Microsoft Security Compliance Toolkit 1.0

Auditing, administering, and implementing Windows policies can be cumbersome. Microsoft Security Compliance Toolkit 1.0 replaces Security Compliance Manager and can help manage both domain and local policies effectively. In this post, we take a look at its features and capabilities.

Security and compliance are two words that can make a Windows systems administrator shudder! There has never been a more difficult time to administer infrastructure, given today's security and compliance requirements that are necessary to protect your systems and data. Often, this is accomplished with policies.

Overview

First of all, what is the Security Compliance Toolkit (SCT) and what capabilities does it provide to you in your environment? The SCT is actually a collection of tools and templates released by Microsoft to give enterprise security administrators quick, easy access to recommended security configuration baselines for Windows and other Microsoft products such as Microsoft Edge.

It allows you to download, analyze, test, edit, and save Microsoft-recommended security configuration baselines and use them for comparison and other purposes in your environment. It is a handy tool for working with policy baselines in the form of GPOs or local policies. Typically, GPOs and local policies are the primary mechanism for applying and enforcing settings in a Windows environment.

As part of the downloads you receive with the Security Compliance Toolkit 1.0, you get security baselines for recommended policy settings. What Microsoft operating systems and products does the tool apply to?

Windows 10 security baselines

  • Windows 10 Version 1909 (November 2019 Update)
  • Windows 10 Version 1903 (May 2019 Update)
  • Windows 10 Version 1809 (October 2018 Update)
  • Windows 10 Version 1803 (April 2018 Update)
  • Windows 10 Version 1709 (Fall Creators Update)
  • Windows 10 Version 1607 (Anniversary Update)
  • Windows 10 Version 1507

Windows Server security baselines

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2

Microsoft Office security baseline

  • Microsoft 365 Apps for enterprise (Sept 2019)

Microsoft Edge security baseline

  • Version 80

In addition to the security baselines, you also get two tools that allow you to actually run the policy comparisons and interact with GPOs and local policies.

Tools Included:

  • Policy Analyzer
  • LGPO.exe

Let's take a closer look at the two tools that are included in the Security Compliance Toolkit 1.0 download: Policy Analyzer and LGPO.exe.

Policy Analyzer

The Policy Analyzer tool is included with Security Compliance Toolkit 1.0. What is it? In short, it is a tool that Microsoft provides that allows comparing Group Policies for redundant settings, inconsistencies, and changes that need to be made between policies.

Have you ever been in an environment where you have dozens or more GPOs being applied at different levels? Are there perhaps redundant settings between the policies? Are there settings that are in conflict with each other? The Policy Analyzer can definitely help in those cases.

A handy feature the Policy Analyzer provides is the ability to compare group policy objects or different versions of policies with the local policy of a given workstation or server. This enables easily seeing differences that may exist between your GPOs and what is applied locally on the workstation/server.

You can also compare multiple GPOs at once, which saves you from loading each GPO separately, noting the differences, and attempting to compare them manually.

In case you are wondering, Policy Analyzer can't apply policy settings. It is a read-only tool that allows viewing, comparing, and other functions.

Using Policy Analyzer

Using the Policy Analyzer tool is fairly straightforward. The Policy Analyzer.exe tool is a self-contained executable that requires no installation. It is downloaded as part of the ZIP utilities that are included with Security Compliance Toolkit 1.0. SCT 1.0 actually comprises several tools that make up the toolkit.

Policy Analyzer and LGPO tools are included as part of the SCT download

Simply extract and run the Policy Analyzer Tool executable. The first thing you will want to do is Add a policy template or GPO to compare.

Running the Policy Analyzer and adding a GPO for comparison

Click the File button and select one of the options to add a file to compare. Here, I am adding GPOs for comparison.

Choose the type of file you want to import for comparison

You will find the GPOs underneath the various baselines, which you download as part of the toolkit. For instance, in the screen capture below, I am in the extracted Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline. The Policy Analyzer only has you choose the GPO root folder for comparison.

Choose the domain GPO folder that you want to use for comparison

Below, you see the various policies that are imported to the Policy file importer. Click the Import… button to import the policies for comparison.

After choosing the GPO policy, import the policies for comparison

It will ask you to save the policy rules. The default location is under Documents > PolicyAnalyzer.

Save the imported policy rules

Note that below, I have Local policy selected. This will compare the imported GPOs with the settings found running in my local policy on the workstation/server. Click the View/Compare button.

Run the View Compare option with Local policy selected

In just a couple of moments, you will see the Policy Viewer launch, displaying the Local Policy along with win10_1909 (the name I gave the policy when I saved it). The tool makes the differences stand out by highlighting them side-by-side. If you have more than one policy you want to compare, these are simply displayed as additional columns in the Policy Viewer.

Viewing the differences in the Policy Viewer tool

Another handy feature of the tool is that you can export the settings to Excel. You can export either the table itself or all data.

Export results to Excel

LGPO.exe

The LGPO.exe tool is a command line utility that provides an easy way to manage your local policies configured on servers/workstations. The tool can import settings from various sources. This includes registry policy files, security templates, advanced auditing backup files, and LGPO text files.

Settings can also be exported from a machine into a GPO backup. Settings can be exported into a format that allows editing, such as the LGPO text format. LGPO has four modes:

  • Import and apply policy settings
  • Export local policy to a GPO backup
  • Parse a registry.pol file to "LGPO text" format
  • Build a registry.pol file from "LGPO text"

While Policy Analyzer is a read-only tool, LGPO.exe can merge and import policies.

Using LGPO.exe

Let's take a look at using the LGPO.exe command line tool to perform one of its four functional modes. We will look at how you can easily export local policy settings to a GPO backup. First, if you just run the executable from the command line, you will see the various options that can be used.

Viewing the LGPO.exe command line options

To show the functionality of the utility, you can run the following command to back up your local policies to a GPO backup:

Backing up local policy settings to a GPO backup using LGPO.exe

The local policy will back up to the path you designate. You can use this for additional comparisons or for "snapshots" of various policies that you want to compare in your environment.

Local policy settings are backed up to a GPO backup using LGPO.exe
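
The export described above, combined with LGPO's parse mode from the list of four modes, as an added example that is not part of the original post: it snapshots local policy to a timestamped GPO backup, converts the machine registry.pol to LGPO text, and reports settings that changed since the previous snapshot. The paths C:\Tools\LGPO\LGPO.exe and C:\PolicySnapshots and the file name machine-settings.txt are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). All paths below are assumptions.
$Lgpo  = 'C:\Tools\LGPO\LGPO.exe'     # assumed location of the extracted LGPO.exe
$Root  = 'C:\PolicySnapshots'         # assumed folder holding one subfolder per snapshot
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Snap  = Join-Path $Root $Stamp

# Remember the most recent earlier snapshot before creating the new one.
$Prev = Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue |
        Sort-Object Name | Select-Object -Last 1
New-Item -ItemType Directory -Path $Snap -Force | Out-Null

# Export local policy to a GPO backup: /b <path> [/n <GPO name>].
& $Lgpo /b $Snap /n "LocalPolicy-$env:COMPUTERNAME-$Stamp"
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /b failed with exit code $LASTEXITCODE" }

# The backup is written to a GUID-named subfolder; locate the machine registry.pol.
$Pol = Get-ChildItem -Path $Snap -Recurse -Filter 'registry.pol' |
       Where-Object { $_.FullName -like '*\Machine\*' } | Select-Object -First 1
if (-not $Pol) { throw 'Backup contains no machine registry.pol.' }

# Parse registry.pol to LGPO text (written to stdout); drop ';' comments and blank lines.
$Lines = @(& $Lgpo /parse /m $Pol.FullName |
           Where-Object { $_.Trim() -and $_ -notmatch '^\s*;' })

# LGPO text describes each setting in four lines (configuration, key, value name,
# action); join them so every setting becomes one comparable record.
$Records = @(for ($i = 0; $i + 3 -lt $Lines.Count; $i += 4) {
    ($Lines[$i..($i + 3)] | ForEach-Object { $_.Trim() }) -join ' | '
})
if ($Records.Count -eq 0) { Write-Warning 'No machine registry settings found.'; return }
$File = Join-Path $Snap 'machine-settings.txt'
$Records | Set-Content -Path $File

# Report settings that appeared or disappeared since the previous snapshot.
$OldFile = if ($Prev) { Join-Path $Prev.FullName 'machine-settings.txt' }
if ($OldFile -and (Test-Path $OldFile)) {
    Compare-Object -ReferenceObject @(Get-Content $OldFile) -DifferenceObject $Records |
        Select-Object @{ n = 'Change';  e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      @{ n = 'Setting'; e = { $_.InputObject } }
} else {
    Write-Output "First snapshot saved to $Snap; nothing to compare yet."
}
```

A setting whose value changed shows up as one Removed record and one Added record for the same key and value name.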

Wrapping up

The Microsoft Security Compliance Toolkit 1.0 provides a great toolset for IT and security admins to work with policies and baselines across their Windows environments. It even includes policy analysis for Microsoft 365 and Microsoft Edge.

The Policy Analyzer tool is a great little tool that allows comparing policies, even multiple GPOs at once, to compare and contrast settings between the policies and what is applied locally. The LGPO.exe utility is a command line utility that allows easily interacting, importing, and exporting policies locally.

Using the Security Compliance Toolkit 1.0 provides an automated way to interact with and compare policy settings to quickly find overlapping settings, conflicting settings, and perhaps settings that are no longer used or needed.

Download the Microsoft Security Compliance Toolkit 1.0 here.


© 4sysops 2006 - 2020
