Microsoft Security Baseline contains recommended settings Microsoft suggests for Windows workstations and servers to provide secure configuration and protect domain controllers, servers, computers, and users.
Microsoft has developed reference Group Policy Objects and templates based on the Security Baselines. Administrators can apply them in their AD domains. The security settings in the Microsoft Security Baseline GPO enable administrators to protect Windows infrastructure in accordance with the latest global security best practices.
In this context, we shall look into how to harden Windows Using Microsoft Security Baseline.
Hardening Windows Using Microsoft Security Baseline
Today, let us see how to implement Microsoft Security Baseline GPOs in our domain.
We can use security baselines to:
1. Firstly, ensure that user and device configuration settings are compliant with the baseline.
2. Secondly, set configuration settings. For example, we can use Group Policy, Microsoft Endpoint Configuration Manager or Microsoft Intune to configure a device with the setting values specified in the baseline.
Reference Microsoft Security Baseline Group Policies are a part of Microsoft Security Compliance Manager (SCM). SCM is a free product that contains multiple tools to analyze, test and apply the best practices and current security recommendations for Windows and other Microsoft products.
Microsoft Security Compliance Toolkit is available following this link: https://www.microsoft.com/en-us/download/details.aspx?id=55319
We can download these tools:
i. LGPO is used to manage local GPO settings.
ii. PolicyAnalyzer is a tool to analyze existing Group Policies and compare them with the reference policies in the Security Baseline.
The Security Baseline archive for each Windows version contains several folders:
i. Documentation contains XLSX and PDF files with the detailed description of the settings applied in the Security Baseline.
ii. GP Reports has HTML reports with the GPO settings to be applied.
iii. GPOs – contains GPO objects for different scenarios. We can import the policies to our Group Policy Management (GPMC) console.
iv. Scripts contains PowerShell scripts to easily import GPO settings to domain or local policies: Baseline-ADImport.ps1, Baseline-LocalInstall.ps1, Remove-EPBaselineSettings.ps1, MapGuidsToGpoNames.ps1.
v. Templates – additional ADMX/ADML GPO templates (for example, AdmPwd.admx contains local password management settings for LAPS, MSS-legacy.admx, SecGuide.admx).
There are GPO Security Baseline templates for different Windows infrastructure elements:
Policies for computers, users, domain servers, domain controllers (there is a separate policy for virtual DCs), as well as Internet Explorer, BitLocker, Credential Guard and Windows Defender Antivirus settings. Configured Group Policies for various scenarios are located in the GPOs folder.
Note that there is a separate Security Baseline set for each Windows Server version or Windows 10 build.
In order to, extract the archive with the Security Baseline version matching our Windows version and open the Group Policy Management (gpmc.msc) console.
1. Firstly, copy ADMX templates to the SYSVOL PolicyDefinitions folder (GPO Central Store) on our DC.
2. Then, create a new GPO with the name Windows 10 2004 Security Baseline.
3. Next, right-click the GPO and select Import Settings.
4. Then, specify a path to the Security Baseline file for our Windows version as a Backup Location.
5. Next, import a policy with the computer settings. Select MSFT Windows 10 2004 – Computer (using the View Settings button, we can view the policy settings in the form of a gpresult report).
6. Then, we are prompted to select how to migrate reference links to security objects and UNC paths. Since the policy is new, select Copying them identically from the source.
7. Then, the reference Security Baseline policy settings for computers running Windows 10 2004 will be imported to our GPO.
To apply the Group Policy object only to computers running the specific Windows build, use GPO WMI filters. For example, for Windows 10 2004, we can use the following WMI filter:
Select Version,ProductType from Win32_OperatingSystem WHERE Version LIKE “10.0.19041%” and ProductType = “1”
Then, apply the filter to our policy and link the policy to the Organizational Unit we need.
In the same way, we can import Security Baselines for users, domain controllers, domain member servers, etc.
Security Baseline contains dozens or even hundreds of settings. Let us see a few security settings:
i. Firstly, managing the program start and installation rules: AppLocker (Software Restriction Policies), UAC and Windows Installer
ii. Then, domain password and account lockout policies
iii. Next, privileged account restrictions
iv. Next, snonymous access restrictions
v. Then, audit policy settings to get information about all events and user logon history
vi. LSA memory protection
vii. Access to peripherals (including printer and USB installation policies)
viii. Disabling NetBIOS and NTLM protocols
ix. Settings of Remote Assistance, shadow connections, RDS timeouts, CredSSP Oracle Remediation
x. PowerShell Execution Policy
xi. Then, configuration of Windows Error Reporting
xii. Management of Windows Firewall rules
xiii. WinRM settings
xiv. Disabling the built-in administrator account
xv. Hardened UNC paths policy
xvi. Finally, disabling SMBv1
If we want to protect our home computer running Windows 10, we can apply Security Baseline settings on it using a ready PowerShell script.
Allow unsigned scripts to run:
Set-ExecutionPolicy -Scope Process Unrestricted
Apply the policy:
Usually, microsoft Security Baseline settings can enhance the security of our Windows infrastructure and help to make sure that the same settings are applied to all computers (including new ones) on our network.