Securing Windows environments with baselines

I recently held a webcast in Norwegian related to securing Windows with baselines and the changes to managing baselines after Microsoft announced the retirement of the “Security Compliance Manager”. For more information: https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/

I promised to write a blog post containing the simple script I used to export the GPOs from my lab environment and import them to Production.

A recording of the full presentation can be seen here (Norwegian only):

A quick summary of how I manage the baselines:

  1. A dummy server containing all Group Policy objects twice: one copy that is unchanged from the baseline and one that has my customizations configured. The reason for having two is that it makes it easier to compare the differences between my customizations and the defaults using PolicyAnalyzer.
  2. Export the baseline GPOs whose names contain a specific string from the dummy server.
  3. Import the baseline into the production environment, removing the specific string (“Test” in my case) from the name. If a policy with that name already exists, the current policy will be merged.
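
The export/import steps above, written out as an added example (this is not the author's script, which is not included in the post). It assumes the GroupPolicy module (RSAT/GPMC) is available, that the account running it has GPO rights in both domains, and that the domain names, the UNC backup share and the `Test` marker are placeholders to adjust; run it with `-WhatIf` first to see what would be backed up and imported.

```powershell
#Requires -Modules GroupPolicy
# Added example: export lab GPOs tagged with a marker string, then import
# them into production under the same name with the marker removed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Marker     = 'Test',                     # tag on the customised lab copies
    [string]$BackupPath = '\\fileserver\GPOBackups',  # hypothetical share, reachable from both sides
    [string]$LabDomain  = 'lab.example.local',        # hypothetical lab domain (dummy server)
    [string]$ProdDomain = 'corp.example.local'        # hypothetical production domain
)

Import-Module GroupPolicy -ErrorAction Stop

# Only the customised copies carry the marker; the untouched baseline copies
# stay in the lab for PolicyAnalyzer comparisons.
$labGpos = Get-GPO -All -Domain $LabDomain |
    Where-Object { $_.DisplayName -like "*$Marker*" }

if (-not $labGpos) {
    throw "No GPOs matching '*$Marker*' found in $LabDomain"
}

foreach ($gpo in $labGpos) {
    # Production name: strip the marker, collapse the double space it leaves behind.
    $targetName = (($gpo.DisplayName -replace [regex]::Escape($Marker), '') -replace '\s{2,}', ' ').Trim()

    if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Back up to $BackupPath")) {
        Backup-GPO -Guid $gpo.Id -Domain $LabDomain -Path $BackupPath `
                   -Comment "Baseline export $(Get-Date -Format s)" | Out-Null
    }

    if ($PSCmdlet.ShouldProcess("$ProdDomain\$targetName", "Import settings from backup '$($gpo.DisplayName)'")) {
        # -BackupGpoName picks the most recent backup with that display name in $BackupPath;
        # -CreateIfNeeded creates the production GPO when it does not exist yet.
        Import-GPO -BackupGpoName $gpo.DisplayName -Path $BackupPath `
                   -TargetName $targetName -Domain $ProdDomain -CreateIfNeeded | Out-Null
        Write-Verbose "Imported '$($gpo.DisplayName)' -> '$targetName' in $ProdDomain"
    }
}
```

The imported GPOs are created unlinked, so linking them to the right OUs in production remains a separate, deliberate step.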

The “Security Compliance Toolkit” can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=55319

I also promised to do some generalizations in my script prior to publishing, but it’s been almost two weeks since my webcast and I haven’t had the time yet. The script is only intended for demonstration purposes and should not be used in production environments without adjusting the code.

That’s it.