Microsoft System Center 2012 R2 Compliance Management Cookbook

Creating a compliance baseline using GPO to ensure system security

This recipe provides an introduction to basic compliance, focusing on small businesses.

Getting ready

You should read the previous two recipes, Preparing for the creation of a compliance baseline and Installing Security Compliance Manager, before starting this one.

How to do it...

Research the subject by doing one or more of the following things:

  • Research the settings available in group policies, including the product-specific ones you can download. Understand the settings and the risk they mitigate. Information for most group policies is available on the Internet, or you can even use Security Compliance Manager itself as it shows policy information. Additionally, there are tools that help you create your own policies for application and system settings.
  • Based on your organizational requirements, corporate policies, and compliance standards, along with any regulatory requirements, define your compliance baselines and determine which OUs the baselines should target.

To create a compliance baseline, perform the following steps:

  1. Open Security Compliance Manager. If updates for compliance baselines are available, an update window, similar to the one shown in the following screenshot, will appear; select all the baselines you require:
    How to do it...
  2. In the next window, agree to add all the baselines you downloaded, and click on Next.
  3. Click on Import to make all baselines available in Security Compliance Manager. Have a look at the following screenshot:
    How to do it...

As shown in the following diagram, there are three areas within Security Compliance Manager Console:

How to do it...

The following table provides information on the functions of those three areas:

The most important features of Security Compliance Manager are as follows:

  • Creation of new GPO-based baselines
  • Creation of baselines based on an existing one (copy of an existing baseline)
  • Checking (and optionally merging) an existing GPO against an industry best-practice
  • Exporting created baselines for use in other tools
  • Testing created baselines against Active Directory

The easiest way to create a compliance baseline is as shown in the following screenshot:

How to do it...

As discussed in the preface, managing access to your systems is essential for a successful compliance program. Access management is part of several regulatory requirements, such as privacy laws, PCI DSS, and SOX. As usernames and passwords are one of the easiest access controls to implement, we will start our compliance program with a simple control to ensure adherence to a password policy.

  1. Within Security Compliance Manager, go to Microsoft Baselines and open, for example, the Windows 8.1 folder. There are several compliance baselines available depending on which kind of settings/configuration/rights you want to customize. As we want to create a password policy, we have to select the Domain Security Computer policy. Have a look at the following screenshot:
    How to do it...
  2. From the Actions menu, select Duplicate. Click on the Baseline Name field, enter a name for your custom baseline, for example HuDCloud Domain Security Compliance, and then click on Save. This will create a copy of the baseline.
  3. The custom baseline you created should launch automatically; it is displayed in the console under Custom Baselines.
  4. Click on this baseline. In the work area, you will find all settings that are available within it.

    The first column displays the name of each settings group; under each settings group is the name of each individual setting. The remaining columns are as follows:

    • The Default column shows the default value of the setting.
    • The Microsoft column shows the Microsoft-recommended setting.
    • The Customized column shows the value of the setting if it has been modified.
    • The Severity column provides a severity level for this setting with regard to securing your environment. The following table gives a brief description of the severity levels:

    You can change the severity level on custom baselines. When designing a custom baseline, be careful not to change the severity level unless there is a clearly documented reason; otherwise, when reviewing a baseline, a critical setting could be overlooked.

  5. Each baseline comes with relevant information about its settings. To access this information, select a baseline in the Baseline Library menu, and then navigate to Attachments | Guides. For example, for Windows 8.1, you can access the Windows 8.1 Security Guide.docx as shown in the following screenshot:
    How to do it...
  6. To create your password policy baseline, you must configure the settings values based on your security and compliance requirements. As shown in the next screenshot, make the following changes:
    1. Navigate to Custom Baselines and then open the HuDCloud Domain Security Compliance baseline.
    2. In the work area, select (for example) Minimum password length and, in the Customize setting value field, enter your required value. Each value that you customize is shown in bold characters afterwards:
    How to do it...
  7. When designing security and compliance baselines, it is paramount for success that you understand each setting in detail. It is best not to make an educated guess, as detailed settings information is just a click away. To access this information, click on Setting Details. A small example of the details available for the password complexity setting is as follows:
    • The meaning of minimum password length and full information about the minimum complexity requirements, such as uppercase and lowercase characters and digits.
    • The kind of vulnerability this setting eliminates or mitigates.
    • The impact that this setting has. The part of the detailed information that aligns with this chapter is that, if you enable the password complexity setting, helpdesk requests may increase, as more accounts than usual will be locked out. Earlier in the chapter, we mentioned the need to involve management in the creation of compliance baselines; for this setting, involving management allows a strategy to be agreed on for helping users create and remember more complex passwords before the policy is deployed.
    • Countermeasure details; this advises on mitigating risk and may suggest combining a setting with other settings to achieve compliance and/or enhanced security. Have a look at the following screenshot:
    How to do it...
  8. After you are satisfied with your changes, you need to export the customized baseline. To do this, go to the Actions/Tools menu and, under the Export section, click on GPO_Backup (folder). The Browse for folder dialog will open; select the folder that you want to export your GPO to. After the export, a folder with the exported GPO will open containing the backup.

You are now ready to enforce your first compliance baseline based on GPO settings.
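The following PowerShell script is an added example and is not part of the book. It shows the scripted equivalent of what the recipe does in the console: import the exported GPO backup into a test domain, link it, and then check that the password policy the domain actually enforces matches the custom baseline. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the backup was exported to C:\SCMExport under the name HuDCloud Domain Security Compliance, and the expected values in $Expected are the ones set in your baseline (all of these are assumptions for the example). One caveat worth knowing: the password and lockout settings for domain accounts are only read from GPOs linked at the domain root, so linking this baseline to an OU would only change the policy for local accounts on the computers in that OU.

```powershell
# Added example (not from the book): import the SCM GPO backup into a lab
# domain, link it at the domain root and verify the effective password policy.
# Assumptions: RSAT GroupPolicy and ActiveDirectory modules are installed, the
# backup sits in C:\SCMExport and is named 'HuDCloud Domain Security Compliance'.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BackupPath = 'C:\SCMExport'
$GpoName    = 'HuDCloud Domain Security Compliance'
$DomainDN   = (Get-ADDomain).DistinguishedName

# Values that were customized in the baseline (assumed values for this example).
$Expected = @{
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    ComplexityEnabled    = $true
    LockoutThreshold     = 10
}

# 1. Import the exported backup as a GPO, creating it if it does not exist yet.
Import-GPO -BackupGpoName $GpoName -Path $BackupPath -TargetName $GpoName -CreateIfNeeded | Out-Null

# 2. Account Policies for domain accounts are only honoured from GPOs linked at
#    the domain root; a link on an OU would affect local accounts only.
$linked = (Get-GPInheritance -Target $DomainDN).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes -Enforced No | Out-Null
}

# 3. Compare what the domain enforces now against the baseline values.
function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory)][hashtable]$Expected)
    # Reads the policy attributes the PDC emulator wrote after applying group policy.
    $actual = Get-ADDefaultDomainPasswordPolicy
    foreach ($key in $Expected.Keys) {
        [pscustomobject]@{
            Setting   = $key
            Expected  = $Expected[$key]
            Actual    = $actual.$key
            Compliant = ($actual.$key -eq $Expected[$key])
        }
    }
}

Test-DomainPasswordPolicy -Expected $Expected | Format-Table -AutoSize
```

The comparison only reflects the new GPO once the PDC emulator has processed it; run gpupdate /force on that domain controller or wait for the domain controller policy refresh (5 minutes by default) before trusting a Compliant = False row.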

How it works...

Creating a new compliance baseline is made easy by Microsoft, who have compiled and provide information based on established standards for GPOs. These standards include severity levels and recommended setting values for the most common computer, user, and application settings. Each baseline contains detailed information on each setting, which is valuable help when customizing it based on company requirements.

Note

Use the information provided in the baseline as a starting point. Even though established standards are provided, careful considerations have to be made when selecting settings. What works in one company may not work in another company. In addition, some of the settings may not be up-to-date with the latest research on recommended configuration.

There's more…

As mentioned before, Security Compliance Manager offers more functionality. Some useful functions are discussed in the next sections.

Auditing or checking your existing GPO policies against established standards

If you already have a GPO policy within your company, there is an option to check your policy against the industry best practice as shown in the baselines provided by Microsoft. The following steps show you how to do this and assume you have access to, and are familiar with, Group Policy Management Console (GPMC):

  1. Open Group Policy Management Console, navigate to your domain, and then expand the tree until you see the GPO that you want to compare with.
  2. Right-click on your GPO and then select Back up, as shown in the following screenshot:
    Auditing or checking your existing GPO policies against established standards
  3. Enter a backup folder and then click on OK.
  4. Copy the GPO export created to the system where Security Compliance Manager is installed.
  5. Open Security Compliance Manager Console and, in the Action/Tools menu under Import, choose GPO_Backup (folder). In the new window, go to the folder you copied your company GPO to and import it. The GPO Name dialog opens and the GPO name is displayed by default. If required, you can change the name by clicking on the Baseline Name field and entering an alternative name. To accept the default name or a modified name, click on OK.
  6. The SCM Log dialog opens displaying the status of the import. Click on OK to close the dialog. The imported baseline is now listed under the GPO Imports section under Custom Baselines.
  7. In the Baseline Library menu, select a custom baseline; here we will select the previously created baseline HuDCloud Domain Security Compliance. If you do not have one, create it before proceeding. Your existing GPO will be compared against this baseline (and optionally merged with it), so the baseline you choose should contain all your changes.
  8. In the Action/Tools menu, select Compare/Merge:
    Auditing or checking your existing GPO policies against established standards
  9. A new window opens asking you for the GPO policy that the Security Compliance Manager should compare against. Choose your company baseline. Have a look at the following screenshot:
    Auditing or checking your existing GPO policies against established standards
  10. As shown in the preceding screenshot, a summary is displayed with the number of matching and differing settings. Click on Close to finish your review. Have a look at the following screenshot:
    Auditing or checking your existing GPO policies against established standards

    Tip

    Optionally, notice the Merge Baselines button; this feature allows you to merge two baselines. You may want to merge two similar custom baselines to reduce management complexity during a department merger.

  11. In case you want to merge two baselines, click on the Merge Baselines button to start the process. In the new window, you have to decide which setting to use for each setting that differs between your two policies. Check the radio button beside each value, and click on the OK button. This will start the merge process:
    Auditing or checking your existing GPO policies against established standards
  12. The Export to Excel button will create a useful spreadsheet; this contains the following four worksheets:
    • Differences
    • Matches
    • Settings only in A
    • Settings only in B
  13. This spreadsheet is useful to share information with auditors or managers, to anyone who does not have access to the Security Compliance Manager console, or to record information at a point in time.
  14. After the merge, you will be able to export the compliance baseline based on the GPO and import it into your Active Directory. Please see the next recipe for the process.

    Note

    When designing and importing baselines in SCM, it is important to know that not all GPO settings are supported; for example, group policy preferences are not supported. To find out more about what is, and is not, supported, you can review the SCM FAQs; these can be viewed at http://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx#Q_What_setting_types_are_not_supported_i.
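The following script is an added example, not part of the book, and gives a scripted alternative to the GPMC backup (steps 2 and 3) and to the Compare/Merge review above. It backs up a production GPO so the folder can be copied to the SCM host and imported, then diffs the Account Policies of two GPOs directly from their XML reports, grouping the results the same way as the four worksheets of the Export to Excel output. It assumes the RSAT GroupPolicy module is installed and that the GPOs Default Domain Policy and HuDCloud Domain Security Compliance exist in the domain; the report element names (Account, Name, SettingNumber, SettingBoolean) are those of the GPO XML report. It only covers the Account Policies part of a GPO, which is the part this recipe customizes; SCM's Compare/Merge covers every supported setting.

```powershell
# Added example (not from the book): script alternative to the GPMC backup and
# the SCM Compare/Merge review for the Account Policies of two GPOs.
# Assumptions: RSAT GroupPolicy module installed; the two GPO names exist.
Import-Module GroupPolicy

# Steps 2-3 without the GUI: the resulting folder is what SCM imports via
# Import | GPO_Backup (folder) after you copy it to the SCM host.
Backup-GPO -Name 'Default Domain Policy' -Path 'C:\GPOBackup' -Comment 'Baseline review' | Out-Null

function Get-GpoAccountPolicy {
    # Returns a hashtable of the password, lockout and Kerberos settings that
    # the named GPO defines, e.g. MinimumPasswordLength = 14.
    param([Parameter(Mandatory)][string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    $settings = @{}
    # The report uses prefixed namespaces; local-name() avoids binding them.
    foreach ($node in $report.SelectNodes("//*[local-name()='Account']")) {
        $setting = $node.SelectSingleNode("*[local-name()='Name']").InnerText
        $number  = $node.SelectSingleNode("*[local-name()='SettingNumber']")
        $bool    = $node.SelectSingleNode("*[local-name()='SettingBoolean']")
        if ($number)  { $settings[$setting] = [int]$number.InnerText }
        elseif ($bool) { $settings[$setting] = ($bool.InnerText -eq 'true') }  # [bool]'false' would be $true
    }
    return $settings
}

function Compare-GpoAccountPolicy {
    # Classifies each setting the way SCM's Export to Excel does.
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $pa = Get-GpoAccountPolicy -Name $A
    $pb = Get-GpoAccountPolicy -Name $B
    foreach ($key in (@($pa.Keys) + @($pb.Keys) | Sort-Object -Unique)) {
        $inA = $pa.ContainsKey($key)
        $inB = $pb.ContainsKey($key)
        $group = if ($inA -and $inB) {
                     if ($pa[$key] -eq $pb[$key]) { 'Matches' } else { 'Differences' }
                 } elseif ($inA) { 'Settings only in A' } else { 'Settings only in B' }
        [pscustomobject]@{ Setting = $key; Group = $group; A = $pa[$key]; B = $pb[$key] }
    }
}

Compare-GpoAccountPolicy -A 'Default Domain Policy' -B 'HuDCloud Domain Security Compliance' |
    Sort-Object Group, Setting | Format-Table -AutoSize
```

Pipe the output to Export-Csv when you need a point-in-time record for auditors who have no console access, which is the same use the recipe gives the Excel export.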

Exporting baselines to other tools

The Security Compliance Manager tool is great for testing and configuring GPO-based compliance. System Center Configuration Manager offers more compliance functionality, but it lacks the testing capabilities and out-of-the-box baselines that Security Compliance Manager offers. Therefore, it makes sense to create and test your baselines with SCM, and then use System Center Configuration Manager for operations, as you are able to centralize more compliance controls within that tool. The following steps provide a guideline for exporting your GPO-based baseline. For more details on System Center 2012 R2 Configuration Manager, please refer to Chapter 3, Enhancing the Basic Compliance Program Using Microsoft System Center 2012 Configuration Manager.

  1. Open the Security Compliance Manager Console.
  2. In the Baseline Library menu, choose the baseline you want to export.
  3. In the Actions/Tools menu, expand Export. As shown in the following screenshot, several options are available. For usage in other configuration tools, such as System Center Configuration Manager, choose the .cab format. Here simply select SCCM_DCM_2007 (.cab):
    Exporting baselines to other tools
  4. In the file explorer window, choose your export folder; under File name: choose a name for your CAB file and then select Save. You are now ready to import the baseline to another tool.

Deploying new GPO settings

So far, we talked about Security Compliance Manager and GPOs with regard to compliance management. The tool also enables you to deploy baselines based on industry standards for new technologies. For example, in June and September 2014, new Security Compliance Manager baselines were provided by Microsoft for Windows 8.1, Windows Server 2012 R2, and Microsoft Office 2013. Hundreds of new GPO settings are made available with those new technologies. Security Compliance Manager helps to test those new settings and decide which settings to use.

The following link provides information about new baselines as they are made available:

http://blogs.technet.com/b/secguide/archive/2014/09/04/scm-baselines-for-windows-8-1-ie-11-and-server-2012-r2-are-now-live.aspx

Active Directory Domain Services fine-grained password policies

Fine-grained password policies have been available in AD DS since Windows Server 2008 (the domain functional level must be Windows Server 2008 or higher). With these policies, you can apply different password and lockout settings to different users and global security groups, for example a stricter policy for administrative accounts than the domain-wide GPO baseline enforces. For more information, please see the following URL:

http://technet.microsoft.com/en-us/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd75.aspx
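The following script is an added example and not part of the book. It layers a stricter fine-grained password policy (PSO) for privileged accounts on top of the domain-wide GPO baseline from this recipe, then checks which policy AD will actually apply to each member of the group. It assumes the ActiveDirectory module is installed, the domain functional level is Windows Server 2008 or higher, and a global security group named HuDCloud-Admins exists; the PSO name and the values are assumptions chosen for the example.

```powershell
# Added example (not from the book): a stricter PSO for privileged accounts.
# Assumptions: ActiveDirectory module installed, domain functional level
# Windows Server 2008+, and a global security group 'HuDCloud-Admins' exists.
Import-Module ActiveDirectory

$PsoName = 'HuDCloud-PrivilegedAccounts-PSO'
$Group   = 'HuDCloud-Admins'

$PsoSettings = @{
    Name                        = $PsoName
    Precedence                  = 10       # lower value wins when several PSOs apply to one user
    MinPasswordLength           = 20
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
}

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy @PsoSettings
}

# PSOs can only be applied to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group

function Get-EffectivePasswordPolicy {
    # Returns the PSO AD resolves for the user, or the domain policy (from the
    # GPO linked at the domain root) when no PSO applies.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { return $pso }
    return Get-ADDefaultDomainPasswordPolicy
}

# Verify that every user in the group really gets the stricter policy.
Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $eff = Get-EffectivePasswordPolicy -SamAccountName $_.SamAccountName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Policy    = if ($eff.Name) { $eff.Name } else { 'Domain default (GPO)' }
            MinLength = $eff.MinPasswordLength
            Lockout   = $eff.LockoutThreshold
        }
    } | Format-Table -AutoSize
```

The verification step matters because a user who is a member of several groups with PSOs gets only the one with the lowest Precedence value, and a user who is not a direct or nested member of any PSO subject silently falls back to the domain policy.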