Kiosk Lockdown with GPOs and Scripts

Tech Savvy

I’m working on a lockdown procedure for a stand-alone government kiosk system. In other words, this system is air-gapped and is not on a domain. The system has only one application that needs to run, but the application spawns other applications throughout its use.

As some of you may know, the US government uses STIGs as a set of guidelines on how to lock down computers. The STIGs have premade GPOs and admin templates that are used as a baseline, which can be imported into the host machine.

Everything I do needs to be documented in order to recreate it. So for simplicity I would like to create multiple group policies (like you would in a domain environment) and apply them to the machine via a command line script.

For example, a group policy for disabling the screen saver, or creating a lockout policy.

The problem is, the Group Policy manager doesn’t allow me to create multiple individual policies (a policy that only changes one or a subset of settings) that collectively would lock down the system.

Does anyone know how to do this? I want it so that my script would import the individual group policy files to recreate the system. Currently I import via LGPO, but I’m open to other options.

Not actual code, but my script would look something like this:

Apply-GPO disable-screen-saver.gpo
Apply-GPO create-lockout-policy.gpo
Apply-GPO disable-control-panel-functions.gpo
... etc

Obviously that’s not an actual script, but that’s essentially what I would like to be doing, so that by the end of it we would have a locked-down system with all of the individual policies applied after restart, but it’s organized so that if something needed to be changed you know right where to look.

Any ideas?
 
The issue is the lack of domain membership; the only consistent means I know to maintain this is to convert all the GPOs into the relevant registry settings and build a PowerShell script that can pull those in and out on demand.
 
Yeah, this definitely isn’t a standard use case, nor manageable. For this project, it’s only one Windows 7 box per “network”. I use quotes because it’s air-gapped with no other Windows machines. The process is like this:

Create GPOs
Export individual GPOs
Script import of individual GPOs, documenting what each one does and the affected group policy

Now that it’s all created, all the user does is image the machine
Run DISA STIG import
Run newly created GPO import script
Then it goes into production and it never gets changed after that. No updates or anything.

Any changes in the future would require paperwork and retesting of the entire system. But at least if during testing I find that a GPO is causing a problem, I can comment out that import in the script, reimage, and run the commented script. Also it makes it easy to document “here is what this part is doing and here is the requirement it came from” rather than a dumped list of every GPO applied to the system.

The reason why it works is because once the system is in production that’s it, no changes at all, ever.
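As an added example of the import script described in this post and in the opening question (not the poster's code), the PowerShell below applies an ordered list of individually documented policy fragments with Microsoft's LGPO.exe. The LGPO.exe path, the fragment folder, the REQ-PLACEHOLDER requirement IDs and the three sample fragments are all assumptions constructed for the example. It also shows the distinction the second reply points at: administrative template settings are registry values and fit LGPO's text format (applied with /t), while account lockout is a security setting that is not in the registry at all and has to go in a security template .inf (applied with /s).

```powershell
# Added example (not the poster's script): apply individually documented local
# policy fragments on a stand-alone machine with Microsoft's LGPO.exe.
# Assumptions: LGPO.exe is at $Tools, fragments live in $PolicyDir, and the
# REQ-PLACEHOLDER-* IDs stand in for whatever requirement IDs your paperwork uses.
$Tools     = 'C:\Lockdown\Tools'
$PolicyDir = 'C:\Lockdown\Policies'
$Log       = 'C:\Lockdown\apply-policies.log'
$Lgpo      = Join-Path $Tools 'LGPO.exe'

# Constructed sample fragments, written out on first run so the script is
# self-contained.  Registry-based (administrative template) settings use the
# LGPO text format: one comment line, then scope, key, value name, type:data.
$SampleFragments = @{
    'disable-screen-saver.txt' = @'
; Kiosk: the screen saver must never start (User policy, registry-based)
User
Software\Policies\Microsoft\Windows\Control Panel\Desktop
ScreenSaveActive
SZ:0
'@
    'disable-control-panel.txt' = @'
; Kiosk: remove access to Control Panel (User policy, registry-based)
User
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
DWORD:1
'@
    # Account lockout is a security (secedit) setting, not a registry policy,
    # so it is a security template (.inf) and is applied with /s instead of /t.
    'create-lockout-policy.inf' = @'
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 3
ResetLockoutCount = 15
LockoutDuration = 15
[Version]
signature="$CHICAGO$"
Revision=1
'@
}

# This ordered list is the documentation: each line names the requirement it
# satisfies, and commenting one out drops that policy for a test reimage.
$Policies = @(
    @{ Name = 'Disable screen saver'; File = 'disable-screen-saver.txt';  Req = 'REQ-PLACEHOLDER-001' },
    @{ Name = 'Account lockout';      File = 'create-lockout-policy.inf'; Req = 'REQ-PLACEHOLDER-002' },
    @{ Name = 'Remove Control Panel'; File = 'disable-control-panel.txt'; Req = 'REQ-PLACEHOLDER-003' }
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f (Get-Date), $Message
    Write-Host $line
    Add-Content -Path $Log -Value $line
}

function Apply-PolicyFragment($Policy) {
    $path = Join-Path $PolicyDir $Policy.File
    if (-not (Test-Path $path)) { throw "Missing policy fragment: $path" }
    # .inf -> security template (/s); anything else -> LGPO text file (/t)
    if ([IO.Path]::GetExtension($path) -eq '.inf') { $switch = '/s' } else { $switch = '/t' }
    Write-Log ("Applying '{0}' ({1}) from {2}" -f $Policy.Name, $Policy.Req, $Policy.File)
    & $Lgpo $switch $path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe failed with exit code $LASTEXITCODE on $($Policy.File)" }
}

if (-not (Test-Path $Lgpo)) { throw "LGPO.exe not found at $Lgpo" }
if (-not (Test-Path $PolicyDir)) { New-Item -ItemType Directory -Path $PolicyDir | Out-Null }
foreach ($name in $SampleFragments.Keys) {
    $target = Join-Path $PolicyDir $name
    if (Test-Path $target) { continue }
    # secedit expects a Unicode .inf; the LGPO text files are fine as ANSI.
    if ($name -like '*.inf') { Set-Content -Path $target -Value $SampleFragments[$name] -Encoding Unicode }
    else                     { Set-Content -Path $target -Value $SampleFragments[$name] }
}

foreach ($p in $Policies) { Apply-PolicyFragment $p }

# Make the new local policy take effect now and keep a report for the records.
gpupdate /force | Out-Null
gpresult /h (Join-Path $PolicyDir 'applied-policy-report.html') /f | Out-Null
Write-Log 'All policy fragments applied; reboot and retest the kiosk end to end.'
```

Run it from an elevated PowerShell after the DISA STIG import; the log and the gpresult report give you the "what was applied and why" record, and each fragment file stays readable on its own for the paperwork.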
 
Why not just take the image after the scripts are run?

 