Microsoft is pleased to announce the final release of security baseline settings for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11. Some of the highlights of the new security baselines (many of which we intend to backport to older versions of Windows and IE) are:
- Use of new and existing settings to help block some Pass the Hash attack vectors;
- Recommendations to control the storage of plaintext-equivalent passphrases;
- Blocking the use of web browsers on domain controllers;
- Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines;
- Removal of the recommendation to enable "FIPS mode" (this is discussed in greater detail in this blog post: Why We’re Not Recommending “FIPS Mode” Anymore);
- Removal of almost all service startup settings, and all server role baselines that contain only service startup settings.
Source: Microsoft Security Guidance