Tenable Blog

Auditing Microsoft Security Compliance Toolkit Baselines

Security baselines are helpful but to be sure of their effectiveness you need to perform regular audits. Here’s how you can use Tenable.io and Nessus Professional to audit the security baselines included within the Microsoft Security Compliance Toolkit.

An important portion of information security is ensuring systems and software are configured in a secure manner. If you look at the Critical Security Controls lists many organizations produce, Secure Configurations typically appear within the top 5. To support this, we have seen more and more vendors create Security Best Practices documents to help customers protect their infrastructure, such as Microsoft with the Microsoft Security Compliance Toolkit (MSCT). There are also organizations such as the Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) producing best practice documents. At Tenable, we have also created Best Practice audits for some popular software.

Some of these documents contain principles (e.g., "Limit Administrator Privilege") rather than prescriptive statements (e.g., "Lock out account after 3 failed logins"). While both types of documents provide value to an organization, compliance with prescriptive statements is generally easier to validate, because each check either passes or fails. Principle statements are usually more open to interpretation, so audits require more effort to determine compliance. The Microsoft Security Compliance Toolkit provides prescriptive configurations and guidance.

What is Microsoft Security Compliance Toolkit?

Microsoft produced a set of tools so organizations can apply Microsoft-recommended security configurations to their environment. The typical method for deploying the baselines is via Active Directory using Group Policy Objects (GPOs), or individually via local policy. Also included with the baselines are spreadsheets documenting the settings.

The toolkit contains baselines for newer Microsoft Operating Systems, including:

Windows Server:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2

Windows 10:

  • Windows 10 v1809 (October 2018 Update)
  • Windows 10 v1803 (April 2018 Update)
  • Windows 10 v1709 (Fall Creators Update)
  • Windows 10 v1703 (Creators Update)
  • Windows 10 v1607 (Anniversary Update)
  • Windows 10 v1511 (November Update)
  • Windows 10 v1507

The Windows Server and Windows 10 baselines cover the Core OS and Internet Explorer.

There is also a security baseline for Office 2016.

Why utilize the Microsoft Security Compliance Toolkit?

When you leverage the configuration baselines from Microsoft Security Compliance Toolkit, you are taking an important step to improve your security posture. There are also operational benefits to adopting the baselines. Some of these benefits include:

  • Less complex environment. When using a standard configuration, there is an expectation that all hosts with the same configuration will behave in a similar manner. The fewer different configurations you have to maintain, the easier to test and troubleshoot.
  • Leverage expertise. Most organizations don’t have the resources to completely develop and test their own security baselines. It is good practice to leverage expertise from a trusted source. They can save you a lot of time and effort in creating and maintaining baselines.
  • Better awareness. Having standard configurations is beneficial when analyzing impacts to the environment, including detection of new vulnerabilities, impact of change requests, detecting configuration drift/misconfigurations, etc.

Configuration Auditing with Tenable.io and Nessus

Security baselines are great, but to be sure of their effectiveness you need to perform regular audits. Tenable.io and Nessus Professional include recently created audits for the security baselines included within the Microsoft Security Compliance Toolkit. In addition to the benefits listed above, automated configuration auditing adds the following benefits:

  • Validate the configuration is properly applied.
  • Ensure changes to the environment have not inadvertently modified security settings.
  • Based on scan frequency, be able to narrow down the suspected window of a configuration change.
  • Greatly reduce the manual effort of performing these tasks.
  • Individual checks are mapped to several cybersecurity frameworks and standards. This information and scan history can help support evidence of compliance efforts.

Getting Started Auditing Microsoft Security Compliance Toolkit

You can get started auditing security baselines from the Microsoft Security Compliance Toolkit today. Visit http://downloads.tenable.com and select the audit file(s) for the baselines applied in your environment, then log into Tenable.io or Nessus.

These audits are simple to set up: they do not use variables, and each audit has platform checks built in, so it will only run on the appropriate OS version.

For example, if you have a Windows 10 environment with v1809 and v1803, you can set up a scan with both audits, and only the appropriate audit will be evaluated on the host.

Once the configuration is saved, run the scan and review the results.

For demonstration purposes, this scan was run against a single non-remediated host. Below is example output from one of the checks.

Each result contains the following information:

  • Status - Pass / Fail / Warning
  • Remediation steps are displayed if the check did not pass
  • When possible, actual results from the system will be included
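To make the behaviour described above concrete, here is a small evaluator written for this post as an added example. It is not Tenable's audit engine or audit file format, and the check names, setting keys and expected values are constructed for illustration rather than taken from the MSCT spreadsheets. It models three things the post describes: the built-in platform check (an audit is skipped on a host whose OS version it does not target), the per-check result (Pass / Fail / Warning, with remediation text only for non-passing checks and the actual value when it could be collected), and the benefit of scan history, where the last passing scan and the first failing scan bound the window in which a setting changed.

```python
"""Toy baseline-audit evaluator (constructed example, not Tenable's engine).

Demonstrates platform gating, PASSED/FAILED/WARNING results with remediation
and actual values, and drift-window estimation from scan history."""
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Optional


@dataclass(frozen=True)
class Check:
    name: str          # human-readable check title
    setting: str       # key of the collected host setting (hypothetical names)
    expected: Any      # value the baseline prescribes
    remediation: str   # shown only when the check does not pass


@dataclass(frozen=True)
class Audit:
    name: str
    platform: str      # OS version the audit applies to (the built-in platform check)
    checks: tuple


@dataclass(frozen=True)
class Result:
    audit: str
    check: str
    status: str                 # "PASSED", "FAILED" or "WARNING"
    expected: Any
    actual: Optional[Any]       # actual value from the host, when it was collected
    remediation: Optional[str]  # populated only for non-passing checks


def run_audits(host: dict, audits: list) -> list:
    """Evaluate every audit whose platform matches the host; skip the rest."""
    results = []
    for audit in audits:
        if audit.platform != host["os"]:
            continue  # platform check: this audit targets a different OS version
        for chk in audit.checks:
            actual = host["settings"].get(chk.setting)
            if actual is None:
                status = "WARNING"      # value could not be collected from the host
            elif actual == chk.expected:
                status = "PASSED"
            else:
                status = "FAILED"
            results.append(Result(
                audit=audit.name, check=chk.name, status=status,
                expected=chk.expected, actual=actual,
                remediation=None if status == "PASSED" else chk.remediation))
    return results


def drift_window(history: list, audit: str, check: str):
    """Bound when a setting went from compliant to non-compliant.

    history is a list of (scan_time, results) pairs. Returns
    (last_pass_time, first_fail_time); either is None if no such scan exists.
    More frequent scans give a narrower window."""
    last_pass = None
    for scan_time, results in sorted(history, key=lambda h: h[0]):
        for r in results:
            if r.audit == audit and r.check == check:
                if r.status == "PASSED":
                    last_pass = scan_time
                elif r.status == "FAILED":
                    return last_pass, scan_time
    return last_pass, None


# --- constructed sample data: illustrative values, not the real baselines ---
LOCKOUT = Check("Account lockout threshold", "LockoutBadCount", 3,
                "Set Account lockout threshold to 3 invalid logon attempts")
GUEST = Check("Guest account status", "EnableGuestAccount", 0,
              "Disable the built-in Guest account")

AUDITS = [
    Audit("MSCT Windows 10 v1809", "Windows 10 v1809", (LOCKOUT, GUEST)),
    Audit("MSCT Windows 10 v1803", "Windows 10 v1803", (LOCKOUT, GUEST)),
]

# Constructed host: runs v1809, lockout threshold is 5, guest setting not collected.
HOST = {"os": "Windows 10 v1809", "settings": {"LockoutBadCount": 5}}


def demo_results() -> list:
    """Only the v1809 audit is evaluated against HOST."""
    return run_audits(HOST, AUDITS)


def demo_drift():
    """Two compliant weekly scans, then a failing one: change was in the last week."""
    good = {"os": "Windows 10 v1809",
            "settings": {"LockoutBadCount": 3, "EnableGuestAccount": 0}}
    history = [
        (datetime(2019, 3, 1), run_audits(good, AUDITS)),
        (datetime(2019, 3, 8), run_audits(good, AUDITS)),
        (datetime(2019, 3, 15), run_audits(HOST, AUDITS)),
    ]
    return drift_window(history, "MSCT Windows 10 v1809", LOCKOUT.name)


if __name__ == "__main__":
    for r in demo_results():
        print(f"{r.status:8} {r.audit} / {r.check}: expected {r.expected}, actual {r.actual}")
        if r.remediation:
            print(f"         remediation: {r.remediation}")
    print("Lockout setting changed between", *demo_drift())
```

Running the script prints one FAILED result (actual value 5 against the prescribed 3, with its remediation text) and one WARNING for the setting the host did not report, and shows the lockout change bounded to the week between the second and third scans. The v1803 audit produces no results at all, which is the platform-check behaviour the post relies on when both audits are attached to one scan.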

Wrap-up

If your organization currently does not follow security baselines, or you have created your own but the maintenance is a burden, it may be worth taking a look at the baselines provided as part of the Microsoft Security Compliance Toolkit. These baselines can save you a lot of effort in creation and maintenance.

Additionally, once you adopt the security baselines, perform regular audits to confirm the baselines are properly in effect.

At Tenable, we strive to regularly update our policy compliance audits to match the newest versions published by Microsoft. We also realize there are many cybersecurity frameworks available for organizations to follow, so we regularly map the checks in the policy compliance audits to various framework controls.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
