Azure - Microsoft Security Baseline for Windows Server 2016 Compliance


All virtual machines hosted in Azure should adhere to the campus Departmental IT Security Baseline. Adherence to the Departmental IT Security Baseline is the responsibility of Azure customers.

To make Departmental IT Security Baseline compliance easier, a subset of the Microsoft Security Baseline for Windows Server 2016 can be applied to a VM provisioned using Microsoft's Windows Server 2016 Datacenter templates.

As part of the Windows Server 2016 VM provisioning (recommended):
After a Windows Server 2016 VM has been provisioned:
The Microsoft Security Baseline for Windows Server 2016 includes the following settings:

The following changes have been made to the Microsoft Security Baseline for Windows Server 2016 to ensure compatibility in Azure:
  • Local Policies: User Rights Assignment: Allow log on locally
    • Recommended: BUILTIN\Administrators
    • Actual: BUILTIN\Administrators, BUILTIN\Remote Desktop Users
    • Rationale: Administrative users will need to connect to Azure servers remotely to administer them
  • Local Policies: User Rights Assignment: Deny access to this computer from the network
    • Recommended: NT AUTHORITY\Local account and member of Administrators group, BUILTIN\Guests
    • Actual: BUILTIN\Guests
    • Rationale: Administrative users will need to connect to Azure servers remotely to administer them
  • Local Policies: User Rights Assignment: Deny log on through Terminal Services
    • Recommended: BUILTIN\Guests, NT AUTHORITY\Local account
    • Actual: BUILTIN\Guests
    • Rationale: Administrative users will need to connect to Azure servers remotely to administer them
  • Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection
    • Recommended: Enabled
    • Actual: Disabled
    • Rationale: Users will need to use RDP to upload files to virtual machines in Azure
  • The UW-Madison password standard is enforced
  • Accounts are locked out for 15 minutes after 15 failed logon attempts in 10 minutes
  • A UW-Madison logon banner is displayed prior to logon
    • Authorized users only. Actual or attempted unauthorized use of this computer system may result in criminal and/or civil prosecution and/or University disciplinary action. We reserve the right to view, monitor, and record activity on this system without notice or permission. Any information obtained by monitoring, reviewing, or recording is subject to review by release to law enforcement organizations in connection with the investigation or prosecution of possible criminal unauthorized activity on the system in accordance with Federal law, State statute, and University policy. If you are not an authorized user of this system, exit the system at this time.

To make changes to this configuration (e.g., updating the Windows Update settings), changes must be made using the Group Policy Object Editor:
  • Login to the Windows VM using Remote Desktop
  • Open the Microsoft Management Console (mmc.exe)
  • File -> Add/Remove Snap In...
  • Group Policy Object Editor
  • Add >
  • Group Policy Object: Local Computer
  • Finish
  • OK
Microsoft provide additional details on the Windows settings available for configuration via group policy at

Group Policy Settings Reference for Windows and Windows Server

If you have any questions, feedback or ideas please Contact Us

Commonly Referenced Docs:

UW Madison Public Cloud Team Events
Online Learning Classes for Cloud Vendors
What Data Elements are allowed in the Public Cloud



Keywords:
azure microsoft security baseline windows server 2016 update group policy vm 
Doc ID:
69082
Owned by:
Steve T. in Public Cloud
Created:
2016-11-29
Updated:
2022-06-23
Sites:
Public Cloud