Windows Server hardening through PowerShell and Ansible
Most enterprises struggle to keep up with constantly changing security settings; they need to be reviewed very often. Every enterprise follows standards to avoid configuration flaws, and there are hardening standards and benchmark recommendations from organizations such as CIS, NIST and NCSC.
Enterprises may also use their own standards and baselines based on their IT security team's recommendations. Whatever standard is used, it is the IT team's responsibility to keep it updated and to produce a compliance report whenever one is needed.
The biggest challenge is updating millions of records across all devices in the enterprise. Let me go through a simple way to apply hardening in a Windows Server environment through PowerShell and Ansible.
Using PowerShell to apply changes in the Windows Server registry
# The function takes the registry path, value name and value as parameters.
# Note the call syntax below: "SetRegistryHardening $a $b $c" passes three arguments,
# whereas "SetRegistryHardening ($a,$b,$c)" would pass a single array argument.
function SetRegistryHardening($registrypath, $name, $value)
{
    If (!(Test-Path $registrypath))
    {
        Write-Host "creating new item..."
        # Key does not exist yet: create it, then create the value (REG_DWORD)
        New-Item -Path $registrypath -Force | Out-Null
        New-ItemProperty -Path $registrypath -Name $name -Value $value -PropertyType DWord | Out-Null
    }
    Else
    {
        # Key exists: -Force overwrites the value if it is already present
        New-ItemProperty -Path $registrypath -Name $name -Value $value -PropertyType DWord -Force | Out-Null
    }
}

# Ensure 'Do not allow passwords to be saved' is enabled (this is related to Windows RDP services)
Write-Host "[+] Do not allow passwords to be saved"
$registrypath = "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services"
$name = "DisablePasswordSaving"
$value = 1
Write-Host $registrypath
SetRegistryHardening $registrypath $name $value

# Ensure 'Limit local account use of blank passwords to console logon only' is enabled
Write-Host "[+] Enabling Limit local account use of blank passwords to console logon only"
$registrypath = "HKLM:\System\CurrentControlSet\Control\Lsa"
$name = "LimitBlankPasswordUse"
$value = 1
SetRegistryHardening $registrypath $name $value
The function SetRegistryHardening() checks $registrypath, which contains the registry path; if the key does not exist, it creates the key and writes the value. If the key already exists, it updates the value alone.
OK, now how do we read a registry key and value back?
Function regGet($Key, $Item) {
    If (!(Test-Path $Key)) {
        Return
    } Else {
        If (!($Item)) { $Item = "(Default)" }
        # -ErrorAction SilentlyContinue returns nothing (instead of throwing) when the value does not exist
        $ret = (Get-ItemProperty -Path $Key -Name $Item -ErrorAction SilentlyContinue).$Item
        Return $ret
    }
}

$registrypath = "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services"
$KeyPropertyName = "DisablePasswordSaving"
$ThisVal = regGet $registrypath $KeyPropertyName
# Compare against $null rather than testing truthiness, so a stored value of 0 is not reported as missing
If ($null -ne $ThisVal) {
    Write-Host "Value: $ThisVal"
} Else {
    Write-Host "Key does not exist"
}
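As an added example (not code from the original post), the same Test-Path / Get-ItemProperty / New-ItemProperty calls can be turned into a baseline-driven audit-and-remediate script: a table of expected settings, an audit function that produces one compliance record per setting (the report mentioned at the start of the post), and a remediation function that only touches non-compliant values and honours -WhatIf. The $Baseline table, the function names and the Id labels are assumptions of this example; the registry paths and values are the ones used in the post.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# $Baseline is a constructed table: each row mirrors one setting used in the post.
$Baseline = @(
    @{ Id = 'RDP-01';  Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'DisablePasswordSaving'; Value = 1; Type = 'DWord' }
    @{ Id = 'LSA-01';  Path = 'HKLM:\System\CurrentControlSet\Control\Lsa';                      Name = 'LimitBlankPasswordUse'; Value = 1; Type = 'DWord' }
    @{ Id = 'PERS-01'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization';       Name = 'NoLockScreenCamera';    Value = 1; Type = 'DWord' }
)

function Get-RegistryValueSafe {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value is missing, instead of throwing.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RegistryBaseline {
    param([object[]]$Settings)
    # Audit only: emits one result object per setting, suitable for Export-Csv or ConvertTo-Json.
    foreach ($s in $Settings) {
        $current = Get-RegistryValueSafe -Path $s.Path -Name $s.Name
        [pscustomobject]@{
            Id        = $s.Id
            Path      = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = ($null -ne $current) -and ($current -eq $s.Value)
        }
    }
}

function Set-RegistryBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([object[]]$Settings)
    # Remediates only the non-compliant rows; -WhatIf lists what would change without writing anything.
    $drift = Test-RegistryBaseline -Settings $Settings | Where-Object { -not $_.Compliant }
    foreach ($r in $drift) {
        $s = $Settings | Where-Object { $_.Id -eq $r.Id }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set to $($s.Value)")) {
            if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
        }
    }
}

# Usage:
#   Test-RegistryBaseline -Settings $Baseline | Format-Table -AutoSize          # audit report
#   Set-RegistryBaseline  -Settings $Baseline -WhatIf                           # dry run
#   Set-RegistryBaseline  -Settings $Baseline                                   # remediate drift
#   Test-RegistryBaseline -Settings $Baseline | Export-Csv -NoTypeInformation "$env:COMPUTERNAME-hardening.csv"
```

Keeping the audit and the remediation as separate functions means the same table drives both the scheduled compliance report and the fix, and the report is produced from what the registry actually contains rather than from what the script intended to write.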
The Ansible way
Modules used in Ansible for Windows Server Hardening
win_user_right: Manage Windows user rights. Add, remove or set user rights for users or groups; works for both local and domain accounts.
win_regedit: Add, change, or remove registry keys and values.
Setting access controls using win_user_right
---
- hosts: win
  tasks:
    - name: "Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'"
      win_user_right:
        name: SeTrustedCredManAccessPrivilege
        users: []
        action: set

    - name: "Configure 'Access this computer from the network'"
      win_user_right:
        name: SeNetworkLogonRight
        users:
          - Administrators
          - Authenticated Users
        action: set

    - name: "Ensure 'Act as part of the operating system' is set to 'No One'"
      win_user_right:
        name: SeTcbPrivilege
        users: []
        action: set

    - name: "Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'"
      win_user_right:
        name: SeIncreaseQuotaPrivilege
        users:
          - Administrators
          - Local Service
          - Network Service
        action: set
Hardening settings using win_regedit
---
- hosts: win
  tasks:
    - name: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization
        name: NoLockScreenCamera
        data: "1"
        type: dword

    - name: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization
        name: NoLockScreenSlideshow
        data: "1"
        type: dword
    - name: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)"
      win_regedit:
        path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
        name: LocalAccountTokenFilterPolicy
        data: "1"
        type: dword

    - name: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') (MS Only)"
      win_regedit:
        path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters
        name: NodeType
        data: "2"
        type: dword
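The two playbooks above repeat one task per setting. As an added example (not a playbook from the original post), the same win_user_right and win_regedit work can be driven from a variables list, so that adding a benchmark item means adding a row rather than a task, and an audit step using win_reg_stat and assert fails the play when a value has drifted from the baseline. The host group "win", the variable names, the Id labels and the selection of settings are assumptions of this example; the paths, value names and data mirror settings used in the post.

```yaml
---
# Added example, not from the original post. Baseline lists are constructed from
# settings that appear in the post; "win" is an assumed inventory group.
- hosts: win
  gather_facts: false
  vars:
    user_rights_baseline:
      - id: UR-01
        name: SeTrustedCredManAccessPrivilege   # 'Access Credential Manager as a trusted caller' -> No One
        users: []
      - id: UR-02
        name: SeNetworkLogonRight               # 'Access this computer from the network'
        users:
          - Administrators
          - Authenticated Users
    registry_baseline:
      - id: RDP-01
        desc: "Do not allow passwords to be saved"
        path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
        name: DisablePasswordSaving
        data: 1
        type: dword
      - id: LSA-01
        desc: "Limit local account use of blank passwords to console logon only"
        path: HKLM:\System\CurrentControlSet\Control\Lsa
        name: LimitBlankPasswordUse
        data: 1
        type: dword
      - id: PERS-01
        desc: "Prevent enabling lock screen camera"
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization
        name: NoLockScreenCamera
        data: 1
        type: dword

  tasks:
    # One task, many rights: 'set' replaces whatever is currently assigned.
    - name: "Apply user rights baseline"
      win_user_right:
        name: "{{ item.name }}"
        users: "{{ item.users }}"
        action: set
      loop: "{{ user_rights_baseline }}"
      loop_control:
        label: "{{ item.id }}"

    # One task, many registry values; win_regedit is idempotent, so re-runs only report changes.
    - name: "Apply registry baseline"
      win_regedit:
        path: "{{ item.path }}"
        name: "{{ item.name }}"
        data: "{{ item.data }}"
        type: "{{ item.type }}"
      loop: "{{ registry_baseline }}"
      loop_control:
        label: "{{ item.id }} ({{ item.desc }})"

    # Audit: read every value back rather than trusting the apply step.
    - name: "Read registry baseline values"
      win_reg_stat:
        path: "{{ item.path }}"
        name: "{{ item.name }}"
      loop: "{{ registry_baseline }}"
      loop_control:
        label: "{{ item.id }}"
      register: baseline_audit

    - name: "Fail the play on drift from the baseline"
      assert:
        that:
          - item.exists
          - (item.value | default(-1)) | int == (item.item.data | int)
        fail_msg: "{{ item.item.id }} ({{ item.item.desc }}) is not compliant"
        quiet: true
      loop: "{{ baseline_audit.results }}"
      loop_control:
        label: "{{ item.item.id }}"
```

Running this with `ansible-playbook -i inventory hardening.yml --check --diff` shows which values would change on each host without writing anything; a normal run applies the baseline and the final assert turns any host that still deviates into a failed play, which is the report the post asks for.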