Automatic import of local Group Policy and security policy

Source: Internet
Author: User
Tags: password protection

http://blog.csdn.net/wzsy/article/details/5754894

A request came in yesterday: the company requires a set of security policies to be deployed on its servers, and it wants a convenient way to deploy them to servers that are not domain-joined.

First, extract the items to be deployed that can be implemented through Group Policy or the local security policy, as in the following table (partial demonstration):

No.  Requirement
1    "Password must meet complexity requirements" is set to "Enabled"
2    "Maximum password age" is set to "90 days"
3    "Account lockout threshold" is set to 6 invalid logon attempts or fewer
4    "Force shutdown from a remote system" is assigned only to the Administrators group
5    "Shut down the system" is assigned only to the Administrators group
6    "Take ownership of files or other objects" is assigned only to the Administrators group
7    "Audit logon events" is set to audit both success and failure
8    "Audit policy change" is set to audit both success and failure
9    "Audit object access" is set to audit both success and failure
10   "Audit directory service access" is set to audit both success and failure
11   "Audit privilege use" is set to audit both success and failure
12   "Audit system events" is set to audit both success and failure
13   "Audit account management" is set to audit both success and failure
14   "Audit process tracking" is set to audit failure only
15   "Microsoft network server: Amount of idle time required before suspending session" is set to 15 minutes
16   Enable the screen saver, set the wait time to 5 minutes, and enable password protection on resume
17   "Turn off AutoPlay" on all drives

The first 15 items in the table are security policy settings; item 16 (screen saver) belongs to the User Configuration part of Group Policy and item 17 (AutoPlay) to the Computer Configuration part, which is why they end up in User.reg and Machine.reg below. The following analysis and testing was done on Windows Server 2003 only.

First, the security policy can be deployed with the following steps:

:: On the test machine, change the policy manually with gpedit.msc (for example the first 15 items of the table), then export the current policy with the following command

secedit /export /cfg Sec.inf

:: Edit Sec.inf with a text editor and remove everything that does not need to be adjusted, keeping only the policy settings to be customized

For the 15 policy items in the table, the contents of the INF file are as follows:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MaximumPasswordAge = 90
PasswordComplexity = 1
LockoutBadCount = 6
[Event Audit]
; audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 3
[Registry Values]
; 4 = REG_DWORD, 15 = minutes of idle time before the session is suspended
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
[Privilege Rights]
; *S-1-5-32-544 is the well-known SID of the built-in Administrators group
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544

:: Generate the SDB file with the following command (on the test machine this also applies the template immediately, because /configure imports the template into the database and then applies the database)

secedit /configure /db Sec.sdb /cfg Sec.inf

:: Apply the custom policy on the target server with the following command. Do not add the /overwrite switch when building the database, otherwise the settings other than the custom ones are lost

secedit /configure /db Sec.sdb

:: Refresh Group Policy

gpupdate /force
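To confirm that a server actually ended up with the settings in the table, the following Python script (an added example, not part of the original post or of secedit) parses a template in the format written by secedit /export /cfg and evaluates the 15 security-policy items. The sample template embedded in it is constructed from the INF above with two values deliberately weakened (a 180-day password age, and Backup Operators also granted the shut-down right) so that failures show up; the file name taken from the command line is the only other assumption.

```python
"""Offline check of a secedit security template against items 1-15 of the table.

Added example, not code from the original post or from secedit. It assumes the
format written by `secedit /export /cfg Sec.inf` (UTF-16LE with a BOM when
Unicode=yes). SAMPLE_INF is constructed from the INF above, with items 2 and 5
deliberately weakened so that the check reports failures."""
import sys

ADMINS_SID = "*S-1-5-32-544"                     # BUILTIN\Administrators
AUDIT_NONE, AUDIT_FAILURE, AUDIT_BOTH = 0, 2, 3  # [Event Audit] values (1 = success)
AUTODISC_KEY = (r"machine\system\currentcontrolset\services\lanmanserver"
                r"\parameters\autodisconnect")

SAMPLE_INF = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MaximumPasswordAge = 180
PasswordComplexity = 1
LockoutBadCount = 6
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
"""

def load_template(path):
    """Read a template file; secedit writes UTF-16LE with a BOM for Unicode=yes."""
    with open(path, "rb") as f:
        data = f.read()
    return data.decode("utf-16" if data.startswith(b"\xff\xfe") else "cp1252")

def parse_template(text):
    """Return {section: {key: value}}; keys are lowercased (INF is case-insensitive)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def _sids(value):
    """'*S-1-5-32-544,*S-1-5-32-551' -> {'*S-1-5-32-544', '*S-1-5-32-551'}."""
    return {s.strip().upper() for s in value.split(",") if s.strip()}

def check_template(sections):
    """Evaluate items 1-15; returns a list of (item, description, ok)."""
    sa, ea = sections.get("System Access", {}), sections.get("Event Audit", {})
    rv, pr = sections.get("Registry Values", {}), sections.get("Privilege Rights", {})
    audit = lambda key: int(ea.get(key, AUDIT_NONE))
    both = lambda key: audit(key) == AUDIT_BOTH
    # A missing privilege line means "not defined", which is not "Administrators only".
    admins_only = lambda priv: _sids(pr.get(priv, "")) == {ADMINS_SID}
    lockout = int(sa.get("lockoutbadcount", 0))     # 0 = accounts never lock out
    reg_type, _, reg_data = rv.get(AUTODISC_KEY, "").partition(",")
    return [
        (1, "password complexity enabled", sa.get("passwordcomplexity") == "1"),
        (2, "maximum password age 90 days", sa.get("maximumpasswordage") == "90"),
        (3, "lockout threshold 1..6 attempts", 1 <= lockout <= 6),
        (4, "remote shutdown: Administrators only", admins_only("seremoteshutdownprivilege")),
        (5, "shut down system: Administrators only", admins_only("seshutdownprivilege")),
        (6, "take ownership: Administrators only", admins_only("setakeownershipprivilege")),
        (7, "audit logon events: success+failure", both("auditlogonevents")),
        (8, "audit policy change: success+failure", both("auditpolicychange")),
        (9, "audit object access: success+failure", both("auditobjectaccess")),
        (10, "audit directory service access: success+failure", both("auditdsaccess")),
        (11, "audit privilege use: success+failure", both("auditprivilegeuse")),
        (12, "audit system events: success+failure", both("auditsystemevents")),
        (13, "audit account management: success+failure", both("auditaccountmanage")),
        (14, "audit process tracking: failure", (audit("auditprocesstracking") & AUDIT_FAILURE) != 0),
        (15, "AutoDisconnect = 15 min, REG_DWORD", reg_type == "4" and reg_data == "15"),
    ]

def failed_items(checks):
    """Item numbers whose requirement is not met."""
    return [item for item, _, ok in checks if not ok]

if __name__ == "__main__":
    text = load_template(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INF
    results = check_template(parse_template(text))
    for item, desc, ok in results:
        print(f"{'PASS' if ok else 'FAIL'}  {item:2d}  {desc}")
    sys.exit(1 if failed_items(results) else 0)
```

After deployment, export the effective settings on the target with secedit /export /cfg and run the script against that file; the exit code is non-zero when any item fails, so it can be called from a deployment script. Item 3 is checked as 1 to 6 rather than "6 or fewer" because a LockoutBadCount of 0 means accounts are never locked out.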

Second, applying the other Group Policy settings

I had previously studied how to apply Group Policy with the Gpcvreg and Gpscript command-line programs and had written an AutoIt3 UDF for it, which can be used here.
Use gpedit.msc on the test machine to modify items 16 and 17; with gpedit.msc still open, use regedit to look under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects, work out the corresponding settings, and save them into .reg files:

Machine.reg, disables AutoPlay on all drives

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

User.reg, customizes the screen saver settings

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaverIsSecure"="1"
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="300"
"SCRNSAVE.EXE"="scrnsave.scr"
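To verify what the two .reg files will put into the local GPO, here is an added Python check (not part of the original post or of the Poledit.au3 UDF) that parses regedit-style .reg text, handling the dword: and quoted-string syntaxes used above, and evaluates items 16 and 17 of the table. The two .reg texts are constructed from the fragments above with the standard regedit header line added.

```python
"""Parse the Machine.reg and User.reg fragments above and check items 16 and 17.

Added example, not code from the original post or its Poledit.au3 UDF. The two
.reg texts are constructed from the fragments above (with the standard regedit
header line added); only REG_SZ and REG_DWORD values are handled."""
import re

EXPLORER_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
DESKTOP_KEY = r"hkey_current_user\software\policies\microsoft\windows\control panel\desktop"

MACHINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

USER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaverIsSecure"="1"
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="300"
"SCRNSAVE.EXE"="scrnsave.scr"
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}}; paths and names lowercased,
    because the registry treats both case-insensitively."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue                     # header line, blank line or key without values
        name, data = m.group("name").lower(), m.group("data")
        if data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", data[1:-1].replace("\\\\", "\\"))
        else:
            raise ValueError("unsupported value syntax: " + line)
    return keys

def check_policies(machine, user):
    """Items 16 and 17 of the table; returns a list of (item, description, ok)."""
    explorer = machine.get(EXPLORER_KEY, {})
    desktop = user.get(DESKTOP_KEY, {})
    timeout = desktop.get("screensavetimeout", ("REG_SZ", "0"))
    # The screen saver policy values are defined as strings even though they hold
    # numbers, so the value type is checked as well as the content.
    timeout_ok = (timeout[0] == "REG_SZ" and timeout[1].isdigit()
                  and 0 < int(timeout[1]) <= 300)
    return [
        (16, "screen saver enabled", desktop.get("screensaveactive") == ("REG_SZ", "1")),
        (16, "screen saver wait time <= 5 minutes", timeout_ok),
        (16, "password protection on resume", desktop.get("screensaverissecure") == ("REG_SZ", "1")),
        (16, "screen saver executable set", desktop.get("scrnsave.exe", ("REG_SZ", ""))[1] != ""),
        (17, "AutoPlay off for all drive types", explorer.get("nodrivetypeautorun") == ("REG_DWORD", 0xFF)),
    ]

def failed_checks(checks):
    """Descriptions of the checks that did not pass."""
    return [desc for _, desc, ok in checks if not ok]

if __name__ == "__main__":
    for item, desc, ok in check_policies(parse_reg(MACHINE_REG), parse_reg(USER_REG)):
        print(f"{'PASS' if ok else 'FAIL'}  {item}  {desc}")
```

Both keys sit under the Policies branches of the registry, which a standard user cannot modify, so the settings cannot be undone from the user's own profile; the same values written under HKCU\Control Panel\Desktop would only be preferences.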

Third, the batch application script

With the Sec.sdb, Machine.reg and User.reg files ready, and the previously written Poledit.au3 UDF, the following script is all that is needed to apply the policies listed above automatically.

#RequireAdmin
#NoTrayIcon
#include "Poledit.au3"

; Apply the security policy database (items 1-15) if it is present next to the script
If FileExists("Sec.sdb") Then RunWait(@ComSpec & " /c secedit /configure /db Sec.sdb", @ScriptDir, @SW_HIDE)

; Write the registry-based policies into the local GPO (items 17 and 16)
_RegWriteToPol("Machine.reg", "Machine", 1)
_RegWriteToPol("User.reg")

; Refresh Group Policy so the new settings take effect
_GPUpdate()
