Optimizing domain controller security

Leakproof

Implementation of Policy Settings

The easiest way to implement the Microsoft recommendations is to open the Group Policy Management Console (GPMC) on the DC and import the policy backups from the Security Compliance Toolkit directory into your production Active Directory as new policies. Alternatively, you can use the PowerShell scripts I mentioned earlier. You will then need to link the policies to the domain or, in the case of DCs, to the Domain Controller container (e.g., by drag and drop).

For the implementation, create a new Group Policy named Windows Server 2022 Domain Controller in the GPMC Group Policy Objects context menu. In the context menu of the new policy, select Import Settings, which launches a wizard. In the wizard, specify the GPOs (or GPO) directory in the SCT archive. After opening the directory, the wizard displays all group policies located in this directory. Select the desired template to tell the wizard to import all the settings into the new Group Policy object (GPO). You can also create multiple policies. If you used the Baseline-ADImport.ps1 script, the policies already exist in AD but are not yet linked. In other words, you have several ways to implement the settings on the network.

Comparison with Current Configuration

As already mentioned, Policy Analyzer gives you a quick and easy option for comparing different group policies. To do this, you need a backup of the current group policies. To simplify the process, Microsoft also provides policy rules files (.PolicyRules). You need MSFT-WS2022-FINAL.PolicyRules from the Documentation directory of the Windows Server 2022 baseline files. Copy the file to the Policy Rules directory, which is located in the Policy Analyzer directory.

In a production environment, save your existing policy in the Group Policy Management Console. To back up all policies, simply right-click on Group Policy Objects and click Back Up All; then, select a directory and save the group policies. As mentioned, this backup serves as the basis for a comparison against the baselines. In this case, the main interest is in the Default Domain Controllers Policy (Figure 2). If you like, you can save just this one policy.

Figure 2: Before comparing the existing rules with those of the baselines, it makes sense to make a backup of the GPOs.

Next, launch Policy Analyzer from the download directory. You do not need to install the tool. In Policy Analyzer, get started by clicking on the Policy Rule sets in field at the bottom; then, select the Policy Analyzer directory and the Policy Rules subdirectory. You already copied the policy rules of the current Windows Server 2022 baselines to this directory.

To launch a comparison with your current policy, click Add, then select File | Add files from GPOs. Navigate to the folder with the backup of your existing group policies and complete the process by selecting Import. Then save the process as a .PolicyRules file (e.g., as the Default Domain Controllers Policy). This policy is then also visible in Policy Analyzer.

These steps integrate the baseline policies into Policy Analyzer by their policy rules file and the current backup of your Default Domain Controllers Policy, which you also saved as a .PolicyRules file. For the comparison, select your imported Default Domain Controllers Policy followed by MSFT-WS2022-FINAL. This is the policy rules file you copied from the current baselines for Windows Server 2022. Do not select any other policies; you only need these two. Now click on the View/Compare button. The process takes a few seconds. When done, you will see a precise comparison of your current Default Domain Controllers Policy and the baseline.

Adjusting Values for DC Security

The comparison helps you quickly identify strongly recommended options that are not set in your environment. As described earlier, you will generally want to implement the complete policy for your domain controllers. To do this, you can use the policy from the security baselines as a second policy for the DCs. The advantage is that you can leave the default policy unchanged and disable all new settings in one fell swoop if issues occur, simply by disabling the security baseline. The disadvantage is that you have to manage several group policies.
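The import-and-link steps from the implementation section and the "baseline as a second, switchable policy" approach described here, scripted with the GroupPolicy and ActiveDirectory modules. This is an added example, not code from the article or from the Security Compliance Toolkit; the SCT extraction path and the display name of the backed-up baseline GPO are assumptions you must adjust.

```powershell
# Added example (not the article's own code): import the SCT domain controller
# baseline from its GPO backup into a new GPO, link it to the Domain Controllers
# container with precedence over the default policy, and show how to switch it
# off again in one step. Run on a DC (or RSAT host) with Domain Admin rights.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Assumed values: where the SCT archive was extracted and the backup's display name.
$BackupPath = 'C:\SCT\Windows Server 2022 Security Baseline\Windows Server-2022-Security-Baseline-FINAL\GPOs'
$BackupName = 'MSFT Windows Server 2022 - Domain Controller'
$GpoName    = 'Windows Server 2022 Domain Controller'

# Safety net first: back up the existing DC policy (also the input for Policy Analyzer).
$BackupDir = Join-Path $env:TEMP ('GPO-Backup-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
New-Item -ItemType Directory -Path $BackupDir | Out-Null
Backup-GPO -Name 'Default Domain Controllers Policy' -Path $BackupDir | Out-Null

# Create the target GPO if it does not exist, then import the baseline settings.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Imported from the SCT baseline backup' | Out-Null
}
Import-GPO -BackupGpoName $BackupName -Path $BackupPath -TargetName $GpoName | Out-Null

# Link to the Domain Controllers OU. Link order 1 is processed last and therefore
# wins over the Default Domain Controllers Policy where both define a setting.
$dcOu = (Get-ADDomain).DomainControllersContainer
$linked = (Get-GPInheritance -Target $dcOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $dcOu -LinkEnabled Yes -Order 1 | Out-Null
}

# Show the resulting precedence so nothing is applied blindly.
(Get-GPInheritance -Target $dcOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# Rollback switch: disable the baseline link without touching the default policy.
# Set-GPLink -Name $GpoName -Target $dcOu -LinkEnabled No
```

Run `gpupdate /force` on the DCs afterwards; if anything misbehaves, the commented Set-GPLink line removes the baseline from processing while keeping the GPO and its import intact.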

Of course, you could go through the individual differences and transfer them to your default domain controller policy manually, but this is a very time-consuming process and requires painstaking documentation. The most important values can be found under Computer Configuration | Policies | Windows Settings | Security Settings . Various folders with security baseline configurations are stored here. Pay particular attention to the settings in Security Options , which is where the security baseline governs user accounts and client communication with the domain controller. These settings can also be found in the MSFT Windows Server 2022 - Domain Controller.htm file in the Windows Server 2022 Security Baseline\Windows Server-2022-Security-Baseline-FINAL\GP Reports directory.

At the same time, the baseline also generates rules for the Windows firewall, which are not included in the default domain controller policy – nor are the numerous logging actions. These rules can be found under Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration in the group policies. You will generally want to implement these configurations in all environments. Negative effects are unlikely unless the domain controllers are already suffering capacity problems. In this case, extended system monitoring can cause the DCs to respond more slowly, but if you are at this point, replacing the hardware is the order of the day rather than reducing the recommended security levels.
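A post-application check for the audit and firewall settings discussed above, added here as an example and not part of the article: it reads the effective audit policy from auditpol's CSV output and the firewall profile state on a DC, so you can see whether the baseline actually took effect rather than just being linked.

```powershell
# Added example (not from the article): verify on a domain controller that the
# baseline's Advanced Audit Policy and firewall settings are in effect.
# Run in an elevated PowerShell session on the DC after `gpupdate /force`.

# auditpol emits CSV with /r; flag every subcategory still set to "No Auditing".
$audit     = auditpol /get /category:* /r | ConvertFrom-Csv
$unaudited = @($audit | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
"Audit subcategories without auditing: $($unaudited.Count) of $($audit.Count)"
$unaudited | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Firewall: each profile should be enabled, with dropped packets being logged.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# Profiles that are off or not logging drops are the ones to follow up on.
Get-NetFirewallProfile |
    Where-Object { -not $_.Enabled -or $_.LogBlocked -ne 'True' } |
    ForEach-Object { "Check profile '$($_.Name)': Enabled=$($_.Enabled) LogBlocked=$($_.LogBlocked)" }
```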
