Posted by: kurtsh | September 7, 2020

RELEASE: New Group Policy & Security Baseline Tools for Microsoft Security Compliance Toolkit (Sept 2020)

Microsoft’s Security teams released 2 new updates & 2 new tools for folks maintaining security baselines for their organization's systems & users through the Security Compliance Toolkit.

This set of tools allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations. 

  • LGPO v3.0 (Local Group Policy Object utility)
    LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. It can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files and Policy Analyzer “.PolicyRules” XML files. It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.

  • Policy Analyzer v4.0
    Policy Analyzer is a lightweight utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies and can highlight the differences between versions or sets of Group Policies. It can also compare one or more GPOs against local effective state. You can export all its findings to a Microsoft Excel spreadsheet.
    Policy Analyzer lets you treat a set of GPOs as a single unit, and represents all settings in one or more GPOs in a single “.PolicyRules” XML file. You can also use .PolicyRules files with LGPO.exe v3.0 to apply those GPOs to a computer’s local policy, instead of having to copy GPO backups around.
    Treating a set of GPOs as a single unit also makes it easy to determine whether particular settings are
    duplicated across the GPOs or are set to conflicting values. You can capture an initial set and then
    compare it to a snapshot taken at a later time to identify changes anywhere across the set.

  • GPO2PolicyRules (Included in the Policy Analyzer v4.0 package/zip)
    You can now automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a new command-line tool that is included with the Policy Analyzer download. It takes two command-line parameters: the root directory of the GPO backup that you want to create a .PolicyRules file from, and the path to the new .PolicyRules file that you want to create.

  • SetObjectSecurity v1.0
    SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.
    Use cases include:

    • Restoring the default security descriptor on the file system root directory (which sometimes gets
      misconfigured by some system setup tools)
    • Restricting access to sensitive event logs that grant access too broadly (examples include
      AppLocker and PowerShell script block logs that grant read or read-write to NT
    • Locking down (or opening access to) file shares, directories, registry keys
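
The snapshot comparison described for Policy Analyzer, applied to the editable “LGPO text” export described for LGPO.exe, as an added example (not code from this post or from Microsoft's toolkit). It assumes the LGPO text layout of four lines per setting (configuration, registry key, value name, action) and uses constructed sample snapshots; `parse_lgpo_text` and `diff_snapshots` are hypothetical helper names.

```python
# Added example: diff two "LGPO text" snapshots to spot policy drift. Assumed layout:
# four lines per setting (configuration, key, value name, action); ';' starts a comment.
def parse_lgpo_text(text):
    """Return {(config, key, value_name): action}, case-folded like the registry."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if len(lines) % 4:
        raise ValueError("incomplete setting: expected groups of four lines")
    settings = {}
    for i in range(0, len(lines), 4):
        config, key, name, action = lines[i:i + 4]
        if config.lower() not in ("computer", "user"):
            raise ValueError(f"unexpected configuration line: {config!r}")
        settings[(config.lower(), key.lower(), name.lower())] = action
    return settings

def diff_snapshots(before, after):
    """Return settings added, removed, or changed between two parsed snapshots."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = sorted((k, before[k], after[k])
                     for k in before if k in after and before[k] != after[k])
    return {"added": added, "removed": removed, "changed": changed}

# Constructed sample snapshots (not taken from any published baseline).
BASELINE = r"""
; constructed baseline snapshot
Computer
Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
EnableScriptBlockLogging
DWORD:1
Computer
Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD:1
"""
LATER = r"""
Computer
SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
EnableScriptBlockLogging
DWORD:0
User
Software\Policies\Microsoft\Windows\Control Panel\Desktop
ScreenSaverIsSecure
SZ:1
"""

if __name__ == "__main__":
    print(diff_snapshots(parse_lgpo_text(BASELINE), parse_lgpo_text(LATER)))
```

A changed entry that moves a logging or protection setting from 1 to 0, or a removed entry, is the kind of drift worth reviewing before the later snapshot is applied anywhere.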

Note: The downloadable package also includes Security baselines for:

  • Microsoft Edge v85
  • Office 365 ProPlus Sept 2019
  • Windows 10
    • 2004, 1909, 1903, 1809, 1803, 1709, 1607, 1507
  • Windows Server
    • 2004, 1909, 1903, 1809, 1607, 2012R2

Download & read about the tools here:

