Hardening Windows 2016 Server based on CIS Benchmarks


Steps to harden a Windows 2016 Server based on the CIS Benchmarks

  1. Install the latest Windows Updates
  2. Download CIS-2016.zip and extract it to C:\CIS
  3. Run C:\CIS\CIS-2016-Install.ps1 with Administrator rights
  4. Run C:\CIS\CIS-2016-PostInstallation.ps1 with Administrator rights
  5. Run C:\CIS\CIS-2016-Firewall.ps1 with Administrator rights
  6. Reboot the Windows 2016 Server and log in as myadmin
  7. Verify with the Nessus Pro Scanner

Apply Policies

Copy the custom policy template files to the local computer and install the Local Administrator Password Solution (LAPS) agent

#Copy ADMX & ADML files to %SystemRoot%\PolicyDefinitions
Get-ChildItem -Path C:\CIS -Filter *.admx | Copy-Item -Destination "$env:SystemRoot\PolicyDefinitions"
Get-ChildItem -Path C:\CIS -Filter *.adml | Copy-Item -Destination "$env:SystemRoot\PolicyDefinitions\en-US"

#Silent install of LAPS (no automatic reboot)
msiexec.exe /i C:\CIS\LAPS.x64.msi /quiet /norestart

Apply the Security, Advanced Audit, Machine and User policies

#Apply Security Template
cmd /c "C:\CIS\LGPO.exe /s C:\CIS\CIS-WIN2016-Security.inf"

#Apply Advanced Audit Policy
cmd /c "C:\CIS\LGPO.exe /ac C:\CIS\CIS-WIN2016-Audit.csv"

#Apply Machines GPO
cmd /c "C:\CIS\LGPO.exe /m C:\CIS\Machine.pol"

#Apply User GPO
cmd /c "C:\CIS\LGPO.exe /u C:\CIS\user.pol"
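The four LGPO.exe calls above apply the policies but give no feedback on failure and leave no way back. The following script is an added example (not part of the CIS-2016 scripts): it exports the current local policy with LGPO's /b backup switch before applying, then applies each file in the order used above and stops on a non-zero exit code. The C:\CIS file names are the ones on this page; the backup folder name and the reliance on LGPO's exit code are assumptions.

```powershell
# Added example: apply the LGPO artefacts from C:\CIS with a local-policy backup
# first and an exit-code check after every step. Not part of the CIS-2016 scripts.
$Lgpo      = 'C:\CIS\LGPO.exe'
$BackupDir = "C:\CIS\Backup-$(Get-Date -Format yyyyMMdd-HHmmss)"   # assumed location

if (-not (Test-Path $Lgpo)) { throw "LGPO.exe not found at $Lgpo" }
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Export the current local policy (LGPO /b <dir>) so the change can be rolled back.
& $Lgpo /b $BackupDir
if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed with exit code $LASTEXITCODE" }

# Switch -> policy file, in the order the page applies them.
$Steps = [ordered]@{
    '/s'  = 'C:\CIS\CIS-WIN2016-Security.inf'   # security template
    '/ac' = 'C:\CIS\CIS-WIN2016-Audit.csv'      # advanced audit policy
    '/m'  = 'C:\CIS\Machine.pol'                # machine policy
    '/u'  = 'C:\CIS\user.pol'                   # user policy
}

foreach ($switch in $Steps.Keys) {
    $file = $Steps[$switch]
    if (-not (Test-Path $file)) { throw "Missing policy file: $file" }
    Write-Host "Applying $file"
    & $Lgpo $switch $file
    if ($LASTEXITCODE -ne 0) {
        throw "LGPO $switch $file failed with exit code $LASTEXITCODE; previous policy is in $BackupDir"
    }
}

# Refresh policy so the settings take effect before the reboot.
gpupdate /force | Out-Null
Write-Host "Local policy applied; previous policy backed up to $BackupDir"
```

Run it from an elevated PowerShell prompt. If a later step fails, the exported policy in the backup folder can be re-imported with LGPO to restore the previous state.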

The local Administrator account is renamed to myadmin by these policies

Post Installation

Apply the following registry settings, which have no corresponding entry in the Windows 2016 GPO settings

#Disable Online Tips
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name "AllowOnlineTips" -Value 0 -PropertyType DWord -Force

#Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
New-ItemProperty -Path $RegPath -Name "NodeType" -Value 2 -PropertyType DWord -Force

#Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }   # create the key only if missing
New-ItemProperty -Path $RegPath -Name "AllowProtectedCreds" -Value 1 -PropertyType DWord -Force

#Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name "DisableEnterpriseAuthProxy" -Value 1 -PropertyType DWord -Force

#Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' (Scored)
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging"
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name "AllowMessageSync" -Value 0 -PropertyType DWord -Force

#Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount"
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name "DisableUserAuth" -Value 1 -PropertyType DWord -Force

#Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name "AllowCloudSearch" -Value 0 -PropertyType DWord -Force
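Setting the values is only half of the job; a re-run of the scanner is slow, so a local check that each value exists, has the expected data and is stored as a DWORD is worth having. The script below is an added example and not part of the CIS-2016 scripts. The paths, value names and expected data are exactly the ones set in this section; the Test-RegistrySetting function name is mine.

```powershell
# Added example: verify the post-installation registry values from this section.
# Not part of the CIS-2016 scripts; paths and expected values are the ones the page sets.
$Expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'AllowOnlineTips';            Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';         Name = 'NodeType';                   Value = 2 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation';  Name = 'AllowProtectedCreds';        Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';         Name = 'DisableEnterpriseAuthProxy'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging';              Name = 'AllowMessageSync';           Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount';               Name = 'DisableUserAuth';            Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';         Name = 'AllowCloudSearch';           Value = 0 }
)

function Test-RegistrySetting {
    param([string]$Path, [string]$Name, [int]$Value)

    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Status = 'MISSING'; Name = $Name; Expected = $Value; Actual = $null; Path = $Path }
    }

    $actual = $item.$Name
    # Policy values must be REG_DWORD; a REG_SZ holding the same digits is not honoured.
    $kind = (Get-Item -Path $Path).GetValueKind($Name)
    $status = if ($actual -eq $Value -and $kind -eq 'DWord') { 'PASS' } else { 'FAIL' }

    [pscustomobject]@{ Status = $status; Name = $Name; Expected = $Value; Actual = "$actual ($kind)"; Path = $Path }
}

$results = foreach ($setting in $Expected) { Test-RegistrySetting @setting }
$results | Format-Table Status, Name, Expected, Actual, Path -AutoSize

$failed = @($results | Where-Object Status -ne 'PASS')
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) post-installation setting(s) are not compliant"
} else {
    Write-Host 'All post-installation registry settings verified'
}
```

Run it after the post-installation script and again after the reboot: a value that passes immediately but fails after a restart points at a policy or service that rewrites the key, which is worth knowing before the Nessus scan.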

Windows Firewall

Allow the common firewall ports with the PowerShell script below. With the machine.pol policy applied, Windows Firewall blocks all incoming traffic, so each required service has to be opened explicitly.

Change the default RDP Port from 3389 to 33890

#Change RDP Port (PortNumber is a REG_DWORD, so write it as one)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber" -Value 33890 -Type DWord

#Open TCP 33890 in Windows Firewall
New-NetFirewallRule -DisplayName "Allow RDP TCP33890" -Direction Inbound -Protocol TCP -LocalPort 33890 -Action Allow -Enabled True

#Restart Terminal Services so the new port takes effect
Restart-Service TermService -Force

Allow ICMP / PING – Optional

#Allow Ping Response for IPv4 from the 192.168.1.0/24 segment only - Optional
New-NetFirewallRule -DisplayName "Allow inbound ICMPv4" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 192.168.1.0/24 -Action Allow

Allow File Sharing & WMI (TCP 135,139 & 445) – Optional

#File Sharing and WMI rule groups - Optional
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True
Set-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)" -Enabled True

Verification with Nessus Pro Scanner

The following are required before performing the vulnerability assessment scan

  1. Firewall Ports – TCP 135, 139 & 445
  2. Credential for Local Administrator (myadmin)

The following PowerShell script allows TCP 135, 139 and 445 from 192.168.1.126 (the Nessus Pro machine) only; these ports are otherwise NOT allowed in Windows Firewall

#Nessus Pro Scanning
#Windows Management Instrumentation (DCOM-In) - TCP 135
Set-NetFirewallRule -DisplayName "Windows Management Instrumentation (DCOM-In)" -Direction Inbound -RemoteAddress 192.168.1.126/32 -Action Allow -Enabled True

#File and Printer Sharing (NB-Session-In) - TCP 139
Set-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Session-In)" -Direction Inbound -RemoteAddress 192.168.1.126/32 -Action Allow -Enabled True

#File and Printer Sharing (SMB-In) - TCP 445
Set-NetFirewallRule -DisplayName "File and Printer Sharing (SMB-In)" -Direction Inbound -RemoteAddress 192.168.1.126/32 -Action Allow -Enabled True
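The scanner rules above are deliberately scoped to a single address, while the RDP rule created earlier has no -RemoteAddress at all and therefore accepts connections from anywhere. Before handing the server over, the rule scopes are worth auditing together. The script below is an added example (not part of the CIS-2016 scripts): it reads the address and port filters of the inbound rules used on this page and flags any enabled Allow rule that is open to Any or scoped to something other than the scanner address. The rule names and 192.168.1.126 are taken from this page; the Get-InboundRuleScope function name and the per-rule expected scopes are my assumptions.

```powershell
# Added example: audit the inbound firewall rules used on this page and report
# their remote-address scope. Not part of the CIS-2016 scripts.
$ScannerIP = '192.168.1.126/32'

# Rule display name -> expected remote scope ($null = report only, no expectation).
$Rules = [ordered]@{
    'Windows Management Instrumentation (DCOM-In)' = $ScannerIP   # TCP 135
    'File and Printer Sharing (NB-Session-In)'     = $ScannerIP   # TCP 139
    'File and Printer Sharing (SMB-In)'            = $ScannerIP   # TCP 445
    'Allow RDP TCP33890'                           = $null        # created without a scope in the RDP section
}

function Get-InboundRuleScope {
    param([System.Collections.IDictionary]$RuleScopes)

    foreach ($name in $RuleScopes.Keys) {
        $expected = $RuleScopes[$name]
        # Built-in rules exist once per profile, so several objects may share one display name.
        $matches = @(Get-NetFirewallRule -DisplayName $name -Direction Inbound -ErrorAction SilentlyContinue)
        if ($matches.Count -eq 0) {
            [pscustomobject]@{ Rule = $name; Profile = $null; Enabled = $null; Action = $null; LocalPort = $null; RemoteAddress = $null; Finding = 'RULE NOT FOUND' }
            continue
        }
        foreach ($rule in $matches) {
            $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            $port = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','

            $finding = if ($rule.Enabled -ne 'True') { 'disabled' }
                       elseif ($rule.Action -ne 'Allow') { 'ok (not an allow rule)' }
                       elseif ($addr -eq 'Any') { 'OPEN TO ANY - restrict with -RemoteAddress' }
                       elseif ($expected -and $addr -ne $expected) { "scoped to $addr, expected $expected" }
                       else { 'ok' }

            [pscustomobject]@{
                Rule = $name; Profile = $rule.Profile; Enabled = $rule.Enabled; Action = $rule.Action
                LocalPort = $port; RemoteAddress = $addr; Finding = $finding
            }
        }
    }
}

Get-InboundRuleScope -RuleScopes $Rules | Format-Table Finding, Rule, Profile, Enabled, LocalPort, RemoteAddress -AutoSize
```

On a server configured exactly as described on this page the three scanner rules report ok and the RDP rule reports OPEN TO ANY; adding -RemoteAddress with the management subnet to the New-NetFirewallRule call in the RDP section clears that finding.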

Perform the scan and review the CIS Compliance result

(Screenshot: CIS-WIN2016-01)

Notes

  • It is NOT recommended to disable IPv6

  • The 'Local account' group was removed from 'Deny access to this computer from the network' and 'Deny log on through Remote Desktop Services' because Remote Desktop is required

  • Do NOT disable the local Administrator account

  • User Account Control: 'Admin Approval Mode for the Built-in Administrator account' is NOT enabled, because access to C$ is required for Nessus Pro scanning

    C$ is NOT accessible with this UAC setting enabled, even with the correct username and password:

    C:\Users\admin>net use T: \\192.168.1.127\c$ /user:admin XXXXXXXXXXXXXXXX
    System error 5 has occurred.
    Access is denied.