0x6d69636b / windows_hardening

HardeningKitty and Windows Hardening Settings
MIT License

Add GPO option #147

Closed gderybel closed 1 year ago

gderybel commented 1 year ago

This option allows the user to create a GPO based on registry policies, in a domain. The user should be a domain admin.

An-dir commented 1 year ago

I was waiting for something like that. Any plans to do more methods? As far as I could see in a few minutes, there are the following:

gderybel commented 1 year ago

Fixing an issue where an integer value is too high for the int32 type (> 2 147 483 647).

The issue was found in TLS policies 1045, 1048 & 1049. There might be a few more.
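The int32 problem above comes up because registry DWORDs are unsigned 32-bit values, so hardening settings such as an Schannel `Enabled = 0xFFFFFFFF` (4294967295) do not fit into a .NET Int32. The following is an added example (not HardeningKitty's own code and not the fix from this PR) showing one way to handle it: reinterpret the unsigned bits as the signed Int32 with the same bit pattern before handing the value to `Set-GPRegistryValue`. It assumes the GroupPolicy module (RSAT) in a Domain Admin session; the GPO name and the registry key are placeholders.

```powershell
# Added example, not part of the HardeningKitty project.
# Assumes: GroupPolicy module (RSAT), a domain-joined Domain Admin session.
# GPO name and registry key below are constructed placeholders.

function ConvertTo-RegistryDWord {
    # Map an unsigned DWORD (0..4294967295) onto the Int32 that carries the
    # same 32 bits, e.g. 4294967295 (0xFFFFFFFF) becomes -1. Values that do
    # not fit into 32 bits are rejected instead of being silently truncated.
    param([Parameter(Mandatory)][uint64]$Value)
    if ($Value -gt [uint32]::MaxValue) {
        throw "Value $Value does not fit into a 32-bit DWORD."
    }
    return [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$Value), 0)
}

function Set-GpoDWordValue {
    # Write a registry-based policy value into a GPO, converting the DWORD first
    # so that values above [int32]::MaxValue (2147483647) no longer fail.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Key,        # e.g. 'HKLM\SYSTEM\...'
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][uint64]$Value
    )
    $dword = ConvertTo-RegistryDWord -Value $Value
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type DWord -Value $dword
}

# Usage (placeholder GPO; the Schannel key is only an illustration of a
# setting whose documented value, 0xFFFFFFFF, exceeds Int32):
Set-GpoDWordValue -GpoName 'HK-Example-GPO' `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' `
    -ValueName 'Enabled' -Value 4294967295
```

The conversion is lossless: the registry stores the same 32 bits either way, and tools reading the value back as a DWORD will show 0xFFFFFFFF again. Rejecting anything above `[uint32]::MaxValue` avoids writing a truncated value that would silently weaken the setting.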

gderybel commented 1 year ago

Trying to implement other methods in GPO mode.

0x6d69636b commented 1 year ago

Hi @gderybel Thank you very much for this work. I did not find the time to look into it but it sounds promising. :-) Regarding other modules, not all of them can be used for GPOs and some of them are only used to check implementations. The most important ones would be accountpolicy, secedit, accesschk and auditpol.

gderybel commented 1 year ago

> Hi @gderybel Thank you very much for this work. I did not find the time to look into it but it sounds promising. :-) Regarding other modules, not all of them can be used for GPOs and some of them are only used to check implementations. The most important ones would be accountpolicy, secedit, accesschk and auditpol.

Thanks for your feedback. I was focused on the implementation with account policies and I got solutions, but I don't know which one I should choose (actually, you can't create a GPO that deploys a password policy):

  1. I deploy the password policy to the whole domain using "Set-ADDefaultDomainPasswordPolicy"
  2. I apply a password policy to a User Group using "Set-ADFineGrainedPasswordPolicy"
  3. I create a GPO that executes HardeningKitty with the finding list

All of these solutions have at least one problem:

  1. The whole domain will be concerned, while a GPO will only apply to a specific OU (too large scope and not fitting with GPO method)
  2. Only a user group is concerned, while a GPO will only apply to a specific OU (too small scope and not fitting with GPO method)
  3. This policy will probably not apply to domain users, it will be overridden by DomainPasswordPolicy, but will maybe apply to local accounts on the computers receiving GPOs (not very effective but fitting with GPO method)

I've searched for a way to apply a password policy to an OU but I can't find anything that works as expected.

What solution would you prefer?

I would personally choose the first one that applies to the whole domain because it's the one that's more effective.

UPDATE: The third option is tricky to set up. I was planning to use the HKLM:\Software\Microsoft\Windows\CurrentVersion\Run key, which runs a command each time a user connects, but the command won't run as admin since the user is not an admin.
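To make the scoping trade-off of options 1 and 2 concrete, here is an added example (not HardeningKitty's code and not what this PR implements) of the two AD-native ways to deploy a password policy: changing the default domain policy, which affects every domain account, and creating a Fine-Grained Password Policy (PSO), which applies only to the users or groups listed as its subjects and cannot be scoped to an OU. It assumes the ActiveDirectory module (RSAT) and Domain Admin rights; the group, PSO and user names are placeholders.

```powershell
# Added example, not part of the HardeningKitty project.
# Assumes: ActiveDirectory module (RSAT), Domain Admin rights.
# Group, PSO and user names are constructed placeholders.

function Get-PasswordPolicyState {
    # Report which policy actually wins for a given user: a PSO if one applies
    # to them (directly or via group), otherwise the Default Domain Policy.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $default   = Get-ADDefaultDomainPasswordPolicy
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    [pscustomobject]@{
        User               = $SamAccountName
        DefaultMinLength   = $default.MinPasswordLength
        ResultantSource    = if ($resultant) { $resultant.Name } else { 'Default Domain Policy' }
        ResultantMinLength = if ($resultant) { $resultant.MinPasswordLength } else { $default.MinPasswordLength }
    }
}

function Set-DomainWidePasswordPolicy {
    # Option 1 from the discussion: the widest scope, every account in the domain.
    param([int]$MinPasswordLength = 14, [int]$LockoutThreshold = 10)
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
        -MinPasswordLength $MinPasswordLength `
        -ComplexityEnabled $true `
        -LockoutThreshold $LockoutThreshold
}

function New-GroupScopedPasswordPolicy {
    # Option 2 from the discussion: a PSO bound to a group. When several PSOs
    # apply to one user, the lowest Precedence value wins.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$GroupName,
        [int]$MinPasswordLength = 14,
        [int]$Precedence = 10
    )
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -MinPasswordLength $MinPasswordLength -ComplexityEnabled $true `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $GroupName
}

# Usage (placeholders):
# Set-DomainWidePasswordPolicy -MinPasswordLength 14
# New-GroupScopedPasswordPolicy -Name 'PSO-Tier0' -GroupName 'Tier0-Admins' -MinPasswordLength 20 -Precedence 1
# Get-PasswordPolicyState -SamAccountName 'jdoe'
```

`Get-PasswordPolicyState` is the check a practitioner wants before and after either change: it shows whether a user is still governed by the default domain policy or by a PSO, which is exactly the scoping question raised above.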

0x6d69636b commented 1 year ago

Finally I found time to look into it and I like it very much :) I'll merge this PR and open an issue to develop this function further and continue the discussion