Hardening Active Directory - GPO MSCT 1.0 CIS Benchmark - Policy Analyzer



Hello everyone,
I wanted to share with you how to secure Active Directory from a Group Policy Object (GPO) point of view.

===========================================================

As an overview I recommend this document, which discusses Windows and AD security in general:

"Hardening MS Windows for NIST SP 800-171 Compliance" by the California NIST Manufacturing Extension Partnership (MEP)

Version of 28 Sep 2021, #13 in the Blue Cyber Education Series

==========================================================

We will now analyse and implement hardening best practices for an Active Directory environment using the "Microsoft Security Compliance Toolkit 1.0" (MSCT).

ATTENTION: before implementing the following security GPOs, build a lab that mirrors your production domain.
Many of the baseline settings can break functionality for domain users, computers and applications (legacy authentication, SMB1, NTLM, remote administration and so on).
It is strongly recommended to analyse and test each GPO carefully, setting by setting, before bringing it into production.

Link to the documentation & Download:
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10

https://www.microsoft.com/en-us/download/details.aspx?id=55319

Download the package and unpack it.

  • With Policy Analyzer you can compare the SCT baseline GPOs with the GPOs you have already implemented.
  • Extract PolicyAnalyzer.zip
  • As an example, extract Windows Server 2012 R2 Security Baseline.zip
  • Run PolicyAnalyzer.exe
  • Click Add, browse to the folder where you extracted the Windows Server 2012 R2 security baseline (the GPOs folder of the backup) and import it as a Policy Rule set.

 

  • Set the paths (Policy Rule sets folder and Policy Definitions folder) in the Options
  • Tick the imported baseline and click View/Compare to display it.
  • To compare it with the configuration of your Domain Controller, run Policy Analyzer on that DC and click the Compare to Effective State button: it compares the selected baseline with the current effective state of the local system (local security policy, registry-based policy and audit settings, including whatever domain GPOs have already been applied). In the Policy Viewer you can then compare the two columns, the settings currently in force on the machine and the settings suggested by Microsoft (the baseline you imported).

 

  • Identical values are displayed in white, conflicting settings are highlighted in yellow and settings absent from one side in grey. The pane below shows the policy setting, its location and other information associated with the selected row.
  • The comparison table can be exported to Excel (Excel has to be installed on the machine running Policy Analyzer).

How to import the MSCT hardening GPOs

  • After reviewing the comparison, you can deploy the baselines proposed by Microsoft. Extract the baseline version that matches your operating system and copy the administrative templates (.admx and the language .adml files) from its Templates folder into the Central Store (the PolicyDefinitions folder under SYSVOL\<domain>\Policies). The Central Store is required so that the GPMC can display the baseline's Administrative Templates settings.
  • Create an empty GPO and import the settings from the matching MSCT GPO backup (GPMC: right-click the GPO > Import Settings, pointing the wizard at the baseline's GPOs folder). Recent baselines also ship a Baseline-ADImport.ps1 script in their Scripts folder that imports the whole set.
  • Example policy names:
    • Hardening Member Server Windows Server 2012, 2019, 2022
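The comparison the Policy Analyzer button performs can also be scripted for the security-template part of a baseline (account policy, user rights and security options). The following is an added example, not code from the original post or from the Microsoft toolkit: it reads the GptTmpl.inf that ships inside each GPO backup of the extracted baseline and compares it with the effective local security policy exported by secedit.exe. The baseline folder is an assumption; run it in an elevated PowerShell on the machine you want to check.

```powershell
# Added example (not part of the original post or of the MSCT): a scripted
# "Compare to Effective State" for the secedit portion of a baseline.
# Assumption: the 2012 R2 baseline was extracted to the folder in $baselineRoot.

function Read-SecurityInf {
    # Parse a secedit-format .inf into a "Section/Name" -> Value hashtable.
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}
    $section  = ''
    # GptTmpl.inf in the GPO backup and secedit exports are both UTF-16LE.
    foreach ($raw in Get-Content -Path $Path -Encoding Unicode) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -notin 'System Access', 'Privilege Rights', 'Registry Values') { continue }
        if ($line -notmatch '=') { continue }
        $name, $value = $line -split '=', 2
        $settings["$section/$($name.Trim())"] = $value.Trim()
    }
    return $settings
}

function Compare-SecurityTemplate {
    # One row per baseline setting with State = Match / Conflict / Absent,
    # the same three categories Policy Analyzer shows as white / yellow / grey.
    param([Parameter(Mandatory)][string]$BaselineInf)
    $export = Join-Path $env:TEMP 'effective-secpol.inf'
    & secedit.exe /export /cfg $export /quiet | Out-Null
    if (-not (Test-Path $export)) { throw 'secedit export failed; run this elevated' }
    try {
        $baseline  = Read-SecurityInf -Path $BaselineInf
        $effective = Read-SecurityInf -Path $export
        foreach ($key in ($baseline.Keys | Sort-Object)) {
            $state = if (-not $effective.ContainsKey($key)) { 'Absent' }
                     elseif ($effective[$key] -ne $baseline[$key]) { 'Conflict' }
                     else { 'Match' }
            [pscustomobject]@{
                Setting   = $key
                Baseline  = $baseline[$key]
                Effective = $effective[$key]
                State     = $state
            }
        }
    }
    finally { Remove-Item $export -Force -ErrorAction SilentlyContinue }
}

# Each GPO backup in the baseline carries its own GptTmpl.inf; list them first.
$baselineRoot = 'C:\SCT\Windows Server 2012 R2 Security Baseline\GPOs'   # assumed path
Get-ChildItem -Path $baselineRoot -Recurse -Filter 'GptTmpl.inf' |
    Select-Object -ExpandProperty FullName

# Compare against one of them and show only the differences.
$inf = Get-ChildItem -Path $baselineRoot -Recurse -Filter 'GptTmpl.inf' | Select-Object -First 1
Compare-SecurityTemplate -BaselineInf $inf.FullName |
    Where-Object State -ne 'Match' |
    Format-Table -AutoSize
```

Two caveats: the "Privilege Rights" values are lists of SIDs, so a different ordering on the two sides shows up as a Conflict that you should read as a Match; and this covers only the security template, not the registry.pol (Administrative Templates) or advanced audit settings, which Policy Analyzer also compares.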

    • Hardening Domain Controller Windows Server 2012 , 2019 ,2022

       

  • Import every GPO of the baseline that applies to your O.S. version and object type:

         Domain Controllers

         Member Servers

         Users

         Computers

  • Adjust the Windows Firewall settings of the member-server GPO so that the Domain Controllers (and your management hosts) can still administer member servers remotely:
    • Enable "Windows Defender Firewall: Allow inbound remote administration exception" (Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile) and restrict the allowed addresses to your DC/management subnets instead of "*".
  • Scope each GPO to the right operating system with a WMI filter (Win32_OperatingSystem Version and ProductType), or link it to a dedicated OU per O.S.
  • Test the WMI filter carefully (gpresult /r on a target shows whether the filter matched) to avoid applying a baseline to the wrong systems.
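The import, firewall exception and WMI filter steps above, as one scripted procedure. This is an added example and not code from the original post or from the toolkit; the extracted baseline path, the backup GPO display name (read the real one from the GP Reports folder or the backup's bkupInfo.xml), the target OU and the DC subnet are assumptions to adapt. The Domain Controller baseline does not need a WMI filter because it is linked to the Domain Controllers OU; the example scopes the member-server GPO.

```powershell
# Added example (not part of the original post or of the MSCT).
# Run as a Domain Admin with the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BackupPath    = 'C:\SCT\Windows Server 2022 Security Baseline\GPOs'  # assumed
$BackupGpoName = 'MSFT Windows Server 2022 - Member Server'            # assumed
$TargetGpoName = 'Hardening Member Server Windows Server 2022'
$TargetOU      = 'OU=Member Servers,DC=corp,DC=example'                # assumed
$DcSubnet      = '10.10.0.0/24'                                        # assumed

# WQL the GP client evaluates in root\CIMv2. ProductType 3 = member server,
# 2 = domain controller, 1 = workstation; 10.0.20348 is the Server 2022 build.
$WqlQuery = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '10.0.20348%' AND ProductType = 3"

function Test-WmiFilterQuery {
    # $true when the machine this runs on would be in scope of the filter.
    param([Parameter(Mandatory)][string]$Query)
    $hits = Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop
    return ($null -ne $hits)
}

# 1. Create the GPO from the baseline backup.
$gpo = Import-GPO -BackupGpoName $BackupGpoName -Path $BackupPath `
                  -TargetName $TargetGpoName -CreateIfNeeded

# 2. Allow inbound remote administration (RPC/DCOM, WMI) from the DC subnet only,
#    not from "*": this is the registry-backed form of the policy named in the post.
$fwKey = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'
Set-GPRegistryValue -Name $TargetGpoName -Key $fwKey -ValueName 'Enabled' `
                    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $TargetGpoName -Key $fwKey -ValueName 'RemoteAddresses' `
                    -Type String -Value $DcSubnet | Out-Null

# 3. Create the WMI filter (an msWMI-Som object) and attach it to the GPO.
$domain   = Get-ADDomain
$filterId = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
$stamp    = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff-000')
New-ADObject -Name $filterId -Type 'msWMI-Som' `
    -Path "CN=SOM,CN=WMIPolicy,CN=System,$($domain.DistinguishedName)" `
    -OtherAttributes @{
        'msWMI-Name'         = 'Windows Server 2022 member servers'
        'msWMI-Parm1'        = 'Scopes the Server 2022 member-server baseline'
        'msWMI-Parm2'        = "1;3;10;$($WqlQuery.Length);WQL;root\CIMv2;$WqlQuery;"
        'msWMI-ID'           = $filterId
        'msWMI-Author'       = "$($env:USERNAME)@$($domain.DNSRoot)"
        'msWMI-CreationDate' = $stamp
        'msWMI-ChangeDate'   = $stamp
    }
Set-ADObject -Identity $gpo.Path -Replace @{ 'gPCWQLFilter' = "[$($domain.DNSRoot);$filterId;0]" }

# 4. Link it disabled, so the lab review happens before anything is enforced.
New-GPLink -Name $TargetGpoName -Target $TargetOU -LinkEnabled No | Out-Null

# 5. Check the filter on a candidate server before enabling the link.
"Local host matches filter: $(Test-WmiFilterQuery -Query $WqlQuery)"
```

Run step 5 on a server of each O.S. you have (a 2019 host must return False for the 2022 query) before you enable the link with Set-GPLink -LinkEnabled Yes; a filter with a typo in the build number silently puts every machine out of scope, which looks like "the GPO does nothing" rather than like an error.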

You are now ready to run your preliminary tests in the lab (gpupdate /force on the targets, then gpresult /h to confirm which GPOs and WMI filters applied).

 

  • The package contains several useful utilities (LGPO.exe, the Scripts folder of each baseline) to help automate the import and merging of your GPOs

 

  • All the settings of each baseline GPO can be reviewed in the HTML reports under the 'GP Reports' folder of each O.S. baseline

Thank you for your attention; feel free to add information.


5 comments


This is outstanding, thank you for sharing!


Really great share and article.


Thanks for this article, very interesting.

I wanted to know if someone knows how to easily check the hardening conformity of a Workgroup Server?


These are very good instructions, thank you @Link State for sharing.


> Thanks for this article, very interesting.
>
> I wanted to know if someone knows how to easily check the hardening conformity of a Workgroup Server?

@Stabz ,
You can check this website CIS Microsoft Windows Server Benchmarks (cisecurity.org) for the Stand-alone Windows Edition.

Hope this helps.
