Preparation for Security Baselines & Tiering Model

🔒 Secure Bits 💡
How to prepare for Security Baselines & Tiering Model – without breaking everything?

Implementing Security Baselines and the Tiering Model can significantly improve your Windows Infrastructure security.

But let's be honest: if you're working with an older or messy environment, this change can turn into chaos quickly.

๐—œ๐—ป ๐—ฎ ๐—ป๐—ฒ๐˜„, ๐—ฐ๐—น๐—ฒ๐—ฎ๐—ป ๐—ฒ๐—ป๐˜ƒ๐—ถ๐—ฟ๐—ผ๐—ป๐—บ๐—ฒ๐—ป๐˜? No problem.
๐—œ๐—ป ๐—ฎ ๐—ฝ๐—ฟ๐—ผ๐—ฑ๐˜‚๐—ฐ๐˜๐—ถ๐—ผ๐—ป ๐—ฒ๐—ป๐˜ƒ๐—ถ๐—ฟ๐—ผ๐—ป๐—บ๐—ฒ๐—ป๐˜ ๐—ณ๐—ฟ๐—ผ๐—บ ๐Ÿฎ๐Ÿฌ๐Ÿญ๐Ÿญย with undocumented GPOs and legacy services? Now thatโ€™s where things get tricky.

Here's the approach I use before I apply baselines and tiering to any device:

🔍 1. Check Local Users & Groups
Look for leftover accounts and custom group memberships, in particular non-standard members of the local Administrators group and accounts that services or scheduled tasks log on with. Sometimes they're obsolete, sometimes they're tied to production services. Know before you break something.

🧰 2. Review Services & Service Accounts
I check what's running, what accounts are used, and whether I can upgrade to MSA/gMSA/VSA. Managed and virtual service accounts also take the password problem off the table: Windows or AD maintains the password, not whoever set the service up years ago. If the tiering model restricts access, service accounts must follow suit: a service on a Tier 1 server must not log on with an account that also holds Tier 0 rights, because whoever compromises that server then holds those rights too.

🛡️ 3. Analyze User Rights Assignments (URA)
Security baselines and tiering will overwrite many of these settings. A user right defined in a GPO replaces the whole local list for that right rather than merging with it, so an account that was granted "Log on as a service" by hand disappears from the list the moment the baseline applies, and the service fails at its next start. This is where legacy config hides, and it's often essential for apps to function. Export and document them early (a secedit export of the local policy is enough for a first snapshot).

🧪 4. Run Policy Analyzer
This is my favorite tool for baseline comparison. It ships with the Microsoft Security Compliance Toolkit and compares policy sets side by side (GPO backups, the Microsoft baselines, or the current local policy), highlighting where they differ and where they conflict, which is what you need to judge impact before rollout. Exporting this gives you a good rollback reference too.
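The four checks above, collected into one read-only PowerShell snapshot of a host. This is an added example written for this post, not the author's script and not Policy Analyzer itself: it records the state a baseline is about to change so you have the "before" picture and a rollback reference. The output folder, the file names and the way service accounts are classified are assumptions of this example.

```powershell
# Added example (not the post's own script): pre-baseline snapshot of one Windows host.
# Run elevated. Reads only; nothing on the machine is changed. Output folder is an assumption.
param(
    [string]$OutDir = "C:\BaselinePrep\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmm')"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Local users and every local group's members. Orphaned SIDs of deleted domain accounts
#    can make Get-LocalGroupMember throw on some builds, so record the failure instead of stopping.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Export-Csv (Join-Path $OutDir 'local-users.csv') -NoTypeInformation

Get-LocalGroup | ForEach-Object {
    $group = $_.Name
    try {
        Get-LocalGroupMember -Group $group -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{ Group = $group; Member = $_.Name; Class = $_.ObjectClass; Source = $_.PrincipalSource }
        }
    } catch {
        [pscustomobject]@{ Group = $group; Member = "<enumeration failed: $($_.Exception.Message)>"; Class = ''; Source = '' }
    }
} | Export-Csv (Join-Path $OutDir 'local-group-members.csv') -NoTypeInformation

# 2. Services and their logon accounts, classified so the ones tiering cares about
#    (named local/domain accounts) stand out from built-in, virtual and managed accounts.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')  # -contains is case-insensitive
Get-CimInstance Win32_Service | ForEach-Object {
    $acct = [string]$_.StartName
    $kind = if ($builtIn -contains $acct)       { 'built-in' }
            elseif ($acct -like 'NT SERVICE\*') { 'virtual service account' }
            elseif ($acct -like '*$')           { 'MSA/gMSA' }
            elseif ($acct -eq '')               { 'none' }
            else                                { 'NAMED ACCOUNT - review' }
    [pscustomobject]@{
        Name = $_.Name; DisplayName = $_.DisplayName; State = $_.State; StartMode = $_.StartMode
        LogonAccount = $acct; Kind = $kind; Path = $_.PathName
    }
} | Sort-Object Kind, Name | Export-Csv (Join-Path $OutDir 'services.csv') -NoTypeInformation

# 3. User Rights Assignments. secedit writes the local policy as an INF whose
#    [Privilege Rights] section lists each right with '*SID' entries; resolve those to names.
$inf = Join-Path $OutDir 'secpol-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Resolve-Principal([string]$entry) {
    if (-not $entry.StartsWith('*')) { return $entry }   # already a name
    $sid = $entry.Substring(1)
    try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$sid (unresolved SID: deleted account or unreachable domain)" }
}

$inSection = $false
$ura = foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $right   = $Matches[1]
        $entries = @($Matches[2] -split ',' | ForEach-Object Trim | Where-Object { $_ })
        # An empty list is a setting too ("no one" holds the right); keep it visible.
        if ($entries.Count -eq 0) { [pscustomobject]@{ Right = $right; Principal = '(no one)'; Raw = '' } }
        foreach ($entry in $entries) {
            [pscustomobject]@{ Right = $right; Principal = (Resolve-Principal $entry); Raw = $entry }
        }
    }
}
$ura | Export-Csv (Join-Path $OutDir 'user-rights.csv') -NoTypeInformation

# 4. Rollback reference. Policy Analyzer is a GUI, but it imports GPO backups, so back up every
#    GPO now: that is the "before" set for its comparison and what you restore if rollout goes wrong.
#    Skipped on hosts without the GroupPolicy (RSAT) module or without domain access.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    $gpoDir = New-Item -ItemType Directory -Path (Join-Path $OutDir 'gpo-backup') -Force
    try { Backup-GPO -All -Path $gpoDir.FullName -ErrorAction Stop | Out-Null }
    catch { Write-Warning "GPO backup failed: $($_.Exception.Message)" }
}

# Console summary; the CSVs are what you review and file with the change record.
[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    OutDir         = $OutDir
    LocalUsers     = @(Import-Csv (Join-Path $OutDir 'local-users.csv')).Count
    NamedSvcAccts  = @(Import-Csv (Join-Path $OutDir 'services.csv') | Where-Object Kind -like 'NAMED*').Count
    UserRightsRows = @($ura).Count
} | Format-List
```

Run it on a representative host of each tier before the baseline GPOs are linked, and keep the folder: the services.csv rows marked NAMED ACCOUNT are the accounts tiering will restrict, and user-rights.csv is the list you compare against the baseline's URA settings to see which hand-granted rights will vanish.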

💡 Extra tips:
• If a third-party app is installed, I try to get the application owner involved (they rarely know the technical details, but it's worth a shot).
• You'll never catch 100% of the issues beforehand, but this prep avoids 90% of post-implementation surprises.
• For high-value systems, I spend more time on analysis and documentation before rollout.

🎓 This is exactly the kind of practical work we do in my course Building a Secure Active Directory:
https://horizon-secured.com/courses/building-a-secure-active-directory/

In the next Secure Bits post, I'll show you what the actual migration looks like after preparation is done.

What's been your experience rolling out Security Baselines or Tiering Model? Any horror stories or success tips?