Channel: Microsoft Security Guidance blog

Configuration Drift

In my last blog I introduced a new Solution Accelerator called the Security Compliance Management toolkit. Today I'd like to help you learn more about this new Accelerator, but in a somewhat indirect way—by discussing a problem space known as configuration drift.

Probably the simplest way to understand configuration drift is to think about those servers in your server room that have been configured with local settings. To illustrate the problem space, let's consider the need to manage a server that requires a custom setting, such as the right to log on locally. By default, Windows Server 2003 assigns the ability to log on locally as follows:

  • Administrators - Permit
  • Server Operators - Permit
  • Backup Operators - Permit

This is a good representation of who should be able to log on locally to a server. In fact, the Windows Server 2003 Security Guide recommends this configuration as one that should be enforced using Group Policy. Restricting which users can access a server locally is a good security measure. However, it can be inconvenient in certain situations—for example, when a server requires service and a non-administrator user needs to perform that service. Typically, one of the following two quick solutions is used:

  • Add the user to the Administrators group temporarily, and 'trust' the user will not abuse their new power.
  • Create a group for non-Administrator users and assign this group the right to log on locally to the server.

Both are poor methods for managing local access to a server—but both are excellent examples of configuration drift. So the question is: how will you manage one-off changes like this? Also, how can you discover and identify changes that have occurred in a network that may not follow policy? It's simple to correct a change in one system. However, how can you validate your systems' configurations, and then update or correct any ad-hoc changes that were made? The problem is complex and difficult to resolve.

However, for those of you using System Center Configuration Manager 2007, a feature known as Desired Configuration Management (DCM) can be used to discover your network's configuration state. Configuration Packs that work with Configuration Manager were designed by the Solution Accelerators – Security and Compliance team (SA-SC), and you can use these Packs to check the configurations of the Windows XP, Windows Vista, and Windows Server 2003 computers in your network. The one thing needed to accomplish such a check is a set of desired configuration values. SA-SC considered this a vital requirement for DCM. When they looked at the security knowledge within the different security guides they had created, it was clear that translating this knowledge into DCM configuration items would be of great value to IT professionals.

In upcoming blogs I'll look more closely at DCM, the components required for exploring configuration drift, and how this can be done effectively for a network. For now, if you haven't looked at the Security Compliance Management toolkit, I recommend you take a few minutes to see if it can help you manage configuration drift in your organization: http://go.microsoft.com/?linkid=9040607

Partner adopts Security Compliance Management toolkit

I wanted to thank Securevantage for making the Security Compliance Management toolkit a success in their world.

"Our customers and partners are all very pleased with the new baselines provided in the Security Compliance Management toolkit for DCM, along with the ease of customization supported via Config Pack design and guidance. This solution gives customers another great asset for assessing risk and monitoring configuration drift in the enterprise using System Center. From a security auditing and compliance perspective this is the best resource to be released from Microsoft since the regulatory compliance planning guide.

Thanks,
Jeremiah Beckett
President"

If you're interested in how they are using the Solution Accelerator, check them out at: http://securevantage.spaces.live.com/

How to Use AccessChk.exe for Security Compliance Management

In this article we invite Michael Tan, one of our senior program managers, to introduce a new feature in the recently updated Sysinternals tool called AccessChk. His two-part article looks at how the new AccessChk feature works and the benefits of using this Sysinternals tool. The second part looks at using the tool with Configuration Manager's DCM feature, and how the Security Compliance Management toolkit benefits from the effort.

Microsoft released the Security Compliance Management toolkit on June 5, 2008, on TechNet and as a free download on the Microsoft Download Center. The toolkit enables organizations to monitor the security compliance state of their IT environments for computers running Windows operating systems by using the Desired Configuration Management (DCM) feature in Microsoft System Center Configuration Manager 2007, as mentioned in recent posts.

Now let's look at a known issue with the toolkit: it uses Resultant Set of Policy (RSOP) Windows Management Instrumentation (WMI) providers for data discovery. This shortcoming can be addressed by using the newly updated AccessChk.exe, together with some custom DCM scripts, to obtain the latest user rights assignment data from the Windows Local Security Authority (LSA) store. To make this simple, we include a working sample that customers can use to collect this data directly from the LSA store.

Background

The Security Compliance Management toolkit provides more than 300 security settings, including user rights assignment settings such as "Access this computer from the network", "Back up files and directories", and so on. The Release Notes in the toolkit include a list of settings. The data collected in the WMI repository for these settings may not be synchronized with the data in the LSA store.

This is because the data discovery process for the toolkit uses RSOP WMI providers to collect the setting data, and the data is queried from the WMI repository (CIMOM database) that represents existing policies or planned policies. For this reason, the data for these settings may not be consistent with the user rights assignment data in the LSA store that is consumed directly by Windows components. If customers want to obtain the actual security state of the user rights assignments on a target host, they must query the LSA store directly instead of using RSOP. Only native application programming interfaces (APIs) or Win32 APIs are provided for LSA data queries, and these are not supported by the DCM feature in Configuration Manager 2007. To obtain this data, you can use the newly updated Sysinternals tool AccessChk.exe (version 4.2) with the DCM feature's scripting capability to get user rights assignment data directly from the LSA store.

AccessChk.exe

AccessChk.exe shows you the access that the user or group you specify has to files, registry keys, or Windows services. AccessChk.exe now supports a new option, -a, to query user rights assignment data directly from the LSA store. First download AccessChk.exe 4.2 from Sysinternals. At a command prompt, type:

    AccessChk.exe /?

The help output describes the new option as follows:

    -a      Name is a Windows account right. Specify '*' as the name to show all rights assigned to a user

Here is a partial list of the user rights assignments that you can access directly from the LSA store. Each entry gives the user right name as used with the -a option, its type (Allowed or Denied), the policy setting name, and a description:

  • SeBatchLogonRight – Allowed – "Logon as a batch job": Required for an account to log on using the batch logon type.
  • SeDenyBatchLogonRight – Denied – "Deny logon as a batch job": Explicitly denies an account the right to log on using the batch logon type.
  • SeDenyInteractiveLogonRight – Denied – "Deny Logon locally": Explicitly denies an account the right to log on using the interactive logon type.
  • SeDenyNetworkLogonRight – Denied – "Deny access to this computer from the network": Explicitly denies an account the right to log on using the network logon type.
  • SeDenyRemoteInteractiveLogonRight – Denied – "Deny Logon through Terminal Services": Explicitly denies an account the right to log on remotely using the interactive logon type.
  • SeDenyServiceLogonRight – Denied – "Deny logon as a service": Explicitly denies an account the right to log on using the service logon type.
  • SeInteractiveLogonRight – Allowed – "Allow Logon locally": Required for an account to log on using the interactive logon type.
  • SeNetworkLogonRight – Allowed – "Access this computer from the network": Required for an account to log on using the network logon type.
  • SeRemoteInteractiveLogonRight – Allowed – "Allow Logon through Terminal Services": Required for an account to log on remotely using the interactive logon type.
  • SeServiceLogonRight – Allowed – "Logon as a service": Required for an account to log on using the service logon type.
  • SeAssignPrimaryTokenPrivilege – Allowed – "Replace a process level token": Required to assign the primary token of a process.

Stay tuned for the second part of this article.

Integrate AccessChk.exe with DCM Scripts

The DCM feature supports a powerful way of doing data discovery by using scripting. By invoking AccessChk.exe from DCM scripts, the user rights assignment data that AccessChk.exe outputs can be collected by the DCM scripting data discovery provider. The following procedure enables you to use Microsoft Visual Basic Scripting Edition (VBScript) in combination with the DCM feature to collect data about user rights assignments. To use this procedure, you must have access to a computer running Configuration Manager 2007.

To add a setting using the DCM feature that uses VBScript to collect user rights assignment data

  1. In the left pane of the Configuration Manager Console, expand the Desired Configuration Management folder, right-click the folder to access the submenu, and then choose Configuration Item.
  2. In the Create Operating System Configuration Item Wizard, choose to create a new operating system configuration item (CI), and then on the Identification tab, name it. For example, you could name it "User Rights Assignment by AccessChk."
  3. Type a description for the CI (optional), and then click Next.
  4. On the Microsoft Windows Version page, select or type the corresponding Windows operating system version information, click Next to access the Objects page, and then on this page click Next to access the Settings page.
  5. On the Settings page, select the Settings node, click New, and then in the drop-down menu, select Script to invoke the New Script Setting Properties dialog.
  6. On the General tab of the New Script Setting Properties dialog, provide a setting Display Name. For example, "Remove computer from docking station".
  7. Provide a Description (optional).
  8. For Script Language, select VBScript (or your preferred language if you integrate AccessChk in another language).
  9. Copy the VBScript from the next section of this article into the Script text box.
  10. Change the second line in the script to the correct input parameters. For example, define the rule for "SeUndockPrivilege" as "Allowed" in this case. (See the table in the previous section for all available input parameters.)
  11. On the Validation tab of the New Script Setting Properties dialog, ensure that Data Type is set to String.
  12. Click New under the Details list box to create a new validation rule.
  13. In the Name and Description fields, provide information for your new validation rule.
  14. Ensure that Operator is set to Equals.
  15. Define the Value (account list) that you want to allow or deny for the user rights assignment.
  16. Select Severity, and then determine the severity level of the new validation rule.
  17. Click OK in the New Script Setting Properties dialog to save the new setting.
  18. Click Finish on the Settings tab to go to the Summary page.
  19. Click Next after reviewing the summary.
  20. Click Finish on the Confirmation page.

Sample DCM Feature VBScript for User Rights Assignments

Here is a VBScript that you can use with the DCM feature to obtain user rights assignments:

    option explicit

    ' Second line: the rule to evaluate. Change the user right, the rule type
    ' ("Allowed" or "Denied") and the expected account list to match your DCM rule.
    WScript.Echo ValidateSetting("SeNetworkLogonRight", "Allowed", "Administrators,Authenticated Users")
    'WScript.Echo ValidateSetting("SeDenyBatchLogonRight", "Denied", "Authenticated Users")

    Function ValidateSetting(userRightProperty, SeType, baselineValue)
        on error resume next
        ' Get expected values and actual values we are testing against
        Dim ExpectedValues, ActualValues
        ExpectedValues = baselineValue
        ' Poll LSA data through accesschk
        ActualValues = PollAccessChkForSettings(userRightProperty)
        If ActualValues = "" Then
            ' below line assumes DCM rule value (OperandA) is "NO ONE" if no one is allowed for the user right privilege
            ActualValues = "NO ONE"
        End If
        ' do our validation
        If SeType = "Allowed" Then
            ValidateSetting = ValidateAllowedResults(ExpectedValues, ActualValues)
        Else
            ValidateSetting = ValidateDeniedResults(ExpectedValues, ActualValues)
        End If
        ' do error checking, make sure our function returns something.
        If ValidateSetting = "" Then
            ValidateSetting = "ValidateSetting returned Nothing or Empty"
            If Err.Number <> 0 Then
                ValidateSetting = ValidateSetting & ", Error: " & Err.Number
                ValidateSetting = ValidateSetting & ", Error (Hex): " & Hex(Err.Number)
                ValidateSetting = ValidateSetting & ", Source: " & Err.Source
                ValidateSetting = ValidateSetting & ", Description: " & Err.Description
                Err.Clear
            End If
        End If
    End Function

    ' Validate allowed results
    Function ValidateAllowedResults(ExpectedValues, ActualValues)
        on error resume next
        ' We are always compliant if no one has the privilege
        If UCase(Trim(ActualValues)) = "NO ONE" Then
            ValidateAllowedResults = ExpectedValues
            Exit Function
        End If
        ' Verify that the actual list of users is a subset of the expected list of users.
        Dim ActualValueList, ExpectedValueList, ActualValue, ExpectedValue, Result
        ActualValueList = Split(UCase(ActualValues), ",")
        ExpectedValueList = Split(UCase(ExpectedValues), ",")
        ' Verify all the actual users are in the list of expected users
        For Each ActualValue in ActualValueList
            ' Find if actual value is in list of expected values
            Result = false
            For Each ExpectedValue in ExpectedValueList
                If Trim(ActualValue) = Trim(ExpectedValue) Then
                    Result = true
                    Exit For
                End If
            Next
            If Result = false Then
                ValidateAllowedResults = ActualValues
                Exit Function
            End If
        Next
        ' Passed all tests
        ValidateAllowedResults = ExpectedValues
    End Function

    ' Validate denied results
    Function ValidateDeniedResults(ExpectedValues, ActualValues)
        on error resume next
        ' We are always compliant if we expect no one to have been denied the privilege
        If UCase(Trim(ExpectedValues)) = "NO ONE" Then
            ValidateDeniedResults = ExpectedValues
            Exit Function
        End If
        ' We are never compliant if no one has been denied the privilege but someone was expected.
        If UCase(Trim(ActualValues)) = "NO ONE" Then
            ValidateDeniedResults = ActualValues
            Exit Function
        End If
        ' Verify that the expected list of users is a subset of the actual list of users.
        Dim ActualValueList, ExpectedValueList, ActualValue, ExpectedValue, Result
        ActualValueList = Split(UCase(ActualValues), ",")
        ExpectedValueList = Split(UCase(ExpectedValues), ",")
        ' Verify all the expected users are in the list of actual users
        For Each ExpectedValue in ExpectedValueList
            ' Find if expected value is in list of actual values
            Result = false
            For Each ActualValue in ActualValueList
                If Trim(ActualValue) = Trim(ExpectedValue) Then
                    Result = true
                    Exit For
                End If
            Next
            If Result = false Then
                ValidateDeniedResults = ActualValues
                Exit Function
            End If
        Next
        ' Passed all tests
        ValidateDeniedResults = ExpectedValues
    End Function

    ' Return a comma-delimited list of the accounts that hold the user right we are polling.
    Function PollAccessChkForSettings(userRightProperty)
        on error resume next
        Dim Result, timeout, accountArray, objWshell, oExec, i, j, value
        Set objWshell = WScript.CreateObject("WScript.Shell")
        Set oExec = objWshell.Exec("accesschk.exe -a " & userRightProperty)
        If oExec is Nothing Then
            PollAccessChkForSettings = "ERROR: objWshell.Exec returned null, please check if accesschk.exe exists."
            Exit Function
        End if
        ' Wait for program to finish (up to 200 x 10 ms)
        timeout = 200
        Do While oExec.Status = 0 And timeout > 0
            WScript.Sleep 10
            timeout = timeout - 1
        Loop
        If oExec.Status = 0 Then
            PollAccessChkForSettings = "ERROR: Timed Out"
            Exit Function
        Else
            Result = oExec.StdOut.ReadAll
            If Result = "" Then
                PollAccessChkForSettings = "ERROR: Get Data Failed"
                Exit Function
            Else
                ' no valid data found: accesschk reports this when no account holds the right
                If InStr(Result, "No more data is available") > 0 Then
                    PollAccessChkForSettings = ""
                    Exit Function
                End If
                ' concatenate the accounts into a comma-delimited string
                accountArray = Split(Result, vbCrLf)
                For i = 0 To UBound(accountArray) - 1
                    If PollAccessChkForSettings <> "" Then
                        PollAccessChkForSettings = PollAccessChkForSettings + ","
                    End If
                    value = Replace(accountArray(i), Chr(9), "")
                    value = Trim(value)
                    ' strip the DOMAIN\ or MACHINE\ prefix so the baseline is host-independent
                    j = InStrRev(value, "\")
                    If j = 0 Then
                        PollAccessChkForSettings = PollAccessChkForSettings + UCase(value)
                    Else
                        PollAccessChkForSettings = PollAccessChkForSettings + UCase(Right(value, Len(value) - j))
                    End if
                Next
                'WScript.Echo PollAccessChkForSettings
            End If
        End If
    End Function

If you are interested in the complete script listing for DCM, you can download it from HERE.

To improve the accuracy and integrity of Security Compliance Management, collecting user rights assignment data from the right location is critical for security compliance reports. The newly updated AccessChk.exe can be integrated into the Desired Configuration Management feature of Microsoft System Center Configuration Manager 2007 to achieve this.
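The Allowed/Denied subset rules that the VBScript applies to one right, carried through for a whole baseline of several rights so the output is the kind of drift report the Configuration Drift post asks for. This is an added Python example, not the toolkit's script or Microsoft's code. The accesschk output it consumes is constructed sample text in the shape the script above expects (tab-indented DOMAIN\Account lines, or the "No more data is available" message when no account holds the right); the CONTOSO domain and the "Field Service" group are invented.

```python
"""Evaluate user rights assignments against a baseline and report drift.

Added example (not the Security Compliance Management toolkit's code).
Mirrors the subset rules of the DCM VBScript: an 'Allowed' right is
compliant when every actual holder is in the baseline, a 'Denied' right
is compliant when every baseline account is actually denied.
"""
from __future__ import annotations
from typing import Dict, List, Tuple

NO_DATA = "No more data is available"   # accesschk text when nobody holds the right


def parse_accesschk_output(text: str) -> List[str]:
    """Turn 'accesschk -a <right>' output into upper-cased account names.

    Domain/machine prefixes (CONTOSO\\Field Service) are stripped, as the
    VBScript does, so one baseline works across hosts. The no-data
    message yields an empty list.
    """
    if NO_DATA in text:
        return []
    accounts = []
    for line in text.splitlines():
        name = line.replace("\t", "").strip()
        if not name:
            continue
        accounts.append(name.rsplit("\\", 1)[-1].upper())
    return accounts


def validate_allowed(expected: List[str], actual: List[str]) -> List[str]:
    """Accounts that hold the right but are not in the baseline (drift)."""
    return [a for a in actual if a not in expected]


def validate_denied(expected: List[str], actual: List[str]) -> List[str]:
    """Baseline accounts that should be denied but are not (drift)."""
    return [e for e in expected if e not in actual]


def check_baseline(baseline: Dict[str, Tuple[str, List[str]]],
                   outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Check every right in the baseline; return only the drifted ones.

    baseline: {right: ("Allowed"|"Denied", [accounts])}
    outputs:  {right: raw accesschk output for that right}
    A right with no captured output is treated as held by nobody.
    """
    drift: Dict[str, List[str]] = {}
    for right, (kind, accounts) in baseline.items():
        expected = [a.strip().upper() for a in accounts]
        actual = parse_accesschk_output(outputs.get(right, NO_DATA))
        if kind == "Allowed":
            bad = validate_allowed(expected, actual)
        elif kind == "Denied":
            bad = validate_denied(expected, actual)
        else:
            raise ValueError(f"unknown rule type {kind!r} for {right}")
        if bad:
            drift[right] = bad
    return drift


# Constructed sample: a server where a non-admin group was granted local
# logon (the second 'quick fix' from the Configuration Drift post) and the
# deny-batch-logon entry for Authenticated Users is missing.
SAMPLE_OUTPUT = {
    "SeInteractiveLogonRight": ("\tBUILTIN\\Administrators\r\n\tBUILTIN\\Backup Operators\r\n"
                                "\tBUILTIN\\Server Operators\r\n\tCONTOSO\\Field Service\r\n"),
    "SeNetworkLogonRight": "\tBUILTIN\\Administrators\r\n\tNT AUTHORITY\\Authenticated Users\r\n",
    "SeDenyBatchLogonRight": NO_DATA + "\r\n",
}

BASELINE = {
    "SeInteractiveLogonRight": ("Allowed", ["Administrators", "Server Operators", "Backup Operators"]),
    "SeNetworkLogonRight": ("Allowed", ["Administrators", "Authenticated Users"]),
    "SeDenyBatchLogonRight": ("Denied", ["Authenticated Users"]),
}

if __name__ == "__main__":
    for right, accounts in check_baseline(BASELINE, SAMPLE_OUTPUT).items():
        print(f"{right}: drift -> {', '.join(accounts)}")
```

Running it reports drift on SeInteractiveLogonRight (the extra FIELD SERVICE group) and on SeDenyBatchLogonRight (AUTHENTICATED USERS not denied), while SeNetworkLogonRight matches the baseline. In a DCM rule the same two functions would be called once per right with the account list the rule expects.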

Now available: System Center Configuration Manager Extensions for SCAP Beta

If your organization is affected by the Federal Desktop Core Configuration (FDCC) mandate and the Security Content Automation Protocol (SCAP), then this new Beta program will be of interest to you. The FDCC mandate from the Office of Management and Budget (OMB) requires federal agencies and organizations to configure their computers running Windows Vista® and Windows® XP according to a specific list of settings published by the National Institute of Standards and Technology (NIST). The FDCC mandate also requires these agencies and organizations to document their compliance by scanning the computers they manage using SCAP content published by NIST, and to provide the compliance results in SCAP format.

The System Center Configuration Manager Extensions for SCAP enable you to use Microsoft® System Center Configuration Manager 2007 to scan the computers you manage that run these operating systems for compliance with the FDCC mandate. The Extensions include command-line tools to convert SCAP content into the format used by the Desired Configuration Management (DCM) feature in Configuration Manager 2007, and to convert DCM reports into SCAP format.

You can participate in the Beta by visiting the Beta Program site on Microsoft Connect (Windows Live™ ID login and registration required). After you sign up, bookmark this link to the project site for access to download the Beta tools and guidance, and to receive the latest information about the project.

Note: This solution has not been formally validated by NIST. Although Microsoft will submit it at a future date, at this time NIST has not yet recognized it as a SCAP-validated tool with FDCC scanning capability.

HIPAA or PCI or FISMA Baseline? (FAQ)

A teammate of mine posted a FAQ this week about the GRC space and how it intersects with Microsoft Baselines. Check it out! http://social.technet.microsoft.com/wiki/contents/articles/grc-baselines-made-easy.aspx

-jeff

PS - for those of you wanting the SCM v2 Beta, I've got great news. Just a little bit longer and we will have something for you. Hang in there, home stretch!

LGPO.exe – Local Group Policy Object Utility, v1.0

LGPO.exe is a new command-line utility to automate the management of local group policy. It replaces the no-longer-maintained LocalGPO tool that shipped with the Security Compliance Manager (SCM), and the Apply_LGPO_Delta and ImportRegPol tools.

Features:

  • Import settings into local group policy from GPO backups or from individual policy component files, including Registry Policy (registry.pol), security templates, and advanced auditing CSV files.
  • Export local policy to a GPO backup.
  • Parse a Registry Policy (registry.pol) file to readable "LGPO text" directly to the console or redirected to a file which can edited and imported into local policy.
  • Build a new Registry Policy (registry.pol) file from "LGPO text".
  • Enable group policy client side extensions for local policy processing.

The zip file attached to this post includes LGPO.exe and full documentation. This is the command line syntax:

LGPO.exe v1.00 – Local Group Policy Object utility

LGPO.exe has four modes:
  * Import and apply policy settings;
  * Export local policy to a GPO backup;
  * Parse a registry.pol file to "LGPO text" format;
  * Build a registry.pol file from "LGPO text".

To apply policy settings:

    LGPO.exe command […]

    where "command" is one or more of the following (each of which can be repeated):

    /g path               import settings from one or more GPO backups under "path"
    /m path\registry.pol  import settings from registry.pol into machine config
    /u path\registry.pol  import settings from registry.pol into user config
    /s path\GptTmpl.inf   apply security template
    /a[c] path\Audit.csv  apply advanced auditing settings; /ac to clear policy first
    /t path\lgpo.txt      apply registry commands from LGPO text
    /e <name>|<guid>      enable GP extension for local policy processing; specify a
                          GUID, or one of these names:
                          * "zone" for IE zone mapping extension
                          * "mitigation" for mitigation options, including font blocking
                          * "audit" for advanced audit policy configuration
    /boot                 reboot after applying policies
    /v                    verbose output
    /q                    quiet output (no headers)

To create a GPO backup from local policy:

    LGPO.exe /b path [/n GPO-name]

    /b path               Create GPO backup in "path"
    /n GPO-name           Optional GPO display name (use quotes if it contains spaces)

To parse a Registry.pol file to LGPO text (stdout):

    LGPO.exe /parse [/q] {/m|/u} path\registry.pol

    /m path\registry.pol  parse registry.pol as machine config commands
    /u path\registry.pol  parse registry.pol as user config commands
    /q                    quiet output (no headers)

To build a Registry.pol file from LGPO text:

    LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]

    /r path\lgpo.txt      Read input from LGPO text file
    /w path\registry.pol  Write new registry.pol file

(See the documentation for more information and examples.)
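Parsing a registry.pol file and building one from text are two of the LGPO.exe modes listed above. The following added example (my own Python, not the LGPO.exe tool or its documentation) implements both directions for the common value types using Microsoft's documented Registry Policy file format, and renders each entry in the four-line shape LGPO text uses (scope, key, value name, TYPE:data). The sample entries are constructed; the Example\Vendor key is a placeholder, and the MULTISZ separator and the handling of the **Del. deletion marker are my approximation of the LGPO text conventions.

```python
"""Build and parse registry.pol files and render them as LGPO-style text.

Added example, not part of the LGPO.exe download. File layout (Microsoft's
Registry Policy file format): 4-byte 'PReg' signature, 4-byte version (1),
then entries [key;value;type;size;data] where brackets and semicolons are
UTF-16LE characters, key and value are null-terminated UTF-16LE strings,
type and size are little-endian DWORDs and data is 'size' raw bytes.
"""
from __future__ import annotations
import struct
from typing import List, Tuple

REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_MULTI_SZ = 1, 2, 4, 7
TYPE_NAMES = {REG_SZ: "SZ", REG_EXPAND_SZ: "EXSZ", REG_DWORD: "DWORD", REG_MULTI_SZ: "MULTISZ"}
SIGNATURE = b"PReg" + struct.pack("<I", 1)


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def encode_data(reg_type: int, value) -> bytes:
    """Encode a Python value as the raw registry data bytes for reg_type."""
    if reg_type == REG_DWORD:
        return struct.pack("<I", int(value))
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return _u16(str(value) + "\0")          # size includes the terminator
    if reg_type == REG_MULTI_SZ:
        return _u16("".join(v + "\0" for v in value) + "\0")
    raise ValueError(f"unsupported registry type {reg_type}")


def decode_data(reg_type: int, data: bytes):
    """Inverse of encode_data; unknown types come back as hex."""
    if reg_type == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\0")
    if reg_type == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return data.hex()


def build_pol(entries: List[Tuple[str, str, int, object]]) -> bytes:
    """Serialize (key, value_name, reg_type, value) tuples into registry.pol bytes."""
    out = bytearray(SIGNATURE)
    for key, name, reg_type, value in entries:
        data = encode_data(reg_type, value)
        out += _u16("[") + _u16(key + "\0") + _u16(";") + _u16(name + "\0") + _u16(";")
        out += struct.pack("<I", reg_type) + _u16(";") + struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def _read_cstr(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a null-terminated UTF-16LE string at pos; return (text, position after it)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string in registry.pol")
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_pol(buf: bytes) -> List[Tuple[str, str, int, bytes]]:
    """Parse registry.pol bytes into (key, value_name, reg_type, raw_data) tuples."""
    if buf[:8] != SIGNATURE:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(buf):
        if buf[pos:pos + 2] != _u16("["):
            raise ValueError(f"expected '[' at offset {pos}")
        key, pos = _read_cstr(buf, pos + 2)
        pos += 2                                   # ';'
        name, pos = _read_cstr(buf, pos)
        pos += 2                                   # ';'
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos += 4 + 2                               # type DWORD + ';'
        size = struct.unpack_from("<I", buf, pos)[0]
        pos += 4 + 2                               # size DWORD + ';'
        data = buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != _u16("]"):
            raise ValueError(f"expected ']' at offset {pos}")
        pos += 2
        entries.append((key, name, reg_type, data))
    return entries


def to_lgpo_text(buf: bytes, scope: str = "Computer") -> str:
    """Render parsed entries as LGPO-style blocks: scope, key, value name, TYPE:data."""
    blocks = []
    for key, name, reg_type, data in parse_pol(buf):
        if name.startswith("**Del."):              # single-value deletion marker
            line, name = "DELETE", name[len("**Del."):]
        else:
            value = decode_data(reg_type, data)
            if isinstance(value, list):
                value = "\\0".join(value)
            line = f"{TYPE_NAMES.get(reg_type, str(reg_type))}:{value}"
        blocks.append("\n".join([scope, key, name, line]))
    return "\n\n".join(blocks) + "\n"


# Constructed sample entries; Example\Vendor is a placeholder key.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Microsoft\Windows\System", "EnableSmartScreen", REG_DWORD, 1),
    (r"Software\Policies\Example\Vendor", "LogPath", REG_EXPAND_SZ, r"%SystemRoot%\Logs"),
    (r"Software\Policies\Example\Vendor", "AllowedHosts", REG_MULTI_SZ, ["host1", "host2"]),
    (r"Software\Policies\Example\Vendor", "**Del.LegacySetting", REG_SZ, ""),
]

if __name__ == "__main__":
    print(to_lgpo_text(build_pol(SAMPLE_ENTRIES)))
```

The round trip (build, then parse) is the useful check when you hand-edit LGPO text and rebuild a registry.pol: any entry the parser rejects would also be malformed for the policy engine.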

LGPO.zip

New tool: Policy Analyzer

Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings and against local registry settings. And you can export its findings to a Microsoft Excel spreadsheet.

Policy Analyzer lets you treat a set of GPOs as a single unit.  This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values.  It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. 

For example, the US Government Configuration Baseline (USGCB) for Windows 7 includes seven different GPOs.  Policy Analyzer can treat them as a single set, and show all the differences between them and the Microsoft recommended baselines for Windows 10 and Internet Explorer 11 with a single comparison.  You can also use it to verify changes that were made to your production GPOs.

The following screenshot shows two baselines compared with each other and to corresponding registry values on the local system. The lower pane displays the Group Policy setting, location, and other information associated with the selected row. Conflicting settings are highlighted in yellow; absent settings are shown as a grey cell. Policy Analyzer also offers options to display only rows containing conflicts or other differences.

The following screenshot shows Policy Analyzer’s Excel output. Policy Analyzer sorts results primarily by the Group Policy path and setting name columns, which are the leftmost columns.

Policy Analyzer is a lightweight standalone application that doesn’t require installation, and doesn’t require administrative rights (except for the “local policy” feature).

The downloadable attachment to this blog post contains Policy Analyzer, its full documentation and sample GPO sets taken from the Microsoft security configuration baselines.
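What treating a set of GPOs as a single unit involves, as an added Python example (not Policy Analyzer's code): settings configured identically in more than one GPO are reported as duplicates, settings configured to different values as conflicts, the set is then resolved to effective values by precedence and compared against a registry snapshot, with values absent locally reported separately, as Policy Analyzer's grey cell does. The GPO names, the Site-Override GPO and the local snapshot are constructed; the registry paths are real policy locations, but the values are illustrative.

```python
"""Analyze a set of GPOs as one unit: duplicates, conflicts and local drift.

Added example, not Policy Analyzer's code. Each GPO is a mapping from a
(scope, registry key, value name) setting to its configured value; the
'local registry' snapshot is a plain mapping over the same keys.
"""
from __future__ import annotations
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Setting = Tuple[str, str, str]   # (scope, key path, value name)


def analyze_gpo_set(gpos: Dict[str, Dict[Setting, object]]):
    """Return (duplicates, conflicts) across the whole set.

    duplicates: {setting: [gpo names]} for settings configured to the same
                value in more than one GPO (redundant, safe to consolidate)
    conflicts:  {setting: {gpo name: value}} for settings configured to
                different values in different GPOs (which one wins depends
                on link order, so the intended state is ambiguous)
    """
    by_setting: Dict[Setting, Dict[str, object]] = defaultdict(dict)
    for gpo_name, settings in gpos.items():
        for setting, value in settings.items():
            by_setting[setting][gpo_name] = value
    duplicates: Dict[Setting, List[str]] = {}
    conflicts: Dict[Setting, Dict[str, object]] = {}
    for setting, sources in by_setting.items():
        if len(sources) < 2:
            continue
        if len({repr(v) for v in sources.values()}) == 1:
            duplicates[setting] = sorted(sources)
        else:
            conflicts[setting] = dict(sources)
    return duplicates, conflicts


def effective_values(gpos: Dict[str, Dict[Setting, object]],
                     precedence: List[str]) -> Dict[Setting, object]:
    """Resolve the set to one value per setting; later names in precedence win."""
    effective: Dict[Setting, object] = {}
    for gpo_name in precedence:
        effective.update(gpos[gpo_name])
    return effective


def compare_to_local(effective: Dict[Setting, object],
                     local: Dict[Setting, object]) -> Dict[Setting, Tuple[object, Optional[object]]]:
    """Diff the resolved baseline against a registry snapshot.

    Returns {setting: (expected, actual)}; actual is None when the value is
    absent locally, which is reported separately from a wrong value.
    """
    return {s: (v, local.get(s)) for s, v in effective.items() if local.get(s) != v}


# Constructed sample data. Paths are real policy locations; values are illustrative.
SYSTEM = r"Software\Policies\Microsoft\Windows\System"
LOGON = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"

GPOS = {
    "Baseline-Computer": {
        ("Computer", SYSTEM, "EnableSmartScreen"): 1,
        ("Computer", LOGON, "InactivityTimeoutSecs"): 900,     # machine inactivity limit
        ("Computer", LOGON, "DontDisplayLastUserName"): 1,
    },
    "Baseline-Audit": {
        ("Computer", LOGON, "InactivityTimeoutSecs"): 900,     # duplicate of the above
    },
    "Site-Override": {
        ("Computer", LOGON, "DontDisplayLastUserName"): 0,     # conflicts with the baseline
    },
}

LOCAL_REGISTRY = {
    ("Computer", SYSTEM, "EnableSmartScreen"): 1,
    ("Computer", LOGON, "InactivityTimeoutSecs"): 3600,        # drifted from 900
    # DontDisplayLastUserName is absent locally
}

if __name__ == "__main__":
    dups, confs = analyze_gpo_set(GPOS)
    for s, names in dups.items():
        print("duplicate:", s[2], "in", ", ".join(names))
    for s, values in confs.items():
        print("conflict:", s[2], values)
    eff = effective_values(GPOS, ["Baseline-Computer", "Baseline-Audit", "Site-Override"])
    for s, (want, have) in compare_to_local(eff, LOCAL_REGISTRY).items():
        print("drift:", s[2], "expected", want, "found", "absent" if have is None else have)
```

The precedence list stands in for Group Policy link order; a conflict report is only actionable once you know which GPO the engine applies last, which is why the analysis and the resolution are separate functions.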

[Updated 3 February 2016: download now includes representations of all Windows, IE, and Office GPOs published in the Security Compliance Manager.]

PolicyAnalyzer+Samples.zip

Security baseline for Windows 10 (v1507, build 10240, TH1, LTSB) — UPDATE

Based on continuing discussions with security experts in Microsoft, the Center for Internet Security, and customers, we are publishing a few changes to the security configuration baseline recommendations for Windows 10, version 1507. Version 1507 was the original RTM release of Windows 10, and is also known as "Build 10240," "Threshold 1," or "TH1." Version 1507 is also the current Long Term Servicing Branch (LTSB) build, which is the primary reason for continuing to update the baseline for this version. Those who are not relying on the LTSB track should have already updated to version 1511. Note that we are simultaneously releasing final guidance for version 1511, also known as "November Update," "Build 10586," "Threshold 2," or "TH2."

These are the updates we have made:

  • Removed configuration of "Allow unicast response" from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is minuscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide "Interactive logon: Machine inactivity limit" setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for "Recovery console: Allow automatic administrative logon." This setting has been obsolete since Windows XP and its removal just got missed until now.

This specific baseline will be delivered only through the downloadable attachment to this blog post. The attachment includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will not be publishing SCM .CAB files for this baseline, as we are focusing our SCM resources on the “Threshold 2” release.

Windows 10 Security Baseline.zip


Security baseline for Windows 10 (v1511, "Threshold 2") — FINAL

Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1511, also known as "November Update," "Build 10586," "Threshold 2," or "TH2." The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will also be publishing SCM .CAB files for this Windows 10 baseline shortly, and will announce their availability on the Security Guidance blog. (Note that we will not be providing updated SCM .CAB files for the IE11 guidance. For that content, see the attachment on this blog post.)

These are the updates we have made since the draft release in November, following continuing discussions with security experts in Microsoft, the Center for Internet Security, and customers:

  • Enabled "Turn off Microsoft consumer experiences," which is a new setting as of version 1511.
  • Removed configuration of "Allow unicast response" from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is minuscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide "Interactive logon: Machine inactivity limit" setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for "Recovery console: Allow automatic administrative logon." This setting has been obsolete since Windows XP and its removal just got missed until now.

Windows 10 TH2 Security Baseline.zip

Security baseline for Windows Server 2016 Technical Preview 5 (TP5)

Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows Server 2016, corresponding to Technical Preview 5 (TP5). The final version of Windows Server 2016 will differ from the TP5 pre-release, and this security guidance will change as well. Both TP5 and this guidance are offered for evaluation purposes and we look forward to your feedback.

Download the content here: Server 2016 Beta.zip

Our Windows 10 guidance differed dramatically from our past Windows client baselines (as described here), and our evolving Windows Server guidance is following suit. In addition to the changes described in that blog post, there are a few additional differences between this new guidance and both the Windows Server 2012 R2 guidance and the Windows 10 TH2 guidance:

  • Advanced Auditing setting for Account Lockout changed from Success to Success+Failure. We will also make this change in the next revision of our Windows 10 guidance. This change is needed so that account logon failures are audited when the failure reason is that the account is locked out.
  • Some settings not relevant to Windows Server, such as Wi-Fi Sense, are omitted.
  • BitLocker is not included in the Windows Server baseline.
  • Internet Explorer is introducing a new Group Policy control, “Allow only approved domains to use the TDC ActiveX control.” We are enabling that setting in the Internet and Restricted Sites zones. We will also make this change in the next revision of our Windows 10 guidance, where it will be more important.
  • Reverted “Apply local firewall rules” and “Apply local connection security rules” to Not Configured for the Public firewall profile, enabling organizations to make their own decisions. This is a difference from the Windows 10 guidance. Internet-facing servers have varied purposes and there is a greater need for flexibility in these settings than for Windows client.
  • Removed the recommendations for specific values in the User Rights Assignments “Replace a process level token” and “Adjust memory quotas for a process.” The defaults are good and the settings are unlikely to be abused for nefarious purposes. Also, during installation some products need to grant these rights to product-specific accounts, and later break when a Group Policy reverts them back to the Windows defaults. We will also make this change in the next revision of our Windows 10 guidance.

This baseline is designed for the Member Server scenario. The final version will also include a baseline for Windows Server 2016 Domain Controller. In addition to the differences between the Member Server and DC baselines for Windows Server 2012 R2 (*), the differences for Windows Server 2016 DCs will include:

  • Do not apply the LAPS setting, “Enable local admin password management,” to DCs.
  • The “Hardened UNC Paths” setting should not be applied to DCs.

(*) You can review the differences between these baselines using Policy Analyzer.

Security Compliance Manager 4.0 now available for download!


The Security Compliance Manager (SCM) is a free tool from Microsoft that enables you to quickly configure and manage the computers in your environment using Group Policy and Microsoft System Center Configuration Manager. This version of SCM supports Windows 10 and Windows Server 2016.

You can easily configure computers running Windows 10 and Windows Server 2016 based on Microsoft Recommended Security Baselines and industry best practices.

You can download SCM 4.0 here.

Updates include:

  • Support for existing Windows 10 version 1511 security baselines
  • Support for upcoming Windows 10 version 1607, and Windows Server 2016
  • Bug fixes for ‘Compare’ and ‘Simple View’ features in SCM

The latest version of SCM offers all the same great features as before, plus bug fixes and added support for upcoming baselines. SCM 4.0 provides a single location for creating, managing, analyzing, and customizing baselines to secure your environment more quickly and efficiently. In addition to the latest software releases, you can also configure previous editions of Windows client, Windows Server, and Microsoft Office.

SCM provides DCM 2007 configuration packs that allow you to manage configuration drifts using Microsoft System Center Configuration Manager. Microsoft’s Operations Management Suite also supports monitoring for Security Baselines in your Server environments.

LGPO.exe v2.0 PRE-RELEASE: support for MLGPO and REG_QWORD


LGPO.exe is a command-line utility to automate the management of local group policy objects (LGPO). Version 1.0 was released last January. The PRE-RELEASE LGPO.exe v2.0 is attached to this blog post, and adds support for Multiple Local Group Policy Objects (MLGPO) and 64-bit REG_QWORD registry values. It also adds support for /e mnemonic options to enable the GP client side extensions for LAPS, Credential Guard, and Device Guard.

Full details are in the LGPO.pdf in the download. For more information about MLGPO, please review this: Step-by-Step Guide to Managing Multiple Local Group Policy Objects.

If these new features are valuable to you, please test them in your environments and let us know through the comments on this blog post how well they meet your needs.

Thanks.

LGPOv2-PRE-RELEASE

The MSS settings


You can download the custom Administrative Template for the “MSS (Legacy)” settings here: MSS-legacy. Note that it is available only for “en-us” (US English).

Explanation:

Many years ago, before the advent of Trustworthy Computing, some Microsoft security experts identified about 20 Windows registry values (many or perhaps all of which were undocumented at the time) that could be tweaked for what was then perceived to be significant security gain. For manageability, they developed a script that added these entries to the local security settings editor with descriptive names prefixed with “MSS:” as seen in the screenshot below. [Historical note: I believe they landed there because these tweaks predated Windows 2000, Group Policy, and Administrative Templates.]

MSS settings in Security Options


Many of the settings remained part of our security configuration guidance until our “reset” with the Windows 10 recommendations. As part of the reset, we also created a custom ADMX and ADML and moved the settings from the Security Options section of the policy editor to Administrative Templates, as shown in this screenshot:

MSS Settings in Administrative Templates


The reason we did this was because adding them to Security Options relied on a technique that is no longer supportable. The script that had added them to the security editor did so in part by modifying %windir%\inf\sceregvl.inf, a text file. With the introduction of service identities in Windows Vista and Windows Server 2008, Windows configured many OS-owned resources as read-only to everyone except to the TrustedInstaller service. When a resource is configured this way, Windows explicitly tells you that even if you’re an administrator, modifying the resource is unsupported. Sceregvl.inf is one of those resources, so the script was updated to take ownership and change the permissions of the file so that the script could edit its content.

The new custom ADMX and ADML files reference the same registry settings as the older script, but in a manner that is supportable. We have included these files in the download packages with our Windows 10 and Windows Server 2016 baselines, and offer them here separately for your convenience. Note that our baselines no longer include recommendations to configure many of the MSS settings we had recommended in the past, as they have no security value against contemporary threats. The few that are still configured in our baseline have limited benefit at most.
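As an added example (not part of this post or of the baseline download), the following PowerShell function checks whether %windir%\inf\sceregvl.inf still carries its supported protection, TrustedInstaller ownership with no other write access, or whether it shows the ownership and permission changes the legacy MSS script had to make. The function name and the output fields are this example's own choices.

```powershell
# Added example, not Microsoft's code: detect the unsupported sceregvl.inf
# modification described above (ownership taken from TrustedInstaller and
# write permission granted so the legacy MSS script could edit the file).
function Test-SceregvlProtection {
    param(
        [string]$Path = (Join-Path $env:windir 'inf\sceregvl.inf')
    )
    $trustedInstaller = 'NT SERVICE\TrustedInstaller'
    $acl = Get-Acl -Path $Path

    # Supported state: the file is owned by the TrustedInstaller service identity.
    $ownerOk = ($acl.Owner -eq $trustedInstaller)

    # Any Allow ACE that grants write-class rights to a principal other than
    # TrustedInstaller is the drift indicator left behind by the old script.
    $extraWriters = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ne $trustedInstaller -and
            ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Path                        = $Path
        Owner                       = $acl.Owner
        OwnerIsTrustedInstaller     = $ownerOk
        NonTrustedInstallerWriters  = @($extraWriters)
        LooksUnmodified             = ($ownerOk -and $extraWriters.Count -eq 0)
    }
}

# Run on the local machine and show the result.
Test-SceregvlProtection | Format-List
```

If LooksUnmodified is false, `sfc /verifyfile=%windir%\inf\sceregvl.inf` will additionally report whether the file content itself differs from the protected OS copy.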
