IT-Artikelen

Windows 10 1809 (Server 2019) Best Practices Tutorial

Microsoft has made it much easier to apply its security best practices to your environment.

With a few clicks and commands you have your environment configured and its attack surface reduced.

In the past you had to go through large installations or search out and apply every setting individually. That’s over now.

Preparing and Downloading the Tools

Follow this link to download the tools:

https://www.microsoft.com/en-us/download/details.aspx?id=55319

Click on Download and select the appropriate versions for your OS.

Note: this guide only applies to Windows 10 1809. Don’t lock yourself out! Perform it FIRST on a test machine, and don’t apply these settings just because you think you cannot go wrong.

Dependency

You need at least LGPO to apply the Group Policy to your local OS:

And you can choose your OS of the following options:

Windows 10:

  • 1507
  • 1511
  • 1607 & Server 2016
  • 1703
  • 1709
  • 1803
  • 1809 & Server 2019
  • Server 2012 R2
  • Another option is Office 2016 Baseline

While older versions like Windows 10 1709 have a batch file to apply the LGPO, Windows 10 1809 has a PowerShell script to apply your LGPO / DCGPO settings.

Let’s have a look at that.

In Action

Unpacking and Running the LGPO on a Workstation to apply Local Group Policy Workstation Best Practices.

Copy the zip files to a folder, for example C:\LGPO, and unpack LGPO and Windows 10 1809 …

Copy LGPO.exe to the folder of the Windows 10 1809 version.

Go up one folder level and check that BaselineLocalInstall.ps1 is there.

Prerequisite check

Make sure you are a local Administrator on your workstation before you perform any action.

If you’re not an Administrator, these policies will lock you out of CMD.exe and PowerShell.exe.

Then your only fail-safe, before a policy locks you out, is to log in with the Administrator account.

Open PowerShell as Administrator and navigate to the following path:

C:\LGPO\Windows 10 Version 1809 and Windows Server 2019 Security Baseline\Local_Script

You have several options to choose from:

.\BaselineLocalInstall.ps1 -Win10DomainJoined      - for Windows 10 v1809, domain-joined

.\BaselineLocalInstall.ps1 -Win10NonDomainJoined   - for Windows 10 v1809, non-domain-joined

.\BaselineLocalInstall.ps1 -WS2019Member           - for Windows Server 2019, domain-joined

.\BaselineLocalInstall.ps1 -WS2019NonDomainJoined  - for Windows Server 2019, non-domain-joined

.\BaselineLocalInstall.ps1 -WS2019DomainController - for Windows Server 2019, domain controller

Here you can see you have different options.

So once more: My advice is to do this on a test machine, so you don’t lock yourself out. Make sure you’re an Administrator of the machine you’re working on!

Open an elevated PowerShell session by typing powershell.exe in your Start menu, right-clicking it and choosing Run as Administrator.

Enter the command:

cd "C:\LGPO\Windows 10 Version 1809 and Windows Server 2019 Security Baseline\Local_Script"

Followed by:

.\BaselineLocalInstall.ps1 -Win10NonDomainJoined
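The steps above as one script, added here as an example and not taken from the article or from Microsoft’s toolkit: it performs the prerequisite checks the text asks for (local Administrator, release 1809, both tools present), exports the current local policy with LGPO.exe /b before anything changes, and only then calls BaselineLocalInstall.ps1 with the chosen switch. It assumes the folder layout used in this article (LGPO.exe unpacked to C:\LGPO\LGPO and the baseline folder under C:\LGPO); the -Mode parameter, the C:\LGPO\Backup folder and the backup name are my own choices.

```powershell
# Added example, not code from the original article: wrapper around the steps
# above that checks prerequisites, backs up the current local policy with
# LGPO.exe /b and then applies the chosen baseline profile.
# Assumptions: the folder layout from the article (C:\LGPO\LGPO\LGPO.exe and the
# extracted baseline folder under C:\LGPO) and an elevated PowerShell session on
# a test machine. $Mode, $BackupRoot and the backup name are my own choices.
[CmdletBinding()]
param(
    [ValidateSet('Win10DomainJoined', 'Win10NonDomainJoined', 'WS2019Member',
                 'WS2019NonDomainJoined', 'WS2019DomainController')]
    [string]$Mode = 'Win10NonDomainJoined',

    [string]$BaselineRoot = 'C:\LGPO\Windows 10 Version 1809 and Windows Server 2019 Security Baseline',
    [string]$LgpoExe      = 'C:\LGPO\LGPO\LGPO.exe',
    [string]$BackupRoot   = 'C:\LGPO\Backup'
)

$ErrorActionPreference = 'Stop'

# 1. Local Administrator check: the UAC setting in the baseline denies elevation
#    for standard users afterwards, so a non-admin would be locked out.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session (Run as Administrator).'
}

# 2. The guide applies to 1809 / Server 2019 only; refuse any other release.
$releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
if ($releaseId -ne '1809') {
    throw "This baseline targets release 1809; this machine reports ReleaseId '$releaseId'."
}

# 3. Both tools must be where the article puts them.
$installScript = Join-Path $BaselineRoot 'Local_Script\BaselineLocalInstall.ps1'
foreach ($path in @($LgpoExe, $installScript)) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing: $path" }
}

# 4. Export the current local policy first (LGPO.exe /b, the same call as in the
#    Exporting section) so the pre-baseline state is on disk before anything changes.
$backupDir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
& $LgpoExe /b "$backupDir\" /n "Local policy before 1809 baseline"
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /b failed with exit code $LASTEXITCODE" }
Write-Host "Pre-baseline policy backup written to $backupDir"

# 5. Apply the selected profile. Splatting @{ Win10NonDomainJoined = $true } is
#    the same as typing -Win10NonDomainJoined on the command line.
$switch = @{ $Mode = $true }
Push-Location (Split-Path -Parent $installScript)
try     { & $installScript @switch }
finally { Pop-Location }

Write-Host "Baseline profile '$Mode' applied. Test cmd.exe, PowerShell and your applications before rolling it out further."
```

Run it from the elevated session as `.\Apply-Baseline.ps1 -Mode Win10NonDomainJoined` (any file name will do). One caveat on the backup: importing it later with LGPO.exe /g restores the values it contains, but it does not remove settings the baseline added where the machine previously had no local policy at all, so on a test machine a VM snapshot or system image is the reliable way back.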

You can see the script in action in the following screenshot:

[Screenshot: BaselineLocalInstall.ps1 running]

That’s it: you’ve applied the best practices to your test computer.

Test some applications such as Outlook, cmd and PowerShell and check that they run properly.

You’ve got yourself a well protected PC.

Exporting the Policy

Go to the folder containing LGPO.exe:

C:\LGPO\LGPO

And enter the following command:

.\LGPO.exe /b C:\LGPO\LGPO\ /n "My Best Practices for Windows 10 1809"

To import the policy once more:

.\LGPO.exe /g C:\LGPO\LGPO\

You can copy the generated folder under C:\LGPO\LGPO to a network share.

Include the exported policy folder, as shown above, together with LGPO.exe in the root folder next to the PowerShell script.

In case you’re in a domain environment, you can put the folder in the NETLOGON share and apply a GPO that runs it with the following command:

# File: Powershell Import Local Policy Best Practices Windows 10 1809.ps1
# Copy to User Configuration > Logon Script
# Test version 1.0

powershell.exe -ExecutionPolicy Bypass -File "\\DOMAIN.LOCAL\NETLOGON\LGPO\ImportLocalGPOPolicy.ps1"
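The article names ImportLocalGPOPolicy.ps1 but does not show its contents. What follows is an added example of how such a script could look, written for this page and not the author’s script: it refuses to run an LGPO.exe from the share unless it carries a valid Microsoft Authenticode signature, runs the same LGPO.exe /g import as above, and records the imported version in a registry key so that repeated logons do not re-import the policy every time. The share path \\DOMAIN.LOCAL\NETLOGON\LGPO comes from the article; the version string, the log file and the registry key HKLM:\SOFTWARE\LocalBaselineImport are hypothetical choices of mine. LGPO.exe writes machine policy, so this only works when it runs with administrative rights: under a user logon script that means the user must be a local administrator, whereas a computer startup script runs as SYSTEM.

```powershell
# Added example, not the article's script: a possible ImportLocalGPOPolicy.ps1.
# Assumptions: LGPO.exe and the exported policy folder sit in the share root
# (as the article describes), a version string you bump on every re-export,
# and an elevated context (LGPO.exe needs administrative rights to write
# machine policy). The registry key, log path and version are hypothetical.
param(
    [string]$Share   = '\\DOMAIN.LOCAL\NETLOGON\LGPO',
    [string]$Version = '2019-03-03',                       # bump when the export changes
    [string]$LogFile = "$env:ProgramData\LGPO-import.log"
)

$ErrorActionPreference = 'Stop'
$marker = 'HKLM:\SOFTWARE\LocalBaselineImport'             # hypothetical key, only stores the applied version

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

try {
    # Idempotence: skip the import when this version is already on the machine.
    $applied = (Get-ItemProperty -Path $marker -ErrorAction SilentlyContinue).Version
    if ($applied -eq $Version) {
        Write-Log "Version $Version already applied, nothing to do"
        return
    }

    # LGPO.exe is executed straight from a network share, so check that it is
    # the signed Microsoft binary before running it.
    $lgpo = Join-Path $Share 'LGPO.exe'
    $sig  = Get-AuthenticodeSignature -FilePath $lgpo
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
        throw "Refusing to run $lgpo (signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)')"
    }

    # Same import call as in the article: LGPO.exe /g <folder with the exported policy>
    & $lgpo /g "$Share\"
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /g returned exit code $LASTEXITCODE" }

    # Remember what was applied so the next logon is a no-op.
    New-Item -Path $marker -Force | Out-Null
    Set-ItemProperty -Path $marker -Name Version -Value $Version
    Write-Log "Imported local policy version $Version from $Share"
}
catch {
    Write-Log "FAILED: $_"
    throw
}
```

The log file under %ProgramData% gives you something to check on a machine where the import did not take, and the version marker means you can re-export the policy, bump the version, and have only the changed baseline re-applied.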

That’s it. Have fun!

 

Troubleshooting

Now that the settings are applied, there are two you should be aware of and might want to disable or adjust.

I’ve never encountered any issues with all the settings applied, except for these two:

NTLM & UAC

NTLM Adjustment

I’ll show you how to get around that:

In the same Powershell session enter the following command:

gpedit.msc

Now go to:

Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Scroll down to Network security: LAN Manager authentication level.

The baseline sets it to: Send NTLMv2 response only. Refuse LM & NTLM

In case of issues, you might want to revert to NTLM.

Be aware that the other settings are less secure; try to find the cause in your application instead. Don’t downgrade security settings.

The other setting is UAC.

User Account Control: Behavior of the elevation prompt for standard users

This policy setting controls the behavior of the elevation prompt for standard users.

This setting denies any attempt to run CMD or PowerShell as Administrator and won’t let you enter credentials.

Now you have two options:

Either you adjust the setting to one of these:

With Prompt for Credentials …

Or you leave it as it is and use another method:

Start PowerShell the normal way and enter one of the following commands, adapted to your environment.

runas /user:Administrator powershell.exe

or, from an existing PowerShell prompt:

Start-Process PowerShell -Verb RunAs

It will prompt you for credentials and you can perform any needed tasks.
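To check the two troubleshooting settings without clicking through gpedit.msc, here is an added example (mine, not from the article) that reads the registry values behind "Network security: LAN Manager authentication level" (LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where 5 is "Send NTLMv2 response only. Refuse LM & NTLM") and "User Account Control: Behavior of the elevation prompt for standard users" (ConsentPromptBehaviorUser under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, where 0 is "Automatically deny elevation requests"), and then lists recent events from the Microsoft-Windows-NTLM/Operational log. That log is the way to find which application still needs LM or NTLM rather than lowering the LAN Manager level; it only fills up when one of the "Network security: Restrict NTLM: Audit ..." policies is enabled, which the example assumes. Run it from an elevated session.

```powershell
# Added example, not code from the original article: report the two settings
# from the Troubleshooting section and show recent NTLM audit events.
# Assumptions: elevated session; the NTLM/Operational log only contains events
# when a "Restrict NTLM: Audit ..." policy is enabled.

function Get-LmCompatibilityLevel {
    # Registry value behind "Network security: LAN Manager authentication level".
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $v   = $lsa.LmCompatibilityLevel
    $names = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }
    $meaning = if ($null -eq $v) { 'Not configured (OS default)' } else { $names[[int]$v] }
    [pscustomobject]@{
        Setting  = 'Network security: LAN Manager authentication level'
        Value    = $v
        Meaning  = $meaning
        Baseline = 5
    }
}

function Get-UacStandardUserPrompt {
    # Registry value behind "UAC: Behavior of the elevation prompt for standard users".
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $v   = $pol.ConsentPromptBehaviorUser
    $names = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    $meaning = if ($null -eq $v) { 'Not configured (OS default)' } else { $names[[int]$v] }
    [pscustomobject]@{
        Setting  = 'User Account Control: Behavior of the elevation prompt for standard users'
        Value    = $v
        Meaning  = $meaning
        Baseline = 0
    }
}

function Get-RecentNtlmAuditEvents([int]$Max = 20) {
    # 8001 = outgoing NTLM from this client, 8002 = incoming NTLM to this machine.
    # The first line of each message names the process or target involved.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002 } `
                     -MaxEvents $Max -ErrorAction Stop |
            Select-Object TimeCreated, Id,
                          @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
    }
    catch {
        Write-Warning "No NTLM audit events available: $($_.Exception.Message)"
    }
}

(Get-LmCompatibilityLevel), (Get-UacStandardUserPrompt) | Format-List
Get-RecentNtlmAuditEvents | Format-Table -AutoSize
```

If an application fails after the baseline, compare the Value column with the Baseline column first; if the LAN Manager level is the culprit, the 8001/8002 events tell you which process or remote host is still negotiating legacy NTLM, so you can fix that side rather than lowering the setting for the whole machine.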