I’ve been tasked with hardening Windows Server 2025. I wanted to see what the general consensus is on the best way to do it: should I use local group policy or domain group policy? This will be done on a vCenter VM which will be converted to a template to use in production.
7 Spice ups
Rod-IT
(Rod-IT)
July 9, 2025, 12:14pm
2
The best way to do this is centrally, so it applies to all machines from your template; certain policies may be overridden by a domain policy.
2025 still has its issues, just be aware of this.
If you’re following any specific guides and you do it at domain level, this can target all OSes, not just 2025.
You can use the CIS Benchmarks to configure your policies. They cover how, where and why.
5 Spice ups
Another advantage of using domain group policy objects is that the policy objects are self-documenting: only the deviations from default will be listed in the policy objects.
If you use local policy, you can’t easily go back later and tell what changes you made, because many policies have settings by default. There is only ever one local policy object.
3 Spice ups
My answer might be slightly out of scope, but why use local Group Policy Objects (GPOs)? Why not leave the GPOs as they are in the domain and instead change the daily admin accounts used for administrative tasks? Many IT administrators use the same account to log into both their personal machines and servers. To harden our environment and move towards a Zero Trust model, our daily accounts should remain standard user accounts. When performing changes or configurations, we should use separate domain admin accounts.
2 Spice ups
It would really depend on what “hardening” means and what the use cases of the VMs are.
For example, “hardening” for RDS servers is different from SQL, different from Oracle DB, different from file servers, different from application servers. Seldom does one rule fit all.
2 Spice ups
Rod-IT
(Rod-IT)
July 9, 2025, 4:36pm
6
adrian_ych:
Seldom 1 rule fits all ?
But you can have a baseline.
You are correct though, the OP needs to be mindful that each deployed OS may need a second layer of policy to secure the apps being hosted.
CIS Benchmarks provide hardening guides for most popular applications, including SQL, Oracle and Domain controllers. Their list is quite plentiful.
3 Spice ups
A baseline is a baseline, while “hardening” is usually for non-general setups…
I do not like giving general ideas, especially for anyone whose usage we may not really know. Especially if it is for server templates, because I have met lots of admins who really “harden” servers, and then at a later stage, when these templates are deployed by other admins, they face lots of issues and have to undo what has been done on these templates.
Then the “troubleshooting” takes much longer than deploying another server from ISO.
2 Spice ups
What you describe is best practice (least privilege via “tiered accounts”), but it is not the same as hardening, which is more specific to configuration of the OS/environment. GPO is particularly good at centralizing OS configuration.
You should do both.
2 Spice ups
Rod-IT
(Rod-IT)
July 9, 2025, 4:58pm
9
Which is why it should be done by GPO and OU, so each server gets the policy it needs.
My point was, an OS can have a generic baseline for hardening, excluding the apps and apps can have another policy applying specifics
2 Spice ups
But what do you mean by “done on a vCenter VM”?
1 Spice up
Rod-IT:
Which is why it should be done by GPO and OU, so each server gets the policy it needs.
My point was, an OS can have a generic baseline for hardening, excluding the apps and apps can have another policy applying specifics
I totally agree with you on that…
That’s why the question of “app type or server purpose” was posted to the OP instead of to you.
Because when he can analyze and answer that, he will then know the answer to the main question of “local vs GPOs”, especially if he is going to create a VM server template for use with vCenter.
“Give the man a fish and he eats for a day. Teach him how to fish, he eats for life”…
1 Spice up
Rod-IT
(Rod-IT)
July 10, 2025, 7:48am
12
I am aware of who you were asking; I’m unsure why this would change whether it’s local or domain GPO, though.
1 Spice up
Because not every server needs to, or is allowed to, be in the domain.
For example, we worked with some retailers that have their POS servers in HQ or data centers, but they do not want the servers to be in the Windows domain, using “standalone” local accounts instead. Or, like now, Veeam B&R also recommends that the server not be in the domain. Thus the GPOs may not affect or be implemented on these servers.
But on the other hand, if someone “locks down” or “hardens” the server template, e.g. blocks ports or functions used by Postgres or MS SQL etc., the next admin who uses the template may have issues…
1 Spice up
Hi Lee,
In this case you have to remember the Group Policy hierarchy. If you apply any policy locally it will be the highest priority. Those policies applied at local level cannot be overwritten by domain policy. If you want to overwrite such a policy which is applied locally, you have to change it on each and every machine, so it is suggested to apply policy at domain level. It is very helpful to showcase policies at the time of audit.
1 Spice up
Rod-IT
(Rod-IT)
July 11, 2025, 8:18am
15
@adrian_ych
I’m not disagreeing, and for non-domain-joined servers you are correct; my point was more that 95% of the VMs are likely to be in the domain, therefore a domain GPO will cover all of these.
Applying a local GPO will work, but a domain GPO can override this, so the OP will need to ensure it’s not undoing what a local GPO has set.
1 Spice up
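Two points in this thread are easy to check mechanically: that there is only one local policy object and it is not self-documenting (you have to work out what it sets), and that a domain GPO processed after it can silently override or remove what it set. The script below is an added example, not code from any poster: it parses the local GPO’s machine-side registry.pol (the file that holds the Administrative Template settings; the format is the documented `PReg` header followed by `[key;value;type;size;data]` records in UTF-16LE) and then compares every value against the live registry, so after `gpupdate /force` on a domain-joined server any entry reported as OVERRIDDEN or MISSING is one a higher-precedence GPO has changed. It assumes the default local-policy path and must be run elevated; security settings (account policy, user rights) live in GptTmpl.inf rather than registry.pol and are not covered.

```powershell
# Added example (not from the thread). Parses the local GPO's machine registry.pol and
# reports which of its values the live registry no longer matches, i.e. what a domain GPO
# (or anything else applied later) has overridden or removed. Run elevated after gpupdate.

function Read-PolString {
    # Reads a null-terminated UTF-16LE string at $Offset; returns it plus the offset after the terminator.
    param([byte[]]$Bytes, [int]$Offset)
    $end = $Offset
    while (($end + 1) -lt $Bytes.Length -and ($Bytes[$end] -ne 0 -or $Bytes[$end + 1] -ne 0)) { $end += 2 }
    [pscustomobject]@{
        Text = [System.Text.Encoding]::Unicode.GetString($Bytes, $Offset, $end - $Offset)
        Next = $end + 2
    }
}

function Read-RegistryPol {
    # Emits one object per record: Key (relative to HKLM), Name, Type (REG_* number) and decoded Value.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') {
        throw "Not a registry.pol file: $Path"
    }
    $pos = 8                                                   # skip 'PReg' signature and 4-byte version
    while ($pos -lt $bytes.Length) {
        # Each record is [key;value;type;size;data]; brackets and semicolons are UTF-16LE (2 bytes each).
        $pos += 2                                              # '['
        $r = Read-PolString $bytes $pos; $key  = $r.Text; $pos = $r.Next + 2   # key, ';'
        $r = Read-PolString $bytes $pos; $name = $r.Text; $pos = $r.Next + 2   # value name, ';'
        $type = [BitConverter]::ToUInt32($bytes, $pos); $pos += 4 + 2          # type, ';'
        $size = [BitConverter]::ToUInt32($bytes, $pos); $pos += 4 + 2          # size, ';'
        $data = if ($size -gt 0) { [byte[]]$bytes[$pos..($pos + $size - 1)] } else { [byte[]]@() }
        $pos += $size + 2                                      # data, ']'

        $value = switch ($type) {
            4  { [BitConverter]::ToUInt32($data, 0) }                                               # REG_DWORD
            11 { [BitConverter]::ToUInt64($data, 0) }                                               # REG_QWORD
            { $_ -eq 1 -or $_ -eq 2 } { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }  # REG_SZ / REG_EXPAND_SZ
            7  { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) -split "`0" }    # REG_MULTI_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }                     # REG_BINARY etc. as hex
        }
        [pscustomobject]@{ Key = $key; Name = $name; Type = $type; Value = $value }
    }
}

function Compare-LocalPolicyWithRegistry {
    # Assumption: the default path of the machine-side local GPO; pass -PolPath to check a backup instead.
    param([string]$PolPath = "$env:SystemRoot\System32\GroupPolicy\Machine\registry.pol")
    foreach ($e in Read-RegistryPol -Path $PolPath) {
        # Names starting with ** (e.g. **DeleteValues, **Del.<name>) are delete directives, not values.
        if ($e.Name -eq '' -or $e.Name -like '**\**') { continue }
        $live = Get-ItemProperty -Path "HKLM:\$($e.Key)" -Name $e.Name -ErrorAction SilentlyContinue
        $status = if ($null -eq $live) { 'MISSING' }
                  elseif ("$($live.$($e.Name))" -ne "$($e.Value)") { "OVERRIDDEN -> $($live.$($e.Name))" }
                  else { 'OK' }
        [pscustomobject]@{ Key = $e.Key; Name = $e.Name; LocalGpo = "$($e.Value)"; Status = $status }
    }
}

# Full listing documents what the single local policy object sets; the filter shows domain overrides.
$report = Compare-LocalPolicyWithRegistry
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\local-gpo-inventory.csv"
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Because LSDOU processing applies the local GPO first and the domain GPOs afterwards, a value that is OVERRIDDEN here is exactly the case Rod-IT describes: the domain policy wins, and nothing on the server tells you unless you look. Keep the CSV with the template so the next admin can see what the image deviates from default.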
Domain GPOs: best for centralized, consistent hardening.
Local GPOs: use only for standalone servers or testing.
1 Spice up
matt7863
(m@ttshaw)
July 11, 2025, 8:43am
17
The answer based on your requirements is both: local and domain GPO.
As it is a template, local policy objects are required to ensure a new build is hardened from initial creation.
Domain GPOs should also exist.
Also, policy objects are not the only hardening: general stuff like not installing components that are not required, etc.
The starting point should be the MS security baselines: Security baselines guide | Microsoft Learn
Then the CIS benchmarks: CIS Benchmarks®
Finally, any specific requirements that may apply, e.g. US gov/mil have helpful resources: https://public.cyber.mil/stigs/
1 Spice up
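Baking the Microsoft baseline into the template’s local policy, as matt7863 recommends, is normally done with LGPO.exe from the Security Compliance Toolkit, which imports GPMC-style GPO backups into the local GPO. The script below is an added example, not code from the poster or from Microsoft’s own Baseline-LocalInstall.ps1: it backs up the local policy before and after (since there is only one local policy object, those backups are the record of what the template changed), and imports only the baseline GPOs whose display names match a pattern, so the Domain Controller GPO never lands on a member-server image. The paths, the name patterns and the assumption that the baseline zip was extracted with its GPOs\{GUID}\bkupInfo.xml layout intact are mine; run it elevated on the template VM before converting it.

```powershell
# Added example (not from the thread). Imports selected Microsoft security baseline GPO backups
# into the local GPO with LGPO.exe, keeping before/after backups of the local policy object.
# All paths and the -Include patterns are assumptions about how you extracted the downloads.
param(
    [string]   $Lgpo        = 'C:\SCT\LGPO\LGPO.exe',                 # from the Security Compliance Toolkit
    [string]   $BaselineDir = 'C:\SCT\Baseline',                      # extracted baseline zip, contains GPOs\
    [string[]] $Include     = @('*Member Server*', '*Defender Antivirus*'),  # skip DC / client GPOs
    [string]   $BackupRoot  = 'C:\SCT\LocalPolicyBackups'
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path $Lgpo)) { throw "LGPO.exe not found at $Lgpo" }

function Get-GpoBackupName {
    # Display name of a GPO backup folder, read from its bkupInfo.xml (CDATA or plain text).
    param([string]$Folder)
    $info = Get-Content (Join-Path $Folder 'bkupInfo.xml') -Raw
    if ($info -match '<GPODisplayName>(?:<!\[CDATA\[)?(.*?)(?:\]\]>)?</GPODisplayName>') { $Matches[1] } else { $null }
}

function Invoke-Lgpo {
    # Runs LGPO.exe and fails loudly: a half-applied baseline is worse than none.
    param([string[]]$Arguments)
    & $Lgpo @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$before = New-Item -ItemType Directory -Force -Path (Join-Path $BackupRoot "$stamp-before")
$after  = New-Item -ItemType Directory -Force -Path (Join-Path $BackupRoot "$stamp-after")

# 1. Snapshot the local policy as it is now; this is the only record of the pre-baseline state.
Invoke-Lgpo @('/b', $before.FullName, '/n', 'Template before baseline')

# 2. Import every baseline GPO backup whose display name matches one of the -Include patterns.
$applied = foreach ($folder in Get-ChildItem (Join-Path $BaselineDir 'GPOs') -Directory) {
    $name = Get-GpoBackupName $folder.FullName
    if (-not $name) { continue }
    if ($Include | Where-Object { $name -like $_ }) {
        Invoke-Lgpo @('/g', $folder.FullName)
        $name
    }
}
if (-not $applied) { throw "No GPO backup under $BaselineDir\GPOs matched: $($Include -join ', ')" }

# 3. Refresh policy and snapshot again, so the template's deviation from default is documented.
gpupdate.exe /force | Out-Host
Invoke-Lgpo @('/b', $after.FullName, '/n', 'Template after baseline')
"Applied: $($applied -join '; ')"
"Backups: $($before.FullName) and $($after.FullName)"
```

Review the baseline’s documentation spreadsheet before choosing the patterns: settings such as the hardened UNC paths, SMB signing and credential guard requirements are correct for a member server but can break a standalone box or a backup server that, as adrian_ych notes, may not be domain-joined. The after-backup can be re-imported with `LGPO.exe /g` on any machine built outside the template, which is the practical answer for the non-domain servers in the thread.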