Hardening Group Policy Template and importing it to Windows Server 2016 Group Policy

Murad Almomani 21 Reputation points
2020-07-08T16:47:30.7+00:00

Hi,

I'm working on the Security Hardening of Windows Server 2016 according to CIS Benchmark V 1.2.0. For this I found a Security Compliance project from Microsoft, which is Microsoft Security Compliance Toolkit 1.0. This project works on a preconfigured Group Policy for Member Server or Domain Controller, and that Group Policy has a Hardened configuration that complies with the CIS Benchmark.

Microsoft Security Compliance Toolkit 1.0 has some tools and configurations that can be installed from here. The main problem with this toolkit and its Group Policy configuration is that they do not implement all of the CIS Benchmark for Windows Server 2016, so I started working on my own Group Policy Template.

For building my Hardening Group Policy Template, I started by taking a snapshot of my Windows Server 2016 so I could work on a system like the production one, then deploying the Hardened Group Policy that comes with the Toolkit (as a starting point), then checking every point from the CIS Benchmark document and reflecting the Recommended configuration in that Template Group Policy. After finishing some of those Security recommendations, I took another snapshot of the production server and used the LGPO.exe tool (included in the toolkit) to import the Hardened Group Policy Template that I was working on and apply it to the new server snapshot. After importing the Hardened Group Policy to the test server, I started facing many problems when trying to log in to my administrator account, as seen in the photos:

  1. After login, I receive this error, and if I log in again it doesn't occur again:
    https://drive.google.com/file/d/1emPuoTKajuUmTifi8sSirb1vUJIhi9sI/view?usp=sharing
  2. After login, sometimes the server hangs in the following state:
    https://drive.google.com/file/d/1Vp48d7sxdCfabs93IfRW10_T9xHo44R3/view?usp=sharing
  3. I receive this error sometimes:
    https://drive.google.com/file/d/16BJEMn6OZAS8J5pTRFF4tGcFfGMAYRGN/view?usp=sharing

Note that the previous errors occur only sometimes, and if you try to access the same thing again it works.

  4. This occurs every time I log in to the account:
    https://drive.google.com/file/d/16W86tVTVgoo9amvhlsfCsmsMb-XMAFZl/view?usp=sharing

All of these errors started happening after deploying the Hardened Group Policy to the test server. I also had another snapshot from the production server where I tried to apply the same Security Recommendations manually, so I applied the same Security Recommendations that I configured in the Group Policy and that caused all the previous errors, but this time manually, and everything was working as expected with no errors!

So my issue is: what goes wrong with a tool such as LGPO.exe (an official Microsoft tool) that imports a Group Policy GPO into the current Group Policy, and why did I have all the previous issues when doing that, while doing it manually worked well?

What is the best way to make a secure Group Policy as per the CIS Benchmark, export it, and then import it to each server you have? What is the best way of doing this?

Note:

  1. I have only one admin user that I'm using during the work.
  2. My Windows Server 2016 is a non-domain machine (standalone).

Thanks in advance
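
One way to see how the imported template differs from the manually configured server the question describes, as an added example that is not part of the original post. It relies on LGPO.exe's `/b` (backup) and `/parse /m` switches; every path and the function names `Get-MachineFile` and `Get-PolicyRecords` are assumptions.

```powershell
# Added example. All paths are assumptions; adjust them to your environment.
$Lgpo     = 'C:\Tools\LGPO\LGPO.exe'     # assumed location of LGPO.exe from the toolkit
$Template = 'C:\GPO\HardenedTemplate'    # assumed folder holding the hardened GPO backup
$Manual   = 'C:\GPO\ManualServer'        # assumed folder holding the manual server's backup
# Produce $Manual on the manually configured server beforehand with:
#   & $Lgpo /b $Manual /n 'Manual-CIS'

function Get-MachineFile {
    param([string]$Root, [string]$Name)
    # A GPO backup stores machine settings under {GUID}\DomainSysvol\GPO\Machine\...
    $f = Get-ChildItem -Path $Root -Recurse -File -Filter $Name |
         Where-Object { $_.FullName -like '*\Machine\*' } | Select-Object -First 1
    if (-not $f) { throw "No $Name found under $Root" }
    $f.FullName
}

function Get-PolicyRecords {
    param([string]$Root)
    # /parse prints registry.pol as LGPO text. Assumed layout: four lines per setting
    # (configuration, key, value name, action); lines starting with ';' are comments.
    $pol   = Get-MachineFile -Root $Root -Name 'registry.pol'
    $lines = @(& $Lgpo /parse /m $pol |
               ForEach-Object { $_.Trim() } |
               Where-Object { $_ -and -not $_.StartsWith(';') })
    for ($i = 0; $i + 3 -lt $lines.Count; $i += 4) {
        '{0}\{1} = {2}' -f $lines[$i + 1], $lines[$i + 2], $lines[$i + 3]
    }
}

# Registry-based (Administrative Templates) settings present on one side only.
Compare-Object (Get-PolicyRecords $Manual) (Get-PolicyRecords $Template) |
    Sort-Object InputObject |
    Format-Table SideIndicator, InputObject -AutoSize -Wrap

# Security settings (user rights, security options) live in GptTmpl.inf.
$a = Get-Content (Get-MachineFile -Root $Manual   -Name 'GptTmpl.inf')
$b = Get-Content (Get-MachineFile -Root $Template -Name 'GptTmpl.inf')
Compare-Object $a $b | Sort-Object InputObject |
    Format-Table SideIndicator, InputObject -AutoSize -Wrap
```

Rows marked `=>` exist only in the template backup, so they are settings the import applies that the manual configuration did not.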


Accepted answer
  1. Anonymous
    2020-07-08T17:49:14.923+00:00

    Windows server security and group policy are not currently supported here on QnA. They're actively answering questions in dedicated forums here.
    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserversecurity
    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverGP

    --please don't forget to Accept as answer if the reply is helpful--


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

