{"id":29573,"date":"2023-05-09T00:09:41","date_gmt":"2023-05-08T22:09:41","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=29573"},"modified":"2023-05-12T12:18:35","modified_gmt":"2023-05-12T10:18:35","slug":"microsoft-security-compliance-toolkit-1-0-the-dark-side","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/05\/09\/microsoft-security-compliance-toolkit-1-0-the-dark-side\/","title":{"rendered":"Microsoft Security Compliance Toolkit 1.0 – \"the dark side\""},"content":{"rendered":"

\"Sicherheit[German<\/a>]At the beginning of April 2023, Microsoft released a new version of its Microsoft Security Compliance Toolkit 1.0. Actually, it is a compulsory exercise for administrators in companies to deal with this part. In the following, I will briefly introduce the Microsoft Security Compliance Toolkit 1.0 – but I will also discuss its downsides. Because the implementation of this toolkit is a \"laughing stock\" that shows that the people in charge at Microsoft no longer understand what they are putting together and bringing to the administrators.<\/p>\n

<\/p>\n

Microsoft Security Compliance Toolkit 1.0<\/h2>\n

\"\"The Microsoft Security Compliance Toolkit iis a set of tools that allow enterprise security administrators to download, analyze, test, edit and save Microsoft-recommended security configuration baselines for Windows and other Microsoft products and compare them to other security configurations. The download from this Microsoft web page<\/a> includes the following files as of April 7, 2023:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Version: 1.0<\/td>\nPublished: 4\/7\/2023<\/strong><\/td>\n<\/tr>\n
File Name:<\/strong><\/td>\nSize<\/strong><\/td>\n<\/tr>\n
Windows 11 version 22H2 Security Baseline.zip<\/td>\n1.4 MB<\/td>\n<\/tr>\n
LGPO.zip<\/td>\n520 KB<\/td>\n<\/tr>\n
Microsoft 365 Apps for Enterprise-2206-FINAL.zip<\/td>\n722 KB<\/td>\n<\/tr>\n
Microsoft Edge v112 Security Baseline.zip<\/td>\n352 KB<\/td>\n<\/tr>\n
PolicyAnalyzer.zip<\/td>\n1.5 MB<\/td>\n<\/tr>\n
SetObjectSecurity.zip<\/td>\n314 KB<\/td>\n<\/tr>\n
Windows 10 Update Baseline.zip<\/td>\n453 KB<\/td>\n<\/tr>\n
Windows 10 Version 1507 Security Baseline.zip<\/td>\n904 KB<\/td>\n<\/tr>\n
Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip<\/td>\n1.5 MB<\/td>\n<\/tr>\n
Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip<\/td>\n1.3 MB<\/td>\n<\/tr>\n
Windows 10 Version 20H2 and Windows Server Version 20H2 Security Baseline.zip<\/td>\n1.5 MB<\/td>\n<\/tr>\n
Windows 10 version 21H2 Security Baseline.zip<\/td>\n1.2 MB<\/td>\n<\/tr>\n
Windows 10 version 22H2 Security Baseline.zip<\/td>\n1.2 MB<\/td>\n<\/tr>\n
Windows 11 Security Baseline.zip<\/td>\n1.2 MB<\/td>\n<\/tr>\n
Windows Server 2012 R2 Security Baseline.zip<\/td>\n699 KB<\/td>\n<\/tr>\n
Windows Server 2022 Security Baseline.zip<\/td>\n1.3 MB<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Windows Server 2019, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows 11, Windows Server 2022 are supported, though Windows 8.1 has been out of support since January 2023. About the toolkit, Microsoft writes<\/a>:<\/p>\n

The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise's Group Policy Objects (GPOs).\u00a0 Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a domain controller or inject them directly into testbed hosts to test their effects. For more information, see <\/em>Windows Security Baselines<\/a>.<\/em><\/p><\/blockquote>\n

The dark sides of the toolkit<\/h2>\n

German security expert Stefan Kanthak has set me on BCC on a mail he sent to the Microsoft Security Response Center (MSRC) at the end of April 2023. He wrote:<\/p>\n

Hi MSRC,<\/p>\n

have you lately dared to look at your calendar?
\nHave you noticed that it shows the year 2023?<\/p>\n

Then visit your companies the web page Download Microsoft Security Compiance Toolkit 1.0<\/a>, click the circled plus sign in front of the \"System Requirements\" and see the (fortunately DEAD) hyperlink \"Microsoft Word Viewer\"!<\/p><\/blockquote>\n

Kanthak is concerned about the following passage with the system requirements for using Microsoft Security Compliance Toolkit 1.0.<\/p>\n

\"Microsoft<\/p>\n

Because under the system requirements, the Microsoft Word Viewer is indeed still mentioned and even linked. The Word Viewer was withdrawn almost 6 years ago (see my German blog post Word Viewer: R\u00fcckzug im November 2017<\/a>). Consequently, the link on the Microsoft page also leads to a landing page that no longer has anything to do with Word Viewer. The reference to Windows 8.1 also shows that Microsoft doesn't really revise the system requirements page anymore. But there is another security flaw, which Kanthak describes like this.<\/p>\n

The executables of the Microsoft Security Compliance Toolkit offered there are still vulnerable to DLL hijacking. Will your developers ever learn to use \/DEPENDENTLOADFLAG:2048?<\/p><\/blockquote>\n

It is remarkable that the Microsoft Security Compliance Toolkit executable is vulnerable to DLL hijacking. Raymond Chen has provided some guidance in this post<\/a> that when linking programs, you can use the \/DEPENDENTLOADFLAG parameter to specify that Windows (as of Windows 10 version 1607) only statically loads dependent DLLs. With the value LOAD_LIBRARY_SEARCH_SYSTEM32 as parameter DLLs may be loaded only also the Windows folder System32. Kanthak also points out this issue in\u00a0this German comment<\/a>.This doesn't leave me with a good impression that Microsoft is in control, what his developers do.<\/p>\n","protected":false},"excerpt":{"rendered":"

[German]At the beginning of April 2023, Microsoft released a new version of its Microsoft Security Compliance Toolkit 1.0. Actually, it is a compulsory exercise for administrators in companies to deal with this part. In the following, I will briefly introduce … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,2],"tags":[69,1544,194],"class_list":["post-29573","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-windows","tag-security","tag-software","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/29573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=29573"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/29573\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=29573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=29573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=29573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}