
Group Policy

HotCakeX edited this page Jan 30, 2023 · 21 revisions

Microsoft Security Compliance Toolkit

Official link to download Microsoft Security Compliance Toolkit

Microsoft Security Compliance Toolkit 1.0 - How to use

This set of tools allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations.

The Microsoft Security Compliance Toolkit ships several files and programs; the three components that matter for this script, and that it uses, are:

  1. Microsoft Security Baseline
  2. LGPO
  3. Policy Analyzer

Microsoft Security Baseline

Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft 365 apps for enterprise and Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.

Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. Continue reading on the Microsoft website.

When you unzip the Microsoft Security Baseline file, you will find this folder structure:

  1. Documentation - contains PDF and Excel files describing the differences between the previous baseline release and the settings that were added or changed in this one. It also contains the default .PolicyRules file for the baseline, which is used with the Security Compliance Toolkit and can be opened in Policy Analyzer.
  2. GP Reports - contains HTML reports describing the GPO settings that each baseline GPO applies, one report per category.
  3. GPOs - contains GPO backups for the different scenarios the baseline covers; these are the actual policies that get applied.
  4. Scripts - contains PowerShell scripts for the different scenarios that import the GPO settings into a system. The most important one here is Baseline-LocalInstall.ps1, which applies the baseline to the local machine's Local Group Policy using LGPO.exe.
  5. Templates - contains Group Policy templates (ADMX and ADML files) that do not ship with Windows, such as MSS-legacy.admx. They are copied to C:\Windows\PolicyDefinitions, where the Group Policy editor looks for them, so that the settings in the new baseline GPOs can be displayed and edited. Settings in a registry.pol still apply even when their template is missing; they just show up as "Extra Registry Settings" in reports and cannot be edited in the GUI.


LGPO

Quoting from the PDF file supplied by LGPO:

LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. It can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files and Policy Analyzer “.PolicyRules” XML files. It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. (The syntax for LGPO text files is described later in this document.)

LGPO.exe has four command-line forms: for importing and applying settings to local policy – including to Multiple Local Group Policy Objects (MLGPO); for creating a GPO backup; for parsing a Registry Policy file and outputting “LGPO” text; for producing a Registry Policy file from an LGPO text file.

All output is written to LGPO.exe’s standard output, and all diagnostic and error information is written to its standard error. Both can be redirected to files using standard command shell operations. To support batch file use, LGPO.exe’s exit code is 0 on success and non-zero on any error.


LGPO is the most crucial program for our workflow; it is part of the Security Compliance Toolkit (SCT).


What is the Local Group Policy Object (LGPO) tool?

LGPO.exe - Local Group Policy Object Utility


How to manually back up Group Policy Objects from a system using LGPO.exe

Use this command to back up the currently configured Local Group Policy to drive C. LGPO creates a new folder named with a fresh GUID under the given path, containing a standard GPO backup (DomainSysvol\GPO\Machine and \User):

.\LGPO.exe /b C:

How to import Group Policy Objects from a backup, created using LGPO.exe, into the local system

The /g switch applies everything in the backup: the machine and user registry.pol files, the security template, and the advanced audit policy.

.\LGPO.exe /g 'Path to the backup'

# example:

.\LGPO.exe /g 'C:\{841474E6-33EC-418C-B884-EA0F7C8195DB}'

How to import only the settings from a Registry Policy file into Computer (Machine) Configuration

(This only contains everything in Computer (Machine) Configuration -> Administrative Templates. The same file for User Configuration lives under ...\GPO\User\registry.pol and is imported with /u instead of /m. In the examples below, GPOX stands for the GUID-named backup folder.)

# Example command
.\LGPO.exe /m ".\GPOX\DomainSysvol\GPO\Machine\registry.pol"

How to import only the security template into Computer (Machine) Configuration

(This only contains everything in Computer (Machine) Configuration -> Windows Settings -> Security Settings, i.e. everything in the subfolders except for the Advanced Audit Policy Configuration, which is stored separately in ...\Machine\microsoft\windows nt\Audit\audit.csv and is imported with the /ac switch.)

# Example command
.\LGPO.exe /s ".\GPOX\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"

LGPO.exe exits with 0 on success and non-zero on any error, so always check the exit code when you script it; a partially applied baseline that failed silently is worse than none.
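The following is an added example for this wiki page; it is not part of the Harden-Windows-Security project or of LGPO itself. It shows the two things a practitioner wants around these commands: a way to see exactly which registry values a registry.pol will write before importing it (by parsing the "LGPO text" that LGPO.exe /parse prints), and an import wrapper that keeps LGPO's output and fails on a non-zero exit code. It assumes LGPO.exe is in the current directory, the session is elevated, and the backup folder is one produced by LGPO.exe /b. The function names and the sample entries at the end are made up for illustration.

```powershell
# Added example (not from the wiki or LGPO). Assumes .\LGPO.exe exists, an elevated
# session, and a {GUID} backup folder produced by `LGPO.exe /b`.

# Parse the "LGPO text" format printed by `LGPO.exe /parse /m|/u <registry.pol>`.
# Lines starting with ';' are comments; each entry is four lines (scope, key,
# value name, ACTION[:data]) separated by a blank line.
function ConvertFrom-LgpoText {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][AllowEmptyString()][string]$Line)
    begin { $fields = [System.Collections.Generic.List[string]]::new() }
    process {
        $text = $Line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { return }
        $fields.Add($text)
        if ($fields.Count -lt 4) { return }
        $action, $data = $fields[3] -split ':', 2   # DELETE / CREATEKEY carry no data
        [pscustomobject]@{
            Scope     = $fields[0]   # Computer or User
            Key       = $fields[1]   # path under HKLM\ or HKCU\
            ValueName = $fields[2]
            Action    = $action      # DWORD, SZ, EXSZ, MULTISZ, QWORD, BINARY, DELETE, ...
            Data      = $data
        }
        $fields.Clear()
    }
    end {
        if ($fields.Count -gt 0) { Write-Warning "Ignored incomplete trailing entry ($($fields.Count) lines)" }
    }
}

# Review step: list what a registry.pol will change, without applying anything.
function Get-RegistryPolEntry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Machine', 'User')][string]$Scope = 'Machine'
    )
    $scopeSwitch = if ($Scope -eq 'Machine') { '/m' } else { '/u' }
    $out = & .\LGPO.exe /parse $scopeSwitch $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /parse failed with exit code $LASTEXITCODE" }
    $out | ForEach-Object { [string]$_ } | ConvertFrom-LgpoText
}

# Apply a whole GPO backup, keep stdout/stderr on disk, and fail on any error
# (LGPO returns 0 only on success).
function Invoke-LgpoImport {
    param(
        [Parameter(Mandatory)][string]$BackupPath,             # the {GUID} folder from LGPO.exe /b
        [string]$LogDir = (Join-Path $env:TEMP 'lgpo-logs')
    )
    if (-not (Test-Path (Join-Path $BackupPath 'DomainSysvol\GPO'))) {
        throw "$BackupPath does not look like an LGPO backup (no DomainSysvol\GPO folder)"
    }
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outLog = Join-Path $LogDir "lgpo-$stamp.out.log"
    $errLog = Join-Path $LogDir "lgpo-$stamp.err.log"
    & .\LGPO.exe /v /g $BackupPath 1> $outLog 2> $errLog
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /g returned $LASTEXITCODE; see $errLog" }
    gpupdate /force | Out-Null   # added step: process the imported local policy right away
    Write-Host "Imported $BackupPath; LGPO output in $outLog"
}

# Constructed sample in LGPO text format (not taken from any Microsoft baseline),
# so the parser can be exercised without LGPO.exe present:
$sample = @'
; constructed sample
Computer
Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD:1

User
Software\Policies\Microsoft\Windows\Control Panel\Desktop
ScreenSaveActive
DELETE
'@ -split "`r?`n"
$sample | ConvertFrom-LgpoText | Format-Table Scope, Key, ValueName, Action, Data
```

Typical use is Get-RegistryPolEntry -Path '.\GPOX\DomainSysvol\GPO\Machine\registry.pol' | Out-GridView to eyeball a baseline, then Invoke-LgpoImport -BackupPath 'C:\{GUID}' once it looks right. Parsing the file rather than trusting the folder name is the point: registry.pol is a binary file, and the review has to happen on its decoded contents.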


Policy Analyzer

Quoting from the PDF file supplied by Policy Analyzer:

Policy Analyzer is a lightweight utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies and can highlight the differences between versions or sets of Group Policies. It can also compare one or more GPOs against local effective state. You can export all its findings to a Microsoft Excel spreadsheet. Policy Analyzer lets you treat a set of GPOs as a single unit, and represents all settings in one or more GPOs in a single “.PolicyRules” XML file. You can also use .PolicyRules files with LGPO.exe v3.0 to apply those GPOs to a computer’s local policy, instead of having to copy GPO backups around.


What is the Policy Analyzer tool?

Policy Analyzer Tool

About Compare to Effective State

In Policy Analyzer, there is an option called Compare to Effective State. Quoting from the PDF file that ships with Policy Analyzer program regarding that option:

Enable one or more of the Policy Rule sets’ checkboxes and click “Compare to Effective State” to compare the selected baselines against the local computer’s current configured state. The operation will require UAC elevation if any of the selected baselines include security template or advanced auditing settings that require elevation to retrieve.

The Policy Viewer will show the combined settings from all the selected Policy Rule sets in one column under the heading “Baseline(s),” and the corresponding current settings on the local computer and the logged-on user in a separate column under the heading “Effective state.”

The effective state settings are also saved to a new .PolicyRules file with a name combining “EffectiveState_,” the current computer name, and the current date and time in the format “yyyyMMdd-HHmmss.” For example, “EffectiveState_WKS51279_20200210-183947.PolicyRules.”


How is Group Policy used in this PowerShell script?

  1. The PowerShell script downloads the official Microsoft Security Baselines from Microsoft's servers and applies them to the system.
  2. It then downloads the Group Policies from this GitHub repository (Security-Baselines-X), which implement the configurations explained in the main Readme page, and applies them on top of the Microsoft Security Baselines. Where the two conflict, the later import wins, so the hardening script's settings replace the ones set by the Microsoft Security Baselines.
  3. The script then applies the remaining configurations (as explained in the main Readme page), which are either not available in Group Policy or can only be applied using PowerShell.

How is Security Baseline X created and maintained?

How I created it for the first time

  1. Installed the newest available Windows build on a fresh Hyper-V VM.
  2. After installation was done and I logged into Windows, I created a standard checkpoint of that state of the VM.
  3. Opened the Group Policy editor and started applying the security measures described in the Readme page.
  4. Once I was done, I used LGPO.exe /b C: to back up the Group Policies of the system by creating a full GPO backup.

How I maintain it

  1. As long as the VM is still using the latest available build of Windows, I use the standard checkpoint I had created to revert the VM back to that clean state. If a newer build of Windows is available, I delete the old VM, download the new Windows ISO file from Microsoft's servers, and create a fresh Hyper-V VM from it.
  2. I copy the GPO backup I had created using the LGPO.exe /b C: command from my host OS to the VM, then I use LGPO.exe /g C: to import all of the policies into the system.
  3. At this point, I can continue working on the Group Policies and change anything that is needed; once I'm done, I create a full backup of the system's Group Policies using the LGPO.exe /b C: command.
  4. Then I copy the backup files back to the host OS, replacing the old backups.
  5. I rename the new backup folder to Security-Baselines-X and create a zip file named Security-Baselines-X.zip. Finally, I upload it to this GitHub repository so that it can be used by the PowerShell script that we run.


We can use Policy Analyzer for verification and comparison.

To verify that the settings have been applied correctly by this script:

  1. Use Folder Options in Control Panel or File Explorer to show hidden files and folders (the GroupPolicy folder below is hidden).

  2. Open Policy Analyzer, navigate to Add -> File -> Add files from GPO(s)..., browse to the folder C:\Windows\System32\GroupPolicy, select it, click Import, and save the Policy Rules file in \Documents\PolicyAnalyzer\.

  3. Back in the main window, use the View/Compare button to view the applied Group Policies. The result is the full set of settings in the Local GPO of your system. Note that only the Local GPO lives in that folder; GPOs delivered from a domain are not captured this way (use gpresult for those).

Another way to verify the applied Group Policies builds on the three steps above. The .PolicyRules file they produce is generated from the Group Policy state after applying the Microsoft Security Baseline, Security-Baselines-X, or both. If you take that file to a different machine with a clean install of Windows and run Policy Analyzer's Compare to Effective State against it, the differences show exactly which settings those Group Policies changed relative to a default installation.


Note: on a clean install of Windows, the Group Policy folder C:\Windows\System32\GroupPolicy is empty. The first time you open the local Group Policy editor it gets populated with empty subfolders and a small gpt.ini file that contains only 1 word, and it only fills with actual policies once you start modifying Group Policy settings.



How to verify what the security-baselines-x.zip file contains before trusting it

  1. Download the security-baselines-x.zip file and extract it.

  2. Open Policy Analyzer, navigate to Add -> File -> Add files from GPO(s)..., browse to the folder extracted from security-baselines-x.zip, select it, click Import, and save the Policy Rules file in \Documents\PolicyAnalyzer\, naming it security-baselines-x or anything you like.

  3. Back in the main window, use View/Compare to list every setting included in security-baselines-x, or Compare to Effective State to see how those settings differ from your machine's current configuration.

  4. Cross-check the listed settings against what the GitHub Readme page explicitly states. Every setting in the backup should correspond to an item documented there; anything that does not is a reason to stop and ask before applying it.




Using CSPs, Configuration service providers and provisioning packages (work in progress)

This command gets the information about all installed provisioning packages on your system.

Get-ProvisioningPackage -AllInstalledPackages

Configuration service providers for IT pros

Settings changed when you uninstall a provisioning package

Why Intune and CSPs are the future of Windows management instead of Group Policy

Link to Microsoft Employee's comment

Download Windows Configuration Designer from Microsoft Store or from Windows ADK or from Windows insiders ADK, to easily create provisioning packages for your device(s)

Run this in an elevated PowerShell to see which Group Policy Objects (local and domain) are applied to the computer and the current user:

gpresult /R

/R shows only the RSoP summary (which GPOs applied, security groups, and so on). To see the individual settings, use gpresult with /H and an output file to generate a full HTML report instead.

We can also manually back up and restore Local Group Policy settings by copying this folder and all of its contents (show hidden items first, since the folder is hidden):

C:\Windows\System32\GroupPolicy

It holds gpt.ini, Machine\registry.pol, User\registry.pol, and the security template and audit policy under Machine\Microsoft\Windows NT. Per-user and per-group Local GPOs (MLGPO), if any were created, live next to it in C:\Windows\System32\GroupPolicyUsers and need to be copied too. After restoring the folder, run gpupdate /force so the restored policy is processed.
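An added example of that folder-copy backup and restore, written for this page rather than taken from the wiki or the project: it snapshots the Local GPO store (and the MLGPO store if present) with robocopy, writes a SHA-256 manifest beside the copy, and refuses to restore a snapshot whose files no longer match the manifest. It assumes an elevated session and the default paths of a stock Windows install; the function names are made up.

```powershell
# Added example (not from the wiki). Assumes an elevated PowerShell session and
# default Windows paths; GroupPolicyUsers only exists once an MLGPO was created.
$script:GpoStores = @(
    "$env:SystemRoot\System32\GroupPolicy",        # the Local GPO (Computer + User)
    "$env:SystemRoot\System32\GroupPolicyUsers"    # per-user / per-group MLGPO layers
)

# Record SHA-256 of every file under $Root so a restore can be checked later.
function Write-GpoManifest {
    param([Parameter(Mandatory)][string]$Root)
    $root = (Resolve-Path $Root).Path
    Get-ChildItem $root -Recurse -File -Force |
        Where-Object Name -ne 'manifest.csv' |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName.Substring($root.Length).TrimStart('\')
                SHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv (Join-Path $root 'manifest.csv') -NoTypeInformation
}

# Throw if any file in the snapshot is missing or has a different hash.
function Test-GpoManifest {
    param([Parameter(Mandatory)][string]$Root)
    $root = (Resolve-Path $Root).Path
    $bad = Import-Csv (Join-Path $root 'manifest.csv') | Where-Object {
        $file = Join-Path $root $_.Path
        -not (Test-Path $file) -or (Get-FileHash $file -Algorithm SHA256).Hash -ne $_.SHA256
    }
    if ($bad) { throw "Manifest mismatch: $($bad.Path -join ', ')" }
}

function Backup-LocalGpoStore {
    param([Parameter(Mandatory)][string]$Destination)
    New-Item -ItemType Directory -Force -Path $Destination | Out-Null
    foreach ($src in $script:GpoStores) {
        if (-not (Test-Path $src)) { continue }
        $dst = Join-Path $Destination (Split-Path $src -Leaf)
        # /E copies empty subfolders too; robocopy exit codes below 8 mean success
        robocopy $src $dst /E /COPY:DAT /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE) copying $src" }
    }
    Write-GpoManifest -Root $Destination
}

function Restore-LocalGpoStore {
    param([Parameter(Mandatory)][string]$Source)
    Test-GpoManifest -Root $Source     # refuse a tampered or partial snapshot
    foreach ($dir in Get-ChildItem $Source -Directory -Force) {
        $dst = Join-Path "$env:SystemRoot\System32" $dir.Name
        # /MIR makes the live store identical to the snapshot (extra files are removed)
        robocopy $dir.FullName $dst /MIR /COPY:DAT /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE) restoring $dst" }
    }
    gpupdate /force | Out-Null         # re-process registry.pol, GptTmpl.inf and audit.csv
}

# Usage:
#   Backup-LocalGpoStore  -Destination 'C:\GpoSnapshots\before-hardening'
#   Restore-LocalGpoStore -Source      'C:\GpoSnapshots\before-hardening'
```

Keep the manifest somewhere the restore target cannot overwrite (or sign it) if the snapshot is meant to be evidence rather than just a rollback point; as written it only catches accidental corruption or a half-copied folder, not an attacker who can edit both the files and manifest.csv.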
