Defrag Tools #174 - Security Baseline, Policy Analyzer and LGPO


Description

In this episode of Defrag Tools, Andrew Richards and Chad Beeder are joined by Aaron Margosis. We talk about the Security Baseline for Windows 10. We also look at the Policy Analyzer and Local Group Policy Objects (LGPO) tools.

Resources:
Microsoft Security Guidance Blog
Policy Analyzer v3.1
Local Group Policy Objects (LGPO)
Aaron Margosis' Non-Admin, App-Compat and Sysinternals WebLog
Troubleshooting with the Windows Sysinternals Tools, 2nd Edition

The Discussion

  • Maria Hamilton

    Just check your mother hasn't already got it...

  • Benayou

    This is a great episode. Especially the Policy Viewer and LGPO tools. Good Job Aaron.

  • mahendra

    Can we apply the security and audit settings to local policy using Policy Analyzer or LGPO?

  • Aaron Margosis

    LGPO can apply settings. Policy Analyzer is a "read-only" tool - it doesn't apply settings, just reports on them.

  • Paul Howells

    What emulates Win 10 OS?

  • System Auditor

    In the video Aaron mentions that some of the baseline security settings go to undocumented areas of the registry. Therefore, when running "Compare local registry", not all of the values set by the baseline security stuff can be read by the tool.

    That means:
    1. It is not possible to check whether all of the baseline security settings were set correctly or not (since some are in hidden areas of the registry and can therefore not be read out).
    2. Let's say I want to audit a Windows system which joined a domain. I'd like to know if the baseline security settings provided by Microsoft were applied. From my understanding I'm not able to verify that for all settings without having a backup of the GPOs from the domain controller, since just comparing against the registry doesn't give me all the values.

    Is that correct?

  • Aaron Margosis

    @System Auditor:
    User rights assignments and many other security options land in HKLM\Security, where only the System account is allowed and the data formats are undocumented. The way to validate settings is with low-level APIs or with secedit.exe /export.

    The next version of Policy Analyzer will offer a better way to validate current system state against baselines.

  • System Auditor

    @Aaron
    I'm impressed that you answered that fast. Very much appreciated!

    Let me summarize that:
    I can use the "Compare local registry" feature to compare against selected baselines. Since that doesn't allow me to also compare stuff under HKLM\Security, I would need to export via

    secedit.exe /export /cfg export.inf

    and compare the values with the ones in the baseline. Then every setting should have been covered.

    Correct?
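
The comparison step described in the thread above, as an added example (not code from the page, from Microsoft's tools, or from the commenters): parse the .inf written by secedit.exe /export and report every expected setting that deviates or is missing. The sample export and the expected values are constructed for illustration and are not the real Windows 10 baseline.

```python
"""Compare a `secedit.exe /export /cfg export.inf` file against expected values.
Added example; sample export and expected values are constructed, not Microsoft's."""
import configparser
from typing import Dict, List, Tuple

# Constructed sample of a secedit export (real ones are UTF-16 LE with a BOM).
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-1-0
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed expected values keyed by (section, setting); not a real baseline.
BASELINE: Dict[Tuple[str, str], str] = {
    ("System Access", "MinimumPasswordLength"): "14",
    ("System Access", "PasswordComplexity"): "1",
    ("System Access", "LockoutBadCount"): "10",
    ("Privilege Rights", "SeNetworkLogonRight"): "*S-1-5-32-544,*S-1-5-32-555",
    ("Privilege Rights", "SeDenyNetworkLogonRight"): "*S-1-5-32-546",
}


def load_inf(data: bytes) -> configparser.ConfigParser:
    """Decode a secedit export (UTF-16 if it carries a BOM, else UTF-8) and parse it."""
    bom = data.startswith((b"\xff\xfe", b"\xfe\xff"))
    text = data.decode("utf-16") if bom else data.decode("utf-8")
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names case-sensitive (SeNetworkLogonRight etc.)
    cp.read_string(text)
    return cp


def _normalize(section: str, value: str):
    """User-rights values are unordered SID lists, so compare them as sets."""
    value = value.strip().strip('"')
    if section == "Privilege Rights":
        return frozenset(v.strip() for v in value.split(",") if v.strip())
    return value


def compare(inf_bytes: bytes, baseline=BASELINE) -> List[Tuple[str, str, str]]:
    """Return (setting, expected, actual) for each deviation; absent settings are reported
    with actual='<missing>' (an unset user right is itself a finding, not a pass)."""
    cp = load_inf(inf_bytes)
    findings = []
    for (section, key), expected in baseline.items():
        actual = cp.get(section, key, fallback=None)
        if actual is None:
            findings.append((key, expected, "<missing>"))
        elif _normalize(section, actual) != _normalize(section, expected):
            findings.append((key, expected, actual.strip()))
    return findings


if __name__ == "__main__":
    for key, expected, actual in compare(SAMPLE_INF.encode("utf-16")):
        print(f"{key}: expected {expected!r}, got {actual!r}")
```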
