Understanding Microsoft Security Baselines and Applying Them – Part 1

What are security baselines? Why do I need them?

Security Baselines are published by various companies however I will focus strictly on Microsoft Security Baselines, and how to apply them safely in your environment.

Microsoft Security Baselines are created to give our customers a benchmark and to utilize the latest features possible, while also guiding them on which security settings should be used. It is very important to note that it’s a baseline for a reason, this will be the “minimum” configuration with all your custom differences put on top of it.

In this series I will be sharing my knowledge and experience that I have gained over the years with various clients. I have specifically gained a lot of experience through Microsoft’s Premier Offering called ‘Active Directory Security: Domain and Domain Controller Hardening‘ which leverages a lot of the concepts and toolsets I am showcasing.

Why do I need security baselines?
Very simply put, a security baseline allows you to ensure that a certain level of security is maintained across your environment. As your environment grows and you expand, you will find that you have many different systems that often don’t have the same security settings as each other. A security baseline helps keep all systems in line, while also allowing you to update the baselines when you decide to finally upgrade an Operating System or when a newer version of your software comes out, and still maintain a certain level of security/configuration across your environment.

Where do I download the baselines from?

The baselines are downloadable from the link below. These are the official download links, and you should never download from any other source.

Microsoft Security Compliance Toolkit (SCT) – all baselines and the toolkit itself can be downloaded from here.
https://www.microsoft.com/en-us/download/details.aspx?id=55319

Alternatively you can go below to get all the latest information of what’s been released, and also what discussions have gone around each baseline itself.
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines#


If you would like to follow all the latest that is happening in the world of Security Baselines from Microsoft, please visit the below URL as this is our official blog;
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines

Which one should I download? Do I need all of them?

My advice to customers is to generally wait for the (FINAL) version of whatever software they are getting baselines for. Generally speaking though, once there is a (FINAL) version released then that’s the last iteration we will issue for that software or OS Version.

Do I need all of the baselines?
The answer to the second part is very simply – No. You do not need to download every single baseline for every single version of product. I implore you to instead download the ones that constitute most of your environment, or the software you want to protect eg. Edge, IE, Server 2012R2, Windows 10 v1909 etc.

For example, if your organization is on Windows 10 SAC releases, you should see an update that is pushed every 6 months. An example of this is Windows 10 v1903 and Windows 10 v1909. In this situation, download just Windows 10 v1903, and v1909. You do not need to get Windows 10 v1607 if you don’t have any installed in your environment. If you have an SCCM or asset inventory system, it will come in very handy here to understand exactly what you have in your environment and give you a clear scope of what to protect.


Should I download only the latest version available for Windows 10/Server 2019 or should I get the precise version per OS/software?

You should always try your best to download exactly the version you want to apply the baselines to. Of course you can apply the very latest baselines on your Organizational Units (OU’s) however don’t expect all the settings to apply since some features are only present in the later version of the OS.

Generally what most customers’ would do in this situation is to have a difference OU per OS, and then apply the baseline for that specific OS to the single OU. However there is a catch with this method, since you don’t always have the ideal OU structure to support this implementation.

Due to this situation above, I always advise clients to use WMI Filters to then be able to have multiple baselines applying to a single parent OU, but the GPO will only apply if a very specific OS Version is detected. So based upon that logic you can do the following with a very simple AD structure and you don’t have to be concerned about where the computer objects are exactly, nor do you need an OU per Windows version.

OU Structure for TIER 2

What is included in the Security Baseline package?

First I will download the Windows 10 v1909 baseline from the SCT Link above.

Select which baselines to download
Extracted baseline file

Documentation – Contains the default policyrules files which are used with the Security Compliance Toolkit, differences between the previous baseline release (in this case v1903), and the new settings that were added.

GP Reports – This folder contains all the GPResults as released by us for each Group Policy. This is what the GPO should look like when its applied to a machine/user.

GPO’s – These are the group policy folders themselves which you can then use to import the exact security baselines. These GPO’s were originally backed up and can simply be imported to new GPO’s.

Scripts – Scripts that can simplify your work, most notably to import all the GPO’s into your environment, it should be run on a Domain Controller with a user account that has the necessary permissions. The local Install script will map these group policy settings to a local workstation and make the changes to the local security policy (secpol.msc) whether its joined to a Domain, or in a Workgroup – this will utilize the LGPO.exe functionality.

Templates – These are the relevant admx/adml files that are needed to interpret the settings within the GPO’s themselves. If you are missing these files in your PolicyDefinitions folder you will not see the settings when editing the GPO’s. You will also see “Extra Registry Keys” beneath your GPResults. These should be imported into your Central Store so that all clients will immediately be able to use these across all your clients.

What is the Security Compliance Toolkit?

The Security Compliance Toolkit (SCT) is the successor to the original Security Compliance Manager 4.0 (SCM). If you have used SCM previously you will get the idea of what need this tool fulfills.

If you are totally new to GPO’s, SCT is a tool that allows you to view and compare GPO’s so that you can import the entire security baseline, and compare that to what is currently running on your environment. The tool itself does require some learning however within a short while you can get very comfortable with it. PS. there is a PDF included in the toolkit which gives a very good overview.

PolicyAnalyzer.exe with some baselines imported already
Comparing 2 policies in SCT
Server 2008 R2 and 2012 R2 comparison only displaying comparisons with the explanation beneath it


Conclusion

To conclude part 1 of this series, I have introduced the possibility of maintaining security settings across your whole organization with the use of Group Policy and Microsoft Security Baselines. I have showed how to download them, and how to start exploring them with the SCT toolkit.

In the next part I will dig deeper into importing the default security baselines, and how you can append your custom security settings which you require to make your own applications and tools work per system/service. I will also dig into the testing of GPO’s and reverting your changes if needed.

Hope you enjoyed the post and look forward to the next one.