![]() GPO’s – These are the group policy folders themselves which you can then use to import the exact security baselines. This is what the GPO should look like when its applied to a machine/user. GP Reports – This folder contains all the GPResults as released by us for each Group Policy. ![]() Select which baselines to download Extracted baseline fileĭocumentation – Contains the default policyrules files which are used with the Security Compliance Toolkit, differences between the previous baseline release (in this case v1903), and the new settings that were added. So based upon that logic you can do the following with a very simple AD structure and you don’t have to be concerned about where the computer objects are exactly, nor do you need an OU per Windows version. However there is a catch with this method, since you don’t always have the ideal OU structure to support this implementation.ĭue to this situation above, I always advise clients to use WMI Filters to then be able to have multiple baselines applying to a single parent OU, but the GPO will only apply if a very specific OS Version is detected. ![]() Generally what most customers’ would do in this situation is to have a difference OU per OS, and then apply the baseline for that specific OS to the single OU. Of course you can apply the very latest baselines on your Organizational Units (OU’s) however don’t expect all the settings to apply since some features are only present in the later version of the OS. You should always try your best to download exactly the version you want to apply the baselines to. Should I download only the latest version available for Windows 10/Server 2019 or should I get the precise version per OS/software? If you have an SCCM or asset inventory system, it will come in very handy here to understand exactly what you have in your environment and give you a clear scope of what to protect. You do not need to get Windows 10 v1607 if you don’t have any installed in your environment. In this situation, download just Windows 10 v1903, and v1909. An example of this is Windows 10 v1903 and Windows 10 v1909. Edge, IE, Server 2012R2, Windows 10 v1909 etc.įor example, if your organization is on Windows 10 SAC releases, you should see an update that is pushed every 6 months. I implore you to instead download the ones that constitute most of your environment, or the software you want to protect eg. You do not need to download every single baseline for every single version of product. The answer to the second part is very simply – No. Generally speaking though, once there is a (FINAL) version released then that’s the last iteration we will issue for that software or OS Version. My advice to customers is to generally wait for the (FINAL) version of whatever software they are getting baselines for. Which one should I download? Do I need all of them? If you would like to follow all the latest that is happening in the world of Security Baselines from Microsoft, please visit the below URL as this is our official blog Microsoft Security Compliance Toolkit (SCT) – all baselines and the toolkit itself can be downloaded from here.Īlternatively you can go below to get all the latest information of what’s been released, and also what discussions have gone around each baseline itself. These are the official download links, and you should never download from any other source. The baselines are downloadable from the link below. A security baseline helps keep all systems in line, while also allowing you to update the baselines when you decide to finally upgrade an Operating System or when a newer version of your software comes out, and still maintain a certain level of security/configuration across your environment. As your environment grows and you expand, you will find that you have many different systems that often don’t have the same security settings as each other. Very simply put, a security baseline allows you to ensure that a certain level of security is maintained across your environment. I have specifically gained a lot of experience through Microsoft’s Premier Offering called ‘ Active Directory Security: Domain and Domain Controller Hardening‘ which leverages a lot of the concepts and toolsets I am showcasing. In this series I will be sharing my knowledge and experience that I have gained over the years with various clients. It is very important to note that it’s a baseline for a reason, this will be the “minimum” configuration with all your custom differences put on top of it. Microsoft Security Baselines are created to give our customers a benchmark and to utilize the latest features possible, while also guiding them on which security settings should be used. Security Baselines are published by various companies however I will focus strictly on Microsoft Security Baselines, and how to apply them safely in your environment. What are security baselines? Why do I need them?
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |