Microsoft

It took us a little longer than we wanted, but we are finally ready to announce new versions of LGPO and Policy Analyzer as well as two new tools, GPO2PolicyRules and SetObjectSecurity. These new and updated tools are now available on the Microsoft Download Center.


The goal is to keep this post as short as possible so let’s just jump into the details.

 

LGPO v3.0

Two new options were added to LGPO.exe. The first, /ef, enables the Group Policy extensions referenced in the backup.xml. The second, /p, imports settings directly from a .PolicyRules file, which removes the need to have the actual GPOs on hand. Additionally, LGPO.exe /b and /g now capture locally-configured client-side extensions (CSEs), which was previously broken. Lastly, /b also correctly captures all user rights assignments, overcoming a bug in the underlying “secedit.exe /export” that fails to capture user rights assignments that are granted to no one.


Policy Analyzer v4.0

The “Compare to Effective State” button has replaced the “Compare local registry” and “Local Policy” checkboxes that used to be in the Policy Analyzer main window. Press it to compare the selected baseline(s) to the current system state. If the selected baseline(s) contain any user configuration settings, they are compared against the current user’s settings. “Compare to Effective State” requires administrative rights if the selected baseline(s) include any security template settings or Advanced Auditing settings. The effective state corresponding to the selected baseline(s) settings is saved to a new policy rule set.


Policy Analyzer now captures information about Group Policy Client-Side Extensions (CSEs) when you import GPO backups. From a Policy Viewer window, choose View \ Client Side Extensions (CSEs) to view the Machine and User CSEs for each baseline in the Viewer. (Note that LGPO.exe’s improved support for CSEs includes the ability to apply CSE configurations from Policy Analyzer’s .PolicyRules files.)


Policy Analyzer now maps settings and sub-settings to display names more completely and more accurately, including mapping the GUIDs for Attack Surface Reduction (ASR) rules to their display names, and improved localization.

 

GPO2PolicyRules

You can now automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a new command-line tool that is included with the Policy Analyzer download. It takes two command-line parameters: the root directory of the GPO backup that you want to create a .PolicyRules file from, and the path to the new .PolicyRules file that you want to create. For example:

 

GPO2PolicyRules.exe C:\BaselinePkg\GPOs C:\Users\Analyst\Documents\PolicyAnalyzer\baseline.PolicyRules
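The convert-then-import workflow described here and in the LGPO v3.0 section above (GPO2PolicyRules.exe turning a GPO backup root into a .PolicyRules file, then LGPO.exe /p importing it without the GPO backups on hand), as an added PowerShell example that is not part of the original post. The tool directory, output paths, the elevation check and the pre-import snapshot taken with LGPO.exe /b are assumptions; the switches are the ones described in this post.

```powershell
# Added example (not part of the original post). Converts one GPO backup root to a
# .PolicyRules file with GPO2PolicyRules.exe and, with -Apply, imports it via LGPO.exe /p.
# $ToolDir, $OutDir and $BackupDir are assumed locations, not paths from the toolkit.
[CmdletBinding()]
param(
    [string]$ToolDir   = 'C:\SCT\Tools',              # assumed: LGPO.exe and GPO2PolicyRules.exe live here
    [string]$GpoRoot   = 'C:\BaselinePkg\GPOs',       # root directory of the GPO backup (as in the post)
    [string]$OutDir    = 'C:\SCT\PolicyRules',        # assumed: where the .PolicyRules file is written
    [string]$BackupDir = 'C:\SCT\LocalPolicyBackups', # assumed: where LGPO.exe /b snapshots go
    [switch]$Apply                                    # without -Apply only the conversion runs
)

$ErrorActionPreference = 'Stop'
$lgpo   = Join-Path $ToolDir 'LGPO.exe'
$gpo2pr = Join-Path $ToolDir 'GPO2PolicyRules.exe'
foreach ($exe in @($lgpo, $gpo2pr)) {
    if (-not (Test-Path -LiteralPath $exe)) { throw "Missing tool: $exe" }
}
if (-not (Test-Path -LiteralPath $GpoRoot -PathType Container)) { throw "GPO backup root not found: $GpoRoot" }
New-Item -ItemType Directory -Force -Path $OutDir, $BackupDir | Out-Null

# Step 1: GPO backup root -> .PolicyRules. These are the two positional parameters
# GPO2PolicyRules.exe takes: source directory, then the .PolicyRules file to create.
$rules = Join-Path $OutDir ('{0}.PolicyRules' -f (Split-Path -Path $GpoRoot -Leaf))
& $gpo2pr $GpoRoot $rules
if ($LASTEXITCODE -ne 0) { throw "GPO2PolicyRules.exe failed with exit code $LASTEXITCODE" }
Write-Host "Created $rules"

if (-not $Apply) { return }

# Step 2: importing policy changes the local machine, so refuse to continue unless elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Importing a .PolicyRules file with LGPO.exe requires an elevated session.'
}

# Step 3 (assumed safeguard): snapshot the current local policy with LGPO.exe /b first,
# so the import can be rolled back by re-importing that backup with LGPO.exe /g.
& $lgpo /b $BackupDir
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /b failed with exit code $LASTEXITCODE" }

# Step 4: import settings straight from the .PolicyRules file; no GPO backup is needed on this host.
& $lgpo /p $rules
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /p failed with exit code $LASTEXITCODE" }
Write-Host "Imported $rules (pre-import snapshot saved under $BackupDir)"
```

Run without -Apply on an analyst workstation to produce the .PolicyRules file for review in Policy Analyzer; run with -Apply in an elevated session on the target host.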

 

SetObjectSecurity v1.0

SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation, as a REG_BINARY registry value.


Use cases include:

• Restoring the default security descriptor on the file system root directory (which sometimes gets misconfigured by some system setup tools)
• Restricting access to sensitive event logs that grant access too broadly (examples include AppLocker and PowerShell script block logs that grant read or read-write to NT AUTHORITY\INTERACTIVE)
• Locking down (or opening access to) file shares, directories, registry keys


SetObjectSecurity.exe is a 32-bit standalone executable that needs no installer, has no dependencies on redistributable DLLs, and works on all supported x86 and x64 versions of Windows. (x64 systems must support WOW64.)


Terms of Use

We have now included standard use terms for the tooling that is delivered as part of the Security Compliance Toolkit.

 

We continually try to process all your feedback and make improvements along the way, so please give the new and updated tooling a try and, as always, let us know any feedback in the comments below.

7 Comments
Senior Member

Neat stuff here.  It will be good to have an alternative when icacls.exe or Get-Acl | Set-Acl can't seem to get the job done.

It would be nice to have native 64-bit support for SetObjectSecurity so it will work in 64-bit Windows PE environments that don't have the WOW64 subsystem.


New Contributor

Ooh. I didn't realize that WinPE doesn't have WOW64.

Senior Member

Yes and we use WinPE 64-bit exclusively ever since we moved from BIOS to UEFI for devices.  We don't even maintain a 32-bit WinPE image.  This is a challenge for things which still require 32-bit binaries to run.

Visitor

Does this version support parsing registry actions with "Secure key" or "soft"? It's quite a rare case; I can't find any examples.

Regular Visitor

@haitao2020 - the LGPO.exe parser recognizes those actions in a registry policy (e.g., registry.pol) file, but does not otherwise support them. If you /parse a registry.pol that contains those commands, LGPO.exe will output what it finds as comments (that is, preceded with semicolons). I don't think I've ever seen those actions. Look for and parse an example of a %USERPROFILE%\ntuser.pol -- those seem to contain Comment commands, which LGPO.exe treats the same way.

Super Contributor

They are simple but useful and valuable tools.

One piece of feedback here: it would be nice to work on improving the UI and also add a GUI menu for those who are primarily using the CLI too.

We love both the GUI and commands, and depending on the use case we may use either.

Regular Visitor

Awesome and long awaited :) Thanks!