Active Directory domain security hardening with Microsoft Security Compliance Manager (SCM). Twelve easy steps.

A step-by-step guide how to create, export and import Group Policy Objects with recommended security baselines for your domain.

The article provides a complete guide how to deploy the required GPO. The guide assumes that you deploy security baselines for Windows Server 2008 R2 SP1. You can easily adapt the guide for other versions of Windows.

Step 1. Prerequisites
Step 2. Domain Security Hardening GPO – Baseline design
Step 3. Domain Security Hardening GPO – Baseline export
Step 4. Domain Controllers Security Hardening GPO – Baseline customization
Step 5. Domain Controllers Security Hardening GPO – Baselines merge
Step 6. Domain Controllers Security Hardening GPO – Baselines export
Step 7. Member Servers Security Hardening GPO – Baseline design
Step 8. Member Servers Security Hardening GPO – Baseline export
Step 9. Target domain – GPO folders copying
Step 10. Target domain – The first GPO creation and settings import
Step 11. Target domain – Creation and import of two more GPO
Step 12. Target domain – GPO assignments


Step 1. Prerequisites

Download the latest version of the SCM tool from the Microsoft web site: http://technet.microsoft.com/en-us/library/cc677002.aspx.
Install SCM to your client computer.

Step 2. Domain Security Hardening GPO – Baseline design

Start Security Compliance Manager from the All Programs menu.



clip_image002

The main SCM window opens.

 
image
Expand Microsoft Baselines -> Windows Server 2008 R2 SP1 in the navigation pane. Select WS2008R2SP1 Domain Security Compliance 1.0.


clip_image002[9]
Review the highlighted values suggested by SCM. Change if needed.
 

Step 3. Domain Security Hardening GPO – Baseline export


clip_image002[11]
Select GPO backup (folder) task at the right pane.

 
image
Select a path to export the GPO and create a new folder named SCM Domain Security Hardening GPO.
 

clip_image006
GPO is exported to a folder.
Windows Explore opens automatically to display the folder.
The exported GPO will be later imported to a target domain.


Important note!
The highlighted values can be applied to a target domain only through a GPO that is linked to the root of the domain. The settings are NOT applied, if the GPO is linked to Domain Controllers OU.


 

Step 4. Domain Controllers Security Hardening GPO – Baseline customization

Domain controllers typically run Active Directory Domain Services and DNS services at the same time. Therefore we need a combined security baseline for these two services.
SCM includes two separate baselines that must be merged into a single one:
  • WS2008R2SP1 DNS Server Security Compliance 1.0
  • WS2008R2SP1 Domain Controller Security Compliance 1.1


clip_image002[13]
Review both baselines first and adjust if needed.



clip_image004[5]
Select the WS2008R2SP1 DNS Server Security Compliance 1.0 baseline.
The baseline for DNS servers contains only settings within the System Services section.
No customization is needed for this baseline.
 

clip_image006[5]
Select the WS2008R2SP1 Domain Controller Security Compliance 1.1 baseline.
The baseline for domain controllers is complicated and contains hundreds of settings.
 

Step 5. Domain Controllers Security Hardening GPO – Baselines merge

To merge the baselines follow the steps below.


clip_image008
1. Select the WS2008R2SP1 Domain Controller Security Compliance 1.1 baseline.
2. Click the Compare/Merge link at the right pane.

 
clip_image010
3. Select the WS2008R2SP1 DNS Server Security Compliance 1.0 and click OK.

 
clip_image012
The window compares two baseline settings. No changes here.
4. Click Merge Baselines.

 
clip_image014
5. Resolve conflicts between the baselines by selecting the highlighted options. Click OK.
 

clip_image016
6. Name the new custom baseline Security Hardening - Domain Controllers and DNS Servers. Click OK.

 
clip_image018
7. The new custom baseline appears under the Custom Baselines node in the main window of SCM.
 

Step 6. Domain Controllers Security Hardening GPO – Baselines export

You must export the custom baseline in order to use it later in an Active Directory domain.

clip_image020
1. Select the Security Hardening - Domain Controllers and DNS Servers GPO.
2. Select the GPO Backup (folder) link in the right pane.

 
image
Select Computer > C: and then click the Make New Folder button.
Name the new folder Security Hardening - Domain Controllers and DNS Servers baseline.
Click OK.

 
clip_image024
Windows Explorer opens and displays the newly created folder. 

Step 7. Member Servers Security Hardening GPO – Baseline design

Review the WS2008R2SP1 Member Server Security Compliance 1.1 baseline. It doesn’t require any customization or merging with another baseline.


Important note!
This security hardening  baseline contains couple of settings that may break your web applications, including SharePoint and MS SQL Server Reporting Services. Please test this baseline carefully within non-prod environment first.
 

 

Step 8. Member Servers Security Hardening GPO – Baseline export

You must export the WS2008R2SP1 Member Server Security Compliance 1.1 baseline in order to use it later in an Active Directory domain.

clip_image026
1. Select the WS2008R2SP1 Member Server Security Compliance 1.1.
2. Select the GPO Backup (folder) link in the right pane.

 
image
Select Computer > C: and then click the Make New Folder button.
Name the new folder Security Hardening – Member Servers GPO.
Click OK.

 
clip_image030
Windows Explorer opens and displays the newly created folder.

 

Step 9. Target domain – GPO folders copying

Logon to a domain controller of the target domain.
Copy exported GPO folders from remote computer to the drive C: of the domain controller.


clip_image002[15]
 

Step 10. Target domain – The first GPO creation and settings import

Open the Group Policy Management console.

image
1. Select the Group Policy Objects node.
2. From the Action menu select New.

 
clip_image006[7]
Type Security Hardening: Domain Security Compliance in the Name field.
Click OK.

 
clip_image008[5]
Select the newly created GPO.
Select Action > Import Settings… .

 
Import Settings Wizard window opens.

clip_image010[5]
Click Next.

 
clip_image012[5]
Click Next.

 
clip_image014[5]
Browse to the folder that contains exported GPO.
Click Next.
 

clip_image016[5]
Click Next.

 
clip_image018[5]
Click Next.

 
clip_image020[5]
Click Next.

 
clip_image022[5]
Click Finish.

 
clip_image024[5]
Click OK.
 

Step 11. Target domain – Creation and import of two more GPO

Repeat the Import Settings Wizard steps (see Step 10) for the other previously exported GPO:
  • Security Hardening – Domain Controllers and DNS Servers GPO;
  • Security Hardening – Member Servers GPO.


Step 12. Target domain – GPO assignments

Assign the newly created GPO according the table
GPO name Target
Security Hardening - Domain Security Compliance The domain root
Security Hardening - Domain Controllers and DNS Servers Domain Controllers OU
Security Hardening - Member Servers Servers OU



Unlink all other default GPO from the containers.
The domain Group Policy Objects assignments should look like this:
image

 

Conclusion

Domain security hardening process is not a complicated process when you use the right tools. Tricky thing, however, that every security hardening policy requires thorough testing in a non-prod environment. Especially if you deploy it in a domain where applications have already been installed and configured.

5 comments:

  1. Hello Mr Gorbunov

    Many thanks for your exceptional article which I am implementing as we speak .
    May I please enquire of you if I should remove the default domain policy from the Domains object ,I see many articles saying this should not be done ?

    Many Thanks
    Greg

    ReplyDelete
    Replies
    1. My preference for the new AD domains:
      - Leave the Default Domain Policy GPO untouched;
      - Create your own GPO that may override the Default Domain Policy settings, link the new GPO to the domain container;
      - Move the new GPO to the top of the list (i.e. increase priority, Link Order column); this step ensures that if there any conflicts between the Default Domain Policy and the new GPO, the new GPO will be applied.

      The other option could be merge of the Default Domain Policy settings into a new template within Security Compliance Manager and use these settings as a baseline.

      Btw, the original Default Domain Policy GPO contains only few settings that must be applied at the domain level: password policy and account lockout policy. And few settings for Kerberos, like 5 min tolerance against clock synchronization.

      Delete
  2. Hi Mr Gorbunov
    Once again many thanks ,I will do exactly what you have suggested above .
    Would I be correct in saying that as long as I know my local administrator user name and password I cant run in risk in being locked out of the domain once I have applied these new password policies etc..
    Thank you for your advice -
    Greg..

    ReplyDelete
    Replies
    1. The new password policies applied only when you change your password. If you have a password, that doesn't fit the policy, you cannot enforce the password "quality" until you start changing it.

      Local user accounts are not affected by the domain GPO; only Local GPO can enforce these settings. But one trick you can do is enforce local Administrator account properties through domain GPO (including renaming and assigning a unified password). Here is one of the samples: http://pc-addicts.com/change-local-administrator-password-with-group-policy/ .

      Delete
  3. Fantastic stuff ,many thanks for your help and your excellent work .
    I shall most certainly be following this website in the future .
    Kind regards
    Greg

    ReplyDelete