How to harden your Windows devices according to baselines during and post-installation using PowerShell and JumpCloud
Intro
An often neglected or completely ignored security measure is system hardening. It belongs beside the other common mandatory measures, such as up-to-date AV/EDR/XDR on every system, properly configured access controls on every system/device including non-privileged access for users, MFA everywhere and more.
A good starting point to get things straight is the CIS Critical Security Controls v8, where the fourth control is: Secure Configuration of Enterprise Assets and Software.
The controls 4.1 - Establish and Maintain a Secure Configuration Process and 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure are especially applicable when it comes to hardening your operating systems (not only Windows, of course).
Now you may ask: How am I going to do this in practice?
How can I harden - for example - my Windows operating systems out there in the wild, or before they get into the wild? Ideally, you will ship/hand over hardened devices to your users, and you will also frequently audit and remediate where applicable. CIS CSCs and the respective Benchmarks may not be your choice. Instead - depending on your preferences, requirements and specifications - you may choose Microsoft's own Security Baselines, BSI's SiSyPHuS or any other. Another important consideration here: such baselines need extensive testing and often fine-tuning before you apply them to your fleet of devices in production environments. You don't want to:
Practical Approach and Solution
Start small. Besides finding and shaping the right baselines - you need to talk to your peers, managers, departments like Information Security, GRC, Finance, HR and more where needed. Once you've done all that - and that can be a lot of work by itself - you can start evaluating practical approaches leading to a feasible solution which is appropriate and might let you sleep a bit easier at night knowing that your overall security posture is in a much better shape now.
Hardening a Windows 10 (version 21H2)
You don't have to re-invent the wheel. Luckily, there are pretty solid usable solutions out there. Many roads are leading to Rome. In this article we will be using a fantastic tool called HardeningKitty written in PowerShell (stable and signed, MIT License).
Great about this tool: it gives you quite a couple of options in terms of which baseline you want to apply and there's also a web-based interface available which allows you to customise and create your own lists catered to your needs - in addition, it provides additional valuable information on all the settings. Most importantly: it can be executed without interaction. Others such as Stand-Alone Windows Hardening (SAWH) do require manual steps during execution.
As an example, we will apply the Microsoft Security baseline for Windows 10. All you need for a simplified approach is:
The JumpCloud Command is a PowerShell Script by itself. Important is that the script and baseline need to be attached/uploaded to the Command in this case. You could also acquire them during the runtime from the source (links above) by using Invoke-WebRequest.
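If you acquire the files at runtime instead of attaching them, verify them before importing, because the Command runs the module with elevated rights. The following is an added example, not part of the original script or of HardeningKitty: the function name is hypothetical, and the URL and SHA-256 value are placeholders for the release you tested.

```powershell
# Added example (not from the original script or the HardeningKitty project).
# The URL and hash in the usage comment are PLACEHOLDERS; Get-VerifiedFile is a hypothetical name.
function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [Parameter(Mandatory)] [string] $Destination,
        [switch] $RequireValidSignature   # use for the signed .ps1, not for the CSV list
    )
    $ErrorActionPreference = 'Stop'
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Remove any stale copy first so a failed run never leaves an unverified file behind
    Remove-Item -LiteralPath $Destination -Force -ErrorAction SilentlyContinue
    try {
        Invoke-WebRequest -Uri $Uri -OutFile $Destination -UseBasicParsing

        # 1) Integrity: compare with the hash recorded when this release was tested
        $actual = (Get-FileHash -LiteralPath $Destination -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            throw "SHA-256 mismatch for $Uri (got $actual)"
        }
        # 2) Authenticity: require an Authenticode signature that validates on this machine
        if ($RequireValidSignature) {
            $sig = Get-AuthenticodeSignature -FilePath $Destination
            if ($sig.Status -ne 'Valid') {
                throw "Signature status '$($sig.Status)' for $Destination"
            }
        }
        return $Destination
    }
    catch {
        # Delete whatever was downloaded and re-throw so the Command exits with an error
        Remove-Item -LiteralPath $Destination -Force -ErrorAction SilentlyContinue
        throw
    }
}

# Usage with placeholder values; import only after both checks passed:
# $kitty = Get-VerifiedFile -Uri 'https://example.invalid/Invoke-HardeningKitty.ps1' `
#     -ExpectedSha256 '<SHA256-OF-THE-RELEASE-YOU-TESTED>' `
#     -Destination 'C:\Windows\Temp\Invoke-HardeningKitty.ps1' -RequireValidSignature
# Import-Module $kitty -Force
```

Pinning the hash also pins the baseline version, so a changed upstream finding list cannot reach your fleet without going through your own testing first.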
The Script used for this Command looks like this:
# Set Execution Policy for this session only (Process scope leaves the machine-wide policy untouched) and set Location
Set-ExecutionPolicy Bypass -Scope Process -Force
Set-Location C:\Windows\Temp\
# Import the required Module which is carried out via JC Command
Import-Module C:\Windows\Temp\Invoke-HardeningKitty.ps1 -Force
# Create a Backup- and Report-File before applying anything
Invoke-HardeningKitty -Mode Config -Backup -BackupFile "$env:computername-pre-hardening-backup.csv"
Invoke-HardeningKitty -Log -Report -FileFindingList .\finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv -ReportFile "$env:computername-pre-hardening-report-machine.log"
# Applying the MSFT Security Baseline by using the so-called 'HailMary'-mode
Invoke-HardeningKitty -Mode HailMary -Log -Report -FileFindingList .\finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv
# Running a post-hardening report
Invoke-HardeningKitty -Mode Audit -Log -Report -FileFindingList .\finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv -ReportFile "$env:computername-post-hardening-report.log"
Note: the pre/post-reports are - of course - optional. You can consider uploading them to a blob storage within the script if you need to keep an audit trail of all these activities. Central repositories and reports on top of them can also help to identify gaps at a later stage - just like you need to closely watch OS- and Application patching.
This simple script goes here:
Now you're able to run the Command against a group of devices or a single device - the latter is the advisable approach, as you need to validate and confirm that everything is still working as expected post-hardening. Once you execute the script, the payloads appear in the Windows Temp folder and get executed:
Note: At a later stage, once you're satisfied and in line with your requirements, you can also trigger this Command via Webhook or via JumpCloud's PowerShell Module (more about that in a bit, using a trigger).
As you can see in the screenshot above, HardeningKitty's own scoring went from 3.2 (pre-hardening) up to 6.0 (post-hardening). The Windows installation which was just hardened here was a fresh install using my 'AutoPilot Scenario powered by MDT'.
I issued the command post-installation to the device. Ideally, this hardening process will be part of the installation process itself - supervised by IT personnel. How could we do this?
Baking it into the AutoPilot scenario
If you have read the article about my AutoPilot scenario, you will remember that we were using the JumpCloud PowerShell module to:
From the AutoPilot-script:
# Add this device to the designated default System Group used for 'Onboarding'
Add-JCSystemGroupMember -GroupName 'Onboarding' -SystemID $sys_id
and
# Assign the user to the device without being an Administrator
Add-JCSystemUser -Username $username -SystemID $sys_id -Administrator $False
Write-Output "All tasks have been completed successfully. The script will now clean up and announce a restart."
and
# Turn on MFA on the device
Write-Output "Enabling MFA on the device-level"
Set-JCSystem -SystemID $agentconf.systemKey -allowMultiFactorAuthentication $true
Now we can fairly easily extend the script here and harden the machine out-of-the-box. To do that, we need to know the Command-ID from JumpCloud to be able to assign it to the device, issue the Command execution and unbind the device from the Command afterwards. Once you have acquired the ID, you can set it as a variable at the beginning of the AutoPilot-Script. Next you can use Add-JCCommandTarget to add the device to the Command, use Invoke-JCCommand to execute it (you need to define a trigger - 'hardening' in this example) and lastly remove the device from the Command once successfully hardened by using Remove-JCCommandTarget:
# Apply MSFT Security Baseline via JumpCloud Command
# Add device to the Command
Add-JCCommandTarget -CommandID $HardeningCommandID -SystemID $agentconf.systemKey
# Execute the Command to harden the device
Invoke-JCCommand -trigger 'hardening'
# Wait for the hardening to finish
Start-Sleep -Seconds 240 # alternatively check for the log-file post-hardening
# Remove the hardened device from the Command itself
Remove-JCCommandTarget -CommandID $HardeningCommandID -SystemID $agentconf.systemKey
I'm putting this new section after the user-assignment and enablement of device-level Push-MFA. The output during execution looks like this:
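Instead of the fixed 240-second wait, the snippet's comment suggests checking for the post-hardening log file. One way to do that, as an added example that is not part of the original AutoPilot script: the function name is hypothetical, and the report path is assumed to be the one written by the Command script earlier in this article.

```powershell
# Added example (not from the original AutoPilot script); Wait-HardeningReport is a hypothetical name.
# Assumes the report path written by the Command script shown earlier in this article.
function Wait-HardeningReport {
    param(
        [string]   $Path = "C:\Windows\Temp\$env:computername-post-hardening-report.log",
        [datetime] $NotBefore = (Get-Date),   # ignore reports left over from an earlier run
        [int]      $TimeoutSeconds = 900,
        [int]      $PollSeconds = 10
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $lastSize = -1
    while ((Get-Date) -lt $deadline) {
        $file = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
        if ($file -and $file.LastWriteTime -ge $NotBefore -and $file.Length -gt 0) {
            # Same size on two consecutive polls: treat the audit as finished (heuristic)
            if ($file.Length -eq $lastSize) { return $true }
            $lastSize = $file.Length
        }
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

# $HardeningCommandID and $agentconf come from the AutoPilot script, as in the snippet above
$started = Get-Date
Invoke-JCCommand -trigger 'hardening'
if (Wait-HardeningReport -NotBefore $started) {
    Remove-JCCommandTarget -CommandID $HardeningCommandID -SystemID $agentconf.systemKey
} else {
    # Leave the device bound so the failure is visible and the Command can be retried
    throw 'Post-hardening report did not appear in time; device left assigned to the Command.'
}
```

Failing loudly on a timeout keeps a device that was never hardened from being handed over as if it were.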
Conclusion
Hardening a device or even custom applications like Chrome or Office365 doesn't have to be hard, actually. Yes, you will need to dig your way through this, especially when you're dealing with multiple OS versions, different OS languages (it's recommended to default to en-US and apply language packs as needed), and a diverse set of users and roles within your organisation. You may consider different customised baselines according to your needs. I hope this guiding article has provided you with a potential path to make this work and pass your audits with much more confidence (not promoting checkbox-compliance though).
Head of Enterprise Technology Services at foodpanda
3y
Great article Juergen K.! Really love how you provided real world advice on how to tackle this