{"uuid": "4203853e-89b6-4d7e-8be9-d764095ce9b2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-34527", "type": "seen", "source": "https://gist.github.com/Svaillan/75e57329694753b175066d32305302f6", "content": "# Group Policy Current State \u2014 What Each GPO Does\n\n**Domain:** asurite.ad.asu.edu  \n**Data collected:** July 7, 2026  \n**Analysis date:** July 8, 2026  \n\n---\n\n## Summary\n\nThere are **22 GPOs** in the asurite.ad.asu.edu domain. They break down into these functional categories:\n\n| Category | GPOs |\n|----------|------|\n| Security Hardening (Protocol/Auth) | Tier ALL - Disable SMBv1, Tier ALL - Disable WDigest, Tier ALL - LDAP &amp; SMB Signing, Tier 0 - Domain Block, Remediation.Base, Remediation.Sensitive, Member Server default Policy |\n| Audit &amp; Logging | UTO.Audit.Policies, M.UTO.AuditPolicyEnable |\n| Endpoint Management | M.UTO.MSSLAPS, M.UTO.EnableWinRM, m.uto.servers.mss-sccm |\n| Application-Specific | M.UTO.Servers.AppX - Application Timeouts, M.UTO.Servers.AppX - Terminal Server Settings |\n| Service Hardening | M.UTO.Servers - Disable Print Spooler, M.UTO.Servers.Disable Windows Error Reporting to MS |\n| Avecto/BeyondTrust | M.UTO.Servers.Avecto.Admin, M.UTO.Servers.Avecto.Policy.Live |\n| Backup | M.UTO.BackupSecurity |\n| Identity/Join | Disable Hybrid Azure AD Join |\n| Certificate | M.UTO.Servers Cert Store |\n| Empty/Test | CTN-Test |\n\n---\n\n## Individual GPO Descriptions\n\n### 1. CTN-Test\n| Field | Value |\n|-------|-------|\n| Created | 7/1/2022 |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | M.UTO.Servers.SecurityBL.full |\n| Settings | **NONE** \u2014 No computer or user configuration defined |\n\n**What it does:** Nothing. This GPO has zero settings. It is linked to an OU but applies no policy.\n\n---\n\n### 2. Disable Hybrid Azure AD Join\n| Field | Value |\n|-------|-------|\n| Created | 5/9/2023 |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | Domain Controllers, M.PHI.Citrix.Instances, M.PHI.Servers, M.PHI.Servers - PrintSpoolEnabled, M.UTO.Servers |\n| GPO Status | User settings disabled |\n\n**What it does:** Prevents on-prem servers from performing Hybrid Azure AD Join by setting the `BlockAADWorkplacejoin` registry key to `1` under `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WorkplaceJoin`. This keeps domain-joined servers from registering a device identity in Entra ID.\n\n---\n\n### 3. M.UTO.AuditPolicyEnable\n| Field | Value |\n|-------|-------|\n| Created | 7/26/2020 |\n| Owner | S-1-5-21-...232619 (**unresolved SID**) |\n| Linked To | M.PHI.Citrix.Instances, M.PHI.Servers, M.PHI.Servers - PrintSpoolEnabled, M.UTO.LNVR, M.UTO.Servers, M.UTO.Servers - PrintSpoolEnabled |\n| Security Filtering | ASURITE\\ISAAC.Servers, Authenticated Users |\n\n**What it does:** Enables legacy audit policy (category-based) for:\n- Account logon events \u2014 Success, Failure\n- Account management \u2014 Success, Failure\n- Logon events \u2014 Success, Failure\n- Object access \u2014 Success, Failure\n- Policy change \u2014 Success, Failure\n- Privilege use \u2014 Success, Failure\n- System events \u2014 Success, Failure\n\n---\n\n### 4. M.UTO.BackupSecurity\n| Field | Value |\n|-------|-------|\n| Created | **4/19/2010** |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | M.PHI.Citrix.Instances, M.PHI.Servers, M.UTO.Servers, M.UTO.Servers - PrintSpoolEnabled, M.UTO.Servers.Test, M.UTO.Servers.VDI-VMM, M.UTO.Test |\n| Security Filtering | ASURITE\\m.uto.backupsecurity, Authenticated Users |\n\n**What it does:** Manages the IBM Tivoli Storage Manager (TSM) backup infrastructure:\n- Runs `Add2TSM.mgmt.vbs` startup script to register servers with TSM\n- Adds specific accounts to the Backup Operators group (includes an unresolved SID and MSSQL_DBA)\n- Sets TSM-Acceptor service to Automatic, TSM-Scheduler to Manual\n- Controls file system permissions on `%ProgramFiles%\\Tivoli`\n- Controls registry permissions on `HKLM\\SOFTWARE\\IBM` and `HKLM\\SOFTWARE\\Tivoli`\n\n---\n\n### 5. M.UTO.EnableWinRM\n| Field | Value |\n|-------|-------|\n| Created | 7/24/2019 |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | M.PHI.Citrix.Instances, M.PHI.Servers, M.PHI.Servers - PrintSpoolEnabled, M.UTO.Servers, M.UTO.Servers - PrintSpoolEnabled |\n| Security Filtering | **None** (no groups in security filtering) |\n\n**What it does:** Enables Windows Remote Management (WinRM) for remote server administration:\n- Enables WinRM via Administrative Template (allow remote management from all IPs)\n- Sets WinRM service to Automatic (Delayed Start) via Group Policy Preferences\n- Comment references: \"Created July 24, 2019 - Doug &amp; Tom\"\n\n\u26a0\ufe0f **Note:** Security Filtering is set to \"None\" \u2014 this policy may not be applying to any computers. There's an unresolved SID with Custom permissions in delegation.\n\n---\n\n### 6. M.UTO.MSSLAPS\n| Field | Value |\n|-------|-------|\n| Created | 11/8/2016 |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | M.PHI.Citrix.Instances, M.PHI.Servers, M.UTO.Desktops, M.UTO.HyperV, M.UTO.LNVR, M.UTO.Servers, M.UTO.Servers - PrintSpoolEnabled, M.UTO.Servers.VDI-VMM, M.UTO.WSUSPatched, M.UTO.WSV |\n\n**What it does:** Enables Microsoft LAPS (Local Administrator Password Solution) to automatically rotate and manage local admin passwords:\n- Enables local admin password management\n- Specifies administrator account name to manage (name not shown in export)\n\nThis is widely deployed \u2014 linked to almost every server and desktop OU.\n\n---\n\n### 7. M.UTO.Servers - Disable Print Spooler\n| Field | Value |\n|-------|-------|\n| Created | 7/1/2021 |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | Domain Controllers, M.PHI.Servers, M.UTO.Servers, M.UTO.Servers.VDI-VMM, M.UTO.VDI.OPS.AdminXD.Servers.sccm |\n\n**What it does:** Mitigates PrintNightmare (CVE-2021-34527) and related print spooler vulnerabilities:\n- Disables Print Spooler service\n- Enables Point and Print Restrictions (requires elevation prompts)\n- Sets `RestrictDriverInstallationToAdministrators = 1` via registry\n\nThis was clearly created in response to the July 2021 PrintNightmare vulnerability.\n\n---\n\n### 8. M.UTO.Servers Cert Store\n| Field | Value |\n|-------|-------|\n| Created | 3/27/2023 |\n| Owner | ASURITE\\denkou |\n| Linked To | M.PHI.Citrix.Instances, M.PHI.Servers, M.PHI.Servers - PrintSpoolEnabled, M.UTO.Servers |\n| Security Filtering | **None** (delegated to ASURITE\\ADMINAPPSSF02$ only) |\n\n**What it does:** Deploys an intermediate CA certificate to the server trust store:\n- Installs \"InCommon RSA Server CA 2\" (issued by USERTrust RSA CA, expires 11/15/2032)\n- Used to trust SSL/TLS certificates issued by the InCommon certificate service\n\n\u26a0\ufe0f **Note:** Security Filtering shows \"None\" \u2014 policy application appears to be controlled through delegation with a specific computer account only.\n\n---\n\n### 9. M.UTO.Servers.AppX - Application Timeouts\n| Field | Value |\n|-------|-------|\n| Created | 6/9/2022 |\n| Owner | ASUAD\\ex_bmossop (**former employee**) |\n| Linked To | M.UTO.Servers.SecurityBL.full, M.UTO.Servers.Test |\n| Security Filtering | ASURITE\\appx.thickclient, ASURITE\\M.UTO.Servers.AppX-TS |\n\n**What it does:** Sets auto-logout timeout for the ApplicationXtender (AppX) document management application:\n- Sets `iAutoLogout` registry value to 25 (minutes) under `HKCU\\Software\\XtenderSolutions\\ApplicationXtender\\Configuration\\Data`\n- This is a **User Configuration** policy (not computer config)\n- Targets AppX terminal server sessions specifically\n\n---\n\n### 10. M.UTO.Servers.AppX - Terminal Server Settings\n| Field | Value |\n|-------|-------|\n| Created | 6/8/2022 |\n| Owner | ASUAD\\ex_bmossop (**former employee**) |\n| Linked To | M.UTO.Servers.SecurityBL.full |\n| Security Filtering | ASURITE\\M.UTO.Servers.AppX-TS |\n\n**What it does:** Configures the AppX terminal server environment:\n- Enables Print Spooler service (Automatic) \u2014 overrides the global print disable for these servers since AppX needs printing\n- Sets disconnected RDP session time limit to 30 minutes\n\n---\n\n### 11. M.UTO.Servers.Avecto.Admin\n| Field | Value |\n|-------|-------|\n| Created | 7/24/2017 |\n| Owner | S-1-5-21-...215079 (**unresolved SID**) |\n| Linked To | M.PHI.Citrix.Instances, M.PHI.Servers, M.UTO.Servers, M.UTO.Servers - PrintSpoolEnabled, M.UTO.Servers.VDI-VMM |\n\n**What it does:** Configures Windows Event Forwarding to send events to the Avecto/BeyondTrust management server:\n- Sets WinRM service to Automatic\n- Configures event forwarding subscription manager: `server=mss-avecto.asurite.ad.asu.edu`\n\n---\n\n### 12. M.UTO.Servers.Avecto.Policy.Live\n| Field | Value |\n|-------|-------|\n| Created | 10/11/2017 |\n| Owner | S-1-5-21-...-614521 (**unresolved SID \u2014 different domain**) |\n| Linked To | M.PHI.Citrix.Instances, M.PHI.Servers, M.UTO.Servers, M.UTO.Servers - PrintSpoolEnabled, M.UTO.Servers.VDI-VMM |\n| Computer Revisions | **1674** (extremely high revision count) |\n\n**What it does:** Enables the WinRM service for Avecto/BeyondTrust privilege management:\n- Sets Windows Remote Management (WS-Management) to Automatic startup\n- High revision count (1674) suggests this was frequently auto-updated by the Avecto/BeyondTrust management console\n\n\u26a0\ufe0f **Note:** Multiple unresolved SIDs in both security filtering and delegation from a different domain (S-1-5-21-1547161642...).\n\n---\n\n### 13. M.UTO.Servers.Disable Windows Error Reporting to MS\n| Field | Value |\n|-------|-------|\n| Created | 7/11/2019 |\n| Owner | S-1-5-21-...-1070968 (**unresolved SID**) |\n| Linked To | M.PHI.Citrix.Instances, M.PHI.Servers, M.UTO.Servers, M.UTO.Servers - PrintSpoolEnabled, M.UTO.Servers.VDI-VMM, M.UTO.WSV |\n| GPO Status | User settings disabled |\n\n**What it does:** Reduces outbound telemetry and prevents useless file accumulation:\n- Disables Windows Error Reporting (servers can't reach Microsoft anyway)\n- Sets diagnostic data level to \"off\" (zero)\n- Rationale in comments: servers have no internet access, queued reports waste disk space\n\n---\n\n### 14. M.UTO.Servers.Remediation.Base\n| Field | Value |\n|-------|-------|\n| Created | 3/1/2019 |\n| Owner | S-1-5-21-...215079 (**unresolved SID**) |\n| Linked To | M.CHS.BMI.Servers (disabled), M.PHI.Citrix/Servers, M.UTO.Servers.SecurityBL/Avecto/SecurityTestBL |\n| Computer Revisions | 208 |\n| GPO Status | User settings disabled |\n\n**What it does:** This is the **primary security hardening baseline** \u2014 the largest and most comprehensive GPO. It implements:\n\n**Audit Policy:**\n- Account logon, management, logon events, policy change, system events (Success + Failure)\n\n**Security Options:**\n- Guest account disabled\n- Secure channel data signing/encryption required\n- CTRL+ALT+DEL required\n- Last user not displayed\n- Legal warning banner (federal/state law + ACD 125)\n- Cached logons limited to 1\n- Password change prompt 14 days before expiration\n- DC authentication required to unlock\n- Smart card removal locks workstation\n- SMB client/server signing enforced\n- Idle session timeout 15 minutes\n- Anonymous SAM enumeration blocked\n- Virtual memory pagefile clearing enabled\n\n**Event Log:**\n- Max log sizes: ~410 MB (application, security, system)\n- Guests blocked from all event logs\n\n**Restricted Groups:**\n- ASUAD\\LocalPrivilegedOpen \u2192 Administrators\n- ASURITE\\M.UTO.RDAdmin \u2192 Remote Desktop Users\n\n**Disabled Services:**\n- Bluetooth, Connected Telemetry, icssvc, Geolocation, Downloaded Maps, WinRM*, Windows Insider, Xbox Live Auth, XblGameSave\n\n**Windows Firewall:**\n- Enabled on all profiles (Domain, Private, Public)\n- Stateful FTP/PPTP disabled\n- Core Networking inbound rules with authentication required (DHCP, IGMP, ICMP)\n\n*Note: WinRM is disabled here but enabled by the separate M.UTO.EnableWinRM GPO \u2014 processing order determines which wins.\n\n---\n\n### 15. M.UTO.Servers.Remediation.Sensitive\n| Field | Value |\n|-------|-------|\n| Created | 3/1/2019 |\n| Owner | S-1-5-21-...215079 (**unresolved SID**) |\n| Linked To | Multiple security-tiered OUs (SecurityBL.full, Avecto, VDI infra, etc.) |\n| GPO Status | User settings disabled |\n\n**What it does:** Handles **TLS 1.0 deprecation** with a sophisticated exception mechanism:\n- Disables TLS 1.0 client and server via SCHANNEL registry keys\n- Uses item-level targeting with WMI queries against `Root\\ASU` namespace and registry matching for `EXCEPT.TLS.1.0.ENABLE`\n- Servers tagged with the exception key in WMI or registry get a different TLS 1.0 configuration (likely left enabled)\n- This allows legacy applications that still require TLS 1.0 to be individually exempted\n\nAlso configures the Windows Firewall at a basic level.\n\n---\n\n### 16. Member Server default Policy\n| Field | Value |\n|-------|-------|\n| Created | 7/20/2012 |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | M.PHI, M.UTO, M.UTO.Servers.Test, M.UTO.Servers.VDI-VMM, plus multiple VDI infra OUs |\n\n**What it does:** Sets a single security baseline for all member servers:\n- Enforces NTLMv2 authentication only (refuses LM and NTLMv1)\n- `Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM`\n\n---\n\n### 17. Tier 0 - Domain Block - Top Level\n| Field | Value |\n|-------|-------|\n| Created | 5/5/2026 |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | asurite (domain root) \u2014 **Enforced** |\n| WMI Filter | \"Tier 0 - No DC Apply\" (excludes domain controllers) |\n| Security Filtering | **None** (explicitly via delegation: Domain Controllers have Custom deny) |\n| GPO Status | User settings disabled |\n\n**What it does:** Implements Tier 0 credential isolation by **blocking** Tier 0 accounts from authenticating to member servers. Denies all logon types for:\n- Tier 0 Service Accounts, Tier 0 Operators, Domain Admins, administrator, Schema Admins, Enterprise Admins, Server/Print/Account Operators\n\nLogon types denied:\n- Network access, Batch job, Service, Local logon, Terminal Services\n\nThis is a critical security boundary \u2014 prevents Tier 0 credential exposure on Tier 1/2 systems.\n\n---\n\n### 18. Tier ALL - Disable SMBv1 - Top Level\n| Field | Value |\n|-------|-------|\n| Created | 5/5/2026 |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | asurite (domain root) |\n| GPO Status | User settings disabled |\n\n**What it does:** Disables SMBv1 protocol domain-wide:\n- Sets `HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1 = 0`\n- Mitigates EternalBlue/WannaCry class vulnerabilities\n\n---\n\n### 19. Tier ALL - Disable WDigest - Top Level\n| Field | Value |\n|-------|-------|\n| Created | 5/5/2026 |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | asurite (domain root) |\n| GPO Status | User settings disabled |\n\n**What it does:** Disables WDigest authentication credential caching domain-wide:\n- Sets `HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential = 0`\n- Prevents plaintext password storage in LSASS memory (Mimikatz mitigation)\n\n---\n\n### 20. Tier ALL - LDAP &amp; SMB Signing - Top Level\n| Field | Value |\n|-------|-------|\n| Created | 5/14/2026 |\n| Owner | ASUAD\\Enterprise Admins |\n| Linked To | asurite (domain root) \u2014 **Enforced** |\n\n**What it does:** Requires LDAP and SMB signing domain-wide:\n- Microsoft network client: Digitally sign communications (always) = Enabled\n- Microsoft network server: Digitally sign communications (always) = Enabled\n- Network security: LDAP client signing requirements = Require signing\n\nPrevents LDAP relay attacks and man-in-the-middle attacks on SMB.\n\n---\n\n### 21. UTO.Audit.Policies\n| Field | Value |\n|-------|-------|\n| Created | 4/2/2021 |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | Domain Controllers (Enforced), M.PHI.Citrix/Servers (Enforced), M.UTO.Servers (Enforced) |\n| GPO Status | User settings disabled |\n\n**What it does:** This is the **comprehensive advanced audit policy** that supersedes the older category-based audit settings. It enables:\n\n**Security Options:**\n- Force audit subcategory settings to override category settings\n- Audit all NTLM traffic (incoming, outgoing, domain-wide)\n\n**Advanced Audit (all Success + Failure unless noted):**\n- Account Logon: Credential Validation, Kerberos Auth, Kerberos Tickets, Other\n- Account Management: All subcategories\n- DS Access: Directory Service Access + Changes\n- Object Access: Application Generated, Cert Services, File Share (detailed), File System, Filtering Platform, Handle Manipulation, Kernel Object, Registry, Removable Storage, SAM, Central Access Policy\n- Policy Change: All subcategories (except Other = Failure only)\n- Privilege Use: All subcategories\n- System: IPsec Driver, Other System Events, Security State Change, Security System Extension, System Integrity\n\nThis is enforced on DCs and all server OUs \u2014 it generates the audit trail for SIEM/security monitoring.\n\n---\n\n### 22. m.uto.servers.mss-sccm\n| Field | Value |\n|-------|-------|\n| Created | 5/9/2017 |\n| Modified | 6/24/2026 (recently updated) |\n| Owner | ASURITE\\Domain Admins |\n| Linked To | Many OUs (M.PHI, M.UTO servers, VDI infrastructure, LNVR) \u2014 several enforced |\n\n**What it does:** Assigns servers to the SCCM/MECM site and configures Windows servicing:\n- Assigns SCCM site code: **MSS**\n- Site assignment retry: 60 min interval, 12 hours duration\n- Enables download of repair content from Windows Update (not just WSUS)\n- Specifies no alternate source path for optional component installation\n\nHas `ASURITE\\ex_kwattie` (current SCCM admin) with edit permissions.\n\n---\n\n## GPO Ownership Issues\n\n| GPO | Owner |\n|-----|-------|\n| M.UTO.AuditPolicyEnable | Unresolved SID (S-1-5-21-...-232619) |\n| M.UTO.Servers.Avecto.Admin | Unresolved SID (S-1-5-21-...-215079) |\n| M.UTO.Servers.Avecto.Policy.Live | Unresolved SID (different domain: S-1-5-21-1547161642-...-614521) |\n| M.UTO.Servers.Disable Windows Error Reporting to MS | Unresolved SID (S-1-5-21-1547161642-...-1070968) |\n| M.UTO.Servers.Remediation.Base | Unresolved SID (S-1-5-21-...-215079) |\n| M.UTO.Servers.Remediation.Sensitive | Unresolved SID (S-1-5-21-...-215079) |\n| M.UTO.Servers Cert Store | ASURITE\\denkou (specific user account) |\n| M.UTO.Servers.AppX - Application Timeouts | ASUAD\\ex_bmossop (former employee) |\n| M.UTO.Servers.AppX - Terminal Server Settings | ASUAD\\ex_bmossop (former employee) |\n\n\n# Proposal: M.UTO Managed Infrastructure Group Policies\n\n**Domain:** asurite.ad.asu.edu  \n**Scope:** M.UTO OU and child OUs (M.UTO.Servers, M.UTO.Servers.SecurityBL, etc.)  \n**Date:** July 8, 2026  \n\nThese policies apply specifically to UTO-managed infrastructure \u2014 servers, Hyper-V hosts, VDI infrastructure, etc. They layer on top of the domain-wide policies to provide server-specific hardening, management, and monitoring controls.\n\n---\n\n## Currently Implemented (Validate / Keep)\n\n| Policy Name | Recommended Setting | Purpose | Documentation |\n|---|---|---|---|\n| Disable Print Spooler | System Services &gt; Print Spooler = **Disabled**; Point and Print Restrictions = Enabled with elevation prompts; RestrictDriverInstallationToAdministrators = 1 | Mitigates PrintNightmare (CVE-2021-34527) and all print spooler attack surface on servers that don't need printing. | [Microsoft KB5005010](https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7) |\n| LAPS (Local Admin Password Solution) | Enable local admin password management = **Enabled**; Managed account configured | Ensures every server has a unique, rotated local admin password. Prevents lateral movement via shared local credentials. | [Microsoft - Windows LAPS](https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory) |\n| Disable Windows Error Reporting | `Allow Diagnostic Data` = Diagnostic data off; `Disable Windows Error Reporting` = Enabled | Prevents telemetry accumulation on air-gapped servers. Servers can't reach Microsoft; queued reports waste disk space. | [Microsoft - Configure Diagnostic Data](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization) |\n| Disable Hybrid Azure AD Join | `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WorkplaceJoin\\BlockAADWorkplacejoin` = 1 | Prevents on-prem servers from registering device identity in Entra ID. Appropriate for servers that should remain purely on-prem AD managed. | [Microsoft - Plan Hybrid Azure AD Join](https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join) |\n| SCCM/MECM Site Assignment | Configuration Manager Client &gt; Assigned Site = **MSS**; Retry interval 60 min / 12 hrs | Ensures all managed servers report to the correct SCCM site for patching and compliance. | [Microsoft - SCCM Client Assignment](https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/assign-clients-to-a-site) |\n| Advanced Audit Policy (UTO.Audit.Policies) | Full subcategory audit \u2014 see Document 01 for the complete list | Comprehensive security event logging for SIEM. Already enforced. | [Microsoft - Advanced Audit Policy](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-auditing) |\n| TLS 1.0 Deprecation with Exceptions | Disable TLS 1.0 client/server via SCHANNEL registry; item-level targeting with WMI/registry exception (`EXCEPT.TLS.1.0.ENABLE`) | Disables legacy TLS while allowing tagged exceptions for legacy apps. | [Microsoft - TLS Deprecation](https://learn.microsoft.com/windows/win32/secauthn/tls-10-11-deprecation-in-windows) |\n\n---\n\n## Proposed New Policies\n\n### Server Hardening\n\n| Policy Name | Recommended Setting | Purpose | Documentation |\n|---|---|---|---|\n| Windows LAPS (Upgrade from Legacy) | Computer Config &gt; Administrative Templates &gt; LAPS &gt; `Configure password backup directory` = **Active Directory**; `Password Settings` = 24 characters, Complexity: Large+Small+Numbers+Specials, Age: 30 days; `Enable password encryption` = Enabled; `Name of administrator account to manage` = (your account name) | Upgrade from legacy LAPS MSI to built-in Windows LAPS. Adds password encryption in AD (no more cleartext `ms-Mcs-AdmPwd`), automatic account management, and supports DSRM passwords for DCs. | [Microsoft - Windows LAPS Policy Settings](https://learn.microsoft.com/en-ca/windows-server/identity/laps/laps-management-policy-settings) |\n| RDP Network Level Authentication (NLA) | Computer Config &gt; Administrative Templates &gt; Windows Components &gt; Remote Desktop Services &gt; Remote Desktop Session Host &gt; Security &gt; `Require user authentication for remote connections by using Network Level Authentication` = **Enabled** | Forces authentication before establishing RDP session. Reduces resource consumption from unauthenticated connection attempts and blocks pre-auth exploits (BlueKeep-class). | [Microsoft - NLA for RDP](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access) |\n| RDP Encryption Level | Computer Config &gt; Administrative Templates &gt; Windows Components &gt; Remote Desktop Services &gt; Remote Desktop Session Host &gt; Security &gt; `Set client connection encryption level` = **High Level**; `Require use of specific security layer for remote (RDP) connections` = **SSL** | Forces TLS for RDP connections instead of native RDP encryption. Ensures all RDP traffic is encrypted with TLS 1.2+. | [CIS Benchmark Windows Server 2022 - 18.10.57.3.9.5](https://ncp.nist.gov/checklist/1188) |\n| RDP Session Timeouts | Computer Config &gt; Administrative Templates &gt; Windows Components &gt; Remote Desktop Services &gt; Remote Desktop Session Host &gt; Session Time Limits &gt; `Set time limit for active but idle Remote Desktop Services sessions` = **Enabled, 30 minutes**; `Set time limit for disconnected sessions` = **Enabled, 4 hours**; `End session when time limits are reached` = **Enabled** | Frees up resources from abandoned RDP sessions. Limits credential exposure window from idle sessions. Idle = user connected but no keyboard/mouse input for 30 min (disconnects). Disconnected = session persists 4 hours then logs off. | [CIS Benchmark Windows Server 2022 - 18.10.57.3.10](https://ncp.nist.gov/checklist/1188); [Microsoft - Troubleshoot RDS Session Timeouts](https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/troubleshoot-unexpected-rds-session-locks-or-disconnections) |\n| Disable Remote Desktop Connection from Remediation.Base | Remove the WinRM = Disabled setting from Remediation.Base; Create a dedicated policy: `Windows Remote Management (WS-Management)` = **Automatic (Delayed Start)**; Allow remote management from `*` (all IPs) or restrict to management subnet | WinRM is essential for modern server management (Ansible, DSC, PowerShell Remoting, SCCM). Having it disabled by Remediation.Base then re-enabled by another GPO creates confusion. Make the intent explicit: WinRM should be ON for managed servers. | [Microsoft - WinRM Group Policy](https://learn.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management) |\n| Windows Firewall \u2014 Default Deny Inbound | Computer Config &gt; Security Settings &gt; Windows Firewall &gt; Domain Profile &gt; `Inbound connections` = **Block**; Outbound = Allow | Explicitly block inbound by default and define allow rules. Your current Remediation.Base has firewall \"On\" but inbound set to \"Not Configured\" which inherits the Windows default (block). Make it explicit. | [Microsoft - Windows Firewall Best Practices](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring/) |\n| Enable Firewall Logging | Windows Firewall &gt; Domain Profile &gt; Logging &gt; `Log dropped packets` = **Yes**; `Log successful connections` = **Yes**; `Log file maximum size` = **16384** KB | Provides network visibility for incident response. Currently set to \"No\" for both dropped and successful \u2014 you're blind to firewall activity. | [Microsoft - Firewall Logging](https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure) |\n| Restrict Anonymous Access to Named Pipes/Shares | Computer Config &gt; Security Settings &gt; Local Policies &gt; Security Options &gt; `Network access: Restrict anonymous access to Named Pipes and Shares` = **Enabled** | Prevents null-session enumeration of shares and named pipes. Reduces reconnaissance capability. | [CIS Benchmark Windows Server 2022 - 2.3.10.10](https://ncp.nist.gov/checklist/1188) |\n| Disable Autoplay/Autorun | Computer Config &gt; Administrative Templates &gt; Windows Components &gt; AutoPlay Policies &gt; `Turn off Autoplay` = **Enabled (All drives)**; `Set the default behavior for AutoRun` = **Do not execute any autorun commands** | Prevents malware execution via USB/removable media. Servers should never autorun anything. | [CIS Benchmark Windows Server 2022 - 18.10.7](https://ncp.nist.gov/checklist/1188) |\n| Disable PowerShell 2.0 Engine | Ensure `MicrosoftWindowsPowerShellV2` feature is removed (already done in packer for Server 2022). For ongoing enforcement via GP: Computer Config &gt; Admin Templates &gt; Windows PowerShell &gt; `Turn on PowerShell Script Block Logging` = Enabled (with transcription catching PS2 bypass attempts) | PowerShell 2.0 bypasses all modern PS logging/AMSI controls. Should be removed at build time AND verified by GP. Your packer script already removes this for Server 2022 builds. | [Microsoft - PowerShell Security](https://learn.microsoft.com/en-us/powershell/scripting/security/security-features) |\n\n### Management &amp; Operations\n\n| Policy Name | Recommended Setting | Purpose | Documentation |\n|---|---|---|---|\n| Windows Event Forwarding (WEF) | Computer Config &gt; Administrative Templates &gt; Windows Components &gt; Event Forwarding &gt; `Configure target Subscription Manager` = **Server=https://\\:5986/wsman/SubscriptionManager/WEC,Refresh=60** | Centralized event collection for SIEM/security monitoring. Replace the old Avecto server reference with your current WEC infrastructure. | [Microsoft - Windows Event Forwarding](https://docs.microsoft.com/en-gb/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection) |\n| Event Log Sizes | Computer Config &gt; Administrative Templates &gt; Windows Components &gt; Event Log Service &gt; Security &gt; `Specify the maximum log file size (KB)` = **4194304** (4 GB); Application and System = **1048576** (1 GB) | Ensures sufficient log retention for forensic investigation. 4GB Security log with Advanced Audit at your volume should give 30+ days local retention. | [Microsoft - Best Practices for EventLog Forwarding](https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/configure-eventlog-forwarding-performance) |\n| Windows Update \u2014 WSUS Configuration | Computer Config &gt; Administrative Templates &gt; Windows Components &gt; Windows Update &gt; `Configure Automatic Updates` = **4 (Auto download and schedule the install)**; Schedule = Sunday 03:00; `Specify intranet Microsoft update service location` = your WSUS/MECM URL; `No auto-restart with logged on users` = Enabled | Defines patching schedule for managed servers. Servers should download automatically but install during a defined window with controlled reboots. | [Microsoft - Configure Group Policy for WSUS](https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates) |\n| DNS Client Suffix Search List | Computer Config &gt; Administrative Templates &gt; Network &gt; DNS Client &gt; `DNS Suffix Search List` = **asu.edu, asurite.ad.asu.edu, ad.asu.edu** | Standardizes DNS resolution across all managed servers. Currently done in userdata script but GP ensures ongoing enforcement (name resolution won't break if a NIC is replaced/reset). | [Microsoft - DNS Client Settings](https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-sb-with-gp) |\n| NTP \u2014 Domain Hierarchy Sync | Computer Config &gt; Administrative Templates &gt; System &gt; Windows Time Service &gt; Time Providers &gt; `Enable Windows NTP Client` = **Enabled**; `Configure Windows NTP Client` Type = **NT5DS** | Ensures all servers sync time from the domain hierarchy (PDC emulator). Accurate time is critical for Kerberos authentication and log correlation. Currently done in userdata but GP ensures it stays configured. | [Microsoft - Windows Time Service](https://learn.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings) |\n\n### Attack Surface Reduction\n\n| Policy Name | Recommended Setting | Purpose | Documentation |\n|---|---|---|---|\n| Disable Unnecessary Services | System Services via Security Policy: `Bluetooth Support Service` = Disabled; `Xbox Live Auth Manager` / `XblGameSave` = Disabled; `Windows Insider Service` = Disabled; `Geolocation Service` = Disabled; `Downloaded Maps Manager` = Disabled; `Connected User Experiences and Telemetry` = Disabled; `icssvc (Internet Connection Sharing)` = Disabled | Reduces attack surface by eliminating unnecessary service code execution. Your Remediation.Base already does this \u2014 keep it. | [CIS Benchmark Windows Server 2022 - 5.x](https://ncp.nist.gov/checklist/1188) |\n| Block Untrusted Fonts | Computer Config &gt; Administrative Templates &gt; System &gt; Mitigation Options &gt; `Untrusted Font Blocking` = **Block untrusted fonts and log events** | Prevents kernel exploits via malicious fonts loaded from untrusted locations (network shares, web). | [Microsoft - Block Untrusted Fonts](https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/block-untrusted-fonts-in-enterprise) |\n| Disable Windows Script Host | Registry preference: `HKLM\\Software\\Microsoft\\Windows Script Host\\Settings\\Enabled` = 0 (DWORD) | Prevents VBScript/JScript execution on servers. Eliminates a common malware execution vector (macro \u2192 WScript.exe). Evaluate impact on any legitimate VBS scripts first (e.g., your old Add2TSM.mgmt.vbs). | [Microsoft - Windows Script Host](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc738350(v=ws.10)) |\n| Restrict Delegation of Credentials | Computer Config &gt; Administrative Templates &gt; System &gt; Credentials Delegation &gt; `Restrict delegation of credentials to remote servers` = **Enabled, Require Remote Credential Guard** | Prevents credential forwarding during RDP sessions (eliminates RDP-based credential theft). Remote Credential Guard sends only derived credentials, never full credentials to the remote host. | [Microsoft - Remote Credential Guard](https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard) |\n\n---\n\n## Packer Image vs Group Policy \u2014 Where Things Should Live\n\nYour `ASUWinServerBaseline.ps1` (v5.8.1) currently handles some settings that **should be managed by Group Policy instead**, because GP provides ongoing enforcement and central auditability.\n\n### Move FROM Packer TO Group Policy\n\n| Setting | Current Owner | Why Move to GP |\n|---|---|---|\n| **Logon Banner** (legalnoticetext / legalnoticecaption) | Packer script `Set-LogonBanner` AND Remediation.Base GP | **Duplicate.** GP already sets this. Remove from packer \u2014 if the text ever changes, you update one GP instead of rebuilding all AMIs. GP re-applies every 90 minutes; packer only runs at image build. |\n| **File/Print Sharing &amp; WMI Firewall Rules** | Packer script `Set-FirewallRules` | GP should own firewall rules. Remediation.Base already manages the firewall. If the packer rule opens a port, but GP closes it on next refresh, the behavior is confusing. Let GP be the single source of truth for firewall state. |\n| **Network Profile (Private)** | Packer script `Disable-NetworkLoc` | This is fine in packer since it's a one-time network stack setup for build time. The GP domain profile takes over once the machine domain-joins. **Keep in packer** \u2014 no conflict. |\n\n### Keep IN Packer (Appropriate for Image Build)\n\n| Setting | Reason to Keep in Packer |\n|---|---|\n| Install software (winget, .NET, VC++ Redist, Windows Terminal) | Software installation is a build-time operation. GP doesn't install MSIs well. |\n| Disable Windows Features (PowerShell 2.0, Xbox, Media Player, etc.) | Feature removal must happen once; GP can't easily re-remove features. |\n| WinRM + SSH Setup | Needed for packer provisioning itself. Chicken-and-egg: without WinRM the build can't proceed. |\n| Strong TLS for .NET (`SchUseStrongCrypto`) | Fine in packer. Could also be in GP for ongoing enforcement, but no harm in both. |\n\n### Keep IN Userdata (Instance-Specific One-Time Setup)\n\n| Setting | Reason to Keep in Userdata |\n|---|---|\n| Domain join + OU placement | Instance-specific (hostname, OU path are per-server). |\n| DNS suffix search list | Instance-specific initially, but **add GP enforcement too** as a safety net. |\n| Timezone | Region-specific, one-time. |\n| NTP domain hierarchy | One-time config, but **add GP enforcement too** since this can drift. |\n\n---\n\n## Implementation Priority\n\n| Priority | Policy | Effort | Risk Level |\n|----------|--------|--------|-----------|\n| 1 | Remove logon banner from packer (GP already does it) | 5 min | None |\n| 2 | Remove firewall rules from packer (GP already does it) | 5 min | Low \u2014 verify GP fires before any other access needed |\n| 3 | Enable RDP NLA requirement | Low | Low \u2014 already likely default on 2022/2025 |\n| 4 | Set RDP session timeouts (30 min idle / 4hr disconnected) | Low | Low \u2014 user convenience only |\n| 5 | Enable firewall logging (dropped + successful) | Low | None \u2014 visibility only |\n| 6 | Fix WinRM \u2014 single clear policy instead of conflicting GPOs | Medium | Medium \u2014 test thoroughly |\n| 7 | RDP encryption level = High + SSL | Low | Low |\n| 8 | Disable Autoplay | Low | None |\n| 9 | Windows LAPS upgrade (from legacy LAPS) | Medium | Medium \u2014 requires DFL 2016+, schema update, coexistence period |\n| 10 | DNS suffix + NTP via GP (safety net for userdata) | Low | None |\n| 11 | Windows Event Forwarding to new WEC | Medium | Low \u2014 if Avecto is gone, this fills the gap |\n| 12 | Block Untrusted Fonts | Low | Low \u2014 test first |\n| 13 | Restrict Credential Delegation | Medium | Medium \u2014 test with admin workflows |\n| 14 | WSUS/Windows Update schedule policy | Low | Low \u2014 probably already managed by SCCM |\n| 15 | Disable Windows Script Host | Medium | Medium \u2014 audit for any legitimate .vbs/.js scripts first |\n| 16 | Increase event log sizes (4GB security) | Low | None \u2014 disk space only |\n\n---\n\n## Relationship to Remediation.Base\n\nThe `Remediation.Base` GPO currently handles many of these settings. Recommendations:\n\n1. **Keep Remediation.Base** as the primary hardening GPO for now\n2. **Remove the audit category settings** from it (superseded by UTO.Audit.Policies)\n3. **Remove SMB signing** from it (now domain-wide via Tier ALL)\n4. **Remove WinRM = Disabled** from it (conflicts with EnableWinRM; create a clear single WinRM policy)\n5. **Add** the new settings from this proposal to either Remediation.Base or new focused GPOs\n6. **Long-term:** Split Remediation.Base into logical sub-policies for easier management (firewall, services, security options, groups)\n", "creation_timestamp": "2026-07-08T16:14:47.403462Z"}