• This repository has been archived on 14/Jun/2023
  • Stars
    star
    1,538
  • Rank 30,420 (Top 0.6 %)
  • Language
    HTML
  • License
    Other
  • Created over 8 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber

Windows Secure Host Baseline

About the Windows Secure Host Baseline

The Windows Secure Host Baseline (SHB) provides an automated and flexible approach for assisting the DoD in deploying the latest releases of Windows 10 using a framework that can be consumed by organizations of all sizes.

The DoD CIO issued a memo on November 20, 2015 directing Combatant Commands, Services, Agencies and Field Activities (CC/S/As) to rapidly deploy the Windows 10 operating system throughout their respective organizations with the objective of completing deployment by the end of January 2017. The Deputy Secretary of Defense issued a memo on February 26, 2016 directing the DoD to complete a rapid deployment and transition to Microsoft Windows 10 Secure Host Baseline by the end of January 2017.[1]

Formal product evaluations also support the move to Windows 10. The National Information Assurance Partnership (NIAP) and National Institute of Standards and Technology (NIST) oversees evaluations of commercial IT products for use in National Security Systems.

Using a Secure Host Baseline is one of NSA Information Assurance top 10 mitigation strategies. The DoD Secure Host Baseline also exemplifies other IAD top 10 mitigation strategies such as using application whitelisting, enabling anti-exploitation features, and using the latest version of the operating system and applications.

About this repository

This repository hosts Group Policy objects, compliance checks, and configuration tools in support of the DoD Secure Host Baseline (SHB) framework for Windows 10. Administrators of National Security Systems, such as those who are part of the Defense Industrial Base, can leverage this repository in lieu of access to the DoD SHB framework for Windows 10 which requires a Common Access Card (CAC) or Personal Identification Verification (PIV) smart card to access.

Questions or comments can be submitted to the repository issue tracker or posted on Windows 10 Secure Host Baseline project forums on Software Forge which requires a CAC or PIV smart card to access.

Repository content

Group Policy Objects

Scripts and tools

Scripts for aiding users with the SHB are located in the Scripts sub folders of each component. Scripts available for use so far:

Compliance checks

Nessus (aka ACAS in the DoD) audit files are included in this repository. Compliance checks are available for:

Instructions for running the compliance checks in a domain or standalone environment can be found on the Compliance page.

Getting started

To get started using the tools:

  1. Download the repository as a zip file
  2. Configure PowerShell
  3. Load the code
  4. Apply the policies
  5. Check compliance

Downloading the repository

Download the current code to your Downloads folder. It will be saved as Windows-Secure-Host-Baseline-master.zip by default.

Configuring the PowerShell environment

The PowerShell commands are meant to run from a system with at least PowerShell 3.0 installed. PowerShell may need to be configured to run the commands.

Changing the PowerShell execution policy

Users may need to change the default PowerShell execution policy. This can be achieved in a number of different ways:

  • Open a command prompt and run powershell.exe -ExecutionPolicy Unrestricted and run scripts from that PowerShell session.
  • Open a PowerShell prompt and run Set-ExecutionPolicy Unrestricted -Scope Process and run scripts from the current PowerShell session.
  • Open an administrative PowerShell prompt and run Set-ExecutionPolicy Unrestricted and run scripts from any PowerShell session.

Unblocking the PowerShell scripts

Users will need to unblock the downloaded zip file since it will be marked as having been downloaded from the Internet which PowerShell will block from executing by default. Open a PowerShell prompt and run the following commands to unblock the PowerShell code in the zip file:

  1. cd $env:USERPROFILE
  2. cd Downloads
  3. Unblock-File -Path '.\Windows-Secure-Host-Baseline-master.zip'

Running the PowerShell scripts inside the zip file without unblocking the file will result in the following warning:

Security warning Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\users\user\Downloads\script.ps1? [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):

If the downloaded zip file is not unblocked before extracting it, then all the individual PowerShell files that were in the zip file will have to be unblocked. You will need to run the following command after Step 5 in the Loading the code section:

Get-ChildItem -Path '.\Windows-Secure-Host-Baseline' -Recurse -Include '*.ps1','*.psm1' | Unblock-File -Verbose

See the Unblock-File command's documentation for more information on how to use it.

Loading the code

Now extract the downloaded zip file and load the PowerShell code used for apply the policies.

  1. Right click on the zip file and select Extract All
  2. At the dialog remove Windows-Secure-Host-Baseline-master from the end of the path since it will extract the files to a Windows-Secure-Host-Baseline-master folder by default
  3. Click the Extract button
  4. Rename the Windows-Secure-Host-Baseline-master folder to Windows-Secure-Host-Baseline
  5. Open a PowerShell prompt as an administrator
  6. Import the Group Policy PowerShell module to load the code into the PowerShell session: Import-Module -Name .\Windows-Secure-Host-Baseline\Scripts\GroupPolicy.psm1

Applying the policies

The Invoke-ApplySecureHostBaseline command found in the Group Policy PowerShell module is the main command for applying policies. By default this command will:

  • Import both Computer and User policies. Use the -PolicyScopes option and specify only the 'User' or 'Computer' value to import only User or Computer policies.
  • Import policies, that have an audit option (e.g. AppLocker), in audit mode. To import those policies in enforcement mode, use the -PolicyMode option and specify the 'Enforced' value.
  • Make a backup copy of existing imported SHB Group Policy objects (and Group Policy templates if the -UpdateTemplates option is used) if they exist. The backups will be in a directory located at %UERPROFILE%\Desktop\Backup_yyyyMMddHHmmss corresponding to the time when the command was executed. To change this location use the -BackupPath option and specify a path to an existing folder where the Backup_yyyyMMddHHmmss will be created.
  • not update the Group Policy template files that correspond to the applied Group Policy objects. Use the -UpdateTemplates option to update the Group Policy templates.

Options for the command are:

  • -Path - Required. The path to the folder containing the downloaded and extracted GitHub SHB repository.
  • -PolicyNames - Required. The names of the policies to apply. Can be 1 or more policy names. Available names: 'ActivClient', 'Adobe Reader', 'AppLocker', 'Certificates', 'Chrome', 'Internet Explorer', 'Office 2013', 'Office 2016', 'Windows', 'Windows Firewall'.
  • -PolicyScopes - Optional. The scope of the policies to apply. Available scopes: 'Computer', 'User'. Defaults to 'Computer','User'.
  • -PolicyType - Optional. The type of policies to apply. Available types: 'Domain', 'Local'. Defaults to 'Domain' when joined to a domain. Defaults to 'Local' when not joined to a domain.
  • -PolicyMode - Optional. The mode of policies to apply, if supported by the specific policy. For example, AppLocker supports audit and enforcement modes. Available modes: 'Audit', 'Enforced'. Defaults to 'Audit'.
  • -BackupPath - Optional. The path to a folder to save backups of existing imported SHB Group Policy objects (and Group Policy templates if the -UpdateTemplates option is used) if they exist in case a rollback is needed. Defaults to $env:USERPROFILE\Desktop\Backup_yyyyMMddHHmmss corresponding to when the script was executed.
  • -ToolPath - Optional. The path to the LGPO tool. Required when PolicyType is 'Local'.
  • -UpdateTemplates - Optional. Update Group Policy templates that correspond to the applied Group Policy objects.

Type man Invoke-ApplySecureHostBaseline at a PowerShell prompt for more help and examples or submit a question to the repository issue tracker.

Applying the SHB policies to a standalone system

If applying the SHB policies to a standalone system (e.g. not joined to a domain), then download the LGPO tool from this Microsoft blog post and extract the executable.

Invoke-ApplySecureHostBaseline -Path '.\Windows-Secure-Host-Baseline' -PolicyNames 'Adobe Reader','AppLocker','Certificates','Chrome','Internet Explorer','Office 2013','Office 2016','Windows','Windows Firewall' -ToolPath '.\LGPO\lgpo.exe'

Applying the SHB policies to a domain

If applying the SHB policies to a domain, note that the Group Policy objects are only loaded into Active Directory. The policies are not linked to any OUs so the settings do not automatically take affect.

Invoke-ApplySecureHostBaseline -Path '.\Windows-Secure-Host-Baseline' -PolicyNames 'Adobe Reader','AppLocker','Certificates','Chrome','Internet Explorer','Office 2013','Office 2016','Windows','Windows Firewall'

Checking compliance

Once the policies have been applied (and linked to appropriate OUs in the domain case), see the Compliance page for instructions on how to check compliance to the policies.

License

See LICENSE.

Disclaimer

See DISCLAIMER.

More Repositories

1

WALKOFF

A flexible, easy to use, automation framework allowing users to integrate their capabilities and devices to cut through the repetitive, tedious tasks slowing them down. #nsacyber
Python
1,191
star
2

goSecure

An easy to use and portable Virtual Private Network (VPN) system built with Linux and a Raspberry Pi. #nsacyber
Python
971
star
3

Mitigating-Web-Shells

Guidance for mitigation web shells. #nsacyber
YARA
951
star
4

GRASSMARLIN

Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber
Java
910
star
5

Event-Forwarding-Guidance

Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. #nsacyber
PowerShell
840
star
6

Hardware-and-Firmware-Security-Guidance

Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance. #nsacyber
C
748
star
7

ELITEWOLF

OT security monitoring #nsacyber
560
star
8

Windows-Event-Log-Messages

Retrieves the definitions of Windows Event Log messages embedded in Windows binaries and provides them in discoverable formats. #nsacyber
C#
392
star
9

Mitigating-Obsolete-TLS

Guidance for mitigating obsolete Transport Layer Security configurations. #nsacyber
PowerShell
269
star
10

nsacyber.github.io

NSA Cybersecurity. Formerly known as NSA Information Assurance and the Information Assurance Directorate
PowerShell
257
star
11

AppLocker-Guidance

Configuration guidance for implementing application whitelisting with AppLocker. #nsacyber
PowerShell
204
star
12

Pass-the-Hash-Guidance

Configuration guidance for implementing Pass-the-Hash mitigations. #nsacyber
PowerShell
196
star
13

HIRS

Trusted Computing based services supporting TPM provisioning and supply chain validation concepts. #nsacyber
Java
171
star
14

simon-speck

The SIMON and SPECK families of lightweight block ciphers. #nsacyber
167
star
15

unfetter

Identifies defensive gaps in security posture by leveraging Mitre's ATT&CK framework. #nsacyber
163
star
16

Control-Flow-Integrity

A proposed hardware-based method for stopping known memory corruption exploitation techniques. #nsacyber
C
152
star
17

BAM

The Binary Analysis Metadata tool gathers information about Windows binaries to aid in their analysis. #nsacyber
Python
146
star
18

WALKOFF-Apps

WALKOFF-enabled applications. #nsacyber
YARA
141
star
19

Maplesyrup

Assesses CPU security of embedded devices. #nsacyber
C
140
star
20

RandPassGenerator

A command-line utility for generating random passwords, passphrases, and raw keys. #nsacyber
Java
118
star
21

BitLocker-Guidance

Configuration guidance for implementing BitLocker. #nsacyber
HTML
113
star
22

Certificate-Authority-Situational-Awareness

Identifies unexpected and prohibited certificate authority certificates on Windows systems. #nsacyber
PowerShell
107
star
23

netfil

A kernel network manager with monitoring and limiting capabilities for macOS. #nsacyber
C
103
star
24

LOCKLEVEL

A prototype that demonstrates a method for scoring how well Windows systems have implemented some of the top 10 Information Assurance mitigation strategies. #nsacyber
JavaScript
99
star
25

HTTP-Connectivity-Tester

Aids in discovering HTTP and HTTPS connectivity issues. #nsacyber
PowerShell
96
star
26

Splunk-Assessment-of-Mitigation-Implementations

Automatically scores how well Windows systems have implemented some of the top 10 Information Assurance mitigation strategies. #nsacyber
Python
72
star
27

netman

A userland network manager with monitoring and limiting capabilities for macOS. #nsacyber
C
71
star
28

serial2pcap

Converts serial IP data, typically collected from Industrial Control System devices, to the more commonly used Packet Capture (PCAP) format. #nsacyber
Python
65
star
29

PRUNE

Logs key Windows process performance metrics. #nsacyber
C#
62
star
30

paccor

The Platform Attribute Certificate Creator can gather component details, create, sign, and validate the TCG-defined Platform Credential. #nsacyber
Java
53
star
31

Blocking-Outdated-Web-Technologies

Guidance for blocking outdated web technologies. #nsacyber
PowerShell
51
star
32

Detect-CVE-2017-15361-TPM

Detects Windows and Linux systems with enabled Trusted Platform Modules (TPM) vulnerable to CVE-2017-15361. #nsacyber
PowerShell
49
star
33

Driver-Collider

Blocks drivers from loading by using a name collision technique. #nsacyber
C
45
star
34

simon-speck-supercop

Fast implementations of the SIMON and SPECK lightweight block ciphers for the SUPERCOP benchmark toolkit. #nsacyber
C
43
star
35

Cyber-Challenge

Supporting files for cyber challenge exercises. #nsacyber
Jupyter Notebook
39
star
36

Chinese-State-Sponsored-Cyber-Operations-Observed-TTPs

Supporting files for the Chinese State-Sponsored Cyber Operations: Observed TTPs Cybersecurity Advisory. #nsacyber
34
star
37

AtomicWatch

Intel Atom C2000 series discovery tool that parses log files and returns results if a positive match is found. #nsacyber
Python
25
star
38

CodeGov

Creates a code.gov code inventory JSON file based on GitHub repository information. #nsacyber
PowerShell
22
star