Microsoft has published the February 2026 revision of the Windows Server 2025 security baseline package, introducing critical security enhancements including NTLM auditing improvements, sudo command restrictions, and printer security hardening.
Microsoft has released the February 2026 revision (v2602) of the security baseline package for Windows Server 2025, introducing several critical security enhancements designed to protect enterprise environments while aligning with the latest capabilities and standards.
Key Security Policy Changes
The latest baseline includes significant updates across multiple security domains:
Sudo Command Restrictions
A notable addition is the configuration of the sudo command behavior. Microsoft now recommends enabling the policy Configure the behavior of the sudo command with the maximum allowed sudo mode set to Disabled. This change addresses potential privilege escalation vectors, particularly in environments with Active Directory or domain controllers. The sudo command, when enabled in certain configurations, could allow attackers or malicious insiders to bypass traditional UAC prompts and run commands with elevated privileges.
ROCA-vulnerable WHfB Key Validation
The baseline introduces configuration for Validation of ROCA-vulnerable WHfB keys during authentication. Microsoft recommends enabling this setting in Block mode on domain controllers to mitigate Windows Hello for Business keys vulnerable to the Return of Coppersmith's attack (ROCA). Organizations should use the WHfBTools PowerShell module to clean up orphaned or vulnerable keys before implementing this block to avoid breaking incompatible devices.
Internet Explorer 11 COM Automation Restrictions
Following the Windows 11 version 25H2 security baseline, Microsoft now recommends disabling Internet Explorer 11 Launch Via COM Automation. This prevents legacy scripts and applications from programmatically launching Internet Explorer 11 using COM automation interfaces like CreateObject("InternetExplorer.Application"), reducing exposure to legacy MSHTML and ActiveX components vulnerable to exploitation.
Mark of the Web Tag Configuration
The baseline configures Do not apply the Mark of the Web tag to files copied from insecure sources as Disabled, consistent with the Windows 11 security baseline. This ensures Windows applies the Mark of the Web (MotW) tag to files copied from Internet or untrusted zones, enabling additional protections such as SmartScreen checks and Office macro blocking.
Enhanced NTLM Auditing
Microsoft continues its push to help customers transition from NTLM to Kerberos with comprehensive auditing enhancements:
- Audit Incoming NTLM Traffic: Set to Enable auditing for all accounts on both member servers and domain controllers
- Audit NTLM authentication in this domain: Set to Enable all on domain controllers
- Outgoing NTLM traffic to remote servers: Set to Audit all on both member servers and domain controllers
These settings log events for NTLM authentication requests that would be blocked when restrictions are enforced, helping organizations identify and remediate NTLM usage before implementing restrictions. Two additional NTLM auditing capabilities are enabled by default in Windows Server 2025 and Windows 11 version 25H2, providing detailed audit logs for authentication activity without requiring explicit configuration.
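As an added example (not part of the Microsoft baseline package or its documentation), the following PowerShell script turns the audit events those three settings generate into an inventory of remaining NTLM usage, grouped by direction, target, workstation and process. It assumes it runs elevated on a server where the audit policies have applied, that the events land in the Microsoft-Windows-NTLM/Operational log with IDs 8001 (outgoing), 8002 (incoming) and 8004 (domain-wide audit on a domain controller), and it parses the "Label: value" lines of each event message generically because the field names differ between event IDs.

```powershell
# Added example: inventory NTLM audit events before moving the v2602 audit
# settings to their blocking counterparts. Assumes log name and event IDs
# 8001/8002/8004 as described in the lead-in; field labels are parsed
# generically from the message text rather than by fixed property index.
param(
    [int]$Days = 7,
    [string]$Csv = "$env:TEMP\ntlm-audit-inventory.csv"
)

$since  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8004; StartTime = $since }
$dirName = @{ 8001 = 'Outgoing'; 8002 = 'Incoming'; 8004 = 'Domain (DC)' }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No NTLM audit events since $since; confirm the audit policies have applied."
    return
}

$rows = foreach ($e in $events) {
    # Collect every "Label: value" line of the rendered message into a hashtable.
    $fields = @{}
    foreach ($line in ($e.Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.+?)\s*$') { $fields[$Matches[1].Trim()] = $Matches[2] }
    }
    # Different event IDs name the same concept differently; take the first label present.
    $user    = @($fields['User name'], $fields['Supplied user']) | Where-Object { $_ } | Select-Object -First 1
    $process = @($fields['Process name'], $fields['Calling process name']) | Where-Object { $_ } | Select-Object -First 1
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Direction   = $dirName[[int]$e.Id]
        Target      = $fields['Target server']
        User        = $user
        Workstation = $fields['Workstation name']
        Process     = $process
        Computer    = $e.MachineName
    }
}

# Counts per direction and remote party: the list to remediate before
# enforcing the corresponding NTLM restriction settings.
$rows | Group-Object Direction, Target, Workstation, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

$rows | Export-Csv -Path $Csv -NoTypeInformation
Write-Host "Per-event detail written to $Csv"
```

Run it on a domain controller and on a representative member server; an empty result after the audit settings have applied for a full business cycle is the signal that the restriction settings can be enforced with low risk.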
Printer Security Hardening
Several printer-related security enhancements have been introduced:
- Added RESTRICTED SERVICES\PrintSpoolerService to the Impersonate a client after authentication policy
- Enforced default setting for Configure RPC connection settings to always use RPC over TCP with Authentication Enabled
- Raised security level of Configure RPC listener settings from Negotiate to Kerberos on member servers
While new policies like Require IPPS for IPP printers and Set TLS/SSL security policy for IPP printers are not enforced in the baseline due to potential operational challenges, Microsoft recommends transitioning away from IPP or self-signed certificates for improved security.
Secure Boot Certificate Updates
The baseline includes guidance for Secure Boot certificate deployment, with policies under Administrative Templates\Windows Components\Secure Boot. Organizations can control automatic certificate deployment via updates, initiate deployment explicitly, or participate in Microsoft-managed Controlled Feature Rollout. These updates depend on device firmware support, and organizations should test hardware compatibility before deployment.
SMB Server Hardening
To address relay attack vulnerabilities like CVE-2025-55234, Microsoft has introduced audit capabilities for SMB Server hardening features:
- Audit client does not support signing
- Audit SMB client SPN support
These audit features help identify device or software incompatibility issues before deploying SMB Server signing or extended protection for authentication (EPA). For domain controllers, SMB signing is already enabled by default, while member servers should first enable audit features to assess their environment.
Download and Implementation
The Windows Server 2025 security baseline v2602 is available through the Microsoft Security Compliance Toolkit. Organizations can download the baseline package, test recommended configurations in their environment, and customize or implement them as appropriate. The toolkit provides comprehensive documentation and implementation guidance for all included policies.
The security baseline represents Microsoft's ongoing commitment to helping enterprise customers maintain secure Windows Server environments while adapting to evolving threat landscapes and leveraging new security capabilities introduced in Windows Server 2025.
For more information about Windows security baselines and implementation guidance, visit aka.ms/baselines.