed the minimum password length, history or complexity.
Aaron points out that periodic password expiration only defends against the possibility that a password (or hash) is stolen during its validity period and used by an unauthorised party. If a password is never stolen, expiration changes nothing. If you have evidence that a password was stolen, you should presumably act immediately to fix the problem rather than wait for it to expire. And if you know that a password will be stolen, how long should you allow the thief access to it?
No more forced disabling of the Administrator and Guest accounts
The built-in Guest account: Windows 10 and Windows Server disable the Guest account (RID 501) by default. Only administrators can enable it, and they would likely do so only for a valid reason, such as a kiosk system.
The built-in Administrator account: Windows 10 disables the local Administrator account (RID 500) by default, but Windows Server does not. Windows 10 Setup prompts for a new account to be created, which becomes the primary administrative account for the computer. Windows Server Setup, by contrast, prompts for a new password for the Administrator account. The main differences between the -500 Administrator account (when it is enabled) and a custom administrative account are:
1) The -500 account is not subject to account expiration, account lockout, password expiration or logon hours;
2) Administrators cannot remove the -500 account from the Administrators group;
3) By default, the -500 account runs with full administrative rights and no UAC prompts, including over the network. This third difference can be eliminated (as Microsoft's baselines always do) by enabling the security option “User Account Control: Admin Approval Mode for the Built-in Administrator account.”
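As an added example (not code from the original post or from Microsoft's baseline package), the script below audits a local machine against the three points discussed above: the password-age policy, the state of the RID 500 and RID 501 accounts, and whether Admin Approval Mode is enabled for the built-in Administrator. It assumes an elevated PowerShell 5.1 or later session on Windows 10 or Windows Server with secedit.exe available; the registry value FilterAdministratorToken is the one behind the named UAC policy.

```powershell
# Added example: local audit of the baseline points above (not the original post's code).
# Assumes an elevated PowerShell session; secedit needs admin rights to export the policy.

function Get-SystemAccessPolicy {
    # Export the local security policy and parse the [System Access] section into a hashtable.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    try {
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
        }
        return $policy
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-BaselineAuditReport {
    $p = Get-SystemAccessPolicy
    # Identify the built-in accounts by RID, not by name, since they may have been renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    # Registry value behind "User Account Control: Admin Approval Mode for the Built-in Administrator account"
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $aam = (Get-ItemProperty -Path $uacKey -Name FilterAdministratorToken -ErrorAction SilentlyContinue).FilterAdministratorToken
    $report = [ordered]@{
        MaximumPasswordAgeDays  = $p['MaximumPasswordAge']    # -1 = never expires; the baseline no longer enforces an age
        MinimumPasswordLength   = $p['MinimumPasswordLength'] # length, history and complexity are unchanged
        PasswordHistorySize     = $p['PasswordHistorySize']
        PasswordComplexity      = $p['PasswordComplexity']
        Rid500Name              = $admin.Name
        Rid500Enabled           = [bool]$admin.Enabled
        Rid501Enabled           = [bool]$guest.Enabled
        AdminApprovalModeFor500 = ($aam -eq 1)
    }
    # The combination the post warns about: -500 enabled and running with no UAC prompt, including over the network.
    $report['Rid500RunsWithoutUacPrompt'] = $report['Rid500Enabled'] -and -not $report['AdminApprovalModeFor500']
    return [pscustomobject]$report
}

Get-BaselineAuditReport | Format-List
```

A true Rid500RunsWithoutUacPrompt is the condition to fix by enabling the UAC option named in point 3, or by leaving the -500 account disabled where the platform default already does so.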
The following changes were made to the Windows 10 v1809 baselines and the Windows Server 2019 baselines:
Microsoft has made additional changes to this baseline since publishing the draft.
Aaron’s blog post can be found here
Erdal
You can watch the video on YouTube