Security baselines are helpful, but to be sure of their effectiveness you need to perform regular audits. Here’s how you can use Tenable.io and Nessus Professional to audit the security baselines included within the Microsoft Security Compliance Toolkit.
An important portion of information security is ensuring systems and software are configured in a secure manner. If you look at the Critical Security Controls lists many organizations produce, Secure Configurations typically appear within the top 5. To support this, we have seen more and more vendors create Security Best Practices documents to help customers protect their infrastructure, such as Microsoft with the Microsoft Security Compliance Toolkit (MSCT). There are also organizations such as the Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) producing best practice documents. At Tenable, we have also created Best Practice audits for some popular software.
Some of these documents contain principles (e.g., "Limit Administrator Privilege") rather than prescriptive statements (e.g., "Lock out the account after 3 failed logins"). While both types of documents provide value to an organization, compliance with prescriptive statements is generally easier to validate, as each check is either a pass or a fail. Principle statements are usually open to more interpretation, so audits against them require more effort to determine compliance. The Microsoft Security Compliance Toolkit provides prescriptive configurations and guidance.
What is Microsoft Security Compliance Toolkit?
Microsoft produced a set of tools so organizations can apply Microsoft-recommended security configurations to their environment. The typical method for deploying the baselines is via Active Directory using Group Policy Objects (GPOs), or individually via local policy. Also included with the baselines are spreadsheets documenting the settings.
The toolkit contains baselines for newer Microsoft Operating Systems, including:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows 10 v1809 (October 2018 Update)
- Windows 10 v1803 (April 2018 Update)
- Windows 10 v1709 (Fall Creators Update)
- Windows 10 v1703 (Creators Update)
- Windows 10 v1607 (Anniversary Update)
- Windows 10 v1511 (November Update)
- Windows 10 v1507
The Windows Server and Windows 10 baselines cover the Core OS and Internet Explorer.
There is also a security baseline for Office 2016.
Why utilize the Microsoft Security Compliance Toolkit?
When you leverage the configuration baselines from Microsoft Security Compliance Toolkit, you are taking an important step to improve your security posture. There are also operational benefits to adopting the baselines. Some of these benefits include:
- Less complex environment. When using a standard configuration, there is an expectation that all hosts with the same configuration will behave in a similar manner. The fewer distinct configurations you have to maintain, the easier they are to test and troubleshoot.
- Leverage expertise. Most organizations don’t have the resources to completely develop and test their own security baselines. It is good practice to leverage expertise from a trusted source; doing so can save you a lot of time and effort in creating and maintaining baselines.
- Better awareness. Having standard configurations is beneficial when analyzing impacts to the environment, including detection of new vulnerabilities, impact of change requests, detecting configuration drift/misconfigurations, etc.
Configuration Auditing with Tenable.io and Nessus
Security baselines are great, but to be sure of their effectiveness you need to perform regular audits. Tenable.io and Nessus Professional include recently created audits for the security baselines included within the Microsoft Security Compliance Toolkit. In addition to the benefits listed above, automated configuration auditing adds the following benefits:
- Validate the configuration is properly applied.
- Ensure changes to the environment have not inadvertently modified security settings.
- Depending on scan frequency, narrow down the window in which a suspected configuration change occurred.
- Greatly reduce the manual effort of performing these tasks.
- Individual checks are mapped to several cybersecurity frameworks and standards. This information and scan history can help support evidence of compliance efforts.
Getting Started Auditing Microsoft Security Compliance Toolkit
You can get started auditing security baselines from the Microsoft Security Compliance Toolkit today. Visit http://downloads.tenable.com and select the audit file(s) for the baselines applied in your environment, then log into Tenable.io or Nessus.
These audits are simple to set up because they do not use variables, and each audit has a platform check built in, so it will only be evaluated on the matching OS version.
For example, if you have a Windows 10 environment with v1809 and v1803, you can set up a scan with both audits, and only the appropriate audit will be evaluated on the host.
Once the configuration is saved, run the scan and review the results.
For demonstration purposes, this scan was run against a single non-remediated host. Below is example output from one of the checks.
Each result contains the following information:
- Status - Pass / Fail / Warning
- Remediation steps are displayed if the check did not pass
- When possible, actual results from the system will be included
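The platform-gated check and the Status / Remediation / Actual result structure described above, shown as a small local PowerShell check. This is an added example, not Tenable's audit code or the toolkit's own tooling; the build numbers for v1809 and v1803 are the published Windows 10 builds, while the lockout threshold of 3 is the article's illustrative figure, not the value from the Microsoft baseline. It assumes an elevated prompt, since secedit needs administrator rights.

```powershell
# Added example (not Tenable's audit code): OS build gate, then a Pass/Fail
# result carrying remediation guidance and the actual value read from the host.
# The threshold below is the article's illustrative figure; substitute the value
# from the toolkit's spreadsheet for your OS version.
$ExpectedBuilds = @{ '17763' = 'Windows 10 v1809'; '17134' = 'Windows 10 v1803' }
$ExpectedLockoutThreshold = 3   # placeholder taken from the article's example

# Platform check: skip the audit entirely if this host is not a covered build
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if (-not $ExpectedBuilds.ContainsKey($os.BuildNumber)) {
    Write-Output "SKIPPED: build $($os.BuildNumber) is not covered by this audit"
    return
}

# Export the local security policy; LockoutBadCount holds the lockout threshold
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null
$line = Select-String -Path $inf -Pattern '^LockoutBadCount\s*=\s*(\d+)'
Remove-Item $inf -ErrorAction SilentlyContinue
# A missing entry means lockout is effectively disabled (0 = never lock out)
$actual = if ($line) { [int]$line.Matches[0].Groups[1].Value } else { 0 }

# Build a result record with the same fields the scan output carries
$result = [pscustomobject]@{
    Platform    = $ExpectedBuilds[$os.BuildNumber]
    Check       = 'Account lockout threshold'
    Expected    = "1 to $ExpectedLockoutThreshold invalid logon attempts"
    Actual      = $actual
    Status      = if ($actual -ge 1 -and $actual -le $ExpectedLockoutThreshold) { 'PASS' } else { 'FAIL' }
    Remediation = ''
}
# Remediation steps are only shown when the check did not pass
if ($result.Status -eq 'FAIL') {
    $result.Remediation = "Set 'Account lockout threshold' to $ExpectedLockoutThreshold " +
        "(Computer Configuration > Windows Settings > Security Settings > Account Policies > " +
        "Account Lockout Policy) via GPO, or locally: net accounts /lockoutthreshold:$ExpectedLockoutThreshold"
}
$result | Format-List
```

Extending the same pattern to every row of the baseline spreadsheet is what the Tenable audit files do for you; the value of running a check like this by hand is mainly to confirm what "Actual" looks like on a known-good host before trusting scan results at scale.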
If your organization currently does not follow security baselines, or you have created your own but the maintenance is a burden, it may be worth taking a look at the baselines provided as part of the Microsoft Security Compliance Toolkit. These baselines can save you a lot of effort in creation and maintenance.
Additionally, once you adopt the security baselines, perform regular audits to confirm the baselines are properly in effect.
At Tenable, we strive to regularly update our policy compliance audits to match the newest versions published by Microsoft. We also realize there are many cybersecurity frameworks available for organizations to follow, so we regularly map the checks in the policy compliance audits to various framework controls.