How do I extract all Group Policy Objects through PowerShell so I can compare them to the CIS Benchmark configuration guidelines for a safe and secure environment?
No code provided as I am an intern and looking to learn.
EDIT:
Export all GPO via the below.
Get-GPO -All | Foreach-Object {$_.GenerateReport('html') | Out-File "$($_.DisplayName).htm"}
To ensure your GPO is CIS compliant you can't really just run a PowerShell script and let it update them all. Your best bet is to use one of the supplied Microsoft administrative GPO templates.
If you have already set up your environment then you can download the template above and compare it to your current GPOs using the Microsoft Policy Analyzer to ensure you are meeting the security baseline standards set out by CIS Benchmark and the Australian Information Security manual.
Related
In Local Group Policy Editor (GUI) there is a setting called Do not allow window animations located in Computer Configuration->Administrative Templates->Windows Components->Desktop Window Manager that I would like to set as Enabled using the powershell, Since my windows version is professional I can added the RSAT GroupPolicy capability to my machine which I did and now I can use the Group Policy Cmdlets in Windows PowerShell
but I am clue less on how to Enable that feature using the commands
I tired to use
Get-GPO -Name "Do not allow window animations"
but this returns
Get-GPO : Current security context is not associated with an Active Directory domain or forest.
the grouppolicy module is wokring fine but I can't figure out how to query or change the value of any settings in the GPO
If you want cmdlets in order to change values you can use the PolicyFileEditor module from the gallery
https://www.powershellgallery.com/packages/PolicyFileEditor/3.0.1
The Get-GPO function is meant exclusively for Domain Group Policies, and not Local Policies, which it seems you are referencing. The description for the module also mentions this:
Gets one GPO or all the GPOs in a domain.
In order to modify local policies, you need to make a change to the respective setting in the registry
For example to disable the Shutdown button, you would need to modify:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown
Value = 1
I have a working PS script that gets the boot time of remote servers
#$ServerArray is the list of servers
$cso = New-CimSessionOption -Protocol Dcom
$cs = New-CimSession -ComputerName $ServerArray -SessionOption $cso
Get-CimInstance -CimSession $cs -ClassName win32_operatingsystem -OperationTimeoutSec 10 | select csname, Caption, lastbootuptime | sort lastbootuptime | format-table -autosize
Result:
csname Caption lastbootuptime
------ ------- --------------
server1 Microsoft Windows Server 2012 R2 Standard 10/30/2021 3:07:23 AM
server2 Microsoft Windows Server 2012 R2 Standard 10/30/2021 3:12:35 AM
server3 Microsoft Windows Server 2012 R2 Standard 10/30/2021 3:13:34 AM
Are there any other details that can be extracted using PowerShell or another API to show that the server has properly booted?
Note: This may be difficult to use PowerShell for depending on the mechanism of execution; PowerShell Remoting is not available during early stages of boot, nor is an interactive CLI. However, some agents or services (like VMware Tools as an example) can facilitate remote execution at times like these. Scheduled Tasks can also be leveraged to run code locally during some earlier boot phases. Though this answer centers around PowerShell, the general information can be used with other programming languages as well.
There are boot states of Windows you can attempt to look for ways to check these but the most reliable way I've found to know if the computer is in a state for a user to log on is to wait for Get-Process winlogon to return a process back. Once winlogon is running, the computer is near or able to facilitate logon sessions, pending completion of GPO application.
This SuperUser answer explains how to use the Windows Performance Toolkit (part of the Windows SDK) to initiate a boot trace and disseminate its report, but that isn't the focus of this question or answer. I'm including it here to show that waiting for winlogon is the right way to identify when the system is ready for interaction; execution of winlogon is actually the final Windows boot phase and that answer exemplifies this.
Note: Technically, logging in and waiting for scheduled tasks to complete on login is the final step but that portion comes after after kernel boot has completed, and can be repeated for multiple logon sessions. I don't consider this part of the "boot sequence" or system initialization.
As for the boot phases of Windows I've only been able to generate a report of a boot trace using xbootmgr. I'm not sure there is a documented API (win32 or otherwise) exposed to the userspace to check for the current boot phase outside of the boot trace. At this time I can only recommend looking at environmental details to know the current boot phase (such as checking for the winlogon process), although I'm not familiar enough with the environments of the other boot phases to make additional recommendations here.
If I learn more information about the other phases I will update this answer.
I have a rather simple task. Is there any way to add a Group Policy under User-Configuration (particularly logon / logoff PowerShell scripts) ? I have seen tons of guides Like this one, but they are making it via GUI. I'd like to run a script, so all files are mapped from Network Fileshares.
I need an automation to configure master-image for citrix environment. (Maybe this can be achieved with BIS-F? or is there some sort of registry key? )
Thank you in Advance!
Here's a screenshot of this Policy (i can't make my own, because it's in German)
The New-GPO cmdlet creates a GPO with a specified name. By default, the newly created GPO is not linked to a site, domain, or organizational unit (OU).
See more: https://learn.microsoft.com/en-us/powershell/module/grouppolicy/new-gpo?view=win10-ps
How can i add user into permission list using Windows PowerShell command
Information about dcom permission could be accessed via winregistry, HKLM\Software\Microsoft\Ole, DefaultAccessPermission / DefaultLaunchPermission, or via wmi.
Either way you need to get sid of your user, create object in SDDL format, and put it to registry. There is already few examples of powershell implementation on internet, for example this one.
But for real life I can suggest to do it not from powershell, but from GPO (Computer configuration - windows settings - security settings - local policies - security options - DCOM: Machine Launch/Access Restrictions in Security Descriptor Definition Language (SDDL) syntax ). Its easy, GUI-provided, could be used in SCCM compliance checks, etc etc.
I'm looking for some guidance on how to automat applying a set of permissions withn the local security policy to a multiple users on multiple servers.
For example, via a script, I want to apply "act as part of the operating system" and "adjust memoroy quotas for a process" to user TEST1 and TEST2.
Any feedback on how to get started would be appreciated. thanks!
From a command line, the Microsoft-provided solution is secedit. AppDeploy is a great resource for packaging in general, and they have a good page on secedit here: http://www.osdeploy.com/tips/detail.asp?id=23
In short, change your policies using the Local Security Settings MMC snap-in, then export with secedit as in this page (http://www.webservertalk.com/message534715.html -- also assuming this computer isn't a member of a domain), then import as usual.
Is this machine domain joined? If so, you'll need to make sure no domain policies are applied. Otherwise the domain policies will be exported along with the local ones.
Simpler answer here:
Scripting Local Security Policy
Use ntrights.exe from the Windows 2003 Resource Kit.
However, this doesn't seem to help with the "adjust memory quotas for a process" right.