SkillAgentSearch skills...

Hardening

Python script to remotely deploy GPO Backup and ADMX/ADML templates to Local Group Policy using LGPO import.

GenerateConvertImprove

Install / Use

/learn @MoBlue/Hardening
About this skill

Quality Score

0/100

Category

Operations

Supported Platforms

Universal

README

Windows Local GPO Hardening

Simple python script to remotely deploy security settings via local GPO, using Microsoft LGPO tool.

Getting Started

Download deploy.py, edit relevant options and run.

Prerequisites

Tested only on Windows 10, should work on any LGPO supported system.

The following files should be hosted on internal/external site, available for download by the script:<br/><br/>

  • LGPO.exe — Microsoft Local Group Policy Object Utility
  • GPO.zip — Password protected zip of GPO backup folder — may be produced by AD GPMC backup, SCM and more. The zip is expected to host 'GPO' directory, holding the GPO {ID} folder tree and manifest.<br/> GPO.zip_<br/>               |GPO_<br/>                        |{GPO GUID}_<br/>                        |manifest.xml<br/>
  • ADMX.zip — Password protected zip of ADMX and ADML files — may be downloaded from various sources. The zip is expected to host 'ADMX' directory, hodling under it the ADMX files and 'en-us' ADML folder.<br/> ADMX.zip_<br/>                  |ADMX_<br/>                              |/en-us/.adml<br/>                              |.admx<br/>

Configurable options:

The following settings should be modified in 'deployment.py':

  • rootpath = r'C:/Installs/' # local root path for files and folders
  • win10path = os.path.join(rootpath, 'WIN10/') # optional Version folder under local root path
  • admxFlag = 1 # 0 or 1 for ADMX download and deploy
  • lgpoURL = 'https://{SITE}/LGPO.exe' # Microsoft LGPO download link
  • win10gpoURL = 'https://{SITE}/GPO.zip' # Encrypted Zipped GPO backup download link
  • win10admxURL = 'https://{SITE}/ADMX.zip' # Encrypted Zipped ADMX/ADML download link
  • zipPWD = "{ZIP PASSWORD}" # Encrypted zip password. Note! use the same password for all zip files.

Notes and Limitations

The script makes use of ZipFile library, posing the following limitations:

  1. The zipfile module does not support ZIP files with appended comments, or multi-disk ZIP files. It does support ZIP files larger than 4 GB that use the ZIP64 extensions.
  2. zipfile only supporting traditional PKWARE encryption method, if you try a WinZip AES-256 encrypted zip, zipfile.extractall raises a RuntimeError "Bad password for file" when given the correct password.

Zip files encryption:

  1. Same password should be used for all files.
  2. Zip encryption is mostly used as integrity control, due to the PKWARE encryption method limitation, it should not be relied upon for protection of sensitive data.

To Do:

  1. Allow multiple passwords for different zip files
  2. Cleanup procedure of local resources
  3. GPO Update procedure
  4. GPO Compare & Report procedure

License

The code may be used by anyone and everyone for any purpose.

Acknowledgments

Inspired by Comodo ITSM Procedures.

Related Skills

healthcheck

354.2k

Host security hardening and risk-tolerance configuration for OpenClaw deployments

tmux

354.2k

Remote-control tmux sessions for interactive CLIs by sending keystrokes and scraping pane output.

prose

354.2k

OpenProse VM skill pack. Activate on any `prose` command, .prose files, or OpenProse mentions; orchestrates multi-agent workflows.

Writing Hookify Rules

112.2k

This skill should be used when the user asks to "create a hookify rule", "write a hook rule", "configure hookify", "add a hookify rule", or needs guidance on hookify rule syntax and patterns.

MoBlue

View profile

View on GitHub
GitHub Stars6
CategoryOperations
Updated1y ago
Forks6
MoBlue/hardening

Languages

Python

Security Score

60/100

Audited on Dec 14, 2024

No findings