Forum Discussion
Beginner Question - Why is there a baseline for every version and type?
Hi everyone,
I am currently double-checking my settings against the baseline (2012R2 DC) and I am just curious why there is not one "DC baseline".
There may be new features incoming with each new server OS. But if I configure it on a Win2kR2 DC, it will just ignore it, as there is no program that will read this reg key.
Same with Win10: if there is the newest security setting out but it only affects 1909+, the older OS will ignore it.
So, bottom line, I do not understand why it is separated by OS instead of just by the roles (member server, DC, client, ...).
I would assign the newest baseline for the domain controller to the OU "Domain Controllers" without the WMI filter. In my understanding that cannot break anything because of the older OS in this OU?
Best regards
Stephan
12 Replies
- Rick_Munck
Microsoft
StephanGee, in theory that would seem the easiest. However, there have been various settings over the course of releases that do indeed change the behavior between OS versions, and in those cases it would have caused everything from a crash to a less secure configuration. We explored this in the past, and the safest way to avoid conflicts is to keep them separate.
- StephanGee
Iron Contributor
Thanks for your answer. Do you have any hints how to do a perfect rollout?
Do it all at once because some settings rely on each other? I do not have a 100 percent dev/test/prod lab to test all settings for a week or two, so I need clearance that even if it breaks something, after I disable the GPO and perform a gpupdate /force and a restart, it is back to "normal" (the way it was before).
Best regards
Stephan
- Rick_Munck
Microsoft
StephanGee, in many cases you can roll back, but there are certain 'tattoo' settings that do not automatically roll back. Also, the security template settings do not roll back; they tattoo as well. Within GPMC you will see the icon is different for those settings that tattoo in GP (not security template). Take a look at the settings in the Security Compliance Toolkit area of the GPO and you should see them.
Every deployment is different, so it's hard to give blanket advice. We are working on an attempt at an article that describes many different options, but due to several factors I don't see it being completed till after the first of the year.
I will offer this: for client machines, I wouldn't expect you to have much of an issue, but I would be careful applying the server config to an up-and-running server, especially if it already has various roles on it, as you might run into an issue there where the security template will adjust user rights.
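Because the security-template settings (user rights assignments and Security Options) tattoo and will not revert when the GPO is unlinked, a before/after snapshot tells you exactly what would have to be restored by hand. The following PowerShell is an added example, not code from this thread or from the Security Compliance Toolkit; it assumes it runs elevated on the target machine right after the baseline GPO has been linked, and the snapshot directory path is a placeholder.

```powershell
# Added example: snapshot the effective security template before and after a
# baseline refresh so tattooed changes can be identified and reverted by hand.
# Assumes: run elevated, baseline GPO already linked, directory path is a placeholder.
$SnapshotDir = 'C:\BaselineSnapshots'
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

function Export-SecurityPolicy {
    param([Parameter(Mandatory)][string]$Label)
    $Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $Path  = Join-Path $SnapshotDir ("secpol-{0}-{1}.inf" -f $Label, $Stamp)
    # secedit /export writes the security template currently in effect.
    # /mergedpolicy merges domain and local settings; SECURITYPOLICY covers the
    # Security Options and USER_RIGHTS the user rights assignments that tattoo.
    & secedit.exe /export /mergedpolicy /cfg $Path /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    return $Path
}

function Compare-SecurityPolicy {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    # secedit writes UTF-16 INF files; keep only key=value lines so section
    # headers and the export timestamp do not show up as differences.
    $Read = { param($File) Get-Content -Path $File -Encoding Unicode | Where-Object { $_ -match '=' } }
    $Old = & $Read $Before
    $New = & $Read $After
    Compare-Object -ReferenceObject $Old -DifferenceObject $New | ForEach-Object {
        # '=>' means the line only exists after the refresh, '<=' only before it.
        $State = if ($_.SideIndicator -eq '=>') { 'AFTER ' } else { 'BEFORE' }
        '{0}  {1}' -f $State, $_.InputObject
    }
}

# 1. Snapshot the state the server is in right now (the "normal" to return to).
$Before = Export-SecurityPolicy -Label 'before'

# 2. Pull the newly linked baseline and snapshot again.
& gpupdate.exe /force | Out-Null
$After = Export-SecurityPolicy -Label 'after'

# 3. Every line printed here is a setting the template changed on this host.
Compare-SecurityPolicy -Before $Before -After $After
```

Running the same comparison a second time, after unlinking the GPO and refreshing, shows which of those lines did not return to the 'before' values and therefore tattooed.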