Security Configuration Change Management, Monitoring and Control
implementing security changes for Windows OS

In this article I demonstrate an effective way to prepare, implement, monitor and test security configuration changes on Microsoft Windows OS: how to record and track changes, how to monitor and test them, and which tools are best suited to these tasks.

I will cover:

· Microsoft Assessment and Planning (MAP) Toolkit – identify applications, and the users of those applications, affected by a security configuration change

· Assessment and communication – how to communicate a system change to management and the user base

· Windows Server hardening templates – identify the system configuration changes needed to improve security posture and disable legacy protocols

· CIS Benchmarks – alternatives to Microsoft hardening templates when preparing security configuration benchmarks

· The Microsoft Operations Framework (MOF) – Microsoft best practices and guidelines for making security configuration changes

· Microsoft Security Configurator (MSC) – free tool used to analyze, configure and document security configuration elements for Windows-based OS

· Change control – how to define the configuration changes going into effect, document the expected impact, record the change approval and who approved it, and decide what monitoring will oversee the change; prepare a roll-back plan in case the change needs to be reverted

· Microsoft Sentinel for event tracking – collect Windows event logs from affected systems and track any application errors caused by the changes put in place

Microsoft Assessment and Planning (MAP) Toolkit is a free tool that helps organizations assess their IT environments and determine the readiness of their systems for migration to new technologies. Here's how you can use MAP to inventory applications and users:

Download and install the MAP Toolkit on a server or workstation that has access to the network where you want to perform the inventory.

Launch the MAP Toolkit and select the "Inventory and Assessment" option from the main menu.

Select the "Inventory" option from the list of assessment types.

Specify the scope of the inventory by selecting the devices or subnets that you want to scan. You can also specify the protocols and ports to use for the inventory.

Configure the application and user inventory options by selecting the "Applications and Users" option from the inventory options list. This will enable MAP to collect information about the installed applications and user accounts on the devices being scanned.

Start the inventory scan by clicking the "Start Inventory" button. MAP will then begin scanning the specified devices and collecting information about the installed applications and user accounts.

View the results of the inventory scan in the MAP Toolkit console. You can export the inventory data to Excel or other formats for further analysis and reporting.

Overall, using MAP to inventory applications and users gives you a better understanding of the software installed and the user accounts present on your network, which is useful for software license management, security auditing, and migration planning.

Windows Server hardening templates are pre-defined sets of security configurations that can be applied to a Windows Server operating system to enhance its security and protect it from potential threats. These templates typically contain a set of security policies, settings, and recommendations that are designed to secure the operating system and its associated components, such as services, applications, and user accounts.

The templates can be used to configure various security features, including user authentication and authorization, network security, system hardening, and data protection. Examples of common hardening templates include the Center for Internet Security (CIS) Microsoft Windows Server 2019 Benchmark and the National Institute of Standards and Technology (NIST) Security Configuration Framework for Windows Server 2016.

By using these templates, organizations can ensure that their Windows Server environments are secure and comply with industry standards and best practices. However, it is important to note that the application of hardening templates should be carefully planned and tested to ensure that they do not adversely affect the functionality or performance of the systems and critical business applications delivered to the users.

CIS Benchmarks as alternatives to Microsoft hardening templates: CIS (Center for Internet Security) Benchmarks are a set of best practices for securing various IT systems and applications. CIS scans are automated checks that verify whether a system or application is configured according to the CIS Benchmarks. Here's how you can use CIS scans and benchmarks:

Identify the systems and applications that you want to secure. CIS benchmarks are available for various operating systems, databases, web servers, and other applications.

Download the relevant CIS benchmarks for your systems and applications. You can download them from the CIS website.

Review the CIS benchmarks and identify the configuration settings that need to be applied to your systems and applications. The CIS benchmarks provide a detailed list of security controls and configuration settings that should be implemented.

Use the CIS scans to check whether your systems and applications are configured according to the CIS benchmarks. The scans will generate a report that highlights the configuration settings that are not compliant with the benchmarks.

Remediate the configuration settings that are not compliant with the CIS benchmarks. This may involve changing system settings, installing patches, or updating software.

Use the CIS scans regularly to ensure that your systems and applications remain compliant with the benchmarks. CIS benchmarks are updated regularly, so it's important to keep up-to-date with the latest versions.

The Microsoft Operations Framework (MOF) is a collection of best practices and guidelines for IT service management. MOF provides a framework for planning, deploying, and managing IT services in a structured and systematic manner. One of the key components of MOF is the Security Management discipline, which provides guidance on how to implement security configuration changes in an organization.

The Security Management discipline in MOF provides a structured approach to implementing security configuration changes. The approach involves the following steps:

Assess security risks: Conduct a risk assessment to identify potential security threats and vulnerabilities.

Define security policies: Define security policies and standards that reflect the organization's risk tolerance and compliance requirements.

Design security controls: Develop a set of security controls that align with the security policies and standards.

Implement security controls: Deploy the security controls across the IT environment.

Monitor security controls: Monitor the effectiveness of the security controls and identify any weaknesses or gaps.

Respond to security incidents: Develop a plan for responding to security incidents and ensure that all stakeholders are aware of the plan.

Review and improve: Review the security configuration changes regularly and make improvements based on feedback and lessons learned.

By following this structured approach, Fallon Health can ensure that its security configuration changes are implemented in a controlled and effective manner, minimizing the risk of security incidents and of adverse effects from the changes themselves.

Microsoft Security Configurator (MSC) is a tool that can be used to analyze and configure security settings for Windows-based computers. It can be used to configure Group Policy settings and customize security templates. When used in conjunction with Group Policy, MSC can help organizations to implement security configuration changes across their IT environment.

Here's how to use MSC with Group Policy:

Analyze the current security settings: Before configuring any security settings, it's important to analyze the current settings to identify any weaknesses or gaps. MSC can be used to generate a security baseline report, which provides a detailed overview of the current security settings on a computer.

Configure the security settings: Once the current security settings have been analyzed, MSC can be used to configure the desired security settings. This can be done by creating a security template that includes the desired settings, or by modifying an existing template.

Apply the security template: Once the security template has been created or modified, it can be applied to the computers in the organization using Group Policy. This can be done by linking the policy to an organizational unit (OU) or domain, and then configuring the security settings in the policy.

Test the security settings: Before deploying the security settings to all computers in the organization, it's important to test the settings on a small group of computers to ensure that they work as expected and do not cause any issues.

Monitor and maintain the security settings: After the security settings have been deployed, it's important to monitor them regularly to ensure that they remain effective and up-to-date. MSC can be used to generate reports and alerts on security-related events, and to identify any issues that need to be addressed.

By using MSC with Group Policy, organizations can implement security configuration changes across their IT environment in a structured and controlled manner, ensuring that their systems are secure and compliant with industry standards and best practices.

How to use MOF, Group Policy, and Microsoft Security Configurator to assess, implement and monitor security configuration changes.

Security configuration change workflow and change control using the Microsoft Operations Framework (MOF) and Microsoft Security Configurator (MSC) to effect and monitor a security configuration change through Group Policy:

Assess security risks: Conduct a risk assessment to identify potential security threats and vulnerabilities.

Define security policies: Define security policies and standards that reflect the organization's risk tolerance and compliance requirements.

Analyze current security settings: Use MSC to generate a security baseline report that provides a detailed overview of the current security settings on a computer.

Design security controls: Develop a set of security controls that align with the security policies and standards.

Configure security settings: Use MSC to configure the desired security settings, either by creating a security template that includes the desired settings or by modifying an existing template.

Test the security settings: Before deploying the security settings to all computers in the organization, test the settings on a small group of computers to ensure that they work as expected and do not cause any issues.

Implement security controls: Apply the security template to the computers in the organization using Group Policy. This can be done by linking the policy to an organizational unit (OU) or domain, and then configuring the security settings in the policy.

Monitor security controls: Use MSC to monitor the effectiveness of the security controls and identify any weaknesses or gaps.

Respond to security incidents: Develop a plan for responding to security incidents and ensure that all stakeholders are aware of the plan.

Review and improve: Review the security configuration changes regularly and make improvements based on feedback and lessons learned.

Change control is an important aspect of implementing security configuration changes. Here's an example of how change control could be implemented using MOF and MSC:

Define the change: Clearly define the security configuration change that needs to be implemented.

Assess the impact: Assess the impact of the security configuration change on the IT environment, including any potential risks or issues that may arise.

Plan the change: Develop a detailed plan for implementing the security configuration change, including a timeline, roles and responsibilities, and contingency plans.

Test the change: Test the security configuration change on a small group of computers to ensure that it works as expected and does not cause any issues.

Implement the change: Implement the security configuration change across the IT environment using Group Policy and MSC.

Monitor the change: Monitor the effectiveness of the security configuration change and identify any issues that need to be addressed.

Review the change: Review the security configuration change and its impact on the IT environment, including any lessons learned that can be used to improve future changes.

By using MOF and MSC to implement security configuration changes and change control, organizations can ensure that their systems are secure and compliant with industry standards and best practices, while minimizing the risk of security incidents and breaches.
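The baseline comparison described in the CIS Benchmarks and MSC sections, and the change record, roll-back plan and monitoring note that the change-control steps above call for, as one added PowerShell example. This is not code from the article or from any Microsoft tool. It assumes the INI-style file that `secedit /export /cfg <file>` writes (the `[System Access]` and `[Registry Values]` sections); the sample export text and the baseline values are constructed placeholders, not CIS or Microsoft benchmark values, and the change ID, approver and file paths are likewise invented for illustration.

```powershell
# Added example, not code from the article or from any Microsoft tool. It parses
# a secedit-style .inf export, reports drift from a desired baseline, and writes
# a change-control record that keeps the pre-change export for roll-back.
# Baseline values below are illustrative placeholders, not benchmark values;
# the sample .inf text is constructed for this example.

function ConvertFrom-SeceditInf {
    # Parse the INI-like text that `secedit /export /cfg <file>` produces
    # into a hashtable of section name -> (setting -> value).
    param([Parameter(Mandatory)][string[]]$Lines)
    $sections = @{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($null -ne $current -and $line -match '^(.+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $sections
}

function Compare-SecurityBaseline {
    # Return one record per baseline setting that is missing or differs on the
    # host. Registry values keep secedit's "type,data" form (for example 4,1).
    param(
        [Parameter(Mandatory)][hashtable]$Current,
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    $drift = @()
    foreach ($section in $Baseline.Keys) {
        foreach ($setting in $Baseline[$section].Keys) {
            $expected = [string]$Baseline[$section][$setting]
            $actual = $null
            if ($Current.ContainsKey($section)) { $actual = $Current[$section][$setting] }
            if ($actual -ne $expected) {
                $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
                $drift += [pscustomobject]@{
                    Section = $section; Setting = $setting; Expected = $expected; Actual = $shown
                }
            }
        }
    }
    return $drift
}

function New-ChangeRecord {
    # Change-control record: the settings that will change (the drift), who
    # approved, what monitoring oversees the change, and the roll-back command.
    param(
        [Parameter(Mandatory)][string]$ChangeId,
        [Parameter(Mandatory)][string]$ApprovedBy,
        [object[]]$Drift = @(),
        [Parameter(Mandatory)][string]$RollbackInf
    )
    [pscustomobject]@{
        ChangeId     = $ChangeId
        Created      = (Get-Date).ToString('o')
        ApprovedBy   = $ApprovedBy
        Settings     = $Drift
        Monitoring   = 'Sentinel: Application EventID 1000, System EventID 7000/7034 on pilot hosts'
        RollbackPlan = "secedit /configure /db rollback.sdb /cfg `"$RollbackInf`""
    }
}

# Constructed sample of an export from a not-yet-hardened host. On a real host:
#   secedit /export /cfg "$env:TEMP\pre-change.inf"
#   $lines = Get-Content "$env:TEMP\pre-change.inf"
$lines = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split '\r?\n'

# Desired state (illustrative values; take real ones from the benchmark you adopt).
$baseline = @{
    'System Access'   = @{ MinimumPasswordLength = 14; PasswordComplexity = 1; LockoutBadCount = 10 }
    'Registry Values' = @{ 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature' = '4,1' }
}

$current = ConvertFrom-SeceditInf -Lines $lines
$drift   = Compare-SecurityBaseline -Current $current -Baseline $baseline
$drift | Format-Table -AutoSize

$record = New-ChangeRecord -ChangeId 'CHG-0001' -ApprovedBy 'change.board@example.org' `
    -Drift $drift -RollbackInf "$env:TEMP\pre-change.inf"
$record | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $env:TEMP 'CHG-0001.json')
```

With the constructed sample the comparison reports three drift rows (MinimumPasswordLength, LockoutBadCount and the SMB RequireSecuritySignature registry value); PasswordComplexity already matches and is not listed. The pre-change export named in the record is the roll-back artifact: `secedit /configure` with that file restores the settings it captured, which is why the export is taken before the template is applied rather than after.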

Change monitoring and implementation control using Microsoft Sentinel - Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution that provides a centralized platform for monitoring and analyzing security-related events across different systems, applications, and services. Here's how you can monitor Windows operating system events using Microsoft Sentinel:

Set up a data source in Microsoft Sentinel to collect Windows event logs. This can be done by configuring the Windows Event Forwarding (WEF) service on your Windows servers to forward events to Microsoft Sentinel. Alternatively, you can install the Microsoft Monitoring Agent (MMA) on your Windows servers and configure it to send event logs to Microsoft Sentinel.

Create a new workspace in Microsoft Sentinel and configure the data connectors to collect Windows event logs from your data source. This can be done by navigating to the "Data connectors" tab in the Microsoft Sentinel dashboard and selecting the "Windows Event Logs" connector.

Create a new query in Microsoft Sentinel to search for Windows operating system events. This can be done by using the "Kusto Query Language" (KQL) to search for specific event IDs or keywords in the Windows event logs. For example, you can search for event IDs related to successful or failed logins, account lockouts, system crashes, and other security-related events.

Set up alerts in Microsoft Sentinel to notify you when specific Windows operating system events occur. This can be done by creating a new alert rule and defining the conditions that trigger the alert, such as the frequency or severity of a particular event.

Monitor the Windows operating system events in Microsoft Sentinel and use the built-in dashboards and visualizations to analyze the data and identify potential security threats or vulnerabilities. You can also use the advanced hunting feature to search for specific patterns or anomalies in the event logs.

Overall, monitoring Windows operating system events with Microsoft Sentinel helps detect and respond to system changes and application errors after a change has been put in place. This creates a feedback loop while implementing and testing security configuration changes.
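The feedback loop described above, as an added PowerShell example that is not part of the article. It queries the Log Analytics workspace behind Microsoft Sentinel with KQL for application crashes (Application log, Event ID 1000) and service start failures or crashes (System log, Event IDs 7000 and 7034) and compares per-host counts in equal windows before and after the change went live. It assumes the Az.Accounts and Az.OperationalInsights modules are installed and `Connect-AzAccount` has already been run, that the `Event` table is fed by the Windows event log connector, and that the workspace ID and change time are placeholders you replace.

```powershell
# Added example, not from the article. Compares Windows application crashes and
# service failures per host before and after a configuration change, using the
# Event table in the Log Analytics workspace behind Microsoft Sentinel.
# Assumptions: Az.Accounts and Az.OperationalInsights are installed and
# Connect-AzAccount has run; the workspace ID below is a placeholder.
param(
    [string]$WorkspaceId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [datetime]$ChangeTime = (Get-Date).AddDays(-1),                 # when the GPO went live
    [int]$WindowDays = 7
)

function New-ChangeImpactQuery {
    # Build the KQL. Equal windows before and after the change time keep the
    # Before/After counts comparable; Delta > 0 surfaces hosts that got worse.
    param([Parameter(Mandatory)][datetime]$ChangeTime, [int]$WindowDays = 7)
    $utc = $ChangeTime.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    return @"
let changeTime = datetime($utc);
let window = ${WindowDays}d;
Event
| where TimeGenerated between ((changeTime - window) .. (changeTime + window))
| where (EventLog == "Application" and EventID == 1000)
     or (EventLog == "System" and EventID in (7000, 7034))
| summarize Before = countif(TimeGenerated < changeTime),
            After  = countif(TimeGenerated >= changeTime)
            by Computer, EventLog, EventID, Source
| extend Delta = After - Before
| where Delta > 0
| order by Delta desc
"@
}

$query  = New-ChangeImpactQuery -ChangeTime $ChangeTime -WindowDays $WindowDays
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query
$result.Results | Format-Table Computer, EventLog, EventID, Source, Before, After, Delta -AutoSize
```

Run it against the pilot group first, with the change time taken from the change record, and again after the broad rollout. The KQL the function builds can be pasted unchanged into a Sentinel scheduled analytics rule if you want an alert rather than a report whenever a host's Delta rises above zero during the monitoring period.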

Downloads

MAP toolkit: https://www.microsoft.com/en-us/download/details.aspx?id=7826

Microsoft Security Configurator: https://www.microsoft.com/en-us/download/details.aspx?id=55319

MOF – Microsoft Operations Framework: https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc506049(v=technet.10)

More articles by Valentin Komarovskiy, MBA