Although Windows is designed to be secure by default, there are different degrees of security. A financial institution, for example, requires a far different level of security than the average home user. As such, Microsoft has designed Windows so that you can use Group Policy settings and other tools to achieve the level of security that is required for your own use case. Of course, even though Microsoft leaves it up to you to configure Group Policy settings as you see fit, it does provide recommendations for how those settings should be configured. This is where the Microsoft Security Compliance Toolkit comes into play.
The Microsoft Security Compliance Toolkit includes a tool called the Microsoft Policy Analyzer. The Policy Analyzer can actually do a lot of different things. For instance, many organizations use it to track how their Group Policy settings evolve over time. However, you can also use it to compare your Group Policy settings against those recommended by Microsoft.
The Microsoft Security Compliance Toolkit also has an option to download the Windows Security Baselines. These baselines contain a series of Group Policy templates that have been configured according to Microsoft’s recommendations. You can use the Policy Analyzer to compare these template files against your own Group Policy settings to see where the differences lie.
Both the Policy Analyzer and the Security Baselines are encapsulated in ZIP files. Download both, and extract their contents. When you are done, run the PolicyAnalyzer.exe file. You can see what the Policy Analyzer tool looks like in Figure 1.
Figure 1: This is what the Policy Analyzer tool looks like.
Click the Add button and you will be taken to the Policy File Importer screen. This is where you will import the baseline Group Policy objects provided by Microsoft. To do so, choose the Add Files from GPOs command from the File menu, as shown in Figure 2. When prompted, go to the folder containing the security baselines that you downloaded, select the GPOs folder, and click the Select Folder button.
Figure 2: Choose the option to add files from GPOs.
At this point, you will see the Policy File Importer filled with the various policies that are found in the GPOs folder, as shown in Figure 3. Choose the policy that most closely matches the operating system that is running on the system that you are evaluating, and then click the Import button. Be sure to pay attention to the Policy Type column. There are several different types of policies (user, computer, etc.). You can import multiple policy types if you so desire.
Figure 3: Choose the policy that you want to compare against the current system.
The Policy Analyzer will now prompt you to save the policies that you are importing as a policy rules file. Enter a filename to use, and then click Save. I recommend using a descriptive name that reflects the system that you are analyzing. Upon saving the policy rules file, you should see it displayed within the Policy Analyzer, as shown in Figure 4.
Figure 4: The policy rules file now appears within the Policy Analyzer.
Now that we have imported Microsoft’s baseline policy settings, we need to import the policy settings that we want to compare against them. The method used to do this varies slightly depending on the version of Windows you are using and on the type of Group Policy object you are evaluating. For the purpose of this article, I will show you how to evaluate a domain policy.
Open Server Manager, then launch the Group Policy Management tool. Next, navigate through the console tree to Group Policy Management | Forest | Domains |
Figure 5: You will need to create a backup of your Group Policy objects.
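The same backup can be scripted instead of taken through the Group Policy Management Console. The following PowerShell is an added example, not part of the original article; it assumes the GroupPolicy module that ships with the Group Policy Management tools, and `C:\GPOBackups` and `manifest.csv` are placeholder names.

```powershell
#Requires -Modules GroupPolicy
# Added example: back up every GPO in the current domain so the folder can be
# imported into Policy Analyzer with "Add Files from GPOs".
# Assumptions: run from a domain-joined machine with read access to the GPOs;
# $BackupRoot is a placeholder path.

$BackupRoot = 'C:\GPOBackups'
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$Target     = Join-Path $BackupRoot $Stamp

# One timestamped folder per run keeps earlier backups available for
# tracking how the settings change over time.
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Each GPO is written to its own {GUID}-named subfolder under $Target.
$backups = Backup-GPO -All -Path $Target -Comment "Policy Analyzer comparison $Stamp"

# The subfolder names are backup IDs, not GPO names, so record the mapping.
$backups |
    Sort-Object DisplayName |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $Target 'manifest.csv') -NoTypeInformation

# Confirm that every GPO in the domain is present in the backup set.
$missing = Get-GPO -All | Where-Object { $_.Id -notin $backups.GpoId }
if ($missing) {
    Write-Warning ("Not backed up: " + (($missing.DisplayName | Sort-Object) -join ', '))
} else {
    Write-Output ("Backed up {0} GPOs to {1}" -f @($backups).Count, $Target)
}
```

Point the Add Files from GPOs command at the timestamped folder the script creates. A GPO backup exposes the domain's security configuration, so keep the folder readable only by administrators.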
Now, close the Group Policy Management Console and the Server Manager, and go back to the Policy Analyzer. Click the Add button once again, and choose the Add Files from GPOs option from the File menu. Choose the folder containing the Group Policy settings that you just backed up. When prompted, choose to import all of the policies from that location. Once again, you will need to save a policy rules file. When you are done, both collections of rules will appear within the Policy Analyzer, as shown in Figure 6.
Figure 6: Two sets of policy rules are now loaded into the Policy Analyzer.
Finally, click the View/Compare button. Upon doing so, the Policy Viewer will show you a comparison of the policy settings on your domain controller and the settings found within the Microsoft baseline. You can see what this looks like in Figure 7.
Figure 7: I am comparing my domain controller against the Microsoft security baseline.