Forum Discussion
Applying the SCT to standalone hardened systems?
OK, more updates.
Upon additional review, all of the GPOs that I'd selected were actually already included in the Member_Server_Install.cmd script.
The reason why I'd gone down this weird path was that when I tried to apply the "Member_Server_Install.cmd" script, some of the security settings that I'd expected to be modified were not being modified. Things like the Audit Policy settings or the System Access settings - the script would run, wouldn't generate any errors but the settings would remain unmodified from their original default values.
The two main GPO subfolders that didn't seem to be triggering were:
GPO subfolder: {088E04EC-440C-48CB-A8D7-A89D0162FBFB}
Security Topic: Win2016 - Member Baseline
GPO subfolder: {9C87270F-7704-41D9-A76D-C8B9ADB1794A}
Security Topic: Win2016 - Member Server Baseline
I'd extracted the baseline zip file to c:\Users\Administrator\Downloads, which meant that the total filepath just to get to the baseline content (GPOs, Local_Script, etc.) was:
C:\Users\Administrator\Downloads\Windows 10 Version 1607 and Windows Server 2016 Security Baseline\Windows-10-RS1-and-Server-2016-Security-Baseline
On a lark, I shifted the "Windows-10-RS1-and-Server-2016-Security-Baseline" folder to the root of c:\ and re-ran. All of the expected script processing ran fine - including the Audit Policy and System Access settings. I'm guessing now that the path size was somehow violating the max size limits and was mucking with the script run.
I feel kinda sheepish at this point - but I guess it was a good troubleshooting exercise 🙂
Tariq
Mughal1 -
The Windows baseline zip file downloads each include a "Documentation" folder with a big spreadsheet listing all the available GPO settings, and columns showing the baseline settings for Win10, Windows Server Member Server, and Domain Controller. In addition, the DC column includes conditional formatting that puts a blue background in the cells that differ from the corresponding Member Server setting.
I also recommend having a look at the scripts that come with the newest Windows baselines. At some point (I don't remember which was the first baseline we did it in), we made a single script that handled all Windows versions, and also included options to adjust settings for non-joined systems by removing some of the restrictions on local accounts.
Also have a look at the MapGuidsToGpoNames.ps1 script in the Scripts\Tools folder -- given a directory containing a bunch of GUID-named GPO backups, MapGuidsToGpoNames.ps1 will tell you the names of the GPOs in each. Have a look in the Baseline-ADImport and Baseline-LocalInstall scripts in the newer download packages for examples of how it can be used.
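As an added example (not code from either post or from the SCT's own scripts), a PowerShell pre-flight check that covers the two points raised in this thread: it measures the longest path under an extracted baseline folder against the 260-character Win32 MAX_PATH limit, and it maps GUID-named GPO backup folders to their display names by reading each folder's backup.xml. It assumes the standard GPO backup layout (a GroupPolicyCoreSettings/DisplayName element in backup.xml) and a GPOs subfolder under the baseline root; the root path is whatever you extracted to.

```powershell
# Added example: pre-flight check for an extracted Windows security baseline folder.
# Not part of the Security Compliance Toolkit; the GPOs subfolder and backup.xml layout
# are assumptions based on the standard GPO backup format.
param(
    [Parameter(Mandatory)]
    [string]$BaselineRoot   # e.g. C:\Windows-10-RS1-and-Server-2016-Security-Baseline
)

$MaxPath = 260   # classic Win32 MAX_PATH, counted including the terminating NUL

# 1. Find the longest file path under the baseline. Extracting under a deep profile
#    path (Downloads\<long zip name>\...) pushes paths toward this limit.
$longest = Get-ChildItem -LiteralPath $BaselineRoot -Recurse -File -ErrorAction SilentlyContinue |
    Sort-Object { $_.FullName.Length } -Descending |
    Select-Object -First 1
if ($longest) {
    $len = $longest.FullName.Length
    Write-Host ("Longest path under baseline: {0} chars" -f $len)
    Write-Host ("  {0}" -f $longest.FullName)
    if ($len -ge ($MaxPath - 1)) {
        Write-Warning "Path length is at or above MAX_PATH; move the baseline folder nearer the drive root (e.g. C:\) before running the install script."
    }
}

# 2. Map GUID-named GPO backup folders to display names. Each backup folder holds a
#    backup.xml; the GPO name lives in GroupPolicyCoreSettings/DisplayName (as CDATA).
#    local-name() in the XPath sidesteps the file's default XML namespace.
$gpoRoot = Join-Path $BaselineRoot 'GPOs'
Get-ChildItem -LiteralPath $gpoRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $backupXml = Join-Path $_.FullName 'backup.xml'
        if (Test-Path -LiteralPath $backupXml) {
            $xml  = [xml](Get-Content -LiteralPath $backupXml -Raw)
            $node = $xml.SelectSingleNode("//*[local-name()='GroupPolicyCoreSettings']/*[local-name()='DisplayName']")
            [pscustomobject]@{
                Guid    = $_.Name
                GpoName = if ($node) { $node.InnerText } else { '<no DisplayName found>' }
            }
        }
    } | Format-Table -AutoSize
```

Run it once against the extracted folder before invoking the install script; if the warning fires, relocate the folder as the first post describes and re-run.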