GPO's for System Hardening
- 
 A hardened system doesn't use ADDS and Windows. 
- 
 @obsolesce said in GPO's for System Hardening: A hardened system doesn't use ADDS and Windows. The subject says "GPO's ... "? GPO = Group Policy Object. GPOs are linked to OUs. OU = Organizational Unit. Jeremy Moskowitz is one of the preeminent Group Policy folks in the world. One of the best to learn from. His books are really, really good. ADDS and Group Policy are still very much relevant today. EDIT: PAW is not a part of the production domain. It's either workgroup or in a separate AD Forest (Host/Tenant type of AD structure). 
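 As a worked illustration of the "GPO is linked to an OU" point above, here is an added PowerShell example (not code from any poster in this thread) that builds a small workstation-hardening GPO, links it to an OU, and verifies the link. It assumes the GroupPolicy RSAT module is installed, that it is run with rights to create and link GPOs, and that the GPO name, domain and OU names are hypothetical placeholders you would replace with your own.

```powershell
# Added example, not from the thread. Assumes GroupPolicy RSAT module and rights to
# create/link GPOs; the GPO name and OU path below are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName  = 'SEC-Workstation-Hardening'                  # hypothetical GPO name
$TargetOu = 'OU=Workstations,DC=corp,DC=example'         # hypothetical OU path

# 1. Create the GPO only if it does not already exist, so the script is safe to re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Credential-theft mitigations for workstations'
}

# 2. Write registry-backed hardening settings into the GPO (Computer Configuration).
#    These land in Registry.pol and are applied by the client-side registry extension.
$settings = @(
    # Stop WDigest from caching plaintext credentials in LSASS memory
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'; Type = 'DWord'; Value = 0 },
    # Run LSASS as a protected process (RunAsPPL) so unsigned code cannot open it
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RunAsPPL';           Type = 'DWord'; Value = 1 },
    # Disable LLMNR, a common name-spoofing and credential-relay vector on the LAN
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';          Name = 'EnableMulticast';    Type = 'DWord'; Value = 0 }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type $s.Type -Value $s.Value | Out-Null
}

# 3. Link the GPO to the OU once, with the link enabled. Linking is what scopes the
#    GPO: until this step the settings exist but apply to no computer.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 4. Verify: every GPO now linked to the OU (with precedence order), and the
#    registry values we just wrote back out of the GPO.
(Get-GPInheritance -Target $TargetOu).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'

# On a workstation in that OU, after "gpupdate /force", the following should list
# SEC-Workstation-Hardening under "Applied Group Policy Objects":
#   gpresult /r /scope:computer
```

 Two caveats a practitioner would want: Set-GPRegistryValue only covers registry-based policy, so Security Options that live in the security template (account policies, user rights, NoLMHash-style settings) still need the GPMC security editor or an imported template; and RunAsPPL can break older LSA plugins and smart-card middleware, so link the GPO to a pilot OU first and check the Event Log for LSA plugin load failures before rolling it to every workstation.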
- 
 "Don't have any printers on this network BTW." What weird place do you work? I want to work there! 
- 
 @dashrender said in GPO's for System Hardening: "Don't have any printers on this network BTW." What weird place do you work? I want to work there! This. 100% this :P. 
- 
 @phlipelder said in GPO's for System Hardening: EDIT: PAW is not a part of the production domain. It's either workgroup or in a separate AD Forest (Host/Tenant type of AD structure). What do you mean? 
- 
 @dashrender said in GPO's for System Hardening: @phlipelder said in GPO's for System Hardening: EDIT: PAW is not a part of the production domain. It's either workgroup or in a separate AD Forest (Host/Tenant type of AD structure). What do you mean? We treat all production environments as hostile now. So, when we deploy a new cluster it goes into its own AD Forest with its own DCs running at the local level on a couple of cluster nodes (Hyper-V). A dedicated PAW or Jump Server could be set up in that AD Forest. Otherwise, it should be in a workgroup and have 2FA/MFA set up. 
- 
 @dashrender It is a manufacturing network for equipment comms, etc. Printers are on the corporate network but both networks are isolated from each other. Very common. 
- 
 @jaredbusch That is the correct way and the way it's done in most manufacturing plants in the U.S. and internationally. That has been best practice for the last 25-30 years. I am in 8-10 different manufacturing plants per week as a consultant and that's how it's done. 
- 
 @eleceng said in GPO's for System Hardening: @jaredbusch That is the correct way and the way it's done in most manufacturing plants in the U.S. and internationally. That has been best practice for the last 25-30 years. I am in 8-10 different manufacturing plants per week as a consultant and that's how it's done. That's awesome that the plants you work for do it that way - but I agree with JB - it's likely not that common in reality. Hell - the sheer number of SCADA systems on the internet is mind boggling. 