Winning GPO information can help identify conflicts for key settings

[olamotte-roche]

Hello @0x6d69636b,

Thanks for the quick chat recently! As mentioned we've made use of RSOP* CIM classes to audit key settings. I have looked at the list of URA we want to audit at scale and had come up with the following code sample for it. In this case, the effectiveness of AD Tiering GPOs, and control of other sensitive privileges in an environment.

#User Right Assignment of interest
$URA=@('SeDenyServiceLogonRight',
    'SeDenyBatchLogonRight',
    'SeDenyNetworkLogonRight',
    'SeDenyInteractiveLogonRight',
    'SeDenyRemoteInteractiveLogonRight',
    'SeDebugPrivilege',
    'SeEnableDelegationPrivilege',
    'SeImpersonatePrivilege',
    'SeBatchLogonRight',
    'SeServiceLogonRight',
    'SeInteractiveLogonRight',
    'SeNetworkLogonRight',
    'SeRemoteInteractiveLogonRight')

# Inspect RSOP classes
# Having a precedence of 1 indicates the winning GPO
$URA_RSOP = Get-WmiObject RSOP_UserPrivilegeRight -namespace "root\RSOP\Computer" | where UserRight -in $URA | where precedence -eq 1 | select UserRight,AccountList,GPOID

The GPOID is the Distinguished Name of the object in AD, in the policies container. I'll have a look at the overall structure of HK, perhaps the name or GUIDs of GPOs expected to manage these settings can be stored in a config as well? Do you see this check fit in the current execution flow of HK?

A full list of RSOP classes can be found here, somehow this content is "outdated", but there's a ton more settings to review if needed. https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/rsop-wmi-classes

Cheers

[0x6d69636b]

Hi Oliver,

Thank you for the issue. I'll look into it for HardeningKitty. Could you please open the issue on https://github.com/0x6d69636b/windows_hardening as well - because the scipag repo is stable and I use the other repo for development. :-)

Best, Mick

[olamotte-roche]

Moved to other repo