Group policies on Windows Server 2022
Simple and Effective
Allow Only Known Applications
Software allowlisting is an administrative monster waking up from a deep sleep. An allowlist of applications would virtually eliminate the problem of ransomware. Ransomware launches an executable when the attack occurs. The simple logic is that if only known and documented software is allowed in the company, and all other software is forbidden, the ransomware cannot do its job. Although it is a trivial approach, it works worlds better than trying to detect and prevent ransomware from launching with behavior detection.
In my security proposals, AppLocker and Software Restriction Policies are always included as mandatory components. However, this solution increases workload and costs time, and the system needs maintenance once it is set up. As with the firewall, the technology comes from the age of Windows XP SP2.
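As an added example (not code from the article), the following PowerShell session shows the allowlisting workflow the text describes with AppLocker: inventory the software already installed, generate publisher and hash rules from it, deploy the policy in audit-only mode first, test an unknown executable against the policy, and review the audit events that an enforced policy would have blocked. The directory list, the file path under Downloads, the output path, and the LDAP path of the GPO are assumptions for illustration.

```powershell
# Added example (not from the article): build an AppLocker allowlist from the
# documented software baseline, start it in audit-only mode, test it, and read
# the audit log. Run in an elevated PowerShell session on Windows Server 2022.
# All paths below are assumptions; adjust them to your own environment.

Import-Module AppLocker

# 1. AppLocker rules are only evaluated while the Application Identity
#    service (AppIDSvc) is running, so enable and start it first.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory the files that belong to the known, documented software set:
#    everything under Program Files and the Windows folder (assumed baseline).
$baselineDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($dir in $baselineDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller
}

# 3. Generate rules: publisher rules for signed files (they survive vendor
#    updates), hash rules for unsigned ones. -Optimize merges rules that share
#    the same publisher so the policy stays readable. -Xml returns the XML text.
$xml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 4. New-AppLockerPolicy emits every rule collection as NotConfigured.
#    Switch all collections to AuditOnly so nothing breaks while the
#    allowlist matures; change to Enabled once the audit log is quiet.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\AppLocker\allowlist-audit.xml'   # assumed output path
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$xml | Out-File -FilePath $policyPath -Encoding UTF8

# 5a. Apply locally (useful for a pilot machine) ...
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5b. ... or write the policy into a domain GPO. The LDAP path is a placeholder;
#     -Merge keeps rules that already exist in that GPO.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge `
#     -Ldap 'LDAP://dc01.example.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'

# 6. Dry-run check: what would the policy decide for a file that is not part
#    of the baseline? PolicyDecision is Allowed, Denied or DeniedByDefault.
$candidate = 'C:\Users\jdoe\Downloads\unknown-tool.exe'   # assumed test file
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 7. While in AuditOnly mode, event ID 8003 in the AppLocker EXE and DLL log
#    records every launch that an enforced policy would have blocked. Review
#    these before switching to Enabled: each entry is either missing
#    documented software (add a rule) or exactly what the allowlist exists
#    to stop. Event ID 8004 appears once the policy is actually enforced.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
```

The policy is generated from what is already installed, which is exactly the "known and documented software" the text refers to; anything added later needs either a new publisher rule or a documented exception, which is the maintenance overhead the next paragraph mentions.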
The latter four security ideas mentioned here can be wonderfully implemented locally with group policies, but they share issues with time, maintenance, and overhead. Microsoft's desired solution is to move to the cloud. In Microsoft 365, you can force the user to use 2FA, with no ancient protocols that an attacker can exploit. From Microsoft's point of view, the system is secure if local resources are no longer important. If the crown jewels of the company are in the cloud, then admins can encrypt all data locally. The response to a security incident would then simply be to reinstall computers and continue working. The time and downtime are still annoying and cost money, but they are inexpensive compared with a genuine data loss by encryption for ransom.
Conclusions
Even if Windows Server 2022 does not deliver that much new functionality in terms of GPO, it is still important to ensure maximum security for clients. Numerous GPO templates help with this job. Server 2022 does not establish any new rules. It's just that the requirements for your own network now need to adapt to the 2022 server version.
Infos
- Windows Server 2022 ADMX and GPO settings: https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/windows-server-2022-admx-and-gp-settings-now-available/m-p/3254928
- ADMX Templates for Windows Server 2022: https://www.microsoft.com/en-us/download/details.aspx?id=104003
- Excel spreadsheet with GPOs: https://www.microsoft.com/en-us/download/details.aspx?id=104005
- Security Compliance Toolkit: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10
- BSI SiSyPHuS: https://www.bsi.bund.de/EN/Service-Navi/Publikationen/Studien/SiSyPHuS_Win10/SiSyPHuS.html?nn=1022786
- Center for Internet Security: https://www.cisecurity.org/cis-benchmarks/
- STIGs by the DoD: https://public.cyber.mil/stigs/
- ACSC guide to system hardening: https://www.cyber.gov.au/acsc/view-all-content/advice/guidelines-system-hardening
- gp-pack PaT: https://www.gp-pack.com/gp-pack-pat-privacy-and-telemetry/ (in German)
- LGPO utility: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045
- Policy Analyzer: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-tool-policy-analyzer/ba-p/701049
- Central Store for Administrative Templates: https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store
- Editing additional registry settings: https://sdmsoftware.com/tips-tricks/removing-extra-registry-settings-from-gpos/
- DSInternals: https://www.dsinternals.com/en/
- PwnedPassCheck: https://www.dvolve.net/blog/2019/08/new-module-pwnedpasscheck/