
I'm hardening a Windows Server 2012 R2 machine for serving secure web pages and following a guide that lays out multiple Local Group Policy Settings and Registry Settings.

When researching how to automate this process I only find ways to export and import Group Policy using PowerShell as follows: https://technet.microsoft.com/en-us/library/ee461027.aspx

This server machine is not joined to a domain and doesn't have Group Policy Management Console installed. Unfortunately, I have not found a resource to use an automatic method (script, code) to change Local Group Policy settings such as:

Local Group Policy Editor -> Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Global Object Access Auditing -> Defined this Policy -> Configure

Local Group Policy Editor -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network access: Do not allow anonymous enumeration of SAM accounts and shares

My end goal is to create a process or script that can set around 100 different Registry Settings and Local Group Policy Settings on a server machine in order to lock it down, avoiding manually configuring each one.

ibsk8in31
  • Do a search for `secedit.exe`, you prepare text files with your settings and then apply them to the system. I'm sure I wrote somewhere how to do this in detail, but I can't find it anymore. But there are several examples by other people out there. – Peter Hahndorf Mar 25 '15 at 15:04

5 Answers


I have been able to research and find what I need on this goal! The resource I found the best direction from was as follows:

http://www.itninja.com/blog/view/using-secedit-to-apply-security-templates

The local group policy settings and security settings can be transferred in a couple of steps:

1. Security Settings:

Right click Security Settings in Local Group Policy Editor (Edit Group Policy) and select Export Policy... Save the .inf file and transfer to the machine you wish to use the same settings. On the new machine, open a command prompt and use the secedit command

secedit /configure /db c:\windows\security\local.sdb /cfg {.\path\to.inf}

Review any errors that come back; I was dealing with user accounts trying to be set for permissions that did not exist on the new machine.

2. The rest of Local Group Policy

Locate the %systemroot%\system32\grouppolicy\ hidden folder and copy the sub folders to the target machine in the same location.

Open a command prompt and use

gpupdate /force

3. The remains

For the miscellaneous settings I was able to use PowerShell commands to add or edit registry keys:

Add:

New-Item -Path HKCU:\Software -Name hsg -Force

Edit:

PS C:\> Push-Location

PS C:\> Set-Location HKCU:\Software\hsg

PS HKCU:\Software\hsg> Set-ItemProperty -Path . -Name newproperty -Value "mynewvalue"

ibsk8in31
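The three steps above can be chained into one script. The following is an added example, not code from the answer: it applies the exported .inf with secedit, surfaces the per-setting errors the answer mentions, applies a table of registry-only values idempotently, and refreshes policy. The template path, log path and the table rows are assumptions; RestrictAnonymous is the registry value behind the "Do not allow anonymous enumeration of SAM accounts and shares" policy named in the question.

```powershell
# Added example: apply an exported security template, then registry-only settings.
# Assumed paths: C:\hardening\server.inf (exported template), C:\hardening\secedit.log
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$Template = 'C:\hardening\server.inf'
$LogFile  = 'C:\hardening\secedit.log'

if (-not (Test-Path $Template)) { throw "Template not found: $Template" }

# Step 1: apply the template to the local security database. /log keeps the
# per-setting failures (e.g. User Rights entries naming accounts that do not
# exist on this machine), which /quiet would otherwise hide from the console.
& secedit.exe /configure /db "$env:SystemRoot\security\local.sdb" /cfg $Template /log $LogFile /quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "secedit exited with code $LASTEXITCODE; review $LogFile"
    Get-Content $LogFile | Select-String -SimpleMatch 'error' | ForEach-Object { Write-Warning $_.Line }
}

# Step 2: settings that live only in the registry. The first row backs the SAM
# enumeration policy from the question; the second is a constructed placeholder.
$RegistrySettings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Type = 'DWord'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\ExampleHardening'; Name = 'ExampleSetting'; Type = 'DWord'; Value = 1 }
)

foreach ($s in $RegistrySettings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    $current = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    if ($null -eq $current -or $current.($s.Name) -ne $s.Value) {
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
        Write-Output "Set $($s.Path)\$($s.Name) = $($s.Value)"
    } else {
        Write-Output "Already compliant: $($s.Path)\$($s.Name)"
    }
}

# Step 3: refresh so any copied %systemroot%\system32\grouppolicy content applies.
& gpupdate.exe /force | Out-Null
```

Run it a second time after reviewing the log: the registry loop reports "Already compliant" for rows that took effect, which makes drift on later runs easy to spot.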

For non-domain machines, you set these things via Local Security Policy, not Group Policy. And those you can import and export using the proper MMC (secpol.msc).

mfinni
  • I'm looking for a way to set them automatically through writing script or code, not through editing the Security Policy in the MMC gui. – ibsk8in31 Mar 25 '15 at 14:51
  • You edit it once to create it and then export it. Then it can be imported anywhere you need it. Manipulating individual settings via powershell seems to be ungainly : http://stackoverflow.com/questions/23260656/modify-local-security-policy-using-powershell – mfinni Mar 25 '15 at 15:06
  • Further confirmation - all of these settings in Local Security are all over the registry and not standardized. Programmatically setting them all will be awful, much easier to have a policy file you make once, and then import as needed. https://groups.google.com/forum/#!topic/microsoft.public.platformsdk.security/Y9iEE0lYzOc – mfinni Mar 25 '15 at 15:08

Use the GPOpack tool from SCM to deploy settings to non-domain-joined machines. If you have direct registry edits that are not in group policy you'll have to add reg.exe commands.

Jim B

Use the new LGPO.EXE tool. It's documented and downloadable from here: https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/

Going by some of the comments in the link it is not comprehensive, and it met my needs completely.

It also works on Windows Server 2016 which LocalGPO.Exe in the SCM tool 3.0 reportedly does not. And in fact LocalGPO.EXE is no longer shipped in SCM 4.0, though there is still a link to the help text for it in SCM!

RobG

Late addition: Consider using auditpol.exe for scripting. Someone has written a PowerShell example using auditpol that checks config against expected values.

Setting:

auditpol /set /category:Logon/Logoff /subcategory:"Account Lockout" /Success:enable /failure:disable

Getting:

PS C:\Windows\system32> auditpol /get /category:* /r 
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

DESKTOP-7Q0D9I7,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
DESKTOP-7Q0D9I7,System,User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030},No Auditing,
...
Alex M
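A check of the kind this answer alludes to, as an added example (not the script it refers to and not the page's own code): it parses the CSV that `auditpol /get /category:* /r` prints, compares the "Inclusion Setting" column against an expected baseline, and prints the `auditpol /set` command that would fix each drift. The baseline values are constructed for illustration, and the setting strings are the en-US ones shown above.

```powershell
# Added example: detect audit-policy drift from the "auditpol /get /category:* /r" CSV.
# Baseline below is constructed for illustration; adjust to the hardening guide in use.
#Requires -RunAsAdministrator
$Expected = @{              # Subcategory -> expected "Inclusion Setting"
    'Logon'           = 'Success and Failure'
    'Account Lockout' = 'Success'
    'Logoff'          = 'Success'
}

function Get-AuditPolicyTable {
    # auditpol prints an empty line after the header; drop it before parsing.
    & auditpol.exe /get /category:* /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv |
        Where-Object { $_.'Policy Target' -eq 'System' }   # ignore per-user rows
}

function ConvertTo-AuditPolArgs([string]$Setting) {
    # Map the human-readable setting back to the /success and /failure flags.
    # "No Auditing" matches neither word and so disables both.
    $s = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    "/success:$s /failure:$f"
}

$Actual = @{}
foreach ($row in Get-AuditPolicyTable) { $Actual[$row.Subcategory] = $row.'Inclusion Setting' }

$Drift = foreach ($sub in $Expected.Keys) {
    $have = if ($Actual.ContainsKey($sub)) { $Actual[$sub] } else { '<not reported>' }
    if ($have -ne $Expected[$sub]) {
        [pscustomobject]@{ Subcategory = $sub; Expected = $Expected[$sub]; Actual = $have }
    }
}

if (-not $Drift) { Write-Output 'Audit policy matches baseline.'; exit 0 }
Write-Warning 'Audit policy drift detected:'
$Drift | Format-Table -AutoSize
foreach ($d in $Drift) {
    # Print rather than run the remediation so the change can be reviewed first.
    Write-Output ("auditpol /set /subcategory:`"{0}`" {1}" -f $d.Subcategory, (ConvertTo-AuditPolArgs $d.Expected))
}
exit 1
```

The non-zero exit code lets a scheduled task or configuration-management run flag the host; on a non-English Windows the setting strings in the baseline must match that locale's auditpol output.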