Sunday, 21 January 2018

Windows Server 2012 Hardening (Part II)

Using the Security and Configuration Analysis

Microsoft provides security templates for Windows Server and client operating systems, containing security configuration designed for different scenarios and server roles. There are some security templates that are part of the operating system and get applied during different operations, such as when promoting a server to a domain controller.
In Windows Server 2008 and later versions, security templates are located in %systemroot%\inf and are more limited than in Windows Server 2003. Templates include:
  • Defltbase.inf (baseline)
  • Defltsv.inf (web/file/print servers)
  • DCfirst.inf (for the first domain controller in a domain)
  • Defltdc.inf (other domain controllers)
Basically, you should repeat the procedures already explained for Windows 7 with two different tools, but instead of loading the .inf from the STIG now you load one of the security templates shipped with Windows Server 2012.

Analyze the baseline template with the Policy Analyzer

Add the baseline template
image

Compare
image
Analyze the differences.
image
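
The comparison step above reduces to diffing two security-template .inf files. The Python script below is an added example, not part of the original post or of Microsoft's tooling: it parses two templates and lists every setting that differs. The template contents are constructed samples, and parse_template, load_template and diff_templates are names chosen here.

```python
import configparser

# Constructed sample templates; these are NOT the real contents of Defltbase.inf.
BASELINE = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
"""
HARDENED = (BASELINE.replace("MinimumPasswordLength = 0", "MinimumPasswordLength = 14")
            .replace("PasswordComplexity = 0", "PasswordComplexity = 1")
            .replace("AuditLogonEvents = 0", "AuditLogonEvents = 3")
            .replace("LmCompatibilityLevel=4,3", "LmCompatibilityLevel=4,5")
            + "[Privilege Rights]\nSeDebugPrivilege = *S-1-5-32-544\n")

METADATA = {"Unicode", "Version", "Profile Description"}  # header sections, not settings

def parse_template(text):
    """Parse security-template INF text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.read_string(text)  # keys are lower-cased by default; INF keys are case-insensitive
    return {s: {k: (v or "").strip() for k, v in cp.items(s)}
            for s in cp.sections() if s not in METADATA}

def load_template(path):
    """Read a template from disk; Windows usually writes these as UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return parse_template(raw.decode(enc))

def diff_templates(base, other):
    """List (section, key, base_value, other_value) for every setting that differs."""
    changes = []
    for section in sorted(set(base) | set(other)):
        b, o = base.get(section, {}), other.get(section, {})
        for key in sorted(set(b) | set(o)):
            if b.get(key) != o.get(key):
                changes.append((section, key, b.get(key), o.get(key)))
    return changes

if __name__ == "__main__":
    for section, key, old, new in diff_templates(parse_template(BASELINE), parse_template(HARDENED)):
        print(f"[{section}] {key}: {old!r} -> {new!r}")
```

A value of None on one side means the setting is absent from that template, which is worth reviewing before the template is applied with SCA.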

Apply the template with SCA

Load the baseline into SCA
image
Analyze and apply
image
Repeat the procedure using another of the templates, according to your needs and to the server role in your environment.

Using the Security Configuration Wizard

With the release of Windows Server 2003 Service Pack 1 (SP1), Windows Server started to include the Security Configuration Wizard, a tool aimed at analyzing the server’s profile and recommending changes to adjust the system’s security according to the server’s role. In Windows Server 2012, the Security Configuration Wizard is conveniently located in the new Server Manager dashboard.

Create a new policy with SCW

image
When starting the Security Configuration Wizard, the first step is to choose which action is going to be performed on the server’s security policy.
image
You then select the server that you want to apply the policy to.
image
In Windows Server 2012, the Security Configuration Wizard then parses the selected server and the information collected, and compares that with Microsoft’s security recommendations for that server profile (file, database, web, etc).
image
The Security Configuration Database contains information about server roles, client features, administration options, services, Windows Firewall, and other settings.
image
The results of the Security Configuration Wizard analysis, and its suggestions for amendments, will be adapted according to your specific needs.
image
Select additional services
image
How do you want to handle unspecified services?
image
Confirm changes
image
Next, you’ll have the chance to configure firewall policy, registry settings and audit policy or you can skip them. Once the Security Configuration Wizard has completed its analysis and recommendations, you can save and apply the policy.
image
Want to apply the policy immediately?
image

Convert the policy to a GPO

Since there is often more than one server in the profile that was analyzed by the wizard, it might be a good idea to create a Group Policy Object (GPO) to apply that policy to all servers with the same characteristics.
To do this, use Windows PowerShell and run the following command:
scwcmd transform /p:<FullFilePathToSecurityPolicy> /g:<GPOName>
image

When you run this command, the SCW will create a GPO folder for the newly created GPO in the SYSVOL folder and the GPO will be available in the GPMC for you to use.
image
This can result in a better standardization of the security policies applied to your environment, and make it easier for you to organize those policies as part of your overall server security strategy.

Edit a policy with SCW

If you feel the need to change your policy definitions, you can edit them with SCW.
image
Obviously, once the changes are complete you’ll have to reapply the policy.

Using the STIGs

Use the STIG Viewer and check the system’s compliance after applying the appropriate Microsoft security templates.
Don’t forget to also use the STIGs for SQL Server, Exchange, .NET, etc.

Windows Server 2012 Hardening (Part I)

Servers are the penultimate layer of security between potential threats and your organization’s data. Therefore, applying proper security policies specifically for each server profile is both important and necessary.
Common sense recommendations are to "stop all unnecessary services" or "turn off unused features". Fortunately, every new version of Windows Server is built to be more secure by default. That said, it is common to have several different roles assigned to a single server as well as multiple sets of file servers, web servers, database servers, etc. So, how can we guarantee that each of these servers, with their different characteristics, is configured in compliance with the best security practices?

Using the Security Compliance Manager

Using SCM in Windows Server is basically the same as using it on a workstation. The major difference is related to what you can do with your GPOs once you are done.
You cannot install SCM 4 on Windows Server 2012 just like that: you’ll probably get a warning from the Program Compatibility Assistant. This is a known issue when installing SQL Server 2008 Express, even on supported OSes.
Besides, Windows Server is not on the list of SCM 4 supported OSes…
image
To overcome this, install a newer version of SQL Server, like SQL Server 2014 Express, before installing SCM and everything will go smoothly.
The procedure will be exactly the same as what we did for Windows 10, but now we are going to do some extra steps.

Add a new setting to SCM

Select one of the Windows 2012 Baselines
image

Duplicate and save
image
Create a new setting group
image
Add setting and select the previously created group
image
Under Choose Settings, click the black arrow to the left of the red cross and select Computer Configuration from the drop-down menu.
A new menu will appear to the right. Set it to Administrative Templates. Set the following menus to Windows Components and Windows Installer respectively as shown in the figure below.
In the list of settings below the menus, select Prohibit non-administrators from applying vendor signed updates and click Add.
image
If you scroll down the list of settings in the template in the central pane of SCM, you should now see an ExtraSecurity group with the setting we added in the above steps.
image

Create a GPO based on a SCM template

In the right pane of SCM under Export, click GPO Backup (folder). Select or create a new folder within which to store the backup files and click OK. File Explorer will then open showing the exported Group Policy Object backup.
image
Now, using the Group Policy Management Console (GPMC), we can create a Group Policy Object from the backup we just made.
To start GPMC, open Server Manager and select Group Policy Management from the Tools menu.
In GPMC, expand your Active Directory (AD) forest and domain in the left pane. In the left pane of GPMC, right click Group Policy Objects and click New.
image
Name the new GPO and click OK. Right click the GPO you just created and select Import Settings… from the menu.
image
As there are no settings in our GPO, click Next on the Backup GPO screen. On the Backup location screen, click Browse and select the backup folder created using SCM. Click Next to continue.
image
On the Source GPO screen, select the desired GPO backup and click Next.
image
Wait a second while the wizard scans the backup, then click Next on the Scanning Backup screen.
image
If the GPO backup contains references to security principals and/or UNC paths, you will be shown the Migrating References screen.
image
If the GPO contains unique UNCs or security descriptors referencing names of servers or domains, you may need to use a migration table to map them to the new GPO.
If that is the case, choose “Using this migration table to map them in the destination GPO” and then click “New”.
In the Migration Table Editor window, click Tools and select Populate from Backup from the menu.
image
In the Select Backup dialog, make sure the backup location is set to the location of the GPO backup created in SCM, under Backed up GPOs select the GPO backup you created in SCM and then click OK.
image
In the Migration Table Editor window, you’ll see the security descriptors and UNC paths listed. If any of them will not work in the target domain, you can type the appropriate path or name in the Destination Name column.
image
In this example, I don’t need to make any changes as all the security descriptors listed will work in the target domain.
If you made any modifications to the table, select File and then Save from the menu to save the migration table to a location of your choice. Otherwise, close the Migration Table Editor window, and click No when prompted to save the table.
image
If you save a migration table that you need to use to map the references in the GPO backup for the target domain, click Browse on the Migrating References screen and select the migration table that you just saved.
image
If you don’t need to use a migration table, choose “Copying them identically from the source”.
One more screen and it’s done!
image
Check your settings:
image

Linux Hardening with OpenSCAP

The OpenSCAP project is a collection of open source tools for implementing and enforcing the SCAP (Security Content Automation Protocol) standard, and was awarded the SCAP 1.2 certification by NIST in 2014. The project provides tools that are free to use anywhere you like, for any purpose.
The OpenSCAP basic tools are:
  • OpenSCAP Base
    • Provides a command line tool which enables various SCAP capabilities such as displaying the information about specific security content, vulnerability and configuration scanning, or converting between different SCAP formats.
  • SCAP Workbench
    • User friendly graphical utility offering an easy way to tailor SCAP content to your needs, perform local or remote scans, and export results.

    Using OpenSCAP in Ubuntu

    At the time of writing this guide, there was no package available to install OpenSCAP Workbench in Ubuntu. However, it’s possible to use OpenSCAP Base without the GUI, or run a remote scan from another machine running Windows or another Linux distribution.

    Installing OpenSCAP

    Install SSH
    sudo apt-get install openssh-server
    Install OpenSCAP Base:
    sudo apt-get install libopenscap8
    Get the OVAL file:
    wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml

    Running OpenSCAP

    This is an example usage of the basic command:
    oscap oval eval --results /tmp/results-xenial.xml --report /tmp/report-xenial.html com.ubuntu.xenial.cve.oval.xml
    You can get a full list of options here.
    To see the results:
    firefox /tmp/report-xenial.html
    image
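
The HTML report is meant for reading; the file written by --results can be checked by a script. The Python script below is an added example, not part of the original post or of the OpenSCAP project: it reads an OVAL results document and separates definitions that evaluated to true (affected) from those that could not be evaluated. The sample XML, its definition ids and its titles are constructed placeholders, and summarize is a name chosen here.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"r": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample in the layout of an OVAL results file; ids and titles are placeholders.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
 <definition id="oval:example:def:1" class="vulnerability" version="1">
  <metadata><title>PLACEHOLDER-CVE-A in package foo</title></metadata></definition>
 <definition id="oval:example:def:2" class="vulnerability" version="1">
  <metadata><title>PLACEHOLDER-CVE-B in package bar</title></metadata></definition>
 <definition id="oval:example:def:3" class="vulnerability" version="1">
  <metadata><title>PLACEHOLDER-CVE-C in package baz</title></metadata></definition>
</definitions></oval_definitions>
<results><system><definitions>
 <definition definition_id="oval:example:def:1" result="true" version="1"/>
 <definition definition_id="oval:example:def:2" result="false" version="1"/>
 <definition definition_id="oval:example:def:3" result="error" version="1"/>
</definitions></system></results>
</oval_results>"""

def summarize(xml_data):
    """Return (counts, vulnerable, unchecked) for class="vulnerability" definitions."""
    root = ET.fromstring(xml_data)
    titles = {d.get("id"): d.findtext("d:metadata/d:title", "", NS)
              for d in root.iterfind("d:oval_definitions/d:definitions/d:definition", NS)
              if d.get("class") == "vulnerability"}
    counts, vulnerable, unchecked = Counter(), [], []
    for res in root.iterfind("r:results/r:system/r:definitions/r:definition", NS):
        def_id, result = res.get("definition_id"), res.get("result")
        if def_id not in titles:
            continue
        counts[result] += 1
        if result == "true":  # for a vulnerability definition, "true" means affected
            vulnerable.append((def_id, titles[def_id]))
        elif result not in ("false", "not applicable"):
            unchecked.append((def_id, result))  # error / unknown / not evaluated
    return counts, vulnerable, unchecked

if __name__ == "__main__":
    # Real run: summarize(open("/tmp/results-xenial.xml", "rb").read())
    counts, vulnerable, unchecked = summarize(SAMPLE)
    print(dict(counts))
    for def_id, title in vulnerable:
        print("VULNERABLE ", def_id, title)
    for def_id, result in unchecked:
        print("NOT CHECKED", def_id, result)
```

Definitions that end in error or unknown are reported separately because they are not clean passes; they need a manual look before the host is considered patched.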

    Using OpenSCAP in Fedora 25

    In Fedora, you can install not only the scanner but also the GUI.

    Installing OpenSCAP

    Install OpenSCAP Base using DNF:
    dnf install openscap-scanner
    Install SCAP Workbench:
    dnf install scap-workbench

    Running OpenSCAP

    To run the app under Fedora type:
    sudo scap-workbench
    Or use the GUI:
    image
    SCAP Security Guide:
    image

    Run a local scan choosing the General-Purpose compliance tests:
    image

    Initial results:
    image

    The report:
    image

    Explanation for one of the vulnerabilities:
    image

    Group by…
    image


    One of OpenSCAP’s best features is the ability to automatically fix some of the vulnerabilities discovered.
    Try running a scan choosing the option to Remediate:
    image

    The overall score didn’t improve but some of the medium and low severity flaws were automatically corrected after the scan:
    image

    Customize a scan. Start with a small and simple one:
    image

    Rename it:
    image

    Add some additional scans:
    image


    Start:
    image

    You’ll get new results according to your customized request:
    image

    Using OpenSCAP in CentOS 7

    In this OS the procedures are almost exactly the same as for Fedora.

    Installing OpenSCAP

    Install OpenSCAP Base using Yum:
    yum install openscap-scanner
    Install SCAP Workbench:
    yum install scap-workbench

    Running OpenSCAP

    To run the application under CentOS type:
    sudo scap-workbench
    Or use the GUI:
    image

    SCAP Security Guide:
    image


    Run a local scan choosing the Common Profile compliance tests. Choose the option to Fetch Remote Resources.
    image

    Notice the availability of several STIGs and other compliance standards.
    These are the results:
    image

    Now run the same scan but choose to Remediate. This is the new report:
    image

    You’ll get the same overall score but the vast majority of flaws were corrected.

    Using OpenSCAP in Windows

    You cannot run a scan on a Windows machine because there is no OpenSCAP Base scanner available for this OS. However, you can install OpenSCAP Workbench and use it to remotely scan Linux machines.

    Installing OpenSCAP

    Download and install the workbench application:
    https://www.open-scap.org/tools/scap-workbench/download-win32
    image
    Download the SCAP Security Guide:
    https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.31/scap-security-guide-0.1.31-oval-5.10.zip
    Extract all files to any directory:
    image
    Copy all the .xml files to the SCAP Workbench installation directory, replacing the existing ones.
    image

    Running OpenSCAP

    Now you can run a remote scan of an Ubuntu machine.
    image
    Results:
    image

    Try to Remediate remotely:
    image

    Not very good, but it works!

    Conclusion:

    OpenSCAP is a wonderful tool but while SCAP Benchmarks are really useful and a time saver when they can be used, they're not a magic solution. Most SCAP Benchmarks do not cover all of the checks found in the matching STIG Manual review. Some of these are things that cannot be automated. So, at the very best, SCAP Benchmarks will only cover a certain percentage of the STIG Manual Review checks.