In the ever-evolving landscape of cybersecurity, Microsoft provides a vital resource for administrators tasked with safeguarding their organizations. The Microsoft Security Compliance Toolkit serves as an essential ally, enabling IT professionals to identify and rectify potential vulnerabilities within their infrastructure. A single misconfiguration can lead to significant security breaches or compliance failures, making the toolkit’s role in maintaining a robust security posture all the more critical.
What is the Microsoft Security Compliance Toolkit?
The Microsoft Security Compliance Toolkit is a comprehensive suite of tools designed for administrators to assess their existing Group Policy Objects (GPOs) against Microsoft’s recommended security baselines. This toolkit empowers administrators to pinpoint discrepancies between their organization’s policies and Microsoft’s guidelines, allowing them to implement more secure settings as needed. It is compatible with both local GPOs and Active Directory, and it includes a utility for resetting security descriptors across various objects.
With this toolkit, administrators can edit GPOs, back them up in GPO format, and apply them through domain controllers or testing environments to proactively identify issues.
How to use the Microsoft Security Compliance Toolkit
To get started, administrators can download the Security Compliance Toolkit from Microsoft’s website, where zip files corresponding to security baseline packages for Windows Server, Windows 10, Windows 11, Microsoft 365 Apps for Enterprise, and Microsoft Edge are readily available. The toolkit also includes the Policy Analyzer, Local Group Policy Object utility, and Set Object Security application.
Policy Analyzer tool
The Policy Analyzer is a powerful tool that compares sets of GPOs, such as Microsoft’s security baselines, against a system’s local security policy and registry settings. It identifies inconsistencies and redundant settings while tracking changes over time.
To begin, create a GPO backup holding the organization’s current policy settings: open the Group Policy Management Console (GPMC), right-click the GPO, and select Back Up from the menu. Policy Analyzer converts this backup into a policy rules file in the next step.
Next, launch the Policy Analyzer, click the Add button, and choose Add files from GPO(s) from the File menu. Select the folder corresponding to the GPO backup and click Import.
When prompted, enter a name for the policy rules file and click Save. The main Policy Analyzer screen will display, featuring buttons to view or compare policy settings and assess their effectiveness.
Recently, Microsoft has packaged the GPO2PolicyRules utility with the Policy Analyzer; it converts a GPO backup into a Policy Analyzer rules file without going through the import dialog. To use it, run GPO2PolicyRules.exe from a command prompt, giving it the GPO backup folder and the name of the rules file to create.
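The backup-and-convert steps above as a script, added here as an example and not taken from the article or the toolkit. It assumes the Policy Analyzer zip is extracted to $ToolkitDir, that the GPO name is a placeholder, and that GPO2PolicyRules.exe takes -p for the backup folder and -o for the output file (confirm with the utility's own help if your toolkit version differs).

```powershell
# Added example (not from the article): back up a domain GPO with the GroupPolicy
# module and turn the backup into a Policy Analyzer rules file with GPO2PolicyRules.exe.
# Assumptions: $ToolkitDir holds the extracted Policy Analyzer files, $GpoName is a
# placeholder, and GPO2PolicyRules.exe accepts -p <GPO backup folder> -o <output file>.
param(
    [string]$GpoName    = 'Example Workstation Policy',   # placeholder display name
    [string]$BackupRoot = 'C:\GPOBackups',
    [string]$ToolkitDir = 'C:\Tools\PolicyAnalyzer'
)
Import-Module GroupPolicy -ErrorAction Stop

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Backup-GPO writes the backup into a {GUID} folder under $BackupRoot; the GUID is
# the Id of the GpoBackup object it returns, so the folder can be located reliably.
$backup    = Backup-GPO -Name $GpoName -Path $BackupRoot -Comment "Policy Analyzer import $(Get-Date -Format s)"
$backupDir = Join-Path $BackupRoot ('{' + $backup.Id + '}')
$rulesFile = Join-Path $BackupRoot (($GpoName -replace '[^\w\-]', '_') + '.PolicyRules')

# Convert the backup folder into a rules file Policy Analyzer can view or compare.
$converter = Join-Path $ToolkitDir 'GPO2PolicyRules.exe'
& $converter -p $backupDir -o $rulesFile
if ($LASTEXITCODE -ne 0) { throw "GPO2PolicyRules.exe failed with exit code $LASTEXITCODE" }

# A .PolicyRules file is XML; a parse failure here means Policy Analyzer will not load it.
[xml]$rules = Get-Content -Path $rulesFile -Raw
"Rules file written: $rulesFile ($((Get-Item $rulesFile).Length) bytes)"
```

Copy the resulting .PolicyRules file into the folder Policy Analyzer shows as its Policy Rule sets location and it appears in the main window alongside the imported baselines, ready for View / Compare.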
Local Group Policy Object tool
The Local Group Policy Object (LGPO) tool, operated from the command line, is designed to manage the system’s local security policy. It offers several functionalities related to local policy settings:
- Import and apply settings. The tool supports various sources, including registry policy files, security templates, auditing backups, and LGPO text files.
- Policy backup. It allows for the export of local policy to a GPO backup for safekeeping and deployment across other systems.
- Verification. Administrators can verify Group Policy settings before widespread deployment.
- Non-domain system management. The tool automates configuration and deployment across multiple systems not connected to the domain.
The LGPO tool’s syntax may appear complex due to its numerous parameters; the full syntax is displayed by running LGPO.exe from a command prompt with no arguments. For instance, to back up the local policy to a GPO backup, use the /b switch with the folder that should receive the backup and, optionally, the /n switch with a display name for it:
LGPO.exe /b <backup folder> /n "<backup name>"
Set Object Security tool
The Set Object Security tool applies a security descriptor to various objects, including files, folders, and SMB shares. A common application is restoring the default security descriptor to a system’s root folder.
To utilize this tool, run SetObjectSecurity.exe followed by three positional parameters, in this order:
- ObjType. The type of object to secure, such as FILE, KEY, eventlog, printer, share, or kobject; note that object types are case sensitive.
- ObjName. The name of the object to secure, such as a file, folder, or registry key.
- SDDL. The security descriptor to apply, written in Security Descriptor Definition Language. Tools like AccessChk can be used to retrieve the SDDL from an object.
For example, the following command applies a security descriptor to the root of the C: drive, the scenario described above: the object type is FILE, the object name is C:, and the third argument is the SDDL string to apply:
SetObjectSecurity.exe FILE C: "O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:P(ML;OINPIO;NW;;;HI)"
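A defender-side wrapper for the command above, added here as an example and not part of the article or the toolkit: it decodes the SDDL into readable ACEs first, saves the descriptor currently on the object so the change can be reverted with the same tool, applies it, and reads the result back. It assumes SetObjectSecurity.exe is on the PATH and that $BackupFile is a placeholder path.

```powershell
# Added example (not from the article): inspect, snapshot, apply and verify an SDDL
# with SetObjectSecurity.exe. Assumptions: SetObjectSecurity.exe is on the PATH and
# $BackupFile is a placeholder location for the rollback copy.
$Target     = 'C:'                               # ObjName; the ObjType FILE is case sensitive
$BackupFile = 'C:\Temp\C-root.sddl.before.txt'   # placeholder path for the rollback copy
$Sddl = 'O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' +
        'D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)' +
        '(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:P(ML;OINPIO;NW;;;HI)'

# 1. Read the SDDL as human-readable owner and ACEs before granting anything.
$decoded = ConvertFrom-SddlString -Sddl $Sddl
"Owner : $($decoded.Owner)"
$decoded.DiscretionaryAcl | ForEach-Object { "DACL  : $_" }
$decoded.SystemAcl        | ForEach-Object { "SACL  : $_" }

# 2. Keep the descriptor that is on the object now (Get-Acl as an alternative to
#    AccessChk) so the change can be reverted if it breaks something.
$before = (Get-Acl -Path "$Target\").Sddl
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
Set-Content -Path $BackupFile -Value $before
"Saved current SDDL to $BackupFile"

# 3. Apply. Arguments are ObjType, ObjName and SDDL, in that order.
& SetObjectSecurity.exe FILE $Target $Sddl
if ($LASTEXITCODE -ne 0) { throw "SetObjectSecurity.exe failed with exit code $LASTEXITCODE" }

# 4. Read the DACL back and compare ACE by ACE; raw SDDL strings can differ in
#    ordering even when the descriptors are equivalent, so compare decoded entries.
$after   = ConvertFrom-SddlString -Sddl (Get-Acl -Path "$Target\").Sddl
$missing = $decoded.DiscretionaryAcl | Where-Object { $after.DiscretionaryAcl -notcontains $_ }
if ($missing) { 'ACEs not present after apply:'; $missing } else { 'DACL matches the requested descriptor.' }
```

To roll back, run SetObjectSecurity.exe FILE C: with the SDDL saved in $BackupFile as the third argument.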
How to apply security baselines to Windows Server
Before implementing any changes to a production system, administrators should test the deployment of security baselines in a non-production environment. To use Microsoft’s recommended security configuration baselines for Windows Server versions prior to Windows Server 2025, download the relevant files from the Microsoft Security Compliance Toolkit. These files include documentation, Group Policy reports, GPOs for various server roles, PowerShell scripts to assist deployment, and GPO templates in ADMX and ADML formats.
To begin, open the Group Policy Management Console (GPMC) and navigate to Group Policy Objects within the domain. Right-click to create a new GPO and name it after the baseline. Next, right-click the GPO and select Import Settings, choosing the baseline GPO for the server role from the extracted security baseline files. Link the GPO to the domain or organizational unit, enable the link, and run the command
gpupdate /force
to enforce the Group Policy update on the test system. Finally, check the event log for any errors related to Group Policy.
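The same GPMC procedure scripted with the GroupPolicy module for a test domain, added as an example and not taken from the article or Microsoft's baseline scripts. It assumes the baseline zip is extracted so that $BaselineDir is its GPOs folder (the one holding the backup folders and manifest.xml), and that the backup name, target OU and test server name are placeholders.

```powershell
# Added example (not from the article): create a GPO, import a baseline backup into it,
# link it to a test OU, refresh policy on a test server and check the Group Policy log.
# Assumptions: $BaselineDir is the extracted baseline's GPOs folder; $BackupName,
# $TargetOU and $TestServer are placeholders.
param(
    [string]$BaselineDir = 'C:\Baselines\Server-Baseline\GPOs',
    [string]$BackupName  = 'MSFT Windows Server - Member Server',   # placeholder: name listed in the GPOs folder
    [string]$TargetOU    = 'OU=BaselineTest,DC=example,DC=com',
    [string]$TestServer  = 'TESTSRV01'
)
Import-Module GroupPolicy -ErrorAction Stop

# Create an empty GPO named after the baseline, then import the backup into it.
# Import-GPO with -BackupGpoName finds the backup through manifest.xml under -Path.
$gpo = New-GPO -Name $BackupName -Comment "Imported from $BaselineDir on $(Get-Date -Format d)"
Import-GPO -BackupGpoName $BackupName -Path $BaselineDir -TargetName $gpo.DisplayName | Out-Null

# Link to the test OU only, with the link enabled; production OUs stay untouched.
New-GPLink -Name $gpo.DisplayName -Target $TargetOU -LinkEnabled Yes | Out-Null

# Keep a human-readable report of the imported settings for the change record.
Get-GPOReport -Name $gpo.DisplayName -ReportType Html -Path "$env:TEMP\$($gpo.DisplayName).html"

# Refresh policy on the test server, then collect Group Policy errors and warnings
# logged since the refresh (a two-minute margin covers clock drift between hosts).
$since = (Get-Date).AddMinutes(-2)
Invoke-Command -ComputerName $TestServer -ScriptBlock { gpupdate /force } | Out-Null
$events = Invoke-Command -ComputerName $TestServer -ArgumentList $since -ScriptBlock {
    param($from)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 1, 2, 3      # Critical, Error, Warning
        StartTime = $from
    } -ErrorAction SilentlyContinue
}
if ($events) { $events | Format-Table TimeCreated, Id, Message -Wrap } else { 'No Group Policy errors or warnings.' }
```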
New security baseline method arrives with Windows Server 2025
With the introduction of Windows Server 2025, Microsoft has unveiled the OSConfig platform, which streamlines the application of desired state configurations for security baselines. This integration allows security baselines to be applied directly through the OSConfig PowerShell module, eliminating the need for separate downloads. The native PowerShell tooling simplifies the update process, requiring only a single command to adjust settings, while also offering an automated mechanism to maintain compliance through drift control.
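What the OSConfig path looks like in practice, added here as an example and not taken from the article: install the module, apply the baseline with one command, and report which settings are not compliant. It assumes a domain-joined member server (the scenario name changes for domain controllers and workgroup members) with access to the PowerShell Gallery; the cmdlet and scenario names are those of Microsoft's OSConfig module.

```powershell
# Added example (not from the article): apply the Windows Server 2025 security baseline
# through the Microsoft.OSConfig module and list non-compliant settings.
# Assumptions: member server scenario; PowerShell Gallery reachable for Install-Module.
if (-not (Get-Module -ListAvailable -Name Microsoft.OSConfig)) {
    Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
}
Import-Module Microsoft.OSConfig -ErrorAction Stop

# Other scenarios: SecurityBaseline/WS2025/DomainController, SecurityBaseline/WS2025/WorkgroupMember
$scenario = 'SecurityBaseline/WS2025/MemberServer'

# The single apply step: enforce Microsoft's default value for every setting in the
# baseline. OSConfig keeps enforcing them afterwards, which is the drift control.
Set-OSConfigDesiredConfiguration -Scenario $scenario -Default

# Compliance report: each setting carries a Compliance object with Status and Reason.
$settings = Get-OSConfigDesiredConfiguration -Scenario $scenario
$settings | Group-Object { $_.Compliance.Status } | Format-Table Name, Count -AutoSize
$settings |
    Where-Object { $_.Compliance.Status -ne 'Compliant' } |
    Format-Table Name,
        @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
        @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } },
        @{ Name = 'Value';  Expression = { $_.Value } } -AutoSize -Wrap
```

Re-running the report after a deliberate manual change to one of the listed settings shows drift control restoring it, which is the check to run before trusting it in production.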
Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. With over 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.