Group Policy vs. System Hardening: Why GPOs don’t provide sustainable security

We are often asked why we do not perform system hardening based on group policies or group policy objects. The quick answer: because they are inefficient to handle and the results are unsatisfactory! We explain why in this article.

GPOs: A short overview

Group Policy Objects were a great thing at the time of their introduction – about 25 years ago (Active Directory with Windows NT/2000). And they represented a big step forward. Administrators came closer to the goal of obtaining a uniform configuration on remote or distributed systems with little time effort.

Today, GPOs remain a popular and much-used tool for distributing and maintaining configurations. However, important functionalities are missing or not in focus. These include monitoring, auditing, overarching or role-oriented configurations, and uniform, infrastructure-wide reporting. And this will not change.

Microsoft explains in this article, for example, what advantages newer technologies such as PowerShell DSC have over GPOs.

Can system hardening be done via Group Policy?

Yes, in principle GPOs can technically be used to distribute system configurations, and thus hardening settings.

For example, you have the option of following the BSI’s SiSyPHuS specifications and downloading the group policy objects for hardening Windows 10. Then you push a hardening configuration on GPO basis to your systems.

But: in a constantly changing (cyber) threat world, you should ask yourself whether you really want to rely on GPOs for cyber security. Essential functionalities for meaningful Security Configuration Management (SCM) are missing!

Secure system configuration via GPO: the advantages and disadvantages

In the following table, we have summarized the advantages and disadvantages of GPO-based system hardening that we consider relevant:

Advantages:
- The Microsoft baselines can be downloaded free of charge
- Since the baselines are delivered as GPOs, they can be applied directly
- No special infrastructure is required for the application
- No additional licenses need to be purchased
- The technology is well known and in successful use millions of times over

Disadvantages:
- Deep know-how about configurations is needed
- Configurations for GDPR / DSGVO topics must be developed by yourself
- Settings must be adapted independently to newer versions of hardening frameworks
- A simple rollback of the settings is not possible; “inverted” GPOs are necessary
- There is no central control and reporting facility, only individual evaluations
- A hardening configuration cannot be further processed in third-party systems, because no interfaces exist
- For systems not integrated in AD, special paths are necessary to apply GPOs

In other words, system hardening via Active Directory and Group Policy is a monolithic solution. One that requires a lot of manual work – which heavily loaded IT departments have a hard time doing.

Add to that the fact that OS hardening must be done, monitored, and adjusted on an ongoing basis! Otherwise, gaps quickly develop that data octopuses, hackers and “cyber gangsters” can exploit. The consequences can be expensive and even threaten the existence of your company.

How can sustainable system hardening be realized?

If you only have a few systems to administer, for example a few workstations and servers, hardening via GPO may be in order. The effort required for implementation, monitoring and adjustments is significant, but doable with a well-staffed IT team.

However, true, in-depth and permanent system hardening with all aspects of high-level security configuration management cannot be accomplished with GPOs for large IT landscapes – at least not with reasonable effort.

There is only one sensible solution: automation!

Enforce Administrator - Report (Image: FB Pro GmbH)

Various solutions are available for automation, including the Enforce Administrator. With the Enforce Administrator, automated system hardening is performed on the basis of proven and current standards.

Also integrated: A systems management and audit system for monitoring compliance status. Regular self-healing based on the defined configurations is also included.

GPO versus Enforce Administrator: the comparison

| Feature | Group Policy Objects | Enforce Administrator |
|---|---|---|
| Opportunity to set an innovative, company-wide standard | Yes | Yes |
| Simple, role-based management of diverse hardening configurations | No | Yes |
| Automatic correction of non-conforming settings | Yes | Yes |
| Detection of non-conforming settings | No | Yes |
| Automation via REST API and integration with third-party systems | No | Yes |
| Simple web interface for configuration | No | Yes |
| Merging of several hardening recommendations (e.g. from CIS, BSI, Microsoft and DISA) into one configuration | No | Yes |
| Risk minimization by avoiding permanent (local) admin rights | No | Yes |
| Permanent monitoring and alarming function | No | Yes |
| Easy creation of reports, e.g. for compliance and DSGVO audits | No | Yes |
| Entry and time to result | High | Low |
| Restoring old configurations | High effort | Low effort |

Note: We will update this table regularly.
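To make the gap concrete, here is an added example script written for this discussion; it is not code from FB Pro GmbH or the Enforce Administrator. It compares a small registry baseline against the local machine, produces a per-host report (the detection and reporting step GPOs lack), optionally corrects drift, and writes a rollback file before changing anything, so that undoing the change does not require an “inverted” GPO. The three settings in the baseline are well-known Windows hardening values chosen for illustration, not the recommendations of a specific CIS, BSI or Microsoft baseline; the function names and file paths are assumptions.

```powershell
# Added example (not FB Pro / Enforce Administrator code): report-only compliance
# check of registry-based hardening settings, optional remediation, and a
# rollback file so that changes can be undone without an "inverted" GPO.

# Illustrative baseline (constructed for this example). The values are typical
# hardening settings, not a specific CIS/BSI/Microsoft baseline.
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Expected = 5; Type = 'DWord' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Expected = 1; Type = 'DWord' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Expected = 0; Type = 'DWord' }
)

# Detection: read every baseline value and emit one report object per setting.
# Makes no changes, so it can run under a scheduled task on every host.
function Test-HardeningBaseline {
    param([array]$Baseline)
    foreach ($Setting in $Baseline) {
        $Actual = $null
        if (Test-Path $Setting.Path) {
            $Item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
            if ($null -ne $Item) { $Actual = $Item.($Setting.Name) }
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Path      = $Setting.Path
            Name      = $Setting.Name
            Type      = $Setting.Type
            Expected  = $Setting.Expected
            Actual    = $Actual            # $null = value (or key) does not exist
            Compliant = ($null -ne $Actual -and $Actual -eq $Setting.Expected)
            Checked   = (Get-Date).ToString('o')
        }
    }
}

# Correction with rollback: save the current state first, then set only the
# non-compliant values. Requires administrative rights.
function Repair-HardeningBaseline {
    param([array]$Baseline, [string]$BackupPath)
    $Report = Test-HardeningBaseline -Baseline $Baseline
    $Report | Select-Object Path, Name, Type, Actual |
        ConvertTo-Json | Set-Content -Path $BackupPath
    foreach ($Entry in ($Report | Where-Object { -not $_.Compliant })) {
        if (-not (Test-Path $Entry.Path)) { New-Item -Path $Entry.Path -Force | Out-Null }
        Set-ItemProperty -Path $Entry.Path -Name $Entry.Name -Value $Entry.Expected -Type $Entry.Type
    }
    # Re-check so the caller gets the post-remediation state.
    Test-HardeningBaseline -Baseline $Baseline
}

# Rollback: put every value back to what the backup recorded. Values that did
# not exist before remediation are removed again (a key created by New-Item is
# left in place, empty).
function Restore-HardeningBaseline {
    param([string]$BackupPath)
    foreach ($Entry in (Get-Content -Path $BackupPath -Raw | ConvertFrom-Json)) {
        if ($null -eq $Entry.Actual) {
            Remove-ItemProperty -Path $Entry.Path -Name $Entry.Name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $Entry.Path -Name $Entry.Name -Value $Entry.Actual -Type $Entry.Type
        }
    }
}

# Report-only run: one CSV per host, ready to be collected centrally.
Test-HardeningBaseline -Baseline $Baseline |
    Export-Csv -Path "$env:TEMP\hardening-$env:COMPUTERNAME.csv" -NoTypeInformation

# Remediation and rollback are deliberate, separate steps (assumed paths):
# Repair-HardeningBaseline  -Baseline $Baseline -BackupPath "$env:TEMP\hardening-backup.json"
# Restore-HardeningBaseline -BackupPath "$env:TEMP\hardening-backup.json"
```

Run as written, the script only reports; Repair-HardeningBaseline needs administrative rights and is left commented out. Scheduling the report step on every host and collecting the CSV files centrally gives the detection and reporting view that the table above marks as missing for GPOs, and the backup file is the piece a plain GPO rollout does not keep. What the script does not give you is the role-based management, the web interface, the merged frameworks and the alerting listed in the table; that is the work an automated SCM solution takes over.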

Conclusion

Group Policies and Active Directory were and are a great thing. But when it comes to Security Configuration Management, GPOs quickly reach their limits. This is because SCM requires process integration, detection options and monitoring in addition to the actual implementation of a secure configuration.

To compensate for these limitations, an extremely large amount of time would have to be invested in manual activities. However, the current shortage of skilled workers does not allow this in hardly any company.

For sustainable system hardening, SCM needs to be automated – at all levels: setup, monitoring, and customization. This is the only way to keep IT infrastructures compliant with current recommendations and standards in the long term and effectively reduce the risk of successful cyber attacks.

If you need support in this regard, please feel free to contact us.


Image: Pexels
