How to Configure Security Compliance Baselines on Windows Server 2012 R2

Microsoft’s Security Compliance Toolkit (SCT) provides pre-built, tested Group Policy baselines for Windows Server 2012 R2 that align with both Microsoft’s own security recommendations and industry frameworks such as CIS and NIST. Rather than building a security baseline from scratch, the SCT gives you a starting point developed by the Microsoft Security Engineering team, which you can then customize for your environment. This guide walks through downloading the toolkit, importing the baseline GPOs, reviewing and customizing settings, and deploying the baseline to your server fleet.

Prerequisites

  • Windows Server 2012 R2 domain environment with a domain controller
  • GPMC, plus the Group Policy and Active Directory PowerShell modules (RSAT), installed on your management workstation; every script below depends on them
  • Internet access to download the Security Compliance Toolkit from Microsoft
  • Domain Admin or Group Policy permissions to create and link GPOs
  • A test OU where you will apply the baseline before rolling it out to production

Step 1: Download the Security Compliance Toolkit

Download the toolkit from the Microsoft Download Center. The SCT page offers several ZIPs: one per baseline (GPO backups, documentation and administrative templates) plus separate ZIPs for the Policy Analyzer and LGPO tools. The relevant baseline download for Windows Server 2012 R2 is the Windows Server 2012 R2 Security Baseline; take Policy Analyzer as well, since Step 4 uses it:

# PowerShell download (or use a browser)
# The SCT download page; pick the Windows Server 2012 R2 Security Baseline ZIP
# and the Policy Analyzer ZIP from it
$url = "https://www.microsoft.com/en-us/download/details.aspx?id=55319"
Start-Process $url

# After downloading, extract the ZIP to C:\SCT.
# Expand-Archive needs PowerShell 5.0 or later; a stock 2012 R2 host ships with 4.0,
# so install WMF 5.1 there or unzip with Explorer instead.
Expand-Archive -Path "C:\Downloads\SCT-WS2012R2.zip" -DestinationPath "C:\SCT" -Force

The extracted folder will contain:

  • GP Reports — HTML reports documenting every setting
  • GPOs — Backup folders importable into GPMC
  • Templates — ADMX/ADML administrative templates
  • Tools — PolicyAnalyzer.exe and LGPO.exe (downloaded as separate ZIPs from the same page; extract them into C:\SCT\Tools so the paths below match)
  • Documentation — Excel spreadsheet listing every setting in the baseline with its policy path and value

Step 2: Install Administrative Templates

Copy the ADMX templates from the toolkit to the central store so that all Group Policy editors can access them:

# Create the central store (and its en-US language folder) if it doesn't exist
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

foreach ($dir in @($centralStore, "$centralStore\en-US")) {
    if (-not (Test-Path $dir)) {
        New-Item -Path $dir -ItemType Directory | Out-Null
    }
}

# Copy ADMX and ADML files; with a central store in place, every GPMC/GPME in the
# domain reads templates from SYSVOL instead of the local C:\Windows\PolicyDefinitions
Copy-Item "C:\SCT\Templates\*.admx" $centralStore -Force
Copy-Item "C:\SCT\Templates\en-US\*.adml" "$centralStore\en-US" -Force
Write-Host "Templates installed to central store $centralStore"

Step 3: Import Baseline GPOs

The SCT ships separate GPO backups for the domain controller policy and the member server policy, all in one GPOs folder (one GUID-named subfolder per backup plus a manifest.xml). Import them into the domain with the GroupPolicy module; if your package also contains a Scripts folder, its Baseline-ADImport.ps1 performs the same import:

# Import via the GroupPolicy module (the PowerShell side of GPMC)
Import-Module GroupPolicy

# All baseline backups live in the GPOs folder; Import-GPO selects the backup whose
# display name matches -BackupGpoName (the names below are those used by the SCT
# backups; check the GP Reports folder if your package differs)
$backupPath = "C:\SCT\GPOs"

# Import Member Server baseline
Import-GPO -BackupGpoName "MSFT Windows Server 2012 R2 - Member Server" `
    -Path $backupPath `
    -TargetName "Baseline-WS2012R2-MemberServer" `
    -CreateIfNeeded

# Import Domain Controller baseline (if deploying to DCs)
Import-GPO -BackupGpoName "MSFT Windows Server 2012 R2 - Domain Controller" `
    -Path $backupPath `
    -TargetName "Baseline-WS2012R2-DC" `
    -CreateIfNeeded

# Confirm both GPOs exist in the domain; they are not linked anywhere yet
Get-GPO -All | Where-Object { $_.DisplayName -like "Baseline-WS2012R2-*" } |
    Select-Object DisplayName, Id, ModificationTime
Write-Host "GPOs imported successfully"

Step 4: Use Policy Analyzer to Compare Baselines

The Policy Analyzer tool (a separate ZIP on the SCT download page) lets you compare the baseline GPO settings against your current production policy and against each other. Launch it from C:\SCT\Tools\PolicyAnalyzer.exe.

  1. Click Add and browse to the GPO backup folder
  2. Click Add again to add your existing production GPO backup (exported with Backup-GPO)
  3. Click View/Compare to see a side-by-side grid of all settings
  4. Rows highlighted in yellow have conflicting values between the policies, and grey rows are settings defined in only some of them; review each one

Export the current production baseline for comparison:

# Backup-GPO requires the destination folder to exist
New-Item -Path "C:\SCT\ProductionBackup" -ItemType Directory -Force | Out-Null
Backup-GPO -Name "YourExistingServerPolicy" -Path "C:\SCT\ProductionBackup"

Step 5: Link Baseline GPO to Test OU

Never link a new security baseline directly to production servers. Create a test OU, move one server into it, link the baseline GPO, and verify the server continues to function normally:

Import-Module ActiveDirectory
Import-Module GroupPolicy

# Create a test OU
New-ADOrganizationalUnit -Name "SecurityBaseline-Test" `
    -Path "OU=Servers,DC=corp,DC=example,DC=com"

# Move a test server to the OU
Move-ADObject -Identity "CN=TESTSERVER01,OU=Servers,DC=corp,DC=example,DC=com" `
    -TargetPath "OU=SecurityBaseline-Test,OU=Servers,DC=corp,DC=example,DC=com"

# Link the GPO (not enforced while testing)
New-GPLink -Name "Baseline-WS2012R2-MemberServer" `
    -Target "OU=SecurityBaseline-Test,OU=Servers,DC=corp,DC=example,DC=com" `
    -Enforced No

# Refresh policy on the test server (a plain gpupdate /force here would only
# refresh the management workstation) and record the resultant set of policy
Invoke-GPUpdate -Computer "TESTSERVER01" -Force
Get-GPResultantSetOfPolicy -Computer "TESTSERVER01" -ReportType Html `
    -Path "C:\Reports\RSoP-TESTSERVER01.html"

Step 6: Review and Customize Key Settings

The Microsoft baseline is a starting point, not a one-size-fits-all solution. Review these common settings that may need adjustment for your environment:

UAC Settings (User Account Control):

  • The baseline keeps Admin Approval Mode on and moves the administrator elevation prompt to the secure desktop, which is appropriate for most servers
  • Headless servers managed through PowerShell remoting are not blocked by the prompt itself (it cannot appear in a non-interactive session), but any elevation that would need it fails instead, so confirm scheduled tasks and remote automation already run with the rights they need

SMB Settings:

  • The baseline disables SMBv1; before applying it, verify that every client, NAS appliance and multifunction printer that talks to the server supports SMBv2 or later, since legacy devices are the usual casualty

Remote Desktop (RDP) settings:

  • Network Level Authentication (NLA) is enforced; ensure all RDP clients support NLA (CredSSP), which excludes very old mstsc builds and some third-party clients
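Once the test server has refreshed policy, the three settings above can be verified directly on it rather than inferred from the GPO report. The following function is an added example for this guide, not code from the SCT; it reads the live SMB and RDP configuration and the UAC policy keys those GPO settings write to, and runs locally or over PowerShell remoting when given a -ComputerName:

```powershell
# Added example (not part of the SCT or the original guide): confirm the Step 6
# settings are in effect on a server. Run it on the test server itself, or pass
# -ComputerName to evaluate it over PowerShell remoting. The SMB and RDP checks
# read live configuration; the UAC check reads the policy registry key.
function Test-BaselineKeySettings {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $probe = {
        $findings = @()

        # SMBv1 server protocol: the baseline turns it off
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
        $findings += [pscustomobject]@{
            Check = 'SMBv1 server disabled'; Expected = $false; Actual = $smb1; Pass = ($smb1 -eq $false)
        }

        # RDP Network Level Authentication, read from the effective RDP-Tcp listener
        $rdp = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
                   -Filter "TerminalName='RDP-Tcp'"
        $nla = [bool]$rdp.UserAuthenticationRequired
        $findings += [pscustomobject]@{
            Check = 'RDP requires NLA'; Expected = $true; Actual = $nla; Pass = $nla
        }

        # UAC elevation behaviour for administrators (ConsentPromptBehaviorAdmin):
        #   0 = elevate silently (weak), 1 = credentials on secure desktop,
        #   2 = consent on secure desktop, 3/4 = prompt off the secure desktop,
        #   5 = consent for non-Windows binaries only
        $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $uac = Get-ItemProperty -Path $uacKey
        $secureDesktopPrompt = ($uac.EnableLUA -eq 1) -and
                               ($uac.PromptOnSecureDesktop -eq 1) -and
                               ($uac.ConsentPromptBehaviorAdmin -in 1, 2)
        $findings += [pscustomobject]@{
            Check    = 'UAC prompts admins on the secure desktop'
            Expected = 'EnableLUA=1, PromptOnSecureDesktop=1, ConsentPromptBehaviorAdmin in {1,2}'
            Actual   = "EnableLUA=$($uac.EnableLUA), PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop), ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"
            Pass     = $secureDesktopPrompt
        }
        $findings
    }

    if ($ComputerName -eq $env:COMPUTERNAME) { & $probe }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe }
}

# Usage: any row with Pass = False means that baseline setting is not effective on the host
Test-BaselineKeySettings -ComputerName TESTSERVER01 | Format-Table Check, Expected, Actual, Pass -AutoSize
```

Run it before and after linking the GPO: a row that was already passing beforehand tells you an existing policy or the OS default was covering the setting, while a row that fails afterwards means the baseline is not reaching the server (wrong OU, blocked inheritance, or the refresh has not happened yet).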

Edit the imported GPO in GPMC to customize before linking to production:

# Open the GPO in the Group Policy Management Editor. Get-GPO's .Path property is the
# GPO's distinguished name (CN={GUID},CN=Policies,CN=System,...), so no GUID is typed by hand
$gpo = Get-GPO -Name "Baseline-WS2012R2-MemberServer"
Start-Process -FilePath "gpme.msc" -ArgumentList "/gpobject:`"LDAP://$($gpo.Path)`""

Step 7: Apply Baseline to Production Servers

After testing and customizing, link the GPO to the production Servers OU:

# Link to the production Servers OU. An enforced link cannot be blocked by child OUs
# and wins over links lower in the tree, so only set it once testing is complete
New-GPLink -Name "Baseline-WS2012R2-MemberServer" `
    -Target "OU=Servers,DC=corp,DC=example,DC=com" `
    -Enforced Yes

# Trigger a refresh on every computer in the OU rather than naming servers one by one.
# Invoke-GPUpdate schedules a remote task, so the targets need the
# "Remote Scheduled Tasks Management" firewall rule group enabled.
Import-Module ActiveDirectory
Get-ADComputer -SearchBase "OU=Servers,DC=corp,DC=example,DC=com" -Filter * |
    ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 }

Step 8: Generate Compliance Reports

Generate HTML reports of the applied GPO for documentation:

New-Item -Path "C:\Reports" -ItemType Directory -Force | Out-Null
Get-GPOReport -Name "Baseline-WS2012R2-MemberServer" `
    -ReportType HTML `
    -Path "C:\Reports\Baseline-WS2012R2-MemberServer.html"

Write-Host "Report saved to C:\Reports\Baseline-WS2012R2-MemberServer.html"

Policy Analyzer can also produce a periodic drift report: compare the current effective policy on a server against the approved baseline to detect unauthorized changes. For a scripted check, export the local security policy with secedit. It only exports the machine it runs on, so run it on the server directly or wrap it in Invoke-Command:

# Export effective policy from a server (run on SERVER01, or via Invoke-Command)
# Output is UTF-16 INF text: [System Access], [Privilege Rights], [Registry Values] sections
secedit /export /cfg C:\Reports\CurrentPolicy-SERVER01.cfg /areas SECURITYPOLICY USER_RIGHTS REGKEYS
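The secedit export is plain INF text, so the drift comparison can be scripted instead of clicked through. The functions below are an added example for this guide, not code from the SCT or Policy Analyzer: one parses an export into sections, the other diffs a server's export against an approved one and reports changed, missing and extra settings. User rights in the Privilege Rights section are comma-separated SID lists, so they are compared as sets to avoid flagging a mere reordering. The two INF strings are constructed sample data, and the domain SID in them is a placeholder.

```powershell
# Added example (not part of the SCT): scripted drift check over two secedit /export files.
# secedit writes INF text with [Section] headers and Name = Value lines.

function ConvertFrom-SeceditInf {
    # Parse INF lines into @{ Section = @{ Setting = Value } }
    param([Parameter(Mandatory)][string[]]$Lines)
    $policy = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $policy.ContainsKey($section)) { $policy[$section] = @{} }
            continue
        }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $policy[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $policy
}

function Compare-SecurityPolicyDrift {
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][hashtable]$Current,
        [string[]]$Sections = @('System Access', 'Privilege Rights', 'Registry Values')
    )
    $drift = @()
    foreach ($section in $Sections) {
        $b = if ($Baseline.ContainsKey($section)) { $Baseline[$section] } else { @{} }
        $c = if ($Current.ContainsKey($section))  { $Current[$section] }  else { @{} }
        foreach ($name in (@($b.Keys) + @($c.Keys) | Sort-Object -Unique)) {
            $bv = $b[$name]; $cv = $c[$name]
            $status = $null
            if ($null -eq $cv)     { $status = 'Missing' }   # baseline setting no longer defined
            elseif ($null -eq $bv) { $status = 'Extra' }     # setting the baseline never defined
            elseif ($section -eq 'Privilege Rights') {
                # SID lists: order-insensitive comparison
                $bs = @($bv -split ',' | ForEach-Object { $_.Trim() } | Sort-Object -Unique) -join ','
                $cs = @($cv -split ',' | ForEach-Object { $_.Trim() } | Sort-Object -Unique) -join ','
                if ($bs -ne $cs) { $status = 'Changed' }
            }
            elseif ($bv -ne $cv)   { $status = 'Changed' }
            if ($status) {
                $drift += [pscustomobject]@{
                    Section = $section; Setting = $name; Baseline = $bv; Current = $cv; Status = $status
                }
            }
        }
    }
    return $drift
}

# Constructed sample exports (stand-ins for real secedit output) so this runs offline.
# S-1-5-21-1111111111-2222222222-3333333333-1105 is a placeholder domain account SID.
$approvedInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 10
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDebugPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
'@
$serverInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
'@

$approved = ConvertFrom-SeceditInf ($approvedInf -split "`r?`n")
$observed = ConvertFrom-SeceditInf ($serverInf -split "`r?`n")
Compare-SecurityPolicyDrift -Baseline $approved -Current $observed | Format-Table -AutoSize

# Against real exports: secedit writes UTF-16, so read the file with -Encoding Unicode, e.g.
# $observed = ConvertFrom-SeceditInf (Get-Content 'C:\Reports\CurrentPolicy-SERVER01.cfg' -Encoding Unicode)
```

On the sample data the reordered SeRemoteInteractiveLogonRight is not reported, while the shortened password length, the dropped lockout threshold, the disabled SMB signing value and the two user-rights changes are. The last two are the ones to triage first: an account appearing in SeDebugPrivilege or SeTcbPrivilege outside the approved baseline is a common persistence footprint, not a configuration nuisance.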

Summary

Microsoft’s Security Compliance Toolkit provides a professionally engineered, well-documented security baseline for Windows Server 2012 R2 that maps to CIS and NIST standards. By importing the baseline GPOs, comparing them against your current configuration with Policy Analyzer, deploying first to a test OU, and then rolling out to production, you establish a documented, auditable security standard for your server fleet. Keep the baseline synchronized with periodic SCT updates and track configuration drift as part of your routine security operations.