Microsoft has released version 4 of its Common Configuration Identifiers and Baseline Rules. These identifiers are the input for the baselines that reside in Azure Security Center. The baselines can be found here.
In this post I will explain how to get a Windows Server 2016 VM compliant with the fourth version of the baseline used by Azure Security Center.
Azure Security Center Common Configuration Identifiers and Baseline Rules v4
Microsoft has published a new set of baseline rules that are used in Azure Security Center. They gave this the name ‘version four’, which sounds logical because the previous one was version three ;). The biggest change in this version is the list of rules for Windows Server 2016. In version three these were not in the list; as of now, everybody can download and see the baseline rules that Microsoft checks for a VM that is hooked up to Azure Security Center.
In my previous post, which can be found here, I mentioned that the baseline rules checked within Azure Security Center are all given a CCEID. When opening the fourth version of the baseline rules, there are some rules that have no CCEID and are listed as NOT_ASSIGNED instead. Of the 131 rules in the list for Windows Server 2016, 19 are listed as NOT_ASSIGNED. I interpret these rules as add-ons to the standard CCE rules, provided by Microsoft as guidance to secure your environment even better.
As mentioned before, there are 131 rules that are checked for compliance in the new version of the ASC CCI rule set. So the moment I came home and the lights were already out outside, I began to install a clean Windows Server 2016 image from the Azure Marketplace and added it to ASC. After the VM deployment with source image / WindowsServer / 2016-Datacenter / 2016.127.20180220, it had 56 configuration items that needed attention. The recommendations tell you to get compliant by applying a GPO setting on each VM. What I did instead was create a GPO on a domain controller, so it can be distributed to domain-joined VMs. It can also be distributed to non-domain-joined VMs with the tool LGPO.exe. How I did this can be found in one of my previous posts, which can be found here.
To make it easier for everybody, I have uploaded the GPOs that I created to GitHub and will keep them there. My repository can be found here.
To get a Windows Server 2016 VM compliant (except for one rule, discussed below), the following PowerShell script installs a custom script extension that executes the PowerShell script in my repo.
In this blog post I have explained how to get compliant with the latest Microsoft baseline used for Azure Security Center. This guide gets you 99% compliant. The rule with CCEID “CCE-37954-5” requires you to configure ‘Deny access to this computer from the network’ with the expected value: Guests, Local account. The first expected value, Guests, sounds logical; the second, Local account, blocks inbound connections from the network for all local accounts. This is a logical setting on a domain-joined VM, but not on a non-domain-joined VM. I have provided Microsoft with feedback regarding this.
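As an added example (not a script from the original post or its repository), the following PowerShell function audits the user right behind CCE-37954-5 on the local machine: it exports the effective local security policy with secedit, checks whether both Guests and Local account are assigned to ‘Deny access to this computer from the network’, and reports whether the machine is domain-joined so you can judge whether the Local account entry fits your VM. The temporary export path is an assumption.

```powershell
# Added example: audit CCE-37954-5 ("Deny access to this computer from the network").
# Expected by the ASC v4 baseline: Guests and Local account. Run elevated, because
# secedit /export requires administrative rights.
function Get-DenyNetworkLogonCompliance {
    # Well-known SIDs for the two accounts the baseline expects.
    $expected = @{
        'S-1-5-32-546' = 'Guests'
        'S-1-5-113'    = 'Local account'
    }

    # Export only the user-rights area of the effective local policy (path is an assumption).
    $exportPath = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit.exe /export /cfg $exportPath /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $exportPath | Where-Object { $_ -match '^SeDenyNetworkLogonRight' }
    Remove-Item $exportPath -ErrorAction SilentlyContinue

    # secedit writes the right as "SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-113";
    # the line is absent entirely when nobody is assigned.
    $assigned = @()
    if ($line) {
        $assigned = @((($line -split '=', 2)[1]).Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }

    # Names of the expected accounts that are not (yet) denied network logon.
    $missing = @($expected.Keys | Where-Object { $assigned -notcontains $_ } |
        ForEach-Object { $expected[$_] })

    [pscustomobject]@{
        CCEID        = 'CCE-37954-5'
        Setting      = 'Deny access to this computer from the network'
        AssignedSids = $assigned
        Missing      = $missing
        Compliant    = ($missing.Count -eq 0)
        # On a non-domain-joined VM, denying Local account blocks all remote
        # administration with local credentials; weigh that before applying it.
        DomainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    }
}

Get-DenyNetworkLogonCompliance | Format-List
```

A result with Compliant = False and DomainJoined = False is exactly the case the post describes: the remaining gap is the Local account entry, which you may reasonably choose not to apply on a standalone VM.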
Stay tuned for new updates and other GPOs for Server 2012 R2 and scripts for Linux.