HowTo: Design a Secure Windows 2012 R2 Standard Operating Environment (SOE)
It doesn’t matter the size of your organisation or the compliance posture that it must adhere to. Every device on the network should be hardened and maintained. I worked for one of the largest IT companies in the world and it was the only company that had proper Windows Operating System hardening and Security Compliance Management. I also worked for a very large bank and the Security Team, numbering 50+, just didn’t understand how to develop a proper baseline for Security Compliance and copied and pasted information from another IT Vendor! What I am trying to say is: there are different levels of Security Experts.
So here is a basic overview of how to create a Secure Windows 2012 R2 SOE. This method can be applied to any supported OS.
Firstly, understand your security posture requirements. I have listed a few here: https://virtualizationandstorage.wordpress.com/2013/02/21/compliance-information/
It is also important to understand the SANS Critical Controls and Defeating Kill Chains.
This course is also a good starting point, SEC505: Securing Windows with the Critical Security Controls: http://www.sans.org/course/securing-windows
Understand the Critical Security Controls – https://virtualizationandstorage.wordpress.com/2014/10/23/critical-security-controls-and-defeating-kill-chains/
These are the core Security Standards and vital information for Windows hardening:
- NIST Checklists
- DISA STIG
- IT Security Database
- Common Configuration Enumeration
- Microsoft Solutions Accelerators
- Microsoft Security Compliance Manager – http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
- Microsoft Solutions Accelerator Security baseline scans – http://technet.microsoft.com/en-us/library/jj898542.aspx
- Microsoft Baseline Configuration Analyzer – http://www.microsoft.com/en-au/download/details.aspx?id=16475
- Microsoft Best Practice Analyzer Role and SQL – http://www.microsoft.com/en-us/download/details.aspx?id=29302
- Microsoft Security Configuration Wizard
- SOX Settings
- United States Government Configuration Baseline (USGCB)
The above websites and tools can be used to develop the required baseline for your environments. The Microsoft Security Compliance Manager is the starting point for this process. You can use this software to understand all the settings and then export them into a Group Policy that can be used to harden the Operating System. Once you have a policy set up, you need to maintain that posture using Desired State management and Continuous Monitoring:
- Using Group Policy is the best method to ensure the settings are applied to all servers. You can also use System Center Configuration Manager Desired State management and Puppet to monitor and alert on these settings.
- Or you could use something like http://www.deepfreeze.com.au/download.html
- Another option for Application Servers is to use OS streaming like Citrix PVS
- Microsoft Creating Steady States – http://technet.microsoft.com/en-us/library/gg176676(v=ws.10).aspx
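As an added example of the "continuous monitoring" step (this script is not from the original post or from any Microsoft tool), the following PowerShell drift check exports the effective local security policy with secedit, parses it, and compares a handful of settings plus a few LSA registry values against a small baseline table. The expected values in the tables are assumptions for illustration only; in practice they come from your Security Compliance Manager export.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the server under test. Baseline values below are ASSUMED for
# illustration; replace them with the values from your own SCM/GPO baseline.

$Baseline = @{
    # "<secedit INF section>\<key>" = expected value
    'System Access\MinimumPasswordLength' = 14
    'System Access\PasswordComplexity'    = 1
    'System Access\LockoutBadCount'       = 5
    'System Access\LockoutDuration'       = 15
}
$RegistryBaseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash';              Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LimitBlankPasswordUse'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous';     Expected = 1 }
)

# Export the effective local security policy to an INF file and parse it
# into a "<section>\<key>" -> value table.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $inf /quiet | Out-Null
$section = ''
$policy  = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $policy["$section\$($Matches[1])"] = $Matches[2].Trim() }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Collect every setting whose live value differs from the baseline.
$drift = @()
foreach ($key in $Baseline.Keys) {
    $actual = $policy[$key]
    if ("$actual" -ne "$($Baseline[$key])") {
        $drift += [pscustomobject]@{ Setting = $key; Expected = $Baseline[$key]; Actual = $actual }
    }
}
foreach ($r in $RegistryBaseline) {
    $actual = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).$($r.Name)
    if ("$actual" -ne "$($r.Expected)") {
        $drift += [pscustomobject]@{ Setting = "$($r.Path)\$($r.Name)"; Expected = $r.Expected; Actual = $actual }
    }
}

# A non-zero exit code lets a scheduled task or an SCCM/DSC compliance item alert on drift.
if ($drift.Count -eq 0) { Write-Output 'COMPLIANT: no drift from baseline'; exit 0 }
$drift | Format-Table -AutoSize
exit 1
```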
Once you have the base policy using the above methods, you need to run two types of scanners on your base OS. The first is a Security Scanner run against your OS; make adjustments as required. The other one I recommend is a tool to check and update all the software on the base OS image. A key tool to use is Nessus, which can be configured to scan and alert on items for PCI compliance, etc.
The following three tools are required to create a solid secure SOE. These tools are NIST Security Content Automation Protocol (SCAP 1.2) Validation approved tools:
- Microsoft Security Baseline Scanner – http://www.microsoft.com/en-au/download/details.aspx?id=7558
- Secunia Software Inspector
- Tripwire SecureCheq – https://www.tripwire.com/free-tools/securecheq/
- Nessus Scanner – http://www.tenable.com/tips/enabling-the-compliance-checks-with-nessus
** You cannot create a secure, hardened OS without a Security Scanner.
Implement OS Encryption
Install Microsoft Enhanced Mitigation Experience Toolkit https://technet.microsoft.com/en-us/security/jj653751
Here is a link to my own SOE settings – https://virtualizationandstorage.wordpress.com/2014/01/16/windows-2012-r2-soe/