
Microsoft’s Local Group Policy Object (LGPO) Utility is a standalone command-line executable that assists administrators in automating the management of a computer’s local security policy. The tool uses a combination of Group Policy Template (GptTmpl.inf) files, Registry Policy (registry.pol) files, and Audit Policy (audit.csv) files to apply desired configuration settings to endpoints. The free LGPO Utility is part of Microsoft’s Security Compliance Toolkit and can be downloaded here.

To complete the download, you can follow these simple steps:

  1. Navigate to Microsoft Security Compliance Toolkit 1.0
  2. Select Download
  3. Check the box next to LGPO.zip
  4. Select Next

By default, the download should be stored within your user profile’s Downloads directory.

At the time of this writing, LGPO is at version 3.0.2004.13001 (v3.0). According to Microsoft, here is what comes with the new version:

Two new options were added in LGPO.exe. The first, /ef which enables Group Policy extensions referenced in the backup.xml. The second, /p which allows for importing settings directly from a .PolicyRules file, which negates the need to have the actual GPOs on hand. Additionally, LGPO.exe /b and /g now capture locally-configured client-side extensions (CSEs) (which we had an issue with previously). Lastly, /b also correctly captures all user rights assignments, overcoming a bug in the underlying “secedit.exe /export” that fails to capture user rights assignments that are granted to no one.

LGPO.exe functions as a standalone executable program that can be run directly from the command-line. It does not install additional software on your system to perform its tasks. To run the program, open a command prompt and navigate to the executable file. I have stored mine in C:\LGPO.

LGPO has four (4) core modes, each of which has been listed below:

  1. Import and apply policy settings
  2. Export local policy to a GPO backup
  3. Parse a registry.pol file to “LGPO text” format
  4. Build a registry.pol file from “LGPO text”

Using one or more of the modes listed above, this post will describe specifics regarding how to:

  1. Backup current policies (LGPO.exe /b)
  2. Import a new Local Policy (LGPO.exe /g)
  3. Import a new Group Policy Template (GptTmpl.inf) (LGPO.exe /s)
  4. Import a new Registry Policy (registry.pol) (LGPO.exe /m, /u, /ua, /un, /u:username)
  5. Import a new Audit Policy (audit.csv) (LGPO.exe /a[c])

Additional information on how to use the LGPO Utility can be found within the LGPO.pdf file that comes embedded within the .zip download.

HOW-TO GUIDE

BACKUP LOCAL POLICY

Before applying a new policy, it is always best practice to create a backup of the system’s current configuration. To do this, use the /b LGPO switch:

LGPO Task: Create a GPO backup in Path, where Path is the location the backup will be stored

LGPO Switch: /b

LGPO Steps:

  1. Open a command prompt as an administrator
  2. Navigate to the directory that contains the LGPO executable file (LGPO.exe)
  3. Run LGPO.exe /b Path, where Path is the location the backup will be stored

The following Command will back up the system’s local policy and store it in C:\LGPO\Backup:

Command: C:\> C:\LGPO\LGPO.exe /b C:\LGPO\Backup

IMPORT COMPLIANT POLICIES (FULL IMPORT)

There are several ways to obtain preconfigured policies, including preconfigured DCSA and DISA releases. DCSA provides the NISP Classified Configuration (NISP CC) tool, which contains all the required policy files to facilitate the hardening exemplified within this post. DISA provides Group Policy Objects, which are located on the public-facing DoD Cyber Exchange. For more information on each, see the DCSA NISP CC Instructions and the DISA GPOs.

The /g option imports settings from one or more policy exports/backups, which contain Registry Policy (e.g., registry.pol) files, Security Templates (e.g., GptTmpl.inf), Advanced Auditing templates (e.g., audit.csv), and backup.xml files (used for GP client-side extensions, or CSEs). “Machine” and “User” registry.pol settings must exist within their respective “Machine” or “User” subdirectory for the associated settings to be applied to the correct registry hive.

LGPO Task: Import settings from one or more GPO exports/backups under Path, where Path is the location of the GPO GUID

LGPO Switch: /g

LGPO Steps:

  1. Open a command prompt as an administrator
  2. Navigate to the directory that contains the LGPO executable file (LGPO.exe)
  3. Run LGPO.exe /g Path, where Path is the location of the GPO GUID

The following Command will apply policy settings (GptTmpl.inf, registry.pol, and audit.csv) that exist within the {F02F0236-6A68-40F2-8F91-1861194EB794} directory. {F02F0236-6A68-40F2-8F91-1861194EB794} is an example of a GUID.

Command: C:\LGPO\LGPO.exe /g "C:\LGPO\Backup\{F02F0236-6A68-40F2-8F91-1861194EB794}"

This simple command drastically increased the secure configuration of my Virtual Machine (VM), according to the DISA-released Windows 10 Benchmark.

SCAP Compliance Checker (SCC) Before Policy Import: 46.51% Compliant

SCAP Compliance Checker (SCC) After Policy Import: 96.28% Compliant

IMPORT COMPLIANT POLICIES (PARTIAL IMPORT)

Under certain circumstances, it may not be necessary to import an entire policy. Some additional use cases are shown below.

IMPORT TEMPLATE SETTINGS ONLY:

LGPO Task: Apply a specified security template

LGPO Switch: /s

LGPO Steps:

  1. Open a command prompt as an administrator
  2. Navigate to the directory that contains the LGPO executable file (LGPO.exe)
  3. Run LGPO.exe /s Path, where Path is the location of the template file.

The following Command will apply the settings defined within the C:\LGPO\Backup\GptTmpl.inf template file

Command: C:\> C:\LGPO\LGPO.exe /s C:\LGPO\Backup\GptTmpl.inf

IMPORT REGISTRY POLICY SETTINGS ONLY:

LGPO Task: Import settings from registry.pol into a specified config (Machine | User | Administrators | Non-Administrators | Specific User)

LGPO Switch:

/m: import settings from registry.pol into machine config

/u: import settings from registry.pol into user config

/ua: import settings from registry.pol into user config for Administrators

/un: import settings from registry.pol into user config for Non-Administrators

/u:username: Import settings from registry.pol into user config for local user specified by “username”

LGPO Steps:

  1. Open a command prompt as an administrator
  2. Navigate to the directory that contains the LGPO executable file (LGPO.exe)
  3. Run LGPO.exe /Switch Path, where Path is the location of the registry file and /Switch is the desired switch

The following Command will apply the machine registry settings defined within C:\LGPO\Backup\Machine\Registry.pol and the user registry settings defined within C:\LGPO\Backup\User\Registry.pol

Command: C:\> C:\LGPO\LGPO.exe /m C:\LGPO\Backup\Machine\registry.pol /u C:\LGPO\Backup\User\registry.pol
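
To review what a registry.pol file will change before importing it with /m or /u, the following added example (not part of the original post or of LGPO) parses the file's PReg binary layout in Python and lists each entry's effect. The sample key and values are constructed, and the output wording is this example's own rather than LGPO's text format.

```python
import struct

U16 = "utf-16-le"                      # text encoding used inside registry.pol

def entry(key, value, rtype, data):
    """Build one [key;value;type;size;data] record (for the constructed sample)."""
    return (("[%s\0;%s\0;" % (key, value)).encode(U16) + struct.pack("<I", rtype) + b";\0"
            + struct.pack("<I", len(data)) + b";\0" + data + b"]\0")

def parse_pol(buf):
    """Return (key, value, type, data) tuples; ValueError on a malformed file."""
    if buf[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("missing PReg version 1 header")
    pos, out = 8, []
    def take(n, want=None):            # read n bytes, optionally checking a delimiter
        nonlocal pos
        chunk = buf[pos:pos + n]
        if len(chunk) != n or (want and chunk != want.encode(U16)):
            raise ValueError("malformed record near offset %d" % pos)
        pos += n
        return chunk
    def cstr():                        # NUL-terminated string, then ';'
        chars = b""
        while (c := take(2)) != b"\0\0":
            chars += c
        take(2, ";")
        return chars.decode(U16)
    def dword():                       # little-endian DWORD, then ';'
        return struct.unpack("<I2s", take(4) + take(2, ";"))[0]
    while pos < len(buf):
        take(2, "[")
        key, value, rtype, size = cstr(), cstr(), dword(), dword()
        out.append((key, value, rtype, take(size)))
        take(2, "]")
    return out

def action(value, rtype, data):
    """Describe what importing one entry does to the named registry value."""
    if value.lower().startswith("**del."):
        return "DELETE " + value[6:]
    if rtype == 4 and len(data) == 4:  # REG_DWORD
        return "%s = DWORD:%d" % (value, struct.unpack("<I", data)[0])
    return "%s = type %d, data %s" % (value, rtype, data.hex())

# Constructed sample: one DWORD policy and one value deletion.
KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + entry(KEY, "AlwaysInstallElevated", 4, struct.pack("<I", 0))
          + entry(KEY, "**del.ExampleValue", 1, " \0".encode(U16)))
```

Calling `parse_pol` on the bytes of a real file (read with `open(path, "rb").read()`) and passing each tuple to `action` gives a line-by-line preview of the import.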

IMPORT AUDIT POLICY SETTINGS ONLY

LGPO Task: Clear the system’s Audit Policy and apply a new Audit Policy configuration

LGPO Switch:

/a: Apply advanced auditing settings

/ac: Clear advanced auditing settings and apply new advanced auditing settings

LGPO Steps:

  1. Open a command prompt as an administrator
  2. Navigate to the directory that contains the LGPO executable file (LGPO.exe)
  3. Run LGPO.exe /ac Path, where Path is the location of the audit.csv file

The following Command will clear the system’s current audit policy to apply the Audit Policy settings defined within the C:\LGPO\Backup\audit.csv file

Command: C:\LGPO> C:\LGPO\LGPO.exe /ac C:\LGPO\Backup\audit.csv
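
Because /ac clears the existing advanced audit settings before applying the file, an import can reduce audit coverage without any error. This added Python example (not from the original post) compares two audit.csv files and previews the outcome under /a and /ac. It assumes the column layout written by auditpol backups, treats subcategories missing from the current file as not audited, and uses constructed sample rows.

```python
import csv
import io

HEADER = ("Machine Name,Policy Target,Subcategory,Subcategory GUID,"
          "Inclusion Setting,Exclusion Setting,Setting Value")

# Constructed samples: CURRENT stands in for the backed-up audit.csv, NEW for the file to import.
CURRENT = HEADER + """
,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3
,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,,1
"""
NEW = HEADER + """
,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success,,1
,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,,3
"""

def load(text):
    """Map subcategory GUID -> (subcategory name, inclusion setting)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["Subcategory GUID"].upper(): (r["Subcategory"], r["Inclusion Setting"])
            for r in rows}

def preview(current, new, clear):
    """List (subcategory, before, after) for every setting the import changes.

    clear=True models /ac: anything absent from the new file ends as No Auditing.
    clear=False models /a: anything absent from the new file keeps its setting.
    """
    cur, want = load(current), load(new)
    changes = []
    for guid in sorted(set(cur) | set(want)):
        name, before = cur.get(guid, (None, "No Auditing"))
        if guid in want:
            name, after = want[guid]
        else:
            after = "No Auditing" if clear else before
        if after != before:
            changes.append((name, before, after))
    return changes

if __name__ == "__main__":
    for mode, clear in (("/a", False), ("/ac", True)):
        for name, before, after in preview(CURRENT, NEW, clear):
            print(mode, name, ":", before, "->", after)
```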
