Question

In 2010, I was hired for a Department of Defense (DoD) contract to help deploy the technical assets for the newly formed Air Force Global Strike Command (AFGSC) with Lt. General Klotz in command. The AFGSC mission was to manage the U.S. Air Force (USAF) portion of the U.S. nuclear arsenal. With a newly formed team of 10, the decision was made to split up the team based on our strengths, and I ended up in the lab with someone who was to become one of my very best friends, newly retired Master Sergeant Robert Bills. He is the type of IT guy who does IT for the fun of it. His call sign in the lab was Crazy Talk because sometimes solving the problem was so obvious it was crazy.

When we walked into the lab, the process was to take a Windows XP, Windows Vista, or Windows 7 .iso of an operating system, burn it to a DVD, and image a single machine. After imaging, patching, joining to the domain, adding the appropriate software, and then forcing group policy on the system, it could take 7 to 10 days to get just one machine ready for the end user. Over the next two years, we developed a system using master images, an old 40‐port Cisco switch, and a whole lot of cable to scale down the deployment process to about 45 minutes per machine with a hardened gold image built especially for the division it was intended for.

Some administrators refer to a golden image as a master image that can be used to clone and deploy other devices consistently. System cloning is an effective method of establishing a baseline configuration for your organization. It requires effort and expertise to establish and maintain images for deployment. However, the ability to push a tested and secure system image to your devices can save countless hours per tech refresh. In fact, our images were so good, the other technicians in other divisions would take them to the field to reimage machines that were having issues rather than troubleshoot the problem. It took less time to image them than to fix them.

To start this process in your organization, build an inventory of every server, router, switch, printer, laptop, desktop, and mobile device in your environment that is going to be connected to the network by using some of the tools we have already explored. Ideally, the inventory list should be dynamically and automatically collected. Manually entering an inventory list into a spreadsheet is not scalable and opens up opportunities for human error. This should include the location, hostname, IP address, MAC address, and operating system. For servers, identifying the function and services running on those systems is also helpful.

After you have an inventory of systems, you need to configure the image you will use in the future for all servers and workstations. I have worked with small to medium businesses whose idea of provisioning a laptop for a new user is to order one from New Egg, open the box, hand the new employee the machine, and let him or her set it up. If you accept the default options on a Windows machine, how many vulnerabilities are sitting there out in the open?

Security is about balance. Considering the CIA triad, use caution when securing a workstation. Some organizations lock down their systems so hard they make it difficult for end users to do their job. Some organizations do nothing to preconfigure a system and leave themselves vulnerable. There are a couple of free tools you can use to compare a configuration to a predetermined template.

Microsoft has a Security Configuration and Analysis tool that is free. It is a stand‐alone snap‐in tool that users can add to import one or more saved configurations. Importing configurations builds a specific security database that stores a composite configuration. You can apply this composite configuration to the computer and analyze the current system configuration against the baseline configuration stored in the database. These configurations are saved as text‐based .inf files.

In Lab 12.3 , you'll be adding the Security Configuration and Analysis (SCA) tool to a Microsoft Management Console (MMC).

---

LAB 12.3 : ADDING THE SCA TO THE MMC

1. Open your Microsoft Management Console by going to the Start menu and searching for MMC.
2. Under File, scroll down to Add/Remove Snap In. You will have many choices to add to this customizable console.
3. Navigate down to Security Configuration And Analysis, click to select this tool, and click the Add> button in the middle of the screen (see Figure 12.9 ). Add the Security Template add‐in too.

   

   Figure 12.9 : Building the Security Configuration And Analysis MMC

4. Save the MMC using the Save As button. (As you can see in Figure 12.10 , I have saved this customized MMC as SecurityConfig.) Click the OK button.

   

   Figure 12.10 : Saving the SecurityConfig MMC for future use

5. On the left side of the screen, find the Security Templates snap‐in and use the arrow to open each menu through the console tree. When you get to the template path, right‐click the path. Choose the New Template command from the shortcut menu. When prompted, enter a name for the template that you are creating. You can see what the newly created template looks like in Figure 12.11 . Drill down into each policy to configure appropriate settings for your environment.

   

   Figure 12.11 : Configuring the test security template's Maximum Password Age policy

---

If you are unsure of what the settings should be, next to the configuration window there is an Explain tab. It will go into details about why this is a feature you can change and what your options are. As you see in Figure 12.12 , there is an explanation for why we change our passwords every 30 to 90 days. You also see that the default is 42. Someone at Microsoft has a sense of humor or likes to read. If you have ever read The Hitchhikers Guide to the Galaxy, you know the answer to the universe is 42.

Figure 12.12 : Microsoft explanation of password‐policy best practices

You can also configure and see explanations and guidance for the following:

• Account Policies—settings for password and account lockout policy
• Event Logs—manage controls for Application, System, and Security events
• File Systems—manage file and folder permissions
• Local Policies—user rights and security options
• Registry—permission for registry keys
• System Services—manage startup and permission for services

You can use the Security Configuration And Analysis tool to configure a computer or to analyze a computer. For an established Windows machine, you will want to perform an analysis. To do so, right‐click the Security Configuration And Analysis option, and select the Analyze Computer Now command from the shortcut menu. When prompted, enter the desired log file path, and click OK.

You can compare the template settings against the computer's settings. As you analyze the comparison, pay attention to the icons associated with the policy setting. A green icon indicates that the setting is defined within the template, and the PC is compliant with that setting. A gray icon indicates that the setting is undefined in the template, and a red icon indicates that the setting is defined within the template, but the machine is not compliant.

As stated earlier, a security template is a plain‐text file that takes an .inf extension. This means it's possible to copy, edit, and manipulate security templates using nothing more than a text editor. It is better to work from an existing template file. So, always begin working on security templates by opening an existing template; then always use the Save As command to save it under a new name. If you use the Save command but find you have made a mistake in the configuration, you have nothing to restore. From experience, it is much easier to save the original and change the next template to keep working templates working and leave default templates in a restorable state.

In Lab 12.4 , you'll be analyzing a system with a configuration .inf file.

---

LAB 12.4 : COMPARING A HOST TO AN .INF FILE

1. Open the Microsoft Management Console you created in Lab 12.3 .
2. Click the Security Configuration And Analysis option under Console Root. In the middle workspace, you see the instructions for opening an existing database or how to create a new one, as shown in Figure 12.13 .

   

   Figure 12.13 : Opening or creating a new database

3. Right‐click the Security Configuration And Analysis action in the right panel and select Open Database.
4. Type in a new database name and click Open in the Import Template dialog box. Select the template you modified in Lab 12.3 and then click Open (see Figure 12.14 ).

   

   Figure 12.14 : Opening the template created in Lab 12.3 with modifications

5. To analyze your system and compare the new .inf file to your existing system, right‐click Security Configuration And Analysis and choose Analyze System Now in the Management Console. You also have the option of configuring the system to the .inf file. The log file should display automatically, showing what was reconfigured successfully.

---

Microsoft also has a Security Configuration Toolkit, published in late 2018, that offers the ability to compare current group policies with a Microsoft‐recommended Group Policy or other baselines, edit them, and store them. As you see in Figure 12.15 , the toolkit is available to download. Currently supported operating systems include Windows 10, Windows 8.1, Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.

Figure 12.15 : Microsoft Security Compliance Toolkit 1.0

Now that you have the asset configured with all the proper policies and patched, it is time to prepare it for cloning.