New & Updated Security Tools

Published Sep 03 2020 09:54 AM by Microsoft

It took us a little longer than we wanted, but we are finally ready to announce new versions of LGPO and Policy Analyzer, as well as two new tools, GPO2PolicyRules and SetObjectSecurity. These new and updated tools are now available on the Microsoft Download Center (https://www.microsoft.com/en-us/download/details.aspx?id=55319).

 

The goal is to keep this post as short as possible so let’s just jump into the details.

 

LGPO v3.0

Two new options were added to LGPO.exe. The first, /ef, enables the Group Policy extensions referenced in the backup.xml. The second, /p, imports settings directly from a .PolicyRules file, which removes the need to have the actual GPOs on hand. Additionally, LGPO.exe /b and /g now capture locally-configured client-side extensions (CSEs), which was a known issue previously. Lastly, /b also correctly captures all user rights assignments, overcoming a bug in the underlying “secedit.exe /export” that fails to capture user rights assignments that are granted to no one.

 

Policy Analyzer v4.0

The “Compare to Effective State” button has replaced the “Compare local registry” and “Local Policy” checkboxes that used to be in the Policy Analyzer main window. Press it to compare the selected baseline(s) to the current system state. If the selected baseline(s) contain any user configuration settings, they are compared against the current user’s settings. “Compare to Effective State” requires administrative rights if the selected baseline(s) include any security template settings or Advanced Auditing settings. The effective state corresponding to the selected baseline(s) settings is saved to a new policy rule set.

 


Policy Analyzer now captures information about Group Policy Client-Side Extensions (CSEs) when you import GPO backups. From a Policy Viewer window, choose View \ Client Side Extensions (CSEs) to view the Machine and User CSEs for each baseline in the Viewer. (Note that LGPO.exe’s improved support for CSEs includes the ability to apply CSE configurations from Policy Analyzer’s .PolicyRules files.)

 


Policy Analyzer now maps settings and sub-settings to display names more completely and more accurately, including mapping the GUIDs for Attack Surface Reduction (ASR) rules to their display names, and improved localization.

 

GPO2PolicyRules

You can now automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a new command-line tool that is included with the Policy Analyzer download. It takes two command-line parameters: the root directory of the GPO backup that you want to create a .PolicyRules file from, and the path to the new .PolicyRules file that you want to create. For example:

 

GPO2PolicyRules.exe C:\BaselinePkg\GPOs C:\Users\Analyst\Documents\PolicyAnalyzer\baseline.PolicyRules

 

SetObjectSecurity v1.0

SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation, as a REG_BINARY registry value.

 

Use cases include:

• Restoring the default security descriptor on the file system root directory (which sometimes gets misconfigured by some system setup tools)
• Restricting access to sensitive event logs that grant access too broadly (examples include the AppLocker and PowerShell script block logs, which grant read or read-write access to NT AUTHORITY\INTERACTIVE)
• Locking down (or opening access to) file shares, directories, and registry keys
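The event-log use case above, as an added check that is not part of the post or of SetObjectSecurity.exe itself: a read-only PowerShell function that parses each channel's security descriptor and reports the ACEs granting NT AUTHORITY\INTERACTIVE access, so you know which logs to tighten before applying a new descriptor. The default channel names are the standard Windows names for the AppLocker and PowerShell logs and are assumed to be present on the system.

```powershell
# Added example, not part of the original post or the toolkit: list event log channels
# whose channel security descriptor grants NT AUTHORITY\INTERACTIVE (S-1-5-4) access,
# the over-broad default the post calls out for the AppLocker and PowerShell logs.
# Read-only; run in an elevated PowerShell 5.1 (or later) session on Windows.

# Channel access mask bits for event log channels (ELF_LOGFILE_* rights).
$ElfRead  = 0x1
$ElfWrite = 0x2
$ElfClear = 0x4

function Get-InteractiveLogGrants {
    [CmdletBinding()]
    param(
        # Channels to inspect. Defaults are the channels the post names; assumed present.
        [string[]]$LogName = @(
            'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script',
            'Microsoft-Windows-PowerShell/Operational'
        ),
        # Principal to look for; INTERACTIVE by default.
        [System.Security.Principal.SecurityIdentifier]$Sid = 'S-1-5-4'
    )

    foreach ($name in $LogName) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) { Write-Warning "Channel not found: $name"; continue }

        # EventLogConfiguration.SecurityDescriptor is an SDDL string; parse it into ACEs.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $cfg.SecurityDescriptor
        if (-not $sd.DiscretionaryAcl) { continue }   # no DACL: nothing to report

        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only allow-ACEs carrying a SID matter here (skip deny and custom ACE types).
            if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if ($ace.SecurityIdentifier.Value -ne $Sid.Value) { continue }

            [pscustomobject]@{
                LogName    = $name
                Principal  = $Sid.Translate([System.Security.Principal.NTAccount]).Value
                AccessMask = '0x{0:X}' -f $ace.AccessMask
                CanRead    = [bool]($ace.AccessMask -band $ElfRead)
                CanWrite   = [bool]($ace.AccessMask -band $ElfWrite)
                CanClear   = [bool]($ace.AccessMask -band $ElfClear)
                Sddl       = $cfg.SecurityDescriptor
            }
        }
    }
}

# An empty result means none of the inspected channels grant INTERACTIVE access,
# so no SetObjectSecurity.exe change is needed for them.
Get-InteractiveLogGrants |
    Format-Table LogName, Principal, AccessMask, CanRead, CanWrite, CanClear -AutoSize
```

Pass -LogName (Get-WinEvent -ListLog *).LogName to sweep every channel on the host, or a different -Sid to check another broad principal such as Authenticated Users (S-1-5-11).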

 

SetObjectSecurity.exe is a 32-bit standalone executable that needs no installer, has no dependencies on redistributable DLLs, and works on all supported x86 and x64 versions of Windows. (x64 systems must support WOW64.)

 

Terms of Use

We have now included standard use terms for the tooling that is delivered as part of the Security Compliance Toolkit.

 

We continually try to process all your feedback and make improvements along the way, so please give the new and updated tooling a try and, as always, let us know any feedback in the comments below.

20 Comments
New Contributor

Neat stuff here.  It will be good to have an alternative when icacls.exe or Get-Acl | Set-Acl can't seem to get the job done.

It would be nice to have native 64-bit support for SetObjectSecurity so it will work in 64-bit Windows PE environments that don't have the WOW64 subsystem.

 

Occasional Contributor

Ooh. I didn't realize that WinPE doesn't have WOW64.

New Contributor

Yes and we use WinPE 64-bit exclusively ever since we moved from BIOS to UEFI for devices.  We don't even maintain a 32-bit WinPE image.  This is a challenge for things which still require 32-bit binaries to run.

Frequent Visitor

Does this version support parsing registry actions with "Secure key" or "soft"? It's quite a rare case; I can't find any examples.

Regular Visitor

@haitao2020 - the LGPO.exe parser recognizes those actions in a registry policy (e.g., registry.pol) file, but does not otherwise support them. If you /parse a registry.pol that contains those commands, LGPO.exe will output what it finds as comments (that is, preceded with semicolons). I don't think I've ever seen those actions. Look for and parse an example of a %USERPROFILE%\ntuser.pol -- those seem to contain Comment commands, which LGPO.exe treats the same way.

Valued Contributor

They are simple but useful and valuable tools.

One piece of feedback here: it would be nice to work on improving the UI and also add a GUI menu for those who are primarily using the CLI too.

We love both GUI and Commands and depending on use case we may use either.

Regular Visitor

Awesome and long awaited :) Thanks!

Occasional Visitor

Are there plans to convert the abilities of LGPO.exe into PowerShell and use an XML file for LGPO settings? It would make managing a large fleet of non-domain PCs much easier.

Microsoft

@GeneSias it's not on the radar currently but we can discuss it during the next planning session

Occasional Visitor

Thank you. This is a current gap in PowerShell today. Many people are writing PowerShell that then calls LGPO to do the actual work of updating Group Policy.

Occasional Visitor

Hi @Rick_Munck

Looks like the digital signature certificate for the lgpo.exe executable available here https://www.microsoft.com/en-us/download/details.aspx?id=55319 expired 5/2/2020. As a consequence, I can't use this tool to apply GPO backups remotely through third-party MDM or scripting. Is this something you can fix quickly?

Occasional Contributor

@Roch_Norwa - the signing certificate has expired, but the signature is timestamped so it remains valid. This is standard practice for digital signatures. Without timestamping, every program you run (and every DLL they depend upon) would need to be updated all the time. Is there something on your system that's actually blocking you from using LGPO.exe?

Occasional Visitor

Thanks Aaron, I think I found the reason. Our software was doing some security checks on the cert, requiring a specific Subject in the digital signature, but the latest LGPO.exe version does not match the old versions - it looks like it was changed - in the newest version there is an additional line in the subject of the certificate, "OU=MOPR".

Occasional Contributor

I'm not seeing that in the SubjectName nor IssuerName...

(Get-AuthenticodeSignature .\LGPO.exe).SignerCertificate ...

Occasional Visitor

[Screenshot of the certificate details attached]

Occasional Contributor

Oh - in the old one. Yes - the older version of the tool went through a different signing process and used a slightly different certificate. All of them are valid, though.

Occasional Visitor

It looks like you have to run Microsoft Security Toolkit on each server individually. Is there a guide to running the toolkit against a set of servers? We have 80+ servers so to run it on each would consume too much time.

Occasional Contributor

@DC_CB -

Are you applying policy or verifying policy? To apply policy, AD GPO is what the baselines primarily target and what they're designed for. If the servers aren't domain-joined, then local GPO and/or Desired State Configuration (DSC) are a couple of options staying within the Microsoft stack. (IMO, managing them with Tanium is your best option -- FULL DISCLOSURE: I work for Tanium :) )

 

Occasional Visitor

@AaronMargosis_Tanium 

We will be using it to verify policy for compliance reasons. All servers are joined to our AD.

Occasional Contributor

@DC_CB -- these free tools aren't designed for compliance verification at scale.

Version history
Last update:
‎Sep 04 2020 04:22 AM