Secure Standalone Windows Servers Using Security Compliance Manager

Posted on September 14, 2016 by Russell Smith in Windows Server with 0 Comments


Security Hero

In today’s Ask the Admin, I’ll show you how to use the localGPO command line tool in Security Compliance Manager (SCM) to apply security templates to computers that are not part of an Active Directory domain.

Security Compliance Manager comes with a command line tool for applying template settings to Local Group Policy Objects, i.e. for use on devices that are not joined to an Active Directory domain. For more information on SCM, see Using the Microsoft Security Compliance Manager Tool on the Petri IT Knowledgebase.

The installer for the localGPO tool is located in the c:\program files (x86)\microsoft security compliance manager\lgpo directory, and you need to run the .msi file to install it on the computer where you want to use the tool. Note that at the time of writing, localGPO is not supported on Windows Server 2012 R2.

  • Double click LocalGPO.msi.
  • Click Next on the welcome screen.
  • On the End-User License Agreement screen, check I accept the terms in the License Agreement and click Next.
  • On the Features to install screen, click Next.
  • The tool will now install. Click Finish to close the installer window.

The tool is installed in the “c:\program files (x86)\localgpo” directory. To work with the tool, run the “command-line here” batch file in the localgpo directory. This will open a command prompt window in the right directory and display information about the available switches that can be used with the tool, along with some useful examples.

To export the current local policy settings as a GPO backup, run the following command:

 

Export local policy settings as a GPO backup (Image Credit: Russell Smith)

Export local policy settings as a GPO backup (Image Credit: Russell Smith)

The folder specified in the /path switch must exist. Once the command has completed, the name of the folder containing the backup will be displayed in the command prompt window. You can add the /GPOPack switch to the above command to generate a script that can be run on servers independently of the localgpo tool. Just copy the resulting folder to the desired server and run the gpopack.wsf script.

To apply a GPO backup to the local computer run the command below, replacing c:\gpobackups\{36034CB9-E459-4652-8720-DE7F3AD51044} with the path of the GPO backup you want to apply.

You can compare the current local policy with a GPO backup using the /compare switch:

 

Compare local policy with a GPO backup (Image Credit: Russell Smith)

Compare local policy with a GPO backup (Image Credit: Russell Smith)

To restore the local computer policy to the default settings, run:

Sponsored

Additional switches

LocalGPO has a few additional switches that you might find useful. The /ConfigSCE switch displays settings in local computer policy that were developed by Microsoft Solutions for Security (MSS) but are not visible by default. Conversely, the /ResetSCE switch hides the MSS settings from local computer policy.

Hidden Microsoft Solutions for Security (MSS) settings (Image Credit: Russell Smith)

Hidden Microsoft Solutions for Security (MSS) settings (Image Credit: Russell Smith)

The /MLGPO switch can be used to apply a GPO backup to specific local users. This switch can also be used with gpopack.wsf scripts generated using the /GPOPack switch. For instance, the following command would apply the user section of the specified GPO backup to local user DavidSmith.

Sponsored

Administrators and Non-Administrators are also both valid users that can be specified with the /MLGPO switch, applying the user section of the specified GPO backup to all local administrators, or all local users that are not administrators respectively.

Sponsored

Tagged with , ,