How to implement security best practices that the Advisor service recommends

The [[Microsoft Security Compliance Manager (SCM)]] engineering team is constantly improving the tool and maintains this article to share the latest release information and known issues.

This article explains your options for implementing the security settings recommended in the Advisor service. There are several methods that you can use to implement the security settings. Each has its own distinct advantages and disadvantages that are described below. Instructions and links to further information are also provided.

This document describes the following three primary methods for implementing the security settings recommended in the Advisor service:

  • Use the Local Group Policy Editor. This is an effective method to modify or correct a small number of security settings, but it is also the most time-consuming approach if you are configuring more than a handful of them.
  • Apply GPO Backups Locally. This method is ideal if you wish to apply or re-apply all settings on computers that are not joined to an Active Directory® Domain Services (AD DS) domain.
  • Apply GPO Backups Using Active Directory Group Policy. This is the best method for applying or re-applying settings on domain-joined computers.


Important

Any changes that you make locally with either the GPO backups or the Local Group Policy Editor will be superseded by any settings that are configured in domain-based Group Policy.


Use the Local Group Policy Editor

One way that you can apply the settings is to modify the local Group Policy using the Local Group Policy Editor console. This method is effective if you are managing all of the security settings locally, you have already applied them, and you only need to adjust a small number of settings. If you need to modify numerous settings, this approach is slower than the other two methods described in this article, and it is also much more prone to error.

To open the Local Group Policy Editor console


1.   Log on to the computer as an administrator.

2.   On the computer, click Start, then in the Start Search box, type gpedit.msc.

3.   In the list of search results, right-click gpedit.msc, and then choose Run as administrator to open the editor with full administrative privileges.

Note

If you are prompted for logon credentials, type your user name and password, and then press Enter.

4.   Navigate to the location of the setting you wish to adjust, double-click it, make the desired changes, and then click OK.


Apply GPO Backups Locally

In order to create, test, and deploy the security settings discussed in this guide, you must first download and then run the Windows® Installer (.msi) file for the Microsoft Security Compliance Manager (SCM) tool. You can then use this tool to view and customize Microsoft product baselines that include security settings to meet your organization’s unique requirements. You can also save baselines as Microsoft® Excel® workbooks for documentation purposes.

When you have completed a baseline using the SCM tool, you can save it as a Group Policy Object (GPO) backup file that you can import into AD DS to further test and ultimately deploy in your production network. For instructions on how to use this tool to accomplish these tasks, see the information available in the Help topics for the tool.

After installing the SCM tool, you can use it to export the recommended Microsoft settings as GPO backups. You can also install an additional utility that is included with SCM, the Local Policy Tool (LocalGPO), and use it to apply the GPO backups to the local Group Policy Object of each system you manage.


Note

For instructions on installing SCM, see the Microsoft Security Compliance Manager (SCM) - Getting Started wiki.


To create a GPO backup for configuring your computers to match the recommendations in Advisor


1.   On the computer, click Start, click All Programs, click Microsoft Security Compliance Manager, and then click Security Compliance Manager.

2.   In SCM, in the Baselines Library in the left pane, under Microsoft Baselines, expand the product name that matches the operating system running on the servers that you wish to configure. For example, if the servers are running Windows Server 2008 R2 SP1, then expand Windows Server 2008 R2 SP1.

3.   Select the Member Server Security Compliance baseline. If you selected Windows Server 2008 R2 SP1 in the previous step, then the full name of the baseline is WS2008R2SP1 Member Server Security Compliance.

4.   In the Actions pane on the right, under the Baseline group of actions, click Duplicate.

5.   In the Duplicate dialog box, specify a name and description for the new baseline, and click Save.

This produces a new, custom baseline that is a copy of the Member Server Security Compliance baseline.

6.   In the Baselines Library, navigate to Custom Baselines and then locate and select your custom baseline.

7.   At the top of the Baseline Information pane, which is the center pane in SCM, click the arrow symbol next to Advanced View to display this feature.

8.   In the upper-right of the Baseline Information pane, click the Group View button and select Simple View.

9.   In the Baseline Information pane, use the scroll bar if needed to expose the column labeled Severity, and then click this column name to sort all of the settings by severity level.

10.  In the Baseline Information pane, scroll to near the end of the list of settings and select all settings with a severity level of Optional. To do this, click the first setting with a severity level of Optional, press and hold the Shift key, and then click the last setting in the list with a severity level of Optional.

11.  In the Actions pane, under Setting, click Delete.

12.  On the confirmation dialog box asking if you want to delete the selected settings, click Yes.

13.  Now select all settings with a severity level of Important.

14.  In the Actions pane, under Setting, click Delete.

15.  On the confirmation dialog box asking if you want to delete the selected settings, click Yes.

Your custom baseline should now only contain settings with a severity level of Critical. This list matches the list of settings recommended by Advisor.

16.  In the Actions pane, under the Export group of actions, click GPO Backup (folder).

17.  In the Export GPO Backup (folder) dialog box, browse to the folder location where you want to export the GPO Backup files, or click the Make New Folder button to create a new folder, type a name for it, and then click OK.

The export operation produces a folder containing the GPO Backup files in the location that you specified on your computer.

Now that you have installed LocalGPO, you are ready to use it to apply the GPO backups that you created in SCM. Doing so modifies the local Group Policy of a computer: LocalGPO imports the settings from the GPO backup into the local Group Policy Object, which applies the recommended security setting values to the local policy.


To apply a GPO backup file to the local Group Policy


1.   Log on to the computer as an administrator.

2.   On the computer, click Start, click All Programs, and then open the LocalGPO folder.

3.   In the LocalGPO folder, right-click LocalGPO Command-line, and then choose Run as administrator to open the tool command prompt with full administrative privileges.

Note

If you are prompted for logon credentials, type your user name and password, and then press Enter.

4.   At the command prompt, type cscript LocalGPO.wsf /Path:<path> and then press Enter, where <path> is the path to the GPO backup that you created in the first procedure of this section.

Completing this procedure modifies the local security policy settings on the computer by using the values included in the GPO backup. You can use gpedit.msc to review the configuration of the updated local Group Policy on your computer.
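As an added example (not part of the original article or of the SCM/LocalGPO tools), the following PowerShell script runs the same LocalGPO command from an elevated prompt and exports the local security policy with secedit before and after, so the change can be reviewed as a diff instead of by browsing gpedit.msc. The LocalGPO install folder and the report directory are assumptions.

```powershell
# Added example: apply an SCM GPO backup with LocalGPO and diff the local
# security policy before and after. Paths below are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$BackupPath,              # folder exported from SCM (step 17)
    [string]$LocalGpoDir = "${env:ProgramFiles(x86)}\LocalGPO",     # assumed LocalGPO install folder
    [string]$ReportDir   = "$env:TEMP\localgpo-review"              # assumed location for the snapshots
)
$ErrorActionPreference = 'Stop'

# LocalGPO writes to the local Group Policy Object, so it must run elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}
if (-not (Test-Path (Join-Path $LocalGpoDir 'LocalGPO.wsf'))) {
    throw "LocalGPO.wsf not found under $LocalGpoDir"
}

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$before = Join-Path $ReportDir 'before.inf'
$after  = Join-Path $ReportDir 'after.inf'

# Snapshot the effective local security policy (account, audit,
# user-rights and security-options settings) before the import.
secedit /export /cfg $before /quiet | Out-Null

# Same command as step 4 of the procedure, run from the LocalGPO folder.
Push-Location $LocalGpoDir
try     { cscript //nologo LocalGPO.wsf "/Path:$BackupPath" }
finally { Pop-Location }
if ($LASTEXITCODE -ne 0) { throw "LocalGPO exited with code $LASTEXITCODE" }

# Refresh local policy so the second snapshot reflects the imported settings.
gpupdate /force | Out-Null
secedit /export /cfg $after /quiet | Out-Null

# Lines present only in one snapshot are the settings that changed:
# '=>' is the new value, '<=' the previous one.
Compare-Object (Get-Content $before) (Get-Content $after) |
    Sort-Object SideIndicator |
    Format-Table SideIndicator, InputObject -AutoSize
```

The secedit export covers the security-template portion of the policy; Administrative Template settings imported from the backup's registry.pol files are applied but do not appear in the diff.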

Apply GPO Backups Using Active Directory Group Policy

For computers that belong to an AD DS domain, this is the ideal method for applying the security settings because you can quickly apply all of the recommended settings to one or more computers using Active Directory-based Group Policy. However, to be effective and to avoid potentially difficult problems, it is important that you are familiar with Group Policy in general, and the Group Policy Management Console (GPMC) in particular, before proceeding.

For more information about using the GPMC to manage Group Policy, see the following resources:

1.   Group Policy Planning and Deployment

2.   Step-by-Step Guide for Microsoft Advanced Group Policy Management 3.0

3.   Windows Server Group Policy

Organizational units (OUs) provide an effective way to segment administrative boundaries for users and computers. An OU is a container within a domain that uses AD DS. An OU may contain users, groups, computers, and other OUs. If an OU contains other OUs, it is a parent OU. An OU within a parent OU is a child OU. You can link a GPO to an OU, which will then apply the GPO's settings to the users and computers that are contained in that OU and its child OUs. And to facilitate administration, you can delegate administrative authority to each OU.

Use the procedures discussed in the previously mentioned resources to place the servers into role-specific OUs; create a new, empty GPO; and link the new GPO to the OU. Create a separate GPO and link it to the root of the domain. Repeat the first procedure in the previous section, "Apply GPO Backups Locally," to create a GPO backup that you can import into AD DS.

In the GPMC, select the GPO linked to the OU where the managed servers have been placed, and then import the Member Server Security Compliance baseline.

To ensure that all of the settings apply to each of the servers, you must first refresh the GPO-based settings and then reboot each server.

First, use the gpupdate.exe tool to refresh policy so that the latest GPOs are downloaded from an AD DS domain controller and applied to the servers. Then restart each server so that all of the settings take effect.

While some Group Policy settings come into operation immediately, settings that affect how Windows authenticates users and computers, and some other types of settings, require a system restart before they come into force.

To refresh the Group Policy settings on each server

1.   Log on to the server as an administrator.

2.   On the computer, click Start, click All Programs, click Accessories, right-click Command Prompt, and then choose Run as administrator to open the command prompt with full administrative privileges.

Note

If you are prompted for logon credentials, type your user name and password, and then press Enter.

3.   At the command prompt, type gpupdate /force and press Enter.

4.   Wait for both the computer and the user policy to update.

5.   Restart the server.
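The GPMC procedure above, as an added PowerShell example (not the article's own instructions) built on the GroupPolicy module that installs with GPMC: it creates the GPO if needed, imports the SCM backup by its backup ID, links the GPO to the OU, and then refreshes and restarts the servers. The backup folder, GPO name, OU and server names are assumptions, and the remote steps assume WinRM is enabled on the servers and PowerShell 3.0 or later on the management host.

```powershell
# Added example: scripted equivalent of the GPMC steps for deploying an SCM
# GPO backup to a role-specific OU. All names below are assumptions.
Import-Module GroupPolicy

$backupPath = 'C:\SCM-Exports\AdvisorBaseline'        # assumed: folder from SCM step 17
$gpoName    = 'Advisor - Member Server Critical'      # assumed GPO display name
$targetOu   = 'OU=MemberServers,DC=corp,DC=example'   # assumed role-specific OU
$servers    = @('srv01', 'srv02')                     # assumed servers placed in that OU

# 1. Create the empty GPO unless one with this name already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'SCM baseline limited to Critical settings'
}

# 2. Import the SCM backup. A GPO backup folder holds one {GUID} subfolder per
#    backed-up GPO; using that ID avoids depending on the backup's display name.
$backupId = (Get-ChildItem -Path $backupPath -Directory |
             Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
             Select-Object -First 1).Name
if (-not $backupId) { throw "No GPO backup found under $backupPath" }
Import-GPO -BackupId ([guid]$backupId) -Path $backupPath -TargetName $gpoName | Out-Null

# 3. Link the GPO to the OU, skipping the step if a link is already present.
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 4. Refresh policy on each server and restart it so that settings which only
#    take effect at boot (authentication-related ones in particular) are applied.
foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ScriptBlock { gpupdate /force }
    Restart-Computer -ComputerName $server -Force -Wait -For PowerShell -Timeout 600
}

# 5. Keep an HTML report of the deployed GPO for change control.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```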

Please direct questions and comments to Security Solutions Questions & Feedback.