Securing Windows environments with baselines

I recently held a webcast in Norwegian related to securing Windows with baselines and the changes to managing baselines after Microsoft announced the retirement of “Security Compliance Manager”. For more information: https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/

I promised to write a blog post containing the simple script I used to export the GPOs from my lab environment and import them to production.

Recording of the full presentation can be seen here (Norwegian only):

A quick summary of how I manage the baselines:

  1. A dummy server containing two copies of every Group Policy object: one that’s unchanged from the baseline and one that has my customizations configured. Having two makes it easier to compare my customizations against the default using PolicyAnalyzer.
  2. Export the baseline GPOs whose names contain a specific string from the dummy server.
  3. Import the baseline into the production environment, removing the specific string (“Test” in my case) from the name. If a policy with that name already exists, the current policy will be merged.
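
The export and import steps above, sketched with the GroupPolicy PowerShell module. This is an added example, not the script from the webcast; the function names, the `index.csv` file, the backup path and the domain name are assumptions, and only the “Test” marker comes from the post.

```powershell
#Requires -Modules GroupPolicy
# Added example, not the author's script. The 'Test' marker comes from the post;
# function names, index.csv and all paths are assumptions.

function Export-BaselineGpo {
    # Lab side: back up every GPO whose display name contains the marker.
    param(
        [Parameter(Mandatory)] [string] $BackupPath,
        [string] $Marker = 'Test'
    )
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    Get-GPO -All |
        Where-Object { $_.DisplayName -match [regex]::Escape($Marker) } |
        ForEach-Object { Backup-GPO -Guid $_.Id -Path $BackupPath } |
        Select-Object Id, DisplayName |
        Export-Csv -Path (Join-Path $BackupPath 'index.csv') -NoTypeInformation
}

function Import-BaselineGpo {
    # Production side: import each backup under its name with the marker removed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $BackupPath,
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Marker = 'Test'
    )
    foreach ($row in Import-Csv -Path (Join-Path $BackupPath 'index.csv')) {
        $target = ($row.DisplayName -replace [regex]::Escape($Marker), '').Trim()
        if (-not $target) { Write-Warning "Skipping '$($row.DisplayName)': empty target name"; continue }
        # Record whether the name is already in use; Import-GPO then applies
        # the backup's settings to that existing GPO instead of creating one.
        $existed = [bool](Get-GPO -Name $target -Domain $Domain -ErrorAction SilentlyContinue)
        if ($PSCmdlet.ShouldProcess($target, "Import settings from '$($row.DisplayName)'")) {
            Import-GPO -BackupId $row.Id -Path $BackupPath -TargetName $target `
                       -Domain $Domain -CreateIfNeeded | Out-Null
        }
        [pscustomobject]@{ Source = $row.DisplayName; Target = $target; ExistedBefore = $existed }
    }
}

# Lab:        Export-BaselineGpo -BackupPath 'C:\GPOBackup'
# Production: Import-BaselineGpo -BackupPath 'C:\GPOBackup' -Domain 'corp.example' -WhatIf
```

Running the import with `-WhatIf` first lists each target name and whether it already exists in production, without changing any GPO.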

The “Security Compliance Toolkit” can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=55319

I also promised to do some generalizations in my script prior to publishing but it’s almost been two weeks since my webcast and I haven’t had the time yet. The script is only intended for demonstration purposes and should not be used in production environments without adjusting the code.

That’s it.

Published by

Karim El-Melhaoui

Working as a Technical Architect in Advania Norway with focus on Microsoft Infrastructure, Cloud and security. My daily tasks are advisory, design and implementation of products and security measures for companies. Continuously focusing on developing my skillset and staying up to date with the newest in technology. Microsoft Certified Trainer, MCSE Cloud Platform & Infrastructure and Mobility, MCSA Windows Client, Server and Office 365.
