Microsoft Hardens Windows Server 2025 With New Security Baseline



Microsoft has strengthened its Windows Server security posture once again, rolling out a refreshed baseline package while expanding protections across core services.

According to a report from Neowin, Microsoft has updated the security baseline package for Windows Server 2025, introducing tighter controls aimed at enterprise and government environments running complex Microsoft infrastructure.

Windows Server 2025 security baseline updated

Security baselines provide pre-configured Group Policy Objects (GPOs), registry settings, and hardened security configurations that organizations can deploy to standardize protection across servers.

With version 2602, Microsoft has introduced several changes designed to reduce privilege escalation risks and close legacy attack vectors.

One of the most notable updates disables sudo command mode on Member Servers (MS) and Domain Controllers (DCs). This move reduces the risk of User Account Control (UAC) bypass and limits potential abuse of elevated privileges.

ROCA protections move to block mode

Microsoft has also strengthened protection against Return of Coppersmith’s Attack (ROCA), a cryptographic vulnerability affecting certain RSA keys.

Validation of ROCA-vulnerable Windows Hello for Business keys now runs in Block mode on domain controllers. This change prevents the use of potentially compromised authentication keys rather than simply auditing them.

Internet Explorer automation disabled

Legacy components continue to receive attention. Internet Explorer 11 launch through COM automation has been disabled due to ongoing security concerns.

At the same time, Mark of the Web (MotW) tagging now applies to files downloaded from the internet or other untrusted sources. MotW enables built-in safeguards such as SmartScreen filtering and automatic macro blocking in Microsoft Office applications.

Expanded NTLM auditing and RPC hardening

Microsoft has enhanced visibility and control over NTLM authentication across the domain.

Audit Incoming NTLM Traffic now enables auditing for all accounts on Member Servers and Domain Controllers. Domain controllers also enforce full NTLM authentication auditing, while outgoing NTLM traffic to remote servers is set to audit all activity.

These measures give administrators clearer insight into legacy authentication usage as Microsoft continues pushing organizations toward modern alternatives.
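
The three NTLM audit settings described above can be verified on a server with a short check. This is an added example, not code from Microsoft or from the baseline package. The registry paths and numeric values are the standard backing store for the "Network security: Restrict NTLM" policies and are an editor's mapping, not details given in the article; the function name, the `-Observed` parameter and the sample data are hypothetical.

```powershell
# Added example: compare NTLM audit registry values with the settings the article describes.
# Policy-to-registry mapping is the editor's assumption (standard "Restrict NTLM" policy values).
$NtlmAuditChecks = @(
    @{ Policy = 'Audit Incoming NTLM Traffic'; Roles = @('MS', 'DC')
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name   = 'AuditReceivingNTLMTraffic'; Want = 2 }    # 2 = enable auditing for all accounts
    @{ Policy = 'Audit NTLM authentication in this domain'; Roles = @('DC')
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name   = 'AuditNTLMInDomain'; Want = 7 }            # 7 = enable all
    @{ Policy = 'Outgoing NTLM traffic to remote servers'; Roles = @('MS', 'DC')
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name   = 'RestrictSendingNTLMTraffic'; Want = 1 }   # 1 = audit all
)

function Test-NtlmAuditBaseline {
    param(
        [Parameter(Mandatory)][ValidateSet('MS', 'DC')][string]$Role,
        # Optional value-name -> data map, so exported settings can be reviewed offline.
        [hashtable]$Observed
    )
    $offline = $PSBoundParameters.ContainsKey('Observed')
    foreach ($c in $NtlmAuditChecks | Where-Object { $_.Roles -contains $Role }) {
        if ($offline) {
            $have = $Observed[$c.Name]
        } else {
            # A missing key or value yields $null instead of an error.
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            $have = $item.($c.Name)
        }
        [pscustomobject]@{
            Policy    = $c.Policy
            ValueName = $c.Name
            Expected  = $c.Want
            Actual    = if ($null -eq $have) { 'not set' } else { $have }
            Compliant = ($have -eq $c.Want)   # an unset value is reported as non-compliant
        }
    }
}

# Constructed sample: a DC that audits incoming NTLM for domain accounts only (1)
# and has no outgoing-traffic setting configured.
$sample = @{ AuditReceivingNTLMTraffic = 1; AuditNTLMInDomain = 7 }
Test-NtlmAuditBaseline -Role DC -Observed $sample | Format-Table -AutoSize

# On a live server, omit -Observed to read the registry directly:
# Test-NtlmAuditBaseline -Role MS
```

With the constructed sample, only the domain-wide audit setting is reported as compliant; the incoming setting is too narrow and the outgoing setting is missing.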

Remote Procedure Call (RPC) settings have also been tightened. Connections are enforced over RPC over TCP with authentication enabled, while RPC listeners on Member Servers use Kerberos over TCP.

Print Spooler and policy adjustments

The Print Spooler policy now allows secure client impersonation using RESTRICTED SERVICES\PrintSpoolerService, addressing security concerns without disabling essential printing services.

Microsoft also removed a policy preventing the downloading of enclosures, noting it does not apply to Windows Server 2025.

In addition, the company shared guidance on Secure Boot certificate expiration and SMB Server hardening, reinforcing its broader platform security strategy.

These changes follow Microsoft’s recent enforcement of TLS 1.2 for Azure Blob Storage, part of a wider effort to phase out outdated encryption standards.

Separately, Microsoft has expanded the Windows 10 Extended Security Updates program to include LTSB and certain Server editions. The company also introduced peripheral fingerprint support for Enhanced Windows Hello Sign-In via update KB5077230, further strengthening device-level authentication.

With the updated Windows Server 2025 baseline, Microsoft continues tightening enterprise security defaults as organizations prepare for increasingly complex threat landscapes.
