Geek of All Trades: Automate Baseline Security Settings
I once worked for a manager we called the “Queen of the Baseline.” Her primary responsibility was to ensure the desktops of hundreds of developers who were writing code for a satellite system’s ground station only ever had authorized changes.
In those days, that was no easy task. Technologies to automatically monitor desktop configurations simply weren’t available. While she was successful at her job, maintaining her configuration baseline required as much peer pressure as any technological solution. The “Queen” regularly attended meetings defending changes to that baseline and exerting her influence to ensure that only the correct software and settings were eventually approved.
Her reason for this fanatical devotion to “the baseline” was to ensure a stable and well-documented environment for the satellite system’s customer. As you’d expect, this customer didn’t want to launch its billion-dollar satellite only to find out years later that part of its processing was written with unapproved software. That customer also wanted assurance that no inappropriate code could inadvertently make its way into the satellite’s operating systems.
Control the Baseline: Control Configuration
Most of us aren’t responsible for the health and well-being of billion-dollar satellite systems, but we are all conscious of the trouble bad code can cause when it gets into our networks. Most of the time that code will sneak in through an attack, propagated by some piece of malware. There may have been a security hole due to an improperly configured desktop that may have missed a security update.
Even we administrators can miss updates from time to time. We might have neglected to close the hole, or missed a recently recommended security update released by a manufacturer or a regulatory agency. Any of these missed security configuration updates can pose a problem, because each one leaves a less-secure computing environment. Some are meant to protect that environment from user activities, while missing others may introduce the chance we’ll fail our next security or compliance audit.
For all of these reasons, Microsoft continues to strengthen its tools for centrally configuring computer settings. Group Policy and Group Policy Preferences have long provided a simple solution for enforcing security policy via Active Directory. System Center Configuration Manager (SCCM) takes this enforcement a step further through its Desired Configuration Management (DCM) functionality.
There are also numerous third parties that produce their own configuration management software. Their capabilities typically include making global changes and issuing alerts when configurations deviate from the baseline. The U.S. government’s own security policy protocol development is a central driver in these types of efforts. The Security Content Automation Protocol (SCAP) is a smartly designed protocol that provides a framework to create, distribute and validate security settings on computers throughout your network.
There’s an extensive list of third-party solutions that support SCAP. These solutions, along with those from Microsoft, create a platform upon which you can import databases with approved security settings. Many of these platforms also provide automated ways to “fix” incorrect settings, so you can quickly elevate your environment to compliance.
Knowledge Is Control
In order to actually fix a bad configuration, you first need to identify it. Tools like Group Policy and DCM provide an automation platform for enforcing your baseline’s settings. They don’t necessarily help you visualize how those settings should be structured. You can create a report that lists the settings in a GPO, but that type of report isn’t necessarily attuned to your security needs.
You need a level of visualization to ensure you’re enforcing the proper settings. You need an easy way to see and to check your security baseline settings. You need to know which configurations enforcing that baseline will adjust. You need some mechanism to compare the contents of one security policy against another. This way you could compare, for example, your internal security baselines against each other, or yours against those provided by Microsoft or external regulatory agencies.
Your answer for this dilemma is the recently released Microsoft Security Compliance Manager. This is not intended to be a policy enforcement solution, but this relatively simple download is exceptionally handy for all the “other” management tasks associated with security baseline management, such as baseline configuration review, baseline editing, baseline comparison and reporting, and so on. This free tool is packaged as a Solution Accelerator from Microsoft and can accomplish all these tasks.
Figure 1 shows the Security Compliance Manager dashboard. Here you can see some common security baselines for products like Internet Explorer, Windows 7, Microsoft Office and Windows Server. You’ve seen these baselines and their content before. They’re the same ones you used to find in documents for previous OSes like the “Windows 7 Security Guide” or the “Windows Server 2008 Attack Surface Reference.”
Figure 2 Groups of settings within a baseline.
The real power of the Microsoft Security Compliance Manager comes in the visualizations it creates for these baselines. Take a look at Figure 2’s zoomed-in view from Figure 1. You can see the security baseline Win7-EC-Desktop 1.0. This one represents the Enterprise Client security recommendations for Windows 7 and includes a range of configuration changes controlled through Group Policy.
Figure 3 Individual baseline configurations.
Click on any of the settings groups in Figure 2 to see a list of the individual baseline configurations in Local Policies\Security Options, as shown in Figure 3. You can see the default settings alongside the Microsoft suggested settings. The column on the right shows any changes you’ve made to the baseline to customize it for your environment.
Customize, Compare and Deploy
This type of customization brings to light one of the more-challenging activities associated with security policy management: tailoring default recommendations for your specific needs. You may recognize that Microsoft recommendations (or those handed down from government agencies) don’t necessarily fit your environment’s needs. Perhaps Microsoft policy shuts a firewall port you need to keep open, or your auditing requirements are more stringent than a default baseline. In any of these cases, managing the differences between a supplied baseline and the one you need can be a challenge.
Figure 4 Editing a security setting in a baseline.
The Microsoft Security Compliance Manager can help you manage those differences. Right-clicking any imported baseline and selecting Customize | Duplicate creates a standard baseline copy that you can then edit to suit your needs. Selecting a setting in this editable copy and choosing the Definition tab gives you a place to customize the policy (see Figure 4).
Figure 5 Comparing two policies.
Once you’ve made your own customizations to a policy, compare the resulting policy against another by right-clicking the policy and choosing Manage | Compare. In the subsequent screen, select a second policy against which you can compare yours. The tool completes the comparison and shows you a screen similar to Figure 5. Here you’ll see how Contoso.com’s baseline has one policy setting that is different from the Microsoft Win7-EC-Desktop baseline.
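The same three-way comparison (changed, dropped and added settings) can be reproduced outside the tool when two baselines are available as text. The following is an added example, not code from Security Compliance Manager or from the article; it assumes both baselines are security templates in the INF layout that `secedit /export` writes, and the sample templates, their values and the Contoso registry path are constructed for illustration.

```python
# Added example: compare two security baselines, setting by setting.
# REFERENCE and CUSTOM are constructed samples in the security-template INF
# layout (the layout `secedit /export` writes); the values are illustrative.
REFERENCE = r"""
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 10
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
"""

CUSTOM = r"""
; Contoso copy of the reference baseline (constructed)
[System Access]
minimumpasswordlength = 14
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Policies\Contoso\Example=4,1
"""

def parse_template(text):
    """Return {(section, setting): value}, with names lower-cased."""
    settings, section = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)      # values may contain '='
            settings[(section, name.strip().lower())] = value.strip()
    return settings

def compare_baselines(reference, custom):
    """Classify every setting as changed, missing from custom, or extra."""
    ref, cus = parse_template(reference), parse_template(custom)
    return {
        "changed": {k: (ref[k], cus[k]) for k in ref.keys() & cus.keys()
                    if ref[k] != cus[k]},
        "missing": {k: ref[k] for k in ref.keys() - cus.keys()},
        "extra": {k: cus[k] for k in cus.keys() - ref.keys()},
    }

if __name__ == "__main__":
    for kind, items in compare_baselines(REFERENCE, CUSTOM).items():
        for (section, name), value in sorted(items.items()):
            print(f"{kind:8} [{section}] {name}: {value}")
```

The "missing" bucket deserves the closest review: a setting dropped from a customized copy is no longer enforced by that baseline, which is easy to overlook when only changed values are checked.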
Once you’ve completed your customization, you can publish any policies within the interface, making them read-only and preserving their settings. When your policies are ready to deploy, export them in file formats that Group Policy, DCM, or any tool that supports the U.S. government’s SCAP protocol can import.
This tiny but impressive freeware tool really does help with the occasionally complicated process of security baseline management. While it’s not designed to actually manage policy enforcement—that’s a task for other solutions like SCCM, Group Policy or third-party solutions—it does provide a handy desktop for visualizing, editing and comparing the baselines you need to deploy.
It reminds me that I haven’t talked with my former manager from that old job. I wonder how she’s doing with her own baselines, now that the technology to truly enforce them has really caught up.
Greg Shields, MVP, is a partner at Concentrated Technology. Get more of Shields’ Jack-of-all-Trades tips and tricks at ConcentratedTech.com.