Establish a Windows Security Baseline with Microsoft Security Compliance Toolkit

Microsoft Security Compliance Toolkit helps organizations fine-tune Windows security.

Brien Posey

June 29, 2020


Although Windows is designed to be secure by default, there are different degrees of security. A financial institution, for example, requires a far different level of security than the average home user. As such, Microsoft has designed Windows so that you can use Group Policy settings and other tools to achieve the level of security that is required for your own use case. Of course, even though Microsoft leaves it up to you to configure Group Policy settings as you see fit, it does provide recommendations for how those settings should be configured. This is where the Microsoft Security Compliance Toolkit comes into play.

The Microsoft Security Compliance Toolkit includes a tool called the Microsoft Policy Analyzer. The Policy Analyzer can actually do a lot of different things. For instance, many organizations use it to track how their Group Policy settings evolve over time. However, you can also use it to compare your Group Policy settings against those recommended by Microsoft.

The Microsoft Security Compliance Toolkit also has an option to download the Windows Security Baselines. These baselines contain a series of Group Policy templates that have been configured according to Microsoft’s recommendations. You can use the Policy Analyzer to compare these template files against your own Group Policy settings to see where the differences lie.

Both the Policy Analyzer and the Security Baselines are encapsulated in ZIP files. Download both, and extract their contents. When you are done, run the PolicyAnalyzer.exe file. You can see what the Policy Analyzer tool looks like in Figure 1.


Figure 1

This is what the Policy Analyzer tool looks like.

Click the Add button and you will be taken to the Policy File Importer screen. This is where you will import the baseline Group Policy objects provided by Microsoft. To do so, choose the Add Files from GPOs command from the File menu, as shown in Figure 2. When prompted, go to the folder containing the security baselines that you downloaded, select the GPOs folder, and click the Select Folder button.


Figure 2

Choose the option to add files from GPOs.

At this point, you will see the Policy File Importer filled with the various policies that are found in the GPOs folder, as shown in Figure 3. Choose the policy that most closely matches the operating system that is running on the system that you are evaluating, and then click the Import button. Be sure to pay attention to the Policy Type column. There are several different types of policies (user, computer, etc.). You can import multiple policy types if you so desire.


Figure 3

Choose the policy that you want to compare against the current system.

The Policy Analyzer will now prompt you to save the policies that you are importing as a policy rules file. Enter a filename to use, and then click Save. I recommend using a descriptive name that reflects the system that you are analyzing. Upon saving the policy rules file, you should see it displayed within the Policy Analyzer, as shown in Figure 4.


Figure 4

The policy rules file now appears within the Policy Analyzer.

Now that we have imported Microsoft’s baseline policy settings, we need to import the policy settings that we want to compare against them. The method used to do this varies slightly depending on the version of Windows you are using and on the type of Group Policy object you are evaluating. For the purpose of this article, I will show you how to evaluate a domain policy.

Open Server Manager, then launch the Group Policy Management tool. Next, navigate through the console tree to Group Policy Management | Forest | Domains | [your domain] | Group Policy Objects. Now, right-click on the Group Policy Objects container and choose the Back Up All command from the shortcut menu. You can see what this looks like in Figure 5.


Figure 5

You will need to create a backup of your Group Policy objects.
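
The Back Up All step can also be scripted so that the comparison is repeatable. The PowerShell below is an added example, not part of the original article: it assumes the GroupPolicy module (installed with the Group Policy Management tools) and a hypothetical C:\GPOBackups destination, and it lists the registry.pol, GptTmpl.inf and audit.csv files found in each backup, which hold a GPO's registry, security-template and audit settings.

```powershell
# Added example (not from the article): script the "Back Up All" step and
# inventory the policy files in each GPO backup.
# Assumes the GroupPolicy module and read access to the domain's GPOs.
Import-Module GroupPolicy

# Hypothetical destination; one timestamped folder per run keeps backups apart.
$backupRoot = Join-Path 'C:\GPOBackups' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Equivalent of right-clicking Group Policy Objects and choosing Back Up All.
$backups = Backup-GPO -All -Path $backupRoot -Comment 'Baseline comparison'

# Files inside a GPO backup that carry policy settings.
$policyFiles = 'registry.pol', 'GptTmpl.inf', 'audit.csv'

$inventory = foreach ($b in $backups) {
    # Each backup lands in a subfolder named after the backup ID in braces.
    $dir = Join-Path $backupRoot $b.Id.ToString('B')
    $found = Get-ChildItem -Path $dir -Recurse -File |
        Where-Object { $policyFiles -contains $_.Name }

    if (-not $found) {
        # No policy files were found in this backup.
        [pscustomobject]@{ GPO = $b.DisplayName; Scope = '-'; File = '(none)' }
        continue
    }
    foreach ($f in $found) {
        # Files under DomainSysvol\GPO\User are user policy; the rest are computer policy.
        $scope = if ($f.FullName -match '\\DomainSysvol\\GPO\\User\\') { 'User' } else { 'Computer' }
        [pscustomobject]@{ GPO = $b.DisplayName; Scope = $scope; File = $f.Name }
    }
}

$inventory | Sort-Object GPO, Scope, File | Format-Table -AutoSize
Write-Host "Folder to select in Policy Analyzer (Add Files from GPOs): $backupRoot"
```

The Scope column corresponds to the user and computer policy types that the Policy File Importer shows in its Policy Type column.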

Now, close the Group Policy Management Console and the Server Manager, and go back to the Policy Analyzer. Click the Add button once again, and choose the Add Files from GPOs option from the File menu. Choose the folder containing the Group Policy settings that you just backed up. When prompted, choose to import all of the policies from that location. Once again, you will need to save a policy rules file. When you are done, both collections of rules will appear within the Policy Analyzer, as shown in Figure 6.


Figure 6

Two sets of policy rules are now loaded into the Policy Analyzer.

Finally, click the View/Compare button. Upon doing so, the Policy Viewer will show you a comparison of the policy settings on your domain controller and the settings found within the Microsoft baseline. You can see what this looks like in Figure 7.


Figure 7

I am comparing my domain controller against the Microsoft security baseline.


About the Author

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.

https://brienposey.com/
