Forum Discussion
Microsoft Security Compliance Toolkit 1.0 - Script File for 2012 R2
Good points you raise. The scripts that come with the newer baseline packages include switches for non-domain joined. What they do when you select one of them is to import the domain-member GPO(s) but then apply a couple of modifications in the ConfigFiles\DeltaForNonDomainJoined.* files, reverting the logon rights SeDenyNetworkLogonRight and SeDenyRemoteInteractiveLogonRight, and setting LocalAccountTokenFilterPolicy so that administrative local accounts can be used over the network. It should work if you bring those config files over and use LGPO.exe to apply those deltas:
lgpo.exe /v /s ConfigFiles\DeltaForNonDomainJoined.inf /t ConfigFiles\DeltaForNonDomainJoined.txt
Dear AaronMargosis_Tanium thanks for your reply, really appreciate that.
But we still have some questions regarding cx concerns; can you please help clarify the issue? Thank you for your help in advance!
As per our talk earlier, the local script the cx needs is missing and the target server is a non-domain-joined server. According to your recommendation, LGPO.exe should be a choice; we have concerns about whether the GPOs listed for DC or member server can function as a workaround for a standalone server as well.
If possible, can you please confirm the command we use? Do we need to make any modifications for that?
For example, if {AB1A03CA-A251-4FDC-9C95-3BFE14EF9A54} can work for a standalone server in the cx environment, we just need to run the command on the standalone server, right?
Lgpo.exe /g GPOs\{AB1A03CA-A251-4FDC-9C95-3BFE14EF9A54}
In your latest reply, you also mentioned another command related to ConfigFiles; may I know the difference between that and the command I just showed above?
If there is any misunderstanding, I appreciate your kind clarification. Thank you and have a good day!
- Gary_666, Dec 16, 2022, Former Employee
Dear AaronMargosis_Tanium,
thank you so much for your reply, issue resolved now, I appreciate all your time and efforts!
Take care,
- AaronMargosis_Tanium, Dec 15, 2022, Iron Contributor
Without line breaks:
Lgpo.exe /g GPOs\{AB1A03CA-A251-4FDC-9C95-3BFE14EF9A54}
Lgpo.exe /v /s ConfigFiles\DeltaForNonDomainJoined.inf /t ConfigFiles\DeltaForNonDomainJoined.txt
As with any baseline recommendations, you should test this before rolling it out to production. We didn't test the standalone configuration back when we published the 2012R2 baseline, but I anticipate that it SHOULD work.
- AaronMargosis_Tanium, Dec 15, 2022, Iron Contributor
The /g option will apply the member server baseline, but if you don't follow that by also applying the additional ConfigFiles entries, you will only be able to log on to the server at the console. Standalone servers have only local accounts and won't recognize domain accounts. The member server baseline disallows local accounts from being used for remote desktop, and disallows administrative local accounts from authenticating over the network at all. The changes in those extra files remove those restrictions so that you can use local accounts over the network, including remote desktop:
Lgpo.exe /g GPOs\{AB1A03CA-A251-4FDC-9C95-3BFE14EF9A54}
Lgpo.exe /v /s ConfigFiles\DeltaForNonDomainJoined.inf /t ConfigFiles\DeltaForNonDomainJoined.txt
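A post-apply check for the three settings the thread says the DeltaForNonDomainJoined files change, written as an added example (not code from the thread, the toolkit, or LGPO.exe). It assumes an elevated PowerShell session on the standalone server after both commands above have run, and reads the effective policy via secedit.exe and the standard LocalAccountTokenFilterPolicy registry value.

```powershell
# Added verification example, not part of the Security Compliance Toolkit.
# "Local account" (S-1-5-113) and "Local account and member of Administrators group"
# (S-1-5-114) are the well-known SIDs the member-server baseline places in the deny rights.
$localSids = 'S-1-5-113', 'S-1-5-114'

function Get-StandaloneBaselineCheck {
    $results = @()

    # 1. LocalAccountTokenFilterPolicy = 1 lets administrative local accounts keep a full
    #    token over the network; the member-server baseline sets it to 0.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $ltfp = (Get-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy `
                -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $results += [pscustomobject]@{
        Setting = 'LocalAccountTokenFilterPolicy'
        Value   = if ($null -eq $ltfp) { '(not set)' } else { $ltfp }
        Ok      = ($ltfp -eq 1)
    }

    # 2. Export the effective local security policy and inspect the two deny logon rights
    #    that the delta is supposed to revert.
    $cfg = Join-Path $env:TEMP 'standalone-check.inf'
    secedit.exe /export /cfg $cfg | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line  = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $value = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
        # If either local-account SID is still listed, local accounts remain blocked remotely.
        $deniesLocal = $localSids | Where-Object { $value -like "*$_*" }
        $results += [pscustomobject]@{
            Setting = $right
            Value   = if ($value) { $value } else { '(empty)' }
            Ok      = (-not $deniesLocal)
        }
    }
    return $results
}

Get-StandaloneBaselineCheck | Format-Table -AutoSize
```

A row with Ok = False means the corresponding delta did not take effect and remote logon with local accounts will still fail, which is worth confirming before relying on RDP to reach the server.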