utsecnet / PAW


Questions about baselines #7

Open StefanSa opened 4 years ago

StefanSa commented 4 years ago

Hi Rich, in the baseline Excel sheet you write, e.g., the following.

Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Scored)

Your remark:

Note: A Member Server that holds the Web Server (IIS) Role with Web Server Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right.

My question about this: Where and how do I best make these special exceptions for this PAW AD GPO structure? Can you please show an example in such a case?

Thanks again for your help. Regards, Stefan

utsecnet commented 4 years ago

Of course! Group Policies are applied to OUs in AD. Each GPO you apply to the same container immediately overwrites any conflicting previously-applied policy via inheritance. You can change the inheritance order in GPMC by clicking the container in question and selecting the "Group Policy Inheritance" tab at the top right. So, say you have a GPO that sets ALL of your audit policy settings that you apply to your Computers OU, with a security filtering of Tier1-servers. You may also have another GPO that sets ONLY the conflicting audit policy settings (generate security audits) applied to the same Computers OU, but security filtered on your IIS-servers group. Then in the GP inheritance tab, you would have your IIS-Servers policy have higher precedence than your Tier1-Servers GPO by moving it above the Tier1-Servers OU.

Hope that helps.
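The GPMC steps described in the reply above, scripted with the GroupPolicy module. This is an added example, not code from the PAW project: the OU distinguished name, the group names `Tier1-Servers` and `IIS-Servers`, and the GPO names `Audit-Tier1` and `Audit-IIS-Exception` are assumptions for illustration.

```powershell
# Added example (not from the PAW project). Creates the broad audit GPO and the
# narrow IIS exception GPO, links both to the same Computers OU, security-filters
# each to its computer group, and gives the exception GPO the higher precedence.
Import-Module GroupPolicy

$ou         = 'OU=Computers,DC=corp,DC=example'   # assumed OU distinguished name
$baseGpo    = 'Audit-Tier1'                       # assumed: sets ALL audit settings
$excGpo     = 'Audit-IIS-Exception'               # assumed: sets ONLY "Generate security audits"
$baseFilter = 'Tier1-Servers'                     # assumed computer group
$excFilter  = 'IIS-Servers'                       # assumed computer group

foreach ($pair in @(@($baseGpo, $baseFilter), @($excGpo, $excFilter))) {
    $name, $group = $pair

    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name | Out-Null
    }

    # Link to the Computers OU if it is not already linked there.
    $linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object DisplayName -eq $name
    if (-not $linked) {
        New-GPLink -Name $name -Target $ou -LinkEnabled Yes | Out-Null
    }

    # Security filtering: only members of $group apply this GPO.
    # Authenticated Users is reduced to Read (not Apply); keeping Read avoids the
    # MS16-072 problem where the computer account can no longer read the GPO.
    Set-GPPermission -Name $name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $name -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Link order 1 is the highest precedence on the container, so the exception GPO
# wins wherever its settings conflict with the broad Tier1 audit GPO.
Set-GPLink -Name $excGpo  -Target $ou -Order 1 | Out-Null
Set-GPLink -Name $baseGpo -Target $ou -Order 2 | Out-Null

# Show the resulting precedence for the OU (the equivalent of the GPMC inheritance tab).
(Get-GPInheritance -Target $ou).GpoLinks | Select-Object Order, DisplayName, Enabled
```

The exception GPO should contain nothing except the one conflicting right; every other audit setting still comes from the Tier1 GPO, so a server that is in both groups differs from the baseline only in that single setting, which keeps the exception easy to review.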

StefanSa commented 4 years ago

Rich, thanks for the exact explanation and your time, but now I have the following problem.

Example: User Rights Assignment -> Generate security audits. For an IIS, all "IIS APPPools" must be added. However, I cannot add local groups directly to a GPO if I edit them on the DC. What am I doing wrong, or how do I add these "IIS APPPools", or how do I best make an exception for an IIS / MSSQL?

utsecnet commented 4 years ago

Yes, you can. You do not select. You simply type them out. Ideally you are not configuring directly on the DC. You should be using RSAT in a prod environment. Please note, I am glad to assist with content in these guides, but when it comes to how to use the tools to configure these settings, there are already thousands of articles that can tell you how to use them.

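A typed-in identity such as `IIS APPPOOL\DefaultAppPool` cannot be resolved on the DC, so the only place to confirm the exception worked is the IIS host itself. The following added example (not from the PAW project) exports the effective local policy on an IIS member server and checks that the "Generate security audits" right (`SeAuditPrivilege`) is held by exactly LOCAL SERVICE, NETWORK SERVICE and the server's application pool accounts. It assumes the Web Server (IIS) role is installed (for the `WebAdministration` module) and that it is run elevated after the GPO has applied.

```powershell
# Added example (not from the PAW project). Verifies the effective
# "Generate security audits" user right on an IIS member server.
# Run elevated; run 'gpupdate /target:computer' first if the GPO was just changed.
Import-Module WebAdministration   # assumed present: ships with the Web Server (IIS) role

function Get-PrivilegeHolders {
    param([string]$Privilege = 'SeAuditPrivilege')

    # secedit writes the effective user rights as "SeAuditPrivilege = *SID,*SID,Name"
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Privilege\s*=" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    # Tokens prefixed with '*' are SIDs; translate them to DOMAIN\name on this host.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $token = $_.Trim()
        if ($token.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($token.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $token   # unresolvable SID: report the raw value rather than drop it
            }
        } else {
            $token       # already a name
        }
    }
}

# Expected holders per the baseline plus the IIS exception: the two service
# accounts and one virtual account per application pool on this server.
$expected = @('NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE') +
            (Get-ChildItem IIS:\AppPools | ForEach-Object { "IIS APPPOOL\$($_.Name)" })
$actual = @(Get-PrivilegeHolders -Privilege 'SeAuditPrivilege')

foreach ($id in $expected) {
    $state = if ($actual -contains $id) { 'OK     ' } else { 'MISSING' }
    "$state $id"
}
# Any holder outside the expected set is a deviation from the baseline worth investigating.
$actual | Where-Object { $expected -notcontains $_ } | ForEach-Object { "EXTRA   $_" }
```

A `MISSING` line for an app pool usually means the GPO did not apply to this host (check security filtering and link order with `gpresult /r /scope:computer`) or the pool was created after the right was last written; an `EXTRA` line is the finding a baseline audit should raise.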