Mar 25, 2019·7 min read
Some Windows hardening with free tools
First, big thanks to @gw1sh1n and @bitwise for their help on this.
Second, as I hear at security meetups, “if you don’t own it, don’t pwn it”. I’m using my virtual environment to reproduce these steps, which consists of a 2016 domain controller, a 2008 R2 server and a Windows 10 user machine. You could reproduce any one of these machines by asking your build server admin to make an OVA copy of a “gold” image server you want to review. If you only have a physical machine, you could get a fresh machine, disconnect it from your network, isolate it and start testing! The point here is that I’m testing in a completely isolated environment, and I often run tools that I might never run on a computer connected to a real domain. As always, I take frequent snapshots before I install/use tools so I can easily roll back. Run these tools at your own risk and only in an isolated environment where you have permission to test.
First up Microsoft Security Compliance ToolKit https://www.microsoft.com/en-us/download/details.aspx?id=55319
Download everything for the Microsoft Security Compliance Toolkit into a single folder. I’m going to look at my Windows 10 machine, which is running version 1803 of Windows 10.
Put the zip files in a folder directly off the root, because the paths inside the download are long. I’m using C:\MSCT (short for Microsoft Security Compliance Toolkit). I’m unzipping the Policy Analyzer and the Windows 10 Version 1803 Security Baseline zip files into C:\MSCT. If you extract them somewhere with a long file path you may run into the “path is too long” issue.
Now browse to the Policy Analyzer folder and click on PolicyAnalyzer.exe and select the “Add” button
Select “File” and “Add files from GPO’s”
Now Browse here and when you have the “Windows 10 Version 1803 Security Baseline” folder selected click “Select Folder”
You should see this screen and since it is all applicable, just select “Import”
*** BE SURE TO SAVE THE FILE IN THE LOCATION IT SUGGESTS!!!! *** I’m not sure why, but if I try to save it in other locations it just doesn’t work some of the time. Do yourself a favor and save it where it suggests. I’m calling my import Microsoft1803BestPractices so I can easily understand what I’m comparing against.
If you did everything correctly your screen should look like this
Next select “Compare Local registry” and “Local Policy” check boxes then click on the “View/Compare” button
At this point it will ask you for an administrative account to pull what it needs. Enter admin credentials for the computer so it can read what it needs.
When the comparison is done you should see this
To focus on conflicts with Microsoft recommendations select view and “Show only Conflicts”
This will help you focus on where you might want to make changes. As you select each individual row, you will see detail about the setting
Next up, Hardening Auditor (https://github.com/cottinghamd/HardeningAuditor). I’m downloading the tools to my Windows 10 box here and I’ll take a snapshot before I run these. This is based on the recommendations from this great PDF here: https://www.asd.gov.au/publications/protect/Hardening_Win10.pdf . Troy Hunt isn’t the only great thing from Australia!
*** NOTE: this tool requires at least .NET Framework 4.0, so make sure you have that if you want to run the .exe file *** Now, click on the .exe and follow the prompts
Say yes (y) to all of the prompts except for the one that wants to know if you want to compare it. When it is done you will get the results and a file called results.csv
It’s nice to scroll up through the output to see the details, but it’s also in the CSV file. Here is what the CSV looks like after a touch of formatting in Excel.
Now let’s look at one of the machines from an attacker perspective to see what might be exploitable and should be prioritized for fixing
First up, Watson from Rasta Mouse. The only mild issue with Watson is that, the last time I checked, you need to compile it yourself. To compile it you first need to download Visual Studio Community edition (https://visualstudio.microsoft.com/downloads/). Next download Watson from here (https://github.com/rasta-mouse/Watson )
Open up the watson VS solution
After you open the solution, right click on the project to select properties. I compile/target every version of .net so I don’t ever have to do this more than once!
Then build the solution
The output will be here. This is where you can copy or rename your exe so you know which exe to run for a specific version of .net framework.
As you can see, we’ve compiled and renamed the executable for several versions of .NET Framework. Each one targets a different version. That way, if your 2008 R2 server only has .NET Framework 3.5 installed, you can run the version of Watson that you compiled for it.
Now just run the exe as a regular user on the target machine. I’m running it on my Windows 2008 R2 machine and I’ve found an issue.
Next up, PowerUp! Copy https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 to a file and place it in the folder where you want to run it. Here it is in action
Next up is WesNG (Windows Exploit Suggester Next Generation). I love that you can do a “systeminfo > systeminfo.txt” on one machine, then take that file and analyze it on another machine. I’m running “systeminfo > systeminfo.txt” on my Windows 2008 R2 server. Here is the WesNG download location ( https://github.com/bitsadmin/wesng )
Now, I’m going to install Python on my Windows 10 machine, but I’ll be looking for vulnerabilities in my 2008 R2 machine. When you install python, be sure to click the path check box! Otherwise you will have to mess with your path variables manually.
Download WesNG to a folder and extract all the bits. I copy all I need into my root WesNG folder, so I don’t have to dig down a few levels. I also copy the systeminfo.txt from my Windows 2008 R2 server here as well.
First run “wes.py --update” to get the latest definitions
Now run it!
And if you are a red teamer and want to only see the ones with known exploits, run it with the “-e” flag
Next up PrivEsc
Privesc — https://github.com/enjoiz/Privesc
Download https://github.com/enjoiz/Privesc/blob/master/privesc.bat to your Windows machine.
Download Sysinternals Suite to your Windows machine from here: https://download.sysinternals.com/files/SysinternalsSuite.zip
*** IMPORTANT *** After unzipping SysinternalsSuite.zip, copy accesschk.exe, ListDLLs.exe, and pipelist.exe to your C:\Windows folder. Open a command prompt, navigate to the directory that contains privesc.bat and run it. Here is what it looks like after I clean up some of the output
A couple more tools to check but I don’t have time to do today.
Windows Enum — https://github.com/absolomb/WindowsEnum
Windows Exploit Suggester V1 — https://github.com/GDSSecurity/Windows-Exploit-Suggester
Windows Privesc Check — https://github.com/pentestmonkey/windows-privesc-check
Download windows-privesc-check2.exe to C:\Temp on the Windows machine
Open a command prompt and type:
C:\Temp\windows-privesc-check2.exe --audit -a -o OutputFileName.txt
JAWS — https://github.com/411Hall/JAWS
Copy https://github.com/411Hall/JAWS/blob/master/jaws-enum.ps1 to a file and place it in C:\Temp on your Windows machine
Open a command prompt and type:
C:\Temp> powershell.exe -ExecutionPolicy Bypass -File jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
I think that’s it for today. Feel free to follow @gw1sh1n, @fastm00 and @_markmo_ on twitter. I’ll write something for Linux when time permits.
Ensuring your organization is secure has to start someplace. For most administrators, this is a daunting task. Where do I start? What do I secure first? What would a Threat Actor look for? The sheer number of configuration capabilities in Windows Server and Windows 10 can make these questions hard to answer.
This is where Microsoft Security Baselines come in. Microsoft has provided an industry-standard configuration that is broadly known and well-tested to use as a starting point. Different organizations will need different end settings, but starting with a well-known baseline can help jump-start your security stance.
The first step is to head over to the Microsoft Security Compliance Toolkit 1.0 page to download the tools.
At the time of writing this post the following baselines are available:
- Windows 10 Version 1507 up to 20H2
- Windows Server 2012 R2 up to 2019
- Microsoft 365 Apps for Enterprise
- Microsoft Edge
- Windows Update
When you follow the 'download the tools' link and then click Download, a list of baseline versions and tools is presented. Download only the baseline versions that you need. If the organization only has Windows 10 1909, then download 'Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline.zip' when prompted.
Be sure to download PolicyAnalyzer.zip
This tool will become your best friend! The tool lets you load a GPO from a GPO Backup file and compare that GPO with any other GPO you've pulled in to the tool. This is useful to find changes between two versions of GPOs or Baseline levels.
Hint: If you edited a Baseline and need to find the settings you changed you can load a fresh copy of the baseline, your copy of the baseline and then look for the differences.
For the purposes of this article I will be using the latest 20H2 Baselines. The zip file will contain the following folders
| Folder | Contents |
|---|---|
| Documentation | Contains very important Documentation about the Baselines as well as the PolicyRules that are used by the PolicyAnalyzer. Can also include announcements from Microsoft. |
| GP Reports | Contains the GPO HTML Report for each policy |
| GPOs | Contains the actual Policies |
| Scripts | Scripts to Import the GPOs to AD, or Local |
| Templates | Contains GPO admx templates |
Understand the Baselines
I can't stress this enough! Understand the Baselines before applying them to your production environment. If you plop these Baselines in without proper testing and understanding I promise you things will break.
Read the Documentation
Your first task before doing anything else is to open the Documentation folder and review the Excel documents within. There are two documents, each shows different information. I'm using the 20H2 Baselines as an example, depending on your Baseline the names may be different.
'FINAL-MS Security Baseline Windows 10 and Windows Server v20H2.xlsx', contains ALL the baseline settings and their values. If you are implementing the baselines for the first time then you should review this document.
'New Settings in Windows 10 and Windows Server v20H2.xlsx', contains settings appearing in 20H2 that are different than the previous version of Baselines. If you have already implemented a previous version of baselines then you can review this document to see what settings have been added/changed or removed.
You can also read the GPO Report that we are all used to seeing in the Group Policy Management 'Details' tab by exploring the 'GP Reports' folder.
Microsoft has provided scripts to import these policies called 'Baseline-ADImport.ps1' and 'Baseline-LocalInstall.ps1' both of which are located in the Scripts folder.
Baseline-ADImport.ps1 - Imports all GPOs to Active Directory, these will show up under 'Group Policy Objects' and will not be applied to anything.
Baseline-LocalInstall.ps1 - Applies various GPO settings to the local machine based on which switch is passed.
Test the Baselines
Testing is fairly simple. Create sub-OUs and apply the required Baselines to each OU. Move test machines into them and verify functionality. You can also use the Local import script to test a standalone machine without the risk of affecting any other machine on the domain.
Test your applications, test access to network resources, scan the machine with a vulnerability scanner, test remote access, test test test! Then test some more.
Once your testing is done then apply to a larger more varied group of computers and test some more!
It's inevitable, at some point you may need to link two separate Baselines to one OU. This commonly occurs during an upgrade of Windows from one build to a new build. An approach that I see often is to create an entirely new OU, disable inheritance, and then link all the GPOs that it should have to the new temporary OU. This approach leads to increased complexity and administrative effort.
WMI Filters are a good solution to the multiple baselines in one OU situation. WMI Filters can be used to target a specific build version of Windows 10. This lets you assign a WMI Filter to the MSFT Windows 10 [VERSION] - Computer GPO and only apply it to machines that match the build.
Create WMI Filter
You can use the Windows 10 - release information provided by Microsoft to determine the build number for 20H2, which is 19042.
- Open Group Policy Management and navigate to WMI Filters
- Right-click and select 'New'
- Provide Name/Description and click 'Add' and use the following information to build the query
Creating a WMI Filter for a new version of Windows 10 is as easy as finding the new build number using the link provided and changing it in the query.
Note: ProductType = '1' limits the filter to client operating systems only.
- 1 = Client Operating Systems
- 2 = Domain Controllers
- 3 = Non-Domain Controller Server Operating Systems
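A filter query of the kind this section describes, as an added example rather than the article's own query: the PowerShell below builds a WQL query for a given build and ProductType and evaluates it against the local machine, which lets you check a filter before attaching it to a GPO. The function names are hypothetical, and build 19041 for version 2004 comes from Microsoft's release information, not from this article.

```powershell
# Added example: build and locally test a WQL query for a GPO WMI filter.
# New-BaselineWmiQuery and Test-BaselineWmiQuery are illustrative names.

function New-BaselineWmiQuery {
    param(
        [Parameter(Mandatory)][ValidatePattern('^\d{5}$')][string]$Build,
        # 1 = client OS, 2 = domain controller, 3 = non-DC server
        [ValidateSet(1, 2, 3)][int]$ProductType = 1
    )
    # Win32_OperatingSystem.Version is a string such as "10.0.19042"
    'SELECT Version, ProductType FROM Win32_OperatingSystem ' +
    "WHERE Version LIKE '10.0.$Build%' AND ProductType = '$ProductType'"
}

function Test-BaselineWmiQuery {
    param([Parameter(Mandatory)][string]$Query)
    # A WMI filter passes when the query returns at least one instance.
    $hit = Get-CimInstance -Namespace 'root/cimv2' -Query $Query -ErrorAction Stop
    [bool]$hit
}

# Release-to-build map: 20H2 = 19042 (from the article), 2004 = 19041 (assumption
# taken from Microsoft's release information).
$builds = [ordered]@{ '2004' = '19041'; '20H2' = '19042' }

foreach ($entry in $builds.GetEnumerator()) {
    $query = New-BaselineWmiQuery -Build $entry.Value -ProductType 1
    [pscustomobject]@{
        Release            = $entry.Key
        Query              = $query
        MatchesThisMachine = Test-BaselineWmiQuery -Query $query
    }
}
```

On a correctly filtered client exactly one row should report MatchesThisMachine as True; a server or domain controller should match none because of the ProductType clause.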
Applying a WMI Filter
Once the Baselines are imported and the WMI Filter is created you can apply the filter by clicking on the MSFT GPO under 'Group Policy Objects' and picking the appropriate filter from the drop-down. Once the filter is in place you can see an overview by clicking on 'Group Policy Objects'
Currently, in my environment I have 2 Windows 10 2004 machines that I haven't upgraded, so my Workstations OU looks like this (I explain the Override GPO next). The use of WMI Filters ensures that my 2004 machines get only the 2004 Baselines and none of the new settings from the 20H2 Baselines, all without the need to recreate an entirely new OU and link a bunch of GPOs.
Editing the Baselines
Don't! Hear me out. Inevitably there will be a setting that you hate, and you want to turn it off. That is fine, this is your environment, tweak away BUT do not edit the Baseline.
Editing a Baseline causes so many Administrative headaches later on. Imagine this scenario, your organization wants to roll out the 20H2 update and all machines are 1909. The 1909 Baselines are applied in the proper locations, but they have been edited and settings changed. When you go to apply the 20H2 Baselines you will need to find which 1909 settings had been changed and carry those changes forward to the 20H2 Baselines.
As someone who has had to go find these differences, I can say it's not fun. Even when using the Policy Analyzer Tool it takes time.
Overrides to the Rescue!
A great approach to combat the need to make a change and the desire to keep the Baselines at baseline is to use an Override GPO. This override GPO can be set to the highest precedence on the OU and you can override baseline settings by negating the baseline defined setting.
For example, the 20H2 Baseline has a setting for Remote Desktop Connection Client that sets 'Do not allow passwords to be saved' to Enabled. Well I hate it...I hate it so much on my internal domain that I want to turn it off. I research the setting and learn that Unconfigured and Disabled provide the same behavior.
Using this information I can create an override that configures the 'Do not allow passwords to be saved' setting to 'Disabled'. When I apply the Override GPO I will set it at a higher precedence than either of the MSFT Windows 10 - Computer baselines. This ensures that my settings are applied and not the conflicting settings in the Baseline.
The below image is of my 'Workstations' OU. I have applied both 'MSFT Windows 10 20H2 - Computer' and 'MSFT Windows 10 2004 - Computer' because I have not upgraded all my workstations yet. A WMI filter applies the correct MSFT Windows 10 - Computer policy based on build number.
Right now any computer in Workstation OU that is either Windows 10 20H2 or Windows 10 2004 will get the raw Baselines applied. This also means they get the setting I hate enabled.
I have created my Override and adjusted the settings to my liking. Now my Workstations OU looks like so
Notice the 'Link Order', the 'SEC C - MSFT Windows 10 Overrides' has higher precedence than either of the MSFT Baselines so my 'Disabled' setting takes precedence over the 'Enabled' setting defined in the Baselines.
The Override GPO doesn't need to be versioned as 20H2 or 2004 because it doesn't matter. Even if a setting we overrode was removed in 20H2 and was set back to defaults our override would still ensure that the value we want is used. Same logic for a 2004 computer. If the 2004 Baseline did not enable the 'Do not allow passwords to be saved' setting then it still doesn't matter, our override is ensuring that setting will now and forever be disabled as long as the override exists and has precedence.
I currently have three override policies in place on my internal domain, you can override any Baseline this way. For example:
As you can see, now when we implement new Baselines for a new version of Windows we simply link the Baseline and ensure it's below our Override GPO. No more Administrative overhead of trying to remember what was changed, doing comparisons or carrying settings over. A great side effect of using Override GPOs is that you have documented your deviations from the Microsoft Security Baselines.
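One way to verify the link order described above, as an added example that is not part of the original article: it uses the GroupPolicy module's Get-GPInheritance and Get-GPO cmdlets to confirm that every Override link on an OU outranks every MSFT baseline link, and lists each baseline's WMI filter. The function name, the name patterns and the OU path are assumptions to adapt to your own domain.

```powershell
# Added example: confirm an Override GPO outranks the MSFT baselines on an OU.
# Requires the GroupPolicy module (RSAT / GPMC). Test-OverridePrecedence is an
# illustrative name; the OU distinguished name below is a placeholder.
Import-Module GroupPolicy

function Test-OverridePrecedence {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [string]$OverridePattern = '*Overrides*',
        [string]$BaselinePattern = 'MSFT Windows 10*'
    )
    # Only enabled links directly on this OU take part in the comparison.
    $links = @((Get-GPInheritance -Target $OuDistinguishedName).GpoLinks |
        Where-Object Enabled)
    $overrides = @($links | Where-Object DisplayName -Like $OverridePattern)
    $baselines = @($links | Where-Object DisplayName -Like $BaselinePattern)
    if ($overrides.Count -eq 0 -or $baselines.Count -eq 0) {
        throw "Expected an override link and a baseline link on $OuDistinguishedName"
    }

    # Link Order 1 is applied last and wins conflicts, so the override with the
    # largest Order value is the one most at risk of being outranked.
    $weakestOverride = ($overrides | Measure-Object -Property Order -Maximum).Maximum

    foreach ($b in $baselines) {
        $gpo = Get-GPO -Guid $b.GpoId
        [pscustomobject]@{
            Baseline     = $b.DisplayName
            LinkOrder    = $b.Order
            WmiFilter    = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
            OverrideWins = $weakestOverride -lt $b.Order
            # An enforced baseline link beats a non-enforced override regardless
            # of link order, so flag it for review.
            Enforced     = $b.Enforced
        }
    }
}

Test-OverridePrecedence -OuDistinguishedName 'OU=Workstations,DC=example,DC=test'
```

A row with OverrideWins set to False, Enforced set to True, or WmiFilter showing (none) while two baselines share the OU is worth investigating before the next baseline rollout.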
Good Luck on your adventure in implementing the Microsoft Security Baselines! Remember, these baselines aren't the end-all-be-all to securing your environment. They are simply a good starting point, you will need to test, then test some more and then tweak and when you tweak I hope you now see the value of using Override GPOs. Work smarter not harder!