Policy Analyzer - Analyzing and Comparing Group Policy Objects

Policy Analyzer

Analyzing and Comparing Group Policy Objects

Andrea Hauser
by Andrea Hauser
time to read: 8 minutes

Keypoints

How to analyze group policies in Windows

  • Policy Analyzer is a tool in the Microsoft Security Compliance Toolkit
  • It allows users to analyze and compare Group Policy Objects
  • Comparisons can be executed across several GPOs or for an individual system
  • A Policy Rules file was created for the Windows 10 hardening checklist

I recently had to read and evaluate about 300 group policy and registry settings in a project. As I didn’t want to have to check every single setting, I looked for a tool that could help me with that and came across Policy Analyzer by Microsoft.

Policy Analyzer is one of the tools that Microsoft offers in its Security Compliance Toolkit. In this article, I would like to talk about where Policy Analyzer can be used and how you can create your own Policy Rules file. You can use Policy Rules files to create your own security baselines and easily check whether a system complies with the specified security baselines.

Introducing the Policy Analyzer tool

Policy Analyzer is a tool that allows users to analyze and compare GPOs, which can be imported from different sources. It enables you to compare the GPOs applicable in the company with Microsoft’s security baselines, or to compare older backups of a GPO with the current one to show the differences. You can also compare different GPOs defined in the company with one another to detect discrepancies and duplicates.

On the other hand, a defined GPO baseline can be reconciled with local policies and registries effectively implemented in a system. The “Comparing a baseline with a client’s local settings” use case is analyzed next. As an example, a client is to be compared with the Windows 10 1909 baseline.

Once Policy Analyzer has been downloaded, it can be executed without requiring installation. To compare a GPO baseline with a local system, the GPOs have to be imported first of all. This is done by clicking Add. You can then choose the Add files from GPO(s) option.

Policy Analyzer Importer, Add files from GPO

The security baseline used in this example is a Windows 10 version 1909 and Windows Server version 1909 security baseline. It can be downloaded from the same address as Policy Analyzer. Since this baseline contains both server and client settings, the server-specific settings must be removed in the Importer by selecting all undesired settings and then tapping the Delete button.

Policy Analyzer Importer; prior to removal of unnecessary Group Policy Objects

Once the unnecessary GPOs have been removed, the rest can be imported with Import…. This step creates a Policy Rules file that all the relevant GPO settings are stored in.

Subsequently, or for later use, the GPOs no longer have to be added manually, as the newly created Policy Rules file can be used instead. You should therefore choose a meaningful name for the Policy Rules file because it is also displayed on Policy Analyzer’s main screen.

The setup of the Policy Rules file and how to create your own rules are discussed in detail later. To effectively compare the prepared GPOs with a client’s local settings, the baseline defined in this way and the Compare local registry and Local policy checkboxes above it can be selected. Click View / Compare to show the results in Policy Viewer. A new Policy Rules file that contains all settings for the local policy is created at the same time. However, the Policy Rules file generated during this process must be handled with care, because settings that can only be found in the registry are not stored in this file. It is not clear why this is the case, as it would be easy to do so.

Windows security baseline GPOs compared with the local system

In Policy Viewer, one policy is displayed per row, whereby the value of the local policy is displayed followed by the value from the local registry and finally the value from the defined baseline, which is called windows_10_hardening in the example. If the values are identical, they are displayed in white. As soon as there are any differences, they are highlighted in yellow. Values that are not available are indicated by the color gray. This makes it easy to analyze the differences from a specified security baseline. If a specific setting is chosen, a more detailed explanation of the potential settings in question is displayed in the bottom part of the window (if available).

Result of comparing the local system with the security baseline

To make searching through and filtering everything easier and to save the entire hit list, the settings read can be exported in Excel format.

Result of comparing the local system with the security baseline

Policy Rules

As already mentioned, Policy Analyzer works with Policy Rules files, which contain XML structured as follows.

<PolicyRules>

   <ComputerConfig>
      <Key></Key>
      <Value></Value>
      <RegType></RegType>
      <RegData></RegData>
      <SourceFile></SourceFile>
      <PolicyName></PolicyName>
   </ComputerConfig>

   <UserConfig>
      <Key></Key>
      <Value></Value>
      <RegType></RegType>
      <RegData></RegData>
      <SourceFile></SourceFile>
      <PolicyName></PolicyName>
   </UserConfig>

   <SecurityTemplate Section="">
      <LineItem></LineItem>
      <SourceFile></SourceFile>
      <PolicyName></PolicyName>
   </SecurityTemplate>

   <AuditSubcategory>
      <GUID></GUID>
      <Name></Name>
      <Setting></Setting>
      <SourceFile></SourceFile>
      <PolicyName></PolicyName>
   </AuditSubcategory>

</PolicyRules>

Here, settings that use a registry key are mapped under ComputerConfig and UserConfig. SecurityTemplate and AuditSubcategory can be used to map settings that are not stored in the registry. Once you know these XML elements, you can already create your own policy rules.

I did just that and created a Policy Rules file for the Windows 10 hardening checklist. So all it takes is one click to compare all the settings on the Windows 10 hardening checklist that are covered by the group policy or the registry settings.

Conclusion

Policy Analyzer is a good tool for comparing existing GPOs and comparing local settings with a defined baseline. Manually creating Policy Rules files is very time-consuming. An existing GPO should be used as a basis and extended to keep the effort to a minimum.

About the Author

Andrea Hauser

Andrea Hauser graduated with a Bachelor of Science FHO in information technology at the University of Applied Sciences Rapperswil. She is focusing her offensive work on web application security testing and the realization of social engineering campaigns. Her research focus is creating and analyzing deepfakes. (ORCID 0000-0002-5161-8658)

Links

You are looking for a speaker?

Our experts will get in contact with you!

×
Prompt Injection

Prompt Injection

Andrea Hauser

Ways of attacking Generative AI

Ways of attacking Generative AI

Andrea Hauser

XML Injection

XML Injection

Andrea Hauser

Burp Macros

Burp Macros

Andrea Hauser

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here