Mar 03 2024 05:48 AM
Dear Microsoft Active Directory friends,
Even in the age of digital transformation, group policy settings (still) play a crucial role in maintaining network security and compliance. Advanced Hunting, a structured way of monitoring and analyzing these settings, is an indispensable technique for administrators. It makes it possible to gain in-depth insight into the configuration and security posture of Windows networks. By using specific tools and scripts, professionals can detect security weaknesses, identify configuration errors and ensure that all group policies meet the highest security and compliance requirements. This article introduces the concept of Advanced Hunting for Group Policy settings and shows how it can improve management and security in IT infrastructures.
Do we now need additional software and/or expensive tools? No, all we need is a little time, curiosity and the "Security Compliance Toolkit", which Microsoft is making available to us free of charge (thanks to Microsoft at this point).
But first, before we start analyzing the group policy settings, let's take a closer look at the MITRE techniques and the relevant Windows Event IDs.
So that we can compare the Default Domain Controllers Policy, we create a backup:
Security Compliance Toolkit and Baselines can be downloaded here:
https://www.microsoft.com/en-us/download/details.aspx?id=55319
We need the necessary tools and baselines:
Extract the files:
From the Windows-Server-2022-Security-Baseline-FINAL folder, copy the following file:
Paste the file into the Policy Analyzer folder:
Open the Policy Analyzer:
NOTE: If you have a low screen resolution you may not be able to see the bottom part of the application. It is important that you see the bottom part so that you can adjust the path to the policy rule sets (see red marker).
Now we have to add the default domain controller policy:
Click on the import button:
Give it a name and then click on Save:
Now you can compare the policy with the security baseline:
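As an added example (not from the article and not one of Tom's scripts), the backup step above done in PowerShell. It assumes the GroupPolicy module is available (RSAT or a domain controller), read access to the GPO, and `C:\GPO-Backup` as a destination folder; both the path and the report file name are my own choices. It backs up the Default Domain Controllers Policy into a folder that Policy Analyzer's "Add > Import" can read, writes an XML report next to it, and lists the user rights assignments from that report as a quick sanity check before you start comparing against the baseline.

```powershell
# Added example (not from the article): back up the Default Domain Controllers Policy
# so that Policy Analyzer can import it, and keep an XML report alongside for review.
# Requires the GroupPolicy module and read access to the GPO.
Import-Module GroupPolicy

$GpoName    = 'Default Domain Controllers Policy'
$BackupRoot = 'C:\GPO-Backup'                 # assumed path; adjust to your environment
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$BackupPath = Join-Path $BackupRoot $Stamp

New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# Backup-GPO writes the GPO (registry.pol, GptTmpl.inf, ...) into a {GUID} folder.
# That folder is what you point Policy Analyzer's "Add > Import" at.
$Backup = Backup-GPO -Name $GpoName -Path $BackupPath -Comment "Baseline comparison $Stamp"

# An XML report of the same GPO lets you inspect the settings without the GUI.
$ReportFile = Join-Path $BackupPath 'DefaultDomainControllersPolicy.xml'
Get-GPOReport -Name $GpoName -ReportType Xml -Path $ReportFile

# Sanity check: list the user rights assignments the report contains.
# The namespaces are the ones Get-GPOReport uses in its XML output.
[xml]$Report = Get-Content -Path $ReportFile
$ns = New-Object System.Xml.XmlNamespaceManager($Report.NameTable)
$ns.AddNamespace('gp',  'http://www.microsoft.com/GroupPolicy/Settings')
$ns.AddNamespace('sec', 'http://www.microsoft.com/GroupPolicy/Settings/Security')

$Report.SelectNodes('//sec:UserRightsAssignment', $ns) | ForEach-Object {
    $right   = $_.SelectSingleNode('sec:Name', $ns).InnerText
    $members = $_.SelectNodes('sec:Member/sec:Name', $ns) | ForEach-Object { $_.InnerText }
    '{0}: {1}' -f $right, ($members -join ', ')
}

"Backup ID  : $($Backup.Id)"
"Backup path: $BackupPath"
```

Run it in an elevated PowerShell session on a machine joined to the domain. The timestamped subfolder keeps earlier backups intact, so you can diff today's export against last month's as well as against the Microsoft baseline; `Backup-GPO -All` takes the same `-Path` if you want the whole set in one go.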
If you want to examine your Active Directory with PowerShell, you will find a "small" compilation of various PowerShell scripts in the following link:
https://github.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/tree/main/PowerShell
NOTE: Before using these scripts, make sure that you have the necessary authorizations. This should always be in writing. Although the scripts do not change any settings or manipulate the system, it is your responsibility how you use these scripts!
I hope that this information is helpful to you and that it has given you a good "little" foundation. This article is by no means complete and exhaustive, but I still hope it is useful to you.
Thank you for taking the time to read the article.
Happy Comparing and Hunting, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
May 19 2024 09:14 AM
Sorry, my AD knowledge is near to 0.
But why do you choose the default Domain Group Policy? We have nearly 100 different GPOs. Do we have to take every one and back it up and run the compare against them?
BR
Rob