• List of iSCSI Mutual CHAP Posts by OS
  • Tools and Utilities for Windows
  • Unix and Linux Distros

slice2

slice2

Monthly Archives: July 2015

Apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server

18 Saturday Jul 2015

Posted by Slice2 in Security, Windows

≈ Leave a comment

Tags

Security, Windows

This post demonstrates how to apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server that is not in the domain. For this example, I’ll use the Internet Explorer 11 (IE11) lock downs I applied using a domain GPO.

This process also worked when I applied the 2012 R2 IE policy to a standalone Windows 7 Enterprise workstation.

1) Launch Group Policy Management on the Domain Controller. Browse to the policy you want to apply to the standalone servers (in my case IE11), right-click it and select Backup. Save it to a location of your choice and give it a description, such as IE11 GPO.

2) Download and install Microsoft SCM 3.0 (not on your domain controller). I just built a VM since SCM is only needed temporarily. I was only able to get it fully installed without errors on Windows 2008 R2. It supposedly supports Vista through 2012. I opted to install the bundled SQL Express since all I want is the LocalGPO executable. No need to point to a SQL server. You can uninstall the whole thing when done. The only reason to install the full package is so you can get a copy of the LocalGPO folder. Download it from:

Security Compliance Manager (SCM) Info:
https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Download page:
https://www.microsoft.com/en-us/download/details.aspx?id=16776

a) When done downloading, double-click the Security_Compliance_Manager_Setup.exe > click Run > deselect Always check for SCM baseline updates (you don’t care about them right now) and click Next > accept the license and click Next > Next > Next > accept the SQL Express license and click Next > Install > Finish. The app will auto-load the baselines. Just let it finish.

b) When done installing, browse to C:\Program Files (x86)\Microsoft Security Compliance Manager. Copy the LocalGPO folder to a location of your choice. You will need to install the executable in this folder on each standalone server that will receive the Domain GPO.

5) Login as a local admin on the server to receive the GPO. Install LocalGPO on your standalone server. When done, browse to the C:\Program Files (x86)\LocalGPO folder, right-click LocalGPO.wsf, select Properties, select the Security tab and give your admin user full control of the file.

6) Create a folder on this server called c:\gpos. Copy your IE11 GPO backup folder into the c:\gpos folder.

7) Edit the LocalGPO.wsf file to recognize 2012 R2 (Windows 2012 R2 is version 6.3). Open C:\Program Files (x86)\LocalGPO\LocalGPO.wsf in notepad (right-click > Edit). Search for 6.2. On the first instance of 6.2, change it to 6.3.

From this: If(Left(strOpVer,3) = “6.2”) and (strProductType <> “1”) then

To this: If(Left(strOpVer,3) = “6.3“) and (strProductType <> “1”) then

8) The Windows Firewall must be running temporarily before you run this tool. Even though you may have disabled the firewall and use a third-party product like McAfee Firewall, etc., turn on the native Windows firewall in the services.msc applet now.

9) Click start (lower left corner), and then Search icon in the upper right. Enter LocalGPO. Right-click LocalGPO Command line and select Run as Administrator. Before you run the next command, close all Windows except the cmd prompt.

Enter this command:

> cscript localgpo.wsf /path:”C:\gpos\{A81C84F4-F8F5-4E8A-B077-9EA1471B3886}”

– note: your IE11 GPO backup folder name inside c:\gpos will be different. Just add your folder name in the command above.

You should see Applied valid Machine POL and Applied valid User POL. No valid audit or INF is OK.

10) Clean up after yourself. Uninstall LocalGPO if you don’t plan to use it again. Delete the gpo backup in c:\gpos.

You can run > gpupdate /force or reboot the server to apply the policy completely.

11 Verify that it applied the policy. Launch IE11 and verify your settings are locked down. Note that on a fresh system, you  may have to launch IE and then immediately close it. Launch it again and the lock downs will be set. Sometimes it takes two startups for the settings to apply. Not sure why. If you had the Windows firewall turned off, open services.msc and disable it.

Follow Blog via Email

Enter your email address to follow this blog and receive notifications of new posts by email.

Recent Posts

  • Patch Alma Linux 8.7 on an Offline or Air-Gapped System
  • HOWTO Remove /home logical volume and add that space to the root partition
  • Patch Rocky Linux 8.6 on an Offline or Air-Gapped System
  • HOWTO Install the Splunk Universal Forwarder on FreeBSD
  • HOWTO install a Splunk Universal Forwarder on Solaris 11 SPARC and x64 Using pkg(p5p) and tar
  • HOWTO install a Splunk Universal Forwarder on Solaris 10 SPARC and x64 Using pkgadd and tar
  • Recover Files from a Windows NTFS partition using Linux based SystemRescue
  • Sysmon Event ID 1 Process Creation rules for Splunk Universal Forwarder and McAfee All Access
  • Upgrading CentOS 7.2003 to 7.2009 on an Offline or Air-Gapped System
  • HOWTO Easily Resize the Default LVM Volume on Ubuntu 18.04
  • Create a Docker Container for your Cisco ESA, SMA or WSA Offline Content Updates
  • Apply the Mozilla Firefox STIG to Firefox on Ubuntu Linux 18.04
  • Dynamically Resize Those Tiny BlackArch Linux Terminals and Add a Scrollbar
  • Kali Linux OVA for Air-Gapped Use Build Process
  • HOWTO install the XFCE 4 Desktop on NetBSD 8.1
  • Build a Kali Linux ISO with the latest OS patches and packages
  • HOWTO quickly STIG Firefox 59.01
  • HOWTO mount a Synology NAS SMB share on Linux with SMBv1 disabled
  • Howto safely delete the WSUS WID on Windows 2012R2
  • HOWTO quickly STIG Firefox 45.0.1
  • Completing the vSphere vCenter Appliance Hardening Process
  • HOWTO install the XFCE 4.12 Desktop on NetBSD 7
  • Enabling TLS 1.2 on the Splunk 6.2x Console and Forwarders using Openssl and self signed certs.
  • HOWTO enable SSH on a Cisco ASA running 9.1.x
  • Apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server
  • Enable legacy SSL and Java SSL support in your browser for those old, crusty websites
  • HOWTO update FreeBSD 10.1 to the latest 11-current release
  • HOWTO Secure iSCSI Luns Between FreeBSD 10.1 and NetApp Storage with Mutual CHAP
  • HOWTO install the XFCE 4 Desktop on NetBSD 6.1.5
  • HOWTO Secure iSCSI Luns Between Ubuntu Server 14.10 and NetApp Storage with Mutual CHAP

Categories

  • Cisco (2)
  • ESXi (4)
  • FreeBSD (2)
  • HP (5)
  • iSCSI (12)
  • Linux (31)
  • Nessus (3)
  • NetApp (31)
  • NetBSD (10)
  • Oracle (9)
  • Security (48)
  • Solaris (9)
  • Splunk (5)
  • VMware (19)
  • Windows (20)
  • Wireshark (4)
  • XFCE (3)

Archives

  • February 2023
  • August 2022
  • July 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • November 2021
  • January 2021
  • December 2020
  • November 2020
  • August 2020
  • May 2020
  • September 2019
  • August 2019
  • March 2018
  • November 2016
  • March 2016
  • January 2016
  • November 2015
  • July 2015
  • June 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013

Blogroll

  • Adobe Security Bulletins
  • CentOS Blog
  • Cisco Security Blog
  • CSO Magazine
  • DHS National Vulnerability Database
  • Eric Sloof's NTPRO
  • HT SSL Tests
  • Intel Corp Security Advisories
  • Internet Usage World Stats
  • Kali Linux Blog
  • Linux Mint Blog
  • Meltdown and Spectre
  • Microsoft Security Blog
  • Microsoft Security Intelligence Report
  • Microsoft Security Research & Defense
  • Microsoft Security Response Center
  • MITRE CVE Site
  • NetApp Blogs
  • NetBSD Blog
  • Oracle OTN Security
  • Oracle Security Blog
  • PacketStorm
  • Redhat Security Blog
  • SC Magazine
  • Shodan Search Engine
  • US-CERT Alerts
  • US-CERT Bulletins
  • US-CERT Vulnerability Notes KB
  • VMware Blogs
  • VMware Security Advisories

Category Cloud

Cisco ESXi FreeBSD HP iSCSI Linux Nessus NetApp NetBSD Oracle Security Solaris Splunk VMware Windows Wireshark XFCE

Follow Blog via Email

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 38 other subscribers

Powered by WordPress.com.

 

Loading Comments...