In the last article, we have discussed most of the theory part of server hardening to have a solid understanding of basic concepts. In this article, I will show how you can automate the process of fixing the gaps using OpenSCAP, Ansible and PowerShell’s DSC. We will be discussing Powershell DSC majorly but I will try to touch base the other two as well.
Remediation using PowerShell DSC
Before we proceed with it, it is important to understand what exactly PowerShell DSC is. In simple English terms, Microsoft’s PowerShell Desired State Configuration is a captain that instructs Operating System to be in a specific state, no matter what happens. It gives the order and operating system figure out how it can achieve this. In technical terms, it is Microsoft’s solution for infrastructure as code similar to HashiCorp’s Terraform. Although it is not the same as Terraform, this analogy will help you to understand it better. Microsoft has done a pretty decent job in explaining the basics of PowerShell DSC so I will not be reinventing the wheel. You can learn in detail about Powershell DSC in below links:
There are 3 key concepts that you need to grasp to fully understand PowerShell DSC,these are:
-
Configurations: Congratulations in DSC realm are the set of scripts/instructions using which system attain the desired state. When these configurations(scripts) are run, the system will attain the desired state.
-
Resources: Desired State Configuration (DSC) Resources provide the building blocks for a DSC configuration. A resource exposes properties that can be configured (schema) and contains the PowerShell script functions that the Local Configuration Manager (LCM) calls to “make it so”. For example HostsFile is a resource in DSC which has the property to add, edit and remove entries. Using Powershell scripting language we can apply logic and functions on the resources.
-
LCM: Local Configuration Manager is another important component of DSC. Think of it as the engine which applies all the settings as asked by configuration. It is like a supervisor who keeps on polling the system’s settings to see if the system is in the state as mentioned in the configuration. Just like a kid who is supervising a class in the absence of a teacher(SysAdmin), LCM can notify the sysadmin, if a system “Drifts” from the normal state. Sometimes depending upon the configuration, it can revert the configuration to the original desired state.
-
Push/Pull Model: DSC works in two modes. The names pretty much explain the mode of operation. In Pull model LCM polls a central DSC for the latest configuration and in push model a single machine pushes the configuration to multiple machines.
Hopefully, you have got the idea about what exactly PowerShell DSC is, let’s move to our main task i.e. fixing the gaps as per CIS benchmarks. I have used John de Jager’s script as the baseline and added minor tweaks. It can be accessed here
This guide is a step by step guide to harden a Microsoft windows server using PowerShell DSC (Desired State Configuration). All the hardening guidelines are taken from the CIS Benchmarks guidelines for Microsoft Server 2016 level 1.
Although extreme care has been taken to make it as generic as possible, however, there might be instances when a few controls are tighter and may break your application functionality. We strongly recommend testing this configuration in the Development environment first before taking it to production.
Open Command Prompt as Admin as shown below:
Type powershell in the command prompt:
Run Below Commands
Install-Module NetworkingDsc -Verbose
Install-Module AuditPolicyDsc -Verbose
Install-Module SecurityPolicyDsc -Verbose
Install-Module PSDscResources -VerboseRespond with A for all
Error due to Network Interface Name
Since AWS doesn’t have persistent methods to always give the same name to the network interfaces. Sometimes what happens is that the network interface alias assigned by AWS inside Windows Server is “Ethernet 2“ or sometimes it will be “Ethernet”. You need to modify the piece of the script according to this name. How to check what interface name has been assigned to you? Run below command in powershell Get-NetIPInterface and Change the piece of code as below(Line 15):
Open PowerISE and paste the content of DSC_CIS.ps1 
Click Run (Green Play Button).
End Result will be something like below(Make sure there are no red lines) 
Open a new file and paste the content of LCM.ps1 
Hit Run (Green Play Button). Successful execution will create a file with extension mof.
Now execute Set-DscLocalConfigurationManager -Path “C:\DSCConfigs” 
Run the Command Get-DscLocalConfigurationManager
Check the ConfigurationMode: ApplyAndAutoCorrect, it should be exactly the same. 
Common Errors and Remedies:
Sometime you may encounter the errors. The first step is to make sure, you have read the instructions correctly. Below are a few common errors that are usually encountered:
The request size exceeded the configured MaxEnvelopeSize quota
Explanation: The default value is MaxEnvelopeSizeKB is 500, what essentially this error is indicating is that the size of your DSC configuration is more than the allocated quota. The solution for this issue is to increase the maximum envelope size, by running the following command in an elevated PowerShell session:
Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 2048After running this command in the elevated command prompt, rerun your script again.
The WS-Management service cannot process the request. The WMI service returned an ‘access denied’ error
Explanation: This could be due to the fact that your Windows Powershell ISE is not running with elevated privileges. The solution is to open the command prompt with elevated privileges and then run your powershell script.
Remediation using OpenSCAP Bash Scripts:
Since, SSG’s GitHub page contains the simple, clear and concise information about this, so I will be using the same excerpt from SSG official GitHub repository which says:
A Bash remediation script for each profile is shipped in a scap-security-guide package. The scripts can be found in /usr/share/scap-security-guide/bash/ **or if you build the project from source in **./build/bash.
Moreover, ComplianceAsCode embeds bash remediation scripts into the SCAP content. This allows for SCAP compatible tools to extract these remediation scripts to aide in potential remediation of system misconfigurations.
OpenSCAP, the CLI delivered with Fedora and Red Hat Enterprise Linux systems, contains the ability to transform XML results into an executable script. The syntax to generate a remediation script is:
$ oscap xccdf generate fix \
--result-id xccdf_org.open-scap_testresult_{profile-name} \
/root/ssg-results.xml
Replace {profile-name} with the profile the system was scanned against.For example, for stig-rhel6-server:
$ oscap xccdf generate fix \
--result-id xccdf_org.open-scap_testresult_stig-rhel6-server \
/root/ssg-results.xmlRemediation using OpenSCAP Ansible Playbooks:
ComplianceAsCode embeds ansible remediation scripts into the SCAP content. This allows for SCAP compatible tools to extract these remediation scripts to aide in potential remediation of system misconfigurations. When using OpenSCAP with Ansible, it is advisable to use the playbooks from link. These playbooks are generated from the ComplianceAsCode project and are also available on Ansible Galaxy.
Using all this Process to create Golden AMIs
Most of the ideas related to baking the Golden AMIs are taken from the AWS youtube channel and AWS Knowledge base. Below were my main resourcs to grasp this concept 1. Golden AMI Pipeline 2. VA using Qualys
As companies are adapting to the cloud they want to move as fast as possible, they want to adopt the latest technology present in the market as soon as possible. So it becomes important that we integrate security from the beginning. The very first step in doing so is to use the hardened images used to spin up the instances or even the containers. The simpler solution is to give the developers a hardened image of the operating system which contains all the latest patches,logging capabilities, and configurations best practices. The process of creation of such an image in AWS is known as Golden AMI. Thus building security into the golden AMI pipelines is way using which we can empower the developer with security. You can say this is our end goal to create an automated process of taking a raw image of Operating system, then automatically scan it using tools(OpenSCAP, Inspec) and then fixing the gaps automatically which further integrates with the CI/CD pipelines to bake a hardened Golden AMI and then providing hardened, secured AMI to the developers.
The design idea for such automation for Golden AMI in AWS can be achieved using Automation Documents (SSM) which will trigger the scan for newly submitted images, then results of such scans can be parsed using AWS Lambda which will decide whether to pass the build or fail the build. Once the decision of pass/fail is taken another lambda function can be triggered to harden the images, installing the necessary logging pipelines and patching the system. Below diagram from AWS blog explains the high level overview:
Additionally , if you don’t want to go on Open Source then you can use AWS Inspector. This link explains the automation for Golden Images using AWS SSM and AWS Inspector. The only caveat of the Inspector is that it is not fully available in all the regions yet as the time of writing.
I really hope this article might have provided you ,atleast with the basic idea about server hardening.
Please feel free to reach out to me for any questions or queries.