group policy – How to Import Windows Server 2019 Security Policies on Windows 2012 AD Server

I have two Windows 2012 domain controllers. Our environment also has a few Windows 2016 and 2019 servers. Scans are performed weekly to check for security compliance and to ensure certain security policies have been applied.

Certain policies on the 2019 servers are missing. When I try to add these specific security policies (ex: user & group audit policies) to a GPO on our 2012 AD servers the specific settings I’m looking for are missing/unavailable, therefore I can’t create a GPO for our 2019 servers to meet this security requirement. Is there a way to import these security policies or the settings so I can set them on our 2019 servers using a GPO?

My confusion is being able to set/create GPO’s for Windows 2019 servers when my AD server is 2012 and is missing certain settings. I’d appreciate any help/support, thanks.

Content Security Policy in Drupal 8, implementation question

I’m currently working on improving the security of a Drupal 8 site by implementing a Content Security Policy. As this is still new to me, I would like to get some input on my strategy.

  • Drupal 8, with a custom patch that makes ckeditor.js pass on nonces when loading its plugins, CKEditor only being used by logged-in users
  • Security Kit, patched to provide an alter hook for the CSP directives (https://www.drupal.org/project/seckit/issues/2844205#comment-14217383).
  • Custom code to make modifications to the rendered HTML and to the CSP configuration from the Security Kit module

I would like to not use 'unsafe-inline' for scripts if possible, but I finally figured that this would only work for certain browsers.
I would also like to have an adequate CSP for different situations (different browsers, logged-in vs not logged-in).

This leads me to this idea for script-src:

  • using nonce and 'strict-dynamic' for browsers that support CSP v3 and non-cacheable pages
  • using hashes for browsers that support CSP v3 and cacheable pages
  • using 'unsafe-inline' together with a domain-based list for all other browsers

The main reason for having a browser distinction is that I couldn’t find a way of creating the CSP directives backward-compatible without an unreasonable amount of changes to core and contrib modules.

I have added logic that uses a nonce and 'strict-dynamic' for Chrome-based browsers for logged-in users, for which pages are not cached, assuring that the nonces are new and unique for every request. That logic is based on the User Agent string (which I know is unsafe, but I don’t see a better solution).

So basically, for Chrome-based browsers, logged-in users will get a CSP header with those script-related CSP policies ('unsafe-inline' in the script-src will be ignored by browsers that support 'strict-dynamic'):

script-src 'self' 'unsafe-inline' *.googletagmanager.com *.google-analytics.com 'nonce-SECURENONCE' 'strict-dynamic';
script-src-attr 'unsafe-inline';

Anonymous users will get a CSP that looks roughly like this:

script-src 'self' 'unsafe-inline' *.googletagmanager.com *.google-analytics.com 'sha256-HASH_1' 'sha256-HASH_2' 'sha256-HASH_3' 'sha256-HASH_4' 'sha256-HASH_5' ...;
script-src-attr 'unsafe-inline';

Non-Chrome-based browsers get a CSP header that looks like this:

script-src 'self' 'unsafe-inline' *.google-analytics.com *.googletagmanager.com;

I have also added logic that, based on the above selection criteria, adds either nonce attributes to every script tag (non-cached pages) or hash codes for every script tag (cached pages). This also allows me to have CKEditor working fine in the backend.

It seems to be working well on the different browsers I have tested with: Brave, Chrome, Edge, Firefox and Safari. Only the first three have a CSP that I would consider safe (also checked with https://csp-evaluator.withgoogle.com/).

Does that make sense as a general approach? Or is it flawed in a way that means I should start over from the beginning?

Main questions:

  1. Is it a valid approach to have a different CSP for logged-in vs anonymous users?
  2. Is it a valid approach to have different CSPs for different browsers (or different “reported browsers” actually)?
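
Added example, not code from the original post, from Drupal or from Security Kit: a small Python model of the script-src selection described above (nonce + 'strict-dynamic' for uncached pages, hashes for cached pages, host list + 'unsafe-inline' for everything else) together with the CSP2+ rule that decides whether one inline script actually runs. The inline script bodies, the User-Agent strings and the `supports_strict_dynamic` heuristic are constructed assumptions standing in for the post's own UA logic; the host list is the one from the headers quoted above.

```python
import base64
import hashlib
import secrets
from typing import List, Optional

# Constructed sample input: inline <script> bodies as the page would render them.
# Hashes are computed over the exact text between the tags, whitespace included.
INLINE_SCRIPTS: List[str] = [
    "window.dataLayer = window.dataLayer || [];",
    "(function (d) { d.documentElement.className += ' js'; })(document);",
]

# Host allowlist taken from the post's headers.
ALLOWED_HOSTS = ["*.googletagmanager.com", "*.google-analytics.com"]


def csp_hash(script_body: str) -> str:
    """Hash-source for one inline script: 'sha256-' + base64 of the raw SHA-256 digest."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def new_nonce() -> str:
    """Fresh per-response nonce: 128 bits from the OS CSPRNG, base64 so it is header-safe."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def supports_strict_dynamic(user_agent: str) -> bool:
    """The post's User-Agent heuristic (an assumption, not a complete list):
    treat Chromium-family browsers as CSP3-capable, everything else as legacy."""
    return any(marker in user_agent for marker in ("Chrome/", "Chromium/", "Edg/"))


def build_script_src(user_agent: str, page_cached: bool, nonce: Optional[str] = None) -> str:
    """script-src value for one response, following the post's three cases."""
    sources = ["'self'", "'unsafe-inline'", *ALLOWED_HOSTS]
    if not supports_strict_dynamic(user_agent):
        # Legacy fallback: host list plus 'unsafe-inline' (honored, because no nonce/hash is present).
        return " ".join(sources)
    if page_cached:
        # Cached page: a per-request nonce is impossible, so every inline script is hashed.
        sources += ["'" + csp_hash(body) + "'" for body in INLINE_SCRIPTS]
    else:
        # Uncached page: nonce + 'strict-dynamic'; CSP3 browsers then ignore the host list,
        # 'self' and 'unsafe-inline', and only nonced scripts (and what they load) run.
        sources += ["'nonce-" + (nonce or new_nonce()) + "'", "'strict-dynamic'"]
    return " ".join(sources)


def inline_script_allowed(directive: str, body: str, script_nonce: Optional[str] = None) -> bool:
    """Model of the CSP2+ rule a browser applies to one inline <script>: once any nonce- or
    hash-source is present, 'unsafe-inline' is ignored and the script runs only if its
    nonce attribute or the hash of its body matches a listed source."""
    tokens = directive.split()
    has_nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in tokens
    )
    if not has_nonce_or_hash:
        return "'unsafe-inline'" in tokens
    if script_nonce is not None and "'nonce-" + script_nonce + "'" in tokens:
        return True
    return "'" + csp_hash(body) + "'" in tokens


if __name__ == "__main__":
    # Constructed User-Agent strings for the three cases.
    chrome = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/110.0.0.0 Safari/537.36"
    firefox = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:110.0) Gecko/20100101 Firefox/110.0"
    for label, ua, cached in (("chrome/uncached", chrome, False),
                              ("chrome/cached", chrome, True),
                              ("firefox", firefox, True)):
        print(f"{label:<16} script-src {build_script_src(ua, cached)};")
```

The point the model makes explicit: on the cached-page branch any inline script whose body was not hashed at render time is blocked, because the presence of a hash-source switches 'unsafe-inline' off in every CSP2+ browser, not only in those that understand 'strict-dynamic'. The hash is over the exact script text, so a template change or a whitespace difference between the hashed and the served markup breaks it; inline event-handler attributes are not covered by these hashes and fall under script-src-attr where supported.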

group policy – Configuring User Rights Assignment policies via GPO

I’m configuring a GPO to add a local group to a user right policy, however, when configuring through GPO, all existing members of the right are removed on GPO application. You can obviously add all the users to the GPO to make sure these are retained but when the user is only local to the remote server e.g. NT SERVICE\SQLSERVERAGENT, this can’t be added to the GPO from the DC which simply doesn’t recognise it.

Am I right in assuming it’s a case of using GPO when the user right should only contain domain accounts/groups, built-in users/groups but if additional user types need to be added then manual addition should be used instead?

Shame if it’s the latter. Could do with being able to configure this via GPP like you can with local users/groups and having the option to retain the existing members, which would address this initial observation.

Cheers
Jamie

powershell – Adding “Never saved” websites to Edge via Group Policy, Registry, Script, etc

I would like to push “Never saved” websites to users’ Chromium Edge settings. The goal is to disable password saving for these particular websites/domains.

The method doesn’t matter, only the end result. In this way, solutions that use Group Policy, registry change, script, etc. are all okay if they work. (Of course, adding the settings manually is no good).

NOTE: I have searched the Group Policy settings and I don’t think that there is a relevant policy for this (I could be wrong).

I tried adding the following registry setting but it didn’t seem to have any effect:

KEY: HKCR\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\<website>
NAME: (Default)
TYPE: REG_DWORD
DATA: 0x28 (40)

The “Never saved” websites section can be found if you open Edge and look in:

Settings → Profiles → Passwords → Never saved

Here is a screenshot of the setting location: [screenshot: Never saved sites setting location]

Your ideas are appreciated!

group policy – GPO to set DFS Path to Active in Referral List for mapped drive

I have a DFS Namespace of \\domain.lcl\DFS that replicates a folder ReplFolder across 3 geographically dispersed servers:

\\VANCOUVER\FolderA
\\MADRID\FolderA
\\TOKYO\FolderA

I can manually map a drive to \\domain.lcl\DFS\ReplFolder and it works great.

However, I want to be able to set up a GPO to set the active path so that for users in Vancouver the active path is set to \\VANCOUVER\FolderA, and the same for users in the other 2 locations. Is there a GPO or Registry setting that would be able to set this?

This can already be manually done by right clicking the drive letter on the client, selecting the DFS tab, and setting the preferred Path to “Active”. But for 500+ users, I’d like to automate this somehow.

Unfortunately we do not have AD Sites & Services enabled in our environment, otherwise I would go that route.

Thanks very much in advance.

sharepoint online – Retention Policy based on selection

I need to create a SharePoint Online retention policy on the document library to keep documents forever. To do this, I am using the Office365 compliance center. The condition is based on a choice column. For instance, if the users select Policy, then those records need to be kept forever. Is this something that we can achieve using the Office365 compliance center?

Kind Regards

powershell – WDAC policy not accepting MS signed DLLs

I’m working on WDAC / windows defender application control policy. Around 80% of what I have left is from system32 DLL files, hundreds of them. Windows 10 client systems, mostly 20h2.

The base policy is about as stock as you can get: Allow MS using the allowmicrosoft.xml sample policy, the recommended best practice block drivers & apps, and SCCM. The DLLs that are failing are MS signed but are coming back with event 3091 failures and will be blocked when going to enforcement mode.

All the DLLs failing share these certificate attributes.

[Subject]
  CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

[Issuer]
  CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

I added the certs on the chain to a blank policy using Add-SignerRule -CertificatePath .\signature1.cer -user -kernel -update, and merged them. These certificates should definitely exist now, even if they weren’t part of allowmicrosoft.xml for some reason.

The check still fails, even after a policy refresh. What am I missing?