As mentioned in my other blogs, Center for Internet Security (CIS) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organisations against cyber threats. This non-profit entity have created a lot of baselines or benchmark as they like to call it that can be applied to resources, for example the CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark. In this blog I will explain how i create the CIS DSC resource for Windows Server 2016 Member Server Level 1.
To get the CIS benchmark applied to a IAAS workload there are several options:
- Use the pre-defined CIS Azure marketplace item.
- Use a custom script extension, for example the one that can be found here.
- Use the DSC configuration that I have created and explained in this blog post.
If a company chooses to use DSC for configuration management and you want to get the companies IaaS workloads hardened. I will explain how to get a IaaS workload based on Windows Server 2016 compliant with the CIS bench mark using DSC.
First of all, to test the configuration you are building you shoud do this on your laptop using Hyper-V with console access, in case you lock yourself out. Happened to me a couple of times. Before testing the config it is good create a checkpoint to be able to revert to.
In the configuration I end up using 3 DSC modules and a lot of registry settings.
All the modules can be found on the PowerShell gallery (link).
The module NetworkingDsc I use to set the network adapters connection profile (NetConnectionProfile) to ‘Private’. You must change the interface alias referencing the alias your server uses. This module can do a lot more, for example to define the Windows Firewall with rules and do settings on the complete networking stack of Windows. In a later stadium I probably will use this module for replacing parts of the registry.
This module is used to enable audit features. All these settings come from chapter 17 in the CIS Microsoft Windows Server 2016 Benchmark. To get both the setting for Failure and Succes you need to create the setting twice just like the example in the screenshot.
This module enables you to set UserRights assignments and account security options. Currently in the account security options there are two bugs:
- The ability to set “Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM
” is not present, this is reported in this bug.
- The ability to set more than one path in the “Network_access_Remotely_accessible_registry_paths_and_subpaths” setting, this is report in this bug.
The registry part in the DSC config is create by doing a convertion of the GPO that can be downloaded from the CIS website. This convertion does not include Audit, Security and UserRight settings. The convertor I used can be found here. I have imported the GPO on a domain controller using the Group policy management tool and run the ADMXtoDSC tool. The script would not finish succesfull because of two settings for remote assistent. I have removed this setting in the GPO and added them again in the registry part.
Next to executing the DSC config directly on the server my preferred way is to have an Automation Account in Azure. It is very easily created and the VMs can be connected after creation. After creating a Automation Account you have to import the modules that are being used in the configuration. After importing you can import my DSC configuration and compile this config. If you connect you VM workload to this automation account it get complaint and your workload is CIS hardened.
It have cost me a lot of time to create the configuration, but once finished it can be used for a greater audience. My configuration can be found on my github. Since DSC is a perfect way of getting and keeping complaint I will be creating a DSC config to get complaint to the Azure Security Center Common Configuration Identifiers and Baseline Rule to. I earlier created a blog about this baseline here.