A security baseline is a group of Microsoft-recommended configuration settings that explains their security implication. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
Installation and configuration of prerequisite software
This section outlines the prerequisites and procedures for applying Microsoft security baselines from the Security Compliance Toolkit, which consists of tools to assist admins in managing baselines in addition to the security baselines. Follow these steps:
- Log in to the Microsoft Windows Server or Workstation operating system to be hardened.
- Download the appropriate security baselines from the Microsoft website.
- Download the LGPO tool.
- Extract the security baseline to a working directory.
- Browse to the security baseline folder and then the Scripts and then Tools folder.
- Copy the LGPO.exe file into the Tools folder from the previously downloaded files.
- Open PowerShell as an Administrator.
- Browse to the security baseline working directory and then the “Scripts” folder.
- If this is a Server OS: Run the following with the appropriate switch:
PowerShell.exe -ExecutionPolicy RemoteSigned -File .\Baseline-LocalInstall.ps1 -WSMember
Note: Replace -WSMember with the appropriate switch:-WSMember - Windows Server, domain-joined member server
-WSNonDomainJoined - Windows Server, non-domain-joined
-WSDomainController - Windows Server, domain controller
- Reboot.
- If this is a Desktop OS: Run the following with the appropriate switch:
PowerShell.exe -ExecutionPolicy RemoteSigned -File .\Baseline-LocalInstall.ps1 -Win10DomainJoined
Note: Replace -Win10DomainJoined with the appropriate switch:-Win10DomainJoined - Windows 10, domain-joined
-Win10NonDomainJoined - Windows 10, non-domain-joined
- Reboot.