Securing your Windows Network with the Microsoft Security Baselines

Securing Your Windows Network
With the Microsoft Security Baselines

© 2015 West Monroe Partners | Reproduction and distribution without West Monroe Partners prior consent is prohibited.
Quick Introduction
Frank Lesniak
2

I. Security Baselines: Overview
II. Get an Inventory
III. Get the Baselines
IV. Apply the First Baseline to Active Directory
V. Managing the Implementation
Today’s Agenda
3

Security Baselines: Overview
4
 CIS Benchmarks vs. Microsoft Security Baselines
 Why Security Baselines are Important
 What to Expect to Change When Implementing a Baseline
 When it is Appropriate to Implement a Microsoft Security Baseline
 Project Success Criteria

“There are now only two types of
companies left in the United States:
those that have been hacked and
those that don’t know they’ve been
hacked” - Various
5

All IT systems have vulnerabilities (Manadhata & Wing, 2010)
 Known/current
 Unknown/future
You cannot make a system “hack-proof”
 Given infinite time, most IT systems can be hacked or decrypted (brute-force, massive
parallelism)
 Hackers/malware often have more resources than YourCorp (state-sponsored hacks,
toolkits)
Today’s threat landscape:
 We need to limit the ability for the bad guys to get in. However, the reality of today’s
threat landscape is that all systems will inevitably be attacked/compromised/hacked.
 Therefore, we need to consider IT security as a layered approach.
 Once the bad guys are “in”, we need to also limit what they can do.
 Don’t forget breach detection and response!
Take a layered approach to security. Limit your “attack surface” and reduce user
privileges.
6

 The Center for Internet Security (CIS) is a nonprofit organization that seeks to “enhance
the security readiness and response of public private sector entities, with a commitment
to excellence through collaboration.”
 CIS publishes consensus-based, secure configuration guidelines called CIS Benchmarks. To
quote CIS’s materials, the CIS Benchmarks seek to:
 be practical and prudent;
 provide a clear security benefit; and
 not inhibit the utility of the technology beyond acceptable means
 Benchmarks are available for Windows, Linux, Cisco, and other platforms
Enter the CIS Benchmarks: a “free” security layer to protect servers and
workstations!
7

Sample from CIS Benchmark for Windows Server 2012 R2 v1.0.0
8

9

10

 Microsoft security baselines are available within Microsoft’s Security Compliance Manager
(SCM) toolkit and are divided into groups of settings by product and logical function.
 For example, for Windows Server 2012 R2, SCM includes:
 Windows Server 2012 R2 Domain Controller Security Compliance baseline;
 Windows Server 2012 R2 Domain Security Compliance baseline; and,
 Windows Server 2012 R2 Member Server Security Compliance baseline
 You guessed it: they align with the CIS Benchmark “CIS Microsoft Windows Server 2012 R2 v1.0.0”
 Check yourself, lest you wreck yourself:
 Although CIS and Microsoft collaborate, it is possible for CIS to revise a Benchmark or for Microsoft to
revise a baseline without a corresponding revision by Microsoft / CIS
 Each baseline addresses dozens to hundreds of vulnerabilities. For each vulnerability, SCM
documents:
 the vulnerability’s severity
 its compensating control (labeled Countermeasure in SCM)
 risks to consider before implementing the compensating control (labeled Potential Impact in SCM)
 Microsoft includes additional vulnerabilities and compensating controls in its SCM toolkit, but
doesn’t implement the compensating controls that they consider high-risk (e.g., likely to have a
compatibility problem)
 For those settings not adopted, Microsoft recommends evaluating the risks to consider before
implementing the setting (“Potential Impact”), and conduct appropriate testing before
implementation
Microsoft collaborates with CIS in development of their baselines. Adopting them
should give you all of the “scored” CIS Benchmark settings.
11

 Enforce user privilege-limiting controls (UAC, session isolation)
 Disable code execution (ActiveX, Java) and downloads from non-whitelisted websites
 Applies whitelisting to explorer.exe; Windows “knows” when you download an executable on
another computer and bring it over on a flash drive
 Enforce the use of strong protocols/cryptographic algorithms over weak ones (or not
using one at all)
 e.g., users are prevented from accessing websites with certificate errors
 Enforce the use of security auditing, and define what should be audited
 Enforce the use of security mitigations (e.g., Internet Explorer protected mode)
 Limit user privileges (Windows rights assignment)
 Enforce strong passwords (14-character, complex) and PW policies (expiration, lockout)
 Enable the Windows Firewall and enforce logging
 Windows 8/8.1/10: prevent sign-in with Microsoft accounts and access to the Store
 You can still link a Microsoft account to a corporate account
 Enforce macro security in Microsoft Office
 In some cases, this means disabling macros and add-ins altogether… more on this later.
 Outlook: enable the junk mail filter; author and open emails in plain text mode by default
 Enforce miscellaneous “leading practices”
The Microsoft security baselines include lots of good security stuff:
13

 SANS Critical Security Controls “First Five Quick Wins”
 Application whitelisting (IE whitelisting enforced, Windows Firewall on, but not AppLocker –
quarter point)
 Use of standard, secure system configurations (point)
 Patch application software within 48 hours (Microsoft software - quarter point)
 Patch system software within 48 hours (point)
 Reduced number of users with administrative privileges (point)
Fuzzy math: Implementing security baselines help address 3.5 out of 5 of these SANS controls
 Qualys “Top 4 Controls”
 Application Whitelisting (IE whitelisting enforced, Windows Firewall on, but not AppLocker –
quarter point)
 Application Patching (Microsoft software – quarter point)
 OS Patching (point)
 User Privileges (point)
Fuzzy math: Implementing security baselines addresses 2.5 out of 4 of the Qualys controls
In case you’re still not convinced that this is a good idea, deploying security
baselines also upholds modern IT security frameworks
14

 Group Policy is a centralized configuration management tool for Windows environments
and is a component of Active Directory Domain Services (AD DS)
 Settings are stored in containers known as Group Policy Objects (GPOs), which can be
applied to either computers, users, or both
 To assign a GPO to computers/users, an administrator “links” the GPO either to the root of
the domain, an Organizational Unit (OU), or an AD DS Site. When a GPO is linked, its
settings will apply to the computers/users within the relevant portion of the directory
 More on this in a bit…
Enterprise-wide adoption of Microsoft’s security baselines requires the use of
Group Policy
15

 Implementation of security baselines is especially important when:
 Working in an industry subject to regulations (PCI, HIPAA, etc.)
 Working in an environment that would be considered “high value” for attackers/hackers
 Building a system that is accessed over the Internet
 Building a system that would be considered “core” from a security perspective (e.g., Active
Directory Domain Services, Active Directory Federation Services, etc.)
 If you are working with a modern application, chances are that it will function just fine
with the security baseline
 Policy exceptions may be necessary when a service account needs elevated privileges. NBD.
 No access to Group Policy Management? The security baselines can be exported from
SCM and then imported on a Windows system using local policy
 This approach is also useful for systems in a perimeter network (DMZ)
 Any settings pushed via Group Policy will overwrite local policy, so any GPOs that conflict with the
security baseline applied to local policy will “win”
Security baselines should be implemented whenever a new server is built
16

 Security baselines are more likely to negatively affect users when applied to workstations
 Careful testing and change control processes required ahead of deployment
 Executive sponsorship is critical
 Need a “security decision maker” for times when an exception to the baseline needs to be made
 When a change needs to be made, communicate with this person in terms of the vulnerability, its
severity, its compensating control, the change that is being proposed to the compensating control,
why the change needs to be made, and who needs to receive the change (e.g., all users, or just
some?)
 The executive sponsor should communicate the changes to IT staff (rationale behind the
implementation, what to expect, etc.)
 Set expectations with users
 It’s important that users understand that Windows, Internet Explorer, and Microsoft Office will not
behave the same after the security baselines are applied
 Unless extreme amounts of testing have been performed, it is likely that users will encounter an
issue that disrupts their ability to work
 Business and IT should work together on the communications to users and change management
 Ensure that users can quickly get support for issues related to the implementation. Prioritize issues
as they come in and provide status updates to users frequently
 The time to implement, test, and remediate issues is non-trivial
 ~320-400 consultant-hours on a recent project
 Do not implement without a comprehensive application inventory
Security baselines should also be applied to workstations… with some cautions
17

Get an Inventory
18
 Introduction to Inventory Tools

 Application Compatibility Toolkit 6.1 (Windows Assessment and Deployment Kit “8.1 Update”)
 Inventory of applications
 Inventory of websites (kind of…)
 Application compatibility issues
 Website compatibility issues (kind of…)
 Enterprise Site Discovery Toolkit for Internet Explorer 11
 Inventories of websites: URLs, domains, ActiveX controls, # of visits, etc.
 Website compatibility issues (kind of…)
 Requires users to be using Internet Explorer 11
 AppLocker in “Audit Mode”
 Will log events against a single PC; you will need to set up event collection & forwarding to aggregate from
multiple PCs
 Cannot inventory websites or identify their compatibility issues
 Very limited identification of application compatibility issues
 System Center Configuration Manager (ConfigMgr)
 Can inventory applications, but not websites
 Cannot identify compatibility issues
 Windows Intune
 WMP Inventory Script
You need a solid application and business website inventory before you start
19

ACT Demo
20
 Creating Data Collection Packages
 Using Compatibility Monitor
 Information Gathered by ACT
 Example Compatibility Problem

After installing ACT, create one or more data-collection packages
21

Set up a testing workstation that has Compatibility Monitor already running
22

 Application Vendor, Name, and Version
 Assessment Tracking
 Vendor, Community, and User Assessment
 Detected Compatibility Issues
 Also indicates the number of computers, and number of versions of each program
ACT gathers and tracks lots of useful information
23

ACT will show issues with UAC or session isolation to focus testing efforts
24

Get the Baselines
25
 Introduction to Security Compliance Manager

 Microsoft’s database of pre-canned security baselines
 Automatic updates
 Allows export in a variety of formats
 Version support for:
 Windows XP – Windows 8.1
 Windows Server 2003 – Windows Server 2012 R2
 Internet Explorer 8 – Internet Explorer 11
 Office 2007 – 2013
 Exchange 2007 – 2010
 SQL Server 2012
 No support (as of Feb 20, 2015) for:
 Windows 10 / Windows Server vNext
 Internet Explorer 12
 Office 2015/2016
 …bummer. Best bet: use the next-closest version as a proxy until the baseline is released.
Security Compliance Manager (SCM) 3.0 allows us to work with the Microsoft
security baselines
26

SCM Demo
27
 Navigating SCM
 Exporting baselines

A comprehensive list of baselines is available via a built-in check for updates
28

Focus your initial implementation on the lower risk compensating controls that
Microsoft defined in the security baseline
29

 Almost always want to export to GPO Backup (folder)
 Compare / Merge is interesting, too
 Do not duplicate or modify baselines in SCM
With a baseline selected, many options appear on the right side.
31

Exported baselines show up in the designated folder as GUIDs for import.
32

Apply the First Baseline to Active
Directory
33
 Build an OU Structure That Makes Sense
 Import the Baseline to Active Directory (Demo)
 Create a WMI Filter (Demo)
 Apply the GPO to Active Directory (Demo)

Organizational Units (OUs) should be created to serve three purposes:
 Forming the structure by which rights can be delegated to subordinate administrators
 Forming the structure by which Group Policies are most-often applied
 Organization, for organization sake
Build an OU structure that makes sense for your organization
34
Not going to cut it!

 Unless you have separate AD
forests for test/dev, create top-
level OUs that represent each
stage of development.
 Keep everyone in “prod” unless
they are directly involved in
test/dev of Group Policy / security
baselines.
35

baselines.
 Create additional OUs, primarily
for delegated administration
36

baselines.
 Create additional OUs, primarily
for delegated administration
 Separate workstations from
servers; users from admins
37

 Start by creating an empty GPO
 Name it so that you can easily tie
it to the name of the baseline in
SCM
Import baselines as they come from Microsoft without modifications
38

 Next, right-click on the empty GPO and click Import Settings.
 You might be tempted to click Restore from Backup. Don’t; it will not work.
39

 Choose the same folder that you backed-up the baselines to
(the one that contained all the GUID folders…)
40

 Select the intended
baseline
41

 In our OU structure, we did not separate Windows 10 computers from Windows 7 computers.
Yet we need to ensure that Windows 10 policies are only applied to Windows 10 systems, etc…
 This is possible using WMI Filtering
 Allows an administrator to write a structured query to limit whether or not a GPO’s settings are applied to
a given user/object.
 For example, an administrator may want to limit a given GPO such that it is applied only to Windows Server
2012 R2 domain controllers – this can be achieved using a WMI Filter and corresponding structured query:
Select * from Win32_OperatingSystem Where Version like "6.3%" and ProductType
= "2“
 Other useful WMI filters:
 Computers Running IE 11:
SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="Program
FilesInternet Explorer" AND filename="iexplore" AND extension="exe" AND version
like "11.%"
 Windows 10 and Windows Server vNext Systems:
Select * from Win32_OperatingSystem Where Version like "6.4%“ or Version Like
“10.0%”
 Windows 10, Only:
Select * from Win32_OperatingSystem Where (Version like "6.4%“ or Version Like
“10.0%”) and ProductType = "1“
 WMI filtering is not necessary for Microsoft Office
 Office 2013 settings are stored in registry keys separate from Office 2010, etc. This allows different
versions’ settings to co-exist on the same computer without issue
With the baseline imported, it’s time to apply it. Use WMI filters to ensure that
the baselines are applied to the intended environment
42

Create your WMI Filter for Windows 10…
43

… and with your baseline selected, you can apply your new WMI filter
44

 Because of Group Policy inheritance, objects in child OUs will automatically inherit the
policies applied to their parent…
 …unless someone blocked inheritance.
 Find that person and hit them on the head.
Finally, link the security baseline to the OU containing your workstations or users
(depending on the baseline you are deploying…)
45

Managing the Implementation
46
 Issues Likely to Encounter After Implementation
 Troubleshooting User-Reported Problems (Demo)
 Security Baseline “Overrides” (Demo)
 Group Policy Precedence: Overview
 Requesting Review and Approval from a Security Decision Maker (Demo)
 Decreasing Time-to-Implement Through Scripting

 Applications that require admin privileges
 Can attempt to shim them, or use application virtualization (App-V)
 Can deploy dual credentials (flesniak and admin.flesniak)
 User Downloads
 All downloads are blocked by default
 Website Whitelisting
 GPO length limitation – build a script to write to:
HKLMSOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMap
 Consider local whitelist in addition to global whitelist to allow one-offs
 FIPS-Compliance
 Microsoft does not include this in security baselines anymore
 BitLocker on Windows 7; Intuit TurboTax
 BitLocker – Backup of Recovery Keys to AD
 Security baseline requires PKI-based recovery agent and blocks backup to AD by default
 Outlook
 Internet hyperlinks in Outlook
 Plain text email (default view; default authoring mode)
 Office 365 – requires anonymous authentication and the use of saved passwords
 Outlook 2007 and 2010 baseline – requires digital signature (purchased from public CA)
 Workstation Imaging
 Automatic logon blocked, UAC applied to Administrator account
With the baseline implemented, you are going to need to address some issues…
47

 Website problem?
 Try ActiveX filtering
I applied the baseline and something broke! How do I fix it?
48

Several websites will need to be “opted-in” by users due to ActiveX filtering.
49

 Review, then add to Trusted Sites zone if appropriate
• Executable file download locations must be in Trusted Sites
• Trusted Sites disables protected mode, which allows 32-bit only ActiveX controls to load on a 64-bit OS
running IE 11
50

Follow the GUI, or write trusted sites using a script to:
HKLMSOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet
SettingsZoneMap
51

running IE 11
 Compatibility view
52

Follow the GUI, or use the Group Policy setting “Use Policy List of Internet
Explorer 7 sites”
53

running IE 11
 …or a combination of these?
 Application problem?
 SysInternals Process Monitor (Procmon) is your friend. Fire it up, reproduce the problem, then stop
recording.
 Look for RegReads happening in HKLMSOFTWAREPolicies or HKCUSOFTWAREPolicies
54

After you reproduce the problem, use Process Monitor to find a suspect registry
entry…
55

…then, use Process Monitor to jump to the registry value. Make note of its “data”
field…
56

running IE 11
recording.
 Look for RegQueryValue happening in HKLMSOFTWAREPolicies or HKCUSOFTWAREPolicies
 Google the registry key – you are bound to find a reference to a relevant setting
57

running IE 11
recording.
 Look for RegQueryValue happening in HKLMSOFTWAREPolicies or HKCUSOFTWAREPolicies
 Google the registry key – you are bound to find a reference to a relevant setting
 You can also look for “ACCESS DENIED” entries or audit failures in the Windows Security event log
 Stuck? Ask for help!
 Once you find the relevant setting, it’s time to test it
 Don’t change the baseline GPO that you imported from SCM
 Instead, create an “override” GPO!
59

 Leave the original baseline alone; create a separate GPO for any setting that deviates from
or is not configured by it
 Allows changes and updates to be tracked and applied independently of other GPO settings
 Encapsulation and separation allows for simplified change control and test procedures (change in a
business requirement or justification for a setting -> change in the corresponding GPO)
 Microsoft periodically releases new baselines; keeping the original baseline untouched allows easy
drop-in
 This approach allows for exceptions to the security baselines to be self-evident and self-
documenting in nature
 This process will be known as overriding a security baseline setting
 When overrides are necessary, store comments in the GPO to document the purpose for
the override, who approved it, and the date last reviewed.
 Your client should review the list of overrides periodically to ensure the continued appropriateness
of them in their environment.
Now that you have identified the setting, you must implement it in Group Policy
60

Implement your “override” in its own GPO and keep good documentation for
future audits
61

Implement your “override” in its own GPO and keep good documentation for
future audits
62

 Precedence enables an order of evaluation to be applied to Group Policy settings.
 If a GPO with higher precedence implements a setting that conflicts with a GPO of lower
precedence, the higher-precedence GPO setting value will be used
 When considering precedence, several rules apply:
 A GPO linked directly to a child OU has a higher precedence than a GPO inherited from a parent OU
 Within the root of the domain, a given OU, or within an AD site, the link order of the GPOs dictates
their precedence. A lower-numbered link order equates to a higher GPO precedence
Group Policy precedence allows us to purposely apply conflicting settings to a
computer (original baseline + override) with an expected result (override wins)
63

Within a given OU, the override policies should have a lower link order in order to
have higher precedence
64

 Precedence enables an order of evaluation to be applied to Group Policy settings.
 If a GPO with higher precedence implements a setting that conflicts with a GPO of lower
precedence, the higher-precedence GPO setting value will be used
 When considering precedence, several rules apply:
 A GPO linked directly to a child OU has a higher precedence than a GPO inherited from a parent OU
 Within the root of the domain, a given OU, or within an AD site, the link order of the GPOs dictates
their precedence. A lower-numbered link order equates to a higher GPO precedence
 GPOs linked to OUs have a higher precedence than GPOs linked to the domain
 GPOs linked to the domain have a higher precedence than GPOs linked to the site
 GPO links can be “enforced”. If an administrator enforces a GPO link, it has highest precedence of
any other GPOs (including those GPOs applied to subordinate OUs). Enforcement of a GPO link also
bypasses the blocking of GPO inheritance. Find the person that enforced a GPO link and hit them on
the head*!
 As one might imagine from reading these rules, GPO precedence can become complex.
 An Administrator can always utilize the Group Policy Inheritance tab in Group Policy Management
(or other Resultant Set of Policy (RSoP) tools) to model the effective Group Policy settings that
would be applied to a given computer or user
* - There are good reasons to enforce certain types of policies… but I will not cover these in this presentation. 99% of the time I see
policy enforcement, it makes life more difficult.
Group Policy precedence allows us to purposely apply conflicting settings to a
computer (original baseline + override) with an expected result (override wins)
65

 Once the override is implemented and tested successfully, your “security decision maker”
should review:
 The vulnerability
 The vulnerability severity
 The countermeasure (setting) originally in the baseline
 The impact of having the countermeasure implemented
 What the proposed change is and why a change is proposed
 The scope of the change (e.g., are all users receiving the change, or just some?)
 Pull these data points directly from Security Compliance Manager!
Have your security decision maker review the setting change after you
successfully test it
66

You can easily pull vulnerability information from SCM
67

Sample email to “security decision-maker”
68

 Many of our clients have similar requirements (e.g., the use of BitLocker without a PKI
recovery agent)
 Instead of starting from scratch at each client, we can export (back-up) GPOs from an
environment already configured with the baselines…
 https://gallery.technet.microsoft.com/scriptcenter/Comprehensive-Group-Policy-5f9d3ea6
 …and then import the baselines into the new environment
 https://gallery.technet.microsoft.com/scriptcenter/Comprehensive-Group-Policy-212562cb
Don’t ignore learnings on previous engagements. Use import/export tools to
speed up your security baseline implementation
69

Thanks! Connect with Frank
Lesniak:
70
 twitter.com/franklesniak
 linkedin.com/in/flesniak
 flesniak <atsign> westmonroepartners.com

Securing your Windows Network with the Microsoft Security Baselines

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Securing your Windows Network with the Microsoft Security Baselines

Similar to Securing your Windows Network with the Microsoft Security Baselines (20)

Recently uploaded

Recently uploaded (20)

Securing your Windows Network with the Microsoft Security Baselines

Editor's Notes