Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A set of Microsoft-recommended Group Policy settings that harden Windows against attack, shipped in the Security Compliance Toolkit.
Windows Security Baseline Definition: A set of Microsoft-recommended Group Policy settings that harden Windows against attack, shipped in the Security Compliance Toolkit.
A Windows Security Baseline is a Microsoft-recommended group of security configuration settings that harden Windows clients and servers against common attacks. Distributed in the Security Compliance Toolkit, each baseline bundles vetted Group Policy values for account policies, auditing, user rights, and attack surface reduction, balancing protection with functionality.
Baselines are delivered as Group Policy Objects (GPOs), spreadsheets, and the Policy Analyzer and LGPO tools. Administrators import the GPOs into Active Directory or apply them locally, then compare effective settings against the baseline to spot drift. Settings span five domains: account and password policies, security options, user rights assignments, audit policy, and attack surface reduction rules that disable risky features like legacy protocols or untrusted macros.
Without a baseline, Windows ships with backward-compatible defaults that prioritize usability over security, leaving systems exposed to credential theft, lateral movement, and known exploitation techniques. A consistent, tested baseline gives organizations a measurable hardening standard, supports compliance audits against frameworks like CIS or NIST SP 800-53, and makes configuration drift detectable. Applied blindly, however, baselines can break line-of-business apps, so they must be piloted and customized to the environment's risk profile.
For example, an enterprise rolling out Windows 11 might import the official baseline GPO into a test organizational unit, run Policy Analyzer to compare it against current settings, then pilot on IT workstations. After confirming that no critical applications break, they refine exceptions (such as enabling a required legacy service for one department), deploy enterprise-wide, and use continuous monitoring to alert when a setting like SMBv1 is re-enabled or audit logging is disabled by a malicious actor.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →