Microsoft Group Policy

Leon SCOTT

7 min read
Microsoft Group Policy

I thought I better explain myself

Microsoft Group policy is a way to enhance and harden your Windows systems. If you are not running Windows home edition it is already installed and available. However, it is not configured by default and requires a little knowledge.

Normally group policy would be deployed via Intune, a Domain controller or via Microsoft 365 which is the new way of managing endpoints rather than using a domain controller. It is normally the responsibility of your IT Administrator no matter his actual title.

Why am I sharing this. Because it can make a great difference on how secure your Windows system is no matter how good your firewall, your cybersecurity hygiene and if you do fall victim to click bait or your teenage son does, you may be the last man standing as you run around and try to figure what is going on.

So, it's important.

Who is this article for

  1. Anybody concerned about their windows security whose device is standalone
  2. Anybody who does not have a managed Windows Endpoint

Disclaimer

  1. I am not responsible if you implement my script on your machine
  2. I am not responsible if you get hacked after implementing my script on your machine
  3. Basically, I am not responsible

About me

  1. I am a cybersecurity hobbyist. I love this stuff
  2. I have been running group policy for some time and have enhanced skills
  3. I use a great number of tools that I will go into on how/why I have set my GPO as it is in GitHub (getting to it)

Method

So, let's get into it and talk briefly on how I built my GPO for the 6 endpoints that are utilized in my house that are unmanaged by any institution (in other words they are all standalone Microsoft Windows 11 devices running the latest version of Windows Professional version 24H2 (which is the current release and what you should all be running as well)

I built my GPO in this order of priority

  1. I have Microsoft Defender for Business subscriptions for all endpoints
  2. I took the guidance from the Microsoft Security portal to harden my devices. I did this via GPO rather than registry edits as GPO is dynamic
  3. I then used the Microsoft Security baselines to enhance the basic GPO
  4. See below
  5. Finally, I read a lot of hacking postmortems, if they have Group Policy changes to mitigate the risk, I implement them after assessing the pros and cons.
Security baselines guide
Learn how to use security baselines in your organization.
Microsoft Learnvinaypamnani-msft
Microsoft Security Baselines Blog | Microsoft Community Hub
Learn more: aka.ms/baselines | Download the Security Compliance Toolkit: <a…
TECHCOMMUNITY.MICROSOFT.COMRick_MunckMicrosoft Security Baselines Blog

From all this we end up here

Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center
This set of tools allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations.
Microsoft Store - Download Center

The compliance tool kit gives you access to the tools, GPO's and templates you will need to build out your GPO. It provides guidance on how to harden up your device - without actually killing its useability - cybersecurity has always been a balance between security and useability. Make it too hard and they won't use it.

So out of the third link I download the following

  1. Windows 11 v24H2 Security Baseline.zip
  2. Microsoft Edge v128 Security Baseline.zip
  3. Windows 11 Security Baseline.zip
  4. PolicyAnalyzer.zip
  5. LGPO.zip

Pretty self-explanatory really, I don't run Windows servers and are only interested in the latest version of Windows and run Edge over Google Chrome because I prefer it. Obviously if you prefer Firefox or Google Chrome you will need to find the GPO template files for these and install them. So, explain that.

If you downloaded the above files and extracted them to individual directories in your download folder, you will see that they contain a lot of information. We are interested in the GPO and the templates for each of them.

  1. The templates you need to import here: C:\Windows\PolicyDefinitions
  2. Where you see the en-US files you need to import here: C:\Windows\PolicyDefinitions\en-US
  3. The GPO's we will get to in a minute
  4. Once you copy the files to the locations above you need to restart your device
  5. No, it won't break anything because all you have done is expanded Group Policy on your device
  6. No, you don't need to install the template files on your other devices. Just one.

Once you are restarted and logged in start gpedit in search apps and you will be looking at the group policy editor. Its large, complicated so start slowly.

So, what do you change. Now this is the complicated bit as you will need to use the Policy Analyzer above to help you sort this out. I have a head start as I have been tinker with GPO for years either standalone or otherwise.

So how do you use it.

  1. Right click on the ...
    \Downloads\PolicyAnalyzer\PolicyAnalyzer_40\PolicyAnalyzer.exe"
  2. Run it as administer - it will show stuff all
  3. If you have no group policy defined you can't really add your configuration
  4. Click on Add button, and you will see the following
  1. Now I already had a Computer configuration, User Configuration (blank), Security Template, Audit policy and I didn't bother with the Backup. So, I added these but it is not necessary so we will skip it
  2. You will need to add the GPOs for the 3 security baselines mentioned above
  3. Click on "Add files from GPO(s) but one at a time
  4. Select the GPO folder and add them, when it asks to save it, use the default location and call it something meaningful to you
  5. Now once you have that done, click on say the 24H2 and then "Compare to Effective State"
  6. Let the fun begin. Yes, there is a faster way but don't use it if you're a newbie.

Now you need to use the GP editor to change your local GPO to match that recommended by Microsoft - and you need to think, test, keep some sort of record just in case you need to undo it. Luckily the GP editor can be sorted to allow you to see what you have changed compared to Non configured.

Yes, it's a little bit of a pain in the backside. Lots of testing as you slowly harden it all up.

End Result

  1. A hardened Windows installation
  2. Hopefully no downside on operability.

So how do you export the local GPO from your test device to every other device you have access to and is not managed or joined to a domain ie.. standalone

This is where our final zip file comes in called LGPO.zip.
This utility can export your local GPO and allow it to be imported into the other devices. A quick restart of these devices and your GPO has been applied and its secured

The instructions on how to do this are contained within the readme file of that expanded archive you made so I am not going to go into it in detail

However, this is rather tedious, so I have written a script. It's not the tidiest thing but you should be able to read it (Powershell) and you can work it out from there. The big problem is that the files need to be stored somewhere that the computers you are trying to apply the GPO have access to. If you have a NAS you are all set, although there are other methods - I just wanted to put it in the public domain, to help enhance other people's security.

The script, my registry.pol and so on are stored here.

GitHub - Braedach/GPO: GPO Test system
GPO Test system. Contribute to Braedach/GPO development by creating an account on GitHub.
GitHubBraedach

This is not the latest version of my GPO as I am constantly updating it, but I have had no issues with the version stored in GitHub. You don't need to be smart to understand PowerShell. You should be fine.

The script has an undo function. It will remove the GPO from the device and give you a fresh slate. Just follow the instructions.

The script uses a single registry.pol. This is for the computer and not the user. I am not a control freak, but I put particular research and testing into my changes. Please be aware of this.

Crap

I forgot. By default, your prototype system will not run PowerShell scripts that are not signed by default. This is a good thing. You will need to change this by running the following commands or a variation thereof.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Set-PSRepository -Name 'PSGallery' -InstallationPolicy 'Trusted'

This is up to you.

Conclusion

As stated, I wanted to help people harden their devices, without breaking stuff and I hope this post is a start. Remember you can undo the GPO, if you need to.

DO NOT implement this on a managed device issued to you via any organization or institution. They use the own GPO and implement it via different mechanisms.

If you use MDE in any form, the policies you set there will take precedence over what you set in GPO unless you have told the GPO otherwise. Yeah, so watch it.

#enoughsaid