Everything About GCB

什麼是 GCB?

政府組態基準 (Government Configuration Baseline，簡稱GCB) 由國家資通安全研究院提出，規範資通訊設備(如個人電腦、伺服器主機及網通設備等) 的一致性安全設定(如密碼長度、更新期限等)，以降低成為駭客入侵管道，進而引發資安事件之風險。

國家資通安全研究院 - 政府組態基準(GCB)

簡單來說， GCB 是一連串的「規範條件」，例如「密碼長度要多長」、「阻擋第三方 Cookie 使用」等。

GCB 官方網站提供一狗票的套用包。隨機一個，可能會長得像這樣：

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

如何套用 GCB

最有用的教學！

��F��պA��GCB�ɤJ�u��P��k null https://www.cc.ntu.edu.tw/chinese/epaper/0059/20211220_5903.html

https://download.nics.nat.gov.tw/api/v4/file-service/UploadFile/attachfilegcb/112%E5%B9%B4GCB%E5%AF%A6%E4%BD%9C%E6%96%87%E4%BB%B6_Windows%20Server%202022v1.0_1130702.pdf https://download.nics.nat.gov.tw/api/v4/file-service/UploadFile/attachfilegcb/112%E5%B9%B4GCB%E5%AF%A6%E4%BD%9C%E6%96%87%E4%BB%B6_Windows%20Server%202022v1.0_1130702.pdf

403 Forbidden - HackMD Build together with Markdown

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

HackMD

套用 GCB 到 Windows 上面的方法，是透過設定群組原則（GPO）來達成。
由於 GCB 有上千項，通常不會手動套用…。反之，推薦你使用微軟工具。

注意：機房可能有專屬連線作業須知，例如衛生福利部。請向櫃檯詢問關於 GCB 套用後有無注意事項，例如連線使用者的設定需如何做修正。

安裝 LocalGPO 程式。這個程式可以讓你快速套用 GCB 內容。下載當中的「LGPO.zip」檔案即可！
將下載之 LGPO.zip 程式解壓縮至任意位置。
用系統管理員身分執行「命令提示字元」，cd 到 LGPO 資料夾的位置（例如 cd C:\User\Admin\Desktop\LGPO ）
備份當前設定（可跳過）：執行指令 LGPO.exe /b <絕對路徑> 以把當前電腦的 GPO 進行備份。
把你要套用的 GCB 封包解壓縮後，複製路徑。（到那一串奇怪代碼的地方）
套用：執行指令 LGPO.exe /g <GCB 封包路徑> 。你理當看到匯入成功的訊息，參考下方。
Image Not Showing Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →
更新群組原則 (GPO)： (1) 重新開機即可。或者 (2) 執行 gpupdate /force 指令。

P.S. 若你要還原回原先的備份狀態，只需重新匯入備份即可 - LGPO.exe /g <備份的絕對路徑>

特殊：伺服器角色專用 GPO

資安院提供 2+4 個群組原則 for Windows Server. 每一台應套用 2+1 個群組原則。

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

判斷伺服器角色、與詳細套用，請前往 112年GCB實作文件_Windows Server 2022v1.0_1130702

安裝 SecGuide （可以到微軟官網預先下載） P. 21-25
單機版部署流程 P. 52-59
檢查伺服器角色並安裝 P. 68-98

如何驗收 GCB

稽查標準：

國家資通安全研究院 - GCB說明文件國家資通安全研究院－為提升國家資通安全科技能力、推動資通安全科技研發及應用，特設國家資通安全研究院(以下簡稱本院)，行政院核定本院設置條例於112年1月1日正式施行，監督機關為數位發展部。 https://www.nics.nat.gov.tw/core_business/cybersecurity_defense/GCB/GCB_Documentation/

驗收方式採用「人工抽查」。你沒看錯…人工抽查。
透過 GPEdit 程式執行，搭配 GCB 文件，隨機選擇幾項進行檢查是否符合。

GCB 說明文件會指示你該前往群組原則的哪一層級觀看。通常說明文件會長得像是這樣：

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

注意「GPO 設定路徑」欄位。

執行群組原則編輯器：以系統管理員身分執行 gpedit.msc 程式
依照說明文件與你的心情，隨機抽選一個，然後在群組原則編輯器上檢查
有符合「GCB 設定值」欄位的值，即算為套用成功。

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted