CIS Hardening with Desired State Config (DSC)
In this blog post I will explain how to get your Windows Server 2016 workload compliant with the CIS benchmark using Desired State Configuration (DSC).
As mentioned in my other blogs, the Center for Internet Security (CIS) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. This non-profit entity has created a lot of baselines, or benchmarks as they like to call them, that can be applied to resources, for example the CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark. In this blog I will explain how I created the CIS DSC resource for Windows Server 2016 Member Server Level 1.
To get the CIS benchmark applied to an IaaS workload there are several options:
- Use the pre-defined CIS Azure marketplace item.
- Use a custom script extension, for example the one that can be found here.
- Use the DSC configuration that I have created and explained in this blog post.
If a company chooses to use DSC for configuration management and you want to get the company's IaaS workloads hardened, I will explain how to get an IaaS workload based on Windows Server 2016 compliant with the CIS benchmark using DSC.
First of all, test the configuration you are building on your laptop using Hyper-V with console access, in case you lock yourself out. This happened to me a couple of times. Before testing the config it is good to create a checkpoint so you can revert to it.
I use the NetworkingDsc module to set the network adapter's connection profile (NetConnectionProfile) to 'Private'. You must change the interface alias to reference the alias your server uses. This module can do a lot more, for example defining the Windows Firewall rules and configuring the complete networking stack of Windows. At a later stage I will probably use this module to replace parts of the registry configuration.
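As an added illustration (not the configuration from my GitHub), here is a minimal DSC configuration that applies the NetConnectionProfile setting described above plus one CIS Level 1 registry setting through the built-in Registry resource, together with the Hyper-V checkpoint and local test workflow. The interface alias, VM name and output path are assumptions; adjust them for your environment.

```powershell
# Added example, not the author's full CIS configuration.
Configuration CisMemberServerL1Sample {
    param (
        [Parameter(Mandatory)]
        [string] $InterfaceAlias   # assumption: your NIC alias, e.g. 'Ethernet'
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName NetworkingDsc

    Node localhost {
        # NetworkingDsc: move the adapter to the Private profile so the
        # Private firewall rule set applies instead of the Public one.
        NetConnectionProfile PrivateProfile {
            InterfaceAlias  = $InterfaceAlias
            NetworkCategory = 'Private'
        }

        # Built-in Registry resource: require SMB server signing. This is one
        # CIS L1 setting chosen as an illustration; the benchmark lists many more.
        Registry SmbServerSigning {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'RequireSecuritySignature'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
    }
}

# --- On the Hyper-V host: checkpoint first so a lock-out can be reverted ---
Checkpoint-VM -Name 'CIS-Test-2016' -SnapshotName 'Before CIS DSC'   # assumption: VM name

# --- Inside the guest: compile the MOF, apply it, then verify compliance ---
CisMemberServerL1Sample -InterfaceAlias 'Ethernet' -OutputPath 'C:\DSC\CIS'
Start-DscConfiguration -Path 'C:\DSC\CIS' -Wait -Verbose -Force
Test-DscConfiguration -Detailed |
    Select-Object InDesiredState, ResourcesNotInDesiredState
```

If the guest becomes unreachable after Start-DscConfiguration, use the console session or revert to the checkpoint rather than waiting for the LCM to reconverge.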
This module enables you to set user rights assignments and account security options. Currently in the account security options there are two bugs:
Next to executing the DSC config directly on the server, my preferred way is to have an Automation Account in Azure. It is very easily created and VMs can be connected after creation. After creating an Automation Account you have to import the modules that are used in the configuration. After importing them you can import my DSC configuration and compile it. If you connect your VM workload to this Automation Account it becomes compliant and your workload is CIS hardened.
It has cost me a lot of time to create the configuration, but once finished it can be used by a greater audience. My configuration can be found on my GitHub. Since DSC is a perfect way of getting and staying compliant, I will also be creating a DSC config to get compliant with the Azure Security Center Common Configuration Identifiers and Baseline Rules. I earlier wrote a blog about this baseline here.