0x6d69636b / windows_hardening

HardeningKitty and Windows Hardening Settings
MIT License

Question About the Use of SecEdit #165

Closed lonkey closed 7 months ago

lonkey commented 7 months ago

Hello,

I am currently working on another automation project that also uses SecEdit to import local security policies. To give me a little idea of how this works, I have used the following code section from HardeningKitty as a reference:

$Area = "";

Switch ($Finding.Category) {
    "Account Policies" { $Area = "SECURITYPOLICY"; Break }
    "Security Options" { $Area = "SECURITYPOLICY"; Break }
}

$TempFileName = [System.IO.Path]::GetTempFileName()
$TempDbFileName = [System.IO.Path]::GetTempFileName()

&$BinarySecedit /export /cfg $TempFileName /areas $Area | Out-Null

$Data = Get-IniContent $TempFileName

Set-HashtableValueDeep -Table $Data -Path $Finding.MethodArgument -Value $Finding.RecommendedValue

Out-IniFile -InputObject $Data -FilePath $TempFileName -Encoding Unicode

&$BinarySecedit /import /cfg $TempFileName /overwrite /areas $Area /db $TempDbFileName /quiet | Out-Null

[...]

&$BinarySecedit /configure /db $TempDbFileName /overwrite /areas SECURITYPOLICY /quiet | Out-Null

As I understand this section of code:

  1. The entire local security configuration is exported to a temporary INF file, limited to the area specified by $Area.
  2. Within the INF file, one configuration value, the one corresponding to the current loop position of the CSV file, is updated.
  3. The entire local security configuration is imported to a temporary security database using the temporary INF file, limited to the area specified by $Area.
  4. The temporary security database is merged into the system security database.

Now to my question:

Why is it necessary to execute both the /import command and the /configure command? Wouldn't the end result be identical if only the /configure command was executed, like this:

[...]

&$BinarySecedit /export /cfg $TempFileName /areas $Area | Out-Null

$Data = Get-IniContent $TempFileName

Set-HashtableValueDeep -Table $Data -Path $Finding.MethodArgument -Value $Finding.RecommendedValue

Out-IniFile -InputObject $Data -FilePath $TempFileName -Encoding Unicode

&$BinarySecedit /configure /cfg $TempFileName /overwrite /areas $Area /db $TempDbFileName /quiet | Out-Null

URL: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit-configure
Parameter: /db
Description: Required. Specifies the path and file name of the database containing the stored configuration. If the file name specifies a database that hasn't had a security template (as represented by the configuration file) associated with it, the /cfg option must also be specified.

Thanks for your help!
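The single-step variant proposed in this question, written out as an added example (it is neither HardeningKitty's code nor the issue author's): it edits the exported INF directly instead of relying on HardeningKitty's Get-IniContent/Out-IniFile helpers, checks secedit's exit code after each call, and cleans up both temporary files. The function name, parameters and the sample key are assumptions for illustration.

```powershell
function Set-LocalSecurityPolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Section,  # INF section, e.g. "System Access"
        [Parameter(Mandatory)] [string] $Key,      # key inside that section
        [Parameter(Mandatory)] [string] $Value,    # new value, e.g. "14"
        [string] $Area = 'SECURITYPOLICY'          # secedit area, as in HardeningKitty
    )
    $Secedit = Join-Path $env:SystemRoot 'System32\secedit.exe'
    $Cfg = [System.IO.Path]::GetTempFileName()
    $Db  = [System.IO.Path]::GetTempFileName()
    try {
        # 1. Export only the requested area to a temporary INF (UTF-16LE).
        & $Secedit /export /cfg $Cfg /areas $Area | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }

        # 2. Replace the one key inside its section, or add it if absent.
        $Lines = New-Object System.Collections.Generic.List[string]
        $Lines.AddRange([string[]](Get-Content -Path $Cfg -Encoding Unicode))
        $KeyPattern = '^\s*' + [regex]::Escape($Key) + '\s*='
        $Start = -1; $Hit = -1
        for ($i = 0; $i -lt $Lines.Count; $i++) {
            $Line = $Lines[$i].Trim()
            if ($Line -eq "[$Section]") { $Start = $i; continue }
            if ($Start -ge 0 -and $Line.StartsWith('[')) { break }   # reached next section
            if ($Start -ge 0 -and $Line -match $KeyPattern) { $Hit = $i; break }
        }
        if ($Hit -ge 0)       { $Lines[$Hit] = "$Key = $Value" }
        elseif ($Start -ge 0) { $Lines.Insert($Start + 1, "$Key = $Value") }
        else                  { $Lines.Add("[$Section]"); $Lines.Add("$Key = $Value") }
        # secedit expects a Unicode (UTF-16LE) template, matching what it exported.
        Set-Content -Path $Cfg -Value $Lines.ToArray() -Encoding Unicode

        # 3. One /configure call with /cfg: the template is associated with the
        #    fresh database and applied, so the separate /import step is not needed.
        & $Secedit /configure /db $Db /cfg $Cfg /overwrite /areas $Area /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }
    } finally {
        # The temp INF holds a full policy export; remove both files whatever happened.
        Remove-Item -Path $Cfg, $Db -Force -ErrorAction SilentlyContinue
    }
}

# Constructed usage, to be run from an elevated session:
# Set-LocalSecurityPolicyValue -Section 'System Access' -Key 'MinimumPasswordLength' -Value '14'
```

Re-running the /export afterwards and diffing the two INF files is a quick way to confirm that only the intended key changed.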

0x6d69636b commented 7 months ago

Hi Lukas

Thank you for your questions and your argument makes sense to me. I'll run some tests, but I think you're right, we can take this direct step.

Best, Mick

0x6d69636b commented 7 months ago

I've done some tests and it looks good. I'm going to simplify the code.

lonkey commented 7 months ago

I just want to say a big thank you for your outstanding work and for taking the time to review and incorporate my suggestion!

0x6d69636b commented 7 months ago

You're welcome! 😻 By the way, what is the name of your project?

lonkey commented 7 months ago

A Python module that is able to fully parse GPO exports to convert them into configurable Ansible roles. Unfortunately, it is closed-source as it is job-related.

0x6d69636b commented 7 months ago

Sounds exciting and useful, especially with the Ansible angle; too bad it's not public. Best of luck anyway.

lonkey commented 7 months ago

Thank you and I wish you the same. I will advise my employer to publish it publicly on GitHub in the future. After all, we ourselves would also benefit from a broader community-driven development.