Forum Discussion
Beginner Question - Why is there a baseline for every version and type?
StephanGee, in theory that would seem the easiest. However, there have been various settings over the course of releases that do indeed change the behavior between OS versions, and in those cases it would have caused everything from a crash to a less secure configuration. We explored this in the past and the safest way to avoid conflicts is to keep them separate.
Thanks for your answer. Do you have any hints on how to do a perfect rollout?
Do it all at once because some settings rely on each other?
I do not have a 100 percent dev/test/prod lab to test all settings for a week or two, so I need clearance that even if it breaks something, after I have disabled the GPO and performed a Gpupdate /force and a restart, it is back to "normal" (the way it was before).
best regards
Stephan
- Rick_Munck (Microsoft), Nov 24, 2020
StephanGee, in many cases you can roll back, but there are certain 'tattoo' settings that do not automatically roll back. Also, the security template settings do not roll back; they tattoo as well. Within GPMC you will see the icon is different for those settings that tattoo in GP (not security template). Take a look at the settings in the Security Compliance Toolkit area of the GPO and you should see them.
Every deployment is different so it's hard to give blanket advice. We are working on an attempt at an article that describes many different options, but due to several factors I don't see it being completed till after the first of the year.
I will offer this: for client machines, I wouldn't expect you to have much of an issue, but I would be careful applying the server config to an up and running server, especially if it already has various roles on it, as you might run into an issue there where the security template will adjust user rights.
- StephanGee (Iron Contributor), Nov 30, 2020
My biggest concern is that I should apply them all at once (?) so that one setting does not collide with another.
E.g. the SMB signing is forced on the one side but "disabled" on the other.
- Rick_Munck (Microsoft), Dec 01, 2020
StephanGee, testing is really however your organization feels comfortable. If you have an existing baseline your company uses, then I would start with Policy Analyzer. This will help you identify where the different settings are. From there you need to make a risk-based determination on how you roll it out. I always recommend starting small and ensuring you don't break anything along the way.
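
Added example, not part of the thread and not Microsoft's tooling: because security template settings tattoo, one way to keep a rollback record is to diff a pre-rollout `secedit /export` snapshot against the baseline template and save the old values of everything that would change, user rights and SMB signing included. The function names and every value in the two sample templates are constructed for illustration.

```python
def parse_inf(text):
    """Parse security-template INF text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def normalize(section, value):
    # User rights are unordered SID lists, so compare them as sets.
    if section == "Privilege Rights":
        return frozenset(s.strip().lower() for s in value.split(",") if s.strip())
    return value.replace(" ", "").lower()

def planned_changes(snapshot, baseline,
                    watched=("Privilege Rights", "Registry Values", "System Access")):
    """List (section, key, old, new); old is None if the snapshot lacks the key."""
    changes = []
    for section in watched:
        # Setting names and registry paths are case-insensitive on Windows.
        before = {k.lower(): v for k, v in snapshot.get(section, {}).items()}
        for key, new in baseline.get(section, {}).items():
            old = before.get(key.lower())
            if old is None or normalize(section, old) != normalize(section, new):
                changes.append((section, key, old, new))
    return changes

# Constructed samples. Real snapshot: `secedit /export /cfg before.inf`
# (secedit typically writes UTF-16, so open it with encoding="utf-16").
SNAPSHOT = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544"""
BASELINE = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature=4,1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDenyNetworkLogonRight = *S-1-5-32-546"""
CHANGES = planned_changes(parse_inf(SNAPSHOT), parse_inf(BASELINE))

if __name__ == "__main__":
    for section, key, old, new in CHANGES:
        print(f"[{section}] {key}: {old!r} -> {new!r}")
```

Keep the printed old values with the change record; they are what you would need to restore by hand if a tattooed setting has to be reverted.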