Three months after the release of the operating system, Microsoft published the associated security baseline. Several of the newly recommended settings concern new features such as Delegated Managed Service Accounts or the mechanisms that harden SMB. There are also several changes for Defender Antivirus.
The Security Baseline brings together a set of security settings whose configuration Microsoft recommends as best practice. They are available as group policies and now also as CSPs for the MDM interfaces. The manufacturer has announced an update to the baseline in the coming months, which will also include settings from OSConfig.
Baselines for DCs and member servers
As usual, there are separate security baselines for domain controllers and member servers for version 2025. There are also separate recommendations for Defender Antivirus, Credential Guard and, interestingly, for Internet Explorer 11, which no longer ships with the OS.
As expected, the changes in the security baseline primarily reflect the new security options of the operating system. However, some of the recommendations can also be implemented on older OS versions. For example, Microsoft now recommends that the account lockout policy lock an account after 3 failed logon attempts instead of 10.
This category also includes a change that allows domain and enterprise admins to log on locally to DCs. It is meant to avoid failures when a component calls LsaLogonUser() in the context of a machine account in order to refresh the PKINIT machine credentials.
Delegated Managed Service Account (dMSA)
One of the significant innovations for Active Directory in Windows Server 2025 is a new account type for services, the dMSA. It is primarily intended to replace conventional user accounts under which Windows services log on.
Microsoft recommends enabling this feature. Doing so requires at least one writable domain controller running Windows Server 2025, because promoting it brings the required schema extension into AD.
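The following PowerShell is an added example, not code from the article or from Microsoft: it checks the dMSA prerequisite (a writable Windows Server 2025 DC and the dMSA schema class) and then creates a dMSA with the AD cmdlets that ship with Server 2025. The account name, DNS host name, OU path and the host `WEB01$` that is allowed to use the account are placeholders.

```powershell
# Added example (not from the article): verify the dMSA prerequisite, then create a dMSA.
# Names (svc-web-dmsa, web01.corp.example, the OU path, WEB01$) are placeholders.
Import-Module ActiveDirectory

function Test-DmsaPrerequisite {
    # dMSA needs the Windows Server 2025 schema, which arrives with the first writable
    # 2025 DC. Check both the DC inventory and the presence of the dMSA object class.
    $dc2025 = @(Get-ADDomainController -Filter * |
        Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -like '*Server 2025*' })

    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'

    [pscustomobject]@{
        Writable2025DCs    = $dc2025.Count
        SchemaHasDmsaClass = [bool]$class
        Ready              = ($dc2025.Count -gt 0) -and [bool]$class
    }
}

function New-WebServiceDmsa {
    param(
        [string]$Name        = 'svc-web-dmsa',                              # placeholder
        [string]$DnsHostName = 'web01.corp.example',                        # placeholder
        [string]$Path        = 'OU=Service Accounts,DC=corp,DC=example',    # placeholder
        [string[]]$AllowedHosts = @('WEB01$')   # placeholder: computer accounts allowed to use the dMSA
    )
    # -CreateDelegatedServiceAccount turns the otherwise gMSA-style call into a dMSA.
    New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName -Path $Path `
        -CreateDelegatedServiceAccount -KerberosEncryptionType AES256 `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedHosts
    Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword
}

$check = Test-DmsaPrerequisite
$check
if (-not $check.Ready) {
    throw 'No writable Windows Server 2025 DC or no dMSA schema class found; dMSA cannot be used yet.'
}
New-WebServiceDmsa

# To replace an existing service user account, link it to the dMSA and finalize later
# (both cmdlets are part of the Server 2025 ActiveDirectory module; the DN is a placeholder):
#   Start-ADServiceAccountMigration    -Identity svc-web-dmsa -SupersededAccount 'CN=svc-web,OU=Service Accounts,DC=corp,DC=example'
#   Complete-ADServiceAccountMigration -Identity svc-web-dmsa -SupersededAccount 'CN=svc-web,OU=Service Accounts,DC=corp,DC=example'
```

Run it from a management host with the RSAT AD module as a user who may create objects in the target OU. The schema-class check is more robust than comparing schema version numbers, because it tests for exactly the object class a dMSA needs.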
Securing SMB
With Windows Server 2025, Microsoft took several measures to harden the legacy SMB protocol and protect it against attacks. These mechanisms can be enabled consistently via group policies.
The Security Baseline recommends enabling the settings that log insecure communication, for example when clients do not support encryption or signing. These are:
- Audit client does not support encryption
- Audit client does not support signing
- Audit insecure guest logon

The Security Baseline for Server 2025 recommends monitoring insecure SMB communications.
In addition, there is protection against brute-force attacks in the form of the SMB authentication rate limiter. It does not cap the number of logon attempts; it delays every failed authentication attempt, and the baseline pins the delay to the default of 2000 ms so that it cannot be disabled by setting it to 0:
- Set authentication rate limiter delay (milliseconds)
Finally, the Security Baseline recommends requiring at least SMB 3.0.0 via the policy "Mandate the minimum version of SMB". Note that this refuses clients that can only negotiate SMB 2.0.2 or 2.1, so identify such clients before enforcing it.
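The following PowerShell is an added example (not from the article or from Microsoft) that maps the five SMB settings above to their `Set-SmbServerConfiguration` equivalents: it reports drift from the baseline values on the local server, lists current sessions that a 3.0.0 minimum would cut off, applies the values, and summarizes what the audit settings have logged. The `Smb2DialectMin` value `SMB300` is the cmdlet form of the policy value "3.0.0".

```powershell
# Added example (not from the article): compare the local SMB server with the baseline values,
# find legacy sessions, apply the settings, and read the SMB audit channel.
$SmbBaseline = [ordered]@{
    AuditClientDoesNotSupportEncryption = $true
    AuditClientDoesNotSupportSigning    = $true
    AuditInsecureGuestLogon             = $true
    InvalidAuthenticationDelayTimeInMs  = 2000      # rate limiter delay; 0 would disable it
    Smb2DialectMin                      = 'SMB300'  # cmdlet equivalent of policy value "3.0.0"
}

function Get-SmbBaselineDrift {
    $cfg = Get-SmbServerConfiguration
    foreach ($name in $SmbBaseline.Keys) {
        $expected = $SmbBaseline[$name]
        $actual   = $cfg.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected
            Actual    = $actual
            Compliant = ("$actual" -eq "$expected")
        }
    }
}

function Get-LegacySmbSession {
    # Sessions negotiated below SMB 3.0 would be refused once the minimum dialect is 3.0.0.
    Get-SmbSession | Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

function Set-SmbBaseline {
    # Auditing first, then the rate limiter; the dialect minimum last, because it is the one
    # setting that can break clients. -Force suppresses the confirmation prompts.
    Set-SmbServerConfiguration -AuditClientDoesNotSupportEncryption $true `
        -AuditClientDoesNotSupportSigning $true -AuditInsecureGuestLogon $true -Force
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs 2000 -Force
    Set-SmbServerConfiguration -Smb2DialectMin SMB300 -Force
}

function Get-SmbAuditEvent {
    param([int]$Hours = 24)
    # The audit settings write to the SMBServer/Audit channel; grouping by event ID shows
    # which class of insecure client is the noisy one.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count,
                      @{ n = 'Sample'; e = { ($_.Group[0].Message -split "`n")[0] } }
}

Get-SmbBaselineDrift | Format-Table -AutoSize
Get-LegacySmbSession | Format-Table -AutoSize
Get-SmbAuditEvent    | Format-Table -AutoSize
# Set-SmbBaseline   # uncomment to apply locally; in a domain the GPO is the source of truth
```

Run it elevated on a file server for a few days with only the audit settings enabled; when `Get-LegacySmbSession` and the audit channel stay empty, the dialect minimum can be enforced without surprises.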
Virtualization Based Security
For both DCs and member servers, Microsoft recommends using the virtualization-based security features. The corresponding settings can be found under Computer Configuration => Policies => Administrative Templates => System => Device Guard. Here you should configure the following options:
- Select Platform Security Level => Secure Boot
- Virtualization Based Protection of Code Integrity => Enabled with UEFI lock
- Require UEFI Memory Attributes Table => True
- Credential Guard Configuration => Enabled with UEFI lock
- Secure Launch Configuration => Enabled

Security Baseline recommended settings for VBS
Because of their potential compatibility impact, the following two settings should initially be enabled in audit mode only:
- Machine Identity Isolation Configuration
- Kernel-mode hardware-enforced stack protection
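Whether these policies actually take effect depends on firmware and hardware, so a practitioner wants to verify the running state rather than the GPO result. The following PowerShell is an added example (not from the article or from Microsoft) that reads the `Win32_DeviceGuard` class and reports, per VBS service, whether it is configured and whether it is running, alongside Secure Boot state and the platform security level in force.

```powershell
# Added example (not from the article): report configured vs. running VBS features.
# Service IDs follow the documented Win32_DeviceGuard SecurityServicesConfigured/Running values.
$SecurityServiceNames = @{
    1 = 'Credential Guard'
    2 = 'HVCI (Virtualization Based Protection of Code Integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'
    6 = 'Kernel-mode Hardware-enforced Stack Protection (audit mode)'
    7 = 'Hypervisor-Enforced Paging Translation'
}
$VbsStatusNames = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # 0 means "no services", so drop it before building the per-service view.
    $configured = @($dg.SecurityServicesConfigured | Where-Object { $_ -ne 0 })
    $running    = @($dg.SecurityServicesRunning    | Where-Object { $_ -ne 0 })

    $services = foreach ($id in ($configured + $running | Sort-Object -Unique)) {
        [pscustomobject]@{
            Service    = $SecurityServiceNames[[int]$id]
            Configured = $configured -contains $id
            Running    = $running    -contains $id
        }
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "no Secure Boot".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    [pscustomobject]@{
        VbsStatus        = $VbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        SecureBoot       = $secureBoot
        # RequiredSecurityProperties: 1 = base, 2 = Secure Boot, 3 = DMA protection (matches the
        # "Select Platform Security Level" policy; the baseline asks for Secure Boot only)
        RequiredFeatures = @($dg.RequiredSecurityProperties)
        Services         = $services
    }
}

$status = Get-VbsStatus
$status | Select-Object VbsStatus, SecureBoot, RequiredFeatures | Format-List
$status.Services | Format-Table -AutoSize
```

A service that shows `Configured = True` but `Running = False` after a reboot usually points at firmware (Secure Boot off, IOMMU/VT-x disabled, no MAT) rather than at the policy. Keep in mind that "Enabled with UEFI lock" persists in a UEFI variable: unlinking the GPO later does not turn the feature off, which is exactly why the two riskier settings above start in audit mode.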
Defender Antivirus
There are a number of changes to the integrated virus protection. This particularly affects Attack Surface Reduction (ASR), which gains a server-specific rule called Block Webshell creation for Servers. At the same time, Microsoft removed all ASR rules for Adobe Reader and MS Office from the server baseline, as they are only relevant for clients.
Using the two settings
- Control whether or not exclusions are visible to local users
- Control whether or not exclusions are visible to Local Admins
you can prevent users, and even local administrators, from seeing the exclusions defined for the virus scanner. The baseline recommends enabling both.
Finally, the baseline recommends that admins configure the group policies for the daily security intelligence (definition) updates and the monthly engine updates, selecting the value Current Channel (Broad) in each case.

Specify the channel for obtaining Defender updates using Group Policy
Another recommendation is to enable real-time protection and Security Intelligence Updates already during the OOBE phase, before it completes:
- Configure real-time protection and Security Intelligence Updates during OOBE
These recommendations are largely identical to those in the Security Baseline for Windows 11 24H2 .
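For a standalone server or a quick lab check, the same Defender settings can be applied and verified with the `Defender` PowerShell module. The block below is an added example (not from the article or from Microsoft). The ASR rule GUID is the published identifier of "Block Webshell creation for Servers"; the OOBE parameter is only set if the installed Defender platform exposes it.

```powershell
# Added example (not from the article): apply and verify the Defender settings recommended
# by the baseline on a single server. In a domain the GPO remains the authoritative source.
$WebshellRuleId = 'a8f5898e-1dc8-49a9-9878-85004b8a61e6'   # ASR rule "Block Webshell creation for Servers"

function Set-DefenderServerBaseline {
    # ASR: Add- rather than Set- so that other configured rules are preserved.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $WebshellRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled

    # Hide exclusions from local users and local admins (both recommended).
    Set-MpPreference -HideExclusionsFromLocalAdmins $true -HideExclusionsFromLocalUsers $true

    # Update channels: Current Channel (Broad) for definitions, engine and platform.
    Set-MpPreference -DefinitionUpdatesChannel Broad -EngineUpdatesChannel Broad -PlatformUpdatesChannel Broad

    # Real-time protection during OOBE: only newer Defender platforms expose this parameter.
    if ((Get-Command Set-MpPreference).Parameters.ContainsKey('OobeEnableRtpAndSigUpdate')) {
        Set-MpPreference -OobeEnableRtpAndSigUpdate $true
    }
}

function Get-DefenderServerBaselineStatus {
    $p   = Get-MpPreference
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $WebshellRuleId) { $idx = $i }   # GUID case varies between sources
    }
    $asrAction = if ($idx -ge 0) { @($p.AttackSurfaceReductionRules_Actions)[$idx] } else { 'not configured' }

    [pscustomobject]@{
        WebshellRuleAction       = $asrAction      # 1 = Block, 2 = Audit, 6 = Warn, 0 = Disabled
        HideExclusionsFromAdmins = $p.HideExclusionsFromLocalAdmins
        HideExclusionsFromUsers  = $p.HideExclusionsFromLocalUsers
        DefinitionUpdatesChannel = $p.DefinitionUpdatesChannel
        EngineUpdatesChannel     = $p.EngineUpdatesChannel
        PlatformUpdatesChannel   = $p.PlatformUpdatesChannel
    }
}

Set-DefenderServerBaseline
Get-DefenderServerBaselineStatus | Format-List
```

Once the exclusions are hidden from local admins, `Get-MpPreference` no longer reveals them on the server itself, so keep the authoritative exclusion list in the GPO or MDM profile rather than relying on the local view when troubleshooting.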
Availability
As usual, the Security Baseline is part of the Security Compliance Toolkit. In addition to GPO backups that can be imported into your own environment, it contains documentation in the form of GPO reports and an Excel table that lists all settings and their recommended values. In that table, the settings for DCs and member servers that differ from one another are marked in blue.
The delivery also includes a PDF document with a description of the most important changes.