Microsoft has released an updated security baseline for Windows Server 2025 that tightens the default configuration of both Member Servers and Domain Controllers. The update, reported by Neowin, concentrates on three areas: reducing privilege abuse, strengthening authentication controls, and removing legacy attack surface.
Security baselines provide standardized configurations—including Group Policy settings, registry changes, and system hardening—that enterprises can deploy across environments to enforce consistent protection.
Sudo Disabled to Reduce Privilege Abuse
One of the most notable changes in baseline version 2602 is that the sudo command is disabled on both Member Servers and Domain Controllers. Windows Server 2025 ships Sudo for Windows, and the baseline sets its policy mode to Disabled rather than to one of the permitted modes.
Microsoft says the move reduces the risk of a User Account Control (UAC) bypass and limits opportunities for attackers to escalate privileges inside enterprise networks. In its inline mode, sudo runs the elevated command attached to the caller's unelevated console, which is the kind of interaction a UAC bypass would exploit; disabling the command removes that path on servers, where an interactive sudo has little legitimate use anyway.
Stronger Protection Against ROCA
The update also enhances defenses against the Return of Coppersmith's Attack (ROCA, CVE-2017-15361), a weakness in RSA keys generated by certain Infineon TPM and smart-card firmware. The affected keys have primes with a detectable structure, which lets the private key be recovered from the public key alone, so the public key itself is enough to tell whether a key is at risk.
Domain controllers now set the policy for ROCA-vulnerable Windows Hello for Business keys to Block mode: a key identified as vulnerable is refused at authentication time rather than merely logged for review, as the audit setting does.
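The fingerprint that distinguishes a ROCA-affected key is computable from the modulus alone. The following PowerShell is an added example, not code from the article or from Microsoft, implementing the test from the ROCA paper (Nemec et al., 2017): affected keys have primes of the form k*M + (65537^a mod M), where M is a product of small primes, so N mod p lies in the subgroup generated by 65537 in Z_p* for each of the 38 small odd primes up to 167 that divide M. The two check values at the end are constructed, not real keys, and the certificate-store scan covers local RSA certificates only; Windows Hello for Business keys live in the user's msDS-KeyCredentialLink attribute and are not covered by this scan.

```powershell
# Added example (not from the article or from Microsoft): ROCA fingerprint
# test from Nemec et al., "The Return of Coppersmith's Attack" (2017).
$RocaPrimes = 3,5,7,11,13,17,19,23,29,31,37,41,43,47,53,59,61,67,71,73,79,
              83,89,97,101,103,107,109,113,127,131,137,139,149,151,157,163,167

function Test-RocaFingerprint {
    param([Parameter(Mandatory)][System.Numerics.BigInteger]$Modulus)
    foreach ($p in $RocaPrimes) {
        # Enumerate the subgroup <65537> of Z_p* by repeated multiplication.
        $subgroup = New-Object 'System.Collections.Generic.HashSet[int]'
        $x = 1
        do {
            [void]$subgroup.Add($x)
            $x = ($x * 65537) % $p
        } while ($x -ne 1)

        $residue = [int]([System.Numerics.BigInteger]::Remainder($Modulus, $p)).ToString()
        # A random modulus falls outside the subgroup for at least one prime;
        # an RSALib-generated modulus is inside it for every prime.
        if (-not $subgroup.Contains($residue)) { return $false }
    }
    return $true
}

function ConvertTo-ModulusBigInt {
    # Extract the RSA modulus of a certificate as a positive BigInteger.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) { return $null }            # not an RSA certificate
    $bytes = $rsa.ExportParameters($false).Modulus  # big-endian, unsigned
    [array]::Reverse($bytes)                         # BigInteger wants little-endian
    [System.Numerics.BigInteger]::new([byte[]]($bytes + [byte]0))  # trailing 0 keeps it positive
}

# Constructed check values (not real keys). 65537^a mod M, with M the product of
# the 38 primes, satisfies the fingerprint by construction; a random value does not.
$M = [System.Numerics.BigInteger]::One
foreach ($p in $RocaPrimes) { $M = [System.Numerics.BigInteger]::Multiply($M, $p) }
$structured = [System.Numerics.BigInteger]::ModPow(65537, 123457, $M)

$buf = New-Object byte[] 129                     # 1024 random bits plus a zero high byte
(New-Object System.Random).NextBytes($buf)
$buf[128] = 0
$randomN = [System.Numerics.BigInteger]::new($buf)

[pscustomobject]@{ Input = 'structured 65537^a mod M (constructed)'; RocaMatch = Test-RocaFingerprint -Modulus $structured }
[pscustomobject]@{ Input = 'random 1024-bit value (constructed)';     RocaMatch = Test-RocaFingerprint -Modulus $randomN }

# Scan local RSA certificates; a $true here warrants key replacement.
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    foreach ($cert in Get-ChildItem -Path $store -ErrorAction SilentlyContinue) {
        $n = ConvertTo-ModulusBigInt -Certificate $cert
        if ($null -eq $n) { continue }
        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            RocaMatch  = Test-RocaFingerprint -Modulus $n
        }
    }
}
```

The structured value reports a match because each residue is, by construction, a power of 65537 modulo that prime; the random value fails the test at one of the small primes with overwhelming probability, which is why the fingerprint has a negligible false-positive rate on honestly generated keys. Run the scan as an administrator to read the machine store.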
Internet Explorer Automation Disabled
As part of its continued effort to eliminate legacy risks, Microsoft has disabled launching Internet Explorer 11 via COM automation, so scripts and applications can no longer instantiate the IE engine even though the standalone browser is already retired.
In addition, files downloaded from external or untrusted sources will now automatically receive Mark of the Web (MotW) tagging. This enables built-in safeguards such as:
- Microsoft Defender SmartScreen warnings
- Automatic macro blocking in Microsoft Office
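The safeguards above all key off the same artifact: Windows stores Mark of the Web in an NTFS alternate data stream named Zone.Identifier, and a ZoneId of 3 (Internet) or 4 (Restricted sites) is what SmartScreen and Office's macro blocking check for. The following PowerShell is an added example, not code from the article or from Microsoft, that reads, applies and removes that stream; the sample file it creates in the temp directory is constructed and contains no document content.

```powershell
# Added example (not from the article): inspect and set Mark of the Web.
$zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-MotwInfo {
    # Parse the Zone.Identifier stream ([ZoneTransfer] ini-style text) if present.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ Path = $Path; HasMotw = $false; ZoneId = $null
                                  Zone = 'none'; ReferrerUrl = $null; HostUrl = $null }
    }
    $fields = @{}
    foreach ($line in $stream) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    $zoneId = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
    [pscustomobject]@{
        Path        = $Path
        HasMotw     = $true
        ZoneId      = $zoneId
        Zone        = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'unknown' }
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
    }
}

function Set-MotwInternetZone {
    # Apply the tag a browser would: ZoneId=3 plus the download origin.
    param([Parameter(Mandatory)][string]$Path, [string]$HostUrl = 'about:internet')
    $content = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=$HostUrl`r`n"
    Set-Content -Path $Path -Stream Zone.Identifier -Value $content -NoNewline
}

# Constructed sample file, created locally, so it starts without a mark.
$sample = Join-Path $env:TEMP 'roster.docm'
Set-Content -Path $sample -Value 'placeholder, not a real document'
Get-MotwInfo -Path $sample

# Tag it as an Internet download (hypothetical origin URL); Office would now
# block macros in it and SmartScreen would evaluate it on launch.
Set-MotwInternetZone -Path $sample -HostUrl 'https://files.example/roster.docm'
Get-MotwInfo -Path $sample

# Unblock-File deletes the stream; this is the user-side "I trust this" action.
Unblock-File -Path $sample
Get-MotwInfo -Path $sample
Remove-Item -Path $sample
```

Get-MotwInfo is also useful for sweeps: piping the output of Get-ChildItem -Recurse through it shows which files in a share or a download folder carry no mark at all, which is the gap the baseline's automatic tagging is meant to close. Note that the stream is NTFS-only, so copying a file to FAT or exFAT media silently drops it.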
Expanded NTLM Auditing and RPC Hardening
To address ongoing concerns around legacy authentication, Microsoft has expanded NTLM monitoring:
- Incoming NTLM traffic auditing enabled for all accounts
- Domain controllers audit all NTLM authentication within the domain
- Outgoing NTLM activity to remote servers logged across environments
The changes are auditing rather than blocking: the aim is to give organizations the data to identify which clients and services still depend on NTLM and to phase it out in favor of Kerberos and other modern authentication methods before enforcing restrictions.
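The auditing only pays off if someone reads the data. The following PowerShell is an added example, not code from the article or from Microsoft: it first reads the three registry values that the "Network security: Restrict NTLM" audit policies write (Microsoft's documented locations for those policies; the article does not list them), then summarizes NTLM logons from Security event 4624 by workstation, source address and NTLM version so the remaining NTLM consumers, and in particular any NTLMv1 ones, can be found. The three sample events are constructed; the commented line at the end shows the same pipeline over the live Security log.

```powershell
# Added example (not from the article): check NTLM audit settings and
# summarize NTLM logons from 4624 events.
function Get-NtlmAuditPolicy {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $nlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $read = { param($key, $name) (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name }
    [pscustomobject]@{
        AuditIncomingNtlm    = & $read $lsa  'AuditReceivingNTLMTraffic'  # 0 off, 1 domain accounts, 2 all accounts
        OutgoingNtlmToRemote = & $read $lsa  'RestrictSendingNTLMTraffic' # 0 allow all, 1 audit all, 2 deny all
        AuditNtlmInDomain    = & $read $nlog 'AuditNTLMInDomain'          # DC only: 0 off ... 7 audit all
    }
}

function ConvertFrom-LogonEventXml {
    # Flatten the <EventData> of a 4624 event into one object per logon.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e = [xml]$Xml
        $d = @{}
        foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = $d['LogonType']
            AuthPackage = $d['AuthenticationPackageName']   # 'NTLM', 'Kerberos', 'Negotiate'
            NtlmVersion = $d['LmPackageName']               # 'NTLM V1', 'NTLM V2' or '-'
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
        }
    }
}

function Get-NtlmLogonSummary {
    # One row per (workstation, source IP, NTLM version), with the accounts seen.
    param([Parameter(Mandatory)][object[]]$Logons)
    $Logons |
        Where-Object { $_.AuthPackage -eq 'NTLM' } |
        Group-Object Workstation, SourceIp, NtlmVersion |
        ForEach-Object {
            [pscustomobject]@{
                Workstation = $_.Group[0].Workstation
                SourceIp    = $_.Group[0].SourceIp
                NtlmVersion = $_.Group[0].NtlmVersion
                Logons      = $_.Count
                Users       = ($_.Group.User | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Logons -Descending
}

function New-SampleLogonXml {
    # Builds a minimal 4624 event body; used only for the constructed samples below.
    param($User, $Domain, $Package, $Lm, $Workstation, $Ip, $LogonType = 3)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">$Domain</Data>
    <Data Name="LogonType">$LogonType</Data><Data Name="AuthenticationPackageName">$Package</Data>
    <Data Name="LmPackageName">$Lm</Data><Data Name="WorkstationName">$Workstation</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

# Constructed sample events: one NTLMv1 service logon, one NTLMv2 user logon, one Kerberos logon.
$sampleEvents = @(
    (New-SampleLogonXml -User 'svc_backup' -Domain 'CORP' -Package 'NTLM'     -Lm 'NTLM V1' -Workstation 'BKP-APPL01' -Ip '10.20.4.15'),
    (New-SampleLogonXml -User 'jdoe'       -Domain 'CORP' -Package 'NTLM'     -Lm 'NTLM V2' -Workstation 'WS-0423'    -Ip '10.20.9.77'),
    (New-SampleLogonXml -User 'jdoe'       -Domain 'CORP' -Package 'Kerberos' -Lm '-'       -Workstation '-'          -Ip '10.20.9.77')
)

Get-NtlmAuditPolicy
$logons = $sampleEvents | ConvertFrom-LogonEventXml
Get-NtlmLogonSummary -Logons $logons | Format-Table -AutoSize

# Live use on a server or DC (needs admin rights to read the Security log):
# $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 20000 |
#           ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
```

On the constructed input the Kerberos logon is filtered out and the two NTLM logons land in separate rows, the NTLMv1 one from the backup server being the row to chase first. A missing registry value in the first function's output means that policy is not configured on the host, which on a baseline-compliant system should not happen for the incoming and outgoing settings.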
Remote Procedure Call (RPC) settings have also been tightened: RPC over TCP connections now require authentication, and Member Servers run their RPC listeners with Kerberos authentication.
Print Spooler and Additional Changes
The baseline also adjusts the Print Spooler so that it impersonates clients through a restricted service account, limiting what a compromised spooler can do, without disabling printing.
Microsoft also removed a policy related to downloading enclosures that does not apply to Windows Server 2025, and provided updated guidance on:
- Secure Boot certificate lifecycle management
- SMB server hardening
The update aligns with Microsoft’s wider security strategy, which includes enforcing modern encryption standards such as TLS 1.2 across cloud services and strengthening device-level protections through recent Windows Hello enhancements.