Microsoft has released the latest security baseline for Windows Server 2025, version 2506, on June 25, 2025. This update introduces several key changes aimed at enhancing security and operational flexibility for enterprise environments.
Source: BornCity Security Baseline for Windows Server 2025, version 2506 | Born's Tech and Windows World
Key Changes in Version 2506
Deny Logon Through Remote Desktop Services
The policy "Deny log on through Remote Desktop Services" has been updated to allow remote logon for non-administrator local accounts on member servers. Additionally, the "BUILTIN\Guests" group has been added to the deny list on both domain controllers and member servers. This adjustment balances security with operational needs, enabling legitimate remote access scenarios while maintaining restrictions on high-risk accounts. (techcommunity.microsoft.com)
WDigest Authentication Policy Removal
The "WDigest Authentication" policy has been removed from the baseline. Previously enforced to prevent plaintext password storage in memory, this policy is now obsolete due to the deprecation of WDigest in Windows Server 2025. The removal reflects the current default behavior, eliminating the need for explicit enforcement. (techcommunity.microsoft.com)
Windows Ink Workspace Policy Removal
The "Allow Windows Ink Workspace" policy has been removed from the baseline. This policy applies only to Windows client editions and not to Windows Server, making its inclusion unnecessary. Removing it reduces Group Policy Object (GPO) processing time and ensures that all recommended settings are relevant to the server environment. (techcommunity.microsoft.com)
Audit Authorization Policy Change
The "Audit Authorization Policy Change" setting is now configured to log successful events on both domain controllers and member servers. This ensures visibility into changes affecting the system's security posture, such as modifications to user rights and audit policies. Logging these events aids in detecting misconfigurations or unauthorized changes. (techcommunity.microsoft.com)
Include Command Line in Process Creation Events
The setting to "Include command line in process creation events" has been enabled for both domain controllers and member servers. Capturing command-line arguments enhances visibility into process executions, aiding in the detection and investigation of malicious activities that may otherwise appear legitimate. (techcommunity.microsoft.com)
Visibility of Microsoft Defender Antivirus Exclusions
The policy "Control whether exclusions are visible to local users" has been set to "Not Configured." This change acknowledges that the parent policy "Control whether or not exclusions are visible to Local Admins" takes precedence, rendering the child policy redundant. Managing exclusion visibility through the parent policy simplifies configuration and reduces potential confusion. (techcommunity.microsoft.com)
Implementation and Customization
Administrators can download the updated baseline package from the Microsoft Security Compliance Toolkit. It is recommended to test the configurations in a controlled environment before deployment. The baseline serves as a foundation, allowing organizations to customize settings to align with specific operational requirements and risk profiles. (techcommunity.microsoft.com)
Conclusion
The release of the Windows Server 2025 security baseline version 2506 underscores Microsoft's commitment to evolving security practices. By refining policies and removing obsolete settings, this update enhances both security and operational efficiency. Organizations are encouraged to review and implement these changes to maintain a robust security posture.
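As an added example tied to the two auditing changes described above ("Audit Authorization Policy Change" logging successes, and command-line capture in process creation events), and not code from the baseline package or the original post: a PowerShell drift check that reads the policy's registry value, queries auditpol for the effective subcategory setting, and confirms that a recent Security event 4688 actually carries a command line. The registry path, auditpol column names and the 4688 "CommandLine" field are standard Windows locations; the function names are my own.

```powershell
# Added example: verify the two auditing settings that baseline 2506 turns on.
# Assumes an elevated PowerShell session on Windows Server 2025 with
# auditpol.exe available and the Security log readable.

function Test-ProcessCreationCommandLineAudit {
    # "Include command line in process creation events" is stored as a DWORD
    # (1 = enabled) under the Audit policy key.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $prop = Get-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' `
                             -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

function Test-AuthorizationPolicyChangeAudit {
    # auditpol /r returns CSV whose "Inclusion Setting" column reads
    # "Success", "Failure", "Success and Failure" or "No Auditing".
    $csv = & auditpol.exe /get /subcategory:'Authorization Policy Change' /r 2>$null
    if (-not $csv) { return $false }
    $row = $csv | ConvertFrom-Csv |
           Where-Object { $_.Subcategory -eq 'Authorization Policy Change' }
    return ($null -ne $row -and $row.'Inclusion Setting' -match 'Success')
}

function Test-CommandLinePresentInLatest4688 {
    # The policy can be set but not yet in effect; confirm that a recent 4688
    # event really carries a non-empty CommandLine field in its EventData.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) { return $false }
    $data = ([xml]$ev.ToXml()).Event.EventData.Data
    $cmd  = $data | Where-Object { $_.Name -eq 'CommandLine' }
    return ($null -ne $cmd -and -not [string]::IsNullOrWhiteSpace($cmd.'#text'))
}

# Summarise each check as OK (matches baseline 2506) or DRIFT (needs attention).
$results = [ordered]@{
    'Command line in 4688 events (policy)'  = Test-ProcessCreationCommandLineAudit
    'Authorization Policy Change (Success)' = Test-AuthorizationPolicyChangeAudit
    'Latest 4688 contains CommandLine'      = Test-CommandLinePresentInLatest4688
}
$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK' } else { 'DRIFT' }
    '{0,-40} {1}' -f $_.Key, $state
}
```

A DRIFT on the third line while the first reads OK usually means the GPO has not yet refreshed on that host, so run the check again after `gpupdate /force` before treating it as a misconfiguration.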