At the beginning of April 2023, Microsoft released a new version of its Microsoft Security Compliance Toolkit 1.0. Dealing with it is really a mandatory exercise for administrators in companies. In the following, I will briefly introduce the Microsoft Security Compliance Toolkit 1.0 – but I will also discuss its downsides. Because the way this toolkit is put together is a "laughing stock" that shows that the people in charge at Microsoft no longer understand what they are assembling and handing to administrators.
Microsoft Security Compliance Toolkit 1.0
The Microsoft Security Compliance Toolkit is a set of tools that allow enterprise security administrators to download, analyze, test, edit and save Microsoft-recommended security configuration baselines for Windows and other Microsoft products and compare them to other security configurations. The download from this Microsoft web page includes the following files as of April 7, 2023:
Version: 1.0 | Published: 4/7/2023

File name | Size
Windows 11 version 22H2 Security Baseline.zip | 1.4 MB
LGPO.zip | 520 KB
Microsoft 365 Apps for Enterprise-2206-FINAL.zip | 722 KB
Microsoft Edge v112 Security Baseline.zip | 352 KB
PolicyAnalyzer.zip | 1.5 MB
SetObjectSecurity.zip | 314 KB
Windows 10 Update Baseline.zip | 453 KB
Windows 10 Version 1507 Security Baseline.zip | 904 KB
Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip | 1.5 MB
Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip | 1.3 MB
Windows 10 Version 20H2 and Windows Server Version 20H2 Security Baseline.zip | 1.5 MB
Windows 10 version 21H2 Security Baseline.zip | 1.2 MB
Windows 10 version 22H2 Security Baseline.zip | 1.2 MB
Windows 11 Security Baseline.zip | 1.2 MB
Windows Server 2012 R2 Security Baseline.zip | 699 KB
Windows Server 2022 Security Baseline.zip | 1.3 MB
The supported operating systems are Windows Server 2019, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows 11 and Windows Server 2022, although Windows 8.1 has been out of support since January 2023. About the toolkit, Microsoft writes:
The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a domain controller or inject them directly into testbed hosts to test their effects. For more information, see Windows Security Baselines.
The dark sides of the toolkit
German security expert Stefan Kanthak put me in BCC on a mail he sent to the Microsoft Security Response Center (MSRC) at the end of April 2023. He wrote:
Hi MSRC,
have you lately dared to look at your calendar?
Have you noticed that it shows the year 2023? Then visit your company's web page Download Microsoft Security Compliance Toolkit 1.0, click the circled plus sign in front of the "System Requirements" and see the (fortunately DEAD) hyperlink "Microsoft Word Viewer"!
Kanthak is referring to the following passage in the system requirements for the Microsoft Security Compliance Toolkit 1.0.
Under the system requirements, the Microsoft Word Viewer is indeed still mentioned and even linked. The Word Viewer was withdrawn almost six years ago (see my German blog post Word Viewer: Rückzug im November 2017). Consequently, the link on the Microsoft page leads to a landing page that no longer has anything to do with the Word Viewer. The reference to Windows 8.1 also shows that Microsoft no longer really revises the system requirements page. But there is another security flaw, which Kanthak describes as follows:
The executables of the Microsoft Security Compliance Toolkit offered there are still vulnerable to DLL hijacking. Will your developers ever learn to use /DEPENDENTLOADFLAG:2048?
It is remarkable that the executables of the Microsoft Security Compliance Toolkit are vulnerable to DLL hijacking. Raymond Chen has provided some guidance in this post: when linking a program, you can use the /DEPENDENTLOADFLAG linker option to tell Windows (as of Windows 10 version 1607) where to search for the DLLs the program depends on statically. With the value LOAD_LIBRARY_SEARCH_SYSTEM32 (the 2048 in Kanthak's mail), these DLLs are loaded only from the Windows System32 folder. Kanthak also points out this issue in this German comment. This doesn't leave me with the impression that Microsoft is in control of what its developers do.
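The linker option writes its value into the DependentLoadFlags WORD of the image's load configuration directory, so an administrator can audit a downloaded executable for the flag before deploying it. The following script is an added example (not code from Microsoft, Kanthak or this blog) that parses that field from a PE file; because the toolkit's real binaries cannot be shipped with the page, it builds two minimal constructed PE images in memory (one with 2048 set, one without) and checks them, and it audits a real file when given a path on the command line:

```python
"""Audit a PE image's DependentLoadFlags (the value /DEPENDENTLOADFLAG sets).

Constructed example: the images produced by build_sample_pe() are minimal
PE files built in memory so the script runs offline; they are not the
Security Compliance Toolkit's real executables.
"""
import struct
import sys

LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800           # the 2048 in /DEPENDENTLOADFLAG:2048
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Offset of the WORD DependentLoadFlags inside IMAGE_LOAD_CONFIG_DIRECTORY32 / 64
DLF_OFFSET = {PE32_MAGIC: 54, PE32PLUS_MAGIC: 78}


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def parse_dependent_load_flags(data):
    """Return the image's DependentLoadFlags, or None if the load config
    directory is absent or too old (too small) to carry the field."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in DLF_OFFSET:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dd_base = opt + (96 if magic == PE32_MAGIC else 112)   # first data directory
    ndirs = struct.unpack_from("<I", data, dd_base - 4)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        return None
    lc_rva, _ = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    if lc_rva == 0:
        return None
    sections = []
    sh = opt + opt_size                                    # section headers, 40 bytes each
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sh + 40 * i + 8)
        sections.append((va, vsize, rawptr, rawsize))
    lc = _rva_to_offset(lc_rva, sections)
    struct_size = struct.unpack_from("<I", data, lc)[0]    # Size field of the directory
    off = DLF_OFFSET[magic]
    if struct_size < off + 2:                              # old layout without the field
        return None
    return struct.unpack_from("<H", data, lc + off)[0]


def is_hardened(data):
    """True when dependent DLLs are restricted to System32 (2048 set)."""
    flags = parse_dependent_load_flags(data)
    return flags is not None and bool(flags & LOAD_LIBRARY_SEARCH_SYSTEM32)


def build_sample_pe(dependent_load_flags, pe32plus=True, lcd_size=0x100):
    """Construct a minimal PE with one .rdata section holding a load config directory."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 240 if pe32plus else 224
    sect_va, sect_raw = 0x1000, 0x200                      # RVA != file offset on purpose
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    dd_base = 96 if magic == PE32_MAGIC else 112
    struct.pack_into("<I", opt, dd_base - 4, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, sect_va, lcd_size)
    sect = struct.pack("<8sIIII", b".rdata", lcd_size, sect_va, 0x200, sect_raw) + bytes(16)
    lcd = bytearray(lcd_size)
    struct.pack_into("<I", lcd, 0, lcd_size)
    off = DLF_OFFSET[magic]
    if lcd_size >= off + 2:
        struct.pack_into("<H", lcd, off, dependent_load_flags)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(sect_raw, b"\0") + bytes(lcd).ljust(0x200, b"\0")


if __name__ == "__main__":
    if len(sys.argv) > 1:                                  # audit a real file if given
        with open(sys.argv[1], "rb") as fh:
            images = {sys.argv[1]: fh.read()}
    else:                                                  # otherwise the constructed samples
        images = {"unhardened-sample.exe": build_sample_pe(0),
                  "hardened-sample.exe": build_sample_pe(LOAD_LIBRARY_SEARCH_SYSTEM32)}
    for name, data in images.items():
        flags = parse_dependent_load_flags(data)
        shown = "absent" if flags is None else "0x%04x" % flags
        verdict = "OK" if is_hardened(data) else "DLL search path not restricted"
        print("%-24s DependentLoadFlags=%s  %s" % (name, shown, verdict))
```

An image whose load configuration directory is missing, or whose Size field stops before the DependentLoadFlags word, is reported as not hardened, which is the right default: the loader then falls back to the regular search order, and a DLL placed next to the executable would be found before the System32 copy.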