Wednesday, July 1, 2020

[Research][GCB] Trying out LGPO.exe v2.2 (Windows Server 2019)

2020-07-01, updated 2023-12-05

Research notes on testing the Government Configuration Baseline (GCB).

This test applies two of the GPOs from the GCB package GCB-WindowsServer2016-gpos.zip, WindowsServer2016AccountSettings and WindowsServer2016CommonSettings, to Windows Server 2019 Standard (Traditional Chinese).

(Windows Server 2019 and Windows Server 2016 both run on the Windows NT 10.0 kernel.)

A warning first: settings changed by applying the GCB GPOs with LGPO cannot easily be reverted. Read the whole post before trying this.

LGPO.exe v2.2 – Local Group Policy Object Utility

Microsoft Security Compliance Toolkit 1.0
Released 2020-03-17
Supported Operating System
Windows 10, Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

LGPO is one of the tools shipped in the Microsoft Security Compliance Toolkit 1.0. It replaces LocalGPO.msi, which only supports Windows up to NT 6.2.
Environment: Windows Server 2019 Standard, Traditional Chinese.
Windows Server 2019 and Windows Server 2016 share the same NT 10.0 kernel, so in theory the GPOs should be interchangeable.
(NCCST was reorganized as the administrative corporation NICS on 2023-01-01.)
(Figure below) Back up first. The destination directory must be created manually.
Run Command Prompt as administrator and change to the directory where LGPO.exe was extracted.

C:\GCB\LGPO>mkdir C:\GCB\LGPOBackup
C:\GCB\LGPO>LGPO.exe  /b  C:\GCB\LGPOBackup
LGPO.exe v2.2 - Local Group Policy Object utility

Creating LGPO backup in "C:\GCB\LGPOBackup\{218C0FD9-F27E-4B63-9BBB-06572C291751}"

C:\GCB\LGPO>


Enable Remote Desktop first and confirm that a connection works. (Later this shows that LGPO.exe /b does not back up every setting.)
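The LGPO backup above only captures the local GPO folder (registry.pol, GptTmpl.inf, audit.csv). The user-rights changes that later broke Remote Desktop live in the effective local security database, which a GPO backup does not necessarily reflect. The following PowerShell script is an added example, not part of the original post or of the LGPO tool: it wraps LGPO.exe /b and adds a secedit export, an auditpol backup, a raw copy of the GroupPolicy folders and a notes file recording the built-in Administrator's current name and the state of the deny-logon rights. The paths in $LgpoExe and $BackupDir are assumptions.

```powershell
# Added example (not from the original post): take a fuller pre-GCB snapshot than
# "LGPO.exe /b" alone. LGPO backs up the local GPO folder (registry.pol, GptTmpl.inf,
# audit.csv); the effective local security database, where the user-rights changes
# actually land, is captured separately with secedit and auditpol.
# Paths are assumptions; run from an elevated PowerShell prompt.
$LgpoExe   = 'C:\GCB\LGPO\LGPO.exe'                 # assumed location of LGPO.exe
$BackupDir = 'C:\GCB\LGPOBackup'                    # assumed backup root
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$Snapshot  = Join-Path $BackupDir "snapshot-$Stamp"
New-Item -ItemType Directory -Path $Snapshot -Force | Out-Null

# 1. The LGPO backup itself (creates a {GUID} GPO backup folder under $Snapshot).
& $LgpoExe /b $Snapshot /n "Pre-GCB $Stamp"

# 2. Effective local security policy: account policy, user rights assignment,
#    security options. This is what secpol.msc shows, not just the local GPO files.
$SecpolInf = Join-Path $Snapshot 'secpol-effective.inf'
secedit /export /cfg $SecpolInf | Out-Null

# 3. Effective advanced audit policy (auditpol /restore can read this file back).
$AuditCsv = Join-Path $Snapshot 'auditpol.csv'
auditpol /backup /file:$AuditCsv | Out-Null

# 4. Raw copy of the local GPO folders the post lists, including GroupPolicyUsers,
#    which the LGPO backup does not contain.
foreach ($dir in 'GroupPolicy', 'GroupPolicyUsers') {
    $src = Join-Path $env:SystemRoot "System32\$dir"
    if (Test-Path $src) { Copy-Item $src (Join-Path $Snapshot $dir) -Recurse -Force }
}

# 5. Record the two facts the post had to rediscover by hand after applying GCB:
#    the built-in Administrator's current name (RID 500, whatever it is called) and
#    the current state of the deny-logon rights that block Remote Desktop.
$notes = @()
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$notes += "BuiltinAdministratorName=$($builtinAdmin.Name)"
$infLines = Get-Content $SecpolInf -Encoding Unicode
foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    # secedit exports only rights that have at least one assignee, so a right that is
    # absent from the .inf had no one assigned. Recording that explicitly matters:
    # re-importing a template that does not mention a right leaves that right untouched.
    $line = $infLines | Where-Object { $_ -match "^$right\s*=" }
    if ($line) { $notes += $line } else { $notes += "$right = (no one assigned at backup time)" }
}
$notes | Set-Content (Join-Path $Snapshot 'notes.txt')
Write-Host "Snapshot written to $Snapshot"
```

The notes file is the part that pays off later: when a restore leaves Remote Desktop blocked, it tells you which rights were empty before GCB and therefore have to be cleared explicitly rather than "restored".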

(Figure below) Apply the GPOs. Change to the directory containing LGPO.exe first.

C:\GCB\LGPO>LGPO.exe /g C:\GCB\GPO\GCB-WindowsServer2016-gpos\WindowsServer2016AccountSettings\{4eab021f-d752-4ede-9230-e4eaedbe4172}
LGPO.exe v2.2 - Local Group Policy Object utility

Apply security template: C:\GCB\GPO\GCB-WindowsServer2016-gpos\WindowsServer2016AccountSettings\{4eab021f-d752-4ede-9230-e4eaedbe4172}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

C:\GCB\LGPO>LGPO.exe /g C:\GCB\GPO\GCB-WindowsServer2016-gpos\WindowsServer2016CommonSettings\{2AB0C8F5-631B-48DB-B420-083580D08176}
LGPO.exe v2.2 - Local Group Policy Object utility

Created directory for audit policy
Copied C:\GCB\GPO\GCB-WindowsServer2016-gpos\WindowsServer2016CommonSettings\{2AB0C8F5-631B-48DB-B420-083580D08176}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
to C:\Windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv
Clearing existing audit policy
Apply Audit policy from C:\GCB\GPO\GCB-WindowsServer2016-gpos\WindowsServer2016CommonSettings\{2AB0C8F5-631B-48DB-B420-083580D08176}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
Apply security template: C:\GCB\GPO\GCB-WindowsServer2016-gpos\WindowsServer2016CommonSettings\{2AB0C8F5-631B-48DB-B420-083580D08176}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf
Import Machine settings from registry.pol: C:\GCB\GPO\GCB-WindowsServer2016-gpos\WindowsServer2016CommonSettings\{2AB0C8F5-631B-48DB-B420-083580D08176}\DomainSysvol\GPO\Machine\registry.pol
Import User settings from registry.pol: C:\GCB\GPO\GCB-WindowsServer2016-gpos\WindowsServer2016CommonSettings\{2AB0C8F5-631B-48DB-B420-083580D08176}\DomainSysvol\GPO\User\registry.pol

C:\GCB\LGPO>gpupdate   /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.
C:\GCB\LGPO>


Check the result
Run gpedit.msc



Test the Remote Desktop connection

PS: After the two GCB GPOs WindowsServer2016AccountSettings and WindowsServer2016CommonSettings are applied, the built-in administrator account is renamed to Renamed_Admin. Do not connect as administrator.



Attempting to revert

Next, delete the local policy with the RD command and re-import the earlier backup to test restoration.

Local Group Policy settings are stored in three directories (the first two share a parent, so it can also be counted as two):

(Computer Configuration)
%SystemRoot%\System32\GroupPolicy\Machine

(User Configuration)
%SystemRoot%\System32\GroupPolicy\User

(User/Group Specific GPOs Configuration)
%SystemRoot%\System32\GroupPolicyUsers

Looking at C:\GCB\LGPOBackup\{218C0FD9-F27E-4B63-9BBB-06572C291751}\DomainSysvol\GPO, there are only Machine and User directories; there is no GroupPolicyUsers.

GroupPolicyUsers holds the per-user and per-group local GPOs (multiple local Group Policy objects), which the LGPO backup does not cover.

C:\GCB\LGPO>RD /s /q C:\Windows\System32\GroupPolicy
C:\GCB\LGPO>LGPO.exe  /g  C:\GCB\LGPOBackup\{218C0FD9-F27E-4B63-9BBB-06572C291751}
LGPO.exe v2.2 - Local Group Policy Object utility

Created directory for audit policy
Copied C:\GCB\LGPOBackup\{218C0FD9-F27E-4B63-9BBB-06572C291751}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
to C:\Windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv
Clearing existing audit policy
Apply Audit policy from C:\GCB\LGPOBackup\{218C0FD9-F27E-4B63-9BBB-06572C291751}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv
Apply security template: C:\GCB\LGPOBackup\{218C0FD9-F27E-4B63-9BBB-06572C291751}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf
Import Machine settings from registry.pol: C:\GCB\LGPOBackup\{218C0FD9-F27E-4B63-9BBB-06572C291751}\DomainSysvol\GPO\Machine\registry.pol
Import User settings from registry.pol: C:\GCB\LGPOBackup\{218C0FD9-F27E-4B63-9BBB-06572C291751}\DomainSysvol\GPO\User\registry.pol

C:\GCB\LGPO>gpupdate  /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.


C:\GCB\LGPO>



Tried the Remote Desktop connection again: it still fails.
(Note: Renamed_Admin is restored to administrator, so the Remote Desktop connection must use the administrator account.)

So LGPO.exe apparently does not back up every value. (LocalGPO.msi does restore the Remote Desktop settings.)
Therefore, once the GCB GPOs have been applied, importing the earlier backup with /g does not fully restore the previous state.

~~~Too Bad ~~~
~~~Too Bad ~~~
~~~Too Bad ~~~

********************************************************************************

Changing settings so Remote Desktop can connect

Reference:

Government Configuration Baseline (GCB) - FAQ - Operating systems
Click the "Server 2012 R2" tab,

Q1: How to resolve the situation where user computers cannot connect to a Remote Desktop host?

Ans: In principle the Government Configuration Baseline (GCB) settings should not be changed arbitrarily, but if official duties require it, the settings TWGCB-01-006-0116, TWGCB-01-006-0107 and TWGCB-01-006-0145 can be adjusted as follows:

1. Go to "Computer Configuration" => "Windows Settings" => "Security Settings" => "Local Policies" => "User Rights Assignment" => "Allow log on through Remote Desktop Services" and set the list of users allowed to log on through Remote Desktop Services.
2. Go to "Computer Configuration" => "Windows Settings" => "Security Settings" => "Local Policies" => "User Rights Assignment" => "Deny log on through Remote Desktop Services" and set the list of users not allowed to log on through Remote Desktop Services.
3. Go to "Computer Configuration" => "Administrative Templates" => "Windows Components" => "Remote Desktop Services" => "Remote Desktop Session Host" => "Security" => "Set client connection encryption level" and set the encryption level according to your organization's rules.

The key is step 2.


Remove "Local account" from the list, click OK, and run gpupdate /force (possibly not even needed); after that a remote logon should work.

PS: In actual testing, this works when the client and the host are on the same subnet.
When the host is a VMware Workstation NAT VM it still fails; it is unclear whether this was a test error or whether other settings also need changing.

********************************************************************************

2020-07-02 supplement

Remote Desktop connection fails with "The local policy of this system does not permit you to logon interactively"

https://support.microsoft.com/zh-tw/help/289289.


Run secpol.msc

Under Local Policies / User Rights Assignment / "Deny access to this computer from the network", which should be empty by default, both "Guests" and "Local account and member of Administrators group" are currently listed.

After removing them and running gpupdate /force, the remote logon succeeded.
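The three GUI fixes in this post (the FAQ's step 2, the secpol.msc edit above, and the account rename noted under "Check the result") all come down to the same user rights: SeDenyRemoteInteractiveLogonRight ("Deny log on through Remote Desktop Services"), SeDenyNetworkLogonRight ("Deny access to this computer from the network") and the RID 500 account name. The PowerShell script below is an added example, not part of the original post or of GCB: it exports the effective rights with secedit, resolves the SIDs to names, checks that RDP is actually listening, and, when $Fix is set, clears the two deny rights in the local GPO's GptTmpl.inf (the same file secpol.msc writes) before running gpupdate. $WorkDir and $Fix are assumptions; the right names are the canonical constants behind the GUI labels.

```powershell
# Added example (not from the original post): show who the GCB templates put into the
# user rights that gate Remote Desktop, find the renamed built-in Administrator, and
# optionally clear the two deny rights the post removed by hand. Run elevated.
$WorkDir = 'C:\GCB\secpol-work'     # assumed scratch directory
$Fix     = $false                   # set to $true to clear the deny rights
$RightsToClear = 'SeDenyRemoteInteractiveLogonRight', 'SeDenyNetworkLogonRight'
$Labels = @{
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
}
$LocalGpoTemplate = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

function Get-PrivilegeRights {
    # Export the effective user rights with secedit and parse [Privilege Rights] into
    # a hashtable: right name -> array of principals, with *SID entries resolved to names.
    param([string]$InfPath)
    secedit /export /cfg $InfPath /areas USER_RIGHTS | Out-Null
    $rights = @{}; $inSection = $false
    foreach ($line in Get-Content $InfPath -Encoding Unicode) {
        if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $matches[1]
            $principals = foreach ($p in ($matches[2] -split ',' | Where-Object { $_.Trim() })) {
                $p = $p.Trim()
                if (-not $p.StartsWith('*')) { $p; continue }
                try { ([System.Security.Principal.SecurityIdentifier]$p.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $p }
            }
            $rights[$name] = @($principals)
        }
    }
    return $rights
}

function Clear-RightsInLocalGpoTemplate {
    # Set the given rights to "no one" in the local GPO's GptTmpl.inf. A right listed with
    # an empty value is cleared when the template is applied; a right merely absent from a
    # template is left alone, which is why re-importing a backup that never listed these
    # rights (they were empty then) does not reset them.
    param([string[]]$Rights)
    New-Item -ItemType Directory -Path (Split-Path $LocalGpoTemplate) -Force | Out-Null
    if (Test-Path $LocalGpoTemplate) { $lines = @(Get-Content $LocalGpoTemplate -Encoding Unicode) }
    else { $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1') }
    if (-not ($lines -match '^\[Privilege Rights\]')) { $lines += '[Privilege Rights]' }
    $out = New-Object System.Collections.Generic.List[string]
    $pending = [System.Collections.ArrayList]@($Rights)   # rights not yet seen in the section
    $inSection = $false
    foreach ($line in $lines) {
        if ($line -match '^\[(.+)\]') {
            if ($inSection) { foreach ($r in $pending) { $out.Add("$r = ") }; $pending.Clear() }
            $inSection = ($matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(\w+)\s*=' -and $Rights -contains $matches[1]) {
            $out.Add("$($matches[1]) = "); $pending.Remove($matches[1]); continue
        }
        $out.Add($line)
    }
    foreach ($r in $pending) { $out.Add("$r = ") }   # section was the last one in the file
    $out | Set-Content $LocalGpoTemplate -Encoding Unicode
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. RID 500 is the built-in Administrator whatever GCB renamed it to (Renamed_Admin in the post).
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
Write-Host "Built-in Administrator is currently named: $($builtin.Name)"

# 2. Current assignments. The post found Guests (S-1-5-32-546) and "Local account and member
#    of Administrators group" (S-1-5-114) in the network deny right, and "Local account"
#    (S-1-5-113) in the Remote Desktop deny right.
$current = Get-PrivilegeRights -InfPath (Join-Path $WorkDir 'current.inf')
foreach ($name in $Labels.Keys) {
    $who = if ($current[$name]) { $current[$name] -join ', ' } else { '(no one)' }
    Write-Host ("{0,-46} {1}" -f $Labels[$name], $who)
}

# 3. Rule out the simpler failure first: Remote Desktop disabled or not listening.
$tsDeny = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
$listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
Write-Host "fDenyTSConnections=$tsDeny, listening on TCP 3389: $listening"

if ($Fix) {
    Clear-RightsInLocalGpoTemplate -Rights $RightsToClear
    gpupdate /force /target:computer | Out-Null   # security CSE re-applies the local template
    $after = Get-PrivilegeRights -InfPath (Join-Path $WorkDir 'after.inf')
    foreach ($r in $RightsToClear) {
        $state = if ($after[$r]) { 'still set: ' + ($after[$r] -join ', ') } else { 'cleared' }
        Write-Host "$($Labels[$r]) -> $state"
    }
}
```

The fix edits the local GPO template rather than calling secedit /configure directly on purpose: a secedit /configure with "SeDenyNetworkLogonRight = " takes effect immediately, but the next policy refresh re-applies whatever GptTmpl.inf under System32\GroupPolicy says, and if that file still lists the GCB principals the deny rights come straight back. Editing the template and running gpupdate is what secpol.msc does behind the scenes in the post.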




********************************************************************************

Parameters provided by LGPO.exe 2.2
Microsoft Windows [Version 10.0.17763.1217]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>cd\gcb\lgpo

C:\GCB\LGPO>dir
 Volume in drive C has no label.
 Volume Serial Number is 78F7-0A42

 Directory of C:\GCB\LGPO

2020/07/01  03:34 PM    <DIR>          .
2020/07/01  03:34 PM    <DIR>          ..
2020/07/01  03:34 PM           410,088 LGPO.exe
2020/07/01  03:34 PM           638,115 LGPO.pdf
               2 File(s)      1,048,203 bytes
               2 Dir(s)  1,061,073,833,984 bytes free

C:\GCB\LGPO>lgpo /?
LGPO.exe v2.2 - Local Group Policy Object utility

Unrecognized option "/?"

LGPO.exe has four modes:
  * Import and apply policy settings;
  * Export local policy to a GPO backup;
  * Parse a registry.pol file to "LGPO text" format;
  * Build a registry.pol file from "LGPO text".

To apply policy settings:

    LGPO.exe command [...]

    where "command" is one or more of the following (each of which can be repeated):

    /g path                import settings from one or more GPO backups under "path"
    /m path\registry.pol   import settings from registry.pol into machine config
    /u path\registry.pol   import settings from registry.pol into user config
    /ua path\registry.pol  import settings from registry.pol into user config for Administrators
    /un path\registry.pol  import settings from registry.pol into user config for Non-Administrators
    /u:username path\registry.pol
                           import settings from registry.pol into user config for local user
                           specified by "username"
    /s path\GptTmpl.inf    apply security template
    /a[c] path\Audit.csv   apply advanced auditing settings; /ac to clear policy first
    /t path\lgpo.txt       apply registry commands from LGPO text
    /e <name>|<guid>       enable GP extension for local policy processing; specify a
                           GUID, or one of these names:
                           * "zone" for IE zone mapping extension
                           * "mitigation" for mitigation options, including font blocking
                           * "audit" for advanced audit policy configuration
                           * "LAPS" for Local Administrator Password Solution
                           * "DGVBS" for Device Guard virtualization-based security
                           * "DGCI" for Device Guard code integrity policy
    /boot                  reboot after applying policies
    /v                     verbose output
    /q                     quiet output (no headers)

To create a GPO backup from local policy:

    LGPO.exe /b path [/n GPO-name]

    /b path               Create GPO backup in "path"
    /n GPO-name           Optional GPO display name (use quotes if it contains spaces)

To parse a Registry.pol file to LGPO text (stdout):

    LGPO.exe /parse [/q] {/m|/u|/ua|/un|/u:username} path\registry.pol

    /m path\registry.pol   parse registry.pol as machine config commands
    /u path\registry.pol   parse registry.pol as user config commands
    /ua path\registry.pol  parse registry.pol as user config for Administrators
    /un path\registry.pol  parse registry.pol as user config for Non-Administrators
    /u:username path\registry.pol
                           parse registry.pol as user config for local user
                           specified by "username"
    /q                     quiet output (no headers)

To build a Registry.pol file from LGPO text:

    LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]

    /r path\lgpo.txt      Read input from LGPO text file
    /w path\registry.pol  Write new registry.pol file

(See the documentation for more information and examples.)

C:\GCB\LGPO>
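Given the warning at the top of this post, the /parse mode in the help text above is worth using before /g: it turns a registry.pol into "LGPO text", four lines per setting (scope, key path, value name, TYPE:data), which can be compared with the live registry to see what the GPO will change. The following PowerShell script is an added example, not from the original post or from the toolkit documentation. $LgpoExe is an assumption; $GpoBackup points at the CommonSettings backup path used in the post, and the CREATEKEY/DELETE/DELETEALLVALUES actions are the LGPO text actions that carry no data to compare.

```powershell
# Added example (not from the original post): dry run of a GPO backup before "LGPO.exe /g".
# LGPO /parse writes the registry.pol as LGPO text; this script parses that text and
# compares each proposed value with what the registry currently holds.
$LgpoExe   = 'C:\GCB\LGPO\LGPO.exe'      # assumed location of LGPO.exe
$GpoBackup = 'C:\GCB\GPO\GCB-WindowsServer2016-gpos\WindowsServer2016CommonSettings\{2AB0C8F5-631B-48DB-B420-083580D08176}'

function ConvertFrom-LgpoText {
    # LGPO text: blank lines and ';' comments separate records of exactly four lines:
    # "Computer"|"User", key path, value name, then TYPE:data (or a bare action word).
    param([string[]]$Text)
    $fields = @()
    foreach ($line in $Text) {
        if ($line -match '^\s*(;.*)?$') { continue }
        $fields += $line.Trim()
        if ($fields.Count -eq 4) {
            $type, $data = $fields[3] -split ':', 2
            [pscustomobject]@{ Scope = $fields[0]; Key = $fields[1]; ValueName = $fields[2]; Type = $type; Data = $data }
            $fields = @()
        }
    }
}

function Get-CurrentRegistryData {
    # Read the live value the setting would overwrite. User scope reads the current
    # user's HKCU, which is only meaningful when run as the user concerned.
    param($Setting)
    if ($Setting.Type -in 'DELETE', 'DELETEALLVALUES', 'CREATEKEY') { return '(n/a)' }
    $hive = if ($Setting.Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $item = Get-ItemProperty -Path "$hive\$($Setting.Key)" -Name $Setting.ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '(not set)' }
    $v = $item.($Setting.ValueName)
    if ($v -is [array]) { return ($v -join '|') }
    return "$v"
}

# Parse both halves of the GPO backup. /q drops the LGPO banner so only LGPO text remains.
$settings = @()
foreach ($scope in @{ m = 'Machine'; u = 'User' }.GetEnumerator()) {
    $pol = Join-Path $GpoBackup "DomainSysvol\GPO\$($scope.Value)\registry.pol"
    if (Test-Path $pol) {
        $text = & $LgpoExe /parse /q "/$($scope.Key)" $pol
        $settings += ConvertFrom-LgpoText -Text $text
    }
}

$report = foreach ($s in $settings) {
    $now = Get-CurrentRegistryData $s
    [pscustomobject]@{
        Scope = $s.Scope; Key = $s.Key; ValueName = $s.ValueName
        Proposed = "$($s.Type):$($s.Data)"; Current = $now
        Changes = ($now -ne '(n/a)' -and $now -ne $s.Data)
    }
}
"{0} settings parsed, {1} would change a current value" -f @($report).Count, @($report | Where-Object Changes).Count

# The Terminal Services keys are the ones that matter for the Remote Desktop problem in this post.
$report | Where-Object { $_.Key -like '*Terminal Services*' -or $_.Changes } |
    Format-Table Scope, Key, ValueName, Proposed, Current -AutoSize
```

Note that registry.pol only covers Administrative Template settings; the account rename and the user-rights changes come from GptTmpl.inf, which is a plain INF you can read directly, and audit.csv, which auditpol can show with /get /category:*.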

********************************************************************************
2023-12-05 supplement


Parameters provided by LGPO.exe 3.0
C:\LGPO_30>LGPO.exe /?

LGPO.exe - Local Group Policy Object Utility
Version 3.0.2004.13001
Copyright (C) 2015-2020 Microsoft Corporation
Security Compliance Toolkit - https://www.microsoft.com/download/details.aspx?id=55319

Unrecognized option "/?"

LGPO.exe has four modes:
  * Import and apply policy settings;
  * Export local policy to a GPO backup;
  * Parse a registry.pol file to "LGPO text" format;
  * Build a registry.pol file from "LGPO text".

To apply policy settings:

    LGPO.exe command [...]

    where "command" is one or more of the following (each of which can be repeated):

    /g path                   import settings from one or more GPO backups under "path"
    /p path\lgpo.PolicyRules  import settings from a Policy Analyzer .PolicyRules file
    /m path\registry.pol      import settings from registry.pol into machine config
    /u path\registry.pol      import settings from registry.pol into user config
    /ua path\registry.pol     import settings from registry.pol into user config for Administrators
    /un path\registry.pol     import settings from registry.pol into user config for Non-Administrators
    /u:username path\registry.pol
                              import settings from registry.pol into user config for local user
                              specified by "username"
    /s path\GptTmpl.inf       apply security template
    /a[c] path\Audit.csv      apply advanced auditing settings; /ac to clear policy first
    /t path\lgpo.txt          apply registry commands from LGPO text
    /e <name>|<guid>          enable GP extension for local policy processing; specify a
                              GUID, or one of these names:
                              * "zone" for IE zone mapping extension
                              * "mitigation" for mitigation options, including font blocking
                              * "audit" for advanced audit policy configuration
                              * "LAPS" for Local Administrator Password Solution
                              * "DGVBS" for Device Guard virtualization-based security
                              * "DGCI" for Device Guard code integrity policy
    /ef path\backup.xml       enable GP extensions referenced in backup.xml from a GPO backup
    /boot                     reboot after applying policies
    /v                        verbose output
    /q                        quiet output (no headers)

To create a GPO backup from local policy:

    LGPO.exe /b path [/n GPO-name]

    /b path               Create GPO backup in "path"
    /n GPO-name           Optional GPO display name (use quotes if it contains spaces)

To parse a Registry.pol file to LGPO text (stdout):

    LGPO.exe /parse [/q] {/m|/u|/ua|/un|/u:username} path\registry.pol

    /m path\registry.pol   parse registry.pol as machine config commands
    /u path\registry.pol   parse registry.pol as user config commands
    /ua path\registry.pol  parse registry.pol as user config for Administrators
    /un path\registry.pol  parse registry.pol as user config for Non-Administrators
    /u:username path\registry.pol
                           parse registry.pol as user config for local user
                           specified by "username"
    /q                     quiet output (no headers)

To build a Registry.pol file from LGPO text:

    LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]

    /r path\lgpo.txt      Read input from LGPO text file
    /w path\registry.pol  Write new registry.pol file

(See the documentation for more information and examples.)

C:\LGPO_30>

Version 3.0 adds the following parameters compared with 2.2:

/p path\lgpo.PolicyRules  import settings from a Policy Analyzer .PolicyRules file
/ef path\backup.xml       enable GP extensions referenced in backup.xml from a GPO backup

(End)

Related

How to Backup and Restore Local Group Policy Settings in Windows 10

[Research][GCB] Applying GCB first, then installing SQL Server 2019

[Research][GCB] Applying, enabling and disabling GCB on a Windows 2019 AD host

[Research][GCB] Applying GCB after SQL Server 2019 is already installed

[Research][GCB] Reverting LGPO-applied GCB with "Local Security Policy (secpol.msc)"

[Research][GCB] Remote Desktop connection shows "The system administrator has restricted the types of logon (network or interactive) that you may use."

[Research][GCB] Trying out LGPO.exe (Windows 2019)

[Research][GCB] Trying out LocalGPO.msi (Windows 2019)

[Research][GCB] Installing and trying Microsoft Security Compliance Manager 4.0
