Bobcares

Hardening Windows Using Microsoft Security Baseline

by | May 3, 2021

Wondering how to do ‘Hardening Windows Using Microsoft Security Baseline’? We can help you with it.

Microsoft Security Baseline contains recommended settings Microsoft suggests for Windows workstations and servers to provide secure configuration and protect domain controllers, servers, computers and users.

As part of our Server Management Services, we assist our customers with several Windows queries.

Today, let us see how our Support techs harden Windows Using Microsoft Security Baseline.

 

Hardening Windows Using Microsoft Security Baseline

 

Today, let us see how to implement Microsoft Security Baseline GPOs in our domain.

We can use security baselines to:

  •  Firstly, ensure that user and device configuration settings are compliant with the baseline.
  • Secondly, set configuration settings. For example, we can use Group Policy, Microsoft Endpoint Configuration Manager or Microsoft Intune to configure a device with the setting values specified in the baseline.

Reference Microsoft Security Baseline Group Policies are a part of Microsoft Security Compliance Manager (SCM). SCM is a free product that contains multiple tools to analyze, test and apply the best practices and current security recommendations for Windows and other Microsoft products.

Microsoft Security Compliance Toolkit is available following this link: https://www.microsoft.com/en-us/download/details.aspx?id=55319

We can download these tools:

  • LGPO is used to manage local GPO settings.
  •  PolicyAnalyzer is a tool to analyze existing Group Policies and compare them with the reference policies in the Security Baseline.
  •  SetObjectSecurity

The Security Baseline archive for each Windows version contains several folders:

  •  Documentation contains XLSX and PDF files with the detailed description of the settings applied in the Security Baseline.
  •  GP Reports has HTML reports with the GPO settings to be applied.
  •  GPOs – contains GPO objects for different scenarios. We can import the policies to our Group Policy Management (GPMC) console.
  •  Scripts contains PowerShell scripts to easily import GPO settings to domain or local policies: Baseline-ADImport.ps1, Baseline-LocalInstall.ps1, Remove-EPBaselineSettings.ps1, MapGuidsToGpoNames.ps1.
  •  Templates – additional ADMX/ADML GPO templates (for example, AdmPwd.admx contains local password management settings for LAPS, MSS-legacy.admx, SecGuide.admx)

 

There are GPO Security Baseline templates for different Windows infrastructure elements:

Policies for computers, users, domain servers, domain controllers (there is a separate policy for virtual DCs), as well as Internet Explorer, BitLocker, Credential Guard and Windows Defender Antivirus settings. Configured Group Policies for various scenarios are located in the GPOs folder.

Note that there is a separate Security Baseline set for each Windows Server version or Windows 10 build.

In order to, extract the archive with the Security Baseline version matching our Windows version and open the Group Policy Management (gpmc.msc) console.

1. Firstly, copy ADMX templates to the SYSVOL PolicyDefinitions folder (GPO Central Store) on our DC.
2. Then, create a new GPO with the name Windows 10 2004 Security Baseline.
3. Next, right-click the GPO and select Import Settings.
4. Then, specify a path to the Security Baseline file for our Windows version as a Backup Location.
5. Next, import a policy with the computer settings. Select MSFT Windows 10 2004 – Computer (using the View Settings button, we can view the policy settings in the form of a gpresult report).
6. Then, we are prompted to select how to migrate reference links to security objects and UNC paths. Since the policy is new, select Copying them identically from the source.
7. Then, the reference Security Baseline policy settings for computers running Windows 10 2004 will be imported to our GPO.

To apply the Group Policy object only to computers running the specific Windows build, use GPO WMI filters. For example, for Windows 10 2004, we can use the following WMI filter:

Select Version,ProductType from Win32_OperatingSystem WHERE Version LIKE “10.0.19041%” and ProductType = “1”

Then, apply the filter to our policy and link the policy to the Organizational Unit we need.

In the same way, we can import Security Baselines for users, domain controllers, domain member servers, etc.

Security Baseline contains dozens or even hundreds of settings. Let us see a few security settings:

  • Firstly, managing the program start and installation rules: AppLocker (Software Restriction Policies), UAC and Windows Installer
  •  Then, domain password and account lockout policies
  •  Next, privileged account restrictions
  •  Next, snonymous access restrictions
  •  Then, audit policy settings to get information about all events and user logon history
  •  LSA memory protection
  •  Access to peripherals (including printer and USB installation policies)
  •  Disabling NetBIOS and NTLM protocols
  •  Settings of Remote Assistance, shadow connections, RDS timeouts, CredSSP Oracle Remediation
  •  PowerShell Execution Policy
  •  Then, configuration of Windows Error Reporting
  •  Management of Windows Firewall rules
  •  WinRM settings
  •  Disabling the built-in administrator account
  •  Hardened UNC paths policy
  •  Finally, disabling SMBv1

If we want to protect our home computer running Windows 10, we can apply Security Baseline settings on it using a ready PowerShell script.

Allow unsigned scripts to run:

Set-ExecutionPolicy -Scope Process Unrestricted

Apply the policy:

Baseline-LocalInstall.ps1 -Win10NonDomainJoined

Usually, microsoft Security Baseline settings can enhance the security of our Windows infrastructure and help to make sure that the same settings are applied to all computers (including new ones) on our network.

 

[Need help to harden Nagios XI server? We’d be happy to assist]

Conclusion

In short, today we discussed about Hardening Windows Using Microsoft Security Baseline

Are you using Docker based apps?

There are proven ways to get even more out of your Docker containers! Let us help you.

Spend your time in growing business and we will take care of Docker Infrastructure for you.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF