Group Policy vs. System Hardening: Why GPOs don’t provide sustainable security

We are often asked why we do not perform system hardening based on group policies or group policy objects. The quick answer: Because the handling is inefficient and the results are unsatisfactory! We explain why in this article.

GPOs: A short overview

Group Policy Objects were a great thing at the time of their introduction – about 25 years ago (ActiveDirectory with Windows NT/2000). And they represented a big step forward. Administrators came closer to the goal of obtaining a uniform configuration on remote or distributed systems with little time effort.

Today, GPOs remain a popular and much-used tool for distributing and maintaining configurations. However, important functionalities are missing or not in focus. These include monitoring, auditing, overarching or role-oriented configurations, and uniform, infrastructure-wide reporting. And this will not change.

Microsoft explains in this article, for example, what advantages newer technologies such as PowerShell DSC have over GPOs.

Can system hardening be done via Group Policy?

Yes, basically GPOs can technically be used to distribute system configurations and thus hardening settings.

For example, you have the option of following the BSI’s SiSyPHuS specifications and downloading the group policy objects for hardening Windows 10. Then you push a hardening configuration on GPO basis to your systems.

But: In a constantly changing (cyber) threat world, you should ask yourself whether you really want to set GPOs for the topic of cyber security. Because eminently important functionalities are missing for a meaningful Security Configuration Management (SCM)!

Secure system configuration via GPO: the advantages and disadvantages

In the following table, we have summarized the advantages and disadvantages of GPO-based system hardening that we consider relevant:

Advantages Disadvantages
 The Microsoft baselines can be downloaded free of charge Deep know-how about configurations is needed
 Since the baselines are delivered as GPO, they can be applied directly  Since the baselines are delivered as GPO, they can be applied directly
 No special infrastructure is required for the application  Configurations for GDPR / DSGVO topics are to be developed by yourself
 No additional licenses need to be purchased Settings are to be adapted independently to newer versions of hardening frameworks
 The technology is well known and successfully million times in use A simple rollback of the settings is not possible, “inverted” GPOs are necessary
There is no central control and reporting facility, only individual evaluations
A hardening configuration cannot be further processed in third-party systems, because no interfaces exist
For systems not integrated in AD, special paths are necessary to apply GPOs

In other words, system hardening via Active Directory and Group Policy is a monolithic solution. One that requires a lot of manual work – which heavily loaded IT departments have a hard time doing.

Add to that the fact that OS Hardening must be done, monitored, and adjusted on an ongoing basis! Otherwise, gaps quickly develop that data octopusses, hackers and “cyber gangsters” can exploit. The consequences can be expensive and even threaten the existence of your company.

How can sustainable system hardening be realized?

If you only have a few systems to administer, for example a few workstations and servers, hardening via GPO may be in order. The effort required for implementation, monitoring and adjustments is significant, but doable with a well-staffed IT team.

However, true, in-depth and permanent system hardening with all aspects of high-level security configuration management cannot be accomplished with GPOs for large IT landscapes – at least not with reasonable effort.

There is only one sensible solution: automation!

Enforce Administrator - Report (Bild: FB Pro GmbH)

Various solutions are available for automation, including the Enforce Administrator. With the Enforce Administrator, automated system hardening is performed on the basis of proven and current standards.

Also integrated: A systems management and audit system for monitoring compliance status. Regular self-healing based on the defined configurations is also included.

GPO versus Enforce Administrator: the comparison

Features Group Policy Objects Enforce Administrator
Opportunity to set an innovative, company-wide standard Yes Yes
Simple, role-based management of diverse hardening configurations No Yes
Automatic correction of non-conforming settings Yes Yes
Detection of non-conforming settings No Yes
Automation via REST API and integration with third-party systems No Yes
Simple web interface for configuration No Yes
Merging of several hardening recommendations (e.g. from CIS,  BSI, Microsoft and DISA) into one configuration No Yes
Risk minimization by avoiding permanent (local) admin rights No Yes
Permanent monitoring and alarming function No Yes
Easy creation of reports, e.g. for compliance and DSGVO audits No Yes
Entry and Time to Result High Low
Restore old configurations High effort Low effort

Note: We will update this table regularly.


Group Policies and Active Directory were and are a great thing. But when it comes to Security Configuration Management, GPOs quickly reaches their limits. This is because SCM requires process integration, detection options and monitoring in addition to the actual implementation of a secure configuration.

To compensate the limitations, an extremely large amount of time would have to be invested in manual activities. However, the current shortage of skilled workers does not allow this in almost any company.

For sustainable system hardening, SCM needs to be automated – at all levels: setup, monitoring, and customization. This is the only way to keep IT infrastructures compliant with current recommendations and standards in the long term and effectively reduce the risk of successful cyber attacks.

If you need support in this regard, please feel free to contact us.

Contact us!

Image: Pexels

Leave a Reply