Server 2019 WMI Filters or Security Group Filtering


I want to apply a filter for specific domain controller OSes for a slow rollout of some security settings. Notably, I want to target Server 2019 OSes and not others. I found this in my travels:

https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809...

I don't mind applying filtering with groups, but I've never added DCs to groups before; I've always applied WMI filtering before. Would there be any issues with adding DCs to a group and applying a policy to them?

I'm just checking to see which is best practice, WMI or Group Filtering, and also, what is the recommended way to create a WMI filter for Server 2019?

3 Replies

@Lynn Towle Here is a WMI filter that specifically targets Windows Server 2019 domain controllers only:

Select BuildNumber from Win32_OperatingSystem WHERE BuildNumber = "17763" AND BuildNumber LIKE "%[123456789][0123456789][0123456789][0123456789][0123456789]%" AND ProductType="2"

Whether you should prefer WMI filtering or security group filtering is a design decision you should evaluate yourself for your environment.

If you have only Server 2016 and Server 2019 domain controllers you could use the Server 2019 DC baseline for both and not filter at all. I can't find any setting in the Server 2019 baseline that would pose a problem with Server 2016.

If, however, you want or need to filter and use different baselines, personally I would use security filtering instead of WMI filtering. The reason is that WMI filters are much slower, and you can use the security groups you create to collect different servers for other things as well. WMI filters are only good for group policies and sometimes have a use in scripting; security groups, on the other hand, can be used for many different things (and are faster for GPOs). ;)

We are looking at applying additional security mitigations outside of the baselines. The baselines are applied already. I try to ensure that when anything is applied, it's applied in stages: a small subset of servers, test, then additional servers, and so on and so forth.

Adding DCs to a security group "seems" like a security risk, you are now opening up a new avenue of attack. That can be mitigated, but takes a bit to get used to.

Also, I was curious whether DCs would have any issues applying policy with security group filtering; are there any base security settings, either built in or from the baseline, that would stop that processing?
Also, thanks for the filter. I've seen that before, but again, a slightly different way of doing things :)
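As an added example, not code from anyone in this thread: a PowerShell script that evaluates the WQL filter given in the first reply against every domain controller, compares the result with the membership of the staging security group you would use for security filtering, and then lists which principals are allowed to change that group's membership (the "new avenue of attack" raised above). The group name GPO-Staging-DC-2019 is an assumed placeholder; the script assumes the RSAT ActiveDirectory module and WinRM or DCOM access to the DCs.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT)
# and CIM access to each DC. The group name below is an assumed placeholder.
$StagingGroup = 'GPO-Staging-DC-2019'

# Same predicate as the WMI filter in the reply above: build 17763 (Server 2019)
# and ProductType 2 (domain controller). BuildNumber is a string property in WQL.
$Query = 'SELECT BuildNumber, ProductType FROM Win32_OperatingSystem ' +
         'WHERE BuildNumber = "17763" AND ProductType = "2"'

# 1. Sanity-check the query locally first. On a Server 2019 DC this returns one row;
#    on anything else it returns nothing (which is exactly how the GPO filter behaves).
$local = Get-CimInstance -Query $Query -ErrorAction Stop
if ($local) { Write-Host "Local host matches: build $($local.BuildNumber), ProductType $($local.ProductType)" }
else        { Write-Host 'Local host does NOT match the filter' }

# 2. Evaluate the query on every DC, as Group Policy processing would on each host.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $os = Get-CimInstance -ComputerName $dc.HostName -Query $Query -ErrorAction Stop
        [pscustomobject]@{ Name = $dc.Name; Matches = [bool]$os; Error = $null }
    } catch {
        [pscustomobject]@{ Name = $dc.Name; Matches = $false; Error = $_.Exception.Message }
    }
}

# 3. Compare the WMI result with membership of the staging group, so the two
#    filtering methods can be checked against each other before the GPO is linked.
$members = Get-ADGroupMember -Identity $StagingGroup -Recursive |
           Select-Object -ExpandProperty Name
foreach ($r in $results) {
    $inGroup = $members -contains $r.Name
    $state = if ($r.Error)                   { "QUERY FAILED: $($r.Error)" }
             elseif ($r.Matches -and $inGroup) { 'OK: Server 2019 DC and in group' }
             elseif ($r.Matches)               { 'WMI match but NOT in group' }
             elseif ($inGroup)                 { 'In group but NOT a Server 2019 DC' }
             else                              { 'Out of scope for both methods' }
    '{0,-20} {1}' -f $r.Name, $state
}

# 4. Who can add members to the group? Anyone with write access to the 'member'
#    attribute (or broader rights) can pull a DC into, or out of, the policy scope.
$grp = Get-ADGroup -Identity $StagingGroup
$acl = Get-Acl -Path "AD:\$($grp.DistinguishedName)"
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schema GUID of 'member'
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        ($_.ActiveDirectoryRights -match 'WriteProperty' -and
         ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $memberAttrGuid)) -or
        $_.ActiveDirectoryRights -match 'GenericWrite|GenericAll|WriteDacl|WriteOwner'
    )
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Run it from a host with RSAT before linking the GPO; every DC should show either "OK" or "Out of scope", and the ACL listing in step 4 should contain only the admin groups you expect. If you go the security-filtering route, grant the group the Apply right with `Set-GPPermission -Name '<GPO name>' -TargetName $StagingGroup -TargetType Group -PermissionLevel GpoApply` and, when you remove Apply from Authenticated Users, leave it with Read, since Group Policy processing after MS16-072 still needs the computer account to be able to read the GPO.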