How to implement the ASD Essential 8 via Group Policy

The Australian Signals Directorate (ASD), an Australian Government department, publishes a list of mitigation strategies used to help protect IT systems against security risks. This list is called the “ASD Essential 8”. While it is produced by an Australian Government department, it is an excellent starting point for securing any organisation's or government's IT assets. The really great thing about this list is that all of its items can be at least partially implemented via Group Policy, and the documentation ASD provides gives explicit examples of the policy settings that should be implemented.

It also happens that over the years I have published a number of articles that go into detail on how to actually implement some of these items via Group Policy. So below I go through a summary of the Essential 8 and link to my own and other posts on how to actually implement these configurations.

Application whitelisting

Since Windows 7, AppLocker has been the main way that admins can blacklist or whitelist applications. It is provided out of the box, and there is a relatively simple UI in GPMC that allows you to configure which programs are allowed to run. Specifically, the guidelines call out that “the use of cryptographic hashes, publisher certificates (combining both publisher names and product names), absolute paths and parent folders are all considered suitable if implemented correctly,” which is exactly how AppLocker defines which applications may run.

On my site I have two main articles about AppLocker. The first is the How to Disable Application using AppLocker post, which shows you how to block an example application (Chrome), and the other is my AppLocker Troubleshooting guide, which covers the common reasons why AppLocker does not work.

In this case AppLocker is probably the system of choice for implementing this: it's free, out of the box, and has a wide range of options for blocking applications.
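Before switching an AppLocker rule collection from “Audit only” to “Enforce rules” it pays to check what the effective policy would actually do. The following is an added example, not code from the original post: it dry-runs the executables in a folder against the policy in effect and then lists the audited or blocked events AppLocker has already logged. The Downloads folder and the seven-day window are sample choices.

```powershell
# Added example (not from the original post): dry-run the executables in a folder against the
# AppLocker policy currently in effect, then list what AppLocker has actually audited or
# blocked. Needs the built-in AppLocker module; run it elevated on a domain-joined client.
Import-Module AppLocker

function Test-FolderAgainstAppLocker {
    param(
        # Folder whose executables to evaluate; the Downloads folder is just a sample choice.
        [string]$Folder = "$env:USERPROFILE\Downloads",
        # Account or group the rules are evaluated for.
        [string]$User = 'Everyone'
    )
    # -Effective merges the local policy with the GPO-delivered AppLocker rules.
    $policy = Get-AppLockerPolicy -Effective
    $files  = Get-ChildItem -Path $Folder -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty FullName
    if (-not $files) { return }
    # Reports Allowed / Denied / DeniedByDefault per file plus the rule that matched,
    # without enforcing anything, so it is safe to run while rules are in "Audit only".
    Test-AppLockerPolicy -PolicyObject $policy -Path $files -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Event 8003 = would have been blocked (audit mode), 8004 = was blocked (enforce mode).
function Get-AppLockerExeEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -eq 8003) { 'Audit' } else { 'Blocked' } } },
            Message
}

Test-FolderAgainstAppLocker | Format-Table -AutoSize
Get-AppLockerExeEvents      | Format-Table -AutoSize
```

Anything that comes back as DeniedByDefault is not covered by any rule at all, which is the usual cause of a “working” audit policy breaking things once it is enforced.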

Patch applications

For a Microsoft environment, WSUS has long been the go-to product for patching Microsoft products (not just the OS). It supports patching a very wide range of Microsoft applications and gives IT admins control over exactly when and what will be deployed.

The guidance in the ASD article also talks about establishing a priority for deploying patches based on the criticality of the patch.

For example they recommend:

  a. extreme risk: within 48 hours of a patch being released
  b. high risk: within two weeks of a patch being released
  c. moderate or low risk: within one month of a patch being released.

Back in 2011 I wrote a comprehensive post about how to use WSUS to implement a patching strategy for your organisation: http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/

There are certainly other products, such as SCCM (which leverages WSUS), Altiris and many other systems, that can be used to patch your environment. What is important is that you have a method of patching all your third-party applications and not just your Microsoft software. As not a lot of vendors have dedicated patching tools, this may mean you need a way to rapidly deploy newer versions of the apps when they are released. Either way, make sure you have a way to patch ALL your applications (especially Java).
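The ASD timeframes above only help if you can see which approved-but-uninstalled updates have blown their deadline. The following is an added example, not from the original post or from ASD: it maps the ASD risk tiers onto MSRC severity ratings (that mapping is my assumption) and flags overdue updates. The update list is constructed sample data; in practice you would feed it from WSUS (for example Get-WsusUpdate) or your inventory tool.

```powershell
# Added example (not from the original post): apply the ASD patch timeframes to a list of
# updates and flag the ones past their deadline. The mapping of ASD risk tiers to MSRC
# severity ratings is an assumption; adjust it to how your organisation rates risk.
$AsdDeadlines = @{
    'Critical'  = New-TimeSpan -Hours 48   # ASD "extreme risk": within 48 hours
    'Important' = New-TimeSpan -Days 14    # ASD "high risk": within two weeks
    'Moderate'  = New-TimeSpan -Days 30    # ASD "moderate or low risk": within one month
    'Low'       = New-TimeSpan -Days 30
}

function Get-PatchDeadlineStatus {
    param(
        # Objects with Title, MsrcSeverity, ReleaseDate and Installed (bool) properties.
        [Parameter(Mandatory)] [object[]]$Updates,
        [datetime]$Now = (Get-Date)
    )
    foreach ($u in $Updates) {
        $severity = [string]$u.MsrcSeverity
        # Unrated / unknown severity gets the shortest window rather than the longest.
        $window = if ($AsdDeadlines.ContainsKey($severity)) { $AsdDeadlines[$severity] }
                  else { $AsdDeadlines['Critical'] }
        $due = $u.ReleaseDate + $window
        [pscustomobject]@{
            Title     = $u.Title
            Severity  = $severity
            DueBy     = $due
            Installed = [bool]$u.Installed
            Overdue   = (-not $u.Installed) -and ($Now -gt $due)
        }
    }
}

# Constructed sample data, not real updates.
$sample = @(
    [pscustomobject]@{ Title = 'Sample cumulative update'; MsrcSeverity = 'Critical';  ReleaseDate = (Get-Date).AddDays(-3);  Installed = $false }
    [pscustomobject]@{ Title = 'Sample Office update';     MsrcSeverity = 'Important'; ReleaseDate = (Get-Date).AddDays(-10); Installed = $false }
    [pscustomobject]@{ Title = 'Sample driver update';     MsrcSeverity = 'Moderate';  ReleaseDate = (Get-Date).AddDays(-40); Installed = $true  }
)

# The critical sample is overdue (3 days > 48 hours); the others are not.
Get-PatchDeadlineStatus -Updates $sample | Sort-Object DueBy | Format-Table -AutoSize
```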

User application hardening

In this case the ASD talks about ways to harden Microsoft Office 2013, 2016 and Java. However, this just covers common applications that you might have installed and should not be treated as an exhaustive list of applications to secure. For example, if you have Chrome deployed then it can also be secured using the Chrome Group Policy settings.

But if you have applications that are not Group Policy aware, then you might want to consider using third-party GPO tools such as PolicyPak https://www.policypak.com/ to manage all your legacy applications. One added advantage of PolicyPak is that it allows you to easily manage the installed versions of Java on your computers.

Restrict administrative privileges

Local administrator access to computers used to be something that admins gave out like candy to their users. However, for some time now it has been strongly recommended that users are never given local admin permissions, or at the very least that they use separate admin and normal user accounts on their computers.

For a comprehensive article on how to secure the local admin group on your computers, see my post http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

For managing the local admin account on all your computers, also look at another Microsoft tool called Local Admin Password Service (a.k.a. LAPS). This allows you to automatically set a random local admin account password on all your computers and store it in AD, similar to how BitLocker recovery keys are stored. See https://technet.microsoft.com/en-us/mt227395.aspx
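Once the local Administrators group is managed by Group Policy and the built-in account by LAPS, the thing left to do is verify both actually took effect. The following is an added example, not code from the original post or from the LAPS product: it reports unexpected members of the local Administrators group on a set of computers, and lists domain computers on which LAPS has never rotated the password. The approved-member names and the OU are placeholders; the AD and LocalAccounts modules are assumed to be available.

```powershell
# Added example (not from the original post): audit who is in the local Administrators
# group against an approved list, and find computers LAPS has not yet managed.
# Needs the LocalAccounts module on the targets (Windows 10 / Server 2016+) and the
# ActiveDirectory RSAT module locally.
$Approved = @(
    'Administrator',              # built-in local admin, password managed by LAPS
    'CONTOSO\Workstation Admins'  # placeholder domain group that is allowed membership
)

function Get-UnapprovedLocalAdmins {
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [string[]]$ApprovedMembers = $Approved
    )
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                          Name, ObjectClass, PrincipalSource
    } |
    Where-Object {
        # Names come back as COMPUTER\Administrator or DOMAIN\Name, so compare both the
        # full name and the short name against the approved list.
        $short = ($_.Name -split '\\')[-1]
        ($ApprovedMembers -notcontains $_.Name) -and ($ApprovedMembers -notcontains $short)
    }
}

# LAPS stores the next rotation time in ms-Mcs-AdmPwdExpirationTime on the computer object.
# A computer with no value has never had its local admin password set by LAPS.
function Get-ComputersMissingLaps {
    param(
        # Placeholder OU distinguished name to search under.
        [string]$SearchBase = 'OU=Workstations,DC=contoso,DC=local'
    )
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
        Select-Object Name, DistinguishedName
}

# Placeholder computer names.
Get-UnapprovedLocalAdmins -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
Get-ComputersMissingLaps | Format-Table -AutoSize
```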

Patch operating systems

This is pretty much the same as the application patching topic mentioned above. Whether you use WSUS, SCCM, Intune or Windows Update does not really matter, so long as you patch your computers.

If you are using Windows Update natively from Microsoft, you can still control the rollout schedule of new patches and OS updates via the Windows Update for Business Group Policy settings. See http://www.grouppolicy.biz/2015/11/windows-10-1512-admx-out-now/

What is also very important is that if you are implementing a rollout schedule for all your computers based on the importance of the patch, you should also have a pre-defined test strategy. I also go into how to do this in my article http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/

Multi-factor authentication

Multi-factor authentication, also commonly known as two-factor authentication, is commonplace for external access to organisations. While Group Policy is not typically used to implement multi-factor auth, it can still help with it, such as by using Group Policy to automatically deploy certificates to all your workstations. These computer certificates can then be used to authenticate devices connecting in via IPsec. For a guide on how to set up automatic computer and user certificate enrolment see https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

While not Group Policy related, you might also want to consider having multi-factor authentication implemented in conjunction with tools like CyberArk so that your internal highly privileged accounts are also kept secure. This helps prevent anyone internally from escalating their privileges by resetting a higher-level admin's password.

Daily backups

While you can't directly implement daily backups via Group Policy, there are a number of Group Policy settings you can use to make sure that end-user data stored on the local computer is saved to the network servers. This then enables you to back up the network servers on a daily basis, thus achieving the goal of daily backups.

The most common way this can be done is to use Windows Folder Redirection and Roaming Profiles to make sure that all the user data is backed up. See http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/

But also, out of the box with Windows 10 and available in Windows 7, you can use Work Folders as a way to make sure that the users' work files are synchronised with the back-end file server. See http://www.grouppolicy.biz/2013/07/how-to-setup-work-folder-using-group-policy/
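The weak point of “back up the servers” is any user folder that quietly stayed on the local disk. The following is an added example, not code from the original post: it reads the same per-user registry values that Folder Redirection writes and reports which known folders point at a UNC share (and so are covered by the server backup) and which do not. The set of folder value names is the one Windows uses; no other assumptions are made.

```powershell
# Added example (not from the original post): report which of the current user's known
# folders are redirected to a network share and which still live on the local disk.
# Folder Redirection updates these registry values, so this shows the applied result.
function Get-FolderRedirectionStatus {
    $key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $values = Get-ItemProperty -Path $key

    # Registry value names Windows uses for the folders Folder Redirection can manage.
    $folders = 'Desktop', 'Personal', 'My Pictures', 'My Music', 'My Video',
               'Favorites', 'AppData', 'Start Menu'

    foreach ($name in $folders) {
        $raw = $values.$name
        if (-not $raw) { continue }   # value absent on this build; skip it
        # Values are REG_EXPAND_SZ; expand %USERPROFILE% and friends to a real path.
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        [pscustomobject]@{
            Folder     = $name
            Path       = $path
            Redirected = $path -like '\\*'   # UNC path => data lives on a server share
        }
    }
}

# Anything with Redirected = False is only as safe as the local disk it sits on.
Get-FolderRedirectionStatus | Format-Table -AutoSize
```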

Summary

In summary, the ASD Essential 8 is a great guide that should be used in your organisation. You may already have implemented some of the points, or you might have your own reasons not to carry out some of these items. Either way, it's a great starting point to compare against what you do in your environment to make sure you are secure and stay secure going into the future.

Reference: https://www.asd.gov.au/publications/protect/essential-eight-explained.htm

Remote Server Admin Tools (a.k.a RSAT) for Windows 10 v1803 Redstone 4

Microsoft has released a new version of the Windows 10 Remote Server Admin Tools for builds of Windows 10 17110 or higher. While it was normal practice for Microsoft to release a new RSAT version with every release of a Windows client OS, in recent years they have been releasing these tools less frequently (see http://www.grouppolicy.biz/2017/04/microsoft-will-not-be-releasing-remote-server-admin-tools-rsat-for-windows-10-redstone-2/ ).

While it does not seem like there is much in this new version, I still always recommend that admins run the latest version of RSAT on their computers to ensure the least amount of problems, especially with the Group Policy Management Console.

What’s new:

  • FIXED: DNS server tools are now correctly installed as part of the RSAT package.
  • FIXED: Shielding data files and template disks can now be created by their respective wizards in the RSAT package.
  • KNOWN ISSUE: The x86 RSAT package may fail during installation on Windows 10 builds older than 17110, and on builds other than the 171xx series.

Also note that Microsoft is already moving away from using the RSAT tools for management with a new tool codenamed “Honolulu”. This tool currently only comes with Windows Server 2016 and is a replacement for Windows Server Manager. It's an extensible, PowerShell-based, single-pane management tool that can be used to perform many admin tasks across multiple servers. For an overview of the tool check out the video below…

Security Baseline Template for Windows 10 v1803 Redstone 4 “Draft”

Microsoft is hurtling toward the end of development of the latest version of Windows 10, v1803 (which ironically will be released in April), and as such they have now released the near-final version to the Windows Insider Fast Ring.

In conjunction with this, they have also released a new draft security baseline configuration to be used for securing the OS with recommended settings.

In case you missed it, Microsoft no longer supports the Security Compliance Manager tool and now only releases the security templates as individual ZIP files. The ZIP contains similar information to what the old tool provided, such as the relevant documentation, GPO templates, scripts and even the relevant WMI filters.

Notably, this version also has a new script that allows you to remove the local admin account restrictions from non-domain-joined computers. This is very handy, as the baseline normally denies network access to the local admin account; that is fine for domain-joined computers, but for non-domain-joined computers it makes managing them a lot harder, as there is no other way to remotely access these devices.

So if you are using Windows 10 in your organisation then you will more than likely be upgrading to this version over the next few months. Therefore it would definitely be good to download this template and start testing with it now.

Source: https://blogs.technet.microsoft.com/secguide/2018/03/27/security-baseline-for-windows-10-v1803-redstone-4-draft/

Blocked Site Based GPO due to Blocked SOM

I recently came across a problem applying a site-linked GPO to some Citrix servers, where the GPO was reported as denied with the reason Blocked SOM (see below). For the longest time I could not figure out why the GPO was being blocked. It was then, with some help, that I found out that the computer was in an OU that had Block Inheritance enabled. This means that Windows also blocks site-linked GPOs if the computer is in an OU with inheritance blocked.

This behaviour was confusing to me, as site-based GPOs on the surface seem to have nothing to do with OUs. But this behaviour is exactly as designed, due to the order of precedence in which GPOs are applied (Local, Site, Domain, then OU). As the OU-based policy settings take precedence over the Site, this also means that OU-based blocking takes precedence over site-based GPOs as well.

So if you come across this same problem, there are a number of ways you can work around it:

  1. The obvious one: remove the Block Inheritance on the OU where the computer object is located.
  2. Link the site-based GPO to an OU below the blocked inheritance. If you do this you lose the ability to dynamically apply the settings based on the site the computer is located in, which defeats the purpose of having the GPO linked at the site. But if it is something like a Citrix server, then you'll be able to create a site-based OU (e.g. PAW\SiteName) and link the GPO to the SiteName OU.
  3. You can enable the “Enforced” option on the GPO link so that it ignores the “Block Inheritance” option.
  4. If it is a Group Policy Preference, then you can also use Item Level Targeting to apply the policy only when the computer is in the correct IP address range and/or Site (see below).
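When a site-linked GPO shows up as Blocked SOM, the quickest way to confirm this cause is to walk from the computer object up through its parent OUs and see which one has Block Inheritance set. The following is an added example, not code from the original post: it does that walk with the ActiveDirectory and GroupPolicy RSAT modules and also shows any Enforced links at each level (option 3 above), since those still apply despite the block. The computer name is a placeholder.

```powershell
# Added example (not from the original post): for a computer, list every OU between it and
# the domain root, whether that OU blocks inheritance, and which GPO links there are
# Enforced. A True in InheritanceBlocked explains a site-linked GPO showing "Blocked SOM".
Import-Module ActiveDirectory, GroupPolicy

function Get-BlockingOUs {
    param([Parameter(Mandatory)] [string]$ComputerName)

    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # Drop the leading "CN=<computer>," to get the immediate container, then climb
    # one level at a time until we run out of OUs (the domain root is DC=...).
    $container = $dn -replace '^CN=[^,]+,', ''
    while ($container -match '^OU=') {
        $inh = Get-GPInheritance -Target $container
        [pscustomobject]@{
            Computer           = $ComputerName
            Container          = $container
            InheritanceBlocked = $inh.GpoInheritanceBlocked
            # Enforced links (option 3 in the list above) are applied regardless of the block.
            EnforcedLinksHere  = ($inh.GpoLinks | Where-Object Enforced |
                                     Select-Object -ExpandProperty DisplayName) -join ', '
        }
        $container = $container -replace '^OU=[^,]+,', ''
    }
}

# Placeholder computer name; output is ordered from the computer's own OU up to the top-level OU.
Get-BlockingOUs -ComputerName 'CTX01' | Format-Table -AutoSize
```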

Reference for order of precedence: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/

Thanks to Darren Mar-Elia for helping me figure this one out…


Group Policy Resources for Windows 10 build 1709

Windows 10 a.k.a. Redstone 3, a.k.a. 1709, a.k.a. Fall Creators Update has now been released to the public for download. If you would like to get a copy of the new version early to start testing, you can download the Pro version using the Windows 10 ISO/USB download tool at https://www.microsoft.com/en-au/software-download/windows10 . Alternatively, you can download the images from your MSDN or Volume Licensing web site.

Now normally, with any release of Windows 10, I would go through the new list of Group Policy features. But in this new version of Windows 10 there are no new major (or minor) Group Policy engine changes, meaning that the delivery mechanism of Group Policy has not changed.

But of course, there are many new settings that come with every new version of Windows. So for your easy reference, below is a list of essential references for any Group Policy administrator:

  • Group Policy Settings Reference for Windows and Windows Server – This is a spreadsheet that lists all the new, updated or replaced Group Policy settings in the 1709 build. Just for the record, there are 55 new Group Policy settings in 1709, which you can find easily in this spreadsheet. You can download the spreadsheet here https://www.microsoft.com/en-us/download/details.aspx?id=25250&751be11f-ede8-5a0c-058c-2ee190a24fa6=True .
  • Administrative Templates (.admx) for Windows 10 Fall Creators Update (1709) – This is a downloadable version of the updated ADMX and ADML files that define the new Group Policy settings (see the point above). If you already have a copy of Windows 10 1709 installed, you can find these files in the C:\Windows\PolicyDefinitions folder. In the past you could blindly copy the ADMX/ADML files of the new version of the OS over those of the old version, but since Windows 10 1703 some of the old policy settings have been removed. This will not cause anything to break, but it might show up as undefined settings in the Group Policy Management Console when viewing GPO reports. You can get these files from https://www.microsoft.com/en-gb/download/details.aspx?id=56121
  • Remote Server Admin Tools – Yes… yet another new version of the Remote Server Admin Tools (a.k.a. RSAT) has been released for Windows 10 1709. These tools are essential for anyone performing admin work with a new version of Windows 10 or Windows Server 2016 in their environment. Generally, I always recommend that any Group Policy administrator upgrade their RSAT tools to the latest version ASAP. However, I would note that the Windows Server 2016 1709 release is *ONLY* available as a Server Core image (see https://docs.microsoft.com/en-us/windows-server/windows-server ). This means that if you are going to install the latest version of Windows Server 2016, these new admin tools are essential, as there is no GUI option to install on the server.
  • Security baseline for Windows 10 “Fall Creators Update” – The new 1709 security templates have been added to the Microsoft Security Compliance Toolkit. These provide updated guidance and Group Policy settings that Microsoft recommends be applied to all new Windows 10 computers. The new settings in this security template all revolve around new 1709 features, and details of these changes can be viewed here: Security baseline for Windows 10 “Fall Creators Update” (v1709) – FINA
  • SMB1 Off by Default – While not a Group Policy specific change, I think it is important to note that there are new ADMX settings (see above) that provide a way to disable the SMB1 client and server protocols. These are especially important as SMB1 is disabled in 1709 by default (in some circumstances); see https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-windows-10-and-windows-server-version-1709 . If you have not already disabled SMB1 then it is definitely something to look at ASAP, and Microsoft has also published an SMB1 Clearinghouse list (a.k.a. name and shame list) of vendors that still require SMB1; see SMB1 Product Clearinghouse
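Because SMB1 can be left behind as an installed optional feature, an enabled server setting, or an enabled client driver independently of each other, a single check is not enough before (or after) pushing the new ADMX settings. The following is an added example, not code from the original post: it gathers all three states from a set of computers, and, where SMB1 access auditing is on, lists the clients that still connected with SMB1 so you know what breaks when it is turned off. Computer names are placeholders; it assumes Windows 10 / Server 2016 or later on the targets.

```powershell
# Added example (not from the original post): report SMB1 state from the three places that
# can disagree (optional feature, SMB server setting, SMB1 client driver), and list which
# clients still used SMB1 according to the server's audit log.
function Get-Smb1Status {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        $server  = Get-SmbServerConfiguration
        # mrxsmb10 is the SMB1 client redirector; Start = 4 means the driver is disabled.
        $client  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                                    -Name Start -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            FeatureState      = if ($feature) { [string]$feature.State } else { 'NotPresent' }
            Smb1ServerEnabled = $server.EnableSMB1Protocol
            Smb1AuditEnabled  = $server.AuditSmb1Access
            Smb1ClientStart   = if ($client) { $client.Start } else { 'NotPresent' }
        }
    }
}

# With AuditSmb1Access enabled (Set-SmbServerConfiguration -AuditSmb1Access $true) the server
# logs each SMB1 connection as event 3000 in Microsoft-Windows-SMBServer/Audit; this counts
# the client addresses so you can fix or replace them before SMB1 is removed.
function Get-Smb1Clients {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    } |
        ForEach-Object { if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } } |
        Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
}

# Placeholder computer names.
Get-Smb1Status  -ComputerName 'FS01', 'WS01' | Format-Table -AutoSize
Get-Smb1Clients -ComputerName 'FS01'         | Format-Table -AutoSize
```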