Security and compliance are two words that can make a Windows systems administrator shudder! There has never been a more difficult time to administer infrastructure, given today's security and compliance requirements that are necessary to protect your systems and data. Often, this is accomplished with policies.
First of all, what is the Security Compliance Toolkit (SCT) and what capabilities does it provide to you in your environment? The SCT is actually a collection of tools and templates released by Microsoft to give enterprise security administrators quick, easy access to recommended security configuration baselines for Windows and other Microsoft products such as Microsoft Edge.
It allows you to download, analyze, test, edit, and save Microsoft-recommended security configuration baselines and use them for comparison and other purposes in your environment. It is a handy tool for working with policy baselines in the form of GPOs or local policies. Typically, GPOs and local policies are the primary mechanism for applying and enforcing settings in a Windows environment.
As part of the downloads you receive with the Security Compliance Toolkit 1.0, you get security baselines for recommended policy settings. Which Microsoft operating systems and products does the toolkit cover?
Windows 10 security baselines
- Windows 10 Version 1909 (November 2019 Update)
- Windows 10 Version 1903 (May 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
- Windows 10 Version 1607 (Anniversary Update)
- Windows 10 Version 1507
Windows Server security baselines
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
Microsoft Office security baseline
- Microsoft 365 Apps for enterprise (Sept 2019)
Microsoft Edge security baseline
- Version 80
In addition to the security baselines, you also get two tools that allow you to actually run the policy comparisons and interact with GPOs and local policies.
- Policy Analyzer
- LGPO.exe
Let's take a closer look at the two tools that are included in the Security and Compliance Toolkit 1.0 download: Policy Analyzer and LGPO.exe.
Policy Analyzer
The Policy Analyzer tool is included with Security Compliance Toolkit 1.0. What is it? In short, it is a tool that Microsoft provides that allows comparing Group Policies for redundant settings, inconsistencies, and changes that need to be made between policies.
Have you ever been in an environment where you have dozens or more GPOs being applied at different levels? Are there perhaps redundant settings between the policies? Are there settings that are in conflict with each other? The Policy Analyzer can definitely help in those cases.
A handy feature the Policy Analyzer provides is the ability to compare group policy objects or different versions of policies with the local policy of a given workstation or server. This enables easily seeing differences that may exist between your GPOs and what is applied locally on the workstation/server.
You can also compare multiple GPOs at once. This saves you from loading different GPOs, noting the differences, and attempting to compare them manually.
In case you are wondering, Policy Analyzer can't apply policy settings. It is a read-only tool that allows viewing, comparing, and other functions.
Using Policy Analyzer
Using the Policy Analyzer tool is fairly straightforward. The Policy Analyzer.exe tool is a self-contained executable that requires no installation. It is downloaded as part of the ZIP utilities that are included with Security Compliance Toolkit 1.0. SCT 1.0 actually comprises several tools that make up the toolkit.
Policy Analyzer and LGPO.exe tools are included as part of the SCT download
Simply extract and run the Policy Analyzer Tool executable. The first thing you will want to do is Add a policy template or GPO to compare.
Click the File button and select one of the options to add a file to compare. Here, I am adding GPOs for comparison.
You will find the GPOs underneath the various baselines, which you download as part of the toolkit. For instance, in the screen capture below, I am in the extracted Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline. The Policy Analyzer only has you choose the GPO root folder for comparison.
Below, you see the various policies that are imported to the Policy file importer. Click the Import… button to import the policies for comparison.
It will ask you to save the policy rules. The default location is under Documents > PolicyAnalyzer.
Note that below, I have Local policy selected. This will compare the imported GPOs with the settings found running in my local policy on the workstation/server. Click the View/Compare button.
In just a couple of moments, you will see the Policy Viewer launch, displaying the Local Policy along with win10_1909 (the name I gave the policy when I saved it). The tool makes the differences stand out by highlighting them side-by-side. If you have more than one policy you want to compare, these are simply displayed as additional columns in the Policy Viewer.
Another handy feature of the tool is that you can export the settings to Excel. You can export either the table itself or all data.
LGPO.exe
The LGPO.exe tool is a command line utility that provides an easy way to manage the local policies configured on servers/workstations. The tool can import settings from various sources, including registry policy files, security templates, advanced auditing backup files, and LGPO text files.
Settings can also be exported from a machine into a GPO backup. Settings can be exported into a format that allows editing, such as the LGPO text format. LGPO has four modes:
- Import and apply policy settings
- Export local policy to a GPO backup
- Parse a registry.pol file to "LGPO text" format
- Build a registry.pol file from "LGPO text"
While Policy Analyzer is a read-only tool, LGPO.exe can merge and import policies.
Using LGPO.exe
Let's take a look at using the LGPO.exe command line tool to perform one of its four functional modes. We will look at how you can easily export local policy settings to a GPO backup. First, if you just run the executable from the command line, you will see the various options that can be used.
To show the functionality of the utility, you can run the following command to back up your local policies to a GPO backup:
LGPO.exe /b c:\<path you want to store backup> /n <Name of backup>
The local policy will back up to the path you designate. You can use this for additional comparisons or for "snapshots" of various policies that you want to compare in your environment.
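The snapshot idea above can be scripted. This added example (not from the original article) uses the backup and parse modes of LGPO.exe to store a timestamped local policy snapshot and list registry policy settings added or removed since the previous one. The tool path, the snapshot folder, and the Get-LgpoEntry helper are assumptions for illustration.

```powershell
# Added example: snapshot local policy with LGPO.exe and report drift since the last snapshot.
# Assumed paths (not from the article); run from an elevated prompt.
$Lgpo     = 'C:\Tools\LGPO\LGPO.exe'
$Root     = 'C:\PolicySnapshots'
$Name     = 'LocalPolicy-{0:yyyyMMdd-HHmmss}' -f (Get-Date)
$Dest     = Join-Path $Root $Name
$TextName = 'machine-lgpo.txt'

# Hypothetical helper: turn an LGPO text file into one comparable string per setting.
function Get-LgpoEntry([string]$Path) {
    # LGPO text holds 4-line records (scope, key, value name, action); ';' starts a comment.
    if (-not (Test-Path $Path)) { return }
    $lines = @(Get-Content $Path | Where-Object { $_.Trim() -and $_ -notmatch '^\s*;' })
    for ($i = 0; $i + 3 -lt $lines.Count; $i += 4) { $lines[$i..($i + 3)] -join ' | ' }
}

# Find the most recent earlier snapshot before creating the new one.
$Prev = Get-ChildItem $Root -Directory -ErrorAction SilentlyContinue |
    Sort-Object Name | Select-Object -Last 1

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Mode "export local policy to a GPO backup": writes a {GUID} folder under $Dest.
& $Lgpo /b $Dest /n $Name
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /b exited with code $LASTEXITCODE" }

# Mode "parse a registry.pol file to LGPO text": machine-side settings only.
$Pol = Get-ChildItem $Dest -Recurse -Filter registry.pol |
    Where-Object { $_.FullName -match '\\Machine\\' } | Select-Object -First 1
$Text = Join-Path $Dest $TextName
if ($Pol) {
    & $Lgpo /parse /m $Pol.FullName | Set-Content $Text
} else {
    # No machine registry.pol in the backup: no registry-based machine policy is set.
    New-Item -ItemType File -Path $Text -Force | Out-Null
}

# Report settings that appeared or disappeared since the previous snapshot.
if ($Prev) {
    $old = @(Get-LgpoEntry (Join-Path $Prev.FullName $TextName))
    $new = @(Get-LgpoEntry $Text)
    $new | Where-Object { $old -notcontains $_ } | ForEach-Object { "ADDED   $_" }
    $old | Where-Object { $new -notcontains $_ } | ForEach-Object { "REMOVED $_" }
} else {
    "First snapshot stored in $Dest"
}
```

A changed value shows up as one REMOVED line and one ADDED line for the same key and value name. Security template and audit settings in the backup are not covered by this comparison.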
Wrapping up
The Microsoft Security Compliance Toolkit 1.0 provides a great toolset for IT and security admins to work with policies and baselines across their Windows environments. It even includes policy analysis for Microsoft 365 and Microsoft Edge.
The Policy Analyzer tool is a great little tool for comparing policies, even multiple GPOs at once, and for contrasting their settings with what is applied locally. The LGPO.exe utility is a command line utility that makes it easy to interact with, import, and export local policies.
Using the Security Compliance Toolkit 1.0 provides an automated way to interact with and compare policy settings to quickly find overlapping settings, conflicting settings, and perhaps settings that are no longer used or needed.
Download the Microsoft Security Compliance Toolkit 1.0 here.