INF vs GPO -- safe to use W2K8 INF templates?

  • Question

  • Hi,

    While I see the potential, and am looking forward to the Beta release, I need to lock down a W2K8 R2 Standalone server NOW to CIS/DHS STIG standards, as so far the SCM V2 doesn't get me there.  I have already had two Microsoft Premier Customer Support guys try to assist but both felt they needed to forward my ticket to someone else.  As others have commented, this tool would be truly valuable if we could convert the GPOs/baselines into exportable, usable .INF templates.

    One question no one has been able to answer so far:  Is it safe to configure a W2K8 R2 Enterprise server using the .INF templates provided in the Security Management Tool Kit for W2K8 dtd 2009?

    I understand that if I try to apply an existing W2K3 Bastion Host level .INF template to W2K8 R2 that it will break the system. 

    I managed to track down in my old security tool downloads, a copy of the W2K8 Security tools dtd 2009 which include INF templates.  Comparing the W2K8 sslf template to existing computer settings on the W2K8 R2 server using the local Analysis snap-in, this template appears to provide many of the critical settings needed.

    I have already spent considerable hours researching/modifying/saving settings in the provided SCM V2 baselines only to have just the Advanced Auditing settings take effect on the target server using the LocalGPO.wsf tool.

    And this was only after I did a GPO backup of the target server current GPO; importing that backup into the SCM tool and merging that GPO with a copy of the modified SSLF baseline; then backing up the merged GPO and applying that GPO backup locally to the target server.  The LocalGPO process reports that requisite INF and POL files are missing from the merged GPO backup files, and as such, no changes are made to the local policy affected by those files. BTW, I am running the SCM V2 on a Windows 7 Pro workstation and I copied/installed the LocalGPO.msi to the target server from the LocalGPO tool directory on the workstation. 

    The server local SCW and Server Role options also do not appear to meet my needs.  We are testing this W2K8 R2 system as a replacement host for our mission critical customized Oracle application, which currently runs on W2K3 Enterprise systems which run Apache web services and connect our users, via the application, to an Oracle 10g database hosted on a Unix system on the backend. BTW, we are also testing hosting this mission critical application on Suse Linux OS systems.

    Thursday, June 23, 2011 2:28 PM

All replies

  • I recommend against using security templates in the way you describe. I haven't seen the behavior you describe with the Local Policy Tool. The only issue I've ever had with it is actually caused by the GP engine, not LPT:

     

    1. Due to the way the group policy engine processes Advanced Audit Policy settings it may be necessary to manually force the local policy to be refreshed. To do so open gpedit.msc with administrator privileges and navigate to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policies\Audit Policies\Account Logon.

    2. Modify one of the policy settings by double-clicking on it, changing the value, and clicking OK.

    3. Return that policy setting to its original state by double-clicking on it, changing the value back to its previous value, and clicking OK.

     

    Would you mind zipping up the GPO backups you're working with and emailing them to us at secwish@microsoft.com?

     

    Regards,

     

    Kurt


    Kurt Dillard http://www.kurtdillard.com
    Thursday, June 23, 2011 7:30 PM
  • In regards to only the Advanced Audit policies taking effect on a WS08-R2... this is default behavior. In WS08-R2, the "Audit: Force audit policy subcategory settings" security option is enabled by default (this was not the case in WS08). This forces the computer to only observe\use Advanced Audit policy settings. Using the legacy Audit Policy settings in WS08/WS08-R2 is *not* recommended.
    Friday, July 8, 2011 1:21 PM
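
The question reports LocalGPO saying that the INF and POL files are missing from the merged GPO backup. As an added example (not posted by anyone in this thread), the PowerShell below lists which of the three machine-side policy files each backup folder actually contains. The function name, demo folder and GUID are constructed for illustration, and the relative paths assume the standard GPO backup layout.

```powershell
# Added example (not from the thread): list which machine policy files each GPO backup contains.
function Get-GpoBackupContent {
    param([Parameter(Mandatory = $true)][string]$BackupRoot)

    # Paths relative to <backup>\{GUID}\DomainSysvol\GPO in a standard GPO backup.
    $components = @(
        @{ Name = 'Security template (INF)'; Path = 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf' },
        @{ Name = 'Registry policy (POL)';   Path = 'Machine\registry.pol' },
        @{ Name = 'Advanced audit (CSV)';    Path = 'Machine\Microsoft\Windows NT\Audit\audit.csv' }
    )

    # Each backup lives in a folder named after its backup GUID.
    $backups = Get-ChildItem -Path $BackupRoot |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }

    foreach ($backup in $backups) {
        $gpoRoot = Join-Path $backup.FullName 'DomainSysvol\GPO'
        foreach ($c in $components) {
            $file  = Join-Path $gpoRoot $c.Path
            $bytes = 0
            $found = Test-Path -LiteralPath $file
            if ($found) { $bytes = (Get-Item -LiteralPath $file).Length }
            # One row per backup and component; a 0-byte file is present but empty.
            New-Object PSObject -Property @{
                Backup = $backup.Name; Component = $c.Name; Present = $found; Bytes = $bytes
            }
        }
    }
}

# Constructed sample: a backup tree that holds only audit.csv (placeholder content).
$root  = Join-Path $env:TEMP 'gpo-backup-demo'
$guid  = '{11111111-2222-3333-4444-555555555555}'   # constructed GUID
$audit = Join-Path $root "$guid\DomainSysvol\GPO\Machine\Microsoft\Windows NT\Audit"
New-Item -ItemType Directory -Path $audit -Force | Out-Null
Set-Content -Path (Join-Path $audit 'audit.csv') -Value 'constructed placeholder'

Get-GpoBackupContent -BackupRoot $root |
    Select-Object Backup, Component, Present, Bytes |
    Format-Table -AutoSize

# Remove the constructed demo tree.
Remove-Item -Path $root -Recurse -Force
```

To check real backups, call `Get-GpoBackupContent` with the folder that holds the `{GUID}` backup directories instead of the constructed demo tree.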