Win2019 standalone baseline testing (lab)

Hello,

 

I'm running a Win2019 Core lab instance where I'm experimenting with the application of an SCT baseline to harden the system. The use case for the production rollout would be for a standalone Internet-facing web server, so I'd like to ensure that I've done my best to prep it for exposure. The lab 2019 instance is running in Hyper-V and has been fully patched.

 

-) Any recommendations on running the PolicyAnalyzer on a server running Core? I can execute the PolicyAnalyzer software from the server CLI console, but I think that, since Windows Explorer isn't available, certain key aspects of the tool become unusable (Example: when I try to select a directory for Policy Templates, the directory/location selection area is blank and I cannot select an alternate directory. See screenshot)

 

-) When running the Baseline installation PS script, there is an error message that is displayed during the installation:

 

-----

Installing Exploit Protection settings...
Set-ProcessMitigation : Unable to load DLL 'MitigationConfiguration.dll': The specified module could not be found.
(Exception from HRESULT: 0x8007007E)
At C:\sct\Windows 10 Version 1809 and Windows Server 2019 Security Baseline\Local_Script\BaselineLocalInstall.ps1:250
char:1
+ Set-ProcessMitigation -PolicyFilePath $rootDir\ConfigFiles\EP.xml
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-ProcessMitigation], DllNotFoundException
+ FullyQualifiedErrorId : System.DllNotFoundException,Microsoft.Samples.PowerShell.Commands.SetProcessMitigationsC
ommand

-----

 

Is there any way to understand what this error is and why it is occurring?

 

Thanks,

 

T.

4 Replies

I've been struggling with this as well. I think it's because of running a Core version.

FWIW, this does NOT fix it:

 

Install-Module -Name ProcessMitigations -Force -SkipPublisherCheck
Import-Module ProcessMitigations

 

 

A relevant thread to "follow" might be: https://github.com/microsoft/PowerStig/issues/866

It looks like you are failing on the Exploit Protection portion of the script which we have removed from all baselines starting in the fall of 2019.

@Rick_Munck Can you shed some light on where to get the latest baseline?  The version I downloaded said it was published on 3/4/2022.  It still has the following lines:

LogAndShowProgress "Installing Exploit Protection settings..."
# TODO: Some way to capture this output?
Set-ProcessMitigation -PolicyFilePath $rootDir\ConfigFiles\EP.xml

 

Based on your statement, it sounds like this has been removed from all baselines for a few years now??

 

I've downloaded it from https://www.microsoft.com/en-us/download/details.aspx?id=55319

@Ian-Cervantez-Volusion it depends on what version you are referring to. Starting in version 1909 we no longer include Exploit Protection settings. The baselines are point-in-time and evolve with each version. For 2019 I would recommend using the 20H2 baseline.
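
For anyone still running a baseline script that contains the Exploit Protection step, here is one way to make that step report the missing-DLL failure seen above instead of printing a raw error mid-run. This is an added example, not part of the thread or of Microsoft's baseline scripts; `Invoke-ExploitProtectionStep` is a hypothetical helper name and the relative `EP.xml` path is an assumption based on the `ConfigFiles\EP.xml` reference in the script.

```powershell
# Added example: guarded wrapper for the baseline script's Exploit Protection step.
# Invoke-ExploitProtectionStep is a hypothetical helper, not a Microsoft cmdlet.
function Invoke-ExploitProtectionStep {
    [CmdletBinding()]
    param(
        # Path to the EP.xml policy file (ConfigFiles\EP.xml in the baseline script).
        [Parameter(Mandatory)][string]$PolicyFilePath
    )
    $result = [ordered]@{ InstallationType = $null; Applied = $false; Reason = $null }
    # InstallationType reads "Server Core" on Core installs, "Server" with Desktop Experience.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue
    $result.InstallationType = $cv.InstallationType

    if (-not (Test-Path -LiteralPath $PolicyFilePath -PathType Leaf)) {
        $result.Reason = "Policy file not found: $PolicyFilePath"
        return [pscustomobject]$result
    }
    if (-not (Get-Command Set-ProcessMitigation -ErrorAction SilentlyContinue)) {
        $result.Reason = 'Set-ProcessMitigation cmdlet is not available on this host'
        return [pscustomobject]$result
    }
    try {
        Set-ProcessMitigation -PolicyFilePath $PolicyFilePath -ErrorAction Stop
        $result.Applied = $true
    }
    catch {
        # The error in the thread carries a FullyQualifiedErrorId starting with System.DllNotFoundException.
        if ($_.FullyQualifiedErrorId -like 'System.DllNotFoundException*' -or
            $_.Exception -is [System.DllNotFoundException]) {
            $result.Reason = "Native DLL could not be loaded: $($_.Exception.Message)"
        }
        else { throw }   # any other failure is unexpected; let it surface
    }
    return [pscustomobject]$result
}

# Usage: replaces the bare Set-ProcessMitigation call in a local copy of the script.
$ep = Invoke-ExploitProtectionStep -PolicyFilePath '.\ConfigFiles\EP.xml'
$ep | Format-List
```

When `Applied` comes back `False`, the rest of the baseline can still be installed and the `Reason` and `InstallationType` fields record why Exploit Protection was skipped on that host.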