Defrag Tools #173 - Troubleshooting with the Windows Sysinternals Tools, 2nd Edition
Play Defrag Tools #174 - Security Baseline, Policy Analyzer and LGPO
Description
In this episode of Defrag Tools, Andrew Richards and Chad Beeder are joined by Aaron Margosis. We talk about the Security Baseline for Windows 10. We also look at the Policy Analyzer and Local Group Policy Objects (LGPO) tools.
Resources:
Microsoft Security Guidance Blog
Policy Analyzer v3.1
Local Group Policy Objects (LGPO)
Aaron Margosis' Non-Admin, App-Compat and Sysinternals WebLog
Troubleshooting with the Windows Sysinternals Tools, 2nd Edition
Download
The Discussion
-
MariaHamilton Just check your mother hasn't already got it...
-
Benayou This is a great episode. Especially the Policy Viewer and LGPO tools. Good Job Aaron.
-
mahendra Can we apply the security and audit setting to local policy using policy analyzer or LGPO.
-
Aaron Margosis LGPO can apply settings. Policy Analyzer is a "read-only" tool - it doesn't apply settings, just reports on them.
-
Paul Howells what emulates win 10 OS ?
-
System Auditor In the video Aaron mentions that some of the baseline security settings go to undocumented areas of the registry. Therefore when running "Compare local registry" not all of the values set by the baseline security stuff can be read by the tool.
That means:
1. It is not possible to check whether all of the baseline security settings were set correctly or not (since some are in hidden areas of the registry and can therefore not read out).
2. Let's say I want to audit a Windows system which joined a domain. I'd like to know if the baseline security settings provided by Microsoft were applied. From my understanding I'm not able to verify that for all settings, without having a Backup of the GPOs from domain controller. Since just comparing against the registry, doesn't give me all the values.
Is that correct? -
AaronMargosis @System Auditor:
User rights assignments and many other security options land in HKLM\Security, where only the System account is allowed and the data formats are undocumented. The way to validate settings is with low-level APIs or with secedit.exe /export.
The next version of Policy Analyzer will offer a better way to validate current system state against baselines. -
System Auditor @Aaron
I'm impressed that you answered that fast. Very much apprechiated!
Let me summarize that:
I can use the "Compare local registry" feature to compare against selected baselines. Since that doesn't allow to also compare stuff under HKLM\Security, I would need to export via
secedit.exe /export /cfg export.inf
and compare the values with the ones in the baseline. Then every settings should have been covered.
Correct?
More episodes in this series
Defrag Tools #175 - Debugging the Network Stack
Related episodes
TechNet Radio: Direct from Tech Ed 2007 Part Two
TechNet Radio - Upgrading to Vista: A Customer’s Story
Steeltoe - External Configuration with Spring
Microsoft Identity and series introduction
ASP.NET Core Series: SameSite Cookie Security
Private Link for Azure SQL Database - Part 2
Private Link for Azure SQL Database - Part 1
Azure Sphere: Defense in depth for IoT devices
The Azure Sphere Security Promise
Device Authority Keyscaler integration with IoT Hub and DPS for PKI/Cert management
