I'm hardening a Windows Server 2012 R2 machine for serving secure web pages and following a guide that lays out multiple Local Group Policy Settings and Registry Settings.
When researching how to automate this process I only find ways to export and import Group Policy using PowerShell as follows:
https://technet.microsoft.com/en-us/library/ee461027.aspx
This server machine is not joined to a domain and doesn't have Group Policy Management Console installed. Unfortunately, I have not found a resource to use an automatic method (script, code) to change Local Group Policy settings such as:
Local Group Policy Editor -> Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Global Object Access Auditing -> Defined this Policy -> Configure
Local Group Policy Editor -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network access: Do not allow anonymous enumeration of SAM accounts and shares
My end goal is to create a process or script that can set around 100 different Registry Settings and Local Group Policy Settings on a server machine in order to lock it down, avoiding manually configuring each one.
Best Answer
I have been able to research and find what I need on this goal! The resource I found the best direction from was as follows:
http://www.itninja.com/blog/view/using-secedit-to-apply-security-templates
The local group policy settings and security settings can be transferred in a couple of steps:
1. Security Settings:
Right-click Security Settings in Local Group Policy Editor (Edit Group Policy) and select Export Policy... Save the .inf file and transfer it to the machine you wish to use the same settings. On the new machine, open a command prompt and use the secedit command
Review any errors that come back; I was dealing with user accounts trying to be set for permissions that did not exist on the new machine.
2. The rest of Local Group Policy
Locate the %systemroot%\system32\grouppolicy\ hidden folder and copy the subfolders to the target machine in the same location.
Open a command prompt and use
3. The remains
For the miscellaneous I was able to use PowerShell commands to add or edit registry keys:
Add:
Edit:
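
The three steps described in the answer above, combined into one script. This is an added example, not code from the original answer. The C:\Hardening paths and file names, the Set-RegistryValue helper and the choice of gpupdate /force to refresh policy are assumptions of this example; RestrictAnonymous under the Lsa key is the registry value behind the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" option named in the question.

```powershell
# Added example: run from an elevated PowerShell prompt on the target server.
# All paths below are assumed locations for files copied from the reference machine.
$TemplateInf = 'C:\Hardening\security-settings.inf'  # .inf exported via "Export Policy..."
$SeceditDb   = 'C:\Hardening\hardening.sdb'          # working database secedit creates
$SeceditLog  = 'C:\Hardening\secedit.log'
$GpSource    = 'C:\Hardening\GroupPolicy'            # copy of the source GroupPolicy folder
$GpTarget    = Join-Path $env:SystemRoot 'System32\GroupPolicy'

function Set-RegistryValue {
    # Hypothetical helper: creates the key if missing, then adds or edits the value.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [string]$Type = 'DWord'
    )
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type | Out-Null  # add
    } else {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value                                  # edit
    }
    # Read the value back so a silent failure is caught here, not during an audit.
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($actual -ne $Value) { throw "$Path\$Name is '$actual', expected '$Value'" }
}

# 1. Security Settings: apply the exported template and surface problems from the log,
#    for example accounts in the template that do not exist on this machine.
secedit /configure /db $SeceditDb /cfg $TemplateInf /log $SeceditLog /quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "secedit exited with code $LASTEXITCODE; review $SeceditLog"
    Select-String -Path $SeceditLog -Pattern 'error|warning' | ForEach-Object { $_.Line }
}

# 2. The rest of Local Group Policy: copy the subfolders, then refresh policy.
New-Item -Path $GpTarget -ItemType Directory -Force | Out-Null
Copy-Item -Path (Join-Path $GpSource '*') -Destination $GpTarget -Recurse -Force
gpupdate /force

# 3. Remaining registry settings, one call per value.
Set-RegistryValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                  -Name 'RestrictAnonymous' -Value 1
```

Keeping the roughly 100 registry settings as a list of path, name and value entries passed through the helper makes the baseline reviewable and lets the same script be re-run to detect drift.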