Microsoft has made it much easier to apply security best practices to your environment.
With a few simple clicks and commands, your environment is hardened and its attack surface reduced.
In the past this meant either a heavyweight installation or searching for and applying each individual setting by hand. That's over now.
Preparing and Downloading the Tools
Follow this link to download the tools:
Click on Download and select the appropriate versions for your OS.
Note: this guide only applies to Windows 10 1809. Don't lock yourself out! Perform it FIRST on a test machine, and don't apply these settings on the assumption that nothing can go wrong.
You need at least LGPO to apply the Group Policy to your local OS:
And you can choose your OS of the following options:
- 1607 & Server 2016
- 1809 & Server 2019
- Server 2012 R2
- Another option is the Office 2016 Baseline
While older versions such as Windows 10 1709 ship a batch file to apply the LGPO settings, Windows 10 1809 ships a PowerShell script to apply your LGPO / DCGPO settings.
Let’s have a look at that.
Unpacking and Running LGPO on a Workstation to Apply Local Group Policy Best Practices
Copy the zip files to a folder, for example C:\LGPO, and unpack both the LGPO and Windows 10 1809 archives there.
Copy LGPO.exe to the folder of the Windows 10 1809 version.
Go up one folder level and you will see BaselineLocalInstall.ps1 there.
Make sure you are a local Administrator on your workstation before you perform any action.
The policy locks CMD.exe and PowerShell.exe for anyone who is not an Administrator,
so your only fail-safe once you have locked yourself out with the policy is to log in with the Administrator account.
Open PowerShell as Administrator and navigate to the following path:
C:\LGPO\Windows 10 Version 1809 and Windows Server 2019 Security Baseline\Local_Script
You have several options to choose from:
.\BaselineLocalInstall.ps1 -Win10DomainJoined - for Windows 10 v1809, domain-joined
.\BaselineLocalInstall.ps1 -Win10NonDomainJoined - for Windows 10 v1809, non-domain-joined
.\BaselineLocalInstall.ps1 -WS2019Member - for Windows Server 2019, domain-joined
.\BaselineLocalInstall.ps1 -WS2019NonDomainJoined - for Windows Server 2019, non-domain-joined
.\BaselineLocalInstall.ps1 -WS2019DomainController - for Windows Server 2019, domain controller
Once more: my advice is to do this on a test machine, so you don't lock yourself out. Make sure you're an Administrator of the machine you're working on!
Open an elevated PowerShell prompt by typing powershell.exe in your Start menu and right-clicking Run as Administrator.
Enter the command:
cd "C:\LGPO\Windows 10 Version 1809 and Windows Server 2019 Security Baseline\Local_Script"
You can see the script in action in the next screenshot:
That's it: you've applied the best practices to your test computer.
Test some applications such as Outlook, cmd and PowerShell and check whether they run properly.
You've got yourself a well-protected PC.
Exporting the Policy
Go to the folder containing LGPO.exe and enter the following command:
.\LGPO.exe /b C:\LGPO\LGPO\ /n "My Best Practices for Windows 10 1809"
To import the policy once more:
.\LGPO.exe /g C:\LGPO\LGPO\
You can copy the generated folder under C:\LGPO\LGPO\ to a network share.
Place the exported policy, as shown above, together with LGPO.exe in the same folder as the PowerShell script.
If you're in a domain environment you can put the folder in the NETLOGON share and apply a GPO that executes it with the following command:
# File: Powershell Import Local Policy Best Practices Windows 10 1809.ps1
# Copy to User Configuration > Logon Script
# Test version 1.0
# -File makes PowerShell execute the script instead of treating the path as a command string
powershell.exe -ExecutionPolicy Bypass -File "\\DOMAIN.LOCAL\NETLOGON\LGPO\ImportLocalGPOPolicy.ps1"
That’s it. Have fun!
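As an added example (not the author's script), here is what a hypothetical ImportLocalGPOPolicy.ps1 for that NETLOGON deployment could look like; it also addresses the lock-out warning from the section above by refusing to run when not elevated or on the wrong Windows build, and by backing up the current local policy before the import. The policy folder name Policy, the backup location C:\LGPO\Backups and the parameter names are assumptions.

```powershell
# Hypothetical ImportLocalGPOPolicy.ps1 (added example, not the guide's own script).
# Assumes it sits next to LGPO.exe and a copy of the exported policy folder
# (the guide's C:\LGPO\LGPO, copied here as "Policy"), and runs as a local Administrator.
[CmdletBinding()]
param(
    [string]$BaseDir      = $PSScriptRoot,        # folder holding LGPO.exe and the policy
    [string]$PolicyFolder = 'Policy',             # assumed name of the exported policy copy
    [string]$BackupRoot   = 'C:\LGPO\Backups'     # assumed location for rollback backups
)
$ErrorActionPreference = 'Stop'
if (-not $BaseDir) { $BaseDir = $PWD.Path }   # running interactively rather than as a file

# LGPO.exe writes the local policy store, so it needs an elevated token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script as a local Administrator; LGPO.exe cannot write the policy otherwise.'
}

# The guide covers Windows 10 1809 and Server 2019 only; both report build 17763.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($build -ne 17763) { throw "OS build $build is not 17763 (Windows 10 1809 / Server 2019); aborting." }

$lgpo   = Join-Path $BaseDir 'LGPO.exe'
$policy = Join-Path $BaseDir $PolicyFolder
foreach ($path in $lgpo, $policy) {
    if (-not (Test-Path $path)) { throw "Required item not found: $path" }
}

# Rollback point: export the policy that is in place now, using the same /b switch as the guide.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $backup -Force | Out-Null
& $lgpo /b $backup /n "Local policy before baseline import $stamp"
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /b failed with exit code $LASTEXITCODE" }

# Import the exported baseline, the same /g call the guide runs by hand.
& $lgpo /g $policy
if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /g failed with exit code $LASTEXITCODE" }

Write-Output "Imported policy from $policy. To roll back, run: LGPO.exe /g $backup"
```

Because the script throws when it is not elevated, it will not silently do nothing when launched in a non-admin context; the account running it must be a local Administrator, as the guide requires.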
Two of the applied settings deserve attention; you might want to disable or adjust them.
I've never encountered any issues with all the settings applied, except for two:
NTLM & UAC
I'll show you how to get around those:
In the same PowerShell session enter the following command:
Now go to:
Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Scroll down to Network security: LAN Manager authentication level.
The baseline sets it to Send NTLMv2 response only. Refuse LM & NTLM.
If you run into issues, you might want to revert to NTLM.
Be aware that the other settings are less secure; try to find the cause in your application instead. Don't downgrade security settings.
The other setting is UAC:
User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
With the baseline applied, this setting simply denies any attempt to run CMD or PowerShell as Administrator from a standard account and won't let you enter credentials.
Now you have two options:
Either you adjust the setting to one of the Prompt for credentials options ….
Or you leave it as is and use another method: start PowerShell the normal way and run one of the following commands, adjusted to your environment:
runas /user:Administrator powershell.exe
or
Start-Process PowerShell -Verb RunAs
Either one will prompt you for credentials, and you can then perform any needed tasks.
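To confirm where these two settings actually stand on a machine, before and after any adjustment, the following added check (not part of the original guide) reads the registry values behind both policies and flags any deviation from the baseline. The registry paths and value meanings are the standard ones for these two policies; the function names are my own.

```powershell
# Added example, not from the original guide: report the two baseline settings the text
# singles out (LAN Manager authentication level and the UAC prompt for standard users).

# Meanings of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel; the baseline sets 5.
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
# Meanings of ...\Policies\System\ConsentPromptBehaviorUser; the baseline sets 0.
$uacLevels = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    # A missing value means Windows uses its built-in default, so report that instead.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-BaselineExceptions {
    # Built-in defaults when unset: LmCompatibilityLevel 3, ConsentPromptBehaviorUser 3.
    $lm  = Get-RegistryValueOrDefault 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel' 3
    $uac = Get-RegistryValueOrDefault 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'ConsentPromptBehaviorUser' 3
    [pscustomobject]@{
        Setting    = 'Network security: LAN Manager authentication level'
        Value      = $lm
        Meaning    = $lmLevels[$lm]
        AsBaseline = ($lm -eq 5)   # below 5 the machine still accepts LM and/or NTLMv1 from clients
    }
    [pscustomobject]@{
        Setting    = 'UAC: Behavior of the elevation prompt for standard users'
        Value      = $uac
        Meaning    = $uacLevels[$uac]
        AsBaseline = ($uac -eq 0)  # 1 or 3 brings back the credential prompt the guide describes
    }
}

Get-BaselineExceptions | Format-Table -AutoSize
```

Run it once right after applying the baseline to record the hardened state, and again after any change you make while troubleshooting, so a relaxed setting does not linger unnoticed.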