
Questions about baselines #7

Open
StefanSa opened this issue Dec 18, 2019 · 3 comments

Comments

@StefanSa

Hi Rich,
in the baseline Excel sheet you write, e.g., the following.

Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Scored)

Your remark:

Note: A Member Server that holds the Web Server (IIS) Role with Web Server Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right.

My question about this:
Where and how do I best make these special exceptions for this PAW AD GPO structure?
Can you please show an example in such a case?

Thanks again for your help.
Regards,
Stefan

@utsecnet
Owner

Of course! Group Policies are applied to OUs in AD. Each GPO you apply to the same container immediately overwrites any conflicting previously-applied policy via inheritance. You can change the inheritance order in GPMC by clicking the container in question and selecting the "Group Policy Inheritance" tab at the top right. So, say you have a GPO that sets ALL of your audit policy settings, which you apply to your Computers OU with a security filtering of Tier1-Servers. You may also have another GPO that sets ONLY the conflicting audit policy setting (Generate security audits), applied to the same Computers OU but security-filtered on your IIS-Servers group. Then in the GP inheritance tab, you would have your IIS-Servers policy take higher precedence than your Tier1-Servers GPO by moving it above the Tier1-Servers OU.

Hope that helps.
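The layout Rich describes above, scripted with the GroupPolicy PowerShell module, as an added example that is not part of the original thread or of the baseline project. OU path and GPO names are assumed placeholders; the group names Tier1-Servers and IIS-Servers come from the reply. The script only creates, links, filters and orders the two GPOs; the "Generate security audits" user right itself is still set inside the exception GPO in the editor under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

```powershell
# Added example, not code from the issue thread or the baseline project.
# Requires the GroupPolicy module (RSAT or a domain controller) and rights to edit GPOs.
Import-Module GroupPolicy

$computersOU = 'OU=Computers,OU=Tier1,DC=example,DC=com'   # assumed OU path
$baseGpoName = 'Tier1-Servers-Audit'                        # assumed: full audit policy
$iisGpoName  = 'IIS-Servers-Audit-Exception'                # assumed: only the conflicting setting
$baseGroup   = 'Tier1-Servers'                              # security group named in the thread
$iisGroup    = 'IIS-Servers'                                # security group named in the thread

$specs = @(
    @{ Name = $baseGpoName; Group = $baseGroup },
    @{ Name = $iisGpoName;  Group = $iisGroup  }
)

foreach ($spec in $specs) {
    # Create the GPO only if it does not already exist (idempotent re-runs).
    $gpo = Get-GPO -Name $spec.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $spec.Name }

    # Link it to the Computers OU unless a link is already present.
    $links = (Get-GPInheritance -Target $computersOU).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $spec.Name })) {
        New-GPLink -Name $spec.Name -Target $computersOU -LinkEnabled Yes | Out-Null
    }

    # Security filtering: only members of the target group apply the GPO.
    # Authenticated Users keeps Read (computer accounts must still read the GPO)
    # but loses Apply; -Replace swaps the default Read+Apply for Read only.
    Set-GPPermission -Name $spec.Name -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $spec.Name -TargetName $spec.Group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Link order 1 is the highest precedence on a container, so the exception GPO
# wins the conflicting user right on machines that are members of IIS-Servers.
Set-GPLink -Name $iisGpoName  -Target $computersOU -Order 1 | Out-Null
Set-GPLink -Name $baseGpoName -Target $computersOU -Order 2 | Out-Null

# Verify: this is what GPMC's "Group Policy Inheritance" tab shows for the OU.
(Get-GPInheritance -Target $computersOU).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

After the script runs, `gpresult /h report.html` on a member of IIS-Servers should show the exception GPO as the winning GPO for that user right, and a Tier1 server outside the group should show only the base GPO; that check is the quickest way to confirm the filtering and ordering worked before the baseline is rolled out.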

@StefanSa
Author

Rich,
thanks for the exact explanation and your time, but now I have the following problem.

Example:
User Rights Assignment -> Generate security audits.
For an IIS, all "IIS APPPools" must be added.
However, I cannot add local groups directly to a GPO if I edit them on the DC.
What am I doing wrong, or how do I add these "IIS APPPools"?
Or how do I best make an exception for an IIS / MSSQL?

@utsecnet
Owner

utsecnet commented Dec 19, 2019 via email
