The default configuration of an operating system balances security against compatibility so that most applications work out of the box. Moving from that default to a genuinely secure configuration takes deliberate additional steps, collectively known as system hardening, and those steps are essential for protecting the system against modern threats.

 


 

Microsoft recognizes the importance of security baselines for server hardening and publishes baselines of recommended settings for its operating systems and applications, so that administrators have a documented starting point to apply and audit against.

Hardening a system is intricate and error-prone: it touches account policies, the built-in Administrator and Guest accounts, group membership, user rights and many other settings, all aimed at reducing the risk of unauthorized access. We therefore believe that automating the hardening process is essential.

This blog post will discuss what system hardening involves, covering:

  1. Using the CIS Benchmarks
  2. Auditing settings against a security benchmark
  3. Remediating settings under a hardening policy
  4. Monitoring configuration changes
  5. Generating reports showing the security status of your servers

Where it helps, you'll see how PowerShell can assist with these tasks.

 

Using the Benchmarks from CIS

The Center for Internet Security (CIS) provides its own security benchmarks to help safeguard systems, software and networks against evolving cyber threats. Each benchmark recommendation references one or more CIS Controls, which were developed to help organizations improve their protection, and the CIS Controls in turn map to frameworks such as PCI DSS, HIPAA and the ISO 27000 series.

 

The CIS benchmarks are divided into Level 1 and Level 2 security settings to help organizations implement them. Level 1 settings are considered the minimum requirements to which every system should be configured, and they aren't likely to cause application compatibility issues or interrupt service. Level 2 settings are recommended for systems that need better protection and where some reduction in functionality might be accepted.

 

 


Auditing Security Settings for System Hardening

The first step in securing your servers is understanding how they are currently configured. PowerShell is a frequently used tool for discovering system configuration.

 

However, relying on PowerShell alone doesn't always give the best results, particularly for settings that are not backed by the registry, such as account policies, user rights assignments and audit policies. Automating a comparison of your systems' configuration against a security benchmark requires more involved code, and the benchmarks cover a wide range of areas: user accounts and access controls, patching and updates, application and database hardening, and network settings.

 

Account Policies

The first set of recommendations in the security benchmarks are settings for account policies such as Enforce password history and Maximum password age. If you have an Active Directory domain, these settings are configured in the Default Domain Policy GPO and propagated to all domain-joined devices in an out-of-the-box domain configuration. The Get-ADDefaultDomainPasswordPolicy PowerShell cmdlet can be used to audit the domain-level password settings, but it reports the domain policy, not the settings actually in effect on each endpoint, which can differ on a standalone server or where another GPO applies.
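The following is an added example, not code from the original post, showing how to turn the domain-level view from Get-ADDefaultDomainPasswordPolicy into a pass/fail check against the CIS Level 1 thresholds. It requires the ActiveDirectory module (RSAT) on a domain-joined host. The thresholds used are those in recent CIS Windows Server benchmarks and are an assumption to verify against the benchmark version you actually use; the fine-grained policy listing at the end is there because those policies override the default for the users they apply to.

```powershell
# Added example: compare the domain's default password policy with CIS Level 1 thresholds.
# Requires the ActiveDirectory module (RSAT) on a domain-joined host.
# Thresholds are taken from recent CIS Windows Server benchmarks (assumption: check your version).
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $maxAgeDays = $p.MaxPasswordAge.Days      # "never expires" yields a value outside 1..365 and fails below
    $checks = @(
        @{ Setting = 'Enforce password history';  Actual = $p.PasswordHistoryCount;        Expected = '24 or more';      Pass = ($p.PasswordHistoryCount -ge 24) }
        @{ Setting = 'Maximum password age';      Actual = $maxAgeDays;                    Expected = '1 to 365 days';   Pass = ($maxAgeDays -ge 1 -and $maxAgeDays -le 365) }
        @{ Setting = 'Minimum password age';      Actual = $p.MinPasswordAge.Days;         Expected = '1 or more';       Pass = ($p.MinPasswordAge.Days -ge 1) }
        @{ Setting = 'Minimum password length';   Actual = $p.MinPasswordLength;           Expected = '14 or more';      Pass = ($p.MinPasswordLength -ge 14) }
        @{ Setting = 'Complexity requirements';   Actual = $p.ComplexityEnabled;           Expected = 'Enabled';         Pass = [bool]$p.ComplexityEnabled }
        @{ Setting = 'Account lockout threshold'; Actual = $p.LockoutThreshold;            Expected = '1 to 5 attempts'; Pass = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 5) }
        @{ Setting = 'Account lockout duration';  Actual = $p.LockoutDuration.TotalMinutes; Expected = '15 min or more'; Pass = ($p.LockoutDuration.TotalMinutes -ge 15) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting  = $c.Setting
            Actual   = $c.Actual
            Expected = $c.Expected
            Status   = if ($c.Pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-DomainPasswordPolicy | Format-Table -AutoSize

# Fine-grained password policies override the default for the users and groups they
# apply to, so list them as well; each should be held to the same thresholds.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, PasswordHistoryCount, MinPasswordLength, LockoutThreshold, AppliesTo
```

This only tells you what the domain is supposed to enforce. To see what a particular server actually has in effect you still need to read its local security policy, which the secedit-based snapshot later in this post covers.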

 

Auditing Registry-Based Settings

Settings that are backed by a registry value are easier to audit. For example, the Allow indexing of encrypted files setting for Windows Search is stored in the HKLM hive of the registry as the AllowIndexingEncryptedStoresOrItems value: HKEY_LOCAL_MACHINESearch:AllowIndexingEncryptedStoresOrItems.

By default the policy is Not Configured, so the AllowIndexingEncryptedStoresOrItems value doesn't exist in the registry and indexing of encrypted files is disabled. Disabled is the CIS-recommended setting for Windows Server hardening.

If the value is 1 (true), indexing of encrypted files has been enabled; 0 (false) means it has been explicitly disabled. If the value doesn't exist, Get-ItemProperty -Name returns an error rather than a value, so an audit script has to handle the missing case separately instead of treating it as 0.

 

All settings backed by a documented registry value can be audited in the same way. For example, AllowCloudSearch is backed by the following registry value:

HKEY_LOCAL_MACHINESearch:AllowCloudSearch

The policy should be set to Enabled: Disable Cloud Search, which results in the AllowCloudSearch value being set to 0. Windows Server's default behaviour is Enable Cloud Search, but no registry value is present out-of-the-box because the policy is Not Configured and the default needs no value.
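As an added example (not code from the original post), here is a small audit function for registry-backed policy settings that treats a missing value as "not configured" rather than as a pass or a fail, and applies it to both values discussed above. It assumes the two values live under the Windows Search policy key at HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search, which is the location the CIS benchmark documents for them (the paths as printed above are abbreviated).

```powershell
# Added example: audit registry-backed policy settings, distinguishing an explicit value
# from an absent one. Assumption: both values are under the Windows Search policy key.
$searchPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

function Get-RegistryPolicyValue {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty -Name writes a non-terminating error when the key or value is absent;
    # -ErrorAction SilentlyContinue turns that into $null so the caller can decide what it means.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RegistryPolicy {
    param([string]$Path, [string]$Name, [int]$Expected, [string]$Description)
    $actual = Get-RegistryPolicyValue -Path $Path -Name $Name
    if ($null -eq $actual) {
        # Policy is Not Configured: Windows' default behaviour applies, but the benchmark's
        # automated checks look for an explicit value, so report it as its own state.
        $status = 'NOT CONFIGURED'
    }
    elseif ($actual -eq $Expected) { $status = 'PASS' }
    else { $status = 'FAIL' }
    [pscustomobject]@{
        Setting  = $Description
        Value    = $Name
        Actual   = $actual
        Expected = $Expected
        Status   = $status
    }
}

$results = @(
    Test-RegistryPolicy -Path $searchPolicy -Name 'AllowIndexingEncryptedStoresOrItems' -Expected 0 `
        -Description 'Allow indexing of encrypted files = Disabled'
    Test-RegistryPolicy -Path $searchPolicy -Name 'AllowCloudSearch' -Expected 0 `
        -Description 'Allow Cloud Search = Enabled: Disable Cloud Search'
)
$results | Format-Table -AutoSize
```

Adding a setting is a matter of one more Test-RegistryPolicy call with the key, value name and expected DWORD from the benchmark; keeping NOT CONFIGURED separate from FAIL stops a fresh server from looking like one that someone deliberately weakened.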

 

Remediating System Security Settings

With the auditing approaches above, you still have to compare the values you collect with the CIS benchmark yourself. To keep servers hardened, a fully automated solution can monitor them continuously and verify that they remain aligned with the benchmark.

 

Before remediating a setting, record its current value in your hardening checklist and test that you can revert the change. Some settings only take effect after a reboot; the description of the related Group Policy setting usually documents this.

 

Changing settings on a production system risks service disruption and application compatibility problems. Test changes in a pre-production environment first and have a rollback plan. Automating this, especially for server operators, is efficient and prudent, because it lets you evaluate whether a configuration change could affect operational stability before it reaches live systems.
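The following added example (not code from the original post) applies the advice in the three paragraphs above to a registry-backed setting: it supports -WhatIf so the change can be rehearsed, writes the previous state to a rollback log before changing anything, and provides an Undo function so the revert can be tested before the change goes to production. The log path and the Windows Search policy key path are assumptions.

```powershell
# Added example: remediate a registry-backed setting with a recorded rollback path.
# Assumptions: log path below, and the Windows Search policy key path documented by CIS.
$rollbackLog = Join-Path $env:ProgramData 'hardening-rollback.json'

function Set-HardeningValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Name, [int]$Value, [switch]$RebootRequired)

    # Capture the current state first; $null means the value did not exist.
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $shown  = if ($null -eq $before) { '<absent>' } else { $before }

    if ($PSCmdlet.ShouldProcess("$Path\$Name", "set to $Value (currently $shown)")) {
        # Record the previous value before touching the registry so a failed write still leaves a trail.
        $log = if (Test-Path $rollbackLog) { @(Get-Content $rollbackLog -Raw | ConvertFrom-Json) } else { @() }
        $log += [pscustomobject]@{ Path = $Path; Name = $Name; Before = $before; After = $Value; When = (Get-Date).ToString('o') }
        ConvertTo-Json -InputObject $log -Depth 3 | Set-Content -Path $rollbackLog

        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
        if ($RebootRequired) { Write-Warning "$Name takes effect after a reboot." }
    }
}

function Undo-HardeningValue {
    # Restore the most recently recorded state for a value; remove it if it did not exist before.
    param([string]$Path, [string]$Name)
    $log   = @(Get-Content $rollbackLog -Raw | ConvertFrom-Json)
    $entry = $log | Where-Object { $_.Path -eq $Path -and $_.Name -eq $Name } | Select-Object -Last 1
    if (-not $entry) { throw "No rollback record for $Path\$Name" }
    if ($null -eq $entry.Before) { Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue }
    else { Set-ItemProperty -Path $Path -Name $Name -Value ([int]$entry.Before) -Type DWord }
}

$search = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
Set-HardeningValue -Path $search -Name 'AllowIndexingEncryptedStoresOrItems' -Value 0 -WhatIf   # rehearse
Set-HardeningValue -Path $search -Name 'AllowIndexingEncryptedStoresOrItems' -Value 0           # apply
Undo-HardeningValue -Path $search -Name 'AllowIndexingEncryptedStoresOrItems'                   # prove the revert works
```

One caveat for domain-joined servers: if the key is managed by a GPO, a local change like this is overwritten at the next Group Policy refresh, so the lasting remediation is in the GPO, and the local script is for standalone systems or for testing.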

 

Monitoring Changes to System Configuration

While PowerShell can audit settings and automate comparisons with security baselines, a product that monitors in real time and remediates automatically closes the window between a setting drifting and someone noticing, which is a more dependable way of keeping a secure configuration in place.

 

Even if an organization manages Active Directory according to best practice, system configuration changes can still creep in when a robust change control process is not in place. Malware can also modify server settings, which is another reason both to harden systems and to watch for unexpected changes.

 

Without proper change control, configuration drift sets in and servers deviate from their intended configuration. That complicates support, heightens the risk of compromise by re-opening attack vectors the hardening had closed, and undermines compliance with the CIS benchmarks and with frameworks such as PCI DSS.

 


 

Auditing and the Systems Event Log

Since there isn't a uniform way of auditing the settings the CIS benchmarks configure, monitoring changes can be challenging. Windows security auditing, the built-in technology for recording changes to system configuration in the Security event log, can be configured to audit registry keys.

 

Global Object Access Auditing makes this easier to set up: you define a system access control list (SACL) once per server instead of on each part of the registry you want to audit. But you still need to know what to look for in the event log, extract the events that indicate a change to specific registry values, and alert someone to the change.
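As an added example (not code from the original post), the script below enables the Registry audit subcategory, applies a SACL either globally through auditpol or to a single key through the .NET registry ACL API, and then decodes the resulting "registry value was modified" events (event ID 4657) into objects you can alert on. It must run elevated. The auditpol resourceSACL syntax follows Microsoft's documentation for that command; the Windows Search key path and the 0x20006 (KEY_WRITE) access mask are assumptions to check in your environment, and in production the audit policy itself belongs in a GPO rather than a script.

```powershell
# Added example: audit writes to a policy key and surface the resulting 4657 events.
# Run elevated. Assumptions: key path below; 0x20006 is the KEY_WRITE access mask.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

# 1. The Object Access > Registry subcategory must be enabled or nothing is logged at all.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2a. Global Object Access Auditing: one SACL applied to every registry key on the host.
#     KEY_WRITE = KEY_SET_VALUE | KEY_CREATE_SUB_KEY | standard write rights. Noisy on a busy server.
auditpol /resourceSACL /set /type:Key /user:Everyone /success /failure /access:0x20006 | Out-Null

# 2b. Alternatively, a targeted SACL on just the key you care about (far less noise).
function Add-RegistryWriteAudit {
    param([string]$Path)
    $acl  = Get-Acl -Path $Path -Audit          # reading the SACL needs SeSecurityPrivilege (elevated)
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', 'SetValue, CreateSubKey, Delete', 'ContainerInherit', 'None', 'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
if (Test-Path $policyKey) { Add-RegistryWriteAudit -Path $policyKey }

# 3. Pull 4657 events and decode the EventData fields so the old and new values are visible.
function Get-RegistryChangeEvent {
    param([string]$KeyFilter = '*Windows Search*', [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process = $d.ProcessName
                Key     = $d.ObjectName        # e.g. \REGISTRY\MACHINE\SOFTWARE\Policies\...
                Value   = $d.ObjectValueName
                Old     = $d.OldValue
                New     = $d.NewValue
            }
        } | Where-Object { $_.Key -like $KeyFilter }
}

Get-RegistryChangeEvent | Format-Table -AutoSize
```

Event 4657 is only written for values under a key that carries a matching SACL, so if the query returns nothing after a test change, check the SACL and the subcategory before suspecting the query. Filtering on Key keeps the global option usable: everything is audited, but you only surface the keys the benchmark cares about.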

 

Real-Time Monitoring

 

Tracking changes to settings that don't have documented registry settings can be done by exporting the local security database using secedit and then comparing before and after values. You can use PowerShell to create objects from the text files exported by secedit and then use arrays to compare the information. For more information on how to compare data in PowerShell arrays, read Comparing arrays with PowerShell. Alternatively, an automated tool that tracks before and after values would be needed to monitor changes to these settings.
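The added example below (not code from the original post) implements the secedit approach from this paragraph: it exports the local security policy to a snapshot file, flattens the INI-style export into key/value pairs, and diffs two snapshots so that changes to account policy ([System Access]) and user rights assignments ([Privilege Rights]) show up as before/after rows. It also gives the per-endpoint view of account policy that Get-ADDefaultDomainPasswordPolicy, discussed earlier, cannot provide. The snapshot directory is an assumption; run it elevated.

```powershell
# Added example: snapshot the local security policy with secedit and diff two snapshots.
# Covers settings with no documented registry value (account policy, user rights).
# Assumption: snapshot directory below. Run elevated.
$snapshotDir = Join-Path $env:ProgramData 'secpol-snapshots'
New-Item -ItemType Directory -Path $snapshotDir -Force | Out-Null

function Save-SecurityPolicySnapshot {
    # secedit writes an INI-style (UTF-16) file; keep one per timestamp.
    $file = Join-Path $snapshotDir ("secpol-{0:yyyyMMdd-HHmmss}.inf" -f (Get-Date))
    secedit /export /cfg $file /areas SECURITYPOLICY USER_RIGHTS | Out-Null
    return $file
}

function ConvertFrom-SecurityPolicyInf {
    # Flatten "[Section]" + "Key = Value" lines into a "Section\Key" = Value hashtable.
    param([string]$Path)
    $result = @{}
    $section = ''
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') { $result["$section\$($Matches[1])"] = $Matches[2] }
    }
    return $result
}

function Compare-SecurityPolicySnapshot {
    # Emit one row per setting whose value differs, including settings added or removed.
    param([string]$Before, [string]$After)
    $old = ConvertFrom-SecurityPolicyInf -Path $Before
    $new = ConvertFrom-SecurityPolicyInf -Path $After
    foreach ($key in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if ($old[$key] -ne $new[$key]) {
            [pscustomobject]@{ Setting = $key; Before = $old[$key]; After = $new[$key] }
        }
    }
}

# Usage: take a baseline, take another snapshot later (for example from a scheduled task), and diff.
$baseline = Save-SecurityPolicySnapshot
# ... time passes, or a change is made ...
$current  = Save-SecurityPolicySnapshot
Compare-SecurityPolicySnapshot -Before $baseline -After $current | Format-Table -AutoSize

# The [System Access] rows of a snapshot are the endpoint's effective account policy:
(ConvertFrom-SecurityPolicyInf -Path $current).GetEnumerator() | Where-Object Key -like 'System Access\*'
```

Values in [Privilege Rights] are lists of SIDs, so a row like System Access\MinimumPasswordLength changing from 14 to 8, or a new SID appearing in Privilege Rights\SeDebugPrivilege, is exactly the kind of drift worth alerting on.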


Generating Reports on System Hardening Configuration

Generating reports from text-based files, such as those produced by secedit, isn't always straightforward. PowerShell's Import-Csv cmdlet can process delimited files, and its Delimiter parameter handles delimiters other than a comma, but secedit's INI-style output needs its "Key = Value" lines parsed instead.

 

Third-party products can help you to generate reports without needing to code and to compare data to see what has changed over time.

 

Formatting reports so that they are easy to read is also important. For example, you can export Windows Security event log entries to an HTML file by piping the output of Get-EventLog into ConvertTo-Html like this (note that Get-EventLog exists only in Windows PowerShell; in PowerShell 7 use Get-WinEvent instead):

Get-EventLog -LogName "Security" | ConvertTo-Html > C:\temp\securityevents.html

 

PowerShell also has some filtering capabilities, making it possible to display only specific information in your reports. The code below uses Get-EventLog to extract events from the Application log that were generated by Outlook. The results are piped to the Where-Object cmdlet to further filter the results by including only events where the EventID is 63.

 

Finally, Select-Object keeps only the Source, EventID, InstanceId and Message properties of each event, which PowerShell then displays as a table.

Get-EventLog -LogName Application -Source Outlook | Where-Object {$_.EventID -eq 63} | Select-Object -Property Source, EventID, InstanceId, Message

 

Using PowerShell to generate HTML reports is possible but to have complete control over how your reports look, some experience in working with HTML and Cascading Style Sheets (CSS) would be required.

Do you need to automate report generation using built-in Windows components? If so, use Task Scheduler: a scheduled task can run a PowerShell script that audits the server and regenerates the report on a schedule.
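As an added example (not code from the original post), the script below puts the last two paragraphs together: it turns audit results into an HTML report with a small stylesheet and per-row colouring, then registers a daily scheduled task that reruns the script. The $results data is constructed here to stand in for the output of your audit functions, and the report path, script path and schedule are assumptions.

```powershell
# Added example: styled HTML compliance report plus a scheduled task to regenerate it.
# Assumptions: paths and schedule below; $results stands in for real audit output.
$reportPath = 'C:\Reports\hardening-status.html'
New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null

# Constructed sample results, in the shape an audit function would return.
$results = @(
    [pscustomobject]@{ Setting = 'Enforce password history';          Actual = 24;    Expected = '24 or more'; Status = 'PASS' }
    [pscustomobject]@{ Setting = 'Minimum password length';           Actual = 8;     Expected = '14 or more'; Status = 'FAIL' }
    [pscustomobject]@{ Setting = 'Allow indexing of encrypted files'; Actual = $null; Expected = '0';          Status = 'NOT CONFIGURED' }
)

function New-HardeningReport {
    param([object[]]$Results, [string]$Path)
    $css = @"
<style>
  body  { font-family: 'Segoe UI', sans-serif; }
  table { border-collapse: collapse; }
  th, td { border: 1px solid #ccc; padding: 4px 8px; }
  .PASS { background: #d4edda; } .FAIL { background: #f8d7da; } .NOT { background: #fff3cd; }
</style>
"@
    $failing = @($Results | Where-Object Status -eq 'FAIL').Count
    $summary = "<p>Host: $env:COMPUTERNAME &middot; Generated: $(Get-Date -Format 'u') &middot; $failing of $($Results.Count) checks failing</p>"
    $html = $Results | ConvertTo-Html -Head $css -PreContent "<h1>Hardening status</h1>$summary" -Property Setting, Actual, Expected, Status
    # ConvertTo-Html cannot style individual rows, so tag each row with a class derived from its Status cell.
    $html = $html -replace '<tr><td>(.*?)</td><td>(.*?)</td><td>(.*?)</td><td>(PASS|FAIL|NOT)', '<tr class="$4"><td>$1</td><td>$2</td><td>$3</td><td>$4'
    $html | Set-Content -Path $Path -Encoding UTF8
    return $Path
}

New-HardeningReport -Results $results -Path $reportPath

# Register a daily task that runs this script as SYSTEM. Assumption: the script is saved at $scriptPath.
$scriptPath = 'C:\Scripts\Invoke-HardeningReport.ps1'
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '6:00AM'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Hardening Status Report' -Action $action -Trigger $trigger -Principal $principal -Force
```

Running the task as SYSTEM is what lets the audit read SACLs and export the security policy without a stored service-account password; keep the script itself in a directory that only administrators can write to, since anything that can edit a script run by SYSTEM effectively has SYSTEM.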

 

Summary

Applying security standards for OS hardening and securing the surrounding infrastructure greatly improves overall security: it strengthens the systems themselves and reduces the opportunities for attack. But to ensure that servers remain secure, you need to audit their configuration continually and automate the remediation of settings that have changed.

 
