At the root of the WolfTech AD tree, a number of policies are linked in. To better secure the domain, we have developed a model in which we drop in the Microsoft Enterprise Client (EC) security policies completely untouched and pair each one with a policy of our own that carries any changes we want, with both policies scoped by a per-OS WMI filter. This lets us update the security policies as Microsoft releases or updates them while tactically targeting OS-specific settings.
- Link specific settings before generic ones. Example: certificate settings before OS policies.
- Filter on Authenticated Users combined with the appropriate OS WMI filter. Example: Windows 2008 R2 member server.
- Link server OSs before client OSs.
- Link newer OSs before older OSs.
- Do not edit the Microsoft EC policies if at all possible.
- Create a separate “override” policy per OS to unset EC settings that are harmful in our environment.
- If a new OS comes out and Microsoft has not released an EC policy for it, copy the newest applicable one and use that.
- Domain-NCSU Certificates
- Domain-Laptop Policy
- Default Domain Policy
- WolfTech Default Domain Policy – WS08R2
- WolfTech Default Domain Policy – WS08
- WS08 EC Member Server Baseline Policy
- WolfTech Default Domain Policy – Win2003
- WS03 EC Member Server Baseline Policy
- WolfTech Default Domain Policy – Win7
- Win7 EC Desktop Policy
- WolfTech Default Domain Policy – Vista
- VSG EC Desktop Policy
- WolfTech Default Domain Policy – WinXP
- XP EC Desktop Policy
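An added example, not part of the WolfTech documentation: a PowerShell check that the root link order actually follows the override-above-baseline pairing listed above (lower link order wins, so each WolfTech override must sit directly above its EC baseline) and that every paired GPO carries a WMI filter. It assumes the GroupPolicy RSAT module, a domain DN supplied by the caller, and GPO display names exactly as listed (dash character included).

```powershell
# Added example (not from the WolfTech documentation). Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

# Override -> EC baseline pairs, taken from the root link list above.
# The dash in each name must match the real GPO display name exactly.
$Pairs = @{
    'WolfTech Default Domain Policy – WS08'    = 'WS08 EC Member Server Baseline Policy'
    'WolfTech Default Domain Policy – Win2003' = 'WS03 EC Member Server Baseline Policy'
    'WolfTech Default Domain Policy – Win7'    = 'Win7 EC Desktop Policy'
    'WolfTech Default Domain Policy – Vista'   = 'VSG EC Desktop Policy'
    'WolfTech Default Domain Policy – WinXP'   = 'XP EC Desktop Policy'
}

function Test-RootLinkOrder {
    param([Parameter(Mandatory)][string]$DomainDn)   # e.g. 'DC=example,DC=test' (placeholder)

    # Get-GPInheritance returns the links at the target; Order 1 has the highest precedence.
    $links   = (Get-GPInheritance -Target $DomainDn).GpoLinks
    $orderOf = @{}
    foreach ($l in $links) { $orderOf[$l.DisplayName] = $l.Order }

    foreach ($override in $Pairs.Keys) {
        $baseline = $Pairs[$override]
        if (-not ($orderOf.ContainsKey($override) -and $orderOf.ContainsKey($baseline))) {
            Write-Warning "Missing root link: '$override' or '$baseline'"
            continue
        }
        # The override is processed after the baseline only if its link order is one lower.
        if ($orderOf[$override] -ne ($orderOf[$baseline] - 1)) {
            Write-Warning "'$override' (order $($orderOf[$override])) is not directly above '$baseline' (order $($orderOf[$baseline]))"
        }
    }

    # Without a per-OS WMI filter a pair would apply to every OS at the root.
    # A typical filter is of the form:
    #   SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "3"
    # (ProductType 1 = workstation, 3 = member server).
    foreach ($name in (@($Pairs.Keys) + @($Pairs.Values))) {
        $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
        if ($gpo -and -not $gpo.WmiFilter) { Write-Warning "'$name' has no WMI filter" }
    }
}
```

Run `Test-RootLinkOrder -DomainDn '<your domain DN>'` from a host with RSAT; each warning names a link that breaks the model.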
Role-Based GPOs:
Note: There are a smaller number of these for Windows Server 2008, named “WS08 EC *”, which you can find in the “Group Policy Objects” folder in GPMC.
The concept is that while the “WolfTech Default Domain Policy – WS08R2” and “WS08R2-EC-Member-Server” policies are linked at the root of the tree, you would link “WS08R2-Print-Server” to your NCSU\College\Dept\Servers\Print OU, for example. The same goes for file or IIS servers. This also highlights that people should not be putting multiple types of servers in a single OU; it is appropriate to have an OU for each type of server you support.
Every once in a while there is a setting in a Security Baseline that cannot be overridden. When that occurs, we will edit the default Security Baseline and document any changes.
Windows 10 Computer (Beta-1703) and Windows 10 Computer (SCTv1.0, v1709):
There is an issue with BitLocker and DMA devices that causes DMA devices to stop functioning when BitLocker is enabled.
The following setting in both GPOs was changed from “Enabled” to “Not Configured”:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Disable new DMA Devices when this computer is locked
Microsoft Security Compliance Manager: This is a tool with a GUI for browsing through the baselines. For each setting it gives information about why Microsoft chose the value they did, what attack vectors it addresses, references to specific KB articles, the registry keys it sets, and so on.