Maintaining security in a Windows environment is important to reduce the risk of bad actors being able to cause harm to an organization. Although Windows is built to be secure out of the box, enforcing security through policies is necessary to prevent configuration drift in organizations. Each iteration of Windows includes new security features that are sometimes not enabled by default to reduce the chances of operational impact to an environment, which makes the organization responsible for enabling these new security features.

As bad actors become more sophisticated in attacking organizations, it has become important to implement best practices for securing Windows systems. Organizations can leverage baseline policies to secure their environments and slow or stop bad actors in their tracks.
A security baseline is a collection of settings that is applied to systems in an operating environment. In the context of a Windows operating environment, these settings can be found in a variety of locations, including domain controllers (DCs), member servers, and desktops. These settings can also be applicable to computer objects and user objects in Active Directory (AD), Entra ID, and stand-alone/workgroup systems.
Why implement security baselines?
Security baselines help to enforce security posture in an environment. They help prevent blind spots and configuration variances across devices, known as configuration drift. Attack surface reduction techniques are leveraged to disable components that could otherwise be used by a bad actor. Security baselines also harden systems against some of the most common attack vectors and methods, such as pass-the-hash by leveraging signing and encryption where applicable.
Depending on the type of organization, there may be government or regulatory compliance requirements where security baselines are required or assist in achieving compliance. Organizations looking to obtain and maintain cyber security insurance may be required by the insuring company to provide proof that the organization is doing their due diligence to maintain a secure environment. Additionally, audits may be required to be performed by an external entity to determine if the organization is in compliance with regulatory bodies.
Who are the sources of authority that provide security baselines?
There are various sources of authority who provide security baselines for Microsoft software, including but not limited to Windows, Windows Server, Office and Microsoft 365 Enterprise Apps, SQL Server, Exchange Server, SharePoint Server, Internet Information Services (IIS), Edge, Internet Explorer, and more.
Microsoft provides Group Policy objects (GPOs) and Microsoft Intune policies as enforcement mechanisms that can be used to deploy baselines. The Microsoft security baselines are comprehensive collections of recommended security settings that help protect against common security threats and vulnerabilities. Microsoft has a vested interest in providing secure software to individuals, businesses, and governments.
The Center for Internet Security (CIS) is a nonprofit organization dedicated to making the connected world a safer place for individuals, businesses, and governments. CIS provides PDF guides and pre-configured GPOs and Microsoft Intune policies to apply their baselines, also called CIS Benchmarks. They also provide hardened cloud provider images based on CIS Benchmarks.
The National Institute of Standards and Technology (NIST) is a United States government entity that exists to promote U.S. innovation and industrial competitiveness. They provide XML-based files as guides for secure configurations. These secure configurations are known as security technical implementation guides (STIGs). They also provide pre-configured GPOs.
How can security baselines and related tools be obtained?
While it is possible to manually transcribe baseline settings from text-based formats, such as the PDF files available from CIS and the XML files available from NIST, doing so to build GPOs is not recommended because there are too many opportunities to make errors. For this reason, it’s highly recommended to implement baselines from the pre-configured GPOs that the sources of authority provide.
- Microsoft provides baselines in GPO format in its free Security and Compliance Toolkit.
- CIS provides CIS Build Kits, which contain pre-built GPOs and Microsoft Intune policies for accelerating the deployment of CIS Benchmarks to Windows systems; they require a paid subscription.
- NIST provides pre-configured GPOs that align to the STIGs and can be downloaded for free.
How should security baselines be implemented?
The first thing that must be done when deciding to implement baselines is to prioritize and define a scope of systems to work on. Domain controllers typically require the least effort to implement a baseline for, so consider starting there. Next, determine a source of authority to create baselines from. Using the Microsoft baseline is a great way to start. CIS Benchmarks are a great alternative if the organization has a CIS SecureSuite subscription and is looking to take its security posture a step further by implementing more robust security controls.
Below is an example 15-step process for implementing a security baseline for DCs.
- Define a target scope of systems to work on (i.e., DCs).
- Choose one authority source to implement baselines from (Microsoft, CIS, NIST) and download the relevant GPO(s) that are applicable to the operating system(s) that is running on DCs.
- Import all relevant administrative templates into the policy store (SYSVOL). This can include administrative templates found in the Security and Compliance Toolkit such as AdmPwd (Legacy LAPS), MSS-legacy, and SecGuide. Do not forget to keep all administrative templates updated in the policy store as new software is released for Windows, Windows Server, OneDrive, Office, and more.
- Make copies of any GPOs that have multiple links and are linked to the Domain Controllers organizational unit (OU). Replace the existing links with new ones using the newly copied GPO.
- Back up existing GPOs linked to the target (i.e., the Domain Controllers OU).
- Consolidate existing GPOs wherever possible.
- Segregate any changes that were made to the Default Domain Controllers policy into their own GPO (use a GPO comparison tool to determine which settings those are).
- Move the Default Domain Controllers policy to the lowest possible precedence in the link order.
- Restore the Default Domain Controllers policy to its original settings by using dcgpofix.exe.
- Use a GPO comparison tool like SDM Software’s Group Policy Reporting Pak or Microsoft Policy Analyzer to compare the source authority GPO against the existing GPO(s) linked to the target, to determine which settings will be new and which differ from the settings already in place.
- Create a new GPO (or use an existing one that is not the Default Domain Controllers policy) with a higher link order than everything else and place any desired custom settings in this GPO.
- Create GPO(s) for the source authority’s pre-defined settings. Ensure the revision and operating system version are included in the name of the GPO.
- Import the GPO settings into the new GPO(s).
- Link the new GPO(s) so that the link order is in between the Default Domain Controllers policy and the custom settings GPO.
- Validate the settings are applying correctly by using gpresult.exe.
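The steps above, assembled into a script as an added example that is not Ravenswood’s, Microsoft’s or any other vendor’s code. It uses the GroupPolicy and ActiveDirectory PowerShell modules and is assumed to run as a Domain Admin from a management host. The baseline backup folder, the display name inside that backup, the template folder and the GPO names are placeholders; steps 6 and 7 (consolidating GPOs and segregating hand-made edits) are left as a human review of the exported report, and step 10 is covered by exporting XML reports for a comparison tool.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example, not Ravenswood's or Microsoft's script. Every value below is an
# assumed placeholder to replace with your own.
$BaselineBackupPath = 'C:\Baselines\Vendor-DC-Baseline\GPOs'          # unpacked vendor GPO backup
$BaselineBackupName = 'VENDOR Windows Server DC Baseline'              # display name inside that backup
$BaselineGpoName    = 'Baseline - VENDOR - Windows Server 20xx DC - rev N'  # revision + OS in the name
$CustomGpoName      = 'Custom - Domain Controllers - Overrides'
$AdmxSource         = 'C:\Baselines\Vendor-DC-Baseline\Templates'      # ADMX/ADML shipped with the baseline
$BackupRoot         = "C:\GPOBackups\$(Get-Date -Format 'yyyyMMdd-HHmm')"
$DefaultDcPolicy    = 'Default Domain Controllers Policy'

$Domain   = Get-ADDomain
$TargetOu = $Domain.DomainControllersContainer   # step 1: scope = the Domain Controllers OU

function Set-BaselineLink {
    # Link $Name to $Target at position $Order, creating the link if it does not exist.
    # GPMC link order 1 is processed last and therefore wins over higher numbers.
    param([string]$Name, [string]$Target, [int]$Order)
    $link = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $Name
    if ($link) { Set-GPLink -Name $Name -Target $Target -Order $Order | Out-Null }
    else       { New-GPLink -Name $Name -Target $Target -LinkEnabled Yes -Order $Order | Out-Null }
}

# Step 3: publish the baseline's administrative templates to the SYSVOL central store
$CentralStore = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies\PolicyDefinitions"
New-Item -ItemType Directory -Path $CentralStore -Force | Out-Null
Copy-Item -Path (Join-Path $AdmxSource '*') -Destination $CentralStore -Recurse -Force

# Steps 4-5: back up everything linked to the OU, and give any GPO that is also
# linked elsewhere a DC-only copy so later changes cannot affect other OUs
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
foreach ($link in (Get-GPInheritance -Target $TargetOu).GpoLinks) {
    Backup-GPO -Name $link.DisplayName -Path $BackupRoot -Comment 'Pre-baseline backup' | Out-Null
    $linkCount = @(([xml](Get-GPOReport -Name $link.DisplayName -ReportType Xml)).GPO.LinksTo).Count
    if ($linkCount -gt 1 -and $link.DisplayName -ne $DefaultDcPolicy) {
        $copyName = "$($link.DisplayName) - DC only"
        Copy-GPO -SourceName $link.DisplayName -TargetName $copyName | Out-Null
        Set-BaselineLink -Name $copyName -Target $TargetOu -Order $link.Order
        Remove-GPLink -Name $link.DisplayName -Target $TargetOu | Out-Null
    }
}

# Steps 6-7 need human judgement; export the default policy's report for that review
Get-GPOReport -Name $DefaultDcPolicy -ReportType Xml -Path (Join-Path $BackupRoot 'default-dc-before.xml')

# Step 8: push the Default Domain Controllers Policy to the bottom of the link order
$linkTotal = @((Get-GPInheritance -Target $TargetOu).GpoLinks).Count
Set-BaselineLink -Name $DefaultDcPolicy -Target $TargetOu -Order $linkTotal

# Step 9: reset the default policy to its out-of-box settings (prompts for confirmation)
& dcgpofix.exe /target:DC

# Steps 12-13: import the vendor baseline into its own, versioned GPO
Import-GPO -BackupGpoName $BaselineBackupName -Path $BaselineBackupPath `
           -TargetName $BaselineGpoName -CreateIfNeeded | Out-Null

# Step 10: export the baseline for Policy Analyzer / a GPO comparison tool
Get-GPOReport -Name $BaselineGpoName -ReportType Xml -Path (Join-Path $BackupRoot 'baseline.xml')

# Step 11: organization-specific overrides live in their own GPO
if (-not (Get-GPO -Name $CustomGpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $CustomGpoName -Comment 'Only settings that must differ from the baseline' | Out-Null
}

# Step 14: final order: overrides (1) > baseline (2) > ... > default policy (last)
Set-BaselineLink -Name $CustomGpoName   -Target $TargetOu -Order 1
Set-BaselineLink -Name $BaselineGpoName -Target $TargetOu -Order 2
$linkTotal = @((Get-GPInheritance -Target $TargetOu).GpoLinks).Count
Set-BaselineLink -Name $DefaultDcPolicy -Target $TargetOu -Order $linkTotal

# Step 15: refresh and verify on every DC
foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-GPUpdate -Computer $dc.HostName -Force -RandomDelayInMinutes 0
    & gpresult.exe /s $dc.HostName /scope computer /r
}
```

In GPMC a link order of 1 is applied last and wins, so the override GPO sits at 1, the versioned baseline at 2 and the reset Default Domain Controllers Policy at the bottom; that ordering is what the step list describes with “higher” and “lower” link order.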
Iterate this process every 6 months. Keep up to date with revisions of baselines from the source authority. Implement controls for new operating system versions. Evaluate the target systems’ compliance against the baseline. This regular review cycle should align with your organization’s patch management strategy to ensure security vulnerabilities are addressed promptly.
This process will be different when choosing to apply baselines to member servers and workstations. For example, perhaps workstations are enrolled in Microsoft Intune and baselines will be applied from there. Remember that Microsoft Intune is an entirely separate policy enforcement mechanism from Group Policy, but it offers similar capabilities to protect data security – especially in a cloud environment.
Best Practices
Implement security baselines in a test environment first. Pay close attention to the settings that source authorities define in DC baselines, since those carry the greatest risk of operational impact. Incorporate vulnerability management practices by testing how security baseline changes interact with existing applications before rolling them out broadly. The following settings defined in security baselines are commonly found to cause compatibility issues due to technical debt or misconfiguration on endpoints:
- LSA protection is enabled
  - Path: Computer Configuration\Policies\Administrative Templates\MS Security Guide
  - Setting: LSA Protection
- Kerberos encryption types are restricted to AES keys only
  - Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
  - Setting: Network security: Configure encryption types allowed for Kerberos
- NTLM v1 is disabled
  - Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
  - Setting: Network security: LAN Manager authentication level
- SMB v1 is disabled
  - Path: Computer Configuration\Policies\Administrative Templates\MS Security Guide
  - Setting: Configure SMB v1 server
- SYSVOL and NetLogon access is restricted (SMB version limiting)
  - Path: Computer Configuration\Policies\Administrative Templates\Network\Network Provider
  - Setting: Hardened UNC Paths
- LDAP signing is required
  - Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
  - Setting: Domain Controller: LDAP server signing requirements
- LDAP channel binding is required
  - Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
  - Setting: Domain Controller: LDAP server channel binding token requirements
- Windows Firewall is enabled for all profiles
  - Path: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security
  - Setting: Windows Defender Firewall with Advanced Security
The baseline values of the settings listed above have varying degrees of impact. Many of them can be audited for impact before they are enforced. Ensure appropriate auditing and logging is configured so the relevant events are captured; that is what makes it possible to spot operational issues caused by technical debt and endpoint misconfiguration before the setting is enforced.
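A readiness check for the settings listed above, as an added example that is not from the article or any baseline vendor. It is assumed to run elevated on a domain controller and to look back seven days; the registry value names and event IDs are the documented ones for each control. The audit-mode event counts are only meaningful once the corresponding audit setting (LSA AuditLevel, NTLM auditing, the “16 LDAP Interface Events” diagnostics level) has been turned on, which is why the script reports those settings alongside the counts.

```powershell
# Added example (not from the article or any baseline vendor). Assumed to run
# elevated on a domain controller; reports current state plus recent audit events
# for the settings listed above, so impact can be judged before the baseline is linked.
function Get-RegValue {
    # Registry value, or $null when the key or value does not exist (no exception)
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-AuditEventCount {
    # Count of the given event IDs in a log since $Since; 0 when the log is empty or missing
    param([string]$LogName, [int[]]$Id, [datetime]$Since)
    $filter = @{ LogName = $LogName; Id = $Id; StartTime = $Since }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue).Count
}

function Get-BaselineReadiness {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $kerb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $unc  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    $r = [ordered]@{}

    # LSA protection: RunAsPPL 1 = enforced. AuditLevel 8 logs plug-ins that would be
    # blocked as CodeIntegrity events 3033/3063 without enforcing: the pre-rollout test.
    $r['LSA RunAsPPL']                      = Get-RegValue $lsa 'RunAsPPL'
    $r['LSA AuditLevel']                    = Get-RegValue $lsa 'AuditLevel'
    $r['LSA audit hits 3033/3063']          = Get-AuditEventCount 'Microsoft-Windows-CodeIntegrity/Operational' 3033,3063 $since

    # Kerberos: SupportedEncryptionTypes bitmask; 0x18 = AES128+AES256 only, bit 0x4 keeps RC4
    $ske = Get-RegValue $kerb 'SupportedEncryptionTypes'
    $r['Kerberos SupportedEncryptionTypes'] = if ($null -ne $ske) { '0x{0:X}' -f $ske } else { 'not set (OS default)' }

    # NTLM: LmCompatibilityLevel 5 = NTLMv2 only. With "Audit NTLM authentication in this
    # domain" enabled, each NTLM validation the DC performs is logged as event 8004.
    $r['LmCompatibilityLevel']              = Get-RegValue $lsa 'LmCompatibilityLevel'
    $r['NTLM audit events 8004']            = Get-AuditEventCount 'Microsoft-Windows-NTLM/Operational' 8004 $since

    # SMB1 server component
    $r['SMB1 server enabled']               = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Hardened UNC paths: values named like \\*\SYSVOL holding RequireMutualAuthentication etc.
    $hp = Get-ItemProperty -Path $unc -ErrorAction SilentlyContinue
    $r['Hardened UNC paths'] = if ($hp) {
        ($hp.PSObject.Properties | Where-Object Name -like '\\*' |
            ForEach-Object { "$($_.Name) -> $($_.Value)" }) -join '; '
    } else { 'none' }

    # LDAP signing: LDAPServerIntegrity 2 = require. With "16 LDAP Interface Events" set to 2,
    # each unsigned SASL bind or cleartext simple bind is logged as Directory Service event 2889.
    $r['LDAP Interface Events diag level']  = Get-RegValue $diag '16 LDAP Interface Events'
    $r['LDAPServerIntegrity']               = Get-RegValue $ntds 'LDAPServerIntegrity'
    $r['Unsigned LDAP binds 2889']          = Get-AuditEventCount 'Directory Service' 2889 $since

    # Channel binding: LdapEnforceChannelBinding 2 = always, 1 = when supported; failed
    # channel binding token validations surface as Directory Service event 3039.
    $r['LdapEnforceChannelBinding']         = Get-RegValue $ntds 'LdapEnforceChannelBinding'
    $r['CBT validation failures 3039']      = Get-AuditEventCount 'Directory Service' 3039 $since

    # Windows Firewall state per profile
    $r['Firewall profiles']                 = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join '; '

    [pscustomobject]$r
}

Get-BaselineReadiness | Format-List
```

A non-zero count next to a control that is not yet enforced is the signal to chase down the client before the baseline GPO is linked; a zero count with the audit setting still off means nothing has been measured yet, not that the change is safe.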
It’s very important to include the revision and operating system version in the name of the policy for the security baseline being implemented. This is so that there’s a point of reference when comparing new revisions of a security baseline, which helps prevent confusion and guessing if the organization is running the most up-to-date baseline. Use a Windows Management Instrumentation (WMI) filter on the baseline GPOs when necessary to ensure the baseline is being applied to the correct operating system.
Do not modify the security baselines as they are provided by the vendor. Any settings that must be modified should be done with a custom GPO that has a higher link order than the baseline GPO and should contain only the settings that must be different. This will make replacing security baselines with new revisions significantly easier and faster and ensures that core security principles are maintained while accommodating organization-specific needs.
Stick to one trusted source of authority. There are typically very few differences in the settings that are defined between the sources of authority, but one of the major differences is that CIS goes beyond what Microsoft provides, meaning there are settings that CIS provides that Microsoft does not. Each security measure should be evaluated based on its impact on your environment and the sensitive information you’re trying to protect.
Conclusion
By adhering to these guidelines, organizations can streamline the process of applying and maintaining security baselines, ensuring that systems are fortified against threats while remaining compliant with industry standards. Consistent application of these baselines not only shields the infrastructure from potential breaches but also promotes operational efficiency and reliability. Remember, the path to a secure environment is a continuous journey, requiring diligence and regular updates to stay ahead of cybersecurity challenges.
Ravenswood Technology Group can help in implementing security baselines. Reach out to us to inquire how we can help!