Forum Widgets
Latest Discussions
Question regarding MSCT 1.0 baselines for Windows Server 2016, 2019, and 2022
Hi All, I have a mix of Windows Server 2016, 2019, and 2022 Domain Controllers. Given the above, what admx and adml files should I copy to the respective SYSVOL folders: C:\Windows\SYSVOL\domain\Policies C:\Windows\SYSVOL\domain\Policies\en-US E.G. If you look in the Templates folder for 2016, 2019, and 2022 they all have the same filenames and will overwrite each other. I'm assuming I should use Windows Server-2022-Security-Baseline-FINAL, but won't this have incompatibilities with 2016/2019 DCs? Windows-Server-2016-Security-Baseline Templates AdmPwd.admx 4k MSS-legacy.admx 19k SecGuide.admx 4k AdmPwd.adml 4k MSS-legacy.adml 17k SecGuide.adml 4k Windows Server 2019 Security Baseline Templates AdmPwd.admx 4k MSS-legacy.admx 19k SecGuide.admx 28k AdmPwd.adml 4k MSS-legacy.adml 17k SecGuide.adml 12k Windows Server-2022-Security-Baseline-FINAL Templates AdmPwd.admx 4k MSS-legacy.admx 19k SecGuide.admx 32k en-US AdmPwd.adml 4k MSS-legacy.adml 17k SecGuide.adml 16k
Security Baseline Version 23H2, greenfield deployment
Hi, Is there a best practice to start rolling out the Microsoft security baseline. I am in a Greenfield situation where I would like to use this baseline as a starting point. This by first adjusting the baseline by removing what I think might be causing issues for the user. There are a lot of settings in this baseline so I am sure some of them will causes issues for users. Since you simply can't disable the policy and all settings will be reverted what is the best practice around this? Make a copy of the existing baseline adjust settings and re-apply the correct settings? I read that Intune is tattooing some settings an the only way to reverse is to wipe and re-deploy, or manually fix in registry. Any advice on this, maybe not use the baseline and built template gradually.Windows 11 22H2, Server 2022 Baselines - CIS Level 1
Are the security baselines downloaded in the SCT "CIS Level 1"? I've used the Policy Analyzer to compare the group of baseline GPOs (all the ones in the \GPOs\ folder) to the 'current environment' using a freshly provisioned PC, and a Vm for sever 2022. The 'baseline' vs 'current state' comparison is helpful, but I'm wondering if I was to enable every gpo in the baseline column, does that get you CIS Level 1? MS does not seem to use the CIS terms in the documentation I've found.
Applying the SCT to standalone hardened systems?
I'm experimenting with the use of the SCT to speed up the hardening process for "elevated risk" servers for my company, such as systems residing within an Internet DMZ. My tests are currently relegated to the use of Windows 2016. In my environment, the DMZ placed systems would likely be standalone and not members of any domain. The SCT for Win10/Win2016 includes three main processing scripts for the application of the relevant GPO content to the targeted system: -) Client_Install.cmd -) Domain_Controller_Install.cmd -) Member_Server_Install.cmd Is there any guidance as to which particular processing script I should use for my standalone application on the target system? None of the "names" for the processing scripts above exactly match my scenario. Thanks, TariqQuestion Regarding Server 2022 Domain & Controller MSCT baselines
I have a basic 'Newbie' question regarding the MSCT baselines. I see the GPO for 'MSFT Windows Server 2022 - Domain Controller' and also 'MSFT Windows Server 2022 - Member Server'. I just want to confirm that we should only apply the'MSFT Windows Server 2022 - Domain Controller' policies to our DC's, and not the Member Server policies as well. While this seems obvious, I just want to make sure.Windows 10/11 22h2 Security Baseline missing in Intune
Hi, can you please enlighten when the Windows 10/11 Security Baseline will be updated to 22H2? The current baseline is of November 2021, I am sure that there are new recommedations in the new baseline (Windows 10, version 22H2 Security baseline - Microsoft Community Hub) that would be helpful while managing Windows in a more modern way. As an example, currently missing the 22H2 option "Allow Administrator account lockout" to manage it without the need of a GPO.
Office security baseline breaks excel feature: "analysis toolpak"
Hi team, I have found that the Office security baseline (Intune v2306) breaks an excel feature: analysis toolpak add-in (the data analysis menu item does not load). There was a known issue note on the v2206 office baseline that stated the setting "Prevent Excel from running XLM macros" broke analysis toolpak and referred to a workaround: https://support.microsoft.com/office/06cd719c-1e9b-4624-815b-c377ad5ca236 But, I have tested removing/disabling the "Prevent Excel from running XLM macros" from the baseline and the issue persists. I also tested deploying/enabling only the "Prevent Excel from running XLM macros" and it doesn't cause the feature to stop working. I've come to the conclusion that "Prevent Excel from running XLM macros" is no longer a relevant setting (and the workaround is no longer accurate). I've tested a dozen settings from excel trust center without success in finding the offending setting. The "analysis toolpak" doesn't show in the trust center logging. 1. It looks like this needs to be a known issue for the office baseline again, 2. Any recommendations on how to troubleshoot the issue (short of working through each setting in the baseline)?Security Baselines for Linux
Currently only Windows OS is in scope of the Security Baseline assessments. Are there any plans to expand it for Linux (RedHat) as well? I mean our organization has deployed Defender on Linux, so it might be possible Microsoft will support this on Linux OS'es as well. Thanks, DragiYour connection isn't private on edge after hardening plus no home page
Hi, We are in the process of setting up a policy for organizational users using Edge and GPO. We have had a few hickups, two of which I would be happy for assistance with fixing. It's important that all the fixes are via the GPO settings (ADMX as of build 101 of Edge). The first issue is that when the browser starts, we want it to open to our organizational portal, but it opens to "edge://newtab". We managed to set the home page (when you click the home icon) to our portal, but can't figure out how to get Edge to always open with our portal as the main page. The second issue is even more problematic. On some external web sites, even those you would not expect to get it, we get a "Your connection isn't private" message (when trying to browse to "www.google.com" for example. and the internal error is "NET::ERR_CERT_NO_REVOCATION_MECHANISM" We don't have this issue with IE or chrome to the same websites on the same ws's. And we don't have this issue with internal websites. Anyone have any idea why this is happening only on Edge and what the parameter that could be causing this ? Again, it does not happen on all web sites. Some web sites that give this error allow us to move forwards, while others like google, won't even allow that. Would appreciate any help. MikeSecuring Group Policy Template and importing it to windows server 2016 Group Policy
Hi, I'm working on the Security Hardening of windows server 2016 according to [CIS Benchmark V 1.2.0][1], for this I found a Security Compliance project from Microsoft which is [Microsoft Security Compliance Toolkit 1.0][2]. This project works on a preconfigured Group Policy for Member Server or Domain Controller and that group policy has a Hardened configuration that complies with the CIS Benchmark. Microsoft Security Compliance Toolkit 1.0 has some tools and configurations that can be installed from [here][3]. the main problem with this toolkit and its group policy configuration is they are not implementing all the CIS Benchmark for windows server 2016 so I start working on my own Group Policy Template. For building my Hardening Group Policy Template I started by taking snapshot from my windows server 2016 so I can work on a system, like the production, then deploying the Hardened Group policy that comes with the Toolkit (as a starting point) then check every point from the CIS Benchmark document and reflect the Recommended configuration on that Template Group Policy. after finishing some of those Security recommendations I took another snapshot from the production server and used the LGPO.exe (included in the toolkit) tool to import the Hardened Group Policy Template that I was working on and apply it to the new server snapshot. after importing the Hardened Group Policy to the test server I start facing many problems when trying to log in to my administrator account, as seen in the photos : 1. After login, I receive this error, and if log in again it doesn't occur again : https://drive.google.com/file/d/1emPuoTKajuUmTifi8sSirb1vUJIhi9sI/view?usp=sharing 2. After login sometimes the server hangs on the following state : https://drive.google.com/file/d/1Vp48d7sxdCfabs93IfRW10_T9xHo44R3/view?usp=sharing 3. receive this error sometimes : https://drive.google.com/file/d/16BJEMn6OZAS8J5pTRFF4tGcFfGMAYRGN/view?usp=sharing Note that the previous errors occur sometimes and if you try to access the same thing again it works, 4.this occurs every time I log in to the account : https://drive.google.com/file/d/16W86tVTVgoo9amvhlsfCsmsMb-XMAFZl/view?usp=sharing All of these errors start happening after deploying the Hardened Group Policy to the test server, Also I had another snapshot from the production server where I tried to do the same Security Recommendations Manually, so I did the same Security Recommendations that I configured in the Group Policy and caused all the previous errors but this time manually and everything was working as expected with no errors !! So my Issue Is what goes wrong with having a tool such as LGPO.exe (official Microsoft tool) that imports Group Policy GPO to the current Group Policy, and why I had all the previous issues when doing that? but when doing manual works it worked well? what is the best way to Make Secure Group Policy as per CIS Benchmark and export it then import to each Server you have ? what is the best way for doing this? **Note:** 1. I have only one admin user that I'm using during the work 2. my win server 2016 is non-domain machine - stand alone Thanks in advance [1]: https://www.newnettechnologies.com/cis-benchmark.html?utm_campaign=Search+-+ROW+-+Quantity&utm_medium=ppc&utm_source=adwords&utm_term=&hsa_acc=2189148223&hsa_cam=134925607&hsa_grp=78721086889&hsa_src=g&hsa_tgt=dsa-688559004445&hsa_kw=&hsa_ad=361557470862&hsa_net=adwords&hsa_mt=b&hsa_ver=3&gclid=Cj0KCQjw3ZX4BRDmARIsAFYh7ZIAuQlReBpbGLHvKYCCQxq7QQrBYKgvrhxZu7tJne57NuBNQtT7gDIaAjDYEALw_wcB [2]: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10 [3]: https://www.microsoft.com/en-us/download/details.aspx?id=55319
