Nov 04 2020 02:07 AM - last edited on Nov 29 2021 08:13 AM by Allen
i am currently double checking my settings against the baseline (2012R2 DC) and i am just curious why there is not one "DC baseline".
There may be new features incoming with each new server OS. But if i configure it on a Win2kR2 DC - it will just ignore it as there is no program that will read this reg key.
Same with Win10 - if there is the newest security setting out but only affects 1909+ - the older OS will ignore it.
So bottom-line i do not understand why it is separated by OS instead of just the roles (member server, dc, client,..)
I would assign the newest baseline for the domain controller to the OU "Domain Controllers" without the WMI filter - in my understanding that cannot break anything because of the older OS in this OU?
Nov 23 2020 06:13 AM
@StephanGee in theory that would seem the easiest. However there have been various settings over the course of releases that do indeed change the behavior between OS versions and in those cases it would have caused everything from a crash to a less secure configuration. We explored this in the past and the safest way to avoid conflicts is to keep them separate.
Nov 24 2020 06:21 AM
Thanks for your answer. Do you have any hints how to do a perfect rollout?
Do it all at once because some settings rely on each other?
I do not have a 100 percent dev/test/prod lab to test all settings for a week or two - so i need clearance that even if it breaks something that after i disabled the GPO and performed a Gpupdate /force and a restart - it is back to "normal" (the way it was before)
Nov 24 2020 09:30 AM
@StephanGee in many cases you can roll back but there are certain 'tattoo' settings that do not automatically rollback. Also the security template settings do not roll back, they tattoo as well. Within GPMC you will see the icon is different for those settings that tattoo in GP (not security template). Take a look at the settings in the Security Compliance Toolkit area of the GPO and you should see them.
Every deployment is different so it's hard to give blanket advice. We are working on an attempt at an article that describes many different options but due to several factors I dont see it being completed till after the first of the year.
I will offer this, for client machines, I wouldn't expect you to have much of an issue but I would be careful applying the server config to an up and running server, especially if it already has various roles on it as you might run into an issue there where the security template will adjust user rights.
Nov 30 2020 06:20 AM
My biggest concern is that i should apply them all at once(?) so that one setting does not collide with another.
e.g. the SMB signing is forced on the one side but "disabled" on the other
Dec 01 2020 05:52 AM
@StephanGee testing is really however your organization feels comfortable. If you have an existing baseline your company uses then I would start with Policy Analyzer. This will help you identify where the different settings are. From there you need to make a risk based determination on how you role it out. I always recommend starting small and ensuring you dont break anything along the way.
Dec 03 2020 02:06 AM
Hi Rick. Yes - the policy analyzer is a great tool.
I have 2-3 critical settings that were set long time ago. But copied the DC to a Devlab and will test a few things out.
I came across settings like "IP Source Routing" also. But these are not available for me in the GPO.
Is it really necessary to execute the localgpo.wsf /ConfigSCE or are there just the admx somewhere that i can copy?
Dec 03 2020 10:56 AM
Don't run localgpo.wsf. The baseline downloads include ADMX/ADML files including the ones you need for some of those old MSS legacy settings, as well as for additional valuable settings exposed by the Security Compliance Toolkit. More information about the legacy MSS settings here:
Dec 03 2020 11:22 AM
Thanks. Yes i reviewed the WSF file and then decided not to deploy it. Even in my DEVLab ;)
I will try out the link you gave me. Appreciated
Jan 10 2021 11:25 PM
Thanks for all your help.
I am pushing the DC baseline step by step at the moment.
Another problem: I have some users with LM hashes. Is there an easy way to find out who so i can force them to change their password?
Feb 02 2021 11:03 PM
Just an update to get some information about some problems i came across (maybe other have them too)
MFP Printers vom HP need to be set to LDAPS with "simple bind" instead of Windows negotiation to work with "Channel binding" = "If supported"
Manage auditing and security log need "Exchange Servers" added to the ACL (if you have some) - or they will stop working (not immediately but within the next 2-3 days ;) )
Mar 18 2021 07:17 AM
Mar 20 2021 11:49 AM