Forum Discussion
Microsoft Security Compliance Toolkit 1.0 - Script File for 2012 R2
Xuefeng_LMicrosoft
Hi Aaron, the customer said that their target server is a stand-alone server. Not a domain controller nor joined to domain.
I recognized that the following policy should be applied based on the above assumption, is this correct?
GPOs\{AB1A03CA-A251-4FDC-9C95-3BFE14EF9A54}
GPOs\{AB1A03CA-A251-4FDC-9C95-3BFE14EF9A54}Xuefeng_L AaronMargosis_Tanium
Dear Aaron, hope you doing well!
CX raised concern that target server is a standalone server, non-domain joined, there is no such baseline for a standalone server neither, the point here is that whether LGPO can functions as a workaround for local script which was missing in the tookit package, and whether baseline listed below can work as a solution? Namely, can baseline for DC or member server functions as a workaround for standalone server? Appreciate your reply.
- Note that Windows Server 2012 R2 goes completely out of support in less than a year from now:
https://learn.microsoft.com/en-us/lifecycle/announcements/sql-server-2012-windows-server-2012-2012-r2-end-of-support- Xuefeng_L
Hi AaronMargosis_Tanium , we would appreciate if you could share your knowledge.
Good points you raise. The scripts that come with the newer baseline packages include switches for non-domain joined. What they do when you select one of them is to import the domain-member GPO(s) but then apply a couple of modifications in the ConfigFiles\DeltaForNonDomainJoined.* files, reverting the logon rights SeDenyNetworkLogonRight and SeDenyRemoteInteractiveLogonRight, and setting LocalAccountTokenFilterPolicy so that administrative local accounts can be used over the network. It should work if you bring those config files over and use LGPO.exe to apply those deltas:
lgpo.exe /v /s ConfigFiles\DeltaForNonDomainJoined.inf /t ConfigFiles\DeltaForNonDomainJoined.txt
Thank you AaronMargosis_Tanium !!
