IT professionals everywhere strive to secure their network, but it can be a daunting task. Luckily, Microsoft provides some boilerplate templates to get you started.
In this session, Frank begins with an overview of the Microsoft Security Baselines: what they are and how they relate to the Center for Internet Security (CIS) Benchmarks, why Security Baselines matter (especially in PCI- or HIPAA-regulated environments), what to expect to change when implementing a baseline, when it is appropriate to implement a Microsoft Security Baseline, and what the success criteria for such a project should be.
Then it's time for the details: Frank explains how to inventory your systems, how to download the Microsoft Security Baselines, how to apply your first Baseline to Active Directory, and how to manage the implementation, including recommendations on how to make changes (or "overrides") to the Security Baselines from both a process standpoint and a technical standpoint (using Group Policy Management).
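As an added illustration of the "apply, then override" approach described above (example code, not from the session or from Microsoft), the following PowerShell imports a baseline GPO backup unchanged and places any deviations in a separate GPO linked with higher precedence. The backup folder, GPO names and OU distinguished name are placeholders.

```powershell
# Added example: import a Security Baseline GPO backup as-is and layer a
# separate "override" GPO above it, so the baseline itself is never edited
# and every deviation is visible in one place for review.
# Placeholders (adjust to your environment):
#   $BackupPath  - folder from the downloaded baseline package that holds the GPO backups
#   $BaselineGpo - name of the backed-up baseline GPO inside that folder
#   $TargetOu    - OU containing the pilot member servers
Import-Module GroupPolicy

$BackupPath  = 'C:\Baselines\GPOs'                         # placeholder
$BaselineGpo = 'MSFT Windows Server - Member Server'        # placeholder
$OverrideGpo = 'Baseline Overrides - Member Server'         # name chosen for this example
$TargetOu    = 'OU=Pilot Servers,DC=corp,DC=example'        # placeholder

# 1. Import the baseline exactly as shipped. Treat this GPO as read-only afterwards;
#    if it must change, re-import a newer baseline rather than editing it by hand.
Import-GPO -BackupGpoName $BaselineGpo -Path $BackupPath `
           -TargetName $BaselineGpo -CreateIfNeeded | Out-Null

# 2. Create an empty override GPO. Any setting that has to be relaxed for an
#    application is configured here, with the justification in the GPO comment.
if (-not (Get-GPO -Name $OverrideGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $OverrideGpo `
            -Comment 'Documented deviations from the Microsoft Security Baseline' | Out-Null
}

# 3. Link both GPOs to the pilot OU. The baseline is appended to the end of the
#    link list; the override GPO is inserted at order 1, and a lower link order
#    means higher precedence, so override settings win over baseline settings.
New-GPLink -Name $BaselineGpo -Target $TargetOu -LinkEnabled Yes | Out-Null
New-GPLink -Name $OverrideGpo -Target $TargetOu -LinkEnabled Yes -Order 1 | Out-Null

# 4. Produce an HTML report of the override GPO so reviewers see every deviation
#    from the baseline before the rollout proceeds beyond the pilot OU.
Get-GPOReport -Name $OverrideGpo -ReportType Html -Path "$env:TEMP\baseline-overrides.html"
```

New-GPLink fails if a link for the same GPO already exists on the OU, so run this once per OU or remove the existing links first.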
5. “There are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked” - Various
State sponsored: Stuxnet, Flame
Still need to limit ability to get in
But, will have a security breach eventually
Once in, limit -> layered approach, reduce attack surface, limit user privileges
[PC: Pop quiz question for the room: does anyone know why MS picked 42 days rather than 40 or 45?]
[PC: based on my review and comparison at Benihana, the MS member Server baseline includes all “scored” components of the CIS benchmark – is that not your experience?]
[FEL: good point. I revised this slide. Let me know what you think.]
Pop quiz: Does anyone know how Windows “knows” a file came from the internet?
If apps were 100% compatible -> no issues implementing baselines
Need to know what we’re dealing with
ACT – inventorying websites requires users to install a special agent on their system and turn it on proactively
Enterprise Site Discovery Toolkit – compatibility issues are collected indirectly, since it gathers document mode info, browser hang/crash/navigation failures, zone information, etc.
[PC: By “lower risk”, I assume you mean “lower risk of issues”? I think that’s OK, but in phase 1, IMO, you should also include high-impact settings that do things like limiting remote access, disabling unnecessary system services and other lateral-hacking vectors, since that will significantly restrict an intruder’s movement.]
[FEL: I clarified this slide – by “lower risk”, I meant that we should start by implementing the baseline as-is when you export it. In other words, don’t go out of your way during initial configuration to configure settings like the one in this screenshot that has “Not Defined” in the Microsoft column. While I’m sure that setting is a great idea, it’s better to get the initial baseline in place and tested, then circle back to the settings that Microsoft does not recommend implementing without extensive testing.]
[PC: intrigued by this one – what is “bad” about the certificate?]
[FEL: Honestly, this is a crappy example. This is showing ACT, which is not the best way to inventory website issues. Since I wrote this original deck, Microsoft released the Enterprise Site Discovery Toolkit, which seems to be much better suited for detecting issues. The main point that I wanted to get across on this slide is how to use ActiveX filtering.]