Defrag Tools #174 - Security Baseline, Policy Analyzer and LGPO


The Discussion

  • Just check your mother hasn't already got it...

  • This is a great episode. Especially the Policy Viewer and LGPO tools. Good job, Aaron.

  • Can we apply the security and audit settings to local policy using Policy Analyzer or LGPO?

  • Aaron Margosis

    LGPO can apply settings. Policy Analyzer is a "read-only" tool - it doesn't apply settings, just reports on them.

  • Paul Howells

    What emulates Win 10 OS?

  • System Auditor

    In the video Aaron mentions that some of the baseline security settings go to undocumented areas of the registry. Therefore when running "Compare local registry" not all of the values set by the baseline security stuff can be read by the tool.

    That means:
    1. It is not possible to check whether all of the baseline security settings were set correctly or not (since some are in hidden areas of the registry and therefore cannot be read out).
    2. Let's say I want to audit a Windows system which joined a domain. I'd like to know if the baseline security settings provided by Microsoft were applied. From my understanding, I'm not able to verify that for all settings without having a backup of the GPOs from the domain controller, since just comparing against the registry doesn't give me all the values.

    Is that correct?

  • @System Auditor:
    User rights assignments and many other security options land in HKLM\Security, where only the System account is allowed and the data formats are undocumented. The way to validate settings is with low-level APIs or with secedit.exe /export.

    The next version of Policy Analyzer will offer a better way to validate current system state against baselines.

  • System Auditor

    I'm impressed that you answered that fast. Very much appreciated!

    Let me summarize that:
    I can use the "Compare local registry" feature to compare against selected baselines. Since that doesn't allow me to also compare stuff under HKLM\Security, I would need to export via

    secedit.exe /export /cfg export.inf

    and compare the values with the ones in the baseline. Then every setting should have been covered.
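
The comparison described in the comment above, sketched as an added example that is not part of the original thread or of Policy Analyzer/LGPO. It assumes the baseline is available as a security template in the same INF format as the `secedit.exe /export` output; the function names and both INF texts are constructed for illustration.

```python
# Added example: diff a secedit export against a baseline security template.
SET_SECTIONS = {"privilege rights"}  # values are SID lists; order is not significant
SKIP = {"unicode", "version"}        # file metadata, not settings

BASELINE = r"""
[System Access]
MinimumPasswordLength = 14
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeTcbPrivilege =
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""  # constructed sample baseline
EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""  # constructed sample of export.inf content

def parse_inf(text):
    """Parse security-template INF text into {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def as_set(value):
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def mismatches(baseline_text, export_text):
    """Return (section, key, expected, actual) for each baseline setting the export does not match."""
    baseline, export = parse_inf(baseline_text), parse_inf(export_text)
    findings = []
    for section, settings in baseline.items():
        if section in SKIP:
            continue
        for key, expected in settings.items():
            actual = export.get(section, {}).get(key)
            if section in SET_SECTIONS:
                # A right that no account holds is absent from the export: missing == empty.
                same = as_set(actual or "") == as_set(expected)
            else:
                same = actual == expected
            if not same:
                findings.append((section, key, expected, actual))
    return findings
```

A real `export.inf` is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in. Rights listed by account name in one file and by SID in the other will be reported as differences.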


  • It would be great if someone could confirm or correct the last comment of System Auditor. I have the same question.
