Securing Your Windows Network With the Microsoft Security Baselines

Upload: frank-lesniak

Post on 08-Aug-2015


Page 1: Securing your Windows Network with the Microsoft Security Baselines

Securing Your Windows Network With the Microsoft Security Baselines

Page 2: Securing your Windows Network with the Microsoft Security Baselines

© 2015 West Monroe Partners | Reproduction and distribution without West Monroe Partners prior consent is prohibited.

Quick Introduction

Frank Lesniak

Page 3: Securing your Windows Network with the Microsoft Security Baselines

Today’s Agenda

I. Security Baselines: Overview
II. Get an Inventory
III. Get the Baselines
IV. Apply the First Baseline to Active Directory
V. Managing the Implementation

Page 4: Securing your Windows Network with the Microsoft Security Baselines

Security Baselines: Overview
• CIS Benchmarks vs. Microsoft Security Baselines
• Why Security Baselines are Important
• What to Expect to Change When Implementing a Baseline
• When it is Appropriate to Implement a Microsoft Security Baseline
• Project Success Criteria

Page 5: Securing your Windows Network with the Microsoft Security Baselines

“There are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked” - Various

Page 6: Securing your Windows Network with the Microsoft Security Baselines

Take a layered approach to security. Limit your “attack surface” and reduce user privileges.

• All IT systems have vulnerabilities (Manadhata & Wing, 2010): known/current and unknown/future
• You cannot make a system “hack-proof”
  • Given infinite time, most IT systems can be hacked or decrypted (brute-force, massive parallelism)
  • Hackers/malware often have more resources than YourCorp (state-sponsored hacks, toolkits)
• Today’s threat landscape: we need to limit the ability for the bad guys to get in. However, the reality of today’s threat landscape is that all systems will inevitably be attacked/compromised/hacked. Therefore, we need to consider IT security as a layered approach.
• Once the bad guys are “in”, we need to also limit what they can do. Don’t forget breach detection and response!

Page 7: Securing your Windows Network with the Microsoft Security Baselines

Enter the CIS Benchmarks: a “free” security layer to protect servers and workstations!

• The Center for Internet Security (CIS) is a nonprofit organization that seeks to “enhance the security readiness and response of public and private sector entities, with a commitment to excellence through collaboration.”
• CIS publishes consensus-based, secure configuration guidelines called CIS Benchmarks. To quote CIS’s materials, the CIS Benchmarks seek to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means
• Benchmarks are available for Windows, Linux, Cisco, and other platforms

Page 8: Securing your Windows Network with the Microsoft Security Baselines


Sample from CIS Benchmark for Windows Server 2012 R2 v1.0.0


Page 11: Securing your Windows Network with the Microsoft Security Baselines

Microsoft collaborates with CIS in development of their baselines. Adopting them should give you all of the “scored” CIS Benchmark settings.

• Microsoft security baselines are available within Microsoft’s Security Compliance Manager (SCM) toolkit and are divided into groups of settings by product and logical function.
• For example, for Windows Server 2012 R2, SCM includes: Windows Server 2012 R2 Domain Controller Security Compliance baseline; Windows Server 2012 R2 Domain Security Compliance baseline; and Windows Server 2012 R2 Member Server Security Compliance baseline
  • You guessed it: they align with the CIS Benchmark “CIS Microsoft Windows Server 2012 R2 v1.0.0”
• Check yourself, lest you wreck yourself: although CIS and Microsoft collaborate, it is possible for CIS to revise a Benchmark or for Microsoft to revise a baseline without a corresponding revision by Microsoft / CIS
• Each baseline addresses dozens to hundreds of vulnerabilities. For each vulnerability, SCM documents: the vulnerability’s severity; its compensating control (labeled Countermeasure in SCM); and risks to consider before implementing the compensating control (labeled Potential Impact in SCM)
• Microsoft includes additional vulnerabilities and compensating controls in its SCM toolkit, but doesn’t implement the compensating controls that it considers high-risk (e.g., likely to have a compatibility problem)
• For those settings not adopted, Microsoft recommends evaluating the risks to consider before implementing the setting (“Potential Impact”) and conducting appropriate testing before implementation


Page 13: Securing your Windows Network with the Microsoft Security Baselines

The Microsoft security baselines include lots of good security stuff:

• Enforce user privilege-limiting controls (UAC, session isolation)
• Disable code execution (ActiveX, Java) and downloads from non-whitelisted websites
  • Applies whitelisting to explorer.exe; Windows “knows” when you download an executable on another computer and bring it over on a flash drive
• Enforce the use of strong protocols/cryptographic algorithms over weak ones (or not using one at all), e.g., users are prevented from accessing websites with certificate errors
• Enforce the use of security auditing, and define what should be audited
• Enforce the use of security mitigations (e.g., Internet Explorer protected mode)
• Limit user privileges (Windows rights assignment)
• Enforce strong passwords (14-character, complex) and PW policies (expiration, lockout)
• Enable the Windows Firewall and enforce logging
• Windows 8/8.1/10: prevent sign-in with Microsoft accounts and access to the Store
  • You can still link a Microsoft account to a corporate account
• Enforce macro security in Microsoft Office
  • In some cases, this means disabling macros and add-ins altogether… more on this later.
• Outlook: enable the junk mail filter; author and open emails in plain text mode by default
• Enforce miscellaneous “leading practices”

Page 14: Securing your Windows Network with the Microsoft Security Baselines

In case you’re still not convinced that this is a good idea, deploying security baselines also upholds modern IT security frameworks

SANS Critical Security Controls “First Five Quick Wins”
• Application whitelisting (IE whitelisting enforced, Windows Firewall on, but not AppLocker – quarter point)
• Use of standard, secure system configurations (point)
• Patch application software within 48 hours (Microsoft software – quarter point)
• Patch system software within 48 hours (point)
• Reduced number of users with administrative privileges (point)
Fuzzy math: implementing security baselines helps address 3.5 out of 5 of these SANS controls

Qualys “Top 4 Controls”
• Application Whitelisting (IE whitelisting enforced, Windows Firewall on, but not AppLocker – quarter point)
• Application Patching (Microsoft software – quarter point)
• OS Patching (point)
• User Privileges (point)
Fuzzy math: implementing security baselines addresses 2.5 out of 4 of the Qualys controls

Page 15: Securing your Windows Network with the Microsoft Security Baselines

Enterprise-wide adoption of Microsoft’s security baselines requires the use of Group Policy

• Group Policy is a centralized configuration management tool for Windows environments and is a component of Active Directory Domain Services (AD DS)
• Settings are stored in containers known as Group Policy Objects (GPOs), which can be applied to computers, users, or both
• To assign a GPO to computers/users, an administrator “links” the GPO either to the root of the domain, an Organizational Unit (OU), or an AD DS Site. When a GPO is linked, its settings will apply to the computers/users within the relevant portion of the directory
• More on this in a bit…

Page 16: Securing your Windows Network with the Microsoft Security Baselines

Security baselines should be implemented whenever a new server is built

• Implementation of security baselines is especially important when:
  • Working in an industry subject to regulations (PCI, HIPAA, etc.)
  • Working in an environment that would be considered “high value” for attackers/hackers
  • Building a system that is accessed over the Internet
  • Building a system that would be considered “core” from a security perspective (e.g., Active Directory Domain Services, Active Directory Federation Services, etc.)
• If you are working with a modern application, chances are that it will function just fine with the security baseline
  • Policy exceptions may be necessary when a service account needs elevated privileges. NBD.
• No access to Group Policy Management? The security baselines can be exported from SCM and then imported on a Windows system using local policy
  • This approach is also useful for systems in a perimeter network (DMZ)
  • Any settings pushed via Group Policy will overwrite local policy, so any GPOs that conflict with the security baseline applied to local policy will “win”

Page 17: Securing your Windows Network with the Microsoft Security Baselines

Security baselines should also be applied to workstations… with some cautions

• Security baselines are more likely to negatively affect users when applied to workstations
  • Careful testing and change control processes are required ahead of deployment
• Executive sponsorship is critical
  • Need a “security decision maker” for times when an exception to the baseline needs to be made
  • When a change needs to be made, communicate with this person in terms of the vulnerability, its severity, its compensating control, the change that is being proposed to the compensating control, why the change needs to be made, and who needs to receive the change (e.g., all users, or just some?)
  • The executive sponsor should communicate the changes to IT staff (rationale behind the implementation, what to expect, etc.)
• Set expectations with users
  • It’s important that users understand that Windows, Internet Explorer, and Microsoft Office will not behave the same after the security baselines are applied
  • Unless extreme amounts of testing have been performed, it is likely that users will encounter an issue that disrupts their ability to work
  • Business and IT should work together on the communications to users and change management
  • Ensure that users can quickly get support for issues related to the implementation. Prioritize issues as they come in and provide status updates to users frequently
• The time to implement, test, and remediate issues is non-trivial
  • ~320-400 consultant-hours on a recent project
• Do not implement without a comprehensive application inventory

Page 18: Securing your Windows Network with the Microsoft Security Baselines

Get an Inventory
• Introduction to Inventory Tools

Page 19: Securing your Windows Network with the Microsoft Security Baselines

You need a solid application and business website inventory before you start

• Application Compatibility Toolkit 6.1 (Windows Assessment and Deployment Kit “8.1 Update”)
  • Inventory of applications
  • Inventory of websites (kind of…)
  • Application compatibility issues
  • Website compatibility issues (kind of…)
• Enterprise Site Discovery Toolkit for Internet Explorer 11
  • Inventories of websites: URLs, domains, ActiveX controls, # of visits, etc.
  • Website compatibility issues (kind of…)
  • Requires users to be using Internet Explorer 11
• AppLocker in “Audit Mode”
  • Will log events against a single PC; you will need to set up event collection & forwarding to aggregate from multiple PCs
  • Cannot inventory websites or identify their compatibility issues
  • Very limited identification of application compatibility issues
• System Center Configuration Manager (ConfigMgr)
  • Can inventory applications, but not websites
  • Cannot identify compatibility issues
• Windows Intune
  • Can inventory applications, but not websites
  • Cannot identify compatibility issues
• WMP Inventory Script
  • Can inventory applications, but not websites
  • Cannot identify compatibility issues

Page 20: Securing your Windows Network with the Microsoft Security Baselines

ACT Demo
• Creating Data Collection Packages
• Using Compatibility Monitor
• Information Gathered by ACT
• Example Compatibility Problem

Page 21: Securing your Windows Network with the Microsoft Security Baselines


After installing ACT, create one or more data-collection packages

Page 22: Securing your Windows Network with the Microsoft Security Baselines


Set up a testing workstation that has Compatibility Monitor already running

Page 23: Securing your Windows Network with the Microsoft Security Baselines

ACT gathers and tracks lots of useful information
• Application Vendor, Name, and Version
• Assessment Tracking: Vendor, Community, and User Assessment
• Detected Compatibility Issues
• Also indicates the number of computers, and number of versions of each program

Page 24: Securing your Windows Network with the Microsoft Security Baselines


ACT will show issues with UAC or session isolation to focus testing efforts

Page 25: Securing your Windows Network with the Microsoft Security Baselines

Get the Baselines
• Introduction to Security Compliance Manager

Page 26: Securing your Windows Network with the Microsoft Security Baselines

Security Compliance Manager (SCM) 3.0 allows us to work with the Microsoft security baselines

• Microsoft’s database of pre-canned security baselines
• Automatic updates
• Allows export in a variety of formats
• Version support for:
  • Windows XP – Windows 8.1
  • Windows Server 2003 – Windows Server 2012 R2
  • Internet Explorer 8 – Internet Explorer 11
  • Office 2007 – 2013
  • Exchange 2007 – 2010
  • SQL Server 2012
• No support (as of Feb 20, 2015) for:
  • Windows 10 / Windows Server vNext
  • Internet Explorer 12
  • Office 2015/2016
  • …bummer. Best bet: use the next-closest version as a proxy until the baseline is released.

Page 27: Securing your Windows Network with the Microsoft Security Baselines

SCM Demo
• Navigating SCM
• Exporting baselines

Page 28: Securing your Windows Network with the Microsoft Security Baselines


A comprehensive list of baselines is available via a built-in check for updates

Page 29: Securing your Windows Network with the Microsoft Security Baselines


Focus your initial implementation on the lower risk compensating controls that Microsoft defined in the security baseline


Page 31: Securing your Windows Network with the Microsoft Security Baselines

With a baseline selected, many options appear on the right side.
• Almost always want to export to GPO Backup (folder)
• Compare / Merge is interesting, too
• Do not duplicate or modify baselines in SCM

Page 32: Securing your Windows Network with the Microsoft Security Baselines


Exported baselines show up in the designated folder as GUIDs for import.

Page 33: Securing your Windows Network with the Microsoft Security Baselines

Apply the First Baseline to Active Directory
• Build an OU Structure That Makes Sense
• Import the Baseline to Active Directory (Demo)
• Create a WMI Filter (Demo)
• Apply the GPO to Active Directory (Demo)

Page 34: Securing your Windows Network with the Microsoft Security Baselines

Build an OU structure that makes sense for your organization

• Organizational Units (OUs) should be created to serve three purposes:
  • Forming the structure by which rights can be delegated to subordinate administrators
  • Forming the structure by which Group Policies are most often applied
  • Organization, for organization’s sake

Not going to cut it!

Page 35: Securing your Windows Network with the Microsoft Security Baselines

Build an OU structure that makes sense for your organization

• Unless you have separate AD forests for test/dev, create top-level OUs that represent each stage of development.
• Keep everyone in “prod” unless they are directly involved in test/dev of Group Policy / security baselines.

Page 36: Securing your Windows Network with the Microsoft Security Baselines

Build an OU structure that makes sense for your organization

• Unless you have separate AD forests for test/dev, create top-level OUs that represent each stage of development.
• Keep everyone in “prod” unless they are directly involved in test/dev of Group Policy / security baselines.
• Create additional OUs, primarily for delegated administration

Page 37: Securing your Windows Network with the Microsoft Security Baselines

Build an OU structure that makes sense for your organization

• Unless you have separate AD forests for test/dev, create top-level OUs that represent each stage of development.
• Keep everyone in “prod” unless they are directly involved in test/dev of Group Policy / security baselines.
• Create additional OUs, primarily for delegated administration
• Separate workstations from servers; users from admins

Page 38: Securing your Windows Network with the Microsoft Security Baselines

Import baselines as they come from Microsoft without modifications

• Start by creating an empty GPO
• Name it so that you can easily tie it to the name of the baseline in SCM

Page 39: Securing your Windows Network with the Microsoft Security Baselines

Import baselines as they come from Microsoft without modifications

• Next, right-click on the empty GPO and click Import Settings.
• You might be tempted to click Restore from Backup. Don’t; it will not work.

Page 40: Securing your Windows Network with the Microsoft Security Baselines

Import baselines as they come from Microsoft without modifications

• Choose the same folder that you backed up the baselines to (the one that contained all the GUID folders…)

Page 41: Securing your Windows Network with the Microsoft Security Baselines

Import baselines as they come from Microsoft without modifications

• Select the intended baseline

Page 42: Securing your Windows Network with the Microsoft Security Baselines

With the baseline imported, it’s time to apply it. Use WMI filters to ensure that the baselines are applied to the intended environment

• In our OU structure, we did not separate Windows 10 computers from Windows 7 computers. Yet we need to ensure that Windows 10 policies are only applied to Windows 10 systems, etc…
• This is possible using WMI Filtering
  • Allows an administrator to write a structured query to limit whether or not a GPO’s settings are applied to a given user/object.
  • For example, an administrator may want to limit a given GPO such that it is applied only to Windows Server 2012 R2 domain controllers – this can be achieved using a WMI Filter and corresponding structured query:
    Select * from Win32_OperatingSystem Where Version like "6.3%" and ProductType = "2"
• Other useful WMI filters:
  • Computers Running IE 11:
    SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version like "11.%"
  • Windows 10 and Windows Server vNext Systems:
    Select * from Win32_OperatingSystem Where Version like "6.4%" or Version like "10.0%"
  • Windows 10, Only:
    Select * from Win32_OperatingSystem Where (Version like "6.4%" or Version like "10.0%") and ProductType = "1"
• WMI filtering is not necessary for Microsoft Office
  • Office 2013 settings are stored in registry keys separate from Office 2010, etc. This allows different versions’ settings to co-exist on the same computer without issue
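A WMI filter passes when its query returns at least one instance, so the cheapest check before linking a baseline is to run the deck's queries against a candidate computer and see which ones match. The script below is an added example, not code from the deck; the function names and the report layout are mine, and the query strings are the deck's with straight quotes.

```powershell
# Added example; not code from the deck. Evaluates the deck's four WMI filter
# queries the way Group Policy does (the filter passes when the query returns
# one or more instances), so a filter can be verified before it is linked.
$WmiFilters = [ordered]@{
    'Windows Server 2012 R2 domain controllers' =
        'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType = "2"'
    'Computers running IE 11' =
        'SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version LIKE "11.%"'
    'Windows 10 and Windows Server vNext' =
        'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.4%" OR Version LIKE "10.0%"'
    'Windows 10 only' =
        'SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "6.4%" OR Version LIKE "10.0%") AND ProductType = "1"'
}

function Test-WmiFilterQuery {
    # Hypothetical helper (not from the deck): $true when the WQL query yields at
    # least one instance, which is the pass condition GPMC applies to a WMI
    # filter. Without -ComputerName the local machine is queried.
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName
    )
    $cimArgs = @{ Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }
    $hits = @(Get-CimInstance @cimArgs)
    return ($hits.Count -gt 0)
}

function Get-WmiFilterReport {
    # One row per filter. The CIM_DataFile query enumerates files, so expect it
    # to be the slow one on a large disk.
    param([string]$ComputerName)
    foreach ($name in $WmiFilters.Keys) {
        try {
            $applies = Test-WmiFilterQuery -Query $WmiFilters[$name] -ComputerName $ComputerName
        } catch {
            $applies = "ERROR: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Filter = $name; Applies = $applies }
    }
}

# Show what the filters see on this computer, then the verdict for each one.
$os = Get-CimInstance Win32_OperatingSystem
'{0}: Version={1} ProductType={2} (1=workstation, 2=domain controller, 3=server)' -f $env:COMPUTERNAME, $os.Version, $os.ProductType
Get-WmiFilterReport | Format-Table -AutoSize
```

Run it on one representative machine per OS family that the filter is meant to include and on one it is meant to exclude; a Windows 10 workstation should report $true for the last two filters only.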

Page 43: Securing your Windows Network with the Microsoft Security Baselines


Create your WMI Filter for Windows 10…

Page 44: Securing your Windows Network with the Microsoft Security Baselines


… and with your baseline selected, you can apply your new WMI filter

Page 45: Securing your Windows Network with the Microsoft Security Baselines

Finally, link the security baseline to the OU containing your workstations or users (depending on the baseline you are deploying…)

• Because of Group Policy inheritance, objects in child OUs will automatically inherit the policies applied to their parent…
• …unless someone blocked inheritance. Find that person and hit them on the head.

Page 46: Securing your Windows Network with the Microsoft Security Baselines

Managing the Implementation
• Issues Likely to Encounter After Implementation
• Troubleshooting User-Reported Problems (Demo)
• Security Baseline “Overrides” (Demo)
• Group Policy Precedence: Overview
• Requesting Review and Approval from a Security Decision Maker (Demo)
• Decreasing Time-to-Implement Through Scripting

Page 47: Securing your Windows Network with the Microsoft Security Baselines

With the baseline implemented, you are going to need to address some issues…

• Applications that require admin privileges
  • Can attempt to shim them, or use application virtualization (App-V)
  • Can deploy dual credentials (flesniak and admin.flesniak)
• User Downloads
  • All downloads are blocked by default
• Website Whitelisting
  • GPO length limitation – build a script to write to: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • Consider local whitelist in addition to global whitelist to allow one-offs
• FIPS-Compliance
  • Microsoft does not include this in security baselines anymore
  • BitLocker on Windows 7; Intuit TurboTax
• BitLocker – Backup of Recovery Keys to AD
  • Security baseline requires PKI-based recovery agent and blocks backup to AD by default
• Outlook
  • Internet hyperlinks in Outlook
  • Plain text email (default view; default authoring mode)
  • Office 365 – requires anonymous authentication and the use of saved passwords
  • Outlook 2007 and 2010 baseline – requires digital signature (purchased from public CA)
• Workstation Imaging
  • Automatic logon blocked, UAC applied to Administrator account

Page 48: Securing your Windows Network with the Microsoft Security Baselines

I applied the baseline and something broke! How do I fix it?

• Website problem? Try ActiveX filtering

Page 49: Securing your Windows Network with the Microsoft Security Baselines


Several websites will need to be “opted-in” by users due to ActiveX filtering.

Page 50: Securing your Windows Network with the Microsoft Security Baselines

I applied the baseline and something broke! How do I fix it?

• Website problem? Try ActiveX filtering
  • Review, then add to Trusted Sites zone if appropriate
    • Executable file download locations must be in Trusted Sites
    • Trusted Sites disables protected mode, which allows 32-bit only ActiveX controls to load on a 64-bit OS running IE 11

Page 51: Securing your Windows Network with the Microsoft Security Baselines


Follow the GUI, or write trusted sites using a script to: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
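The scripted route the deck refers to (here and under “Website Whitelisting” above) writes Trusted Sites entries straight to the policy ZoneMap key. The script below is an added example, not the deck's or West Monroe's own script: the function names, the sample whitelist and the assumption that every host has a two-label registrable domain (example.com, not example.co.uk) are mine. It needs an elevated session, and -WhatIf previews the writes.

```powershell
# Added example; not code from the deck. Assigns sites to the Trusted Sites zone
# by writing the policy ZoneMap layout directly:
#   ...\ZoneMap\Domains\<domain>[\<subdomain>]  value <scheme or *> = <zone>
$ZoneMapPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$TrustedSitesZone = 2   # IE zone numbers: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted

function ConvertTo-ZoneMapLocation {
    # Hypothetical helper: maps "https://www.example.com" or "*.example.com" to the
    # registry key and value name ZoneMap uses. Assumes a two-label registrable
    # domain; adjust for suffixes such as co.uk.
    param([Parameter(Mandatory)][string]$Site)
    $scheme = '*'
    $hostName = $Site
    if ($Site -match '^(?<scheme>https?)://(?<host>[^/]+)') {
        $scheme   = $Matches['scheme']
        $hostName = $Matches['host']
    }
    $labels = $hostName.TrimStart('*').TrimStart('.').Split('.')
    if ($labels.Count -lt 2) { throw "'$Site' must contain at least a second-level domain" }
    $domain   = $labels[-2..-1] -join '.'
    $relative = "Domains\$domain"
    if ($labels.Count -gt 2) {
        # Deeper hosts become a single subkey, e.g. Domains\example.com\a.b
        $relative += '\' + ($labels[0..($labels.Count - 3)] -join '.')
    }
    [pscustomobject]@{ KeyPath = Join-Path $ZoneMapPolicy $relative; Scheme = $scheme }
}

function Add-TrustedSiteEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Site,
        [int]$Zone = $TrustedSitesZone
    )
    process {
        $loc = ConvertTo-ZoneMapLocation -Site $Site
        if ($PSCmdlet.ShouldProcess("$($loc.KeyPath) [$($loc.Scheme)]", "Assign to zone $Zone")) {
            if (-not (Test-Path $loc.KeyPath)) { New-Item -Path $loc.KeyPath -Force | Out-Null }
            New-ItemProperty -Path $loc.KeyPath -Name $loc.Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-TrustedSiteEntry {
    # Reads back every host/scheme assigned under the policy ZoneMap so the
    # whitelist can be reviewed (the deck: review, then add if appropriate).
    $root = Join-Path $ZoneMapPolicy 'Domains'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key   = $_
        $parts = ($key.Name -replace '^.*\\Domains\\', '').Split('\')
        $hostName = if ($parts.Count -eq 2) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{ Host = $hostName; Scheme = $valueName; Zone = $key.GetValue($valueName) }
        }
    }
}

# Constructed sample whitelist; replace with your reviewed list.
$Whitelist = @(
    'https://intranet.example.com'      # specific host, HTTPS only
    'https://downloads.example.com'     # executable download locations must be Trusted Sites
    '*.example.net'                     # whole domain, any scheme
)
$Whitelist | Add-TrustedSiteEntry -WhatIf     # drop -WhatIf to apply
Get-TrustedSiteEntry | Format-Table -AutoSize
```

Because Trusted Sites turns off protected mode for those hosts, keep the list to sites that were actually reviewed, and prefer the https form over "*" so a plain-http lookalike does not inherit the trust.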

Page 52: Securing your Windows Network with the Microsoft Security Baselines

I applied the baseline and something broke! How do I fix it?

• Website problem? Try ActiveX filtering
  • Review, then add to Trusted Sites zone if appropriate
    • Executable file download locations must be in Trusted Sites
    • Trusted Sites disables protected mode, which allows 32-bit only ActiveX controls to load on a 64-bit OS running IE 11
  • Compatibility view

Page 53: Securing your Windows Network with the Microsoft Security Baselines


Follow the GUI, or use the Group Policy setting “Use Policy List of Internet Explorer 7 sites”

Page 54: Securing your Windows Network with the Microsoft Security Baselines

I applied the baseline and something broke! How do I fix it?

• Website problem? Try ActiveX filtering
  • Review, then add to Trusted Sites zone if appropriate
    • Executable file download locations must be in Trusted Sites
    • Trusted Sites disables protected mode, which allows 32-bit only ActiveX controls to load on a 64-bit OS running IE 11
  • Compatibility view
  • …or a combination of these?
• Application problem? SysInternals Process Monitor (Procmon) is your friend. Fire it up, reproduce the problem, then stop recording. Look for RegReads happening in HKLM\SOFTWARE\Policies or HKCU\SOFTWARE\Policies

Page 55: Securing your Windows Network with the Microsoft Security Baselines


After you reproduce the problem, use Process Monitor to find a suspect registry entry…

Page 56: Securing your Windows Network with the Microsoft Security Baselines


…then, use Process Monitor to jump to the registry value. Make note of its “data” field…

Page 57: Securing your Windows Network with the Microsoft Security Baselines

I applied the baseline and something broke! How do I fix it?

• Website problem? Try ActiveX filtering
  • Review, then add to Trusted Sites zone if appropriate
    • Executable file download locations must be in Trusted Sites
    • Trusted Sites disables protected mode, which allows 32-bit only ActiveX controls to load on a 64-bit OS running IE 11
  • Compatibility view
  • …or a combination of these?
• Application problem? SysInternals Process Monitor (Procmon) is your friend. Fire it up, reproduce the problem, then stop recording. Look for RegQueryValue happening in HKLM\SOFTWARE\Policies or HKCU\SOFTWARE\Policies
  • Google the registry key – you are bound to find a reference to a relevant setting


Page 59: Securing your Windows Network with the Microsoft Security Baselines


I applied the baseline and something broke! How do I fix it? (continued)

Application problem, continued:
• Google the registry key: you are bound to find a reference to the relevant Group Policy setting
• You can also look for "ACCESS DENIED" results in the Procmon trace, or for audit failures in the Windows Security event log
• Stuck? Ask for help!

Once you find the relevant setting, it's time to test it:
• Don't change the baseline GPO that you imported from SCM
• Instead, create an "override" GPO!
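The Procmon triage described above can be scripted against a saved trace. The following PowerShell is an added example, not code from the deck or from Sysinternals: it filters a Procmon CSV export (a constructed sample is embedded) for RegQueryValue reads under the Policies hives and for ACCESS DENIED results, then searches the local ADMX files for the value name to identify the Administrative Template setting that writes it, instead of googling the key. The CSV columns match a real Procmon export; the process name, paths and the DisableMSI value are assumptions. The ADMX lookup only covers registry-based Administrative Template settings; security settings such as user rights, audit policy or account policy are not in ADMX and will not be found this way.

```powershell
# Added example (not from the original deck or from Sysinternals): triage a saved
# Process Monitor trace for Group Policy-driven failures, then look each suspect
# registry value up in the local ADMX files to name the policy setting behind it.
#
# Assumptions: the trace was saved with File > Save... > CSV in Procmon, and
# %WINDIR%\PolicyDefinitions holds the ADMX files for this OS. The sample rows,
# process name, paths and the DisableMSI value below are constructed.

$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","app.exe","4120","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.2","app.exe","4120","RegQueryValue","HKCU\Software\Vendor\App\Theme","NAME NOT FOUND","Length: 144"
"10:01:02.3","app.exe","4120","CreateFile","C:\ProgramData\Vendor\App\cache.db","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4","app.exe","4120","RegQueryValue","HKLM\SOFTWARE\Vendor\App\Version","SUCCESS","Type: REG_SZ, Length: 8, Data: 1.2"
'@

function Get-PolicySuspects {
    # Returns the trace rows worth a second look: registry reads under the Policies
    # hives (where registry-based Group Policy lands) and any ACCESS DENIED result.
    param([Parameter(Mandatory)][string]$CsvText)
    $CsvText | ConvertFrom-Csv | Where-Object {
        ($_.Operation -eq 'RegQueryValue' -and $_.Path -match '^HK(LM|CU)\\SOFTWARE\\Policies\\') -or
        $_.Result -eq 'ACCESS DENIED'
    } | Select-Object 'Process Name', Operation, Path, Result, Detail
}

function Find-AdmxSetting {
    # Splits "HKLM\SOFTWARE\Policies\...\Key\ValueName" into the key (ADMX files omit the
    # hive) and the value name, then searches the ADMX files for a policy that uses both.
    # Only Administrative Template settings are ADMX-backed; security settings
    # (user rights, audit policy, account policy) will not be found this way.
    param(
        [Parameter(Mandatory)][string]$RegistryPath,
        [string]$PolicyDefinitions = "$env:WINDIR\PolicyDefinitions"
    )
    $parts     = $RegistryPath -split '\\'
    $valueName = $parts[-1]
    $key       = $parts[1..($parts.Length - 2)] -join '\'
    Get-ChildItem -Path $PolicyDefinitions -Filter *.admx -ErrorAction SilentlyContinue |
        Select-String -Pattern ('valueName="{0}"' -f [regex]::Escape($valueName)) |
        Where-Object { (Get-Content -Path $_.Path -Raw) -match [regex]::Escape($key) } |
        ForEach-Object {
            [pscustomobject]@{ Admx = $_.Filename; Line = $_.LineNumber; Match = $_.Line.Trim() }
        }
}

# Usage: list the suspects, then resolve each Policies read to its ADMX definition.
$suspects = Get-PolicySuspects -CsvText $sampleCsv
$suspects | Format-Table -AutoSize
$suspects | Where-Object { $_.Operation -eq 'RegQueryValue' } |
    ForEach-Object { Find-AdmxSetting -RegistryPath $_.Path } | Format-Table -AutoSize
```

With the sample trace, Get-PolicySuspects returns the DisableMSI read and the ACCESS DENIED file write; the vendor's own registry keys are ignored because they are not policy-controlled. A hit from Find-AdmxSetting gives you the ADMX file and policy element, which is the name you look for in Group Policy Management when building the override.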

Page 60: Securing your Windows Network with the Microsoft Security Baselines


Now that you have identified the setting, you must implement it in Group Policy

Leave the original baseline alone; create a separate GPO for any setting that deviates from, or is not configured by, the baseline:
• Changes and updates can then be tracked and applied independently of other GPO settings
• Encapsulation and separation simplify change control and test procedures (a change in a business requirement or in the justification for a setting -> a change in the corresponding GPO)
• Microsoft periodically releases new baselines; keeping the original baseline untouched lets the new version be dropped in
• Exceptions to the security baseline become self-evident and self-documenting
• This process will be known as overriding a security baseline setting

When overrides are necessary, store comments in the GPO to document the purpose of the override, who approved it, and the date it was last reviewed. Your client should review the list of overrides periodically to ensure they remain appropriate for their environment.

Page 61: Securing your Windows Network with the Microsoft Security Baselines


Implement your “override” in its own GPO and keep good documentation for future audits


Page 63: Securing your Windows Network with the Microsoft Security Baselines


Group Policy precedence allows us to purposely apply conflicting settings to a computer (original baseline + override) with an expected result (override wins)

Precedence defines the order in which Group Policy settings are evaluated. If a GPO with higher precedence implements a setting that conflicts with a GPO of lower precedence, the higher-precedence GPO's value is used. When considering precedence, several rules apply:
• A GPO linked directly to a child OU has a higher precedence than a GPO inherited from a parent OU
• Within the root of the domain, a given OU, or an AD site, the link order of the GPOs dictates their precedence. A lower-numbered link order equates to a higher GPO precedence

Page 64: Securing your Windows Network with the Microsoft Security Baselines


Within a given OU, give the override GPO a lower link-order number than the baseline so that it has the higher precedence

Page 65: Securing your Windows Network with the Microsoft Security Baselines


Group Policy precedence allows us to purposely apply conflicting settings to a computer (original baseline + override) with an expected result (override wins) (continued)

More precedence rules:
• GPOs linked to OUs have a higher precedence than GPOs linked to the domain
• GPOs linked to the domain have a higher precedence than GPOs linked to the site
• GPO links can be "enforced". An enforced GPO link has the highest precedence of all (including over GPOs applied to subordinate OUs), and enforcement also bypasses the blocking of GPO inheritance. Find the person that enforced a GPO link and hit them on the head*!

As one might imagine from reading these rules, GPO precedence can become complex. An administrator can always use the Group Policy Inheritance tab in Group Policy Management (or another Resultant Set of Policy (RSoP) tool) to model the effective Group Policy settings that would apply to a given computer or user.

* There are good reasons to enforce certain types of policies… but I will not cover these in this presentation. 99% of the time I see policy enforcement, it makes life more difficult.
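As an added example that covers both the override-GPO approach (leave the baseline untouched, document the exception inside the GPO) and the precedence rules above, here is the override implemented with the GroupPolicy module. This is not code from the deck or from Microsoft. The OU, the GPO names, the ticket and approver text, and the overridden Windows Installer value are stand-ins chosen for illustration. The inheritance check near the end is there because an enforced link beats every non-enforced link: if someone has enforced the baseline's link, the override loses no matter what its link order is.

```powershell
# Added example (not from the original deck or from Microsoft): implement a baseline
# override as its own GPO, document it in the GPO comment, link it above the
# baseline in the OU, and verify the resulting precedence. Requires the GroupPolicy
# RSAT module and rights to create and link GPOs in the domain.
# The OU, the GPO names, the ticket/approver text and the overridden Windows
# Installer value are assumptions made for illustration.
Import-Module GroupPolicy

$ou          = 'OU=Workstations,DC=corp,DC=example'                  # assumed target OU
$overrideGpo = 'Override - Workstations - Allow Windows Installer'   # assumed naming convention

# 1. The override documents itself: purpose, approver, review date (what the deck asks for).
$comment = @"
OVERRIDE of baseline setting: Windows Components > Windows Installer > Turn off Windows Installer
Reason: line-of-business app self-repairs through MSI at launch (ticket 1234, assumed)
Approved by: security decision maker (name), 2015-08-01
Last reviewed: 2015-08-01
"@
New-GPO -Name $overrideGpo -Comment $comment | Out-Null

# 2. Put only the deviating value in the override. The SCM-imported baseline GPO is not touched.
#    (Illustrative value: DisableMSI = 0 is the policy's "Never" option.)
Set-GPRegistryValue -Name $overrideGpo `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer' `
    -ValueName 'DisableMSI' -Type DWord -Value 0 | Out-Null

# 3. Link it to the same OU as the baseline at link order 1: a lower link-order number
#    is higher precedence, so on a conflict the override wins. Do not enforce it.
New-GPLink -Name $overrideGpo -Target $ou -LinkEnabled Yes -Order 1 | Out-Null

# 4. Check the effective order for the OU. Every override should sit above the baseline
#    and nothing should show Enforced=True: an enforced link beats all non-enforced links,
#    so an enforced baseline link would silently defeat the override whatever its order.
Get-GPInheritance -Target $ou | Select-Object -ExpandProperty GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 5. Produce the override list for the periodic review, with the stored justification.
Get-GPO -All | Where-Object { $_.DisplayName -like 'Override - *' } |
    Select-Object DisplayName, ModificationTime, Description | Format-List

# 6. Confirm on a test machine with RSoP and read the report (computer name assumed).
Get-GPResultantSetOfPolicy -Computer 'WS01' -ReportType Html -Path "$env:TEMP\rsop-ws01.html"
```

The naming convention does the work in step 5: because every exception lives in a GPO whose name starts with "Override - " and whose comment carries the approval record, listing the overrides for the client's periodic review is one command rather than an archaeology exercise through the baseline GPO.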

Page 66: Securing your Windows Network with the Microsoft Security Baselines


Have your security decision maker review the setting change after you successfully test it

Once the override is implemented and tested successfully, your "security decision maker" should review:
• The vulnerability
• The vulnerability severity
• The countermeasure (setting) originally in the baseline
• The impact of having the countermeasure implemented
• What the proposed change is and why a change is proposed
• The scope of the change (e.g., are all users receiving the change, or just some?)

Pull these data points directly from Security Compliance Manager!

Page 67: Securing your Windows Network with the Microsoft Security Baselines


You can easily pull vulnerability information from SCM

Page 68: Securing your Windows Network with the Microsoft Security Baselines


Sample email to “security decision-maker”

Page 69: Securing your Windows Network with the Microsoft Security Baselines


Don't ignore learnings from previous engagements. Use import/export tools to speed up your security baseline implementation

Many of our clients have similar requirements (e.g., the use of BitLocker without a PKI recovery agent)

Instead of starting from scratch at each client, we can export (back up) GPOs from an environment already configured with the baselines…
https://gallery.technet.microsoft.com/scriptcenter/Comprehensive-Group-Policy-5f9d3ea6

…and then import the baselines into the new environment
https://gallery.technet.microsoft.com/scriptcenter/Comprehensive-Group-Policy-212562cb
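The export/import step, as an added example that uses the built-in Backup-GPO and Import-GPO cmdlets rather than the gallery scripts linked above; this is not code from the deck or from those scripts. The backup path, the naming convention used to select GPOs, the migration table and the link target are assumptions. Two caveats a practitioner will hit: Import-GPO restores settings only, so links and security filtering have to be recreated in the new domain, and anything that carries a SID or UNC path from the source domain (security filtering groups, script paths) needs a migration table built in GPMC.

```powershell
# Added example (not from the original deck or the Technet gallery scripts it links):
# export the baseline and override GPOs from a reference environment and import them
# into a new one with the built-in Backup-GPO / Import-GPO cmdlets.
# Backup path, the name patterns used to pick GPOs, the migration table and the
# link target are assumptions.
Import-Module GroupPolicy

$backupPath = 'C:\GPO-Backups\baselines'   # assumed; use storage only admins can write to

function Export-BaselineGpos {
    param([string]$Path = $backupPath)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # SCM baselines and our overrides, selected by naming convention (assumed).
    $gpos = Get-GPO -All | Where-Object { $_.DisplayName -like 'MSFT *' -or $_.DisplayName -like 'Override - *' }
    $backups = foreach ($g in $gpos) {
        Backup-GPO -Guid $g.Id -Path $Path -Comment "Exported $(Get-Date -Format s)"
    }
    # A manifest of display names keeps the import side name-based.
    $backups | ForEach-Object { $_.DisplayName } | Set-Content -Path (Join-Path $Path 'manifest.txt')
    $backups
}

function Import-BaselineGpos {
    param(
        [string]$Path = $backupPath,
        [string]$MigrationTable,   # optional .migtable built in GPMC: rewrites source-domain SIDs and UNC paths
        [string]$LinkTarget        # optional OU distinguished name to link the imported GPOs to
    )
    foreach ($name in (Get-Content -Path (Join-Path $Path 'manifest.txt'))) {
        $importArgs = @{ BackupGpoName = $name; TargetName = $name; Path = $Path; CreateIfNeeded = $true }
        if ($MigrationTable) { $importArgs['MigrationTable'] = $MigrationTable }
        $gpo = Import-GPO @importArgs
        # Import-GPO restores settings only. Links and security filtering must be recreated;
        # overrides go to link order 1 so they keep beating the baseline in the new domain.
        if ($LinkTarget) {
            $linkArgs = @{ Name = $gpo.DisplayName; Target = $LinkTarget; LinkEnabled = 'Yes' }
            if ($name -like 'Override - *') { $linkArgs['Order'] = 1 }
            New-GPLink @linkArgs | Out-Null
        }
        $gpo
    }
}

# Reference environment:
#   Export-BaselineGpos
# New environment (migration table and OU are assumptions):
#   Import-BaselineGpos -MigrationTable 'C:\GPO-Backups\corp-to-client.migtable' -LinkTarget 'OU=Workstations,DC=client,DC=example'
```

Treat the backup folder as something you have to trust: whoever can modify it can change the settings applied to every machine the imported GPOs get linked to, so keep it on admin-only storage and review the imported GPOs' settings reports before linking them in production.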

Page 70: Securing your Windows Network with the Microsoft Security Baselines


Thanks! Connect with Frank Lesniak: twitter.com/franklesniak linkedin.com/in/flesniak flesniak <atsign> westmonroepartners.com