GPOs put to the test: Why group policies are not enough for professional system hardening

We are often asked why we do not carry out system hardening using Group Policies or Group Policy Objects. The simple answer is that it is extremely inefficient and leads to unsatisfactory results. In this article, we explain why this is the case.


A guest article from our partner: FB Pro GmbH

Group policies: Effective and essential

Group Policy Objects (GPO), known in German as Gruppenrichtlinien, marked a significant advance when they were introduced around 25 years ago. They enable administrators to roll out a consistent configuration to remote or distributed systems in a minimum of time.

Creating effective group policies was relatively straightforward when they were first introduced. To this day, GPOs remain a common and widely used tool for distributing and maintaining configurations. Nevertheless, it is becoming increasingly clear that Group Policy Objects lack important functions or do not focus on them.

Microsoft itself, for example, emphasizes in an article the advantages that newer technologies such as PowerShell DSC offer over GPOs.

Can system hardening be carried out using GPOs?

Yes, in principle, GPOs can technically be used to distribute system configurations and corresponding hardening settings.

For example, you can follow the BSI’s SiSyPHuS guidelines by downloading the recommended group policy objects for hardening Windows 10. Hardening configurations can then be transferred to the target systems on the basis of GPOs. The Center for Internet Security (CIS) also offers group policy-based configuration sets.

However, there are weighty arguments against implementation via GPO:

    • The use of group policies is associated with a high level of manual configuration and documentation effort, both initially and on an ongoing basis.
    • Systems that are not integrated into the domain must be handled separately, as GPOs managed centrally in the Active Directory are not applicable here. This includes DMZ or OT environments, for example.
    • Linux-based systems also require separate consideration.
    • The hardening requirements of organizations such as the BSI and CIS often exceed the technical possibilities that can be implemented with standard GPOs.
    • For an adequate implementation, additional technical configuration methods such as PowerShell must be used, or custom ADMX templates must be developed, which significantly increases the complexity and documentation effort.
    • GPO settings do not always reach the target systems. With hundreds of servers or clients, it is necessary to check whether the settings have been applied correctly.
    • OU structures often contain historically outdated computer objects, which makes an initial clean-up necessary – especially as there are no recovery options.
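
The verification problem from the list above (GPO settings that never arrive, or that drift after delivery) is what a configuration audit has to catch. The following PowerShell script is an added example, not code from the original article or from FB Pro: it compares live registry values on a set of hosts against an expected hardening baseline and reports every deviation. The three baseline entries and the host names SRV01/SRV02 are illustrative placeholders to be replaced with your own hardening catalogue and inventory.

```powershell
# Added example (not from the original article): audit whether GPO-delivered
# hardening settings actually arrived on a set of hosts by comparing live
# registry values against an expected baseline.
# The entries below are illustrative; replace them with your own catalogue.
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';  Name = 'SMB1';                 Expected = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'EnableLUA';            Expected = 1 }
)

# Runs on each target host and returns one result object per baseline entry.
$AuditBlock = {
    param($Baseline)
    foreach ($item in $Baseline) {
        $actual = $null
        try {
            $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction Stop).($item.Name)
        } catch { }   # key or value absent: $actual stays $null and is reported as Missing
        $status = if ($null -eq $actual)              { 'Missing' }
                  elseif ($actual -eq $item.Expected) { 'Compliant' }
                  else                                { 'Drift' }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Setting  = "$($item.Path)\$($item.Name)"
            Expected = $item.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

function Test-HardeningBaseline {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    # The local host is audited directly; remote hosts via WinRM (Invoke-Command).
    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $AuditBlock -Baseline $Baseline
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $AuditBlock -ArgumentList (,$Baseline)
        }
    }
}

# Usage (SRV01/SRV02 are placeholder host names): list every setting that
# did not arrive on a host or was changed locally after the GPO was applied.
Test-HardeningBaseline -ComputerName 'SRV01','SRV02' |
    Where-Object Status -ne 'Compliant' |
    Sort-Object Computer, Setting |
    Format-Table -AutoSize
```

Run on a schedule, the non-compliant rows are the drift report a GPO deployment alone never gives you; the same objects can be fed into a ticketing system or a remediation step.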

In a world where cyber threats are constantly evolving, the question arises as to whether it is still appropriate to rely on “rigid” group policies in IT security. As mentioned at the beginning, there is a lack of crucial functionalities for effective Security Configuration Management (SCM)!

Secure system configuration with group policies: The pros and cons

In the table below, we summarize what we consider to be the most important plus and minus points of system hardening using GPOs:

In other words: System hardening using Active Directory and group policies forms a monolithic approach that requires extensive manual work. A challenge that overloaded IT departments often find difficult to overcome.

How can sustainable system hardening be achieved?

If you only have a few systems to administer, for example a few workstations and servers, hardening via GPO may be fine. The effort required for implementation, monitoring and adjustments is considerable, but feasible with a well-staffed IT team.

However, in extensive IT landscapes, comprehensive and sustainable system hardening that covers all facets of security configuration management at a high level is not feasible with GPOs – at least not without a disproportionate amount of effort.

The only sensible solution for this is automation! To date, there are hardly any professional solutions on the market for automating system hardening. One exception: the Enforce Administrator.

This tool enables hardening to be carried out independently, based on proven and current standards – for example from Microsoft, BSI, CIS and DISA.

Enforce Administrator also offers a systems management and audit system to monitor the compliance status. Regular “self-healing” according to the defined configurations is also part of the solution.

Group policies vs. Enforce Administrator

What are the strengths of GPOs? And in which areas does the Enforce Administrator score points? You can find the answers here:

Conclusion

Group policies and Active Directory undoubtedly have their strengths. However, they quickly reach their limits when it comes to implementing Security Configuration Management (SCM). SCM requires not only the implementation of secure configurations, but also integration into existing processes, security incident detection capabilities and continuous monitoring.

Due to the current skills shortage, it is almost impossible to find the time for the extensive manual work required to overcome these limitations.

For sustainable system hardening, SCM needs to be automated – at all levels: setup, monitoring and customization. This is the only way to keep IT infrastructures compliant with current recommendations and standards in the long term and effectively reduce the risk of successful cyber attacks.

____

About FB Pro GmbH:

FB Pro focuses on the hardening of IT systems and infrastructures. The Rhineland-Palatinate-based team has developed its own standardized solutions and products for this purpose. These help companies to preventively protect their system landscapes faster and more efficiently.
