kras99 - stock.adobe.com
Secure Windows with Microsoft's Security Compliance Toolkit
Learn how to work with the tools and security baselines provided by Microsoft to tighten the defenses in the Windows environment.
Busy Microsoft admins need all the help they can get, particularly in security-related areas.
An improper configuration can cascade into a lapse in security and cause untold damage to the enterprise, or put the organization under intense scrutiny if it fails a compliance audit. Microsoft offers the Microsoft Security Compliance Toolkit to identify problems with infrastructure settings so that admins can shut these gaps to maintain a consistent security posture and avoid disruption.
What is the Microsoft Security Compliance Toolkit?
The Microsoft Security Compliance Toolkit is a set of tools that admins can use to compare existing Group Policy Objects (GPOs) against Microsoft's recommended security baselines.
Administrators can see if their organization's policies differ from Microsoft's suggestions and can apply more secure policy settings if necessary. The tools are suitable for local GPOs and Active Directory. The Security Compliance Toolkit also includes a tool to reset the security descriptor for almost any object.
The toolkit enables admins to edit GPOs, store them in GPO backup format, and apply them via domain controllers or test environments to check for issues.
How to use the Microsoft Security Compliance Toolkit
Admins can download the Security Compliance Toolkit from Microsoft's site, which hosts zip files that correspond to the security baseline packages for Windows Server, Windows 10, Windows 11, Microsoft 365 Apps for Enterprise and Microsoft Edge. The other files are the Policy Analyzer, Local Group Policy Object utility and Set Object Security application.
Policy Analyzer tool
The Policy Analyzer compares sets of GPOs -- such as the security baselines provided by Microsoft -- and checks against a system's local security policy and registry settings. The Policy Analyzer checks for inconsistencies and redundant settings, and tracks changes by comparing baselines taken at different times.
Start by creating a policy rules file with the organization's current policy settings. The easiest method is to open the Group Policy Management Console (GPMC), right-click on a GPO and select Back Up from the shortcut menu.
Next, launch the Policy Analyzer. Click the Add button and select the Add files from GPO(s) command from the File menu. Select the folder that corresponds to the GPO backup and load it by clicking the Import button.
Next, enter a name when prompted for a policy rules file and click Save. The main Policy Analyzer screen will open. The console contains buttons used to view or compare the policy settings and to compare the policy settings to the effective state.
Microsoft recently packaged the GPO2PolicyRules utility with Policy Analyzer. GPO2PolicyRules automatically converts GPO backups to Policy Analyzer rules files.
Use it by running GPO2PolicyRules.exe from a command prompt, followed by the desired GPO backup and the output file that you want to create.
Local Group Policy Object tool
The Local Group Policy Object (LGPO) tool runs from the command line and manages the system's local security policy. This tool offers several capabilities related to local policy settings:
- Import and apply settings. The tool works with several sources, including registry policy files, security templates, auditing backups and LGPO text files.
- Policy backup. Export local policy to a GPO backup for safekeeping and deployment to other systems.
- Verification. Run a check of Group Policy settings before widespread deployment.
- Non-domain system management. Automate configuration and deployment across multiple systems not connected to the domain.
The LGPO tool's syntax is relatively complex, as it supports numerous parameters. You can view the full syntax by running LGPO.exe from a command prompt.
For example, to create a backup of a local GPO, enter this command:
LGPO.exe /b <path> /n <group policy name>
Set Object Security tool
Set Object Security applies a security descriptor to files, folders, SMB shares or nearly any other type of object. A common use is to restore the default security descriptor to a system's root folder.
To use the tool, run the SetObjectSecurity.exe command, followed by several parameters:
- ObjType. The type of object to secure, such as FILE, KEY, eventlog, printer, share or kobject, to name a few. Object types are case sensitive.
- ObjName. The name of the object to secure, such as a file, folder or registry key.
- SDDL. The SDDL is the security descriptor to apply, written in Security Descriptor Definition Language. Use a tool such as AccessChk to get the SDDL from an object.
The following example shows the Set Object Security tool executing a set of policy rules that were converted from a GPO backup:
SetObjectSecurity.exe FILE C:\ "O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:P(ML;OINPIO;NW;;;HI)"How to apply security baselines to Windows Server
Before executing any changes to a production system, admins should follow best practices and test deploying the security baselines to Windows Server systems in a nonproduction environment.
To use Microsoft's recommended security configuration baselines for Windows Server versions before Windows Server 2025, download the Microsoft Security Compliance Toolkit files used to configure Group Policy settings. The files contain documentation, Group Policy reports, GPOs for different setups, PowerShell scripts to assist with the deployment, and GPO templates in ADMX and ADML formats.
To start, open GPMC and open Group Policy Management.
Next, right-click on Group Policy Objects in the domain and forest to create the GPO, then rename the GPO to give it a descriptive name based on the baseline name.
Right-click on the GPO and choose Import Settings, then select the baseline GPO for the server role from the folder with the extracted security baseline files.
Link the GPO to the domain or the organizational unit, then enable the GPO settings. Run the following command to force the Group Policy update on the test system:
gpupdate /forceCheck the event log for any errors related to Group Policy.
New security baseline method arrives with Windows Server 2025
With Windows Server 2025, Microsoft introduced the OSConfig platform to apply a desired state configuration for security baselines.
Microsoft integrated security baselines into the OS via the OSConfig PowerShell module, which removes the need to download files. The native PowerShell tooling updates the settings with one command rather than requiring multiple tools. OSConfig also features an automated method to keep systems within compliance with a drift control mechanism.
Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.
