New & Updated Security Tools
Published Sep 03 2020 09:54 AM 64.1K Views
Microsoft

It took us a little longer than we wanted, but we are finally ready to announce new versions of LGPO and Policy Analyzer, as well as two new tools, GPO2PolicyRules and SetObjectSecurity. These new and updated tools are now available on the Microsoft Download Center.

The goal is to keep this post as short as possible, so let's just jump into the details.


LGPO v3.0

Two new options were added to LGPO.exe. The first, /ef, enables the Group Policy extensions referenced in a GPO backup's backup.xml. The second, /p, imports settings directly from a .PolicyRules file, which removes the need to have the actual GPOs on hand. Additionally, LGPO.exe /b and /g now capture locally configured client-side extensions (CSEs), which we had an issue with previously. Lastly, /b also correctly captures all user rights assignments, overcoming a bug in the underlying "secedit.exe /export" that fails to capture user rights assignments that are granted to no one.


Policy Analyzer v4.0

The "Compare to Effective State" button has replaced the "Compare local registry" and "Local Policy" checkboxes that used to be in the Policy Analyzer main window. Press it to compare the selected baseline(s) to the current system state. If the selected baseline(s) contain any user configuration settings, they are compared against the current user's settings. "Compare to Effective State" requires administrative rights if the selected baseline(s) include any security template settings or Advanced Auditing settings. The effective state corresponding to the settings in the selected baseline(s) is saved to a new policy rule set.


Policy Analyzer now captures information about Group Policy Client-Side Extensions (CSEs) when you import GPO backups. From a Policy Viewer window, choose View \ Client Side Extensions (CSEs) to view the Machine and User CSEs for each baseline in the Viewer. (Note that LGPO.exe’s improved support for CSEs includes the ability to apply CSE configurations from Policy Analyzer’s .PolicyRules files.)


Policy Analyzer now maps settings and sub-settings to display names more completely and more accurately, including mapping the GUIDs for Attack Surface Reduction (ASR) rules to their display names, and improved localization.


GPO2PolicyRules

You can now automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a new command-line tool that is included with the Policy Analyzer download. It takes two command-line parameters: the root directory of the GPO backup that you want to create a .PolicyRules file from, and the path to the new .PolicyRules file that you want to create. For example:


GPO2PolicyRules.exe C:\BaselinePkg\GPOs C:\Users\Analyst\Documents\PolicyAnalyzer\baseline.PolicyRules


SetObjectSecurity v1.0

SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor as a .reg-file-compatible representation suitable for a REG_BINARY registry value.


Use cases include:

• Restoring the default security descriptor on the file system root directory (which sometimes gets misconfigured by some system setup tools)
• Restricting access to sensitive event logs that grant access too broadly (examples include the AppLocker and PowerShell script block logs, which grant read or read-write access to NT AUTHORITY\INTERACTIVE)
• Locking down (or opening up access to) file shares, directories and registry keys
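The second use case above concerns event log channel ACLs. As an added example, not code from the post or from SetObjectSecurity.exe, the following audits a channel security descriptor given in SDDL form for Allow ACEs that hand a channel right to a broad principal such as NT AUTHORITY\INTERACTIVE, and produces a tightened descriptor with those ACEs removed. The function names and SAMPLE_SDDL are my own and the sample descriptor is constructed; the IU/AU/BU/WD aliases, the Event Log Readers SID and the Read/Write/Clear channel bits are the standard Windows values.

```python
import re

# Event log channel access bits (Read, Write, Clear) and SDDL aliases for broad principals.
CHANNEL_RIGHTS = {0x1: "Read", 0x2: "Write", 0x4: "Clear"}
BROAD = {"IU": "NT AUTHORITY\\INTERACTIVE", "AU": "Authenticated Users", "BU": "Users", "WD": "Everyone"}


def parse_dacl(sddl):
    """ACEs of the D: section as (type, flags, mask or None, trustee); hex rights are decoded."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)   # optional DACL flags (P, AI, AR), then ACEs
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        atype, flags, rights, _obj, _inh, sid = body.split(";")
        mask = int(rights, 16) if rights.lower().startswith("0x") else None   # alias rights left as None
        aces.append((atype, flags, mask, sid))
    return aces


def broad_allow_aces(sddl):
    """Allow ACEs that grant a broad principal any channel right, as (principal, [right names])."""
    findings = []
    for atype, _flags, mask, sid in parse_dacl(sddl):
        names = [n for bit, n in CHANNEL_RIGHTS.items() if mask and mask & bit]
        if atype == "A" and sid in BROAD and names:
            findings.append((BROAD[sid], names))
    return findings


def tighten(sddl, principals=tuple(BROAD)):
    """Drop Allow ACEs for the broad principals; every other ACE (SYSTEM, admins, readers) stays."""
    return re.sub(r"\(A;[^)]*;(?:%s)\)" % "|".join(principals), "", sddl)


# Constructed sample: read for INTERACTIVE alongside SYSTEM/Administrators ACEs and a read
# ACE for the Event Log Readers group (S-1-5-32-573), which a tightened channel should keep.
SAMPLE_SDDL = "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;IU)(A;;0x1;;;S-1-5-32-573)"

if __name__ == "__main__":
    for principal, rights in broad_allow_aces(SAMPLE_SDDL):
        print("%s is granted %s" % (principal, ", ".join(rights)))
    print("tightened:", tighten(SAMPLE_SDDL))
```

Applying the tightened descriptor to the channel is the job of SetObjectSecurity.exe itself; its command syntax is in the download's documentation and is not reproduced here.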


SetObjectSecurity.exe is a 32-bit standalone executable that needs no installer, has no dependencies on redistributable DLLs, and works on all supported x86 and x64 versions of Windows (x64 systems must support WOW64).


Terms of Use

We have now included standard use terms for the tooling that is delivered as part of the Security Compliance Toolkit.


We continually try to process all your feedback and make improvements along the way, so please give the new and updated tooling a try and, as always, let us know any feedback in the comments below.

33 Comments
Brass Contributor

Neat stuff here.  It will be good to have an alternative when icacls.exe or Get-Acl | Set-Acl can't seem to get the job done.

It would be nice to have native 64-bit support for SetObjectSecurity so it will work in 64-bit Windows PE environments that don't have the WOW64 subsystem.


Iron Contributor

Ooh. I didn't realize that WinPE doesn't have WOW64.

Brass Contributor

Yes and we use WinPE 64-bit exclusively ever since we moved from BIOS to UEFI for devices.  We don't even maintain a 32-bit WinPE image.  This is a challenge for things which still require 32-bit binaries to run.

Copper Contributor

Does this version support parsing registry actions with "Secure key" or "soft"? It's quite a rare case; I can't find any examples.

Brass Contributor

@haitao2020 - the LGPO.exe parser recognizes those actions in a registry policy (e.g., registry.pol) file, but does not otherwise support them. If you /parse a registry.pol that contains those commands, LGPO.exe will output what it finds as comments (that is, preceded with semicolons). I don't think I've ever seen those actions. Look for and parse an example of a %USERPROFILE%\ntuser.pol -- those seem to contain Comment commands, which LGPO.exe treats the same way.

Bronze Contributor

They are simple but useful and valuable tools.

One piece of feedback here: it would be nice to work on improving the UI and also add a GUI menu for those who are primarily using the CLI too.

We love both GUI and Commands and depending on use case we may use either.

Copper Contributor

Awesome and long awaited :) Thanks!

Copper Contributor

Are there plans to convert the abilities of LGPO.exe into PowerShell and use an XML file for LGPO settings? It would make managing a large fleet of non-domain PCs much easier.

Microsoft

@GeneSias it's not on the radar currently but we can discuss it during the next planning session

Copper Contributor

Thank you. This is a current gap in PowerShell today. Many people are writing PowerShell that then calls LGPO to do the actual work of updating Group Policy.

Copper Contributor

Hi @Rick_Munck,

Looks like the digital signature certificate for the lgpo.exe executable available here https://www.microsoft.com/en-us/download/details.aspx?id=55319 expired 5/2/2020. As a consequence, I can't use this tool to apply GPO backups remotely through a 3rd-party MDM or scripting. Is this something you can fix quickly?

Iron Contributor

@Roch_Norwa - the signing certificate has expired, but the signature is timestamped so it remains valid. This is standard practice for digital signatures. Without timestamping, every program you run (and every DLL they depend upon) would need to be updated all the time. Is there something on your system that's actually blocking you from using LGPO.exe?

Copper Contributor

Thanks Aaron, I think I found the reason. Our software was doing some security checks on the cert, requiring a specific Subject in the digital signature, but in the latest LGPO.exe version it does not match the old versions - looks like it was changed - in the newest version there is an additional line in the subject of the certificate, "OU=MOPR".

Deleted
Not applicable

I'm not seeing that in the SubjectName nor IssuerName...

(Get-AuthenticodeSignature .\LGPO.exe).SignerCertificate ...

Copper Contributor


Iron Contributor

Oh - in the old one. Yes - the older version of the tool went through a different signing process and used a slightly different certificate. All of them are valid, though.

Copper Contributor

It looks like you have to run Microsoft Security Toolkit on each server individually. Is there a guide to running the toolkit against a set of servers? We have 80+ servers so to run it on each would consume too much time.

Iron Contributor

@DC_CB -

Are you applying policy or verifying policy? To apply policy, AD GPO is what the baselines primarily target and what they're designed for. If the servers aren't domain-joined, then local GPO and/or Desired State Configuration (DSC) are a couple of options staying within the Microsoft stack. (IMO, managing them with Tanium is your best option -- FULL DISCLOSURE: I work for Tanium :)


Copper Contributor

@AaronMargosis_Tanium 

We will be using it to verify policy for compliance reasons. All servers are joined to our AD.

Deleted
Not applicable

@DC_CB -- these free tools aren't designed for compliance verification at scale.

Copper Contributor

Nice tool set, especially LGPO - it would help to apply local group policies in a better way than modifying the corresponding registry keys, especially for non-administrative users. BUT the current terms of use prohibit integrating LGPO into software products (see 3.e) distributed to customers.
Do you plan to relax the terms of use in regard to this point, OR are there plans to provide an SDK to allow SW developers to modify GPOs from an application/installer instead of doing it manually? (NOTE: target systems are standalone systems not integrated into any AD environment.)

Microsoft

Hi @dierk22s, at this time there are no intentions of relaxing the terms of use on any of the SCT tooling, sorry!

Copper Contributor

I think there is a problem when trying to parse registry.pol if there are diacritics. If I enable policy Computer Configuration/Administrative Templates/Microsoft Edge/Configure Favorites and set value to "[{"url":"ĄąĆćĘꣳŃńÓ󌜏źŻż","name":"ĄąĆćĘꣳŃńÓ󌜏źŻż"}]"

1. lgpo.exe /parse output is incomplete: it stops at the first diacritic, and there is no ending line "; PARSING COMPLETED." in the output

; ----------------------------------------------------------------------
; PARSING Computer POLICY
; Source file:  c:\tmp\{2446679D-766C-4E00-BEB8-1F4DB87B793A}\DomainSysvol\GPO\Machine\registry.pol

Computer
Software\Policies\Microsoft\Edge
ManagedFavorites
SZ:[{"url":"

2. restoring policy from registry.pol file using lgpo.exe works correctly


I am using LGPO.exe version 3.0.2004.13001. Is there a newer version available which might not have this problem?
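The comment above reports /parse stopping at the first diacritic in a REG_SZ value. The following is an added example, not code from the post or from LGPO.exe: a small parser for the registry.pol (PReg) format that walks its UTF-16LE records one code unit at a time and prints them in the same four-line layout /parse uses. The function names are my own; the registry.pol it is fed is constructed here, carrying the comment's Edge favourites value plus a constructed DWORD record.

```python
import struct

U16 = "utf-16-le"
TAGS = {1: "SZ", 2: "EXSZ", 4: "DWORD"}     # REG_SZ, REG_EXPAND_SZ, REG_DWORD
_u = lambda s: s.encode(U16)                # the '[', ';', ']' delimiters are UTF-16LE too

def _field(data, pos, term):
    """Text up to the next `term`, accepting matches at even offsets only, so a terminator
    byte pattern inside a non-ASCII code unit (e.g. a diacritic) is never taken as a delimiter."""
    end = data.find(_u(term), pos)
    while end != -1 and (end - pos) % 2:
        end = data.find(_u(term), end + 1)
    if end == -1:
        raise ValueError("truncated record at offset %d" % pos)
    return data[pos:end].decode(U16).rstrip("\0"), end + 2

def parse_registry_pol(data):
    """(key, value name, reg type, raw data) for each [key;value;type;size;data] record."""
    if data[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(data):
        if data[pos:pos + 2] != _u("["):
            raise ValueError("expected '[' at offset %d" % pos)
        key, pos = _field(data, pos + 2, ";")   # NUL-terminated strings, each followed by ';'
        name, pos = _field(data, pos, ";")
        rtype, size = struct.unpack_from("<I", data, pos)[0], struct.unpack_from("<I", data, pos + 6)[0]
        raw, pos = data[pos + 12:pos + 12 + size], pos + 12 + size   # DWORD ';' DWORD ';' data
        if data[pos:pos + 2] != _u("]"):
            raise ValueError("expected ']' at offset %d" % pos)
        entries.append((key, name, rtype, raw))
        pos += 2
    return entries

def to_lgpo_text(entries, scope="Computer"):
    """Blank-line separated blocks of scope, key, value name, TYPE:data, as /parse prints them."""
    def value(rtype, raw):
        if rtype == 4:
            return "DWORD:%d" % struct.unpack("<I", raw)[0]
        return "%s:%s" % (TAGS[rtype], raw.decode(U16).rstrip("\0"))   # SZ / EXSZ
    return "\n\n".join("%s\n%s\n%s\n%s" % (scope, k, n, value(t, r)) for k, n, t, r in entries) + "\n"

def _record(key, name, rtype, raw):   # constructed sample data: one PReg record
    return (_u("[%s\0;%s\0;" % (key, name)) + struct.pack("<I", rtype) + _u(";")
            + struct.pack("<I", len(raw)) + _u(";") + raw + _u("]"))

FAVORITES = '[{"url":"ĄąĆćĘꣳŃńÓ󌜏źŻż","name":"ĄąĆćĘꣳŃńÓ󌜏źŻż"}]'   # value from the comment above
EDGE = "Software\\Policies\\Microsoft\\Edge"
SAMPLE = (b"PReg" + struct.pack("<I", 1) + _record(EDGE, "ManagedFavorites", 1, _u(FAVORITES + "\0"))
          + _record(EDGE, "FavoritesBarEnabled", 4, struct.pack("<I", 1)))
```

Calling to_lgpo_text(parse_registry_pol(SAMPLE)) returns the ManagedFavorites block with the diacritics intact, followed by the DWORD block.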

Nice!

Could you make a video explaining how the tools work in a practical and objective way?

Copper Contributor

Hi,

Can someone please let me know if I can use Policy Analyzer for comparing the local policies and registry settings with the baseline settings in Windows Server 2022? If yes, where can I find the policy rule files to compare with?


thanks


Iron Contributor

@durga665 : download the baseline for WS2022 from the SCT download page (*). The PolicyRules file is in the Documentation folder.


(*) https://www.microsoft.com/download/details.aspx?id=55319


Copper Contributor

Hello all,

I haven't seen any mention of current LGPO's caveats, which I just ran into on a server: when using the "/b" flag to back up everything available locally, run as Administrator, part of the configured GPOs (in this case, at least the LAPS-related ones) were missing when comparing the resulting PolicyRules file in Policy Analyzer.


Since the 2.0 pre-release post (https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-v2-0-pre-release-suppor...) seemed to mention support for these, am I missing something / or did I mess the extract up ?

Iron Contributor

Hi @sebfault - regarding the "/b" backup flag, the documentation (LGPO.pdf, in the download) says "It's important to note that this operation backs up only local policy, not all applied policies and settings."

Iron Contributor

@Rick_Munck @sebfault - it would be a cool feature to add to LGPO.exe: to perform the equivalent of a "gpresult" and capture it in the form of a GPO backup.

Copper Contributor

@AaronMargosis_Tanium I saw that part, but I had some cases where configuration descended through GPO (not applied locally through LGPO) seemed to have been extracted despite this information. Is there any exact definition of what is actually backed up (besides this warning)?

And I concur on the addition of a gpresult-like coverage for the backup function.

Iron Contributor

@sebfault - I'd have to check but my immediate guess is that it's probably some of the Security Settings (such as user rights assignments) and/or Advanced Auditing settings.

Copper Contributor

@AaronMargosis_Tanium That's not it; at least auditing and security use a dedicated tool to be extracted (secedit and I forgot the second one) and are always properly extracted. I'm talking about REG entries missing: in the latest case I found, all WSUS configuration was missed (but properly present in the registry, since our review process also retrieves both SYSTEM and SOFTWARE hives for further analysis).

From what I could gather, it seems to only fetch the "main" GPOs, and misses most of the ones dedicated to specific groups / components (in this case, the WSUS configuration was in a dedicated policy).


Iron Contributor

That's what I'm saying: the data extracted by secedit.exe and auditpol.exe are more likely to include settings that came down from domain GPO. IIRC, the /b option uses secedit.exe and auditpol.exe to get those security settings and advanced auditing settings; it parses the local registry.pol files for most of the registry-based settings and the local gpt.ini to identify registered client-side extensions, and those files aren't touched by domain GPOs.

Version history
Last update:
‎Sep 04 2020 04:22 AM