security
12 Topics

Server 2025 Security Baseline breaks Failover Cluster
Hello everyone, while testing the Server 2025 Security Baseline with our Hyper-V hosts in a Failover Cluster, we noticed the Cluster Service (ClusSvc) was unable to start correctly. It failed with Event 7024 - "A specified authentication package is unknown". From testing and the event logs, we noticed that the .dll file "CLUSAUTHMGR.DLL" was unable to load. After setting "Allow Custom SSPs and APs to be loaded into LSASS" to "Disabled", we were able to start the service again. I assume that the cluster auth manager .dll is not recognized as a trusted Microsoft SSP/AP and is therefore blocked as "custom" when enabling this setting. Has anyone tested this using Hyper-V clusters and/or made similar observations? (P.S.: Before debugging, we should have googled, since apparently we are not the only ones to have this issue: Failover Cluster Service won't start on Server 2025 | Jigsolving)

120 Views, 0 likes, 1 Comment
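A node-local check for the correlation described in the post, added here as an example (it is not code from the post, from Microsoft's baseline, or from the linked article). It reports the state of the "Allow Custom SSPs and APs to be loaded into LSASS" policy, the package lists LSASS is configured with, the ClusSvc state and any recent Event 7024 for it, so the value on a working node can be compared with the value on a failing one. The registry location of the policy (DWORD AllowCustomSSPsAPs under HKLM\SOFTWARE\Policies\Microsoft\Windows\System) and its 0/1 mapping to Disabled/Enabled are assumptions to verify against the baseline documentation; which of the two states blocks the cluster package is exactly what the comparison is meant to establish.

```powershell
# Added example, not code from the original post or from Microsoft's baseline.
# Reports, on the node it runs on: the LSASS custom-SSP/AP policy state, the
# package lists LSASS loads, the Cluster Service state and recent 7024 events.
# ASSUMPTION: the baseline setting is stored as DWORD AllowCustomSSPsAPs under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\System (0 = Disabled, 1 = Enabled,
# value absent = Not Configured). Check this against the baseline documentation.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CustomSspPolicyState {
    $item = Get-ItemProperty -Path $PolicyKey -Name 'AllowCustomSSPsAPs' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ($item.AllowCustomSSPsAPs) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { "Unknown($($item.AllowCustomSSPsAPs))" }
    }
}

function Get-ClusterServiceStartFailures {
    param([int]$Hours = 72)
    # Service Control Manager logs 7024 as "The <name> service terminated with the
    # following service-specific error: ...". Filter it down to the Cluster Service.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7024
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Cluster Service' } |
        Select-Object TimeCreated, Message
}

function Test-ClusterNodeLsaPolicy {
    $svc = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path $LsaKey
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AllowCustomSSPsAPs = Get-CustomSspPolicyState
        # The multi-string package lists LSASS is configured with; compare them
        # between a node where ClusSvc starts and one where it does not.
        SecurityPackages   = @($lsa.'Security Packages') -join ', '
        AuthPackages       = @($lsa.'Authentication Packages') -join ', '
        ClusSvcState       = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Recent7024Count    = @(Get-ClusterServiceStartFailures).Count
    }
}

Test-ClusterNodeLsaPolicy | Format-List
```

Save it as a script and run it on every node at once with `Invoke-Command -ComputerName (Get-ClusterNode).Name -FilePath .\Test-ClusterNodeLsaPolicy.ps1`; the node where ClusSvc is stopped and Recent7024Count is non-zero should differ from the healthy nodes only in the AllowCustomSSPsAPs column if the post's diagnosis holds. Whatever value restores the service, scope that exception to the cluster nodes (a separate baseline profile or GPO filtered to them) rather than relaxing the LSASS setting tenant-wide.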
Windows 10/11 22h2 Security Baseline missing in Intune

Hi, can you please enlighten us on when the Windows 10/11 Security Baseline will be updated to 22H2? The current baseline is from November 2021. I am sure that there are new recommendations in the new baseline ( Windows 10, version 22H2 Security baseline - Microsoft Community Hub ) that would be helpful while managing Windows in a more modern way. As an example, the 22H2 option "Allow Administrator account lockout" is currently missing, so it cannot be managed without a GPO.

8K Views, 4 likes, 24 Comments

Security Baselines for Linux
Currently only Windows OS is in scope of the Security Baseline assessments. Are there any plans to expand it to Linux (Red Hat) as well? I mean, our organization has deployed Defender on Linux, so it might be possible Microsoft will support this on Linux OSes as well. Thanks, Dragi

2.8K Views, 2 likes, 5 Comments

Exploit Prevention Blocking EXE files
My environment is having an issue where EXE files are being blocked when executed from a remote share. It appears Exploit Prevention is blocking them, but it does not happen for every user. I have placed an exclusion using Set-ProcessMitigation -Name filename.exe -Disable BlockRemoteImageLoads and the issue still persists. We do not use Defender for Endpoint as a solution and are not managing Exploit Guard policy via GPO, SCCM, or Intune. Also, I have verified the process mitigation is disabled using PowerShell:

    ImageLoad:
    BlockRemoteImageLoads      : OFF
    AuditRemoteImageLoads      : NOTSET
    Override BlockRemoteImages : False
    BlockLowLabelImageLoads    : OFF
    AuditLowLabelImageLoads    : NOTSET
    Override BlockLowLabel     : False
    PreferSystem32             : NOTSET
    AuditPreferSystem32        : NOTSET
    Override PreferSystem32    : False

This randomly started a few days ago and I'm at a loss for how to move forward and why this occurred all of a sudden.

977 Views, 0 likes, 0 Comments
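A triage script for this symptom, added as an example (not code from the post). Before adding more exclusions it is worth confirming which control is actually refusing the launch: a per-process Set-ProcessMitigation entry only covers a process whose image name matches, the system-wide default is separate, and "EXE from a share blocked for some users" is also the signature of Attack Surface Reduction, AppLocker or WDAC, none of which need Defender for Endpoint or a management channel to be active. The script prints the effective image-load mitigations for both scopes, the ASR rules currently enabled, and recent block events from each of those logs that mention the EXE, with the user SID so the "not every user" pattern can be checked. The image name and look-back window are placeholders; run it elevated so all logs are readable.

```powershell
# Added example, not code from the original post. Attribute a "blocked when run
# from a share" report to the control that actually logged the decision.
# ASSUMPTION: $ImageName is the file users launch; replace the placeholder.
param(
    [string]$ImageName = 'filename.exe',
    [int]$Hours = 48
)
$since = (Get-Date).AddHours(-$Hours)

function Get-ImageLoadMitigationSummary {
    param([string]$Name)
    # A per-process entry applies only to a process whose image name matches $Name
    # (NOTSET means it inherits); everything else gets the system default.
    $sys = Get-ProcessMitigation -System
    $app = Get-ProcessMitigation -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Scope                 = 'System'
        BlockRemoteImageLoads = $sys.ImageLoad.BlockRemoteImageLoads
        AuditRemoteImageLoads = $sys.ImageLoad.AuditRemoteImageLoads
    }
    if ($app) {
        [pscustomobject]@{
            Scope                 = $Name
            BlockRemoteImageLoads = $app.ImageLoad.BlockRemoteImageLoads
            AuditRemoteImageLoads = $app.ImageLoad.AuditRemoteImageLoads
        }
    }
}

function Get-EnabledAsrRules {
    # ASR runs inside Defender Antivirus and can be on without MDE, GPO, SCCM or Intune.
    # Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $mp = Get-MpPreference
    for ($i = 0; $i -lt @($mp.AttackSurfaceReductionRules_Ids).Count; $i++) {
        [pscustomobject]@{
            RuleId = $mp.AttackSurfaceReductionRules_Ids[$i]
            Action = $mp.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

function Find-BlockEvents {
    param([string]$Name, [datetime]$Since)
    $pattern = [regex]::Escape($Name)
    # Where each control records its decisions. Exploit Protection mitigations
    # (including BlockRemoteImageLoads) log to Security-Mitigations; ASR blocks are
    # Defender 1121; AppLocker denies are 8004; WDAC blocks are CodeIntegrity 3077.
    $sources = @(
        @{ LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode' },
        @{ LogName = 'Microsoft-Windows-Security-Mitigations/UserMode' },
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121 },
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 },
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 }
    )
    foreach ($filter in $sources) {
        $filter['StartTime'] = $Since
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $pattern } |
            Select-Object TimeCreated, LogName, Id, UserId, Message
    }
}

Get-ImageLoadMitigationSummary -Name $ImageName | Format-Table -AutoSize
Get-EnabledAsrRules | Format-Table -AutoSize
Find-BlockEvents -Name $ImageName -Since $since | Format-List
```

If the only hits come from the Defender, AppLocker or CodeIntegrity logs, the Set-ProcessMitigation exclusion was never going to help and the fix belongs to that control instead; if Security-Mitigations has no entry at all for the EXE in the window, Exploit Protection is not what blocked it.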
Security reasons to upgrade domain controllers to 2022

Can anyone point me to any documentation that lists the security features provided in Server 2022 that should be considered when planning an upgrade from older domain controllers? E.g., why should we go to 2022 instead of 2019?

2.7K Views, 0 likes, 3 Comments

collecting activity logs via API for security
Hello Everyone! We are planning to collect MCAS activity event logs for security monitoring via API for the applications we connected (O365, Azure, Workday, Salesforce, ServiceNow, DocuSign). Can you please share information about best practices, playbooks or guides regarding this scenario? Or if you have experience in similar cases, I'll be thankful for the information.

DCOM Hardening: Different Versions of Windows
My version is Win10 19042. When I try to execute any WMI command in my domain (such as wmic /node:IPADDR computersystem get username): if server and client versions are the same (Windows 10 19042), the command succeeds; if server and client versions are different (Win10 19044, Win10 19042), it gives an error: "The server-side authentication level policy does not allow the user domain\User SID (xxx) from address x.x.x.x to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application." I also created the registry key named "RequireIntegrityActivationAuthenticationLevel" on the remote computer and set its value to 0, but it doesn't affect it and gives the same error. How do I overcome this situation other than upgrading all remote computers?

2.1K Views, 0 likes, 1 Comment
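The error text in the post is the server side of the DCOM hardening from KB5004442 (CVE-2021-26414): the target now refuses activations below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, and the message itself says where the fix goes, the client. The following is an added example (not code from the post) with both sides: on the target, list the DistributedCOM 10036 rejections and the state of the RequireIntegrityActivationAuthenticationLevel value; on the client, fetch Win32_ComputerSystem.UserName (what "wmic computersystem get username" returns) either over WS-Man, which does not use DCOM activation at all, or over DCOM with the authentication level raised explicitly. 'target-host' is a placeholder, and the WS-Man path assumes WinRM is reachable on the target.

```powershell
# Added example, not code from the original post. Diagnose and work around the
# KB5004442 DCOM hardening from both sides.
# ASSUMPTION: 'target-host' is a placeholder; WinRM must be reachable on the
# target for the WS-Man path.
param([string]$ComputerName = 'target-host')

function Get-DcomHardeningRejections {
    param([int]$Hours = 24)
    # Run ON the target. Each refused activation is logged as DistributedCOM 10036
    # with the caller's SID and address, the same details the client error quotes.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

function Get-DcomHardeningOverride {
    # Run ON the target. RequireIntegrityActivationAuthenticationLevel under
    # HKLM\SOFTWARE\Microsoft\Ole was the opt-in/opt-out switch during the staged
    # rollout of KB5004442; once a build reaches the enforcement phase the value is
    # ignored, which is why setting it to 0 can have no effect.
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' `
            -Name 'RequireIntegrityActivationAuthenticationLevel' `
            -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
    if ($null -eq $v) { 'Absent (hardening default applies)' } else { "Set to $v" }
}

function Get-LoggedOnUserViaWsman {
    param([string]$Target)
    # WS-Man (WinRM, TCP 5985/5986) is the CIM cmdlets' default transport and does
    # not go through DCOM activation, so the hardening never applies to it.
    (Get-CimInstance -ComputerName $Target -ClassName Win32_ComputerSystem).UserName
}

function Get-LoggedOnUserViaDcom {
    param([string]$Target)
    # When DCOM is unavoidable, raise the client's authentication level to
    # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (or PacketPrivacy); the server then accepts it.
    $opt     = New-CimSessionOption -Protocol Dcom -PacketIntegrity
    $session = New-CimSession -ComputerName $Target -SessionOption $opt
    try     { (Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem).UserName }
    finally { Remove-CimSession -CimSession $session }
}

# Legacy equivalents that also raise the level (wmic itself is deprecated):
#   Get-WmiObject -ComputerName $ComputerName -Class Win32_ComputerSystem -Authentication PacketIntegrity
#   wmic /node:$ComputerName /authlevel:pktintegrity computersystem get username

Get-LoggedOnUserViaWsman -Target $ComputerName
```

The practical answer to "other than upgrading all remote computers" is therefore to change the caller, not the targets: every tool that activates DCOM on the mixed-version hosts has to request packet integrity or better, and anything that can use WinRM should.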
Secure Environment (PAW) for IaC Coders or Azure Management with minimum compromise on security

Hi All, I followed the guidelines from Microsoft on how to create a PAW with Intune for extremely exposed accounts, e.g., working on Tier 0 etc. Talking hybrid now. The issues we currently see are in the following areas: the PAW itself is very locked down, using the privilege scripts and profiles for Intune provided by Microsoft on GitHub (2020), which is by design. No admin rights means that even if you deploy, e.g., VS Code via Intune as a system installer (could not deploy the user installer successfully via Company Portal), no one using it can actually run program updates etc. Also installing add-ins, e.g., Bicep, will be an issue. The same goes for PowerShell if you need to install additional modules. In addition, AppLocker and Controlled Folder Access make it near impossible to use PowerShell efficiently. Now my questions: 1. What is a good option for admins that need to manage systems and services with PowerShell and IaC? Do we need to deploy Enterprise or Specialized hardenings and forget about delivering them physical PAWs hardened like MS does? Is LAPS an option to overcome the no-admin gap for the issues mentioned above? Would you suggest using the locked-down PAW only as a jump host, not working on it at all? If so, how can you secure the jump server as much as possible to keep the end-to-end security high for T0? I think if somebody can change and update code for a whole Landing Zone in Azure, this should be categorized as T0, don't you think? I verified a lot of community projects and MVP blogs, but I feel the topics above lack a bit of explanation. It would be great if somebody could give me some ideas about how to do this for the necessary admin profiles, to have some form of productivity experience while keeping the highest security baseline possible. BR Ueli

1.3K Views, 0 likes, 0 Comments

Command prompt password showing and correct
The lock screen on my PC is showing "Your PIN is no longer available due to a change to the security settings on this device. Click to set up your PIN again", and when I click on "Set up your PIN" I am again redirected to the lock screen and nothing happens. When I tried using the advanced option to troubleshoot the problem, the command prompt was asking for a password; every password I entered was shown as incorrect, and I have entered all the passwords that I could recall. So what do I do now? Please help me.

1K Views, 0 likes, 0 Comments