Difference between gpedit.msc and secpol.msc
Just wondering if there are any differences between using gpedit.msc or secpol.msc when configuring local GPOs. The reason I ask is that there are several registry keys that determine if a given setting is set, or in effect (which can make it a headache when performing a system audit)...
As a quick example, the following registry keys all govern the Domain Profile active state:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
When I audit various machines, I can see a varying combination of those keys set to 1 or 0... which makes it a giant pain in the arse when attempting to automate the audit process (because now I have to check 3 (or more!) registry keys...
Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
Comments
coty24 (Member, Posts: 263):
I don't know if this helps but I found this link:
server 2008 - local security policy vs. domain security policy
Passed LOT2 Working on FMV2 (CHFI v8) Done!
Claymoore (Member, Posts: 1,637):
Here is a link to my response to your earlier post regarding Group Policy vs SecPol:
http://www.techexams.net/forums/off-topic/84475-microsoft-security-compliance-manager-vs-local-security-policy-secpol-msc.html
In that post I mention that you will have to run an audit against every workstation to verify compliance if you choose to go the Local Group Policy / SecPol path instead of domain based Group Policy and Group Policy preferences. As you now know, that isn't much fun.
If you are using SecPol and Group Policies the audit gets complicated. SecPol edits the registry directly while Group Policy configures the settings in a Policy subkey that overrides the regular registry setting. You will need to audit the HKLM\Software\Policies subkeys as well, and compare where those settings override the settings in HKLM. When you see the conflicts in the registry settings you are auditing above, the settings in HKLM\Software\Policies will be the ones that are applied.
Do you have access to System Center Configuration Manager? The Desired Configuration Management feature would automate the collection for you.
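An added example, not posted by anyone in this thread: a PowerShell check that reads the three Domain Profile keys the original post lists and reports the effective state using the precedence Claymoore describes (the Group Policy value under HKLM\SOFTWARE\Policies wins over the live ...\Parameters setting, which in turn wins over ...\Defaults). It assumes the DWORD under each key is named EnableFirewall, which is the standard Windows Firewall value name; the thread itself names only the keys. It also flags the "varying combination" case where the raw keys disagree, so an audit can record both the effective value and the fact that the keys conflict.

```powershell
# Added example (not from the thread): report the effective Domain Profile firewall
# state from the three registry locations in the original post, applying the
# precedence described in Claymoore's reply: Policies > Parameters > Defaults.
# Assumption: the DWORD value name under each key is EnableFirewall (the standard
# Windows Firewall value; the thread names only the keys, not the value).

$valueName = 'EnableFirewall'

# Ordered from highest to lowest precedence.
$sources = [ordered]@{
    'Policy'     = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    'Parameters' = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
    'Defaults'   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile'
}

function Get-DomainProfileFirewallState {
    $observed = [ordered]@{}
    foreach ($name in $sources.Keys) {
        $path = $sources[$name]
        # Get-ItemProperty errors if the key or value is absent; record absence as $null
        # rather than 0, because a missing Policies value means Group Policy is silent,
        # not that the firewall is disabled by policy.
        try {
            $observed[$name] = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction Stop).$valueName
        } catch {
            $observed[$name] = $null
        }
    }

    # The first populated source in precedence order is the one in effect.
    $effective = $null
    $winner = 'none'
    foreach ($name in $observed.Keys) {
        if ($null -ne $observed[$name]) {
            $effective = $observed[$name]
            $winner = $name
            break
        }
    }

    # Flag the case the original poster ran into: the raw keys hold different values.
    $distinct = @($observed.Values | Where-Object { $null -ne $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Policy         = $observed['Policy']
        Parameters     = $observed['Parameters']
        Defaults       = $observed['Defaults']
        EffectiveValue = $effective
        EffectiveFrom  = $winner
        Conflict       = ($distinct.Count -gt 1)
    }
}

Get-DomainProfileFirewallState | Format-List
```

Reading HKLM does not need elevation, so this runs as a normal domain user; to collect the same record from many workstations, wrap the function in Invoke-Command against a computer list and export the resulting objects to CSV. The Conflict flag is the part worth keeping in the audit output: an effective value of 1 with Conflict set to true tells you the machine is compliant only because Group Policy is overriding a local SecPol setting that says otherwise.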