Native MS Security Tools and Configuration

2015-03-04

This article, written by Santhosh Sivarajan, the author of Getting Started with Windows Server Security, introduces another powerful Microsoft tool, Microsoft Security Compliance Manager (SCM). As its name suggests, it is a platform for managing and maintaining your security and compliance policies.

At this point, we have established baseline security based on your business requirements using the Microsoft Security Configuration Wizard (SCW). Those policies can be a pure reflection of your business requirements. In an enterprise, however, you also have to consider compliance obligations, regulations, other industry standards, and best practices to maximize the effectiveness of the security policy. That is where Microsoft SCM adds business value: it ships with vendor-maintained baselines that you can compare against and merge with your own. We will look at the included SCM baselines later in the article.

The goal of the article is to walk you through the configuration and administration of Microsoft SCM and explain how it can be used in an enterprise environment to support your security needs. Then we will look at a method of verifying that a server still matches its baseline state, using another free Microsoft tool, Attack Surface Analyzer (ASA). At the end of the article, you will see how to add further restrictions on what can run on a server using a built-in Windows feature, AppLocker.


Microsoft SCM

Microsoft SCM is a centralized security and compliance policy manager from Microsoft. It is a standalone application. Microsoft develops its baselines and best practice recommendations based on customer feedback and on recommendations from other agencies, and these baselines are reviewed and updated regularly, so it is important that you are working from the latest baseline. When a new baseline is published, you can download it and update your library from the SCM console itself. Because SCM supports multiple input and output formats, such as XML, Group Policy Objects (GPO), Desired Configuration Management (DCM) packs, Security Content Automation Protocol (SCAP), and so on, it can act as a central policy source for your network infrastructure and for other security and compliance products. It is also possible to integrate SCM with the Microsoft System Center 2012 Process Pack for IT GRC. More details can be found at http://technet.microsoft.com/en-us/library/dd206732.aspx.

Installing Microsoft SCM

We will start with the installation process. As mentioned earlier, it is a standalone product. It uses Microsoft SQL Server 2008 or higher as the database. If you don't have a SQL database already installed on your system, the SCM installation process will automatically install Microsoft SQL Server 2008 Express Edition. You can perform the following steps to install Microsoft SCM:

  1. Download Microsoft Security Compliance Manager from http://www.microsoft.com/en-us/download/details.aspx?id=16776.
  2. Double-click on Security_Compliance_Manager_Setup.exe to start the installation process.
  3. Click on Next on the welcome window. Make sure to select the Always check for SCM and baseline updates option.
  4. Accept the License Agreement option and click on Next.
  5. Select the installation folder from the Installation Folder window by clicking on the Browse button. Click on Next.
  6. On the Microsoft SQL Server 2008 Express window, click on Next to install Microsoft SQL Server 2008 Express Edition. If you have Microsoft SQL Server already installed on your system, you can select the correct server details from this window.
  7. Accept the License Agreement option for SQL Server 2008 Express and click on Next.
  8. Click on Install on the Ready to Install window to begin the installation.
  9. You will see the progress in the Installing the Microsoft Security Compliance Manager window. If it asks you to restart the computer, click on OK.
  10. Click on Finish to complete the installation.

This section provides a high-level overview of the product before we start on administration and management. The left pane of the SCM console lists all available baselines; this is the baseline library. The center pane displays the details of whatever you have selected in the baseline library. The right pane, also called the Actions pane, provides the commands and options to manage your policies.

As you can see in the following screenshot, it provides several options to export a baseline into different formats, so if you already use a different compliance management tool, you can consume these files with your existing tool.

[Figure: SCM export options]

Like other compliance products, Microsoft SCM supports different severity levels: Critical, Important, Optional, and None. As you can see in the following screenshot, on a custom baseline the severity of a setting can be changed to None, Important, Optional, or Critical based on your requirements.

[Figure: changing the severity of a setting in a custom baseline]

For each setting, you will also see additional details and references (CCE identifiers, OVAL definitions, and so on) in the Setting Details section.

Administering Microsoft SCM

This section provides you with an overview of Microsoft SCM and some administration procedures to create and manage policies. These tasks can be achieved by performing the following steps:

  1. Open Security Compliance Manager. If you see a Download Updates popup window, click on the Download button to start the download and complete the database update process.
  2. Security Compliance Manager consists of mainly two sections: Custom Baselines and Microsoft Baselines. We will go through the details later in this article.

    [Figure: SCM baselines]

  3. Expand Microsoft Baselines. Since we are focusing more on Windows Server 2012, I will start with this section.
  4. Select the Windows Server 2012 node. This node contains predefined security policies based on Microsoft and industry best practices.

  5. I will use the predefined WS2012 Web Server Security template for this exercise.

    You will not be able to make changes to the settings in the default template. If you need to make changes, you can make a copy of the template and make changes there.

  6. Select the WS2012 Web Server Security template. From the right pane, select the Duplicate option.

  7. In the Duplicate window, enter the name for this new security policy. Click on Save. The new template will be saved under the Custom Baselines node.

  8. You can review the policy and make necessary changes in the newly created policy.

Creating and implementing security policies

At this point, you have installed SCM and are familiar with the basic administration tasks. From here on, you will work through a real-world scenario: exporting an existing web server policy from Active Directory, importing it into SCM, merging it with the matching SCM baseline, and importing the merged result back into Active Directory.

Exporting GPO from Active Directory

We will start by exporting the existing web server policy from Active Directory. The following steps can be performed to export (backup) an Active Directory GPO-based policy:

  1. Open the Group Policy Manager console.
  2. Expand Forest | Domain | Domain Name | Group Policy Objects.
  3. Right-click on the appropriate GPO and select Back Up.

    [Figure: GPO backup]

  4. In the Back Up Group Policy Object window, enter the Location and Description details for the backup file. Click on the Back Up button to start the backup operation.
  5. You will see the progress in the Backup window. Click on OK when it completes the backup operation.

    A GPO can also be backed up using the Backup-GPO PowerShell cmdlet. The following is an example (the GPO name and path are placeholders):
    Backup-GPO -Name "WebServerBaselineV2.0" -Path "D:\Backup" -Comment "Baseline Backup"

The backup folder name will be the GUID of the GPO itself.

Importing GPO into SCM

An exported GPO-based policy can be imported directly into SCM. An administrator can perform the following steps to complete this task:

  1. Open Microsoft Security Compliance Manager.
  2. From the Import section on the right pane, select the GPO Backup (Folder) option.

    [Figure: SCM import options]

  3. In the Browse For Folder window, select the GPO backup folder. Click on OK.
  4. In the GPO Name window, confirm or change the baseline name. Click on OK.
  5. In the SCM Log window, you will see the status. Click on OK to close the window.

  6. You will see the imported policy under Custom Baselines | GPO Import | Policy Name.

Currently, SCM supports importing from GPO backups and from SCM CAB files. If you have some other policy or baseline (for example, DISA STIGs) that you would like to bring into SCM, you need to import it into Active Directory first and then back it up as a GPO before you can import it into SCM.

Merging imported GPO with the SCM baseline policy

The third step in this process is to merge the imported policy with the SCM baseline policy. Keep in mind that some configuration may be lost when you merge an existing GPO with an SCM baseline: service-related settings or ACL configuration, for example, may not be preserved when you associate and merge. Internally, the association step maps each setting in your GPO to SCM's setting library; anything that does not map is dropped from the new baseline. If you have these types of settings in your GPO and want to retain them, split them out into a separate GPO that you leave untouched. For this exercise, my assumption is that you do not have such custom settings in the imported policy. The following steps can be used to associate and merge a GPO-based policy with an SCM-based policy:

  1. Select the imported policy in Microsoft Security Compliance Manager. From the right pane, select the Associate option from the Baseline section.

    [Figure: selecting the Associate option]

  2. From the Associate Product with GPO window, select the appropriate product. Since we are working with a Windows Server 2012 policy, I will be selecting Windows Server 2012 as the product. If you have a different operating system, select the correct product from the list. Click on Associate.

    The imported policy must contain at least one setting that maps to the selected product's setting library before it can be associated; otherwise, the Associate button will be grayed out.

  3. Enter a name for this policy in the Baseline Policy window.
  4. You will see this policy in the Custom Baselines | Windows Server 2012 section.
  5. Select this policy. From the right pane, select the Compare/Merge option from the Baseline section.

    [Figure: selecting the Compare / Merge option]

  6. Now you have associated your policy with an SCM product. The next step is to compare and merge your policy with an SCM baseline. From the Compare Baseline window, select the appropriate baseline. Since we are working with a web server baseline, we will be selecting WS2012 Web Server Security 1.0. Click on OK.
  7. You will see the result in the Compare Baselines window, where you can review which settings differ and which match. Since we are planning to merge these two policies, select the Merge Baselines option.
  8. You will see the summary report in the Merge Baselines window. Click on OK.
  9. In the Specify a name for the merged baseline window, enter a new name for this policy. Click on OK.
  10. The merged policy will be stored in the Custom Baselines | Windows Server 2012 section.

Exporting the SCM baseline policy

At this point, you have created a new policy that contains your custom policy and best practices provided by SCM. The next step is to export this policy to a supported format. Since we are dealing with Active Directory and GPO, we will be exporting it into a GPO-based policy. You can perform the following steps to export an SCM policy to a GPO-based backup policy:

  1. Select the policy in Microsoft Security Compliance Manager. From the Export section, select the GPO Backup (Folder) option.

    [Figure: export as GPO Backup (Folder)]

  2. From the Browse for Folder window, select the folder to store this policy in. Click on OK.

Importing a policy into Active Directory

The final step in this process is to import these settings back to Active Directory. This can be achieved by using Group Policy Management Console (GPMC). The following steps can be used to import an SCM-based policy into Active Directory:

  1. Open Group Policy Manager Console.
  2. Expand Forest | Domain | Domain Name | Group Policy Objects.
  3. Right-click on the appropriate policy. Select the Import Settings option.

    [Figure: the Import Settings option]

  4. Click on Next in the Welcome window.
  5. It is always a best practice to back up the existing settings. Click on Backup to continue with the backup operation. Once you have completed the backup, click on Next in the Backup GPO window.
  6. In the Backup Location window, select the backup location folder. Click on Next.
  7. Confirm the GPO name in the Source GPO window. Click on Next.
  8. You will see the scanning settings in the Scanning Backup window. Click on Next to continue.
  9. Click on Finish in the Completing the Import Settings Wizard window to complete the import operation.
  10. Click on OK in the Import window.
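The whole round trip (a safety backup of the existing GPO, import of the SCM-exported folder, and a report of the result) as one PowerShell script. This is an added example and not part of the original article; it assumes the GroupPolicy module from RSAT, a GPO named WebServerBaselineV2.0, a backup folder D:\Backup, and that SCM exported the merged baseline into D:\SCMExport (all assumed names).

```powershell
# Added example; not the article's code. Assumed names: GPO "WebServerBaselineV2.0",
# backup folder D:\Backup, and D:\SCMExport as the folder SCM exported into.
Import-Module GroupPolicy

$GpoName    = "WebServerBaselineV2.0"
$BackupRoot = "D:\Backup"
$ScmExport  = "D:\SCMExport"

# Step 1: back up the GPO before overwriting it. The returned object carries the backup GUID,
# which is also the name of the folder Backup-GPO creates under $BackupRoot.
$before = Backup-GPO -Name $GpoName -Path $BackupRoot -Comment "Pre-SCM-import copy $(Get-Date -Format s)"
"Safety backup id: $($before.Id)"

# Step 2: SCM writes its GPO export into a GUID-named subfolder containing bkupInfo.xml.
# Pick the newest one so a stale export is not imported by accident.
$exported = Get-ChildItem -Path $ScmExport -Directory |
    Where-Object { Test-Path (Join-Path $_.FullName "bkupInfo.xml") } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $exported) { throw "No GPO backup folder found under $ScmExport" }
$backupId = [guid]($exported.Name.Trim('{', '}'))

# Step 3: import the exported settings into the target GPO. This replaces the GPO's settings,
# which is why the backup in step 1 matters. -CreateIfNeeded creates the GPO if it does not exist.
Import-GPO -BackupId $backupId -Path $ScmExport -TargetName $GpoName -CreateIfNeeded | Out-Null

# Step 4: keep an HTML report of the resulting GPO so the change can be reviewed and compared
# against the pre-import backup.
$report = Join-Path $BackupRoot "$GpoName-after-import.html"
Get-GPOReport -Name $GpoName -ReportType Html -Path $report
"Imported backup $($exported.Name) into '$GpoName'; report written to $report"
```

Run it from a machine with the Group Policy Management Console installed, as an account that can edit the target GPO. If the import fails after step 1, restore with Restore-GPO -Name $GpoName -Path $BackupRoot -BackupId $before.Id.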

Maintaining and monitoring the integrity of a baseline policy

Once you have baseline security in place, whether it is a pure business policy or a combination of business and industry practices, you will need to maintain that state to preserve the security and integrity of the server. The idea is to compare the baseline state of the system with its current state and validate that the settings have not drifted. There are many ways to achieve this. Microsoft has a free tool called Attack Surface Analyzer (ASA) that snapshots the state of a system and compares two snapshots. The details and capabilities of this tool can be found at http://www.microsoft.com/en-us/download/details.aspx?id=24487.

Microsoft ASA

An administrator can perform the following steps to install, configure, and generate an Attack Surface Report using Microsoft ASA:

  1. Download Attack Surface Analyzer from http://www.microsoft.com/en-us/download/details.aspx?id=24487.
  2. Complete the installation. It is a standalone, simple MSI installation process.
  3. Open the Attack Surface Analyzer tool.
  4. The first step is to create the baseline state. Select the Run New Scan option and enter a name for the CAB file. Click on Run Scan to start the scanning process.

  5. You will see the status and progress in the Collecting Data window. When it completes, it will create a CAB file with the result.
  6. The second step in this process is to analyze the baseline state against the existing server so as to identify the differences. You will need to create another report (Product CAB) to compare the CAB file with the baseline CAB.
  7. Select the Run New Scan option again and enter a name for the product CAB file. Click on Run Scan to start the scanning process. Complete the CAB creation process.

  8. The third step in the process is to compare the baseline CAB with the product CAB to get the delta. Select the Generate Standard Attack Surface Report option. In the Select Options section, select the baseline CAB name, select the product CAB name, and enter a name for the attack report. Click on Generate to start the process. You will see the status in the Running Analysis window.

  9. The report will be opened automatically in the web browser. This report has three sections: Report Summary, Security Issues, and Attack Surface.
  10. The following is an example of a Security Issues report:

    [Figure: example Security Issues report]

Application control and management

At this point, you have a baseline policy for your server platform. Now we can add further restrictions based on your requirements to provide a more secure environment. In the following section, my plan is to introduce an option to block and allow specific applications using a built-in native feature called AppLocker. The details of AppLocker can be found at http://technet.microsoft.com/en-us/library/hh831409.aspx.

AppLocker

AppLocker policies are part of Application Control Policies in GPOs. There are four rule collections: Executable, Windows Installer, Script, and Packaged app rules. Before you create or enforce a policy, you need to take an inventory of how these applications are currently used in your environment. AppLocker has an audit-only enforcement mode that helps you to achieve this without blocking anything.

In this scenario, our goal is to block unauthorized execution of the NLTEST.exe utility on all servers.

Creating a policy

As the first step, you need to identify the current usage of the application in your environment. The following steps can be performed to create a new AppLocker policy in an Active Directory environment:

  1. Open Group Policy Manager Console.
  2. Expand Forest | Domain | Domain Name.
  3. Right-click on the Group Policy Object node and select New.
  4. Enter a name for the GPO in the New GPO window. Leave Source Starter GPO as (none). Click on OK. This will create a new blank GPO in the Group Policy Object node. We will be using this GPO to configure the AppLocker settings.
  5. Right-click on the newly created GPO and select Edit. This will open the Group Policy Management Editor window.
  6. Expand Policies | Windows Settings | Security Settings | AppLocker. Right-click on Executable Rules and select Create Default Rules. These default rules keep the operating system usable once enforcement is turned on: Everyone can run files in the Program Files and Windows folders, and members of the built-in Administrators group can run any file. Based on your requirements, you can modify or delete these rules.

    The default rules allow everyone to run files located in the Windows and Program Files folders only, and administrators can run all files. Without an allow rule that covers them, enforcing the Executable rules collection blocks every executable on the system, including the Windows binaries themselves.

    [Figure: the default AppLocker rules]

  7. Expand Policies | Windows Settings | Security Settings | AppLocker. Right-click on Executable Rules and select Create New Rule.
  8. Click on Next in the Create Executable Rules window.
  9. In the Permissions window, select Deny. In the User or Group section, click on Select and select the Server Admins group. Here, I have created a security group with all server administrators in that group. Keep in mind that an AppLocker deny rule always takes precedence over any allow rule for the same file, so the principal you choose here is the one that will be blocked; every other principal is still governed by the allow rules.

  10. In the Conditions window, select the File Hash option. Click on Next.

  11. In the File Hash window, select the correct file name using the Browse File option. In this scenario, I will be selecting the NLTEST.exe file. Click on Next.

  12. In the Name and Description window, select or enter an appropriate name for this rule. Click on Create.

Auditing a policy

The next step in this process is to audit the previously created policies to ensure that there will be no adverse effects on your environment. An administrator can perform the following steps to audit an existing policy in an Active Directory environment:

  1. Right-click on AppLocker (Policies | Windows Settings | Security Settings) and go to Properties.
  2. On the Enforcement tab, select appropriate rule types as Configured. From the drop-down list, select the rule as Audit only. Click on OK.

    [Figure: GPO AppLocker enforcement properties]

  3. You can see the application usage and history in the Event log. Open Event Viewer.
  4. Navigate to Applications and Services Logs | Microsoft | Windows | AppLocker.

  5. Based on your policy configuration, you will see the appropriate event information in the AppLocker section.

In an enterprise world, manually checking the items in an event log is not going to be a viable option. You have a few options available to automate this process. You can forward the event log to a central server (Event Forwarding) and verify from that single console, or you can use the Get-WinEvent PowerShell cmdlet to collect these events remotely.

The following section provides an option to evaluate these logs using the Get-WinEvent PowerShell cmdlet. By default, AppLocker events are located in the Applications and Services Logs | Microsoft | Windows | AppLocker section of the Event Viewer.

The Get-WinEvent -ComputerName "SERVER01.MYINFRALAB.COM" -LogName *AppLocker* | fl | Out-File Server01.txt command collects all events from the AppLocker logs on Server01 and writes them to the output file Server01.txt.

Here are some of the events that you will see in the event log: 8002 (a file was allowed to run), 8003 (a file would have been blocked if the policy were enforced; this is the audit-only event you are looking for), and 8004 (a file was blocked) in the EXE and DLL log, with 8005, 8006, and 8007 playing the same roles in the MSI and Script log.

If you have multiple computers to evaluate, you can create a simple PowerShell script to read the computer names from a file. The following is a sample PowerShell script. The Servers.txt file is your input file, containing one server name per line:

$OutPut = "C:\Input\Output.txt"
Get-Content "C:\Input\Servers.txt" | ForEach-Object {
    # Write the server name as a section header, then append that server's AppLocker events
    $_ | Out-File $OutPut -Append -Encoding ascii
    Get-WinEvent -ComputerName $_ -LogName *AppLocker* | fl | Out-File $OutPut -Append -Encoding ascii
}
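The following is an added example (not the article's script) that goes a step beyond the raw dump above: it queries only the audit-relevant AppLocker event IDs on each server, pulls the user and file path out of each event's structured data, and summarizes what the policy would block once enforced. It assumes the same C:\Input\Servers.txt input file, remote event log access to each server, and a domain that can resolve the SIDs recorded in the events.

```powershell
# Added example; not the article's script. Assumes C:\Input\Servers.txt holds one server
# name per line and that the account running this can read event logs remotely.
$Servers = Get-Content "C:\Input\Servers.txt"
$Output  = "C:\Input\AppLockerAudit.csv"

# AppLocker event IDs: EXE and DLL log    8002 allowed / 8003 would be blocked (audit) / 8004 blocked
#                      MSI and Script log 8005 allowed / 8006 would be blocked (audit) / 8007 blocked
$Filter = @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8003, 8004, 8006, 8007
}

# TargetUser in the event is a SID; translate it to DOMAIN\user where possible.
function Convert-SidToName([string]$Sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$rows = foreach ($server in $Servers) {
    try {
        $events = Get-WinEvent -ComputerName $server -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws both when the server is unreachable and when no events match.
        Write-Warning "${server}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # The fields of interest live in the event's UserData, not in the message text.
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Server   = $server
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Decision = if ($e.Id -in 8004, 8007) { 'Blocked' } else { 'WouldBlock' }
            User     = Convert-SidToName $d.TargetUser
            FilePath = $d.FilePath
            Rule     = $d.RuleName
        }
    }
}

$rows | Export-Csv -Path $Output -NoTypeInformation -Encoding ASCII

# What would the policy stop once enforced? Top file/user pairs across all servers.
$rows | Where-Object Decision -eq 'WouldBlock' |
    Group-Object FilePath, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Review the WouldBlock summary before switching the GPO to enforce: every entry is a user and binary that will stop working. The same filter can be reused against a collector server if you forward the AppLocker logs with Event Forwarding.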

Implementing the policy

Once you have verified the audit results, you can enforce the policy using the AppLocker GPO. The following steps can be used to enforce the AppLocker GPO in an Active Directory environment:

  1. Open Group Policy Manager Console.
  2. Expand the Forest | Domain | Domain Name | Group Policy Object node.
  3. Right-click on the Server Application Restriction GPO and select Edit. This will open a Group Policy Management Editor MMC window.

    [Figure: opening the Group Policy Management Editor MMC window]

  4. From Group Policy Management Editor, expand Policies | Windows Settings | Security Settings. Right-click on AppLocker and select Properties.
  5. In the AppLocker Properties window, change Executable rules to Enforce rules. Click on OK:

  6. Close the Group Policy Management Editor MMC window.

The new policy will apply to the servers according to your Active Directory replication interval and GPO refresh cycle. You can run gpupdate /force on a server to apply the GPO immediately. Two different results are shown in the following screenshots.

As you can see in the following screenshot, the user Johndoe was denied the execution of the NLTEST.exe application:

[Figure: NLTEST.exe blocked for Johndoe]

Since the following user was part of the Server Admins group, the user was allowed to execute the NLTEST.exe application:

[Figure: NLTEST.exe allowed for a member of Server Admins]

Some additional security recommendations to consider when installing and configuring AppLocker are included at http://technet.microsoft.com/en-us/library/ee844118(WS.10).aspx.

AppLocker and PowerShell

AppLocker supports PowerShell through a module called AppLocker. An administrator can create, test, and troubleshoot AppLocker policies using its cmdlets. You need to import the AppLocker module before these cmdlets can be used. The module contains five cmdlets: Get-AppLockerFileInformation, Get-AppLockerPolicy, New-AppLockerPolicy, Set-AppLockerPolicy, and Test-AppLockerPolicy.
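As an added example (not from the original article), the following script builds the same deny-by-hash rule for NLTEST.exe with those cmdlets, adds an allow rule so the policy can be evaluated on its own, tests it offline for two principals, and finally writes it into the GPO. Names are assumptions: the MYINFRALAB domain, the Server Admins group, the two test accounts, and the LDAP path of the GPO, which you must replace with your own.

```powershell
# Added example; not the article's code. Assumed names: MYINFRALAB domain, the
# "Server Admins" group, the two test accounts, and the GPO LDAP path below.
Import-Module AppLocker

$target  = "$env:SystemRoot\System32\nltest.exe"
$denyGrp = "MYINFRALAB\Server Admins"                     # group the Deny rule targets (assumed)
$xmlPath = "C:\Input\NltestDeny.xml"
$gpoLdap = "LDAP://DC01.MYINFRALAB.COM/CN={GPO-GUID},CN=Policies,CN=System,DC=MYINFRALAB,DC=COM"  # replace

# 1. Gather hash (and publisher) information for the file we want to restrict.
$fileInfo = Get-AppLockerFileInformation -Path $target

# 2. New-AppLockerPolicy only emits Allow rules, so generate an Exe hash rule for the
#    group and flip it to Deny in the XML. In AppLocker a Deny rule always wins over Allow.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Hash `
                   -User $denyGrp -RuleNamePrefix "Block" -Xml
$exeRules = $policy.AppLockerPolicy.RuleCollection
$denyRule = $exeRules.FileHashRule
$denyRule.Action = "Deny"
$denyRule.Name   = "Block nltest.exe by hash for $denyGrp"

# 3. Add an Allow path rule for Everyone covering nltest.exe's path, so the test below
#    shows the precedence of the Deny rule rather than "denied by default".
[xml]$allow = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Path -User "Everyone" `
                  -RuleNamePrefix "Allow" -Xml
$allowRule = $policy.ImportNode($allow.AppLockerPolicy.RuleCollection.FilePathRule, $true)
[void]$exeRules.AppendChild($allowRule)

# Start in audit mode; switch to "Enabled" only after reviewing the 8003 events.
$exeRules.SetAttribute("EnforcementMode", "AuditOnly")
$policy.Save($xmlPath)

# 4. Evaluate the policy offline: a Server Admins member comes back Denied, anyone else Allowed.
foreach ($user in "MYINFRALAB\johndoe", "MYINFRALAB\srvadmin01") {        # assumed accounts
    Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $target -User $user |
        Select-Object @{ n = 'User'; e = { $user } }, FilePath, PolicyDecision, MatchingRule
}

# 5. Write the rule collection into the GPO. -Merge keeps rules already present in the GPO.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $gpoLdap -Merge
```

Test-AppLockerPolicy evaluates the XML without touching the live policy, so steps 1 to 4 are safe to run anywhere the AppLocker module is available; only step 5 changes the GPO, and it requires write access to it.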

Summary

We started this article with baseline security for your server platform, which was originally created using Microsoft SCW. In this article, you learned how to combine that policy with the baseline and best practice recommendations in Microsoft SCM. You then used AppLocker to add application-level restrictions. You also learned how to snapshot the state of a server and compare it with its baseline to identify changes to the attack surface using Microsoft ASA.
