Active Directory Security Hardening with GPO and Policy Analyzer

In this guide, I will discuss how to Harden Active Directory Using CIS Benchmark and MSCT 1.0. IT infrastructure security has become an essential priority for any organization. In this context, the Active Directory (AD) domain represents the core of identity management, permissions, and network resources. Please, see “An account with the same name exists in Active Directory: Re-using the account was blocked by a security policy, and How to deploy and integrate VHR with VBR“.

A compromised AD domain can lead to serious risks, including unauthorized access to sensitive data, malware propagation, or loss of control over critical company resources.

This guide aims to provide a practical and structured approach to Active Directory hardening, following internationally recognized standards. Specifically, it covers the following tools and frameworks:

GPO MSCT 1.0: Policy templates for secure configuration of Windows Server and client systems.
CIS Benchmark: Security best practices defined by the Center for Internet Security, aimed at reducing attack surfaces and ensuring compliance with industry standards.
Policy Analyzer: A tool for analyzing Group Policy settings to identify and correct potentially vulnerable or non-compliant configurations.

Also, see Configure new GPO settings and Security baseline for Windows, how to Harden your Veeam Backup Server with Microsoft AppLocker, and how to Resolve New WDAC Policy Issues in Azure Stack Local.

AD Hardening

By combining these tools, the guide provides concrete instructions on how to configure and monitor domain security policies, significantly reducing the risk of compromise.

The goal is to enable IT teams to implement effective preventive measures, enhance infrastructure resilience, and maintain a secure and controlled environment for all organizational identities and resources.

In an era where cyber threats are increasingly sophisticated and pervasive, securing the Active Directory domain is no longer optional. It is a strategic requirement for operational continuity and the protection of corporate data.

As an overview I propose this link where we discuss AD Windows security in general. Please, take a look at this link for more information.

Please see SCVMM setup Error 10421: Fix VMM Service Account conflict, SCVMM setup Fails: Fix Missing Windows ADK Deployment Files, and Integrate Hyper-V [SCVMM] with Veeam Recovery Orchestrator

Version 28 Sep 2021 #13 in the Blue Cyber Education Series

We will now proceed to analyze and implement hardening best practices for an Active Directory system via the “Microsoft Security Compliance Toolkit 1.0”.

ATTENTION: In order to implement the following Security GPOs, it is necessary to create a lab.
Many security GPOs could compromise various features of the Domain\users\computers object and applications. It is strongly recommended to carefully analyse and test each GPO before bringing it into production.

Link to the documentation & Download. Also, see this link.

Download and unpack the downloaded package.

Using the Policy Analyser you can compare the SCT GPO best practices with your own GPOs that you have implemented.
Extract PolicyAnalyzer.zip
For example, let’s extract Windows Server 2012 R2 Security Baseline.zip

Run PolicyAnalyzer.exe

Select “Add files from GPOs”

Go to the path where you extracted the Windows 2012 R2 security baseline and import it.

Set the paths

Click on View/Compare to display the imported baseline.

Compare Effective State

To compare with the configurations on your Domain Controller click on the Compare to Effective State button, which compares the selected baseline with the current system state.

In the Policy Viewer you will be able to see the results and compare the two columns with the settings on the left and the settings suggested by Microsoft (which you imported) on the right.

Identical values are displayed in white, conflicting settings are highlighted in yellow and absent settings in grey. The pane below shows the policy setting, location and other information associated with the selected row.

It is possible to export this to excel by installing the software.

Please, see How to install WSL on Windows, Testing Disk Subsystem Integrity for SQL Server with SQLIOSim, and MSSQL DMA Compatibility Mode: Prepare and Migrate Safely.

How to import GPO MSCT Hardening

After comparing the results, you can deploy the baselines proposed by Microsoft. Extract the baseline version that matches the version of your operating system and import the administrative templates that you find in the Templates folder in the Central Store (PolicyDefinitions folder of SYSVOL)

Create an empty GPO and import from the MSCT gpo template from backup. Example policy name:

Hardening Member Windows Server 2012 , 2019 ,2022
Hardening Domain Controller Windows Server 2012 , 2019 ,2022

Click on Next to proceed

Click on backup

Specify location

Click Next to proceed

Policy settings imported

Import all GPOs pertaining to the O.S. and object type.
– Doman Controllers
– Members Servers
– Users
– Computers

Change Windows Firewall GPO settings to allow Domain Controllers remote administration of member servers

Add Windows Firewall: Allow remote administration exception

You can apply GPOs via a WMI Filter per O.S. Test the WMI filter carefully to avoid applying policies on the wrong systems.

You are ready to take the propaedeutic tests

There are many interesting utilities in the package to help automate and merge your GPOs

It is possible to view all policy settings under ‘GP reports’ of each O.S. template

I hope you found this guide on how to harden Active Directory Using CIS Benchmark and MSCT 1.0 very useful. Please, feel free to leave a comment below.