Microsoft adds tamper protection to Windows 11 security baseline


Microsoft has released the final version of its security configuration baseline settings for Windows 11, available for download today through the Microsoft Security Compliance Toolkit.

“Two new settings have been added for this release (which were also added in Windows Server 2022 release), a new Microsoft Defender Antivirus setting, and a custom setting for printer driver installation restrictions,” said Microsoft security consultant Rick Munck.

Default ransomware protection

Redmond urges administrators who enable the Microsoft security baseline for Windows 11 to make sure that the tamper protection feature of Microsoft Defender for Endpoint, which adds protection against human-operated ransomware attacks, is turned on.

Tamper protection works by blocking attempts by malware or malicious actors to disable security solutions and operating system security features, a step that would make it easier for them to access sensitive data and deploy malware or malicious tools.

Tamper Protection configures Microsoft Defender Antivirus using secure defaults and prevents attempts to change them through the registry, PowerShell cmdlets, or Group Policy.

Once tamper protection is activated, ransomware operators will have a much more difficult task in front of them when they try to:

  • Turn off virus and threat protection
  • Disable real-time protection
  • Stop behavior monitoring
  • Disable antivirus (such as IOfficeAntivirus (IOAV))
  • Disable cloud-provided protection
  • Remove security intelligence updates

PrintNightmare and Edge Legacy Recommendations

Along with the new security baseline, Microsoft has also added a new setting to the MS Security Guide custom administrative template to restrict printer driver installation to administrators.

This new recommendation follows fixes released since July 2021 to address the PrintNightmare CVE-2021-34527 remote code execution vulnerability in the Windows Print Spooler service.
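A read-only check an administrator could run on an endpoint to confirm the protections described above are in effect. This is an added example, not part of the Microsoft baseline scripts; the function name and the 7-day signature-age threshold are assumptions, and it requires the Defender PowerShell module with Microsoft Defender Antivirus as the active antivirus.

```powershell
# Added audit example (not from the Security Compliance Toolkit). Read-only.
# Test-BaselineProtection and -MaxSignatureAgeDays are hypothetical names.
function Test-BaselineProtection {
    param([int]$MaxSignatureAgeDays = 7)   # assumed threshold, tune locally

    # Fails loudly if Defender is not the active antivirus on this machine.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $pref   = Get-MpPreference -ErrorAction Stop

    # Policy value that restricts printer driver installation to administrators.
    # An absent value means the policy is not configured and the OS default applies.
    $printKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $restrict = (Get-ItemProperty -Path $printKey `
                    -Name RestrictDriverInstallationToAdministrators `
                    -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators

    # One check per item tamper protection is meant to defend, plus the printer setting.
    $checks = [ordered]@{
        'Tamper protection enabled'                    = $status.IsTamperProtected
        'Antivirus enabled'                            = $status.AntivirusEnabled
        'Real-time protection enabled'                 = $status.RealTimeProtectionEnabled
        'Behavior monitoring enabled'                  = $status.BehaviorMonitorEnabled
        'IOAV protection enabled'                      = $status.IoavProtectionEnabled
        'Cloud-delivered protection enabled'           = ($pref.MAPSReporting -ne 0)
        'Security intelligence is recent'              = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        'Printer driver install restricted to admins'  = ($restrict -eq 1)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

# Show every check, then list only the failures for follow-up.
$results = Test-BaselineProtection
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Pass } | ForEach-Object { Write-Warning "FAILED: $($_.Check)" }
```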

Microsoft also removed all Microsoft Edge Legacy settings after the EdgeHTML-based web browser reached end of support in March and was removed from Windows 11.

“Going forward, please use the new Microsoft Edge (Chrome-based) baseline, which is on a separate release cadence and available as part of the Microsoft Security Compliance Toolkit,” Munck said.

Download and implement the security baseline

Windows security baselines provide administrators with Microsoft-recommended configuration settings designed to reduce the attack surface of Windows systems and strengthen the overall security posture of Windows enterprise endpoints.

“A security baseline is a group of configuration settings recommended by Microsoft that explains their impact on security,” Microsoft explains. “These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.”

The Windows 11 Security Baseline is available for download through the Microsoft Security Compliance Toolkit. It includes Group Policy Object (GPO) backups and reports, scripts to apply settings to the local GPO, and Policy Analyzer rule files.

“Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations and customize / implement as necessary,” added Munck.

More details on the changes implemented in the Windows 11 baseline can be found in the Microsoft Security Baselines blog post announcing this release.

