Implementing a baseline

Once you have decided which baseline controls to use within your organization, you need to review the controls, deploy them throughout your organization, and build them into your processes moving forward.

CIS

If you opt to move forward with CIS benchmarks, you will need to download the checklists and customize them for your specific needs. CIS also offers hardened images for purchase, which provide an easier deployment.

To download the latest CIS benchmarks, follow these steps:

  1. Open a browser and navigate to https://www.cisecurity.org/.
  2. Click on Cybersecurity Tools.
  3. Click on Download under CIS Benchmarks.
  4. Enter the required information, agree to the terms, then click on Get Free Benchmarks Now:

    Figure 2.6 – The CIS Benchmarks download page.

  5. Go to your mailbox and look for an email from CIS (check your Junk email folder too).
  6. Open the email and click on Access PDFs. You will be provided with a list of all the available CIS benchmarks in PDF format.
  7. Scroll down and you will see the Windows Server benchmarks:

    Figure 2.7 – The CIS benchmarks PDF

  8. Keep scrolling down and you will also see the Azure benchmarks:

    Figure 2.8 – The CIS benchmarks PDFs

  9. In addition, there are many more Windows-specific benchmarks for specific roles, such as IIS, SQL, Exchange, and so on.
  10. Once you have downloaded the PDFs, follow and implement the recommendations in them to strengthen your systems.

    Tip

    Visit the following link to access the CIS hardened images that map back to the CIS benchmarks: https://www.cisecurity.org/cis-hardened-images/.

Next, let's look at using the Microsoft SCT to download baselines for Windows.

Microsoft SCT

If you go down the Microsoft route with Windows security baselines, Microsoft provides a repository of resources that can be downloaded to implement a baseline. To download these resources, follow these steps:

  1. Browse to https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10.
  2. Scroll down and click on download the tools.
  3. Click Download:

    Figure 2.9 – Microsoft SCT 1.0 download

  4. Select the desired versions or click on the box next to the filename to select them all.
  5. Click Next. You will receive all the toolkits in .zip format.

Downloading the toolkit referenced in the preceding steps will provide you with everything you need to deploy the recommended baselines from Microsoft. The following screenshot provides a quick overview, in Excel format, of the baseline settings that can be deployed using the GPOs provided within the toolkit. Notice that Microsoft provides separate settings not just for Windows 10 but also for a member server versus a Domain Controller (DC) server, providing additional settings specifically for your DCs. Also, if you look at the bottom of the spreadsheet, you will see the different categories that the strengthening is being applied to:

Figure 2.10 – The MS Security Baseline Windows 10 v1909 and Server v1909.xlsx spreadsheet

The referenced spreadsheet is MS Security Baseline Windows 10 v1909 and Server v1909.xlsx, found in the Windows 10 version 1909 and Windows Server version 1909 security baseline .zip file downloaded in the preceding steps. Chapter 8, Administration and Remote Management, Chapter 9, Keeping Your Windows Client Secure, and Chapter 10, Keeping Your Windows Server Secure, will provide more details on the implementation of security controls.
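
As an added example (not from the book or from Microsoft's toolkit), the following PowerShell lists the GPO backups found in an extracted baseline package, so you can see which policy objects (Windows 10, member server, DC) it contains before testing them. It assumes the backups use the standard Group Policy backup layout with a bkupInfo.xml manifest in each backup folder; the function name Get-BaselineGpoInventory and the sample folder, IDs, and GPO names are constructed for illustration.

```powershell
# Added example: inventory the GPO backups in an extracted baseline package.
# Assumption: each backup folder holds a bkupInfo.xml manifest (GPO backup format).
function Get-BaselineGpoInventory {
    param([Parameter(Mandatory)][string]$Path)
    # -Force is needed because bkupInfo.xml is often marked hidden in GPO backups.
    Get-ChildItem -Path $Path -Filter 'bkupInfo.xml' -Recurse -File -Force |
        ForEach-Object {
            $doc = New-Object System.Xml.XmlDocument
            $doc.Load($_.FullName)
            $root = $doc.DocumentElement
            # local-name() sidesteps the manifest's default XML namespace.
            $name = $root.SelectSingleNode("*[local-name()='GPODisplayName']")
            $id   = $root.SelectSingleNode("*[local-name()='ID']")
            [pscustomobject]@{
                DisplayName = if ($name) { $name.InnerText } else { '(missing)' }
                BackupId    = if ($id) { $id.InnerText } else { $_.Directory.Name }
                Folder      = $_.Directory.FullName
            }
        } | Sort-Object DisplayName
}

# Constructed sample data so the function can be tried offline.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'baseline-sample'
$backups = @{
    '{11111111-1111-1111-1111-111111111111}' = 'Sample - Member Server'
    '{22222222-2222-2222-2222-222222222222}' = 'Sample - Domain Controller'
}
foreach ($id in $backups.Keys) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $sample $id) -Force
    @"
<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest">
  <ID><![CDATA[$id]]></ID>
  <GPODisplayName><![CDATA[$($backups[$id])]]></GPODisplayName>
</BackupInst>
"@ | Set-Content -Path (Join-Path $dir.FullName 'bkupInfo.xml') -Encoding UTF8
}

Get-BaselineGpoInventory -Path $sample | Format-Table -AutoSize
```

To run it against a real download, pass the folder where you extracted the baseline .zip file as -Path instead of the sample folder.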

Tip

Microsoft SCT also provides additional details on the available tools to more efficiently manage your Windows baselines. You can find these details at https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10.

It is highly recommended that you thoroughly test any configuration changes from newly released baselines first and then ease them into production. In addition, ensure any changes go through your change control process for tracking and to offer transparency to your business.

Next, let's recap what we have covered in this chapter by providing a checklist of best practices that will help when building a security framework and implementing your baselines.