Security Baselining with AGPM Templates
Microsoft has provided many solutions for streamlining the creation of Group Policy Objects (GPOs) and their settings, to help administrators apply settings to servers and desktops quickly, reliably, and efficiently. The history of these solutions is lengthy and includes security templates, the Security Configuration Wizard, and most recently the Starter GPOs in Windows Server 2008. Unfortunately, each of these solutions creates only a partial baseline of settings, and none provides an end-to-end solution. Now that Advanced Group Policy Management (AGPM) is available, there is a new option that takes the concept of streamlining GPOs to a whole new level. The GPO templates that are incorporated in AGPM are second to none and include far more than you could ever imagine.
Security templates have been around for a long time. They were first introduced back in Windows NT and have not changed much since then. The premise of the security template is that you can pre-determine and configure security settings for the different types of computers that are on your network. Once these settings are determined, you can then distribute them through Group Policy.
The premise of the security templates is not only solid, it is a fantastic idea. Unfortunately, the concept fell short as the security template does not include all of the security settings, nor any of the other key settings that are included in most GPOs.
To give you an overview of what these security templates do, we first need to understand how to get to them. You access the security templates by opening the MMC and adding the Security Templates snap-in. The result is the list of Microsoft-generated security templates, as shown in Figure 1.
Figure 1: Security templates snap-in can be seen using the MMC
For information on how to establish a baseline of settings that will be used in the security templates, as well as deployment of the security templates, refer to the following articles:
- Baselining with Security Templates
- Understanding Windows Security Templates
- Customizing Windows Security Templates
- Hardening Servers with Security Templates
When you expand the security template to see the different areas that can be configured, you will see that the list of settings is close to the complete list within a GPO, but it is missing some key areas of configuration, as shown in Figure 2.
Figure 2: Security templates cover most of the security settings, but not all
The security templates don't provide enough breadth to function with the newly updated GPO settings that are included with Windows XP, Windows Vista, and Windows Server 2008.
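A security template is a plain INF text file, so a machine's settings can be checked against a baseline template mechanically. The following added example (not part of the original article) parses two constructed templates and reports every setting where an exported configuration, assumed here to come from `secedit /export /cfg`, departs from the baseline; all setting values and the SID are constructed.

```python
# Added example. Both INF texts are constructed samples in security-template format.
BASELINE_INF = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 14
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
"""
EXPORTED_INF = r"""
[System Access]
MinimumPasswordLength = 8
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
[Privilege Rights]
SeDebugPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1001,*S-1-5-32-544
"""
METADATA = {"Unicode", "Version"}  # file header sections, not policy settings

def parse_template(text):
    """Return {section: {setting: value}} for security-template INF text."""
    sections, name, current = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = sections.setdefault(name, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if name == "Privilege Rights":  # account list: order is irrelevant
                value = ",".join(sorted(v.strip() for v in value.split(",")))
            current[key] = value
    return sections

def drift(baseline, exported):
    """Return (section, setting, expected, found) per departure; found is None if unset."""
    findings = [
        (section, key, expected, exported.get(section, {}).get(key))
        for section, settings in baseline.items() if section not in METADATA
        for key, expected in settings.items()
    ]
    return sorted((f for f in findings if f[2] != f[3]), key=lambda f: f[:2])

if __name__ == "__main__":
    for finding in drift(parse_template(BASELINE_INF), parse_template(EXPORTED_INF)):
        print("%s / %s: expected %r, found %r" % finding)
```

The check only covers what the template format can express, which is the limitation described above: settings outside these sections never appear in the comparison.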
Security Configuration Wizard
The Security Configuration Wizard (SCW) was a fantastic idea that was developed in the early Windows Server 2003 timeframe. The goal was to give administrators a wizard-based environment for configuring settings that are difficult to reach and understand. The wizard was very intuitive, providing explanations, best practices, and suggested settings for certain roles that a computer might be servicing.
For more information on how to use and configure the SCW, refer to the article:
The SCW does have some powerful capabilities, but like the security templates, it only covers a portion of the security settings in a GPO, not all of them. The SCW will allow you to configure settings in the following areas:
- Network security
- Registry settings
- Audit policy
Once the SCW has run, the results can then be ported into a GPO. If you combine these settings with the settings from the security template, you get closer to a baseline of security settings, but some settings are still missing.
As a final option for creating a baseline of settings that can be used in a GPO, Windows Server 2008 includes Starter GPOs. Starter GPOs are designed in a similar fashion to the security templates, but they configure a totally different area of the GPO. Starter GPOs only include the Administrative Template settings, which are located under both the Computer Configuration and User Configuration nodes in the GPO, as shown in Figure 3.
Figure 3: Starter GPOs allow you to preset settings under the Administrative Templates nodes in a GPO
As you can see, this solution does not help the previous two solutions with rounding out the security settings that are missing from them. However, Starter GPOs do help the overall situation where administrators want to have a method for creating initial settings in a GPO, which can then be copied into one or more production GPOs.
To learn more about Starter GPOs read this article:
AGPM GPO Templates
As a final option for creating a baseline of settings that can cover the gamut of settings that exist in a routine GPO, the AGPM tool comes to the rescue. AGPM is a tool that is designed for better management of GPOs, especially through the following features:
- Offline editing
- Role based delegation
- Automatic archiving of GPO changes
- Roll back and Roll forward to any GPO in the history
- Workflow for GPO management tasks
What makes the AGPM GPO templates different than the other solutions is that you can configure every single setting that can be included in a GPO within the GPO template. This solution has absolutely no limitations on the settings that can be included within.
The following is a brief step-by-step procedure that you will need to follow to make efficient use of the AGPM GPO templates.
- Create a GPO in AGPM that encompasses the majority of settings that are in all GPOs of a certain type (this might be for desktops, servers, certain user accounts, specific departments, etc.).
- Configure the settings within the GPO as you wish to meet your needs.
- Use AGPM to create a template from the GPO and its settings that you just created, as shown in Figure 4.
- Now that you have the new AGPM GPO template, you can create new GPOs in AGPM from it.
Figure 4: You can create a GPO template from an existing GPO within AGPM
Your solution might be one, two, or tens of GPO templates that you can leverage when you create new GPOs. The key is the fact that you can include every setting that is possible in a GPO within the GPO template. This even includes the settings from PolicyMaker standard edition or the new Group Policy Preferences that Microsoft is including in Windows Server 2008.
There have been many attempts to facilitate the creation of GPOs when there are numerous settings that need to be in the GPO. Initially, you were given security templates, which are proven to be standard and stable, but you don't get all of the security settings that you would want in a GPO used for baselining. Next, the SCW was a more robust and sophisticated solution, but it too did not incorporate all of the security settings in a GPO, even with the security templates being used. Starter GPOs are now on the scene in Windows Server 2008. This solution does not even tackle the security settings; rather, it focuses on the Administrative Templates. The AGPM GPO templates solve the limitations of all of these partial baselining solutions. AGPM GPO templates can configure any setting, including the new technology of Group Policy Preferences (and the legacy PolicyMaker settings). Once these settings are established and GPO templates are created from them, the initial creation and configuration of the settings in a GPO can be lessened or even eliminated with this newfound feature.