Hardening Windows Installations - Security Baselines - Part 2

The Microsoft Security Compliance Toolkit 1.0 is a valuable tool for further advancing the hardening of Windows installations through this process. The tool, per Microsoft, "allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations." The webpage further explains: "The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a domain controller or inject them directly into the testbed host to test their effects."

At the time of this writing, the tool can be found at https://www.microsoft.com/en-us/download/details.aspx?id=55319. The latest version, published on 10/31/2023, contains the initial files this process will require, plus LGPO.zip, which is used to modify the Local Group Policy of a Windows computer. The full range of what is possible with the Microsoft Security Compliance Toolkit is beyond the scope of this post.


ConnectWise Automate provides Web Distributed Authoring and Versioning (WebDAV), a Hypertext Transfer Protocol (HTTP) extension that allows clients to perform file management on remote Web Servers. For this guide, WebDAV will simply be a repository to store the Microsoft Security Compliance Toolkit and the other files required to achieve enhanced security of Windows computers. The total folder size ConnectWise allows is 5 GB, which is enough for the complete package of files once the process is completed. The following ConnectWise articles, which require a ConnectWise account, provide additional guidance on WebDAV, but that is outside the scope of this guide:

ConnectWise Documentation or ConnectWise Documentation

WebDAV, in layman's terms, allows an individual to simply map a folder. Instead of a folder shared from a server on a Local Area Network (LAN), it is a folder shared from, and accessed through, a Web Server using HTTPS. ConnectWise provides the "My Server Dashboard" for Administrators to reset their WebDAV credentials. In the interest of security, the WebDAV credentials are only valid for 60 days.


Once the credentials are set, the ConnectWise automated system emails the Account Username used for connecting to the administrator's email address registered on file. Knowing the Account Username and password, the user wishing to implement this solution can simply map the WebDAV folder in the same fashion as mapping a regularly shared folder.


This yields remote access to the shared folder through a Web Server.


In the development of this process, orchestrating the download of files from the Automate WebDAV folder to each managed Windows computer was key to making a security baseline functional. Returning to the Microsoft Security Compliance Toolkit, the files to download are LGPO.zip and the Windows 10 version 22H2 Security Baseline.


Once downloaded, the files can be extracted to their respective folders.


These can then be uploaded to the Automate WebDAV folder established earlier.
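As an added example of the orchestration described above (this is not code from the original post or from ConnectWise), the following PowerShell script pulls LGPO.zip and the baseline archive from the Automate WebDAV folder to a managed computer, checks each archive's SHA-256 against a value recorded at upload time, and extracts it. The WebDAV URL, local staging path and hashes are placeholders to be replaced.

```powershell
# Added example: fetch the Security Compliance Toolkit files from the Automate
# WebDAV folder to a managed computer, verify them, and extract them.
# All URLs, paths and hashes below are placeholders.

$WebDavBase  = 'https://automate.example.com/WebDAV/SecurityBaseline'   # placeholder WebDAV folder URL
$StagingRoot = 'C:\ProgramData\SecurityBaseline'                         # local staging folder
$Credential  = Get-Credential -Message 'Automate WebDAV account'         # Account Username from the ConnectWise email

# Archive name -> expected SHA-256, recorded when the archives were uploaded (placeholders here).
$Files = @{
    'LGPO.zip'                                      = 'REPLACE_WITH_SHA256_OF_LGPO_ZIP'
    'Windows 10 version 22H2 Security Baseline.zip' = 'REPLACE_WITH_SHA256_OF_BASELINE_ZIP'
}

New-Item -ItemType Directory -Path $StagingRoot -Force | Out-Null

foreach ($name in $Files.Keys) {
    $url  = "$WebDavBase/$([uri]::EscapeDataString($name))"
    $dest = Join-Path $StagingRoot $name

    # WebDAV is plain HTTPS, so a GET with the WebDAV credentials retrieves the file.
    # (On PowerShell 7 add -Authentication Basic; Windows PowerShell 5.1 answers the challenge itself.)
    Invoke-WebRequest -Uri $url -Credential $Credential -OutFile $dest -UseBasicParsing -ErrorAction Stop

    # Refuse to extract anything that does not match the hash recorded at upload time.
    $actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($actual -ne $Files[$name].ToUpper()) {
        Remove-Item $dest -Force
        throw "Hash mismatch for ${name}: expected $($Files[$name]), got $actual"
    }

    # Extract into a folder named after the archive, replacing any earlier copy.
    $target = Join-Path $StagingRoot ([IO.Path]::GetFileNameWithoutExtension($name))
    if (Test-Path $target) { Remove-Item $target -Recurse -Force }
    Expand-Archive -Path $dest -DestinationPath $target -Force
    Write-Host "Staged $name -> $target"
}
```

When run by an Automate script rather than interactively, replace Get-Credential with a credential retrieved from the platform's stored credentials so the WebDAV password is never embedded in the script.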


With the initial legwork done, the following posts will tie all of these steps together, detailing how this can be applied to Microsoft Windows computers that are domain-joined, non-domain-joined, member servers, or Active Directory servers.


2024-06-02