Azure - Microsoft Security Baseline for Windows Server 2016 Compliance

All virtual machines hosted in Azure should adhere to the campus Departmental IT Security Baseline. Adherence to the Departmental IT Security Baseline is the responsibility of Azure customers.

To make Departmental IT Security Baseline compliance easier, a subset of the Microsoft Security Baseline for Windows Server 2016 can be applied to a VM provisioned using Microsoft's Windows Server 2016 Datacenter templates.

As part of the Windows Server 2016 VM provisioning (recommended):

Add a Custom Script Extension that uses azure-uwmadison_security_baseline-windows_server_2016.ps1 as the script file. This will configure the VM to meet a subset of the Microsoft Security Baseline for Windows Server 2016 as part of the provisioning process.

After a Windows Server 2016 VM has been provisioned:

Download azure-uwmadison_security_baseline-windows_server_2016.ps1 on the new VM, and run .\azure-uwmadison_security_baseline-windows_server_2016.ps1 from Windows PowerShell (Run as Administrator) to configure the VM to meet a subset of the Microsoft Security Baseline for Windows Server 2016.

The Microsoft Security Baseline for Windows Server 2016 includes the following settings:

The following changes have been made to the Microsoft Security Baseline for Windows Server 2016 to ensure compatibility in Azure:

Recommended: BUILTIN\Administrators
Actual: BUILTIN\Administrators, BUILTIN\Remote Desktop Users
Rationale: Administrative users will need to connect to Azure servers remotely to administer them

Local Policies: User Rights Assignment: Deny access to this computer from the network

Recommended: NT AUTHORITY\Local account and member of Administrators group, BUILTIN\Guests
Actual: BUILTIN\Guests
Rationale: Administrative users will need to connect to Azure servers remotely to administer them

Recommended: BUILTIN\Guests, NT AUTHORITY\Local account
Actual: BUILTIN\Guests
Rationale: Administrative users will need to connect to Azure servers remotely to administer them

Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection

Recommended: Enabled
Actual: Disabled
Rationale: Users will need to use RDP to upload files to virtual machines in Azure

The UW-Madison password standard is enforced
Accounts are locked out for 15 minutes after 15 failed logon attempts in 10 minutes
A UW-Madison logon banner is displayed prior to logon

Authorized users only. Actual or attempted unauthorized use of this computer system may result in criminal and/or civil prosecution and/or University disciplinary action. We reserve the right to view, monitor, and record activity on this system without notice or permission. Any information obtained by monitoring, reviewing, or recording is subject to review by release to law enforcement organizations in connection with the investigation or prosecution of possible criminal unauthorized activity on the system in accordance with Federal law, State statute, and University policy. If you are not an authorized user of this system, exit the system at this time.

To make changes to this configuration (e.g., updating the Windows Update settings), changes must be made using the Group Policy Object Editor:

Microsoft provide additional details on the Windows settings available for configuration via group policy at

Group Policy Settings Reference for Windows and Windows Server